Recommended
Recommended
More Related Content
Similar to Resource-Aware Framework for Designing Predictable Embedded Systems
Similar to Resource-Aware Framework for Designing Predictable Embedded Systems (20)
Resource-Aware Framework for Designing Predictable Embedded Systems
- 1. Aneta Vulgarakis A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems Doctoral Thesis Presentation Aneta Vulgarakis 1 A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 2. Aneta Vulgarakis Background and Motivation Research Description Problem Statement Research Goals Research Results Summary Relating Research Goals and Research Results Future Work 2 Outline A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 3. Aneta Vulgarakis 3 Background and Motivation Embedded systems “Computer that does not look like computer” Part of a larger system or machine Typical requirements Low cost Constantly react to changes in the environment Dependability Compute certain results in real-time without delay Limited available resources Manage the growing complexity of software Need for solutions that Alleviate software complexity Ensure predictable system behavior A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 4. Aneta Vulgarakis 4 Background and Motivation Resource-aware embedded system modeling and analysis perspective Consider from the start of the development the resource constraints imposed by the underlying platform Component Based Development Constructs systems by reusing existing components Promising approach to handle software complexity The structure and abstractions introduced by components contribute to the construction of abstract formal models A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 5. Aneta Vulgarakis 5 Background and Motivation Formal analysis Suitable solution to guarantee the correctness and reliability of software systems Rigorously exploring the correctness of system designs expressed as abstract mathematical models, typically with the assistance of a computer “yes/no” answers – properties that cannot be measured answers in form of numbers Best known formal analysis methods Theorem proving Model-checking Theorem Proving and Model Checking – Joe Hurd – p.2/15 A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 6. Aneta Vulgarakis 6 Our Research Problem: develop a resource-aware design framework encompassing modeling and formal analysis of component-based embedded systems Problem Statement A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 7. Aneta Vulgarakis 7 Develop a formal description of a component model for real-time embedded systems. (G1) Develop a behavioral language and associated tool support for modeling and formal analysis of functional, timing, and resource-wise behavior of components and their compositions. (G2) Exercise the applicability of the proposed design framework by modeling and analyzing example embedded systems that are motivated by reality (G3) Research Goals A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 8. Aneta Vulgarakis 8 The resource-aware framework includes two parts: The formally specified ProCom component model that fullfills the requirements coming from control-intensive ES The REMES behavioral language for describing component’s and system’s functional and extra-functional behavior, associated analysis techniques for various resource-wise properties, and a set of tools implementing the former and the latter. Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 9. Aneta Vulgarakis 9 Journals Paper A. “A Resource-Oriented Modeling and Formal Analysis of Embedded Systems Behavior.” Marin Orlić, Aneta Vulgarakis, Cristina Seceleanu and Paul Pettersson. Submitted to IEEE Transactions on Software Engineering Paper B. ”A Classification Framework for Component Models”. Ivica Crnković, Séverine Sentilles, Aneta Vulgarakis and Michel Chaudron. IEEE Transactions on Software Engineering, October, 2011 Licentiate thesis ”A Resource-Aware Component Model for Embedded Systems” Aneta Vulgarakis, Licentiate Thesis, Mälardalen University Press, September, 2009 Conferences and workshops Paper C. “Validation of Extra-Functional Behavioral Models on a Component-Based Ericsson Nikola Tesla Demonstrator” , Aneta Vulgarakis , Cristina Seceleanu, Paul Petterson, Ivan Skuliber, and Darko Huljenić. 11th International Conference on Quality Software, IEEE, Madrid, Spain, July, 2011. Paper D. “Integrating Behavioral Descriptions into a Component Model for Embedded Systems”, Aneta Vulgarakis, Séverine Sentilles, Jan Carlson, Cristina Seceleanu, 36th Euromicro Conference on Software Engineering and Advanced Applications, IEEE, Lille, France, September, 2010 Paper E. “REMES Tool-chain - A Set of Integrated Tools for Behavioral Modeling and Analysis of Embedded Systems”, Dinko Ivanov, Marin Orlić, Cristina Seceleanu, Aneta Vulgarakis, Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering (ASE 2010), Antwerp, Belgium, September, 2010 Publications Fundamental for the Thesis A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 10. Aneta Vulgarakis 10 Paper F. “Formal Semantics of the ProCom Real-Time Component Model”. Aneta Vulgarakis, Jagadish Suryadevara, Jan Carlson, Cristina Seceleanu and Paul Pettersson. Proceedings of 35th Euromicro Conference on Software Engineering and Advanced Applications (SEAA), Patras, Greece, August, 2009. Paper G. ”REMES: A Resource Model for Embedded Systems”. Cristina Seceleanu, Aneta Vulgarakis and Paul Pettersson. Proceedings of 14th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS), Potsdam, Germany, June, 2009 Paper H. ”A Component Model for Control-Intensive Distributed Embedded Systems”. Séverine Sentilles, Aneta Vulgarakis, Tomáš Bureš, Jan Carlson, Ivica Crnković. Proceedings of the 11th International Symposium on Component-Based Software Engineering (CBSE2008), Karlsruhe, Germany, October, 2008. Paper I. ”Embedded Systems Resources: Views on Modeling and Analysis”. Aneta Vulgarakis, Cristina Seceleanu. Proceedings of COMPSAC, the 1st IEEE International Workshop On Component-Based Design Of Resource-Constrained Systems Software and Applications Conference (CORCS), Turku, Finland, July, 2008. Publications Fundamental for the Thesis A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 11. Aneta Vulgarakis 11 Journals “Applying Remes Behavioral Modeling to PLC Systems” Aneta Vulgarakis and Aida Čausević. Mechatronic Systems, vol 1, nr 1, p40-49, Faculty Of Electrical Engineering, University Sarajevo, December, 2009. Conferences and workshops “Classification and Survey of Component Models ” Ivica Crnković, Aneta Vulgarakis, Mario Žagar, Ana Petričić, Juraj Feljan, Luka Lednicki, and Josip Maras. DICES workshop at the International Conference on Software Telecommunications and Computer Networks, Bol, Croatia, September 2010. “Towards Simulative Environment for Early Development of Component-Based Embedded Systems” Marin Orlić, Aneta Vulgarakis, and Mario Žagar. 15th International Workshop on Component-Oriented Programming , Prague, Czech Republic, June, 2010. “Applying Remes Behavioral Modeling to PLC Systems” Aneta Vulgarakis and Aida Čausević. 22nd International Symposium on Information, Communication and Automation Technologies, IEEE, Sarajevo, Bosnia Herzegovina, October 2009. “Towards a Resource-Aware Component Model for Embedded Systems” Aneta Vulgarakis. Doctoral Symposium of 33rd Annual IEEE International Computer Software and Applications Conference, IEEE, Seattle, Washington, July, 2009 “A Component Model Family for Vehicular Embedded Systems ” Tomáš Bureš, Jan Carlson, Séverine Sentilles, and Aneta Vulgarakis. 3rd International Conference on Software Engineering Advances, IEEE, Sliema, Malta, October 2008. “A Classification Framework for Component Models ” Ivica Crnković, Michel Chaudron, Séverine Sentilles, and Aneta Vulgarakis. 7th Conference on Software Engineering and Practice in Sweden, G¨oteborg, Sweden, October 2007. Publications Related to the Thesis A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 12. Aneta Vulgarakis 12 Conferences and workshops “A Model-Based Framework for Designing Embedded Real-Time Systems” Séverine Sentilles, Aneta Vulgarakis, and Ivica Crnković. Work-In-Progress track of the 19th Euromicro Conference on Real-Time Systems, Pisa, Italy, July 2007. Technical reports “Connecting ProCom and REMES ” Aneta Vulgarakis, Séverine Sentilles, Jan Carlson, and Cristina Seceleanu. MRTC report ISSN 1404-3041 ISRN MDH-MRTC-244/2010-1-SE, Mälardalen Real- Time Research Centre, M¨alardalen University, May, 2010. “ProCom: Formal Semantics ” Jagadish Suryadevara, Aneta Vulgarakis, Jan Carlson, Cristina Seceleanu, and Paul Pettersson. MRTC report ISSN 1404-3041 ISRN MDH-MRTC-234/2009-1-SE, Mälardalen Real- Time Research Centre, Mälardalen University, March, 2009. “Remes: A Resource Model for Embedded Systems ” Cristina Seceleanu, Aneta Vulgarakis, and Paul Pettersson. MRTC report ISSN 1404-3041 ISRN MDH-MRTC-232/2008-1-SE, Mälardalen Real-Time Research Centre, Mälardalen University, October, 2008. “ ProCom – the Progress Component Model Reference Manual - version 1.0 ” Tomáš Bureš, Jan Carlson, Ivica Crnković, Séverine Sentilles, and Aneta Vulgarakis. MRTC report ISSN 1404-3041 ISRN MDH-MRTC-230/2008-1-SE,M¨alardalen Real-Time Research Centre, Mälardalen University, June 2008. “Towards Component Modelling of Embedded Systems in the Vehicular Domain” Tomáš Bureš, Jan Carlson, Séverine Sentilles, and Aneta Vulgarakis. MRTC report ISSN 1404-3041 ISRN MDHMRTC 226/2008-1-SE, Mälardalen Real-Time Research Centre, Mälardalen University, April 2008. “Progress Component Model Reference Manual - version 0.5” Tomáš Bureš, Jan Carlson, Ivica Crnković, Séverine Sentilles, and Aneta Vulgarakis. MRTC report ISSN 1404-3041 ISRN MDH-MRTC 225/2008-1-SE, Mälardalen Real-Time Research Centre, Mälardalen University, April 2008. Publications Related to the Thesis A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 13. Aneta Vulgarakis The formally specified ProCom component model 13 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 14. Aneta Vulgarakis 14 Complexity HW influence Safety-criticality Real-time demands Resource limitations (memory, bandwidth, power…) Distribution Complexity HW influence Safety-criticality Real-time demands Resource limitations (memory, bandwidth, power…) Distribution Main domain concerns of Embedded Systems Main domain concerns of Embedded Systems Manage complexity Manage the strong coupling between the system and the targeted platform Deal with different types of components (size, functionality and semantics) Utilize resources efficiently Predictability Distribution Manage complexity Manage the strong coupling between the system and the targeted platform Deal with different types of components (size, functionality and semantics) Utilize resources efficiently Predictability Distribution Requirements placed on a component model Requirements placed on a component model Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 15. Aneta Vulgarakis 15 ProCom – a two-layered component model A subsystem can internally be modelled by ProSave. A subsystem can internally be modelled by ProSave. Connection between the layers ProSys (upper layer) Subsystem components Active, distributed Asynchronous message passing Hierarchical Subsystem components Active, distributed Asynchronous message passing Hierarchical ProSave (lower layer) "Function block" components Passive, non-distributed Explicit transfer of data and control Hierarchical "Function block" components Passive, non-distributed Explicit transfer of data and control Hierarchical Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems Drill Drill sensors Drill control Drill motors Clamp Drill Driller 2012-06-15
- 16. Aneta Vulgarakis ProCom imposes restrictions on the behavior of its constructs, which should be formally defined, in order to achieve predictable behavior. For example, all the data must arrive to its end destinations before the trigger signal. 16 Research Results ProCom – formal semantics A B C Data fork A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems … 2012-06-15
- 17. Aneta Vulgarakis 17 ProCom – formal semantics FSM-like formalism with notions of urgency, implicit timing and priorities Semantics of each ProCom element is defined in the FSM language Semantics of a ProCom system = parallel composition of FSMs Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 18. Aneta Vulgarakis Formalization of data/trigger connection To ensure that the data is transferred prior to trigger, the data transitions in the FSM formalism are associated with priority. 18 ProCom – formal semantics Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 19. Aneta Vulgarakis The REMES behavioral language and associated analysis techniques 19 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 20. Aneta Vulgarakis 20 REMES - REsource Model for Embedded Systems Behavioral model that describes functional, timing and resource-wise behavior of interacting embedded components Based on the Charon modeling language (Alur et al. 2003) Particularities Resources as primitive types resource consumption annotated with c Behavior of a component is a mode Composition of modes sequential parallel parallel with a synchronization protocol Research Results Resource Class Characteristics A (memory) discrete Referable B (CPU, bandwidth) discrete non-referable C (CPU, energy) continuous non-referable },{, +∞−∞−∈= Znnc ∞== corc 0 ∞== corc 0 A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 21. Aneta Vulgarakis 21 Composite mode M (SM, V, In, Out, E, RC, Inv, CC) Control points In: (Init point, Entry point), Out: (Write point, Exit point) Variables (V) (boolean, natural, integer, array, resource, clock, string, list) global interface local Actions over edges (E) discrete (guard, body) delay/timed Constraints set of invariants (Inv) set of res. diff equations (RC) Conditional connectors (CC) Nested submodes (SM) MMM WrRdG ∪= ML MM GI ⊆ Page 21, C M submode1 submode2 submode3 Entry Point Init Point Exit Point Write Point Research Results Inv1 RC1 (guard, body) A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 22. Aneta Vulgarakis 22 Illustrative example Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 23. Aneta Vulgarakis 23 Analysing REMES based ES REMES modes have access to set of resources R1,…, Rn Goal Analyze various scenarios of system’s resource usage Analysis model for REMES rtot total accumulated resource consumption for R1, …, Rn r1,…, rn accumulated consumption of R1,…, Rn w1,…, wn relative importance of r1,…, rn nndeftot rwrwrwr ∗++∗+∗= 2211 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 24. Aneta Vulgarakis 07/28/16 24 Translating REMES into Priced timed automata or Multi Priced timed automata PTA TA + costs on locations and edges REMES atomic submode PTA location(s) REMES edge PTA edge REMES discrete step PTA transition REMES conditional connectors are removed Automated translation Page 24, Analysing REMES based ES Research Results nn cwcwcwcost ∗++∗+∗= 2211 24 nndeftot rwrwrwr ∗++∗+∗= 2211 A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 25. Aneta Vulgarakis 25 Research Results PTA waits in location Start for system startup Init, Entry, Write and Exit locations created Transformation of Submode2 Internal execution rounds - PTA edge connecting locations Write and Submode1 Synchronization with other components A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 26. Aneta Vulgarakis Types of analysis Feasibility are the accumulated values of consumed resources within the provided resource amounts? For example, weak feasibility Optimal/ worst-case resource consumption compute the trace with minimum/maximum cost for reaching some location minimizing/maximizing the cost function Trade-off analysis more than one property to satisfy simultaneously minimize a primary cost, while imposing an upper bound on secondary cost We perform weak feasibility and min resource consumption reachability 26 Research Results Analysing REMES based ES A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems vEF nt≤cos 2012-06-15
- 27. Aneta Vulgarakis 27 Model Checker (Uppaal Cora) PTA model from REMES transformation resource-aware property error trace yes Assumptions from hardware abstraction: Memory budget, Bandwidth, Cost model Analysing REMES based ES vEF nt≤cos Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 28. Aneta Vulgarakis Integrating ProCom and REMES 28 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 29. Aneta Vulgarakis 29 Research Results Integrating ProCom and REMES ProCom component REMES model of component behavior Attribute Framework Managing and integrating properties Each ProCom component has an attribute with a complex value: Reference to a REMES model file Reference to a mapping file between ProCom and REMES interfaces A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 30. Aneta Vulgarakis 30 ProSave level Trigger port REMES interface boolean variable Data port REMES interface data variable ProSys level Input message port REMES read boolean variable and REMES read data variable Output message port REMES write boolean variable and REMES write data variable of same type as the port type Integrating ProCom and REMES Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems ProSys port REMES variables A1 bool A1 and float A1_value A2 bool A2 A3 bool A3 and int A3_value 2012-06-15
- 31. Aneta Vulgarakis The REMES tool-chain 31 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 32. Aneta Vulgarakis 32 The REMES Tool-chain Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 33. Aneta Vulgarakis 33 The REMES Tool-chain Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 34. Aneta Vulgarakis 34 The REMES Tool-chain Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 35. Aneta Vulgarakis Validating the proposed resource-aware framework 35 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 36. Aneta Vulgarakis The resource-aware framework has been applied to ”Toy-examples” stability control system – exemplifies the ProCom component model temperature control system – integration of ProSave and REMES, and formal behavior analysis turntable drilling system – integration of ProSys and REMES, and formal behavior analysis Real-world industrial case study study the applicability of our framework validate our framework under approved assumptions 36 Research Results Validation A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 37. Aneta Vulgarakis Ericsson Nikola Tesla (ENT) demonstrator is a proof-of-concept solution showing that horizontal development can be used for creating parts of a telecommunication system. ENT deployment architecture consists of two parts: Basic service (legacy system) Call control Extension service (open source software) Clients cluster – Load balancer (PEN) – DIAMETER clients Servers cluster – Load balancer (DIAMETER relay) – DIAMETER servers 37 Validation of the resource-aware framework on an Ericsson Nikola Tesla demonstrator Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 38. Aneta Vulgarakis 38 Ericsson Nikola Tesla demonstrator A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 39. Aneta Vulgarakis 39 Architectural modeling of the ENT demonstrator in ProCom Behavioral modeling in REMES Formal analysis Timing Resource consumption (cpu and memory) Round-robin protocol for serving requests Validation of the resource-aware framework on an Ericsson Nikola Tesla demonstrator Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 40. Aneta Vulgarakis 40 Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 41. Aneta Vulgarakis 41 Formal analysis goals and results Behavioral model validation and verification Performance – Is the end-to-end response time for 500 AAA requests less or at most 5 sec assumption on the linear response time increase per burst of requests (500) by model-checking derived a number for processing 500 request – 1710 time units that is just slightly higher than the measured value – 1690 ms Computing an optimal execution trace for the overall consumption of resources (CPU and memory) Of course absence of deadlocks Possibility for performing various types of analysis prior to implementation Research Results A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 42. Aneta Vulgarakis 42 A formally specified two-layered ProCom component model for design of control-intensive ES Addresses quality attributes, resource consumption and distribution more systematically than existing component models targeting embedded systems An unambiguous and compact description of the modeling elements of ProCom based on an extension of FSM REMES behavioral language for unified modeling and formal analysis of functional, timing and resource-wise behavior of ES Performing resource-wise analysis Method for encoding the resource-wise analysis problem as a weighted sum in which the variables capture the accumulated consumption of resources, respectively. ProCom and REMES integration Proposed a way of mapping the ProCom component interface onto the variables of REMES modes The REMES tool-chain An IDE for construction and analysis of REMES-based systems Exercised the applicability of the proposed resource-aware framework Summary of contributions A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 43. Aneta Vulgarakis 43 A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems Relating Research Goals and Research Results RG1. Develop a formal description of a component model for real-time embedded systems. The formally specified ProCom component model RG2. Develop a behavioral language and associated tool support for modeling and formal analysis of functional, timing, and resource-wise behavior of components and their compositions. The REMES behavioral language ProCom and REMES integration Performing resource-wise analysis The REMES tool-chain Validating the REMES behavioral model on the ENT demonstrator RG3. Exercise the applicability of the proposed design framework by modeling and analyzing example embedded systems that are motivated by reality. 2012-06-15
- 44. Aneta Vulgarakis 44 Extension of REMES to support Semantics of a REMES mode other than ”run-to-completion” Transformation rules for n levels of hierarchy, n>2 Compositional reasoning of REMES modes Exercise scalability of REMES and associate analysis techniques Investigate further the ENT demonstrator Model and verify other protocols for serving requests than round-robin Heterogeneous servers Future work A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
- 45. Aneta Vulgarakis 45 Thank you for your attention! A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems 2012-06-15
Editor's Notes
- The title of my PhD thesis is “A Resource-Aware Framework for Designing Predictable Component-Based Embedded Systems”.
- The outline of my talk is the following. I will first give a short background and motivation about the work presented in this thesis. Then I will move to the main part of my presentation, that is research description. Here I will formulate the problem, introduce the research goals and present the research results addressing the research goal. I will end this part with presenting how the research results are answering the research goals and I will end this presentation with thesis outline and a time plan for finishing the thesis.
- Embedded systems are everywhere around us. It is a computer that does not look like a computer. Instead it is embedded as a component inside of another product. Physically, embedded systems range from portable devices such as digital watches and MP3 players, to large stationary installations like traffic lights, factory controllers, or the systems controlling nuclear power plants. In the car embedded systems can be found as engine controllers or antilock brake controllers. The demanding extra-functional requirements (especially realted to timing and resource-wise requirements) of modern embedded systems, coupled with the increasing complexity of the underlying software, require techniques that will alleviate software complexity and for ensuring predictable system behavior High degree of dependability -
- One of the ways to ensure predictable behavior of an embedded system design is to formally check it against different requirements pertaining to various constraints including functional, timing, safety and resource-usage constraints. Meeting this demanding goal resorts to a resource-aware embedded system modeling and analysis perspective, that is consider from the start of the development the resource constrants impoded by the underlying platform. (software or hardware) that host the embedded system Promising aproach to handle software complexity, reduce time to market,intoduce structure and abstraction lies in the adoption of CBSE paradigm Constructs systems by reusing exsiting components like in electronics or mechanics: integrated circuits, switches, etc. The behavior of an ES should be predictable, both functionally and with respect to extra-functional properties. Although the behavior modeling and analysis of an ES is very important it is often omitted in component models targeting ES design. Thus there is a need to include behavior modeling in embedded systems
- Formal analysis can be a suitable solution to gurantee the correctness and reliability of software systems. Formal analysis is the process of rigorously exploring the correctness of system designs expressed as abstract mathematical models with assistance of a computer. Formal methods, by their very nature, can play a significant role in predictable system development. Through abstraction they provide formal models that allow software engineers to reason about critical system issues by ignoring extraneous details. Models may be developed as a precursor to implementing the physical system, or they may be derived from an existing system or a system in development as an aid to understanding its behavior. In this thesis, we consider two types of answers to formal analysis: “yes/no” answers as a result of verifying properties that can be either satisfied or not, but cannot be measured, and answers in form of numbers, in the sense that the formal analysis returns a computed number that might represent, in our case, the minimum/maximum value of the accumulated resource usage for reaching a given goal expressed as a reachability property for instance. Theorem proving has highest assurence and can handle infinite-state systems, however usually is not automated. Model checking emphasizes automation and relies on finite state models and temporal logic formulas. The main challenge is state explosion i.e. To reduce the problems to a form in which they can be efficiently model checked. The highest degree of automation of MC over TP justify our choice of chosing MC
- Having in mind the background and motivation I have presented so far, the main research problem of this thesis is developing a resource-aware framework encompassing modeling and analysis methods for component-based embedded systems
- This research goal is broad and we have addressed it by decomposing it into smaller goals, and addressing these new goals. The potential benefit of CBD is as attractive in the domain of ES, as it is in other areas of the software industry. The indispensable characteristic of CBD are the component models. They define rules for constructing individual components and for assembling them into systems. Although there exist several component models and technologies for the development of embedded systems (Koala, SaveCCM, Pecos, Pin…). However CBSE is still not broadly used in the embedded systems industry. An important reason for such limited success is the difficulty of providing solutions that meet typical embedded system requirements: such as functionality, resource-feasibility, reliability, and similar. All these requirements should be reflected in the component model. However, the specifications of many component models are defined informally and component models suffer from incomplete and imprecisely defined syntax and semantics. Formalization of component models using formal methods can provide precise definitions. The formalization should be designed to unambiguously describe the elements of the component model. Such motivation justifies our first research goal Develop a formal description of a component model for real-time embedded systems. One of the main characteristics of embedded systems is the restriction of available resources. . In our work we have studied the state of the art on resource modeling and analysis and we have come to a conclusion that that there is a difficulty of handling all relevant embedded resources within the same formal model. The formal model should incorporate resources as primitive types, that is, built in the model. Ideally the same language should provide support for modeling and analyzing functional and timed behavior. This will allow both separation of concerns as well as a simple model-to-model transformations, for analysis purposes. (why unified manner) Accordingly the second research goal can be formulated as: Develop a behavioral language and associated tool support for modeling and formal analysis of functional, timing and resource-wise behavior of components and their compositions. The usefulness, applicability and scalability of modeling languages and analysis methods can be exercised by performing their validation against measured, quantified behavioral properties. In order to validate the applicability of our design framework we must apply it to a number of relevant case-studies. Thus, our third research goal is: Exercise the applicability of the proposed design framework by modeling and analyzing example embedded systems that are motivated by reality.
- We have addressed the research problem and the smaller research goals by proposing a resource-aware framework for designing predictable component-based embedded systems that includes two parts: - The formally specified ProCom component model developing a component model that fulfills the requirements coming from control-intensive ES, that are a special class of embedded systems that primarly perform real-time controlling tasks. They can be fined in many products for example vehicles, automation systems, or distributed wireless networks. - The REMES behavioral language for describing component’s and system’s functional and extra- functional behavior, associated analysis techniques for various resource-wise properties, and a set of tools implementing the former
- The results presented in this thesis have been published in one journal paper and 7 conference and workshop papers. And recently we have submitted our last journal paper. In addition the work presented in this thesis is a continuation to the work presented in the licentiate thesis. In this doctoral thesis we have extended the REMES behavior language, introduced a set of transformation rules that semantically translate REMES modes into PTA, show a tool for modeling and analysis of REMES model, present an integration of ProCom and REMES, and validate the REMES behavioral language. Additionally, we have published one journal and several conference papers and technical reports that do not directly contribute the thesis, but are related to its contributions.
- Here I will say we have contributed in answering the research questions with these publications. Say how the work has been performed in teams
- As a basis for answering how can a component model be designed to fullfill the requirements coming from ES domain we first studied main domain conserns of ES. Basic requirements and design decisions guiding the elaboration of the component model Predictability (provide support for different kind of analysis (functional behavior, timed behavior, resource usage etc) In order to answer to this research question we have first studied the main domain concerns of ES such as software complexity, hw influence, safety-criticality, real-time demands, resource limitations and distribution. These domain concerns we have later placed as requirements on the component model. Accordinly a component model for embedded systems should be able to manage complexity, manage the strong coupling between the system and the targeted platform, deal with different types of components in terms of size, functionality and semantics; utilize resources efficiently, be predictable in sense that analysis techniques should be available already at early development stage and distribution. That is when we came to idea to develop the ProCom component model
- Different computational model, communication paradigm, Since in embedded systems different types of components may coexist in terms of size, functionality and semantics, ProCom component model is structured into two distinctive, but related layers . The two layers differ in terms of granularity, architectural style, execution style and communication paradigm. The upper layer, called ProSys, is intended for modeling the embedded system as a collection of complex active and concurrent subsystems, communicating via asynchronous message passing. The lower layer, ProSave, serves for modeling the internal design of a subsystem down to primitive functional components implemented by code. ProSave components are passive units, which communicate based on a pipe-and-filter architectural style with an explicit separation between data and control flow. The connection between the two-layers is done on the top-most level of ProSave, so ProSys subsystems may be internally modeled with ProSave components.
- ProCom component model imposes restrictions on the behavior of its constructs, which should be addressed and formally specified, in order to achieve predictable behavior. In order to address this problem and similar problems we have given formal semantics to each of ProCom architectural element. E.g. All the data must arrive to its end destinations before the trigger signal. This rule should also hold in cases when data is transferred through a connector. Since ProSave components can not be distributed the migration of data between the connections/connectors is loss-less atomics Push model for data transfer (whenever data is available at an output port it is forwarded (pushed) to an output port) If more trigger ports are available at same time, the order in which they are taken is non-deterministic. Scenario: lets assume components A,B and C, and a data-fork connector (used to split data connections so that data written to the input port is forwarded to the output ports. When component A has finished executing, component B should start executing. However, since the input trigger port of component B is directly connected to the output trigger port of component A, while the data is not transferred directly, but via a connector, there is a risk that the trigger signal may reach component B before the data has arrived. Hence, such a scenario in which trigger might arrive before data should be prohibited by the formalization.
- Formal semantics of the ProCom architectural elements is given in terms of FSM. necessary for modeling real-time systems And this is how the graphical representation of FSM looks like. A transition can be either urgent or non-urgent and it can have priority or no-priority. A transition which is decorated with a symbol * is non-urgent. If it does not have it then it is urgent. And if it is decorated with “up arrow” it has priority. An initial state presented with two concentric circles and other state with once circle. State may be decorated with a delay interval [n1,n2] which is inside of the cicrle. The execution of an FSM starts in the initial state. At a given state an outgoing transition may be taken only if it is enabled, i.e. if it is associate guard evaluates to true for the current variable values. If more than one transitions are enabled then one of them is chosen non-deterministically. Prioritized transitions are preferred over non-prioritized transitions. It is possible to delay in a state in case all enabled out-going transitions of a state are non-urgent. In case there are some urgent transitions enabled, one of them has to be taken immediately. A state that is associated with an interval [n1,n2] may be left anytime between n1 and n2 time units after it is entered. Systems are formed by parallel composition of FSMs. The semantic state of the composed system is the combined states and variable values of the FSMs. The notions of urgency and priority are applied globally, and time is assumed to progress with the same rate in all FSMs. Graphical appeal: in the sense that edges are decorated in explicit ways with info on urgency and priority for instance Intuitive: we haven't really proved this claim - you can say instead that it may be simpler than the corresponding TA description because it has a higher-level of abstraction The FSM language has graphical appeal, making it simpler than the corresponding TA model, and it abstracts from real-valued variables and synchronization channels. The FSM models of ProCom systems can be analyzed both in a dense-time underlying framework, as well as in a discrete-time one, since TA has been recently given a sampled semantics. Hence, tools such as uppaal can be employed for early-stage verification of ProCom models, whereas discrete-time model-checkers, such as DTSpin could be used for later-stage analysis, since sampled time semantics is closer to the actual software or hardware system with a fixed granularity of time.
- For example in order to assure that the data will arrive to its destination before triggering, this is how we have formalized the data/trigger connections of ProCom. For example let us look at ProSave connections between two data ports d0 and d1 and two trigger ports t0 and t1. To ensure that the data is transferred prior to trigger the data transitions in the FSM formalism are associated with priority. So the formal semantics of a data/trigger connection ensures its informal semantics that all data should arrive to its end destionations before triggering. FSMs communicate through these shared variables: vdi : variable associated with a data port di of corresponding type. vti : boolean variable associated with a trigger port ti indicating whether the port is triggered, default false. vmi : variable associated with a message port mi of corresp. type. v’di and v’ti : internal variables for ports of composite components, corresponding to port variables vdi and vti , respectively. ε : null value of any type indicating there is no data present on data/message port
- By now our resource-aware framework is equipped with an architectural model, which is the formally specified ProCom component model. In order to equip these ProCom components with behavior we have developed the REMES behavioral language.
- R. Alur, T. Dang, J. Esposito, Y. Hur, F. Ivanˇci´c, V. Kumar, I. Lee, P. Mishra, G. Pappas, and O. Sokolsky. Hierarchical modeling and analysis of embedded systems. Proceedings of the IEEE, 8(3):231–274, 2003 It is based on Charon modeling language used to specify ES as communication agents and addition of resource consumption+other constructs to facilate the modeling of functional and extra-functional behaviour the data is transferred between modes via a well-defined data interface, that is, typed global variables, whereas the (discrete) control is passed through a well-defined control interface consisting of entry and exit points. Show how the behavior of the air condition example in REMES with declaration of varibales and types of resources and explanation of modes through it. We consider resources as global quantities of finite size. This classification of resources comes from the analysis. Resources in class C are continous, and in A and B discrete. The consumption of the CPU can be modeled by a discrete variable, denoting the number of accumulated clock ticks, or processor load, or by a continuous variable, which represents the CPU usage in computerized systems (time elapsed since the mode is active)
- Let’s assume that REMES modes have access to set of resources: R1, R2, …, Rn. Our goal is to analyze various scenarios of systems resource usage. Analysis model for REMES is an objective function which is a weighted sum in which the variables present the accumulated consumption of resources which later should be minimized, maximized or manipulated. In this function rtot represent the total consumption of resources R1…Rn. r1,..rn is the accumulated resource consumption of resources R1 to Rn. The proposed cost analysis model for REMES is platform-aware. The values of the weights are a subjective matter; the way they are chosen depends mostly on the designer’s experience, application domain and on the analysis goals. For example in soft real-time systems where meeting deadlines is not as important as for hard-real time systems we may assign lower weight to time, and higher to memory if necessary.
- In order to analyse REMES compositions we need a semantic translation of the model. If we consider resource consumption r1…rn as cost variables c1,…, cn WCTL extends Timed CTL with resets and testing of cost variables. In order to analyse REMES compositions we need a semantic translation of the model, therefore resources in PTA are represented by costs. For formal analysis purposes, REMES can be semantically translated into timed automata or (multi) priced timed automata depending on the analysis goals (i.e., timing analysis, resource consumption, etc.). Each element of REMES is translated into a TA corresponding one. As such REMES atomic mode is translated into TA location, REMES discret edge is translated into a TA edge, REMES discret step into a TA transition and REMES global variables into TA synchronization channels. In PTA each of the resource consumptions r1, …, rn can be translated to cost variables c1,…, cn. Now the weighted sum presents a cost function. properties specified in WCTL say also that the model can be model-checked against these properties expressed in WCTL What means feasibility and what it is good for. Feasability: weather the required resources are within the bounds of the provided resources. Optimal/worst case: searches for the cheapest i.e. most expensive trace that will eventually reach a given goal. This trace may resolve eventual non-determinism in component implementation Trade-off analysis: minimize a primary cost, while imposing an upper bound on a secondary cost e.g., memory vs. Execution time. The result of this analysis is the best alternative between the conflicting requirements.
- A REMES composite mode with two atomic submodes, and a PTA generated from the transformation. PTA waits in location Start for system startup triggered by trigger a1 Init, Entry, Write, Exit locations are created from the Init, Entry, Write and Exit points of a composite mode. The Write and Exit locations are marked as urgent to prohibit the automaton to stay in these locations, as mandated by the REMES ”run-to-completion” semantics The init edge between Init and Submode2 is transformed into an edge in the PTA between locations Init and Submode2. If the composite mode does not have Init edge, there will not be an Init location in the resulted PTA, and instead there will be an edge directly from Start to Entry. Transformation of Submode2 with an invariant x<=C_X and resource consumption ratee res2’=10 is transformed into a location in the PTA with an invariant x<=C_X, and a cost rate for delaying in that location cost’=wres2*10
- Types of analysis we are interested in, and that we can express them in WCTL Feasibility: Checks whether are the accumulated values of consumed resources during all possible system behaviours within the available resource amounts provided by the implementation platform. It is an additive function for resources like non-refereable memory and energy. G and F operators for globally (always) and eventually respectively. The cost function is a single cost variable. The resources become undistinguishable. n- available resources provided by the platform For all execution paths the location v is eventually reached within n For all execution paths, it is always the case (G) that ones q is reached the cost of eventually reaching v will be less than n, regardless how v has been reached. There exists a path in which the target location v may be reached within a total cost n For all execution paths, it is always the case (G) that ones q is reached there exists a path in which the cost of eventually reaching v will be less than n Optimal/worst-case resource consumption Minimizing or maximizing the one cost function such that a given liveness or reachability property is satisfied Have been proposed by Larsen and Rasmussen the max/min reachability costs for PTA Challenge if some of the edges are negative than cost is non-monotonic. Than the usual branch and bound algorithm does not work, but have been theortically solved even when negative costs are involved. (9) ….see Trade-off analysis Limited memory is one of the dominating constraints of ES. However while minimizing memory, one can increase the execution time beyond acceptable limits which can make the system unschedulable. Between resources from class A and class C or B and C and only class A and B can be applied by single cost function. Between resources from class C is a multi cost function. Such trade-off analysis can be carried out through conditional reachability verification on MPTA [14], by considering ceng as the primary cost and ccpu as the secondary cost. Larsen and Rasmussen [15] have proved that such problems are decidable for MPTA. 1.Energy is minimazed , cpu bounded from above. The accumulated weighted CPU usage will not be more than m ticks at location v, while v may be reached by consuming no more than n weighted energy units. We have ways of expressing the properties in WCTL. But we can model check weak-feasbility, and min resource consumption
- TA/PTA/MPTA automata model describing the possible
- Each component has an attribute with two values Reference to a REMES model file in the component structure Reference to the maping file specifying the relation between the ports of the component and the variables of the REMES model Attribute framework - Provides a systematic way of managing and integrating functional and extra-functional properties such as Static memory usage Models (eg.,REMES behavior model, UML) Execution time etc
- REMES data variable of the same type as the ProSave port. The connection between ProSave and REMES we have described in our previous work (on a case study of a temperature control system) - In each case, one of the variables is a boolean that signals the receiving/sending of the message, respectively, while the other variable keeps the value of the message. If the message is empty, only the boolean variable is used. REMES read variable (global variables that can be written by other modes) REMES write variable (global variables of the mode that may only be read by other modes). The parallel composition of the REMES modes associated to all ProSys components in the given system together with the representations of the ProSys message channels and the connections (rest of the ProSys level elements) describe the whole system’s behavior.
- The Remes tool-chain implements a workflow based on two user roles: a system designer role, and a verification expert role. The system designer uses the Remes tool-chain for modeling and simulating Remes behaviors. As such, this role is similar to that of a software modeler/developer, and is focused on defining behavior models in Remes and simulating/testing these behaviors. The responsibility of the verification expert role is to use the Remes tool-chain for formal analysis of Remes behaviors. Note that the two roles are not necessarily always represented by different users. However, we envision that the verification expert role is dedicated to persons that have deeper knowledge in formal analysis. The workflow of the tool-chain, split in four steps: when the tool-chain is used by the system designer for simulating/testing Remes behaviors, and when the tool-chain is used by the verification expert for formal analysis of Remes behaviors. We envision that the tool-chain will be first used for simulation of Remes behaviors to see whether they perform as expected, and once they perform correctly they will be transformed into PTA for formal analysis. Once the behaviors are defined, the system designer can start the behavior similar to launching a program written in a programming language – either in run or in debug mode of the Remes simulator. Launching a behavior prepares the model for simulation and generates the code that implements the behavior in the simulator with a modelto- text transformation (M2T) (Step 2 for the designer). The Remes simulator starts the behavior in run or debug mode, and displays mode transitions in a text form (Step 3 for the designer). During debugging, a hierarchy of active modes is shown in the debugger interface, and the system designer can inspect mode variables (e.g., resources and clocks), execute a behavior step-by-step and track active modes in Remes diagrams. Finally, after each test run of the model, the system designer can conclude if the model performs as expected and correct it accordingly (Step 4 for the designer). Now let us present the part of the workflow when the Remes toolchain is used by the verification expert. The verification expert starts by modeling the behavior of every component of the system in the Remes editor (Step 1). Once the system model is complete (Step 1), the verification expert can select to transform the Remes behavior into a network of priced timed automata using an automated model-to-model (M2M) transformation. The verification expert then reviews the result of the transformation and modifies it if necessary, in the ULite graphical editor (Step 2 for the verifier). Once custom changes are made, the verification expert proceeds with generation of the final Uppaal file. The transformation into Uppaal Cora is an extended version of the ULite into Uppaal transformation, where the costs are inserted in the generated Uppaal file. Resulting model files can be submitted for verification to the Uppaal verification engine directly from the tool-chain (Step 3 for the verifier). The Uppaal verifier integration allows the verification expert to start the verification using the familiar Eclipse launch mechanism, specify verification queries, and inspect the automata trace within the tool-chain in an interface similar to the one implemented in Uppaal. Verification results can either confirm that the model conforms to the system requirements, or produce a counter-example to correct the model (Step 4 for the verifier).
- Modeled the behavior, and verified the resulted behavioral models of an Ericsson Nikola Tesla prototype telecommunication system
- Basic service - processes calls and when special kind of processing is needed, generates special events that result with requests (messages) that are being redirected into the extension service. Extension service - processes messages generated by the basic service by performing an AAA (authentication, authorization and accounting) functionality that conforms to the widely accepted Internet standard called DIAMETER. The result of the processing is also a message that is sent to the basic service. AAA protocol =authentication, authorization and accounting.
- Basic Service is an existing legacy ProSys component. Extension Service is a subsystem composed of two smaller ProSys components: Diameter clients cluster and Diameter servers cluster. We consider that there are four clients (resp. servers) in Diameter clients cluster (resp. Diameter servers cluster). Each of these ProSys components may be further decomposed into either smaller ProSys components, or into ProSave components, depending on the level of complexity of the functionality, and the possibility for distribution. Accordingly, the Diameter clients cluster component is built from Pen ProSave component and four Client ProSave components. Similarly, the Diameter servers cluster component is made of Relay ProSave component and four Server ProSave components. The component Basic Service sends AAA requests to Extension Service. These requests are forwarded to Diameter clients cluster component. Inside this cluster, the Pen component is responsible with forwarding these messages in a round-robin fashion to each of the four clients. The Diameter clients cluster is the client side of the DIAMETER protocol. Thus, inside Diameter clients cluster component AAA requests are transformed into DIAMETER requests and are forwarded to the Diameter servers cluster component. Relay, similarly to Pen, forwards the DIAMETER requests messages in a round-robin manner to each of the four servers. The servers process these requests and return DIAMETER responses to Relay that forwards them to Diameter clients cluster. In the end, Diameter clients cluster component transforms DIAMETER responses into AAA responses and sends them back to Basic Service.
- And this is how the behavior of ENT components Pen, Server and Client modeled in REMES looks like. When modeling the behavior we have made a number of assumptions within the model, which we have discussed with the researchers from Ericsson and we have agreed. As such, we consider instantaneous reads for IP client addresses and other information by the Pen component. We also make an assumption on the linear response time increase per burst of requests (500) that lets us compute the total response time, hence the extension service capacity, once we have predicted the response time of an individual request. In the ENT demonstrator, we consider two resources in our analysis: memory and CPU. We assume CPU as a continuous resource, and we treat memory as a discrete resource. The timing constraints and resource usage information that we have annotated the Remes models with are those measured directly on the prototype implementation. Note that in the current version of the demonstrator the clients and the servers are homogenous, that is, the processing time is the same for each request, on any of them.
- Is the number of calls that can be processed by the extension service greater than the minimum value i.e. 100 calls per second? We have considered in our model the actual source code measured values of the authorization request and authorization response time; as well as their CPU load, memory usage for each component of the demonstrator: PEN, Diameter client, Diameter relay and Diameter server. We have defined a global clock variable that stored the elapsed time from the start time of sending the authorization request to the Pen until the request is served and returns to the call controller in the basic service. Weighted sum representation of resource consumption. We consider cpu as a more critical resource than memory. Also, this result concludes our behavioral model formal validation, regarding the end-to-end response time, which has been a central design issue of the demonstrator Use a virtual experimental ”lab”, in which various types of extra-functional analysis of the demonstrator could be carried out, which could provide valuable feedback on the demonstrator performance, and resource usage assuming various settings prior to actual implementation of the respective setting.
- We present a method for encoding the resource-wise analysis as a weighted sum in which the variables capture the accumulated consumption of resources respectively. An unambiguous and compact description of the modeling elements of ProCom based on an extension of finite-state machines and sets the ground for formal analysis of systems built out of ProCom elements.
- The REMES behavioral language ProCom and REMES integration Performing resource-wise analysis The REMES tool-chain RG3. Exercise the applicability of the proposed design framework by modeling and analyzing example embedded systems that are motivated by reality.
- There are many possible future extensions of the work presented in this thesis. Extending ProCom to the automation domain Compositional reasoning- analyzing each component of the system in isolation and allowing global properties (such as resource consumption of the whole system) to be inferred about the entire system. Implement resource-wise verification algorithms in Uppaal Cora – implement max algorith (do not have to say this) -improve further the REMES tool-chain