Dependable Embedded Software Systems - PowerPoint PPT Presentation

Description: Title: Zones From infinite to finite. Author: CS. Last modified by: Kim. Created Date: 8/16/1998 8:31:16 AM. Document presentation format: On-screen Show. Slides: 49.
Transcript and Presenter's Notes

Title: Dependable Embedded Software Systems


1
Dependable Embedded Software Systems
  • Kim Guldstrand Larsen

UCb
2
BRICS: Basic Research in Computer Science, 1993-2006
(Figure residue: funding figure "304040 Mill. kr", two bars of 100, Tools, sites Aarhus and Aalborg.)
3
Tools and BRICS
Applications
visualSTATE
UPPAAL
SPIN
PVS
HOL
ALF
TLP
  • Semantics
    • Concurrency Theory
    • Abstract Interpretation
    • Compositionality
    • Models for real-time and hybrid systems
  • Algorithmic
    • (Timed) Automata Theory
    • Graph Theory
    • BDDs
    • Polyhedra Manipulation
  • Logic
    • Temporal Logic
    • Modal Logic
    • MSOL

4
A very complex system
Klaus Havelund, NASA
5
Rotterdam Storm Surge Barrier
6
Spectacular Software Bugs
  • ARIANE-5
  • INTEL Pentium II floating-point division:
    470 Mill. US$
  • Baggage handling system, Denver: 1.1 Mill.
    US$/day for 9 months
  • Mars Pathfinder
  • Radiation therapy, Therac-25
  • ...

7
Embedded Systems
Embedded Systems / Pervasive Computing
  • 80% of all software is embedded in interacting
    devices.
  • Demand for increasing functionality with minimal
    resources
  • The developer should ideally have several
    qualifications:
  • software construction and development,
  • hardware platforms,
  • communication protocols,
  • validation (test and verification), ...

8
Traditional Software Development
The Waterfall Model
(Diagram: Problem Area, Analyse, Design, Implementation, Testing, Running System, with REVIEWS between the phases.)
  • Costly in time-to-market and money
  • Errors are detected late or never
  • Application of FMs as early as possible
9
Model-based Validation
(Diagram: Analysis, Validation, Design Model, Specification, UML, Implementation, Testing; FORMAL METHODS supply Verification or Refusal of the design model.)
10
Model-based Validation
(Diagram: as before, with Automatic Code generation added from the design model to the Implementation.)
11
Model-based Validation
(Diagram: as before, with Automatic Code generation and Automatic Test generation added from the design model to Implementation and Testing.)
12
How?
  • Unified Model: State Machine!

(Diagram: a state machine with control states, input ports a?, b? and output ports x!, y!.)
13
Tamagotchi
(Diagram: state machine with superstate ALIVE containing Passive, Feeding (Light, Meal, Snack), Clean and Care (Play, Discipline, Medicine), and state DEAD; transitions on inputs A, B and C; Tick: Health := Health-1, Age := Age+1; the guard Health = 0 or Age = 2.000 leads to DEAD.)
14
Digital Watch
Statecharts (UML), David Harel
15
SYNCmaster
16
SPIN, Gerard Holzmann, AT&T
17
visualSTATE
VVS w Baan Visualstate, DTU (CIT project)
  • Hierarchical state systems
  • Flat state systems
  • Multiple and inter-related state machines
  • Supports UML notation
  • Device driver access

18
UPPAAL
19
Tool Support
(Diagram: System Description A and Requirement F are fed to the TOOL, which answers "Yes" with prototypes, executable code and test sequences, or "No!" with debugging information.)
Tools: UPPAAL, visualSTATE, SPIN, ESTEREL, Rhapsody, TeleLogic, Statemate, Formalcheck, ...
20
State Explosion problem
(Diagram: component M1 with states 1, 2, 3, 4 and component M2 with states a, b, c; the product M1 x M2 has one state per combination, (1,a), (1,b), ..., (4,c).)
Provably theoretically intractable:
all combinations, exponential in the number of components.
21
Train Simulator
VVS
1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states.
Declared state space: 10^476
BUGS ?
22
Train Simulator
VVS visualSTATE
1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states.
Declared state space: 10^476
BUGS ?
Our techniques have reduced verification time
by several orders of magnitude (e.g. from 14 days to
6 sec)
23
See www.uppaal.com !!!!
UPPAAL
Modelling and Verification of Real Time systems
UPPAAL2k: > 2000 users, > 45 countries
24
Collaborators
  • @Aalborg
    • Kim G Larsen
    • Arne Skou
    • Paul Pettersson
    • Carsten Weise
    • Kåre J Kristoffersen
    • Gerd Behrman
    • Thomas Hune
    • Oliver Möller
  • @Uppsala
    • Wang Yi
    • Johan Bengtsson
    • Paul Pettersson
    • Fredrik Larsson
    • Alexandre David
    • Tobias Amnell
    • Oliver Möller
  • @Elsewhere
    • David Griffioen, Ansgar Fehnker, Frits
      Vaandrager, Klaus Havelund, Theo Ruys, Pedro
      D'Argenio, J-P Katoen, J. Tretmans, Judi Romijn,
      Ed Brinksma, Franck Cassez, Magnus Lindahl,
      Francois Laroussinie, Patricia Bouyer, Augusto
      Burgueno, H. Bowmann, D. Latella, M. Massink, G.
      Faconti, Kristina Lundqvist, Lars Asplund, Justin
      Pearson...

25
Real Time Systems
(Diagram: Computer Science meets Control Theory; a discrete Controller Program made of Tasks is connected through sensors and actuators to the continuous Plant.)
E.g. pump control, air bags, robots, cruise control, ABS, CD players, production lines.
Real Time System: a system where correctness depends not
only on the logical order of events but
also on their timing.
26
Validation & Verification: Construction of UPPAAL models
(Diagram: the discrete Controller Program with its Tasks gives the model of tasks (automatic); the continuous Plant with sensors and actuators gives the model of environment (user-supplied); together they form the UPPAAL Model.)
27
Intelligent Light Control
(Diagram: locations Off, Light and Bright; edges labelled press?: Off -> Light, Light -> Bright, Light -> Off, Bright -> Off.)
WANT: if press is issued twice quickly then
the light will get brighter, otherwise the light
is turned off.
28
Intelligent Light Control
(Diagram: the same locations with clock x: Off -press?, x:=0-> Light; Light -press?, x<3-> Bright; Light -press?, x>3-> Off; Bright -press?-> Off.)
Solution: Add real-valued clock x
29
Timed Automata
Alur & Dill 1990
Clocks: x, y
Guard: Boolean combination of integer bounds on
clocks and clock-differences.
Reset: action performed on clocks.
Action: used for synchronization.
State: ( location , x=v , y=u ) where v,u are
in R.
Transitions (diagram: edge from location n to location m with guard x<5, y>3, action a and reset x:=0):
  • action step: ( n , x=2.4 , y=3.1415 ) --a--> ( m , x=0 , y=3.1415 )
  • delay step: ( n , x=2.4 , y=3.1415 ) --e(1.1)--> ( n , x=3.5 , y=4.2415 )
30
Timed Automata Invariants
Clocks: x, y
Location Invariants (diagram: location n has invariant x<5, location m has invariant y<10; edge n --x<5, y>3, a, x:=0--> m)
Transitions:
  • delay step e(3.2) from ( n , x=2.4 , y=3.1415 ) is not allowed: x would become 5.6, violating the invariant x<5 of n
  • delay step e(1.1): ( n , x=2.4 , y=3.1415 ) --e(1.1)--> ( n , x=3.5 , y=4.2415 )
Invariants ensure progress!!
(Figure residue: guards g1, g2, g3, g4.)
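As an added example (not from the slides), a small Python interpreter for the delay and action steps of slides 29-30, run on the Intelligent Light Control automaton with clock x from slides 27-28; the class and function names are my own.

```python
from dataclasses import dataclass

@dataclass
class Edge:
    src: str
    action: str            # synchronisation label, e.g. "press?"
    dst: str
    guard: callable = lambda clocks: True   # Boolean test on clock values
    resets: tuple = ()     # clocks set to 0 when the edge is taken

@dataclass
class TimedAutomaton:
    edges: list
    invariants: dict       # location -> Boolean test on clock values
    location: str
    clocks: dict           # current clock valuation, e.g. {"x": 2.4}

    def delay(self, d):
        """Delay step e(d): clocks advance by d only if the invariant still holds."""
        new = {c: v + d for c, v in self.clocks.items()}
        if not self.invariants.get(self.location, lambda clocks: True)(new):
            raise ValueError(f"e({d}) violates the invariant of {self.location}")
        self.clocks = new
        return self

    def fire(self, action):
        """Action step: first enabled edge labelled `action`, then its resets."""
        for e in self.edges:
            if e.src == self.location and e.action == action and e.guard(self.clocks):
                self.location = e.dst
                self.clocks.update({c: 0.0 for c in e.resets})
                return self
        raise ValueError(f"{action} not enabled in {self.location}")

def light_controller():
    """Intelligent Light Control with clock x; x == 3 exactly enables no edge."""
    return TimedAutomaton([
        Edge("Off", "press?", "Light", resets=("x",)),                   # start timing
        Edge("Light", "press?", "Bright", guard=lambda v: v["x"] < 3),  # quick 2nd press
        Edge("Light", "press?", "Off", guard=lambda v: v["x"] > 3),     # slow 2nd press
        Edge("Bright", "press?", "Off"),
    ], {}, "Off", {"x": 0.0})

def run(press_times):
    """Presses at absolute times: delay, then fire. Returns the final location."""
    ta, now = light_controller(), 0.0
    for t in press_times:
        ta.delay(t - now).fire("press?")
        now = t
    return ta.location
```

The invariant check of slide 30 is reproduced by constructing a location n with invariant x<5 and clocks x=2.4, y=3.1415: e(1.1) is accepted, e(3.2) is rejected.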
31
Cruise Control
When the car ignition is switched on and the on
button is pressed, the current speed is recorded
and the system is enabled: it maintains the speed
of the car at the recorded setting. Pressing the
brake, accelerator or off button disables the
system. Pressing resume or on re-enables the
system.
32
Model Structure
(Diagram: processes Cruise Control and Speed Control, with User and Engine; actions engineOn, engineOff, on, off, resume, brake, accelerator; clearSpeed, recordSpeed, enableControl, disableControl; dSpeed, cSpeed, acc.)
The CONTROL system is structured as two
processes. The main actions and interactions are
as shown.
33
(Diagram: the User and Engine automata.)
34
The CARA System
Computer Assisted Resuscitation System
Purpose: automate delivery of intravenous fluids to
injured persons in catastrophic situations.
Comprises software to monitor patients' blood pressure
and control a high-output infusion pump.
35
System Structure
36
System Structure
37
Case Studies Protocols
  • Philips Audio Protocol HS95, CAV95, RTSS95,
    CAV96
  • Collision-Avoidance Protocol SPIN95
  • Bounded Retransmission Protocol TACAS97
  • Bang & Olufsen Audio/Video Protocol RTSS97
  • TDMA Protocol PRFTS97
  • Lip-Synchronization Protocol FMICS97
  • Multimedia Streams DSVIS98
  • ATM ABR Protocol CAV99
  • ABB Fieldbus Protocol ECRTS2k
  • IEEE 1394 Firewire Root Contention (2000)

38
visualSTATE
VVS, CIT project
39
visualSTATE Tester Verification
  • No local nor global dead-ends
  • No never interpreted events
  • No fired actions
  • No conflicting transitions
  • No unreachable states
  • All combinations are checked!

100% Tested!
40
Train Simulator
1421 machines, 11102 transitions, 2981 inputs, 2667 outputs, 3204 local states.
Declared state space: 10^476
BUGS ?
41
Experimental Breakthroughs (Patented)
Machine: 166 MHz Pentium PC with 32 MB RAM ---
Out of memory, or did not terminate after 3 hours.
42
Experimental Breakthroughs (Patented)
Our techniques have reduced verification time
by several orders of magnitude (e.g. from 14 days to 6
sec)
Machine: 166 MHz Pentium PC with 32 MB RAM ---
Out of memory, or did not terminate after 3 hours.
43
Who is CISS ?
(Diagram: CISS links ICT Companies with the Institute of Computer Science and the Institute of Electronic Systems. Research areas: Distributed Real Time Systems, Control Theory, Real Time Systems, Networking, BRICS@Aalborg Modelling and Validation, Programming Languages, Software Engineering, Embedded Systems, Communication, HW/SW, Power Management.)
UCb
44
Who is CISS ?
Funding: VTU 25.5 MDKK; Regional Councils of Northern Jutland and Aalborg City 12 MDKK; AAU 12.75 MDKK; Companies 12.75 MDKK.
(Diagram: CISS links ICT Companies with the Institute of Computer Science and the Institute of Electronic Systems. Research areas: Distributed Real Time Systems, Control Theory, Real Time Systems, Networking, BRICS@Aalborg Modelling and Validation, Programming Languages, Software Engineering, Embedded Systems, Communication, HW/SW, Power Management.)
UCb
45
Typical Activities
  • Co-financed RD projects and case-studies
  • Industrial training and education
  • Seminars, workshops and networks of knowledge
    transfer and exchange
  • Ph.D. and industrial Ph.D. projects
  • Visiting Guest researchers
  • Student projects

46
Organisation
Søren Damgaard, IBM; Jørgen Elbæk, RTX; Steen Rasmussen, S-Card; Frands Voss, MCI; Danfoss; Flemming Fredriksen; Anders P. Ravn; Wladyslaw Pietraszek; Kim Guldstrand Larsen; Henrik Schiøler; Arne Skou; Peter Koch
47
Member Companies
48
Where is CISS ?