Soundness of the Quasi-Synchronous Abstraction
Guillaume Baudart, Timothy Bourke, Marc Pouzet
École normale supérieure, INRIA Paris, UPMC
FMCAD'16, Mountain View, 06-10-2016
Distributed Embedded Systems
Distributed controllers for critical embedded systems

Example: Flight Control System (example from [Miller et al. 2015])
• Generate pitch and roll guidance commands
• Two redundant Flight Guidance Systems (FGS)
• Only one active side (pilot side)
• Crew can switch from one to the other
• The two modules must share their state to avoid control glitch
[Figure: two Sensors → FGS chains (sensor1 → cmd1, sensor2 → cmd2) feed a Transfer Switch (switch) whose output cmd drives the Actuators]

Run embedded application... on distributed architectures
Synchronous Real-Time Model
For each process, activations are triggered by a local clock
Execution: infinite sequence of activations $(\kappa_i)_{i \in \mathbb{N}}$
For each process:
• known bounds for the time between two activations: $0 \le T_{min} \le \kappa_i - \kappa_{i-1} \le T_{max}$
• buffered communication without message inversion or loss
• bounded communication delay: $0 \le \tau_{min} \le \tau \le \tau_{max}$
[Figure: timing diagram of four processes A, B, C, D, each with its own clock activations, exchanging messages]
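As an added example (not code from the slides or from the authors), a checker that takes a recorded execution and verifies the three assumptions of the model above: bounded time between activations, bounded communication delay, and buffered delivery without loss or inversion. The `Bounds` and `Message` types, the `check_*` functions and the millisecond sample traces are constructed here for illustration; the traces are not taken from the presentation.

```python
"""Trace checker for the quasi-periodic real-time model (added example; not the
authors' code).  Activation instants and message timestamps are integers in
milliseconds so that comparisons with the bounds are exact."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bounds:
    t_min: int    # lower bound on the time between two activations (T_min)
    t_max: int    # upper bound on the time between two activations (T_max)
    tau_min: int  # lower bound on the communication delay (tau_min)
    tau_max: int  # upper bound on the communication delay (tau_max)


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    sent: int
    received: Optional[int]  # None models a lost message


def check_activations(activations, b):
    """Violations of 0 <= T_min <= kappa_i - kappa_{i-1} <= T_max, per process.
    `activations` maps a process name to its sorted activation instants."""
    out = []
    for proc, kappas in activations.items():
        for i in range(1, len(kappas)):
            gap = kappas[i] - kappas[i - 1]
            if not b.t_min <= gap <= b.t_max:
                out.append(f"{proc}: gap {gap} between activations {i - 1} and {i} "
                           f"not in [{b.t_min}, {b.t_max}]")
    return out


def check_channels(messages, b):
    """Violations of bounded delay, no loss and no inversion, per (src, dst) channel."""
    out = []
    by_channel = {}
    for m in messages:
        by_channel.setdefault((m.src, m.dst), []).append(m)
    for (src, dst), msgs in by_channel.items():
        msgs = sorted(msgs, key=lambda m: m.sent)  # FIFO order is the send order
        prev_received = None
        for k, m in enumerate(msgs):
            if m.received is None:
                out.append(f"{src}->{dst}: message {k} lost")
                continue
            delay = m.received - m.sent
            if not b.tau_min <= delay <= b.tau_max:
                out.append(f"{src}->{dst}: message {k} delay {delay} "
                           f"not in [{b.tau_min}, {b.tau_max}]")
            # A message received before its predecessor on the same channel
            # is an inversion, which the buffered model excludes.
            if prev_received is not None and m.received < prev_received:
                out.append(f"{src}->{dst}: message {k} overtakes its predecessor (inversion)")
            prev_received = m.received
    return out


def check_trace(activations, messages, b):
    """All violations of the model assumptions found in the trace (empty = conforming)."""
    return check_activations(activations, b) + check_channels(messages, b)


# Constructed sample data (not from the slides).
BOUNDS = Bounds(t_min=900, t_max=1200, tau_min=100, tau_max=400)

GOOD_ACTIVATIONS = {"A": [0, 1000, 2100, 3000], "B": [500, 1600, 2500]}
GOOD_MESSAGES = [
    Message("A", "B", sent=0, received=200),
    Message("A", "B", sent=1000, received=1300),
    Message("B", "A", sent=500, received=900),
]

# Each line below is built to trip exactly one check.
BAD_ACTIVATIONS = {"A": [0, 1000, 2500], "B": [500, 1600]}  # A: gap 1500 > T_max
BAD_MESSAGES = [
    Message("A", "B", sent=0, received=600),      # delay 600 > tau_max
    Message("A", "B", sent=1000, received=None),  # lost
    Message("B", "A", sent=500, received=900),    # fine (delay 400)
    Message("B", "A", sent=600, received=800),    # received before the previous one: inversion
]

if __name__ == "__main__":
    print("good trace:", check_trace(GOOD_ACTIVATIONS, GOOD_MESSAGES, BOUNDS))
    for v in check_trace(BAD_ACTIVATIONS, BAD_MESSAGES, BOUNDS):
        print("bad trace:", v)
```

The checker deliberately does not tie sends to activations: it only checks the three bounds stated on the slide, so it can be run over any timestamped log of activations and messages to confirm that an execution lies inside the model the abstraction assumes.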
Overview
Industrial practices observed at Airbus [Caspi 2000] (Verimag report)
Quasi-Synchronous Abstraction
Verification: verifying safety critical applications running on quasi-periodic architectures (ACSD'06, Verimag'08, DASC'14, Memocode'14, Memocode'15, Air Force'15)
Contributions:
• Abstraction is not sound in general
• Give exact conditions of application
The Big Picture
Real-time Model (RT): processes A and B with periods $T_A, T_B$ and delays $\tau_A, \tau_B$ such that $0 < T_{min} \le T_A, T_B \le T_{max}$ and $0 < \tau_{min} \le \tau_A, \tau_B \le \tau_{max}$
Scheduler (from RT to DT)
Discrete-time Model (DT): clocks $c_A$, $c_B$ producing interleavings such as A B A B or A A B B
[Figure: RT side with the timelines of A and B; DT side with the interleaved sequence of activations]
Soundness: $DT \models \varphi \Rightarrow RT \models \varphi$
Why discretize? Verification in a simpler discrete-time model
Use discrete-time model checking tools: Lesar (Verimag) [Halbwachs et al 1992], Kind2 (UIowa) [Hagen, Tinelli 2008]
Abstracting Real Time
Abstracting execution time: the execution time $\tau_{exec}$ and the sending time $\tau_{send}$ are merged into a single communication delay $\tau = \tau_{exec} + \tau_{send}$
Abstracting communication
[Figure: timing diagrams before and after abstracting execution time and communication]
Problems:
• Lots of possible interleavings
• Too general
Can we do better using real-time assumptions?
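Added example (not the authors' code), serving both the scheduler step of the Big Picture slide and the interleaving problem raised just above. `discretize` plays the scheduler: it merges the real-time activation instants of A and B into a sequence of discrete steps (a step is the set of processes ticking at that instant). `max_ticks_between` derives, from $T_{min}$ and $T_{max}$ alone, a bound on how many ticks of one process can fall strictly between two consecutive ticks of another, and `count_words` compares the number of untimed discrete words with the number that respect this bound. The bound is only a necessary condition that follows from the stated activation bounds, not the exact conditions the paper establishes; all function names and sample traces are assumptions made here.

```python
"""From real-time traces to discrete-time interleavings (added example; not the
authors' code).  Times are integers in milliseconds."""
import math
from fractions import Fraction
from itertools import product


def discretize(activations):
    """Scheduler: merge per-process activation instants into discrete steps.
    Processes activated at the same instant tick in the same step."""
    events = sorted((t, p) for p, ts in activations.items() for t in ts)
    steps = []
    for t, p in events:
        if steps and steps[-1][0] == t:
            steps[-1][1].add(p)
        else:
            steps.append((t, {p}))
    return [frozenset(s) for _, s in steps]


def max_ticks_between(t_min, t_max):
    """Upper bound on the ticks of one process strictly between two consecutive
    ticks of another.  n ticks spaced at least T_min apart span (n-1)*T_min, which
    must fit strictly inside an interval of length at most T_max, so n <= ceil(T_max/T_min)."""
    return math.ceil(Fraction(t_max) / Fraction(t_min))


def ticks_between(steps, inner, outer):
    """Largest number of `inner` ticks in steps strictly between two consecutive
    steps that contain an `outer` tick (a tick coincident with `outer` does not count)."""
    worst = 0
    run = None  # ticks seen since the last `outer`; None before the first `outer`
    for s in steps:
        if outer in s:
            if run is not None:
                worst = max(worst, run)
            run = 0
        elif inner in s and run is not None:
            run += 1
    return worst


def admissible(steps, k):
    """Necessary condition on a discrete word for some real-time execution within
    the bounds to produce it: at most k ticks of either process between two
    consecutive ticks of the other."""
    return ticks_between(steps, "A", "B") <= k and ticks_between(steps, "B", "A") <= k


def count_words(n, k):
    """(total, admissible) over all discrete words of n steps drawn from {A, B, AB}."""
    alphabet = [frozenset("A"), frozenset("B"), frozenset("AB")]
    total = admissible_count = 0
    for word in product(alphabet, repeat=n):
        total += 1
        if admissible(list(word), k):
            admissible_count += 1
    return total, admissible_count


# Constructed witness (not from the slides): with T_min = 900 and T_max = 1200 the
# bound is ceil(1200/900) = 2, and this trace reaches it.
WITNESS = {"A": [100, 1000], "B": [0, 1200]}

if __name__ == "__main__":
    k = max_ticks_between(900, 1200)
    steps = discretize(WITNESS)
    print("bound:", k, "witness word:", ["".join(sorted(s)) for s in steps],
          "A ticks between B ticks:", ticks_between(steps, "A", "B"))
    for n in (4, 6):
        total, ok = count_words(n, k)
        print(f"{n} steps: {total} untimed words, {ok} admissible under the bound")
```

The untimed abstraction accepts every word over {A, B, AB}, which is what the slide calls too general; the count shows how even the weakest consequence of the real-time bounds already discards part of that space, and any word rejected here cannot be produced by an execution that satisfies the model.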