Introduction
Synoptic language
Middleware/Synoptic Interaction
Current works
Synoptic : Spacecraft Synchronous DSML
SPaCIFY project
Alexandre Cortier, Post-doc at IRIT/ACADIE
[email protected]
IRIT - SPaCIFY project - Synoptic : Spacecraft Synchronous DSML
1/29
Outline
1. Introduction
2. Synoptic language
3. Middleware/Synoptic Interaction
4. Current works
SPaCIFY : ANR Project
Spacify : ANR (French National Research Agency) project. Project end : September 2009.
Aim :
- R&D project aiming at developing a design environment for critical embedded software (spacecraft systems)
- Model-Driven Engineering and Formal Methods
  • model checking
  • formally-verified domain specific transformations
- multi-clock synchronous paradigm
- simulation and analysis tools
- scheduling analysis
- executive platform supporting distribution, partitioning and dynamic adaptation (middleware)
Environment components will be built upon the Topcased toolkit (The Open-Source Toolkit for Critical Systems).
The SPaCIFY Project
Industrial Stakeholders :
- CNES, Thales Alenia Space, EADS Astrium
  • spacecraft system designers
- Anyware Technologies, GEENSYS
  • graphical design environment
  • configuration, versions and documentation management
Academic Stakeholders :
- IRIT-ACADIE (Toulouse) : Synoptic language definition, formally-verified model transformations
- ENSTB-CAMA (Brest) : middleware design
- IRISA-ESPRESSO (Rennes) : synchronous semantics
- LaBRI (Bordeaux) : model-checking
Synoptic
Synoptic : DSML (Domain Specific Modeling Language) for spacecraft systems.
Requirements :
- central language of the development environment
- must be able to support an iterative and incremental development process
- functional, architectural and dynamic views specifications
- modular design
- based on a synchronous semantics (functional part)
Overview : SPaCIFY development process
[Figure: SPaCIFY development process. Labels: Dynamic/Hardware Specification; Simulink/Stateflow models (limited to functional behavior); Textual Requirement; Automation / System Engineer; Software Development; AADL models; Model Transformation; Req. Analysis; Design; "Functional" Synoptic model; Domain specific transfo. pattern; Synoptic transfo. pattern; Automata elicitation; Software function splitting; Model Organisation; Synoptic model; Dynamic analysis and design; Code Generation; Source Code; MW Config.]
Overview : SPaCIFY development process
[Figure: second build of the same process figure; the Synoptic models are grouped under the label "Synchronous World".]
Overview : SPaCIFY development process
The development process starts with Simulink/Stateflow models.
Reason : Simulink/Stateflow is the modelling language most frequently used by software engineers in the space domain.
Raised problems : Simulink/Stateflow is
- based on the synchronous paradigm
- but some control flow constructions were added...
This requires care during the translation process ! (cf. Geneauto - Marc Pantel)
2. Synoptic language
Synoptic
Synoptic : a graphical and textual DSML
- provides high-level constructions to handle
  • multi-layers description (various modelling aspects)
  • various granularity levels (iterative and refinement development)
  • modular approach
- based on a synchronous semantics
  • formal and deterministic analysis and verification
  • refinement proof
  • transformation proof
Synoptic : multi-layers system specification
Synoptic is not fundamentally a new language but an integration of different sources and concepts. Synoptic is inspired by several approaches :
- Geneauto : safe subset of the Simulink/Stateflow modelling language used for the development of certified safety critical embedded real time systems
- AADL : Architecture Analysis & Design Language (formerly Avionics Architecture Description Language)
- Component Models : CCM, Fractal
Synoptic : multi-layers system specification
Software Architecture : Geneauto approach
- structural feature : Dataflow models ("Block Diagrams")
- behavioral feature : Control Flow models ("Finite State Machines")
- real-time constraints : clock properties
Dynamic/Hardware Architecture : AADL approach
- Threads description
- platform aspects ("components view")
- mappings : which component executes which functional blocks ?
  • functional block → threads
  • threads → hardware components (processor)
Synoptic : multi-layers system specification
[Figure: four layers, from top to bottom: Functional and control design; Software architecture; Dynamic architecture (Threads + Properties, 10 Hz, 50 Hz); Hardware architecture (Device_1, Bus, Processor, Hardware Design). "mappings" arrows link the software architecture to the dynamic architecture and the dynamic architecture to the hardware architecture.]
Synoptic : functional model
Software architecture = blocks/nodes hierarchy
A node in a block diagram has :
- a type
- several implementations
A node type describes interaction ports (interface).
Different kinds of implementations :
- dataflow : describes the functional part
- automaton : describes the behavioral part (modes)
- primitive : "black box"
Dataflow and automaton blocks are mutually nested.
Synoptic : functional model (block hierarchy)
[Figure: an AUTOMATON with states Etat_1 and Etat_2 (Etat = state) joined by a transition; a MACRO-ETAT (macro-state) containing a DATAFLOW, which in turn contains an AUTOMATON with a Garde (guard), an Action, states Etat_1.1 and Etat_1.2, and Macro-état 1.3.]
Synoptic : functional model (node type)
Node type example :

block type SunPointing
  features
    IMU_Data : in data port array 3 of double;
    STR_Data : in data port array 4 of double;
    DOR_Data : in data port array 4 of double;
    MTQ_Cmd  : out data port array 3 of double;
    RW_Cmd   : out data port array 3 of double;
end SunPointing;

Implicit ports :
- reset : re-initialization (boolean port)
- trigger : block activation (event port)
- enable : block activation control (boolean port)
Synoptic : functional model (dataflow)
Dataflow implementation example (the figure annotations point out the node type identifier, the dataflow implementation name, a logical expression, the hierarchy and a port identifier) :

node body int1.dtf is dataflow
  blocks
    sc1 : dataflow dtf2 > interface int2;   -- to refine
    sc2 : extern var tc1;                   -- MW/Synoptic interaction
    sc3 : automaton aut;
    sc4 : external algo >
  signals
    s1 : event (ev1? and (dp>3)^) -> sc1.trigger;
    s2 : data port sc2.odp -> sc1.idp;
    ....
  properties
    ....
end int1.dtf;
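Added example (Python, not part of the SPaCIFY slides or tooling): a small parser for the block type syntax shown on the node type slide, completed with the three implicit ports, followed by a consistency check on the `data port a.p -> b.q` connections used in dataflow bodies (an out port must feed an in port, and both ends must agree on kind, array size and element type). The accepted grammar is reconstructed from the slide fragments; the Sensors block type, the instance names and the connection lines are constructed sample input.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    direction: str   # "in" or "out"
    kind: str        # "data", "event" or "boolean" (the port kinds named on the slides)
    size: int        # array length, 1 for a scalar
    elem: str        # element type, e.g. "double"

# Implicit ports every block type carries, per the node type slide.
IMPLICIT_PORTS = (
    Port("reset", "in", "boolean", 1, "boolean"),
    Port("trigger", "in", "event", 1, "event"),
    Port("enable", "in", "boolean", 1, "boolean"),
)

# Grammar assumed from the slide: 'block type N features <ports> end N;'
BLOCK_RE = re.compile(r"block\s+type\s+(\w+)\s+features(.*?)end\s+\1\s*;", re.S)
PORT_RE = re.compile(r"(\w+)\s*:\s*(in|out)\s+data\s+port\s+(?:array\s+(\d+)\s+of\s+)?(\w+)\s*;")
CONN_RE = re.compile(r"data\s+port\s+(\w+)\.(\w+)\s*->\s*(\w+)\.(\w+)\s*;")

def parse_block_types(text):
    """Map block type name -> {port name: Port}, implicit ports included."""
    types = {}
    for m in BLOCK_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        ports = {p.name: p for p in IMPLICIT_PORTS}
        for pname, direction, size, elem in PORT_RE.findall(body):
            if pname in ports:
                raise ValueError(f"{name}: port {pname} is duplicated or reserved")
            ports[pname] = Port(pname, direction, "data", int(size) if size else 1, elem)
        types[name] = ports
    return types

def check_connections(types, instances, text):
    """Return a list of error strings for the connections found in text.
    instances maps block instance name -> block type name."""
    errors = []
    for si, sp, di, dp in CONN_RE.findall(text):
        label = f"{si}.{sp} -> {di}.{dp}"
        try:
            src, dst = types[instances[si]][sp], types[instances[di]][dp]
        except KeyError as e:
            errors.append(f"{label}: unknown instance or port {e.args[0]}")
            continue
        if src.direction != "out" or dst.direction != "in":
            errors.append(f"{label}: a connection must go from an out port to an in port")
        if (src.kind, src.size, src.elem) != (dst.kind, dst.size, dst.elem):
            errors.append(f"{label}: {src.kind} array {src.size} of {src.elem} "
                          f"does not match {dst.kind} array {dst.size} of {dst.elem}")
    return errors

# SunPointing is the slide's example; Sensors is a constructed second block type.
SAMPLE_TYPES = """
block type SunPointing
  features
    IMU_Data : in data port array 3 of double;
    STR_Data : in data port array 4 of double;
    DOR_Data : in data port array 4 of double;
    MTQ_Cmd  : out data port array 3 of double;
    RW_Cmd   : out data port array 3 of double;
end SunPointing;

block type Sensors
  features
    IMU_Out : out data port array 3 of double;
    STR_Out : out data port array 4 of double;
end Sensors;
"""

# Constructed instances and connections: two well-formed, two faulty.
INSTANCES = {"sens": "Sensors", "sp": "SunPointing"}
SAMPLE_CONNECTIONS = """
data port sens.IMU_Out -> sp.IMU_Data;   -- ok
data port sens.STR_Out -> sp.DOR_Data;   -- ok
data port sp.MTQ_Cmd   -> sens.IMU_Out;  -- out port wired to an out port
data port sens.IMU_Out -> sp.STR_Data;   -- array 3 wired to array 4
"""

if __name__ == "__main__":
    types = parse_block_types(SAMPLE_TYPES)
    for err in check_connections(types, INSTANCES, SAMPLE_CONNECTIONS):
        print(err)
```

Running the block prints the two faulty connections. The check is the textual counterpart of what a validated transformation has to preserve: a dataflow refinement that rewires ports must leave every connection direction- and type-consistent, so the same function can be rerun on the refined model.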
Synoptic : functional model (automaton)

automaton INIT_calculateur.aut
  states
    PM_RESET : state dtf, /* dtf = dataflow implementation */
    Boostrap : state,
    OBSW_running : state,
    Firmware : macro state
      states
        PM_Built_IN_TESTS : state,
        OBSW_checkers : state;
      initial state PM_Built_IN_TESTS;
      transitions
        tr1 : PM_Built_IN_TESTS -[ ]→ OBSW_checkers;
    end Firmware,
    RAM : macro state
      [...]
    end RAM;
  initial state PM_RESET;
  transitions
    t1 : PM_RESET -[ on G do A ]→ Firmware.PM_Built_IN_TESTS;
    t2 : Firmware.PM_Built_IN_TESTS -[ ]→ Firmware.OBSW_checkers;
    [...]
end INIT_calculateur.aut;
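Added example (Python, not part of the SPaCIFY slides or tooling): a parser for the automaton syntax above and the well-formedness checks a model checker would require before any deeper analysis: each state scope (the automaton and every macro state) declares its initial state, every transition endpoint resolves (dotted paths descend into macro states), and every state is reachable from the initial state of its scope. The grammar is reconstructed from the slide, guards are kept as opaque text, and the automaton text is constructed from the slide's names with the elided RAM body filled in by a single constructed state.

```python
import re

# Tokens: comments (dropped), arrows '-[ guard ]->' or '-[ guard ]→' (reduced to ARROW),
# dotted identifiers such as Firmware.PM_Built_IN_TESTS, and ':' ',' ';'.
TOKEN_RE = re.compile(r"/\*.*?\*/|-\[[^\]]*\](?:->|→)|[A-Za-z_][\w.]*|[:,;]", re.S)

class Parser:
    def __init__(self, text):
        toks = [m.group(0) for m in TOKEN_RE.finditer(text) if not m.group(0).startswith("/*")]
        self.toks = ["ARROW" if t.startswith("-[") else t for t in toks]
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r} at token {self.i}")
        self.i += 1
        return tok

    def automaton(self):
        self.take("automaton")
        name = self.take()
        scope = self.scope()
        self.take("end"); self.take(name); self.take(";")
        return name, scope

    def scope(self):
        """states ...; initial state X; [transitions ...]  (a macro state has the same body)."""
        scope = {"states": {}, "initial": None, "transitions": []}
        self.take("states")
        while True:
            sname = self.take(); self.take(":")
            if self.peek() == "macro":
                self.take("macro"); self.take("state")
                scope["states"][sname] = self.scope()      # nested scope
                self.take("end"); self.take(sname)
            else:
                self.take("state")
                if self.peek() not in (",", ";"):
                    self.take()                            # optional implementation, e.g. dtf
                scope["states"][sname] = None              # simple state
            if self.take() == ";":                          # ',' continues the list
                break
        self.take("initial"); self.take("state")
        scope["initial"] = self.take(); self.take(";")
        if self.peek() == "transitions":
            self.take("transitions")
            while self.peek() not in ("end", None):
                self.take(); self.take(":")                 # transition name
                src = self.take(); self.take("ARROW"); dst = self.take(); self.take(";")
                scope["transitions"].append((src, dst))
        return scope

def parse_automaton(text):
    return Parser(text).automaton()

def resolves(scope, path):
    """True if a dotted state path exists, descending into macro states."""
    head, _, rest = path.partition(".")
    if head not in scope["states"]:
        return False
    sub = scope["states"][head]
    return not rest or (sub is not None and resolves(sub, rest))

def check(scope, where="<top>"):
    """Undeclared initial state, dangling endpoints, unreachable states; recurses into macro states."""
    problems, names = [], set(scope["states"])
    if scope["initial"] not in names:
        problems.append(f"{where}: initial state {scope['initial']!r} is not declared")
    edges = {n: set() for n in names}
    for src, dst in scope["transitions"]:
        for end in (src, dst):
            if not resolves(scope, end):
                problems.append(f"{where}: transition endpoint {end!r} does not resolve")
        s, d = src.partition(".")[0], dst.partition(".")[0]
        if s in edges and d in names:
            edges[s].add(d)
    seen, todo = set(), [scope["initial"]]
    while todo:                                             # reachability over this scope's states
        n = todo.pop()
        if n in edges and n not in seen:
            seen.add(n)
            todo.extend(edges[n])
    for n in sorted(names - seen):
        problems.append(f"{where}: state {n!r} is unreachable from {scope['initial']!r}")
    for n, sub in scope["states"].items():
        if sub is not None:
            problems.extend(check(sub, f"{where}.{n}"))
    return problems

def validate(text):
    return check(parse_automaton(text)[1])

# Constructed automaton built from the slide's names; RAM's body is a constructed placeholder.
SAMPLE = """
automaton INIT_calculateur.aut
  states
    PM_RESET : state dtf, /* dtf = dataflow implementation */
    Bootstrap : state, OBSW_running : state,
    Firmware : macro state
      states PM_Built_IN_TESTS : state, OBSW_checkers : state;
      initial state PM_Built_IN_TESTS;
      transitions tr1 : PM_Built_IN_TESTS -[ ]-> OBSW_checkers;
    end Firmware,
    RAM : macro state states RAM_check : state; initial state RAM_check; end RAM;
  initial state PM_RESET;
  transitions
    t1 : PM_RESET -[ on G do A ]-> Firmware.PM_Built_IN_TESTS;
    t2 : Firmware.PM_Built_IN_TESTS -[ ]-> Firmware.OBSW_checkers;
    t3 : Firmware.OBSW_checkers -[ ]-> RAM;
    t4 : RAM.RAM_check -[ ]-> Bootstrap;
    t5 : Bootstrap -[ ]-> OBSW_running;
end INIT_calculateur.aut;
"""
# Same automaton with one mistyped target: OBSW_running becomes unreachable as well.
FAULTY = SAMPLE.replace("-[ ]-> OBSW_running;", "-[ ]-> Firmware.Missing;")
```

`validate(SAMPLE)` returns an empty list; `validate(FAULTY)` reports the dangling endpoint and the state it orphaned. Reachability is computed per scope on the heads of the dotted paths, so a transition into `Firmware.OBSW_checkers` counts as entering `Firmware`; a mode that no transition can reach is exactly the kind of dead code a refinement proof obligation should flag.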
3. Middleware/Synoptic Interaction
Synoptic/MW : external variables
The Middleware has to abstract the asynchronous behavior of the system (buffering, ...).
Interactions between MW and Synoptic models are handled using the external variable concept.
- external variables = sources / sinks of signals
- external variable types : constants, TM, TC, global variables
- external variable contracts
Synoptic/MW : external variables
[Figure: a Variable accessed by Client 1 and Client 2, with its contracts: Usage contract, Synchronisation contract, Persistence contract, Syntactic contract, Remote access contract.]
External variables and associated contracts are used to configure the MW.
4. Current works
Synoptic Language Definition
Synoptic Language Definition
- Meta-Model definition (last steps)
- concrete textual syntax
Synoptic Semantics ?
- in progress...
- semantics by translation (ESPRESSO-IRIT) : Signal (Polychrony)
- we need to define a semantics for the language core
  • work on transformation proofs (Martin Strecker)
Meta-Model (Ecore)
Textual Syntax and Edition tool (Topcased)
Transformations Validation
Automatic mappings : blocks → threads
- to assist the developer
- need a formalisation of the current pragmatic rules used by system engineers
Blocks and Signals Refinements :
- automatic refinement (patterns : validated transformations)
- Proof Obligation (PO) generation for manual refinements
Edition transformations :
- ex : Model organisation, Software function splitting
- Automatic and validated transformations
Questions ?