IST, 2002-2004

This project is concerned with the evolution of the Time-Triggered Architecture (TTA) into a full-fledged methodology and tool-chain for the development of distributed control applications, such as those found in the automotive or the avionic industries. For more information check the project’s home page.

 Verimag role and achievements

The role of Verimag in the project has been to use Lustre as a high-level design language for TTA-based applications. So far, no such language has existed for TTA. Our goal in the project has been to develop an end-to-end tool-chain from high-level design in Lustre all the way down to a running implementation on TTA. In the course of the project this goal has been partially achieved. We now provide a tool-chain which can automatically generate distributed code for a multi-periodic Lustre program on a multi-processor architecture. The processors are assumed to run the OSEKtime operating system, use non-preemptive scheduling, and communicate via the TTP protocol. In particular:

— We have proposed a set of extensions to the Lustre language, in order to facilitate its implementation on a distributed, real-time architecture such as TTA. These extensions can be seen as "pragmas" and do not change the logical semantics of the program. The extensions include primitives to express assumptions on periodicity of inputs and on worst-case execution times, real-time requirements such as deadlines of the form "output must be produced at most x time units after input", as well as primitives to indicate which part of the program should be allocated to which processor.

— We have proposed methods to partition a Lustre program into tasks and schedule these tasks on the multi-processor architecture, respecting the TTP constraints on bus communication. We have also proposed methods to refine the partition based on feedback from the scheduler for cases where a schedule is infeasible. Finally, we have proposed methods to automatically generated "glue code" (interface code) so that the final running system preserves the logical semantics of the original Lustre program.

— The automotive industry largely employs the Matlab/Simulink/Stateflow (TM Mathworks) tool to design control software. Given this context, we have developed methods and tools to translate existing Simulink/Stateflow designs into Lustre (the Stateflow part has been done as part of the follow-up project RISE).

— Our main industrial partner in the project, Audi, was particularly interested in verification techniques, at different levels: verification of design, verification of schedules, verification of distributed run-time systems. We have provided methods to address these verification problems. For design verification, we used our Simulink-to-Lustre translator and the Lustre model-checker Lesar. For schedule and run-time system verification, new techniques and prototype tools have been developed.

— The above have been implemented in prototype tools, to be integrated in the Lustre software distribution. The tools have been used, along with existing tools such as Lustre to C code generators, in a number of case studies provided by Audi. One of these concerned the implementation of a steer-by-wire controller (camera based) for a prototype Audi vehicle. We used the Simulink-to-Lustre translator and a Lustre-to-C code generator to automatically generate code from Audi’s Simulink design. This code was then integrated and run on the prototype vehicle. A demonstration of the system was performed for the reviewers and project partners during the final project review on January 22, 2004 at the Audi testbed in Ingolstadt, Germany.

The activities of this project continue in the follow-up IST project Rise.

 Synchronous Team members involved

— Paul Caspi
— Adrian Curic
— Norman Scaife
— Aude Maignan
— Pascal Raymond

 Other Verimag members involved

— Stavros Tripakis
— Christos Sofronis


View online : Official Project page