SYRF Proposal

SYRF Proposal


Back to the SYRF Home Page


Outline of the Project
Approach



Back to the Proposal ToC

Outline of the Project

Back to the Proposal ToC

Background

Reactive systems are computer systems that continuously react to their environment at a speed determined by this environment. Most industrial ``real-time'' systems are reactive --- control, supervision and signal-processing systems. Such systems become critical players in our everyday environment, and constitute an industrial stake of increasing importance.

If we review the available, classical design tools, we find on one hand, multitasking systems driven by a real-time Operating System, and, on the other hand, general-purpose concurrent languages such as ADA. The former do not supply an acceptable level of reliability, because they do not provide a global and formal view of the system, which is separated into tasks and calls for services provided by the operating system; furthermore, they do not preserve application determinism. The latter are intrinsically non-deterministic and do not provide the necessary accurate real-time capabilities.

Synchronous languages [7, 5, 27] have been specifically designed to ease the programmer's task when dealing with reactive systems. Their basic choice is to provide idealised primitives for concurrency and communication: a reaction to an input event is considered to be instantaneous, thus making output strictly synchronous with input. For instance, the Esterel statement ``every 60 SECOND do emit MINUTE'' emits a signal ``MINUTE'' which is exactly synchronous with each 60th reception of a signal ``SECOND''. Synchronous languages offer a logical notion of concurrency, i.e., synchronous concurrency is just a way to logically split the description of an application into a set of communicating processes. This is extremely useful for describing complex systems, but has nothing to do with an actual concurrent implementation. Interaction between concurrent components within the program is conceptually performed by broadcasting events in no time and in a fully deterministic way: when a process emits a signal, the signal is instantaneously perceived by any other process which listens to it. Notice that this non-symmetric communication is exactly what is needed for reactive systems; in particular, it accurately models how a system receives events from its environment, without being able to control the speed of the environment [There is a design error in several published versions of the popular ``railroad-crossing'' example: when the gate is moving up, it does not perceive the approach of a new train. Now, if the communication is by rendez-vous, the model does not show the error: conceptually, the gate stops the train just by refusing the rendez-vous!] .

In practice, synchrony is the assumption that the program reacts rapidly enough to perceive all the external events in suitable order and to produce all the outputs for an input before reacting to a new input. For instance, automatic controllers are commonly programmed as an infinite loop over a body consisting of acquiring inputs, performing internal computations and returning outputs, execution of the body being considered atomic. This is readily abstracted into a perfectly synchronous reaction. If practical synchrony is satisfied --- and, more importantly, if its satisfaction can be checked --- the conceptual synchrony hypothesis is rather a more realistic abstraction than ignoring size limitations in the representation of numbers inside a particular computer.

Although the synchrony hypothesis may look relatively new for software, it is well-known in other fields: it is a very common assumption in digital hardware design, there called the zero-delay model; it is routinely used in control theory, where one always neglects the cost of numerical computations when designing control laws.

We don't mean that synchronous languages are the panacea for programming all real-time systems: there exist systems which are intrinsically distributed and asynchronous, and the design of complex systems generally require to deal with some degree of asynchrony. However, our claim is that one should stay in the synchronous world as long as it works, since it makes all the tasks dramatically simpler and safer.

Three synchronous languages have been designed in France during the last decade: Esterel [15] is an imperative language, while Lustre [28] and Signal [36] use a data-flow approach. An other formalism, Argos [40], inspired both by Esterel and the Statecharts, has been studied more recently. Academic research is now also taking place in European institutions like GMD and Linköping University. Corresponding research is also active in the USA, in universities like Berkeley, Austin, Carnegie Mellon, and institutions like AT&T Bell Labs and Xerox PARC. The proximity of synchronous reactive system theory with the general purpose of computer-aided design and synthesis of hardware circuits makes it an economically challenging topic worldwide. Potential impact of synchronous languages in the important area of hardware/software codesign is amply recognised by experts from this scientific community [see, for instance, the frequent references to synchronous languages in ``Hardware/software co-design. Proceedings of the NATO Advanced Study Institute, Serie Applied Sciences vol. 310, June 19-30 1995.''] .

These languages have been developed in tight cooperation. In particular, there is an important attempt to keep their compilers compatible, through the use of common formats. The goal is to translate the various languages into a single format, so as to allow various tools to be shared, and also to make easier the integration of components written in different formalisms. A first, low-level, common format, called OC (for ``object code'') was proposed a long time ago, and mainly shared by Esterel and Lustre. More recently, it was proposed to design a higher-level format. Made of two nested levels, called DC (for ``declarative code'') and DC+, this format was designed in the framework of the EUREKA-SYNCHRON project, and is intended to be used by industrial tools.

Back to the Proposal ToC

Industrial relevance

Synchronous languages are already exceptionally successful in industry, compared to other formal methods: industrial programming environments are available, and used in actual software production. For instance, Schneider-Electric uses the Saga-Lustre environment for designing systems for nuclear power-plant control and supervision. The SAO+ environment, also based on Lustre, has been chosen by Aérospatiale for the specification and maintenance of Airbus flight-control software. SAO+ is also used by VOLVO and SAAB Military Aircraft, and is likely to become a major development tool of the whole European avionics industry. Successful experiments with Esterel have taken place in several companies (in particular Dassault-Aviation and AT&T [ see, for instance, ``L.J. Jagadeesan, C. Puchol, and J.E. Von Olnhausen. A formal approach to reactive systems software, a telecommunications application in Esterel. In Formal Methods in System Design, vol. 8, pp. 123--151, 1996.'' ] ), and the language is a serious candidate to be used for designing hardware controllers by major CAD companies in the USA. Signal is used at Snecma and Thomson-Multimedia, and is under evaluation at EdF, Thomson, Siemens and VTT, among others.

These first industrial successes have prompted a demand for research extensions, from actual users. Such specific extensions are in the focus of the present proposal, which should provide new results, as well as tools ready for technology transfer, as outlined below.

Back to the Proposal ToC

Objectives

The main needs for extension expressed by users concern the following areas [From now on, work areas are numbered in a uniform way. Work Area 0 will be ``Project Management'', and Work Area 1 concerns ``Case Studies Analysis''.] , which will be detailed in the next section:

As it often happens, this structure is somewhat arbitrary, and some of the considered areas are overlapping: verification will not be addressed only in area 3, but also in area 5, for mixed synchronous/asynchronous systems, and in area 7, for mixed analog/discrete systems. Code distribution has obviously to do with asynchrony. Combination of formalisms is useful in verification (expression of properties by observers) and for hardware description.

Areas 1, 4, and 6, all concern integration of models and extension outside the strict synchronous framework. As such integration/extension represents a significant part of our objectives, let us comment further on it:

The engineering of embedded systems, let it be for control or signal processing, is concerned with several types of models of quite different nature. A taxonomy of models is given in Figure below, with time and state as coordinates, either being discrete of continuous.

Though sometimes it may be possible to model parts of a system within one single square, e.g., analog controllers in terms of continuous time and state, more often even parts of a system can be adequately modeled only by combining different aspects, e.g., both discrete and continuous time is needed for designing a compact disc player, or discrete change of state may be needed for a sensor/actuator system to model major changes of mode of operation.

All synchronous formalisms assume time to be discrete but differ with regard to the modeling of state. Available synchronous formalisms are either imperative, supporting discrete state transitions, or are declarative, supporting continuous state transition, where subsystems may run on a wide variety of clock rates. Hence a combination of these formalisms (area 2) will permit to explore the full design space of discrete time models in a uniform way. Extensions towards asynchronous environments (area 5) will enter the continuous-time/discrete-state domain, while integration with analog models (area 7) will cover the last square.

This ``horizontal'' exploration of the design space is complemented by a ``vertical'' integration concerning the development process: multiparadigm design needs to be complemented by respective technology for validation and verification (area 3) if, but not only if, dealing with safety-critical applications. Further, synchronous designs have to be efficiently mapped to different target architectures with quite different goals in mind; on one hand, synchronous programs will be mapped to or integrated with real-time operating systems by adding some kind of asynchrony while essentially retaining synchrony (area 5) and still supporting real-time analysis, and on the other hand, time-critical requirements demand mapping to an architecture which combines software components and dedicated hardware components (area 6).

All these research areas are inherently linked, though addressing different topics: e.g. code distribution and multi-tasking relies on a clear understanding of the interaction of synchrony and asynchrony as investigated in area 5 and on validation/verification principles relating synchrony and asynchrony for a correct mapping to a target architecture. Or, hardware/software codesign will take advantage of the combination of different synchronous formalisms each of which is best-suited to specify particular kinds of, e.g., hardware structure. Or, particular verification methods are better-suited for particular synchronous formalisms, so that the combination of formalisms will support a combination of verification methods, and conversely, a combination of verification methods will support a multiparadigm design.

Finally, let us explain why some important topics are not addressed by the project:

Back to the Proposal ToC

Results

Most of the proposed tasks will result in prototype tools. The adequacy of these tools to practical needs will be searched, through their assessment by users and their confrontation to actual case studies.

As far as possible, tools will be developed around existing common formats, with limited extensions only if necessary. This will make such tools independent from particular languages, and promote cross-distribution amongst project partners. This will also ease their transfer into industrial environments developed by software manufacturers aware of these representation formats.

Benefits will be immediate for industrial partners inside the project or from the Steering Committee, who will have definite influencial opportunities by expressing their needs and expectations through their submitted case studies. On a larger scale the results of the project will certainly be valuable in the framework of Esprit Workprogramme 1: Software Technology, concerning Tasks 1.1 (for embedded and safety critical systems), 1.3 and 5.5 (for hardware/software codesign).

Back to the Proposal ToC

Approach

Back to the Proposal ToC

Organization

Full partners will conduct research in coordination to propose adequate solutions to the topics mentioned above. Research will generally encompass basic aspects, but will be driven towards the development of tools applicable to industrial case studies.

Industrial associate partners, who are already familiar with synchronous languages, will provide real and significant case studies, to assess the results of the project. Some of these case studies have already been identified (see Section on case studies ).

The project will also be advised by an Industrial Steering Committee, that includes representatives of some of Europe's leading developers of embedded reactive systems.

The industrial associate partners and the members of the steering committee will make sure that the techniques and tools developed in the project are those which are the most urgently needed in industrial applications.

The main difference between the industrial associate partners within SYRF, and those who are only members of the Steering Committee lies in their degree of commitment to providing industrial case studies to full partners of the project. The industrial associate partners within SYRF have the obligation to supply the project with relevant case studies, to be available to discuss the details of the problems they propose, and to assess carefully the merits of the proposed solutions. Those who are only members of the Steering Committee are only encouraged to do so, and they are free to determine the amount of time they will invest in discussing with the SYRF partners.

Notice that none of the associate partners is a vendor of synchronous technology. The reason is that the companies that presently industrialise synchronous environments are not involved in long term research --- while being directly interested in the results and ready to transfer them. Rather, associate partners are final users of synchronous technology, who can better identify the actual needs, propose case studies, and assess the results.

Back to the Proposal ToC

Case Studies

As mentioned before, most research actions in the project will be assessed by applying the results on industrial case studies. Some of these case studies have already been identified (see below), but we expect other examples to be submitted by members of the Steering Committee. A very first task (hereafter called ``Work Area 1'') of the project will be that each partner get acquainted with the proposed case studies, and that these case studies be allocated to work areas and tasks. The treatment of case studies in the framework of each task is not part of this Work Area 1, but the assessment of this treatment by the associate partners is.

Back to the Proposal ToC

Turbine Bypassing Unit

This case study is proposed by Schneider Electric. It concerns a ``turbine bypassing unit'' (TBU) which is a part of a nuclear protection system.

The roles of the TBU are:

Functionnally, the unit receives: It outputs: It consists of a chain of analogic processing, and of signaling and switching logics.

The analogic chain performs consistency controls about pressure values sampled in redundancy 3, using a voltmetric balance protecting against the drift of analogic values. One value amongst 3 is extracted. This steam pressure is integrated by means of a PID to obtain a percentage of gate opening. According to emergency stopping informations, the unit decides then if it takes the gate under control, and updates the logical informations concerning the switching of the protection system.

On the other hand, the unit computes the nuclear power as a function of the steam pressure (tabulated function).

The unit is classified as a safety critical device: it is only active during an emergency stopping. Its validation is considered to be critical in the development process.

It has been developed using the tool Saga. It is made of about 40 Lustre nodes, and 7 functions in C. Schneider-Electric will provide

Back to the Proposal ToC

Aircraft Air Control System

SAAB-MA proposes to use the air control system in aircraft JAS 39 for a case study. The system supports different ``users'' in the aircraft, for example the pilot and the cockpit with tempered air and the cooling of the electronics. The system is an integrated system of hardware --- like valves to regulate the air flow and switches to indicate valve positions --- and software, which controls the movement of all hardware to produce the right amount of tempered air flow.

In case of degradation, resulting in that the air system cannot fulfill all the ``users'' needs, automatically the ``users'' will be served according to some priority ordering. This automatic coupling down of the system is very important and can be safety critical if performed wrongly.

Today there is a model of the system in ASA.

Back to the Proposal ToC

Steam Generator Water Level Control System

This case study is proposed by EDF.

Steam generators in PWR's ensure the cooling of the reactor and provide steam to the turbine. The feedwater system has to keep the mass balance on the secondary side of the steam generators. To fulfill this function, the operator has to maintain the water level in steam generator downcomer close to its setpoint by means of the feedwater control valves.

Steam generator (SG) water level control system operates over the entire power range and ensures:

Many signals are used in the control of a SG control, like : Feedwater Flow, steam flow, Feedwater Temperature, Turbine Load, Narrow Range Level, Wide Range Level, Operation Mode Selection, Steam Header pressure, Feedwater Header Pressure, Valves positions, High Level Alarm, Low Level Alarm, ...

Analogic and logic functions are involved in the control, such as :

Verification and validation of some critical properties of this control system are important for operations and safety. For example, some operating difficulties during start-up or when faults occur are the frequent cause of unexpected tripping of the reactor or turbine.

EDF/DER will provide a derived case study of the Steam Generator Water Level Control System including requirements and specifications of:

Most of controllers are specified in SIMULINK/MATLAB. EDF/DER will provide also :

One of the important features of this study case is the steam generator physical model representation; hybrid validation methodology has to be considered.

We detail now, for each research area, the available results and the projected work.

Back to the Proposal ToC

Combination of Formalisms

Background.

Available synchronous formalisms are, on one hand, either graphical or textual, and, on the other hand, either imperative or declarative (data-flow). The differences in style and focus reflect different objectives. While for instance the imperative style more addresses the construction of discrete controllers, the declarative style more supports ``continuous'' change of state such as in sensor/actuator systems or digital signal processing.

Experience shows that the existence of several synchronous formalisms is more an advantage than a drawback: these formalisms appear to be complementary, as some applications, or even some parts of applications, are easier to specify in some formalism. As a consequence, there is a strong need to combine these languages together, so as to allow the user to freely merge the various points of view. For instance, a discrete change of state may be needed for a sensor/actuator system in order to model major changes of mode of operation. Rather than to model such a change of state by some boolean flags, a combination of a state-based language such as Argos with some declarative language such as Lustre or Signal will provide a smooth and lucid programming style in that the states of Argos correspond to modes of operation while refinements of these states by declarative programs determine the actual operation. On the other hand Esterel would be best suited for modelling control tasks which are mainly interrupt driven.

It is as well often convenient to write programs in one language and an observer for testing and verification (see Section on verification ) in another language, or to use different languages for hardware description, e.g., Esterel is better suited for modelling control while the declarative languages are better suited for modelling digital signal processing (DSP).

Production compilers and development environments are already marketed by software companies for the imperative synchronous programming language Esterel and the declarative synchronous programming languages Lustre and Signal. The graphical, state-based synchronous language Argos will be supported by a graphical editor developed at GMD, a prototype of which is available.

The designers of the three languages Esterel, Lustre, and Signal, have cooperated for several years in defining internal formats for the interchange of whole programs between tools. For the combination of formalisms, however, a semantical framework is needed for the integration of programs at the level of object code.

At GMD, a combination of Argos and Lustre has already been implemented which allows arbitrary Lustre modules to be imported for refinement of Argos states, thus enabling discrete change of mode on top of (discrete time) continuous state models. The integration is based on a proprietary internal format (which roughly is an enhancement of the internal formats developed in ``SYNCHRON''), and on a common paradigm for compilation of the languages involved (a compiler based on the same paradigm is as well available for pure Esterel). The format supports linking of arbitrary modules which are presented in the internal format. So far, the combination has been achieved only for the ``pure'' part of the languages, i.e., the only data types supported are signals and booleans, and integration is restricted to the behavioural aspect, meaning that, so far, a deeper analysis of a combination of clock checking mechanisms --- as in Lustre and Signal --- and causality analysis --- as necessary for Argos and Esterel--- is still missing.

As compared to an exchange via common formats, the integration envisaged is seamless, meaning that every module may be freely imported to and exported from any of the supported synchronous languages.

It should be mentioned that another such combination is provided by the commercial environment Statemate where the (state-based) Statecharts are complemented by the (data-flow based) Activity-Charts although with no work on formal semantics and uniform verification framework. Another example of related work is an attempt [see `` C. Petersohn, C. Huizing and J. Paleska. A Comparison of Ward &Mellor's Transformation Schema with State- and Activity Charts. Technical Report 94/11, Eindhoven University of Technology, 1993.'' ] to defining a formal semantics for Ward-Mellor structured design languages, which also have both imperative (control-oriented) parts and declarative (data flow) parts. However, these approaches either lack the tight and clean semantically-based integration or they are not yet in a status where industrial exploitation can be envisaged

The synchronous formalisms as promoted by the present research proposal, have the unique feature of being based on a semantically sound uniform paradigm, which supports a tight combination of the different styles on different levels of abstractions, as demonstrated by prototypical implementation, and, last not least, of being industrially viable.

Proposed research.

A tight integration of synchronous formalisms will need further research on the following topics, which are closely related:

  1. Up to now, the formal semantics of synchronous languages is presented rather different in style, ranging from structural operational semantics to data-flow based denotational semantics. Hence proofs of correctness of compilation schemes are restricted to the respective language and its specific style of semantics.

    Quite clearly, neither these compilation schemes nor the respective proofs are prepared for the import of modules that stem from other languages. Thus the schemes have to be relativised with regard to imports from other paradigms, and a common semantical framework has to be set up.

    Then the original correctness proofs have to be re-established with regard to this framework in such a way that correctness is independent of the nature of imported modules. The technique is to use invariants for characterisation of imported modules and then to show that the translation schemes are correct relative to these invariant. This techniques has been implicitly used in [53] where invariants are used as lemmas.

  2. The tight integration, as sketched above, relies on particular assumptions with regard to the compilation schemes. Given that an integration is achieved on this basis, there is still the question whether the present industrial strength compilers can be adapted to support a seamless combination of formalisms, and if so, to modify these compilers respectively.

  3. In addition, algorithms for causality analysis and clock analysis have to be adapted and relativised to the combined formalisms. Apart from the general difficulty of finding such algorithms, particular attention has to be paid to designing algorithms which are as well liberal in accepting ``reasonable'' programs as they provide succinct feedback to the programmer why a program is rejected or accepted.

    More particularly, it seems to be fairly simple to localise clock-checking: clock correctness of a module (or a cluster of modules within one language) can be checked on its own, by assuming that outputs of imported modules behave as inputs, either being unconstrained or constrained (in the latter case there is the obligation to check whether an imported module satisfies the constraints). In contrast, there is little hope to modularise causality analysis even though the declarative languages avoid causal loops by syntactic means (no recursive use of a variable except if memorised).

This more theoretical research will be complemented (in fact, developed in parallel) by an implementation of the combined formalisms in form of a workbench for synchronous programming. The workbench will support editing (in particular a graphical editor for Argos), compilation of (at least) Argos, Esterel, and Lustre, as well as it will provide tools for debugging and simulation of the combined languages. Ports will be provided to link the verification tools considered within the project. We expect these tools to have a stable status as ``research software''. The software will be freely distributed to industrial partners as early as possible for experimental evaluation, and then released as free software.

Finally, the ideas and the benefits of the approach will be demonstrated by a major industrial case study provided by the industrial partners.

deliverable 2.1 (12 months)
: Definition of the translation schemes plus correctness proofs, first prototypical implementations of the combined formalisms as sketched above, setting up the supporting tools for the workbench

deliverable 2.2 (24 months)
: Refinement of the schemes with regard to efficiency of translation, algorithm for causality analysis and clock checking defined, stabilising the compilers, and completing the workbench, preparation of the case study, check whether results transfer to industrial strength compilers

deliverable 2.3 (36 months)
: application of the workbench to the case study

Back to the Proposal ToC

Program Verification and Validation

Concerning program verification, the synchronous approach has several advantages. Verification on finite-state models (model-checking, automata abstraction) is more successful, because considered models are smaller. Moreover, synchronous languages offer an original way for specifying critical properties, by means of synchronous observers [30]. This makes formal verification tools easily accessible to engineers, as shown by several realistic industrial experiences (e.g., [35]). However, because of the intrinsic difficulties of the subject (complexity, undecidab ility), the verification techniques must be investigated furth er. We strongly believe that the various approaches should be cons idered complementary, rather than competing. So many different approache s will be studied, with the concern of combinating them together:

Back to the Proposal ToC

Symbolic Abstraction of Automata

Background.
Boolean equation systems form a natural intermediate model of synchronous formalisms: they bear close ties to hardware circuits at the gate-register level; they exhibit natural synchronous parallelism; they provide means to describe the Mealy finite state machines (FSMs) transitional behaviours. This is why this level has been chosen for the common format DC/DC+. What boolean equations do not provide is the actual space of reachable configurations. While the synchronicity assumption disfavours size blow-up, this state space can still become unmanageably large in real cases. Boolean encoding of sets of states (as in BDD-based tools, or in methods using tautology checkers) have been recently largely successful in coping with state explosion by implicit/symbolic representation. Further analysis techniques have been reduced to methods very similar to symbolic state space computation, and including it. The scope is here to provide powerful means of analysis to the user without requiring much theoretical expertise from him.

Proposed research.
We shall explore further promising steps in the following directions:

deliverable 3.1.1 (12 months)
: Prototype tool on abstraction and FSM minimisation distributed to partners.
deliverable 3.1.2 (24 months)
: Prototype tool on compositional simplification of boolean equation systems distributed to partners. Prototype tool on ``easy'' specification of particular sets for model-checking. Case studies on abstraction and feedback.
deliverable 3.1.3 (36 months)
: Case studies on compositional simplification of boolean equation systems. Final tool versions.

Back to the Proposal ToC

Use of the Stalmarck Method

Background.

The use of automated formal verification tools is preferred since it lets system developers focus on requirement specification and design rather than more or less elaborate verification procedures, requiring a lot of manual assistance and expert knowledge. Such tools cannot be developed without efficient theorem proving techniques. Binary Decision Diagrams, BDDs, are by many considered the best approach. However, in many applications, the Stalmarck method [60] is a strong competitor to BDDs. E.g., in a recent investigation [see ``J.F. Groote, J.W.C. Koorn, and S.F.M. van Vlijmen. The safety guaranteeing system at station Hoorn-Kersenboogerd. Technical report, Department of Philosophy -- Utrecht University, 1994.''] , the method even proved superior. Up to date the performance of the Stalmarck method is sufficient for some applications, but not all [E.g., when large arithmetic domains are used.] ; consequently the verification procedure needs to be improved.

It has already been shown that the efficiency of the method allows for implementation of fully automatic, industrial verification tools [57]. The method is based on the following results:

The method allows the use of propositional logic extended with finite domain constraints. This feature simplifies representation of both requirements and systems. However, right now there is a penalty in efficiency when large domains are used. In order to cope with this, hybrid techniques have evolved, combining the Stalmarck method with finite domain constraint solving [19], originating from the idea of indexicals [18]. The preliminary results are promising. However, other approaches may need to be considered as well (see Section [->]).

Since 1995, Volvo has been using synchronous methods in a project together with Logikkonsult NP AB, aiming at producing verifiable specifications, by developing them in SAO+, and verifying them using NP-Tools[A verification tool based on the Stalmarck method]. Preliminary results show that lack of methodology, not efficiency, is the bottleneck regarding application of the Stalmarck method in synchronous systems development. Support for representing mixed synchronous/asynchronous systems also needs to be developed, including methodology.

Proposed research.

  1. Representing (a)synchronous systems in formalisms suitable for automatic verification using the Stalmarck method. This research will be based on on-going work within project SYNCHRON.

  2. Expressing (safety) properties of (a)synchronous systems in formalism suitable for automatic verification using the Stalmarck method. This research will be based on on-going work within project SYNCHRON.

  3. Proving (safety) properties of (a)synchronous systems using theorem proving techniques that combine the Stalmarck method with constraint solving techniques. This work will be based on on-going research within the Swedish competence center ASTEC [A Swedish competence center sponsored by Swedish industry and the Swedish National Board for Technical Development.].

  4. Proving (safety) properties of (a)synchronous data-flow systems using the Stalmarck method (Section [->]).

  5. Improving the handling of arithmetic (see Section [->]) constraints in the Stalmarck method.

  6. Comparing state-of-the-art verification techniques, by means of the results of program verification applied on the cases in the project (see Section [<-]).

  7. Generating test patterns using the Stalmarck method (Section [->]). This research will be based on work performed in telecommunication applications (with Ericsson), but that need to be further developed.

deliverable 3.2.1 (12 months)
:
deliverable 3.2.2 (24 months)
:
deliverable 3.2.3 (36 months)
:

Back to the Proposal ToC

Handling Properties Depending on the Behaviour of Numerical Variables

Background.
Any synchronous program can be viewed as an interpreted automaton, i.e., a finite control structure, the transitions of which are augmented with conditions and actions on variables. Existing verification tools for synchronous programs are based on the control structure, and ignore the interpretation. This abstraction has been shown to be reasonable in many practical cases, since the critical properties of a reactive system often depend only on the control. However, there are cases where the behaviour of datas must be taken into account.

Using the technique of synchronous observers, any safety property of a synchronous program can be expressed as the unreachability of some states in the interpreted automaton. Finite-state-based methods, which generally abstract away the interpretation, sometime wrongly conclude that these ``bad'' states can be reached. Two approaches are proposed to obtain more precise results:

Proposed research.
Several experiments on real-life case studies showed that the main limitation of these methods is not due to the result imprecision, but rather to problems of performances: both approaches are based on an explicit representation of the control automaton, the size of which is often prohibitive.

As a consequence, we propose to study a combination of these numerical methods with an implicit representation of the control structure, by means of BDDs. A possible track consists in starting from a rough control structure, which would be progressively refined in a demand-driven way. A mixed representation, merging Boolean and numerical aspects, will probably have to be defined.

Based on real case studies, this work will result in a prototype verification tool.

deliverable 3.3.1 (12 months)
: Detailed description of the method.
deliverable 3.3.2 (24 months)
: Prototype verification tool.
deliverable 3.3.3 (36 months)
: Experiment report and tool documentation.

Back to the Proposal ToC

Deductive Proofs of Data-flow Programs

Background.

Recently, several toolboxes for program formal derivation and proof have been proposed, among which we can cite B [see ``J.-R. Abrial. The B-Book. Cambridge University Press, 1995.'' ] , VDM [see ``C. B. Jones. Systematic Software Development using VDM. Prentice Hall International, 1990.'' ] , Z [see ``J.M. Spivey. Understanding Z: A specification language and its formal semantics. Cambridge University Press, 1988.'' ] , Coq [see ``T. Coquand and G. Huet. The calculus of construction. Information and Computation, 76(2), 1988.'' ] , and PVS [see ``S. Owre, J. Rushby, and N. Shankar. PVS: a prototype verification system. In 11th Conf. on Automated Deduction, LNCS 607, Springer Verlag, 1992.'' ] . Clearly this growing interest is due to the also growing involvement of software in critical systems, and the consequent concern about software errors.

These critical systems can arise from many fields, but one field which yields some of the most critical ones is the field of automatic control and monitoring systems; this can be easily illustrated by examples drawn from civil aircraft, nuclear plants and automatic ground transportation systems.

In these domains, synchronous data-flow programming has become a popular approach, for the quite obvious reason that automatic control engineers use to analyze and specify their systems in terms of signals flowing through networks of operators (block diagrams). Thus synchronous data-flow languages allow them to directly translate their specifications into code without undertaking a manual, error-prone coding phase. Several real-world achievements have been obtained in this way, among which we can cite the ``fly-by-wire'' system of Airbus aircrafts, the monitoring system of Framatome nuclear plants, designed by Schneider Electric, and the interlocking system of the Hong Kong subway designed by CS-Transport. Of these examples, the last two have been based on the Lustre data-flow synchronous language [28].

This has entailed a need for formal methods adapted to this language. A long lasting effort has already been made in this direction, mostly based on ``model checking'' techniques [29]. Model-checking was a good choice since automatic control programs have a control structure consisting of a finite automaton, over which most properties are decidable. Moreover, even properties involving unbounded data types, like integers or reals can be decidable. This is the case of linear (integer) programming problems for instance (see Section [<-]).

Yet there are many control problems which don't fall into such class, and should be handled within more general deductive frameworks like the ones cited above. Typical examples can be found in automatic railway systems where control systems have to deal with Newtonian dynamics, for instance.

Proposed research.
The goal of the action is to investigate the application of the PVS approach to Lustre programs. The choice of PVS is motivated here because it is a well-equipped and freely available tool. Yet, this is not to preclude other approaches and on the contrary, it can be expected that the lessons drawn from this research will serve in other frameworks. We propose to proceed stepwisely as follows:

deliverable 3.4.1 (12 months)
: Comparative study of data-flow to PVS translations.

deliverable 3.4.2 (24 months)
: Case studies on checking data-flow programs with PVS.

deliverable 3.4.3 (36 months)
: Front-end prototype.

Back to the Proposal ToC

Use of Automata Technology and Synchronous Observers for Automatic Testing

Automatic help in program testing is an important demand from industrial users. We propose to adapt and extend for this purpose the technology developed for synchronous program verification: An automatic tool for program testing will be designed and implemented, based on these ideas. Here again, case studies will play an important role.

deliverable 3.5.1 (12 months)
: External specification of the tester. Study of main internal algorithms.
deliverable 3.5.2 (24 months)
: Prototype implementation of the tester.
deliverable 3.5.3 (36 months)
: Experiment report and tool documentation.

Back to the Proposal ToC

Code distribution and Multi-Tasking

Background.
At the implementation level, available industrial compilers only produce standard sequential code. Other implementations must be studied, concerning distributed code generation, and integration with real-time operating systems offering multitasking and some kind of asynchrony.

A large part of the process of code generation based on synchronous technology is independent of target architecture. Unique features of synchronous technology for this purpose are available in the Signal language and the DC/DC+ common formats, they are listed now:

These features allow the designer to describe together
  1. The functional architecture of the application at different levels of detail.
  2. The target architecture for implementation, based on synchronous model.
  3. A profiling of (1) as mapped onto (2), i.e., a model of real-time behaviour of this mapping. This model can then be used for timeliness simulations or for timeliness formal verifications.

Proposed research.
A further step will consist in developing a next layer below the low level description of target architecture following synchronous model. This layer will have the form of a nano-kernel OS composed of a small library of real-time primitives, called Real-Time Library (RTL). RTL will satisfy the following requirements: Based on RTL, experimentations will be performed with a given real-time kernel as target. Also, RTL could be used for studies on fault-tolerance. Note that this task should not be considered as a research on real-time kernels per se, our aim is rather to emulate standard real-time kernel functions using a selected set of primitives suited to guarantee a provably correct connection to the synchronous model.

deliverable 4.1 (12 months)
: detailed specification of RTL, and of profiling techniques.

deliverable 4.2 (24 months)
: prototype RTL, comparisons of profiling predictions with RTL simulations.

deliverable 4.3 (36 months)
: experimentation on test case; limited release according to robustness of the prototype tool.

Back to the Proposal ToC

Integrating Synchrony and Asynchrony

Synchronous programming only solves a part of the problems raised by the design of a complex real-time systems. In general, synchronous programs must be integrated in a complex, asynchronous environment. There is a strong need for models integrating synchronous and asynchronous features, while offering a global view of the system, preserving a clean formal semantics, and allowing formal verification at the global level. The language CRP [12], which combines Esterel and CSP, is an attempt in that direction.

Back to the Proposal ToC

Automatic Verification on Mixed A/S Systems

Our goal here will be to deal with specifications consisting of asynchronous networks of synchronous systems, where ``asynchrony'' here refers to processes evolving at a different pace, and synchronising by mutual rendez-vous (such as in CCS, CSP or Lotos languages). Individual sequential components will now become whole synchronous programs, at synchronous sites, while asynchronous networks form an extra level where the synchronicity assumption cannot be assumed anymore. As an example telecommunication protocols consist of end-processes such as emitters/receivers or servers/clients, each of which is a synchronous system with increasing complexity, but whose correctness can only be asserted when modeling the asynchronous network media. In our opinion, many concurrent systems can adequately be represented as programmed synchronous parts communicating across specified asynchronous networks.

Model-based analysis is a well-developed topic both for synchronous and asynchronous systems of processes, independently. It is made possible by formal semantics, and relies heavily on FSM interpretation and reachable state space construction. Many useful verifications can then be conducted by encoding properties as observers and dealing with a product machine.

Symbolic techniques, and in particular BDDs, are now the prominent implementation method for (symbolic) state space representation and exploration. Still, algorithmic efficiency on such data structures demands that the transition relation representation be optimised, by partitioning. There the synchronous and asynchronous domains each lead to distinct partioning schemes : In synchronous programs, a state consists of a vector of state variables, each of which is a function of the previous state and input (determinism); so, partitioning consists of representing the transition relation as a vector of (small) functions. In asynchronous process algebras, each global transition only involves a small number of processes; so the transition relation can be represented as a union of (simple) relations.

We shall provide a description formalism for such mixed systems (at specification level), and study further the integration of actual efficient BDD-based tools for either synchronous or asynchronous systems in a unified framework. There external synchronisation offers must be included in a synchronous FSM model in a way compatible with transition relation partitioning.

deliverable 5.1.1 (12 months)
Definition of a programming/specification language (probably as a superset of Esterel) for mixed A/S systems, and early prototype tool for model-based analysis.

deliverable 5.1.2 (24 months)
Experiments on case studies (protocols,...) and development of a stable version. Distribution to project partners.

deliverable 5.1.3 (36 months)
Documentation and public release.

Back to the Proposal ToC

From Strong Synchrony to True Concurrency, and Back

Work on both the DC/DC+ common formats for synchronous languages, and on the Signal language have resulted in the introduction of a specific primitive related to scheduling constraints. This primitive, we denote it by ``depends'', allows to specify a state-dependent scheduling constraint (see Section [<-]). More precisely, ``Y depends X when COND'' expresses that flow Y cannot be produced before flow X when COND is satisfied. This can be used to describe causality constraints, or alternatively, for specifying additional scheduling constraints that one may want to impose on the different actions. This is also useful to abstract a program to its interface, by summarising both the communication automaton and the scheduling of the communications.

Recent theoretical work has been ongoing, which has established the link between

  1. Such a combined ``automaton/scheduling'' abstraction of a program.
  2. An abstract notion of synchronous partial order.
  3. The more usual notion of asynchronous partial order as a model of so-called ``true concurrency''.
An algorithm has been found, which allows the mutual translation between (1), (2), and (3). For example, CSP rendez-vous can be modelled using partial orders, and can thus be translated into an equivalent Signal program describing the sender/receiver mechanism globally.

More generally, one can envision to specify an asynchronous network of synchronous programs (as proposed in subsection [<-]), and then to backtranslate it into a single Signal program for various formal studies within a single and homogeneous formalism. Work on this topic will be mainly exploratory in nature, and can be seen as complementary to the work proposed in subsection [<-].

In general, translation followed by backtranslation will not recover the original synchronous partial order (backtranslation is not unique), however there are classes of synchronous partial order for which translation followed by backtranslation yields the original synchronous partial order. Such classes are called endochronous partial orders and are of particular interest for code distribution as asynchronous networks of synchronous programs, since very strong properties are preserved by code distribution.

deliverable 5.2.1 (12 months)
: detailed specification of the translation from synchronous to asynchronous partial orders, and back; the case of endochronous partial orders.

deliverable 5.2.2 (24 months)
: study of the extended formalism proposed in deliverable 5.1.1 adaptation of its asynchronous part for use in the specification of asynchronous partial orders; study of the combination with the Signal language.

deliverable 5.2.3 (36 months)
: prototype system implementing (back) translation and light experimentation following the lines of deliverable 5.1.2; limited release according to robustness of the prototype tool.

Back to the Proposal ToC

Connection with Hardware/Software Codesign

Synchronous languages are suitable for describing not only software, but also hardware (synchronous circuits). They are promising candidates for hardware/software codesign, which is an important goal in reactive system design. Here again, the integration of the various programming styles is an important goal, since data-flow languages are suitable for data-parts, whereas imperative languages provide new, powerful ways for defining controllers.

Background.

To summarise, the proposal group in its different components has the background to make progress in integration to and for hw/sw codesign. Studies in codesign will encompass all aspects of code generation, optimisation, architecture generation, and communication protocol generation. Aspects of software/hardware partitioning use techniques from optimisation, and are considered to be outside the scope of SYRF.

Back to the Proposal ToC

From Synchronous Formalisms to VHDL or VERILOG

Such a translation is the basis for code generation, optimisation, architecture generation, and communication protocol generation, and link to standards in hardware systems design.

deliverable 6.1.1 (12 months)
: prototype of translator.
deliverable 6.1.2 (24 months)
: release of translator and documentation.

Back to the Proposal ToC

Mixed Controller/Datapath Designs

Today, ASIC micro-controllers on the one hand, and hardware number crunching machines on the other hand, are designed using completely different and non compatible techniques. This forces the designer to strongly separate such parts in circuit or system design. We propose to explore techniques for joint controller/datapath designs. This is envisioned as follows:

  1. Hardware design from Signal makes strong use of the Signal compilation chain. This involves symbolic calculi of synchronisation and data paths.

  2. Hardware design of regular algorithms such as core signal processing algorithms (convolution, filtering,...) can make use of spatio-temporal description of the algorithms, in which a node on a grid is attached to each variable at each different instant of the computation. Multirate computations can also be described in this way. Then, synthesis of systolic or pipelined architectures amounts to computing, on the spatio-temporal grid describing the algorithm, a ``timing function''. Techniques are available which consist in computing polyhedral domains and their intersection, unions, and projections.

Exploratory work is proposed to combine the approaches (1) and (2 into an homogeneous one, thus allowing for mixed controller/datapath designs without the need for a strong separation.

deliverable 6.2.1 (12 months)
: report describing the unified approach, specification of a prototype tool.
deliverable 6.2.2 (24 months)
: prototype tool.
deliverable 6.2.3 (36 months)
: experiment and improvement of prototype tool.

Back to the Proposal ToC

Integration of Analog and Discrete Synchronous Design

Background.

The goal of this work is to extend the application of existing verification techniques to synchronous systems embedded in physical environments. There are several areas in which such an extension would be beneficial, e.g., physically based models of photocopiers [see ``V. Gupta, R. Jagadeesan, V. Saraswat, and D. G. Bobrow. Programming in Hybrid Constraint Languages. In 3rd. International workshop on Hybrid Systems. pages 226--251, LNCS 999, Springer Verlag, 1995.'' ] , control systems in aircrafts [50], etc. Two types of properties are widely observed to be of interest in such systems. First, a class of safety properties which cannot be attributed to the control system alone --- rather they are to be verified to hold in the environment while being under the control of the control system: e.g., the door and the landing gear will not collide under operation, or the paper will not be buckled during the passage. Secondly, the property of timeliness with respect to the developments in the environment, in particular when the control functions are distributed in several components with different computational cycles.

However, before verification techniques can be applied to prove these properties, some non-trivial modelling is necessary. Starting from the basic thesis that adequate modelling of such hybrid systems should be based on physically grounded models of the environment, we are faced with two alternatives.

Proposed research.

In the first alternative we model the control program in a language close to its implementation language, e.g., synchronous I/O machines. This has the benefit that if the controlled system satisfies the required properties, then the executable code for the controller is straightforward to obtain. The verification techniques obviously applicable are the existing search based methods including the use of synchronous observers, but the models to analyse will be that of the closed loop system. Thus, a discrete synchronous model of the environment --- e.g., in the form of I/O machines --- has to be constructed first. Earlier research indicates that the property to verify is a key to partitioning the continuous state space of the environment for arriving at a physically grounded discrete model [49]. In this proposal we will further study the use of inductive proofs over the environment phase space for formal derivation of these discrete models. Such models of a continuous environment can often turn out to be non-deterministic I/O machines, the verification of which must be allowed in the synchronie workbench.

The second alternative is essential in case the property to be verified is a timing property, or a safety property in systems where the computation delays abstracted away by the synchrony hypothesis are not obviously negligible in comparison with the environment dynamics. In this case, we need to translate the network of asynchronous computational processes (each with their own fixed period) as obtained in section [<-] above to a uniform model in which real time delays are explicitly represented. We propose to study various candidates for the uniform timed representation (UTR) of the controllers. We further propose to study systematic procedures for translating the environment models from hybrid transition systems to linear hybrid automata (LHA), for analysis in composition with the UTR. Here again the derivation of the LHA is parameterised by the property to be proved. Some steps in this direction have already been taken using inductive proof techniques [50] or abstract interpretation techniques [see also ``T. A. Henzinger and P-H. Ho. Algorithmic analysis of nonlinear hybrid systems. In Proc. 7th International Conference on Computer Aided Verification, LNCS 939, Springer Verlag, 1995.]  [32, 1]. We intend to further investigate both of these possibilities in the context of another case study: the aircraft air control system of [<-].

Finally, the obtained LHAs can be analysed using the Polka tool, as this tool, which will be improved in task 3.3, has been extended [32] to handle linear hybrid automata.

deliverable 7.1 (12 months)
Definition of a inductive proof based method for derivation of discrete synchronous models of the environment based on the air control case study.

deliverable 7.2 (12 months)
Definition of a UTR and a systematic translation procedure from multiple synchronous processes with varying periods.

deliverable 7.3 (24 months)
Documentation of hybrid environment models in the case study and the definition of systematic methods for the translation of the hybrid environment models to LHA.

deliverable 7.4 (36 months)
: Connection with the Polka tool, and experimentation on case studies.