Architecture Models Refinements for Software Development of Critical Real-time Embedded Systems

HABILIT A TION ` A DIRIGER DES RECHER CHES DE SORBONNE UNIVERSIT ´ E Sp ´ ecialit ´ e Informatique ´ Ecole do ctorale Informatique, T ´ el ´ ecomm unications et ´ Electronique (P aris) Pr ´ esen t ´ ee par Etiennne BORDE , Enseignan t-Cherc heur ` a TELECOM P arisT ec h / L TCI Arc hitecture Mo dels Reﬁnemen ts for Soft w are Dev elopmen t of Critical Real-time Em b edded Systems Raﬃnemen ts de Mo d ` eles d’Arc hitectures p our le D´ ev elopp emen t Logiciel des Syst ` emes T emps-r´ eels Em barqu´ es Critiques souten ue publiquemen t le 10 Mai 2019, dev ant le jury compos´ e de : M. F abrice Kordon Professeur ` a Sorbonne Universit ´ e Pr ´ esiden t du jury M. Xa vier Blanc Professeur ` a Univ ersit´ e de Bordeaux Rapp orteur M. Ivica Crnko vic Professeur ` a Chalmers Univ ersity of T ec hnology Rapp orteur M. Jo el Goossens Professeur ` a Univ ersit´ e Libre de Bruxelles Rapp orteur M. Y amine A ¨ ıt Ameur Professeur ` a ENSEEIHT T oulouse Examinateur M. Lauren t George Professeur ` a ESIEE P aris Examinateur M. F rank Singhoff Professeur ` a Univ ersit´ e de Bretagne Occidentale Examinateur Acknowledgements I would like to sincerely thank Professors Xavier Blanc, Ivica C rnkovic, and Joël Goossens for gi ving me the great honor of re viewing my habilitation thesis. I greatly appreciated their feedback on my work and the accurac y of their assessment. I w ould also lik e to thank Professors Y amine Ait Ameur , Laurent Geor ge, and Frank Singhof f for having accepted to serve on the jury , as well as Professor Fabrice K ordon for having accepted to be the president of the jury . I would especially lik e to thank Professor F abrice K ordon for his help in preparing for this habilitation at Sorbonne Univ ersité. The work presented in this document is the result of many and very rich interactions with colleagues from academia and industry . First of all, I want to warmly thank Laurent P autet who has been working with me since the very beginning of my career: from the PhD to this habilitation. It has been a pleasure to w ork with him, and learn from him. I also want to thank my colleagues from TELECOM ParisT ech for the quality of their feedback on my work, and all the good times spent together: Thomas Robert, Florian Brandner , Rémi Sharrock, James Eagan, Ada Diaconescu, Elie Najm, Sylvie V ignes, and Petr K uznetsov . Not to mention Sébastien Gardoll from CNRS. This work is also the result of the w ork of brilliant PhD students that I would like to congratulate again for their achie vements, and thank for their collaborations: Fabien Cadoret, Cuauhtémoc Castellanos, Elie Richa, Smail Rahmoun, and Roberto Medina. Finally , this work is the result of numerous interactions with researchers and engineers from both academic and industrial insitutes: I w ould like to thank the Chaire ISC (in particular Eric Goubault from Polytechnique, and Ale xandre Chapoutot from ENST A), the IR T SystemX (along with Alstom, Renault, Thales, Safran), the AADL standardization committee (in particular Peter Feiler from the Software Engineering Institute, Jean-Pierre T alpin from INRIA, Pierre Dissaux from Ellidiss, and Brian Larson from Kansas State Uni versity) for their support, their contributions, and feedback. Last but not least, I w ant to thank my wife Sara for her support in both my professional and personal achie vements. Abstract Cyber Physical Systems are systems controlled or monitored by computer -based programs, tightly integrated netw orks, sensors, and actuators. T rains, aircrafts, cars, and some medical equipments are examples of complex CPS. Software dev elopment of complex CPS has become so difﬁcult that it represents most of the cost of CPS production. According to domain experts, this trend is going to reach a point where software dev elopment would represent the main source of cost of a CPS production. In addition, it is interesting to note that the integration, v eriﬁcation and v alidation of softw are in CPS require more ef forts than the analysis, design, and implementation activities. The main reason is that these activities are conducted late in the de velopment process and issues discov ered at this stage of the process will require to rework artifacts produced in the pre vious acti vities ( i.e. analysis, design and/or implementation). In this document, we present our work aiming to improv e the reliability of software de vel- opment in the domain of CPS. In this context, we deﬁne the reliability of the de velopment process as its capacity to deli ver intermediate artifacts for which the re work ef fort would be as small as possible. This problem is very dif ﬁcult for general purpose software ( i.e. used on desktop computers or servers), and ev en more difﬁcult for software in CPS. The main reason is that software in CPS is often critical, real-time and embedded on domain speciﬁc execution platforms . As a consequence, non-functional properties (also called quality attributes) of software applications in CPS are often as important and dif ﬁcult to satisfy as the logical correctness of these applications. In order to the improv e the reliability of software dev elopment in the domain of CPS, we propose a Model Driv en Engineering (MDE) method based on step-wise reﬁnements of software architecture descriptions (also called architectural models). An architecture description being an abstraction of the software being de veloped, the implementation of this software ( i.e . source or binary code) is an interpr etation of the architecture model. In the frame work we propose, such interpretations are automated using model reﬁnements , i.e. model to model transformations lowering the abstraction lev el of the architecture description. 6 Ho wev er , models interpretation may introduce faults such as bugs or in validation of non- functional requirements. It is hence necessary to control as much as possible the correctness, consistency , and optimality of artifacts produced along the model reﬁnement steps. T o reach this objectiv e, we propose to 1. deﬁne model transformations so as to interleav e reﬁnement steps with analysis of the resulting artif acts. W e thus impro ve the consistenc y between the analysis results and the software implementation by analyzing models as close as possible to the implementation. 2. deﬁne timing analysis and real-time scheduling techniques to ensure the correctness of software architectures from a timing perspecti ve. 3. formalize model transformations in order to ensure their correctness using formal veriﬁcation techniques. 4. compose model transformations in order to automate the search for optimal (or near - optimal) architectures. The work presented in this document is thus at the frontier among dif f erent research domains: MDE, real-time systems scheduling, formal veriﬁcation, and operational research. In this work, we chose to rely and e xtend the Architecture Analysis and Design Language (AADL) to model the cyber part of CPS. The reasons for this choice are simple: Firstly , AADL is a standard and a domain speciﬁc language for real-time embedded systems. Sec- ondly , It allo ws to represent software architectures with different abstraction le vels. Last but not least, AADL supports different types of models of computations communications, some of which being deterministic. As a guideline for our w ork, we de veloped the methodology we propose in a MDE frame work called RAMSES (Reﬁnement of AADL Models for the Synthesis of Embedded Systems). This document presents both the methodology and some illustrations of its implementation in RAMSES. T able of contents List of ﬁgures 9 1 Introduction 1 1.1 Industrial Context and Scientiﬁc Challenges . . . . . . . . . . . . . . . . . 1 1.2 Problem statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Org anization of the document . . . . . . . . . . . . . . . . . . . . . . . . . 7 2 Overview of contrib utions 9 2.1 Approach: Architecture reﬁnement framework . . . . . . . . . . . . . . . . 9 2.2 Overvie w of the State-of-Art . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.3 Supervised PhD students . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3 Architectur e Models Timing Analysis 19 3.1 AADL Reﬁnement Frame work . . . . . . . . . . . . . . . . . . . . . . . . 21 3.2 Code generation and ﬁne-grain analysis of partitioned systems . . . . . . . 22 3.3 Periodic delayed communications . . . . . . . . . . . . . . . . . . . . . . 27 3.4 Mixed-criticality D A Gs analysis . . . . . . . . . . . . . . . . . . . . . . . 30 3.5 Concluding remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 4 Composition and f ormalization of model transformations 43 4.1 Model transformation chains in RAMSES . . . . . . . . . . . . . . . . . . 46 4.2 Automatic construction of transformation chains . . . . . . . . . . . . . . . 48 4.3 Precondition construction in algebraic graph transformations . . . . . . . . 52 4.4 Design space exploration by composition of model transformations . . . . . 55 4.5 Concluding remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 8 T able of contents 5 Conclusion and Perspecti ves 63 5.1 Concluding remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 5.1.1 Overvie w of contributions . . . . . . . . . . . . . . . . . . . . . . 64 5.1.2 Comparison of RAMSES with existing frame works . . . . . . . . . 64 5.2 Future Research Directions . . . . . . . . . . . . . . . . . . . . . . . . . . 68 5.2.1 Software Security in Cyber -Physical Systems. . . . . . . . . . . . . 68 5.2.2 Autonomy by Reconﬁguration of CPS Applications . . . . . . . . . 69 5.2.3 Uncertainty Management in Design Space Exploration . . . . . . . 70 Bibliography 73 List of ﬁgur es 1.1 Context: Critical CPSs De velopment Process . . . . . . . . . . . . . . . . 2 1.2 Problems in Critical CPSs De velopment Process . . . . . . . . . . . . . . . 4 2.1 Proposed reﬁnement frame work for CPS design models . . . . . . . . . . . 10 2.2 Thematic distribution of co-supervised PhD students . . . . . . . . . . . . 16 3.1 Perimeter of research acti vities presented in this chapter . . . . . . . . . . . 21 3.2 Overvie w of RAMSES functionalities . . . . . . . . . . . . . . . . . . . . 22 3.3 Model Reﬁnement for T iming Analysis . . . . . . . . . . . . . . . . . . . 24 3.4 AADL Model of our Case Study . . . . . . . . . . . . . . . . . . . . . . . 27 3.5 Illustrati ve Example of periodic-delayed communications . . . . . . . . . . 29 3.6 U A V software architecture with two MC-D A Gs . . . . . . . . . . . . . . . 32 3.7 Scheduling tables for the U A V , using G-LLF and Safe T rans. Prop. . . . . 34 3.8 Comparison to existing multiple MC-D A G scheduling approach . . . . . . 36 3.9 U A V AADL architecture: system lev el . . . . . . . . . . . . . . . . . . . . 39 3.10 UA V AADL architecture: FCS MC-D A G . . . . . . . . . . . . . . . . . . 39 4.1 Perimeter of research acti vities presented in this chapter . . . . . . . . . . . 45 4.2 RAMSES reﬁnements: chain of model transformations . . . . . . . . . . . 46 4.3 Overvie w of the TMR (also called 2oo3) transformation . . . . . . . . . . . 47 4.4 Model transformation chains production with Alloy . . . . . . . . . . . . . 50 4.5 Mean time to ﬁnd transformation chains . . . . . . . . . . . . . . . . . . . 51 4.6 Backward translation of test requirements . . . . . . . . . . . . . . . . . . 54 4.7 Approach Overvie w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 4.8 Crossov er and Mutation Operators . . . . . . . . . . . . . . . . . . . . . . 60 5.1 Comparison between RAMSES and similar frame works . . . . . . . . . . . 66 Chapter 1 Intr oduction Contents 1.1 Industrial Context and Scientiﬁc Challenges . . . . . . . . . . . . . . 1 1.2 Pr oblem statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.3 Or ganization of the document . . . . . . . . . . . . . . . . . . . . . . 7 1.1 Industrial Context and Scientiﬁc Challenges A Cyber Physical System (CPS) is a system that is controlled or monitored by computer-based programs, tightly integrated networks, sensors, and actuators. “In cyber -physical systems, physical and software components are deeply intertwined, each operating on dif ferent spatial and temporal scales, exhibiting multiple and distinct beha vioral modalities, and interacting with each other in a lot of w ays that change with conte xt. ” 1 Robotic systems of course, b ut also transportation systems, medical de vices or power plants are e xample of CPSs. The e volution of software applications deployed in CPS sho ws a signiﬁcant increase in their complexity . Measured in terms of lines of code (SLOC) embedded in different generations of aircraft systems, this complexity indicator sho ws the signiﬁcance of their software ev olution: Airbus A310: ˜400 KSLOC, A320: ˜800KSLOC, A330/340: ˜2MSLOC, Boeing 777: ˜4MSLOC, Airbus A380: ˜8MSLOC, Boeing 787: ˜10MSLOC. These impressiv e numbers are still below the numbers of estimated lines of code in military aircrafts or luxurious modern cars. As a consequence, software dev elopment, takes an important role in the production of such systems. Our industrial partners in the a vionics domain estimate that 70% of systems 1 https://www .nsf.gov/pubs/2010/nsf10515/nsf10515.htm 2 Introduction production cost is due to software dev elopment, mainly because of very demanding validation, documentation, and inte gration activities. They estimate this ratio w ould grow up to about 90% in 2024. The cost presented here abov e measures how dif ﬁcult software de velopment has become in the domain of CPS. This cost actually aggregates se veral sources of difﬁculties over the de vel- opment life-cycle. In particular , our industrial partners (still in the avionics domain) estimate that 70% of softw are de velopment cost is due to re work, v alidation, and v eriﬁcation acti vities, mostly because of faults introduced during the early phases of the de velopment process. Counterintuiti vely , this estimation highlights that integration, veriﬁcation, and validation acti vities represent more efforts than analysis, design, and implementation acti vities. V eriﬁcation and validation of software in CPS is particularly dif ﬁcult because CPS are often mission or safety critical: failures of such systems could hav e catastrophic consequences. As a result, dev elopers of CPS are often required to conform to certiﬁcation processes aiming at ensuring these systems meet safety requirements. On the other hand, software integration in CPS is also challenging because these systems hav e meet various requirements such as timing performance, energy consumption, weight, av ailability , maintainability , robustness, etc. A na l ys i s D es i g n I m p l em e n t a t i o n U n i t t e s t i n g I n t eg r at i o n D el i v er y R e qu i r em e nt s m o d e l A r ch i t e ct u r e m o d el So u r c e co d e V e r i f i cat i o n V er i f i ca t i o n M od e l b as e d a na l ys i s a n d v er i f i c at i o n R e s ea r ch p er i m et er Figure 1.1: Context: Critical CPSs Dev elopment Process Figure 1.1 giv es an ov ervie w of a traditional dev elopment process, called V -cycle, generally used in the development of CPSs. The objective of the V -c ycle dev elopment process is to anticipate validation activity by preparing veriﬁcation and validation artifacts along with requirements, design, and implementation acti vities. 1.1 Industrial Context and Scientiﬁc Challenges 3 In addition, Model Dri ven Engineering (MDE) advocates for the use of models in order to improv e the dev elopment process of software applications and in order to increase products quality . For e xample, models can be used to improv e the de velopment process by enabling early estimation of software applications performance. In addition, such estimation will help designers of software applications to compare dif ferent solutions and select the most appropriate one(s). As sho wn in ﬁgure 1.1, models can be the result of the requirements deﬁnition and design acti vities of the dev elopment process, while source code is produced during the implementation phase of the process. In the work we present in this document, architecture models produced during the design acti vities play a major role: ﬁrstly , we combine them with v eriﬁcation and analysis techniques in order to detect design ﬂaws as early as possible in the process. Secondly , as illustrated on the ﬁgure, we aim at using architecture models to bridge the gap between requirements models and source code. Therefore, the work presented in this document aims to impro ve methods dedicated to the design of software architecture(s) for embedded systems which are also critical, real-time, and distributed systems. Because the type of systems we consider are mission or safety critical, the methods we aim for must rely on rigorous models so as to guarantee safety related properties. The targeted application domain is the domain of CPS, in which physical systems are controlled by a set of interconnected computation units (CUs) ex ecuting control and/or monitoring algorithms. More speciﬁcally , industrial partners in volved in the deﬁnition of research problems presented in this document work on transportation systems (cars, planes, and/or trains). In next subsection, we present the general problems for which we proposed the scientiﬁc contributions presented in this document. 4 Introduction 1.2 Pr oblem statement Gi ven the increasing comple xity and cost of software de velopment in CPSs, a zoom on the research perimeter presented in pre vious section (see the orange part of ﬁgure 1.1) led us to raise the following research question: how to improv e the reliability of CPS design activities? In the context of software de velopment for CPS, we deﬁne the reliability of design acti vities as their capacity to deliv er intermediate artifacts for which the rew ork effort would be as small as possible. D es i g n I m p l em e n t a t i o n I n t e gr a t i o n A r ch i t ec t u r e m od e l So u r ce co d e V er i f i ca t i o n V e r i f i cat i o n A na l ys i s & V e r i f i cat i on Pb 1 : c on s i s t en c y? Pb 3 : o p t i m a l i t y? Pb 2 : c or r ec t n e s s ? Pb 4: ef f i ci en t r es ou r ce us ag e? Figure 1.2: Problems in Critical CPSs Dev elopment Process On ﬁgure 1.2, we provide a decomposition of this research question into different but connected research problems: Problem 1: Are analysis results, obtained on an architecture model, consistent with the implementation of this architecture with source code? By essence, architecture models are abstractions of the reality aiming to enable the analysis of a system under design. This analysis can e valuate quality of services or e ven safety properties of the system. On the other hand, the implementation of these models will require to interpret this abstract view and translate it into source code by introducing missing details. If these details had an impact on the anal- ysis results, these results obtained with the model may no longer be 1.2 Problem statement 5 consistent with the properties exhibited by its implementation. The corresponding design would become obsolete, early design choices would be in v alidated, leading to extra re-engineering ef forts. Problem 2: Ho w to ensure the correctness of an architecture model implementa- tion? The acti vity transforming an architecture model into the implemen- tation of a software application boils down to translate an abstract vie w of the system to pro vide an equiv alent executable artifact. By essence, there e xist se veral v ariants of such translation: an abstract model may ha ve se veral possible implementations. In addition, this acti vity my rapidly become repetiti ve, thus error prone. It is therefore very important to ensure the correctness of the implementation by making sure the translation effort did not introduce ﬂaws in the result- ing source code. Such ﬂaws may , again, in v alidate analysis results, or e ven worse: introduce bugs in the source code of the application. Problem 3: Is the input architecture optimal? As explained in the presentation of Problem 1, the translation of abstract models into source code may in validate early analysis results. One may conclude it would be sufﬁcient to model systems with suf ﬁcient margins to ensure the preserv ation of analysis results along the dev elopment life-cycle. Howe ver , the v alues of such margins are difﬁcult to anticipate, and it would be necessary to take very pessimistic estimations to make sure there would not be extra re- engineering ef forts ev entually . In practice, this is infeasible since big margins also means poor quality: for instance, a computer loaded at 20% e xhibits a big mar gin but is poorly exploited (which means more functions of more complex functions could ha ve been deployed on it). In addition, quality attributes are often in conﬂict as improving one quality attrib ute requires to degrade another one. For instance, the deployment of replicated functions improves the av ailability of these functions to the price of extra weight, ener gy consumption, and data ﬂow latency . It is thus important to deal with the problem of providing optimal (or near optimal) architecture models, otherwise the chance to face integration issues grows rapidly for complex systems. 6 Introduction Problem 4: Are computation resources ef ﬁciently allocated to software applica- tions? In CPS, software architects have to pay extra attention to the allo- cation of computation resources to software applications. The main reason is that some of these applications will have a direct impact on the safety of the system. Such applications would be classiﬁed with a high le vel of criticality whereas others w ould be classiﬁed with a lo wer lev el of criticality . In most cyber physical systems, the pro- vision of enough computation resource to high criticality functions is thus a safety requirement, whereas the pro vision of computation resources to lower criticality functions is a quality of service require- ment. Note that quality of service, though not critical, is of prime importance as it has a direct impact on consumers satisf action. In a CPS, an inef ﬁcient resource allocation may lead to a poor quality of services, and e ven worse, to safety requirements violation. Problems 1 and 2 are obviously connected to our research question ( i.e. ho w to improve the reliability of CPS design activities?) whereas the link with problems 3 and 4 may seems less direct. Y et, it is important to consider that software applications in CPS have to meet stringent requirements in terms of timing performance, memory footprint, safety , security , and/or energy consumption. These requirements, usually called Non-Functional Requirements (NFR), are often as important as functional requirements in CPSs. Thus, if errors are discov ered late in the de velopment process because of poor Non Functional Properties (NFPs) due to design ﬂaws, a design re work is necessary and its cost will raise fast. It is thus important to ensure, as soon as possible in the design process, that considered architectures respect NFRs but also provide the best possible mar gin with respect to the limit imposed by these NFRs. This boils do wn to optimize these architectures, either during the modeling phase (problem 3) or during the deployment phase (problem 4). Even though our work focuses on software architectures, speciﬁcities of CPSs require to take into consideration hardw are platform characteristics as well. Indeed, the adequacy of a software architecture with respect to these requirements, called Non Functional Requirements (NFRs), cannot be assessed without a knowledge of the underlying hardware and/or network architecture. This is the reason why we used in our work the Architecture Analysis and Design Language (AADL), an architecture description language offering the capabilities to model both the software and hardware architecture of a CPS, as well as the binding of software components onto hardware components. 1.3 Org anization of the document 7 In addition, Non Functional Properties (NFPs) ev aluation requires dedicated models in which implementation details are abstracted away in order to focus on most rele vant characteristics of the architecture for a gi ven property . T o e xtract such characteristics from a model, model transformations are often used: a model transformation is a software application that takes as input a model, and/or produce a model as output. Model transformations may be used to translate a gi ven model from one formalism to another one with the same abstraction lev el. Such transformations are called horizontal transformations. Model transformations may also be used to change the lev el of abstraction of a model by adding or abstracting a way modeling details. Such transformations are called vertical transformations. In this document, we call r eﬁnement a vertical model transformation adding modeling details. Last but not least, CPS architects often consider design alternativ es as decision variables in an optimization problem aiming at minimizing or maximizing NFPs. Howe ver , design alternati ves often come into conﬂict with respect to their impacts on NFP: most of the time, a design alternati ve improv es a NFP at the cost of degrading another NFP of a CPS. As a consequence, designers aim at providing the best possible trade-of f among NFPs of a CPS. 1.3 Organization of the document This document is org anized as follows. Chapter 2 contains an overvie w of the approach we propose to contrib ute to the resolution of the problems presented abov e. A brief presentation of related works helps to understand the originality of our approach. In chapter 3, we present the core ideas our work relies on: model transformations of architecture models for the analysis, design, and optimisation of critical CPSs. Chapter 4 gi ves more details on the work we undertook on the composition and formalization of model transformations. This work is inte grated in RAMSES, which is to the best of our knowledge the only AADL to code generation frame work implementing deterministic subsets of AADL. It is also the only AADL to code generation framework allowing ﬁne-grained timing analysis of the non-deterministic subsets of AADL. Last b ut not least, model transformation compositions for design space exploration ha ve been experimented in RAMSES on comple x optimization problems with very satisfying results. Finally , chapter 5 concludes this document and provides research perspecti ves for the w ork presented in this document. Chapter 2 Over view of contrib utions Contents 2.1 A pproach: Architectur e reﬁnement framew ork . . . . . . . . . . . . . 9 2.2 Ov erview of the State-of-Art . . . . . . . . . . . . . . . . . . . . . . . 11 2.3 Super vised PhD students . . . . . . . . . . . . . . . . . . . . . . . . . 16 In the previous chapter , we have deﬁned ambitious and dif ﬁcult research problems. W e contributed to their resolution through the deﬁnition of an architecture models reﬁnement frame work we present in section 2.1. W e then present in section 2.2 a brief o vervie w of the state of the art in this domain, before to summarize this activity in terms of PhD students supervisions (section 2.3). 2.1 A pproach: Ar chitectur e reﬁnement framew ork In order to answer the research problems introduced in previous chapter , we proposed a method based on model reﬁnements, analysis, and optimization. The general idea behind this approach is to bridge the gap between requirements model and source code by deﬁning model transformations that progressiv ely lo wer the abstraction lev el of design models. Thus, from an abstract model provided by a CPS architect, we propose to deﬁne and compose model transformations which produce reﬁned and optimal (or near optimal) architecture models. Such transformations would, for instance, integrate design patterns in the initial architecture model. 10 Overvie w of contributions W e then analyze the resulting models in order to ev aluate the impact of the reﬁnement on the system’ s NFPs and select architectures answering at best the trade-of f among NFRs. W e continue this process until we deﬁne implementation models, i.e. architecture models with a straightforward correspondence between model elements and source code ( e.g . a one-to-one mapping between each modeling element and a construction in the underlying programming language and/or operating system conﬁguration). Figure 2.1 illustrates this approach in a two stages reﬁnement process: the input architecture model is reﬁned into a set of architecture candidates. These candidates, are, when possible, analyzed to compute their NFPs and veriﬁed to check the design meets predeﬁned NFR and structural constraints. Architecture candidates satisfying predeﬁned NFRs and structural constraints are then selected and further reﬁned into a set of implementation models. Again, these models are analyzed and the most appropriate model(s) is (are) used to automatically generate the corresponding source code. D es i g n I m pl e m en t at i o n A r c h i t ec t u r e m o d el H i g h er a b s t r a ct i o n l ev el L o w e r a b s t r a ct i o n l ev e l I m p l em en t at i o n m o d el G e ner a t e d s o ur c e co d e 1- t o- 1 m a ppi ng C an d i da t e a r c h i t ec t u r es C a nd i d at e a r c h i t ec t ur e s C an d i d at e ar ch i t e ct ur e s N FPs co m p u t a t i o n M o d e l t ra ns f orm a t i o n var i an ts ( e .g. de s i gn pa t t e r ns ) A rc hi t e c t ure s e l e c t i on C an d i dat e ar ch i t ect u r e s C a n di d at e ar ch i t e ct ur e s C a n d i d at e ar ch i t e ct ur e s C an d i da t e a r c h i t ec t u r es N FPs c om pu t at i o n C a nd i d at e a r c h i t ec t u r es C an d i dat e ar ch i t ect u r e s Sche d ul i ng an al y s i s C a nn o t be a na l yz e d ( e .g. do not re s p e c t a na l ys i s a ppl i c a t i on c ondi t i ons ) U ns a t i s f i e d re qui re m e nt s ( e .g. e nd- t o e nd l a t e nc y) Se l e ct ed ar c hi t ec t u r e M od e l t r an s for mati o n I m p l em e n t a t i o n m od e l I m p l e m en t at i o n m o d e l s Figure 2.1: Proposed reﬁnement framework for CPS design models 2.2 Overvie w of the State-of-Art 11 By lo wering the abstraction le vel of models used for both code generation and analysis, we improv e consistency between analysis results and softw are implementation. More generally , we aim at applying model transformations and analyze output models to control the impact of these transformations on NFPs. This work contributes to the resolution of problem 1. Because timing properties and in particular real-time tasks scheduling plays an important role in CPSs design, we ﬁrst experimented these ideas so as to improve precision and/or reduce the pessimism of timing analysis based on architecture models. This work contributes to the resolution of problem 4. W e also work ed on model transformations formalization as a mean to verify their correctness: we deﬁned structural constraints on output models and proposed a method to deﬁne model transformation chains enforcing the respect of these constraints; we also deﬁned a method to v alidate model transformation chains by producing inte gration test cases co vering unit test requirements. This work contributes to the resolution of problem 2. Last but not least, we proposed a design space exploration framework combining multi- objecti ves optimization techniques and model transformations composition in order to pro- duce architecture models answering at best a trade-of f among NFPs. This work contrib utes to the resolution of problem 3. Pursuing the objecti ve to provide Reﬁnement T echniques for Real-time Embedded Systems Ar chitectur es , the work we present in this document cov ers different research domains: 1. Real-time scheduling analysis, 2. Model Driv en Engineering, 3. Design Space exploration, 4. Safety and Security . W e giv e a rapid ov ervie w of the state of art of these domains in next section. 2.2 Over view of the State-of-Art Research areas mentioned at the end of the previous section co ver a huge number of relev ant research works. In this section, we do not seek for an exhaustiv e presentation of these areas. Instead, we aim at providing a minimal background information to ha ve our readers understand the scientiﬁc context in which our research ef forts were undertaken. Architectur es description Languages. W orks in the domain of architecture description languages aim at deﬁning modeling languages for software architectures, hardware archi- tectures, or a combination of both. Historically , research w orks in this area ha ve produced 12 Overvie w of contributions formalisms, which may be Modeling Languages, Architecture Description Languages and/or Component-Based Modeling languages. In the domain of CPS, different languages hav e been proposed, such as SCADE 1 , MA TLAB/SIMULINK 2 , LUSTRE [ 35 ], Giotto [ 36 ], Polychrony [ 33 ], the Synchronous Data Flo ws Graphs (SDFGs) [ 43 ], Wright [ 2 ], BIP [ 15 ], ProCom [ 17 ], the Palladio Component Model (PCM) [ 67 ], Fractal [ 16 ], UML/MAR TE [ 56 ], and the Architecture Analysis and Design Language (AADL) [ 5 ]. These languages dif fer in many aspects, including the Model of Computation and Communication (MoCC) they deﬁne. For instance, SCADE relies on the synchronous model of computation in which computations and communications are assumed to take zero time. This hypothesis is satisﬁed if the underlying Computation Unit (CU) is fast enough to process input and produce results before the acquisition of the next input. Relaxing the synchronous hypothesis, Giotto deﬁnes a Logical Execution T ime (LET) model of computation where components, modeled as tasks, take a predeﬁned amount of time (the LET) to ex ecute. Communications with a component ( i.e. inputs reading, outputs writing) can only occur outside its LET interval (i.e. when the component is not executed). In SDFGs, the focus is more on communications among components than on their independent execution: applications are described as a set of communication channels connecting applications (also called actors, processes or tasks). These channels model communication FIFO queues, and the ex ecution of an application is triggered by the content of its input queues. Last but not least, AADL is a standardized modeling language aiming at gathering both a representation of the software architecture, the hardware architecture, and the binding of software components onto hardw are components. In our work, we consider source code generation as the ﬁnal objectiv e of an ef ﬁcient MDE process. In some industry , and in particular in the transportation domain, sev eral success stories show the added v alue of automated source code generation techniques. MA TLAB/SIMULINK and SCADE SUITE provide source code generator widely used today . Note that these code generators produce the so-called functional code, i.e. software responsible to answer functional requirements. Another part of software applications for CPSs is called technical code, i.e . software responsible for interf acing functional code with the hardware platform of the CPS. In this conte xt, AADL is an interesting architecture description language since it allows to represent both the software architecture, the hardware architecture, and the allocation of software components on hardw are components. In addition, as illustrated on ﬁgure 2.1, we aim at representing CPSs architecture at different abstraction le vel. This is also a facility of fered by AADL, which was experimented during the PhD of Fabien Cadoret (2010 - 1 https://www .ansys.com/products/embedded-software/ansys-scade-suite 2 https://www .mathworks.com/products/simulink.html 2.2 Overvie w of the State-of-Art 13 2014). W ith respect to its usability in industrial applications, AADL is a standard with a high visibility . This is an important asset when it comes to experiment our work on industrial case studies. Last but not least, AADL deﬁnes a MoCC which is conﬁgurable thanks to standardized properties. For some subsets of AADL conﬁgurations, the MoCC is deterministic and matches e xisting formally deﬁned languages ( e.g . LET or SDFGs). In the PhD of Fabien Cadoret and Roberto Medina, we identiﬁed subsets of AADL with a deterministic and formally deﬁned MoCC. Being adv anced users of the language, we ha ve also contributed to its ev olution by (i) providing re gular feedback to the AADL standardization committee, and (ii) by leading the re vision of its Behavior Annex: a sub-language of AADL dedicated to modeling components behavior with state machines. Scheduling and analysis of real-time systems. Among NFRs of CPSs, timing requirements plays an important role. Indeed, one of the speciﬁcities of CPSs is that they control physical systems. This means CPSs implement control loops ex ecuted repeatedly with a frequenc y that is deri ved from an analysis of the system’ s physics. If the results of this control law are not produced in time, the ph ysical system does not wait. This is why , in real-time systems, the outputs produced by a software function are v alid if their computation is correct, and they are produced before a predeﬁned deadline . In order to ensure timing requirements are alw ays satisﬁed, Liu and Layland [ 46 ] proposed to model software applications with a set of tasks τ = { τ i } i = 1 .. N characterized by: • a period T i : the minimum delay between two consecutiv e executions of a task τ i . • a capacity C i : the time required for the CU to execute task τ i . C i is usually set to the worst-case e xecution time (WCET) of τ i . • a deadline D i : time interval between the release of τ i and the date at which τ i must hav e ﬁnished its execution. Since the deﬁnition of this very ﬁrst task model, real-time systems hav e been intensiv ely studied and this research ﬁeld has signiﬁcantly matured. In particular , one important issue with the initial model introduced Liu and Layland is the induced pessimism on tasks response time which leads to a poor resource usage. Different sources of pessimism are indeed cumulated when v erifying tasks al ways meet their deadlines, since the veriﬁcation methods assume: • tasks always e xecute all together for their worst case e xecution time; • if tasks share data is a protected access, they ex ecute all together spending the longest possible time in all their critical sections, causing signiﬁcant blocking times. 14 Overvie w of contributions In practice, the probability that one task executes for its WCET is lo w , so the probability they all together execute for their WCET is very lo w . T o ov ercome this limitation, methods based on allo wance [14] or mixed-criticality scheduling [19] ha ve been proposed. In the PhD of Fabie n Cadoret, we ﬁrst proposed to use AADL in order to implement ﬁne-grain and less pessimistic response time analysis [ 13 ]. The objectiv e was to reduce pessimism due to the presence of critical sections. W e studied this problem in the conte xt of a vionics systems using the ARINC653 standard: in this context, blocking time induced by inter -partition communications is particularly signiﬁcant. W e also proposed a lock free implementation for a deterministic MoCC [ 21 , 38 ]. More recently , in the PhD of Roberto Medina, we ha ve considered a MoCC for which, by construction, data access protection is not needed: Directed Acyclic Graphs (D A Gs) of tasks. Using this well-known MoCC, we hav e proposed new methods to schedule D A Gs of mixed-criticality tasks. In this research work, we sho wed the capacity of AADL to model such MoCCs. Even more signiﬁcant, we used AADL to implement step-wise architecture reﬁnements and proceed to timing analysis at dif ferent abstraction lev els. This work has been inte grated in the RAMSES platform 3 , an open source AADL to AADL model transformation and code generation platform. Building on the knowledge g ained designing model transformations in RAMSES, we de vel- oped ne w research acti vities dedicated to (i) compose and validate model transformations, and (ii) implement model-based design e xploration techniques. W e brieﬂy introduce these methods in next subsection. MDE and Model transf ormations for CPS. Model transformations are software appli- cations taking model(s) as input and producing model(s) as output. Even though model transformations can be written in any programming language, they are by essence dif ﬁcult to write. Indeed, a model transformation consists in transforming a typed graph into another typed graph. Writing and maintaining such applications rapidly becomes dif ﬁcult [ 29 ]. For these reasons, dedicated model transformation methods [ 25 , 55 ] and languages [ 39 , 58 , 4 ] and ha ve been proposed. In RAMSES, we hav e initially decided to use A TL as a trade-of f between the rigor of its semantics, and its simplicity of use. In addition, we decided to decompose model transformations as a chain of AADL to AADL transformations in order to enable veriﬁcations on intermediate AADL models. Ho wev er , we use model transformations in the context of critical CPSs, hence we hav e to pay extra attention to the validation of these transformations. This is why we proposed to formalize model transformations and more speciﬁcally model transformation chains. In the PhD of Cuauhtémoc Castellanos, we proposed a formalization of model transforma- 3 https://mem4csd.telecom-paristech.fr/blog/ 2.2 Overvie w of the State-of-Art 15 tions in Alloy [ 37 ]. From this formalization, and the speciﬁcation of constraints on the output model (expressed with ﬁrst order logic) we were able to automate the production of model transformation chains to produce output models satisfying the constraints [23, 22]. In the PhD of Elie Richa, we proposed a formalization of A TL as Algebraic Graph T rans- formations (A GT) [ 27 ]. An automated mapping to Henshin, as well as the automated construction of the weakest liberal precondition pav ed the way tow ards different kinds of A TL transformations veriﬁcation [ 61 , 60 ]. This work w as deﬁned as part of an integration test case generation, but it could also be used for pro ving model transformations. In addition to our contributions on model transformations formalization, we proposed to use model transformations as a medium for design space e xploration. W e describe this work in next subsection. Design space exploration. As CPS hav e to meet conﬂicting objectiv es with respect to their NFPs, lots of work ha ve been conducted to automate design space exploration for CPSs. In particular , frameworks such as ArcheOpterix [ 1 ], PerOpteryx [ 40 ], and A QOSA [ 45 ] are model-based DSE frameworks in the sense that they rely on an input modeling language ( i.e. AADL, PCM) and they pro vide interfaces for models analysis, optimization problems deﬁnition, and constraints v alidation. As an extension to these principles, we proposed in the PhD of Smail Rahmoun to deﬁne design space exploration problems by composition of model transformation v ariants [ 63 , 65 ]. The DSE frame work we dev eloped relies on genetic algorithms, and our method based on model transformations composition had the follo wing advantages: ﬁrst, by transferring structural v alidity constraints from the output model to the composition process, only valid architectures are considered during the e xploration process. W e expressed v alidity constraints with boolean formula and used SA T solving techniques to ensure explored architecture satisfy the v alidity constraints. Second, by deﬁning model transformation composition techniques for DSE, we keep the optimization framework (based on genetic algorithm) completely generic: it only requires the deﬁnition of alternativ e model transformations as the deﬁnition of a ne w optimization problem. Follo wing very similar ideas, the MOMoT frame work was designed in parallel [ 30 ]. This work, as well as ours, fulﬁll the objecti ve to make DSE generic. Howe ver , as opposed to our work, this w ork does not proceed to the v alidation of structural constraints during the composition of model transformation rules but after their application. As sho wn in [ 65 ], this would lead to a prohibitiv e loss of performance on complex optimization problems. Safety and Security . When deﬁning model dri ven methods for critical software applications, safety and security issues ha ve to be considered. Safety related concerns ha ve alw ays been considered in our work, either by considering platforms ( e .g. operating systems), standards 16 Overvie w of contributions ( e.g . for certiﬁcation), or design patterns ( e.g . triple modular redundancy) dedicated to improv e systems safety . More recently , we hav e started a PhD with Jean Oudot aiming at deﬁning quantitati ve e valuation methods for CPS security , as well as architecture optimiza- tion methods for CPS security . W e also started another PhD with Maxime A yrault aiming at deﬁning design methods and runtime mechanisms to improving the resilience of CPSs to cyber attacks. 2.3 Supervised PhD students Fig. 2.2 provides a rapid o vervie w of the PhDs undertaken with the aforementioned general objecti ves. In this ﬁgure, PhDs hav e been placed with respect to the research areas they contribute to. S c h e d u lin g a n d  m in g a n a ly s is o f r e a l -  m e s y s t e m s M o d e l t r a n s f o r m a  o n a n d s o u r c e c o d e g e n e r a  o n S a f e t y a n d s e c u r it y o f e m b e d d e d s y s t e m s O p  m iz a  o n a n d d e s ig n s p a c e e x p lo r a  o n R . M e d i n a C . C a s t e l l a n o s E . R i c h a J . O u d ot M . A y r a u l t F . C a d or e t S . R a h m o u n Figure 2.2: Thematic distribution of co-supervised PhD students These students hav e studied, with dif ferent vie wpoints and objectiv es, the problems presented in section 2.3: • Fabien Cadoret (02/2010 - 05/2014): initial proposal of the approach presented on ﬁgure 2.1, with a focus on consistency between models used for schedulability analysis and models used for code generation (thus contrib uting to solve problem 1). Fabien Cadoret also studied a deterministic MoCC of AADL, for which he proposed lock-free implementation v ariants (thus contributing to solv e problem 4). • Cuauhtémoc Castellanos (09/2011 - 12/2015) proposed to formalize model transforma- tions into Alloy in order to ensure their composition always leads to analyzable models. W ith respect to the approach presented in ﬁgure 2.1, this work aimed at chaining model 2.3 Supervised PhD students 17 transformations in order to reduce the abstraction le vel of models used for analysis (contribution to solve problem 1) while making sure the model transformation is correct in the follo wing sense: the model it produces respects the application condition of predeﬁned analysis techniques (contribution to solv e problem 2). • Elie Richa (01/2012 - 12/2015) also studied the correctness of model transformations (problem 2) with another viewpoint: ho w to ease the veriﬁcation and v alidation of their implementation? In this PhD, we deﬁned a test framew ork for model transfor- mation chains, allo wing to enforce unit test co verage (where a unit is a single model transformation) using integration tests ( i.e . tests on model transformation chains). • Smail Rahmoun (11/2013 - 02/2017) extended the work of Fabien Cadoret and Cuauhté- moc Castellanos by considering design space exploration based on model transfor- mations as a multi-objectiv e optimization problem aiming to improv e NFPs. This extension is presented in the upper part of ﬁgure 2.1, were candidate architecture are selected according to their NFPs. This work helped to automate the deﬁnition of near-optimal architectures, which is an important part of our initial goal: make the design process of CPSs more reliable by starting with the best possible design. In addition, the proposed approach w as both applied on design patterns for safety (thus reusing and extending model transformations proposed by Cuauhtémoc Castellanos) and code generation (thus reusing and extending model transformations proposed by Fabien Cadoret). • Roberto Medina (11/2015 - 01/2019) studied more speciﬁcally the problem of resource usage efﬁcienc y in real-time embedded systems (problem 4). This is an important topic in our context as impro ving the reliability of software de velopment in real-time CPS often leads to consider margins on tasks execution time. As a consequence, computation resources are poorly used whereas system designers aim at deploying more and more complex applications in CPSs. As a contribution to solv e this problem, Roberto Medina proposed new scheduling techniques on multi-core architectures based on the concepts of Mixed-Criticality , applied to directed acyclic graphs of tasks. In particular , we deﬁned in this work ne w methods to (i) ensure schedulability of high criticality functions and (ii) e valuate the impact of sharing computation resource among functions of dif ferent criticality le vels on the quality of service of low criticality functions. • Jean Oudot (09/2017 - ) is working on the deﬁnition of quantiﬁcation methods for cyber -security of CPSs. Indeed, cyber security is becoming an important problem 18 Overvie w of contributions in the design of CPS since these systems are becoming more and more connected to their en vironment. These interactions with their en vironment make CPSs subjects to cyber attacks with a more and more important surface attack. As opposed to traditional information systems or desktop computers, CPSs also hav e to meet stringent safety , performance, and/or energy consumption properties. For this reason, integrating security counter measures in CPS architectures raises important challenges in terms of multi-objecti ve optimization problems. In particular , we aim at deﬁning a methodology to select the set of suf ﬁcient counter measures to reach a lev el of acceptable risk while minimizing the impact of these counter measures on safety and performance properties. This work will contribute to the resolution of problem 3, with an emphasis on security counter measure selection and conﬁguration. • Maxime A yrault (10/2018 - ) is also studying c yber security of CPS b ut with a dif ferent vie wpoint: ho w to improve their resilience to attacks? Indeed, it is impossible to anticipate all the potential vulnerabilities of a complex CPS. In addition, once a CPS is deployed and used, attackers have time to study the system and discov er ne w vulnerabilities. For this reason, it is important to deploy resilience mechanisms in CPSs to delay as much as possible the ef fecti veness of an attack and/or its propagation. This problem is obviously connected to the design of CPS architectures since resilience mechanisms hav e to be deﬁned at design time. This work is going to contribute to the resolution of problem 3, with an emphasis on resilience to cyber attacks. I ha ve been the advisor of the ﬁrst 6 PhD students listed above, and I am the supervisor of Maxime A yrault’ s PhD. In next chapters (3 and 4), we describe more precisely these research contributions and their link with the general approach presented on ﬁgure 2.1. Chapter 3 Ar chitectur e Models T iming Analysis Contents 3.1 AADL Reﬁnement Framew ork . . . . . . . . . . . . . . . . . . . . . . 21 3.2 Code generation and ﬁne-grain analysis of partitioned systems . . . . 22 3.3 P eriodic delayed communications . . . . . . . . . . . . . . . . . . . . 27 3.4 Mixed-criticality D A Gs analysis . . . . . . . . . . . . . . . . . . . . . 30 3.5 Concluding r emarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 CPSs are subject to various non-functional requirements, and timing performance is an important class of such requirements when architecting softw are applications of a CPS. In addition, Model Dri ven Engineering (MDE) advocates for the use of models in order to improv e the de velopment process, as well as the quality , of these applications. In this chapter , we present a MDE framew ork aiming at automating the production of software applications of CPSs. In particular , we consider source code generation as the ﬁnal objecti ve of an ef ﬁcient MDE process. In some industry , and in particular in the transportation domain, sev eral success stories show the added v alue of automated source code generation techniques. MA TLAB/SIMULINK and SCADE SUITE provide source code generator widely used today . Note that these code generators produce the so-called functional code, i.e. software responsible to answer functional requirements. Another part of software applications for CPSs is called technical code, i.e . software responsible for interf acing functional code with the hardware platform of the CPS. 20 Architecture Models T iming Analysis When it comes to the ev aluation of timing performance in software architectures, both functional and technical concerns can have a great impact on the result. For instance, functional code is the main software artifact used to compute the execution time of tasks, i.e. their capacity C i as deﬁned in the previous chapter . On the other hand, technical code may implement complex communication mechanisms with a signiﬁcant impact on timing performance. This is particularly true in avionics ARINC653 systems with inter partition communications. Nowadays, v ery few MDE frame works are able to consider both the functional and technical code of a software application when ev aluating their timing performances. In this chapter , we present our contributions on the timing analysis of software architectures for CPSs. The remainder of this chapter is org anized as follo ws. Section 3.1 giv es an ov ervie w of the MDE framew ork we hav e designed to experiment our research activities. In the follo wing sections, we present subsets of the AADL modeling language for which this frame work was e xperimented: partitioned ARINC653 systems in section 3.2, periodic delayed queued communications in section 3.3, and D A Gs of mixed-criticality tasks in section 3.4. Results presented in sections 3.2 and 3.3 are results of Fabien Cadoret’ s PhD. Results presented in section 3.4 were obtained during Roberto Medina’ s PhD [ 52 – 54 ]. Figure 3.1 sho w ho w these contributions are positioned with respect to the approach we described in chapter 2. 3.1 AADL Reﬁnement Frame work 21 D es i g n I m pl e m en t at i o n A r c h i t ec t u r e m o d el H i g h er a b s t r a ct i o n l ev el L o w e r a b s t r a ct i o n l ev e l I m p l em en t at i o n m o d el G e ner a t e d s o ur c e co d e 1- t o- 1 m a ppi ng C an d i da t e a r c h i t ec t u r es C a nd i d at e a r c h i t ec t ur e s C an d i d at e ar ch i t e ct ur e s N FPs co m p u t a t i o n M o d e l t ra ns f orm a t i o n var i an ts ( e .g. de s i gn pa t t e r ns ) A rc hi t e c t ure s e l e c t i on C an d i dat e ar ch i t ect u r e s C a n di d at e ar ch i t e ct ur e s C a n d i d at e ar ch i t e ct ur e s C an d i da t e a r c h i t ec t u r es N FPs c om pu t at i o n C a nd i d at e a r c h i t ec t u r es C an d i dat e ar ch i t ect u r e s Sche d ul i ng an al y s i s C a nn o t be a na l yz e d ( e .g. do not re s p e c t a na l ys i s a ppl i c a t i on c ondi t i ons ) U ns a t i s f i e d re qui re m e nt s ( e .g. e nd- t o e nd l a t e nc y) Se l e ct ed ar c hi t ec t u r e M od e l t r an s for mati on I m p l em e n t a t i o n m od e l I m p l e m en t at i o n m o d e l s C o n t r i b u t i o n s p er i m et er , Fab i e n C ad o r et an d R o b er t o M ed i na Figure 3.1: Perimeter of research activities presented in this chapter 3.1 AADL Reﬁnement Framework In order to automate code generation for CPS while mastering the impact of generated code on timing performance, we proposed in 2011 a model transformation and code generation frame work based on AADL, called RAMSES [ 13 ]. The basic principles of this frame work are depicted on ﬁgure 3.2. The idea is to proceed to code generation in a step-wise model transformation process which would (i) e xhibit the generated code into intermediate AADL models ( e.g. reﬁned AADL model on ﬁgure 3.2), (ii) analyze these intermediate models, until (iii) the AADL model reaches an abstraction level leading to a very simple mapping from AADL to source code constructions. One of the major beneﬁt of this approach is to reduce the semantic gap between models used for analysis purpose, and models used for code generation per se. 22 Architecture Models T iming Analysis RAMSES model transformation Refined AADL model AN AL YSE Analysis RAMSES code generator Automatically generated code Initial AADL model Reduced semantic gap Figure 3.2: Overvie w of RAMSES functionalities This frame work has been the playground of se veral ideas and experiments presented through- out this document. W e describe those related to timing analysis in the remainder of this chapter . 3.2 Code generation and ﬁne-grain analysis of partitioned systems As mentioned in the introduction of this document, CPSs are often critical systems. Howe ver , among softw are components of a CPS, only a fe w are expected to have a high criticality lev el. As a consequence, CPS designers ha ve to provide safe methods to share computation and storage resources among software components of dif ferent lev els of criticality . In the avionics domain, this problem has been solved by de veloping dedicated fault con- tainment mechanisms in operating systems. These mechanisms are called time and space partitioning: applications are statically provisioned with dedicated memory and e xecution time slots and the operating system is in charge of enforcing the applications to remain within these predeﬁned slots. Partitioned operating systems are kno wn to ensure a good time and space isolation among software applications the y ex ecute, to the price of a timing ov erhead in communication mechanisms. This timing ov erhead is ev en more signiﬁcant when considering communications among dif ferent partitions. Input models description. Follo wing the general principles described in section 3.1, we hav e proposed a method to precisely take into account this ov erhead when verifying timing requirements of a CPS. This method w as ﬁrst published at the International Conference on Complex Computer Systems [ 20 ] and specialized to a case study from the real-time systems domain in a publication at the international symposium on Rapid Systems Prototyping in 2014 [ 13 ]. The proposed method takes as input (i) the AADL model of applications 3.2 Code generation and ﬁne-grain analysis of partitioned systems 23 deployed on a partitioned system using the ARINC653 annex of AADL, and (ii) a behavioral description of the runtime services of an ARINC653 system provider , using the behavior annex e of AADL. The AADL model of applications is composed of a set of interconnected processes, theme- selves composed of interconnected tasks. In addition to these structural characteristics, models may come with a description of tasks internal beha vior . The task set is e xpected to be described with the follo wing information: • timing consumption of each subprogram or thread component: either as a timing interv al (bounded by best and worst case e xecution time) for subprograms or threads, or timed beha vior actions (in the behavior anne x), or a set of properties that enable to compute such timing consumptions from the control ﬂow graph of the components ( e.g . time of assignment actions, subprogram calls, expressions, etc.); • accesses to shared data, in order to describe which component has access to a shared data, when does it access it, and what is the access policy to be considered for schedu- lability analysis; • scheduling properties of the task set: scheduling protocol, periods, deadlines, and priorities (if needed, depending on the scheduling protocol). AADL models of the runtime services are provided by RAMSES, with the support of operating systems provider . These models takes the form of a library of AADL subprograms and data components deﬁnition. Their behavior is described with the same elements as those described in pre vious paragraph for threads description. Their timing characteristics are supposed to be provided by operating systems v endors. Model reﬁnements in RAMSES. Figure 3.3 illustrates the principles of the architecture reﬁnement implemented in RAMSES in order to provide ﬁne-grain schedulability analysis. On the part A of the ﬁgure, we represented a summary of the input models : the architecture model on top, provided by an end-user of the framew ork, and the runtime services on the lo wer part, provided by an operating system vendor . As speciﬁed on the ﬁgure, the AADL code of the receive_input runtime service is provided in listing 3.1. Part B of the ﬁgure represents the result of the reﬁnement implemented as an automatic model transformation in RAMSES. This transformation expands abstract communication interfaces ( i.e . AADL ports) into data accesses and subprogram calls. Data accesses enable threads to write or read the v alue of shared v ariable Pi _ shared _ d at a , which contains data exchanged between threads through these ports. Global variable Pi _ l ock enables to protect accesses to Pi _ shared _ d at a . Subprogram calls are represented on part C of the ﬁgure (see receive _ in put ! ( ... ) ). 24 Architecture Models T iming Analysis Pi_shared_data:,Float, subprogram receive_input -- see listing 2.1 end receive_input T ask T2 Period = 50 ms T ask T1 Period = 100 ms Pi: Float Pi_lock :, ARINC653_semaphore, Port_local :, Float, computation (1ms..2ms) receive_input !( port_local , Pi_shared_data_access , Pi_lock_access) C o mputation (5ms..5ms) computation (18ms..22ms ) receive_input !( port_local , Pi_shared_data_access , Pi_lock_access) computation ( 8ms..10ms) S4 S3 S2 S1 A B C Legend: Data access T ask T1 Period = 100 ms T ask T2 Period = 50 ms Figure 3.3: Model Reﬁnement for Timing Analysis Listing 3.1 sho ws the AADL model of the receive _ in put subprogram of the runtime services we use to implement communications between AADL threads. In addition, this listing provides the deﬁnition of a processor component which according to the AADL standard, is an abstract e xecution platform that represents both the hardware e xecution unit, and the operating system running on it. The reason for modeling the processor at this stage is that ex ecution times of threads and subprograms obviously depend on the processor they are ex ecuted on. From a timing analysis vie wpoint, this model contains the following information: • A computation statement describes that an execution time interval of one to tw o milliseconds is necessary at the beginning of the execution of this subprogram (see line 12 of listing 3.1). Note that these timing characteristics are only valid when the subprogram is e xecuted on the x86 processor (modeled in the same listing) as speciﬁed by the “in binding” statement line 12. • Execution time of subprogram receive _ in put can also be deduced from the assignment action line 14, combined with (i) the data size of operands of the assignment and (ii) the assignment time property gi ven in line 22 of the listing. • Data accesses are represented in lines 13 and 15, with respectiv ely a locking and unlocking access to shared data that will be connected to interface loc k_access (line 5). 3.2 Code generation and ﬁne-grain analysis of partitioned systems 25 1 s u b p r o g r a m r e c e i v e _ i n p u t 2 f e a t u r e s 3 v a l u e _ o u t : o u t p a r a m e t e r F l o a t ; 4 d a t a _ s t o r a g e : r e q u i r e s d a t a a c c e s s F l o a t ; 5 l o c k _ a c c e s s : r e q u i r e s d a t a a c c e s s A R I N C 6 5 3 _ s e m a p h o r e ; 6 a n n e x b e h a v i o r _ s p e c i f i c a t i o n { * * 7 s t a t e s 8 s 1 : i n i t i a l f i n a l s t a t e ; 9 t r a n s i t i o n s 10 t 1 : s 1 − [] − > s 1 11 { 12 c o m p u t a t i o n ( 1 ms . . 2 ms ) i n b i n d i n g ( x 8 6 ) ; 13 l o c k _ a c c e s s ! < ; 14 v a l u e _ o u t : = d a t a _ s t o r a g e ; 15 l o c k _ a c c e s s ! > ; 16 } 17 * * } ; 18 e n d s e n d _ o u t p u t ; 19 20 p r o c e s s o r x 8 6 21 p r o p e r t i e s 22 A s s i g n _ T i m e = > [ F i x e d = > 0 u s ; P e r _ B y t e = > 5 0 u s ] ; 23 e n d x 8 6 ; Listing 3.1: AADL Runtime Services Component In order to analyze the reﬁned model illustrated on parts B and C of ﬁgure 3.3, at least three alternati ves e xist: 1. transform the intermediate model into a formal model to apply model checking tech- niques. Giv en its features, TIMES [ 3 ] would be a good candidate but to the best of our knowledge, it does not cov er hierarchical scheduling (which is an important feature of ARINC653 systems). Another possibility could be to use more generic formal models such as timed automata or timed Petri nets. Howe ver , the translation of AADL to such models is a difﬁcult task for which different research works were already undertaken [ 8 , 66 ]. These works only cov er a subset of AADL which is not he one considered in our work. 2. transform the intermediate model into a single task set with the follo wing character- istics: each task is gi ven for its capacity its WCET , and each critical section of each task is characterized by its WCET as well. The resulting model is simple to analyze with tools such as Cheddar [ 72 ] but it may cumulate pessimism (and thus waste of computation resources). Indeed, when a job executes for its task’ s WCET , it may spend little time in its critical section, and vice versa (when a job enters a critical section’ s WCET , it may spend little time in the task itself). 3. transform the intermediate model into a set of task sets: the control ﬂow graph of each task of the intermediate model is transformed into an execution tree (going from one 26 Architecture Models T iming Analysis suspended state of the task to another suspended state). Among the branches without accesses to locks, we only k eep the one with the highest e xecution time. Branches with accesses to locks are kept as is in the tree. T ask sets are then built from e xecution trees by applying a cartesian product of the set of execution branches of each task. Then, each task set is simple to analyze with tools such as Cheddar [72]. Case study . W e experimented the latest alternativ e in [ 13 ]. The number of task sets to analyze gro ws rapidly with the number of branches in tasks ex ecution trees. The number of task set conﬁgurations to analyze mainly depends on the characteristics of the input model: the number of conﬁguration to analyze grows with the number of conditional branches in which shared data are acquired and released. Figure 3.4 illustrates the AADL architecture of a case study from the train industry . In this domain, the main business objecti ve is to reduce the time interval separating two consecuti ve trains while guaranteeing passengers safety . T o reach this objectiv e, the adaptation of po werful CU giv es the opportunity to embed more computation power on-board trains. Functions traditionally deployed on the wayside infrastructure can then be embedded on- board in order to reduce response- time of functions. Trains may then be closer to one another by depending less on the wayside infrastructure. Ho we ver , grouping functions on-board the train should not lead to hardware resources ov er-consumption otherwise the safety of the system may be put at risk. Because train application are also made up of components of different criticality le vels, parti- tioned operating systems are also studied for future architectures of these applications. Fig- ure 3.4 illustrates the AADL architecture of a simpliﬁed application called Communications- Based T rain Control (CBTC). This application is decomposed in two processes: the Auto- matic Train Operation (A TO) process, represented on the left of ﬁgure 3.4, is responsible for controlling the position, speed, and acceleration of the train. The other process, called Automatic T rain Protection (A TP), is represented on the right of ﬁgure 3.4: it communicates with the A TO in order to check the v alidity of data computed by the A TO. Our objecti ve is to ensure CUs provide enough computation po wer to host both processes. The software architecture represented conﬁgure 3.4 is made up of two AADL processes, eight AADL threads (four threads in each process), and twelve connections among ports of these threads. For the case study presented in ﬁgure 3.4, the timing analysis of our case study required the analysis of 64 tasks conﬁgurations (dif ferent v alues for the WCET of tasks and the WCET in critical sections). These conﬁgurations were analyzed using the Cheddar tool suite [ 72 ]. Experimentations were conducted on a 2.7 GHz Intel processor (Intel Core i7-3740QM; 4 cores) with 3.9 GiB memory and a SSD hard driv e disk. The complete process, from the 3.3 Periodic delayed communications 27 Figure 3.4: AADL Model of our Case Study beginning of the model reﬁnement, until the compilation of generated code, passing by the analysis of 64 tasks conﬁguration took 2 minutes and 17 seconds. Considering the comple xity of the input architecture, this result seems to be very satisfactory: of course, the number of conﬁguration to analyze can grow v ery fast by increasing the complexity of the input model, but the analysis of e very single conﬁguration is the price to pay for an e xhaustiv e analysis. Ho wev er , to limit the complexity of timing analysis, another strategy is to consider more deterministic MoCCs and to propose lock-fee implementations of these MoCCs. W e present our work related to such techniques in the remainder of this chapter . 3.3 P eriodic delayed communications MoCC presentation. The MoCC we consider in this section is a v ariant of message passing communications among periodic tasks: • Communication channels are modeled by directed ports and connections to enable v arious conﬁgurations regarding the number of sender and recei ver . • A task τ i can recei ve a set of messages on its input ports. • A task τ j can send a message on its output ports to connected input ports. • A message sent on an output port p, is ev entually receiv ed on input ports connected to p. W e reﬁned this model to ensure deterministic communications among tasks: • During each job J j of a task τ j , exactly one message is sent on each output port of a task. 28 Architecture Models T iming Analysis • A message sent by a job is deli vered to the receiving task at the recipient release time f ollowing the sender job deadline . More formally , a message sent to τ i , by the k t h job of τ j is considered deliv ered at ⌈ k · T i + D j T i ⌉ · T i (remember that T i and D i are respecti vely the period and deadline of task τ i , as deﬁned in notations used in chapter 2). • Any message deli vered to the k t h job of τ i should be remov ed from the recei ving port at time k · T i + D i . After this time, deliv ered messages to the k t h job of τ i are considered outdated. • Messages deli vered to a task are recei ved in the order of sender jobs deadlines. When sender jobs deadlines are simultaneous, a predeﬁned order noted ≺ , e.g. task priorities, is used. The model is said “periodic-delayed” as messages are periodically sent and their deli very is delayed until sender job deadlines. Such a communication model can be modeled in AADL with the follo wing properties : • The Dispatch_Pr otocol property is set to P eriodic for each thread component: tasks are periodic, • The P eriod , and Deadline properties are set for each thread component (with Dead l ine ≤ P er iod ), • The T iming property is set to Delayed for output ports of tasks: messages are sent at deadline. Note that the default value of the AADL Output_Rate property already states that one message is produced per acti vation of the producer tasks. Similarly , we use AllItems as the default value for the property Dequeue_Pr otocol , which means that all the messages a vailable at release time of the recipient will be considered as consumed at the end of its job . Lock-free implementation. In next paragraphs, we sho w how to compute message index es for sent recei ved messages order to implement these action without locks. The number of recei ved messages at time t on a queue q of size Q can be computed as follows: Received ( q , t ) = ∑ j ∈ S T q ⌊ t − D j T j ⌋ + 1 where ST q is the set of tasks sending messages to q .The index es of sent v alues can be computed as follo ws for queue q and the k t h job of a sender task τ j : Send I nd ex ( q , j , k ) = Red eived ( q , k · T j + D j ) − Fol l ower s ( q , j , k ) 3.3 Periodic delayed communications 29 where F ol l ower s is the number of successors of τ j (according to ≺ ) in ST q having their deadline at k · T j + D j . More formally: F ol l ower ( q , j , k ) = ∑ s ∈ ST q , j ≺ s C ol l id e ( s , k · T j + D j ) where Collide is deﬁned as follo ws C ol l id e ( s , t ) =    1 if t − D s T s ∈ N 0 otherwise Hence, the message sent in q by the k t h job of τ j ( τ j is the task sending messages in q ) is stored in slot Send I nd ex ( q , i , k ) mod ul o Q ( Q is the size of q ). Besides, receiv ed messages range from ( Read I nd ex ( q r , k − 1 ) + 1 ) mod ul o Q to Read I nd ex ( q , k ) mod ul o Q where Read I nd ex ( q , k ) = Received ( q , k · T i ) for the task τ i recei ving messages from q . Note that Send I nd ex ( q , j , k ) and Read I nd ex ( q , k ) can be computed independently without any internal state, reason why lock free implementations of these functions are possible. Finally , the size of q can be bound as follo ws (the proof of this result is av ailable in [21]): Q ≤ ∑ j ∈ S T q ( ⌊ 2 · T q + D max T j ⌋ + 1 ) Illustrative example T o illustrate this task and communication model, we consider the time-line depicted in Figure 3.5. This ﬁgure shows communications between three tasks: τ i J1.1 J2.1 J1.2 J2.1 Sends m1.1 Sends m1.2 J2.2 J3.1 Sends m2.2 J1.3 J1.4 Sends m1.3 J3.1 Receives : {m1.1, m2.1, m1.2} Sends m2.1 Figure 3.5: Illustrativ e Example of periodic-delayed communications with i = 1 .. 3 , T i = D i , and T 1 = 5 , T 2 = 7 , T 3 = 10 . τ 1 and τ 2 send periodically messages 30 Architecture Models T iming Analysis to τ 3 according to the communication model described abo ve. As illustrated on this ﬁgure, exactly one message is sent during each task job for τ 1 and τ 2 . Note that messages m1.1, m2.1, and m1.2 are only deliv ered at time 10. Message m2.2 will not be delivered before 20 time units, e ven though job J2.2 (that produces m2.2) already ﬁnished its ex ecution when J3.2 starts in this scenario. This model allows ensuring deterministic time for message reception independently of task interleaving and actual execution time. Notice also, that messages are ordered with respect to sender deadlines, reason why m2.1 is put before m1.2 in the queue e ven though J1.2 ﬁnishes before J2.1 sends message m2.2. This is done to enforce a deterministic order on message from the point of view of the recei ver . Finally , m1.1, m2.1, and m2.2 are discarded at completion time of J3.2 ev en if these message were not used during this job . Discussion. W ith respect to timing analysis of architecture models, periodic delayed com- munications bring the adv antage of being deterministic and can therefore be implemented without locks. As a consequence, tasks with periodic delayed communications can be consid- ered as independent tasks, which greatly simpliﬁes timing analysis. For instance, it reduces the complexity of timing analysis induced by multiple critical sections (as presented in section 3.2). Howe ver , these lock free implementations require to store data structures and ex ecute functions to retrie ve and/or compute the inde xes of sent or recei ved messages. This is why the reﬁned model produced by RAMSES is important: it allo ws to check platform resources are still sufﬁcient ev en when taking into account the o verhead due to the implemen- tation of communication mechanisms. Last but not least, delayed communications tend to increase data ﬂow latenc y , i.e . the time range separating the reception of inputs from sensors to the production of commands to actuators in a CPS. This is one of the reasons why we decided to consider task models made up of D A Gs of tasks. Another reason was the necessity to provide solutions for scheduling mixed-criticality task sets on multi-core architectures. This work is presented in next section. Note howe ver , that these two MoCCs ( i.e. D AGs and periodic-delayed) are complementary: periodic delayed communications are often used to break cycles in tasks dependencies while preserving deterministic MoCC and lock free implementations. Last but not least, scheduling real-time D A Gs is known to be a difﬁcult problem and its adaptation to mixed criticality scheduling required a PhD thesis on its o wn. 3.4 Mixed-criticality D A Gs analysis The contributions presented in section 3.2 aim at automating the analysis of tasks sets with critical sections. On hypothesis of this work was that tasks are ex ecuted on mono- core architectures. The results presented in section 3.3 show how to implement lock free 3.4 Mixed-criticality D A Gs analysis 31 communications among periodic tasks. Gi ven the communication model we considered, these results can be used when scheduling tasks on multi-core architecture. T asks would then be considered as independent, which greatly ease the application of scheduling techniques. Ho wev er , as stated at the end of pre vious section, this MoCC induces important latency on data ﬂo ws. Context. A MoCC frequently used to model critical embedded systems consists of data ﬂo w graphs. This model deﬁnes actors that communicate with each other in order to make the system run: the system is said to be data-driven . The actors deﬁned by this model can be tasks, jobs or pieces of code. An actor can only ex ecute if all its predecessors ha ve produced the required amount of data. Therefore, actors hav e data-dependencies in their ex ecution. Theory behind this model and its semantics provide interesting results in terms of logical correctness: deterministic ex ecution, starv ation freedom, bounded latency , are some examples of properties that can be formally pro ven thanks to data-ﬂo w graphs. In this work we ha ve considered a simple subclass of data-ﬂo w graphs in which data depen- dencies are directly captured into Directed Ac yclic Graphs of tasks. In this MoCC, a software architecture is made up of D AGs in which vertices represents tasks, and edges represent precendence constraint, i.e. a task can only start executing when all its predecessors hav e ﬁnished their ex ecution. In parallel, the adoption of multi-core architectures in the real-time scheduling theory led to the adaptation and de velopment of new scheduling policies [ 26 ]. Pro- cessing capabilities offered by multi-core architectures are quite appealing for safety-critical systems since there are important constraints in terms of power consumption and weight. Nonetheless, this type of architecture was designed to optimize the av erage performance and not the worst case. Therefore, ensuring time correctness becomes harder when multi-core architectures are considered: in hard real-time systems the W orst Case Execution T ime is used to determine if a system is schedulable. This observation is one of the main reason for the popularity of the mixed-criticality schedul- ing (MCS), intensiv ely studied these last years [ 19 ]. With MCS, tasks can be ex ecuted in dif ferent ex ecution modes: in the nominal mode, high and low criticality tasks are both ex ecuted with an optimistic timing b udget. When the system detects a timing f ailure e vent (TFE), i.e. a task did not complete its execution within its optimistic timing budget, the system switches to a de graded mode. In this mode, high criticality tasks are executed with their pessimistic timing b udget, discarding [74] low criticality tasks or degrading them [73] ( i.e. reducing their ex ecution frequency). Overview of the work. The schedulability problem of real-time tasks in multi-core archi- tectures is known to be NP-hard. When considering mixed-criticality multi-core systems, the problem holds its complexity . Thus, in our contributions we hav e designed a meta- 32 Architecture Models T iming Analysis remote control satellite P F C S = 10 3 2 = 3 2 = 3 motor gr ound camera 1 camera 2 disk gr ound P M ontag e = 20 4 = 4 4 = 4 2 = 3 2 = 3 3 = 4 2 2 2 2 GP S Receiv er F lig ht C tr l Altitude C tr l Guidance F il ter T rans Gr d C ap 1 C ap 2 Dif f 1 Dif f 2 C oncat B ack 1 B ack 2 E ncode T rans 2 = 3 2 = 3 3 = 4 2 2 Data Acq T rans F l eet f leet Figure 3.6: U A V software architecture with tw o MC-D A Gs heuristic capable of computing scheduling tables for the execution of Mixed-Criticality D A Gs (MC-D A Gs). The reason for choosing scheduling tables is simple: it is known to ease the certiﬁcation of critical systems and the ARINC653 scheduling of partitions (using schedule table to enforce temporal isolation of partitions) is a good e xample of this statement. In addition to this meta-heuristic, we hav e proposed a method to ev aluate the av ailability of lo wer criticality tasks. Indeed, the initial objectiv e of MCS is to improve computation resources usage by allo wing to conﬁgure the system with lo wer timing budgets than tasks WCET . In practice, this is only possible if low criticality tasks are degraded whene ver high criticality tasks need more computation resources. This impacts the quality of low criticality services. W e proposed to measure this impact in terms of a vailability . Illustration. Figure 3.6 illustrate the structure of a MC-D A G on a moti vating e xample: an U A V for ﬁeld exploration. The U A V is composed of two MC-D A Gs: the ﬁrst one takes care of the Flight Control System (FCS), noted G F CS [ 71 ]. The second MC-D A G represents a scientiﬁc workﬂo w used for image processing [ 9 ], noted G M ont age . V ertices in gray represent high criticality tasks, while white vertices are low criticality tasks. V ertices are annotated with their timing b udgets: a single value is given for low criticality tasks since the y are not ex ecuted in the high criticality mode. Full edges represent precedence constraints between tasks, while dashed edges represent the interface with the system’ s boundaries: where data is initially coming from or ﬁnally sent to. The idea behind this motiv ating example is to demonstrate that the FCS could be executed next to an image processing workﬂo w on a tri-core architecture. In the remainder of this section, we present our two main contrib utions on this task model: we ﬁrst present the scheduling method we proposed, before to e xplain how we compute the av ailability of low criticality tasks. For the sake of simplicity , we present these results on a dual criticality system with a LO and HI modes ( i.e. respecti vely lo w and high criticality 3.4 Mixed-criticality D A Gs analysis 33 modes) b ut we pro vided more general results (for any number of criticality lev els) in Roberto Medina’ s PhD thesis. ALAP implementations of MC-Correct schedules. T o begin with, we shall recall the deﬁnition of a MC-correct scheduling for D A Gs, as deﬁned in [6]: Deﬁnition 1. A MC-correct schedule is one which guarantees 1. Condition LO-Mode : If no verte x of any MC-D A G in G ex ecutes beyond its C i ( LO ) then all the vertices complete e xecution by the deadlines; and 2. Condition HI-Mode : If no verte x of any MC-DA G in G ex ecutes beyond its C i ( H I ) then all the v ertices that are designated as being of HI-criticality complete e xecution by their deadlines. In the Real-Time Systems Symposium, 2018, we proposed a suf ﬁcient conditions to guarantee Condition HI-Mode of MC-correct scheduling [54]: First, for each task τ i ex ecuting in mode χ , we deﬁne the function ψ χ i as follo ws: ψ χ i ( t 1 , t 2 ) = t 2 ∑ s = t 1 δ χ i ( s ) . (3.1) where δ χ i ( s ) =    1 if τ i is running at time s in mode χ , 0 otherwise . This function deﬁnes the e xecution time allocated to task τ i in mode χ from time t 1 to time t 2 . Deﬁnition 2. Safe T ransition Property ψ LO i ( r i , k , t ) < C i ( LO ) ⇒ ψ LO i ( r i , k , t ) ≥ ψ H I i ( r i , k , t ) . (3.2) As one cans see in equation (3.2), Safe T rans. Prop. states that, while the k -th acti vation of HI task τ i has not been fully allocated in LO mode, the budget allocated to this job in LO mode must be greater than the one allocated to it in HI mode. Intuiti vely , this guarantees that whene ver a TFE occurs, the ﬁnal b udget allocated to the job of τ i is at least equal to its WCET in HI mode. Building on the deﬁnition Safe T rans. Prop. , we proposed a meta-heuristic to build MC- correct schedules. W e also proposed se veral implementations of this meta-heuristic, based on 34 Architecture Models T iming Analysis G-EDF 1 or G-LLF (Global Least Laxity First): two well known global schedulers appreciated for their performances. In our implementations of schedulers for MC-D AGs, G-EDF or G-LLF are used to assign priorities to tasks. In addition, we proposed to improve the performance of MC-D A G schedulers by ex ecuting tasks As Late As Possible (ALAP) in HI mode, and As Soon As Possible (ASAP) in LO mode. Executing tasks ALAP in HI mode, we expect to free ex ecution slots close to tasks activ ation, usable by tasks ex ecuted ASAP in LO mode. Figure 3.7 illustrates the scheduling tables obtained with our MC-D A G scheduler , using G-LLF and enforcing the respect of Safe T rans. Prop. . (a) Scheduling table in LO mode (ASAP) (b) Scheduling table in HI mode (ALAP) Figure 3.7: Scheduling tables for the U A V , using G-LLF and Safe T rans. Prop. Evaluation framework. A systematic e valuation of the scheduling methods we proposed was performed during the PhD of Roberto Medina. W e implemented the G - A L A P - L L F and G - A L A P - E D F algorithm in an open-sourced framework 2 . In addition, since works in [ 6 ] hav e only presented theoretical results, we also implemented the federated approach. Last but not least, we dev eloped a MCS generator in order to produce man y MCS with random properties. Thanks to these tools, we generated a set of MCSs and measured the ratio for which each scheduling method ﬁnds a MC-correct schedule. 1 Global Earliest Deadline First 2 MC-D AG Frame work - https://github .com/robertoxmed/MC-D A G 3.4 Mixed-criticality D A Gs analysis 35 The random generation needs to be unbiased and unif ormly cover the possible timing conﬁgurations of MCS. T o design this random generation, we ﬁrst integrated e xisting methods to generate D A Gs with unbiased topologies [ 24 ]. This is an important aspect, since certain D A G shapes tend to be more schedulable than others. The distribution of ex ecution time for tasks is not controlled by existing D A G generation approaches. Y et, the utilization of the system is the most important factor used to perform benchmarks on real-time scheduling techniques. T o overcome this limitation, we ha ve inte grated existing methods achie ving a uniform distribution of utilizations for tasks [10, 26]. Parameters for the generation of MCS are: • U : Utilization of the system in both criticality modes. • | G | : Fixed number of MC-D A Gs per system. • | V j | : Fixed number of vertices per MC-D A G, i.e. all MC-D A Gs hav e the same number of vertices. • ρ : Ratio of HI criticality tasks. • f : Reduction factor for the utilization of HI tasks in LO mode. • e : Probability to hav e an edge between two vertices. Once these parameters are set, we ﬁrst distribute uniformly the utilization of the system to each MC-D A G. W e use the uniform distribution described in [ 10 ] to assign a utilization for each MC-D A G. The period/deadline for each MC-D A G is then assigned randomly: this period is chosen from a predeﬁned list of numbers in order to av oid prime numbers 3 (which are also av oided in the industrial context). W ith the assignment of the period and the utilization of the MC-D A G, we can distribute the utilization to tasks of the D A G. W e use UUnifast-discard [ 26 ] in this case. As opposed to the utilization that can be gi ven to DA Gs, a verte x cannot hav e a utilization greater than 1 since it is a sequential task (parallel ex ecution for a verte x is not possible). UUnifast-discard is therefore an appropriate method. The utilization av ailable for LO-criticality tasks is giv en by the difference between the utilization of HI tasks in HI mode and the utilization of HI tasks in LO mode, the dif ference being controlled by parameter f . Once the utilization of the system is distributed among MC-D A Gs and the utilization of MC-D A Gs is distrib uted among tasks, we start the generation of the topology for the MC- D A Gs. W e start by creating the HI-criticality vertices. These vertices are connected follo wing 3 Possible periods: { 100 , 120 , 150 , 180 , 200 , 220 , 250 , 300 , 400 , 500 } . 36 Architecture Models T iming Analysis 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 Acceptance rate (%) G - A L A P - L L F G - A L A P - E D F F E D M C D AG (a) m = 4 , | G | = 2 , ∑ | V | = 100 , e = 20% 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 (b) m = 4 , | G | = 4 , ∑ | V | = 100 , e = 20% 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 U norm ( S ) Acceptance rate (%) (c) m = 8 , | G | = 2 , ∑ | V | = 100 , e = 20% 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 0 0 . 1 0 . 2 0 . 3 0 . 4 0 . 5 0 . 6 0 . 7 0 . 8 0 . 9 1 U norm ( S ) (d) m = 8 , | G | = 4 , ∑ | V | = 100 , e = 20% Figure 3.8: Comparison to existing multiple MC-D A G scheduling approach the probability e gi ven by the user and without creating cycles among vertices. After the HI-criticality tasks ha ve been created, we create the LO-criticality tasks. Again vertices are connected follo wing the probability e chosen by the user and without creating c ycles. The higher the probability e , the more dense is the resulting graph: vertices ha ve more precedence constraints to satisfy , making the scheduling of the system more dif ﬁcult. Experimentation setup : W e control the parameters of the MCS generator so as to measure their inﬂuence on the performance of our method. W e expect the follo wing parameters to make the scheduling problem more dif ﬁcult: (i) the density of the graphs, (ii) the utilization of the system, (iii) the utilization per task of the system, (iv) the number of MC-D A Gs. Our experiments aim at measuring the ef fect of these parameters on G - A L A P - L L F ’ s performance. Experimentation results. Figure 3.8 provides our experimental results in terms of accep- tance rate obtained with dif ferent schedulers and various setups of the MC-D A G generator . For each point in the ﬁgure, the acceptance rate was obtained by generating 500 MC sys- 3.4 Mixed-criticality D A Gs analysis 37 tems (i.e. sets of MC-D A Gs) and measuring the percentage of these systems for which a MC-correct schedule (see deﬁnition 1) was found. Each subﬁgure shows the ev olution of the acceptance rate when the CPU usage increases. From one subﬁgure to another , the conﬁguration of the MC-D A G generator was changed. For instance, subﬁgure 3.8a shows results obtained with 2 MC-D A Gs of 100 tasks each, with an edge probability of 20% and a processor with 4 cores. Results shown on subﬁgure 3.8b were obtained using the same conﬁguration except of the number of MC-D A G: 4 MC-D AGs were generated in this case. On each subﬁgure, the acceptance rate obtained with dif ferent scheduling strategies are displayed: the red curve corresponds to the G - A L A P - L L F scheduler we proposed. It uses G-LLF to set tasks priority , enforces the respect of Safe T rans. Prop. , and executes tasks ALAP in HI mode and ASAP in LO mode. the green curve corresponds to G - A L A P - E D F , follo wing the same principles as G - A L A P - L L F but assigning tasks priorities according to G-EDF . Finally , the grey curv e corresponds to the federated approach, proposed by Baruah in [6]. W ithout entering in details into the comparison of these results, readers can easily observe that G - A L A P - L L F provides much better results than the two other methods. When it comes to the comparison of G - A L A P - E D F and the federated approach, the performance gain obtained with G-EDF depends on the system’ s conﬁguration. T o better understand the results, we shall explain ho w the difﬁculty of the scheduling problems e volve across subﬁgures. Scheduling problems obtained with conﬁguration of subﬁgure 3.8b are easier than problems obtained with the conﬁguration of subﬁgure 3.8a: when increasing the number of MC-D AGs on the same number of cores and the same CPU utilization, we tend to produce smaller tasks which is easier to schedule than more monolithic task sets. For the same reason, scheduling problems obtained with conﬁguration of subﬁgure 3.8c are easier than problems obtained with the conﬁguration of subﬁgure 3.8d, and problems corresponding to subﬁgure 3.8c are easier than problems corresponding to subﬁgure 3.8a. This classiﬁcation of the dif ﬁculty of scheduling problems is conﬁrmed by the experimental results sho w on the subﬁgures. Therefore, the ov erall comparison of obtained results tend to sho w that 1. G - A L A P - E D F is better than the federated approach for systems of intermediate dif- ﬁculty b ut the dif ference between these methods tend to be reduced for very easy or very dif ﬁcult scheduling problems. 2. G - A L A P - L L F is far better than other approaches in terms of acceptance rate. Ho wev er , solutions based on LLF are kno wn to produce an important number of preemptions among tasks. In Roberto Medina’ s PhD, we have measured the number of preemptions 38 Architecture Models T iming Analysis obtained with the dif ferent MC-D AG schedulers mentioned abov e. W ithout knowing the cost of a preemption, it is not possible to kno w how taking preemptions cost into account impacts the acceptance rate. Howe ver , since we produce scheduling tables, the number of preemptions is kno wn at design time and if we were giv en a value for preemption cost, we could easily adapt our scheduling method and decide whether the system remains schedulable. A vailability analysis of low criticality services. In addition to our contributions on MC- D A Gs scheduling, we studied the impact of mixed criticality scheduling on the quality of services of lo w criticality tasks. The objectiv e of mixed criticality scheduling is to impro ve computation resources usage, to the price of a degradation of low criticality services. Indeed, when high criticality tasks risk to miss their deadlines, low criticality tasks are discarded (or slo wed down). In our work, published at the international conference on Design Automation and T est in Europe 2018, we proposed a method to e valuate the impact of mix ed criticality scheduling on the quality of lo w criticality services. W e formalized this quality of service as the av ailability of outputs produced by low criticality tasks, and proposed enhancements of this quality of service for task sets modeled as MC-D AGs with a discard model (lo w tasks are temporarily discarded in case of TFE). T aking adv antage of the D A G, we proposed the follo wing modiﬁcations of the MC scheduling: when a TFE occurs in a low criticality task, we only discard the induced subgraph by the discard of the faulty task. In addition, we proposed to consider fault tolerance mechanisms such as the Triple Modular Redundanc y of MC-DA Gs, and/or the weakly hard nature of some tasks, which is usually formalized as follows: tasks able to continue their execution as long as less than M errors out for K consecuti ve e xecutions. In order to ev aluate the av ailability of outputs, two types of precedence relationships among tasks had to be considered: structural precendence (captured by edges in D A Gs) and temporal precedence (captured by the scheduling table obtained with techniques presented in previous sections). From these models ( i.e. MC-D A Gs and scheduling tables) we proposed a model transformation to probabilistic automata. The probabilistic nature of TFE was captures using the recent notion of probabilistic WCET [ 51 ]. Besides, a recovery tow ards the LO mode as well as the fault tolerance mechanisms were also captured with state and transitions of probabilistic automata. T o the best of our knowledge, this contribution was the ﬁrst method to compute the av ailability of lo w criticality tasks of MC systems. In addition, our experimental e v aluation, made with the PRISM framew ork [ 41 ], showed that our enhancements of this av ailability were very signiﬁcant. 3.4 Mixed-criticality D A Gs analysis 39 Figure 3.9: U A V AADL architecture: system lev el Figure 3.10: U A V AADL architecture: FCS MC-D AG Integration in RAMSES. The work presented in this section has also been integrated in the RAMSES frame work. Interestingly , the computation of low criticality tasks a vailability relies on the computation of scheduling tables. W e thus adapted the RAMSES frame work to reﬁne input AADL models by including a representation of the schedule tables. This model is then used to produce formulas or automata from which a vailability of lo w criticality functions is computed. W e also elaborated a library of AADL models to model MC-D A Gs. Figure 3.9 shows the model of the hardware multi-core platform, i.e. two cores modeled as AADL processors on the left part of the ﬁgure. For the software architecture, which is illustrated on the right part of ﬁgure 3.9, two AADL thread groups represent the MC-DA Gs of the U A V case study . In the software part, LO and HI modes are modeled with AADL modes, and e vent ports connect the hardw are part to the software part to represent potential mode switches (LO to HI in case of TFE in a high criticality task, and recovery to switch back to LO mode). Figure 3.10 represents the content of the FCS MC-D A G modeled as a set of AADL thread with data port connections. These connections are associated with a T iming property of v alue Immediate to represent in AADL the precedence constraints of D A Gs. 40 Architecture Models T iming Analysis 3.5 Concluding r emarks In this chapter , we hav e presented our contributions to answer the follo wing questions: 1. ho w to improve the consistenc y between models used for analysis and code generation purposes? 2. ho w to improve resource usage induced by pessimistic hypothesis in the design of real-time CPS? T o answer these questions, we have proposed a model reﬁnement method and its prototyping in the RAMSES frame work. This framework has been experimented on dif ferent MoCCs, sho wing the added value of model transformations in the conte xt of CPSs design. By providing answers to some of the research questions presented here abo ve, our work provides original methods to improv e the reliability of software de velopment in CPSs. T o the best of our kno wledge, this work provides a unique AADL framework for ﬁne grain timing analysis of real-time embedded systems, as well as source code generation for the most common subsets of AADL MoCCs used in safety critical real-time systems (partitioned systems, periodic delayed communications, periodic MC-D A Gs). These contributions ha ve been produced by sev eral PhD students who presented their results in well established international conferences. This work was inspired by technical discussions with industrial partners, in particular from the railway domain. Our new results bring answers to signiﬁcant concerns in this industry in particular when it comes to better understand how to improv e resource usage while ensuring safety . These results hav e also been applied in a project with the Department of Defence (USA) and the Software Engineering Institute (SEI), aiming at generating source code for a commercial operating system implementing the ARINC653 standard. As a follow up on this work, we started new research activities in order to adapt security techniques to the speciﬁcity of critical real-time embedded systems. In the scope of Maxime A yrault’ s PhD, we aim at studying the inte gration of resilience mechanisms in connected cars. More generally , we aim at impro ving the autonomy of critical systems, which is the objecti ve of a european collaborativ e project proposals we are inv olved in. These two perspecti ves are further described in chapter 5. W e hav e focused in this chapter on model transformations for source code generation, but se veral other types of model transformations were implemented in RAMSES. In particular , model transformations for remote communications, modes, and error management are of interest for timing analysis since all these transformations require to add task to the initial model in order to react on incoming messages, mode change requests, and error occurrences. 3.5 Concluding remarks 41 Building on this experience, we e xtended our research activities to wards the composition of model transformations for CPSs. W e present our contrib utions on this topic in next chapter . Chapter 4 Composition and f ormalization of model transf ormations Contents 4.1 Model transf ormation chains in RAMSES . . . . . . . . . . . . . . . . 46 4.2 A utomatic construction of transf ormation chains . . . . . . . . . . . . 48 4.3 Pr econdition construction in algebraic graph transformations . . . . 52 4.4 Design space exploration by composition of model transf ormations . . 55 4.5 Concluding r emarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 In the pre vious chapter , we hav e shown how we use model transformations to improv e software design process in the context of real-time CPSs. As stated in the introduction of this document, howe ver , model transformations are dif ﬁcult to write: they are, essentially , graphs transformation applications. This is one of the reasons why dedicated model transformation languages ha ve been deﬁned. In addition, in order to ease their maintenance and reuse, model transformations are usually written as small units of transformation which can be composed into model transformation chains: the output model of a transformation becomes the input model of the next transformation of the chain. Ho wev er , sev eral problems come from the decomposition of model transformations into chains of smaller transformations: 1. transformation con ver gence: when model transformations are chained, each transforma- tion produces an output model that becomes the input model of another transformation. 44 Composition and formalization of model transformations This process could be repeated inﬁnitely , failing to produce the output model of the chain. Ensuring existence of models produced by model transformation chains is a dif ﬁcult problem, mentioned on the upper and left part of ﬁgure 2.1. 2. output model correctness: because model transformations are complex software ap- plications, model transformation chains rapidly become difﬁcult to master . Howe ver , it is important to ensure output models correctness. This notion can be decomposed into qualitativ e and quantitativ e correctness where qualitativ e correctness boils to ensure the output model satisﬁes predeﬁned structural constraints whereas quantitativ e correctness boils to ensure the output model exhibits satisfactory NFPs. Ensuring correctness of models produced by model transformation chains is a dif ﬁcult problem mentioned on the upper and central part of ﬁgure 2.1. 3. v ariability management: in a model transformation chain, each model transformation is subject to v ariability . Indeed, abstraction embodied by a model implies there will exist se veral implementations or reﬁnement variants of this model. In practice, it is very common that such v ariants w ould ha ve dif ferent impacts on NFPs exhibited by the resulting model. As these impacts are often in conﬂict, ﬁnding the best transformation chain boils to solve a multi-objecti ve optimization problem. Solving such problems is a very dif ﬁcult task mentioned on the upper and right part of ﬁgure 2.1. 4. transformations v alidation and veriﬁcation: model transformation chains hav e to be v alidated with very rigorous methods when they are inv olved in the implementation process of critical software applications. This becomes a very challenging problem when model transformations are organized into chains of model transformations since transformations hav e to be tested individually and as an integrated chain of transforma- tions. As a consequence, v alidation and veriﬁcation of model transformation chains may become very costly . This problem is not depicted on ﬁgure 2.1 but it is obviously very rele vant in the application domains of our w ork. In this chapter , we present the work we have conducted to increase the conﬁdence one can hav e in model transformation chains. Reading the contrib utions presented in this chapter , one will notice their common focus on structural constraints applied to models produced by model transformations. Indeed, the notion of structural constraints has been used in this work to represent: (i) validity constraints for the applicability of analysis and veriﬁcation techniques on output models, (ii) test requirements for the validation of model transformations, and (iii) v alidity constraints for the model transformation variants selection and composition. This chapter is organized as follows: section 4.1 introduces the context of this work with a presentation of model transformation chains implemented in the RAMSES framew ork. 45 Building on this presentation, we illustrate the notion of structural constraint which enable the application of analysis presented in previous chapter . In section 4.2, we describe our method to b uild model transformation chains ensuring produced models respect predeﬁned structural constraints (results of Cuauhtémoc Castellanos PhD). Section 4.3 presents our contributions dedicated to model transformation chains v alidation (results obtained during Elie Richa PhD). Finally , we present in section 4.4 our work on model transformation v ariants selection and composition to implement model-dri ven and multi-objecti ve design space exploration techniques (result obtained during Smail Rahmoun PhD). Figure 4.1 show ho w these contributions are positioned with respect to the approach we described in chapter 2. D es i g n I m pl e m en t at i o n A r c h i t ec t u r e m o d el H i g h er a b s t r a ct i o n l ev el L o w e r a b s t r a ct i o n l ev e l I m p l em en t at i o n m o d el G e ner a t e d s o ur c e co d e 1- t o- 1 m a ppi ng C an d i da t e a r c h i t ec t u r es C a nd i d at e a r c h i t ec t ur e s C an d i d at e ar ch i t e ct ur e s N FPs co m p u t a t i o n M o d e l t ra ns f orm a t i o n var i an ts ( e .g. de s i gn pa t t e r ns ) A rc hi t e c t ure s e l e c t i on C an d i dat e ar ch i t ect u r e s C a n di d at e ar ch i t e ct ur e s C a n d i d at e ar ch i t e ct ur e s C an d i da t e a r c h i t ec t u r es N FPs c om pu t at i o n C a nd i d at e a r c h i t ec t u r es C an d i dat e ar ch i t ect u r e s Sche d ul i ng an al y s i s C a nn o t be a na l yz e d ( e .g. do not re s p e c t a na l ys i s a ppl i c a t i on c ondi t i ons ) U ns a t i s f i e d re qui re m e nt s ( e .g. e nd- t o e nd l a t e nc y) Se l e ct ed ar c hi t ec t u r e M od e l t r an s for mati on I m p l em e n t a t i o n m od e l I m p l e m en t at i o n m o d e l s C on t r i b u t i o n s pe r i m e t e r , C ua u ht ém oc C a s t e l l an o s , E l i e R i ch a a nd Sm a i l R a hm ou n Figure 4.1: Perimeter of research activities presented in this chapter 46 Composition and formalization of model transformations 4.1 Model transf ormation chains in RAMSES In order to produce software applications of CPS from architecture models, we proposed to implement AADL to AADL model transformations. One such model transformations ha ve been described in chapter 2. More generally , a step-wise model transformation process is illustrated on ﬁgure 4.2. In this process, sev eral model transformations are chained: • security and safety design patterns are ﬁrst applied to integrate safety and/or security components such as ﬁrew alls, encryption/decryption components, software/hardware redundancy , etc. • remote connections are then transformed in order to incorporate communication tasks in the software architecture of the application. • operational modes are treated in a similar way: dedicated mode management tasks are added to the software architecture to handle mode change requests. • connections among ports of tasks deployed on the same processors are then mapped into global v ariables and runtime services calls, as described in chapter 2. Figure 4.2: RAMSES reﬁnements: chain of model transformations se cu ri t y and sa f e t y d e si g n p a t t e rn s re mo t e co n n e ct i o n s o p e ra t i o n a l mo d e s l o ca l co n n e ct i o n s sch e d u l a b i l i t y a n a l ysi s C co d e a n d O S co n f i g u ra t i o n Sa f e t y a n a l ysi s Mo d e l t ra n sf o rma t i o n AAD L mo d e l D a t a f l o w t i mi n g a n a l ysi s RAMSES model transformation Initial AADL model In the remainder of this section, we giv e more details about the implementation of these trans- formations in RAMSES. The objectiv e of this presentation is to provide enough information about the technical conte xt in which the research w ork presented in this chapter ha ve been conducted. W e start with an illustration of a model transformation, and use this example to explain the model transformation language used in RAMSES. Se veral model transformation methods, languages, and tools, have been studied to help MDE experts de velop their frame works. A classiﬁcation of model transformation approaches was proposed by Czarnecki and al. in [ 25 ]. From this classiﬁcation, we decided to use A TL for 4.1 Model transformation chains in RAMSES 47 the implementation of the RAMSES frame work. W e chose this language for the simplicity of its semantics, as well as for the quality of the associated model transformation tools. In terms of semantics, A TL is a rule-based transformation language which e xecution relies mainly on a pattern matching semantics [ 39 ]: in A TL, a transformation consists of a set of declarati ve matc hed rules , each specifying a sour ce pattern and a tar get pattern . The source pattern is made up of (i) a set of objects identiﬁers, typed with meta-classes from the source meta-model and (ii) an optional OCL [ 59 ] constraint acting as a guard of the rule. The target pattern is a set of objects of the target meta-model and a set of bindings that assign values to the attributes and references of the tar get objects. Figure 4.3 provides an illustration of the application of a model transformation to implement a safety design pattern called T riple Modular Redundancy (TMR) [ 50 ], also called two out of three (2oo3). Listings 4.1 and 4.2 provide snippets of the A TL code used to implement the 2oo3 model transformation for components replication. This transformation will be used as an illustrati ve e xample in the remainder of this chapter . In listing 4.1, A TL rule m_Process_- 2oo3 transforms e very AADL process component into three process components identiﬁed with the follo wing targ et object identiﬁers: proc1_2oo3 , proc2_2oo3 , and proc3_2oo2 . For the sake of concision, this listing does not dev elop the creation of these processes. Giv en the ex ecution semantics of A TL, this rule will match any AADL component instance of the process category . Figure 4.3: Overvie w of the TMR (also called 2oo3) transformation ρ 1 ρ 2 τ 1 τ 2 ρ ' 1 τ ' 1 voter ρ ' 2 τ 2 voter' ρ '' 2 τ 2 voter'' ρ '' 1 τ ' ' 1 Model transformation “2oo3” ρ 1 ρ 2 τ 1 τ 2 In listing 4.2, A TL rule m_PortConnection_2oo3 transforms connections among process components in the source model, into connections among their replicas in the target model. This is represented in rule m_PortConnection_2oo3 with the creation of cnx1_1_2oo3 , cnx1_2_2oo3 , etc. For the sake of concision, the creation of only one of the connections in the target model is fully de veloped in this listing. This rule will match, in the source model 48 Composition and formalization of model transformations Listing 4.1: A TL rule for 2oo3: processes replication 1 r u l e m _ P r o c e s s _ 2 o o 3 2 { 3 f r o m 4 c : AA DLI ! C o m p o n e n t I n s t a n c e ( c . c a t e g o r y = # p r o c e s s ) 5 t o 6 p r o c 1 _ 2 o o 3 : A A D L B A ! P r o c e s s S u b c o m p o n e n t ( . . . ) , 7 p r o c 2 _ 2 o o 3 : A A D L B A ! P r o c e s s S u b c o m p o n e n t ( . . . ) , 8 p r o c 3 _ 2 o o 3 : A A D L B A ! P r o c e s s S u b c o m p o n e n t ( . . . ) , 9 } of the transformation, any connection cnx c between two process components of the input model. One of the reasons for the simplicity of the A TL language is the deﬁnition of its resolve mechanisms: when a source object identiﬁer is referenced in the right hand side of a binding, a resolve operation is automatically performed to ﬁnd the rule that matched the source objects, and the ﬁrst output pattern object created by that rule is used for the assignment to the target reference. This is referred to as the default resolve mechanism. Another non- default resolv e mechanism allo ws resolving a (set of) source object(s) to an arbitrary tar get pattern object instead of the ﬁrst one as in the default mechanism. It is inv oked via the follo wing A TL standard operation: thisModule.resolveTemp(obj, tgtPatternName) as sho wn in pre vious listing. Last but not least, the semantics of A TL ensures transformations con vergence: each rules is applied at most once per pattern it matches in the input model. This property is not veriﬁed by all model transformation languages: for some of them, rules are ex ecuted as long as they match on the input model and the target elements produced by pre viously executed rules. As a consequence, we do not consider in our work the problem of model transformation chains con ver gence presented in the introduction of this chapter . This brief presentation of A TL will allow us to present our contributions on model dri ven engineering in the context CPSs. In the next section, we present the framework we proposed in order to chain model transformations in a way that guarantees the output model of the chain can be analyzed. Contributions presented in chapter 2 provide e xamples of such analysis. 4.2 A utomatic construction of transformation chains Chaining model transformations properly may become a difﬁcult task. In particular , one of the objecti ve of models in the domain of CPS is to enable analysis of Non-Functional Properties. Howe ver , this requires to conform to a set of v alidity constraints: for instance, models used to ensure real-time systems schedulability (presented in chapter 2) assume that tasks are periodic (or sporadic in some cases). Howe ver , error management tasks are often 4.2 Automatic construction of transformation chains 49 Listing 4.2: A TL rule for 2oo3: connections replication 1 r u l e m _ P o r t C o n n e c t i o n _ 2 o o 3 2 { 3 f r o m 4 c n x : AAD LI ! C o n n e c t i o n R e f e r e n c e ( c n x . i s P r o c e s s P o r t s C o n n e c t i o n ( ) ) 5 u s i n g 6 { 7 c S r c : AAD LI ! C o m p o n e n t I n s t a n c e = c n x . g e t S r c C p t I n s t a n c e ( ) ; 8 c D s t : AA DLI ! C o m p o n e n t I n s t a n c e = c n x . g e t D s t C p t I n s t a n c e ( ) ; 9 } 10 t o 11 − − f e a t u r e f _ 1 : P R O C _ 1 _ s r c − > P R O C _ 1 _ d s t − − 12 c n x 1 _ 2 o o 3 : A A D L B A ! P o r t C o n n e c t i o n ( 13 n a m e < − c n x . g e t N a m e ( ) + ’ _ 1 ’ , 14 s o u r c e < − s o u r c e C E 1 _ 1 , 15 d e s t i n a t i o n < − d e s t i n a t i o n C E 1 _ 1 16 ) , 17 s o u r c e C E 1 _ 1 : A A D L B A ! C o n n e c t e d E l e m e n t ( 18 c o n n e c t i o n E n d < − c n x . s o u r c e , 19 c o n t e x t < − t h i s M o d u l e . r e s o l v e T e m p ( c S r c , ’ p r o c 1 _ 2 o o 3 ’ ) 20 ) , 21 d e s t i n a t i o n C E 1 _ 1 : A A D L B A ! C o n n e c t e d E l e m e n t ( 22 c o n n e c t i o n E n d < − c n x . d e s t i n a t i o n , 23 c o n t e x t < − t h i s M o d u l e . r e s o l v e T e m p ( c D s t , ’ p r o c 1 _ 2 o o 3 ’ ) 24 ) , 25 − − f e a t u r e f _ 1 : P R O C _ 1 _ s r c − > P R O C _ 2 _ d s t − − 26 c n x 2 _ 2 o o 3 : A A D L B A ! P o r t C o n n e c t i o n 27 . . . 28 − − o t h e r c o n n e c t i o n s o m m i t t e d f o r t h e s a k e o f c o n c i s i o n 29 } aperiodic and hav e a high priority . As a consequence, hypothesis for a timing analysis does not hold in this case. In practice, this is not an issue from a timing analysis perspective since designers proceed to timing analysis in nominal conditions (i.e. in the absence of errors). Ho wev er , this becomes an issue from a model transformation perspectiv e since it requires to ensure that timing analysis is performed before model transformations dedicated to errors management b ut after all other transformations leading to an analyzable model in terms of timing analysis. Solving this problem boils to ﬁnd model transformation chains producing output models enforcing the respect of application conditions on output models. In the introduction of this chapter , we hav e introduced the problem of ensuring model trans- formation chains produce correct output model. This notion of correctness was decomposed into qualitati ve and quantitati ve correctness. In his PhD, Cuauhtémoc Castellanos studied this problem considering qualitati ve correctness deﬁned as a set of structural constraints on models produced by model transformation chains. Such constraints would also enable the veriﬁcation of qualitati ve correctness by enforcing the respect of application conditions for analysis of NFPs on the output model. Cuauhtémoc Castellanos also proposed to for- malize design patterns as model transformations. Design patterns composition was thus implemented by chaining model transformations. Structural constraints on intermediate 50 Composition and formalization of model transformations models were formalized as a set of pre-conditions and post-conditions of transformations. Additional structural constraints were also deﬁned in order to enforce the applicability of analysis techniques on output models of a chain. OCL was ﬁrst used to formalize these constraints, while A TL was used to deﬁne model transformations. The main problem we addressed in this PhD was: giv en a set of model transformations with their preconditions and post conditions, and a set of structural constraints on the output models of transformation chains, in which order should transformations be chained in order to produce an output model which satisﬁes structural constraints on the output model? When transformations are commutati ve, which was the object of pre vious works [ 29 ], the order has no importance. Ho wev er , model transformations we consider in our work are mostly non-commutativ e since they are reﬁnement transformations. In order to ﬁnd a correct sequence of non-commutati ve model transformations, we proposed to formalize model transformations in Alloy [ 37 ]. Alloy is a modeling language to deﬁned constraint satisfaction problems with a r elational algebra . W ith Alloy , we specify a set of constraints a solution to the problem must satisfy . These constraints are expressed in ﬁrst-order logic, which matches a subset of OCL. Once these constraints are solv ed, a model instance satisfying all the constraints e xpressed in Alloy is generated (if it exists). Figure 4.4 illustrates the approach we proposed in this research work: from an input model, a set of transformations along with their applications preconditions and post-conditions, we asked the Alloy solv er to produce a model transformation chains and an output model which respects predeﬁned post-conditions. Figure 4.4: Model transformation chains production with Alloy Allo y s o lve r I n p u t mo d e l Mo d e l t r a n sf o r ma t i o n s s p e c i f i ca t i o n St ru c t u ra l c o n s t ra i n t s N o va l i d ch a i n T1 T 3 T4 T 2 T3 T 4 T1 T 2 V a l i d t r a n s f o rma t i o n ch a i n s In this work, we speciﬁed how to formalize A TL model transformations and the chaining problem in Alloy [ 37 ]. Howe ver , we did not implement a higher order transformation (HO T , a transformation that takes as input and/or produce as output a model transformation) from 4.2 Automatic construction of transformation chains 51 A TL to Alloy . Instead, we focused on solving important scalability issues we faced when using Alloy solvers to ﬁnd correct chains of non-commutativ e transformations. W e thus decided to study and improv e the scalability of the method proposed method [22]. As a case-study , we presented in this PhD the formalization of a safety design pattern called T riple Modular Redundancy (TMR), also called two out of three (2oo3). W e also deﬁned a security pattern used in cyber -security called red-black separation. This research work helped us to formalize such model transformations, highlight their non commutati vity , and deﬁne constraint satisfying model transformation chains. The formalization of these transformations in Alloy led us to realize that the approach deﬁned in ﬁgure 4.4 suffered from important scalability issues. More precisely , these scalability issues came from the chaining process itself and not from the execution of each transformation in isolation. In order to improv e the scalability of this approach, we needed to deﬁne more transformations than just the safety and security patterns mentioned abov e. The formalization in Alloy of all the transformations implemented in RAMSES would have taken too much time, and the implementation of a HO T from A TL to Alloy would ha ve been risky without improving ﬁrst the scalability of the method. W e thus focused on simpler model transformations ( i.e . easier to formalize in Alloy) b ut more complex chains. W e decided to formalize design patterns from the Gang of F our [ 31 ] in Allo y . This contrib ution, as well as the general approach illustrated on ﬁgure 4.4, were published in the Euromicro conference on Software Engineering and Adv anced Applications (SEAA) 2014 [ 23 ]. Studying more precisely the reasons for the scalability limitation of our approach, we deﬁned an improv ed version in 2015 and published our results at SEAA 2015 [22]. 0" 2000" 4000" 6000" 8000" 10000" 12000" 14000" adaptCompo1" adaptCompo1bis" adaptCompo1ter" adaptCompo1quart" adapter2" adapter2bis" adapter2ter" adapter2quart" adapter2quint" composite2" composite2bis" adapter3" composite3" (a) Performance of our initial approach 0" 5" 10" 15" 20" 25" 30" 35" 40" adaptCompo1" adaptCompo1bis" adaptCompo1ter" adaptCompo1quart" adapter2" adapter2bis" adapter2ter" adapter2quart" adapter2quint" composite2" composite2bis" adapter3" composite3" (b) Performance of the improv ed the chaining process Figure 4.5: Mean time to ﬁnd transformation chains Figure 4.5 sho ws the performance improvements on a set of model transformation chains: ﬁgure 4.5a shows the solving time (in seconds) obtained on different scenarios with our initial approach while ﬁgure 4.5b sho ws the solving time (in seconds) obtained on the same 52 Composition and formalization of model transformations scenarios but with our improved approach. Each bar thus corresponds to the solving time for ﬁnding a transformation chain on a gi ven input model and a set of design patterns of the GoF to apply . For instance, the case “adapter3” (which appears to be the most difﬁcult case) consists in applying three time the adapter pattern on an input model made up of 8 UML classes. These experiments were conducted on a bi-processor Intel ™ Xeon ™ CPU E7-4870 at 2.40 GHz with 52 GB RAM and 3 exploration threads. The reasons for these improv ements are further explained in [ 22 ] and can be summarized as follo ws: • partial solutions and parallelization: instead of submitting to the Alloy solver the complete chaining problem, we submit partial instances of the solution where a partial solution is the result of e xecuting a sub-chain. This strategy signiﬁcantly reduced the size of each problem submitted to the solv er , thus leading to better performances. In addition, it enabled to parallelize of the exploration. • when selecting one model transformation to apply , early pruning was implemented by checking the following constraint: either the set of remaining transformations to apply is empty , or there exists at least one model transformation that can be applied on the output model. W e also assessed the scalability of our method on “long” model transformation chains: with 12 transformations to chain (leading to 12! possible orders) and input models of about 30 elements impacted by the transformations, it took about 2 hours to ﬁnd a correct transformation chain. The same case study would not ha ve been solvable without the optimizations we proposed in this work. Ho wev er , an important limitation of this work came from the focus on structural constraints only . Indeed, beyond such structural constraints, resulting non functional properties are of prime importance. This is the reason why we decided to study model transformations composition as a multi-objectiv e optimization problem, as described in section 4.4. In parallel, we continued studying the v alidation of model transformation chains considering their formalization as algebraic graph transformations. This work is presented in section 4.3. 4.3 Pr econdition construction in algebraic graph transf or - mations As stated in the introduction of this chapter, model transformation chains are comple x applications, hence difﬁcult to validate and verify . In the PhD of Elie Richa, we studied 4.3 Precondition construction in algebraic graph transformations 53 the validation of model transformation chains in the context of source code generators qualiﬁcation. Indeed, when a code generator is used to produce source code of a critical system, the generated code needs to be certiﬁed. Using qualiﬁed tools, the certiﬁcation effort can be reduced. Qualifying a code generator is as rigorous and demanding as certifying critical embedded software. This is the reason why tool providers need to adopt efﬁcient methodologies in the de velopment and v eriﬁcation of code generators [70, 68, 69]. As illustrated on ﬁgure 4.2, we consider code generators made up of a transformation chain. Qualifying an Automatic Code Generator (ACG) requires extensiv e testing to sho w the compliance of the implementation with its requirements. Both the testing of components in isolation ( i.e. unit testing) and the testing of the tool as a whole ( i.e. integration testing) are required. Gi ven the A CG is a transformation T , a unit is a transformation step T i . Unit testing then consists of producing test models M i , j in the intermediate meta-model M M i , executing T i ov er these test models, and validating the resulting models M i + 1 , j with a suitable test oracle. Con versely , integration testing considers the complete chain, producing test models M 0 in the input meta-model M M 0 , ex ecuting the complete chain, and v alidating the ﬁnal result M N , j (where N is the number of transformations in the chain) with a suitable test oracle. A unit test requirement t r i , j of a transformation step T i is a constraint ov er its input meta- model which must be satisﬁed at least once during the testing campaign. T aking inspiration from the work in [ 7 ], we notice the follo wing: an integration test e xercises the complete tool, i.e. all intermediate transformation steps T i . During the ex ecution of an integration test, the intermediate models M i manipulated along the w ay can cov er unit test cases of the intermediate transformations. This interesting property of transformation chains would allo w us to use only integration testing to cov er unit test cases. Ho wev er , we no w need a way to produce ne w models to cov er these unit test requirements. Gi ven a non-satisﬁed test requirement t r i , j ho w can we produce a test model M 0 in the input meta-model of the chain such that upon ex ecution of the integration test, t r i , j is satisﬁed? In order to answer this question, we proposed a new approach in the PhD of Elie Richa, as illustrated in ﬁgure 4.6: giv en a non satisﬁed test requirement t r i , j , we consider t r i , j as a post-condition of the pre vious transformation step T i − 1 , and design a construction P ost2Pr e that transforms the post-condition into an equi valent precondition that ensures the satisf action of the post-condition. W e call this pre-condition the equivalent test r equir ement e t r i , j , i − 1 of t r i , j at step T i − 1 . Recently , the construction of P ost2Pr e has been studied in in the theory of Algebraic Graph T ransformation (A GT) in [34] and [62]. 54 Composition and formalization of model transformations Figure 4.6: Backward translation of test requirements M 0 T i − 2 T i − 1 M i − 1 M i ... T i ... tr i,j etr i,j,i − 1 Post 2 Pre Post 2 Pr e ... etr i,j, 0 Model Generation The implementation of this approach in the context of A TL model transformations required to propose two main contributions. These contributions were all implemented as components of our Jav a and EMF-based tool called A TLAnalyser 1 : 1. a translation of OCL (used to e xpress test requirements) into Nested Graph Constraints and A TL model transformations into A GTs. This contribution was presented at the International Conference on Model T ransformations 2015 and receiv ed the best paper awar d of the conference. Using A TL instead of A GT , the objecti ve was to reduce the complexity of P ost2Pr e by using model transformations with a simpler semantics than A GT . One of the challenges of this translation was the translation of the A TL r esolveT emp mechanism, for which dedicated model transformation traces had to be deﬁned in the A GT . In addition, an A TL rule had to be decomposed in sev eral A GT rules in order to implement the different phases of an A TL transformation engine: mainly (i) input patterns matching and output objects instantiation, and (ii) bindings and objects resolution. 2. an automatic construction of the weakest liber al pr econdition (wlp) : a liberal precon- dition of a graph transformation is a precondition for which the e xistence of a graph resulting from the transformation is not guaranteed, and the termination of the program is not guaranteed either . In the context of A TL transformations, the termination is ho wev er guaranteed, and the existence of a graph resulting from the transformation should also be guaranteed by the deﬁnition of the application preconditions of the transformation. A liberal precondition is thus sufﬁcient in our context. Besides, a precondition c is the weakest precondition if it is implied by all other preconditions. Ho wev er , wl p is theoretically inﬁnite for the kind of transformations that we analyze. 1 A TLAnalyser , https://github.com/eliericha/atlanalyser 4.4 Design space exploration by composition of model transformations 55 W e thus proposed to implement a bounded version of the wl p , called sco pedW l p which proceeds to the construction of wl p on a bounded number of transformation rules iteration. In this work, we prov ed sco pedW l p provides results applicable to the original unbounded transformations. Both contrib utions were tested on dif ferent model transformations. The translation from A TL to A GT was validated on several model transformations av ailable online. The validation method consisted in transforming an A TL transformation into an A GT transformation.Then both were ex ecuted on the same input model and output models were compared to ensure they are identical. The A TL to A GT translation was also applied to model transformation from MA TLAB/Simulink to C source code in CodeGen, a qualiﬁable source code generator de veloped by AdaCore. The corresponding results hav e been published in the international journal on Software and System Modeling 2018 [69]. The automated P ost2Pr e construction was tested on simple transformations but the com- putational complexity of the algorithms made the results difﬁcult to produce on realistic examples.W e proposed simpliﬁcation strategies, b ut the resulting prototype was still unable to scale. The theoretical results, howe ver , as well as the ﬁrst implementation of this complex technique, is a step forward towards the formal proof of model transformations. T o go beyond these limitations, signiﬁcant impro vements in the algorithms of the Post2Pre constructions are necessary but such contrib utions were out of the initial scope of Elie Richa’ s PhD. Last but not least, we present in next section our contributions on model transformation v ariants selection and composition, aiming at producing models answering at best the trade- of f between conﬂicting NFPs. 4.4 Design space exploration by composition of model trans- f ormations The last problem we deﬁned in the introduction of this chapter is variability management in model reﬁnements. Indeed, from our experience in architecture models reﬁnement, we realized that the quality of a model transformation chains depends not only on its structural correctness, but more importantly on the quality attributes of the resulting model. The correctness of transformation chains was the object of PhDs described in sections 4.2 and 4.3. In the PhD of Smail Rahmoun, we decided to study the quality of model transformation chains with respect to the quality attributes of the resulting models [ 63 – 65 ]. This research work w as also aiming at facilitating the transition from requirements speciﬁcation to early architecturel design [48, 47]. 56 Composition and formalization of model transformations W e thus deﬁned model transformations composition as a multi-objectiv e optimization prob- lem. Indeed, as stated in the introduction of this document, design alternatives often come into conﬂict with respect to their impacts on NFP: a design alternati ve impro ves a NFP at the cost of degrading another NFP of a CPS. In this work, we proposed to deﬁne design alternati ves from model transformation v ariants. W e then used genetic algorithms to compose these variants and hav e them ev olve tow ards satisfactory architectures. In order to apply genetic algorithms to the selection and composition of model transformation variants, we proposed a generic encoding on which genetic operators ( i.e. mutations, crossover) can be applied. Last but not least, we proposed to express constraints on the output model as boolean constraints on the application of transformations. T o do so, we deﬁned a dedicated language and the notion of T ransformation Rules Catalog (TRC), as well as a translation of these constraints into a satisﬁability (SA T) problem. Once the SA T problem is solved, model transformation rules are structured in a way that guarantees that the application of genetic operators would only produce v alid transformations, i.e. transformations producing models respecting structural validity constraints. Again, structural constraints take an important role in this work but using genetic algorithms, we also proposed a frame work aiming at impro ving non-functional properties. S o u r c e m o d e l In te r m e d ia te m o d e l T a r g e t m o d e l 1 3 4 T a r g e t m o d e l e va lu a tio n co n ti n u e co n ve r g e d 2 T r ansf or m at i on l i nk 1 M odel t r ans f or m at i on c hai n ( N l i nk s ) T r an s f or m at i on l i nk 2 T r ans f or m at i on l i nk L T r a n s fo r m a ti o n a lte r n a tive s T r a n sfo r m a tio n a l te r n a ti ve s In te r m e d ia te m o d e l T r a n s fo r m a ti o n a lte r n a tiv e s co n tin u e co n ti n u e E A ite r a tio n s lin k 1 E A ite r a tio n s li n k 2 E A ite r a tio n s li n k 2 . . L NF Rs sp e ci fica tio n NF P s a n a ly sis p lu g i n s co n ve r g e d co n v e r g e d B e s t m o d e ls w . r . t. NF P s Figure 4.7: Approach Overvie w 4.4 Design space exploration by composition of model transformations 57 Figure 4.7 gives an ov ervie w of the process we proposed in Rahmoun’ s PhD: from the deﬁnition of a model transformation chain, having for each link a set of transformation alternati ves, we ﬁrst produce an intermediate model that results from the composition of these alternati ves. This ﬁrst step is highlighted with b ullet 1 on the ﬁgure, and repeated for each link of the transformation chain until the tar get model is produced. The composition mechanism, used in this step of the process, is explained at the end of this section. Once produced, the target model is analyzed with respect to NFPs (b ullet 2 in ﬁgure 4.7), and the analysis results are used to e valuate composite transformations. The process we propose is iterativ e: each iteration produces, ex ecutes, and ev aluates a (sub)chain of composite transformations. In addition, because of the combinatorial complex- ity of the design space exploration, it is not possible to enumerate, e xecute, and e valuate all the composite transformations. As a consequence, we rely on ev olutionary algorithms (EAs) to implement this iterati ve exploration (see b ullet 3 in ﬁgure 4.7). In addition, we can see in ﬁgure 4.7 that the proposed process is made up of embedded loops, each loop being dedicated to explore composite transformations of a gi ven link in the transformation chain. When an inner loop has con verged, other transformation candidates may be ev aluated for the outer loop, thus producing a ne w intermediate model for the inner loop. The con vergence criteria for each loop relies on con ver gence criteria of EAs and is parameterized by an end-user of our approach. As far as structural constraints are concerned, we aim at validating them a priori , i.e. before ex ecuting the transformation. As far as NFPs are concerned, we aim at validating them a posteriori , i.e. after ex ecuting the transformation. T o reach the objecti ve of a priori v alidation, we deﬁned application constraints on model transformation rules in transformation rules catalog. Listing 4.3 provides a subset of the T ransformation Rule Catalog (TRC) we used to describe transformation alternativ es for components replication: 2oo3 and 2*2oo2 . This TRC is made up of two main parts: 1. a description of model transformation alternati ves, from line 1 to line 10, lists the set of A TL modules and rules being part of each alternativ e. The 2oo3 alternativ e is made up of transformation rules described in section 4.1. The 2*2oo2 alternati ve is made up of very similar transformation rules. 2. a speciﬁcation of validity constraints, from line 12 to line 30. The ﬁrst one, from line 14 to line 21, speciﬁes that when m_PortConnection_2_2oo2 is applied on a connection (identiﬁed as cnx in the constraint), it is necessary to apply rule m_Process_2_2oo2 on both ends of the connection (retrie ved executing a OCL helpers called getDes- tinationProcess and getSourceProcess on cnx ). The second constraint, from 58 Composition and formalization of model transformations line 22 to line 27, speciﬁes that when applying m_Process_2_2oo2 on a process component processInstance , m_PortConnection_2_2oo2 should be applied on all the connections ha ving processInstance as a source (retrie ved by applying the OCL helper getSourceConnectionReference on processInstance ). Gathering these two constraints lead to ensure that the 2*2oo2 alternativ e is applied to sets of interconnected process components. V ery similar constraints are expressed for the application of the 2oo3 alternati ve in the remaining of the TRC. 1 M o d u l e s 2 { 3 2 _ 2 o o 2 . a t l : m _ P r o c e s s _ 2 _ 2 o o 2 , m _ P o r t C o n n e c t i o n _ 2 _ 2 o o 2 ; 4 2 o o 3 . a t l : m _ P r o c e s s _ 2 o o 3 , m _ P o r t C o n n e c t i o n _ 2 o o 3 ; 5 } 6 7 A l t e r n a t i v e s { 8 r e p l i c a t i o n _ 2 _ 2 o o 2 { m o d u l e s : 2 _ 2 o o 2 . a t l } , 9 r e p l i c a t i o n _ 2 o o 3 { m o d u l e s : 2 o o 3 . a t l } 10 } 11 12 C o n s t r a i n t s { 13 / / 2 * 2 o o 2 14 A p p l y ( r e p l i c a t i o n _ 2 _ 2 o o 2 . m _ P o r t C o n n e c t i o n _ 2 _ 2 o o 2 , { c n x } ) 15 [ 16 r e q u i r e s ( r e p l i c a t i o n _ 2 _ 2 o o 2 . m _ P r o c e s s _ 2 _ 2 o o 2 , 17 { g e t S o u r c e P r o c e s s ( c n x ) } 18 ) a n d r e q u i r e s ( r e p l i c a t i o n _ 2 _ 2 o o 2 . m _ P r o c e s s _ 2 _ 2 o o 2 , 19 { g e t D e s t i n a t i o n P r o c e s s ( c n x ) } 20 ) 21 ] ; 22 A p p l y ( r e p l i c a t i o n _ 2 _ 2 o o 2 . m _ P r o c e s s _ 2 _ 2 o o 2 , { p r o c e s s I n s t a n c e } ) 23 [ 24 r e q u i r e s ( r e p l i c a t i o n _ 2 _ 2 o o 2 . m _ P o r t C o n n e c t i o n _ 2 _ 2 o o 2 , 25 { g e t S o u r c e C o n n e c t i o n R e f e r e n c e ( p r o c e s s I n s t a n c e ) } 26 ) 27 ] ; 28 / / s i m i l a r c o n s t r a i n t s f o r 2 o o 3 29 . . . 30 } Listing 4.3: TRC for the AADL reﬁnement alternativ es When applying A TL model transformation variants, such as the 2oo3 and 2*2oo2 replication patterns, we consider as optimization v ariables the choice of each variant applied to elements of the input model. T o deﬁne such alternativ es more formally , we ﬁrst provide a deﬁnition of transformation rules instantiation: Deﬁnition 3. A transf ormation rule instantiation T RI i is the application of a transforma- tion rule on an ordered set of elements from the source model. In the remainder of this section, we say such TRIs are non-conﬂuent. It can be represented as a tuple < R , E i , A i > , where: 4.4 Design space exploration by composition of model transformations 59 1. R represents the applied transformation rule; 2. E i is i t h tuple of elements in the source model; 3. A i is the set of actions that R ex ecutes when it is applied to E i . Gi ven this deﬁnition, alternativ e TRIs exist when more than one rule can be applied to the same tuple of elements in the source model. Formally , this means : ∃ ( R , R ′ ) s . t . R  = R ′ and T RI i = < R , E i , A i > and T RI j = < R ′ , E j , A j > and E i = E j (4.1) According to the semantics of A TL, such situation has to be solve by selecting, among all the possible TRIs, a subset where non-conﬂuence has been eliminated. T o do so, we rely on a simple selection function deﬁned as follows: Sel : T → B = { T rue , F al se } T RI → b , where b is T rue if T RI should be included, and Fal se if T RI should be excluded from T . The selection of TRIs may be decomposed into the follo wing formulas: 1) A t Leas t One , dedicated to ensure that at least one of the non-conﬂuent TRIs, gathered in a set S , is selected: A t Least One ( S ) = P _ i = 1 Sel ( T RI i ) (4.2) 2) A t M os t One , dedicated to ensure that at most one of the non-conﬂuent TRIs is selected: A t M ost One ( S ) = i = P , j = P ^ i = 1 , j = 1 , i  = j ¬ ( Sel ( T RI i ) ∧ Sel ( T RI j )) (4.3) Combining equations (4.2) and (4.3), we obtain Sel ect One , dedicated to select exactly one TRI from S (set of non-conﬂuent TRIs): Sel ect One ( S ) = At Least One ( S ) ∧ At M ost One ( S ) (4.4) Alternati ve TRIs can be detected by applying the pattern matching part of alternati ve model transformations on an input model. Enforcing the respect of equation (4.4) boils to select exactly one alternati ve per element of the input model. 60 Composition and formalization of model transformations In addition, v alidity constraints expressed in the TRC are transformed into boolean validity constraints on TRIs selection of the form: Val id it y C ons t r ain t s = N ^ i = 1 ( Sel ( T RI i ) ⇒ Bool E x pr ( T i )) (4.5) where T i is a subset of TRIs, and Bool E x pr is a boolean expression ov er T RI s in T i , using (i) the Sel function, (ii) simple boolean operators and , or , and not ( ∧ , ∨ , and ¬ ). Finally , for all the sets of alternativ e rule instantiations S i i ∈ [ 0 .. Q ] , the selection of a v alid set of TRIs boils to e valuate the satisﬁability of the boolean formula: Q ^ i = 1 ( Sel ec t One ( S i )) ∧ Val id it y C ons t r ain t s (4.6) Ho wev er , our objectiv e is not to deﬁne a set of v alid model transformations, but to deﬁne the genome encoding of a genetic algorithm. T o do so, instead of solving the SA T problem induced by equation (4.6) at once, we aim at grouping TRIs in volv ed in the same validity constraints into partitions called Atomic T ransformation Instantiations (A TI). Doing so, each A TI become a potential gene in the genome of indi viduals in the genetic algorithm population. Grouping TRIs into A TIs is done as follows: we ﬁrst reorg anize equation (4.6) under a conjuncti ve normal form. W e call B the set of boolean e xpressions in the conjunction, and build a partition of B : we group such expressions into smallest non-empty subsets of B in such a way that e very T RI is used in expressions of one and only one of the subsets. These subsets are called the parts of the partition, and we note β q the boolean formula corresponding to the q t h part of the partition. W e note A T I q , i the i t h solution of β q . W e then structure a composite transformation (CT) by choosing, for each possible v alue of q, one of the solutions of β q . An individual of the genetic algorithm population is then a CT structured as an array of A T I i , j where i is one of the partitions of (4.6) and j is the identiﬁer of a solution of this partition. !"# $ !"#% $ !"# $ !"& $ !"#% $ !"&% $ '()**)+ ,( $ -./01)2 $ 3 "4#& 4$ 3 "4&# $ 3 "45&$ 3 "4#& 4$ 3 "4&# $ 3 "456$ 3 "4## 4$ 3 "4&# $ 3 "456$ 3 "45# $ 3 "4&5$ 3 "4#&$ 3 "4## 4$ 3 "4&# $ 3 "456$ 3 "45# $ 3 "4&5$ 3 "4#&$ './$7)82/ $ Figure 4.8: Crossover and Mutation Operators 4.5 Concluding remarks 61 Figure 4.8 illustrates the structure of a genome as an array of atomic transformation instantia- tions A T I i , j , as well as the application of the crossover operator on two genomes C T 1 and C T 2 and the application of the mutation operator C T 1 to obtain C T ′ 1 . Note that the construction of the genome by partitioning solutions of equation (4.6) ensures that the result of the genetic operations ( i.e . crossov er , mutation) leads to the production of v alid transformations. Resulting composite transformations are then applied to input models in order to produce intermediate models on which NFPs can be analyzed. This method has been successfully applied on two case-studies inspired from the railway domain: 1. a selection of implementations of the periodic delayed communications introduced in section 3.3. Indeed, three implementations of this communication patterns were proposed, with conﬂicting impact on three NFPs: timing performance, memory foot- print, and maintainability . The corresponding results were published in the ICECCS conference [65]. 2. a chain of model transformations made up of (i) the selection of the replication pattern (2oo3 or 2*2oo2), (ii) the binding of replicated processes and connections onto processors and b usses with the follo wing v alidity constraint: replicated components should not use the same hardw are resources. The corresponding results were published in the international journal on Software and Systems Modeling 2018 [65]. 4.5 Concluding r emarks In this chapter , we hav e presented our contributions to answer the follo wing questions: 1. ho w to verify the correctness of model transformations structured as model transforma- tion chains? 2. ho w to compose model transformations to deﬁne optimal (or near optimal) reﬁnement steps? T o answer these questions, we hav e proposed to formalize model transformations along with structural constraints on the output models of these transformations. This formalization was then used either to search for model transformation chains enforcing the structural constraints, or to enhance a model transformation validation framew ork by automating the generation of test requirements. Reusing this notion of structural constraints, we also 62 Composition and formalization of model transformations deﬁned a frame work combining model transformations, SA T solving techniques and genetic algorithms to automate the search for near-optimal architecture reﬁnements. By providing answers to some of the research questions presented here above, our work provides original methods to improve the reliability of software dev elopment in CPSs: it enables to check as early as possible the correctness of model transformations, and to automate the search for near-optimal reﬁnements. The work we ha ve done on model transformation of AADL models gav e us se veral inputs to start new research activities in the domain of Model Dri ven Engineering for CPSs. In particular , we plan to extend our frame work to deal with security in CPSs. Indeed, security is becoming an important concern in the design and de velopment of CPS. The w ay to deal with interactions among security design patterns and other design techniques of CPS is still an open question. In the PhD of Jean Oudot, started with IR T SystemX and the Nanyang T echnological Uni versity (NTU) Singapore, we aim at proposing ne w techniques to (i) e valuate architectures security , and (ii) optimize them with respect to this criteria as well as traditional concerns of CPS (timing performance, safety , cost, and/or energy consumption). This work aims at extending Smail Rahmoun’ s results with a dedicated focus on cyber security , which would require to drastically re vise the design space exploration method since the nature of threats in cyber security is v ery dif ferent from the nature of threats in safety . Chapter 5 Conclusion and P erspectiv es Contents 5.1 Concluding r emarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 5.1.1 Overvie w of contributions . . . . . . . . . . . . . . . . . . . . . 64 5.1.2 Comparison of RAMSES with existing frame works . . . . . . . . 64 5.2 Futur e Research Directions . . . . . . . . . . . . . . . . . . . . . . . . 68 5.2.1 Software Security in Cyber -Physical Systems. . . . . . . . . . . . 68 5.2.2 Autonomy by Reconﬁguration of CPS Applications . . . . . . . . 69 5.2.3 Uncertainty Management in Design Space Exploration . . . . . . 70 In this chapter , we conclude this document before to present of our future research directions. 5.1 Concluding r emarks Our concluding remarks aim at summarizing our cintributions, as well as comparing our contributions to the state of the art. This comparison will focus on a few existing frame- works, and the comparison will be based on the set of expecte capabilities for model-based engineering frame works dedicated to critical, real-time and embbeded software. 64 Conclusion and Perspecti ves 5.1.1 Over view of contributions Our initial objecti ve was to propose methods to improve the reliability of CPSs design process. W e decided to pursue this objectiv e in the frame work of MDE techniques. Our ﬁrst intent w as to use models as a mean to bridge the gap between requirements deﬁnition and source code production. Indeed, models help bridging this g ap by representing systems under design with dif ferent abstraction lev els, ranging from high lev el speciﬁcations to implementation models. W e proposed to use architecture models as design artifacts, and model transformations to automate their reﬁnement steps up to the production of source code. Building on this ﬁrst idea, we deﬁned a set of challenging problems, digged into existing solutions, and proposed improvements over the state-of-art. W e highlight hereafter some noticeable aspects of our work: 1. as often as possible, we prototyped our contributions on top of AADL in order to improv e their applicability to realistic case studies: AADL is a standardized language built from collaborations with companies in the domain of CPS, and AADL is quite a complex language (its meta-model is made up of more than 260 meta classes). 2. we deﬁned the ﬁrst implementation of a deterministic model of computation and com- munications based on mix ed criticality D A Gs and periodic delayed communications. W e deﬁned the corresponding subset of AADL and prototyped the compilation of this AADL subset in a source code generator . 3. we proposed to formalize model transformations to ease their v alidation and ver- iﬁcation. W e hav e sho wn how this formalization can help to ﬁnd correct model transformation chains and v alidate model transformations using integration tests. 4. we in vented a design space exploration frame work based on model transformations composition, combining model transformations, constraint solving and multi-objecti ve optimization techniques. These contributions ha ve been integrated in the RAMSES in order to e xperiment them on industrial case studies. This effort w as necessary to perpetuate the works of PhD students I had the opportunity to co-supervise. In the remainder of this section, we compare RAMSES with similar frame works from the state of the art. 5.1.2 Comparison of RAMSES with existing frameworks In order to compare RAMSES with e xisting frame works from the state of the art, we propose to use the following citeria. The selection of these citeria relies on our e xpertise in the domain 5.1 Concluding remarks 65 of criticcal and real-time embedded systems. It is incomplete, and aims primarily at showing the wide spectrum of contributions prototyped in the RAMSES frame work. The criteria we hav e selected are the capabilities of existing frame works to: C1 reﬁne software models; necessary to bridge the gap between requirements speciﬁcation and software implementation while progressi vely producing and analysing models. C2 source code generation ; here, the objective is to fasten the production of software while easing its maintenance by relying on automate code generation techniques. C3 explore and select the best design alternativ es; this is all the more important in the context of critical real-time embedded systems where non-functional properties play a very important role. In addition, this capability requires to deal with multi-objective optimization problems. C4 interoperate with other framew orks, in order to av oid re-deﬁning existing analysis or veriﬁcation techniques, b ut re-use them instead. C5 produce scheduling conﬁguration ; this criteria is obviously speciﬁc to the domain of real-time system, but a v ery fundamental one since software inte gration issues in this domain are often related to scheduling and timing performance issues. In order to compare RAMSES with e xisting frame works from the state-of-the art, we only selected existing frameworks that, to our best knowledge, cover all these criteria. W ithout this selection, potentially incomplete, the body of literature covering these criteria is far too proliﬁc to provide a meaningful comarison. The frame works we hav e selected are: ProCom [ 75 ], Pap yrus/MAR TE [ 32 ], Scade 1 , Simulink 2 , ArcheOpteryx [ 1 ] and Ocarina [ 42 ]. Figure 5.1 provides an ov erview of the comparison between RAMSES and these selected frame works. In the reminder of this section, we provide a brief argumentation for this comparison. C1: Model transformations (r eﬁnements) Models reﬁnement is the main focus of the method introduced in this document. Among the selected framew orks, the ProCom component model has been used to deﬁne model reﬁnements [44, 76]. Other frame work, based on rich modeling languages (e.g. MAR TE and AADL), could also implement similar reﬁnements as those proposed in RAMSES. This is typically the case for 1 https://www .ansys.com/products/embedded- software/ansys- scade- suite 2 https://www .mathw orks.com/products/simulink.html 66 Conclusion and Perspecti ves 0+ 0.5+ 1+ 1.5+ 2+ 2.5+ 3+ Mo d e l + tr an s f o r m a- o n s + ( r e ﬁ n e m e n t) + G l u e + c o d e + g e n e r a- o n + Mu l - 4 o b j e c - v e + o p - m i za- o n + In te r o p e r ab i l i ty + S c h e d u l i n g + c o n ﬁ g u r a- o n + E v a l u a & o n ) o f ) RAMS E S ) v s . ) s i m i l a r ) f r a m e w o r ks ) RAMSES+ ProCom+ Papyrus+ Scade/Simulink+ ArcheOpteryx+ Ocarina+ Figure 5.1: Comparison between RAMSES and similar frameworks Pap yrus, ArcheOpteryx, and Ocarina. Howe ver , to our best knowledge, model reﬁnements hav e not been prototyped in the considered frameworks. Scade and Simulink could also be used to proceed to models reﬁnement, but their scope and utility would be less signiﬁcant as these languages mainly focus on modeling the funcional aspects of critical real-time and embedded software. C2: Source/glue code generation In terms of source code generation for the functional parts of a software architecture, Scade and Simulink are, by far , the references. When it comes to code generation for the tech- nical architecture ( i.e. operationg system, middleware), Ocarina is the most mature of the frame works we considered. Developped in the context of the ASSER T project, it has been maintained for the needs of the European Space Agenc y in the scope of the T ASTE project. ProCom also provides code generation capabilities, though the focus of this work w as more on the preserv ation of the semnatics than on the support of v arious programming languages or operating systems [ 12 ]. Papyrus has inte grated code generation techniques as well, mainly fo- cusing on code generation for component diagrams and state-charts. Finally , code generation was not the main focus of ArcheOpteryx. C3: Multi-objective optimization W ith respect to design space exploration, ArcheOpteryx is, among the framew orks we considered, the richest in terms variety of prototyped optimization methods. Ho wev er, by combining model transformations and optimisation techniques, RAMSES allo ws to (i) 5.1 Concluding remarks 67 reuse a generic design exploration frame work, i.e. the design alternati ves being e xpressed using transformation rules catalogs, (ii) focus only on valid design alternatives in terms of structural constraints satisfaction, and (iii) reuse existing analysis method to ev aluate the quality attributes of these alternati ves. Other frame works ha ve been used to implement preliminary w orks on models optimization, e.g . is Papyrus/MAR TE [57], or in Ocarina [ ? ]. Finally , Scade and Simulink are less usable for automated design space exploration as they mainly focus on modeling the funcional aspects of critical real-time and embedded software. C4: Interoperability This criteria is mainly achiev ed by relying on standardized modeling languages, which is the case for RAMSES, Papyrus, Ocarina, and ArcheOpteryx. The ProCom component model is not standardized but the language speciﬁcation is publicly av ailable [ 18 ]. Finally , Scade and Simulink use proprietary modeling languages. C5: Scheduling conﬁguration Ocarina can be used to anlyse various types of real-time schedulers, and to conﬁgure the scheduler of se veral operating systems. Howe ver , compared to RAMSES, this frame work supports a smaller subset of models of computation. For instance, our recent works on D A Gs and Mixed-criticality scheduling is not part of the subset of AADL supported by Ocarina. This statement is also true for periodic delayed communications, e ven though it has less impact on the scheduler conﬁguration. Pap yrus/MAR TE and ProCom can also be used to analyse and conﬁgure the scheduler of real-time operating system. Howe ver , only a few research works report ne w contributions in this area. Finally , scheduling conﬁguration has not been the main focus of research works in ArcheOpteryx, Scade, or Simulink. As on can easily understand, our work is at the intersection of the ﬁelds of model-driv en engineering, operational research, and scheduling of real-time systems. The perspectiv es we present in the remainder of this chapter aim at extending this w ork in three main directions: (i) security of software architectures for connected CPSs, (ii) autonomy of comple x and/or critical CPSs, and (iii) uncertainty management in design space exploration acti vities. W e de velop these perspecti ves in the next sections. 68 Conclusion and Perspecti ves 5.2 Futur e Resear ch Directions 5.2.1 Softwar e Security in Cyber -Physical Systems. Cyber-ph ysical systems are increasingly connected with their external en vironment. In particular , in the transportation domain (rail, automotiv e and avionics), vehicles are no w connected to their infrastructure, to mobile de vices, and to the internet. This e volution allo ws manufacturers to deliv er new services, b ut exposes these systems to malicious actions from hackers. In parallel to this, more and more functionalities are introduced into the transportation systems in the form of software systems. Some of these functionalities are also critical, since their failure, or a malicious takeo ver of these functions can have catastrophic consequences. The link between vulnerabilities and safety of these systems was considered negligible as long as the potentially af fected functions were not critical, b ut this is less and less true. Indeed, security vulnerabilities now adays can jeopardize the safety of critical embedded real-time systems, and thus endanger its users. The introduction of security counter-measures in the architectures of these embedded systems is necessary , pro vided they do not degrade signiﬁcantly the safety , performance or cost of the system. W e plan to study this problem with two complementary vie wpoints: 1. in the PhD of Jean Oudot (started in 09/2017), we aim at deﬁning a design space exploration frame work focusing on security metrics and counter measures. This will require to quantify a CPS architecture security , and the impact of security counter measures on security , safety , performance, and cost. The objecti ve is to deﬁne the best set of counter measures to deploy in the CPS architecture. Another objecti ve of this work is to propose a generic exploration framework, i.e. usable in dif ferent ﬁelds of cyber -physical systems and in particular in the transportation domain: avionics, railway , and automoti ve. This PhD is funded by the IR T 3 SystemX in the CTI (Cybersecurity of Intelligent T ransports) and is co-supervised with Arvind Easwaran from the Nan yang T echnological Uni versity (NTU) of Singapore. 2. in the PhD of Maxime A yrault (started in 10/2018), funded by the industrial chaire on Connected Cars and Cyber Security (C3S) we adopt a complementary vie wpoint: ho w to delay attacks and/or their propag ation? The basic idea behind this work is to consider that (i) all vulnerabilities and attacks paths cannot be anticipated at design time, and (ii) once a system is deplo yed, attackers ha ve time to study the system and discover new vulnerabilities and attacks paths. In this work, we will study the integration of moving 3 Institut de Recherche T echnologique/T echnological Research Institute 5.2 Future Research Directions 69 target defense mechanisms in CPSs architectures: the idea of MTD is to reconﬁgure the CPS architecture periodically so that vulnerabilities become unstable and attacks dif ﬁcult to discover and deplo y . Finally , the objectiv e will be to maximize the attacker learning time and minimize the probability of success of an attack. This approach is particularly challenging in CPSs since computation and communication resources are very limited. The approach outlined in the w ork of Maxime A yrault can be generalized and extended to improv e the autonomy of CPS. W e present this perspectiv e of our work in the ne xt section. 5.2.2 A utonomy by Reconﬁguration of CPS A pplications Architecture models such as AADL provide means to describe different software conﬁg- urations as well as services or techniques to reconﬁgure software applications. In AADL, this is done by deﬁning operational modes along with a particular conﬁguration per mode. Reconﬁgurations are described with transitions between operational modes. This type of reconﬁgurations is pseudo-dynamic: they are executed at runtime but all the possible conﬁgurations and transitions among them hav e been deﬁned at design time. Modern CPS are expected to be used for a v ery long time: a train, for instance, is exploited for decades. The algorithms running on these systems are thus expected to e volve o ver time, as well as the de vices they are connected to, the y interact with. In addition, some of these systems cannot be stopped for maintenance purpose, and more generally maintenance should disrupt as little as possible the operation of CPSs. Eventually , the objectiv e of this perspecti ve is to improv e the robustness of CPSs by having capabilities to reconﬁgure them e ven in case of situations or e volution needs that were not foreseen in their initial de velopment. In this context, we plan to study ho w MDE techniques presented in this document can help to deﬁne reconﬁgurations beyond pseudo-dynamic reconﬁgurations. The idea would be to (i) model platform reconﬁguration capabilities, (ii) use design exploration techniques to ﬁnd ne w conﬁgurations, and (iii) dev elop new design space exploration techniques to ﬁnd out ho w to progressiv ely move from the current conﬁguration to the tar geted conﬁguration. This boils do wn to ﬁnd ways to update systems as dynamically as possible, dele gating design space e xploration and tar get conﬁguration selection to an e xternal model based infrastructure. This model-based infrastructure would be responsible for ﬁnding ho w to deploy the ne w conﬁguration, and ho w to mov e from the current conﬁguration to the new one. The objecti ve of using models to reason about adaptation is to shorten as much as possible the delay between the detection of new needs and the implementation of a new solution. Another objecti ve to automate the migration from one solution to another one. 70 Conclusion and Perspecti ves This perspecti ve is ambitious, and is actually being dev eloped as a European project proposal with partners met in the European COST action MPM4CPS (Multi-P aradigm Modeling for Cyber Physical Systems). 5.2.3 Uncertainty Management in Design Space Exploration Uncertainty management in design decisions is the third perspectiv e presented in this chapter . It is strongly linked to the topic of architectures exploration as this acti vity , e xploration, aims to provide architecture candidates for a decision process to select one (or a subset) of them. This perspecti ve is also related to requirements engineering insofar architecture exploration aims to develop an architecture (or set of architectures) that satisfy at best a set of non- functional requirements. Howe ver , these requirements are often in conﬂict: improving certain non-functional properties of an architecture requires adopting solutions that degrade the architecture with respect to other non-functional properties. It is in this context that we hav e extended the requirements modeling language called RD AL (Requirements Analysis and Deﬁnition Language) [ 49 , 11 ] and hav e dev eloped a method of architectures exploration based on the composition of model transformations [ 65 ]. Howe ver , these studies do not consider an important aspect of model-based design: uncertainty . Indeed, in the early stages of the dev elopment process, decisions rely on models containing uncertain data. Those data are uncertain either because they are difﬁcult to estimate by essence ( e.g . errors probability distribution), or because the implementations they could be measured from are not av ailable yet ( e.g . in construction). As a consequence, decision-makers should be aware of ho w much conﬁdence they may ha ve in the data upon which they base their judgement. Someho w , this problem could be tackled by considering design activities as an optimization problem aiming at maximizing design margins ( i.e. dif ference between an estimated quality attribute and the lo west acceptable le vel of quality for this attribute). Roughly , increasing mar gins is expected to impro ve the conﬁdence of the decision maker , at least with respect to the risk of necessary re work during the integration and v alidation phases of the dev elopment process. Ho wev er , as explained in the introduction of this document, increasing margins may also lead to poor quality of service. This is, for example, the philosophy behind mixed-criticality scheduling as the objecti ve is to improv e computation resources usage by reducing margins in lo w criticality modes while preserving margins for high criticality tasks in high mode. In essence, a model is an abstraction of an object that focuses on predominant characteristics of this object. The e valuation of this abstraction therefore contains a degree of uncertainty since it deals with a model and not the object itself. Be yond the activity of abstraction, the information contained in a model may come from more or less reliable sources. For 5.2 Future Research Directions 71 instance, this information can be estimated (by e xpert judgment for example) or imprecise (using inaccurate or approximate analysis methods). T o some extent, RAMSES reduces uncertainty by executing successiv e reﬁnements and rev aluations of real-time embedded system architectures. This reduces the uncertainty due to abstraction, exhibiting architectures for which the non-functional properties are ev aluated with lo wer and lower abstraction le vel. Ho wev er , uncertainty must also be considered, ev aluated, and processed, at the decision- making le vel, in order to guide the exploration of architectures. This requires considering, in particular , uncertainty due to estimated or imprecise information contained in a model. In the future, we aim at studying uncertainty modeling, and its impact on the related decision- making and architectural exploration techniques. Existing studies consider a formalization with fuzzy mathematics [ 28 ] to guide the con- struction of products from a set of feature variants. It would be interesting to extend such an approach in the scope of design space exploration by model reﬁnements. In particular , considering uncertainty metrics would help the robustiﬁcation of design processes in a semi- automatic way: uncertainty would ev olve by interleaving automatic e xploration phases with studies dedicated to lo wer the le vel of uncertainty and update NFP properties. In addition, the risk associated to uncertainty could be controlled by feedbacks from previous experience. More generally , this perspectiv e aims to rationalize the attitude of decision makers facing uncertainty in an architecture design activity . W e plan to pursue this objecti ve by taking adv antage of model transformation traces, analysis results with uncertainty modeling, and a description of the multi-criteria decision process. Bibliograph y [1] Aleti, A., Björnander , S., Grunske, L., and Meedeniya, I. (2009). Archeopterix: An extendable tool for architecture optimization of AADL models. In ICSE 2009 W orkshop on Model-Based Methodologies for P ervasive and Embedded Softwar e, MOMPES 2009, May 16, 2009, V ancouver , Canada , pages 61–71. [2] Allen, R. (1997). A F ormal Appr oach to Softwar e Ar chitectur e . PhD thesis, Carnegie Mellon, School of Computer Science. Issued as CMU T echnical Report CMU-CS-97-144. [3] Amnell, T ., Fersman, E., Mokrushin, L., Pettersson, P ., and Y i, W . (2004). T imes: A tool for schedulability analysis and code generation of real-time systems. In Larsen, K. G. and Niebert, P ., editors, F ormal Modeling and Analysis of T imed Systems , pages 60–72, Berlin, Heidelberg. Springer Berlin Heidelber g. [4] Arendt, T ., Biermann, E., Jurack, S., Krause, C., and T aentzer , G. (2010). Henshin: Adv anced concepts and tools for in-place emf model transformations. In Pr oceedings of the 13th International Confer ence on Model Driven Engineering Languages and Systems: P art I , MODELS’10, pages 121–135, Berlin, Heidelberg. Springer -V erlag. [5] As-2 Embedded Computing Systems Committee SAE (2004). Architecture Analysis & Design Language (AADL). SAE Standards n o AS5506. [6] Baruah, S. (2016). The federated scheduling of systems of mixed-criticality sporadic dag tasks. In Real-T ime Systems Symposium . IEEE. [7] Bauer , E., Küster , J., and Engels, G. (2011). T est suite quality for model transformation chains. In Bishop, J. and V allecillo, A., editors, Objects, Models, Components, P at- terns , v olume 6705 of Lectur e Notes in Computer Science , pages 3–19. Springer Berlin Heidelberg. [8] Berthomieu, B., Bodev eix, J., Chaudet, C., Dal-Zilio, S., Filali, M., and V ernadat, F . (2009). Formal veriﬁcation of AADL speciﬁcations in the topcased en vironment. In Reliable Softwar e T echnologies - Ada-Eur ope 2009, 14th Ada-Eur ope International Confer ence, Br est, F rance, J une 8-12, 2009. Pr oceedings , pages 207–221. [9] Bharathi, S., Chervenak, A., Deelman, E., Mehta, G., Su, M.-H., and V ahi, K. (2008). Characterization of scientiﬁc workﬂo ws. In W orkshop on W orkﬂows in Support of Larg e- Scale Science . IEEE. [10] Bini, E. and Buttazzo, G. C. (2005). Measuring the performance of schedulability tests. Real-T ime Systems Symposium , 30(1). 74 Bibliography [11] Blouin, D., Barko wski, M., Schneider , M., Giese, H., Dyck, J., Borde, E., T amzalit, D., and Noppen, J. (2017). A semi-automated approach for the co-reﬁnement of requirements and architecture models. In IEEE 25th International Requir ements Engineering Con- fer ence W orkshops, RE 2017 W orkshops, Lisbon, P ortugal, September 4-8, 2017 , pages 36–45. [12] Borde, E. and Carlson, J. (2011). T o wards veriﬁed synthesis of procom, a component model for real-time embedded systems. In Pr oceedings of the 14th International A CM Sigsoft Symposium on Component Based Softwar e Engineering, CBSE 2011, part of Compar ch ’11 F ederated Events on Component-Based Software Engineering and Softwar e Ar chitectur e, Boulder , CO, USA, June 20-24, 2011 , pages 129–138. [13] Borde, E., Rahmoun, S., Cadoret, F ., P autet, L., Singhoff, F ., and Dissaux, P . (2014). Architecture models reﬁnement for ﬁne grain timing analysis of embedded systems. In 25nd IEEE International Symposium on Rapid System Pr ototyping, RSP 2014, New Delhi, India, October 16-17, 2014 , pages 44–50. [14] Bougueroua, L., George, L., and Midonnet, S. (2004). T ask allow ance for failure pre vention of ﬁxed priority scheduled real-time jav a systems. In Pr oceedings of the IASTED International Confer ence on P ar allel and Distributed Computing and Networks, Innsbruck, A ustria, F ebruary 17-19, 2004 , pages 375–380. [15] Bozga, M. D., Sfyrla, V ., and Sifakis, J. (2009). Modeling synchronous systems in bip. In Pr oceedings of the Seventh A CM International Conference on Embedded Software , EMSOFT ’09, pages 77–86, Ne w Y ork, NY , USA. A CM. [16] Bruneton, E., Coupaye, T ., Leclercq, M., Quéma, V ., and Stefani, J.-B. (2006). The fractal component model and its support in jav a: Experiences with auto-adapti ve and reconﬁgurable systems. Softw . Pract. Exper . , 36(11-12):1257–1284. [17] Bures, T ., Carlson, J., Crnkovic, I., Sentilles, S., and Feljan, A. V . (2008a). Procom - the progress component model reference manual, version 1.0. T echnical Report ISSN 1404-3041 ISRN MDH-MR TC-230/2008-1-SE. [18] Bures, T ., Carlson, J., Crnkovic, I., Sentilles, S., and V ulgarakis, A. (2008b). Procom - the progress component model reference manual, version 1.0. [19] Burns, A. and Da vis, R. I. (2017). A survey of research into mix ed criticality systems. A CM Comput. Surv . , 50(6):82:1–82:37. [20] Cadoret, F ., Borde, E., Gardoll, S., and Pautet, L. (2012). Design patterns for rule-based reﬁnement of safety critical embedded systems models. In 17th IEEE International Confer ence on Engineering of Complex Computer Systems, ICECCS 2012, P aris, F rance, J uly 18-20, 2012 , pages 67–76. [21] Cadoret, F ., Robert, T ., Borde, E., Pautet, L., and Singhof f, F . (2013). Deterministic implementation of periodic-delayed communications and e xperimentation in AADL. In 16th IEEE International Symposium on Object/Component/Service-Oriented Real-T ime Distributed Computing , ISORC 2013, P aderborn, Germany , J une 19-21, 2013 , pages 1–8. Bibliography 75 [22] Castellanos, C., Borde, E., Pautet, L., Sebastien, G., and V er gnaud, T . (2015). Improving reusability of model transformations by automating their composition. In 41st Eur omicr o Confer ence on Softwar e Engineering and Advanced Applications, EUR OMICR O-SEAA 2015, Madeira, P ortugal, A ugust 26-28, 2015 , pages 267–274. [23] Castellanos, C., Borde, E., P autet, L., V ergnaud, T ., and Deriv e, T . (2014). Automatic production of transformation chains using structural constraints on output models. In 40th EUR OMICR O Confer ence on Software Engineering and Advanced Applications, EUR OMICR O-SEAA 2014, V er ona, Italy , August 27-29, 2014 , pages 158–165. [24] Cordeiro, D., Mounié, G., Perarnau, S., Trystram, D., V incent, J.-M., and W agner , F . (2010). Random graph generation for scheduling simulations. In International ICST confer ence on simulation tools and tec hniques . Institute for Computer Sciences, Social- Informatics and T elecommunications Engineering. [25] Czarnecki, K. and Helsen, S. (2006). Feature-based surve y of model transformation approaches. IBM Syst. J. , 45(3):621–645. [26] Davis, R. I. and Burns, A. (2009). Priority assignment for global ﬁxed priority pre- empti ve scheduling in multiprocessor real-time systems. In Real-T ime Systems Symposium , pages 398–409. IEEE. [27] Ehrig, H., Ehrig, K., Prange, U., and T aentzer , G. (2006). Fundamentals of algebr aic graph tr ansformation , volume 373. Springer . [28] Esfahani, N., Malek, S., and Raza vi, K. (2013). Guidearch: guiding the exploration of architectural solution space under uncertainty . In ICSE , pages 43–52. IEEE Computer Society . [29] Etien, A., Aranega, V ., Blanc, X., and Paige, R. F . (2012). Chaining model transforma- tions. In Pr oceedings of the F irst W orkshop on the Analysis of Model T ransformations, AMT@MODELS 2012, Innsbruck, A ustria, October 2, 2012 , pages 9–14. [30] Fleck, M., Tro ya, J., and Wimmer , M. (2016). Search-based model transformations with momot. In V an Gorp, P . and Engels, G., editors, Theory and Practice of Model T ransformations , pages 79–87, Cham. Springer International Publishing. [31] Gamma, E. e. a. (1994). Design P atterns - Elements of Reusable Object-Oriented Softwar e. Addison-W esle y . [32] Gérard, S. (2015). Once upon a time, there was papyrus... In MODELSW ARD 2015 - Pr oceedings of the 3r d International Confer ence on Model-Driven Engineering and Softwar e Development, ESEO, Angers, Loir e V alley , F rance, 9-11 F ebruary , 2015 , pages IS–7. [33] Guernic, P . L., T alpin, J., and Lann, J. L. (2003). POL YCHR ONY for system design. J ournal of Cir cuits, Systems, and Computers , 12(3):261–304. [34] Habel, A., Pennemann, K.-H., and Rensink, A. (2006). W eakest preconditions for high-le vel programs: Long version. T echnical Report 8/06, Uni versity of Oldenbur g. 76 Bibliography [35] Halbwachs, N., Caspi, P ., Raymond, P ., and Pilaud, D. (1991). The synchronous dataﬂo w programming language lustre. In Pr oceedings of the IEEE , pages 1305–1320. [36] Henzinger , T . A., Horowitz, B., and Kirsch, C. M. (2001). Giotto: A time-triggered language for embedded programming. In Pr oceedings of the F irst International W orkshop on Embedded Softwar e , EMSOFT ’01, pages 166–184, Berlin, Heidelberg. Springer- V erlag. [37] Jackson, D. (2002). Alloy: A lightweight object modelling notation. ACM T ransactions on Softwar e Engineering and Methodology (TOSEM) , 11(2). [38] Jaouën, A., Borde, E., P autet, L., and Robert, T . (2014). PDP 4ps : Periodic-delayed protocol for partitioned systems. In Reliable Softwar e T echnologies - Ada-Eur ope 2014, 19th Ada-Eur ope International Confer ence on Reliable Softwar e T echnologies, P aris, F rance , J une 23-27, 2014. Pr oceedings , pages 149–165. [39] Jouault, F . and Kurte v , I. (2005). T ransforming models with atl. In Pr oceedings of the Model T ransformations in Pr actice W orkshop at MoDELS 2005 , Montego Bay , Jamaica. [40] K oziolek, A., Koziolek, H., and Reussner , R. (2011). Peropteryx: Automated applica- tion of tactics in multi-objecti ve softw are architecture optimization. In the ACM SIGSOFT Confer ence Quality of Softwar e Ar chitectur es , NY , NY , USA. ACM. [41] Kwiatko wska, M., Norman, G., and Parker , D. (2011). PRISM 4.0: V eriﬁcation of probabilistic real-time systems. In Gopalakrishnan, G. and Qadeer , S., editors, Pr oc. 23r d International Confer ence on Computer Aided V eriﬁcation (CA V’11) , volume 6806 of LNCS , pages 585–591. Springer . [42] Lasnier , G., Zalila, B., Pautet, L., and Hugues, J. (2009). Ocarina : An en vironment for AADL models analysis and automatic code generation for high integrity applications. In Reliable Softwar e T echnologies - Ada-Eur ope 2009, 14th Ada-Eur ope International Confer ence, Br est, F rance, J une 8-12, 2009. Pr oceedings , pages 237–250. [43] Lee, E. A. and Messerschmitt, D. (1987). Synchronous data ﬂow . Pr oceedings of the IEEE , 75:1235–1245. [44] Le veque, T ., Carlson, J., Sentilles, S., and Borde, E. (2011). Flexible semantic- preserving ﬂattening of hierarchical component models. In 37th EUR OMICR O Confer ence on Softwar e Engineering and Advanced Applications, SEAA 2011, Oulu, F inland, August 30 - September 2, 2011 , pages 31–38. [45] Li, R., Etemaadi, R., Emmerich, M. T . M., and Chaudron, M. R. V . (2011). An ev olu- tionary multiobjecti ve optimization approach to component-based softw are architecture design. In Evolutionary Computation (CEC), 2011 IEEE Congress on , pages 432–439. [46] Liu, C. L. and Layland, J. W . (1973). Scheduling algorithms for multiprogramming in a hard-real-time en vironment. J. A CM , 20(1):46–61. [47] Lonie wski, G., Borde, E., Blouin, D., and Insfrán, E. (2013a). An automated approach for architectural model transformations. In Information System Development - Impr ov- ing Enterprise Communication, [Pr oceedings of the 22nd International Confer ence on Information Systems Development, ISD 2013, Se ville, Spain] , pages 295–306. Bibliography 77 [48] Lonie wski, G., Borde, E., Blouin, D., and Insfrán, E. (2013b). Model-driv en require- ments engineering for embedded systems development. In 39th Eur omicr o Confer ence on Softwar e Engineering and Advanced Applications, SEAA 2013, Santander , Spain, September 4-6, 2013 , pages 236–243. [49] Lonie wski, G., Borde, E., Blouin, D., and Insfrán, E. (2013c). Model-dri ven require- ments engineering for embedded systems development. In 39th Eur omicr o Confer ence on Softwar e Engineering and Advanced Applications, SEAA 2013, Santander , Spain, September 4-6, 2013 , pages 236–243. [50] L yons, R. E. and V anderkulk, W . (1962). The use of triple-modular redundancy to improv e computer reliability . IBM J. Res. De v . , 6(2):200–209. [51] Maxim, D., Davis, R. I., Cucu-Grosjean, L., and Easwaran, A. (2017). Probabilistic analysis for mixed criticality systems using ﬁxed priority preempti ve scheduling. In Pr oceedings of the 25th International Conference on Real-T ime Networks and Systems , R TNS ’17, pages 237–246, Ne w Y ork, NY , USA. A CM. [52] Medina, R., Borde, E., and Pautet, L. (2017). Directed acyclic graph scheduling for mixed-criticality systems. In Reliable Softwar e T echnolo gies - Ada-Eur ope 2017 - 22nd Ada-Eur ope International Confer ence on Reliable Software T echnologies, V ienna, Austria, J une 12-16, 2017, Pr oceedings , pages 217–232. [53] Medina, R., Borde, E., and P autet, L. (2018a). A v ailability enhancement and analysis for mix ed-criticality systems on multi-core. In 2018 Design, Automation & T est in Eur ope Confer ence & Exhibition, D A TE 2018, Dr esden, Germany , Mar ch 19-23, 2018 , pages 1271–1276. [54] Medina, R., Borde, E., and Pautet, L. (2018b). Scheduling multi-periodic mixed criticality dags on multi-core architectures. In 2018 IEEE Real-T ime Systems Symposium (RTSS) . IEEE. [55] Mens, T . and V an Gorp, P . (2006). A taxonomy of model transformation. Electr on. Notes Theor . Comput. Sci. , 152:125–142. [56] MG (2009). Uml proﬁle for marte: Modeling and analysis of real-time embedded systems. [57] Mura, M., Murillo, L. G., and Prev ostini, M. (2008). Model-based design space exploration for R TES with sysml and MAR TE. In F orum on speciﬁcation and Design Languages, FDL 2008, September 23-25, 2008, Stuttgart, Germany , Pr oceedings , pages 203–208. [58] OMG (2005). MOF QVT F inal Adopted Speciﬁcation . Object Modeling Group. [59] OMG (2014). Object Constraint Language (OCL). http://www .omg.or g/spec/OCL. [60] Pennemann, K.-H. (2008). Dev elopment of correct graph transformation systems. In Graph T r ansformations , volume 5214 of LNCS , pages 508–510. Springer . [61] Poskitt, C. M. (2013). V eriﬁcation of Graph Pr ograms . PhD thesis, Univ ersity of Y ork. 78 Bibliography [62] Poskitt, C. M. and Plump, D. (2013). V erifying total correctness of graph programs. In Revised Selected P apers, Gr aph Computation Models (GCM 2012) , Electronic Communi- cations of the ECEASST 61. [63] Rahmoun, S., Borde, E., and Pautet, L. (2015a). Automatic selection and composition of model transformations alternati ves using e volutionary algorithms. In 2015 Eur opean Confer ence on Software Ar chitectur e W orkshops , pages 25:1–25:7, Ne w Y ork, NY , USA. A CM. [64] Rahmoun, S., Borde, E., and Pautet, L. (2015b). Multi-objecti ves reﬁnement of AADL models for the synthesis embedded systems (mu-ramses). In 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015, Gold Coast, Austr alia, December 9-12, 2015 , pages 21–30. [65] Rahmoun, S., Mehiaoui-Hamitou, A., Borde, E., P autet, L., and Soubiran, E. (2017). Multi-objecti ve e xploration of architectural designs by composition of model transforma- tions. Software & Systems Modeling . [66] Renault, X., K ordon, F ., and Hugues, J. (2009). Adapting models to model checkers, a case study: Analysing aadl using time or colored petri nets. In Pr oceedings of the 2009 IEEE/IFIP International Symposium on Rapid System Pr ototyping , RSP ’09, pages 26–33, W ashington, DC, USA. IEEE Computer Society . [67] Reussner , R., Becker , S., Burger , E., Happe, J., Hauck, M., K oziolek, A., K oziolek, H., Krogmann, K., and K uperberg, M. (2011). The Palladio Component Model. T echnical report, KIT , Fakultät für Informatik, Karlsruhe. [68] Richa, E., Borde, E., and Pautet, L. (2015). T ranslating A TL model transformations to algebraic graph transformations. In Theory and Practice of Model T ransformations - 8th International Confer ence, ICMT 2015, Held as P art of ST AF 2015, L’Aquila, Italy , July 20-21, 2015. Pr oceedings , pages 183–198. [69] Richa, E., Borde, E., and Pautet, L. (2017). T ranslation of atl to agt and application to a code generator for simulink. Software & Systems Modeling . [70] Richa, E., Borde, E., Pautet, L., Bordin, M., and Ruiz, J. F . (2014). T ow ards testing model transformation chains using precondition construction in algebraic graph transfor - mation. In Pr oceedings of the W orkshop on Analysis of Model T r ansformations co-located with A CM/IEEE 17th International Confer ence on Model Driven Engineering Languages & Systems (MoDELS 2014), V alencia, Spain, September 29, 2014 , pages 34–43. [71] Siebert, S. and T eizer, J. (2014). Mobile 3d mapping for surve ying earthwork projects using an unmanned aerial vehicle (ua v) system. Automation in Construction , 41. [72] Singhof f, F ., Legrand, J., Nana, L., and Marcé, L. (2004). Cheddar: A ﬂexible real time scheduling frame work. In Pr oceedings of the 2004 Annual A CM SIGAda International Confer ence on Ada: The Engineering of Corr ect and Reliable Softwar e for Real-time &Amp; Distributed Systems Using Ada and Related T echnologies , SIGAda ’04, pages 1–8, Ne w Y ork, NY , USA. A CM. Bibliography 79 [73] Su, H., Zhu, D., and Brandt, S. (2016). An elastic mixed-criticality task model and early- release edf scheduling algorithms. ACM T rans. Des. Autom. Electr on. Syst. , 22(2):28:1– 28:25. [74] V estal, S. (2007). Preemptiv e scheduling of multi-criticality systems with v arying degrees of execution time assurance. In Pr oceedings of the 28th IEEE International Real-T ime Systems Symposium , R TSS ’07, pages 239–243, W ashington, DC, USA. IEEE Computer Society . [75] V ulgarakis, A., Suryadev ara, J., Carlson, J., Seceleanu, C. C., and Pettersson, P . (2009). Formal semantics of the procom real-time component model. In 35th Eur omicr o Confer- ence on Softwar e Engineering and Advanced Applications, SEAA 2009, P atras, Gr eece, August 27-29, 2009, Pr oceedings , pages 478–485. [76] Y in, H., Borde, E., and Hansson, H. (2011). Composable mode switch for component- based systems. In Sebastian Fischmeister , L. T . P ., editor , 3r d W orkshop on Adaptive and Reconﬁgurable Embedded Systems (APRES 2011) , pages 19–22.

Architecture Models Refinements for Software Development of Critical Real-time Embedded Systems

Original Paper

Comments & Academic Discussion

Leave a Comment

Original Paper

Related Papers

Comments & Academic Discussion

Leave a Comment