Cyber-physical systems, used in domains such as avionics or medical devices, perform safety-critical functions where a fault might have catastrophic consequences (mission failure, severe injuries, etc.). Their development is guided by rigorous practice standards to avoid any error. However, as more software-based functions are integrated into a system, interaction complexity has increased significantly over the years. While software appears to ease upgrades and adaptation, interaction complexity, e.g., due to shared hardware resources, has resulted in high error leakage into system integration. Late discovery of errors introduced in requirements and architecture design has resulted in costly rework, making up as much as 70% of the total software system cost. To overcome these issues, architecture-centric model-based approaches abstract system concerns into analyzable architecture models. These models are then analyzed to spot and detect errors, issues or defects that are usually dete...
This material has been approved for public release and unlimited distribution except as restricted below. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at
High-integrity systems must be designed to ensure reliability and robustness properties. They must operate continuously, even when deployed in hostile environments and exposed to hazards and threats. To avoid any potential issue during execution, they are developed with specific attention. For that purpose, specific standards define methods and rules to be checked during the development process. Dedicated execution platforms must also be used to reduce potential errors. For example, in the avionics domain, the DO178-B standard defines the quality criteria (in terms of performance, code coverage, etc.) to be met according to the software assurance level. ARINC653 specifies services for the design of safe avionics systems by using partitioning mechanisms. However, despite these specific methods and tools, errors are still introduced in high-integrity system implementations. In fact, their complexity, due to the large number of collocated functions, complicates their analysis, ...
Cyber-Physical Systems are becoming software intensive, collocating many functions on a single processor and requiring a significant processing capacity which has increased over the years. In recent years, improving processing performance has been achieved by adding more processing cores on the same chip rather than increasing its frequency. This new design also introduces issues: interaction among cores may impact software performance and might also harm software isolation layers, such as the one defined in ARINC653. For that reason, software using multi-core architectures must be carefully designed and specified with both hardware and software aspects. This would help to analyze the system and detect potential design issues. This paper proposes an approach to represent multi-core architectures and their association with software artifacts, such as the ones used for cyber-physical systems (e.g., the ARINC653 platform). For that purpose, we use the AADL language and define specific modeling pat...
Proceedings of the 2011 ACM annual international conference on Special interest group on the ada programming language - SIGAda '11
Welcome to the 2011 Annual International Conference of the Association for Computing Machinery's (ACM's) Special Interest Group on the Ada Programming Language (SIGAda), being held in Denver, Colorado, in the heart of the western United States. We offer you a conference featuring a top-quality technical program focused on important strengths of Ada: safety, security, distributed, real-time, and embedded systems. The visions of these systems reflected in Ada's original requirements in the 1970s have expanded in almost unimaginable ways with the Ada 95 and Ada 2005 implementations, and continue to be objects of envy by those in the programming language community who understand what the strengths of a language bring to implementers in terms of safety, security, efficiency, reliability, and effectiveness. Software challenges remain dominant in these domains with rapid hardware advances. Most other languages fail to meet the needs identified as far back as the 1978 Steelman, being able at best to do only 3/4 of the needed functions, while Ada performs over 95%. Ada's track record of safety, security, reliability, efficiency, robustness and all-around success is unparalleled at solving safety/security critical, real-time and/or distributed system challenges. Ada is used in air traffic control systems, space/satellite systems, most modern jetliner avionics, high-speed ground transportation systems, and battle automation systems. As such, it is an important part of the world's economies, transportation, and defenses. Three days of technical papers, keynotes, and invited presentations will report how these successes are achieved and where remaining issues are leading. We are fortunate to have leaders in the software engineering community to provide keynote addresses to set the tone for our conference.
Beyond the formal conference of selected papers and presentations, SIGAda 2011 also offers workshops and tutorials with the same duality of on-theme and complementary topics. SIGAda's tutorials provide full-day or half-day sessions on selected topics to enhance one's professional development. SIGAda's workshops allow those working on related issues to share with each other and leverage everyone's accomplishments; workshop products are "delivered" to the community. The broad offerings of career-enhancing tutorials include basic Ada language introductions for software engineers new to Ada, intermediate and advanced Ada topics for practitioners striving to expand their Ada expertise, and several language-independent technology topics. These topics are often coupled with Ada technology because only Ada's full and complete definition allows one to indicate what is expected, and to show that it can be achieved. Join us in understanding how these topics mutually support the disciplined development and evolution of serious, high-quality software systems. Finally, we hope SIGAda 2011 provides you an outstanding opportunity for rewarding affiliation with colleagues in industry, academia, and government: discussions "in the hall," informal meal-time meetings, and even the more relaxed moments we make for socializing. These associations can be as valuable as the technical program at professional conferences, and often extend the experience after you return home.
Cyber-Physical System Design from an Architecture Analysis Viewpoint, 2017
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Validation of specifications and of the implementation with the TASTE platform (original title: "Validation des spécifications et de l'implémentation avec la plate-forme TASTE")
Genie Logiciel, 2011
It is a fact, and all software engineers agree on it, that the design of critical systems has become increasingly complex. The joint execution of several functions on the same computer, the use of heterogeneous equipment and the multiplication of interfaces complicate the development process and lead developers to make design faults during the implementation, integration or execution of systems. Today, these potential errors are detected through an intensive test campaign and through reviews of the code or of the design documents. The applicable standards (DO178B for avionics, ECSS for space) require that the design documents and the code meet quality criteria (code coverage, requirements traceability, etc.). However, these analysis steps have two main drawbacks. First, because of the multiplication of functions and the complexity of critical systems, test and review activities take an ever larger share of development, increasing design time and the associated costs. Second, these checks only occur at the end of the process, very often forcing modifications that impact other components, which must then be analyzed in turn. For these reasons, new design methods must be introduced. They must address the problems identified, namely: ease the integration of software and hardware components, automate verification activities, and detect design errors as early as possible in the development cycle. This article describes TASTE [9], a design platform for critical systems that meets these needs.
The platform is used to capture software and hardware requirements with models (ASN.1, AADL, SCADE, Simulink, etc.), to validate their integration and to produce the implementation of each program. The article gives an overview of the platform's features before focusing on model validation.
Critical embedded systems (used in the avionics, military or medical domains) must ensure continuity of service and the security of the data they hold or exchange. These requirements are guaranteed through a rigorous development process that seeks to detect and correct every error before the system goes into production. However, several examples (the explosion of the Ariane 5 rocket, the failure of the Mars Climate Orbiter mission) have shown the limits of these methods. Moreover, the growth in the functionality provided by these systems makes it harder to guarantee security and safety rules. This thesis proposes a design method for critical systems that aims to make it easier to comply with security and safety policies when producing critical systems. The approach described in this manuscript defines specification rules for safe and secure systems that are used during...
Safety-critical systems may contain a large number of functions having different security/safety levels and must ensure a continuous operational state. It is of prime importance to avoid error propagation between system functions. One may identify two main solutions to tackle that problem. The first and classical solution relies on the federated architecture, where different hardware nodes, each one executing one or several functions having the same security/safety level, are interconnected using communication channels. The second solution emerged recently and led to the definition of the integrated architecture, where a single hardware node is able to execute several functions having different security/safety levels thanks to dedicated hardware (such as a Memory Management Unit) and software (such as hypervisors). These two architectures have their own advantages and drawbacks in terms of dependability, mass, processing power, consumption, integration and validation efforts, costs, etc. As a co...
Illustrating the AADL error modeling annex (v.2) using a simple safety-critical medical device
ACM SIGAda Ada Letters, 2013
Developing and certifying safety-critical and highly reliable systems almost always includes significant emphasis on hazard analysis and risk assessment. There have been substantial improvements in automation and formalization of other aspects of critical system engineering, including model-driven development, analysis of source code and models, and verification techniques. However, hazard analysis and risk assessment are still largely manual and informal activities, tool support is limited (which, for both development and auditing, increases time and effort and reduces accuracy and correctness), and artifacts are not integrated with architectural descriptions, system interfaces, high-level behavioral descriptions or code. The Error Model annex of the Architecture Analysis and Design Language (AADL) provides formal and automated support for a variety of forms of hazard analysis and risk assessment activities. Specifically, it enables engineers to formally specify errors, error propaga...
Architecture driven generation of distributed embedded software from functional models
Embedded systems are becoming increasingly complex and more distributed. Cost and quality requirements necessitate reuse of the functional software components for multiple deployment architectures. An important step is the allocation of software ...
Distributed Real-time Embedded (DRE) systems are increasingly used in critical domains such as avionics, vehicle and industrial control, as well as in medical systems. They must be designed carefully and have to provide safety properties because a failure could mean loss of life. For these reasons, it is recommended to automatically generate a significant part of the code from the models describing the critical aspects. In our approach, we automatically generate two kinds of code from architectural models. The first one plugs the user functional code into the middleware; the second one provides a significant part of the middleware functions. Both rely on a hand-written middleware that provides the minimal facilities to plug in the generated code and to resolve portability issues. In this paper, we present our code generator and the middleware designed to generate High Integrity (HI) systems. We demonstrate via several use cases how we succeeded in meeting the requirements of DRE systems (small memory footprint, no dead code, etc.).
Papers by Julien Delange