Minxue Pan,Shouyu Chen,Yu Pei,Tian Zhang,Xuandong Li

DOI: https://doi.org/10.1109/icse.2019.00037

2019-01-01

Abstract:The widespread real-time and embedded systems are mostly interrupt-driven because their heavy interaction with the environment is often initiated by interrupts. With the interrupt arrival being unpredictable and the interrupt handling being preemptive, a large number of possible system behaviours are generated, which makes the correctness assurance of such systems difficult and costly. Model checking is considered to be one of the effective methods for exhausting behavioural state space for correctness. However, existing modelling approaches for interrupt-driven systems are based on either calculus or automata theory, and have a steep learning curve. To address this problem, we propose a new modelling language called interrupt sequence diagram (ISD). By extending the popular UML sequence diagram notations, the ISD supports the modelling of interrupts' essential features visually and concisely. We also propose an automata-based semantics for ISD, based on which ISD can be transformed to a subset of hybrid automata so as to leverage the abundant off-the-shelf checkers. Experiments on examples from both real-world and existing literature were conducted, and the results demonstrate our approach's usability and effectiveness.

Han Liu,Yu Jiang,Huafeng Zhang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1007/978-3-319-48989-6_48

2016-01-01

Abstract:Multifunction Vehicle Bus controllers (MVBC) are safety-critical sub-systems in the industrial train communication network. As an interrupt-driven system, MVBC is practically hard to verify. The reasons are twofold. First, MVBC introduces the concurrency semantics of deferred interrupt handlers and communication via hardware registers, making existing formalism infeasible. Second, verifying MVBC requires considering the environmental features (i.e., interrupt ordering), which is hard to model and reason. To overcome these limitations, we proposed a novel framework for formal verification on MVBC. First, we formalized the concurrency semantics of MVBC and described a sequentialization technique so that well-designed sequential analyses can be performed. Moreover, we introduced the happen-before interrupt graph to model interrupt dependency and further eliminate false alarms. The framework scaled well on an industrial MVBC product from CRRC Inc. and found 3 severe software bugs, which were all confirmed by engineers.

Longkai Wang,Shilun Du,Guofang Gong,Yong Lei

DOI: https://doi.org/10.1109/M2VIP58386.2023.10413404

2023-01-01

Abstract:Controller Area Network (CAN) plays an important role in vehicle chassis control system, hence the reliability of CAN network relates to driving performance and even passenger safety. However, intermittent connection (IC) faults, including intermittent open connection (IOC) and intermittent short connection (ISC), can potentially affect the performance of the vehicle CAN network. In this work, a hardware-in-the-loop (HIL) real-time simulation platform for the in-vehicle CAN system is constructed, and the effects of IC faults on the system are studied. First, based on the virtualized vehicle dynamics model and the actual bus hardware, the HIL platform of the vehicle CAN system is built. Then, typical connectivity problems such as IOC and ISC faults are emulated on the vehicle chassis CAN system. Finally, the influence law of different electrical character (type, frequency, and intensity) of IC faults on the vehicle speed control performance is analyzed. The results demonstrate the varying performance of CAN-based control systems in terms of signal delay, control performance, system stability, and tolerable fault intensity in the presence of IC faults with different electrical characteristics.

Peng Liu,Ming Cai,Tingting Fu,Jinxiang Dong

DOI: https://doi.org/10.1007/978-3-540-72590-9_147

2007-01-01

Abstract:Traditional model of interrupt managemnent has been used for several decades. But it is often incapacity to incorporate reliability and temporal predictability demanded on real-time systems. Many solutions have been proposed to improve efficiency of interrupt handling such as In-line Interrupt Handling and Predictable Interrupt Management In this paper we propose a model that schedules interrupts in terms of their deadlines. Hard priorities of IRQs are still left to hardware. We only manager interrupts that can enter the kernel space so that hard real-time can be assured. Each interrupt will be scheduled only before its first execution according to their arrival time and deadlines so that the scheme is very simple and easy to be implemented. The scheme tries to make as many as possible ISRs finish their work within the time limit. Finally we do some experiments, which prove there is a big decrease of nested overtime interrupts, by means of task simulation on VxWorks.

Huafeng Zhang,Yu Jiang,Han Liu,Hehua Zhang,Ming Gu,Jiaguang Sung

DOI: https://doi.org/10.1145/2970276.2970280

2016-01-01

Abstract:Synchronous embedded systems are becoming more and more complicated and are usually implemented with integrated hardware/software solutions. This implementation manner brings new challenges to the traditional model-driven design environments such as SCADE and STATEMATE, that supports pure hardware or software design.In this paper, we propose a co-design tool Tsmart-Edola to facilitate the system developers, and automatically generate the executable VHDL code and C code from the formal verified SyncBlock computation model. SyncBlock is a lightweight high-level system specification model with well defined syntax, simulation and formal semantics. Based on which, the graphical model editor, graphical simulator, verification translator, and code generator are implemented and seamlessly integrated into the Tsmart-Edola. For evaluation, we apply Tsmart-Edola to the design of a real-world train controller based on the international standard IEC 61375. Several critical ambiguousness or bugs in the standard are detected during formal verification of the constructed system model. Furthermore, the generated VHDL code and C code of Tsmart-Edola outperform that of the state-of-the-art tools in terms of synthesized gate array resource consumption and binary code size.

Gang Hou,Weiqiang Kong,Kuanjiu Zhou,Jie Wang,Xun Cao,Akira Fukud

DOI: https://doi.org/10.1109/iiai-aai.2018.00026

2018-01-01

Abstract:Vehicles automated driving system belongs to real-time embedded system, which is an important application in the field of intelligent transport. In the design of trustworthy real-time embedded systems, the interrupt mechanism plays an important role. Due to the randomness and non-deterministic of interrupt handling, the behaviors of interrupt are difficult to be analyzed. To solve this problem, we propose an interrupt behavior model based on extended deterministic and stochastic Petri nets (EDSPN). In order to analyze the EDSPN model, we presented the formal definition of labeled Markov regenerative processes (LMRGP) for EDSPN. On the basis of LMRGP, we put forward a probabilistic model checking method of continuous stochastic logic (CSL). Finally, by analyzing the multi-level interrupt model, the non-deterministic behaviors of interrupt are quantitatively analyzed, and effectiveness of the proposed method is proved.

Yu Jiang,Yixiao Yang,Han Liu,Hui Kong,Ming Gu,Jiaguang Sun,Lui Sha

DOI: https://doi.org/10.1109/rtas.2016.7461337

2016-01-01

Abstract:Simulink is widely used for model driven development (MDD) of industrial software systems. Typically, the Simulink based development is initiated from Stateflow modeling, followed by simulation, validation and code generation mapped to physical execution platforms. However, recent industrial trends have raised the demands of rigorous verification on safety-critical applications, which is unfortunately challenging for Simulink. In this paper, we present an approach to bridge the Stateflow based model driven development and a well- defined rigorous verification. First, we develop a self- contained toolkit to translate Stateflow model into timed automata, where major advanced modeling features in Stateflow are supported. Taking advantage of the strong verification capability of Uppaal, we can not only find bugs in Stateflow models which are missed by Simulink Design Verifier, but also check more important temporal properties. Next, we customize a runtime verifier for the generated nonintrusive VHDL and C code of Stateflow model for monitoring. The major strength of the customization is the flexibility to collect and analyze runtime properties with a pure software monitor, which opens more opportunities for engineers to achieve high reliability of the target system compared with the traditional act that only relies on Simulink Polyspace. We incorporate these two parts into original Stateflow based MDD seamlessly. In this way, safety-critical properties are both verified at the model level, and at the consistent system implementation level with physical execution environment in consideration. We apply our approach on a train controller design, and the verified implementation is tested and deployed on a real hardware platform.

LI Kang-jie,QIAN Zhen-jiang,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137x.2013.03.044

2013-01-01

Computer Science

Abstract:It is difficult to describe the correctness and security of the operate system(OS) by quantitative analysis.Formal method is the acknowledged standard one in design and verification for OS.Based on the operate system object semantics model(OSOSM),we designed and verified the interruption mechanism of microkernel architecture using formal method,which was realized on our self-implemented verified trusted operate system(VTOS).Meanwhile,we used the theorem prover Isabelle/HOL to formally describe the design process,and verify the integrality of the interruption mechanism of VTOS.Our research plays certain referential significance on formal design and verification of OS.

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Yu Jiang,Han Liu,Houbing Song,Hui Kong,Ming Gu,Jiaguang Sun,Lui Sha

DOI: https://doi.org/10.1109/tits.2017.2778077

2016-01-01

Abstract:In this paper, we present a formal model-driven design approach to establish a safety-assured implementation of multifunction vehicle bus controller (MVBC), which controls the data transmission among the devices of the vehicle. First, the generic models and safety requirements described in International Electrotechnical Commission Standard 61375 are formalized as time automata and timed computation tree logic formulas, respectively. With model checking tool Uppaal, we verify whether or not the constructed timed automata satisfy the formulas and several logic inconsistencies in the original standard are detected and corrected. Then, we apply the code generation tool Times to generate C code from the verified model, which is later synthesized into a real MVBC chip, with some handwriting glue code. Furthermore, the runtime verification tool RMOR is applied on the integrated code, to verify some safety requirements that cannot be formalized on the timed automata. For evaluation, we compare the proposed approach with existing MVBC design methods, such as BeagleBone, Galsblock, and Simulink. Experiments show that more ambiguousness or bugs in the standard are detected during Uppaal verification, and the generated code of Times outperforms the C code generated by others in terms of the synthesized binary code size. The errors in the standard have been confirmed and the resulting MVBC has been deployed in the real train communication network.

Nan Zhou,Di Li,Valeriy Vyatkin,Victor Dubinin,Chengliang Liu

DOI: https://doi.org/10.1109/tase.2020.3038034

IF: 6.636

2022-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Recent technological advances and manufacturing paradigm evolutions in industrial settings will dramatically increase the complexity of automation control systems. Traditional solutions to the software development of low-level control kernels (e.g., numerical control kernel, motion control kernel, and real-time communication tasks) are unable to cope effectively with such complexity due to an inadequate level of abstraction and challenges for dependability. This article presents a formal semantics integrated model-driven design approach as a holistic solution. A domain-specific modeling language (DSML) is specified based on the adaption of IEC 61 499 architecture, along with the extensions of task model, task-to-resource allocation, and nonfunctional specification. Both formal structural and behavioral semantics of the proposed DSML are then explicitly defined. Design-time formal verification is also achieved by automated model transformations. A metaprogrammable environment is adopted to facilitate flexible modeling, verification, and code generation. A case study is demonstrated on implementing a prototype computer numerical control (CNC) system using the proposed solution. Note to Practitioners—The low-level automation control system in the modern manufacturing scenarios require more agility while respecting strict timing constraints. Handling such complexity with manual coding is getting harder and less efficient. The DSML and the supporting development environment presented in this article aim to enhance the level of automation, flexibility, and dependability of the whole design process. For the proposed DSML, its syntax is formalized and defined as metamodels, while the semantics is integrated through model annotation and transformation. These definitions are implemented as external rules for a metaprogrammable environment to establish our proposed development tool. The finding and insight from this article can enhance effi-iency and dependability during the development of common control kernels, such as CNC kernel and motion controller.

automation & control systems

Yonghua Xiong,Ke Li,Zhentao Liu,Jinhua She

DOI: https://doi.org/10.20965/jaciii.2021.p0248

2021-01-01

Journal of Advanced Computational Intelligence and Intelligent Informatics

Abstract:In recent years, there have been several breakthroughs in the theoretical research of servo control algorithms. However most of these control algorithms remain in the simulation stage. They are difficult to be applied directly to practical platforms or complex industrial sites because of the lack of an experimental system suitable for the verification of their effectiveness. To address this problem, we designed a multi-function servo control algorithm verification experiment system (MVES) within the MATLAB/Simulink theoretical simulation model directly to communicate with the TwinCAT 3 PLC master program to perform different servo control experiments. The MVES supports various Simulink models. However, its and the operation is simple and convenient, which greatly reduces the workload of the algorithm test and has important practical value. Two sets of comparative experiments were used to verify the versatility and superiority of MVES.

Julius Adelt,Julian Gebker,Paula Herber

DOI: https://doi.org/10.1007/s10009-024-00743-4

2024-02-21

International Journal on Software Tools for Technology Transfer

Abstract:In embedded systems, the execution semantics of the real-time operating system (RTOS), which is responsible for scheduling and timely execution of concurrent processes, is crucial for the correctness of the overall system. However, existing approaches for the formal verification of embedded systems typically abstract from the RTOS completely, or provide a detailed and synthesizable formal model of the RTOS. While the former may lead to unsafe systems, the latter is not compatible with industrial design processes. In this paper, we present an approach for reusable abstract formal models that can be configured for custom RTOS. Our key idea is to formally capture common execution mechanisms of RTOS like preemptive scheduling, event synchronization, and communication abstractly in configurable timed automata models. These abstract formal models can be configured for a concrete custom RTOS, and they can be combined into a formal system model together with a concrete application. Our reusable models significantly reduce the manual effort of defining a formal model that captures concurrency and real-time behavior, together with the functionality of an application. The resulting formal model enables analysis, verification, and graphical simulation. We validate our approach by formalizing and analyzing a rescue robot application running the custom open source RTOS EV3RT.

computer science, software engineering

Sufyan Samara,Yuhong Zhao,Franz J. Rammig

DOI: https://doi.org/10.1007/978-3-642-15234-4_11

2010-01-01

Abstract:This paper presents a novel flexible, dependable, and reliable operating system design for distributed reconfigurable system on chip. The dependability and reliability are achieved by integrating online model checking technique. Each OS service has different implementations which are further partitioned into small blocks. This operating system design allows the OS service to be adapted at runtime according to the given resource requirements and response time. Such adaptable services may be required by real time safety-critical applications. The flexibility introduced in executing adaptable OS services also gives rise to a potential safety problem. Thus, online model checking is integrated to the operating system so as to improve the dependability, reliability, and fault tolerance of these adaptable OS services.

Guoqing Yang,Minde Zhao,Hong Li,Zhaohui Wu

DOI: https://doi.org/10.1109/ICARCV.2006.345052

2006-01-01

Abstract:Electronic Control Units (ECUs) are widely used to improve the comfort and reliability of vehicles. Due to the increasing degree of distribution and interaction of ECUs, many approaches are adopted to design the in-vehicle networks to ensure the stability and reliability of the holistic network, but none of them support the synchronous development of in-vehicle networks and software in ECUs. This paper put forward a model-based approach to design the in-vehicle networks and the software in ECUs with presenting a dependable platform compliant with OSEK/VDX specifications. The paper presents a tool-chain that covers the entire system development life-cycle including system modeling, model transformation, model analysis, network simulation, code generation, document generation and runtime instrumentation. In addition, a case study is presented to demonstrate the application of the approach. The contribution of the approach is threefold. First, the approach applies the theory of model-based design with OSEK/VDX standard in automotive electronics domain, and implements the transformation between SysML models and OSEK/VDX models through an efficient method. Second, the approach presents a method of software co-design among distributed ECUs. Third, the approach bring forward a simulation model for the system models with in-vehicle networks and provides the designeriAth the simulation results to, optimize the design at the early time of the development.

Ning Ge,Yunduo Wang,Yuan Wang,Yong Wang

DOI: https://doi.org/10.1145/3550356.3559085

2022-01-01

Abstract:The design and implementation of safety-critical human-machine interface (HMI) software typically follow the model-driven development process to guarantee secure reliability pragmatically. Systematic and comprehensive modeling for interactions involved in HMI software is essential when applying the model-driven approach. LIDL Interaction Description Language (LIDL) is an interaction description language well suited to HMI software interaction modeling. Several problems limit the practical adoption of LIDL. LIDL does not have a visual modeling language or debugging tools, resulting in error-prone and inefficient modeling. In addition, there is no toolchain to connect it to the subsequent steps in model-driven development, such as verification and implementation. This paper presents a toolchain developed for LIDL to alleviate the problems it faces in practice. The toolchain consists of three tools, a visual modeling tool, a compiler translating LIDL code to Lustre, and a LIDL debugger. We design the visual modeling tool and debugger to improve LIDL modeling efficiency and the compiler to support the debugger and integrate the LIDL modeling into the whole model-driven development process of the HMI software. Specifically, the modeling tool uses tables and diagrams to visualize LIDL code, pragmatically reducing the possibility of introducing modeling errors while maintaining the semantics of LIDL code. We add management features to LIDL models to form a library of model components that modelers can reuse easily. The modeling tool can also automatically convert LIDL models created by modelers into LIDL code. The debugger helps modelers debug LIDL code to locate problems in the model and correct them quickly.

Lei Wang,Xi Wang,Minling Zhu

DOI: https://doi.org/10.2514/6.2010-8848

2010-01-01

Abstract:Distributed control system plays an important part in the application of satellite systems. However, there are integrated requirements (i.e., reliability, real-time capability, expandability, commonality, usability, economy and efficiency) for communication in these systems often used in hostile environments. The work presented here relates to a protocol named IRCBus (Industry High-Reliability Configurable Bus), which supports these requirements. And it also offers practical solutions. First of all, the protocol is formulated based on ISO/OSI (International Organization Standardization /Open System Interconnection) model and it includes four layers: Physical, DataLink, Network and Transport. And it proposes new ideas and improved methods in each layer draft and realization for these requirements. Then the high reliability is guaranteed by hot backup, three redundancy, bus isolation, retransmission law, data check and intrinsically safe explosion-proof; the real-time capability is realized by hardware system based on Field Programmable Gate Arrays (FPGA) and software system; the expandability for bus functions and network size is considered during the whole design; the usability is solved by system management function, installing law and uninstalling law; the low cost are achieved as follows: adopting common cable as transmission media; utilizing existing chip RS485 chip with rational circuit; the efficiency is improved by taking advantage of 8-bit data and 9-bit data in UART (Universal Asynchronous Receiver/Transmitter) protocol and other features. Moreover, it analyzes the protocol from communication principle perspectives. Lastly, in conclusion, it provides some discussion about extensions for Presentation layer (the sixth layer in ISO/OSI) and bus drive. rds: Protocol, IRCBus, Field bus

Feng Xia,Zhi Wang,Youxian Sun

DOI: https://doi.org/10.1109/ICSMC.2004.1401011

2004-01-01

Abstract:Control delay holds a significant impact on the quality of control (QoC) of a networked control system (NCS), degrading QoC and even causing system instability. With an objective of performance optimization through minimizing control delay, an event-driven approach to NCS design is proposed. The function block model defined in IEC61499 is extended and employed as the component for constructing event-driven NCS. Effective design principles integrating the scheduling methodology of pipelining are presented The NCS design for a DC servo system illustrates the proposed design principles. The impact of control period on QoC is visualized, and the optimal working range of control period is obtained. The QoC of NCS is measured by a general performance criterion. Simulation results for performance evaluation show that our approach leads to better QoC than the sequential system does.

Eun-Young Kang,Dongrui Mu,Li Huang,Qianqing Lan

DOI: https://doi.org/10.48550/arXiv.1803.06103

2018-03-16

Software Engineering

Abstract:The software development for Cyber-Physical Systems (CPS), e.g., autonomous vehicles, requires both functional and non-functional quality assurance to guarantee that the CPS operates safely and effectively. EAST-ADL is a domain specific architectural language dedicated to safety-critical automotive embedded system design. We have previously modified EAST-ADL to include energy constraints and transformed energy-aware real-time (ERT) behaviors modeled in EAST-ADL/STATEFLOW into UPPAAL models amenable to formal verification. Previous work is extended in this paper by including support for SIMULINK and an integration of Simulink/Stateflow within a same tool-chain. Simulink/Stateflow models are transformed, based on extended ERT constraints in EAST-ADL, into verifiable UPPAAL models with stochastic semantics and integrate the translation with formal statistical analysis techniques: Probabilistic extension of EAST-ADL constraints is defined as a semantics denotation. A set of mapping rules is proposed to facilitate the guarantee of translation. Formal analysis on both functional- and non-functional properties is performed using SIMULINK DESIGN VERIFIER/UPPAAL-SMC. The analysis techniques are validated and demonstrated on the autonomous traffic sign recognition vehicle case study.

GQ Yang,MD Zhao,L Wang,ZH Wu

DOI: https://doi.org/10.1109/icess.2005.70

2005-01-01

Abstract:Model-based approaches are gradually applied in embedded system design with Unified Modeling Language (UML) and its profiles, but in terms of automotive electronics domain, few developers adopt UML to design system models because of inadequate tools that support the domain-specific modeling. This paper puts forward a model-based approach for automobile electronics software design and verification with a dependable platform compliant with OSEK/VDX standard. In addition, a case study is presented to demonstrate the application of the approach. The contribution of the approach is threefold. First, the approach applies the theory of model-based design with OSEK/VDX standard in automotive electronics domain. Second, the approach solves the transformation between UML models and OSEK/VDX models through an efficient method. Third, the approach simulates the system models and provides the designer with the results to optimize the design at design-level.