Publications (218)
Graphical models in probability and statistics are a core concept in the area of probabilistic reasoning and probabilistic programming—graphical models include Bayesian networks and factor graphs. For modeling and formal verification of probabilistic systems, probabilistic automata were introduced. This paper proposes a coherent suite of models con...
A key feature of the Modelica language is its object-oriented nature: components are instances of classes and they can aggregate other components, so that extremely large models can be efficiently designed as "trees of components". However, the structural analysis of Modelica models, a necessary step for generating simulation code, often relies o...
Deriving system-level specifications from component specifications usually involves the elimination of variables that are not part of the interface of the top-level system. This paper presents algorithms for eliminating variables from formulas by computing refinements or relaxations of these formulas in a context. We discuss a connection between th...
Contract-based design is a method to facilitate modular system design. While there has been substantial progress on the theory of contracts, there has been less progress on scalable algorithms for the algebraic operations in this theory. In this paper, we present: 1) principles to implement a contract-based design tool at scale and 2) Pacti, a tool...
Tom Henzinger was among the co-founders of the paradigm of hybrid automata in 1992. Hybrid automata possess different locations, holding different ODE-based dynamics; exit conditions from a location trigger transitions, resulting in starting conditions for the next location. A large research activity was developed in the formal verification of hybr...
de Alfaro and Henzinger’s interface automata brought renewed vigor to the tasks of specifying software formally and reasoning about systems compositionally. The key ingredients to this approach were the separation of concerns between environment and implementation, a light-weight behavioral interface that enabled more comprehensive compatibility ch...
Since its 3.3 release, Modelica offers the possibility to specify models of dynamical systems with multiple modes having different DAE-based dynamics. However, the handling of such models by the current Modelica tools is not satisfactory, with mathematically sound models yielding exceptions at runtime. In this article, we propose several contributi...
Contract theories have been proposed to formally support distributed and decentralized system design while ensuring safe system integration. We propose hypercontracts, a general model with a richer structure for its underlying model of components, subsuming simulation preorders. While general, the new model provides a richer algebra for its notions...
Graphical models in probability and statistics are a core concept in the area of probabilistic reasoning and probabilistic programming-graphical models include Bayesian networks and factor graphs. In this paper we develop a new model of mixed (nondeterministic/probabilistic) automata that subsumes both nondeterministic automata and graphical probab...
Since its version 3.3, the Modelica language offers the possibility to model multimode systems having different DAE-based dynamics in each mode, thanks to the introduction of state machines. When the differentiation index and structure varies with mode changes, compilers generate erroneous simulation code, often resulting in runtime exceptions. We...
Since its 3.3 release, Modelica offers the possibility to specify models of dynamical systems with multiple modes having different DAE-based dynamics. However, the handling of mode changes by the current Modelica tools is not satisfactory. An important difficulty is the occurrence of impulsive behavior at some mode changes, for some variables. In t...
Since its 3.3 release, Modelica offers the possibility to specify models of dynamical systems with multiple modes having different DAE-based dynamics. However, the handling of such models by the current Modelica tools is not satisfactory, with mathematically sound models yielding exceptions at runtime. In this article, we propose a systematic way o...
Since its version 3.3, the Modelica language offers the possibility to model multimode systems having different DAE-based dynamics in each mode, thanks to the introduction of state machines. When the differentiation index and structure varies with mode changes, compilers generate erroneous simulation code, often resulting in runtime exceptions. We...
Contracts (or interface) theories have been proposed to formally support distributed and decentralized system design while ensuring safe system integration. Over the last decades, a number of formalisms were proposed, sometimes very different in their form and algebra. This motivated the quest for a unification by some authors, e.g., specifications...
Modern modeling languages for general physical systems, such as Modelica, Amesim, or Simscape, rely on Differential Algebraic Equations (DAEs), i.e., constraints of the form f(\dot{x},x,u)=0. This drastically facilitates modeling from first principles of the physics, as well as model reuse. In recent works [RR9334], we presented the mathematical th...
Modern modeling languages for general physical systems, such as Modelica, Amesim, or Simscape, rely on Differential Algebraic Equations (DAEs), i.e., constraints of the form f(x′,x,u)=0. This drastically facilitates modeling from first principles of the physics, as well as the reuse of models. In this paper, we develop the mathematical theory neede...
Interface theories are powerful frameworks supporting incremental and compositional design of systems through refinements and constructs for conjunction, and parallel composition. In this report we present a first Interface Theory -- Modal Mixed Interfaces -- for systems exhibiting both non-determinism and randomness in their behaviour. The associa...
Modern modeling languages for general physical systems, such as Modelica, Amesim, or Simscape, rely on Differential Algebraic Equations (DAE), i.e., constraints of the form f(\dot{x},x,u)=0. This drastically facilitates modeling from first principles of the physics and the reuse of models. In this paper we develop the mathematical theory needed to e...
Hybrid systems modeling languages that mix discrete and continuous time signals and systems are widely used to develop cyber-physical systems where control software interacts with physical devices. Compilers play a central role, statically checking source models, generating intermediate representations for testing and verification, and producing se...
Recently, contract-based design has been proposed as an “orthogonal” approach that complements system design methodologies proposed so far to cope with the complexity of system design. Contract-based design provides a rigorous scaffolding for verification, analysis, abstraction/refinement, and even synthesis. Several results have been obtained in t...
Explicit hybrid systems modelers like Simulink/Stateflow allow for programming both discrete- and continuous-time behaviors with complex interactions between them. An important step in their compilation is the static detection of algebraic or causality loops. Such loops can cause simulations to deadlock and prevent the generation of statically sche...
In this short note, we establish a link between the theory of Moore Interfaces proposed in 2002 by Chakraborty et al. as a specification framework for synchronous transition systems, and the Assume/Guarantee contracts as proposed in 2007 by Benveniste et al. as a simple and flexible contract framework. As our main result we show that the operation...
In this short note, we establish a link between the theory of Moore Interfaces proposed in 2002 by Chakraborty et al. as a specification framework for synchronous transition systems, and the Assume/Guarantee contracts as proposed in 2007 by Benveniste et al. as a simple and flexible contract framework. As our main result we show that the operation...
Differential Algebraic Equation (DAE) systems constitute the mathematical model supporting physical modeling languages such as Modelica, VHDL-AMS, or Simscape. Unlike ODEs, they exhibit subtle issues because of their implicit latent equations and related differentiation index. Multi-mode DAE (mDAE) systems are much harder to deal with, not only bec...
Loosely Time-Triggered Architectures (LTTAs) are a proposal for constructing distributed embedded control systems. They build on the quasi-periodic architecture, where computing units execute nearly periodically, by adding a thin layer of middleware that facilitates the implementation of synchronous applications. In this article, we show how the de...
In this paper we propose a framework of Assume / Guarantee contracts for schedulability analysis. Unlike previous work addressing compositional scheduling analysis, our objective is to provide support for the OEM/ supplier subcontracting relation. The adaptation of Assume / Guarantee contracts to schedulability analysis requires some care, due to t...
Aircrafts, trains, cars, plants, distributed telecommunication military or health care systems, and more, involve systems design as a critical step. Complexity has caused system design times and costs to go severely over budget so as to threaten the health of entire industrial sectors. Heuristic methods and standard practices do not seem to scale with...
Recently, contract based design has been proposed as an "orthogonal" approach that can be applied to all methodologies proposed so far to cope with the complexity of system design. Contract based design provides a rigorous scaffolding for verification, analysis and abstraction/refinement. Companion report RR-8759 proposes a unified treatment of the to...
Hybrid systems modelers exhibit a number of difficulties related to the mix of continuous and discrete dynamics and sensitivity to the discretization scheme. Modular modeling, where subsystems models can be simply assembled with no rework, calls for using Differential Algebraic Equations (DAE). In turn, DAE are strictly more difficult than ODE. In mos...
A foreword to the contributed papers on Branching cells for asymmetric event structures and Application of branching cells to the QoS aware management of composite services.
By allowing service calls to be guarded by contexts, Asymmetric Event Structures (AES for short) and contextual nets are a convenient framework to model composite Web services or service orchestrations. We equip AES with QoS domains as a framework to capture a number of QoS metrics and their combination. We use the resulting model to formalize QoS-...
Explicit hybrid systems modelers like Simulink/Stateflow allow for programming both discrete- and continuous-time behaviors with complex interactions between them. A key issue in their compilation is the static detection of algebraic or causality loops. Such loops can cause simulations to deadlock and prevent the generation of statically scheduled...
This paper proposes an efficient approach to model stochastic hybrid systems and to implement Monte Carlo simulation for such models, thus allowing the calculation of various probabilistic indicators: reliability, availability, average production, life cycle cost etc. Stochastic hybrid systems can be considered, most of the time, as Piecewise Dete...
We address the problem of alarm correlation in large distributed systems. The key idea is to make use of the concurrence of events in order to separate and simplify the state estimation in a faulty system. Petri nets and their causality semantics are used to model concurrency. Special partially stochastic Petri nets are developed, that establish so...
We study QoS-aware management of service orchestrations, specifically for orchestrations having a data-dependent workflow. Our study supports multi-dimensional QoS. To capture uncertainty in performance and QoS, we provide support for probabilistic QoS. Under the above assumptions, orchestrations may be non-monotonic with respect to QoS, meaning th...
Contract-based design has been recently proposed as a framework for concurrent system design in the context of complex supplier chains, where sub-system design can be sub-contracted to suppliers while guaranteeing correct system integration. A unifying meta-theory of contracts was proposed in [Benveniste et al. 2012], which subsumes known framework...
By allowing service calls to be guarded by contexts, Asymmetric Event Structures (AES for short) and contextual nets are a convenient framework to model composite Web services or service orchestrations. We equip AES with QoS domains as a framework to capture a number of QoS metrics and their combination. We use the resulting model to formalize QoS-...
Deliverable D.4.1.1 of the ITEA2 Modrio collaborative project
Systems design has become a key challenge and differentiating factor over the last decades for system companies. Aircrafts, trains, cars, plants, distributed telecommunication military or health care systems, and more, involve systems design as a critical step. Complexity has caused system design times and costs to go severely over budget so as to...
This session is dedicated to Paul Caspi. It is made of five talks, each of them addressing one aspect of Paul Caspi's contributions to the development of safe embedded software and systems: synchronous languages and models, the implementation of synchronous languages, the relation between functional and synchronous languages, the relation between c...
Service Level Agreements (SLAs) have been proposed in the context of web services to maintain acceptable quality of service (QoS) performance. This is specially crucial for composite service orchestrations that invoke many atomic services to render functionality. A consequence of SLA management entails efficient negotiation protocols among orchestr...
Hybrid system modelers have become a corner stone of complex embedded system development. Embedded systems include not only control components and software, but also physical devices. In this area, Simulink is a de facto standard design framework, and Modelica a new player. However, such tools raise several issues related to the lack of reproducibi...
In this paper, the authors develop a comprehensive framework for QoS management based on soft probabilistic contracts. The authors approach also encompasses general QoS parameters, with “response time” as a particular case. In addition, the authors support composite QoS parameters, for example, combining timing aspects with “quality of data” or sec...
Web services orchestrations conventionally employ exhaustive comparison of runtime quality of service (QoS) metrics for decision making. The ability to incorporate more complex mathematical packages are needed, especially in case of workflows for resource allocation and queuing systems. By modeling such optimization routines as service calls within...
Micro-electro-mechanical systems (MEMS) have brought both opportunities and challenges to the field of structural dynamics in a different scale, owing primarily to its interdisciplinary nature of research and extremely small feature size. An application of the MEMS is to detect a target mass particle attached eccentrically to a microcantilever...
In this paper we survey our results on model validation, change detection, and diagnosis, based on the local approach. We see this work as a counterpart of the central contribution by Lennart Ljung to a systematic approach to system identification. We reuse concepts brought by Lennart such as: model set, true system model, identification method,...
Before using a service in a composite framework, designers must ensure that it is compatible with the needs of the application. The inputs and outputs must comply with the intended ranges of data in the composite framework, and the service must eventually return a value. This paper addresses compatibility for modules described with document-based w...
Online services encapsulate enterprises, people, software systems and often operate in poorly understood environments. Using such services in tandem to predictably orchestrate a complex task is one of the principal challenges of service-oriented computing. A composite service orchestration soliciting multiple atomic services is plagued by a number...
Hybrid modelers such as Simulink have become corner stones of embedded systems development. They allow both discrete controllers and their continuous environments to be expressed in a single language. Despite the availability of such tools, there remain a number of issues related to the lack of reproducibility of simulations and to the separation o...
Cyber-Physical Systems require distributed architectures to support safety critical real-time control. Kopetz' Time-Triggered Architectures (TTA) have been proposed as both an architecture and a comprehensive paradigm for systems architecture, for such systems. To relax the strict requirements on synchronization imposed by TTA, Loosely Time-Trigger...
The ever-growing choice in diverse services is making service orchestration variability an essential aspect of a composite web service. Influence of this variation on the Quality of Service (QoS) of a composite service is critical and the focus of our work. In this paper, we present a methodology to first model orchestration variability using a fea...
In this paper, the authors develop a comprehensive framework for QoS management based on soft probabilistic contracts. The authors approach also encompasses general QoS parameters, with "response time" as a particular case. In addition, the authors support composite QoS parameters, for example, combining timing aspects with "quality of data" or sec...
In this paper we extend our previous work on soft probabilistic contracts for QoS management, from the particular case of "response time", to general QoS parameters. Our study covers composite QoS parameters dealing not only with time aspects but also with quality of data. We also study contract composition (how to derive QoS contracts for an orche...
Web Service orchestrations are compositions of different Web Services to form a new service. The services called during the orchestration guarantee a given Quality of Service (QoS) to the orchestrator, usually in the form of contracts. These contracts can then be used by the orchestrator to deduce the contract it can offer to its own clients, by pe...
Web services are software applications that are published over the Web, and can be searched and invoked by other programs. New Web services can be formed by composing elementary services; such composite services are called Web service orchestrations. Quality of Service (QoS) issues for Web service orchestrations deeply differ from correspo...
This paper aims to simplify recent efforts proposed by the Berkeley school in giving a formal semantics to the Ptolemy toolbox. We achieve this by developing a simple and elegant functional theory of deterministic tag systems that is a generalisation of Kahn Process Network theory (KPN). Our theory extends KPN by encompassing networks of processes...
We extend previous constructions of probabilities for a prime event structure E by allowing arbitrary confusion. Our study builds on results related to fairness in event structures that are of interest per se. Executions of E are captured by the set Ω of maximal configurations. We show that the information collected by observing only fair execution...
Guarded Active XML (GAXML) was proposed by Abiteboul, Segoufin, and Vianu, as a high-level specification language tailored for data-intensive, distributed, dynamic Web services. GAXML consists in XML documents with embedded guarded service calls, thus allowing for the definition of control flows in documents. In this paper we enhance GAXML with the...
While extensive foundational work exist for the functional aspects of Web service orchestrations, very little exists regarding the foundations of Service Level Agreements (SLA), Service Level Specifications (SLS), and more generally Quality of service (QoS) issues. In this paper we develop a comprehensive theory of QoS for Web service Orchestration...
Synchronous systems offer a clean semantics and an easy verification path at the expense of often inefficient implementations. Capturing design specifications as synchronous models and then implementing the specifications in a less restrictive platform allow to address a much larger design space. The key issue in this approach is maintaining semant...
Web services orchestrations and choreographies require establishing Quality of Service (QoS) contracts with the user. This is achieved by performing QoS composition, based on contracts established between the orchestration and the called Web services. These contracts are typically stated in the form of hard guarantees (e.g., response time always le...
We present a compositional theory of heterogeneous reactive systems. The approach is based on the concept of tags marking the events of the signals of a system. Tags can be used for multiple purposes from indexing evolution in time (time stamping) to expressing relations among signals, like coordination (e.g., synchrony and asynchrony) and causal d...
Web Service orchestrations are compositions of different Web Services to form a new service. The services called during the orchestration guarantee a given performance to the orchestrater, usually in the form of contracts. These contracts can be used by the orchestrater to deduce the contract it can offer to its own clients, by performing contract...
We introduce the model of Markov nets, a probabilistic extension of safe Petri nets under the true-concurrency semantics. This means that traces, not firing sequences, are given a probability. This model builds upon our previous work on probabilistic event structures. We use the notion of branching cell for event structures and show that the latter...
We present a compositional theory of heterogeneous reactive systems. The approach is based on the concept of tags marking the events of the signals of a system. Tags can be used for multiple purposes from indexing evolution in time (time stamping) to expressing relations among signals like coordination (e.g., synchrony and asynchrony), and causal d...
Synchronous systems offer a clean semantics and an easy verification path at the expense of often inefficient implementations. Capturing design specifications as synchronous models and then implementing the specifications in a less restrictive platform allow to address a much larger design space. The key issue in this approach is maintaining semant...
In this paper we consider loosely time-triggered architectures (LTTA) as a networked infrastructure for deploying discrete control. LTTA are distributed architectures in which 1/ each computing unit is triggered by its own local clock, 2/ the local clocks are not synchronized, and 3/ communication is by the following principle: each communication l...
One challenge in developing wide-area distributed applications is analyzing the system's non-functional properties, including timing constraints and internal dependencies that can affect quality of service. Analysis of non-functional properties requires a precise formal semantics for the language in which the system is written; but labelled transit...
Monitoring or diagnosis of large scale distributed Discrete Event Systems with asynchronous communication is a demanding task. Ensuring that the methods developed for Discrete Event Systems properly scale up to such systems is a challenge. In this paper we explain why the use of partial orders cannot be avoided in order to achieve this o...
We address the problem of mapping a set of processes which communicate synchronously on a distributed platform. The Time Triggered Architecture (TTA) proposed by Kopetz for the communication mechanism of a distributed platform offers a direct mapping that would preserve the semantics of the specification. However, its exact implementation may, at...
We study the synchronization of two discrete Markov chains that share common states. Markov chains define transition systems, and we consider the synchronization product of these from the partial orders viewpoint. We propose a randomization of the new, concurrent system. The random concurrent system we construct has two key properties: first it is...
We study the logic and synchronization characteristics of general dynamical systems called Hybrid Dynamical Systems. Our theory generalizes the notion of Discrete Event Dynamical Systems by handling numerics as well as symbolics. Our theory is supported by the programming language SIGNAL and a mathematical model of relational style. This framework...