No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
The SynchAADL2Maude tool
Abstract
SynchAADL2Maude is an Eclipse plug-in that uses Real-Time Maude to simulate and model check Synchronous AADL models. Synchronous AADL is a variant of the industrial modeling standard AADL that supports the modeling of synchronous embedded systems. In particular, Synchronous AADL can be used to define in AADL the synchronous models in the PALS methodology, in which the very hard tasks of modeling and verifying an asynchronous distributed real-time system that should be virtually synchronous can be reduced to the much simpler tasks of modeling and verifying the underlying synchronous design.
... It is avail- Fig. 12 Ocarina-CADP tool-chain able with both academic and commercial licenses. 6 In addition to LNT, it supports many other input languages such as LOTOS, FSP and EXP. It also provides a scripting language SVL (Script Verification Language) [20] for the description of analysis scenarios. ...
... Another work [46] uses a formal real-time rewriting logic semantics, Real-Time Maude to transform an AADL subset with its Behavior annex to an executable semantics with the Real-Time Maude platform (an AADL simulator and LTL model checker). In addition, authors in [4][5][6] are motivated by the PALS pattern that reduces the design and verification of an asynchronous system with its synchronous version. They define a Synchronous AADL sub-language and provide its formal semantics in Real-Time Maude. ...
Formal methods have become a recommended practice in safety-critical software engineering. To be formally verified, a system should be specified with a specific formalism such as Petri nets, automata and process algebras, which requires a formal expertise and may become complex especially with large systems. In this paper, we report our experience in the formal verification of safety-critical real-time systems. We propose a formal mapping for a real-time task model using the LNT language, and we describe how it is used for the integration of a formal verification phase in an AADL model-based
development process. We focus on real-time systems with event-driven tasks, asynchronous communication and preemptive fixed-priority scheduling. We provide a complete tool-chain for the automatic model transformation and formal verification
of AADL models. Experimentation illustrates our results with the Flight control system and Line follower robot case studies.
... Synchronous AADL [8,12,11,28] employs a relatively simple synchronous semantics: all components operate in lockstep, based on inputs from the previous round, and in each iteration, every component is triggered exactly once and does not trigger other actions that must be executed "at the same time." Furthermore, different components do not share variables in Synchronous AADL. ...
In this paper we formalize in rewriting logic the intended discrete-event semantics of the Lingua Franca coordination language for cyber-physical systems in the simplified setting where each reaction has exactly one trigger. We then show how such Lingua Franca models can be simulated and model checked using Maude, and provide functionality that should make the formal analysis easy to perform also for the Maude non-expert. We illustrate such Maude verification on a number of existing Lingua Franca models, including of a car driver assistance system and of train door controllers. To the best of our knowledge, this is the first verification framework for Lingua Franca that captures the intended semantics of the language, and which therefore provides correct (and state-space efficient) model checking analysis for Lingua Franca.
... Synchronous AADL [33,49] and its multi-rate extension [32] support the modeling and analysis of synchronous PALS models of virtually synchronous distributed real-time systems without continuous behaviors in AADL. Since the time when an event takes place can be abstracted away, there is no need to consider clock skews, and any (sufficiently expres- In contrast, HybridSynchAADL must model continuous behaviors and clock skews and must analyze all possible behaviors based on when the continuous components are sampled and actuated, which depend on the imprecise local clocks. ...
This paper presents the HybridSynchAADL modeling language and formal analysis tool for virtually synchronous cyber-physical systems with complex control programs, continuous behaviors, and bounded clock skews, network delays, and execution times. We leverage the Hybrid PALS methodology, so that it is sufficient to model and verify the much simpler underlying synchronous designs. We define the HybridSynchAADL language as a sublanguage of the avionics modeling standard AADL for modeling such synchronous designs in AADL. We define the formal semantics of HybridSynchAADL using Maude with SMT solving, which allows us to represent advanced control programs and communication features in Maude, while capturing timing uncertainties and continuous behaviors symbolically with SMT solving. We have developed new general methods for optimizing the performance of such symbolic rewriting, which makes the analysis of HybridSynchAADL models feasible. We have integrated the formal modeling and analysis of HybridSynchAADL models into the OSATE tool environment for AADL. Finally, we demonstrate the effectiveness of the Hybrid PALS methodology and HybridSynchAADL on a number of applications, including autonomous drones that collaborate to achieve common goals, and compare the performance of our tool with other state-of-the-art formal tools for hybrid systems.
... Our tool extends the SynchAADL tool [7,9,10] for distributed real-time systems without continuous behaviors, where the time when an event takes place can be abstracted away, so there is no need to consider clock skews, and any (sufficiently expressive) explicit-state model checker can be applied. In contrast, HybridSynchAADL must model continuous behaviors and clock skews, and must analyze all possible behaviors based on when the continuous components are sampled and actuated, which depend on the imprecise local clocks. ...
We present the HYBRIDSYNCHAADL modeling language and formal analysis tool for virtually synchronous cyber-physical systems with complex control programs, continuous behaviors, bounded clock skews, network delays, and execution times. We leverage the Hybrid PALS equivalence, so that it is sufficient to model and verify the simpler underlying synchronous designs. We define the HYBRIDSYNCHAADL language as a sublanguage of the avionics modeling standard AADL for modeling such designs in AADL, and demonstrate the effectiveness of HYBRIDSYNCHAADL on a number of applications.
... A third example, also for embedded software components, but with emphasis on safety-critical systems, is given in [65], where an object-based, formal semantics of a behavioral subset of AADL in RTM is used as a formal analysis back-end for AADL specifications. This last work has been extended in [8,10] to handle synchronous AADL models. For a recent survey of these and several other examples, the reader is referred to [54]. ...
The Orc calculus is a simple, yet powerful theory of concurrent computations with great versatility and practical applicability to a very wide range of applications, as it has been amply demonstrated by the Orc language, which extends the Orc calculus with powerful programming constructs that can be desugared into the underlying formal calculus. This means that for: (i) theoretical, (ii) program verification, and (iii) language implementation reasons, the formal semantics of Orc is of great importance. Furthermore, having a semantics of Orc that is executable is essential to provide: (i) a formally-defined interpreter against which language implementations can be validated, and (ii) a (semi-)automatic way of generating a wide range of semantics-based program verification tools, including model checkers and theorem provers.
Many cyber-physical systems (CPSs)-such as aircrafts, cars, robots, and manufacturing plants-have synchronous designs and are realized on platforms with bounded network delays and clock skews. This paper summarizes how we have: (i) defined modeling languages for synchronous CPS designs in the embedded systems modeling standard AADL, and (ii) integrated Maude-based formal model checking ("push-button") analysis of such AADL synchronous designs into the OSATE tool environment for AADL. This enables a "formal model engineering" approach which combines the convenience of domain-specific modeling with automatic "under-thehood" formal analysis. Furthermore, by the PALS synchronizers, the correctness of such synchronous designs implies the correctness of the much more complex and harder-to-analyze asynchronous implementations, greatly simplifying the task of designing and analyzing "virtually synchronous" CPSs.
A promising way of integrating formal methods into industrial system design is to endow industrial modeling tools with automatic formal analyses. In this paper we identify some challenges for providing such formal methods “backends” for cyber-physical systems (CPSs), and argue that Maude could meet these challenges. We then give an overview of our research on integrating Maude analysis into the OSATE tool environment for the industrial CPS modeling standard AADL.
Since many critical distributed CPSs are “logically synchronous,” a key feature making automatic formal analysis practical is the use of synchronizers for CPSs. We identify a sublanguage of AADL to describe synchronous CPS designs. We can then use Maude to effectively verify such synchronous designs, which under certain conditions also verifies the corresponding asynchronous distributed systems, with clock skews and communication delays. We then explain how we have extended our methods to multirate systems and to CPSs with continuous behaviors.
We illustrate the effectiveness of Maude-based formal model engineering of industrial CPSs on avionics control systems and collections of drones. Finally, we identify future directions in this line of research.
Many collective adaptive systems consist of distributed nodes that communicate with each other and with their physical environments, but that logically should operate in a synchronous way. HybridSynchAADL is a recent modeling language and formal analysis tool for such virtually synchronous cyber-physical systems (CPSs). HybridSynchAADL uses the Hybrid PALS equivalence to reduce the hard problem of designing and verifying virtually synchronous CPSs—with network delays, asynchronous communication, imprecise local clocks, continuous dynamics, etc.—to the much easier tasks of designing and verifying their underlying synchronous designs. Up to now HybridSynchAADL has lacked important programming language features, such as compound data types and user-defined functions, which made it difficult to model advanced control logics of collective adaptive systems. In this paper, we extend the HybridSynchAADL language, its formal semantics, and its analysis tool to support these programming language features. We apply our extension of HybridSynchAADL to design and analyze a collection of collaborating autonomous drones that adapt to their environments.
Multirate PALS reduces the design and verification of a virtually synchronous distributed real-time system to the design and verification of the underlying synchronous model. This paper introduces Hybrid Multirate PALS, which extends Multirate PALS to virtually synchronous distributed multirate hybrid systems, such as aircraft and power plant control systems. Such a system may have interrelated local physical environments, each of whose continuous behaviors may periodically change due to actuator commands. We define continuous interrelated local physical environments, and the synchronous and asynchronous Hybrid Multirate PALS models, and give a trace equivalence result relating a synchronous and an asynchronous model. Finally, we illustrate by an example how invariants can be verified using SMT solving.
Many cyber-physical systems are hierarchical distributed control systems whose components operate with different rates, and that should behave in a virtually synchronous way. Designing such systems is hard due to asynchrony, skews of the local clocks, and network delays; furthermore, their model checking is typically unfeasible due to state space explosion. Multirate PALS reduces the problem of designing and verifying virtually synchronous multirate systems to the much simpler tasks of specifying and verifying their underlying synchronous design. To make the Multirate PALS design and verification methodology available within an industrial modeling environment, we define in this paper the modeling language Multirate Synchronous AADL, which can be used to specify multirate synchronous designs using the AADL modeling standard. We then define the formal semantics of Multirate Synchronous AADL in Real-Time Maude, and integrate Real-Time Maude verification into the OSATE tool environment for AADL. Finally, we show how an algorithm for smoothly turning an airplane can be modeled and analyzed using Multirate Synchronous AADL.
Real-Time Maude extends the rewriting-logic-based Maude system to support the executable formal modeling and analysis of real-time systems. Real-Time Maude is characterized by its general and expressive, yet intuitive, specification formalism, and offers a spectrum of formal analysis methods, including: rewriting for simulation purposes, search for reachability analysis, and both untimed and metric temporal logic model checking. Real-Time Maude is particularly suitable for specifying real-time systems in an object-oriented style, and its flexible formalism makes it easy to model different forms of communication.
This modeling flexibility, and the usefulness of both Real-Time Maude simulation and model checking, has been demonstrated in many advanced state-of-the-art applications, including both distributed protocols of different kinds and industrial embedded systems. Furthermore, Real-Time Maude’s expressiveness has also been exploited to define the formal semantics of a number of modeling languages for real-time/embedded systems. Real-Time Maude thereby provides formal analysis for these languages for free, and such analysis has been integrated into the tool environment of a number of modeling languages.
This paper gives an informal overview of Real-Time Maude and some of its applications.
AADL (Architectural Analysis and Design Language) can describe the architecture of an embedded control system at various levels of abstraction. In addition, AADL supports refinement mechanisms for refining abstract models to more detailed ones. However, the refinement mechanism in AADL is of informal nature. Event-B is an independent formal modelling notation for rigorous development of software systems. In Event-B, consistency of a model and refinement relationship can be formally verified. In this paper, we consider a meaningful subset of AADL, and give its semantics in terms of refinement and model decomposition mechanism of Event-B. An AADL model at any level of abstraction can be mapped to an Event-B model, and in the process, the informal refinement relationship between AADL models can be formalized in Event-B. In addition, the decomposition of a component into sub-components can be mapped to Event-B decomposition. We discuss our approach by referring to the case study of a simplified Cruise Controller.
In this paper we show that the satisfaction of timed CTL (TCTL) formulas under the natural continuous semantics for both discrete-time and dense-time timed Kripke structures can be reduced to a model-checking problem in the pointwise semantics for a large class of timed Kripke structures, which includes many discrete-event systems. We then present a TCTL model checking algorithm for the pointwise case. An important consequence of our results is that they together describe a sound and complete TCTL model checking procedure for time-robust real-time rewrite theories also for dense time domains. We have implemented such a TCTL model checker for Real-Time Maude. Our model checker provides for free a sound and complete TCTL model checker for subsets of modeling languages, such as Ptolemy II and (Synchronous) AADL, which have Real-Time Maude analysis integrated into their tool environments.
This paper describes a recent timed CTL (TCTL) model checker for real-time Maude. Our model checker is sound and complete for large classes of systems for which there were previously no TCTL model checkers. Furthermore, since real-time Maude also provides a formal analysis back-end to a number of modeling languages, our model checker also equips such languages with a TCTL model checker for free.
This bibliography compiles, to the best of our knowledge, all the papers on rewriting logic and its applications which have been written during the more than 20 years that have passed since the introduction of rewriting logic in 1990. The papers are classified according to five main areas: foundations, logical and semantic framework, languages, tools, and applications.
Distributed Real-Time Systems (DRTS), such as avionics systems and distributed control systems in motor vehicles, are very hard to design because of asynchronous communication, network delays, and clock skews. Furthermore, their model checking problem typically becomes unfeasible due to the large state spaces caused by the interleavings. For many DRTSs, we can use the PALS methodology to reduce the problem of designing and verifying asynchronous DRTSs to the much simpler task of designing and verifying their synchronous versions. AADL is an industrial modeling standard for avionics and automotive systems. We define in this paper the Synchronous AADL language for modeling synchronous real-time systems in AADL, and provide a formal semantics for Synchronous AADL in Real-Time Maude. We have integrated into the OSATE modeling environment for AADL a plug-in which allows us to model check Synchronous AADL models in Real-Time Maude within OSATE. We exemplify such verification on an avionics system, whose Synchronous AADL design can be model checked in less than 10 seconds, but whose asynchronous design cannot be feasibly model checked.
At present, designers of real-time systems face a dilemma between expressiveness and automatic verification: if they can specify some aspects of their system in some automaton-based formalism, then automatic verification is possible; but more com- plex system components may be hard or impossible to express in such decidable formalisms. These more complex components may still be simulated; but there is then little support for their formal analysis. The main goal of Real-Time Maude is to provide a way out of this dilemma, while complementing both decision pro- cedures and simulation tools. Real-Time Maude emphasizes ease and generality of specification, including support for distributed real-time object-based systems. Because of its generality, falling outside of decidable system classes, the formal anal- yses supported—including symbolic simulation, breadth-first search for failures of safety properties, and model checking of time-bounded temporal logic properties— are in general incomplete (although they are complete for discrete time). These analysis techniques have been shown useful in finding subtle bugs of complex sys- tems, clearly outside the scope of current decision procedures. This paper describes both the semantics of Real-Time Maude specifications, and of the formal analyses supported by the tool. It also explains the tool's pragmatics, both in the use of its features, and in its application to concrete examples.
Many avionics systems must be implemented as redundant, distributed systems in order to provide the necessary level of fault tolerance. To correctly perform their function, the individual nodes of these systems must agree on some part of the global system state. Developing protocols to achieve this agreement is greatly simplified if the nodes execute synchronously relative to each other, but many Integrated Modular Avionics architectures assume nodes will execute asynchronously. This paper presents a simple design pattern, Physically Asynchronous/Logically Synchronous (PALS), that allows developers to design and verify a distributed, redundant system as though all nodes execute synchronously. This synchronous design can then be distributed over a physically asynchronous architecture in such a way that the logical correctness of the design is preserved. Use of this complexity reducing design pattern greatly simplifies the development and verification of fault tolerant distributed applications, ensures optimal system performance, and provides a standard argument for system certification.
Many Distributed Real-Time Systems (DRTSs), such as integrated modular avionics systems and distributed control systems in motor vehicles, are made up of a collection of components communicating asynchronously among themselves and with their environment that must change their state and respond to environment inputs within hard real-time bounds. Such systems are often safety-critical and need to be certified; but their certification is currently hard due to their distributed nature. The Physically Asynchronous Logically Synchronous (PALS) architectural pattern can greatly reduce the design and verification complexities of achieving virtual synchrony in a DRTS. This work presents a formal specification of PALS as a formal model transformation that maps a synchronous design, together with a set of performance bounds of the underlying infrastructure, to a formal DRTS specification that is semantically equivalent to the synchronous design. This semantic equivalence is proved, showing that the formal verification of temporal logic properties of the DRTS in CTL∗ can be reduced to their verification on the much simpler synchronous design. An avionics system case study is used to illustrate the usefulness of PALS for formal verification purposes.
The time-triggered architecture (TTA) provides a computing infrastructure for the design and implementation of dependable distributed embedded systems. A large real-time application is decomposed into nearly autonomous clusters and nodes, and a fault-tolerant global time base of known precision is generated at every node. In the TTA, this global time is used to precisely specify the interfaces among the nodes, to simplify the communication and agreement protocols, to perform prompt error detection, and to guarantee the timeliness of real-time applications. The TTA supports a two-phased design methodology, architecture design, and component design. During the architecture design phase, the interactions among the distributed components and the interfaces of the components are fully specified in the value domain and in the temporal domain. In the succeeding component implementation phase, the components are built, taking these interface specifications as constraints. This two-phased design methodology is a prerequisite for the composability of applications implemented in the TTA and for the reuse of prevalidated components within the TTA. This paper presents the architecture model of the TTA, explains the design rationale, discusses the time-triggered communication protocols TTP/C and TTP/A, and illustrates how transparent fault tolerance can be implemented in the TTA.
- Sae Aadl Team
SAE AADL Team: AADL homepage (2009), http://www.aadl.info/
Synchronous AADL and Its Formal Analysis in Real-Time Maude
- K Bae
- P C Ölveczky
- A Al-Nayeem
- J Meseguer
Bae, K.,Ölveczky, P.C., Al-Nayeem, A., Meseguer, J.: Synchronous AADL and Its
Formal Analysis in Real-Time Maude. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011.
LNCS, vol. 6991, pp. 651-667. Springer, Heidelberg (2011)
Formalization and Correctness of the PALS Architectural Pattern for Distributed Real-Time Systems
- J Meseguer
- P C Ölveczky
Meseguer, J.,Ölveczky, P.C.: Formalization and Correctness of the PALS Architectural Pattern for Distributed Real-Time Systems. In: Dong, J.S., Zhu, H. (eds.)
ICFEM 2010. LNCS, vol. 6447, pp. 303-320. Springer, Heidelberg (2010)