Lean Model-Driven Development through Model-Interpretation: the CPAL design flow
1 like392 views
CPAL is a specialized programming language for developing and simulating embedded systems, addressing limitations in general-purpose languages regarding timing, scheduling, and real-time execution. It enables model-driven development, integrating both functional and non-functional concerns while aiming for improved productivity and quality in software development. The language supports intuitive finite state machine designs and is designed for various use cases, ranging from automotive systems to UAV applications.
![www.designcps.com 2
Amount of software is growing
exponentially – what about
productivity gains in software
development ?
Software has become the key to innovation
Software is disrupting complete
industries
Every company has to learn to
become a software company
Model-Driven Development is certainly
a powerful enabler but ..
Programming environments still lack
the high-level concepts: embedded
system specific language abstractions
automation features ("state the what,
not the how") that would make them
more productive
Innovation increasingly relies on
software
[inspired from posts at http://www.theenterprisearchitect.eu/]](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-2-320.jpg)
![www.designcps.com 4
5-steps of MBD
Matlab/Simulink
Scade CPAL
Figure from [2] and [3]
Inspired from interpreter-based interlocking systems
e.g.: RATP, SNCF [5], Westingshouse](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-4-320.jpg)
![Declaring timing correctness:
designer states the “what”, not the “how”,
environment does the rest
www.designcps.com 21
Requirements: deadline,
frequency, jitters, data-flow
(precedence, prod. rate),
safety, etc
Allocate the models to the processing units
“Scheduler synthesis”
A
B
Ideas discussed in [6],
implementation ongoing](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-21-320.jpg)
![Simulation: Some/IP SD [8,9]
www.designcps.com 23
SOME/IP SD: service discovery for automotive Ethernet
Objective: find the right tradeoff between subscription
latency and SOME/IP SD overhead
Max analysis
4.005ms
Max simulation
3.98ms
Subscription
latency
for a client
Simulation complementary to analysis
Models have been coupled with low-level simulator
Same models could be used to implement testbeds
UC#1](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-23-320.jpg)
![Developing CPS:
a smart parachute for UAV [10]
www.designcps.com 24
UAVs autopilots cannot be trusted –
minimal safety through a remote termination component
Partnership with Alérion company
Termination upon
loss of connection or
pilot’s decision
UC#2](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-24-320.jpg)
![Model-based fault-injection
www.designcps.com 27
Time for the parachute to deploy (in seconds) and satisfaction of
requirement R4 versus network quality ratio [11]](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-27-320.jpg)
![Thales FMTV challenge [12,13]
www.designcps.com 29
Aerial video system to detect and track a moving
object, e.g. a vehicle on a roadway
Challenge timing analysis community
[From 12]
[From 12]
UC#4](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-29-320.jpg)
![FMTV challenge in CPAL [13]
www.designcps.com 30
Functional
architecture
for challenge 1
4 sub-challenges
o Low effort to model vs automata-based formalisms
o Model and graphical representation helped to highlight
ambiguities
o Simulation helped to find errors in the analysis
o Simulation biased towards worst-case helped -> open
problem
o None of the schedulability questions could be automated,
e.g. “the minimum time distance between two frames
produced by the camera that will not reach the display, for
a buffer size n = 3”
“Pen and paper”](https://image.slidesharecdn.com/4598d828-5e1c-4007-8ba8-1c42fa174f3b-160208115147/85/Lean-Model-Driven-Development-through-Model-Interpretation-the-CPAL-design-flow-30-320.jpg)
Lean Model-Driven Development through Model-Interpretation: the CPAL design flow
- 1. The CPAL programming language Design, Simulate, Execute Embedded Systems Nicolas Navet and Sebastian Altmeyer, University of Luxembourg Loïc Fejoz and Lionel Havet, RealTime-at-Work Embedded Real-Time Software and Systems (ERTS 2016) Toulouse, France, January 28, 2016 Lean Model-Driven Development through Model-Interpretation
- 2. www.designcps.com 2 Amount of software is growing exponentially – what about productivity gains in software development ? Software has become the key to innovation Software is disrupting complete industries Every company has to learn to become a software company Model-Driven Development is certainly a powerful enabler but .. Programming environments still lack the high-level concepts: embedded system specific language abstractions automation features ("state the what, not the how") that would make them more productive Innovation increasingly relies on software [inspired from posts at http://www.theenterprisearchitect.eu/]
- 3. CPAL is an embedded systems specific language www.designcps.com 3 Model and program functional and non-functional concerns Simulate possibly embedded within external tools such as RTaW-Pegase™ and Matlab/Simulink ™ Execute bare metal or hosted by an OS - prototypes or real systems A C B A joint project of RealTime-at-Work and University of Luxembourg since 2012
- 4. www.designcps.com 4 5-steps of MBD Matlab/Simulink Scade CPAL Figure from [2] and [3] Inspired from interpreter-based interlocking systems e.g.: RATP, SNCF [5], Westingshouse
- 5. Why a new programming language ? www.designcps.com o General purpose languages do not offer the right abstractions for ES: o Periodic activities and real-time scheduling o Time measurements and manipulation o Finite state machines o High-level interfaces to I/Os o etc o Conceived to facilitate the writing of correct embedded code (incl. restrictions) o “Write once, Run Anywhere” of Java does not guarantee anything about timing behaviour on different platforms o Development environments are unnecessary complex and often expensive o Model interpretation brings benefits: monitoring at run-time, security, no distortion between model and code, WORA, etc. 5 Both functional and non-functional concerns Our view: major productivity and quality improvements still ahead of us through better programming languages and environments
- 6. A glance at the state-of-the-art www.designcps.com 6 o With respect to synchronous languages ? o Less demanding programming model: syntax close to mainstream languages, multiple I/Os per execution o No time-determinism but rather timing-predictability o Not amenable yet to verification in the value domain o Unlike pure Architecture Description languages like Giotto and Prelude, CPAL is also a programming language and an execution platform o Same time-triggered execution model as Giotto o Would benefit from rich data-flow language of Prelude o A large number of related (many discontinued) languages since the mid-80s: Pearl, Real-Time Euclid, C-extensions (real-time concurrent C, PRET-C, mbeddr), Labview RT module, RT and safety- critical Java, SCCharts, Papyrus-RT, etc most are imperative (and not declarative like CPAL) in the non-functional domain
- 7. Outline www.designcps.com 7 Selected highlights of the language CPAL scheduling and task activation model Processes are recurrent Finite State Machines Timing-augmented design flow Use-cases: automotive Ethernet simulation, Thales FMTV challenge, UAV programming A D B C E
- 8. www.designcps.com A few highlights of the language 8
- 10. Hello, world www.designcps.com 10 Aim: intuitive and productive FSM embedded in the process
- 11. www.designcps.com Processes: recurring activities whose logic is described as Finite State Machine 11
- 12. Finite-state Machines to describe the logic of a process www.designcps.com Boolean condition Timed transition Timed transition and condition Code both in states and transitions 12
- 13. A process is periodically activated www.designcps.com Execute first a transition (if possible) then current state best responsiveness to external events Execute transition code Move to next state A transition can be fired ? Wait until period has elapsed NoYes Stay in current state Execute state-specific code One “step” of execution of the FSM Execute common code Activation condition met or none ? No Yes 13
- 14. Process introspection www.designcps.com First time when the current and previous instances obtained the CPU Introspection can serve to implement adaptive behaviours and detect abnormal events at run-time 14
- 15. www.designcps.com CPAL scheduling and task activation model 15
- 16. CPAL’s 2 Execution Modes www.designcps.com Execution is as fast as possible (e.g. periods are not respected) Code executed in zero time – except if stated otherwise with timing annotations CPAL interpreter is hosted by an OS No access to real I/Os Simulation mode Real-Time mode Real-time execution Code (instructions, read/write I/Os) takes time to execute – depends on the platform CPAL can be executed on bare hardware or hosted by an OS DeploymentDevelopment 16 Overhead data on Freescale FRDM-K64F: max. activation jitter: 40us timer interrupt: 0.6us context switch overhead: 2us
- 17. Vision behind CPAL www.designcps.com Timing equivalence needed depends on the application, can be e.g. 1) full determinism 2) order-preserving for observable events, or 3) deadline constraints met 17 In CPAL current release, execution order of processes remains the same in simulation and in real-time mode
- 18. Simulating execution times www.designcps.com 18 Timing annotations can be derived by built-in monitoring facilities and are respected by the simulator
- 19. Process activation model www.designcps.com offset period Activation conditions (aka “guarded executions”) are for implementing functioning modes and executing event-triggered activities 19
- 20. CPAL scheduling model www.designcps.com 20 o The choice of non-preemptive scheduling: – No context-switch + no cache related preemption delays (CRPD) on the WCET + less memory usage – No shared resources, easier to validate, less timing variability – But .. reduced ability to meet tight deadline constraints o Currently FIFO policy is available : – Enforce event-order determinism – Work-conserving unlike static cyclic scheduling o Built-in support for WCET measurements at run-time o Planed to support partitioned multi-processor scheduling
- 21. Declaring timing correctness: designer states the “what”, not the “how”, environment does the rest www.designcps.com 21 Requirements: deadline, frequency, jitters, data-flow (precedence, prod. rate), safety, etc Allocate the models to the processing units “Scheduler synthesis” A B Ideas discussed in [6], implementation ongoing
- 23. Simulation: Some/IP SD [8,9] www.designcps.com 23 SOME/IP SD: service discovery for automotive Ethernet Objective: find the right tradeoff between subscription latency and SOME/IP SD overhead Max analysis 4.005ms Max simulation 3.98ms Subscription latency for a client Simulation complementary to analysis Models have been coupled with low-level simulator Same models could be used to implement testbeds UC#1
- 24. Developing CPS: a smart parachute for UAV [10] www.designcps.com 24 UAVs autopilots cannot be trusted – minimal safety through a remote termination component Partnership with Alérion company Termination upon loss of connection or pilot’s decision UC#2
- 25. Software architecture www.designcps.com 25 On-board module HW control Communication UI
- 26. Executable requirements www.designcps.com 26 Actual max. latency depends on the ground speed target, the minimum acceptable altitude, the weight of the UAS and the characteristics of the parachute (opening time, lift, etc)
- 27. Model-based fault-injection www.designcps.com 27 Time for the parachute to deploy (in seconds) and satisfaction of requirement R4 versus network quality ratio [11]
- 28. Towards a timing augmented design flow www.designcps.com 28 vehicle display CPAL controller Driving scenarios Timing accurate simulation & delays injected in the simulation Execution on target is timing-equivalent to simulation Ongoing research UC#3
- 29. Thales FMTV challenge [12,13] www.designcps.com 29 Aerial video system to detect and track a moving object, e.g. a vehicle on a roadway Challenge timing analysis community [From 12] [From 12] UC#4
- 30. FMTV challenge in CPAL [13] www.designcps.com 30 Functional architecture for challenge 1 4 sub-challenges o Low effort to model vs automata-based formalisms o Model and graphical representation helped to highlight ambiguities o Simulation helped to find errors in the analysis o Simulation biased towards worst-case helped -> open problem o None of the schedulability questions could be automated, e.g. “the minimum time distance between two frames produced by the camera that will not reach the display, for a buffer size n = 3” “Pen and paper”
- 31. Conclusion & ongoing work www.designcps.com 31 o CPAL: an interpreted language on a time-triggered execution engine - imperative programming in the functional domain - declarative programming in the non-functional domain o Positive feedback about CPAL through industrial use-cases and teaching o Code generation feasible for higher performance - hook to native code too o Objectives: timing equivalence between models in simulation and execution / SILx for the execution engine Envisioned use-cases for the execution engine: UAV and robotics Real-time IoT Adaptive and resilient CPS CPAL is free to use for academics (research works and industrial projects), Extensions to the language and toolset are welcome
- 32. www.designcps.com 32 Thank you for your attention! Want to give it a try? Binaries, code examples and playground at https://designcps.com
- 33. References www.designcps.com 33 1. N. Navet N., L. Fejoz L., L. Havet , S. Altmeyer, “Lean Model-Driven Development through Model-Interpretation: the CPAL design flow”, Embedded Real-Time Software and Systems (ERTS 2016), October 2015. 2. A. Brown, “An Introduction to Model Driven Architecture – Part1: MDA and today’s systems”, IBM technical library, 2004. 3. T. Trew, “Creating Embedded Platforms with MDA: Where's the Sweet Spot”, slides presented at ECMDA-FA, 2009. 4. T. A. Henzinger, “Two challenges in embedded systems design: predictability and robustness”, Philosophical Transactions of the Royal Society of London A: Mathematical, Physical and Engineering Sciences, 366(1881):3727–3736, 2008. 5. M. Antoni, “Formal validation method and tools for computerized interlocking system”, 18th International Symposium on Formal Methods (FM 2012), Industry day, August 27- 31, 2012. 6. S. Altmeyer, N. Navet, “Towards a declarative modeling and execution framework for real-time systems”, First IEEE Workshop on Declarative Programming for Real-Time and Cyber-Physical Systems, December 2015. 7. J. Seyler, N. Navet, L. Fejoz, “Insights on the Configuration and Performances of SOME/IP Service Discovery“, in SAE International Journal of Passenger Cars- Electronic and Electrical Systems, 8(1), 124-129, 2015. 8. S. Lampke, S. Schliecker, D. Ziegenbein, A. Hamann, “Resource-Aware Control - Model- Based Co-Engineering of Control Algorithms and Real-Time Systems”, in SAE International Journal of Passenger Cars- Electronic and Electrical Systems ,8(1):106-114, 2015.
- 34. References Continued www.designcps.com 34 9. J. Seyler, T. Streichert, M. Glaß, N. Navet, J. Teich, "Formal Analysis of the Startup Delay of SOME/IP Service Discovery", Design, Automation and Test in Europe (DATE2015), Grenoble, France, March 13-15, 2015. 10. L. Ciarletta, L. Fejoz, A. Guenard, N. Navet, "Development of a safe CPS component: the hybrid parachute, a remote termination add-on improving safety of UAS", Embedded Real-Time Software and Systems (ERTS 2016), Toulouse, France, January 27-29, 2016. 11. F. Boniol, V. Wiels, “The landing gear system case study”, pp1-18, Proc. ABZ 2014, 2014. 12. R. Henia, L. RIOUX, “Formal Methods for Timing Verification - The 2015 FMTV Challenge”, 2014. https://waters2015.inria.fr/files/2014/11/FMTV-2015-Challenge.pdf 13. S. Altmeyer, N. Navet, L. Fejoz, "Using CPAL to model and validate the timing behaviour of embedded systems", 6th International Workshop on Analysis Tools and Methodologies for Embedded and Real-time Systems (WATERS), Lund, Sweden, July 7, 2015. 14. R. Davis, A. Thekkilakattil, O. Gettings, R. Dobrin, S. Punnekkat, “Quantifying the Exact Sub-Optimality of Non-Preemptive Scheduling”, Real-Time Systems Symposium (RTSS), 2015. 15. M. Nasri, G. Fohler, “Non-Work-Conserving Scheduling of Non-Preemptive Hard Real- Time Tasks Based on Fixed Priorities”, Real-Time Network and Systems (RTNS), 2015. 16. M. Stigge, P. Ekberg, N. Guan, W. Yi, “The digraph real-time task model,” 16th IEEE Real-Time and Embedded Technology and Applications Symposium, 2011. 17. M. Grenier, N. Navet, "Fine Tuning MAC Level Protocols for Optimized Real-Time QoS", IEEE Transactions on Industrial Informatics, special issue on Industrial Communication Systems, vol 4, nº1, 2008.