Composing domain-specific physical models with general-purpose software modules in embedded control software

A considerable portion of software systems today are adopted in the embedded control domain. Embedded control software deals with controlling a physical system, and as such models of physical characteristics become part of the embedded control software. In current practices, usually general-purpose languages (GPL), such as C/C++ are used for embedded systems development. Although a GPL is suitable for expressing general-purpose computation, it falls short in expressing the models of physical characteristics as desired. This reduces not only the readability of the code but also hampers reuse due to the lack of dedicated abstractions and composition operators. Moreover, domain-specific static and dynamic checks may not be applied effectively. There exist domain-specific modeling languages (DSML) and tools to specify models of physical characteristics. Although they are commonly used for simulation and documentation of physical systems, they are often not used to implement embedded control software. This is due to the fact that these DSMLs are not suitable to express the general-purpose computation and they cannot be easily composed with other software modules that are implemented in GPL. This paper presents a novel approach to combine a DSML to model physical characteristics and a GPL to implement general-purpose computation. The composition filters model is used to compose models specified in the DSML with modules specified in the GPL at the abstraction level of both languages. As such, this approach combines the benefits of using a DSML to model physical characteristics with the freedom of a GPL to implement general-purpose computation. The approach is illustrated using two industrial case studies from the printing systems domain.     

Populating software repositories: Incentives and domain-specific software

Reusable Software Libraries (RSLs) often form the core on an organizational reuse strategy. Although RSLs provide a place to deposit software for use by others, RSLs do not guarantee reuse success. The implementation of an RSL depends on many factors including the availability of quality and useful software. Domain-specific considerations most often determine the usefulness of software and therefore should influence how an organization populates an RSL. This article presents IBM's¹ experiences with a corporate RSL, reuse incentive programs, and summarizes the results of an enterprise-wide initiative to develop reusable software for the RSL. The article explains some of the issues surrounding a large RSL and defines a three-phased progression typical of corporate reuse libraries.     

Dispatch sequences for embedded control models

We consider the problem of mapping a set of control components to an executable implementation. The standard approach to this problem involves mapping control blocks to periodic tasks, and then generating a schedule. This schedule is platform-dependent, and its execution requires real-time operating system support. We propose an alternative approach which involves generating a dispatch sequence of control blocks in a platform-independent manner. Our solution relies on assigning relative complexity and relative importance measures to control components, and is an adaptation of the classical scheduling algorithms such as earliest–deadline–first. We show the benefits of our approach using simulation experiments on two case studies.     

Intelligent cruise control applications: real-time embedded hybrid control software

This article presents the use of a model-based approach for the development of real-time, embedded, hybrid control software. The concepts are illustrated with a scenario involving speed-profile tracking and vehicle following applications for passenger vehicles. The model-based approach was developed in partnership between the University of California at Berkeley, Ford Research Labs, and GM. An ACC and CACC system has been tested in prototype phase, both at highway speeds and in stop-and-go situations. Robotic technologies, such as range, velocity, and acceleration measurements, and their processing and fusion were used as part of the system. In addition, vehicles can present very nonlinear behavior, especially at low speeds, and their control presents a formidable challenge. The problem domain of intelligent cruise-control applications has been described in detail, along with control and software development methodologies. We are currently working on applying the same model-based approach to the development of intelligent cruise-control systems for automated transit buses.     

Task construction for model-based design of embedded control software

Constructing runtime tasks, or operating system-level processes/threads, from the components of software design models is crucial to the model-based development of embedded control software. A better method should explore more design choices and reduce the overheads of the runtime system to meet the timing and resource constraints of embedded control software. This paper presents a novel, two-step method for systematic and automatic construction of runtime tasks from software design models. It uses graph transformation to construct a task set meeting system-level end-to-end (e2e) timing constraints. Its first step decomposes the system-level e2e timing constraints into the components' timing constraints, which form a necessary condition for any valid and feasible schedule. The second step iteratively merges the components into tasks and sequences their executions. A thus-constructed task set is proven to meet both intercomponent precedence and system-level e2e timing constraints and to minimize runtime overheads by minimizing the total number of resultant tasks. Our evaluation results based on randomly generated software models have shown that the proposed method outperforms commonly used methods and is also scalable.     

Verification of evolving software via component substitutability analysis

This paper presents an automated and compositional procedure to solve the substitutability problem in the context of evolving software systems. Our solution contributes two techniques for checking correctness of software upgrades: (1) a technique based on simultaneous use of over-and under-approximations obtained via existential and universal abstractions; (2) a dynamic assume-guarantee reasoning algorithm—previously generated component assumptions are reused and altered on-the-fly to prove or disprove the global safety properties on the updated system. When upgrades are found to be non-substitutable, our solution generates constructive feedback to developers showing how to improve the components. The substitutability approach has been implemented and validated in the ComFoRT reasoning framework, and we report encouraging results on an industrial benchmark. This is an extended version of a paper, Dynamic Component Substitutability Analysis, published in the Proceedings of the Formal Methods 2005 Conference, Lecture Notes in Computer Science, vol. 3582, by the same authors. This research was sponsored by the National Science Foundation under grant nos. CNS-0411152, CCF-0429120, CCR-0121547, and CCR-0098072, the Semiconductor Research Corporation under grant no. TJ-1366, the US Army Research Office under grant no. DAAD19-01-1-0485, the Office of Naval Research under grant no. N00014-01-1-0796, the ICAST project and the Predictable Assembly from Certifiable Components (PACC) initiative at the Software Engineering Institute, Carnegie Mellon University. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the US government or any other entity.     

嵌入式实时控制系统软件可靠性建模与应用

嵌入式实时控制系统(ERCS)广泛应用于各种控制系统中,其软件不同于普通软件,除满足实时性要求外,可靠性也是相当重要的。首先对嵌入式实时控制系统软件进行形式化抽象定义,然后对不可再分的软件模块进行可靠性建模,并应用Copula函数对软件系统进行建模,最后应用建立的模型,对具体的系统进行了软件可靠性计算。通过实例计算可知,用Copula函数建立的嵌入式实时控制系统软件可靠性模型,考虑了软件各个模块的相依性,进而得到嵌入式实时控制系统软件模块相依的可靠度较各模块独立时有所提高。     

嵌入式软件系统体系结构可靠性分析方法

AADL是嵌入式领域对SA进行建模、评估的常用方法,但其属于一种半形式化开发语言,无法直接对SA的可靠性进行验证。为此,提出一种基于AADL的可靠性分析框架,对SA的可靠性进行形式化验证。首先通过分析系统体系结构的元素关系,建立AADL可靠性模型;然后设计转换模型及其规则,将AADL模型转换为连续时间马尔科夫链模型;最后采用概率模型检验工具对连续时间马尔科夫链模型进行可靠性定量分析。仿真结果表明,与现有可靠性分析方法相比,该方法在计算效率和转换效率上都有明显的提高。基于AADL的可靠性分析框架实现在软件系统开发早期对SA进行可靠性定量计算,为AADL在嵌入式软件系统可靠性定量分析方面提供了一种新的验证思路。     

利用智能控制流方法的嵌入式软件故障检测

针对现有的嵌入式软件故障检测方法性能低、开销大的缺点,提出一种智能选择检测点的控制流方法,其创新之处主要为:使用变量的频率和基本块的执行频率用作选择重要变量和基本块的两个参数。检测的基本流程是首先过滤器还原标准C语句为伪代码语句,然后扫描仪获取伪代码,并发送它到解析器,进行程序的控制流图提取。最后,解析器提取程序的前后支配树,运用候选块寻找算法进行节点分类,获得块断言和变量。实验结果表明,固化代码中程序执行时间少于RSCFC方法,但是内存开销和代码开销几乎相同,执行时间比率接近1,显著提高故障检测率。     

基于度量的嵌入式软件缺陷风险分析研究

通过对COSMIC-FFP模型的扩展优化提出了嵌入式软件系统度量的方法,从而解决了COSMIC-FFP模型不支持对含有复杂数学算法的嵌入式实时系统度量的问题,基于软件规模度量提出了软件缺陷度量的方法。通过对软件规模的准确度量和对软件缺陷风险的分析,发现软件项目过程风险管理的不足,达到降低软件项目过程风险的目的。     

产品线成本模型的比较与分析

为给软件产品线决策者应用软件产品线模型提供理论上的参考,综合分析比较了近年来的20种软件产品线模型,在对软件产品线模型的投资循环、重用方式、货币时间价值、经济函数、成本因子和重用成本等方面因素进行细致分析的基础上提出了软件产品线模型的比较框架,在该框架内着重分析了其中5种典型的软件产品线模型,对应用软件产品线开发方式的成本估算和投资分析做了细致分析,并对当前软件产品线模型时存在的问题和发展方向进行了探讨.     

Component-based analysis of embedded control applications

The widespread use of embedded systems requires the creation of industrial software technology that will make it possible to engineer systems being correct by construction. That can be achieved through the use of validated (trusted) components, verification of design models, and automatic configuration of applications from validated design models and trusted components. This design philosophy has been instrumental for developing COMDES—a component-based framework for distributed embedded control systems. A COMDES application is conceived as a network of embedded actors that are configured from instances of reusable, executable components—function blocks (FBs). System actors operate in accordance with a timed multitasking model of computation, whereby I/O signals are exchanged with the controlled plant at precisely specified time instants, resulting in the elimination of I/O jitter. The paper presents an analysis technique that can be used to validate COMDES design models in SIMULINK. It is based on a transformation of the COMDES design model into a SIMULINK analysis model, which preserves the functional and timing behaviour of the application. This technique has been employed to develop a feasible (light-weight) analysis method based on runtime observers. The latter are conceived as special-purpose actors running in parallel with the application actors, while checking system properties specified in Linear Temporal Logic. Observers are configured from reusable FBs that can be exported to SIMULINK in the same way as application components, making it possible to analyze system properties via simulation. The discussion is illustrated with an industrial case study—a Medical Ventilator Control System, which has been used to validate the developed design and analysis methods.     

Developing platform specific model for MPSoC architecture from UML-based embedded software models

In this paper, we describe a technique to design UML-based software models for MPSoC architecture, which focuses on the development of the platform specific model of embedded software. To develop the platform specific model, we define a process for the design of UML-based software model and suggest an algorithm with precise actions to map the model to MPSoC architecture. In order to support our design process, we implemented our approach in an integrated tool. Using the tool, we applied our design technique to a target system. We believe that our technique provides several benefits such as improving parallelism of tasks and fast-and-valid mapping of software models to hardware architecture.     

An analysis of several software defect models

Results are presented of an analysis of several defect models using data collected from two large commercial projects. Traditional models typically use either program matrices (i.e. measurements from software products) or testing time or combinations of these as independent variables. The limitations of such models have been well-documented. The models considered use the number of defects detected in the earlier phases of the development process as the independent variable. This number can be used to predict the number of defects to be detected later, even in modified software products. A strong correlation between the number of earlier defects and that of later ones was found. Using this relationship, a mathematical model was derived which may be used to estimate the number of defects remaining in software. This defect model may also be used to guide software developers in evaluating the effectiveness of the software development and testing processes     

Nonlinear control structures based on embedded neural system models

This paper investigates in detail the possible application of neural networks to the modeling and adaptive control of nonlinear systems. Nonlinear neural-network-based plant modeling is first discussed, based on the approximation capabilities of the multilayer perceptron. A structure is then proposed to utilize feedforward networks within a direct model reference adaptive control strategy. The difficulties involved in training this network, embedded within the closed-loop are discussed and a novel neural-network-based sensitivity modeling approach proposed to allow for the backpropagation of errors through the plant to the neural controller. Finally, a novel nonlinear internal model control (IMC) strategy is suggested, that utilizes a nonlinear neural model of the plant to generate parameter estimates over the nonlinear operating region for an adaptive linear internal model, without the problems associated with recursive parameter identification algorithms. Unlike other neural IMC approaches the linear control law can then be readily designed. A continuous stirred tank reactor was chosen as a realistic nonlinear case study for the techniques discussed in the paper.     

Tracing and recording interrupts in embedded software

During the system development, developers often must correct wrong behavior in the software—an activity colloquially called program debugging. Debugging is a complex activity, especially in real-time embedded systems because such systems interact with the physical world and make heavy use of interrupts for timing and driving I/O devices.Debugging interrupts is difficult, because they cause non-linear control flow in programs which is hard to reproduce in software. Record/replay mechanisms have proven their use to debugging embedded systems, because they provide means to recreate control flows offline where they can be debugged.In this work, we present the data tracing part of the record/replay mechanism that is specifically targeted to record interrupt behavior. To tune our tracing mechanism, we use the observed principle of return address clustering and a formal model for quantitative reasoning about the tracing mechanism. The presented heuristic and mechanisms show surprisingly good results—with higher fingerprint widths an 800 percent speedup on the selector function and a 300 percent reduction on duplicates for non-optimal selector functions—considering the leanness of the approach. Using an equal portion for the fingerprint and for the return address lead to the best results in our experiments.     

航空机载嵌入式控制软件需求建模的形式化工程方法

嵌入式控制软件是现代航空飞行器的核心部件之一。构建软件需求的形式化规约精确地刻画人们对软件期望的功能和运行场景,是确保此类安全攸关软件质量的根本途径。在工业界,形式化需求建模的大规模应用尽管有成功的案例,但仍面临众多的困难。其根本性难点在于缺少一种系统化的工程方法来引导工业界软件实践者,从原始需求开始最终完成形式化需求规约,并能确认该规约真实、充分地反映了人们对软件期望的功能。针对上述挑战,提出了一种面向机载控制软件需求建模的形式化工程方法ACSDL-MV,以形式化方法为理论基础,结合软件需求工程的基本原理,引导工程人员从原始需求出发以演化式的过程逐步完成需求规约的构建;定制了航空控制软件的形式化描述语言ACSDL,用以构建形式化规约;为了确认软件需求规约准确、充分地描述了人们对软件期望的功能,该方法给出了基于图形的静态审查和基于模型的动态模拟技术。在航空发动机公司中的实验结果表明,该方法相比传统方法探测到了更多的潜在错误。     

Practical verification of embedded software

Using a new verification algorithm called the compositional backward technique, the authors demonstrate that they can exhaustively verify even the largest industrial applications-comprising more than 1,000 components-in a few minutes on a standard PC     

面向集控嵌入式实时软件的单元测试方法研究

针对集控嵌入式实时软件的组成和特点,搭建了适合该软件的仿真单元测试平台,并详细介绍了基于Testbed对该软件进行单元测试的过程。依据静态分析输出的质量度量模型值定量地评价了软件内在源码的质量,并基于圈复杂度度量值提出了一种优先级的动态分析测试策略,用监控到的控制流信息来分析程序的覆盖率,从而确保单元测试的充分性和有效性,提高测试效率,保证软件的质量。