Wednesday 31 January
We.1.A.1 14:00
The objective of SCADE AADL is to: 1) provide a graphical AADL modeler tool compliant with the AADL standard, to benefit from the large set of analysis tools that take AADL models as input; 2) simplify the modeling and understanding of AADL models through a straightforward, direct, and complete definition of the components as single objects; 3) provide a seamless path to SCADE Suite for the development of software components that benefit from the qualified tool chain, code generation and tests. The focus of this paper is to detail how the AADL and SCADE worlds have been connected and how appropriate DSL simplifications, made possible by original tool capabilities, can make AADL modeling significantly easier than current methods. The extended abstract focuses on the subsection "SCADE AADL as a DSL on SCADE Architect"; the other subsections, along with an example model to illustrate the implemented flow, will be included in the full paper. The conclusion section compares our work with the AADL-Capella work and gives our vision for the next step: designing systems with consistent multi-views, including compliance with different standards such as AADL and FACE.
We.1.A.2 14:30
Capella to SysML Bridge: a Tooled-up Methodology for MBSE Interoperability
Model-to-model transformation is a critical task in model-based system engineering (MBSE). Indeed, collaboration among industrial actors using system modeling increases their ability to be competitive. Capella is a model-based engineering solution that has been successfully deployed in a wide variety of industrial contexts. Based on a graphical modelling workbench, it provides system, software and hardware architects with rich methodological guidance relying on ARCADIA, a comprehensive model-based engineering method. SysML supports complex modeling for system engineering applications at different steps of the system life cycle. SysML provides architects and system engineers an easy way to collaborate using a single common language. It enables the management of systems of growing complexity across different development teams with many modeling capabilities: requirement, behavioral and structural definitions. To take advantage of the power of the Capella tool as well as the standardized SysML language, and to increase interoperability, this paper describes a Capella-to-SysML mapping and an associated transformation tool. This work is part of the Clarity project.
We.1.B.1 14:00
Making Agile Development Processes fit for V-style Certification Procedures
We present a process for the development of safety- and security-critical components in transportation systems targeting high-level certification (CENELEC 50126/50128, DO-178, Common Criteria). The process adheres to the objectives of "agile development" in terms of evolutionary flexibility and continuous improvement. However, it enforces the overall coherence of the development artefacts (ranging from documentation over proofs to tests and code) by means of a particular environment (CVCE), which integrates version and configuration management together with advanced, continuous validation techniques. In particular, the validation process is built around a formal development based on the interactive theorem proving system Isabelle/HOL, linking a business model of the application over the operating system model down to code and concrete hardware models (ARM7 on Sabre Light boards) by a series of refinement proofs. We apply CVCE in a case study that combines a novel model of an odometric service in a railway system with its implementation refinement integrated in seL4 (an operating system developed by NICTA for which a comprehensive Isabelle refinement stack exists). Novel techniques implemented in Isabelle also enforce semi-formal conformance to specific certification procedures and processes in order to improve the cost-effectiveness of developments targeting high-level certifications.
We.1.B.2 14:30
ED-12C/DO-178C vs. Agile Manifesto: A Solution to Agile Development of Certifiable Avionics Systems
This paper shows how apparent contradictions between agile practices and avionics software certification objectives have been resolved in a number of Airbus projects. It is demonstrated that significant improvements in quality, schedule and cost have been achieved in the development of highly complex, high-integrity, embedded real-time software. Moreover, several use cases prove that, when carefully deployed, agile techniques are not only compatible with ED-12C/DO-178C but, through greater visibility and openness, actually simplify it.
We.1.C.1 14:00
The SEMAPHORO Haptic Interface: a real-time low-cost open-source implementation for dyadic teleoperation
In this paper, a one-degree-of-freedom teleoperation interface is presented. The design of this device focuses on realizing a low-cost controller able to achieve good real-time performance for the acquisition of physical data during the interaction. Design choices and the hardware used are presented, as well as the control strategy used for attaining transparency in teleoperation. The controller is able to maintain a 5 kHz control frequency for the teleoperation, running on a BeagleBone Black board. The performance of the interface is presented and analyzed.
We.1.C.2 14:30
A Generic Virtual Machine Approach for Programming Microcontrollers: the OMicroB Project
In this paper, we present an original approach to programming microcontrollers. This approach, which stems from our first results with the OCaPIC project of running OCaml on PIC microcontrollers, consists of a generic virtual machine whose goals are portability as well as memory saving. We argue that such an approach can lead to safer programs, both by using a high-level programming language and by being able to use software tools dedicated to code analysis. Our generic virtual machine, called OMicroB, is foreseen to run simple hobbyist and entertainment programs as well as critical concurrent applications in embedded systems.
We.1.D.1 14:00
Development Framework for Longitudinal Automated Driving Functions with Off-board Information Integration
Increasingly sophisticated function development is taking place with the aim of developing efficient, safe and increasingly Automated Driving Functions. This development is made possible by the use of diverse data from sources such as Navigation Systems, eHorizon, on-board sensor data, Vehicle-to-Infrastructure (V2I) and Vehicle-to-Vehicle (V2V) communication. Increasing challenges arise with the dependency on large amounts of real-time data coming from off-board sources. At the core of addressing these challenges lies the concept of a Digital Dependability Identity (DDI) of a component or system. DDIs are modular, composable, and executable components in the field, facilitating:
• efficient synthesis of component and system dependability information,
• effective evaluation of information for safe and secure composition of highly distributed and autonomous Cyber-Physical Systems.
In AVL's Connected Powertrain™, Automated Driving Functions are tailored to Powertrain Control Strategies that predictively increase energy efficiency according to the powertrain type and its component efficiencies. Simultaneously, the burden on the driver is reduced by optimizing the vehicle velocity whilst minimizing any journey time penalty. In this work, the development of dependable Automated Driving Functions is exemplified by the Traffic Light Assistant, an adaptive strategy that utilizes predictions of preceding traffic, upcoming road curvature, inclination, speed limits, and especially traffic light signal phase and timing information to increase energy efficiency in an urban traffic environment. A key aspect of this development is the possibility of seamless and simultaneous development, from office simulation to human-in-the-loop and to real-time tests that include vehicle and powertrain hardware. Driver acceptance and comfort are rated in an advanced driver simulator mounted on a hexapod, capable of emulating the longitudinal and lateral acceleration of a real vehicle.
Test results from real-time function validation on a Powertrain Testbed are shown, including real traffic light signal phasing information and traffic flow representation on Graz city roads.
We.1.D.2 14:30
Towards Simulation-Based Verification for Continuous Integration and Delivery
The criticality, complexity and authority of automotive embedded systems have major implications for the engineering activities: development needs to be fast and efficient but must always result in correct and safe products. These competing needs are both served by using model-based continuous integration. In this paper, we discuss a workflow and system representation approach investigated in a Swedish research project, HeavyRoad. The approach entails a component-based representation of both software and systems, subject to a systematic variability representation. The simulation methods allow different fidelity for the software-based content as well as for the multi-physics simulations of non-software. The approach is illustrated by an example.
We.2.A.1 15:00
Unifying safe hardware system design and implementation through UML-based architecture description languages
The increased complexity of hardware systems, and the new constraints derived from the need to conform to industrial safety standards, require R&D teams to adopt new methodologies and their associated tools. In the case of hardware design at the system level, such tooled methodologies are scarce and rarely used in practice. There is, furthermore, no mechanism to guarantee traceability and consistency between hardware system design and implementations. We propose a UML-based approach for hardware system design. Our aim is to offer a graphical development environment for hardware system design and implementation conforming to the ISO 26262 standard for functional safety of road vehicles. Our methodology is based on several contributions: (1) an architecture description for safe hardware system development, (2) a safety/hardware co-engineering process, mapped to ISO 26262 hardware development process steps, using the elements of the architecture description, and (3) tools developed within the open-source Papyrus UML modeler. The work presented in this paper is motivated by a collaboration between the French research institute CEA and automobile manufacturers to design and implement the next modular hardware/software platform for vehicles of the future. The development of the platform must follow the ISO 26262 standard. The approach proposed in the paper is applied within the project, and this paper shows a case study.
We.2.A.2 15:30
Calur: an Action Language for UML-RT
UML-RT is a profile of UML specifically designed for real-time embedded systems. It has a long, successful track record of application and tool support via, e.g., IBM Rational RoseRT, IBM RSA-RTE, and now Papyrus-RT. Papyrus-RT is an Eclipse-based, open-source modelling and development environment for UML-RT systems. It allows the generation of complete, executable code from models and advances the state of the art via support for model representation with mixed graphical/textual notations and an extensible code generator. Together with commercial UML-RT tools, Papyrus-RT currently uses C/C++ as the action language to support the definition of behaviour. However, the use of a powerful, general-purpose language such as C/C++ can also easily break the abstraction that UML-RT wants to offer developers (e.g., developers have to be familiar with some of the intricate details of C/C++ syntax and semantics) and greatly complicates almost any kind of analysis. To address this issue, action languages have been proposed for, e.g., UML. However, no suitable action language for UML-RT exists yet. This paper introduces Calur, a proposed action language for UML-RT, intended to be integrated within Papyrus-RT. We describe the syntax and semantics of Calur, and a preliminary implementation.
We.2.A.3 16:00
PhiSystem: a tooled methodology for design and validation of ADAS
Advanced driver-assistance systems (ADAS) design is a complex task that naturally involves teams of engineers with different specialties such as requirements modeling, control design, software/hardware development. This task requires a holistic methodology encompassing the whole design process at system level, accounting for multiple viewpoints, dealing with open systems-of-systems, and enabling collaborative modeling and early stage evaluation of design choices. We present PhiSystem, a systemic modeling tool which aims at supporting such a holistic methodology for the development of ADAS applications.
We.2.B.1 15:00
Software safety - A journey across domains and safety standards
The position of software regarding global system safety is subject to significant variations among the various application domains and their safety standards. As a consequence, the position regarding whether, how and to what extent software safety analyses could or should contribute to the global safety assessment also varies. In Civil Aviation [ARP 4754A, ARP 4761, DO-178C], Nuclear [IEC 61513, IEC 60880] and to some extent Space [ECSS Q40, ECSS Q80], safety analyses are performed at system level and on functions, sub-systems and equipment, but not in the form of dedicated safety analyses applied to software. In these domains, the rationale is that software contributes to system safety through adherence to software development and validation rules, i.e. through an argument on confidence in software correctness to an extent adapted to the consequences of failures. However, it is worth noting that the assessment of the consequences of failures, and hence the determination of the Development Assurance Level, Software Criticality Category, etc., results from safety analyses performed at system and not at software level. Conversely, in domains such as railway [EN 50129] or automotive [ISO 26262], whereas the overall safety rationale is very similar, it is still required to perform in addition dedicated safety analyses applied to software. In the base safety standard [IEC 61508], software safety analysis encompasses a set of normative means supporting the functional safety assessment. In the process industries domain [IEC 61511], the concept is only emerging.
In this paper, from our experience in safety practice and standards in several domains and from discussions within a working group dedicated to cross-domain comparison of safety standards, we propose a description of classical software safety analysis techniques and discuss the nature of the arguments they can provide, according to their various objectives and their position in the global process and safety argumentation. We also discuss why the increase in software complexity has progressively made completeness of system functional safety requirements an important issue. Inspired by STPA and contract-based design in software engineering, we make constructive proposals to mitigate the incompleteness risk. We sketch out a general specification setting in which another kind of "software safety" analysis would come into play. We conclude on whether and how this could fit in the global system safety assessment.
We.2.B.2 15:30
A consistent safety case argumentation for artificial intelligence in safety related automotive systems
Under current automotive safety norms, the use of artificial intelligence (AI) in safety-critical environments such as autonomous driving is not possible. This paper introduces a new conceptual safety modelling approach and a safety argumentation to certify AI algorithms in a safety-related context. Therefore, a model of an AI system is presented first. Afterwards, methods and safety argumentation are applied to the model, limited to a specific subset of AI systems, i.e. off-board-learning deterministic neural networks in this case. Other cases are left for future research. The result is a consistent safety analysis approach that applies state-of-the-art safety argumentations from other domains to the automotive domain. This will enforce the adaptation of the functional safety norm ISO 26262 to enable general AI methods in safety-critical systems in future.
We.2.B.3 16:00
Avionics Certification: Back to Fundamentals with Overarching Properties
In late 2015, the Federal Aviation Administration (FAA) launched several initiatives aimed at answering a request by the US Senate to streamline avionics certification. One of those initiatives was dedicated to the identification and refinement of comprehensive high-level objectives for Development Assurance Processes, providing more flexibility for manufacturers to use new technologies and processes. In Europe, the avionics industry decided to support this FAA initiative on Development Assurance Processes by setting up a research project named RESSAC (Re-Engineering and Streamlining the Standards for Avionics Certification) under the supervision of the AeroSpace and Defence Industries Association of Europe (ASD). The high-level objectives evolved into a set of Overarching Properties that are the fundamental characteristics of any element being certified whether it is a complete system, a subsystem, a software item or a hardware item. Further, a set of Criteria has been defined that characterize the evidence to support each Overarching Property and provide a means to evaluate compliance. This paper describes the achievements to date including the specification of the Overarching Properties, their associated Criteria, and the activities of the RESSAC project to demonstrate the use of the Overarching Properties.
We.2.C.1 15:00
A multi-core Basic Software as Key Enabler of Application Software Distribution
In the last 20 years, functional evolution in the automotive Powertrain has been motivated by three main pillars: low CO2 emissions, low particle emissions and increased torque throughput. In addition to these permanent objectives (e.g. the Euro 7 standard), new constraints are arising, such as integrated transmission systems, electrification, autonomous driving, connectivity as well as changed domain architectures. Finally, new complexities have to be handled, which today require 6 times as much computation power as 15 years ago, when 32-bit controllers were introduced (e.g. the former Motorola MPC563 @ 40 MHz). This demand is answered by the introduction of multi-core microcontroller architectures designed for the automotive environment. And the trend of requiring additional computation power will continue in the future, where one might step forward towards more powerful multi-core or even many-core systems. But the development of powerful hardware architectures does not release software architecture from careful usage of system resources, because a multi-core system can be used in an efficient way only if a high rate of parallelization can be achieved, according to Amdahl's law. Even if AUTOSAR allows a partitioning of software components (SWC) across cores, it simply does not consider a multi-core basic software (BSW) until today. Instead it phrases just concept ideas not realized in the standard. So it is the task of this paper to give an overview of the possibilities of the AUTOSAR standard and to sketch an alternative solution based on the AUTOSAR foundation offering a BSW distributable across cores, which allows a distribution of not only an SWC but even its individual runnables. It will explain how the BSW itself is distributed, and how access to the peripherals from different cores is made possible.
Furthermore, a concept of core abstraction will be described, allowing even the same task architecture to be shared between projects based on different microcontrollers. Consequently, the paper will propose a qualification of the BSW into 3 multi-core conformance classes. The principles described in this contribution are applied in the daily work in our Powertrain projects, and have been in production since 2016 for a central Powertrain controller of a German OEM, and since 2017 for an engine system of a French OEM. At the date of publication, other engine system applications and hybrid systems based on this concept are in production, and further ones are planned for 2018.
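A worked illustration of the Amdahl's-law constraint invoked in the abstract above. This is an added example and is not part of the paper or its abstract; the parallel fraction p and the core counts n are assumed values chosen for illustration.

Let p be the fraction of the workload that can be distributed across n cores and 1 - p the part that stays serial (for instance a BSW that must execute on a single core). Amdahl's law gives the speedup over a single core as

\[ S(n) = \frac{1}{(1 - p) + p/n}, \qquad \lim_{n \to \infty} S(n) = \frac{1}{1 - p}. \]

With p = 0.9, S(4) = 1/(0.1 + 0.225) \approx 3.08 and S(8) = 1/(0.1 + 0.1125) \approx 4.71, so the per-core efficiency S(n)/n drops from 77% to 59% as cores are added, and no number of cores can exceed a tenfold speedup. Read the other way round, a sixfold increase in throughput (the factor cited in the abstract), if it were to come purely from parallelism, requires

\[ (1 - p) + \frac{p}{n} = \frac{1}{6} \quad\Longrightarrow\quad p = \frac{5/6}{1 - 1/n} = \frac{5n}{6(n-1)}, \]

which is p \approx 0.952 for n = 8 and p = 1 for n = 6 (nothing at all may remain serial). A BSW that itself stays on one core therefore caps the achievable speedup regardless of how the application SWCs are partitioned, which is why the abstract ties efficient multi-core use to distributing the BSW and the individual runnables.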
We.2.C.2 15:30
Radiation-Tolerant System-On-Chip (SOC) With Deterministic Ethernet Switching For Scalable Modular Launcher Avionics
In space applications, where the environment is very demanding for electronic components, dedicated devices are needed to ensure the required reliability and availability for different mission profiles. Therefore, a dedicated reconfigurable radiation-tolerant SoC (System-On-Chip) with integrated computing and Ethernet switching supports the design of future modular architectures. This work presents the key SoC properties and advances in high-performance networking and semiconductor technology for next-generation scalable space avionics systems.
We.2.C.3 16:00
METrICS: a Measurement Environment for Multi-Core Time Critical Systems
With the upcoming shift from single-core to multi-core COTS processors for safety-critical products such as avionics, railway or space computer subsystems, the safety-critical industry is facing a trade-off in terms of performance versus predictability. In multi-core processors, concurrent accesses to shared hardware resources generate inter-task or inter-application timing interference, breaking the timing isolation principles required by the standards for such critical software. Several solutions have been proposed in the literature to control or regulate these timing interferences, but most of them require some level of profiling, monitoring or dimensioning. As time-critical software runs on top of Real-Time Operating Systems (RTOS), classical profiling techniques relying on interrupts, multi-threading, or OS modules are either not available or prohibited for predictability, safety or security reasons. In this paper we present METrICS, a measurement environment for multi-core time-critical systems running on top of the industry-standard PikeOS RTOS. Our framework proposes accurate real-time runtime and resource usage measurement while having a negligible impact on timing behaviour, allowing us to fully observe and characterize timing interference. Beyond being able to characterize timing interference, we evaluated METrICS in terms of accuracy of the timing and resource usage measurements, intrusiveness both in terms of timing and impact on the legacy code, as well as adherence to the hardware. We also present a portfolio of the kinds of measurements METrICS provides.
We.2.D.1 15:00
Enabling Tomorrow's Road Vehicles by Service-Oriented Platform Patterns
This paper addresses how a service-oriented pattern can make it possible to resolve a number of paradoxes that are traditionally seen as hard to solve in the area of E/E design in the automotive domain. The presented pattern is based on a service-oriented paradigm. This is then extended with explicit requirements on design-time analysis and on the run-time capabilities required by the services. The services need, on the one hand, to be describable in a hierarchical way and, on the other hand, to be implementable in a service-oriented communication paradigm. These two dimensions are essential to understand, both to gain the capability to resolve the paradoxes shown and to relate possible solutions to existing automotive standards such as Adaptive AUTOSAR and SOME/IP. A migration strategy is presented based on this analysis. The concept of vagrant services is introduced and forms an essential part both of solving today's paradoxes and of enabling efficient design patterns for tomorrow, including autonomous vehicles and intelligent traffic systems (ITS).
We.2.D.2 15:30
An SDN hybrid architecture for vehicular networks: Application to Intelligent Transport System
Vehicular networks are one of the cornerstones of an Intelligent Transportation System (ITS). They are expected to provide ubiquitous network connectivity to moving vehicles while supporting various ITS services, some with very stringent requirements in terms of latency and reliability. Two vehicular networking technologies are envisioned to jointly support the full range of ITS services: DSRC (Dedicated Short Range Communication) for direct vehicle-to-vehicle/Road Side Unit (RSU) communications, and cellular technologies. To the best of our knowledge, approaches from the literature usually divide ITS services between these networks according to their requirements, and one single network is in charge of supporting each service. Those that consider both network technologies to offer multi-path routing, load balancing or path splitting for a better quality of experience of ITS services obviously assume separately controlled networks. Under the umbrella of SDN (Software Defined Networking), we propose in this paper a hybrid network architecture that enables the joint control of the networks providing connectivity to multi-homed vehicles and, also, explore the opportunities brought by such an architecture. We show through some use cases that, in addition to the flexibility and fine-grained programmability brought by SDN, it opens the way towards the development of effective network control algorithms that are key to the successful support of ITS services, especially those with stringent QoS. We also show how these algorithms could benefit from information related to the environment or context in which vehicles evolve (traffic density, planned trajectory, ...), which could be easily collected by data providers and made available via the cloud.
We.2.D.3 16:00
How to Find a Minimum Viable Product in IoTA
The IoT in Aerospace (IoTA) sector has changed the way aerospace companies see their future products. Given the longer product life cycles in the Aerospace & Defense industry, split-second decisions can mean the difference between success and failure. Aerospace majors are thinking differently to change the product innovation and development process by nurturing a start-up culture and entrepreneurial mindset in their organizations. This investigative research is aimed at developing a methodology to identify the Minimum Viable Product (MVP) using IoT for aerospace companies. House of Quality (HoQ) helped in identifying the positive and negative correlations between the IoT characteristics and their linkage with various aerospace systems. This exploratory research can be used by aerospace system suppliers to develop an MVP IoT product in aerospace systems.
ERTS 2020 - SAVE THE DATE
Wednesday 29 to Friday 31 January 2020
Pierre Baudis Congress Center, Toulouse France