WP2 - Application Models and Design Tools for Mixed-Critical, Multi-Core Embedded Systems


In WP2 the application developer entry level for mixed critical applications will be defined. The result will be a design flow starting with application level models including functional and extra-functional specifications down to a fully deployed system model to be executed on an embedded multi-core platform.

Safety-critical design methodologies start from an executable model, typically expressed in a block-diagram language and annotated with non-functional properties for verification and test purposes. This source model is then translated into simulation code, refined or abstracted models for formal verification and design-space exploration, and executable code to be embedded on the electronic controller. Code generators for the safety-critical applications will be certified, traceable, statically analyzable using formal methods, and allow for complete code reviews. EMC² will build on the well-established, rigorous system design and automated flows from the avionics industry, extending it towards dynamic, heterogeneous, compute-intensive, and mixed-critical systems. Putting safety and modularity at the core, the tools will strive to preserve the ideal of a single-source executable model, amenable to formal verification, testing, static analysis of functional and non-functional properties, efficient code generation and platform integration with runtime monitoring.

The complexity of system architectures targeted by this project demands for automated methods allowing finding optimized solutions of resource usage while accounting for the above design aspects (safety and performance). Particularly, the safety aspect requires that interferences between different functions allocated to the same computing resources are provable bounded, which is inevitable for example with respect to certification.

EMC2 aims at novel automated exploration methods that shall provide solutions to the following problems:

  • Supporting an optimized allocation of a system's functionality to the target hardware architecture with respect to performance.
  • Ensuring bounded interferences between different components in mixed-critical settings, including functional and non-functional properties of these components.
  • Support for both single and multi-core processing units.

Work package structure



Task 2.1 provides the design entry for programming and analyzing applications for EMC² systems. This is crucial to collect the requirements of the use case partners from different domains. Since these requirements are expected to be rather heterogeneous, the goal is to consolidate the requirement in a dialog with the users. In order to ease this dialog, structure of this task resembles the main technical tasks of WP2. Each task will then start with a set of requirements to guide their respective research and development process.

This task proposes languages and executable models for mixed criticality applications. EMC² supports a block diagram language for control intensive applications and a highly parallel, portable programming model for computational intensive, lower criticality application tasks. The work will cover the definition and construction of models for the software part and models for hardware aspects like timing and power. An abstract, formal representation will be designed to enable formal analysis and verification of the executable models.

The following domain independent language primitives will be supported:

  • Data Types are the fundamentals of computation since instances of data types represent the objects or operands to be manipulated by corresponding operations.
  • Sequential Behaviour describes control and data flow for the manipulation of data in a sequential order. It is the foundation of sequential imperative and object-oriented programming languages and the most intuitive way of describing algorithms.
  • Parallel Composition of Sequential Behaviour allows the specification of application specific coarse grained concurrency. Parallel composition allows specifying multiple parallel threads of execution.
  • Synchronization is used for managing the parallel composition of sequential behaviours. Synchronization is used to constrain the raw parallelism to guarantee consistency of data shared between parallel threads. Reliable communication between parallel threads relies on a proper synchronization scheme.
  • Time shall be described clearly separated from the behavioural model, but tightly linked to structural and behavioural elements of the model. The provided annotations shall be used to specify timing constraints (such as end-to-end deadline, response times, lower and upper time bound in general) as well as timing properties (e.g. estimated execution time on a dedicated processing element) though flexible back-annotation. To enable the analysis and optimal deployment with respect to timing and spatial segregation, we will formalize the constraints and objectives of the executed tasks. 
  • Hierarchical Composition is completely orthogonal to all design elements mentioned above, since it can be applied to all of them. An important aspect here is to guarantee the consistency of extra-functional properties for hierarchical compositions.

Task 2.3 is about the platform-specific refinement and deployment of complex applications designed with the languages and models proposed. It addresses modeling of the dynamic runtime execution environment with an overall goal to develop a modeling kit for virtual runtime prototypes. The modeling kit provides containers for different types of mixed-critical tasks, schedulers, communication objects and virtual resources (processing and communication). The deployment of tasks and communication services to the VRTP is an important design decision addressed. With the modeling elements designers can combine mixed-critical application models with the virtual runtime environment. The resulting formal executable model captures all relevant properties of the application.

This task will develop the required analysis techniques to support the work on the different living labs. Most hardware advances in the past had a positive impact on performance, energy consumption, weight, etc. but did not change the way the software is designed and developed, that is, the same code can be compiled for the new hardware with minor or no modifications. Unfortunately, the new hardware features (multi-processor and reconfigurable hardware) have a deep impact on the software development process. More powerful and capable hardware devices open the possibility to envision more complex and advanced applications. Applications provide extended services in addition to their core functionalities. In these new applications, elements with different levels of security/criticality/certification requirements will coexist on the same hardware.

In order to get all the benefits from the new hardware architectures, the software must be aware of the underlying facilities. The interactions between the SoC devices (memory affinity, bus access, contention on shared resources, etc.) has to be taken into account when the software elements (processes, threads and routines) are developed, allocated or dynamically re-adjusted to the computing resources.

The methods and tools developed in WP2 will be involved in a variety of design and applicative scenarios. Since method- and tool-centric validation will constitute the bulk of the effort, the main validation tasks have been organized into a dedicated task. The partners will integrate requirements and specifications from the EMC² Living Labs, monitor the progress of the use cases and industrial practices and use this task to incrementally validate the proposed solutions.