Section: Scientific Foundations
Embedded systems and their safe design
The safe design of embedded real-time control systems.
The context of our work is the area of embedded real-time control systems, at the intersection between control theory and computer science. Our contribution consists of methods and tools for their safe design. The systems we consider are intrinsically safety-critical because of the interaction between the embedded, computerized controller, and a physical process having its own dynamics. What is important is to analyze and design the safe behavior of the whole system, which introduces an inherent complexity. This is even more crucial in the case of systems whose malfunction can have catastrophic consequences, for example in transport systems (avionics, trains), production, medical, or energy production systems.
Therefore, there is a need for methods and tools for the design of safe systems. The definition of adequate mathematical models of the behavior of the systems allows the definition of formal calculi. They in turn form a basis for the construction of algorithms for the analysis, but also for the transformation of specifications towards an implementation. They can then be implemented in software environments made available to the users. A necessary complement is the setting-up of software engineering, programming, modeling, and validation methodologies. The motivation of these problems is at the origin of significant research activity, internationally and in particular, in the European IST network of excellence Artist II (Advanced Real-Time Systems) (http://www.systemes-critiques.org/ARTIST ).
Models, methods and techniques.
The state of the art upon which we base our contributions, is twofold.
From the point of view of discrete control, there is a set of theoretical results and tools, in particular in the synchronous approach, often founded on labeled transition systems finite or infinite  ,  . During the past years, methodologies for the formal verification  ,  , control synthesis  and compilation, and extensions to timed and hybrid systems  ,  have been developed. Asynchronous models consider the interleaving of events or messages, and are often applied in the field of telecommunications, in particular for the study of protocols. A well-known formalism for reactive systems is StateCharts  , which can be encoded in a synchronous model  .
From the point of view of verification, we use the methods and tools of symbolic model-checking and of abstract interpretation. From symbolic model-checking, we reuse BDD techniques  for manipulating Boolean functions and sets, and their MTBDD extension for more general functions. Abstract Interpretation  is used to formalize complex static analysis, in particular when one wants to analyze the possible values of variables and pointers of a program. Abstract Interpretation is a theory of approximate solving of fix-point equations applied to program analysis. Most program analysis problems, among others reachability analysis, come down to solving a fix-point equation on the state space of the program. The exact computation of such an equation is generally not possible for undecidability (or complexity) reasons. The fundamental principles of Abstract Interpretation are: ( i) to substitute to the state-space of the program a simpler domain and to transpose the equation accordingly (static approximation); and ( ii) to use extrapolation (widening) to force the convergence of the iterative computation of the fix-point in a finite number of steps (dynamic approximation). Examples of static analysis based on abstract interpretation are the Linear Relation Analysis  and Shape Analysis  .
The synchronous approach (http://www.synalp.org )  ,  to reactive systems design gave birth to complete programming environments, with languages like Argos , Lustre (http://www-verimag.imag.fr/SYNCHRONE ), Esterel (http://www.inria.fr/recherche/equipes/aoste.en.html ), Signal / Polychrony (http://www.irisa.fr/espresso/Polychrony ), SynDEx (http://www-rocq.inria.fr/syndex ), Lucid Synchrone (http://www.lri.fr/~pouzet/lucid-synchrone/ )or Mode Automata (http://www-verimag.imag.fr/PEOPLE/Florence.Maraninchi/MATOU ). This approach is characterized by the fact that it considers periodically sampled systems whose global steps can, by synchronous composition, encompass a set of events (known as simultaneous) on the resulting transition. Generally speaking, formal methods are often used for analysis and verification; they are much less often integrated in the compilation or generation of executives (in the sense of executables of tasks combined with the host real-time operating system). They are notoriously difficult to use by end-users, who are usually specialists in the application domain, not in formal techniques. This is why encapsulating formal techniques in an automated framework can dramatically improve their diffusion, acceptance, and hence impact. Our work is precisely oriented towards this direction.