Section: New Results
Automatic generation of correct controllers
We address the difficulty of safely designing complex system controllers by proposing a method applying formal design techniques to the domain of embedded control systems. Such techniques are considered difficult to use, amongst other things because of the required theoretical competence. A general notion of hidden formal methods advocates for fully automated techniques, integrated into a design process and tool. The formal technique we aim to encapsulate into a tool chain is discrete controller synthesis  , and more particularly following a methodology  adaptated to the synchronous approach  .
Distributed Controller Synthesis using Static Analysis of FIFO channels
We address the controller synthesis for distributed systems modeled as a set of sequential machines communicating via unbounded FIFO channels
The static analysis of stacks and FIFO queues was the topic of the PhD of Tristan Le Gall, defended in June 2008. We proposed in  a new abstract domain for languages on infinite alphabets, which acts as a functor taking an abstract domain for a concrete alphabet, and lifts it to an abstract domain for words on this alphabet.
We studied this year the application of this technique to the controller synthesis of a set of sequential machines communicating via unbounded FIFO channels, for which we consider simple state-avoidance properties. It is well-known that there exists no optimal (most permissive) controller in such a context, so our ambition is to propose a technique for computing “permissive-enough” controller. Our approach is based on the computation of global controller, which is then projected on local sites so as to obtain a controller per site in the controlled distributed system. We exploit the abstract domain mentioned above in the fixpoint computations involved in the computation of a correct controller, and we take into account the following partial observation constraints: the global controller cannot observe the contents of the FIFO channels to take its decisions (they model communication links), and the projected local controller has a knowledge only on their local state.
A technical report on this approach is being written, and we plan to submit a paper at the beginning of 2009. This work is conducted in collaboration with H. Marchand and T. Le Gall ( Vertecs team from Inria Rennes).
Domain-specific language for application of discrete controller synthesis
We have proposed a simple programming language, called Nemo  , specific to the domain of multi-task real-time control systems. We obtain automatically an application-specific task handler that correctly manages the constraints, through a compilation-like process including a phase of discrete controller synthesis.
We have extended this work in the directions of:
the definition of a more general modeling and programming language,
the exploitation of modularity in synthesis, encapsulated in the compilation, in order to make larger models amenable to our techniques.
This work is conducted in collaboration with H. Marchand and G. Delaval ( Vertecs team from Inria Rennes).
Automating the addition of fault tolerance with discrete controller synthesis
We have defined a new framework for the design of fault tolerant embedded systems, based on Discrete controller synthesis (DCS), a formal approach based on the same state-space exploration algorithms as model-checking  . We start with a fault intolerant program, modeled as the synchronous parallel composition of finite labeled transition systems; we specify formally a fault hypothesis; we state some fault tolerance requirements; and we use DCS to obtain automatically a program, having the same behavior as the initial fault intolerant one in the absence of faults, and satisfying the fault tolerance requirements under the fault hypothesis. Our original contribution resides in the demonstration that DCS can be elegantly used to design fault tolerant systems, with guarantees on key properties of the obtained system, such as the fault tolerance level, the satisfaction of quantitative constraints, and so on. We show with numerous examples taken from case studies (some of them previously published  ,  ,  ,  ) that our method can address different kinds of failures (crash, value, or Byzantine) affecting different kinds of hardware components (processors, communication links, actuators, or sensors). Besides, we show that our method also offers an optimality criterion very useful to synthesize fault tolerant systems compliant to the constraints of embedded systems, like power consumption. In summary, the strong advantages of our framework for fault tolerance are:
It is automatic, because DCS produces automatically a fault tolerant system from an initial fault intolerant one.
The separation of concerns, because the fault intolerant system can be designed independently from the fault tolerance requirements.
The flexibility, because, once the system is entirely modeled, it is easy to try several fault hypotheses, several environment models, several fault tolerance goals, several degraded modes, and so on.
The safety, because, in case of positive result obtained by DCS, the specified fault tolerance properties are guaranteed by construction on the controlled system.
The optimalitywhen optimal synthesis is used, modulo the potential numerical equalities (hence a non-strict optimality).
We are extending this work in the direction of optimal synthesis considering weights cumulating along bounded-length paths, and its application to the control of sequences of reconfigurations. We are adapting models in order to take into account the additive costs of e.g., execution time or power consumption, and adapting synthesis algorithms in order to support the association of costs with transitions, and the handling of these new weight functions in the optimal synthesis. We therefore combine, on the one hand, guarantees on the safety of the execution by tolerating faults, and on the other hand, guarantees on the worst cumulated consumption of the resulting dynamically reconfiguring fault tolerant system.
This work is conducted in collaboration with H. Marchand ( Vertecs team from Inria Rennes) and E. Dumitrescu ( Insa Lyon).
Model-based control of adaptative systems
Embedded systems have to be more and more adaptive : they must perform reconfigurations in reaction to changes in their environment, related to resources or dependability. The management of this dynamical adaptivity is approached, e.g. , in autonomic systems, at the middleware level, by sensing the state of a system, deciding upon reconfiguration actions, and performing them. It can be considered as a control loop, on continuous or discrete criteria. We have defined a framework for the model-based control of adaptive systems, especially, considering their discrete aspects  ,  . We base it on our previous work, that gave contributions to different separate issues related to this topic; we are working on a generalisation towards adaptive systems, with applications in embedded middleware for autonomic systems, and reconfigurable architectures.
An experiment has started on the modeling of task management mechanism of the Orccad environment developed in the NeCS team (D, Simon and R. Pissard-Gibollet), and the application of discrete controller synthesis.
This work is conducted in contact with the Sardes (at the middleware level) and NeCS (at the task management level) teams of INRIA in Grenoble.