The Spades project-team aims at contributing to meet the challenge of designing and programming dependable embedded systems in an increasingly distributed and dynamic context. Specifically, by exploiting formal methods and techniques, Spades aims to answer three key questions:

How to program open networked embedded systems as dynamic adaptive modular structures?

How to program reactive systems with real-time and resource constraints on multicore architectures?

How to program reliable, fault-tolerant embedded systems with different levels of criticality?

These questions above are not new, but answering them in the context
of modern embedded systems, which are increasingly distributed, open
and dynamic in nature , makes them more
pressing and more difficult to address: the targeted system properties
– dynamic modularity, time-predictability, energy efficiency, and
fault-tolerance – are largely antagonistic (*e.g.*, having a highly
dynamic software structure is at variance with ensuring that resource
and behavioral constraints are met). Tackling these questions
together is crucial to address this antagonism, and constitutes a key
point of the Spades research program.

A few remarks are in order:

We consider these questions to be central in the construction of future embedded systems, dealing as they are with, roughly, software architecture and the provision of real-time and fault-tolerance guarantees. Building a safety-critical embedded system cannot avoid dealing with these three concerns.

The three questions above are highly connected. For instance, composability along time, resource consumption and reliability dimensions are key to the success of a component-based approach to embedded systems construction.

For us, “Programming” means any constructive process to build a running system. It can encompass traditional programming as well as high-level design or “model-based engineering” activities, provided that the latter are supported by effective compiling tools to produce a running system.

We aim to provide semantically sound programming tools for embedded systems. This translates into an emphasis on formal methods and tools for the development of provably dependable systems.

The SPADES research program is organized around three main themes,
*Components and contracts*, *Real-time multicore
programming*, and *Language-based fault tolerance*, that seek
to answer the three key questions identified in
Section . We plan to do so by developing and/or
building on programming languages and techniques based on formal
methods and formal semantics (hence the use of *“sound
programming”* in the project-team title). In particular, we seek
to support design where correctness is obtained by construction,
relying on proven tools and verified constructs, with programming
languages and programming abstractions designed with verification in
mind.

Component-based construction has long been advocated as a key approach
to the “correct-by-construction” design of complex embedded
systems . Witness component-based toolsets such
as UC Berkeley's Ptolemy , Verimag's
BIP , or the modular architecture frameworks
used, for instance, in the automotive industry
(AUTOSAR) . For building large, complex systems, a
key feature of component-based construction is the ability to
associate with components a set of *contracts*, which can be
understood as rich behavioral types that can be composed and verified
to guarantee a component assemblage will meet desired properties. The
goal in this theme is to study the formal foundations of the
component-based construction of embedded systems, to develop component
and contract theories dealing with real-time, reliability and
fault-tolerance aspects of components, and to develop
proof-assistant-based tools for the computer-aided design and
verification of component-based systems.

Formal models for component-based design are an active area of
research (see *e.g.*, , ). However, we are
still missing a comprehensive formal model and its associated
behavioral theory able to deal *at the same time* with different
forms of composition, dynamic component structures, and quantitative
constraints (such as timing, fault-tolerance, or energy consumption).
Notions of contracts and interface theories have been proposed to
support modular and compositional design of correct-by-construction
embedded systems (see
*e.g.*, , and
the references therein), but having a comprehensive theory of
contracts that deals with all the above aspects is still an open
question . In particular, it is not clear how to
accomodate different forms of composition, reliability and
fault-tolerance aspects, or to deal with evolving component structures
in a theory of contracts.

Dealing in the same component theory with heterogeneous forms of
composition, different quantitative aspects, and dynamic
configurations, requires to consider together the three elements that
comprise a component model: behavior, structure and types.
*Behavior* refers to behavioral (interaction and execution)
models that characterize the behavior of components and component
assemblages (*e.g.*, transition systems and their multiple variants –
timed, stochastic, etc.). *Structure* refers to the organization
of component assemblages or configurations, and the composition
operators they involve. *Types* refer to properties or contracts
that can be attached to components and component interfaces to
facilitate separate development and ensure the correctness of
component configurations with respect to certain properties. Taking
into account dynamicity requires to establish an explicit link between
behavior and structure, as well as to consider higher-order systems,
both of which have a direct impact on types.

We plan to develop our component theory by progressing on two fronts: component calculi, and semantical framework. The work on typed component calculi aims to elicit process calculi that capture the main insights of component-based design and programming and that can serve as a bridge towards actual architecture description and programming language developments. The work on the semantical framework should, in the longer term, provide abstract mathematical models for the more operational and linguistic analysis afforded by component calculi. Our work on component theory will find its application in the development of a Coq-based toolchain for the certified design and construction of dependable embedded systems, which constitutes our third main objective for this axis.

Programming real-time systems (*i.e.*, systems whose correct behavior
depends on meeting timing constraints) requires appropriate languages
(as exemplified by the family of synchronous
languages ), but also the support of
efficient scheduling policies, execution time and schedulability
analyses to guarantee real-time constraints (*e.g.*, deadlines) while
making the most effective use of available (processing, memory, or
networking) resources. Schedulability analysis involves analyzing the
worst-case behavior of real-time tasks under a given scheduling
algorithm and is crucial to guarantee that time constraints are met in
any possible execution of the system. Reactive programming and
real-time scheduling and schedulability for multiprocessor systems are
old subjects, but they are nowhere as mature as their uniprocessor
counterparts, and still feature a number of open research
questions , , in particular in
relation with mixed criticality systems. The main goal in this theme
is to address several of these open questions.

We intend to focus on two issues: multicriteria scheduling on
multiprocessors, and schedulability analysis for real-time
multiprocessor systems. Beyond real-time aspects, multiprocessor
environments, and multicore ones in particular, are subject to several
constraints *in conjunction*, typically involving real-time,
reliability and energy-efficiency constraints, making the scheduling
problem more complex for both the offline and the online
cases. Schedulability analysis for multiprocessor systems, in
particular for systems with mixed criticality tasks, is still very
much an open research area.

Distributed reactive programming is rightly singled out as a major open issue in the recent, but heavily biased (it essentially ignores recent research in synchronous and dataflow programming), survey by Bainomugisha et al. . For our part, we intend to focus on two questions: devising synchronous programming languages for distributed systems and precision-timed architectures, and devising dataflow languages for multiprocessors supporting dynamicity and parametricity while enjoying effective analyses for meeting real-time, resource and energy constraints in conjunction.

Tolerating faults is a clear and present necessity in networked embedded systems. At the hardware level, modern multicore architectures are manufactured using inherently unreliable technologies , . The evolution of embedded systems towards increasingly distributed architectures highlighted in the introductory section means that dealing with partial failures, as in Web-based distributed systems, becomes an important issue. While fault-tolerance is an old and much researched topic, several important questions remain open: automation of fault-tolerance provision, composable abstractions for fault-tolerance, fault diagnosis, and fault isolation.

The first question is related to the old question of “system
structure for fault-tolerance” as originally discussed by Randell for
software fault tolerance , and concerns in part
our ability to clearly separate fault-tolerance aspects from the
design and programming of purely “functional” aspects of an
application. The classical arguments in favor of a clear separation of
fault-tolerance concerns from application code revolve around reduced
code and maintenance complexity . The second
question concerns the definition of appropriate abstractions for the
modular construction of fault-tolerant embedded systems. The current
set of techniques available for building such systems spans a wide
range, including exception handling facilities, transaction management
schemes, rollback/recovery schemes, and replication protocols.
Unfortunately, these different techniques do not necessarily compose
well – for instance, combining exception handling and transactions is
non trivial, witness the flurry of recent work on the topic, see
*e.g.*, and the references therein –, they have
no common semantical basis, and they suffer from limited programming
language support. The third question concerns the identification of
causes for faulty behavior in component-based assemblages. It is
directly related to the much researched area of fault diagnosis, fault
detection and isolation .

We intend to address these questions by leveraging programming
language techniques (programming constructs, formal semantics, static
analyses, program transformations) with the goal to achieve provable
fault-tolerance, *i.e.*, the construction of systems whose
fault-tolerance can be formally ensured using verification tools and
proof assistants. We aim in this axis to address some of the issues
raised by the above open questions by using aspect-oriented
programming techniques and program transformations to automate the
inclusion of fault-tolerance in systems (software as well as
hardware), by exploiting reversible programming models to investigate
composable recovery abstractions, and by leveraging causality analyses
to study fault-ascription in component-based systems. Compared to the
huge literature on fault-tolerance in general, in particular in the
systems area (see *e.g.*, for an interesting but
not so recent survey), we find by comparison much less work exploiting
formal language techniques and tools to achieve or support
fault-tolerance. The works reported
in , , , , , ,
provide a representative sample of recent such works.

A common theme in this axis is the use and exploitation of causality
information. Causality, *i.e.*, the logical dependence of an effect on a
cause, has long been studied in disciplines such as
philosophy , natural sciences,
law , and statistics , but it
has only recently emerged as an important focus of research in
computer science. The analysis of logical causality has applications
in many areas of computer science. For instance, tracking and
analyzing logical causality between events in the execution of a
concurrent system is required to ensure
reversibility , to allow the diagnosis of faults
in a complex concurrent system , or to enforce
accountability , that is, designing systems in
such a way that it can be determined without ambiguity whether a
required safety or security property has been violated, and why. More
generally, the goal of fault-tolerance can be understood as being to
prevent certain causal chains from occurring by designing systems such
that each causal chain either has its premises outside of the fault
model (*e.g.*, by introducing redundancy ), or is
broken (*e.g.*, by limiting fault propagation ).

Our applications are in the embedded system area, typically: transportation, energy production, robotics, telecommunications, systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and the quality of designs, as well as the cost of the programming and the validation processes.

Industrial acceptance of formal techniques, as well as their
deployment, goes necessarily through their usability by specialists of
the application domain, rather than of the formal techniques
themselves. Hence, we are looking to propose domain-specific (but
generic) realistic models, validated through experience (*e.g.*, control
tasks systems), based on formal techniques with a high degree of
automation (*e.g.*, synchronous models), and tailored for concrete
functionalities (*e.g.*, code generation).

The commercially available design tools (such as UML with real-time
extensions, Matlab/ Simulink/
dSpace

Regarding the synchronous approach, commercial tools are available:
Scade

Regarding applications and case studies with industrial end-users of our techniques, we cooperate with Thales on schedulability analysis for evolving or underspecified real-time embedded systems, with Orange Labs on software architecture for cloud services and with Daimler on reduction of nondeterminism and analysis of deadline miss models for the design of automotive systems.

Functional Description

We are developing pyCPA_TWCA, a pyCPA plugin for Typical Worst-Case
Analysis as described in Section . pyCPA is an
open-source Python implementation of Compositional Performance
Analysis developed at TU Braunschweig, which allows in particular
response-time analysis. pyCPA_TWCA is an extension of this tool that
is co-developed by Sophie Quinton, Zain Hammadeh (TU Braunschweig) and Leonie Ahrendts
(TU Braunschweig). It allows in particular the computation of
weakly-hard guarantees for real-time tasks, *i.e.*, the number of deadline
misses out of a sequence of executions. This year, pyCPA_TWCA has
been extended to task chains but remains limited to uniprocessor
systems, scheduled according to static priority scheduling. A public
release is planned but has not yet taken place.

Authors: Zain Hammadeh and Leonie Ahrendts and Sophie Quinton.

Contact: Sophie Quinton.

We address the issue of change after deployment in safety-critical
embedded system applications in collaboration with Thales and also in
the context of the CCC project (http://

The goal of CCC is to substitute lab-based verification with in-field formal analysis to determine whether an update may be safely applied. This is challenging because it requires an automated process able to handle multiple viewpoints such as functional correctness, timing, etc. For this purpose, we propose an original methodology for contract-based negotiation of software updates. The use of contracts allows us to cleanly split the verification effort between the lab and the field. In addition, we show how to rely on existing viewpoint-specific methods for update negotiation. We have validated our approach on a concrete example inspired by the automotive domain in collaboration with our German partners from TU Braunschweig .

In collaboration with Thales we mostly focus on timing aspects with the objective to anticipate at design time future software evolutions and identify potential schedulability bottlenecks. This year we have presented an approach to quantify the flexibility of a system with respect to timing. In particular we have shown that it is possible under certain conditions to identify the task that will directly induce the limitations on a possible software update. If performed at design time, such a result can be used to adjust the system design by giving more slack to the limiting task .

The design of configurable systems can be streamlined and made more systematic by adopting a component-based structure, as demonstrated with the Fractal component model . However, the formal foundations for configurable component-based systems, featuring higher-order capabilities where components can be dynamically instantiated and passivated, and non-hierarchical structures where components can be contained in different composites at the same time, are still an open topic. We have recently introduced the location graph model , where components are understood as graphs of locations hosting higher-order processes, and where component structures can be arbitrary graphs.

We have continued the development of location graphs, revisiting the underlying structural model (hypergraphs instead of graphs), and simplifying its operational semantics while preserving the model expressivity. Towards the development of a behavioral theory of location graphs, we have defined different notions of bisimilarity for location graphs and shown them to be congruences, although a fully fledged co-inductive characterization of contextual equivalence for location graphs is still in the works. This work has not yet been published.

Time predictability (PRET) is a topic that emerged in 2007 as a solution to the ever increasing unpredictability of today's embedded processors, which results from features such as multi-level caches or deep pipelines . For many real-time systems, it is mandatory to compute a strict bound on the program's execution time. Yet, in general, computing a tight bound is extremely difficult . The rationale of PRET is to simplify both the programming language and the execution platform to allow more precise execution times to be easily computed .

Following our past results on the Pret-C programming
language , we have proposed a time predictable
synchronous programming language for multicores, called ForeC. It
extends C with a small set of Esterel-like synchronous primitives to
express concurrency, interaction with the environment, looping, and a
synchronization barrier (like the
`pause` statement in Esterel). ForeC threads communicate with
each other via shared variables, the values of which are
*combined* at the end of each tick to maintain deterministic
execution. We provide several deterministic combine policies for
shared variables, in a way similar as concurrent
revisions . Thanks to this, it benefits from a
deterministic semantics. ForeC is compiled into threads that are then
statically scheduled for a target multicore chip. Our WCET analysis
takes into account the access to the shared TDMA bus and the necessary
administration for the shared variables. We achieve a very precise
WCET (the over-approximation being less than

Furthermore, we have extended the Pret-C compiler in order to make it energy aware. To achieve this, we use dynamic voltage and frequency scaling (DFVS) and we insert DVFS control points in the control flow graph of the Pret-C program. The difficulty is twofold: first the control flow graph is concurrent, and second resulting optimization problem is in the 2D space (time,energy). Thanks to a novel ILP formulation and to a bicriteria heuristic, we are able to address the two objectives jointly and to compute, for each Pret-C program, the Pareto front of the non-dominated solutions in the 2D space (time, energy) .

This is a collaboration with Eugene Yip from Bamberg University, and with Partha Roop and Jiajie Wang from the University of Auckland.

Synchronous programming languages describe functionally centralized
systems, where every value, input, output, or function is always
directly available for every operation. However, most embedded systems
are nowadays composed of several computing resources. The aim of this
work is to provide a language-oriented solution to describe
*functionally distributed reactive systems*. This research
started within the Inria large scale action Synchronics and
is a joint work with Marc Pouzet (ENS, Parkas team from Rocquencourt)
and Gwenaël Delaval (UGA, Ctrl-A team from Grenoble).

We are working on defining a *fully-conservative* extension of a
synchronous data-flow programming language (the Heptagon language,
inspired from Lucid Synchrone ). The
extension, by means of *annotations* adds *abstract location
parameters* to functions, and *communications* of values
between locations. At deployment, every abstract location is assigned
an actual one; this yields an executable for each actual computing
resource. Compared to the PhD of
Gwenaël Delaval , , the goal here is to achieve
*modular* distribution even in the presence of non-static clocks,
*i.e.*, clocks defined according to the value of inputs.

By *fully-conservative*, we have three aims in mind:

A non-annotated (*i.e.*, centralized) program will be compiled
exactly as before;

An annotated program eventually deployed onto only one computing location will behave exactly as its centralized couterpart;

The input-output semantics of a distributed program is the same as its centralized counterpart.

By *modular*, we mean that we want to compile each function of
the program into a single function capable of running on any computing
location. At deployment, the program of each location may be optimized
(by simple Boolean-constant-propagation, dead-code and unused-variable
elimination), yielding different optimized code for each computing
location.

We have formalized the type-system for inferring the location of each variable and computation. In the presence of local clocks, added information is computed from the existing clock-calculus and the location-calculus, to infer necessary communication of clocks between location. All pending theorical and technical issues have been answered, and the new compiler is being implemented, with new algorithms for deployment (and code optimization), achieving the three aims detailed above.

Recent data-flow programming environments support applications whose
behavior is characterized by dynamic variations in resource
requirements. The high expressive power of the underlying models (*e.g.*, Kahn Process Networks or the CAL actor language) makes it challenging
to ensure predictable behavior. In particular, checking
*liveness* (*i.e.*, no part of the system will deadlock) and
*boundedness* (*i.e.*, the system can be executed in finite memory)
is known to be hard or even undecidable for such models. This
situation is troublesome for the design of high-quality embedded
systems.

Recently, we have introduced the *Schedulable Parametric
Data-Flow* (SPDF) MoC for dynamic streaming
applications , which extends the
standard dataflow model by allowing rates to be parametric, and the
*Boolean Parametric Data Flow* (BPDF)
MoC , which combines integer
parameters (to express dynamic rates) and boolean parameters (to
express the activation and deactivation of communication channels).
In the past years, several other parametric dataflow MoCs have
been presented. All these models aim at providing an
interesting trade-off between analyzability and expressiveness. They
offer a controlled form of dynamism under the form of parameters (*e.g.*, parametric rates), along with run-time parameter configuration.

We have written a survey which provides a comprehensive description of the existing parametric dataflow MoCs (constructs, constraints, properties, static analyses) and compares them using a common example . The main objectives are to help designers of streaming applications to choose the most suitable model for their needs and to pave the way for the design of new parametric MoCs.

We have also studied *symbolic* analyses of
data-flow graphs , , , .
Symbolic analyses express the system performance as a function of
parameters (*i.e.*, input and output rates, execution times).
Such functions can be quickly evaluated for each different configuration or
checked *w.r.t.* different quality-of-service requirements.
These analyses are useful for parametric MoCs,
partially specified graphs, and even for completely static SDF graphs.
We provide symbolic analyses for computing the maximal throughput of acyclic
synchronous dataflow graphs, the minimum required buffers for which as
soon as possible (asap) scheduling achieves this throughput, and finally the
corresponding input-output latency of the graph. We first
investigate these problems for a single
parametric edge. The results are then extended to general acyclic
graphs using linear approximation techniques. We assess the proposed
analyses experimentally on both synthetic and real benchmarks.

The use of discrete abstractions for continuous dynamics has become
standard in hybrid systems design (see *e.g.*, and
the references therein). The main advantage of this approach is that
it offers the possibility to leverage controller synthesis techniques
developed in the areas of supervisory control of discrete-event
systems . The first attempts to compute discrete
abstractions for hybrid systems were based on traditional systems
behavioral relationships such as simulation or bisimulation, initially
proposed for discrete systems most notably in the area of formal
methods. These notions require inclusion or equivalence of observed
behaviors which is often too restrictive when dealing with systems
observed over metric spaces. For such systems, a more natural
abstraction requirement is to ask for closeness of observed
behaviors. This leads to the notions of approximate simulation and
bisimulation introduced in .

These approaches are based on sampling of time and space where the sampling parameters must satisfy some relation in order to obtain abstractions of a prescribed precision. In particular, the smaller the time sampling parameter, the finer the lattice used for approximating the state-space; this may result in abstractions with a very large number of states when the sampling period is small. However, there are a number of applications where sampling has to be fast; though this is generally necessary only on a small part of the state-space. We have been exploring two approaches to overcome this state-space explosion .

We are currently investigating an approach using mode sequences of given length as symbolic states for our abstractions. By using mode sequences of variable length we are able to adapt the granularity of our abstraction to the dynamics of the system, so as to automatically trade off precision against controllability of the abstract states.

We focus on the problem of computing tight deadline miss models for real-time systems, which bound the number of potential deadline misses in a given sequence of activations of a task. In practical applications, such guarantees are often sufficient because many systems are in fact not hard real-time .

Our major contribution this year is the extension of our method for computing deadline miss models, called Typical Worst-Case Analysis (TWCA), to systems with task dependencies. This allows us to provide bounds on deadline misses for systems which until now could not be analyzed .

In parallel, we have developed an extension of sensitivity analysis for budgeting in the design of weakly-hard real-time systems. During design, it often happens that some parts of a task set are fully specified while other parameters, e.g. regarding recovery or monitoring tasks, will be available only much later. In such cases, sensitivity analysis can help anticipate how these missing parameters can influence the behavior of the whole system so that a resource budget can be allocated to them. We have developed an extension of sensitivity analysis for deriving task budgets for systems with hard and weakly-hard requirements. This approach has been validated on synthetic test cases and a realistic case study given by our partner Thales. This work will be submitted soon.

Finally, in collaboration with TU Braunschweig and Daimler we have investigated the use of TWCA in conjunction with the Logical Execution Time paradigm according to which data are read and written at predefined time instants. In particular, we have extended TWCA to different deadline miss handling strategies. This work has not been published yet.

The failure of one component may entail a cascade of failures in other components; several components may also fail independently. In such cases, elucidating the exact scenario that led to the failure is a complex and tedious task that requires significant expertise.

The notion of causality *(did an event $e$ cause an event ${e}^{\text{'}}$?)*
has been studied in many disciplines, including philosophy, logic,
statistics, and law. The definitions of causality studied in these
disciplines usually amount to variants of the counterfactual test
“

In his PhD thesis, Yoann Geoffroy proposed a generalization of our fault ascription technique to systems composed of black-box and white-box components. For the latter a faithful behavioral model is given but no specification. The approach leverages results from game theory and discrete controller synthesis to define several notions of causality.

We are currently working on an instantiation of our general semantic
framework for fault ascription in to
acyclic models of computation, in order to compare our approach with
the standard definition of *actual causality* proposed by Halpern
and Pearl.

We have continued our work on multi-criteria scheduling, in two
directions. First, in the context of dynamic applications that are
launched and terminated on an embedded homogeneous multi-core chip,
under execution time and energy consumption constraints, we have
proposed a two layer adaptive scheduling method. In the first layer,
each application (represented as a DAG of tasks) is scheduled
statically on subsets of cores: 2 cores, 3 cores, 4 cores, and so
on. For each size of these sets (2, 3, 4, ...), there may be only
one topology or several topologies. For instance, for 2 or 3 cores
there is only one topology (a “line”), while for 4 cores there are
three distinct topologies (“line”, “square”, and
“T shape”). Moreover, for each topology, we generate statically
several schedules, each one subject to a different total energy
consumption constraint, and consequently with a different Worst-Case
Reaction Time (WCRT). Coping with the energy consumption constraints
is achieved thanks to Dynamic Frequency and Voltage Scaling (DVFS). In
the second layer, we use these pre-generated static schedules to
reconfigure dynamically the applications running on the multi-core
each time a new application is launched or an existing one is
stopped. The goal of the second layer is to perform a dynamic global
optimization of the configuration, such that each running application
meets a pre-defined quality-of-service constraint (translated into an
upper bound on its WCRT) and such that the total energy consumption be
minimized. For this, we *(i)* allocate a sufficient number of
cores to each active application, *(ii)* allocate the unassigned
cores to the applications yielding the largest gain in energy, and
*(iii)* choose for each application the best topology for its
subset of cores (*i.e.*, better than the by default “line”
topology). This is a joint work with Ismail Assayad (U. Casablanca, Morocco) who
visited the team in September 2015.

Second, in the context of a static application (again represented a
DAG of tasks) running on an homogeneous multi-core chip, we have
worked on the static scheduling minimizing the WCRT of the application
under the multiple constraints that the reliability, the power
consumption, and the temperature remain below some given thresholds.
There are multiple difficulties: *(i)* the reliability is not an
invariant measure w.r.t. time, which makes it impossible to use
backtrack-free scheduling algorithms such as list
scheduling ; to overcome this, we adopt instead the
Global System Failure Rate (GSFR) as a measure of the system's
reliability, which is invariant with time ;
*(ii)* keeping the power consumption under a given threshold
requires to lower the voltage and frequency, but this has a negative
impact both on the WCRT and on the GSFR; keeping the GSFR below a
given threshold requires to replicate the tasks on multiple cores, but
this has a negative impact both on the WCRT, on the power consumption,
and on the temperature; *(iii)* keeping the temperature below a
given threshold is even more difficult because the temperature
continues to increase even after the activity stops, so each
scheduling decision must be assessed not based on the current state of
the chip (*i.e.*, the temperature of each core) but on the state of the
chip at the end of the candidate task, and cooling slacks must be
inserted. We have proposed a multi-criteria scheduling heuristics to
address these challenges. It produces a static schedule of the given
application graph and the given architecture description, such that
the GSFR, power, and temperature thresholds are satisfied, and such
that the execution time is minimized. We then combine our heuristic
with a variant of the

In the past years, we have studied the implementation of specific
fault tolerance techniques in real-time embedded systems using program
transformation .
We are now investigating the use of automatic transformations to
ensure fault-tolerance properties in digital circuits. To this aim, we
consider program transformations for hardware description languages
(HDL).
We consider both single-event upsets (SEU) and single-event transients
(SET) and fault models of the form *“at most 1 SEU or SET
within $n$ clock cycles”*.

We have expressed several variants of triple modular redundancy (TMR)
as program transformations. We have proposed a verification-based
approach to minimize the number of voters in
TMR . Our technique guarantees that the
resulting circuit *(i)* is fault tolerant to the soft-errors
defined by the fault model and *(ii)* is functionally equivalent
to the initial one. Our approach operates at the logic level and takes
into account the input and output interface specifications of the
circuit. Its implementation makes use of graph traversal algorithms,
fixed-point iterations, and BDDs. Experimental results on the ITC’99
benchmark suite indicate that our method significantly decreases the
number of inserted voters which entails a hardware reduction of up to

Reversible concurrent models of computation provide natively what appears to be very fine-grained checkpoint and recovery capabilities. We have made this intuition clear by formally comparing a distributed algorithm for checkpointing and recovery based on causal information, and the distributed backtracking algorithm that lies at the heart of our reversible higher-order pi-calculus. We have shown that (a variant of) the reversible higher-order calculus with explicit rollback can faithfully encode a distributed causal checkpoint and recovery algorithm. The reverse is also true but under precise conditions, which restrict the ability to rollback a computation to an identified checkpoint. This work has currently not been published.

Inria and Orange Labs have established this year a joint virtual research laboratory, called I/O Lab. We have been heavily involved in the creation of the laboratory and are actively involved in its operation (Jean-Bernard Stefani is one of the two co-directors of the lab). I/O Lab focuses on the network virtualization and cloudification. As part of the work of I/O Lab, we have cooperated with Orange Lab, as part of a cooperative research contract funded by Orange, on defining architectural principles and frameworks for network cloud infrastructures encompassing control and management of computing, storage and network resources.

With Daimler (subcontracting via iUTBS): We have shown how to extend our current method for computing deadline miss models to real-time systems designed according to the Logical Execution Time paradigm.

With Thales: Early Performance assessment for evolving and variable Cyber-Physical Systems. This CIFRE grant funds the PhD of Christophe Prévot.

Despite recent advances, there exist currently no integrated formal methods and tools for the design and analysis of reconfigurable multi-view embedded systems. This is the goal of the Caserm project.

The Caserm project represents a significant effort towards a Coq-based design method for reconfigurable multi-view embedded systems, in order to formalize the structure and behavior of systems and to prove their main properties. The use of a proof assistant to support such a framework is motivated by the fact that the targeted systems are both extremely complex and critical. The challenges addressed are threefold:

to model software architectures for embedded systems taking into account their dynamicity and multiple constraints (functional as well as non functional);

to propose novel scheduling techniques for dynamically reconfiguring embedded systems; and

to advance the state of the art in automated proving for such systems.

The objectives of Caserm that address these challenges are organized in three tasks. They consist respectively in designing an architecture description framework based on a process calculus, in proposing online optimization methods for dynamic reconfiguration systems (this is the topic of Stephan Plassart's PhD), and in developing a formal framework for real-time analysis in the Coq proof assistant (this is the topic of Xiaojie Guo's PhD). A fourth task focuses on common case studies for the evaluation of the obtained results.

The Caserm consortium gathers researchers from the G-Scop, LIG and Verimag laboratories who are reknown specialists in these fields. The project started in November 2016 and will last three years.

We have a strong collaboration with the Technische Universität
Braunschweig in Germany. In particular, Sophie Quinton is involved in the CCC
project (http://

We also a recent collaboration with the MPI-SWS in Kaiserslautern (Germany) on formal proofs for real-time systems.

Title: Causality Analysis for Safety-Critical Embedded Systems

International Partner (Institution - Laboratory - Researcher):

University of Pennsylvania (United States) - PRECISE center - Oleg Sokolsky

Start year: 2015

See also: https://

Today's embedded systems become more and more complex, while an increasing number of safety-critical functions rely on them. Determining the cause(s) of a system-level failure and elucidating the exact scenario that led to the failure is today a complex and tedious task that requires significant expertise. The CAUSALYSIS project will develop automated approaches to causality analysis on execution logs.

Athena Abdi has been a visitor in the team from October 2015 to June 2016. She is doing her PhD at the Amirkabir University of Technology in Teheran, Iran. In the Spades team, she is working on multi-criteria scheduling for real-time embedded systems, addressing the complex interplay between reliability, power consumption, temperature, and execution time (see ).

Ismail Assayad has been a visitor in the team in September 2015. He is assistant professor at the University of Casablanca, Morocco. In the Spades team, he is working on adaptive scheduling methods and admission control for dynamic embedded applications (see ).

Sophie Quinton was artifact evaluation chair of the 24th International Conference on Real-Time Networks and Systems (RTNS'16).

Sophie Quinton was demo chair of the 22nd IEEE Real-Time Embedded Technology & Applications Symposium (RTAS'16)

Sophie Quinton was co-chair of the 1st Tutorial on Tools for Real-Time
Systems (TuToR'16), held as a satellite event of
CPSWeek'16. http://

Sophie Quinton was co-organizer of the 1st Workshop on Collaboration of
Academia and Industry for Real World Embedded Systems (CAIRES'16),
held as a satellite event of ESWeek'16. http://

Gregor Gössler was co-chair of the 1st international Workshop on Causal
Reasoning for Embedded and safety-critical Systems Technologies
(CREST'16) , held as a satellite event of
ETAPS'16. http://

Sophie Quinton was co-chair of the 7th International Workshop on Analysis
Tools and Methodologies for Embedded and Real-time Systems
(WATERS'16), held as a satellite event of ECRTS'16.
http://

Pascal Fradet served in the program committee of the 15th International Conference on Modularity (MODULARITY'16).

Alain Girault served in the program committees of the International Conference on Design and Test in Europe (DATE'16), the Embedded Software conference (EMSOFT'16), and the International Symposium on Industrial Embedded Systems (SIES'16).

Sophie Quinton served in the program committees of the 28th Euromicro Conference on Real-Time Systems (ECRTS'16), the 24th International Conference on Real-Time Networks and Systems (RTNS'16), the 4th International Workshop on Mixed Criticality Systems (WMC'16), the 10th Junior Researcher Workshop on Real-Time Computing (JRWRTC'16), and in the artifact evaluation committees of ECRTS'16 and the IEEE Real-Time Systems Symposium (RTSS'16).

Jean-Bernard Stefani served on the program committees of the 36th IFIP International Conference on Formal Techniques for Distributed Objects, Components and Systems (FORTE) and the 8th Conference on Reversible Computation.

Alain Girault reviewed an article for ECRTS'16.

Gregor Gössler reviewed articles for EMSOFT'16, FACS'16, and RTNS'16.

Xavier Nicollin reviewed an article for SIES'16.

Sophie Quinton reviewed articles for EMSOFT'16 and DATE'17.

Alain Girault is a member of the editorial board of the EURASIP Journal on Embedded Systems.

Jean-Bernard Stefani is a member of the editorial board of Annals of Telecommunications.

Alain Girault reviewed articles for ACM TECS, Parallel Computing, Embedded Systems Letters, and Microprocessors and Microsystems.

Gregor Gössler reviewed articles for Formal Methods in System Design (FMSD) and IEEE Transactions on Automatic Control (TAC).

Jean-Bernard Stefani reviewed articles for Theoretical Computer Science (TCS) and Science of Computer Programming (SCP).

Pascal Fradet is head of the committee for doctoral studies (“Responsable du comité des études doctorales”) of the Inria Grenoble – Rhône-Alpes research center and local correspondent for the young researchers Inria mission (mission jeunes chercheurs).

Alain Girault is Vice Chair of the Inria Evaluation Committee. As such, he co-organizes in particular the evaluation seminars of the Inria teams (twice a year) and all the juries for the hiring and promotion of Inria's researchers (CR2, CR1, DR2, DR1, and DR0).

Jean-Bernard Stefani is Head of science of the Inria Grenoble – Rhône-Alpes research center. As such, he manages with the research center director all aspects of the scientific life of the research center (creation of the research teams and their evaluation by international panels, scientific relationships with our academic and industrial partners, hiring of the new junior researchers, ...).

Jean-Bernard Stefani is co-director of I/O Lab, the joint research laboratory with Orange Lab.

Licence : Pascal Fradet, Théorie des Langages 1 & 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Gregor Gössler, Théorie des Langages 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Master : Xavier Nicollin, Sémantique et Analyse des Programmes, 11,25 HeqTD, niveau M1, Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Théorie des Langages 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Xavier Nicollin, Bases de la Programmation Impérative, 66 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Licence : Sophie Quinton, Théorie des Langages 2, 18 HeqTD, niveau L3, Grenoble INP (Ensimag), France

Master : Jean-Bernard Stefani, Formal Aspects of Component Software, 9h, MOSIG, Univ. Grenoble Alpes, France

Master : Sophie Quinton, Performance and Quantitative Properties, 6h, MOSIG, Univ. Grenoble Alpes, France

PhD: Yoann Geoffroy, “A general trace-based causality framework for component-based systems”, Univ. Grenoble Alpes, defended on December 7th 2016, advised by Gregor Gössler.

PhD in progress: Sihem Cherrared, “Fault Management in Multi-Tenant Programmable Networks”, Univ. Rennes 1, since October 2016, co-advised by Eric Fabre and Gregor Gössler.

PhD in progress: Christophe Prévot, “Early Performance assessment for evolving and variable Cyber-Physical Systems”, Univ. Grenoble Alpes, since November 2015, co-advised by Alain Girault and Sophie Quinton.

PhD in progress: Xiaojie Guo, “Formal Proofs for the Analysis of Real-Time Systems in Coq”, Univ. Grenoble Alpes, since December 2016, co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.

PhD in progress: Stephan Plassart, “On-line optimization in dynamic real-time systems”, Univ. Grenoble Alpes, since September 2016, co-advised by Alain Girault and Bruno Gaujal.

Alain Girault was president of the HDR jury of Goran Frehse (Univ. Grenoble Alpes).

Sophie Quinton was member of the PhD jury of Houssam Zahaf (U. Lille).

Jean-Bernard Stefani was president of the HDR jury of Tom Hirschowitz (U. Savoie).

Alain Girault gave a lecture to high school math professors, titled “Multi-core architectures, reliability, and optimization” (ISN conference cycle, Grenoble, February 2016).
http://