Keywords
 A1.1.1. Multicore, Manycore
 A1.1.9. Fault tolerant systems
 A1.3. Distributed Systems
 A2.1.1. Semantics of programming languages
 A2.1.6. Concurrent programming
 A2.1.9. Synchronous languages
 A2.3. Embedded and cyber-physical systems
 A2.3.1. Embedded systems
 A2.3.2. Cyber-physical systems
 A2.3.3. Real-time systems
 A2.4.1. Analysis
 A2.4.3. Proofs
 A2.5.2. Component-based Design
 B6.3.3. Network Management
 B6.4. Internet of things
 B6.6. Embedded systems
1 Team members, visitors, external collaborators
Research Scientists
 Gregor Goessler [Team leader, Inria, Senior Researcher, HDR]
 Martin Bodin [Inria, Researcher, from Oct 2020]
 Pascal Fradet [Inria, Researcher, HDR]
 Alain Girault [Inria, Senior Researcher, HDR]
 Sophie Quinton [Inria, Researcher]
 Jean-Bernard Stefani [Inria, Senior Researcher]
 Paolo Torrini [Inria, Advanced Research Position, from Jul 2020]
Faculty Member
 Xavier Nicollin [Institut polytechnique de Grenoble, Associate Professor]
Post-Doctoral Fellow
 Jia Jie Wang [Inria, until May 2020]
PhD Students
 Xiaojie Guo [Inria, until April 2020]
 Maxime Lesourd [Univ Grenoble Alpes]
 Thomas Mari [Institut polytechnique de Grenoble]
 Stephan Plassart [Inria, until Jun 2020]
 Aina Rasoldier [Inria, from Oct 2020]
 Arash Shafiei [Orange Labs, until Sep 2020]
 Martin Vassor [Inria]
Technical Staff
 Roger Pissard-Gibollet [Inria]
Interns and Apprentices
 Lucca Hoogenbosch [Ministère de l'Education Nationale, Intern, Feb 2020]
 Aina Rasoldier [Inria, Intern, from Feb 2020 until Jul 2020]
 Clement Stefani [Ministère de l'Education Nationale, Intern, Feb 2020]
Administrative Assistants
 Julia Di Toro [Inria, from Oct 2020]
 Helen Pouchot-Rouge-Blanc [Inria, until Sep 2020]
External Collaborator
 Aina Rasoldier [INSA Lyon, from Jul 2020 until Sep 2020]
2 Overall objectives
The Spades project-team aims at contributing to meet the challenge of designing and programming dependable embedded systems in an increasingly distributed and dynamic context. Specifically, by exploiting formal methods and techniques, Spades aims to answer three key questions:
 How to program open distributed embedded systems as dynamic adaptive modular structures?
 How to program reactive systems with real-time and resource constraints?
 How to program fault-tolerant and explainable embedded systems?
These questions are not new, but answering them in the context of modern embedded systems, which are increasingly distributed, open and dynamic in nature [53], makes them more pressing and more difficult to address: the targeted system properties – dynamic modularity, time-predictability, energy efficiency, and fault-tolerance – are largely antagonistic (e.g., having a highly dynamic software structure is at variance with ensuring that resource and behavioral constraints are met). Tackling these questions together is crucial to address this antagonism, and constitutes a key point of the Spades research program.
A few remarks are in order:
 We consider these questions to be central in the construction of future embedded systems, dealing as they are with, roughly, software architecture and the provision of real-time and fault-tolerance guarantees. Building a safety-critical embedded system cannot avoid dealing with these three concerns.
 The three questions above are highly connected. For instance, composability along the time, resource consumption and reliability dimensions is key to the success of a component-based approach to embedded systems construction.
 For us, “Programming” means any constructive process to build a running system. It can encompass traditional programming as well as high-level design or “model-based engineering” activities, provided that the latter are supported by effective compiling tools to produce a running system.
 We aim to provide semantically sound programming tools for embedded systems. This translates into an emphasis on formal methods and tools for the development of provably dependable systems.
3 Research program
The SPADES research program is organized around three main themes, Design and Programming Models, Certified Real-Time Programming, and Fault Management and Causal Analysis, that seek to answer the three key questions identified in Section 2. We plan to do so by developing and/or building on programming languages and techniques based on formal methods and formal semantics (hence the use of “sound programming” in the project-team title). In particular, we seek to support design where correctness is obtained by construction, relying on proven tools and verified constructs, with programming languages and programming abstractions designed with verification in mind.
3.1 Design and Programming Models
Work on this theme aims to develop models, languages and tools to support a “correct-by-construction” approach to the development of embedded systems.
On the programming side, we focus on the definition of domain specific programming models and languages supporting static analyses for the computation of precise resource bounds for program executions. We propose dataflow models supporting dynamicity while enjoying effective analyses. In particular, we study parametric extensions where properties such as liveness and boundedness remain statically analyzable.
On the design side, we focus on the definition of component-based models for software architectures combining distribution, dynamicity, real-time and fault-tolerant aspects. Component-based construction has long been advocated as a key approach to the “correct-by-construction” design of complex embedded systems [43]. Witness component-based toolsets such as Ptolemy [34], BIP [27], or the modular architecture frameworks used, for instance, in the automotive industry (AUTOSAR) [24]. For building large, complex systems, a key feature of component-based construction is the ability to associate with components a set of contracts, which can be understood as rich behavioral types that can be composed and verified to guarantee that a component assemblage will meet desired properties.
Formal models for component-based design are an active area of research. However, we are still missing a comprehensive formal model and its associated behavioral theory able to deal at the same time with different forms of composition, dynamic component structures, and quantitative constraints (such as timing, fault-tolerance, or energy consumption).
We plan to develop our component theory by progressing on two fronts: a semantical framework and domain-specific programming models. The work on the semantical framework should, in the longer term, provide abstract mathematical models for the more operational and linguistic analysis afforded by component calculi. Our work on component theory will find its application in the development of a Coq-based toolchain for the certified design and construction of dependable embedded systems, which constitutes our first main objective for this axis.
3.2 Certified Real-Time Programming
Programming real-time systems (i.e., systems whose correct behavior depends on meeting timing constraints) requires appropriate languages (as exemplified by the family of synchronous languages [29]), but also the support of efficient scheduling policies, execution time and schedulability analyses to guarantee real-time constraints (e.g., deadlines) while making the most effective use of available (processing, memory, or networking) resources. Schedulability analysis involves analyzing the worst-case behavior of real-time tasks under a given scheduling algorithm and is crucial to guarantee that time constraints are met in any possible execution of the system. Reactive programming and real-time scheduling and schedulability for multiprocessor systems are old subjects, but they are nowhere as mature as their uniprocessor counterparts, and still feature a number of open research questions [25, 33], in particular in relation with mixed criticality systems. The main goal in this theme is to address several of these open questions.
We intend to focus on two issues: multi-criteria scheduling on multiprocessors, and schedulability analysis for real-time multiprocessor systems. Beyond real-time aspects, multiprocessor environments, and multicore ones in particular, are subject to several constraints in conjunction, typically involving real-time, reliability and energy-efficiency constraints, making the scheduling problem more complex for both the offline and the online cases. Schedulability analysis for multiprocessor systems, in particular for systems with mixed criticality tasks, is still very much an open research area.
Distributed reactive programming is rightly singled out as a major open issue in the recent, but heavily biased (it essentially ignores recent research in synchronous and dataflow programming), survey by Bainomugisha et al. [25]. For our part, we intend to focus on devising synchronous programming languages for distributed systems and precision-timed architectures.
3.3 Fault Management and Causal Analysis
Managing faults is a clear and present necessity in networked embedded systems. At the hardware level, modern multicore architectures are manufactured using inherently unreliable technologies [30, 40]. The evolution of embedded systems towards increasingly distributed architectures highlighted in the introductory section means that dealing with partial failures, as in Web-based distributed systems, becomes an important issue.
In this axis we intend to address the question of how to cope with faults and failures in embedded systems. We will tackle this question by exploiting reversible programming models and by developing techniques for fault ascription and explanation in component-based systems.
A common theme in this axis is the use and exploitation of causality information. Causality, i.e., the logical dependence of an effect on a cause, has long been studied in disciplines such as philosophy [48], natural sciences, law [49], and statistics [50], but it has only recently emerged as an important focus of research in computer science. The analysis of logical causality has applications in many areas of computer science. For instance, tracking and analyzing logical causality between events in the execution of a concurrent system is required to ensure reversibility [46], to allow the diagnosis of faults in a complex concurrent system [42], or to enforce accountability [45], that is, designing systems in such a way that it can be determined without ambiguity whether a required safety or security property has been violated, and why. More generally, the goal of fault-tolerance can be understood as being to prevent certain causal chains from occurring by designing systems such that each causal chain either has its premises outside of the fault model (e.g., by introducing redundancy [38]), or is broken (e.g., by limiting fault propagation [51]).
4 Application domains
4.1 Industrial Applications
Our applications are in the embedded system area, typically: transportation, energy production, robotics, telecommunications, the Internet of Things (IoT), systems on chip (SoC). In some areas, safety is critical, and motivates the investment in formal methods and techniques for design. But even in less critical contexts, like telecommunications and multimedia, these techniques can be beneficial in improving the efficiency and the quality of designs, as well as the cost of the programming and the validation processes.
Industrial acceptance of formal techniques, as well as their deployment, goes necessarily through their usability by specialists of the application domain, rather than of the formal techniques themselves. Hence, we are looking to propose domain-specific (but generic) realistic models, validated through experience (e.g., control tasks systems), based on formal techniques with a high degree of automation (e.g., synchronous models), and tailored for concrete functionalities (e.g., code generation).
4.2 Current Industrial Cooperations
Regarding applications and case studies with industrial end-users of our techniques, we cooperate with Orange Labs on software architecture for cloud services.
5 Social and environmental responsibility
5.1 Footprint of research activities
This is the first time the team has considered assessing the footprint of its activities. However, 2020 has been quite an unusual year (!) in terms of research activities: almost no travel, remote working... In addition, there are currently no Inria guidelines regarding how GHG emissions (or more generally environmental impacts) should be estimated and attributed (e.g. heating of buildings, eating at work). As a result, we are not able at this point to provide a representative estimate of the footprint of our research activities. That said, we support the idea of providing such an estimate in the future and contribute here a few suggestions and questions.
Based on similar assessments in other institutions, one can expect the footprint to be mainly due to the following activities:
 travels (for conferences, project meetings etc.)
 daily commutes (to and from Inria as well as to and from the campus)
 purchase of computers, screens, etc. (how should we account for this?)
 heating, and more generally building costs
 all supporting activities (digital infrastructures such as web servers, mail servers, data storage... but also the footprint of the activities of non-scientific staff)
Note that SPADES' research activities do not require data intensive computations.
We argue that the last two points should be assessed at the research center level. Besides, we would appreciate supporting tools for the (semi)automatic extraction and analysis of data for travels, as well as specific guidelines for daily commutes and purchases.
5.2 Impact of research results
Research into the connection between ICT (Information and Communication Technologies) and the environmental crisis started in 2020 within the SPADES team. Sophie Quinton co-supervised the internship of Aina Rasoldier on the assessment of environmental impacts of ICT. Aina is now a PhD candidate in the team, working on the potential and risks of local digital solutions for tackling the environmental crisis. This is the first visible action of a larger move of the team to establish new research directions in the broad topic of environmental impacts.
6 New software and platforms
6.1 New software
6.1.1 pyCPA_TWCA
 Name: Analysis tool for weakly-hard real-time systems
 Keywords: Real time, Scheduling analyses
 Functional Description: pyCPA_TWCA is a pyCPA plugin for Typical Worst-Case Analysis. pyCPA is an open-source Python implementation of Compositional Performance Analysis developed at TU Braunschweig, which allows in particular response-time analysis. pyCPA_TWCA is an extension of that tool that is co-developed by Sophie Quinton and Zain Hammadeh at TU Braunschweig. It allows in particular the computation of weakly-hard guarantees for real-time tasks, i.e. the number of deadline misses out of a sequence of executions. So far, pyCPA_TWCA is restricted to uniprocessor systems of independent tasks. pyCPA_TWCA can handle the following scheduling policies: Fixed Priority Preemptive, Fixed Priority Non-Preemptive, Weighted Round-Robin, Earliest Deadline First.
 Contact: Sophie Quinton
6.1.2 CertiCAN
 Name: Certifier of CAN bus analysis results
 Keywords: Certification, CAN bus, Real time, Static analysis
 Functional Description: CertiCAN is a tool, produced using the Coq proof assistant, allowing the formal certification of the correctness of CAN bus analysis results. Result certification is a process that is lightweight and flexible compared to tool certification, which makes it a practical choice for industrial purposes. The analysis underlying CertiCAN, which is based on a combined use of two well-known CAN analysis techniques, is computationally efficient. Experiments demonstrate that CertiCAN is able to certify the results of RTaW-Pegase, an industrial CAN analysis tool, even for large systems. Furthermore, CertiCAN can certify the results of any other RTA tool for the same analysis and system model (periodic tasks with offsets in transactions).
 Contacts: Pascal Fradet, Xiaojie Guo, Jean-François Monin, Sophie Quinton
7 New results
7.1 Design and Programming Models
Participants: Pascal Fradet, Alain Girault, Xavier Nicollin, Arash Shafiei, Jean-Bernard Stefani, Martin Vassor.
7.1.1 Hypercells
The Hypercell framework, presented in [52], allows the definition of different component models for dynamic software architectures featuring both sharing and encapsulation. Its behavioral theory is still in its initial stages but features the definition of a form of contextual bisimilarity. This year has seen the further development of the framework with new results on the modeling of encapsulation policies and their characterization by means of contextual bisimilarity, and the development of a first implementation of the framework as a Rust programming language library.
In collaboration with the Spirals team at Inria Lille – Nord Europe, and Orange, we have used hypercells as a pivot model for developing interpretations, formally defined with the Alloy specification language, of various languages and formalisms for the description of software configurations for cloud computing environments. Configuration languages considered include the TOSCA and OCCI standards, as well as the OpenStack Heat Orchestration Template (HOT), Docker Compose, and the Aeolus component model for cloud deployment. This work, developed as part of a bilateral contract with Orange, allowed the development of a verification tool for the correctness of HOT configurations, and helped uncover several flaws in the HOT specifications and in the ETSI NFV standard. The work is reported in [20].
7.1.2 Dynamicity in dataflow models
Recent dataflow programming environments support applications whose behavior is characterized by dynamic variations in resource requirements. The high expressive power of the underlying models (e.g., Kahn Process Networks or the CAL actor language) makes it challenging to ensure predictable behavior. In particular, checking liveness (i.e., no part of the system will deadlock) and boundedness (i.e., the system can be executed in finite memory) is known to be hard or even undecidable for such models. This situation is troublesome for the design of high-quality embedded systems. In the past few years, we have proposed several parametric dataflow models of computation (MoCs) [37, 28], we have written a survey providing a comprehensive description of the existing parametric dataflow MoCs [31], and we have studied symbolic analyses of dataflow graphs [32]. More recently, we have proposed an original method to deal with lossy communication channels in dataflow graphs [35].
We are nowadays studying models allowing dynamic reconfigurations of the topology of the dataflow graphs. This is required by many modern streaming applications that have a strong need for reconfigurability, for instance to accommodate changes in the input data, the control objectives, or the environment.
We have proposed a new MoC called Reconfigurable Dataflow (RDF) [36]. RDF extends SDF with transformation rules that specify how the topology and actors of the graph may be reconfigured. Starting from an initial RDF graph and a set of transformation rules, an arbitrary number of new RDF graphs can be generated at runtime. Transformations can be seen as graph rewriting rules that match some subpart of the dataflow graph and replace it by another one. Transformations can be applied an arbitrary number of times during execution and therefore can produce an arbitrary number of new graphs. The major feature and advantage of RDF is that it can be statically analyzed to guarantee that all possible graphs generated at runtime will be connected, consistent, and live. To the best of our knowledge, RDF is the only dataflow MoC allowing an arbitrary number of topological reconfigurations while remaining statically analyzable. The RDF MoC has been implemented by Arash Shafiei within a software tool that allows the designer to write an initial RDF graph and its transformation rules. The static analyses for connectivity, consistency, and liveness have been implemented too. A Canny edge detector case study shows that dynamic reconfigurations to increase the parallelism level, when the incoming video stream becomes more computationally intensive, can be performed seamlessly. Finally, we have proposed in 2020 a new latency analysis for RDF that allows us to bound the latency variation incurred by applying a given transformation rule, whatever the RDF graph it is applied to.
This is the research topic of Arash Shafiei's PhD, in collaboration with Orange Labs.
7.2 Certified Real-Time Programming
Participants: Pascal Fradet, Alain Girault, Xavier Nicollin, Sophie Quinton, Xiaojie Guo, Maxime Lesourd.
7.2.1 A Markov Decision Process approach for energy minimization policies
In the context of independent real-time sporadic jobs running on a single-core processor equipped with Dynamic Voltage and Frequency Scaling (DVFS), we have proposed a Markov Decision Process (MDP) approach to minimize the energy consumption while guaranteeing that each job meets its deadline. The idea is to leverage the statistical information on the jobs' characteristics available at design time: release time, worst-case execution time (WCET), and relative deadline. This is the topic of Stephan Plassart's PhD [18], funded by the Caserm Persyval project. We have considered several cases depending on the amount of information available at design time:
 Offline case: In the offline case, all the information is known and we have proposed the first linear complexity offline scheduling algorithm that minimizes the total energy consumption [9, 19]: our complexity is $\mathcal{O}(n)$, where $n$ is the number of jobs to be scheduled, while the previously best known algorithms were in $\mathcal{O}(n^2)$ and $\mathcal{O}(n \log n)$ [47].
 Clairvoyant case: In the clairvoyant case, the characteristics of the jobs are only known statistically, and each job's WCET and relative deadline are only known at release time. We want to compute the optimal online scheduling speed policy that minimizes the expected energy consumption while guaranteeing that each job meets its deadline. This general constrained optimization problem can be modeled as an unconstrained MDP by choosing a proper state space that also encodes the constraints of the problem. In the finite horizon case we use a dynamic programming algorithm, while in the infinite horizon case we use a value iteration algorithm [10].
 Non-clairvoyant case: In the non-clairvoyant case, the actual execution time (AET) of a job is only known when this job completes its execution. This AET is of course assumed to be less than the WCET, which is known at the job's release time. Again, by building an MDP for the system with a well chosen state, we compute the optimal online scheduling speed policy that minimizes the expected energy consumption [16].
 Learning case: In the learning case, the only information known for the jobs is a bound on the jobs' WCETs and a bound on their deadlines. We have proposed two reinforcement learning algorithms, one that learns the optimal value of the expected energy (Q-learning), and another one that learns the probability transition matrix of the system, from which we derive the optimal online speed policy.
This work led us to compare several existing speed policies with respect to their feasibility. Indeed, the policies (OA) [54], (AVR) [54], and (BKP) [26] all assume that the maximal speed $S_{max}$ available on the processor is infinite, which is an unrealistic assumption. For these three policies and for our (MDP) policy, we have established necessary and sufficient conditions on $S_{max}$ guaranteeing that no job will ever miss its deadline [11].
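As an added illustration of the clairvoyant case (this is not the paper's code, data or state-space construction), a finite-horizon dynamic program on a constructed instance: one sporadic job type released with a fixed probability at each slot, integer work units, a cubic power model, a state vector of remaining work indexed by slots-to-deadline, and the hard-deadline constraint folded into the state (a speed is only admissible if it completes the work due at the end of the current slot), all of which are assumptions here.

```python
from dataclasses import dataclass
from functools import lru_cache


@dataclass(frozen=True)
class Instance:
    """Constructed toy instance (assumption): one sporadic job type, integer work units."""
    horizon: int        # number of time slots H (finite horizon)
    p_arrival: float    # probability that a job is released at the start of a slot
    wcet: int           # job WCET in work units, known at release (clairvoyant case)
    deadline: int       # relative deadline in slots, known at release
    speeds: tuple       # available processor speeds, in work units per slot

    def power(self, speed):
        # Assumed energy spent in one slot at `speed` (cubic in speed, as in usual DVFS models)
        return speed ** 3


def execute(state, speed):
    """Run `speed` work units, earliest deadline first, and advance one slot.

    state[j] is the work that must be finished within j+1 slots.  The caller only
    chooses speed >= state[0], so the work due at the end of this slot is never left over.
    """
    work = list(state)
    budget = speed
    for j in range(len(work)):
        done = min(work[j], budget)
        work[j] -= done
        budget -= done
    return tuple(work[1:]) + (0,)   # one slot elapsed: every deadline is one slot closer


def solve(inst):
    """Backward dynamic programming over (slot, remaining-work state).

    Returns (expected minimal energy from an idle start, policy) where
    policy(t, state_after_release) is the optimal speed for slot t.
    """
    # Releases after this slot would have deadlines beyond the horizon, so none are generated.
    last_release = inst.horizon - inst.deadline

    @lru_cache(maxsize=None)
    def q(t, state):
        # Best (energy, speed) from slot t once this slot's release has been observed.
        best = (float("inf"), None)
        for s in inst.speeds:
            if s < state[0]:       # the work due at the end of this slot would miss its deadline
                continue
            cost = inst.power(s) + value(t + 1, execute(state, s))
            if cost < best[0]:
                best = (cost, s)
        return best

    @lru_cache(maxsize=None)
    def value(t, state):
        # Expected minimal energy from slot t, before this slot's random release.
        if t == inst.horizon:
            return 0.0 if not any(state) else float("inf")
        if t <= last_release:
            released = list(state)
            released[inst.deadline - 1] += inst.wcet
            outcomes = [(1.0 - inst.p_arrival, state), (inst.p_arrival, tuple(released))]
        else:
            outcomes = [(1.0, state)]
        return sum(prob * q(t, st)[0] for prob, st in outcomes if prob > 0)

    idle = (0,) * inst.deadline
    return value(0, idle), (lambda t, state: q(t, state)[1])
```

With two back-to-back deterministic releases of 2 work units and a 2-slot deadline over 3 slots, the optimal policy spreads the 4 units as evenly as the deadlines allow (speeds 1, 1, 2 or 2, 1, 1) for an energy of 10, rather than running each job at speed 2 in its release slot (energy 16).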
7.2.2 Formal proofs for schedulability analysis of real-time systems
We contribute to Prosa [21], a Coq library of reusable concepts and proofs for real-time systems analysis. A key scientific challenge is to achieve a modular structure of proofs, e.g., for response time analysis. Our goal is to use this library for:
 a better understanding of the role played by some assumptions in existing proofs;
 a formal verification and comparison of different analysis techniques; and
 the certification of results of existing (e.g., industrial) analysis tools.
We advanced our work on formal proofs for schedulability analysis of real-time systems mainly in two directions in 2020. First, several optimizations have dramatically increased the timing efficiency of our CertiCAN tool, the first formally proven tool able to certify the results of commercial CAN analysis tools. This work is included in the PhD thesis of Xiaojie Guo (not yet published), who defended in December 2020. Second, Paolo Torrini, who was recruited in July 2020, has opened a new line of work on correct-by-construction implementation of schedulers.
7.2.3 Scheduling under multiple constraints and Pareto optimization
We have considered the bi-criteria minimization problem in the (worst-case execution time – WCET, worst-case energy consumption – WCEC) space for real-time programs. To the best of our knowledge, this is the first contribution of this kind in the literature.
A real-time program is abstracted as a Timed Control Flow Graph (TCFG), where each basic block is labeled with the number of clock cycles required to execute it on the chosen processor at the nominal frequency. This timing information can be obtained, for instance, with a WCET analysis tool. The target processor is equipped with dynamic voltage and frequency scaling (DVFS) and offers several (frequency $f$, voltage $V$) operating points, as is the case with most processors today. The goal is to compute a set of assignments from the set of basic blocks of the TCFG to the set of available $(f,V)$ pairs, such that each such assignment is a non-dominated point in the (WCET, WCEC) plane, non-dominated in the Pareto sense.
From the TCFG we extract the longest execution path, and then we compute the WCET and the WCEC for this path at a chosen $(f,V)$ pair. By construction, all the other execution paths are shorter, so this WCET and this WCEC hold for the whole program. This ensures that each single-frequency assignment is a non-dominated point, and therefore belongs to the Pareto front. Then, we have studied two-frequency assignments, still for the longest execution path. When the frequency switching costs in time and in energy are assumed to be negligible, we have proved that each two-frequency assignment (say with $f_i$ and $f_k$) is a point located on the segment between the single-frequency assignment at $f_i$ and the single-frequency assignment at $f_k$. We have also proposed a linear time heuristic to assign an $(f,V)$ pair to all the other blocks (i.e., those not belonging to the longest path) such that all the other execution paths of the TCFG have a shorter WCET and a smaller WCEC. We have also established conditions under which the resulting assignment corresponds to a non-dominated point. Finally, we have generalized these results to the case where the frequency switching costs are not negligible. Surprisingly, this case reduces the size of the search space from exponential ($m^n$, where $n$ is the number of blocks and $m$ is the number of frequencies) to polynomial, because all the assignments involving more than three different frequencies are dominated by an assignment involving either one or two frequencies. This key result allows us to generate the exact Pareto front. This was the topic of Jia Jie Wang's postdoc.
All our algorithms have been evaluated on a set of hard real-time benchmark programs. This shows that they perform extremely well. Our DVFS assignment algorithm can also be used as a back-end for the compiler of the PRET-C programming language [22, 23, 1] in order to make it energy aware, thanks to the ability of this compiler to generate TCFGs. Future work will involve developing similar algorithms in the much more difficult case of the parallel programming language ForeC [39].
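As an added worked example (not the project's own tool or data), the single- and two-frequency analysis of the longest path on a constructed TCFG with negligible switching costs. The DAG, its cycle counts, the operating points and the energy model (energy per cycle proportional to $V^2$, so WCEC = cycles × $V^2$ and WCET = cycles / $f$) are all assumptions; under that model the two-frequency point is exactly the convex combination of the two single-frequency points weighted by the share of cycles run at each frequency, which the `on_segment` check verifies numerically.

```python
from functools import lru_cache

# Constructed TCFG (assumption): blocks with cycle counts at the nominal frequency and DAG edges.
BLOCK_CYCLES = {"entry": 2, "a": 4, "b": 1, "c": 6, "exit": 2}
EDGES = {"entry": ["a", "b"], "a": ["c"], "b": ["c"], "c": ["exit"], "exit": []}
# Constructed DVFS operating points (frequency in cycles per ns, supply voltage in V).
# The last one is deliberately wasteful (same frequency as the first, higher voltage).
OPERATING_POINTS = [(1.0, 1.0), (2.0, 1.5), (3.0, 2.0), (1.0, 1.2)]


def longest_path(cycles, edges, start, end):
    """Longest path in cycles through the DAG, i.e. the worst-case execution path."""
    @lru_cache(maxsize=None)
    def best(node):
        if node == end:
            return cycles[node], (node,)
        tail = max((best(n) for n in edges[node]), key=lambda r: r[0])
        return cycles[node] + tail[0], (node,) + tail[1]
    return best(start)


def single_frequency_point(total_cycles, op):
    """(WCET, WCEC) when every block of the path runs at the same operating point."""
    f, v = op
    return (total_cycles / f, total_cycles * v ** 2)


def two_frequency_point(path_cycles, op_i, op_k, blocks_at_i):
    """(WCET, WCEC) when the blocks in `blocks_at_i` run at op_i and the others at op_k."""
    cycles_i = sum(path_cycles[b] for b in blocks_at_i)
    cycles_k = sum(path_cycles.values()) - cycles_i
    return (cycles_i / op_i[0] + cycles_k / op_k[0],
            cycles_i * op_i[1] ** 2 + cycles_k * op_k[1] ** 2)


def on_segment(point, p_i, p_k, tol=1e-9):
    """True if `point` is a convex combination of p_i and p_k (it lies on their segment)."""
    dx = p_i[0] - p_k[0]
    if abs(dx) < tol:   # vertical segment: same WCET, check the WCEC range
        return (abs(point[0] - p_i[0]) < tol and
                min(p_i[1], p_k[1]) - tol <= point[1] <= max(p_i[1], p_k[1]) + tol)
    lam = (point[0] - p_k[0]) / dx   # weight of p_i recovered from the WCET coordinate
    return (-tol <= lam <= 1 + tol and
            abs(lam * p_i[1] + (1 - lam) * p_k[1] - point[1]) < tol)


def pareto_front(points):
    """Non-dominated points: no other point is at least as good on both criteria."""
    def dominated(p):
        return any(q != p and q[0] <= p[0] and q[1] <= p[1] for q in points)
    return sorted({p for p in points if not dominated(p)})


def analyse():
    """Longest path, one (WCET, WCEC) point per operating point, and their Pareto front."""
    total, path = longest_path(BLOCK_CYCLES, EDGES, "entry", "exit")
    singles = {op: single_frequency_point(total, op) for op in OPERATING_POINTS}
    return total, path, singles, pareto_front(list(singles.values()))
```

On this instance the wasteful (1.0, 1.2) point is dominated by (1.0, 1.0) and drops out of the front, while running the first 6 of the 14 path cycles at 1.0 GHz and the rest at 2.0 GHz lands exactly 3/7 of the way along the segment between the two corresponding single-frequency points.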
7.3 Fault Management and Causal Analysis
Participants: Gregor Goessler, Jean-Bernard Stefani, Sihem Cherrared, Thomas Mari.
7.3.1 Fault Ascription in Concurrent Systems
Fault ascription is a precise form of fault diagnosis that relies on counterfactual analysis for pinpointing the causes of system failures. Research on counterfactual causality has been marked, until today, by a succession of definitions of causation that are informally validated against human intuition on mostly simple examples. This approach suffers from its dependence on the tiny number and incompleteness of examples in the literature, and from the lack of objective correctness criteria 41.
We have introduced in 14 a general framework for fault ascription, which consists in identifying, in a concurrent system, the events or components whose faulty behavior has caused the failure of said system. Our framework uses configuration structures as a general semantical model to handle truly concurrent executions, partial and distributed observations in a uniform way. In contrast with most of the current literature on counterfactual analysis which relies heavily on a set of toy examples, we have defined a set of expected formal properties for counterfactual builders, i.e. operators that build counterfactual executions. We have then shown that causality analyses that satisfy our requirements meet a set of elementary soundness and completeness properties. Finally we have presented a concrete causality analysis meeting all our requirements, and we have shown it to be monotonic under two forms of refinement.
7.3.2 Causal Explanations for Embedded Systems
Model-Based Diagnosis of discrete event systems (DES) usually aims at detecting failures and isolating faulty event occurrences based on a behavioural model of the system and an observable execution log. The strength of a diagnostic process is to determine what happened that is consistent with the observations. In order to go a step further and explain why the observed outcome occurred, we borrow techniques from causal analysis. We are currently exploring techniques that are able to extract, from an execution trace, the causally relevant part for a property violation. As part of the SEC project we are investigating how such techniques can be extended to classes of real-time systems.
7.3.3 Fault Management in Virtualized Networks
From a more applied point of view we have been investigating approaches for fault explanation and localization in virtualized networks. In essence, Network Function Virtualization (NFV), widely adopted by the industry and the standardization bodies, is about running network functions as software workloads on commodity hardware to optimize deployment costs and simplify the lifecycle management of network functions. However, it introduces new fault management challenges including dynamic topology and multi-tenant fault isolation. In her PhD thesis [17], Sihem Cherrared has proposed a model-based root cause analysis framework for virtualized networks. In order to overcome the lack of accurate previous knowledge, the framework features a self-modeling algorithm that models the dependencies within and between layers of virtual networks, including auto-recovery and elasticity aspects. Model-based diagnosis is performed using constraint solving on the previous and acquired knowledge.
8 Bilateral contracts and grants with industry
8.1 Bilateral contracts with industry
 Inria and Orange Labs have established in 2015 a joint virtual research laboratory, called I/O Lab. We have been heavily involved in the creation of the laboratory and are actively involved in its operation (Jean-Bernard Stefani was one of the two co-directors of the lab, till Feb. 2020). I/O Lab focuses on network virtualization and cloudification. As part of the work of I/O Lab, we have cooperated with Orange Labs, as part of a cooperative research contract funded by Orange, on defining architectural principles and frameworks for network cloud infrastructures encompassing control and management of computing, storage and network resources.
8.2 Grants with Industry
With Orange:
 Fault Management in Multi-Tenant Programmable Networks. This CIFRE grant funded the PhD of Sihem Cherrared.
 Dynamic dataflow models of computation. This CIFRE grant funds the PhD of Arash Shafiei.
9 Partnerships and cooperations
9.1 National initiatives
9.1.1 ANR
RTproofs
Participants: Pascal Fradet, Xiaojie Guo, Maxime Lesourd, Sophie Quinton.
RTproofs is an ANR/DFG project between Inria, MPI-SWS, Onera, TU Braunschweig and Verimag, running from 2018 until 2022.
The overall objective of the RTproofs project is to lay the foundations for computer-assisted formal verification of timing analysis results. More precisely, the goal is to provide:
 a strong formal basis for schedulability, blocking, and response-time analysis supported by the Coq proof assistant, that is as generic, robust, and modular as possible;
 correctness proofs for new and well-established generalized response-time analysis results, and a better, precise understanding of the role played by key assumptions and formal connections between competing analysis techniques;
 an approach for the generation of proof certificates so that analysis results – in contrast to analysis tools – can be certified.
The results obtained in 2020 in connection with the RTproofs project are described in Section 7.2.2.
DCore
Participants: Gregor Goessler, Jean-Bernard Stefani.
DCore is an ANR project between Inria project teams Antique, Focus and Spades, and the Irif lab, running from 2019 to 2023.
The overall objective of the project is to develop a semantically well-founded, novel form of concurrent debugging, which we call causal debugging, that aims to alleviate the deficiencies of current debugging techniques for large concurrent software systems. The causal debugging technology developed by DCore will comprise and integrate two main novel engines:
 a reversible execution engine that allows programmers to backtrack and replay a concurrent or distributed program execution, in a way that is both precise and efficient (only the exact threads involved by a return to a target anterior or posterior program state are impacted);
 a causal analysis engine that allows programmers to analyze concurrent executions, by asking questions of the form “what caused the violation of this program property?”, and that allows for the precise and efficient investigation of past and potential program executions.
9.1.2 Institute of Technology (IRT)
CAPHCA
Participants: Alain Girault, Nicolas Hili.
Caphca is a project within the Antoine de Saint Exupéry IRT in Toulouse. The general objective of the project is to provide methods and tools to achieve both performance and determinism on modern, high-performance, multi-core and FPGA-enabled SoCs. Our specific contribution lies within work packages dedicated to the design of novel PRET architectures and programming languages. This contract has yielded two publications so far [44, 39].
9.2 Regional initiatives
SEC
Participants: Gregor Goessler, Thomas Mari.
SEC (Safe and Explainable Cyberphysical systems, 2019–22) is a joint project by Spades and Verimag, funded by the "Initiative of Excellence" of Grenoble University. It funds Thomas Mari's PhD thesis.
10 Dissemination
10.1 Promoting scientific activities
10.1.1 Scientific events: organisation
General chair, scientific chair
 Alain Girault belongs to the Steering Committee of the international conferences EMSOFT and DISCOTEC.
10.1.2 Scientific events: selection
Chair of conference program committees
 Alain Girault was TPC co-chair of the Forum on Specification & Design Languages (FDL'20).
Member of the conference program committees
 Gregor Gössler was a TPC member of the International Conference on Embedded Software (EMSOFT'20) and International Conference on Formal Methods and Models for System Design (MEMOCODE'20).
 Sophie Quinton was a TPC member of the Euromicro Conference on Real-Time Systems (ECRTS'20) and the Real-Time Systems Symposium (RTSS'20).
Reviewer
 Alain Girault has reviewed articles for the international conferences EMSOFT’20 and RTSS’20.
10.1.3 Journal
Member of the editorial boards
 Alain Girault is guest editor for a special issue of ACM Trans. on Embedded Computing Systems. He is associate editor for the Real-Time Systems Journal and for the Eurasip Journal on Embedded Systems.
Reviewer - reviewing activities
 Alain Girault has reviewed several articles for ACM Trans. on Embedded Computing Systems.
 Gregor Gössler has reviewed an article for the Journal of Computer Security.
10.1.4 Leadership within the scientific community
 Alain Girault is a member of the EMSIG board and he manages its mailing list.
 Sophie Quinton is a member of the ACM SIGBED Executive Committee and Associate Editor of the SIGBED Blog.

 Sophie Quinton co-chairs a working group of the GDR CIS associated with the Center for Internet and Society (http://cis.cnrs.fr/) focused on environmental issues.
10.1.5 Scientific expertise
 Gregor Gössler has reviewed a project for the French funding agency ANR.
10.1.6 Research administration
 Pascal Fradet is head of the committee for doctoral studies (“Responsable du comité des études doctorales”) of the Inria Grenoble – Rhône-Alpes research center and local correspondent for the young researchers Inria mission (“Mission jeunes chercheurs”).
 Alain Girault is Deputy Scientific Director in charge of the domain “Algorithmics, Programming, Software and Architecture”.
 Xavier Nicollin is a member of the committee for computing resources users (“Comité des Utilisateurs des Moyens Informatiques”) of the Inria Grenoble – Rhône-Alpes research center.
 Sophie Quinton is in charge of organizing discussions and actions regarding the environmental and societal impact of our research at Inria Grenoble Rhône-Alpes.
 Jean-Bernard Stefani is Head of Science of the Inria Grenoble Rhône-Alpes research center.
10.2 Teaching - Supervision - Juries
10.2.1 Teaching
 Licence : Pascal Fradet, Théorie des Langages 1 & 2, 36 HeqTD, niveau L3, Grenoble INP (Ensimag), France
 Licence : Pascal Fradet, Modèles de Calcul : $\lambda$-calcul, 12 HeqTD, niveau L3, Univ. Grenoble Alpes, France
 Master : Xavier Nicollin, Analyse de Code pour la Sûreté et la Sécurité, 45 HeqTD, niveau M1, Grenoble INP (Ensimag), France
 Licence : Xavier Nicollin, Théorie des Langages 1, 48 HeqTD, niveau L3, Grenoble INP (Ensimag), France
 Licence : Xavier Nicollin, Théorie des Langages 2, 37,5 HeqTD, niveau L3, Grenoble INP (Ensimag), France
 Licence : Xavier Nicollin, Bases de la Programmation Impérative, 30 HeqTD, niveau L3, Grenoble INP (Ensimag), France
 Master : Sophie Quinton, Performance and Quantitative Properties, 8 HeqTD, MOSIG, Univ. Grenoble Alpes, France
 Master : Jean-Bernard Stefani, Formal Aspects of Component Software, 9h, MOSIG, Univ. Grenoble Alpes, France
10.2.2 Supervision
 PhD: Sihem Cherrared, “Fault Management in Multi-Tenant Programmable Networks”; Univ. Rennes 1; defended on June 26, 2020; co-advised by Eric Fabre and Gregor Gössler.
 PhD in progress: Thomas Mari, “Construction of Safe Explainable Cyberphysical systems”; Grenoble INP; since October 2019; co-advised by Gregor Gössler and Thao Dang.
 PhD defended in June 2020: Stephan Plassart, “Online optimization in dynamic real-time systems”; Univ. Grenoble Alpes; co-advised by Bruno Gaujal and Alain Girault.
 PhD defended on December 18, 2020: Xiaojie Guo, “Formal Proofs for the Analysis of Real-Time Systems in Coq”; Univ. Grenoble Alpes; since December 2016; co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.
 PhD in progress: Maxime Lesourd, “Generic Proofs for the Analysis of Real-Time Systems in Coq”; Univ. Grenoble Alpes; since September 2017; co-advised by Pascal Fradet, Jean-François Monin, and Sophie Quinton.
 PhD in progress: Arash Shafiei, “RDF: A reconfigurable dataflow MoC supporting dynamic topological transformations and static analyzability”; Univ. Grenoble Alpes; since September 2017; co-advised by Pascal Fradet, Alain Girault, and Xavier Nicollin.
 PhD in progress: Martin Vassor, “Analysis and types for safe dynamic software reconfigurations”; Univ. Grenoble Alpes; since November 2017; co-advised by Pascal Fradet and Jean-Bernard Stefani.
10.2.3 Juries
 Alain Girault was president of the PhD jury of Alexandre Honorat (INSARennes).
 Gregor Gössler was reviewer for the PhD thesis of Valentin Bouziat (Toulouse University).
10.3 Popularization
10.3.1 Education

 Sophie Quinton is part of the scientific committee of the upcoming “COP2 étudiante” (https://cop2etudiante.org/).
10.3.2 Interventions
 Sophie Quinton was invited to the panel of Forum 5i on the topic: “Innovation and carbon footprint: which synergies?”.
11 Scientific production
11.1 Major publications
[1] 'A Predictable Framework for Safety-Critical Embedded Systems'. IEEE Transactions on Computers (TC) 63(7), July 2014, 1600–1612.
[2] 'A Survey of Parametric Dataflow Models of Computation'. ACM Trans. Design Autom. Electr. Syst. 22(2), 2017, 38:1–38:25.
[3] 'Aspects preserving properties'. Science of Computer Programming 77(3), 2012, 393–422.
[4] 'CertiCAN: A Tool for the Coq Certification of CAN Analysis Results'. RTAS 2019 - 25th IEEE Real-Time and Embedded Technology and Applications Symposium, Montreal, Canada, IEEE, April 2019, 1–10.
[5] 'Formal Analysis of Timing Effects on Closed-loop Properties of Control Software'. 35th IEEE Real-Time Systems Symposium 2014 (RTSS), Rome, Italy, December 2014.
[6] 'Safety Controller Synthesis for Incrementally Stable Switched Systems Using Multiscale Symbolic Models'. IEEE Transactions on Automatic Control 61(6), 2016, 1537–1549.
[7] 'A general framework for blaming in component-based systems'. Science of Computer Programming 113, Part 3, 2015.
[8] 'Reversibility in the higher-order $\pi$-calculus'. Theoretical Computer Science 625, 2016, 25–84.
11.2 Publications of the year
International journals
[9] 'A Pseudo-Linear Time Algorithm for the Optimal Discrete Speed Minimizing Energy Consumption'. Discrete Event Dynamic Systems, 2020.
[10] 'Dynamic Speed Scaling Minimizing Expected Energy Consumption for Real-Time Tasks'. Journal of Scheduling, July 2020, 1–25.
[11] 'Feasibility of online speed policies in real-time systems'. Real-Time Systems, April 2020.
[12] 'System-level Logical Execution Time: Augmenting the Logical Execution Time Paradigm for Distributed Real-Time Automotive Software'. ACM Transactions on Cyber-Physical Systems 5(2), January 2021, 1–27.
[13] 'Safety Synthesis for Incrementally Stable Switched Systems using Discretization-Free Multi-Resolution Abstractions'. Acta Informatica 57, 2020, 245–269.
[14] 'Causality analysis and fault ascription in component-based systems'. Theoretical Computer Science 837, 2020, 158–180.
[15] 'Weakly-hard Real-time Guarantees for Earliest Deadline First Scheduling of Independent Tasks'. ACM Transactions on Embedded Computing Systems (TECS) 18(6), January 2020, 1–25.
Conferences without proceedings
[16] 'Discrete and Continuous Optimal Control for Energy Minimization in Real-Time Systems'. EBCCSP 2020 - 6th International Conference on Event-Based Control, Communication, and Signal Processing, Krakow, Poland, September 2020, 18.
Doctoral dissertations and habilitation theses
[17] PhD thesis: 'Fault management of programmable multi-tenant networks'. Université Rennes 1, June 2020.
[18] PhD thesis: 'Online optimization in dynamic real-time systems'. Université Grenoble Alpes, June 2020.
Reports & preprints
[19] Research report: 'A Linear Time Algorithm Computing the Optimal Speeds Minimizing Energy Under Real-Time Constraints'. Inria Grenoble Rhône-Alpes, April 2020.
[20] Research report: 'Towards a formal reference computational model for cloud configuration management'. INRIA, January 2020.
11.3 Cited publications
[21] 'A Library for formally proven schedulability analysis'. URL: http://prosa.mpi-sws.org/
[22] 'Predictable Multithreading of Embedded Applications Using PRET-C'. International Conference on Formal Methods and Models for Codesign, MEMOCODE'10, Grenoble, France, IEEE, July 2010, 159–168.
[23] 'A Predictable Framework for Safety-Critical Embedded Systems'. IEEE Transactions on Computers, July 2014, 13.
[24] 'Automotive Open System Architecture'. 2003, URL: http://www.autosar.org
[25] 'A Survey on Reactive Programming'. ACM Computing Surveys 45(4), 2013.
[26] 'Speed Scaling to Manage Energy and Temperature'. Journal of the ACM 54(1), 2007.
[27] 'Rigorous Component-Based System Design Using the BIP Framework'. IEEE Software 28(3), 2011.
[28] 'BPDF: A Statically Analyzable Dataflow Model with Integer and Boolean Parameters'. International Conference on Embedded Software, EMSOFT'13, Montreal, Canada, ACM, September 2013.
[29] 'The synchronous languages 12 years later'. Proceedings of the IEEE 91(1), 2003.
[30] 'Designing Reliable Systems from Unreliable Components: The Challenges of Transistor Variability and Degradation'. IEEE Micro 25(6), 2005.
[31] 'A Survey of Parametric Dataflow Models of Computation'. ACM Transactions on Design Automation of Electronic Systems (TODAES), January 2017.
[32] 'Symbolic Analyses of Dataflow Graphs'. ACM Transactions on Design Automation of Electronic Systems (TODAES), January 2017.
[33] 'A Survey of Hard Real-Time Scheduling for Multiprocessor Systems'. ACM Computing Surveys 43(4), 2011.
[34] 'Taming heterogeneity - the Ptolemy approach'. Proceedings of the IEEE 91(1), 2003.
[35] 'Lossy channels in a dataflow model of computation'. Principles of Modeling, Festschrift in Honor of Edward A. Lee, Berkeley, United States, Lecture Notes in Computer Science, Springer, October 2017.
[36] 'RDF: Reconfigurable Dataflow'. DATE 2019 - Design, Automation & Test in Europe Conference & Exhibition, Florence, Italy, March 2019, 1709–1714.
[37] 'SPDF: A schedulable parametric dataflow MoC'. Design, Automation and Test in Europe, DATE'12, IEEE, 2012.
[38] 'Fundamentals of Fault-Tolerant Distributed Computing in Asynchronous Environments'. ACM Computing Surveys 31(1), 1999.
[39] 'A Multi-Rate Precision Timed Programming Language for Multi-Cores'. FDL 2019 - Forum for Specification and Design Languages, Southampton, United Kingdom, IEEE, September 2019, 18.
[40] 'Architectures for Online Error Detection and Recovery in Multicore Processors'. Design Automation and Test in Europe (DATE), 2011.
[41] 'Actual causation: a stone soup essay'. Synthese 175(2), 2010, 169–192.
[42] 'Diagnosis with Petri Net Unfoldings'. Control of Discrete-Event Systems, Lecture Notes in Control and Information Sciences 433, Springer, 2013, 15.
[43] 'The Embedded Systems Design Challenge'. Formal Methods 2006, Lecture Notes in Computer Science 4085, Springer, 2006.
[44] 'Worst-Case Reaction Time Optimization on Deterministic Multi-Core Architectures with Synchronous Languages'. RTCSA 2019 - 25th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), Hangzhou, China, IEEE, August 2019, 1–11.
[45] 'Accountability: definition and relationship to verifiability'. ACM Conference on Computer and Communications Security, 2010, 526–535.
[46] 'Reversing Higher-Order Pi'. 21st International Conference on Concurrency Theory (CONCUR), Lecture Notes in Computer Science 6269, Springer, 2010.
[47] 'An $O(n^2)$ Algorithm for Computing Optimal Continuous Voltage Schedules'. Annual Conference on Theory and Applications of Models of Computation, TAMC'17, LNCS 10185, Bern, Switzerland, April 2017, 389–400.
[48] 'Counterfactual Theories of Causation'. Stanford Encyclopedia of Philosophy, Stanford University, 2009, URL: http://plato.stanford.edu/entries/causation-counterfactual
[49] 'Causation and Responsibility'. Oxford, 1999.
[50] 'Causal inference in statistics: An overview'. Statistics Surveys 3, 2009, 96–146.
[51] Technical report: 'Partitioning for Safety and Security: Requirements, Mechanisms, and Assurance'. CR-1999-209347, NASA Langley Research Center, 1999.
[52] 'Encapsulation and Sharing in Dynamic Software Architectures: The Hypercell Framework'. FORTE 2019 - 39th International Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE), LNCS 11535, Part 1: Full Papers, Copenhagen, Denmark, Springer International Publishing, 2019, 242–260.
[53] 'ARTEMIS Strategic Research Agenda'. 2011.
[54] 'A scheduling model for reduced CPU energy'. Proceedings of IEEE Annual Foundations of Computer Science, 1995, 374–382.