## Rigorous Component-based Design in BIP

18<sup>th</sup> of October, 2019

IMBSA @ Thessaloniki

Simon Bliudze Inria Lille – Nord Europe



Région Hauts-de-France

## Concurrency...







S.Bliudze @ IMBSA 2019, Thessaloniki, 18th of October, 2019



## ... is everywhere!







#### Embedded

#### Infrastructure

Platform

Services

...you name it!



## Coordination





#### Control-centric

- Synchronisation is primitive
- Locks, semaphores etc.
- Concurrent execution
- Critical systems

Data-centric Data exchange is primitive Messages, split-join etc. Distributed execution Data-intensive computation

## Coordination





#### The two views are complementary

Control-centric

Synchronisation is primitive

Locks, semaphores etc.

Concurrent execution

Critical systems

Data-centric

Data exchange is primitive

Messages, split-join etc.

Distributed execution

Data-intensive computation

#### Semaphores, locks, monitors, etc.



## Coordination based on low-level primitives rapidly becomes unpractical.



A series of semantics-preserving transformations

Correctness decomposed into correctness of transformations correctness of high-level models

Final implementation is correct by construction



S.Bliudze @ IMBSA 2019, Thessaloniki, 18th of October, 2019







# Satellite software design

A collaboration with the EPFL Space Engineering Center

Component-based design in BIP of the control software for a nano-satellite

Control and Data Management System (CDMS)

Communication with other subsystems through an I<sup>2</sup>C bus

A collaboration with ThalesAlenia Space (France) and Aristotle University of Thessaloniki (Greece)

"Catalogue of System and Software Properties"

Funded by ESA







A R I S T O T L E UNIVERSITY OF THESSALONIKI

# Satellite software design

A collaboration with the EPFL Space Engineering Center

Component-based design in BIP of the control software for a nano-satellite

Control and Data Management System (CDMC)

#### BIP = Behaviour-Interaction-Priority

Aristotle University of Thessaloniki (Greece)

"Catalogue of System and Software Properties"

Funded by ESA







A R I S T O T L E UNIVERSITY OF THESSALONIKI

### CubETH: CDMS architecture







S.Bliudze @ IMBSA 2019, Thessaloniki, 18th of October, 2019







#### BIP by example: Mutual exclusion



#### BIP by example: Mutual exclusion



#### BIP by example: Mutual exclusion











16 / 37

S.Bliudze @ IMBSA 2019, Thessaloniki, 18th of October, 2019



S.Bliudze @ IMBSA 2019, Thessaloniki, 18th of October, 2019

# Theory of architectures

Design patterns for BIP

How to model?

How to combine?

How to specify?



Architectures enforce characteristic properties. The crucial question is whether these are preserved by composition?

[Attie et al, SEFM '14]

How to model?















#### An architecture is...



#### ...an operator...

 $A = (\mathcal{C}, P_A, \gamma)$ 

...transforming

a set of components  $\mathcal{B}$ 

into a composed BIP system

 $A(\mathcal{B}) \stackrel{def}{=} (\gamma \ltimes P)(\mathcal{B} \cup \mathcal{C})$ 

where 
$$P \stackrel{def}{=} \bigcup_{B \in \mathcal{B} \cup \mathcal{C}} P_B$$
,  $\gamma \ltimes P \stackrel{def}{=} \{a \subseteq 2^P \mid a \cap P_A \in \gamma\}$ 

## Nice properties

Under suitable conditions

Architectures can be composed before applying

$$A_2(A_1(\mathcal{B})) = (A_1 \oplus A_2)(\mathcal{B})$$

Architecture application can be restricted

$$A_2(A_1(\mathcal{B}_1,\mathcal{B}_2)) = A_2(A_1(\mathcal{B}_1),\mathcal{B}_2)$$

Architecture can be applied partially

$$A(\mathcal{B}_1, \mathcal{B}_2) = A[\mathcal{B}_1](\mathcal{B}_2)$$

#### How to combine?























## Formally

### $A_1 \oplus A_2 \stackrel{\scriptscriptstyle def}{=} (\mathcal{C}_1 \cup \mathcal{C}_2, P_1 \cup P_2, \gamma)$

$$\gamma \stackrel{\text{\tiny def}}{=} \left\{ a \subseteq 2^P \mid a \cap P_1 \in \gamma_1 \land a \cap P_2 \in \gamma_2 \right\}$$
$$= (\gamma_1 \ltimes P) \cap (\gamma_2 \ltimes P)$$

## Main results: Safety

$$\begin{array}{l} A_1(\mathcal{B}) \models \Phi_1 \\ A_2(\mathcal{B}) \models \Phi_2 \end{array} \end{array} \implies (A_1 \oplus A_2)(\mathcal{B}) \models \Phi_1 \land \Phi_2$$

Safety = "Bad states never occur"

## Rigorous System Design flow



## Rigorous System Design flow





### Requirements and design process



/Requirements Engineering for Rigorous Design/

A R I S T O T L E UNIVERSITY OF THESSALONIKI

[Stachtiari et al, JSS '18]

S.Bliudze @ IMBSA 2019, Thessaloniki, 18th of October, 2019



#### Table 1: Representative requirements for CDMS status and HK\_PL

| ID       | Description                                                                                                                        |
|----------|------------------------------------------------------------------------------------------------------------------------------------|
| CDMS-007 | The CDMS shall periodically reset both the internal and external watchdogs and contact the EPS subsystem with a "heartbeat".       |
| HK-001   | The CDMS shall have a Housekeeping activity dedicated to each subsystem.                                                           |
| HK-003   | When line-of-sight communication is possible, housekeeping information shall be trans-<br>mitted through the COM subsystem.        |
| HK-004   | When line-of-sight communication is not possible, housekeeping information shall be writ-<br>ten to the non-volatile flash memory. |
| HK-005   | A Housekeeping subsystem shall have the following states: NOMINAL, ANOMALY and CRITICAL_FAILURE.                                   |

## RERD tool

| Requirem           | nent Editing Pro  | perty Form   | alization Di                                                                                     | ctionary Models                                             |                        |                       |              |          |        |
|--------------------|-------------------|--------------|--------------------------------------------------------------------------------------------------|-------------------------------------------------------------|------------------------|-----------------------|--------------|----------|--------|
| bstractio          | n Level : RB Cate | egory : Con  | textSavingRe                                                                                     | quirement                                                   |                        |                       |              |          |        |
| ID                 | Prefix            | •            | ID 🔺                                                                                             | Main                                                        |                        | ID ▲                  |              | Suffix   |        |
| P2 While           | e State : [ ]     |              | M1                                                                                               | Function : [ ] shall Action : [ ]                           |                        | S1 before Event : [ ] |              |          |        |
| P3 If Ev           | ent : [ ] and S   | tate : [     | M2                                                                                               | Function : [ ] shall Action : [ ] and Action : [ ] :        | [ ]                    | S2                    | sequentially |          |        |
| P1 If Ev           | ent : [ ]         |              | M3                                                                                               | Function : [ ] shall State : [ ]                            |                        | S3                    | atomic       | ally     |        |
| Back to<br>Console | Categories        |              |                                                                                                  | Event:                                                      |                        |                       |              |          |        |
|                    |                   |              |                                                                                                  |                                                             |                        | HK-05                 |              |          |        |
|                    | af                | ailure of th | e PL subsyste                                                                                    | em persists for [TBD] sec                                   |                        | Genera                | te Req IC    | )        |        |
|                    | Function:         | shall        |                                                                                                  | Action:                                                     |                        | DD                    |              |          |        |
|                    | HK PL             | con          | tact the EPS                                                                                     | for a restart of PL                                         |                        | RB                    |              | •        |        |
|                    | <u></u>           |              |                                                                                                  |                                                             |                        | Context               | tSavingR     | equirem  | ent 🔻  |
|                    |                   |              |                                                                                                  |                                                             |                        | Invalid               |              | •        |        |
|                    |                   |              |                                                                                                  |                                                             |                        | Defines               | Def          | and Dec  |        |
| Cause              | Validata          | leer Ne      |                                                                                                  |                                                             |                        | Refines               |              | ned By   |        |
| Save               | Validate C        | lear Ne      | w                                                                                                |                                                             |                        | Concret               | tizes        | Concreti | zed By |
| Search             |                   | Ontolog      | y Validation                                                                                     |                                                             |                        |                       |              |          |        |
| Req. ID            | Status            |              |                                                                                                  | Text                                                        | Category               | Ab                    | sLevel       | Edit     | Delete |
| IK-02              | If [TBD           | ] seconds    | pass and HK                                                                                      | for PL is enabled HK PL shall handle HK data from PL        | ContextSavingRequireme | ent RB                |              | Edit     | Delete |
| IK-03              | If HK h           | as been re   | read from PL and PS for PL is not enabled HK PL shall transmit HK data ti ContextSavingRequireme |                                                             |                        |                       |              | Edit     | Delete |
| IK-04              | While             | PS for PL is | enabled HK                                                                                       | PL shall write HK data to the flash memory                  | ContextSavingRequireme | ent RB                |              | Edit     | Delete |
| K-05               | lf a fai          | lure of the  | PL subsysten                                                                                     | persists for [TBD] sec HK PL shall contact the EPS for a re | ContextSavingRequireme | ent RB                |              | Edit     | Delete |

Requirements for the HK PL function.

| ID    | Requirement                                                                                                                                                                                                                                  |
|-------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| HK-02 | P2: if <event-e003: [tbd]="" pass="" sec=""> and <state-s003: collection="" enabled="" for="" hk="" is="" pl=""></state-s003:></event-e003:>                                                                                                 |
|       | M1: $\langle$ function: HK PL $\rangle$ shall $\langle$ action-a004: handle HK data from the PL $\rangle$                                                                                                                                    |
| HK-03 | P3: if $\langle$ state-s002: PS <sup>a</sup> for PL is not enabled $\rangle$<br>M1: $\langle$ function: HK DL $\rangle$ shall $\langle$ action a002: transmit HK data through the                                                            |
|       | M1: <function: hk="" pl=""> shall <action-a002: data="" hk="" service="" tc="" the="" through="" tm="" transmit=""></action-a002:></function:>                                                                                               |
| HK-04 | P3: while <state-s001: enabled="" for="" is="" pl="" ps=""></state-s001:>                                                                                                                                                                    |
|       | M1: <function: hk="" pl=""> shall <action-a001: data="" flash="" hk="" memory="" the="" to="" write=""></action-a001:></function:>                                                                                                           |
| HK-05 | P1: if <event-e004: [tbd]="" a="" failure="" for="" persists="" pl="" sec=""><br/>M1: <function: hk="" pl=""> shall <action-a003: a="" contact="" eps="" for="" restart<br="" the="">of the PL &gt;</action-a003:></function:></event-e004:> |

<sup>a</sup> PS stands for a packet store structure.



Durations and input sizes of the process steps.

| Step                                                                                                          | Duration                  | Input size                                                                                                   |
|---------------------------------------------------------------------------------------------------------------|---------------------------|--------------------------------------------------------------------------------------------------------------|
| Requirement specification<br>Initial design<br>Architecture instantiation<br>Verification of deadlock freedom | 8 h<br>5 h<br>3 h<br>12 s | <ul><li>38 requirements</li><li>12 components</li><li>47 enforced properties</li><li>46 components</li></ul> |

| Model         | Flow | Mode | Event | Mutex | Failure | Requir. | Deriv. Prop. | Assum. Prop. | Enforced |
|---------------|------|------|-------|-------|---------|---------|--------------|--------------|----------|
| Payload       | 0    | 2    | 0     | 4     | 0       | 12      | 16           | 0            | 16       |
| HK PL         | 0    | 2    | 1     | 1     | 1       | 4       | 6            | 0            | 6        |
| HK EPS        | 0    | 2    | 1     | 1     | 1       | 4       | 6            | 0            | 6        |
| НК СОМ        | 0    | 2    | 1     | 1     | 1       | 4       | 6            | 0            | 6        |
| HK CDMS       | 0    | 2    | 1     | 1     | 0       | 3       | 4            | 0            | 4        |
| Flash memory  | 0    | 1    | 0     | 1     | 0       | 8       | 13           | 4            | 3        |
| CDMS status   | 1    | 0    | 0     | 0     | 0       | 1       | 3            | 0            | 3        |
| Error logging | 0    | 0    | 1     | 1     | 0       | 2       | 3            | 0            | 3        |
| Total         | 1    | 11   | 5     | 10    | 3       | 38      | 57           | 4            | 47       |

## Conclusion

Powerful theoretical tools to build systems that are correct by construction

Going from theory to practice requires a lot of effort and crossdomain collaborations





## Future work

### BIP

Dynamicity, distribution, self-adaptation

### Architectures

- Case studies, case studies, case studies and taxonomies (libraries)
- Data, Real-time, Synthesis, Dynamicity, Probabilities etc.
- DSLs for usability
- Verification and proof of architectures and architecture styles
- Tool support

### RERD

Revamping the ontologies with better understanding of domain specificities How to make generated BIP models understandable by developers?





## Main results: Liveness



### Liveness = "Good states occur infinitely often"