The Signal Synchronous Multiclock Approach to the Design of Distributed Embedded System

Abdoulaye Gamatié, Thierry Gautier

To cite this version:

HAL Id: hal-00550056
https://hal.archives-ouvertes.fr/hal-00550056
Submitted on 23 Dec 2010

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
The Signal Synchronous Multi-clock Approach to the Design of Distributed Embedded Systems

Abdoulaye Gamatié and Thierry Gautier

Abstract—This paper presents the design of distributed embedded systems using the synchronous multi-clock model of the SIGNAL language. It proposes a methodology that ensures a correct-by-construction functional implementation of these systems from high-level models. It shows the capability of the synchronous approach to apply formal techniques and tools that guarantee the reliability of the designed systems. Such a capability is necessary and highly worthy when dealing with safety-critical systems. The proposed methodology is demonstrated through a case study consisting of a simple avionic application, which aims to pragmatically help the reader to understand the manipulated formal concepts, and to apply them easily in order to solve system correctness issues encountered in practice. The application functionality is first modeled as well as its distribution on a generic hardware architecture. This relies on the endochrony and endo-isochrony properties of SIGNAL specifications, defined previously. The considered architectures include asynchronous communication mechanisms, which are also modeled in SIGNAL and proved to achieve message exchanges correctly. Furthermore, the synchronizability of the different parts in the resulting system is addressed after its deployment on a specific execution platform with multi-rate clocks. After all these steps, a distributed code can be automatically generated.

Index Terms—Distributed embedded systems, Correct-by-construction design methodology, Safety-critical domains, Formal validation, Synchronous model, Asynchronous mechanisms, Multi-clock, SIGNAL language

1 INTRODUCTION

There are various reasons to distribute embedded systems: the high performance enabled by the use of several computation units for a better response time, sometimes the geographical delocalization of the system elements, the replication of systems for fault tolerance, etc. Typical domains in which distributed embedded systems are useful are the following:

- transportation: the last generation of cars and aircraft increasingly combine computers and electrical linkages. This combination makes comfortable the control of the engine. This combination leads to so-called fly-by-wire systems, e.g., adopted in Toyota Prius automobile or in the A380.
- telecommunication: cell phone manufacturers and Internet highly face problems related to distributed and mobile embedded systems deployed on networks. A major issue is the compatibility between heterogeneous devices, and the robust and transparent communications in networks, while guaranteeing performance and real-time properties.
- industrial automation: it covers industrial robots and embedded mechatronic systems, which comprise technologies from engineering disciplines in computer software and hardware as well as in mechanics and automatic control. The issues concern the design of distributed architectures for scalable and reconfigurable mechatronic systems, and of embedded control.

The design of distributed embedded systems generally has to take into account several crucial aspects: the used communication mechanisms must be proved to be sufficiently robust, i.e., no loss of messages; for sub-systems located on different sites, the duration of communications must not alter the real-time properties of the overall system, the global functionality must be guaranteed, etc. So, the distribution of a system has to follow well-defined methodologies that offer the suitable means to clearly express its inherent concurrency and to validate its behavior w.r.t. functional and non functional requirements.

In the current study, we consider the synchronous model for design and validation. This model offers an adequate formal basis to deal with the reliable design of embedded systems. Its basic assumption is that computation and communications are instantaneous from the point of view of a logical time, referred to as "synchrony hypothesis". This favors deterministic models of system behaviors for safe analysis.

1.1 The synchronous multi-clock model of SIGNAL

The design of distributed systems has been extensively studied for decades [44, 19]. The asynchrony inherent to these systems appears a priori as an obstacle to their description with the synchronous model. According to [45], a fully synchronous system is characterized by the boundness and knowledge of: (i) processing speed, (ii) message delivery delay, (iii) local clock rate drift, (iv) load pattern, and v) difference among local clocks. A fully asynchronous system assumes none of these characteristics.

Distributed embedded systems are generally implemented with GALS architectures, which are suitably abstracted with the SIGNAL synchronous multi-clock or polychronous model [37]. The multi-clock model is gaining an increasing attention from academia and industry to address the modern electronic designs [13, 24]. According to the polychronous model, the activation clock of a system consists of the set of instants at which its components react. This set is only partially ordered since concurrent components may have their own (independent) activation clocks. When these components do not interact, it is not necessary that their clocks be synchronized. The central question is not to agree on a global time, but to agree on the common event occurrences during the interaction of components. Contrarily to the usual monolithic approach adopted by the other synchronous languages (e.g. LUSTRE, ESTEREL until recently), which consists of compact single-clocked designs, the
polychronous approach aims at designing in a modular fashion systems with multiple loosely coupled clocks so as to be able to deal with the complexity of their distribution.

Compared to the synchrony/asyncrhony definition of [45], the polychronous model offers an intermediate vision: while it assumes the boundness of computation and communication activities, the difference among local activation clocks is a priori unknown. This vision is opposed to the monolithic one, which considers the existence of a unique common clock in a system, represented by a totally ordered set of instants. The SIGNAL language relies on the polychronous model.

Fig. 1 illustrates the design philosophy behind polychrony: to give an adequate abstract model of a system shown in Fig. 1(b) which enables a subsequent choice towards a distributed system implemented by globally asynchronous locally synchronous (GALS) architectures shown in Fig. 1(a) or a single-clocked system implemented by centralized architectures shown in Fig. 1(c).

Fig. 1. Distributed, polychronous and single-clocked systems.

The polychronous system, depicted in Fig. 1(b), consists of two concurrent sub-systems that receive control from events a and b and conditionally communicate via an event c or do something else (d or e). It can be refined into a single-clocked system, Fig. 1(c) by synchronizing the events a and b. It can be also refined into a distributed system, Fig. 1(a) by distributing a and b on two different locations and by implementing c by a FIFO communication channel. In general, the reliability of such channels is implicitly assumed in the polychronous model. However, in this paper, it is explicitly proved.

1.2 Synchronous design of distributed systems

Among the large spectrum of literature devoted to the design of distributed systems [14],[19], we mainly concentrate below on related works that rely on the synchronous model.

As mentioned above, a major advantage of using such a model for the development of distributed embedded systems is that, on the one hand, the global correctness of systems can be trust-worthily guaranteed using the associated formal technology. It is particularly necessary when the system is used in a safety-critical domain such as automotive or avionics. This explains the numerous studies on program distribution problematics in synchronous languages. Most of these studies focus on automatic program distribution methods [27]: given a centralized synchronous program P and a distributed architecture A, the deployment of P on A is defined automatically, with the necessary inserted communication code, so that the resulting distributed program has the same functional behavior as P. However, note that beyond these studies, automatic program distribution has been widely investigated [52].

The major contributions on this topic in the synchronous approach community could be summarized according to the main synchronous languages: ESTEREL, LUSTRE and SIGNAL.

In ESTEREL, we can mention the work of Berry and Sentovich [12] on the construction of GALS systems as synchronous circuits represented by a network of communicating codesign finite state machines. GALS architectures [17] consist of components that execute synchronously and communicate asynchronously. Another relevant work concerns the ESTEREL specification and programming of large-scale distributed real-time systems [33].

The LUSTRE language has been also used in several studies on the design of distributed systems. Girault [26] addressed the distribution of synchronous automata within the framework of this language. Afterwards, he focused on further issues such as automatic deduction of GALS systems from centralised synchronous circuits [28] and the optimized execution of desynchronized embedded reactive programs to guarantee real-time constraints [29]. We must note the very important achievements by Caspi and his colleagues on the same topics (see [27]). They recently proposed an approach to deploy LUSTRE programs on time-triggered architectures [16].

In SIGNAL, there have been lots of results on program distribution, mostly from the theoretical viewpoint. The earlier work of Chéron [18] dealt with the communication of separately compiled SIGNAL programs. Then, Maffeis [39] showed how to abstract such programs into graphs in order to define the qualitative scheduling and partitioning of these graphs. The work of Aubry [6] focused on similar problems as Girault [26] by exploring the manual and semi-automatic distribution of synchronous dataflow programs in SIGNAL. While these studies were mostly devoted to the practical side, Benveniste and Le Guernic lead several theoretical works on the distribution of SIGNAL programs [8],[9],[25],[11],[67],[61]. The approach presented in this paper shows how these theoretical results are exploited in practice to derive correct-by-construction models of distributed embedded systems.

Finally, we can notice other interesting contributions such as [30] in which Grandpierre showed, with Petri nets, how one can derive a distributed implementation from a synchronous dataflow specification, e.g. in LUSTRE or SIGNAL, of a given application while minimizing the response time w.r.t. real-time requirements. The SYNDEX environment [31] aims at providing designers with such program distribution facilities.

1.3 Our contribution: a seamless design methodology

While the above studies mainly concern automatic program distribution, in this paper we focus on how to design entirely distributed embedded systems with a synchronous language by proposing a general methodology, Fig. 2 composed of four steps detailed in the following chronological order:

1) System specification and manual distribution: modeling of application functionality, distributed hardware architecture, and their association. This step is similar to the initial step in usual hardware-software codesign;

2) Automatic transformations: guaranteeing the global functional correctness of the distribution. These transformations exploit the endochrony and endo-isochrony properties of SIGNAL programs, presented in Section 2.2.

3) Deployment on specific platforms: instantiating the parts of the resulting model with components that represent
specific platform mechanisms, e.g., for communication, synchronization. There are only few existing works devoted to the synchronous modeling of asynchronous mechanisms [34], [35], [23].

4) Non functional analysis and automatic code generation: checking the non functional (temporal) constraints induced by the chosen deployment and distributed code generation.

The above methodology is exposed through a case study. It is built on several complementary results obtained previously. The second step of this methodology uses an implementation of the theoretical results of [8], [9]. The third step relies on the insights gained from [21], [23] in which we have proposed a library of components consisting of synchronous models of asynchronous mechanisms for communication, synchronization or execution. Here, we consider the mechanism defined in [21] to describe the communications in the deployed system model of our case study. We also give the proof of queueing order preservation in this mechanism, which was an assumption previously. On the other hand, while the design approach presented in [23] mainly targets integrated modular avionics architectures, the current methodology aims at more general multi-processor architectures and fully makes use of the SIGNAL multi-clocked model. The fourth step uses the non functional analysis techniques proposed in [43], [36] and implements code generation approach defined in [25].

1.4 Example: a Flight Warning System

We consider a running example from the avionic domain, consisting of a Flight Warning System (FWS) to illustrate our methodology. This system is used in the Airbus A340 aircraft. It has been proposed by the Aerospatiale Company (France) as a case study in [38]. The FWS system is in charge of deciding on when and how to emit warning signals whenever there is an anomaly during the operational mode of an airplane. It is illustrated in Fig. 3 together with its implementation architecture. It consists of two cyclic concurrent processes:

- given an alarm $a_i$, the alarm manager process confirms $a_i$ after a given period of time or removes $a_i$ from the set of confirmed alarms depending on the fact that $a_i$ is detected "present" or "absent";
- the alarm notifier process emits warning signals associated with confirmed alarms.

In this paper, the exact way alarms are made present or absent is supposed to be out of scope. This is achieved in another part of the aircraft.

Even though the above two processes interact, they execute independently. So, their activation clocks are $a priori$ not strongly correlated. Such a system is particularly well-suited to be described and analyzed with the polychronous model. The specific choice of executing the processes separately on different processors is one possibility among others. Here, it allows us to illustrate the possible design issues resulting from the distribution of a system functionality and how to address them with our proposed methodology.

1.5 Outline

The remainder of this article is organized as follows: Section 2 introduces the synchronous language SIGNAL and its associated multi-clock semantic model. Then, the next sections present our methodology in detail through the design of FWS on a distributed platform. Section 3 is devoted to the first and second steps. It addresses the SIGNAL description of the FWS system, its associated hardware architecture and its correct distribution on the chosen architecture. Section 4 concentrates on the third step. It deals with the modeling of an asynchronous communication mechanism, represented by a FIFO queue that is proved to be correct w.r.t. its expected services. This mechanism is used for the deployment of the FWS system on a specific platform. Section 5 focuses on the last step of our methodology. It addresses clock synchronizability issues in the
deployed model of the FWS system and the automatic code generation. Finally, our proposition is discussed in Section 6 and concluding remarks are given in Section 7.

2 THE SIGNAL LANGUAGE

In order to define the formal semantics of SIGNAL, we introduce the polychronous semantic model in Section 2.2. Then, we give an overview of the language in Section 2.2.2.

2.1 The polychronous semantic model

We consider the following sets: $\mathcal{X}$ is a countable set of variables; $\mathcal{B} = \{\text{false}, \text{true}\}$ is a set of Boolean values where false and true respectively denote false and true; $\mathcal{V}$ is the domain of operands (at least $\mathcal{V} \supseteq \mathcal{B}$); and $\mathcal{T}$ is a dense set equipped with a partial order relation noted $\leq$, and with a greatest lower bound. The elements of $\mathcal{T}$ are called tags.

We now introduce the notion of observation point.

Definition 1 (observation points): A set of observation points is a set of tags $\mathcal{T}$ such that: i) $\mathcal{T} \subset \mathcal{T}$; ii) $\mathcal{T}$ is countable; iii) each pair of tags admits a lower bound in $\mathcal{T}$.

The set $\mathcal{T}$ provides a discrete time dimension that corresponds to the logical instants at which the presence/absence of events can be observed during a system execution. The set $\mathcal{V}$ provides a continuous (physical) time dimension. So, the mapping of $\mathcal{T}$ on $\mathcal{V}$ allows one to move from “abstract” descriptions to “concrete” descriptions in the semantic model.

A chain $\mathcal{C} \subseteq \mathcal{T}$ is a totally ordered set which admits a lower bound. The set of chains is denoted by $\mathcal{C}$. For a set of observation points $\mathcal{T}$, we denote by $\mathcal{C}_\mathcal{T}$ the set of all chains in $\mathcal{T}$. The notations $\min(\mathcal{C})$ and $\preceq(t)$ respectively mean the minimum of $\mathcal{C}$ and the immediate predecessor of a tag $t \in \mathcal{C}$.

Definition 2 (events, signals and behaviors, Fig. 4):

- An event $\epsilon$ on a given set of observation points $\mathcal{T}$ is a couple $(t, v) \in \mathcal{T} \times \mathcal{V}$.
- A signal on a given set of observation points $\mathcal{T}$ is a partial function $s \in \mathcal{T} \rightarrow \mathcal{V}$, associating values with observation points that belong to a chain $\mathcal{C} \in \mathcal{C}_\mathcal{T}$. The set of signals on $\mathcal{T}$ is noted $\mathcal{S}_\mathcal{T}$. The domain of $s$ is denoted by $\text{dom}(s)$.
- For a given set of observation points $\mathcal{T}$, a behavior $b$ on $\mathcal{X} \subseteq \mathcal{X}$ is a function $b : \mathcal{X} \rightarrow \mathcal{S}_\mathcal{T}$ that associates each variable $x \in \mathcal{X}$ with a signal $s$ on $\mathcal{T}$. We denote by $\mathcal{B}_{\mathcal{T}, \mathcal{X}}$ the set of behaviors of domain $\mathcal{X} \subseteq \mathcal{X}$ on $\mathcal{T}$. The set $\mathcal{B}_{\mathcal{T}, \mathcal{X}}$ represents the set that contains all the behaviors defined on the union of all the sets of variables on $\mathcal{T}$. Finally, we write $\text{vars}(b)$ and $\text{tags}(b) = \bigcup_{x \in \text{vars}(b)} \text{tags}(b(x))$ to respectively denote the domain of $b$ and its associated set of tags.

Fig. 4. Behavior, events and signals.

For any behavior $b$ defined on $\mathcal{X} \subseteq \mathcal{X}$, we note $b_{\mathcal{X}'}$, its projection on a set of variables $\mathcal{X}' \subseteq \mathcal{X}$. In other words, $\text{vars}(b_{\mathcal{X}'}) = \mathcal{X}'$ and $\forall x \in \mathcal{X}', b_{\mathcal{X}'}(x) = b(x)$. The projection of $b$ on the complementary of $\mathcal{X}'$ in $\mathcal{X}$ is denoted by $b_{\mathcal{X}'}$.

A signal can be seen, in fact, as an elastic with ordered marks (its tags). If such an elastic is stretched, the marks remain in the same order but new marks may be inserted between stretched marks. If the elastic gets unstretched, the marks become closer to each other, but they still remain in the same order. The same holds for a set of elastics, i.e., a behavior.

Definition 3 (stretching): For a given set of observation points $\mathcal{T}$, a behavior $b_1$ is less stretched than a behavior $b_2$, noted $b_1 \preceq_{\mathcal{T}} b_2$, iff there exists a bijection $f : \text{tags}(b_1) \rightarrow \text{tags}(b_2)$ following which $b_1$ and $b_2$ are isomorphic:

\[
\forall x \in \text{vars}(b_1), \quad b_1(x) = f(b_2(x)),
\]

\[
\forall x \in \text{vars}(b_1) \forall t \in \text{tags}(b_1(x)), \quad b_1(x)(t) = b_2(x)(f(t)),
\]

\[
\forall t_1, t_2 \in \text{tags}(b_1), \quad t_1 \preceq t_2 \Leftrightarrow f(t_1) \preceq f(t_2),
\]

and such that $\forall C \in \mathcal{C}_\mathcal{T}$, $\forall t \in C, t \preceq f(t)$. □

The stretching relation is a partial order on $\mathcal{B}_{\mathcal{T}}$. It induces an equivalence relation between behaviors.

Definition 4 (stretch-equivalence): For a given set of observation points $\mathcal{T}$, two behaviors $b_1$ and $b_2$ are stretch-equivalent, noted $b_1 \approx_{\mathcal{T}} b_2$, iff there exists a behavior $b_1$ less stretched than $b_1$ and $b_2$, i.e. $b_1 \preceq b_2$ if $\exists b_1 b_1 \preceq_{\mathcal{T}} b_1$ and $b_1 \preceq_{\mathcal{T}} b_2$. □

The class of equivalence of a behavior following the stretch-relations forms a semi-lattice, which admits a minimal element. We call strict behaviors those which are minimal for the stretch-relation on $\mathcal{T}$.

For a given behavior $b$, the set of all behaviors that are stretch-equivalent to $b$ on $\mathcal{T}$ defines its stretch-closure on $\mathcal{T}$, noted $\mathcal{N}_P(b)$.

Definition 5 (stretch-closure of a behavior set): The stretch-closure of a set of behaviors $p$ on a given set $\mathcal{T}$ of observation points is the set $p^*$, which includes all behaviors resulting from the stretch-closure of each behavior $b \in p$, i.e. $p^* = \bigcup_{b \in p} \mathcal{N}_P(b)$.

The stretch-closure allows us to define the following process notion, which is a specific set of behaviors:

Definition 6 (process): For a given set of observation points $\mathcal{T}$, a process $p$ is a stretch-closed set of behaviors, i.e. $p \in \mathcal{P}(\mathcal{B})$ such that $p = p^*$. □

We write $\text{vars}(p)$ to denote the set of variables of a process $p$ (we say equivalently that $p$ is defined on $\text{vars}(p)$). Every non-empty process contains a subset $p_1 \subseteq p$ of strict behaviors (for each $b_1 \in p$, there exists a unique $b_2 \in (p)_1$ such that $b_2 \preceq b_1$).

The notions presented in this section are sufficient to express the semantics of SIGNAL basic concepts within the polychronous model [37]. In the remainder of the paper, we also use them to characterize some model properties.

2.2 An overview of the language

2.2.1 Basics

SIGNAL [37, 14] is a dataflow relational language that handles unbounded series of typed values $(x_t)_{t \in \mathbb{N}_0}$ called signals, implicitly indexed by discrete time, and denoted as $x$. At any logical instant $t \in \mathbb{N}$, a signal may be present or absent: when present, it holds some value; when absent, it holds no value and is denoted by $\perp$ in the semantic notation. There is a particular type of signal called event. A signal of this type always holds the value true when it is present. The set of instants at which a signal $x$ is present is referred to as its clock, noted $\vec{x}$. A process is a system of equations over signals that specifies relations between values and clocks of the signals. A program is a process. The whole SIGNAL language relies on the six primitive constructs, presented below, which define elementary processes. Unlike the LUSTRE and LUCID SYNCHRON languages in which a program expresses a functional dataflow specification, in SIGNAL, a program implicitly expresses constraints on the involved signals, that must be satisfied by their
values on the one hand and by their clocks on the other hand (see TABLE 1).

- **Instantaneous relations**: $y := R(x_1, \ldots, x_n)$ where $y$, $x_1$, $\ldots$, $x_n$ are signals and $R$ is a point-wise n-ary relation/function extended canonically to signals. This construct imposes $y$, $x_1$, $\ldots$, $x_n$ to be simultaneously present, and $ii$) to hold values satisfying the equation $y := R(x_1, \ldots, x_n)$ whenever they occur. Its semantics is the following set of behaviors:

\[
\{ b \in \mathcal{B}_{y,x_1,\ldots,x_n} \mid tags(b(y)) = tags(b(x_1)) = \ldots = tags(b(x_n)) = C \cap \emptyset \} \\
\forall t \in C, b(y)(t) = [R](b(x_1)(t), \ldots, b(x_n)(t))
\]

where $[R]$ is a point-wise interpretation of the relation $R$.

- **Delay**: $y := x \times \mathcal{S} \mathcal{I} \text{ init } c$ where $y$, $x$ are signals and $c$ is an initialization constant. This construct imposes $i$) $x$ and $y$ to be simultaneously present while $ii$) $y$ must hold the value carried by $x$ on its previous occurrence. Its semantics is the following set of behaviors:

\[
\{ b \in \mathcal{B}_{x,y} \mid tags(b(y)) = tags(b(x)) = C \cap \emptyset \} \\
\forall t \in \mathcal{C} \backslash \{\min(C)\}, b(y)(t) = b(x)(\text{pred}_C(t))
\]

- **Under-sampling**: $y := x$ when $b$ where $y$, $x$, $b$ are signals. This construct imposes $i$) $y$ to be present only when $x$ is present and $c$ holds the value true, while $ii$) $y$ must hold the value carried by $x$ at those logical instants. Its semantics is the following set of behaviors:

\[
\{ b \in \mathcal{B}_{x,y,c} \mid tags(b(y)) = \{t \in tags(b(x)) \cap tags(b(c)) \mid b(c)(t) = \mathcal{S}\} \} \\
\forall t \in tags(b(y)), b(y)(t) = b(x)(t)
\]

- **Deterministic merging**: $z := x$ default $y$ where $z$, $x$, $y$ are signals. This construct imposes $i$) $z$ to be present when either $x$ or $y$ are present while $ii$) $z$ must always hold the value of $x$ uppermost, otherwise it takes the value of $y$. Its semantics is the following set of behaviors:

\[
\{ b \in \mathcal{B}_{z,x,y} \mid tags(b(s_1)) + tags(b(s_2)) = tags(b(s_1)) \mid tags(b(s_2)) = C \cap \emptyset \} \\
\forall t \in C, b(s_1)(t) = b(s_2)(t) \text{ if } t \in tags(b(s_1)) \text{ else } b(s_2)(t) = b(s_2)(t)
\]

- **Composition of processes**: union of the equations defined in processes, leading to the conjunction of the constraints associated with these processes. For a given set of observation points $T$, the composition on $T$ of processes $p_1$ and $p_2$, noted $p_1 + p_2$, is a process $p = \{(b \mid b_{\text{vars}(p_1)} \in p_1, b_{\text{vars}(p_2)} \in p_2)\}^*$ and $\text{vars}(p) = \text{vars}(p_1) \cup \text{vars}(p_2)$.

- **Restriction (or Hiding)**: local declarations in a process. The restriction, noted $p \text{ where } x$ (or $p \times x$ for short), of a process $p$ defined on $X \subseteq X$ to a process defined on $X \backslash \{x\}$, is defined as the following set of behaviors: $\{(b_2 \mid \exists b_1 \in p \wedge b_2 = b_1/x)\}^*$.

These constructs are expressive enough to derive new constructs of the language for comfort and structuring.

### 2.2.2 Clock calculus, endochrony and endo-isochrony

In SIGNAL, clocks are fundamentally the main means to express control-related properties, i.e. synchronizations between signals. They are ordered according to the following relation: a clock $\kappa_1$ is said to be greater than a clock $\kappa_2$, which is denoted by $\kappa_1 \geq \kappa_2$, if $\kappa_2$ is included in $\kappa_1$ in terms of sets of instants. The set of clocks associated with this relation is a lattice.

**Clock calculus.** The purpose of the clock calculus is on the one hand, to determine the existence of a greatest clock, called master clock, from which all clocks of a program can be extracted, and on the other hand, to verify the consistency of synchronization relations between signals. Nonetheless, in some programs, such a unique master clock may not exist.

#### Table 1

<table>
<thead>
<tr>
<th>Clock constraints in primitive constructs.</th>
</tr>
</thead>
<tbody>
<tr>
<td>$y := f(x_1, \ldots, x_n)$</td>
</tr>
<tr>
<td>$y := x \times \mathcal{S} \mathcal{I} \text{ init } c$</td>
</tr>
<tr>
<td>$y := x \times \text{ when } b$</td>
</tr>
<tr>
<td>$z := x \text{ default } y$</td>
</tr>
</tbody>
</table>

In this case, there are several local master clocks (see Section 3.1.3). TABLE 1 gives the clock properties associated with primitive constructs of SIGNAL (here, $[b] \equiv [b] \text{ resp. } [b] \equiv [b]$ denotes the set of instants where the Boolean expression $b$ is present and $true \equiv false$). Such properties are automatically inferred by the compiler from any program to be analyzed.

A specific option of the compiler enables to generate a file containing these properties under the form of clock relations defined in a SIGNAL program. Clock hierarchies can therefore be extracted from such a program.

**Signal allows one to explicitly manipulate clocks through some derived constructs such as the following ones (the equivalent expressions are given with primitive operators):**

- **Sampling**: $y := x$ when $b$ def $y := x$ when $b$. It expresses the fact that event signal $y$ occurs whenever the signal $b$ is true.

- **Clock union**: $y := x_1 \wedge x_2$ def $y := x_1 \text{ default } x_2$. It denotes the set of instants at which at least one signal $x_1$ occurs. Clock intersection and difference are also defined.

- **Synchronizer**: $x_1 \sim x_2$ def $\{ x \mid := x_1 \equiv x_2 \} / x$. It means that $x_1$ and $x_2$ have the same clock or are synchronous.

**Endochrony and endo-isochrony: key properties for program distribution.** The safe distribution of SIGNAL programs is possible thanks to two fundamental notions, endochrony and endo-isochrony, which have been formally defined in [37, 37].

In this paper, we only recall them informally and put them to work on our case study introduced in Section 1.4.

An endochronous program $p$ is a program that can be executed in an environment, which only provides $p$ with the values of its inputs, without any information about their status (present or absent). $p$ is able to reconstruct a unique synchronous behavior from any external (asynchronous) input flow of values. It is insensitive to external propagation delays. From the viewpoint of clocks, such a program holds a master clock $\kappa$ that plays the role of its activation clock. All the other clocks of $p$ are necessarily defined recursively from $\kappa$. They are smaller than $\kappa$ following the partial order $\geq$. The global clock hierarchy in $p$ therefore forms a tree where the root node represents the master clock of $p$ (see Section 3.1.1). Given any SIGNAL program $p$, the compiler is able to check whether or not $p$ is endochronous. An endochronous program is deterministic: for the same functional input values it yields the same functional output values whatever the external propagation delays are. The elementary processes defined by the instantaneous relations and delay primitive constructs are examples of very simple endochronous programs. All signals involved in these processes have the same clock, which is also the master clock. On the contrary, the elementary processes defined by the undersampling and merging primitive constructs are not endochronous programs since there is no master clock from which the clocks of involved signals can be inferred in
such a process. A more complex example of non endochronous program is shown in Section 3.1.2.

The isochrony property is used as a criterion under which the synchronous composition of a pair of processes $p_1$ and $p_2$ is equivalent to their asynchronous composition (i.e. involving "send/receive" like communications). It means that the order of the messages exchanged synchronously by $p_1$ and $p_2$ is always preserved when exchanged asynchronously. Thus, $p_1$ and $p_2$ can be safely deployed on GALS architectures. So, isochrony is an interesting property when one needs to have a pair of isochronous processes. It is a stronger criterion than the restriction on their common variables) to be endochronous as well. Endo-isochrony is a criterion that not necessary to have a pair of isochronous processes. It is a stronger criterion. However, its advantage is that it permits to deal with the isochrony property of $p_1$ and $p_2$ using the compiler by checking the endochrony of the different sub-parts of the composition, hence making things more pragmatic. Endo-isochrony is illustrated in Section 3.1.2.

2.2.3 A rich tool-set for validation

The SIGNAL design environment, POLYCHRONY, offers a compiler and a model-checker that support the trustworthy and pragmatically design approaches for safety-critical systems.

Two kinds of functional properties are distinguished about SIGNAL programs: invariant properties, e.g. consistency of clock constraints, endochrony of a program, and dynamical properties, e.g., reachability, liveness (see Section 3.2). The compiler itself statically addresses invariant properties. Dynamical properties are addressed by the SIGALI model checker, which relies on the theory of polynomial dynamical systems. Roughly speaking, a SIGNAL program is abstracted into a system of polynomial equations representing a symbolic automaton over the set $\mathbb{Z}/3\mathbb{Z} = \{-1, 0, 1\}$. This encodes all the possible status of any Boolean signal: 1 for true, 0 for false, and 0 for ⊥. For a non-Boolean signal, only the fact that this signal is present (whatever its value is) or absent is encoded. The presence is denoted by 1, and the absence by 0. It must be noted that this "translation" fully takes into account information about Boolean variables (values and clocks), whereas for non-Boolean signals, information on values are lost. Therefore, it is important that a SIGNAL program that will be analyzed by SIGALI is specified as much as possible using Boolean variables, since reasoning capabilities capture only synchronization and logic properties.

Finding a Boolean abstraction for a program is always possible. However, this abstraction may sometimes be not meaningful enough to adequately capture the properties of interest. Typically, some numerical properties require more powerful abstraction domains such as intervals or polyhedra (which may lead to complex analyses). These possible extensions have been studied previously in the SIGNAL compiler in order to improve its analysis capability. Nevertheless, with SIGALI, the $\mathbb{Z}/3\mathbb{Z}$ ternary abstract encoding is necessary. In general, a good way to obtain analyzable programs in this context consists in defining Boolean signals, usable for characterizing the relevant properties. In most cases, when such properties concern the control of a program behavior, i.e. synchronization constraints, one can easily find a direct Boolean encoding.

3 Specification and Correct Distribution

3.1 Model of the FWS functionality

Given an application, its functionality is first described as a hierarchical SIGNAL process $p = p_1 | \cdot | p_n$. Here, $p_1$ and $p_2$ denote the alarm notifier and manager processes (Section 3.1.1) while $p$ represents the FWS system (Section 3.1.2).

3.1.1 Alarm manager and notifier processes

Fig. gives an excerpt of the models of the processes composing FWS. Both are defined in a very similar way. So, we only present one of them: Alarm_Manager. The interface signals $\text{alarm_in}$ and $\text{alarm_out}$, at lines 3 and 4, are both declared as arrays of alarms. In SIGNAL, the input and output signals are introduced by the symbols "?" and "!" respectively. Here, their dimension is some fixed integer constant $n$. The type of an alarm, called $\text{alarm_type}$, is a structured type with two fields: $\text{pres}$ (resp. $\text{conf}$) of Boolean type that is true when an alarm is "present" (resp. "confirmed") and false when an alarm is "absent" (resp. "removed").

The body of the process is composed of five equations, from line 5 to line 11. The local signals $\text{cnt}$, $z\text{cnt}$ and $\text{start\_confirm}$ are used to specify when the process confirms alarms in equations at lines 5 to 8. The signal $\text{cnt}$ plays the role of a counter of logical instants. It is set to $k-1$ whenever its previous value $\text{cnt}$ becomes zero; otherwise its previous value is decremented by one. The static parameter $k$ at line 2 can be somehow seen as an initialization period value of $\text{cnt}$. The signal $\text{start\_confirm}$ denotes the logical instants at which a confirmation begins, described by equations at lines 8 and 9. It occurs when the counter value reaches some amount of time denoted by $\text{delay}$ within each cycle.

Note that the sub-process Alarm_Confirm, defined at line 15 and invoked at line 10, to produce the output $\text{alarm\_out}$, uses a derived construct of SIGNAL, referred to as array of processes, that enables to describe instantaneous iterations.

From the above equations and according to TABLE.1, we can deduce the following system of clock constraints associated with the process Alarm_Manager (for a signal $s$, we denote by $\text{clk\_s}$ its associated clock):

$$\text{clk\_cnt} = [\text{cnt} = 0] \cup \text{clk\_cnt}$$ (lines 5 & 6)
$$\text{clk\_zcnt} = \text{clk\_cnt}$$ (line 7)
$$\text{clk\_start\_confirm} = [\text{cnt} = \text{delay}]$$ (line 8)
$$\text{clk\_alarm\_in} = \text{clk\_start\_confirm}$$ (line 9)
$$\text{clk\_alarm\_out} = \text{clk\_alarm\_in}$$ (lines 10 & 19)

After reductions of the above system, we obtain the following clock hierarchy:

$$\text{clk\_cnt} \equiv \text{clk\_zcnt}$$
$$[\text{cnt} \neq \text{delay}] \equiv [\text{cnt} = \text{delay}] \equiv \text{clk\_start\_confirm} \equiv \text{clk\_alarm\_in} \equiv \text{clk\_alarm\_out}$$

We can see that the master clock is the one of $\text{cnt}$, which is the same for $\text{zcnt}$. The other clocks of the process are defined following a partitioning of the values of $\text{zcnt}$ w.r.t. the value of $\text{delay}$. As a result, the process Alarm_Manager is
endochronous (hence deterministic). In a similar way, we prove
that the process Alarm_Notifier is also endochronous. More
generally, the SIGNAL compiler allows one to automatically
check the endochrony property of a process based on this
technique and to generate an associated simulation code.

3.1.2 Global model of the FWS system

Fig. 5. Excerpt of the SIGNAL code of alarm manager (left) and notifier processes (right).

process Alarm_Manager =
\{ integer k, delay \}
\{ ? [n] alarm_type alarm_in; \}
\{ ! [n] alarm_type alarm_out; \}
\{ (| s0:= when alarm[0].conf \}
\{ \|; \}
end;

process Alarm_Notifier =
\{ integer k, delay \}
\{ ? [n] alarm_type alarm; \}
\{ ! event s_0,...,s_n-1; \}
\{ (| s0:= when alarm[0].conf \}
\{ \|; \}
end;

We clearly distinguish the clock trees associated with
Alarm_Manager and Alarm_Notifier. There is no master
clock because the clocks of the sub-processes (clk_cnt1 for
Alarm_Manager and clk_cnt2 for Alarm_Notifier) are
included in none of each other. However, they share com-
mon instants at which the alarm transfer is done between
the manager and the notifier processes. Such instants are
defined only when both zcnt in Alarm_Manager and zcnt in
Alarm_Notifier are respectively equal[d1] and d2. Such a
requirement appears under the form of a clock constrai
ment generated by the SIGNAL compiler. The corresponding
code which is automatically produced ("force" option of
the compiler) from such a model contains exception messages
that are thrown whenever the clock constraints are not satisfied
during code execution.

In such a situation, it means that either the environment
of the two concurrent processes is able to guarantee that they
can synchronize at the required specific logical instants, and
the model will execute as expected; or it is not possible, and
the output of the whole system model is undefined whenever
the clocks of the two processes fail to agree. In SIGNAL,
the special construct called assert offers the way to define
assumptions in programs [14]. It could be used here to meet
the requirement on the concurrent execution of Alarm_Manager
and Alarm_Notifier processes.

On the other hand, one can think of another specification of
the FW_System model in which the confirmed alarm values
tmp are transferred via a "clock-less" memory, which is made
available whenever a process needs to make an access to this
memory. This is obtained very easily by introducing a new
equation in the body of FW_System, which defines a local
signal tmp_mem as follows: tmp_mem := (var tmp). Then,
instead of putting tmp as input for Alarm_Notifier at line 7
in FIG.6 we consider tmp_mem. The "var operator allows one
to memorize the value of tmp in tmp_mem [14]. The clock of
tmp_mem is the one of the context in which it is used, i.e., the
memorized value is available whenever required.

In this second version of the FW_System model, there is

1. Note that zcnt in Alarm_Manager and zcnt in
Alarm_Notifier are different instances; they have different
clocks and evolve according to two different logical time scales.
no longer clock constraints on the specific instants at which the concurrent processes must exchange information. Their associated master clocks are completely independent, with a possible empty set of common instants. In this case, the compiler generates no clock constraints and automatically produces a code without any exception message.

A very interesting feature of the FW_System model is that it satisfies the endo-isochrony property: first, Alarm_Manager and Alarm_Notifier models are both endochronous; second, their communicating part which consists of the single signal tmp (see Fig. 6) is trivially endochronous. Indeed, a single signal yields a clock hierarchy with only one clock node, which consequently forms a clock tree. The clock hierarchy associated with FW_System typically illustrates the endo-isochrony of a pair of processes. In particular, the synchronous communication between Alarm_Manager and Alarm_Notifier via tmp can be equivalently replaced by an asynchronous communication while still preserving the semantics of the FW_System model.

At this stage, some preliminary verification can be done on the FW_System model in order to make sure that it conforms to its expected specification requirements. Typically, one may check the absence of null clocks in the defined model using the compiler. The presence of such clocks denote a possible absence of reactions during the execution of the program. This is often undesirable for reactive systems.

3.2 Architecture model and manual distribution

The hardware architecture on which the previous application functionality model will be mapped is now defined. For the sake of simplicity, only processors are represented. Concretely, each processor is graphically modeled as an empty box.

Afterwards, one can proceed to the mapping of the application functionality on the hardware architecture in the POLYCHRONY graphical user interface. A SIGNAL code can be duplicated in different processor boxes; so, code replication is allowed. From this mapping, a new description of the system denoted by \( p' = p_1 \mid \ldots \mid p_m \) is obtained, which reflects the target hardware architecture (\( m \) denotes the number of processors). Fig. 7 illustrates the distribution of the FWS model on a two-processors architecture, i.e. \( m = 2 \).

![Fig. 7. Graphical distributed model of the FWS system.](image)

We can notice that the sub-processes \( p'_i \) may not necessarily endochronous: after the mapping, \( p'_i \) can be obtained from the composition of different sub-processes \( p_i \) characterized by different clock trees without a common root clock.

3.3 Automatic transformations

Let us consider the model \( p' \) resulting from the mapping of the application functionality on the processors. The main purpose is to transform the process \( p' \) so that: i) \( p' \) fully preserves the functional semantics of \( p \) and ii) the sub-processes \( p'_i \) become endochronous and \( p' \) itself becomes endo-isochronous.

So, each process \( p'_i \) is compiled modularly in the context of \( p \): from the clock hierarchy of \( p_i \) the clock hierarchy of \( p'_i \) is transformed in such a way that it becomes a clock tree, i.e. \( p'_i \) becomes endochronous. For that, Boolean interface signals are used (each root node in a clock hierarchy of a non endochronous process is associated with a Boolean signal, and all these signals are made synchronous). On the other hand, some transformations are performed in order to render the communication part endochronous between the endochronous processes \( p'_i \). For that, additional communicating signals are inserted between processes, which enable each process \( p'_i \) to receive all information it requires to execute. The result of these transformations is carried out automatically on the graphical representation of \( p' \) within the POLYCHRONY editor. In the obtained transformed process, denoted by \( p'' \), the information exchanges between processes are described by instantaneous communications. Here again, possible verification techniques can be applied to \( p'' \) in order to ensure that it still preserves the functional properties of \( p \).

For our FWS system model, all the above transformations are not necessarily required since FW_System is already endo-isochronous as shown before. The only effect of these transformations is the automatic insertion of the communicating ports on processor boxes and the connections between these ports.

4 DEPLOYMENT ON SPECIFIC PLATFORMS

In order to refine the descriptions obtained from the previous steps of the methodology, a set of predefined components is proposed, which is usable to instantiate various aspects of the system: asynchronous communication mechanisms such as the FIFO buffer modeled in this paper, execution supports (e.g., tasks and processes), system-level primitives for task management as well as for synchronization and inter-task communication services (e.g. the APEX service models [23]). These components have been modeled in SIGNAL and are grouped in a library available in the POLYCHRONY platform.

4.1 Design of a library of components

We consider the FIFO queue presented in [21], to show how asynchronous communication mechanisms can be defined in SIGNAL, and proved to be correct. This queue is well adapted as mechanism to model a message buffer on which send/receive requests can be achieved by endo-isochronous processes. In addition, in the architecture level, it will be easily extended to model a bus. Compared to [21], here we give a more complete presentation of the design and analysis. A first model of FIFO queue is presented (basic_FIFO); then, a more constrained version (safe_FIFO) is defined from the first one and its key properties are checked.

4.1.1 A basic FIFO queue

We call basic FIFO, a message queue that works as follows.

On a write request, the incoming message is inserted in the queue regardless of its size limit. When the queue was previously full, the oldest message is lost. The other messages are shifted forward, and the incoming one is inserted in the queue. On a read request, there is an outgoing message whatever the queue status is. When it was previously empty, two situations are distinguished: if there is not yet any written message,
Fig. 8. Model of the basic FIFO and an execution trace (msg_type, size and def_msg are respectively integer, 2 and -1).

an arbitrary message called default message is returned; else the outgoing message is the message that has been read last. Furthermore, for simplicity we suppose that simultaneous write/read requests on the queue never occur.

The SIGNAL model corresponding to the basic FIFO is given in Fig. 8. It is defined as a SIGNAL process, represented by the keyword process (line 1). The static parameters msg_type, size and def_msg, declared at line 2, respectively denote the type of messages, the size limit of the queue, and the default message value. The input signals msg_in and access_clock (line 3), are respectively the incoming message (its presence denotes a write request), and the queue access clock (i.e. instants of read/write requests). The output signals (line 4), are msg_out, nbmsg, OK_write and OK_read. They respectively represent the outgoing message, the current number of messages in the queue, and conditions for writing and reading.

Now, we can take a look at the meaning of the statements in the process body. Let us begin with the equation at line 7; it defines the local signal prev_nbmsg, which denotes the previous number of messages in the queue. This signal is used in equations at lines 8 and 9 to define respectively when the queue can be “safely” written (the size limit is not reached), and read (there is at least one message received). This is the meaning of the signals OK_write and OK_read.

The statement at lines 5 and 6 expresses how the current number of messages is calculated. The previous value of this number is incremented by one on a write request when the queue was not full. It is decremented by one on a read request when the queue was not empty. Otherwise, it remains unchanged. The equation at line 14 states that the value of nbmsg is defined whenever there is a request on the queue.

The equation at line 10 defines the message queue. The signal queue is an array of dimension size that contains the size latest values of msg_in (expressed by the window operator). The cell operator makes the signal queue available when access_clock is present. The semantics of these derived constructs is as follows:

- Sliding windows. In y := x window k init y_init, the signal y is an array of size \( k \geq 1 \) whose elements have the same type as signal x; and y_init is an array of dimension \( k' \geq k - 1 \), containing initialization values. This equation defines a sliding windows on x, of constant size k such that:
  \[
  (\forall i \geq 0) \quad ((t + i \geq k) \Rightarrow (y[i] = x_{t-k+i+1}) \lor (1 \leq t + i < k) \Rightarrow (y[i] = y_init[t-k+i+2]))
  \]

- Memory. The expression y := x cell b init c enables to memorize the values of the signal x. It is defined as:
  \[
  (\exists y := x \text{ cell } b \text{ init } c) \quad (y := x \text{ when } b)
  \]

The signal y takes the value of x when x is present. Otherwise, when x is absent and the signal b is present and holds the value true, y memorizes the latest value of x. When b is present and true before the first occurrence of x, y is initialized with the constant c. The clock of y is the union of x and [b].

Finally, the statement at lines 11 and 12 means that on a read request (i.e. at the clock msg_out), the outgoing message is either the previous one if the FIFO is empty (defined at line 13), or the oldest message in the queue.

4.1.2 A safe FIFO queue

In the model depicted in Fig. 8 the interface is slightly different from that of basic_FIFO. The new input signal get_msg denotes a read request. The signal nbmsg is local.

The statement at line 9 defines the access clock as the union of instants at which read/write requests occur. Equations at lines 10 and 11 specify the safe access to the queue in basic_FIFO. The process call at lines 12, 13 and 14 has the same parameters as for basic_FIFO are considered.

Through the above modeling approach, we observe that modularity and reusability are key features of the SIGNAL programming. They favor component-based design.

Fig. 10 shows the FWS model in which the communication between Alarm_Manager and Alarm_Notifier is achieved via the safe_FIFO model. Note the modification in the Alarm_Notifier at line 27 where the new output signal get_msg denotes read requests on safe_FIFO.
4.2 Ensuring the reliability of components

4.2.1 Safety and fairness

To check the properties of the safe_FIFO process, we consider an abstraction based on its state variables, i.e., signals defined by delay or memory operators in the process. These signals feature the dynamics of the system defined by the process. Here, the state variables are nbmsg, queue, and prev_msg_out (defined in basic_FIFO). They entirely reflect the dynamics of the equation system associated with safe_FIFO. Let us represent the state of this system by $\sigma$. When the queue is full (resp. empty), the value of $\sigma$ is noted full (resp. empty); otherwise it is equal to none. Let $[\text{safe_FIFO}]$ denote the set of behaviors associated with safe_FIFO and $b$ a behavior that belongs to this set, we address the following important properties of the safe_FIFO in order to guarantee its robustness:

Property 1 (safe read requests): The safe_FIFO queue never delivers an output message on a read request whenever it is empty (and its state remains unchanged): $\forall b \in [\text{safe_FIFO}], T = \text{tags}(b(\text{get_msg}))$,

$$t \in T \land t \neq \min(T) \land b(\sigma)(\text{pred}(t)) = \text{empty} \Rightarrow b(\sigma)(t) = b(\sigma)(\text{pred}(t)) = \text{empty} \land t \notin \text{tags}(b(\text{msg_out})) \quad (2)$$

Property 2 (write requests): The safe_FIFO queue never accepts an input message on a write request whenever it is full (and its state remains unchanged): $\forall b \in [\text{safe_FIFO}], T = \text{tags}(b(\text{msg_in}))$,

$$t \in T \land t \neq \min(T) \land b(\sigma)(\text{pred}(t)) = \text{full} \Rightarrow b(\sigma)(t) = b(\sigma)(\text{pred}(t)) = \text{full} \land t \notin \text{tags}(b(\text{new_msg_in})) \quad (3)$$

We recall that the signal new_msg_in, which is defined in the safe_FIFO process, at line 10, denotes incoming messages that are effectively enqueued.

Property 3 (fair read requests): A message can always be read from the safe_FIFO queue, whenever it is not empty: $\forall b \in [\text{safe_FIFO}], T = \text{tags}(b(\text{msg_out}))$,

$$t \in T \land t \neq \min(T) \land b(\sigma)(\text{pred}(t)) \neq \text{empty} \Rightarrow t \in \text{tags}(b(\text{msg_out})) \quad (4)$$

Property 4 (write requests): A message can always be written in the safe_FIFO queue, whenever it is not full: $\forall b \in [\text{safe_FIFO}], T = \text{tags}(b(\text{msg_in}))$,

$$t \in T \land t \neq \min(T) \land b(\sigma)(\text{pred}(t)) \neq \text{full} \Rightarrow t \in \text{tags}(b(\text{new_msg_in})) \quad (5)$$

The values of $\sigma$, the state of the system corresponding to safe_FIFO, can be defined by considering the signals OK_write and OK_read. The definition of these signals is itself based on the current number of enqueued messages, represented by nbmsg. Thus, $\sigma$ can be characterized, using nbmsg, as follows: $\forall b \in [\text{safe_FIFO}] \forall t \in \text{tags}(b)$,

$$b(\sigma)(t) = \text{full} \Leftrightarrow b(\text{nb_msg}(t)) = \text{size} \quad (6)$$

$$b(\sigma)(t) = \text{empty} \Leftrightarrow b(\text{nb_msg}(t)) = 0$$

$$b(\sigma)(t) = \text{none} \Leftrightarrow 0 < b(\text{nb_msg})(t) < \text{size}$$

Since SIGALI does not address numerical properties, we must also find a Boolean encoding (or abstraction) for nbmsg.
4.2.2 Abstraction and verification by model-checking

As shown in Fig. 11 a n-FIFO queue can be represented by an automaton with $(n+1)$ states, where a state denotes the current number of messages in the queue. For the sake of simplicity, we consider a 2-FIFO queue since all possible relevant configurations can be addressed. So, the result remains valid for any bounded n-FIFO queue where $n > 2$.

![Fig. 11. Abstraction of a n-FIFO by a 2-FIFO with error states.](image)

The automaton illustrated in Fig. 11 represents a behavior abstraction of a n-FIFO queue by a 2-FIFO queue. It relies on the behavioral isomorphism between both FIFO queues, which can be trivially observed. A state $sk$ (represented by a circle) denotes that the queue contains $k$ messages, i.e. $\forall k \in \{0, 1, 2\}$:

$$nbmsg = k \Rightarrow sk = true \land (nbmsg \neq k \Rightarrow sk = false)$$

The state $s0$ represents the initial state. Labels $msg_in$ and $msg_out$ are respectively write and read requests. Two special states (represented by rectangles) have also been added. They characterize “illegal” accesses to the queue: ERR_empty is reached on an attempt to read an empty queue, and ERR_full is reached when overwriting a full queue. They are also encoded by Boolean variables. Automata are very easy to specify in SIGNAL. For instance the state $s0$ and its associated transitions are defined as follows:

```
1 \{s0:= (true when prev_s1 when (msg_out))
2   default (false when prev_s0 when
3     (msg_in ^ msg_out)) default prev_s0
4     |prev_s0 := s0$1 init true \}
```

All the other states are specified in a similar way. It follows the definitions of signals OK_write and OK_read below:

```
1 \{OK_write:= false when (prev_err_full or prev_s2) default true
2     |OK_read:= false when (prev_err_empty or prev_s0) default true \}
```

The first equation means that a write request is not authorized when there are already two messages in the 2-FIFO queue ($prev_s2$ is true), or when the queue has been overloaded previously ($prev_err_full$ is true); otherwise it can be accepted. In a same way, the other statement specifies when a read request is legal.

The signals $s0, s1, s2, ERR_empty, ERR_full, OK_write$ and $OK_read$ are synchronized with access_clock.

The reachability of “error” states (i.e. safety properties) is concretely checked with SIGNAL by considering the script given in [21].

To verify properties 3 and 4 we consider observers, represented by Boolean state variables. We have to show that these variables are always true. Let $obs4$ and $obs3$ denote respectively the observers for Properties 4 and 5.

- Property 4 is described as follows:
  - On a write request (denoted by the presence of $msg_in$), when the queue is either in $s0$ or $s1$, the signal $obs4$ carries the value true if the message is actually written into the queue (i.e. $new_msg_in$ is present), else $obs4$ is false.
  - Otherwise, $obs4$ keeps its previous value.

The corresponding SIGNAL code is:

```
1 \{|actual_w:= true
2     when(*new_msg_in) default false
3     \}obs4 := actual_w when(z_s0 or z_s1)
4     when(*msg_in) default z_obs4
5     |z_obs4 := obs4 $ 1 init true \}
```

Here also, all the new variables have the same clock as the signal access_clock. Then, the fairness properties can be checked as shown in [21].

4.2.3 Queueing order preservation

We have to prove that the safe_FIFO queue actually preserves the arrival order of enqueued messages. The idea consists in considering the flow of input messages in the call to basic_FIFO at line 13 in Fig. 9. Such a flow corresponds to that of signal new_msg_in. Indeed, only the values of this signal are taken into account and read afterwards. We therefore need to verify the following property:

Property 5 (order preservation):

- $(E_1)$: the order of values present in the input flow is preserved by the definition of the message queue: $\forall b \in \text{safe_FIFO}$ \\ \ $\forall v, v' \in V$ s.t. $\exists t, t'$ with $v = b(new_msg_in)(t), v' = b(new_msg_in)(t')$ and for $i, i'$ the respective indices of $v$ and $v'$ in queue $\Rightarrow t \leq t'$.

- $(E_2)$: the order of values in the output flow is the same as the message queue: $\forall b \in \text{safe_FIFO}$ \\ \ $\forall v, v' \in V$ t.q. $\exists t, t'$ with $v = b(msg_out)(t), v' = b(msg_out)(t')$ and $i, i'$ as above, the following holds: $i \leq i' \Rightarrow t \leq t'$.

The order preservation property is specifically related to the properties of specific SIGNAL constructs used in the FIFO queue model. A proof of this property is in Appendix Section.

4.3 Use of safe_FIFO in architecture model

We have shown that the above FW_System model can be safely described with asynchronous communication mechanisms between its concurrent processes Alarm_Manager and Alarm_Notifier. Now, let us imagine a deployment of this system on a given architecture as illustrated in Fig. 9.

In this architecture, there are two processors Processor 1 and Processor 2 that communicate via a bus called Bus. The main feature of such an architecture that is taken into account in our
models is clock constraint. Each of the three components holds its own activation clock, which is different from those of others. Let us denote by $K_{p1}$, $K_1$ and $K_{p2}$ the clocks corresponding respectively to Processor 1, Bus and Processor 2.

The bus model considered here is obtained from the previous safe_FIFO model on top of which a master clock is defined (see Fig. 12). This clock $K_1$ is represented by $\text{cnt}$ in the Bus process. It enables to define the instants at which incoming and outgoing transferred data are respectively accepted and processed. It enables to define the instants at which incoming data can be accepted by the bus. Its value belongs to the interval $[0..k-1]$ (note that $k$ is also a static parameter in Bus).

### 5.1 Clock synchronizability issues

Affine clocks have been introduced in the SIGNAL clock calculus for this purpose [43], and more precisely in order to deal with synchronizability issues in a more “relaxed” way than usually in synchronous languages. Formally, an affine transformation of parameters $(n, \phi, d)$ applied to a clock $K_1$ produces a clock $K_2$ by inserting $(n-1)$ instants between any two successive instants of $K_1$, and then counting on this fictional set of instants each $d^{th}$ instant, starting with the $\phi^{th}$. Clocks $K_1$ and $K_2$ are said to be in $(n, \phi, d)$-affine relation, noted as $K_1^{(n, \phi, d)} K_2$.

The following trace depicts $K_1^{(3,1,4)} K_2$, where $"i"$ denotes the presence of a clock $K_i$:

$$
\begin{array}{cccccccccc}
& 0 & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & \ldots \\
K_{p1}: & t & \perp & \perp & t & \perp & \perp & t & \perp & \perp & t & \ldots \\
K_1: & t & \perp & \perp & t & \perp & \perp & t & \perp & \perp & t & \ldots \\
K_{p2}: & t & \perp & \perp & t & \perp & \perp & t & \perp & \perp & t & \ldots \\
\end{array}
$$

In affine clock systems, two different clocks are said to be synchronizable if there is a dataflow preserving way to make them actually synchronous.

To show how such a notion can help to address non-trivial design decisions, let us consider the following allocation choices needed by a designer:

- to allow for a coherent communication protocol in this architecture, the following affine relations are assumed: $K_{p1}^{(1,\phi_1,d_1)} K_1$ and $K_{p2}^{(1,\phi_2,d_2)} K_2$;
- to satisfy some production-consumption rate which enables the Alarm_Manager process to confirm a certain number of alarms before their notification by the Alarm_Notifier process, an affine relation is assumed between their respective clocks $clk_{cnt1}$ and $clk_{cnt2}$: $clk_{cnt1}^{(3,\phi_3,d_3)} \rightarrow clk_{cnt2}$.

While the first constraint is related to the architecture, the second one is purely functional.

Now, let us assume that only the clock $clk_{cnt1}$ of the Alarm_Manager process is identical to the clock of its associated processor, i.e. $K_{p1}$. So, the main question is which parameter values in the affine relations allow the designer to guarantee the synchronizability of the clocks $clk_{cnt2}$ and $K_{p2}$ with respect to the above architectural and functional constraints.

The answer is given by solving the following system:

$$
\begin{align*}
\phi_1 + d_1 \phi_2 &= \phi_3 \\
\phi_2 &= d_3
\end{align*}
$$

The above simple example shows how to practically solve a typical synchronizability problem in a polychronous design by using the SIGNAL compiler. We believe that a great advantage of this technique is that it enables to deal with large designs via adequate clock abstractions: one only needs to capture the relevant clock variables associated with system components and the synchronization relations between these clocks (from the full system specification). This will significantly reduce the size of the system model to be analyzed. Of course, the scalability limitation is that of our compiler [5].

More generally, formal verification tools, offering a support to the analysis of multi-clock systems, significantly help designers to adequately address several issues on the development of distributed embedded systems. An example is the bounded model-checking (BMC) technique, which has been applied to multi-clock systems in [24]. This method is scalable and allows one to check designs very fast thanks to SAT tools. It becomes worthy when, e.g., the compiler does not scale. However, its main inconvenient is that it only gives a partial guarantee.
about proofs. So, BMC is clearly not sufficient alone but is a good complement to the other verification tools.

5.1.2 Applicability to the design of specific systems

Integrated Modular Avionics (IMA) are typical distributed systems that can greatly benefit from the synchronous multi-clock modeling. In particular, the SIGNAL clock synchronizability analysis offers an interesting basis to deal with the very challenging issue of finding suitable resource allocation strategies in IMA architectures.

In such architectures: i) time and memory resources are divided into partitions, which are associated with different functions at run-time; ii) partitions are composed of processes, representing the execution units that communicate within the same partition or with processes from other partitions. Partitions are scheduled according to a static cyclic policy while process scheduling is priority preemptive.

IMA-based implementation platforms assume the specific ARINC 629 Data Bus and the 659 Backplane Data Bus. Both buses adopt cyclic time-triggered message scheduling. In such a context, considering affine clocks can be significantly worth to designers to address the consistency of, on the one hand partition allocation to cyclic processors, and on the other hand cyclic processor schedules with ARINC 629 and 659 buses. This can be carried out on an IMA-based design of the FWS system, where processes are associated with partitions that execute on different processors communicating via ARINC 629 and 659 buses. The system enables to address partition allocation and communication constraints.

Further important implementation platforms for which the previous synchronizability analysis is very useful are those achieving communications with the Avionics Full Duplex Switched Ethernet (AFDX) technology as in the Airbus A380. AFDX is very interesting because it is faster than its predecessors such as ARINC 629. It is based upon Ethernet and TCP/IP general principles. It is not time-triggered unlike the above two buses. Accordingly, with such a technology, dealing with the correct synchronization for the safe communication is more difficult. We believe that the polychronous model could be used to describe partial clock relations that capture the main synchronization points in an AFDX-based system. Then, the available analysis tools and techniques can be again applied to reason about the system behavior.

Large scale system-on-chip. The polychronous model is a good solution to deal with the shortcomings of GALS design frameworks in general, which adopt ad hoc methods where synchronous components are encapsulated with wrappers and communications are achieved by handshake. As illustrated in this paper, it allows one to uniformly model both aspects and formally validate the global system w.r.t. its correctness requirements. In addition, its vision of the synchrony-asynchrony link is suitable for large scale system-on-chip design.

5.2 Automatic code generation

After the non functional analysis of the deployed model of the FWS system, we can now consider an automatic modular code generation. Since, each “processor” is endochronous, the associated code can be generated independently from the other processors. The same holds for communications. This generation is necessarily achieved in the form of clusters. In SIGNAL, a cluster denotes a group of statements that depend on the same sub-set of input data. This type of code generation is particularly interesting in that it enables an efficient execution for each processor. Indeed, the operating system supported by a processor is solicited less often because of the reduced number of commutations. The code corresponding to clusters is generated in various C, C++ or Java. In the current experimental implementation of the code generation process in POLYCHRONY, the obtained code is mainly intended for functional simulation of distributed applications.

6 Discussions

All the design steps and analyses presented in our methodology are achieved within the POLYCHRONY environment, which provides the required tools, e.g. the SIGNAL compiler and the SIGALI model-checker. Along this presentation, we have stressed the advantages of our proposition for the reliable design of distributed embedded systems.

First, compared to mainstream implementation approaches that may rely for instance on C or Java programming, the synchronous programming offers well adapted specification concepts enabling a designer to safely describe systems. As an example, let us consider the endochrony property. Given a program $p$ that satisfies such a property, $p$ is able to read its required input data at the appropriate instants, based on its current state, from any asynchronous streams of input data. There are straightforward conditions in the compilation of SIGNAL programs, enabling to characterize this property of $p$: when the resulting overall clock hierarchy of $p$ yields a tree of clocks. This property is not necessarily easy to achieve in mainstream approaches. In such approaches, test mechanisms for checking the availability of the input data required by a program must be defined. Endochrony will be therefore obtained by associating a given function in C or Java with an additional piece of code conferring this function the ability to decide alone which input data must be read during its execution. There are further benefits of synchronous programming over the use of synchronization mechanisms such as monitors in a language like Java. In synchronous programs, the fact that at any instant, an object, i.e. a signal, is written only once is guaranteed by construction. So, one does not need to consider some additional protection mechanism to enforce safe writes.

As a result, the risk to get errors related to the usage of such delicate mechanisms is avoided. We can also mention the important role that play the formal tools and techniques provided by the synchronous technology for a trustworthy validation of designs.

From a methodological point of view, an interesting feature of our proposition is that it promotes correct-by-construction design: there is no need to (thoroughly) check the correctness of a system after design. This significantly reduces the validation efforts, which can take about 70% of the overall design cost. The abstract level at which the design is addressed (in the synchronous approach) enables to deal with the inherent complexity of distributed systems by leaving away the unnecessary details. It therefore favors a rapid exploration of different alternatives about system distribution so as to get relevant feedback for an adequate design choice.

However, in order to take advantage of all the above features of our approach in the design of real-life systems, the designer must have some knowledge of synchronous programming. In order to overcome this obstacle, there are currently significant efforts to provide a very advanced user-friendly interface for POLYCHRONY. The resulting new environment, referred to as SME, is an Eclipse plugin. It aims to be accessible to a wide
audience and is available online for free at the same address as POLYCHRONY. On the other hand, in the current status of our approach, some expertise in the SIGNAL clock calculus may be required to check the clock hierarchies, which serve to characterize the correctness of a system distribution. An important future improvement of our work is the automatic application of the distribution criteria (endo-isochrony) on any Signal model of a system so as to decide about its partitioning. Finding a solution to this issue will save the designer from analyzing possible complex clock hierarchies generated by the compiler for the distribution. Finally, for real systems, we can also mention another limitation of our approach, resulting from the simplifications considered in the architecture model. All physical components such as memory caches or hardware accelerators and their specific characteristics are not taken into account. Some abstractions of these components could be studied, and taken into account to ameliorate the distribution criteria.

7 Conclusions

In this paper, we presented how safety-critical distributed embedded systems are practically designed using the polychronous model, associated with the synchronous language SIGNAL. This model enables to describe systems with components that hold different activation clocks. We proposed a methodology that ensures a correct-by-construction implementation of these systems from high-level models in POLYCHRONY, the development framework of SIGNAL. This has been demonstrated on a case study from the avionic domain. The endochrony and endo-isochrony properties of SIGNAL specifications have been used as key notions to design the distribution of applications on execution platforms. These platforms contain asynchronous communication mechanisms, which have been also modeled in SIGNAL and proved to achieve message exchanges correctly. An important remark is that the formal verification techniques and tools available in POLYCHRONY are applicable at almost all design steps of our methodology in order to check the correctness of intermediate results. In particular, the analysis of non functional properties of the deployed system model has been addressed by dealing with clock synchronizability issues between the different multirate parts of the system. Finally, a distributed code can be automatically generated from this model.

A very interesting perspective to the presented work concerns the automatic application of the identified design criteria in SIGNAL to distribute a system. That is, given a system $S$, how could the compiler automatically use the endo-isochrony property to distinguish the different sub-parts $S_1, ..., S_n$, to be mapped on different processors such that $S = S_1 | ... | S_n$, and how could it select the suitable communication mechanisms from an existing library? It seems that the answer to these questions, in particular to the former, requires to analyze the combinatorics of the solution space of a system decomposition, which can be a priori large.

References


