Number 75, October 2008 ERCIM NEWS European Research Consortium for Informatics and Mathematics www.ercim.org

Special: Safety-Critical Software Editorial Information

ERCIM News is the magazine of ERCIM. Published quarterly, it reports on joint actions of the ERCIM partners, and aims to reflect the contribution made by ERCIM to the European Community in Information Technology and Applied Mathematics. Through short articles and news items, it provides a forum for the exchange of information between the institutes and also with the wider scientific community. This issue has a circulation of 10,500 copies. The printed version of ERCIM News has a production cost of €8 per copy. Sub- scription is currently available free of charge.

ERCIM News is published by ERCIM EEIG BP 93, F-06902 Sophia Antipolis Cedex, France Tel: +33 4 9238 5010, E-mail: [email protected] Director: Jérôme Chailloux ISSN 0926-4981

Editorial Board: Central editor: Peter Kunz, ERCIM office ([email protected]) Local Editors: Austria: Erwin Schoitsch, ([email protected]) Belgium:Benoît Michel ([email protected]) Denmark: Jens Bennedsen ([email protected]) Czech Republic:Michal Haindl ([email protected]) France: Bernard Hidoine ([email protected]) Germany: Michael Krapp ([email protected]) Greece: Eleni Orphanoudakis ([email protected]) Hungary: Erzsébet Csuhaj-Varjú ([email protected]) Ireland: Ray Walsh ([email protected]) Italy: Carol Peters ([email protected]) Luxembourg: Patrik Hitzelberger ([email protected]) Norway: Truls Gjestland ([email protected]) Poland: Hung Son Nguyen ([email protected]) Spain: Salvador Lucas ([email protected]) Sweden: Kersti Hedman ([email protected]) Switzerland: Harry Rudin ([email protected]) The Netherlands: Annette Kik ([email protected]) United Kingdom: Martin Prime ([email protected]) W3C: Marie-Claire Forgue ([email protected])

Contributions Contributions must be submitted to the local editor of your country

Copyright Notice All authors, as identified in each article, retain copyright of their work

Advertising For current advertising rates and conditions, see http://ercim-news.ercim.org/ or contact [email protected]

ERCIM News online edition The online edition is published at http://ercim-news.ercim.org/

Subscription Subscribe to ERCIM News by: sending email to [email protected] or by filling out the form at the ERCIM News website: http://ercim-news.ercim.org/

Cover photo: An A380 flies over Hong Kong. © Airbus S.A.S.

Next issue: January 2009, Special theme: Sensor Web. ERCIM NEWS 75 October 2008 Keynote

Beware of the Computer: the Invasion of Embedded Systems

Embedded systems are becoming ubiquitous. Most existing computers do not have a screen, a keyboard or a mouse. Instead, they are hidden in innumerable kinds of objects: automobiles, trains, aeroplanes, tractors and cranes, domestic appliances, medical devices, robots, telephones, cameras, TVs, music players, smartcards etc. Because of the flexibility and efficiency of information processing, computerized systems are progres- sively replacing manual, mechanical and hydraulic systems. For instance, railways and subways the world over are being gradually transformed: electronic signalling, switching and dynamic scheduling are becoming the rule. In the near future, computerized objects will communicate with each other without human intervention and will be networked. For Gérard Berry, instance, cars will talk to each other and to the road, which will itself communicate with Chief Scientist, Esterel Technologies; the city in order to organize traffic. Autonomous sensors will detect forest fires or river Member of the ERCIM Advisory Board; floods. One can safely predict that there will be many more autonomous objects than Member Académie des sciences, human beings connected to our networks, including to the Internet. Académie des technologies, and Acade- mia Europaea. On the hardware side, embedded systems are principally composed of sensors, actuators and Systems on Chips (SoCs) that themselves assemble heterogeneous components: processors, DSPs, video engines, radio circuits etc. On the software side, they may involve large programs running on these heterogeneous platforms. Compared to classi- cal screen-and-keyboard computer applications, the constraints are much more stringent: efficiency (especially for power consumption), autonomy, real-time reactivity, usability, dependability, and above all, safety. All these aspects come under analysis in this issue of ERCIM News.

Until the 80s, embedded systems design was quite separate from mainstream computer design. It was mostly done by control engineers who used specific micro-controllers or programmable logic controllers (PLCs), with comparatively low-level programming languages and technology. Little dedicated research was done in the mainstream com- puter science community. In the early 80s, a few research groups recognized the impor- tance of the subject and the need for specific design techniques. Three French groups introduced new formal synchronous languages (Esterel, Lustre and Signal), which led to the embedded hardware and safety-critical software design tools now sold by my com- pany. Several groups worked on program formal verification, for which Joseph Sifakis was given the Turing Award in 2007 (along with E. Clarke and A. Emerson from the USA). In Israel, David Harel introduced Statecharts, a breakthrough graphical formal- ism for hierarchical state machine design, which also had a bright industrial develop- ment. At UC Berkeley, the Ptolemy and Polis groups developed new formal technology with applications ranging from circuit design to distributed control over networks. Other labs joined the movement in the 90s. It has to be noted that all the major breakthroughs were made in labs that gathered people from different areas (control theory, program- ming language semantics, electronic circuit design etc) and that had strong connections with industry. By nature, embedded systems design is multidisciplinary and linked to application.

Nowadays the subject pervades all other industries. It is recognized as one of the major areas of information technology, and has the biggest growth potential and the strongest technical constraints. The European Commission has clearly stated these facts and is actively promoting it. Europe currently ranks very highly, with extensive research activ- ity and remarkable successes such as the Airbus computerized aeroplanes, automatic subways, GSM telephones and smartcards. The field boasts a number of large European cooperative groups and Networks of Excellence, including the FMICS workgroup of ERCIM, which organizes a dedicated workshop every year. It is obviously important to maintain this leader position. An essential condition is for the scientific community to gather and discuss, both internally and with industry, current problems and solutions. This precisely is one of the main roles of ERCIM, and I salute this dedicated issue of ERCIM News for its breadth and openness. Gérard Berry

ERCIM NEWS 75 October 2008 3 JointContents ERCIM Actions

2 Editorial Information SPECIAL THEME

KEYNOTE Introduction to the Special Theme 12 Safety-Critcal Software 3 Beware of the Computer: by Pedro Merino and Erwin Schoitsch the Invasion of Embedded Systems by Gérard Berry, Chief Scientist, Esterel Technologies; Invited Articles Member of the ERCIM Advisory Board; Member 14 Software Safety and Rocket Science Académie des sciences, Académie des technologies, by Gerard J. Holzmann and Academia Europaea. 15 Model-Checking of Safety-Critical Software for Avionics JOINT ERCIM ACTIONS by Darren Cofer, Michael Whalen and Steven Miller

6 Portugal Rejoins ERCIM 17 Software Reliability Assessment by Statistical by Pedro Guedes de Oliveira and João Falcão e Cunha Analysis of Operational Experience by Sven Söhnlein and Francesca Saglietti 7 Network of Excellence in 'Virtual Physiological Human' Research 18 Analysing Human Aspects of Safety-Critical Software 8 ERCIM at ICT2008 by Michael D. Harrison and José Creissac Campos

8 CoreGRID continues as ERCIM Working Group Modelling and Development 19 Model-Driven Development of Embedded Real-Time 9 Cor Baayen Award 2008 to Adam Dunkels Systems by Alexandre David and Brian Nielsen 10 SERENE - An ERCIM Working Group on Software Engineering for Resilient Systems 20 Quasimodo by Nicolas Guelfi by Brian Nielsen

10 ERCIM thanks Costantino Thanos 22 From Rigorous Requirements Engineering to Formal System Design of Safety-Critical Systems 11 FMICS 2008 - 13th International ERCIM Workshop by Christophe Ponsard, Philippe Massonet, Gautier on Formal Methods for Idustrial Critical Systems Dallons by Darren Cofer and Alessandro Fantechi 23 Modelling the Role of Software in the Propagation of Failures across National Critical Infrastructures by Chris W. Johnson

25 Model-Based Development of Distributed Embedded Real-Time Systems with the DECOS Tool-Chain by Wolfgang Herzner, Martin Schlager, György Csertan, Bernhard Huber, Thierry Le-Sergent, Erwin Schoitsch and Rupert Schlick

27 Safe Systems with Software Components in SOFA 2 by Tomáš Bureš and Petr Hnìtynka

Validation, Verification and Standardization 28 New Paradigms and Tools for High-Assurance Systems Modelling by Francesco Flammini, Nicola Mazzocca and Valeria Vittorini

30 Testing Concurrent Software with Ants by Francisco Chicano and Enrique Alba

4 ERCIM NEWS 75 October 2008 32 Verifying Dynamic Properties of Industrial Critical 51 Experimenting with Diversity in the Formal Systems Using TOPCASED/FIACRE Development of Railway Signalling Systems by Bernard Berthomieu, Hubert Garavel, Frédéric Lang Alessandro Fantechi, Stefania Gnesi and Giovanni and François Vernadat Lombardi

33 A Component-Based Approach for the Specification 52 Evaluation of Natural Language Requirements in and Verification of Safety-Critical Software: the MODCONTROL Project Application to a Platoon of Vehicles by Antonio Bucchiarone, Stefania Gnesi, Gianluca by Jeanine Souquières Trentanni and Alessandro Fantechi

35 Checking and Enforcing Safety: Runtime 53 Development of Safety Software for the Paks Verification and Runtime Reflection Nuclear Power Plant by Martin Leucker by Tamás Bartha and István Varga

36 LaQuSo: Using Formal Methods for Analysis, Education and Training Verification and Improvement of Safety-Critical 55 Catalonia boosts Education and Knowledge in Software Safety-Critical Software by Sjaak Smetsers and Marko van Eekelen 55 Requirements Engineering Lab at IPT São Paulo 38 The SHADOWS Story on Implementation, Verification and Property-Guided Autonomy for Self-Healing Systems by Marco Bakera and Tiziana Margaria R&D AND TECHNOLOGY TRANSFER

40 Test Coverage Analysis and Preservation for 56 Developing a Distributed Electronic Health-Record Requirements-Based Testing of Safety-Critical Store for India Systems by Jim Dowling and Seif Haridi by Raimund Kirner and Susanne Kandl 57 Epidemic Intelligence: Satellite-Enabled 41 A Step towards Generating Efficient Test Cases – the Applications for Health Early Warning Systems Project MOGENTES by Catherine Chronaki by Wolfgang Herzner, Rupert Schlick, Manfred Gruber 59 Novel Drug Discovery with SIMDAT Grid 43 SESAME: A Model-Driven Test Selection Process Technology for Safety-Critical Embedded Systems by Yvonne Havertz by Nicolas Guelfi and Benoît Ries 60 Mediated Collaborative Learning 44 ProSE – Promoting Standardization for Embedded by Kostas Pentikousis and Carmen Martinez-Carrillo Systems by Erwin Schoitsch and Laila Gide

Fault Tolerance and Security EVENTS 46 Bicriteria Multi-Processor Static Scheduling by Alain Girault and Hamoudi Kalla 61 Cross-Language Evaluation Forum - CLEF 2008 by Carol Peters 47 Enhancing Java ME Security Support with Resource Usage Monitoring 63 First ERCIM Workshop "Computing and Statistics" by Fabio Martinelli, Paolo Mori, Christian Schaefer, by Erricos Kontoghiorghes Thomas Walter and Fabio Massacci 64 ERCIM/W3C at "Internet of Things-Internet of the Applications Future" in Nice 49 TAS Control Platform: A Platform for Safety- Critical Railway Applications 64 Announcements by Andreas Gerstinger, Heinz Kantz and Christoph Scherrer 66 In Brief

ERCIM NEWS 75 October 2008 5 Joint ERCIM Actions

Portugal Rejoins ERCIM

by Pedro Guedes de Oliveira and João Falcão e Cunha

Portugal is back in ERCIM after more than ten years' absence. While INESC (Instituto de Engenharia de Sistemas e Computadores) was in fact a member of ERCIM back in 1991, internal problems, both financial and organizational, meant it was necessary for it to leave in 1998. It is only now with PEG – the Portuguese ERCIM Grouping – that Portugal again has a representative institution. PEG was a recent initiative to allow the country to have a wide institutional representation, thus providing a wider group of researchers and research groups with access to ERCIM.

PEG brings together IST (Engineering School of the Techni- cal University of Lisbon), FEUP (Faculty of Engineering of the University of Porto) and INESC. IST is the largest engi- neering school in Portugal, with about 8000 undergraduate and 1500 graduate students, and 700 professors. FEUP has about 5000 undergraduate and 1000 graduate students and 400 professors. These two schools are not only the biggest and oldest in Portugal, but still account for about two thirds of the engineers who graduate annually in Portugal. INESC is a private nonprofit research institute, the owners of which are IST, the University of Porto and the University of Coimbra, with a substantial share belonging to Portugal Telecom. It is located in Lisbon, Coimbra and Porto, and its researchers are mostly professors from the universities mentioned.

Both IST and FEUP have several departments in which the general field of information technology is a major discipline. In both schools, IT first became a topic of research in the Departments of Electrical Engineering. Later on, autonomous Informatics Departments were created. Never- theless, the area has many active researchers in other depart- ments such as industrial engineering and management, Sites of the PEG member institutions: From top: Faculty of Engi- mechanical engineering and mathematics. neering of the University of Porto (FEUP), Engineering School of the Technical University of Lisbon (IST), and INESC. But let us revisit history in order to clarify some aspects of the science and technology panorama in Portugal today.

In the early 90s there was a significant input of resources for Aveiro). These institutions are independent, with their own science and technology, leveraged by EC funding. Large pro- boards, strategies and areas of expertise. Their profiles are grammes directed to science (CIENCIA) and industrial devel- also different, but with one exception, they maintain a opment and innovation (PEDIP) helped some institutions to mutual link through INESC by means of a share in their 'cap- grow and others to come into existence. However, EC money ital'. The exception is Aveiro, which became totally inde- requires that there be additional national funding to support pendent. the venture, and this caused problems for some institutions. Growing is sometimes a difficult process and can cause signif- By the late 90s, there was a renewed surge in Portuguese sci- icant stress. Unfortunately this happened to INESC and since ence. Since then, science indicators have increased strongly in these situations, attention and resources tend to be focused and there is a younger, active and much larger community on the immediate and local crisis, leaving ERCIM was one of both in universities and research centres. An institutional the consequences. However, the personal links were never lost assessment process covering all R&D institutes and centres and a return to ERCIM was always intended. Several attempts was started and made public. As a result and by means of a were made and it was always possible to count on the good contract with the Ministry of science and Technology, a will and patience of ERCIM officers. small number of centres recognized as 'very good' or 'excel- lent' took on the label of 'associated labs'. This meant that Meanwhile, INESC itself evolved. From a monolithic coun- certain responsibilities and benefits accrued to them. The ini- try-wide institute, it was split into six autonomous organiza- tial number of about ten labs increased to about 25, includ- tions (three in Lisbon and one each in Porto, Coimbra and ing three of the INESC institutions: INESC Porto, INESC-

6 ERCIM NEWS 75 October 2008 ID Lisbon and INESC MN (Micro-Systems and Nanotech- tional 'Physiome Project'. In particular, the network will nologies), also in Lisbon. develop: • open markup language (XML) standards for describing It is this new INESC reality, together with IST and FEUP in data and models at spatial scales that range from proteins Porto, that shaped PEG: an agreement was reached and a Por- to human organs tuguese institution was finally able to apply to ERCIM in 2007. • application-programming interfaces (APIs) for imple- menting these VPH standards We are proud to have been accepted and are very positive • workflows that use existing middleware for facilitating about the benefits of joining such a European-wide organi- Grid-enabled VPH research zation, to which we hope we can also contribute. At a • Web-accessible repositories for data, models and work- national level, PEG is not intended to be a closed consor- flows based on the VPH standards and including annota- tium, and contacts and negotiations to join have started with tion and tutorials for non-expert biologist users other universities. • a library of open-source computational routines and graphical user interfaces (GUIs). Please contact: Pedro Guedes de Oliveira PEG represenativ on the ERCIM Board of Directors INESC Porto, Portugal E-mail: [email protected]

João Falcão e Cunha PEG representative in the ERCIM Executive Committee University of Porto, Portugal E-mail: [email protected]

Network of Excellence in 'Virtual Physiological Human' Research

ERCIM is a partner in the Virtual Physiological Human Overlay of a patient's tractography (a procedure to demonstrate the Network of Excellence (VPH NoE), which is funded by neural tracts) with anatomic magnetic resonance imaging. This the EU Seventh Framework programme and aims to allows a medical expert to better visualize and localise neuronal connect and support researchers in the VPH field. In fibres. Modelling and visualizing brain function and pathophysiolo- particular, the network will promote and facilitate gy is one of the exemplar projects proposed by the ERCIM Working research in the field of patient-specific computer Group Digital Patient. © INRIA/ASCLEIPOS. models for personalized and predictive healthcare and ICT-based tools for modelling and simulation of human physiology and disease-related processes. Exemplar Projects Several partners of the network will develop exemplar proj- The Virtual Physiological Human (VPH) has previously ects to support interdisciplinary and integrative research, been defined as "a methodological and technological frame- with the aim being to address specific research problems or work that, once established, will enable collaborative inves- challenges. The ERCIM Digital Patient Working Group, for tigation of the human body as a single complex system". As example, proposes a project on modelling and visualizing part of this initiative, the primary purpose of the network brain function and pathophysiology. Other projects are con- will be to function as a service to the community of VPH centrating on a multi-organ core model of arterial pressure researchers. Its aims range from the development of a VPH and body fluids homeostasis; integrated multi-level model- toolkit and associated infrastructural resources, through inte- ling of the musculoskeletal system; fighting aneurysmal dis- gration of models and data across the various relevant levels ease; and multiscale simulation and prediction of the drug of physiological structure and functional organization, to safety problems related with hERG (human Ether-a-go-go VPH community building and support. Related Gene).

VPH Toolkit As one of the thirteen VPH NoE core members, ERCIM is One objective of the network is to develop and promote stan- responsible for communication and information dissemina- dardized markup languages which permit interoperability of tion within and beyond the network, together with Universite models and interoperable codes, so-called 'application sup- Libre de Bruxelles. port capacities'. The standards developed will need to be suitable not only within the European VPH initiative, but In addition to the core membership a general and associate also on a global basis, eg via interaction with the interna- membership of the VPH NoE has also been created, to

ERCIM NEWS 75 October 2008 7 Joint ERCIM Actions

ensure wider engagement of the research community. The network currently counts 29 associated and general mem- bers. Associate and general membership is open to any inter- ested institution, organization or company with an interest in the work of the VPH NoE, and will be subject to a collabo- CoreGRID continues as ration agreement. A publicly accessible forum at the net- work's Web site offers the possibility to discuss VPH topics ERCIM Working Group with the network members (see link below). The CoreGRID Symposium held in Las Palmas de Gran VPH NoE is actively participating in ICT-BIO 2008, the sec- Canaria, Spain, 25-26 August 2008 marked the end of ond conference on Computer Modelling and Simulation for the ERCIM-managed CoreGRID Network of Excellence Improving Human Health, which will be held on 23-24 funded by the European Commission. Most important, it October 2008 in Brussels, Belgium. The event is organized corresponds to the re-launch of CoreGRID as the self- by the European Commission Directorates-General 'Infor- sustained ERCIM Working Group covering research mation Society and Media' and 'Research', in cooperation activities on both Grid and Service Computing while with the US National Institutes of Health. Prior to the con- maintaining the momentum of the European ference, VPH NoE is organizing a 'Concertation Meeting' collaboration on Grid research. with VPH-related projects of DG Information Society on 22 October 2008. This meeting is restricted to project represen- After four years of existence, CoreGRID has indeed carved tatives. A summary report is expected to be published by the out a place for itself in the international Grid research arena. end of November 2008. With 330 researchers from 46 European research institu- tions, it has become one of the largest research centres in Links: Grid computing, encompassing a vast range of research top- http://www.vph-noe.eu/ ics such as knowledge and data management, programming http://www.vph-noe.eu/forum models, middleware, resource management and scheduling, workflow, service infrastructures and peer-to-peer systems, Please contact: just to cite a few. It has now reached its ideal objective: to Philippe Rohou become the European Grid beacon. ERCIM Office E-mail: [email protected] CoreGRID's significant and promising research results in Grid computing are largely promoted at the occasion of the CoreGRID Symposium. This successful event, jointly organized with the Euro-Par 2008 conference gathered hun- dred key researchers and industrials in Grid research, as well ERCIM at ICT2008 as from international projects in the field. According to Thierry Priol (INRIA) in charge of CoreGRID's scientific ERCIM will be present with a booth at ICT 2008 in Lyon, co-ordination and of the symposium's organization, "The France, on 25-27 November. This event is organised by the objective of this event was to definitely demonstrate Core- EC DG Information Society and Media. Some of the Euro- GRID leadership in Grid research". pean projects managed by ERCIM or with ERCIM participa- tion will have a booth too: Vitalas, EchoGRID, GridCOMP, Having been active for four years, CoreGRID has now EuroIndia, and Digital World Forum. 'Networking Sessions' reached a highly visible position: it is recognized worldwide. will be held for InterLink, EchoGRID and EuroIndia. It is really satisfying for the CoreGRID researchers to see that their work has been influential in the development of DIGITAL The Digital World Forum EC project will new technologies and products and has contributed to the WORLD exhibit in the International Village of ICT2008. European economy's growth. It is also an enthusiastic deter- FORUM The Digital World Forum is a FP7 European mination for all CoreGRID partners to continue to work project focusing on the use of ICT to leverage economic together and address new research challenges under this new development in Africa and Latin America. Providing mini- status of ERCIM Working Group. CoreGRID is more than mal services (health, education, business, government, etc.) ever committed to involving further industrial stakeholders to rural communities and under-privileged populations is of in making determinant contributions to Europe's Next Gen- major importance to improve people lives, and to sustain eration Grid vision. development.

Links: http://ec.europa.eu/information_society/events/ict/2008/ Link: Vitalas: http://vitalas.ercim.org http://www.coregrid.eu/ EchoGRID: http://echogrid.ercim.org GridCOMP: http://gridcomp.ercim.org/ Please contact: EuroIndia: http://www.euroindia-ict.org/ Frederic Desprez Interlink: http://interlink.ics.forth.gr/ CoreGRID Working Group coordinator Digital World Forum: http://www.digitalworldforum.eu/ INRIA, France E-mail: [email protected]

8 ERCIM NEWS 75 October 2008 Cor Baayen Award 2008 to Adam Dunkels

Adam Dunkels from SICS, Sweden, is the winner of the 2008 Cor Baayen Award for a promising young researcher in computer science and applied mathematics. Sixteen finalists competed for this award established by ERCIM in 1995 to honour the first ERCIM President Cor Baayen.

Adam Dunkels, PhD, is senior researcher at the networked embedded systems group at SICS. He received his PhD degree from Mälardalen University, Sweden, in February 2007. The title of his thesis is "Programming Memory-con- strained Networked Embedded Systems".

Adam Dunkels' research is experimental computer systems research at its best. The selection committee was impressed by the combination of high-quality research results and out- standing industrial impact, showing that it is possible to have both top-tier publications and far-reaching industrial adop- tion of research results. Adam Dunkels has already received Adam Dunkels (PhD), experimental computer scientist, Networked several prestigious awards for his work. At his young age, he Embedded Systems group, Computer Systems Laboratory, SICS, is already a leading researcher in his field. winner of the 2008 Cor Baayen Award. Photo: Fredrik Olsson. Adam Dunkels has released many of his research results as open source software that has been adopted by hundreds of companies, including Cisco, BMW, NASA, Hewlett Packard, General Electric, and ABB. His software is used in possible to both produce high-quality software systems that products ranging from air planes and container security sys- are widely used in the industry, and publish high-quality tems to network routers and TV production equipment. His research results at the best venues. software is included in software development kits from lead- ing hardware manufacturers such as Xilinx, Altera, and Ana- 2008 Finalists log Devices. Since 2002, Adam Dunkels has published over According to the award rules, each institute is allowed to 40 peer-reviewed papers and one peer-reviewed, invited select up to two finalists from its country. For the 2008 Cor book chapter. Most of his papers are experimental systems Baayen Award, the ERCIM institutes nominated the follow- research papers that involve much implementation and ing sixteen finalists (listed alphabetically): experimentation. • Gianluca Antonini, Switzerland • Joost Batenburg, The Netherlands His large amount of highly influential work clearly demon- • Andreas Bruhn, Germany strates Adam Dunkels' outstanding abilities. He was early in • Augustin Chaintreau, France the field of sensor networks, when he started working alone • Sébastien Collette, Belgium in 2000 at SICS, but has in the last few years built a strong, • Adam Dunkels, Sweden active group that has attracted many young researchers. He • Pierre Genevès, France has participated, both as a researcher and as a research • Georgia Koutrika, Greece leader, in many international research projects both with aca- • Per Ola Kristensson, Sweden demia and with industry. His open source Contiki project has • Santiago Ontañon, Spain attracted several researchers and industry players from • György Ottucsák, Hungary Europe and the USA that now work within the project • Kristiaan Pelckmans, Belgium (http://www.sics.se/contiki). His first paper, for which he • Mika Raento, Finland also was the single author, was published at the prestigious • Inger Dybdahl Sørby, Norway ACM MobiSys 2003. Adam Dunkels is the only European • Stefanos Zafeiriou, Greece who has published three full papers at ACM SenSys, the • Andreas Zimmermann, Germany. most prestigious conference in the area of wireless sensor networks. The winner, Adam Dunkels, was selected by the ERCIM Executive Committee on advice from the ERCIM Advisory Adam Dunkels received the 2007 Xerox Chester Carlson Committee (current members listed at http://www.ercim.org/ science prize, the most prestigious prize for the information contacts/ac.html). sciences in Sweden, for his research and the 2008 ACM EuroSys Roger Needham award for his doctoral thesis. In More information about the Cor Baayen Award: summary, Adam Dunkels' accomplishments shows that it is http://www.ercim.org/activity/cor-baayen.html

ERCIM NEWS 75 October 2008 9 Joint ERCIM Actions

software and system research and development. As comput- SERENE - An ERCIM ers are now spreading into various new domains (including the critical ones) and the complexity of modern systems is Working Group growing, achieving dependability remains central for system developers and users. Accepting that errors always happen in on Software Engineering spite of all the efforts to eliminate faults that might cause for Resilient Systems them is in the core of dependability. SERENE considers resilient systems as open and distributed by Nicolas Guelfi systems that can dynamically adapt in a predictable way to unexpected events. Engineering such systems is a challeng- The rececntly established ERCIM Working Group on ing issue still not solved. Achieving this objective is a very Software Engineering for Resilient Systems (SERENE) is complex task since it implies reasoning explicitly and in a the result of a joint cooperation of the former ERCIM combined way, on system's functional and non-functional Working Group on Rapid Integration of Software characteristics. Engineering Techniques (RISE) and the co-chairs of the conference series "Engineering Fault Tolerant Systems SERENE advocates that resilience should be explicitly (EFTS). The SERENE Working Group will thus benefit included into traditional software engineering theories and from research experts coming from the RISE practices and should become an integral part of all steps of community on software engineering as well as from the software development. As current software engineering prac- EFTS community on fault-tolerance. tices tend to capture only normal behavior, assuming that all abnormal situations can be removed during development, new Building trustworthy systems is one of the main challenges software engineering methods and tools need to be developed faced by software developers, who have been concerned to support explicit handling of abnormal situations. Moreover, with dependability-related issues since the first day com- every phase in the software development process needs to be puter system was built and deployed. Obviously, there have enriched with phase specific resilience means. been many changes since then, including in the nature of faults and failures, the complexity of systems, the services Sub Domains of Interest: they deliver and the way society uses them. But the need to In order not to consider all the scope of software engineer- deal with various threats (such as failed components, deteri- ing, the SERENE working group focuses on: formal, semi- orating environments, component mismatches, human mis- formal modeling of resilience properties; frameworks and takes, intrusions and software bugs) is still in the core of design patterns for resilience; error handling and fault han- dling in the software life-cycle; re-engineering for resilience component-based development and resilience; software development processes for resilience; resilience through ERCIM thanks Costantino Thanos exception handling in the software life-cycle; atomic actions; fault-tolerance; dynamic resilience mechanisms; Costantino Thanos has announced his resilience prediction; resilience Metadata; reasoning and retirement from the ERCIM Executive adaptation services for improving and ensuring resilience; Committee. One of the longest serving intelligent and adaptive approaches to engineering resilient members of the Executive Committee, systems; engineering of self-healing autonomic systems; Costantino was also the prime promoter dynamic reconfiguration for resilience; run-time manage- of CNR and Italy's entry into ERCIM in ment of resilience requirements; verification and validation June 1991. Over the years, Costantino of resilient systems; CASE tools; model driven engineering; has ensured that Italy has played a very software architectures for resilience. active role in ERCIM initiatives, in par- ticular as the coordinator of a number of ERCIM Working Groups are open to any researcher in the spe- important ERCIM projects. The best cific scientific field. Scientist interested in participating in the known of these is, of course, DELOS. ERCIM WG SRENE should contact the WG coordinator. DELOS began life as an ERCIM working group in 1995, and received funding via the 4th, 5th and 6th Framework Programmes, SERENE '08 growing from an ERCIM Working Group and thematic network to The Working Group is organising its annual workshop in become a Network of Excellence with more than 60 members. cooperation with ACM SIGSOFT on 17-19 November 2008 in Newcastle upon Tyne (UK). See announcement on page 64. ERCIM is extremely grateful to Costantino for all his efforts over the years aimed at ensuring that the research activities of the Consortium Link: have a strong impact not just in Europe but globally. http://serene.uni.lu/tiki-index.php

Costantino's place on the Executive Committee will be taken by Please contact: Fausto Rabitti, Head of the Networked Multimedia Information Sys- Nicolas Guelfi tems Laboratory of ISTI-CNR. SERENE Working Group coordinator University of Luxembourg E-mail: [email protected]

10 ERCIM NEWS 75 October 2008 • Impact of the adoption of formal methods on the develop- FMICS 2008 - ment process and associated costs • Application of formal methods in standardization and 13th International industrial forums.

ERCIM Workshop The workshop included six sessions of regular contributions in the areas of model checking, testing, software verification, on Formal Methods for real-time performance, and industrial case studies. There were also three invited presentations given by Steven Miller Industrial Critical Systems of Rockwell Collins, Rance Cleaveland of Reactive Systems Inc., and Werner Damm of OFFIS, covering the application by Darren Cofer and Alessandro Fantechi of formal methods in the avionics and automotive industries.

The 13th FMICS workshop was held in L'Aquila, Italy, on In addition, a panel discussion was organized on the topic 15 and 16 September 2008, co-located with ASE 2008, the "Formal Methods in Commercial Software Development 23rd IEEE/ACM International Conference on Automated Tools." The panel included the three invited speakers, as Software Engineering conference. The aim of the FMICS well as researchers Mark Lawford and Pedro Merino. This series of workshops, yearly organized by the ERCIM session produced a lively discussion about current and fore- FMICS Working Group, is to provide a forum for seen applications of formal methods within model based researchers who are interested in the development and appli- development frameworks that include formal analysis and cation of formal methods in industry. In particular, these code generation methods for software design.

Out of the 36 contributions submitted to FMICS 2008, the Program Committee had the difficult task of selecting 14 papers for the presentation at the work- shop, as well as two short presentations which served as an introduction to the panel discussion. A post-workshop pro- ceedings volume containing revised versions of the papers presented at the workshop will be published by Springer Verlag in the Lecture Notes in Com- puter Science series.

A tradition of FMICS workshop is that the best presented paper receives an award from EASST, the European Association of Software Science and From left: Alessandro Fantechi, Marko van Eekelen and Pedro Merino. Technology. This year, the award was given to Marko van Eekelen from Rad- boud University of Nijmegen (NL) for workshops are intended to bring together scientists and prac- the paper "Reentrant Readers – A Case Study Combining titioners who are active in the area of formal methods and Model Checking with Theorem Proving," written together interested in exchanging their experiences in the industrial with Bernard van Gastel, Leonard Lensink and Sjaak Smet- usage of these methods. These workshops also strive to pro- sers. mote research and development for the improvement of for- mal methods and tools for industrial applications. The award was presented by Pedro Merino, FMICS Working Group coordinator from November 2005 to November 2008, The topics for which contributions to FMICS 2008 were and Alessandro Fantechi, one of the chairs of the 2008 work- solicited included, but were not restricted to, the following: shop and new FMICS Working Group coordinator (see photo). • Design, specification, code generation and testing based on formal methods • Verification and validation of complex, distributed, real- More information: time systems and embedded systems http://www.dsi.unifi.it/fmics08/ • Verification and validation methods that address short- http://www.inrialpes.fr/vasy/fmics comings of existing methods with respect to their industri- al applicability (eg, scalability and usability issues) Please contact: • Tools for the development of formal design descriptions Alessandro Fantechi • Case studies and experience reports on industrial applica- ERCIM FMICS Working Group chair tions of formal methods, focusing on lessons learned or Universita' degli Studi di Firenze, Italy identification of new research directions E-mail: [email protected]

ERCIM NEWS 75 October 2008 11 Introduction to the Special Theme Safety-Critcal Software

by Pedro Merino and Erwin Schoitsch trols of the INFSO Directorate), national funding organiza- tions and industry-driven technology platforms. Each day, our lives become more dependent on 'software- intensive systems' – digital information technology embed- EPoSS, another European Technology Platform launched in ded in our environment. This includes not only automotive July this year (see separate article by the author in this edition) devices and controls, railways, aircraft and aerospace, but focuses on the integration of smart systems, which is considered also the medical devices sector, 'mobile worlds' and 'e- an important emerging area. The key aspects are building sys- worlds', the 'smart' home, clothes, factories and numerous tems from components, a holistic, interdisciplinary approach to other domains. Software is the main driver for innovations in pervasive and ubiquitous computing, fast integration of a vari- all sectors, and most of the innovative features of new prod- ety of technologies, sensors, actuators, energy autonomy and ucts would not be possible without software. New processors networking (http://www.smart-systems-integration.org). and methods of processing, sensors, actuators, communica- tions and infrastructure are enablers for a truly pervasive Several national research programmes in Europe cover essen- computing environment; that is, omnipresent but almost tial aspects of this theme, for example FIT-IT in Austria invisible to the user, and as such the basis for an economic (BMVIT, Federal Ministry for Transport, Innovation and push. Software plays a critical role in this context, having an Technology), with topics such as embedded systems, system- impact in areas such as complexity, security and privacy in a on-a-chip, semantic systems and security. The programmes connected world, validation, verification and certification of focus on radical innovations in these areas. In Spain, the software-intensive systems, and maintenance of these sys- national research programme of the Ministry of Science and tems over long periods. The functional safety standards of Innovation includes methods with which to develop critical the International Electrotechnical Commission (IEC) 61508 software in the area of information technology, with subtopics group (generic and domain-specific standards) and the ISO like embedded and distributed systems. In addition, the 26262 standard on 'road vehicles – functional safety' cur- Department for Information Society gives support to the rently under development, include separate software-spe- national ETPs known as PROMETEO and NESI. cific parts (IEC 61508 part 3, ISO 26262 part 6). The dependability aspect of software-intensive systems is of Dependable software-intensive embedded systems are key if the utmost importance, and great potential has been identified Europe is to remain at the forefront of digital technology. As among ERCIM members with respect to this. Within ERCIM, such, they have been classified as an important research area two Working Groups are active in fields related to dependable, for the European Union's Seventh Framework Programme - safety-critical software, namely the ERCIM Working Group the main financial tool through which the EU supports on Dependable Embedded Software-Intensive Systems (DES- research and development activities. The European Informa- WG), and the ERCIM Working Group on Formal Methods on tion Society Technology/Future and Emerging Technologies Industrial Critical Systems (FMICS). (IST/FET) project 'Beyond the Horizon', coordinated by ERCIM, has pointed out that pervasive or ubiquitous com- This special theme fits in very well with the current European puting, (cognitive) intelligence and software-intensive sys- framework and strategic research discussions. tems together represent the most important challenge for strategic long-term research, and will have a huge impact on The first four articles were invited by the coordinators and society and the economy. The ITEA2 (Information Technol- deal with representative topics. Gerard Holzmann (who ogy for European Advancement) Roadmap has reached the received the ACM award for software systems for his work on same conclusion: that embedded systems technology is cru- the tool SPIN) and Darren Cofer (co-chair of the last FMICS cial for European competitiveness. workshop, see article on page 11), Michael Whalen and Steven Miller defend the advantages of formal methods in general ARTEMIS (Advanced Research and Technology for Embed- and model checking in particular, in the critical area of space ded Intelligence and Systems) is a strong, industry-driven and avionics. Francesca Saglietti and Sven Söhnlein tackle the European Technology Platform (ETP) that aims to establish issue of software reliability, the assessment of which normally a coherent, integrated European research and development requires high testing effort. Efficient exploitation of opera- strategy for embedded systems (http://www.artemis- tional evidence allows to overcome this situation for pre- office.org). As explained in their Strategic Research Area developed software components in component based systems. (SRA), Artemis is mainly system- and software-oriented in Michael D. Harrison and José Creissac Campos discuss the the area of embedded systems. The specific focus is on sys- human aspects to be considered when using formal methods tems with high dependability requirements, since people for modelling, an aspect often underestimated in the process of tend or are forced to rely on the services delivered by such developing safety-critical software. systems. Artemis has become one of the first joint undertak- ings, a new research organization developed for close coop- The papers in the subsections 'Modelling and Development' eration between the EC (Unit Embedded Systems and Con- and 'Validation, Verification and Standardization' represent the

12 ERCIM NEWS 75 October 2008 ERCIM Working Group on Dependable Embedded Software-Intensive Systems

The ERCIM Working Group on Depend- • intelligence (the digital environment Important subareas are hardware/software able Embedded Software-Intensive Sys- adapts to (moving) objects and people, co-design, smart new sensors/actuators, tems (DES-WG) tackles all the aspects of learns and interacts independently, thus continuous connectivity issues and limited software-driven systems that must satisfy providing useful new services) resource management. Horizontal issues high dependability requirements, ie 'criti- • natural interaction (human language, are dependability, system integration, soft- cality', with respect to reliability, availabil- gestures, speech synthesis) ware technology and critical infrastruc- ity, safety and security, and of course • personalization (user-centred, dynamic ture. involving aspects like maintainability, sur- adaptation to changing situation and vivability and resilient computing and user profiles/preferences) The method of work includes Working standardization. Important system attrib- • dependability (time dynamics, timely Group meetings, joint workshops with utes to be looked at include: responsiveness, security, safety, avail- related groups and/or co-located with rele- • context-awareness (the functions of ability etc) and resilience (the property vant conferences like SAFECOMP and identifying, localizing and interacting of a system to evolve and adapt in a Euromicro; the last of these occurred at with people and objects are not location- changing environment, ie the persistence SAFECOMP 2008 in Newcastle upon dependent) of dependability in the face of change). Tyne on September 25th, 2008. core technologies in formal methods for critical software. for both their products and training. Several European Net- They range from specification (or modelling) to automatic works and the Artemis Platform have set up separate groups testing of the final code. Some methods to write specifica- and agendas dealing with education and training, consider- tions, like the component-based approach, or to develop the ing this a crucial issue for the widespread application of whole project, like the model-driven cycle, could make fur- appropriate techniques and mass deployment. The European ther analysis easier. The specifications are then validated by Space for Higher Education should provide a response to automatic verification techniques, like model checking. this demand in the new curriculum for graduates, masters Finally, the code is checked with test cases. A more standard and PhD programmes. way of employing this technique is desirable in the context of standards for the development of embedded systems. Links: DES-WG: http://www.ercim.at The papers under the label 'Fault Tolerance and Security' are FMICS-WG: http://www.inrialpes.fr/vasy/fmics/ examples of the many specific research lines that exist in the broader area of critical software reliability. Relevant exam- Please contact: ples from application areas are given for control systems Erwin Schoitsch development in the area of railway interlocking and nuclear Austrian Research Centers, ARC (AARIT), Austria power plants. E-mail: [email protected] http://www.smart-systems.at This issue also includes two announmcements related to education and training. It is clear that the quality of the soft- Pedro Merino ware for critical systems depends on the techniques used by University of Malaga/SpaRCIM, Spain the software engineers. Many big companies have developed E-mail: [email protected] or are in the process of developing ad-hoc methods and tools http://www.lcc.uma.es/~pedro/

ERCIM Working Group on Formal Methods for Industrial Critical Systems

The ERCIM WG Formal Methods for of increasing the reliability of workshops (now consolidated with LNCS Industrial Critical Systems (FMICS-WG) systems…Nevertheless, the use of formal publication) and several special issues in is very active in the area of foundations methods in the industry is still quite lim- international journals (like Formal Meth- and applications of formal methods to ited". Fortunately our view nowadays is ods in System Design or Software Tools complex critical systems, including both different, and many industries from sec- for Technology Transfer) give a clear pic- hardware and software. The FMICS WG tors like communication, avionics, rail- ture of the potential of FMICS and of the members undertake research in languages, ways, electronics and computer software evolution that has taken place in this area. semantics, algorithms and tools that can are demanding tools based on formal The next workshop is likely to be the most help with specification, validation, verifi- methods or are even developing their own important in this series, because it is part cation, code generation and automation. environments. The first two invited papers of the Formal Methods week to be held in Twelve years ago, on the original Web in this section are clear examples of this Eindhoven in October 2009, where we page of the WG, it was stated that "formal promising industrial scenario. The quality expect to meet a number of main confer- methods have been advocated as a means of papers presented in the series of annual ences on applicable formal methods.

ERCIM NEWS 75 October 2008 13 Special Theme: Safety-Critical Software

Software Safety and Rocket Science

by Gerard J. Holzmann

The amount of software that was used for the first moon landing in 1969 was the equivalent of perhaps 7500 lines of C code. Of course at that time the language C didn't exist – the code was written in assembly and had to fit within the 36864 words of memory that the computer in the lunar lander supported. A lot has changed since then. Today, a desktop PC can have up to a million times more memory. What is fascinating, though, is that today there are hardly any applications that require fewer lines of code than that first lunar lander. Clearly, few of these applications solve problems that are more difficult than landing a spacecraft on the moon.

All this becomes even more interesting unmanned missions over the last few error. Does it really matter how many if we consider NASA's program to decades) would be in the range of 5 to lines of code are written? An industry return astronauts to the moon [1]. The 10 million lines of code. Yet it is clear rule of thumb is that one should expect design of the hardware for the new that the problem of landing on the moon to see roughly one residual defect per spacecraft is already well on its way, and has not become a thousand times harder one thousand lines of code, after all so is the development of the software. in the last forty years. reviews and tests have been completed. My best guess for the final size of the With exceptional effort the defect rates code that will support the new landings The software that controls a spacecraft can sometimes be pushed back further, (based on trend-lines for growth of soft- is a good example of a safety-critical to say one residual defect per ten thou- ware sizes for both manned and application: there is very little room for sand lines of code, but we do not know how to reliably reduce it to zero in large applications like the ones we are con- sidering here.

If we start with 7500 lines of code, it is easy to see that we can reduce the chances of software failure reasonably effectively. Still, even the first lunar missions saw some unanticipated soft- ware issues in flight [2]. If we move to 7.5 million lines of code, even under the best of circumstances we should expect to see more residual defects during a mission. Most of these defects are likely benign and can be worked around, but there is always the chance of the one killer bug that can end a mis- sion completely. We want to do every- thing we can to catch those serious defects before they catch us.

The standard approach in dealing with safety-critical systems is expressed by the acronym PDCR: prevent, detect, contain and recover. The best strategy is to prevent defects from entering the software design cycle entirely. This can be achieved by strengthening the way in which software requirements are cap- tured, checked and tracked. Formalized requirements can also be used both for test generation and for formal design verification with tools such as Spin [3]. Another form of prevention is to look at the defects that have plagued earlier space missions. Alas, this is a richer set than we would like. These software 'les- A concept image of the Ares I rocket now in develpment on the launch pad at NASA's Kennedy sons learned' can be captured in coding Space Center. The software that controls a spacecraft is a good example of a safety-critical standards, ideally with machine check- application. Image: NASA/MSFC. able rules [4]. After all, who is going to

14 ERCIM NEWS 75 October 2008 read through 7.5 million lines of code to jeopardize the correct functioning of down to that precious commodity that find all deviations from the standard? unrelated parts. This defect contain- we all possess but sometimes forget to ment strategy requires not only a well- use: common sense. Our ability to detect defects as early as vetted software architecture, but also possible depends increasingly on tool- coding discipline, eg modularity, and a based verification strategies. Logic generous use of runtime assertions and model-checking techniques [3], for software safety margins. Links: instance, can be invaluable for identify- [1] www.nasa.gov/missions/ ing subtle design errors in multi-threaded Finally, when a software defect reveals solarsystem/cev.html software systems. More basic still is the itself and is successfully contained, a [2] http://www.hq.nasa.gov/alsj/a11/ use of state-of-the-art static source code recovery strategy can help us find a a11.landing.html analysis tools [5]. The best tools can path back to a functional system. This [3] http://spinroot.com/ intercept a range of common coding can be done, for instance, by replacing [4] http://spinroot.com/p10/ defects with low false positive rates. a failing complex module with a sim- [5] http://spinroot.com/static/ pler one that was more thoroughly veri- Since it would be unwise to plan only fiable before flight. Please contact: for perfect software, the next strategy is Gerard J. Holzmann to structure the system in such a way Building reliable software systems is NASA/JPL Laboratory for Reliable that the failure of one part does not not really rocket science. It often boils Software, Caltech, USA

Model-Checking of Safety-Critical Software for Avionics by Darren Cofer, Michael Whalen and Steven Miller

The adoption of model-based development tools is changing the cost-benefit equation for the industrial use of formal methods. The integration of formal methods such as model checking into software development environments makes it possible to fight increasing cost and complexity with automation and rigour.

By any measure, the size and the com- The widespread use of model-based decade ago can now be analyzed in a plexity of the safety-critical software development (MBD) tools is eliminat- matter of seconds. deployed in commercial and military ing the first three barriers. MBD refers aircraft are rising exponentially. Cur- to the use of domain-specific (usually Model checking is a category of formal rent verification methods will not be graphical) modelling languages that can methods that is particularly well suited able to cope effectively with the soft- be executed in simulation before the to integration in MBD environments. A ware being developed for next-genera- actual system is built. The use of such model checker will consider every pos- tion aircraft. New verification modelling languages allows engineers sible combination of system input and processes are being developed that aug- to create a model of the system, execute state, and determine whether or not a ment testing with analysis techniques it on their desktop, and automatically specified set of properties is true. If a such as formal methods. These generate code and test cases. Further- property is not true, the model checker processes will help ensure that the more, tools are now being developed to will produce a counterexample showing advanced functionality needed in mod- translate these design models into how the property can be falsified. ern aircraft can be delivered at a rea- analysis models that can be verified by Model checkers are highly automated, sonable cost and with the required level formal methods tools, with the results requiring little to no user interaction, of safety. translated back into the original model- and provide the verification equivalent ling notation. This process leverages the of exhaustive testing of the model (see In the past, formal methods have not original modeling effort and allows Figure 1). been widely used in industry due to a engineers to work in familiar notations number of barriers: for their domain. Automated Translation Framework In collaboration with the University of • the cost of building separate analysis The fourth barrier is being removed Minnesota under NASA's Aviation models through dramatic improvements in Safety Program, Rockwell Collins has • the difficulty of keeping these models analysis algorithms and the steady developed a translation framework that consistent with the software design increase in computing power readily bridges the gap between some of the • the use of unfamiliar notations for available to engineers due to Moore's most popular industrial MBD lan- modeling and analysis Law. The combined forces of faster guages and several model checkers. • the inadequacy of tools for industrial- algorithms and cheap hardware mean These translators work primarily with sized problems. that systems that were out of reach a the Lustre formal specification lan-

ERCIM NEWS 75 October 2008 15 Special Theme: Safety-Critical Software

guage, developed by the synchronous process while the design was still known as SMT model checkers appears language research group at Verimag. changing. By the end of the project, the promising. Models developed in Simulink, State- product engineers were using the analy- Flow or SCADE are transformed into sis tools to check properties after every Several commercial MBD environ- Lustre, and then successively refined design change. We were able to find ments have begun to incorporate model and optimized through a series of con- and correct 98 errors in the early design checkers. This should make formal figurable translation steps. Each step models, thus improving the quality of analysis more widely accessible to soft- produces a new Lustre model that is the generated code and reducing the ware engineers. However, it is not yet syntactically closer to the target model downstream testing costs. clear whether the same power and flex- checker specification language and pre- ibility can be provided in off-the-shelf serves the semantics of the original In the Certification Technologies for development environments as is avail- model. This customized translation Flight Critical Systems (CerTA FCS) able in custom approaches. approach allows us to select the model project funded by the US Air Force, we checker whose capabilities are best have analyzed several software compo- The impact that the use of formal veri- suited to the model being analyzed, and nents of an adaptive flight control sys- fication technology will have on soft- to generate an analysis model that has tem for an unmanned aircraft. One sys- ware aspects of aircraft certification is a been optimized to maximize the per- tem we analyzed was the redundancy major issue. The international commit- formance of the selected model manager which implements a triplex tee (SC-205/WG-71) responsible for checker. voting scheme for fault-tolerant sensor the next generation of certification inputs. We performed a head-to-head guidance (DO-178C) is addressing this Our translation framework is currently comparison of verification technologies question. able to target eight different formal with two separate teams, one using test- analysis tools. Most of our work has ing and one using model checking. In

TestingTesting examines only only a ModelModel checking checking exhaustively exhaustively a limited number number of of examinesexamines all reachablereachable specificspecific test cases cases statesstates of of thethe systemsystem

Figure 1: Model checkers.

focused on the 'NuSMV' model checker evaluating the same set of system developed jointly by ITC-IRST (Center requirements, the model-checking team for Scientific and Technological discovered twelve errors while the test- Research, Trento, Italy) and Carnegie ing team discovered none. Furthermore, Melon and the Prover model checker the model-checking evaluation required developed by Prover Technologies. one-third less time.

Success Stories Next steps Links: One of the largest and most successful Current research is focused on further Rockwell Collins formal methods: applications of our tools was on the expanding the range of models where http://shemesh.larc.nasa.gov/fm/fm- ADGS-2100, a Rockwell Collins prod- model checking can be effectively collins-intro.html uct that provides the cockpit displays applied. Our framework can deal with and display management logic for large integers and fixed-point data types, but Please contact: commercial aircraft. The software new analysis methods are needed to Darren Cofer requirements were captured as 593 handle larger data types, floating point Rockwell Collins properties to be checked. Verification numbers and nonlinear functions. Work Advanced Technology Center was performed early in the design on the class of analysis algorithms E-mail: [email protected]

16 ERCIM NEWS 75 October 2008 Software Reliability Assessment by Statistical Analysis of Operational Experience by Sven Söhnlein and Francesca Saglietti

Statistical testing represents a well-founded approach to the estimation of software reliability. Its major drawback - namely the prohibitive testing effort it usually requires - can be overcome by efficient exploitation of operational evidence gained with pre-developed software components and by the loss- free combination of component-specific reliability estimates.

The application of software systems in for software components of restricted - if required, extension of operational safety-critical environments requires functionality). experience in order to validate a pre- that prescribed reliability targets are scribed reliability target. demonstrated using extremely rigorous Under these conditions, statistical sam- verification and validation procedures. pling theory allows the following con- The economics of this approach are par- For such systems, statistical testing servative reliability estimate to be ticularly appealing in the case of pre- offers an adequately well-founded derived at confidence level β: developed components for which a cer- approach. While the effort required to tain amount of operational data may apply this technique at a system level already have been collected in the con- may lead to prohibitively extensive test- text of past applications. Once interpreted ing phases, this can be largely mitigated For example, 46 052 successfully in the light of their future operational pro- by the exploitation of past testing and/or processed runs fulfilling all five condi- file, the statistical analysis of such opera- operational experience gained with indi- tions would allow the reliability state- tional data yields (as illustrated above) a vidual components or functionalities. ment p ≤ 10-4 to be validated at a confi- conservative reliability estimate for each dence level of 99%. reusable functionality considered. The potential usefulness of assessing the operational evidence gained with soft- For the purpose of applying this theory For component-based systems consist- ware-based applications is arousing the to operational data gained with software ing of a number of such pre-developed interest of developers in different indus- components, the latter must be functionalities, the assessor is still faced trial domains, especially concerning recorded, analysed and appropriately with the problem of combining several application variants based on pre-devel- filtered. A practicable procedure for component-specific reliability inequali- oped components. Among them, the extracting relevant operational informa- ties into one overall conservative sys- automotive industry plays a major role; tion is currently applied within an tem reliability estimate of high signifi- a study is being conducted on software industrial research project using a soft- cance. State-of-the-art combination reliability assessments tailored to its ware-based automatic gear control sys- approaches based on mere superimposi- particular needs, and making use of the tem. This is structured as follows: tion of inequalities provoke a substan- considerations presented in this article. tial reduction in confidence. 1. Delimitation of scope Statistical sampling theory allows - for - identification of software functionali- Ongoing work aims to improve this sit- any given confidence level ß and suffi- ty to be used to assess reliability uation by providing sharp reliability ciently large amount n of correct opera- - modelling of operational runs includ- estimates. This was recently achieved tional runs (say n > 100) - an upper ing only input parameters relevant to for the special case of parallel compo- bound of the failure probability p to be the functionality considered. nent-based architectures (see link derived, assuming the following testing below). Thanks to the accurate estima- pre-conditions are fulfilled: 2. Analysis of operational experience tion, the newly developed technique • The selection of a test case does not - identification of memory-less suites, ie allows a substantial reduction in the influence the selection of further test sequences of runs whose behaviour amount of operational experience cases. does not depend on history required to demonstrate a prescribed • The execution of a test case does not - determination of frequency of func- reliability target. influence the outcome of further test tional demands during operation cases. - extraction of an operationally repre- Link: • Test cases are selected in accordance sentative subset of independent oper- http://www11.informatik.uni-erlan- with the expected frequency of occur- ational data. gen.de/Forschung/Projekte/CORE/eng rence during operation. _index.html • No failure occurs during the execution 3. Assessment of operational evidence of any of the test cases selected (a more - validation of extracted operational Please contact: general sampling theory allows for a evidence with respect to identifica- Sven Söhnlein, Francesca Saglietti low number of failure observations). tion of incorrect runs University of Erlangen-Nuremberg, • Failure probability can be expected to - assessment of software reliability by Germany be approximately invariant over the statistical sampling theory (as illus- E-mail: {soehnlein, saglietti} input space (may be taken as realistic trated above) @informatik.uni-erlangen.de

ERCIM NEWS 75 October 2008 17 Special Theme: Safety-Critical Software

Analysing Human Aspects of Safety-Critical Software

by Michael D. Harrison and José Creissac Campos

In focusing on human system interactions, the challenge for software engineers is to build systems that allow users to carry out activities and achieve objectives effectively and safely. A well-designed system should also provide a better experience of use, reducing stress and frustration. Many methods aim to help designers to produce systems that have these characteristics. Our research is concerned with the use of formal techniques to help construct such interactive systems.

We have a number of goals in treating tant characteristic here is that users are the case of Promela we explore alterna- our subject formally. The first is to make seen not as exogenous entities but tive designs in which the displays in both the identification and solution of rather as part of the system. each space can show one or a number of usability problems clearly traceable and directions (where the directions are systematic. We wish to use models of Two recent examples of analyses relate tagged with appropriate destinations). interactive behaviour that make usabil- to these two levels. At the device level We have also explored different ity assumptions precise and to use tools we have used the IVY tool (see link assumptions about the capacities of the that enable a systematic and thorough below) to analyse the user interfaces of different rooms and properties related exploration of how these usability a car air-conditioning system and a to the ease with which visitors can assumptions are captured in the system. flight management system, and we are reach their destinations. As well as An important issue in this respect is currently working to build a substantial exploring the information that flows to whether the models capture the relevant repository of useful specifications. The the individual, we are concerned with properties of the system without biasing control panels of the devices are speci- exploring the impact of a potential the analysis inappropriately. We want to fied in Modal Action Logic (MAL). design on collective behaviours using avoid focusing on problems that do not stochastic models. connect well with the actual use of the Standard usability properties of the system. This is an ongoing topic of device are analysed systematically by Traditional usability analysis methods research and one that involves engage- creating instances of standard tem- based on testing and expert reviewing ment with human/computer interaction plates. An important feature of this are challenged by the increasing com- specialists. We have been researching analysis is to provide representations of plexity of new systems being built. This the applicability of model checking to counter-examples that would enable a is particularly true in the case of safety- reasoning about interaction design. This human factors specialist to use the critical systems. We believe formal has included the development of a set of information as a basis for constructing approaches provide answers by deliver- standard property templates that can be and analysing scenarios in which the ing rigorous and repeatable analysis in used systematically to analyse these sys- desirable properties failed. This has an automated manner. Tools are needed tems. Different models can be used to enabled us to explore interactions that streamline the modelling and characterize different features of the between the different modes of the sys- analysis process. At the moment we are system. An important concern is to tem and to explore potential inconsis- moving towards researching support for determine how these analyses can be tencies in the design. Examples of the interpretation of the analysis results performed in a complementary way. design issues detected include the sys- by developers. tem reaching unsafe states due to user Two modelling perspectives are impor- interface mode problems, or inconsis- tant to the approach we take. The first is tencies in the behaviour of user inter- the interactive device. The device could face controls. Link: be a control panel, a desktop computer, IVY tool: a mobile phone or a table-top interface. At the interactive system level we have http://www.di.uminho.pt/ivy The important characteristic from the explored smart environments. For perspective of the analysis is that the example, we have developed models user can be thought of as being in a using Promela, UPPAAL and PEPA to Please contact: dyadic relationship with it. The second explore the characteristics of a building Michael D. Harrison is the interactive system. Here the focus containing situated displays, designed Newcastle University, UK of analysis is the whole system. While to guide people unfamiliar with the E-mail: [email protected] this might be an interactive system environment to their destinations. Prop- http://www.cs.ncl.ac.uk/people/ where the main players are the device erties of the information that flows to michael.harrison and the user, we may also be concerned mobile users are explored as users with several users immersed within a change their context in such smart envi- José Creissac Campos smart environment involving sensors, ronments. Here formal models have Universidade do Minho, Braga, public devices and small handheld been designed to help engineers to visu- Portugal devices that move around as the user alize usability issues in relation to the E-mail: [email protected] moves from place to place. The impor- consequences of different designs. In http://www.di.uminho.pt/~jfc

18 ERCIM NEWS 75 October 2008 Model-Driven Development of Embedded Real-Time Systems by Alexandre David and Brian Nielsen

Model-driven development (MDD) has an enormous potential for improving verification, testing and synthesis of embedded systems. Our UPPAAL tool-suite for MDD of embedded real-time systems has recently been extended with components for automatic test generation and code synthesis. Presentation and demonstration at a European industrial conference on Systematic Testing spawned a lot of interest in these new techniques.

Our research centre was recently invited although these sectors vary in their tech- for errors, even towards zero-defects. to participate in an industrial gathering nical intricacies and level of safety and This is also true of sectors beyond con- on 'Systematic Testing' of embedded sys- reliability requirements, many common ventional safety-critical software. It is tems in Berlin, together with approxi- challenges exist. These include the ever- no longer accepted that systems will 'by mately eighty industrial participants increasing size and complexity of soft- nature' contain a certain number of from various sectors all over Europe ware, demands for reduced time to mar- errors and that the purpose of testing is ranging from the automotive industry, ket, and rapid changes in technology. At to eliminate the worst of them. Quality avionics, control systems and consumer the same time we observed a change in systems are not allowed to misbehave, electronics. It was observed that attitude reflecting a decreased tolerance and certainly not in any way that users would notice. In combination, these Figure 1: UPPAAL developments make conventional qual- tool suite. ity assurance and testing techniques ineffective and too expensive.

MDD is a promising approach that will contribute significantly to solving these challenges by enabling early model analysis (via simulation and model checking, for example) and design space exploration. Furthermore, model- based testing allows the test engineer to focus on the intellectual challenge of specifying and modelling the behaviour of interest at a high level of abstraction, rather than on manual test-case design, laborious scripting and manual test exe- cution. Using model-based testing, a test generation tool generates an appro- priate set of test cases and lets a test automatically execute these.

In the academic world, UPPAAL is a well-known and widely used model- checking tool for real-time systems. It Figure 2: UPPAAL-TRON component for online testing of real-time systems. is jointly developed by Aalborg Univer- sity, Denmark, and Uppsala University, Sweden. The behaviour of timed sys- tems is graphically modelled using the timed automata formalism extended with various modelling features such as concurrency and C-like functions and data structures, to make it practically expressive and user-friendly. UPPAAL contains a graphical editor and anima- tor/simulator, and an efficient model- checker. The latter performs an exhaus- tive symbolic analysis of the model and provides either a proof that the model satisfies a property, or a counter-exam- Figure 3: UPPAAL-TIGA component for controller synthesis based on timed games. ple consisting of a trace of actions and

ERCIM NEWS 75 October 2008 19 Special Theme: Safety-Critical Software

delays exemplifying how the property tion extends the efficient algorithms that computes such strategies on the fly, is violated. It has been applied success- and data structures of the model- ie while exploring states. The tool, in fully to numerous industrial cases. checker engine to enable real-time test- combination with Matlab-Simulink, has ing of many real-time systems. TRON been successfully used to generate exe- UPPAAL was recently extended with is connected to the system under test via cutable code of a climate controller for components for test generation and con- an adaptor component (defined by the pig stables. Recently it was also applied troller synthesis. This is an important user), translating physical I/O or sig- to generate an optimal controller for a step towards the vision of being an inte- nalling to the abstract events of the hydraulic pump. grated tool suite for MDD of embedded model. TRON has for example been systems, where the entire development applied to test an embedded refrigera- However, despite the relative maturity lifecycle – from specification to run- tion controller for industrial cooling of these techniques more work is ning code – is driven by successive plants. needed to integrate with industrial tool- refinements and iterations. chains like Matlab-Simulink or UML- UPPAAL-TIGA is an extension of based tools, to further scale the tech- UPPAAL can now handle both online UPPAAL used to solve two-player niques and to deal with other quantita- and offline test generation. Specifically, timed games. Its main application is for tive constraints beyond real time. UPPAAL-TRON is an online tool for controller synthesis. In a timed game black-box conformance testing of real- automata model, actions are partitioned time systems. In an online tool, test as being either controllable or uncon- events are generated and executed trollable. The idea is to have a con- Link: simultaneously in real time, on the troller playing with controllable actions http://www.uppaal.com/ physical implementation being tested. and an environment playing with A further verdict on the observed inter- uncontrollable actions. The model- Please contact: action sequences may also be made checker tries to compute a so-called Brian Nielsen online. TRON has well-defined formal winning strategy that tells the controller Centre of Embedded Software Sys- semantic and correctness criteria defin- which actions to take (and when) to tems, CISS ing how a correct implementation ensure that a property holds, no matter Aalborg University, Denmark should behave compared to the mod- what the environment does. The tool Tel: +45 9940 8883 elled behaviour. The tool implementa- implements a state-of-the-art algorithm E-mail: [email protected]

Quasimodo

by Brian Nielsen

Existing Model-Driven Development (MDD) tools and methods for real-time embedded systems are rather poor at handling the relevant quantitative constraints. Quasimodo (Quantitative System Properties in Model-Driven Design of Embedded Systems) is a new EU FP7 project whose main goal is to extend current MDD techniques and tools for modelling, verification, testing and code generation with the ability to satisfy these quantitative constraints.

A key characteristic of embedded sys- quantitative properties is drastically of models, abstraction and composi- tems is that they must meet a multitude improved. tionality principles that relate design of quantitative constraints. These models and help to control the size and involve the resources that a system may To focus on aspects central to embed- complexity of the models, exploitation use (computation resources, power con- ded systems such as performance, time- of approximate analysis techniques for sumption, memory usage, communica- liness and efficient usage of resources, partial analysis of very complex models tion bandwidth, costs etc), assumptions the models must provide quantitative and, orthogonally, optimal utilization of about the environment in which it oper- information on timing, cost, data, sto- the given computing platform on which ates (arrival rates, hybrid behaviour), chastics and hybrid phenomena. A chal- the algorithms are implemented. and requirements on the services that the lenge is to develop notations that are system must provide (timing con- expressive, have precise formal seman- In the implementation step, executable straints, quality of service, availability, tics, and that can be analysed efficiently code running on given physical devices fault tolerance etc). Existing MDD tools by automated tools. Quasimodo mostly must be provided. While the theoretical for real-time embedded systems are works with probabilistic, priced, timed framework of the quantitative models quite sophisticated in their handling of game automata and looks at how to link assumes infinitely fast hardware, infi- functional requirements, but their treat- these to industrial tool chains. nitely precise clocks, unbounded mem- ment of quantitative constraints is still ory and so on, real CPUs are subject to very limited. Hence MDD will not real- The analysis methods developed in hard limitations in terms of frequency ize its full potential in the embedded Quasimodo include data structures for and memory size. Being able to guaran- systems area unless the ability to handle symbolic exploration of the behaviour tee that properties established by a

20 ERCIM NEWS 75 October 2008 Figure 1: Accumulator blad- der for a hydraulic pump (left), its electronic controller (top right), and part of the model of the control algo- rithm of accumulator control system (bottom right).

given model are also valid in its imple- The controller must maintain the gas both the control software and its envi- mentation is therefore a major chal- pressure in the bladder within a safe ronment, to ensure that only feasible lenge. pressure range, and should be robust and realistic tests are generated. More- against fluctuations in the energy con- over, to facilitate automatic execution, Current industrial testing is often man- sumption of the machine. The goal is test adaptation software will need to be ual and without effective automation, then to find an optimal controller that developed to allow successful transla- and consequently is rather error prone minimizes the (long-term) energy con- tion between abstract-model events and and costly: it is estimated that 30-70% sumption. Our approach consists of concrete messages to be sent/received of the total development cost is related modelling the accumulator system as from the system under test. to testing. Model-based testing is a timed game automata in our game-solv- novel approach to testing with signifi- ing tool Uppaal Tiga, and using this to Partners in the project are Aalborg Uni- cant potential to improve both cost and automatically synthesize the optimal versity, Denmark (coordinator); efficiency. We intend to extend the controller. We have produced a con- Embedded Systems Institute, the model-based testing technology to the troller that has a 40% gain compared to Netherlands; RWTH Aachen Univer- setting of quantitative models, allowing classical controllers. sity, Germany; Universität des Saarlan- generation, selection, execution and des, Germany; Université Libre de provision of coverage measures to be A second case concerns the modelling Bruxelles, Belgium; ENS- made. Another challenge, similar to and analysis of medium-level access Cachan/CNRS, France; Terma A/S, implementation synthesis, is to develop protocols for a specific type of sensor Denmark; Hydac GmbH, Germany; and a sound and theoretically well-founded network. The interesting properties of Chess Beheer B.V, the Netherlands. The framework and tools for testing quanti- the network will be modelled as proba- total budget is €2 696 000 and the proj- tative systems when these quantities (eg bilistic (timed) automata and linearly ect, which started in January 2008, will timing) cannot be observed and con- priced timed automata, and our model have a duration of 36 months. trolled accurately. checking techniques and tools will be used to determine important system In order to demonstrate the usefulness properties like collision-freeness, trans- of our techniques, we will apply them to mission rate and energy consumption. Link: several complex industrial case studies http://www.quasimodo.aau.dk and provide a collection of unique tool Quasimodo will also model, analyse components to be used as plug-ins in and test the application software for the Please contact: industrial tools or tool chains like Mat- Attitude Control Computer for the Her- Brian Nielsen lab/Simulink. shel/Planck satellites. In particular we Centre of Embedded Software Sys- will evaluate the techniques for model- tems, CISS One case study concerns a controller for based online real-time testing. This Aalborg University, Denmark an oil accumulator system for a work will include producing timed Tel: +45 9940 8883 hydraulic pump. automata models of central aspects of E-mail: [email protected]

ERCIM NEWS 75 October 2008 21 Special Theme: Safety-Critical Software

From Rigorous Requirements Engineering to Formal System Design of Safety-Critical Systems

by Christophe Ponsard, Philippe Massonet, Gautier Dallons

The majority of systems that control our daily lives rely on software. Often this software is embedded in the device and remains invisible to users. While the consequences of a failure may be minor, such as failing to deliver part of the requested service, they may also be dramatic, possibly causing human injury or even fatalities (eg car crashes or train collisions). In recent years, CETIC (Centre d'Excellence en Technologies de l'Information et de la Communication) has devoted significant effort to the development of industrial methods and tools that target safety-critical software, with a specific focus on the early phase of system development.

At this level, the consequences of design flaws are the most dramatic and costly to correct. Large studies like Chaos (Standish Group) have also shown that these flaws remain the principal reason for project failure. To improve this, the following topics, illustrated in Figure 1 using the V reference model, are being investigated from a model-driven engi- neering perspective.

At the start of the life cycle, rigorous engi- neering of requirements aims to provide Figure 1: Scope in the V-model. adequate methods and tools to capture, formalize and perform early verification and validation of critical requirements. system (including its safety properties) • validation of requirements, based on Immediately following this, a strong con- and the characteristics of its environ- an animator able to generate state- nection with industrial development ment of operation. CETIC has adopted based animation that can be displayed methodologies is required. Good candi- KAOS, a major goal-oriented method- in graphical representations from the dates are Event-B/B (a generic proof-ori- ology, which combines two description domain ented formal language) and AADL levels: an informal/graphical level for • verification of the requirements, (architecture description language). At optimal communication and a formal including completeness and consis- the other end of the life cycle, the certifi- layer enabling powerful reasoning tency criteria, based on model-check- cation process should support adequate about the requirements. A toolset called ing technology providing explanatory techniques for a high level of assurance. FAUST (Formal Analysis Using Speci- counter-examples fication Tools), which extends the semi- • acceptance test generation, based on Rigorous Requirements Engineering formal Objectiver tool, was developed the coverage of the system properties, The aim of requirements engineering is to support the formal level. It provides especially those most critical. to capture the intended behaviour of a the following main tools:

Figure 2: Requirements (KAOS) to AADL mapping.

22 ERCIM NEWS 75 October 2008 Providing Connections tion. Bridging the gap between Higher assurance levels require a more with Industrial Development requirements and Event-B models has formal demonstration of correctness. Ensuring full traceability is critical in been identified as a major topic. Formal models, which support the rig- order that changes can be tracked and orous development of the system, can their impact assessed. It is therefore Second, the ITEA2 SPICES (on Sup- also directly support the certification necessary to connect requirements port for Predictable Integration of mis- process. This means not only that the models with more refined models at sion Critical Embedded Systems) proj- effort required for certification is not system and specification levels. While ect is domain-specific: it targets embed- increased for such systems, but that the this connection can be loose, using sim- ded systems and relies on a formal perception of the certification process is ple traceability techniques, richer mod- architectural description language also improved, since it is seen as being els enable a more elaborate and auto- called AADL. Verifications are oriented better integrated with the system prod- mated connection, or even the deriva- towards real-time properties and ucts and not as additional work. Our tion of some design artefacts from the resources management. The connection current work mainly targets the aero- requirements level, hence reducing the with requirements models is currently nautics domain. effort required to produce and maintain developed both for the structural and them. This is currently being investi- dynamic parts of AADL, as shown in gated in two projects with quite differ- Figure 2. Again, Eclipse-based tools are ent approaches. available (TOPCASED). Links: First, the FP7 DEPLOY (industrial Supporting Certification KAOS: http://www.info.ucl.ac.be/~avl/ deployment of system engineering at High Assurances Levels ReqEng.html methods providing high dependability Systematic certification is required for FAUST: http://faust.cetic.be and productivity) project aims at the safety-critical systems. A generic stan- SPICES: http://www.spices-itea.org industrial deployment of the Event-B dard such as IEC-61508 defines safety DEPLOY: method, a system-level variant of the integrity levels and guidelines. These http://www.deploy-project.eu B method. This method is quite generic guidelines are refined in more RODIN/Event-B: generic and is being applied in sectors sector-specific standards such as space http://www.event-b.org/ such as automotive, train, space and (ECSS - European Cooperation on TELECOM: even e-business. Like B, it is mainly Space Standardization), aeronautics http://www.skywin-telecom.be proof-based. It is supported by the (DO-178B) or railways (CENELEC RODIN (Rigorous Open Development 50126/8/9 - European Committee for Please contact: Environment for Complex Systems) Electrotechnical Standardization ). Christophe Ponsard proof environment which is Eclipse- Most of these also define a number of CETIC, Belgium based and includes plug-ins for assurance levels in direct connection Tel: +32 71 490 743 model-checking (ProB) and anima- with risk (probability and impact). E-mail: [email protected]

Modelling the Role of Software in the Propagation of Failures across National Critical Infrastructures by Chris W. Johnson

In recent years, terrorist attacks, system failures and natural disasters have revealed the problems that many countries face in preparing for national civil contingencies. The diversity of critical infrastructures and the interconnections between different systems make it difficult for planners to anticipate everything. For example, the loss of power distribution networks can disrupt rail and road transportation systems. Knock-on effects can also be felt across telecommunications infrastructures as the uninterruptible power supplies (UPS) that protect mobile phone base stations fail over time. In addition, domestic water supplies are affected when pumping and treatment centres lose power.

It is difficult to underestimate the safety nutritional solutions, and the loss of complete their treatment for that night. implications of these interdependencies. power disrupted their treatment. Differ- The blackout lasted several days across For example, Pironi, Spinucci and ent devices responded in different ways, many areas of Italy. This created further Paganelli describe how the Italian black- with some generating alarms and others problems, as stores of parenteral solu- out of 2003 affected patients who relied reverting to battery power. Patients also tion needed to be kept frozen. Other on home parenteral nutrition systems. responded in different ways, as they patients were placed at risk when the These individuals used electronic became worried about whether or not loss of power began to affect water pumps for the overnight infusion of their systems had sufficient power to treatment centres; for instance, it

ERCIM NEWS 75 October 2008 23 Special Theme: Safety-Critical Software

became difficult to guarantee that there time, Hurricane Katrina and the UK cal Information System (GIS) that was no microbiological or toxic con- floods of 2007 have illustrated that it exploits Bayesian techniques to gener- tamination in the water supplies for may be inappropriate to place high lev- ate failure scenarios across national dialysis patients. els of confidence in bespoke networks. critical infrastructures. This approach provides an alternative to the detailed One area of increasing concern is the Forensic techniques can help to identify causal modelling of infrastructure inter- dependencies that are created by the use patterns of failure across digital com- dependencies that are created by the of digital communications systems to munications systems. For example, a increasing integration of digital com- connect key areas of our national criti- number of studies have been conducted munications networks to support every- cal infrastructure. For example, the sep- into the impact of the 2003 US-Canada thing from food distribution to the mon- aration of responsibility for maintaining blackout on Internet traffic. Abnormal itoring of large-volume gas transmis- electricity distribution systems and for Border Gateway Protocol (BGP) events sion. Expert judgement can be used to generating or marketing power has cre- indicate that 3175 networks lost con- assess the dependent probability of a ated a situation where software systems nectivity. Most of these were in the system failing given that problems have are increasingly used to monitor and New York City area. However, we are a been observed in another infrastructure. respond to changing demands across long way from being able to conduct Where possible these estimates can the network. Infrastructure operators more predictive forms of analysis at a steadily be refined, with more accurate

Figure 1: Infrastructure Dependencies GIS (ID-GIS).

rely on digital communications systems regional level. In particular, there are no probability distributions based on par- to balance the complex interactions agreed means of modelling the effects tial causal models or from data obtained between supply and demand, as market of any future power system failures on during previous contingencies. Further pressures encourage large-scale power national computational infrastructures. information about these techniques can transfers between low-cost generators This, in turn, makes it impossible to be obtained from the author and on the and remote end-users. Failures in the anticipate the secondary impact of the Web site indicated below. digital communications systems can loss of Internet connectivity on the propagate to the distribution networks increasing numbers of critical systems and vice versa. Many commercial and that rely upon these networks for the government agencies have recognized exchange of operational information. these vulnerabilities and have Link: responded, for example, by placing reli- It will take many years before we can http://www.dcs.gla.ac.uk/~johnson ability requirements on the networks predict the knock-on effects that would and software that support critical infra- arise if we were to lose significant sec- Please contact: structures. However, there is strong tions of our digital communications and Chris W. Johnson commercial pressure for more systems power distribution networks. Figure 1 University of Glasgow, UK to use the public Internet. At the same illustrates the interface to a Geographi- E-mail: [email protected]

24 ERCIM NEWS 75 October 2008 Model-Based Development of Distributed Embedded Real-Time Systems with the DECOS Tool-Chain by Wolfgang Herzner, Martin Schlager, György Csertan, Bernhard Huber, Thierry Le-Sergent, Erwin Schoitsch and Rupert Schlick

The increasing complexity of distributed embedded systems, as found today in cars, aeroplanes and trains, is becoming a critical cost factor in their development. In the European 'Integrated Project' DECOS (Dependable Embedded Components and Systems), an integrated, model-driven tool-chain has been developed to accompany the system development process from design to deployment.

The development of embedded systems that they do not dis¬turb each other, and distributed – and replicated for reasons still follows a customized design faults must not propagate. of hardware fault-tolerance. approach, resulting in rather isolated applications, the reinvention of system DECOS is based on a settled theory, the DECOS Tool-Chain design concepts, and little reuse of code time-triggered paradigm. It assumes the For effective use and application, DECOS across application domains. For exam- existence of a core architecture provid- established a (prototype) tool-chain, ple, in modern cars each new function ing the following core services: which encompasses all phases from implies a new subsystem. While the • deterministic and timely message model to deployment. It consists of two federated approach supports fault transport vertical 'lanes' (Figure 2). On the left, the encapsulation, it implies increases in • fault-tolerant clock synchronization integrated system configuration is deter- hardware cost, weight and power con- • strong fault isolation mined and middleware generated, while sumption, and severely hampers the • consistent diagnosis of failing nodes. on the right, the application functionality sharing of resources such as sensors. is developed. A third lane not shown here Any core architecture providing these contains the 'generic test bench'. The European project DECOS has services (eg TTP/C, FlexRay or Time- developed basic domain-independent Triggered Ethernet) can form the basis The DECOS tool-chain is completely technology for moving from federated for DECOS systems. On top of these model-based, ie it allows for any gener- to integrated distributed architectures. core services, DECOS provides a mid- ated code to be finally deployed auto- This will reduce the cost of develop- dleware of high-level services: matically from corresponding models. ment, validation and maintenance, and • virtual networks (VN) and gateways The specification starts with the plat- will increase dependability. An inte- • encapsulated execution environment form-independent models (PIMs) of the grated architecture is characterized by (EEE) application subsystems; defining their the inte¬gration of multiple application • fault tolerance layer requirements with respect to perform- subsystems (so-called DASs, a DAS • diagnostics. ance, dependability and communication may consist of severeal jobs, replicated among the application tasks. or not, distributed over a cluster of The DECOS system architecture is nodes, forming a single distributed com- depicted in Figure 1. A job represents To ease the tedious task of capturing puter system). When integrating (criti- the smallest executable software frag- complex application PIMs, the project cal) subsystems, it must be guaranteed ment of a subsystem that can sensibly be has developed PIM-DSE (domain-spe-

Figure 1: Example of a DECOS cluster with four nodes and three DASs (ABC, PQ, UVWXY); A, B and Q have two replicas each, P has three. G denotes a virtual gateway between the red and grey DAS.

ERCIM NEWS 75 October 2008 25 Special Theme: Safety-Critical Software

Figure 2: DECOS tool-chain. The elements address specification (grey), design (yellow), implementation (green) and installation (blue).

cific editor), which also exploits pre- The configuration data (eg for schedul- node. The makefile generator tool also defined PIM-patterns, and a visualiza- ing and fault tolerance) is generated by takes care of (re)generating the code tion tool using GEF (Graphical Editing an adapted tool suite (TTplan, TTbuild) from the models, thus ensuring they are Framework) of Eclipse. from TTTech (a DECOS partner devel- up to date. oping time-triggered systems). This The purpose of the CRD (cluster handles resource restrictions and EEE A rather wide variety of tools comprise resource description) is to capture char- partitioning. the DECOS tool-chain from model to acteristics of the platform for the soft- deployment. A transformation tool VIA- ware-hardware integration. A graphical, SCADE, a certified tool (IEC 61508, TRA (VIsual Automated model TRAns- domain-specific modelling environment DO178B) from Esterel Technologies, is formations) from the Budapest Univer- using the Generic Modelling Environ- used for behaviour modelling. SCADE sity of Technology and Economics is ment (GME) eases CRD creation. is based on a formally defined data flow used as the backbone for model transfor- notation. The PIMs are imported via the mations (PIM to PSM), PIL generation The generation of the PSM (platform- SCADE UML gateway, yielding empty and domain-specific editors. specific model) encompasses a number job skeletons with correct interfaces. of steps including PIM marking (ie Simulink models are imported to The tool chain was successfully vali- adding information such as the resource SCADE via another gateway. SCADE is dated by three application demonstra- requirements of jobs), feasibility used for code generation; to link job tors from the automotive, aerospace and checks, and the allocation process for codes with PIL, 'SCADE-wrappers' are industrial control domains. jobs of different criticality to the generated. (shared) hardware platform, subject to constraints of fault tolerance and real Finally, in the deployment phase, all Links: time. A PSM generation wizard supports parts (application code, either generated http://www.smart-systems.at PSM generation. from SCADE or written manually, gen- http://www.decos.at erated middleware and configuration http://portal.bme.hu In the following steps, the middleware is data) are put together into executables generated. The platform interface layer for the target platform. For the primary Please contact: (PIL) generated from the PSM repre- DECOS platform (encapsulated execu- Erwin Schoitsch sents the technology-neutral interface of tion environment on TriCore TC1796), Austrian Research Centers/AARIT the middleware to the application soft- this is a single file per node that is Tel: +43 50550 4117 ware. loaded into the flash memory of the E-mail: [email protected]

26 ERCIM NEWS 75 October 2008 Safe Systems with Software Components in SOFA 2 by Tomáš Bureš and Petr Hnětynka

Embedded devices like mobile phones, PDAs, set-top boxes and vehicular systems are now an inherent part of daily human life. However, software for these devices must meet additional requirements compared to desktop and server computers. We present the SOFA 2 component system, which is suitable for building safe and configurable applications.

As embedded devices become ubiqui- safety verification (a necessity for soft- Among other capabilities, it provides tous, the efficient and error-free devel- ware in, for example, vehicles). This hierarchical component composition, opment of the necessary software is requirement is reflected in the need for software connectors, dynamic architec- becoming increasingly important. While a formal specification of system behav- tures and formal specifications of a given device will operate in a very iour, verifications of the specification behaviour. similar environment to others of its kind and so forth. SOFA 2 fully satisfies both of the (eg mobile phones, consumer electron- above-mentioned requirements (model- ics or vehicular systems), it may differ A relatively recent approach to coping ling of variability and the use of formal in specific details. Typically, there exists with complexity, variability and safety methods to ensure safety). The former a common core for a family of devices, in embedded systems is the use of com- is satisfied by distinguishing three sep- and a set of optional extensions whose ponent-based development (CBD), arate steps in system development: def- presence depends on the available hard- which employs well-defined compo- inition of components, their assembly ware (eg the presence of Bluetooth in nents as reusable basic building blocks. into a final system, and system deploy- mobile phones, air-conditioning in cars It also carefully captures the dependen- ment. The latter requirement is satisfied etc) or other requirements. One cies and interactions between compo- by inherent usage of formal specifica- approach to this situation is 'software nents, which helps to mitigate the com- tions and verification of component product lines', which allows the specifi- plexity. behaviour. cation of not just one system, but the whole family of systems. However it SOFA 2 (SOFtware Appliances ver- Development of a system in SOFA 2 is places strong requirements on the soft- sion 2) is one representative of existing quite straightforward and is performed ware development platform for support advanced approaches to component chiefly by composing existing compo- for the configuration of application vari- use. It was designed and developed by nents available in the SOFA 2 reposi- ants. the Distributed Systems Research tory. The development process starts Group at Charles University in Prague. with the definition of the architecture of Also commonly required of embedded It features a modern component model a system. Using development tools, a software is support for functional and and a software development platform. developer can browse the repository

Figure 1: An example of a development process. 1. (left): a composite component implementing software for a database client, a set of basic com- ponents implementing different user interfaces, database access, etc. 2. (top right): specific assemblies for particular devices. 3. deployment of assembled software.

ERCIM NEWS 75 October 2008 27 Special Theme: Safety-Critical Software

content and compose existing compo- distribution is completely transparent to system were viewed as a monolithic nents, or build new ones. The individual developers. This is achieved thanks to block, due principally to the exponen- components are defined by a 'compo- automatically generated software con- tial complexity of the verification algo- nent type' and 'component implementa- nectors that, based on final deployment, rithms. tion' (which implements a particular provide either local or remote calls component type). The implementation between components. SOFA 2 is implemented in Java and is is either direct (in a programming lan- freely available (together with the guage) or composed from other compo- For verification of component behav- source code) from its Web page, which nents. These 'sub-components' are iour, SOFA 2 employs 'software behav- is part of the OW2 international consor- themselves defined by component iour protocols'. These are simple tium (formerly ObjectWeb). The down- types. process algebra, which defines the loadable packages contain the runtime externally observable behaviour of a environment for executing components, This separation is crucial for the sup- component type, and are used to verify a repository for storing components, port of product line development. several properties. First, for the com- and development tools for creating Developers can develop a set of basic posite components, they are used to components and verifying behaviour. (direct) components that provide build- determine whether the sub-components Also available are ready-to-run exam- ing blocks of systems. For each compo- of a composite component are com- ples, documentation and publications nent type, there can be several different posed correctly and together imple- describing in detail the principles of implementations that meet specific ment the required behaviour. For the SOFA 2 and its implementation. requirements. In the assembly part of basic components, one can verify that the development process, the compo- the required protocol is correctly Link: nent types in a composite component implemented. In addition, the protocols SOFA 2: http://sofa.ow2.org are 'refined' by chosen component can be used during development for Distributed Systems Research Group: implementations. This assembly testing whether the actual observed http://dsrg.mff.cuni.cz process starts with the top-level compo- behaviour of a component complies nent (that represents a complete system) with the protocol. Please contact: and recursively continues down to the Tomáš Bureš basic components. When the system is The decomposition of a system to its Charles University Prague/CRCIM, fully assembled, it can be deployed in a components makes it possible to per- Czech Republic target environment. SOFA 2 inherently form verification of relatively large sys- Tel: +420 221914236 supports distributed systems, and the tems. This would be unfeasible if the E-mail: [email protected]

New Paradigms and Tools for High-Assurance Systems Modelling

by Francesco Flammini, Nicola Mazzocca and Valeria Vittorini

Modern critical computer systems are rapidly growing in complexity. As a consequence, novel frameworks are needed to support multi-paradigm modelling for the dependability evaluation of such systems. OsMoSys (Object-based multi-formalism modelling of systems) is one of the latest projects in this category, whose originality consists in supporting certain aspects of object orientation and in the model analysis.

Safety-critical computer systems are a fundamental aspect of critical systems or informal verification purposes becoming increasingly large, distributed engineering. Model-based approaches (though a formal specification of UML and heterogeneous. This is one of the are needed both to demonstrate safety- for real-time systems exists and several reasons why industry best practice for related properties (eg by model-check- techniques have been proposed for a high-integrity systems rarely follows the ing or theorem-proving) and to evaluate comprehensive dependability analysis correctness-by-design paradigm. When quantitative attributes (eg mean time to of UML views). this happens, the approach involves just failure, hazard rate) of the system. small subsystems, which need to be In order to master the increasing com- integrated to constitute the final system. Recently, new approaches are being plexity of modern control systems, It is well known that dependability investigated for the software engineer- modular and compositional approaches attributes correspond to properties of the ing of critical systems. One of these fol- have been researched by the scientific whole system, meaning a system-level lows the paradigm introduced by the community that allow engineers to analysis is needed to demonstrate com- Unified Modelling Language (MDE, adopt the modelling formalism most pliance with the required targets. In sys- Model-Driven Engineering). In prac- appropriate to the aspect of the system tem development or verification stages, tice, however, this is mostly used 'as a to be modelled (both hardware and soft- model-based dependability prediction is sketch', that is to say for documentation ware). All the components are then inte-

28 ERCIM NEWS 75 October 2008 grated into a single cohesive model of position). The art of manipulating mod- can hide from the modeller the com- the whole system in order to evaluate els has only recently been extensively plexity of the solving process, issues system-level dependability attributes. studied, and is sometimes given the related to efficiency must be taken into name of model engineering (not to be account in model evaluation and model An attempt has been made to include confused with MDE). Model engineer- checking when dealing with large and these aspects in the theoretical frame- ing also involves multi-level modelling stiff models. work of multi-paradigm modelling, – modelling at different abstraction lev- which includes: els – and multi-layer modelling – the There are two main (non-contrasting) • Meta-Modelling, which is the process hierarchical modelling of different ways of tackling efficiency issues. One is of modelling formalisms. aspects of the same system, possibly related to methodological aspects • Model Abstraction, concerned with including non-technological ones such (divide-et-impera/iterative approaches, the relationship between models at as man-machine interaction. model abstraction, model transformation, different levels of abstraction. model folding, flow-equivalent sub-mod- • Multi-Formalism modelling, con- An example scheme for the multi-para- els etc), while the other is related to tech- cerned with the coupling of and trans- digm modelling of a complex railway nological means (eg distributed multi- formation between models described control system is illustrated in Figure 1. solution on GRID systems). in different formalisms. Each subsystem (on-board, lineside and trackside) has been divided into three All the aforementioned needs have been The objective of the aforementioned layers, and all the sub-models are inter- taken into account in the definition of techniques is to obtain a trade-off connected by means of intra/inter-layer the OsMoSys Modelling Methodology between ease of use, expressive power and intra/inter-subsystem composition (OMM), which is implemented by the and solving efficiency. The explicit use operators. OsMoSys Multi-solution Framework of more formalisms requires that het- (OMF). OsMoSys supports meta-mod- erogeneous models be interconnected While multi-paradigm approaches elling, some aspects of object-orienta- by means of proper operators, which allow engineers to govern modelling tion (ie inheritance and polymorphism) can provide a mechanism for the inter- complexity, this is not the only com- and is built on a workflow-based change of results (connection) or the plexity that needs to be reduced. Even orchestration of (possibly existing) sharing of state, actions or events (com- though multi-formalism frameworks solvers and external applications in

Figure 1: A scheme for the multi-paradigm modelling of a complex railway control system

ERCIM NEWS 75 October 2008 29 Special Theme: Safety-Critical Software

order to achieve the multi-solution way systems supplier). It has been process. The OMF features a graphical applied to the dependability (particu- user interface with which to draw mod- larly maintainability, performability and els and retrieve results. Both formalisms safety) modelling of several critical and models are expressed in the OMF computer-based systems, especially in Links: using the eXtended Markup Language the railway domain. The OMM is also OsMoSys project page in Seclab (XML). The OMF supports both explicit suited to the modelling of complex bio- research group Web site: and implicit multi-formalism: in the lat- logical systems and critical infrastruc- http://www.seclab.unina.it/ ter, a single formalism (eg repairable ture security. fault tree) is shown to the modeller, but International Journal of Critical Com- more formal languages (eg generalized The development of the OMF is a work puter-Based Systems: stochastic Petri nets, Bayesian net- in progress, with additional modules http://www.inderscience.com/ijccbs works) are used for model solution. becoming necessary to wrap solvers for new formalisms and to support new OsMoSys is the result of a multi-year multi-solution paradigms. Future work Please contact: inter-university research project, which will be aimed at the inclusion of addi- Francesco Flammini has involved researchers from the Uni- tional composition operators into the ANSALDO STS Italy and University versities of Naples and Turin, together framework and in the application of the of Naples Federico II, Italy with engineers of Ansaldo STS (a rail- OMM to new real-world case studies. E-mail: [email protected]

Testing Concurrent Software with Ants

by Francisco Chicano and Enrique Alba

Mimicking the behaviour of ants in nature can lead to the identification of subtle errors in concurrent software systems and thereby boost the efficiency of model checking.

Testing, verification and validation Memory poses a challenge to formal In short, the core of our approach is to methods are especially important in methods if we want them to be able to simulate the ants' behaviour in a graph: safety-critical software, such as airplane answer the first question, but the mem- the state graph of the software system. controllers, nuclear power plant control ory requirement can be relaxed if we The objective of the artificial ants is to systems, and medical tools software. focus on the second question, that is, if find error states in the graph by employ- Much effort has been devoted to devel- we focus on the search for error traces ing the same mechanisms used by real oping and improving such methods. The in the software. In effect, if the soft- ants to find food in a real environment main goal of all this research is to obtain ware system contains an error, a (see Figure 1). These mechanisms a practical software tool that is able to guided search can discover the error include indirect information exchange automatically answer the following without having to explore the entire through chemicals (pheromone trail) questions: (1) does my software system state space of the system. This and external guidance (heuristic infor- fulfil the specification?, and (2) if not, approach is especially useful in the ini- mation). This heuristic information is why not? tial and middle stages of software automatically computed from the prop- development and after any mainte- erty being checked (eg from the tempo- One method that automatically nance modification, in which the ral logic formula). Artificial ants tra- approaches both questions is model answer to the first question is most verse the state graph, jumping from one checking. This well-known and fully probably "no". state to another using arcs that represent automatic formal procedure analyses all transitions in the software system. In possible program states (explicitly or In this context we recently started a each jump, ants must select one of sev- implicitly) in order to prove whether or new research line in our research eral successor states using the not a given concurrent system satisfies a group at the University of Málaga pheromone trail (deposited by previous property like, for example, the absence (Spain), using Ant Colony Optimiza- ants) and the heuristic information asso- of deadlocks, the absence of starvation, tion (ACO) algorithms to search for ciated with them. In making this selec- matching an invariant etc. The main error traces in concurrent software sys- tion, ants prefer the states that suggest drawback of model checking is the so- tems. ACO algorithms are inspired by paths most likely to lead to an error called state explosion. The memory the foraging behaviour of real ants. state. When a state is found that violates required for the verification usually These algorithms are a subclass of the software specification, an error is grows exponentially with the size of the metaheuristic algorithms, a well- reported along with its corresponding system being verified. This fact limits known set of techniques for finding error trace (ant path). the size of the systems that model near-optimal solutions to NP-hard checkers can actually verify, making the optimization problems using a reason- The idea described in the previous procedure impractical in large (real) able amount of computational paragraph has proven to be very effec- software systems. resources. tive in practice. The results show that

30 ERCIM NEWS 75 October 2008 State space of the concurrent system

Pheromone trail

Detail of the state space Heuristic information

One and traversing the state space

z = 5 a = ‘g’ b = 4.57 ··· Global vbles.

Process 1 Process 2 Process

p = 2 k = 3 c = ‘d’ x = 3 v = 7 f = -3.5 ··· ··· ··· Local vbles. Local vbles. Local vbles. ··· ··· ··· z = p + x; ← PC if (k < 0) ← PC switch (c) ··· ··· ··· Code Code Code

Detail of one state

Figure 1: Artificial ants traverse the state space of the concurrent system with the goal this approach requires a minimal ACO rather than traditional methods, of finding a state that violates a given proper- amount of memory (tens of megabytes especially when the goal is to look for ty (double line circles). They jump from one at most), even in large software sys- violations of the specification in actual state to another taking into account the tems. In fact, in software systems for software. amount of pheromone deposited by previous which other algorithms traditionally ants (yellow bar) and the heuristic informa- used in the model checking community Encouraged by the results obtained so tion (green bar). (eg Nested Depth First Search) fail due far, we have identified several lines to to memory constraints to find any error follow in the near future. First, we are traces, this method succeeds. And yet studying how to integrate our proposal low memory use is not the only advan- with software tools for automatic test- Link: tage of ACO algorithms. As happens ing and verification (already com- http://neo.lcc.uma.es with real ants in nature, ACO algo- pleted for SPIN and Java PathFinder). rithms exhibit the property of finding This could save a great deal of testing Please contact: short paths to the target. This means time in software companies. Second, Francisco Chicano short error traces, which are very useful we are investigating the application of University of Málaga, Spain during the software development other algorithms inspired by nature, Tel: +34 95213 2815 phases, since shorter error traces can be like Particle Swarm Optimization or E-mail: [email protected] more easily understood by the pro- Simulated Annealing. And last but not grammers. Significant advantages in least, we would like to use ACO algo- Enrique Alba memory utilization and error trace rithms to answer the first question: University of Málaga, Spain length reduction can be derived from does the software system fulfil the Tel: +34 95213 2803 the use of advanced algorithms like specification? E-mail: [email protected]

ERCIM NEWS 75 October 2008 31 Special Theme: Safety-Critical Software

Verifying Dynamic Properties of Industrial Critical Systems Using TOPCASED/FIACRE

by Bernard Berthomieu, Hubert Garavel, Frédéric Lang and François Vernadat

The TOPCASED project (Toolkit in Open source for Critical Applications and SystEm Development) of Aerospace Valley ('Pôle de compétitivité' in aerospace activities) has developed an extensible toolbox that provides graphical environments for mission-critical systems engineering. Within this project, the FIACRE intermediate format allows the connection of several graphical models to verification tools such as CADP and TINA, as well as the factoring of expensive developments.

Mission-critical systems, such as CASED involves 36 partners from both is a great challenge for companies. embedded systems, aeronautic systems, research (CNES, ENSEEIHT, ENSI- Such requirements include dynamic computer architectures or systems on ETA, ESEO, INRIA, IRIT, LAAS- properties such as absence of dead- chip, are becoming increasingly com- CNRS, ONERA, etc) and industry locks, safety properties (guaranteeing plex. To tackle this complexity, systems (AdaCore, AnyWare Technologies, that unexpected events will not happen are often designed as components that ATOS Origin, Communication & Sys- in the system) and liveness properties

The TOPCASED software tools target Aerospace systems. Photos: Airbus (left), ESA (right).

execute concurrently and communicate tems, Continental, EADS-Astrium, (guaranteeing that expected events will with one another. Models of these com- Rockwell & Collins, SodiFrance, eventually happen in the system). ponents can be drawn using graphical Sogeti-HiTech, Sopra Group, Thales Model checking tools have been devel- environments and then transformed into Avionics, TurboMeca, TNI-Software, oped for this. Since model-checking executable code. etc). TOPCASED has used a meta- tools are expensive, it would be unreal- modelling approach to develop an open istic to develop a dedicated tool for Components can be modelled using var- source environment based on Eclipse. each language supported by TOP- ious graphical languages: these can be Release 2.0.0 of the TOPCASED envi- CASED. For this reason, we found it either generic, such as UML, or specific ronment (18 July 2008) provides graph- necessary to develop a common inter- to an application domain, such as DSLs ical tools for several languages, includ- mediate format into which all languages (Domain Specific Languages). Since ing UML, SysML, SAM and AADL. Its converge using transformations. developing dedicated tools for each lan- editors are already in use for several guage would be too expensive, it is industrial projects. The software com- This intermediate format, named desirable wherever possible to employ ponents developed in TOPCASED are FIACRE ('Format Intermédiaire pour tool developments that can be reused for integrated with the French national plat- les Architectures de Composants Répar- several languages. This is the goal of form OPENEMBEDD. tis Embarqués'), was developed within meta-modelling. several projects including TOPCASED As malfunctions in critical systems may and OPENEMBEDD. FIACRE is based TOPCASED is a project of Aerospace have severe human or economic conse- upon the NTIF format ('New Technol- Valley ('Pôle de compétitivité' in aero- quences, guaranteeing behavioural ogy Intermediate Form') developed at space activities). Led by Airbus, TOP- requirements and real-time constraints INRIA, and the COTRE language

32 ERCIM NEWS 75 October 2008 ('Composants Temps Réel') developed and Communication & Systems, and a Thus, the TOPCASED and OPENEM- within the COTRE RNTL project. transformation from Signal/Polychrony BEDD projects are building on the has been developed at INRIA Rennes . efforts of two communities, model- It consists of an extension of usual state driven software engineering and com- machines with a rich notion of transi- FIACRE is also connected to model puter-aided verification, to provide tions borrowed from NTIF, which checkers using two transformation tools. industry with development tools that allows large pieces of sequential code to First, FLAC (Fiacre to LOTOS Adapta- integrate the recent results of these be embedded in each transition, result- tion Component) translates FIACRE communities. ing in compact models and an easy map- programs into LOTOS (an ISO standard ping from real languages and large for concurrent systems specifications), applications. On top of these machines, which can be later checked using CADP, a layer of components inspired by a verification toolbox used by the hard- Links: COTRE allows these communicating ware industry to verify high-perform- http://www.inrialpes.fr/vasy/cadp state machines to be hierarchically com- ance processors and architectures. Sec- http://www.laas.fr/tina posed and real-time constraints to be ond, FRAC (FiacRe to tinA Compiler) http://www.topcased.org specified. Rich behaviours can be translates FIACRE programs into the http://openembedd.inria.fr expressed in a compositional way. input language of the TINA toolbox (Time Petri Net Analyser, Please contact: Several teams are developing transfor- http://www.laas.fr/tina), which may be Frédéric Lang mations from graphical languages into used to check dynamic properties includ- INRIA Grenoble Rhône-Alpes, France FIACRE: transformations from AADL ing real-time constraints on a family of Tel: +33 4 76 61 55 11 and SDL have been specified by IRIT models extending Time Petri nets. E-mail: [email protected]

A Component-Based Approach for the Specification and Verification of Safety-Critical Software: Application to a Platoon of Vehicles by Jeanine Souquières

The platoon of vehicles is a mixture of distributed and embedded systems. The former are usually hard to understand and debug as they can exhibit obscure behaviours. The latter must satisfy safety/security/confidence requirements, both when standing alone and when composed together. To address these problems, we propose a component-based development approach using the CSP||B framework of well-established formal methods: B for the development of provably correct software, and CSP for Communicating Sequential Processes.

We report our experience on the specifi- nately, existing safety standards and machine and its generalization to a col- cation development and verification of a guidelines are inadequate for assessing lection of controlled machines. real case study in the land transportation the safety and reliability of such new domain. It takes place in the context of transportation systems, but in order to Case Study the industrial CRISTAL ('Cellule de be approved and put into services, these A platoon is a set of autonomous vehi- Recherche Industrielle en Systèmes de vehicles do need to be certified. cles that must move in convoy - ie fol- Transports Automatisés légers') and lowing the path of the leader - through ANR (French National Research With the development of this industrial an intangible hooking mechanism. We Agency) projects, which concern the case study, we address the importance consider each vehicle, named a Cristal, development of a new type of self-serv- of formal methods and their utility for to be one agent in a multi-agent system. ice urban vehicle for the cities of tomor- highly practical applications. Our con- The Cristal driving system perceives row. The study is based on fleets of small tribution mainly concerns methodologi- information about its environment electric vehicles specially designed for cal aspects for applying a component- before passing acceleration instructions restricted access zones: historic city cen- based development approach using to its engine. In this context, the pla- tres, airports, train stations or university known results and tool supports: the tooning problem is seen as a situated campuses. These vehicles must be user- model checker FDR2 and the B4Free multi-agent system that evolves follow- friendly and widely available, with fea- proof tool. We show how to use the ing the well-known Influence/Reaction tures such as access control by smart CSP||B framework to compositionally model in which agents are described card, simple manual control through a validate the specifications and prove the separately from the environment. The joystick, door-to-door services, auto- properties of component-based sys- driving control includes both longitudi- matic parking and recharging and a mul- tems, with a precise verification process nal control (maintaining an ideal dis- timedia information terminal. Unfortu- to ensure the consistency of a controlled tance between each vehicle) and lateral

ERCIM NEWS 75 October 2008 33 Special Theme: Safety-Critical Software

Figure 1: Driving control.

control (each vehicle should follow the Lessons Learned raises the question of what impact the track of its predecessor), as shown in In the proposed approach, B models expression of more complex emerging Figure 1. Both controls can be studied describe the agents' behaviour and are properties does have on the model. independently. seen as the smallest abstract compo- nents representing various parts of a Further model development requires The description of the case study Cristal vehicle. On the other hand, CSP other refinement relations to be checked. involves detailing two architectural lev- is used to put these components It also includes evolution, in order to els. We first consider a single Cristal together, to describe higher-level com- study what happens when a Cristal joins composed of two parts, the vehicle and pounds such as a vehicle or a whole con- or leaves the platoon and which commu- the driving system controlling the vehi- voy and to make them communicate. nication protocols must be obeyed for cle. Each part is itself built upon a B this to be achieved safely. We plan to machine controlled by an associated This work highlights the main draw- take into account perturbations such as CSP process. Once we identify the cor- back of the CSP||B approach. At the pedestrians or other vehicles. rect model for a single Cristal, we focus interface between the two models, aug- on the specification of a platoon as pre- mented B machines corresponding to With the evolution of the model, we sented in Figure 2. We want the various CSP controllers are not automatically illustrate a novel use of CSP||B theoret- Cristals to avoid 'going stale' when they generated, and to perform this task ical results. Indeed, theorems about move in a platoon; that is, we do not manually requires a high level of refinement or equivalences of CSP||B want communications in the convoy to expertise. In our opinion, the user components are usually used to ease deadlock. This might happen, for exam- should be able to conduct all the verifi- verification by allowing one to re- ple, because a Cristal is waiting for cation steps automatically; this could be express a CSP controller into a simpler information from its leader. In order to a direction for future work. one. We used these results to show how collect detailed information about the to insert new behaviours by splitting up vehicle engine and its location, reflect- Taking the case study further, we are cur- a controller/model compound without ing the separation of concerns within rently studying new properties such as breaking previously verified properties. the platoon component, we allow the non-collision, non-unhooking and non- Cristal model to evolve. This evolution oscillation: which of these are express- Links: introduces new components and is ible with CSP||B, and which are tractable http://tacos.loria.fr achieved by adapters that connect these and verifiable? This particular perspec- http://www.projet-cristal.net new components within the initial tive is related to similar work by the architecture. authors of CSP||B dealing with another Please contact: kind of multi-agent system. So far our use Jeanine Souquières of CSP||B for the platooning model has led LORIA, Nancy-Université, France us to similar conclusions. This nonetheless E-mail: [email protected]

Figure 2: Specification of a platoon.

34 ERCIM NEWS 75 October 2008 Checking and Enforcing Safety: Runtime Verification and Runtime Reflection by Martin Leucker

Ultimately, a safety-critical software system should meet its safety requirements if it is continuously monitored, and corrected when safety violations are detected. We present Runtime Verification and Runtime Reflection as promising techniques that respectively monitor and steer safety-critical systems so that they always meet their safety requirements.

While success has been had with pro- checking, often some variant of linear might be different reasons why a moni- gram analysis techniques that identify temporal logic is employed. In practice tored client does not follow a certain possible flaws in a program, and auto- however, one might use more readable protocol, such as that it uses an old ver- matic verification techniques like model languages such as SALT (Structured sion of the protocol. If this is identified checking, there is always the risk that an Assertion Language for Temporal as the failure, a reconfiguration may a priori verified program behaves Logic), which can automatically be switch the server to work with the old slightly differently - and faultily - at run- translated to lower-level logics. version of the protocol. time. This may simply be the result of compiler bugs, or it may be due to mis- Besides checking safety properties Within runtime reflection, the FDIR matches between the expected and actual directly using the monitors generated scheme is instantiated using runtime behaviour of the execution environment, from them, runtime verification can verification, diagnosis, and mitigation. say with respect to timing issues or also be used with partially verified sys- The logical architecture of an applica- memory behaviour. Moreover, the tems. Such partial correctness proofs tion following the runtime reflection emerging scheme of 'software as serv- ices', in which applications are estab- lished by composing software services Figure 1: Logical provided by different parties at runtime, architecture of an and likewise highly adaptive systems, application following the render the analysis of such systems prior runtime reflection. to execution next to impossible.

Runtime verification is a lightweight ver- ification technique that complements tra- ditional techniques such as model check- ing and testing. It checks whether the cur- rent execution of a system under scrutiny satisfies or violates a given correctness property. One of the main distinguishing features of runtime verification is that – as the name suggests – it is performed at often depend on assumptions made pattern is shown in Figure 1, in which runtime. This opens up the possibility not about the behaviour of the environment. we see that the monitoring layer is pre- only to detect incorrect behaviour of a These can be easily checked using run- ceded by a logging layer. The role of software system but to react whenever time verification techniques. the logging layer is to observe system misbehaviour is encountered. This is events and to provide them in a suitable addressed within runtime reflection. Runtime verification itself deals (only) format for the monitoring layer. The with detecting whether correctness logging layer can be realized either by Checking whether an execution meets a properties are violated (or satisfied). adding code annotations within the sys- correctness property is typically per- Thus, if a violation is observed, it typi- tem to be built, or as separated stand- formed using a monitor. In its simplest cally does not influence or change the alone loggers, logging for example net- form, a monitor decides whether the program's execution, say by trying to work traffic. current execution satisfies a given cor- repair the observed violation. rectness property by outputting either The monitoring layer takes care of fault yes/true or no/false. More detailed Runtime reflection (RR) is an architec- detection and consists of a number of assessments, like the probability with ture pattern for the development of monitors that observe the stream of sys- which a given correctness property is safety-critical and reliable systems. It tem events provided by the logging satisfied, can also be given. follows the well-known FDIR scheme, layer. Its task is to detect the presence of which stands for Failure Detection, faults in the system without actually In runtime verification, monitors are Identification and Recovery. The gen- affecting its behaviour. In runtime typically generated automatically from eral idea of FDIR is that detecting a reflection, it is assumed to be imple- some high-level specification. As run- fault in a system does not typically mented using runtime verification tech- time verification has its roots in model identify the failure: for example, there niques. If a violation of a correctness

ERCIM NEWS 75 October 2008 35 Special Theme: Safety-Critical Software

Figure 2: Example of the logical architecture of a reflective system.

property is detected in some part of the nostic layer is not directly communicat- In cooperation with NASA JPL, runtime system, the generated monitors will ing with the application. It can easily be verification and runtime reflection respond with an alarm signal for subse- implemented in a generic manner based techniques are currently being enhanced quent diagnosis. on SAT solving techniques. An example and tailored for application in the of the logical architecture of a reflective embedded systems world, as found for Following FDIR, we separate the detec- system in shown in Figure 2. example in the automotive sector. tion of faults from the identification of failures. The diagnosis layer collects the The results of the system's diagnosis are Links: verdicts of the distributed monitors and then used to recover the system and if http://www.runtime-verification.org deduces an explanation for the current possible mitigate the failure. However, http://runtime.in.tum.de system state. For this purpose, the diag- depending on the diagnosis and the par- nosis layer may infer a (minimal) set of ticular failure, it may not always be pos- Please contact: system components, which must be sible to re-establish a particular system Martin Leucker assumed to be faulty in order to explain behaviour. In some situations, such as Technical University Munich, the currently observed system state. The the occurrence of fatal errors, a recovery Germany procedure is based solely upon the system may only be able to store Tel: +49 89 289 17376 results of the monitors and general infor- detailed diagnosis information for E-mail: mation on the system. Thus, the diag- offline treatment. [email protected]

LaQuSo: Using Formal Methods for Analysis, Verification and Improvement of Safety-Critical Software

by Sjaak Smetsers and Marko van Eekelen

Due to its great complexity, it is inevitable that modern software will suffer from the presence of numerous errors. These software bugs are frequent sources of security vulnerabilities, and in safety-critical systems, they are not simply expensive annoyances: they can endanger lives. The growing demand for high availability and reliability of computer systems has led to a formal verification of such systems.

There are two principal approaches to that the advantages of both methods are code refactoring. However, the latter formal verification: model checking fully exploited. Additionally, we replaces existing code with the same and theorem proving. enhance existing or develop new tech- functionality. It does not fix bugs; rather niques to support the various transla- it improves the understandability of the Goal tions of conversions that are needed in code by changing its internal structure. The goal of this project is to develop a this process. methodology for improving the quality Approach of software by combining model The proposed methodology resembles The proposed methodology consists of checking with theorem proving such what in software engineering is called the following steps:

36 ERCIM NEWS 75 October 2008 • the software system is analysed to abstraction occurs at the level of the these invariants is that they are usual- identify and localize 'suspicious' parts model itself. Using succinct data ly very subtle and therefore very dif- • a formal model of these parts is cre- structures and symbolic algorithms, ficult to specify. One may easily ated state information can be compressed, overlook a detail, thus making the • the model is verified by the model thus helping to keep state explosion invariant invalid. Instead of immedi- checker and, if necessary, improved under control. ately checking invariants in the theo- until it is approved by the checker rem prover itself, we propose using • for full reliability the model is con- • Conversion. At present, no tool exists the model checker to quickly trace verted into a PVS specification. PVS to convert a model into a PVS speci- and repair flaws before we start prov- (Prototype Verification System) is a fication. This is future work. ing the invariants. This step requires a proof tool providing a theorem speci- translation of PVS properties to fication language and support for • Code generation. From the PVS equivalent statements in the language developing correctness proofs. This specification, code will be generated of the model checker. As far we tool is used to construct a full formal that can replace the original (possibly know, this has not been done before. proof of the system faulty) code. Most theorem provers • from this PVS specification new code (Isabelle, Coq, PVS) are already Applications is derived that replaces the original equipped with code generators, We apply our methodology in the context (possibly erroneous) code. In this way which have in common that they pro- of the Laboratory for Quality Software one obtains highly reliable code, since duce functional code. We are current- (LaQuSo), which is a joint activity it corresponds directly to a fully ly developing a generator capable of between the Technical University Eind- proven formal model. generating code for imperative lan- hoven and the Radboud University guages like Java. An interesting Nijmegen. Within LaQuSo, successful These steps are illustrated in Figure 1. aspect is the extension of Java code case studies have been performed for We will briefly discuss each of them. with proof information leading to so- safety-critical software components. In called proof-carrying code. the near future we expect to apply our • Identification. Most of the time, the approach to cases such as control soft- software system will be too large to be The figure has two feedback steps: ware for the Dutch 'Maeslantkering' handled completely. Instead one must water barrier and to programmable first identify the safety-critical or • Counterexample. If the attempt to hardware to replace traditional compo- erroneous parts. The process of deter- check the abstract model fails, there nents in nuclear plants

Figure 1: The LaQuSo FM based approach.

mining the parts of a program relevant is a counterexample which can be to the property to be checked is often used directly to adjust the source called slicing. code, provided that the counterexam- ple was genuine. If the latter is not the Links: • Abstraction. There exist several tech- case, our abstract model is probably LaQuSo: niques by which formal models can be too coarse and must be refined fur- http://www.laquso.nl obtained from source code. Due to the ther. A technique is developed which state explosion problem, a direct iteratively uses spurious Related publications: instruction-wise translation of source counter¬examples to create an http://www.cs.ru.nl/~marko/research/ code is unsuitable. The methods for abstract model with the right level of pubs alleviating this problem can be divid- abstraction. ed into two categories: abstraction and symbolic evaluation. With • Validation. The theorem-proving Please contact: abstraction, the state space is reduced process is very sensitive to the way in Marko van Eekelen by employing specific knowledge which properties are formulated. In Radboud University Nijmegen, The about the system in order to model the case of state transition systems, Netherlands only the relevant features. In the sym- this boils down to the right formula- Tel: +31 24 365 3410 bolic evaluation approach, the tion of invariants. The problem with E-mail: [email protected]

ERCIM NEWS 75 October 2008 37 Special Theme: Safety-Critical Software

The SHADOWS Story on Implementation, Verification and Property-Guided Autonomy for Self-Healing Systems

by Marco Bakera and Tiziana Margaria

Industry-grade, large-scale software systems have an inherent need for autonomous mechanisms of adaptation. In our approach, a new game-based model-checking technique succeeds as a natural solution to the verification and adaptation task: the system becomes a player in a hostile world, and competes against any potential problems or mishaps.

Software self-healing is an emerging approach to addressing the problems of handling and fixing large complex soft- ware systems. In the European SHAD- OWS project on Self-Healing Approach to Designing Complex Software Sys- tems, research institutions (University of Potsdam- D, Milano Bicocca - I, and Brno - CZ, and the IBM Research Labs in Haifa - IL) and industry (Telefonica I&D - E, Net Tech - GR, Artisys - CZ, Israel Avionics Industries - IL) are extending the state of the art for self- healing systems in several dimensions: innovative technology enables self- healing for a wide range of problems not solved elsewhere, several forms of self-healing technology are integrated into a common solution, and a model- based approach enables models of desired software behaviour to direct the self-healing process. This life-cycle support of self-healing is directly applied to industrial systems.

The specific formal verification and adaptation techniques we develop are based on games: they help engineers to Figure 1: ExoMars rover - phase B1 concept (courtesy of ESA). describe, design and ensure the func- tional healing aspects of autonomous system behaviours. For example, once ESA's ExoMars Rover (see Figure 1) is properties that are required or guaran- on Formal Methods for Industrial Criti- sent on a surface mission on Mars, it teed. Hence, this new technique gives cal Systems (FMICS). must accomplish several tasks, includ- them verification, diagnosis and adapta- ing the acquisition of subsurface soil tion of temporal properties for free. This modelling style closely matches samples using a drill. If anything goes the descriptions given by the ExoMars wrong, it should adequately adapt its The central acceptance issue for the designers: actions are the atomic, Lego- behaviour: by reconfiguring itself to new technique, based on the GEAR like basic building blocks of the robot's complete the task in a different way, model checker, is that it can be seam- behaviour, tasks are structured as flow choosing a different task it can still per- lessly integrated with the engineer's graphs of actions, and mission plans are form or at least returning to a basic safe working experience. The robot's formal composed of tasks in a similar fashion. behaviour. With our game-based but intuitive behavioural model is cre- This leads to a hierarchical model of the model-checking approach, engineers ated in terms of processes within the entire behaviour. can play with a model of the system just jABC framework – a mature, model- as they are accustomed to doing in driven, service-oriented process defini- The blend of model and property that today's common simulation approaches. tion platform. The jABC is also at the reveals their interplay in a user-friendly However, at the same time they can core of the FMICS-jETI and Bio-jETI way is a game played by two players: a express, modify and prove the behav- platforms developed at Dortmund/Pots- demonic player (the hostile environ- iour of the system (the model) and the dam within the ERCIM Working Group ment) that tries to refute the property,

38 ERCIM NEWS 75 October 2008 and an angelic player (the system) that proofs. As with a simulator or debugger, case at a time, the game provides a tries to verify it. The result of the game commonly used today in integrated property-oriented exploration of the corresponds to the result of the property development environments, playing the model, characterizing all the system verification process. The game graphs game exposes executions of the system behaviours that violate the property. are at the same interactive counter that violate the property. In contrast to examples, that reveal problems between ordinary simulation and step-by-step Used for diagnosis, the game approach specification and implementation in an debugging however, which establishes fosters a more general and concise interactive way, and mathematical understanding for only one concrete understanding of the property violation. Used for repair, the elaborate informa- tion on the property violation obtained from the game graph helps engineers to adapt the system or the property, thus realigning them.

Whenever the system violates crucial behavioural properties, the game-based verification and adaptation approach provides a deeper and global behav- ioural insight into the nature of the problem. Behavioural properties become more demanding for more complex systems; adaptation proper- ties, as addressed in SHADOWS, are very well suited to this game-based abstract exploration of alternatives driven by properties that represent cor- rectness goals.

The quest continues: for more proper- ties, more elaborate adaptation schemes, and for a natural inclusion of the new game-based verification in the everyday experience of engineers.

Links: SHADOW project: https://sysrun.haifa.il.ibm.com/shadows/ jABC: http://jabc.cs.uni-dortmund.de/ GEAR: http://jabc.cs.uni-dortmund.de/gear FMICS-jETI: http://eti.informatik.uni- dortmund.de/fmics/ Bio-jETI: http://eti.informatik.uni-dortmund.de/ biojeti/

Please contact: For SHADOWS, FMICS-jETI and Bio-jETI: Tiziana Margaria University of Potsdam, Germany Tel: +49 331 9773040 E-mail: [email protected]

For jABC and GEAR: Figure 2: Acquire Sample Bernhard Steffen Task as storytelling model – TU Dortmund, Germany the basis for the game play. Tel: +49 231 755 5801 E-mail: [email protected]

ERCIM NEWS 75 October 2008 39 Special Theme: Safety-Critical Software

Test Coverage Analysis and Preservation for Requirements-Based Testing of Safety-Critical Systems

by Raimund Kirner and Susanne Kandl

The testing process for safety-critical systems is usually evaluated with code coverage criteria such as MC/DC (Modified Condition/Decision Coverage) defined in the standard DO-178B, Software Considerations in Airborne Systems and Equipment Certification (a de-facto standard for certifying software in the civil avionic domain). For requirements-based testing techniques we work on coverage metrics that are defined on a higher level of program representation (eg on the requirements), and that are independent of a specific implementation. For that purpose we analyse the relationship between existing definitions for structural requirement-coverage metrics and structural code-coverage metrics. In addition, we work on techniques that preserve structural code- coverage between different program-representation levels.

We work on requirements-based testing erty of n-version programming, the log- which means that the condition cover- following the two-step approach of the ical structure of the formal require- age of source code is equivalent to DO-178B for testing a safety-critical sys- ments and the program code may be branch coverage at machine code. At tem (see Figure 1). Test cases are gener- different, thus the achieved structural higher abstraction levels, notions like ated from the requirements until all code coverage at the program code model coverage are used. At model requirements are covered (inner dotted must be analysed empirically. level, structural coverage is used in a loop in the figure). Then the structural rather ad hoc fashion, without having code coverage is determined. If the cov- Structural Code Coverage established definitions as they are com- erage is insufficient, additional test cases Structural code coverage is a class of mon for source-code level. are generated (outer dotted loop in the coverage metrics often used to reason figure). The aim is to achieve full about the sufficiency of a given test Within the project SECCO (Sustaining requirement coverage, ie toverify that all suite. A variety of metrics exists, Entire Code-Coverage on Code Opti- requirements are correct and fully cover including statement coverage, decision mization), we work on the mapping and the intended system behaviour. coverage etc. In the safety-critical preservation of structural code coverage domain, one established structural cov- between the different program repre- Formal Requirements erage metric is the modified sentation levels. As shown in Figure 2, as a Program Implementation condition/decision coverage (MC/DC). the implementation is done in a The informal requirements given by the The basic idea of MC/DC is to test domain-specific modelling environ- software specification are the primary whether each condition of a decision ment (SCADE, Simulink etc), from source of information for the software can independently control the outcome which a code generator produces source developer implementing the system. The of the decision (ie without changing the code that is then transformed into requirements are also used to derive the outcome of the other decision's condi- machine code. The SECCO approach is test suite for testing purposes. To enable tions). to define the properties of code trans- the automatic systematic test-case gener- The terms condition and decision refer formations such that the chosen struc- ation, the informal requirements are to the structure of the source code. At tural code-coverage metrics is pre- specified as formal requirements using the machine-code level there is no served by the code transformation. With an appropriate specification language, eg grouping of conditions into decisions, this approach one can use the source based on temporal logic.

We consider formal requirements to be another implementation of the specifica- tion. The logical conjunction of all the formal requirements should summarize the software behaviour. In fact, formal- izing the requirements together with the original software implementation is an example of n-version programming. Treating the formal requirements as a program implementation, we work on defining requirement-coverage metrics as structural coverage criteria. These structural coverage metrics will be used to guide the test-data generation to derive a test suite. As an inherent prop- Figure 1: Software testing process in [DO-178B].

40 ERCIM NEWS 75 October 2008 code or the model to generate test cases automatically and independently of the Figure 2: Principle of require- hardware platform. ments-based test case generation.

Matching Coverages There exist basic definitions for struc- tural requirement coverage. Experimen- tal results show that there is a weak cor- relation between structural requirement coverage and structural code coverage, ie full requirement coverage yields less code coverage. On the basis of these results we want to identify what is nec- essary to guarantee the preservation of coverage criteria starting from struc- tural requirement-coverage criteria to achieve structural code coverage. We address the following questions: Is there a better structural coverage metric for the requirements than the existing coverage metrics? Which type of for- the conditions and decisions of the metrics that are more robust against the mal requirements yields good values for source code. But given the (low-level) logical restructuring of programs. MC/DC? Which requirements are 'hard' specification there is no hint about what to test (ie the derived test suite executes logical structures should be grouped Link: only a subset of the necessary paths into one decision. The same is true for http://ti.tuwien.ac.at/rts/research/proj- defined by MC/DC)? Which implemen- automatically generating code out of a ects/SECCO tation variants are possible and how do modelling environment like Simulink. they affect the MC/DC criterion? This is a serious issue for testing safety- Please contact: critical systems, since with a given test Raimund Kirner It is rather challenging to match current suite, the different logical structuring of Real-Time Systems Group, Vienna coverage metrics between the different a program results in different structural University of Technology, Austria program representations shown in Fig- code coverages. Within the project Tel: +43 1 58801 18223 ure 2. For example, MC/DC is based on SECCO we are working on coverage E-mail: [email protected]

A Step towards Generating Efficient Test Cases – the Project MOGENTES by Wolfgang Herzner, Rupert Schlick, Manfred Gruber

The goal of MOGENTES (MOdel-based GENeration of Tests for Embedded Systems) is to significantly enhance testing and verification of dependable embedded systems. This is achieved by automatically generating efficient test cases by relying on the development of new approaches as well as innovative integration of state-of-the-art techniques. In particular, MOGENTES will apply this technology in large industrial systems in the automotive, railway control and off-road vehicle industries.

Embedded computer systems are to 50% of the overall development VDM or NuSMV), making it hard for increasingly being integrated with effort into test and verification. domain experts to efficiently apply safety-relevant applications such as these methods vehicles, medical equipment and control One conceptually perfect means of • a 'sufficiently' complete formal specifi- systems. Every possible measure must proving the correctness of some (soft- cation of the system is hard to establish be taken to ensure the dependability of ware) system is formal verification, eg (it is noteworthy that the standards EN such systems. As a consequence, the model checking. However in general, 50128 and IEC 61508 recommend the cost of testing software, verifying its formal verification approaches have use of formal methods at higher safety correctness, or validating it against several limitations and drawbacks: integrity levels, but do not enforce it as functional and safety requirements • for larger systems, computing the only highly recommended method) accounts for an increasing fraction of resources quickly go beyond what is • the notion of faults and fault effects the overall cost. A small survey that we feasibly available are rarely included in formal models recently carried out among some 35 • the notations used for the formal • means for dependability (eg fault tol- people revealed that more than 40% of specification of systems and require- erance) are poorly addressed by exist- the participants put at least 20% and up ments are highly abstract (eg Z or ing tools.

ERCIM NEWS 75 October 2008 41 Special Theme: Safety-Critical Software

Figure 1: MOGENTES main activities and relations to develop- ment process.

Testing is therefore still the preferred A means to achieving this goal is the • use (bounded) model-checking tech- method of verification. Manual testing, reduction of test cases by selecting the niques to generate stress test scenarios though, is expensive. In the survey men- most effective ones. MOGENTES • provide semantics-aware transforma- tioned before, in 60% of all addressed therefore has the following objectives: tions from system models to inputs of projects the number of test cases lies in • to generate efficient test cases from specific tools. the range of 1000–10 000, representing system and fault models a significant effort. There is conse- • to establish a framework for the inte- The partners in MOGENTES are Aus- quently a huge demand for test-case gration of involved tools, including trian Research Centers - ARC (AT), generation (TCG) and tools. However, model transformations Budapest University of Technology and in 60% of all addressed projects essen- • to provide traceability of require- Economics (HU), Swiss Federal Insti- tially none of the test cases were auto- ments and to match them to test tute of Technology Zurich (CH), Graz matically generated, while in fewer than analysis results University of Technology (AT), Prover 5% of projects were more than 60% of • to foster the application of automated Technology (SE), SP Technical test cases automatically generated. testing for satisfying functional safe- Research Institute of Sweden (SE), and ty standards requirements. four industrial partners: Ford One reason is that TCG requires abstract Forschungszentrum Aachen (DE), models of the target systems. Unfortu- These objectives shall be achieved with Prolan Irányítástechnikai (HU), Thales nately, testers are often forced to manu- the following concepts: Rail Signalling Solutions (AT) and ally reverse-engineer the implementa- • define common modelling lan- Re:Lab (IT), who not only provide the tion in order to achieve the coverage guages and semantics (meta-mod- applications and requirements to be required for a successful certification els), with UML as the primary candi- addressed, but will also evaluate the (eg Modified Condition/Decision Cov- date, to model domain-specific results and develop the final demonstra- erage (MC/DC) as suggested by the requirements tors. RTCA DO-178B standard), because an • develop a test theory that defines the abstract model of the system is not conformance relation between the MOGENTES is a Specific Targeted available or no longer conforms to the model and the implementation, and Research Project (STREP) in the 7th final product. As a consequence, model- success and failure of a test case Framework Programme partially funded based development must be comple- • define fault models (for hardware and by the EC, and commenced in 2008. mented by corresponding improvements software) and extend the modelling in model-based testing technology. languages to represent faults in (application) models Link: MOGENTES (MOdel-based GENera- • define new coverage criteria under https://www.mogentes.eu/ tion of Tests for Embedded Systems) consideration of minimal cut sets, will demonstrate that with a combina- fault injection, mutation testing and Please contact: tion of new and existing techniques, not safety aspects Wolfgang Herzner, Rupert Schlick, only can the testing effort be signifi- • use model-based fault injection Manfred Gruber, Austrian Research cantly reduced by means of model- (MBFI) for automatically calculating Centers GmbH – ARC based test case generation, but that this minimal cut sets Tel: +43 50 550 {4231/4124/4183} can also be realized in a way accepted • validate fault models and the gener- E-mail: by domain experts with limited experi- ated test cases with physical fault {wolfgang.herzner, rupert.schlick, ence in formal methods. injection manfred.gruber}@arcs.ac.at

42 ERCIM NEWS 75 October 2008 SESAME: A Model-Driven Test Selection Process for Safety-Critical Embedded Systems by Nicolas Guelfi and Benoît Ries

SESAME (Specification based testing of safety-critical small-sized embedded systems) is an industrial research project in the field of embedded systems test methodologies. The first targeted systems are small embedded systems developed by the Luxembourg company IEE S.A. for the control of airbags through sensors or infrared cameras.

SESAME (Specification based testing requirements specifications, which may precise knowledge of the test coverage. of safety-critical small-sized embedded have important consequences in our Further study of this methodology, in systems) is an industrial research project context of specification-based testing. particular the specification and test in the field of embedded systems test In particular, a supplier may neglect its phases, will promote methodologies methodologies. The first targeted sys- own requirements and tests, both com- integrated with software engineering tems are small embedded systems ing from its development and test plat- tools. Using this approach within an developed by the Luxembourg company forms. industrial framework will aid evalua- IEE S.A. for the control of airbags tion of the suggested solutions. through sensors or infrared cameras. Product quality can be improved by fol- lowing a verification process that pro- In order to ease the transfer of the The objective is to develop an approach poses the execution of a tractable test SESAME methodology into industry, for specification-based testing that is phase for which test cases are selected the concrete syntax of the software adapted to the needs and constraints of in order to address explicit quality requirements modelling language used safety-critical small-sized embedded systems. This approach aims to improve the efficiency of activities performed by test engineers, particularly during tests based on software specifications. This approach must have a sound theoretical foundation and must be usable by test engineers. In particular, it is a question of proposing a model transformation language that simplifies software speci- fication models and thus the selection of test cases. This approach should be inte- grated in a semi-formal approach for the specification and testing of safety-criti- 3D-MLI camera: an embed- cal embedded systems. ded system developed at IEE. (Photo: IEE.) SESAME is a joint project between the University of Luxembourg and IEE; it started in April 2003 and will finish in objectives. The SESAME approach for this project has been selected with March 2009. The work is performed uses simple software requirement mod- respect to the recent Unified Modelling both at the LASSY (Laboratory of els as an input, in order to add more Language 2 (UML2) notation standard- Advanced Software Systems of the Uni- weight to the requirements analysis ized by the Object Management Group versity of Luxembourg) and within the phase of a project. This has correspon- (OMG). In particular, UML2 protocol Embedded Software Team of the Inno- ding benefits for the project, especially state machines (PSMs) have been cho- vation Department of IEE, also located in the subsequent design phase. The sen to describe the dynamic behaviour in Luxembourg. SESAME method focuses on the soft- of the software interface, and UML2 ware boundary; this helps reduce the class diagrams are indeed used to Embedded software systems introduce a number of hidden software defects and describe the data associated with the bias toward system testing by customers potentially the total time taken to dis- behaviour defined in the PSMs. and suppliers. The companies that cover and remove defects from the sys- develop embedded software systems tem as a whole. The precise description of the test space previously spent significant time devel- uses a domain-specific language (DSL) oping non-programmable physical sys- To summarize, the SESAME approach defined expressly for the purpose of test tems. The first bias is that customer tests for process improvement addresses selection. Test constraints specifica- focus on physical attributes and thus do three objectives. First, it is based on a tions defined with this language are not cover the attributes introduced for simple software requirements model; interpreted as model transformations on the purpose of the embedded software. second, it includes a precise description the analysis model, and result in a test A similar bias is introduced for the of the test space; and third, it offers a model containing the test selection

ERCIM NEWS 75 October 2008 43 Special Theme: Safety-Critical Software

information. At the same time, we will ification language (eg Alloy). This for- also concentrate on the identification of mal specification, automatically Links: best practices in test selection activities derived from the graphical analysis and IEE S.A.: http://www.iee.lu in an industrial context, in order to tailor test models, is used for formal valida- LASSY: http://lassy.uni.lu/ the SESAME approach to the automo- tion purposes. SESAME: http://wiki.lassy.uni.lu/ tive industry. projects/SESAME Future activities will focus on the In order to precisely validate the impact industry transfer of the approach, and in Please contact: of the test selection, we provide the particular on the full deployment of the Nicolas Guelfi semantics of the modelling language SESAME process for the test selection University of Luxembourg (class diagram together with protocol of the software for new system products Tel: +352 46 66 44 5251 state machine) in terms of a formal spec- from IEE. E-mail: [email protected]

ProSE – Promoting Standardization for Embedded Systems

by Erwin Schoitsch and Laila Gide

During the last few years, standardization was identified both by the European Commission (EC) and by industry as a new issue of strategic importance for the creation of markets. It was one of the concerns of the EC, especially of the Embedded Systems Unit of the Directorate General 'Information Society and Media', that the results of funded research projects are having only a minimal impact on standardization. The Standards Working Group of ARTEMIS, the European Technology Platform for Embedded Intelligence and Systems, proposed an FP7 support action ProSE (Promotion of Standardization for Embedded Systems), to promote standardization in the (dependable) embedded systems field. This was accepted and it commenced in May 2008.

In the 6th Framework Programme, the work will now be performed as part of sectors by promoting standardization COPRAS (Co-operation Platform for the ProSE project, with the long-term and generating a related strategic Research and Standards) initiative was objective of having ARTEMIS act as a research agenda. created, linking research and standardi- supporting organization that will take zation in different areas, mainly outside over the Strategic Agenda for Standard- The key objective for ProSE is to: embedded systems. The work resulted ization as part of its long-term strategy. • structuring and disseminating knowl- in several action plans for specific edge of existing standards within the domains, which provided some guid- The partners in this project are Thales various embedded systems domains ance as to how researchers and research SA (co-ordinator, France); FhG-IGD • providing a set of criteria for identify- projects could achieve some impact on (Darmstadt, Germany); ESI (European ing and prioritizing good candidates standardization. The major problem is SW Institute, Bilbao, Spain); Austrian for standardization in a systematic to find sustainable solutions to perform Research Centers – ARC (Austria); and selective manner this task, since – taking into account AVL List (Graz, Austria); ST Micro- • proposing a practicable methodology that research results are only available electronics (Belgium); Commissariat à for their maturation towards their as projects come to an end – the time l'Energie Atomique - CEA (France); eventual acceptance, so as to enable schedules of new or evolving standards Acciona (Spain); and Ericsson AB or facilitate cross-domain compatibil- are outside the scope of research proj- (Sweden). This represents a good mix ity and a higher degree of reusability. ects. of research and industry, with both This is dependent mainly on software, groups represented by partners involved protocols and interfaces. In the 7th Framework Programme, in diverse fields of dependable embed- ARTEMIS, the European Technology ded systems research, applications and Technical Approach Platform for Embedded Intelligence and standardization. ProSE will provide a vision and recom- Systems (now part of a 'joint undertak- mendations on the way in which embed- ing'), focused on a variety of depend- Key Issues ded systems standards can create syner- ability issues relating to (critical) ProSE is driven by the ARTEMIS Tech- gies between business domains: embedded systems and was mainly ori- nology Platform's objectives, which are • by addressing specific cross-domain ented toward systems and software. It to overcome the fragmentation of indus- issues such as the reusability and reli- organized a standards working group to try and research in the embedded sys- ability of embedded software, and its prepare an ARTEMIS Strategic tems sectors, and to support the embed- verification and certification Research Agenda (SRA) for standardi- ded systems industry such that it is able zation (as a supplement to the to supply cross-domain tools and tech- • by addressing the adaptation of exist- ARTEMIS SRA, see Figure 1). This nology for a wide range of application ing standards, and influencing the

44 ERCIM NEWS 75 October 2008 Figure 1: ARTEMIS SRA segmentation with respect to research domains and application context domains.

evolution of or promoting potential tion), IEC (International Electrotech- Expected Impact new standards in areas not properly nical Commission), etc), and the The ProSE project will directly address addressed until now research community (particularly the complexity challenge by promoting Networks of Excellence) and facilitating new approaches to • by investigating existing specific embedded system design. This is pri- domains (aeronautics, automotive, • by delivering a strategic agenda for marily a system and software issue, and energy, telecom, consumer, medical standardization. This strategic agenda is critical in many application domains etc) in order to identify potential would serve as an input to the future because of the reliance that people and cross-domain synergies, and by pro- EU and national work programmes, society place on the services delivered moting the ProSE vision towards and would complement the by these systems. It will also contribute standardization bodies ARTEMIS SRA. to the changeover from 'design by decomposition' to 'design by composi- • by establishing links between the The project will develop a framework tion' by supporting existing and emerg- embedded systems industry (facilitat- for analysing the present standardiza- ing standards that will enable it. ing the engagement of SMEs), EU tion position, and a method by which standardization bodies (CEN (Euro- to determine standardization priorities It will help to better meet the increasing pean Standardization Committee), for embedded systems. The goal is to demand for innovation activities in the CENELEC (European electrotechni- promote and initiate standards and embedded systems domains by shorten- cal/electronic Standards Committee), standards adaptations rather than to ing the process of selection of candidate ETSI (telecommunications industry), write standards, which would be out- standards, and facilitating the emer- AUTOSAR (automotive system/soft- side the scope (in terms of both time gence of high-quality standards and of ware architecture, etc) and worldwide and resources) of this support action. new services, cross-domain products standardization bodies (ARINC (air- The long-term perspective is the and solutions. craft), ITU (transportation), ISO expected take-up by the ARTEMIS (International Standards Organiza- Platform.

Links: http://www.prose-project.eu/ http://www.smart-systems.at/

Please contact: Erwin Schoitsch Austrian Research Centers – ARC, ARC (AARIT) Tel: +43 50550 4117 E-mail: [email protected]

Laila Gide THALES, France Figure 2: ProSE supporting activities – linking research and standards. E-mail: [email protected]

ERCIM NEWS 75 October 2008 45 Special Theme: Safety-Critical Software

Bicriteria Multi-Processor Static Scheduling

by Alain Girault and Hamoudi Kalla

The reliability of a system indicates its continuity of service. It is formally defined as the probability that it will function correctly during a given time interval. With the advent of ubiquitous computing and distributed embedded systems, it is becoming an increasingly crucial aspect. We propose a framework for designing highly reliable real-time systems, thanks to a novel bicriteria (length and reliability) static multiprocessor scheduling heuristic. The first criterion is the schedule's length, which assesses the system's real-time property, while the second is reliability, assessing the system's dependability.

Our new multi-processor static schedul- Also given is a table of the worst-case duces no output at all. Besides, the ing heuristic, BSH, takes as input two execution time of each operation onto occurrences of the failures of all hard- graphs: a data-flow graph (ALG) each processor, and the worst-case ware components follow a constant describing the algorithm of the applica- transmission time of each data depend- parameter Poisson law: according to tion, and a graph (ARC) describing the ency onto each communication link. this model, the reliability of any given target distributed architecture. Figure 1 The architecture being heterogeneous, hardware component during the interval (left) shows an example of an algorithm these need not be identical. Below is an of time d is equal to e-λd, where λ is the graph: it has nine operations (repre- example of such a table for the opera- failure rate per time unit of the compo- sented by circles) and eleven data tions of ALG. The infinity sign nent. The table of the individual failure dependences (represented by green expresses the fact that the operation I rates per time unit of all the hardware arrows). Among the operations, one is a cannot be executed by the processor P3, components is also given. Again, the sensor operation (I), one is an actuator for instance to account for the require- architecture being heterogeneous, these operation (O), and the seven others are ments of certain dedicated hardware. need not be identical. computations (A to G). On the right is an example of an architecture graph: it Our fault hypothesis is that the hard- From these four inputs, our BSH has three processors (P1, P2, and P3) ware components are fail-silent, mean- heuristic distributes the operations of and three point-to-point communication ing that a component is either healthy ALG onto the processors of ARC and links (L1.2, L1.3, and L2.3). and works well, or is faulty and pro- schedules them statically, as well as the

Figure 1: Example of an algorithm graph.

46 ERCIM NEWS 75 October 2008 communications induced by these scheduling decisions. The output of the heuristic is therefore a multiprocessor static schedule, from which embedda- ble code can be generated.

Our contribution is twofold. First, we redefine the framework of bicriteria (length, reliability) scheduling, because the reliability criterion depends intrin- sically on the length criterion. This incurs three major drawbacks, common to all bicriteria (length, reliability) scheduling heuristics found in the liter- ature. First, the length criterion over- powers the reliability criterion; second, it is very tricky to control precisely the replication factor of the operations onto the processors, from the beginning to the end of the schedule (in particular, it Figure 2: can cause a 'funnel' effect); and third, A Pareto curve produced on a ten-processor system for an ALG graph of 100 operations. the reliability is not a monotonic func- tion of the schedule. To solve this prob- lem, we propose a new criterion to replace reliability, which we call the lems mentioned above. Furthermore, Global System Failure Rate (GSFR). for a given instance of the problem The GSFR is the failure rate per time BSH is able to produce a set of non- Link: unit of the static schedule, seen as if it dominated solutions in the Pareto sense Fault-tolerance: http://pop-art.inri- were a single operation placed onto a (ie the Pareto curve), from among alpes.fr/~girault/Projets/FT/ single processor. which the user can choose the solution that best fits the application's require- Please contact: We have conducted extensive simula- ments. Figure 2 is an example of such a Alain Girault tions that demonstrate that our new Pareto curve produced on a ten-proces- INRIA Grenoble Rhône-Alpes bicriteria (length, GSFR) scheduling sor system for an ALG graph of 100 Tel: +33 476 61 53 51 algorithm BSH avoids the three prob- operations. E-mail: [email protected]

Enhancing Java ME Security Support with Resource Usage Monitoring by Fabio Martinelli, Fabio Massacci, Paolo Mori, Christian Schaefer and Thomas Walter

Capabilities and Ubiquity of mobile devices have dramatically increased in the last few years, with many mobile devices now able to run Java applications, create Internet connections, send SMS messages, and perform other expensive or dangerous operations. As a consequence, better security support is required. We propose an approach to enhance the security support of Java Micro Edition using MIDlets to monitor the usage of mobile device resources.

In recent years, the market for mobile ware on mobile devices is becoming the MIDlet is allowed to perform any devices such as mobile phones or per- more popular. security-relevant action. On the other sonal digital assistants (PDAs) has hand, MIDlets from unknown providers grown significantly. The capabilities of Yet, the security model provided by are not allowed to perform such actions, mobile devices have also increased, and Java ME is not flexible enough to allow and the mobile device user is asked to up-to-date units can be used to connect the spread of MIDlets developed by explicitly allow each of them. to the Internet, read and write e-mails, third-party companies, because it only and also to run Java Micro Edition (Java takes into account the trust in the To overcome the limitations posed by ME) applications (MIDlets). Moreover, MIDlet provider. If the principal that the model adopted by the standard Java the increase in available bandwidth due signed the MIDlet is on the list of ME security support, the European to UMTS means that downloading soft- trusted principals stored on the device, S3MS project (Security of Software and

ERCIM NEWS 75 October 2008 47 Special Theme: Safety-Critical Software

Figure 1: Mobile device operating system.

Services for Mobile Systems) proposes the MIDlet tries to perform on the a new paradigm: security by contract. A underlying mobile device, asks the contract is a claim by a mobile applica- policy decision point to decide tion on the interaction with relevant whether the action is allowed and security features of a mobile platform. enforces the decision by actually exe- At the same time, a policy defines the cuting the action or by returning an security requirements of a mobile error to the MIDlet. device, and resides on the device itself. • The policy decision point is responsi- The contract should be published by ble for evaluating whether a given applications and understood by devices action is permitted in the current state and all stakeholders (users, mobile by the policy on the mobile device. It operators, developers, platform devel- is invoked by the execution monitor opers etc). The contract is specified at and contacts the policy information development time as a requirement to service to get the policy and to man- the application development teams or as age the policy state, while it exploits derivation from the analysis of the the system information service to application. When the application is retrieve information about the mobile downloaded onto the device, the con- device state. tract-matching step is performed to • The policy information service is check whether the contract claimed by responsible for managing the policy the application is compliant with the state. In particular, it stores the policy mobile device policy. If the contract- variables, which could have different matching step succeeds, the MIDlet can scopes. be safely executed on the mobile • The system information service is device. responsible for providing information about the system, such as the current If the contract-matching step is unable date and time, the battery state, the Link: to verify whether the MIDlet is compli- CPU load and so on. http://www.s3ms.org/ ant with the device policy, the policy • The policy loader is responsible for enforcement is performed at runtime. loading the mobile policy on the Please contact: The enforcement is based on the contin- mobile device. Fabio Martinelli, Paolo Mori uous monitoring of the MIDlets to con- • The MIDlet loader is responsible for IIT-CNR, Italy trol the usage of the mobile device loading the MIDlet on the mobile E-mail: {fabio.martinelli, resources. device. paolo.mori}@iit.cnr.it

The architecture for the runtime moni- To confirm the effectiveness of our Christian Schaefer, Thomas Walter toring of MIDlets follows the reference approach, we also developed a proto- DoCoMo Euro-Labs, Germany monitor model, and consists of the fol- type of the modified Java ME runtime E-mail: {schaefer, lowing main components: environment that runs on a real mobile walter}@docomolab-euro.com • The execution monitor is responsible device, namely an HTC Universal for monitoring the MIDlet during its smart-phone running Openmoko Linux Fabio Massacci execution. Specifically, it intercepts and exploiting the PhoneME Feature Università di Trento, Italy all the security-relevant actions that Software MR2 Java Virtual Machine. [email protected]

48 ERCIM NEWS 75 October 2008 TAS Control Platform: A Platform for Safety-Critical Railway Applications by Andreas Gerstinger, Heinz Kantz and Christoph Scherrer

Within the railway industry, the need for computer systems to perform safety-critical tasks is constantly increasing. A typical application is the railway interlocking system (Figure 1): these systems control the state of the signals and switches on railway lines and are therefore responsible for safe train operation. An incorrect output from such a system may in the worst case lead to a train collision. Other applications in the railway domain are axle counters along railway lines, computer systems on board trains, and field element controllers that operate under rough environmental conditions.

All these systems have an important form that fulfils them, and thus enables middleware that implements the safety common feature: they are safety-critical the application programmers to fully functions is strictly separated from the and must therefore be developed accord- concentrate on developing the correct rest of the system. This layered struc- ing to the highest safety integrity level application. Due to the increasing com- ture can be seen in Figure 2. (SIL4), as defined in the standards plexity of applications, it is also neces- applicable to the railway industry sary that the platform be able to keep up The core hardware containing the CPU (CENELEC 50126, 50128, 50129, Rail- with ever increasing demands for pro- board and the interfaces represents the way Applications Standards [RAMS, cessing power, memory consumption lowest level, and is cleanly separated software and electronics]). Apart from and connectivity. from the rest of the system. This means being suitable for safety-critical opera- that the hardware best suited for each tion, railway systems must also be This trend can only be addressed by the purpose is utilized (eg for rail signalling highly reliable and available, and in use of off-the-shelf hardware and oper- systems powerful processors and a most cases must meet stringent real- ating systems. In order to be able to large amount of memory is needed, time requirements. keep up with the advances in hardware whereas for on-board systems low-end and operating systems, these compo- hardware with increased environmental Due to the variety of applications with nents should be as interchangeable as resistance is preferred), and that CPU these common requirements, THALES possible, such that exchanging them upgrades can be easily performed for Rail Signalling Solutions has developed does not compromise the system's new platform generations without a generic fault-tolerant computer plat- safety integrity. For this reason, the major impact on the rest of the system.

The operating system is compliant with POSIX (Portable Operating System Interface), and is currently based on a microkernel. The next platform genera- tion will be based on a more powerful operating system with a Linux kernel, which will bring benefits regarding hardware support and real-time per- formance.

The main innovation of the platform is its safety middleware, which is the decisive element that makes it suitable for safety-critical applications. The safety middleware ensures the clean separation of the lower levels (hardware and operating system) from the applica- tion, and provides all services to ensure safety. The safety middleware also pro- vides the ability to run the platform in redundant configurations.

The applications on top of the layered architecture provide the actual services. The platform can be operated in three architecture variants (Figure 3). The 2oo3 ('2-out-of-3') configuration pro- Figure 1: Electronic interlocking for mainline rail. vides both the required level of safety

ERCIM NEWS 75 October 2008 49 Special Theme: Safety-Critical Software

Figure 2: TAS control platform layer structure.

and fault-tolerance mechanisms to The safety middleware layer (Figure 2) To ensure that no latent faults are aggre- enhance availability. In this configura- provides the communication services to gated in the hardware, the platform also tion, all safety-critical decisions are sub- globalize data amongst replicated hard- performs continuous online testing of ject to a majority voting procedure, such ware and thus ensures a consistent view the hardware. This online testing, which that a failure of one element is detected even in the case that one replica is is performed by a background task, and tolerated. A 2oo2 configuration pro- faulty and sends erroneous and incon- covers the CPU, memory, buses, clocks vides the same level of safety but a lower sistent data messages. The API to and disks. Finally, the platform allows level of availability, since in the case of a access these services is implemented as safety-critical applications to access conflict of output values between two voted message queues. An application only a limited part of the operating sys- elements, a failure of one element is transparent voting service enables the tem, so that the safe execution environ- detected but not tolerated, since it cannot reliable detection of faults and the isola- ment of the application is guaranteed. be decided which one is correct. Finally, tion of the faulty replica. This runtime a 1oo1 configuration allows an applica- environment for safety-critical applica- The platform, launched in 2001, is a tion to be safely operated on a single tions also ensures replica determinism well-established product and in opera- hardware element, but requires the gen- which is a prerequisite for software exe- tion in more than twenty countries on eration of a diverse application accord- cution and voting on redundant hard- four continents. It has demonstrated ing to specified diversification rules. ware. In addition, the platform allows that its safety and reliability approach Software diversity ensures that the same safety-critical applications to access fits for all vital railway applications level of safety is achieved. only a limited part of the operating sys- within THALES Rail Signalling Solu- tem API, so that replica determinism tions. To cope with rapid technology and safe execution within the runtime changes in hardware and software, environment is guaranteed. functional enhancements and new con- cepts for fault detection and tolerance are currently being developed. The next generation of the platform will provide enhanced support for software and hardware diversity, to ensure that the same level of safety can be maintained in the long term with future hardware and software.

Links: http://www.thalesgroup.com/markets/ Activities/Ground-Transportation.html

Please contact: Andreas Gerstinger, Heinz Kantz, Christoph Scherrer Thales Rail Signalling Solutions GesmbH, Austria E-mail: [email protected], [email protected], Figure 3: Architecture variants. [email protected]

50 ERCIM NEWS 75 October 2008 Experimenting with Diversity in the Formal Development of Railway Signalling Systems

Alessandro Fantechi, Stefania Gnesi and Giovanni Lombardi

As a result of collaborations with ALSTOM FERROVIARIA, the Formal Methods & Tools (FMT) group of ISTI-CNR has had access to real-world specifications for signalling equipment together with the complete environment needed to produce an industrial application, from a formal model to the final code. This opportunity has been exploited in an additional research activity aimed at reviewing the existing development process in terms of safety regulations. The underlying idea has been to introduce diversity in order to improve the safety of the equipment produced.

The Formal Methods & Tools group of tems have been employed: the propri- in how the generated code interfaces ISTI-CNR has collaborated on a number etary embedded platform with its dedi- with the operating system or in how it is of joint projects with ALSTOM FER- cated compiler and a commercial com- compiled. ROVIARIA SpA, with the objective of piler on the Windows platform. Parallel introducing formal specification and testing of the two versions with the However, even when sophisticated ver- verification tools into the software same set of tests (taken from the official ification tools such as model checking development process of railway sig- suite of acceptance tests) has been are used, it cannot be guaranteed that nalling products. The most recent col- employed in order to reveal differences the process of writing a formal model laborations have investigated the feasi- bility of automatic code generation, High level mode starting from a specification of the sys- tem's logic using the SCADE tool devel- oped by Esterel Technologies. The focus has been on issues of performance of SCADE diagram specific proprietary hardware architec- tures and on integration with existing software modules. These collaborations have provided the opportunity for some Code generation additional research into the introduction of diversity with the aim of improving the level of safety in the design and development process. Embedded code Embedded code The introduction of diversity has been considered in those cases where an analysis of the safety measures Execution one Execution two employed to limit design faults has revealed possible weaknesses in the Figure 1: Compilation and operating system diversity. development process. A formal model of the (components of the) equipment is first developed using SCADE, with the added possibility of simulating the Relays model UML model model and using model checking to ver- ify that there are no software faults. Code is then generated by the SIL 4 val- idated SCADE code generator. A first SCADE diagram SCADE diagram possible weakness of this process has been identified in the supporting soft- ware: the underlying operating system and the compilation environment, which Code generation Code generation are not validated software components. We therefore introduced the first form of diversity at the level of the compilation Embedded code Embedded code of the generated code, with the aim of discovering possible faults due either to the compilation environment or to the underlying operating system (Figure 1). Execution Execution Two different compilation environments running on two different operating sys- Figure 2: Specification diversity.

ERCIM NEWS 75 October 2008 51 Special Theme: Safety-Critical Software

has faithfully captured the (informal) of verification/code generation/compi- In contrast, the introduction of diversity system requirements. Diversity can help lation/deployment have been imple- in specifications requires at least the at this stage as well, by considering two mented (Figure 2). The final compari- additional effort of writing an inde- independent formal specifications. A son is made by running the set of offi- pendent specification. The overall cost second form of diversity can thus be cial acceptance tests for the equipment of producing diverse specifications is introduced at the level of specification; developed on both versions. therefore twice that of a single formal this will impact the whole development specification process. However, the process. The results of our experiments on the higher costs of this form of diversity introduction of diversity in compilation can be justified by lower testing and The application of this idea to the rail- have been encouraging, and their rela- debugging costs due to the early discov- way signalling domain has provided a tively low cost should facilitate indus- ery of design faults, and by the higher direct way of conceiving diverse speci- trial acceptance of the approach. In level of safety achieved. fications: the relay schemas that still fact, the added cost of the first approach constitute a common language for rail- is limited to repeat compilation and Link: way signalling engineers have been testing on a Windows-based machine, http://fmt.isti.cnr.it used for one version, while a more with practically no cost for additional 'modern' and increasingly popular nota- hardware or software resources. More- Please contact: tion – UML sequence diagrams – have over, replication of compilation and Stefania Gnesi been used for the other. From these two testing can be automated to a high ISTI–CNR, Italy specifications, two independent chains extent. E-mail: [email protected]

Evaluation of Natural Language Requirements in the MODCONTROL Project

by Antonio Bucchiarone, Stefania Gnesi, Gianluca Trentanni and Alessandro Fantechi

We describe QuARS (Quality Analyzer for Requirement Specifications) Express, a customized version of the QuARS tool. It is designed to evaluate natural language requirements, can handle complex and structured data formats containing metadata, and is able to produce an analysis report with categorized information.

On behalf of ERCIM, the FMT Group of at as early a stage as possible. An auto- mation. The new reporting feature ISTI-CNR has participated in MOD- matic analysis of the requirements improves on the simple text-based report CONTROL, a subproject of the recently expressed in natural language should provided by QuARS by exploiting concluded European Integrated Project help to guarantee the successful out- HTML technology to produce structured MODTRAIN. MODTRAIN stands for come of a project by highlighting hypertext pages. Innovative Modular Vehicle Concepts potential sources of ambiguity and for an Integrated European Railway other weaknesses. Using QuARS Express, we analysed System, and was the first Integrated Pro- the functional and system requirements ject to focus on joint European railway In the context of MODCONTROL, we of TCMS, which included more than research. The objective of MODTRAIN have developed the QuARS Express 5700 requirements. The results showed was to define the functional, electrical tool, a customized version of the QuARS that an analysis based on QuARS and mechanical interfaces and valida- tool (see ERCIM News No. 58), able to Express not only identifies linguistic tion procedures for a range of inter- handle complex and structured data for- defects, but can also provide some indi- changeable modules that will form the mats containing metadata and to produce cation of the diverse styles used by dif- basis for the next generation of intercity an analysis report with categorized infor- ferent partners to express requirements trains and universal locomotives. MOD- CONTROL addressed the standardiza- tion of an innovative Train Control and Monitoring System (TCMS) designed for future interoperable European trains.

Achieving high quality in the definition of software requirements is a must in the development of reliable and dependable software products. The availability of techniques and tools for the analysis of requirement documents may help to remove inconsistencies and ambiguities Figure 1: QUARS graphical user interface.

52 ERCIM NEWS 75 October 2008 in natural language, thus laying the basis for improvements in the formula- tion of requirements.

The overall quality analysis process adopted in the project is shown in Fig- ure 2 and is summarized in the follow- ing points: • The project partners create a new project using IBM RequisitePro and insert the requirements with all the required attributes (Name, Text, Responsibility, Package etc). • The different requirements are stored in a requirements file, one for each requirement class, ie Functional Requirements (ie, FREQ) and System Requirements (ie, SREQ). • The IBM tool SoDA is used to gener- ate a text document containing the requirements and the relevant attrib- utes, which is saved in text format. A Figure 2: MODCONTROL evaluation process. specific template has been defined for SoDA in order to allow QuARS Express to properly interpret the • If QuARS Express should point to Links: information contained in the generat- some (possible) defect, the DRR http://www.modtrain.com ed document. should be filtered by experts in a http://quars.isti.cnr.it/ • The text file obtained is input to 'false defect survey', in order to http://www- QuARS Express, which analyses the establish whether or not a refinement 306.ibm.com/software/awdtools/reqpro sentences (requirements) and gives as is really necessary. In this case, a output the Defective Requirement new cycle of quality analysis may be Please contact: Reports (DRR) for both FREQ and initiated. Gianluca Trentanni SREQ documents, together with the • Otherwise, the approved require- ISTI-CNR, Italy calculation of relevant metrics. ments document is released. E-mail: [email protected]

Development of Safety Software for the Paks Nuclear Power Plant by Tamás Bartha and István Varga

Software development in a safety-critical environment requires that a rigorous process be followed in all phases of the system life cycle. Members of the Systems and Control Laboratory of SZTAKI are working together with experts at the Paks nuclear power plant in Hungary to develop new tools and support systems that will improve the dependability of the safety software.

The Systems and Control Laboratory 2. Development and implementation: Formal Verification of Functional (SCL) of SZTAKI has a long-term suc- - Microcontroller level: the hardware Block-based Specifications cessful research and development col- and software for the microcon- Each reactor unit of the nuclear power laboration with the Paks nuclear power troller-based smart test plugs of the plant is supervised by a Reactor Protec- plant to provide new methods and tools Universal Test System (UTS) tion System (RPS), which continuously for the development of safety software - Programmable Logic Controller monitors the nuclear process in order to in the plant. Some notable recent results level: the distributed control hard- intervene and safely shut down the unit of this work (listed according to their ware and software of the new Pri- in an emergency situation. The plant role in the development life cycle) are mary Pressure Controller experts specify the safety functions of the following: - Application level: the UTS test the RPS using the Functional Block management software. Diagram (FBD) description method. 1. Specification: the verification of The software for the RPS is then cre- detailed functional specifications of 3. Testing: ated automatically by a certified code safety functions with formal methods. the Universal Test System. generation process.

ERCIM NEWS 75 October 2008 53 Special Theme: Safety-Critical Software

The primary means for finding errors in 1. The Central Test Machine is an indus- Controller (PLC) and connected by an the specification are simulation and trial PC that provides the user inter- Ethernet network. The pressure is meas- testing. However, this approach cannot face to the UTS, initiates test execu- ured by a high-precision instrument guarantee the correctness and complete- tion, controls the testing process by located in a hermetically sealed area. ness of the specification. Formal analy- communicating with the Local Test The pressure measurement loop has a sis of the safety functions is therefore Machines (LTMs), and queries and redundant architecture. The data are required to prove that the system cannot automatically evaluates the test transferred to a Siemens S300 control enter into unsafe states; remains opera- results from the plant database. unit using the Profibus PA protocol. This controller checks the status of the pres- sure measurements and transfers them to the other units. The endpoints of the sys- Figure 1: The new tem are three Wago intelligent con- pressure controller trollers that operate the electric heaters system in the testbed and the valves: these are the real actua- environment. tors in the system, located at different points in the power plant. The three con- trollers are able to work independently in reduced mode in case of a failure.

The software of each PLC contains the control algorithm and performs the com- munication in the distributed system. Both the Siemens and the Wago PLCs were programmed using development tools compliant with IEC 61131-3.

The main feature of the new controller is that it uses a continuous range (0-360 kW) of heating power to guarantee a very stable pressure value. The ampli- tude of the pressure oscillations was reduced from 1 bar to 0.1 bar compared tional (no deadlock or livelock); does 2. The LTMs download the tests to the to the old controller. This made possible not trigger the safety actions unneces- appropriate active test plugs and a safe increase in the thermal power of sarily (no spurious activation); and supervise the tests that use the com- the units by 1-2%. The operational always triggers them when required (no munication interfaces. results are very good: using the more activation masking). 3. The active test plugs are intelligent, efficient control, a much smoother microcontroller-based cards, which overall operation has been obtained. The Systems and Control Laboratory perform their dedicated part of the test These developments are part of the supplemented the development process procedure autonomously. For safety complete refurbishment of the instru- with a verification procedure based on reasons the cards are backlash-free mentation and control infrastructure at the formal modelling of the RPS safety and are powered only during the test. the Paks nuclear power plant. In these functions. The basic function blocks are days of the 'nuclear renaissance', there described by Coloured Petri Net (CPN) The functional and physical distribution are more and more refurbishment and subnets. The formal model of a given of the components means the LTMs and life-time extension projects in Europe safety function is obtained by the the active test plugs have a simple and and throughout the world. As the old proper composition of these subnets robust design. Various software devel- analogue and wired logic is replaced into a hierarchical CPN, copying the opment methods and environments with modern digital programmable structure of the FBD-based specifica- were used due to the heterogeneous equipment, the amount of safety-critical tion. This formal model is then analysed hardware platforms. software multiplies, meaning such using the behavioural properties of the developments are vital to maintain and CPN and model-checking methods. The new Primary Pressure Controller ideally increase the safety and effi- A new pressurizer control system for ciency of the nuclear power. Functional Testing of the RPS During maintaining the pressure safely within Normal Operation the range of 122.75-123.25 bar was Link: The Universal Test System is a distrib- designed and successfully implemented http://www.sztaki.hu/scl uted, computerized test system devel- by the members of SCL. The control oped by members of the Systems and algorithm is based on the simplified Please contact: Control Laboratory to facilitate the test- dynamic model of the pressurizer. Tamás Bartha, István Varga ing of the RPS during the start-up stage SZTAKI, Hungary and also during normal operation. The redesigned pressure controller is a Tel: +36 1 279 6227 The UTS is composed of three main distributed digital system comprised of E-mail: [email protected], components: units based on the Programmable Logic [email protected]

54 ERCIM NEWS 75 October 2008 Catalonia boosts Education and Knowledge in Safety-Critical Software

A recent collaboration has led to the development of a professional training course in quality assurance for safety-critical software and systems, focused on the biomedical, transport and aerospace sectors.

The Aerospace Research and Technology The difficulty frequently remarked upon Additionally, a review of real-time operat- Centre (CTAE) and the Technical Univer- by companies lies in finding trained pro- ing systems and control systems (includ- sity of Catalonia (UPC) joined forces in fessionals in this complex field, which ing specifications, closed-loop, structural late 2006 to organize an innovative profes- includes quality assurance according to conditions) is also given, as well as practi- sional training course in quality assurance the relevant standards, methods, processes cal aspects in coding, verifying and vali- for critical software and systems, with the and techniques. This course was created dating (V&V) software in these systems. support of UPC Foundation and the Uni- with the aim of providing the participant versity of Ohio. To date, two successful with the academic state-of-the-art knowl- The course also fosters the exchange of editions of the course have been held with edge and advances, together with a practi- ideas among different institutions and international participation, and a third edi- cal view of how these solutions are imple- builds up partnering and networking initia- tion is scheduled for February 2009, in mented in current and future projects with tives, all of which is helping Catalonia to Barcelona. industry. The three participating compa- become a centre of excellence in this area. nies bring hands-on expertise in a spec- We understand as critical those software trum of applications ranging from biomed- Links: items and systems in which a malfunction ical and space-borne systems (NTE), http://www.upc.edu may harm humans and/or animals, dam- flight segment and avionics in launchers http://www.ctae.org age the environment, destroy infrastruc- (GTD), and ground segment and naviga- http://www.fundacio.upc.edu ture, or cause structural damage. An illus- tion systems (INDRA). Moreover, each http://www.nte.es trative example is the challenge that must edition of the course features an invited http://www.indra.es be addressed to seamlessly introduce speaker to complement the lectures. http://www.gtd.es Unmanned Aerial Vehicles (UAVs) into non-segregated airspace from an Air Traf- The course covers the following main top- Please contact: fic Management (ATM) perspective. ics: an introduction to safety, an overview Josep Maria Fuertes i Armengol There is a growing demand for safety-crit- of systems and systems engineering, life- Universitat Politècnica de Catalunya, ical software and systems whose risks are cycle models, an exhaustive view of safety Spain managed with the methods and tools of analysis methods (including functional Tel: +34 93 401 72 90 safety engineering. A life-critical system is hazards models, fault tree analysis, E-mail: [email protected] designed to behave as needed even when Markov analysis, failure mode and effect pieces fail; this is illustrated by the US analysis), standards and certifications at Marcel Quintana Claramunt Federal Aviation Administration (FAA) American and European levels, require- Aerospace Research and Technology specification that fewer than one life per ments and traceability, software safety, Centre (CTAE), Spain billion (109) hours of operation should be verification, tool qualification, configura- Tel: +34 93 664 26 44 lost (Advisory Circular 25.1309-1A). tion management and certification aspects. E-mail: [email protected]

Requirements Engineering Lab at IPT São Paulo

To contribute to research in requirements the purpose of developing requirements 6. Domain languages and models engineering, the Instituto de Pesquisas engineering techniques and tools to 7. Domain and requirements model Tecnológicas do Estado de São Paulo deliver more reliable and accurate safety- transformation: (IPT) decided to create the Requirements critical applications. 8. Software requirements verification Engineering Laboratory. and validation (V&V) To meet the objectives, ten research areas 9. Software requirements management The main objective of the Requirements have been defined: 10. Software requirements modelling Engineering Laboratory is to create, 1. Software requirements fundamentals tools. deploy and disseminate a research envi- 2. Software requirements engineering ronment to post-graduate IPT students. It processes Link: is particularly aimed at those enrolled in 3. Software requirements elicitation and http://www.ensino.ipt.br/ software engineering courses but is also analysis methods: open to other researchers, helping them to 4. Software requirements specification: Please contact: develop academic research and artifacts investigates software requirements Paulo Sérgio Muniz Silva related to software requirements engineer- models from a system viewpoint. Instituto de Pesquisas Tecnológicas do ing. The laboratory also intends to foster 5. Formal methods applied to software Estado de São Paulo – IPT, Brazil academic and industrial partnerships for requirements engineering: E-mail: [email protected]

ERCIM NEWS 75 October 2008 55 R&D and Technology Transfer

Developing a Distributed Electronic Health-Record Store for India

by Jim Dowling and Seif Haridi

The DIGHT project is addressing the problem of building a scalable and highly available information store for the Electronic Health Records (EHRs) of the over one billion citizens of India.

There has been much recent interest in care information systems that store for the distributed storage aspects of the information services that offer to man- Electronic Health Records (EHRs) for project, while C-DAC will work age an individual's healthcare records in their citizens. towards evolving an EHR standard for electronic form, with systems such as India. The project will embrace both Microsoft HealthVault and Google The DIGHT (Distributed Information open-source technology and open stan- Health receiving widespread media store for Global Healthcare Technol- dards to ensure that information is man- attention. These systems are, however, ogy) project is addressing the chal- aged and secured in an accountable and proprietary and fears have been lenges of building a scalable and highly transparent manner. We are not aware expressed over how the information reliable information store for EHRs for of any existing government-run infor- stored in them will be used. In relation the citizens of India. The project part- mation system that manages the enor- to these developments, countries with ners are SICS and the Indian Centre for mous number of users that would be nationalized healthcare systems are also Development of Advanced Computing stored in an Indian EHR information investigating the construction of health- (C-DAC), where SICS is responsible store.

In many Western countries, the main Photo: Staffan Truvé problem of building a one-stop shop for patients' EHRs is the cost of integrating disparate existing healthcare systems. Typically, these systems do not easily interoperate due to the use of different relational databases and different media storage software, which makes data transfer across systems inconvenient or impossible. Another challenge for such systems is the use of distributed stor- age, as a centralized system of this scale would lead to limited scalability and poor availability characteristics. We are building a healthcare system from the ground up; less emphasis is placed on the integration problem due to a rela- tively small number of existing health- care systems and EHRs in India.

The requirements for our EHR storage system include: • high data availability even in the presence of faults in the network or computer hardware (eg due to power outages, environmental disasters and regional strife) • high performance to ensure the sys- tem can function even under the high loads that may arise in emergency sit- uations (such as a pandemic, large- scale accident or war) • security to protect patient data from misuse, unauthorized access or attacks.

While current relational database tech- nology has matured to the extent that Electronic Health Records for the more than one billion citizens of India. systems can store terabytes of data in a

56 ERCIM NEWS 75 October 2008 database cluster, existing centralized partially synchronous networks that can different sets of information in an EHR information storage architectures pro- enable us to overcome this limitation. depending on the consistency needs of vide impediments to scalability and the system. high availability. DIGHT will make use State-of-the-art open-source replication of lower-cost computer clusters that can for wide area networks (WANs) such as As the system will be of extreme scale, be used to provide higher availability MySQL cluster, only support asynchro- with many clusters located throughout and better performance characteristics nous replication: they provide no data India, client software that accesses data for lower hardware costs. consistency guarantees between clus- in the information store will need to ters for data replicated between geo- provide routing and lookup functional- As part of this distributed approach, the graphical locations. Consequently, in ity to enable data updates and queries to project will develop data replication the event of the crash of a cluster there be sent to the cluster where the repli- algorithms to ensure that security, per- is potential for data loss. This is not cated EHR of current interest is stored. formance and data availability require- acceptable in the healthcare domain. In particular, we are investigating the ments are met. The EHR store will be While strict consistency of multiple use of Distributed Hash Table technol- huge in size and the network environ- copies of replicated EHRs is intuitively ogy to build a scalable solution for dis- ment will be challenging, with frequent the most desirable consistency model, covery and retrieval of EHRs from clus- network partitions. Our replication this may unnecessarily degrade per- ters. Finally, we will incorporate suit- algorithms must take into consideration formance due to high latencies over able security policies and mechanisms Brewer's Conjecture: it is impossible WANs. However, since an EHR is a to prevent corruption, misuse or theft of for a data store in an asynchronous net- huge set of information, not all infor- EHR data in distributed environments. work to simultaneously provide (i) par- mation will require strict consistency of tition tolerance, (ii) availability and (iii) data for the information system to func- Link: consistency. Typically, systems can be tion correctly. Hence, there is scope to http://dight.sics.se/ built that simultaneously provide two of identify and implement weaker consis- these three properties and it is generally tency models to enable the system to Please contact: assumed that designers of new systems function both efficiently and correctly. Jim Dowling should pick the two properties that are The idea is to define a set of consis- SICS, Sweden most important to their requirements. In tency models with varying degrees of Tel: +46 8 633 1694 DIGHT we will investigate the design of consistency and to associate them with E-mail: [email protected]

Epidemic Intelligence: Satellite-Enabled Applications for Health Early Warning Systems by Catherine Chronaki

An earthquake-readiness exercise in November 2007 in Crete, Greece, assessed the added value of satellite-enabled applications for epidemiological surveillance and health early warning systems in post-disaster health management.

The risk of epidemics and emerging or lion and FORTH-ICS, involved around Red Cross used triage protocols avail- re-emerging diseases is rising and can 300 people from more than twenty able in handhelds connected to the emer- only be contained with prevention, early organizations. Observers from ESA, the gency coordination system and a central warning and prompt management. World Health Organization (WHO), the hospital. A WiFi camera conveyed sights Readiness exercises are critical in European Center for Disease Control and sounds of the disaster to decision improving readiness, in testing means, (ECDC) and other organizations makers in the operations centre. methods, master plans and procedures, assessed the added value of satellite- and above all in training civil protection enabled services not only in the acute On the second day, epidemiology sce- personnel. phase following the disaster but also in narios of post-disaster health manage- post-disaster health management and ment unfolded in a refugee camp coordi- The SAFE (Satellites For Epidemiol- epidemiological surveillance. nated by the Hellenic Red Cross and the ogy) project is co-funded by the Euro- Prefecture of Heraklion. Upon arrival, pean Space Agency (ESA) and coordi- On the first day, the exercise scenarios the state of health and the medication nated by MEDES (FRANCE). In a two- covered search and rescue operations in needs of refugees were recorded in a pri- day earthquake readiness exercise that a power plant and a large hotel complex, mary care Electronic Health Record was held on the island of Crete, Greece, as well as averting pollution and envi- (EHR) system that was extended to sup- on November 5-6, 2007, it demonstrated ronmental disaster after a fuel leakage. port rapid data entry of health problems a component-based system for health The SAFE van offered satellite commu- and medication using Personal Digital early warning. The exercise that was nication and deployed a WiFi network in Assistants (PDAs). Summary reports coordinated by the Prefecture of Herak- the crisis area. Volunteers of the Hellenic that reflected the overall status and

ERCIM NEWS 75 October 2008 57 R&D and Technology Transfer

health needs of the camp were then SAFE succeeded in successfully Technical interoperability and integra- automatically generated. employing satellite, radio and wireless tion of the different systems involved is networks, geographic information sys- a key requirement for the seamless sup- Soon afterwards, the first signs of a Sal- tems, integration technology and data port of streamlined workflows when monella enteritidis outbreak appeared in mining to promptly identify and time is critical. The HL7 Clinical Doc- the camp. Suspicious cases of gastroen- respond to a disease outbreak. ument Architecture and Arden Syntax teritis raised an alert in the epidemiolog- are vital tools that should be further ical surveillance system and triggered Satellite communication can augment investigated as part of our future work investigation. In collaboration with the overloaded telecommunication infra- for seamless service integration. experts, an epidemiological protocol structure, thereby providing connectivity was tailored and promptly deployed to to remote and inaccessible areas at short The exercise identified significant the PDAs of the data collection team. notice and contributing to better coordi- strengths as well as weaknesses that Decision makers followed the progress nation and clearer assessment of the cri- need to be addressed in health early of the investigation online, using the sis. The time required to set up satellite warning systems for public health. At Web version of the SAFE data collec- connectivity turned out to be quite short. the same time, participants and tion system. Water sources were shown However, in disaster situations connec- observers recognized that SAFE offers in the Geographic Information System tivity can be unpredictable and is valuable tools to the 'Epidemic Intelli- (GIS) via a dedicated layer and the rele- affected by location and weather condi- gence' and paves the way towards vant risk was assessed. As biological tions. The ability of the SAFE system to advanced preparedness and response by samples were analysed in the mobile operate in disconnected mode turned out lifting communication barriers, promot- laboratory, expert centres provided to be a critical advantage. ing collaboration and reducing the iso- remote support in laboratory analysis lation of affected areas. and interpretation based on images The effective use of ICT in disaster situ- transmitted via satellite. A tourist with ations, real or 'simulated', requires orga- FORTH-ICS coordinated the SAFE Salmonella typhi was identified and the nizational changes and targeted staff demonstration in close collaboration health alert was communicated interna- training. At the same time, ICT usability with local authorities, MEDES, France (project coordinator); GMV, Spain; TTSA, France; REMIFOR, France; and medical experts from the University of Verona and the University of Crete. Institutes of epidemiology in Spain (ISCIII-CNE) and France (InVS) ensured compliance with the practices and policies of epidemiological moni- toring.

Links: ICS-FORTH: http://www.ics.forth.gr SAFE: http://www.medes.fr/safe Institute for Space Medicine and Physiology, MEDES-IMPS: Earthquake-readiness exercises. http://www.medes.fr European Space Agency: http://www.esa.int SAFE exercise video: tionally to ECDC and WHO by the in disaster and post-disaster management http://www.esa.int/esaTE/ Early Warning and Response System is a major issue. Online services need to SEM7DK73R8F_index_0.html (EWRS) via the Center for Disease Con- be simple, flexible and streamlined, tak- European Center for Disease Control: trol (ΚΕΕΛ ΠΜΟ) and the Center of ing advantage of different forms of con- http://www.ecdc.europa.eu/ Emergency Operations in the Hellenic nectivity in a cost-aware fashion. As a Early Warning and Response System: Ministry of Health. consequence, satellite-enabled services https://ewrs.ecdc.europa.eu/ need to be refined, adapted and exten- World Health Organization: The exercise proved that ICT can assist sively tested in the context of readiness http://www.who.int in rapidly assessing an epidemiological exercises to improve our capacity to situation and taking appropriate meas- issue health early warning and promptly Please contact: ures. Decision makers were able to track manage outbreaks. Audrey Berthier the progress of the epidemiological MEDES, France (project coordinator): investigation online, while data mining Security and confidentiality are further E-mail: [email protected] and statistical analysis identified water major issues that can be a source of from a tank as the most likely cause of inefficiencies in the presence of inter- Catherine Chronaki the epidemic before the laboratory mittent connectivity if password-based FORTH-ICS, Greece results were available! authentication is required. E-mail: [email protected]

58 ERCIM NEWS 75 October 2008 Novel Drug Discovery with SIMDAT Grid Technology by Yvonne Havertz

Within the European SIMDAT project (Grids for Industrial Product Development) a substantial progress in pharmaceutical analysis has been achieved. It enables pharmaceutical companies to virtualise and globalise their research and development chain, lowering costs as well as considerably improving knowledge exchange between industrial and academic partners.

"One of the most important R&D strate- gies to achieve a significant gain of effi- ciency is to tap into external knowledge and expertise through a network of external alliances, sharing the risk, reward and control. Given the large investments in drug research, Virtualisa- tion provides a great savings potential," summarizes Professor Ulrich Trotten- berg, director of Fraunhofer Institute for Algorithms and Scientific Computing SCAI, the SIMDAT project co-ordina- tor, the current challenges in pharma- ceutical drug discovery.

"With the distributed nature and diverse location of biological data for disease and medical treatment, it is becoming vital to be able to fast and flexible con- nect to these resources. Grid as a key part of Information Technology supports the organisations' rapid movement into the virtualised and now more globalised information market," says Rob Gill, Head of Biology Domain Architecture at GlaxoSmithKline (GSK). "The SIM- DAT Grid technologies developed by Gene sequence analysis at GlaxoSmithKline. SIMDAT enables pharmaceutical companies to GSK, NEC, Inpharmatica (Galapagos), virtualise and globalise their research and development chain. © GlaxoSmithKline InforSense and Fraunhofer Institute for Algorithms and Scientific Computing SCAI provide a new business model in the life science sector, which can be Knowledge exchange within SIMDAT both industrial and academic partners considered as a success of the project as is not bound to local infrastructure but is and take advantage of its great savings a whole." tending away from organisational, potential. In addition, globalisation is process and technology limitations. getting more and more crucial to keep Usually, establishing new relationships Thus, pharmaceutical companies like up in an international context, especially by creating a new virtual organisation GSK have now the possibility to scale considering the rate of growth of scien- (VO) may take up to several months. their business relationship with both tific and technical graduates in Asia is But the 'Data Grid' paradigm can biotech companies like Inpharmatica already outpacing the United States and reduce this to weeks or even days. The (Galapagos) and academic partners. Europe. Virtualisation has also the VO in this case demonstrates how a That is, they can restrict themselves to means to benefit from this wealth of pharmaceutical company could partner exactly those resources they are inter- knowledge along with developments in with an academic group and a vendor ested in and are not forced to subscribe the global market. company to look at a specific disease to a complete and costly product. This and drug target. The duration of this can be realised by new, grid-based mid- Current industry applications can relationship depends on the questions dleware components, used to securely already take advantage of SIMDAT asked and the costs incurred by the and transparently integrate distributed technologies. This was successfully interaction. Biotech, on the other hand, data repositories, in combination with demonstrated by a workflow-based test has the opportunity to get access to distributed execution of process chains. system implemented at GSK by new markets and, hence, is in the posi- InforSense, consisting of five different tion to increase its commercial offer by Through Virtualisation pharmaceutical remote sites and including data services implementing a finer grained product companies like GSK are now capable of of two external companies. The devel- portfolio. scaling their business relationship with opment of this workflow is driven by the

ERCIM NEWS 75 October 2008 59 R&D and Technology Transfer

need to get high quality, state of the art chain and is able to import the best of industrial prototypes in the aerospace, analysis for pharmaceutical companies bread analysis from both academia and automotive, pharmacology and meteor- from wherever it is best sourced. Thus vendors at appropriate costs. It is an ology sectors. was shown that pharmaceutical R&D ideal showcase for potential providers processes can be outsourced across mul- who are interested in working with phar- Link: tiple organizations, even if they are maceutical partners in a more collabora- http://www.simdat.eu/ using different specifications. Thereby tive and beneficial manner rather than the central industrial requirement for a purely in a simple vendor consumer Please contact: controlled and secure interaction has relationship. Clemens-August Thole been fully addressed through internet SIMDAT coordinator security models provided by NEC. SIMDAT has been funded by the Euro- Fraunhofer Institute for Algorithms and pean Commission under the Information Scientific Computing SCAI As a powerful tool for knowledge Society Technologies Programme (IST). Tel: +49 2241 14 27 39 exchange, SIMDAT technology broad- Since it's launch in 2004 SIMDAT has E-mail: ens the scope of the drug discovery successfully installed Grids in various [email protected]

Mediated Collaborative Learning

by Kostas Pentikousis and Carmen Martinez-Carrillo

Wikis should be a very familiar Web application for most ERCIM News readers. Once used mainly by the open-source community, wikis are now increasingly being adopted for day-to-day work in large multi-partner and company-internal projects. We have recently been exploring the application of wikis to Computer-Assisted Language Learning (CALL). As we explain below, language in wikis is produced in a collaborative fashion, with all participating members developing and improving the contents of the wiki. Individual contributions motivate the rest of the group to participate in the process of knowledge creation in numerous ways. Following a three-semester study looking at the use of wikis for CALL, our results indicate that they facilitated the simultaneous appropriation of language, technological tools and collaborative skills, often referred to as 'multiacquisition'.

Wikipedia is a classic example of a wiki the ability to collaboratively produce standing of human interactions online. that has reached international acclaim, and edit content. On the other hand, fea- The Vygotskian sociocultural theories and is one of the most frequently cited tures such as tagging (see Figure 1), the of learning provide a solid interpreta- sources in recent years. While wikis listing of friends, connections and fol- tion framework for the acquisition of may look like regular Web sites to unini- lowers, and the ability to rate content foreign language competence in online tiated readers, they typically follow an are far more common. In effect, such environments like wikis. In Vygotsky's editorial process that is different to tra- Web 2.0 applications emphasize indi- view, new knowledge is produced ditional Web sites. In principle, users viduality. Moreover, the most success- though the social interaction of partici- can edit any wiki page, start new pages, ful content providers tend to focus on pants and mediated by cultural artifacts and comment and expand on the collec- very specialized topics, often the that influence the development of the tively assembled material. Technically dominion of a few. Unlike other Web mind. Learning is mainly understood as speaking, a wiki is a 'thin-client' applica- 2.0 applications, wikis put the focus on a social action, mediated by instruments tion, intuitive in its use with minimal teamwork, emphasizing the importance whose nature depends on the pursued requirements for training, software and of the collective end result. At the same goals. Moreover, sociocultural theories hardware. Wikis scale well and benefit time, wikis allow the primary and sec- present learning as a process that goes from participation of many users. In ondary contributors to be identified and from interpersonal to intrapersonal, first Wikipedia for example, large user par- rewarded accordingly, without losing at the social level and then at the indi- ticipation was crucial in identifying con- track of teamwork achievements. vidual level. troversial entries. As with open-source software, wikis allow all interested par- Currently, the biggest challenge in Given this theoretical background, ties to raise a flag when content is out of CALL is to find ways to interconnect wikis can be considered as cultural line, and corrective actions can be taken second-language acquisition theories instruments suitable for mediating promptly. with those of computer-mediated col- knowledge. The structure and func- laborative learning. Advances in this tional characteristics of a wiki call for Wikis are part of the so-called 'Web 2.0', area are fundamental for developing language production that is open, yet Cormode and Krishnamurthy (First effective interfaces for learning foreign dynamic and expansive in nature. In Monday, July 2008) point out that popu- languages. As language learning can fact, the possibility of linking to new lar Web 2.0 sites such as YouTube, only occur through socializing, the empty pages stands as an explicit open Flickr, Facebook and MySpace steer effective use of computers for didacti- invitation to language and knowledge clear of incorporating (and promoting) cal purposes requires a clear under- production for the learner. Language

60 ERCIM NEWS 75 October 2008 lective knowledge of the topics, and the emergence of polycontextuality. The wiki as a cultural artifact mediated the collaborative process of language pro- duction and enabled the creation of a shared common final product, 'owned' by all the contributors. This is an essen- tial characteristic of collective language production in wikis, and it is fundamen- tally different from that observed in other synchronous and asynchronous interfaces. Of course, further work is necessary to establish quantitatively the benefits of adopting wikis for CALL.

In the future, we would like to look at the use of wikis in other contexts. This Figure 1: Tagging is a popular feature of Web 2.0. Illustration: Luca Cremonini, includes both the use of wikis in stan- Source: http://upload.wikimedia.org/wikipedia/commons/a/a7/Web_2.0_Map.svg dard curriculum courses in subjects not related with learning foreign languages and in extracurricular activities. We are also actively looking for partners to acquisition occurs in a polycontextual Applied Sciences in Oulu, Finland. expand our current work towards multi- manner that compels group members to After a pilot study with a group of nine disciplinary projects and establish new apply different skills, depending on the students in the spring of 2007, we collaborations. phase of development. Overall, wikis repeated the study with another group are a polycontextual tool that enables of eighteen students in the fall. In the Link: the integration of multiple contexts and spring of 2008 we expanded the wiki http://ipv6.willab.fi/kostas/?wikis voices in the common task of language use to a group of more than sixty stu- building. dents. Our first results of the didactical Please contact: use of the wiki indicate that it is effec- Kostas Pentikousis We completed a set of studies using tive in supporting the shift from indi- VTT Technical Research Centre of wikis for mediated collaborative learn- vidual to collaborative writing. We Finland ing of Spanish as a second language observed three key changes towards Tel: +358 40 536 9052 (Spanish L2) at the Oulu University of collective responsibility, broad and col- E-mail: [email protected]

Cross-Language Evaluation Forum – CLEF 2008 by Carol Peters

The Cross-Language Evaluation Forum (CLEF) has been running for nine years now. The results of the CLEF 2008 campaign were presented at a two-and-a-half day workshop held in Aarhus, Denmark, 17-19 September, immediately following the twelfth European Conference on Digital Libraries (ECDL 2008).

The objective of the Cross Language guages to the implementation of com- CLEF 2008 Tracks Evaluation Forum is to promote plete multilingual multimedia search CLEF 2008 offered seven tracks research in the field of multilingual sys- services. The aim is to stimulate the designed to evaluate the performance of tem development. This is done through development of next generation multi- systems for: the organisation of annual evaluation lingual IR systems. • multilingual textual document campaigns offering tasks designed to retrieval (Ad Hoc) test different aspects of mono- and This year 100 groups, mainly but not • mono- and cross-language informa- cross-language information retrieval only from academia, participated in the tion on structured scientific data systems. The intention is to encourage campaign. Most of the groups were (Domain-Specific) experimentation with all kinds of multi- from Europe but there was also a good • interactive cross-language retrieval lingual information access – from the contingent from North America and (iCLEF) development of systems for monolin- Asia plus a few participants from South • multiple language question answering gual retrieval operating on many lan- America and Africa. (QA@CLEF)

ERCIM NEWS 75 October 2008 61 Events

CLEF 2008 final session.

• cross-language retrieval in image col- • Hamshahri Persian newspaper corpus system developers. The schedule was lections (ImageCLEF) • Library catalog records belonging to divided between plenary track over- • multilingual retrieval of Web docu- The European Library and derived views, plus parallel, poster and breakout ments (WebCLEF) from the archives of the British sessions. There were several invited • cross-language geographical informa- Library, the Austrian National Library talks. Noriko Kando, National Institute of tion retrieval (GeoCLEF) and the Bibliothèque Nationale de Informatics Tokyo, reported on the activ- France ities of NTCIR-7 (NTCIR is an evalua- Two new tracks were offered as pilot • English/German and Russian social tion initiative focussed on testing IR sys- tasks: science data tems for Asian languages), while John • cross-language video retrieval • The ImageCLEF track used collec- Tait of the Information Retrieval Facility, (VideoCLEF) tions for both general photographic Vienna, presented a proposal for an Intel- • multilingual information filtering and medical image retrieval: lectual Property track which would focus (INFILE@CLEF) - IAPR TC-12 photo database; INEX on cross-language retrieval of legal Wikipedia image collection patents in CLEF 2009. In addition, MorphoChallenge 2008, an - ARRS Goldminer database of radi- activity of the EU Network of Excel- ographs; IRMA collection for med- The presentations given at the CLEF lence Pascal, was organized in collabo- ical image annotation Workshops and detailed reports on the ration with CLEF. • Dutch and English documentary tele- experiments of CLEF 2008 and previ- vision programs provided by Sound & ous years can be found on the CLEF Test Collections Vision, The Netherlands website. The preliminary agenda for Most of the tracks adopt a corpus-based • Agence France Press (AFP) compara- CLEF 2009 will be available from mid- automatic scoring method for the ble newswire stories in Arabic, French November. assessment of system performance. The and English. test collections consist of sets of state- CLEF and Treble-CLEF ments representing information needs Diverse sets of topics or queries were CLEF 2008 is organized under the aus- known as topics (queries) and collec- prepared in many languages according pices of TrebleCLEF, a Coordination tions of documents (corpora). System to the needs of the various tracks. At the Action of the Seventh Framework Pro- performance is evaluated by judging the end of the campaign, the result is a num- gramme Over the years, CLEF has done documents retrieved in response to a ber of valuable and reusable test collec- much to promote the development of topic with respect to their relevance (rel- tions. multilingual IR systems. However, the evance assessment) and computing focus has been on building and testing recall and precision measures. Workshop research prototypes rather than develop- The Workshop plays an important role ing fully operational systems. Treble- A number of document collections were by providing the opportunity for all the CLEF is building on and extending the used to build the test collections for groups that have participated in the eval- results achieved by CLEF. The objective CLEF2008: uation campaign to get together compar- is to support the development and con- • CLEF multilingual corpus of more ing approaches and exchanging ideas. It solidation of expertise in the multidisci- than 3 million news documents in 14 was held in Aarhus, Denmark, this year plinary research area of multilingual European languages and was attended by 150 researchers and information access and to promote a dis-

62 ERCIM NEWS 75 October 2008 semination action in the relevant appli- with the possibility to identify the most the Summer School will be on "How to cation communities. appropriate technology. For this pur- build effective MLIA systems and How posem a series of best practice work- to evaluate them". Treble-CLEF thus has three main goals: shops are being organised: • to promote high standards of evalua- More information on the activities of tion in MLIA systems using three • Workshop on Best Practices for the TrebleCLEF can be found on the Web approaches: test collections; user Development of Multilingual Infor- site. evaluation; and log file analysis mation Access Systems, Segovia, • to sustain an evaluation community Spain, June 2008 by providing high quality access to • Workshop on Best Practices for Sys- past evaluation results tem Developers: Bringing Multilin- Links: • to disseminate knowhow, tools, gual Information Access to Opera- CLEF: http://www.clef-campaign.org resources and best practice guidelines, tional Systems, Winterthur, Switzer- NTCIR: http://research.nii.ac.jp/ntcir/ enabling DL creators to make content land, October 2008 TrebleCLEF: http://www.trebleclef/eu and knowledge accessible, usable and • Workshop on Best Practices in Query IRF: http://www.ir-facility.org/ exploitable over time, over media and Log Analysis, Spring 2009. over language boundaries. Please contact: A Summer School on Multilingual Carol Peters The aim will be to provide applications Information Access is also being organ- ISTI-CNR, Italy that need multilingual search solutions ised for June 2009 in Pisa. The focus of E-mail: [email protected]

First ERCIM Workshop "Computing and Statistics" by Erricos Kontoghiorghes

The first workshop of the ERCIM Working Group on Computing and Statistics was hosted by the Department of Computer Science at the University of Neuchatel, Switzerland, 20-22 June 2008.

The workshop was organized jointly "The FINRISK (Swiss National Centre computing are considered. Applications with the 5th International Workshop on of Competence in Research "Financial of computational statistics in diverse dis- Parallel Matrix Algorithms and Applica- Valuation and Risk Management") Lec- ciplines will be strongly represented. tions (PMAA'08) and the 2nd Interna- ture: Iterative smoothing algorithms and These areas include economics, medicine tional Conference on Computational their application in finance"; and Her- and epidemiology, biology, finance, and Financial Econometrics. All three man Van Dijk, Erasmus University Rot- physics, chemistry, climatology and workshops were founded within the terdam, The Netherlands presented "The communication. The aimof the WG is framework of the ERCIM Working CSDA (Computational Statistics and twofold: first, to consolidate the research Group and were organized by its mem- Data Analysis) Lecture: Possibly ill- in computational statistics that is scat- bers. PMAA'08, which was sponsored behaved posteriors in econometric mod- tered throughout Europe; second to pro- by the ERCIM WG, was organized in els: On the connection between model vide researches with a network from honour of Bernard Philippe (IRISA, structures, non-elliptical credible sets which they can obtain an unrivalled Rennes, France), cofounder of the previ- and neural network Simulation" source of information about the most ous WG on Matrix Computations and recent developments in computational Statistics. PMAA'08 had four plenary The workshop also provided an occa- statistics and applications. talks, more than eighty sessions with sion to discuss the activities of the some 380 presentations, and over 400 Working Group, enhance network activ- ERCIM Working Groups are open to participants. ities among its members, and consider any researcher in the specific scientific future research collaboration within field. Scientists interested in participa- Plenary talks were given by Bernard European projects. The next ERCIM tion should contact the WG coordinator. Philippe, INRIA-IRISA, Rennes, France Working Group meeting will take place on "A parallel GMRES method precon- in Cyprus in October 2009. Links: ditioned by a Multiplicative Schwarz http://www.dcs.bbk.ac.uk/ercim08/ iteration. Michael W. Berry fom the The ERCIM Working Group "Comput- http://www.dcs.bbk.ac.uk/ercim/ University of Tennessee, Knoxville, ing and Statistics focuses on all computa- USA, gave a presentation entitled: tional aspects of statistics. Of particular Please contact: "Exploiting nonnegativity in matrix and interest is research in important statistical Erricos Kontoghiorghes tensor factorizations to improve topic applications areas where both computing ERCIM Computing and Statistics WG detection and tracking in text mining". techniques and numerical methods have coordinator, University of London Oliver Linton, London School of Eco- a major impact. All aspects of statistics E-mail: nomics and Political Science, UK gave which make use, directly or indirectly, of [email protected]

ERCIM NEWS 75 October 2008 63 Events

ERCIM/W3C at "Internet of Things – Internet of the Future" in Nice

ERCIM/W3C participated in the conference 'Internet of Things – Internet of the Future', which took place in Nice on 6-7 October. More than 800 delegates attended this French European Union Presidency Conference, which was comple- mented by an exhibition. ERCIM was a sponsor and had a booth and a speaker: Alois Ferscha of the University of Call for Papers Vienna (AARIT) gave a talk in the session 'Architectural issues of the Internet of things'. W3C gave its support to the HCI International 2009 – conference and Philipp Hoschka, W3C Europe Deputy Direc- tor, participated in the round table on 'Applications and serv- 13th International ices of the mobile Internet' by presenting the 'Web of Things' within the scope of the European MobiWeb2.0 project. These Conference on Human- activities led to fruitful contacts, in particular with the RFID community. Computer Interaction

San Diego, USA, 19-24 July 2009

HCI International 2009, jointly with the affiliated Confer- ences, which are held under one management and one Reg- istration, invite you to San Diego, California, USA, to par- ticipate and contribute to the international forum for the dis- semination and exchange of up-to-date scientific informa- tion on theoretical, generic and applied areas of HCI through the following modes of communication: Plenary / Keynote Presentation(s), Parallel Sessions, Poster Sessions, Tutorials and Exhibition. The Conference will start with three days of Tutorials. Parallel Sessions, Poster Sessions and the Exhibi- ERCIM booth at the conference. tion will be held during the last three days of the Conference.

Deadlines for abstract receipt European ministers in charge of the digital economy also Papers: 20 October 2008 gathered in Nice for the first European ministerial meeting Posters: 23 February 2009 dedicated to the future Internet. The focus was on the Tutorials: 20 October 2008 deployment of ultra-high broadband networks, on the cre- ation of new services, and on trust, security and governance Proceedings of the Internet. The results will be presented at the EU Tele- The HCI International 2009 Conference Proceedings, com- com Council on 27 November 2008. prising the papers to be presented at the Conference, will be published by Springer in a multi-volume set in the LNCS According to the French Secretary of State for the Develop- and LNAI series. They will be available on–line through the ment of Digital Economy, "Europe possesses enough key LNCS Digital Library, readily accessible by all subscribing assets to become a leader on technologies and services of the libraries around the world. All Conference participants will future Internet. Indeed, Europe benefits from both a strong receive in their registration bags the Conference Proceedings unified market for mobile telecommunications and a world- published by Springer in DVD format. This DVD will also unique cultural and geographical legacy. Combined together, include, in addition to the papers, the extended abstracts of these resources may trigger Internet-related jobs and services the posters that will be presented during the Conference. As in Europe. However, Civil Liberties and Privacy protection the DVD will have its own separate ISBN number, posters will have to be taken into account so that the future Internet can also be easily referenced. can harmoniously coexist with EU citizens' principles and val- ues. Networks security and stability have also become a major More information: concern for companies and governments. Today, these issues http://www.hcii2009.org require an enhanced international cooperation."

More information: http://www.internet2008.fr/

64 ERCIM NEWS 75 October 2008 over, every phase of the software development process needs to be enriched with the phase-specific resilience means. W3C Workshop SERENE workshop will focus on topics including: • formal and semi-formal modelling of resilience properties on Semantic Web • re-engineering for resilience • software development processes for resilience in Energy Industries • requirement engineering processes for resilience • model Driven Engineering of resilient systems Houston, Texas, USA, 9-10 December 2008 • verification and validation of resilient systems • error and fault handling in the software life-cycle W3C is organizing a Workshop on Semantic Web in Energy • resilience through exception handling in the software life- Industries; Part I: Oil & Gas. The high level goal of this cycle workshop is to gather and share possible use cases and/or • frameworks and design patterns for resilience case studies for Semantic Web in the O&G industry in order • software architectures for resilience to understand the business drivers and benefits of using • component-based development and resilience Semantic Web in that particular area of industry. Participants • system structuring for resilience will explore how Semantic Web technologies can play a role • atomic actions in the management and analysis of the huge amounts of data • dynamic resilience mechanisms gathered from highly diverse sources in this sector of the • resilience prediction energy industry. • resilience metadata • reasoning and adaptation services for improving and More information: ensuring resilience http://www.w3.org/2008/07/ogws-cfp • intelligent and adaptive approaches to engineering resilient systems • engineering of self-healing autonomic systems • dynamic reconfiguration for resilience ERCIM Working Group Event • run-time management of resilience requirements SERENE '08 • CASE tools for developing resilient systems. More information: International Workshop http://serene2008.uni.lu/ on Software Engineering for Resilient Systems

Newcastle upon Tyne, 17-19 November 2008

The SERENE 2008 workshop, held in cooperation with ACM SIGSOFT, is an international forum for researchers and practitioners interested in the advances in Software Engineering for Resilient Systems. SERENE 2008 views W3C Workshop resilient systems as open distributed systems that have capa- bilities to dynamically adapt, in a predictable way, to unex- on Security for Access to pected and harmful events, including faults and errors. Engi- neering such systems is a challenging issue which needs Device APIs from the Web urgent attention from and combined efforts by people work- ing in various domains. Achieving this objective is a very London, UK, 10-11 December 2008 complex task, since it implies reasoning explicitly and in a consistent way about systems functional and non-functional W3C invites people to participate in a Workshop on Security characteristics. for Access to Device APIs from the Web to be hosted by Vodafone in London (UK) on 10-11 December 2008. The SERENE advocates the idea that resilience should be explic- goal of this workshop is to bring together people from a wide itly included into traditional software engineering theories variety of backgrounds (API designers, security experts, and practices and should become an integral part of all steps usability experts, etc.) to discuss the security challenges of software development. As current software engineering involved in allowing Web applications and widgets to access practices tend to either capture only normal behaviour, or to the APIs that allow to control these features (e.g., cameras, deal with all abnormal situations only at the late develop- gps, address books, etc.). ment phases, new software engineering methods and tools need to be developed to support explicit handling of abnor- More information: mal situations through the whole software life cycle. More- http://www.w3.org/2008/security-ws/

ERCIM NEWS 75 October 2008 65 In Brief

Three Researchers from INRIA European Technology Platforms Receive ERC Advanced Grants Evaluated

The European Research Council awarded three INRIA European Science and Research Commissioner Janez researchers in the "Advanced Grant" category in the Potočnik has welcomed the results of a recent evaluation of domains of physical sciences and engineering: Serge Abite- the 34 European Technology Platforms (ETPs). At a meet- boul and Olivier Faugeras, research directors at INRIA, and ing of industrial leaders of European Technology Platforms Rémi Abgrall, professor at the University of Bordeaux I, on 30 September, Commissioner Potočnik praised the seconded to INRIA. ETPs, calling them 'unique and exceptional', and welcomed the results of the survey as overwhelmingly positive. Serge Abiteboul was awarded for the WebDam (Founda- tions of Web Data Management) project. The project aims European Technology Platforms were introduced in 2002 as to develop a formal and universal framework for describing a way of bringing together basic research and industry to Web applications that involve complex and flexible interac- produce 'a long-term strategic plan for research and devel- tions. This framework should also serve as a basis for future opment of specific technologies with a significant economic Web developments, especially data management software. and societal impact'. They now cover 34 diverse research areas, including road transport, space technology, wind The ADDECCO (Adaptive Schemes for Deterministic and energy, hydrogen and fuel cell technology, nanotechnolo- Stochastic Flow Problems) project of Rémi Abgrall, a spe- gies for medical applications, robotics and water supply and cialist in scientific computation, deals with new, increas- sanitation technology, to name a few. ingly less costly mathematical methods for building numer- ical models of fluid dynamics that are increasingly more The evaluation was carried out at the request of the Euro- reliable. Rémi Abgrall is a professor at the University of pean Commission. Its main objectives were to map the Bordeaux I, seconded to the Bordeaux - Sud Ouest INRIA functioning, concept development and objectives of the research center. ETPs; list and analyse their output, results and impact; iden- tify successes, limiting factors and best practices; and for- The NERVI project of Olivier Faugeras, world-renowned mulate recommendations for the future. The report made 18 specialist in computer assisted vision, consists of develop- targeted recommendations to policymakers and ETPs, and ing a formal framework for describing and understanding 12 concluding points. The evaluation recommended that EU complex visual information handling processes in man or and national policymakers 'clearly and unambiguously con- machines. Olivier Faugeras is a research director at the tinue to support the ETP concept', promoting them more Sophia Antipolis - Méditerranée INRIA research center. forcefully on the political level.

Each ERC grant constitutes a subsidy over a maximum However, the evaluation also highlights the failure of the period of five years that may amount to more than € 2 mil- ETPs to make research results more easily translatable into lion to carry out a large-scale project. This amount allows new products and services. To remedy the situation, the the researcher receiving the grant to enjoy stable financial evaluation recommends that ETPs "move beyond scientific and intellectual conditions to bring such a project to and technological challenges" and instead start focusing on fruition. the application of research results. Those platforms which are more advanced and have already developed their SRAs The ERC announced the first successful candidates in the should focus on "the regulations and standards that affect Advanced Grants competition in the domain Physical Sci- the commercialisation of research". In addition, the evalua- ences and Engineering (PE) in August. The first call for tion concludes that the platforms have "underachieved" Advanced Grant proposals was announced at the end of last regarding the identification of future education and training year with deadlines throughout the first half of 2008. The 28 needs and recommends the introduction of more initiatives February deadline for the PE domain generated 997 appli- in this field in the near future. cations. The peer review process in this domain ran from March to June and involved ten evaluation panels, which The main conclusions of the evaluation were that, generally have selected 105 Advanced Grants candidates. speaking, all ETP stakeholders are fairly satisfied (score of 3.5 out of 5). Commissioner Potočnik concluded by saying, Scientists from ERCIM member institutes in Austria 'Over 90% of the nearly 950 respondents to the evaluators' (Vienna University of Technology, University of Vienna), survey of your members and stakeholders said that they Belgium (Université catholique de Louvain), Denmark would, given their experience of ETPs' involvement so far, (Aarhus University), Switzerland (ETHZ, EPFL, Université gladly renew their membership. de Genève) have also been awarded. Source: CORDIS, euractiv.com. More information: A list of the first 105 winners in the PE domain: Links: http://erc.europa.eu/pdf/AdG1_ListPE_2008-07-31final.pdf ETPs: http://cordis.europa.eu/technology-platforms/

Statistics on all proposals submitted to the first ERC The full evaluation report is available at: Advanced Grant competition: http://erc.europa.eu/pdf/ ftp://ftp.cordis.europa.eu/pub/technology-platforms/ PressRelease_ERC_AdG1_Statistics_1.pdf docs/evaluation-etps.pdf

66 ERCIM NEWS 75 October 2008 Changes in the Italian Delegates his academic, clinical on the ERCIM Board and industrial partners, he has developed The new member of the ERCIM Board of Directors for CNR groundbreaking multi- is Professor Francesco Beltrame, Director of the Department dimensional image for Information and Communications Technologies of the analysis and simulation Italian National Research Council. The Department is methods and image- responsible for the coordination of the scientific and techni- guided surgery proto- cal activities of all the CNR Institutes working in the ICT types. The purpose of sector. Professor Beltrame holds the Chair of BioEngineer- his research is to help ing at the University of Genoa and is President of the Scien- doctors improve diagno- tific and Technical Committee for Industrial Research of the sis and therapy. Italian Ministry of Education, University and Research. Dr

Fausto Rabitti, Head of the Networked Multimedia Informa- Created in 2006, the © INRIA / Photo C. Lebedinsky tion Systems Laboratory of ISTI-CNR, is the new member Microsoft Award is Nicolas Ayache of the Executive Committee. designed to recognise and reward scientists working in Europe who have made a major contribution to the advancement of science through the use of computational methods. This award of 250 000 euros is handed each year World Wide Web Foundation by the French Academy of Sciences and the Royal Society. It aims to support the future researches of the winner Tim Berners-Lee, inventor of the World Wide Web, unveiled http://royalsociety.org/news.asp?id=8010 on 14 September 2008 the World Wide Web Foundation, to http://www-sop.inria.fr/members/Nicholas.Ayache/ fulfill a vision of the Web as humanity connected by technol- ogy. The World Wide Web Foundation seeks to advance One Web that is free and open, to expand the Web's capability and robustness, and to extend the Web's benefits to all people on the planet. The Web Foundation brings together business New CWI spin-off MonetDB B.V. leaders, technology innovators, academia, government, To stimulate commercial applications and to disseminate sci- NGOs, and experts in many fields to tackle challenges that, entific research, CWI founded MonetDB B.V. This inde- like the Web, are global in scale. The launch of the World pendent company will market software products to enhance Wide Web Foundation was supported by the John S. and societal and economic impact of research results. MonetDB James L. Knight Foundation with a $5 million seed grant. http://www.webfoundation.org/

Nicholas Ayache wins the 2008 Microsoft Award

On 20 October in London, the Royal Society and the French Academy of Sciences give the Microsoft 2008 Award to Nicholas Ayache, a research director at INRIA. The honour rewards the outstanding work by this researcher, a pioneer in computational medical image analysis. Photo: Nan Tang, CWI.

Nicolas Ayache first thought of going to medical school MonetDB B.V. founders Peter Boncz, Dick Broekhuis (on behalf of before eventually deciding on a career in science. Through- CWI) and Martin Kersten. Not in the photograph are founders out his years of study, he never lost sight of medicine, taking Stefan Manegold, Sjoerd Mullender and Niels Nes. an interest in information technology's role in medical image data processing. With backing from former INRIA chairman Gilles Kahn, in 1989 he set up a first research project dedi- cated to medical applications. Today he leads one of the B.V. facilitates the efforts of scientific personnel and stimu- most important computational medical image analysis lates joint ventures in specific market segments. "A high tech teams. He has actively contributed to structuring this emerg- company, on the one hand close to research and on the other ing new discipline in France and internationally, in particu- at armslength from venture capitalists, is a very good base to lar by co-founding a journal, Medical Image Analysis, and facilitate technical innovation", Martin Kersten, founder and co-founding the first International Medical Image Comput- Director of MonetDB B.V. said. The company's primary task ing and Computer Assisted Intervention Conference (MIC- is to control, maintain and spread the open source database CAI). Nicolas Ayache has spearheaded many scientific inno- management system MonetDB. vations and breakthroughs. In particular, with his team and http://www.monetdb.com/

ERCIM NEWS 75 October 2008 67 ERCIM – the European Research Consortium for Informatics and Mathematics is an organisation dedicated to the advancement of European research and development, in information technology and applied mathematics. Its national member institutions aim to foster collaborative work within the European research community and to increase co-operation with European industry.

ERCIM is the European Host of the World Wide Web Consortium.

Austrian Association for Research in IT Irish Universities Association c/o Österreichische Computer Gesellschaft c/o School of Computing, Dublin City University Wollzeile 1-3, A-1010 Wien, Austria Glasnevin, Dublin 9, Ireland http://www.aarit.at/ http://ercim.computing.dcu.ie/

Norwegian University of Science and Technology Consiglio Nazionale delle Ricerche, ISTI-CNR Faculty of Information Technology, Mathematics and Area della Ricerca CNR di Pisa, Electrical Engineering, N 7491 Trondheim, Norway Via G. Moruzzi 1, 56124 Pisa, Italy http://www.ntnu.no/ http://www.isti.cnr.it/

Portuguese ERCIM Grouping Czech Research Consortium c/o INESC Porto, Campus da FEUP, for Informatics and Mathematics PEG Rua Dr. Roberto Frias, nº 378, FI MU, Botanicka 68a, CZ-602 00 Brno, Czech Republic 4200-465 Porto, Portugal http://www.utia.cas.cz/CRCIM/home.html   ÿ Polish Research Consortium for Informatics and Mathematics Wydział Matematyki, Informatyki i Mechaniki, Centrum Wiskunde & Informatica  Uniwersytetu Warszawskiego, ul. Banacha 2, 02-097 Warszawa, Poland Kruislaan 413, NL-1098 SJ Amsterdam, http://www.plercim.pl/ The Netherlands      http://www.cwi.nl/ Science and Technology Facilities Council, Rutherford Appleton Laboratory Danish Research Association for Informatics and Mathematics Harwell Science and Innovation Campus c/o Aalborg University, Chilton, Didcot, Oxfordshire OX11 0QX, United Kingdom Selma Lagerlöfs Vej 300, 9220 Aalborg East, Denmark http://www.scitech.ac.uk/ http://www.danaim.dk/ Spanish Research Consortium for Informatics and Mathematics c/o Esperanza Marcos, Rey Juan Carlos University, Fonds National de la Recherche C/ Tulipan s/n, 28933-Móstoles, Madrid, Spain, 6, rue Antoine de Saint-Exupéry, B.P. 1777 http://www.sparcim.org/ L-1017 Luxembourg-Kirchberg http://www.fnr.lu/

Swedish Institute of Computer Science FWO FNRS Box 1263, Egmontstraat 5 rue d'Egmont 5 SE-164 29 Kista, Sweden B-1000 Brussels, Belgium B-1000 Brussels, Belgium http://www.sics.se/ http://www.fwo.be/ http://www.fnrs.be/

Swiss Association for Research in Information Technology Foundation for Research and Technology – Hellas c/o Professor Daniel Thalmann, EPFL-VRlab, Institute of Computer Science CH-1015 Lausanne, Switzerland P.O. Box 1385, GR-71110 Heraklion, Crete, Greece http://www.sarit.ch/ http://www.ics.forth.gr/ FORTH

Fraunhofer ICT Group Magyar Tudományos Akadémia Friedrichstr. 60 Számítástechnikai és Automatizálási Kutató Intézet 10117 Berlin, Germany P.O. Box 63, H-1518 Budapest, Hungary http://www.iuk.fraunhofer.de/ http://www.sztaki.hu/

Institut National de Recherche en Informatique Technical Research Centre of Finland et en Automatique PO Box 1000 B.P. 105, F-78153 Le Chesnay, France FIN-02044 VTT, Finland http://www.inria.fr/ http://www.vtt.fi/

Order Form I wish to subscribe to the If you wish to subscribe to ERCIM News  printed edition  online edition (email required) free of charge or if you know of a colleague who would like to Name: receive regular copies of ERCIM News, please fill in this form and we Organisation/Company: will add you/them to the mailing list. Address: Send, fax or email this form to: ERCIM NEWS 2004 route des Lucioles BP 93 Postal Code: F-06902 Sophia Antipolis Cedex Fax: +33 4 9238 5011 City: E-mail: [email protected] Country

Data from this form will be held on a computer database. By giving your email address, you allow ERCIM to send you email E-mail:

You can also subscribe to ERCIM News and order back copies by filling out the form at the ERCIM Web site at http://ercim-news.ercim.org/