Study of Lustre and Scade for Safety Critical Systems
Presented By: Bharat Jain 09305029
Guided By: Prof Kavi Arya
Contents
- Introduction
- Safety Critical Systems
- Synchronous Languages
- Lustre: basics and constructs, compilation, verification
- Scade: basics and constructs, Scade tools
- Conclusion
- Implementation
Introduction
- Problems related to safety critical systems.
- Choice of programming language for a safety critical system.
- Why are conventional languages not used?
- A different class of language is required: synchronous languages.
Safety critical system
- Reactive systems (deterministic, time constrained, concurrent, reliable).
- A system whose failure leads to unacceptable consequences is a safety critical system.
- Correctness and completeness: no bugs.
- Ex: traffic signal system, aircraft.
Chronology
- Hardware implementation
- Assembly language
- Classical languages (C, PASCAL etc.)
- General purpose languages (ADA, Occam etc.)
- Synchronous languages like Lustre, Scade, Esterel, Signal, Argos etc.
Synchronous languages
- Synchrony hypothesis
- Multiform notion of time
- Global vision
Architecture of synchronous languages
- Interactive (I/O) interface: header files
- Reactive kernel: synchronous language programs
- Data management: host languages
(Figure: layered diagram showing the Interface, the Reactive Kernel and Data management.)
Lustre
- Developed by P. Caspi and N. Halbwachs.
- Synchronous, declarative, deterministic, functional, dataflow language.
- A program is a collection of nodes.
- Flow (stream, clock); cyclic execution.
- A node contains an interface and a body.
- Constants, variables.
- Operators:
  - Pointwise (arithmetic, relational etc.)
  - Temporal (pre, ->, current, when)
- Causality: equations with no unique, deterministic meaning are rejected, like x = not x (no solution) and x = x (non deterministic).
- Assertions: assert (boolean-exp)
Compilation
- Causality check (like x = not x; x = x etc.) and clock checking (due to clock inconsistencies).
- To generate sequential code, nodes are expanded; the result is called expanded code.
- A sequential automaton is generated and used as intermediate code, called object code.
- Translator to sequential code in host languages (C, ADA).
- Code generated in the host language is partial: there is no main program; the user has to write the main program.
- The main program contains: input procedure calls; output procedure calls.
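The shape of the compiler's partial code and of the user-written main program described above, as an added example in C. This is hand-written for this page, not output of the Lustre compiler or code from the slides; the Lustre node `counter` it mirrors, the sample input traces, and the choice to model `current` as 0 before its first sample are assumptions of the example.

```c
/* Added example (not from the slides, not Lustre compiler output): a hand-written
 * C rendering of what the compiler's partial code looks like for one node, plus
 * the main program the user has to supply. The Lustre node it mirrors is assumed:
 *
 *   node counter (reset, incr : bool) returns (n : int);
 *   let
 *     n = if reset then 0 else (0 -> pre n) + (if incr then 1 else 0);
 *   tel;
 *
 * Every `pre` becomes a memory cell, `->` becomes a "first reaction" flag, and
 * each reaction is one call of the step function: straight-line code, no loops. */
#include <stdbool.h>
#include <stdio.h>

typedef struct {
    bool first;   /* true until the first reaction has run: realises `e1 -> e2` */
    int  pre_n;   /* n from the previous reaction: realises `pre n` */
} counter_state;

void counter_init(counter_state *s) { s->first = true; s->pre_n = 0; }

/* One synchronous reaction of node counter. */
int counter_step(counter_state *s, bool reset, bool incr) {
    int prev = s->first ? 0 : s->pre_n;          /* 0 -> pre n */
    int n = reset ? 0 : prev + (incr ? 1 : 0);
    s->pre_n = n;                                /* memory for the next reaction */
    s->first = false;
    return n;
}

/* `current (x when tick)`: x is sampled only on reactions where tick is true and
 * current holds the last sample in between. Before the first sample the Lustre
 * value is nil; this example models it as 0 (an assumption). */
typedef struct { bool sampled; int held; } current_state;

void current_init(current_state *s) { s->sampled = false; s->held = 0; }

int current_when_step(current_state *s, int x, bool tick) {
    if (tick) { s->held = x; s->sampled = true; }
    return s->sampled ? s->held : 0;
}

/* Constructed input traces standing in for the device's input procedures. */
static const bool RESET_TRACE[] = { true, false, false, true, false };
static const bool INCR_TRACE[]  = { false, true, true, true, true };
static const int  X_TRACE[]     = { 1, 2, 3, 4 };
static const bool TICK_TRACE[]  = { true, false, true, false };

/* Output of counter at a given cycle, replaying the trace from initialisation. */
int counter_output_at(int cycle) {
    counter_state s; counter_init(&s);
    int n = 0;
    for (int i = 0; i <= cycle && i < 5; i++) n = counter_step(&s, RESET_TRACE[i], INCR_TRACE[i]);
    return n;
}

/* Output of current (x when tick) at a given cycle. */
int current_output_at(int cycle) {
    current_state s; current_init(&s);
    int v = 0;
    for (int i = 0; i <= cycle && i < 4; i++) v = current_when_step(&s, X_TRACE[i], TICK_TRACE[i]);
    return v;
}

/* --- user-written main program: input procedure, step, output procedure --- */
int main(void) {
    counter_state s; counter_init(&s);
    for (int cycle = 0; cycle < 5; cycle++) {                        /* real code loops forever */
        bool reset = RESET_TRACE[cycle], incr = INCR_TRACE[cycle];   /* input procedure */
        int n = counter_step(&s, reset, incr);                       /* one reaction */
        printf("cycle %d: n = %d\n", cycle, n);                      /* output procedure */
    }
    return 0;
}
```

On the constructed trace the counter produces 0, 1, 2, 0, 1 and the sampled stream produces 1, 1, 3, 3. The point to take from the layout is that the state struct holds exactly the memories the `pre` operators need, so the worst-case execution time of a reaction is fixed by the straight-line step function.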
Verification
- For checking the correctness of the system.
- Two kinds of properties: liveness properties and safety properties.
- Lustre can be used to describe properties of the system (liveness properties).
- Users can create their own temporal operators.
- Safety properties are described by a synchronous observer.
- The property is checked under an assumption.
- A synchronous observer is a program containing the program node, the safety properties and assertions.
- If the property is satisfied the output is yes, else no.
- The Lesar tool is used.
- Advantages of this specification technique.
(Figure: synchronous observer diagram.)
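A synchronous observer of the kind described above, as an added example written in C for this page (not code from the slides and not Lesar or its output). The node `motor`, its two variants, the assertion and the traces are assumptions of the example; it shows how a safety property checked under an assumption catches a temporal bug, the kind the Conclusion says this technique finds easily.

```c
/* Added example (not from the slides, not Lesar or its output): a synchronous
 * observer written by hand in C, as the slide describes it: the program node,
 * the safety property and the assertion run side by side on every cycle, and
 * the answer is yes or no. Two versions of an assumed node are checked; the
 * second has a temporal bug, reacting to `pre obstacle` instead of `obstacle`:
 *
 *   node motor (obstacle, go : bool) returns (run : bool);
 *   let run = go and not obstacle; tel;                  -- correct
 *   let run = go and not (false -> pre obstacle); tel;   -- one cycle late
 *
 *   node observer (obstacle, go : bool) returns (ok : bool);
 *   let
 *     assert (not obstacle -> true);     -- environment: no obstacle at start
 *     ok = not (motor(obstacle, go) and obstacle);
 *   tel;
 */
#include <stdbool.h>
#include <stdio.h>

typedef struct { bool first; bool pre_obstacle; } motor_state;

static void motor_init(motor_state *s) { s->first = true; s->pre_obstacle = false; }

/* Correct node: uses the obstacle reading of the current cycle. */
bool motor_correct_step(motor_state *s, bool obstacle, bool go) {
    s->pre_obstacle = obstacle; s->first = false;
    return go && !obstacle;
}

/* Buggy node: uses last cycle's reading, so it keeps running for one cycle
 * after an obstacle appears. */
bool motor_late_step(motor_state *s, bool obstacle, bool go) {
    bool stale = s->first ? false : s->pre_obstacle;   /* false -> pre obstacle */
    s->pre_obstacle = obstacle; s->first = false;
    return go && !stale;
}

typedef bool (*motor_step_fn)(motor_state *, bool, bool);

/* Runs the observer over a finite input trace. Returns -1 when the property
 * held on every cycle (the observer's "yes"), otherwise the index of the first
 * cycle where it failed (a counterexample). A cycle that violates the assertion
 * puts the trace outside the assumed environment, so checking stops there. */
int observe(motor_step_fn step, const bool *obstacle, const bool *go, int cycles) {
    motor_state s;
    motor_init(&s);
    for (int i = 0; i < cycles; i++) {
        bool assumption = (i == 0) ? !obstacle[0] : true;  /* not obstacle -> true */
        if (!assumption) return -1;
        bool run = step(&s, obstacle[i], go[i]);
        bool ok  = !(run && obstacle[i]);                  /* the safety property */
        if (!ok) return i;
    }
    return -1;
}

/* Constructed traces. */
static const bool T1_OBSTACLE[] = { false, false, true,  true  };
static const bool T1_GO[]       = { true,  true,  true,  true  };
static const bool T2_OBSTACLE[] = { true,  false, false, false };   /* breaks the assertion */

int check_correct_on_t1(void) { return observe(motor_correct_step, T1_OBSTACLE, T1_GO, 4); }
int check_late_on_t1(void)    { return observe(motor_late_step,    T1_OBSTACLE, T1_GO, 4); }
int check_late_on_t2(void)    { return observe(motor_late_step,    T2_OBSTACLE, T1_GO, 4); }

static void report(const char *label, int c) {
    if (c < 0) printf("%s: yes\n", label);
    else       printf("%s: no, counterexample at cycle %d\n", label, c);
}

int main(void) {
    report("correct node, trace 1", check_correct_on_t1());
    report("late node, trace 1", check_late_on_t1());
    report("late node, trace 2 (excluded by the assertion)", check_late_on_t2());
    return 0;
}
```

The late variant is reported with a counterexample at cycle 2, the first cycle in which the obstacle appears, while the correct variant passes. Note the difference from Lesar: this runs one trace, whereas the tool explores the state space and answers for all input sequences that satisfy the assertions.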
Reusability and tuple
- Nodes can be reused in other nodes, using include<node.lus>.
- Nodes having several outputs can be expressed in the form of a tuple.
SCADE (Safety Critical Application Development Environment)
- Commercial tool developed for designing safety critical systems, a product of Esterel Technologies.
- Used in various application areas like defense, transportation, energy etc.
- Commercial applications include Eurocopter, Airbus A380 etc.
- Integrated development environment. Scade tools are: Scade editor, Scade simulator, DV, KCG etc.
- It is a graphical, deterministic, dataflow, declarative language.
- Scade is based on the synchronous and dataflow model.
Operators in Scade:
- Pointwise (arithmetic, relational etc.)
- Temporal (followed by, pre, when etc.)
Scade contains some advanced features not present in Lustre.
- The user can also define their own operators by using a node or a function.
- Library operators from the different libraries in Scade. Ex: to use an operator like "Has never been true".
- Two computational parts:
  - Continuous control: computation on every cycle (numerical algorithms etc.), represented as data blocks.
  - Discrete control: computation only when a condition is satisfied (decision logic, modes etc.), represented as state machines.
Activation of operator
- An operator/node is activated only when needed.
- Ex:
  count = (activate counter every condition initial default (0))(reset, init, incr);
- Here the node is activated when the condition is satisfied.
Polymorphism
- Scade provides a facility for generic nodes, also called polymorphic nodes.
- The type is generalized.
- Ex:
  node sum (a, b : 'T) returns (c : 'T)
  let
    c = a + b;
  tel;
Design Verifier
- Tool used for verification of the system.
- To verify safety properties, which would otherwise have to be tested.
- Consists of a property node (the property to be satisfied) and an observer node (consisting of the property node and the main node).
- If a property fails, a counterexample is generated.
- Properties can be expressed in Scade itself.
KCG
- Also called qualified code generation.
- Scade to C code.
- The code generated is sequential and simple (no loops, jumps etc.).
- The code generator is qualified, hence there is no need to check its conversion.
- Deterministic behavior is guaranteed.
Conclusion
- Synchronous code is converted to efficient sequential code.
- The automatically generated code is a subset of C (no loops, no jumps).
- The execution time is always bounded, which makes the system deterministic and predictable.
- This makes the system easier to verify.
- Verification can be done easily by writing a synchronous observer in the same language: the specification is expressed in the same language as the program.
- Temporal bugs can be found easily.
Implementation of Lustre on FirebirdV
- Whiteline follower using Lustre.
- The Lustre code is translated into C code.
- This C code is partial: no main program.
- Main program: initialize device; input procedures; output procedures.
White line sensors
- Three whiteline sensors receive integer values. A value less than 40 means white line.
- LEFT_WHITELINE_VALUE, MIDDLE_WHITELINE_VALUE, RIGHT_WHITELINE_VALUE
Infrared Sensors
- Three infrared sensors take integer values as inputs (i.e. distance in mm).
- FRONT_IR, LEFT_IR, RIGHT_IR
Stepper motor
- Three types of movement are possible.
- Each takes a Boolean value: MOVE_FWD, MOVE_LEFT, MOVE_RIGHT
Code:
node firebird (FRONT_IR_VALUE : int) returns (LCD_DISPLAY_INT1 : int);
let
  LCD_DISPLAY_INT1 = FRONT_IR_VALUE;
tel;
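The whiteline follower as it would look once compiled to C and wrapped in the user-written main program, as an added example for this page. It is hand-written C, not the project's generated code: the follower node, the obstacle distance and the sample sensor frames are assumptions; the sensor and motor names and the threshold of 40 are the ones given on the slides.

```c
/* Added example (not from the slides and not the project's generated code): a
 * hand-written C rendering of an assumed Lustre node for the whiteline follower,
 * together with the main program the slides say the user must write (initialize
 * device, input procedures, step, output procedures). Sensor and motor names are
 * the slides' own; OBSTACLE_MM and the sample readings are constructed here.
 *
 *   node follower (LEFT_WHITELINE_VALUE, MIDDLE_WHITELINE_VALUE,
 *                  RIGHT_WHITELINE_VALUE, FRONT_IR : int)
 *         returns (MOVE_FWD, MOVE_LEFT, MOVE_RIGHT : bool);
 */
#include <stdbool.h>
#include <stdio.h>

#define WHITELINE_THRESHOLD 40   /* slides: a reading below 40 means white line */
#define OBSTACLE_MM         100  /* assumed: stop when FRONT_IR is closer than this */

typedef struct { bool move_fwd, move_left, move_right; } motor_cmd;   /* output tuple */

typedef struct { bool first; motor_cmd pre_cmd; } follower_state;

void follower_init(follower_state *s) {
    s->first = true;
    s->pre_cmd = (motor_cmd){ false, false, false };
}

/* One reaction. Exactly one command is true while the line is seen; if the line
 * is lost the previous command is repeated (`pre` on the output tuple); an
 * obstacle in front stops everything and has priority over the line. */
motor_cmd follower_step(follower_state *s, int left, int middle, int right, int front_ir) {
    bool l = left   < WHITELINE_THRESHOLD;
    bool m = middle < WHITELINE_THRESHOLD;
    bool r = right  < WHITELINE_THRESHOLD;
    motor_cmd cmd = { false, false, false };
    if (front_ir < OBSTACLE_MM) {
        /* stop: all three outputs stay false */
    } else if (m) {
        cmd.move_fwd = true;
    } else if (l) {
        cmd.move_left = true;
    } else if (r) {
        cmd.move_right = true;
    } else if (!s->first) {
        cmd = s->pre_cmd;        /* line lost: keep turning the way we were */
    }
    s->pre_cmd = cmd;
    s->first = false;
    return cmd;
}

/* The safety property an observer would state: never more than one command. */
bool at_most_one(motor_cmd c) {
    return (int)c.move_fwd + (int)c.move_left + (int)c.move_right <= 1;
}

/* Constructed sensor frames: {left, middle, right, front_ir}. */
static const int FRAMES[][4] = {
    { 60, 60, 60, 500 },   /* nothing seen yet: stay stopped */
    { 60, 30, 60, 500 },   /* line under middle sensor: forward */
    { 30, 60, 60, 500 },   /* line drifted left: turn left */
    { 60, 60, 60, 500 },   /* line lost: keep turning left */
    { 60, 30, 60,  50 },   /* obstacle 50 mm ahead: stop */
};
#define N_FRAMES (int)(sizeof FRAMES / sizeof FRAMES[0])

/* Output of the node at a given frame, replaying from initialisation. */
motor_cmd command_at(int frame) {
    follower_state s;
    follower_init(&s);
    motor_cmd cmd = { false, false, false };
    for (int i = 0; i <= frame && i < N_FRAMES; i++)
        cmd = follower_step(&s, FRAMES[i][0], FRAMES[i][1], FRAMES[i][2], FRAMES[i][3]);
    return cmd;
}

/* --- user-written main: initialize device, read inputs, step, drive motors --- */
static void init_device(void) { printf("device initialised\n"); }
static void drive(motor_cmd c) {
    printf("MOVE_FWD=%d MOVE_LEFT=%d MOVE_RIGHT=%d\n", c.move_fwd, c.move_left, c.move_right);
}

int main(void) {
    follower_state s;
    init_device();
    follower_init(&s);
    for (int i = 0; i < N_FRAMES; i++)          /* on the robot this loops forever */
        drive(follower_step(&s, FRAMES[i][0], FRAMES[i][1], FRAMES[i][2], FRAMES[i][3]));
    return 0;
}
```

Replaying the frames gives stop, forward, left, left (held across the lost line), stop (obstacle). The `at_most_one` check is the kind of property the Design Verifier slide talks about; here it is simply evaluated on the outputs of each reaction.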
Thank You