Whitepaper A timing annex for the AADL

AADL Meeting at SAE AeroTech
Montréal, September 26th., 2013
Loïc Besnard, CNRS
Thierry Gautier, Paul Le Guernic, Jean-Pierre Talpin, INRIA
Contributions and discussions with Peter, Oleg, Jérôme, Etienne, Franck, Pierre
RECAP
•  Goal of the proposal ✔
•  State of the art and background ✔
•  A model of time and clock automata ✔
•  Synchrony as a timing annex (this part)
•  Workplan ✔
The behavioral annex as a foundation
A refinement of the variables, states and transitions of the BA with:
•  Compound events (made of events, states, transitions, …)
•  Constraints (state-less or full) and/or guarded actions
Example: the sender [AADL BA, Sec. D.4]
The behavioral annex as a foundation
•  Events
•  States
•  Transitions
Compound events
Compound events give coarser transitions and fewer states:
trigger ::= on event | in state | at transition
          | trigger and trigger | trigger or trigger | trigger andnot trigger
[Figure: the sender automaton, states ST and SF; transitions labelled a(1), a(0), timeout/d(1) and timeout/d(0)]
a(1) is a compound event meaning, synchronously (i.e. in the same transition):
1. dispatch a
2. read a
3. value equals 1
Constraints and refinement
A constraint section to define compound events and triggers:
annex timing_specification {** constraints … **};
A refinement directive to specialize the automaton:
sender.v3 refines sender.v2
[Figure: the refined sender automaton, states ST and SF; transitions labelled t1: a(1), t0: a(0), fto: timeout/d(1) and fto: timeout/d(0)]
Guarded actions
Guard transitions with labels:
l0: st –[on fto]-> sf
Attach actions to labels:
on l0 {d!(1)}
[Figure: the sender automaton, states ST and SF; transitions labelled t1: a(1), t0: a(0), fto: timeout/l0: d(1) and fto: timeout/l1: d(0)]
Constraints as abstractions of actions
The action attached to label l0,
on l0 {d!(1)}
implements the constraint
d=1 iff on fto and in st
[Figure: the same sender automaton, states ST and SF; transitions labelled t1: a(1), t0: a(0), fto: timeout/l0: d(1) and fto: timeout/l1: d(0)]
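The compound-event grammar, the guarded transitions l0/l1 and the constraint "d=1 iff on fto and in st" of the preceding slides, as an added worked example (this is illustrative code written for this page, not the AADL behavioral annex, the annex proposal or the Polychrony implementation). It assumes the sender has states ST and SF, that a(1)/a(0) are the compound events "dispatch a, read a, value equals 1/0" in one reaction, that fto stands for `on timeout`, that l0: ST -[on fto]-> SF emits d!(1) and l1: SF -[on fto]-> ST emits d!(0), and that a(1) leads to ST and a(0) to SF from either state; the edge structure is read off the figure labels and is an assumption. A reaction in which more than one transition is enabled is rejected as non-deterministic, which is the check a synchronous interpretation needs before code generation.

```python
"""Synchronous automaton with compound-event triggers and guarded actions (sender).

Added example; not the AADL behavioral annex or the annex proposal's implementation.
Assumed: states ST, SF; a(1)/a(0) = "dispatch a, read a, value equals 1/0" in one
reaction; fto = `on timeout`; l0: ST -[on fto]-> SF with d!(1); l1: SF -[on fto]-> ST
with d!(0); a(1) leads to ST and a(0) to SF from either state.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Instant = Dict[str, object]   # events dispatched in one reaction, with the value read


@dataclass(frozen=True)
class On:                     # on event [value]
    event: str
    value: object = None

@dataclass(frozen=True)
class In:                     # in state
    state: str

@dataclass(frozen=True)
class Bin:                    # trigger and/or/andnot trigger
    op: str
    left: object
    right: object


def holds(trig, instant: Instant, state: str) -> bool:
    """Evaluate a compound trigger against one instant and the current state."""
    if isinstance(trig, On):
        return trig.event in instant and (trig.value is None or instant[trig.event] == trig.value)
    if isinstance(trig, In):
        return state == trig.state
    if isinstance(trig, Bin):
        l, r = holds(trig.left, instant, state), holds(trig.right, instant, state)
        return {"and": l and r, "or": l or r, "andnot": l and not r}[trig.op]
    raise TypeError(trig)


@dataclass(frozen=True)
class Transition:
    label: str
    src: Optional[str]        # None: enabled in any state
    trigger: object
    dst: str
    action: Tuple[Tuple[str, object], ...] = ()   # outputs emitted as (port, value)

FTO = On("timeout")
SENDER = [
    Transition("t1", None, On("a", 1), "ST"),
    Transition("t0", None, On("a", 0), "SF"),
    Transition("l0", "ST", FTO, "SF", (("d", 1),)),
    Transition("l1", "SF", FTO, "ST", (("d", 0),)),
]
# Same automaton with the guarded actions swapped: it violates the constraint below.
BROKEN = SENDER[:2] + [Transition("l0", "ST", FTO, "SF", (("d", 0),)),
                       Transition("l1", "SF", FTO, "ST", (("d", 1),))]


def step(automaton, state: str, instant: Instant):
    """One reaction: at most one transition may fire (synchronous determinism)."""
    enabled = [t for t in automaton if t.src in (None, state) and holds(t.trigger, instant, state)]
    if len(enabled) > 1:
        raise RuntimeError(f"non-deterministic reaction in {state}: {[t.label for t in enabled]}")
    if not enabled:
        return state, {}, None
    t = enabled[0]
    return t.dst, dict(t.action), t.label


def run(automaton, initial: str, trace: List[Instant]):
    """Return, per instant, (state before the reaction, label fired or None, outputs)."""
    state, log = initial, []
    for instant in trace:
        nxt, out, label = step(automaton, state, instant)
        log.append((state, label, out))
        state = nxt
    return log


def satisfies_abstraction(log, trace) -> bool:
    """Constraint `d=1 iff on fto and in st`, checked on every reaction of a run."""
    return all((out.get("d") == 1) == holds(Bin("and", FTO, In("ST")), inst, st)
               for (st, _, out), inst in zip(log, trace))

# Constructed input trace (not from the page): a(1), a(0), two timeouts, an empty instant.
TRACE = [{"a": 1}, {"a": 0}, {"timeout": True}, {"timeout": True}, {}]

def demo():
    return run(SENDER, "ST", TRACE)

def demo_checks():
    return (satisfies_abstraction(run(SENDER, "ST", TRACE), TRACE),
            satisfies_abstraction(run(BROKEN, "ST", TRACE), TRACE))
```

Running `demo()` gives the states ST, ST, SF, ST, SF before each reaction, with d=0 emitted on the first timeout (taken in SF) and d=1 on the second (taken in ST); `demo_checks()` returns (True, False), i.e. the guarded actions of SENDER implement the constraint and the swapped version does not. The constraint is checked against the run without knowing which label fired, which is what makes it an abstraction of the action.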
From automata …
An automaton describes operational behavior: accept a and b
T1: S1 –[on dispatch a]-> S2
T2: S2 –[on dispatch b]-> S1
We want to refine it to alternate a and b.
[Figure: two-state automaton, states S1 and S2; transitions T1: a and T2: b, with further edges labelled a and b]
… to constraints
The automaton describes operational behavior: alternate a and b
T1: S1 –[on dispatch a]-> S2
T2: S2 –[on dispatch b]-> S1
The constraint describes the requirement:
never a and b
[Figure: two-state automaton, states S1 and S2; transitions T1: a and T2: b, with further edges labelled a and b]
Constraints and guarded actions
The constraint specifies the intended behavior: alternate a and b
forever (a andnot b); (b andnot a)
i.e. S1 –[on dispatch a andnot b]-> S2; S2 –[on dispatch b andnot a]-> S1
The action describes the operation:
on b { c! }
[Figure: two-state automaton, states S1 and S2; transitions T1: a and T2: b/c]
Constraint refinement
The constraint specifies the intended behavior: alternate a and b
forever (a andnot b); (b andnot a)
forever (b andnot a) and c
The action complies with the specification:
on b { c! }
[Figure: two-state automaton, states S1 and S2; transitions T1: a and T2: b/c]
Applicability to real-time constraints
The constraint specifies the requirement: send post 60 ms (sixty ticks of the ms clock) after pre
forever pre; ms[60]; post(x)
[Figure: two-state automaton, states S1 and S2; transitions labelled pre, ms[60] and post(x)]
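The constraints of the last four slides (alternation, `never a and b`, the refinement that adds c, and the timed `forever pre; ms[60]; post(x)`) checked over synchronous traces, as an added worked example (illustrative code written for this page, not the Polychrony or AADL annex implementation). A trace is a list of instants, each the set of events present in that reaction. Assumptions: the `ms[n]` atom is modelled as n consecutive instants of the ms clock, whatever events they carry; the refined constraint is read as requiring c in the same instant as b, i.e. `forever (a andnot b); ((b andnot a) and c)`; trigger formulas are parenthesis-free and evaluated left to right without precedence. `forever` accepts a finite trace when it is a prefix of the repeated pattern, which is the only sensible question to ask of a log that stops somewhere.

```python
"""Constraints as regular expressions over synchronous traces: forever, never,
event formulas (a andnot b) and clock ticks (ms[60]).

Added example; not the Polychrony or AADL annex implementation. A trace is a list
of instants, each the set of events present in that reaction. Assumption: ms[n] is
modelled as n consecutive instants of the ms clock, whatever events they carry.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Instant = FrozenSet[str]
Trace = List[Instant]

OPS = {"and": lambda l, r: l and r, "andnot": lambda l, r: l and not r, "or": lambda l, r: l or r}

def parse_trigger(text: str) -> Callable[[Instant], bool]:
    """Compile `e1 op e2 op e3 ...` (ops: and, andnot, or), evaluated left to right
    without precedence or parentheses (simplification), to a predicate on one instant."""
    toks = text.split()
    if len(toks) % 2 == 0:
        raise ValueError(f"malformed trigger: {text!r}")
    pred = lambda ev, n=toks[0]: n in ev
    for op, name in zip(toks[1::2], toks[2::2]):
        pred = lambda ev, l=pred, f=OPS[op], n=name: f(l(ev), n in ev)
    return pred

@dataclass(frozen=True)
class Ev:        # one instant satisfying a trigger formula
    formula: str

@dataclass(frozen=True)
class Ms:        # ms[n]: n ticks of the ms clock
    ticks: int

@dataclass(frozen=True)
class Seq:       # p; q; ...
    parts: Tuple[object, ...]

def ends(expr, trace: Trace, i: int) -> Tuple[Set[int], bool]:
    """Positions where a match of expr starting at i may end, and whether some
    match ran past the end of the finite trace (the trace is then a strict prefix)."""
    n = len(trace)
    if isinstance(expr, Ev):
        if i >= n:
            return set(), True
        return ({i + 1} if parse_trigger(expr.formula)(trace[i]) else set()), False
    if isinstance(expr, Ms):
        return (set(), True) if i + expr.ticks > n else ({i + expr.ticks}, False)
    if isinstance(expr, Seq):
        positions, ran_out = {i}, False
        for part in expr.parts:
            nxt: Set[int] = set()
            for p in positions:
                s, r = ends(part, trace, p)
                nxt |= s
                ran_out |= r
            positions = nxt
        return positions, ran_out
    raise TypeError(expr)

def forever(expr, trace: Trace) -> bool:
    """The finite trace is a prefix of expr*: expr repeats, a trailing partial match is fine."""
    n, frontier, seen = len(trace), {0}, set()
    while frontier:
        i = frontier.pop()
        if i == n:
            return True
        if i in seen:
            continue
        seen.add(i)
        s, ran_out = ends(expr, trace, i)
        if ran_out:
            return True
        frontier |= s
    return False

def never(formula: str, trace: Trace) -> bool:
    pred = parse_trigger(formula)
    return not any(pred(ev) for ev in trace)

def inst(*events: str) -> Instant:
    return frozenset(events)

ALTERNATE = Seq((Ev("a andnot b"), Ev("b andnot a")))          # forever (a andnot b); (b andnot a)
ALTERNATE_C = Seq((Ev("a andnot b"), Ev("b andnot a and c")))  # refined by the action on b { c! }
TIMED = Seq((Ev("pre"), Ms(60), Ev("post")))                   # forever pre; ms[60]; post(x)

def check_examples() -> Dict[str, bool]:
    # Constructed traces (not from the page).
    spec = [inst("a"), inst("b"), inst("a")]                        # alternation, no c
    impl = [inst("a"), inst("b", "c"), inst("a"), inst("b", "c")]   # the action emits c with b
    clash = [inst("a"), inst("a", "b")]                             # a and b in one instant
    timed_ok = ([inst("pre")] + [inst()] * 60 + [inst("post")]) * 2
    timed_late = [inst("pre")] + [inst()] * 61 + [inst("post")]
    return {
        "spec alternates": forever(ALTERNATE, spec),        # True
        "impl alternates": forever(ALTERNATE, impl),        # True: refinement keeps the abstract constraint
        "spec refined": forever(ALTERNATE_C, spec),         # False: no c with b
        "impl refined": forever(ALTERNATE_C, impl),         # True
        "clash never a and b": never("a and b", clash),     # False
        "clash alternates": forever(ALTERNATE, clash),      # False
        "post on time": forever(TIMED, timed_ok),           # True
        "post late": forever(TIMED, timed_late),            # False
    }
```

The interesting entries are "impl alternates" and "spec refined": a trace produced by the action `on b { c! }` still satisfies the abstract alternation constraint, while a trace that only alternates does not satisfy the refined one, which is the direction refinement must have. Note the limitation of modelling `ms[60]` as sixty bare ticks: a post emitted early, inside the window, is not flagged unless the window atom also excludes post; only a late or missing post fails.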
Conclusions
A synchronous timing annex
Constraints over events, states and transitions
Guarded actions and regular expressions
The behavioral annex as foundation
Syntax unchanged
Design and implementation choice
An extension of behavioral annexes (?)
An embedding of behavioral annexes (hierarchic)
A refinement of behavioral annexes (modular)
Automata and regular expressions in Polychrony (Eclipse and Polarsys project POP) as implementation support for code generation