Reactive Programming of Event-Driven Automotive Systems

Project 2

Reactive Programming of Event-Driven Automotive Systems Johan Nordlander, Jan van Deventer April 2005

Construction and verification of modern automotive system software is inherently hard and costly. A primary source of this complexity can be found in the inadequate support for event-driven programming offered by contemporary software technology. This project seeks to develop and demonstrate the concept of reactive programming as an approach to reducing this complexity. Projected outcomes include both practical proofs of shortened development cycles, as well as theoretical advances enabling an increased focus on formal verification for establishing timing correctness of automotive systems.

Background

Software is playing an increasingly important role in the construction of modern automotive systems. Typical examples include anti-lock braking systems, computer controlled fuel injection and ignition, automatic cruise control, active suspension, and systems for enhanced driver interfacing and feedback. These systems are also becoming interconnected to a high degree, shifting development focus from the individual embedded computer boxes to the view of a car as a distributed computerized system in itself.

The construction and verification of software for distributed embedded systems is well known for being inherently difficult. In comparison to traditional desktop computer programming, several properties of embedded automotive systems contribute to this complexity:

1. Input is produced by a multitude of independent event-generating sources like sensors, clocks, and network ports, rather than emanating from a single interactive user and/or simple disk storage.
2. Specified output is often accompanied by explicit timeliness constraints, rather than a vague desire that output be produced "as soon as possible".
3. Embedded systems must be able to work continuously without user supervision, which excludes such programming shortcuts as exiting with an error message in response to a failure condition.
4. Despite the previous point, each node in a distributed automotive system must be able to tolerate failures of all other nodes in a controlled fashion, in order not to jeopardize human safety by ad hoc degradation of the system as a whole in the presence of component breakdowns.

Unfortunately, established software technology – by which we understand languages, operating systems, libraries, as well as established programming practice – is still very much aimed at the traditional problem domain. Direct support for asynchronous events, distributed components, real-time constraints, and partitioned failure handling is rare, and the embedded systems programmer is forced to concentrate much effort on finding adequate encodings for these notions in terms of traditional concepts [6]. The result is a semantic gap that has to be crossed before a design can be subject to systematic testing, as depicted in Figure 1. This semantic gap affects the process of establishing correctness of embedded automotive systems in two different ways:

• Test results, which only apply to the concrete software that actually runs, are hard to relate back to the high-level system model in order to suggest design changes.

• Formal verification techniques, which seldom offer to establish properties of anything but abstract system models, are generally unable to guarantee that a chosen software encoding actually corresponds to the verified model.

In both cases, the net effects on the automotive industry are extensive testing phases, a prevailing risk of unexpected system performance under extreme conditions, complicated software maintenance procedures, and prohibitive development costs.

Objective

As an overall goal, this research proposal seeks to reduce the cost of automotive system software development by leveraging on reactive programming technology. Within this goal, the concrete objectives of the proposal are:

• To develop Timber as a practical automotive system design tool, by means of ground work on the Timber compiler and libraries, integration with vehicle simulation and modeling frameworks, and extensive case studies.

• To develop and extend existing schedulability analysis techniques and tools, to the point where they can be readily applied in the formal verification of timing correctness of a reactive ABS implementation.

• To quantitatively determine the reduction in test cases that follows from a purely reactive design of a fault-tolerant distributed vehicle control system.

• To demonstrate the practical utility of all the above objectives, by performing a full iteration of design-verify-test cycles on a real test vehicle running the described systems.

Approach

In this project we propose to attack the aforementioned problems by applying the notion of reactive programming to the construction of automotive software. Reactive programming lies at the heart of research in embedded system architectures conducted at EISLAB, Luleå University of Technology, and has, in conjunction with partners at Oregon Health and Science University and Chalmers University of Technology, led to the definition of the real-time programming and modeling language Timber [2, 5]. Reactive programming is an active research area which emphasizes that the role of a computer system is to react to events, rather than to actively request input from its environment as in traditional programming. Timber takes this idea several steps further, by purifying and formalizing the concept of reactivity. The core notion of Timber is the reactive object, which directly corresponds to the idea of a system component communicating via messages. With reference to the previous discussion on embedded automotive systems programming, the distinguishing features of Timber are as follows.

1. Any reactive object may respond to all of its input sources in every state. Concurrency between objects is implicit, but reactions within a single object are mutually exclusive.
2. Real-time constraints can be declared for each reaction, and chains of time-driven reactions can be constructed with arbitrary precision.
3. Timber systems are self-contained, and from the outset designed to run without either operating system support or user supervision.
4. The consistent treatment of input through reactions enforces a program structure where the absence of liveness dependencies between distributed nodes is guaranteed.

Depending on one's perspective, Timber can be thought of as a concrete programming language powerful enough to directly express the structure of distributed event-driven systems, or as a high-level real-time modeling formalism with the additional benefit of automatic generation of efficient executable code, without intermediate manual encodings. In any case, the semantic gap between model and software encoding referred to above is not present in a Timber design, as illustrated in Figure 2.
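As an added illustration (not code from the proposal or the Timber project), the following Python simulation models two of the features listed above: reactions on one object are mutually exclusive, and a time-driven chain that derives each next baseline from the previous baseline (Timber's "after") keeps its period exactly, whereas chaining from the actual execution time drifts and, in the run below, also hides a deadline miss. The sporadic diagnose reaction alongside the periodic sampler is the mixed periodic/sporadic pattern that the schedulability work in activity 3 targets. All class names, periods and costs are assumptions, and the model ignores preemption and scheduling across objects.

```python
from dataclasses import dataclass, field
import heapq

@dataclass(order=True)
class Message:
    baseline: int                       # earliest start time (ms)
    deadline: int                       # latest completion time (ms)
    obj: object = field(compare=False)
    method: str = field(compare=False)

class ReactiveObject:                   # private state; reactions never overlap
    def __init__(self):
        self.busy_until = 0

class Scheduler:
    def __init__(self):
        self.queue, self.missed = [], []
    def send(self, obj, method, baseline, deadline):
        heapq.heappush(self.queue, Message(baseline, deadline, obj, method))
    def run(self, until):
        while self.queue and self.queue[0].baseline <= until:
            m = heapq.heappop(self.queue)
            start = max(m.baseline, m.obj.busy_until)      # mutual exclusion
            finish = start + getattr(m.obj, m.method)(self, m, start)
            m.obj.busy_until = finish
            if finish > m.deadline:                        # timing violation
                self.missed.append((m.method, m.baseline, finish))

class WheelSampler(ReactiveObject):
    PERIOD, REL_DEADLINE = 10, 4        # assumed values, ms
    def __init__(self, timber_style):
        super().__init__()
        self.timber_style, self.ticks = timber_style, []
    def sample(self, sched, msg, start):
        self.ticks.append(msg.baseline)
        # Timber "after PERIOD": next baseline = this baseline + PERIOD, whatever
        # the actual run time was; the naive variant chains from the start time.
        nxt = (msg.baseline if self.timber_style else start) + self.PERIOD
        sched.send(self, "sample", nxt, nxt + self.REL_DEADLINE)
        return 1                        # execution cost 1 ms
    def diagnose(self, sched, msg, start):
        return 5                        # a 5 ms reaction on the same object

def simulate(timber_style, horizon=45):
    s, w = Scheduler(), WheelSampler(timber_style)
    s.send(w, "sample", 0, 4)
    s.send(w, "diagnose", 8, 20)        # sporadic work delaying the 10 ms tick
    s.send(w, "diagnose", 29, 40)       # pushes the 30 ms tick past its deadline
    s.run(horizon)
    return w.ticks, s.missed
```

With baseline chaining the sampler fires at 0, 10, 20, 30, 40 ms and the delayed 30 ms tick is reported as a deadline miss; with start-time chaining the ticks drift to 0, 10, 23, 33, 44 ms and no miss is ever reported.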

In addition, Timber comes equipped with a formal semantics definition, something which is instrumental to the prospect of using the language as a vehicle for formal system verification. Moreover, the notions of functions and equations used in Timber bear close resemblance to the corresponding notions in mathematics and physics, a property that carries a potential of very close integration of Timber with discretized modelling approaches in general, such as those used by the car industry to model vehicle dynamics [1].

Project plan

In order to achieve the proposed objectives, a combination of theoretical, experimental, and engineering work will be required. The projected research plan consists of five distinct activities:

1. Adaptation of the Timber development environment, libraries and documentation to the platforms currently utilized by the automotive industry. This work also includes interfacing the tools to major frameworks used for dynamic vehicle simulation and modeling, such as MSC.ADAMS [1]. Expected outcomes are an easily deployable tool suite and accompanying tutorial material enabling further experimentation with Timber technology within the car industry.
2. Construction of case study software implementations, initially identified as an anti-lock braking system, a cruise control system, and an active suspension system. Expected outcomes are executable software models that can be studied, discussed and modified in cooperation with active developers from the industry, in order to increase common knowledge of the problem domain, identify hidden complications, and establish the crucial timing and fault-tolerance properties of the implemented systems.
3. Extension and integration of previous work in deadline-based schedulability analysis [4], to cater for the time-separated chains of reaction patterns typically contained in specifications for automotive control systems such as ABS. The concrete research question to be studied here is how to generalize existing verification techniques to the hybrid case where a reaction pattern is neither strictly periodic nor fully sporadic. Expected outcomes are theoretical advances in the field of deadline-based scheduling and analysis, and tools leveraging on these advances in the context of reactive programming.
4. Systematic scrutiny of the failure scenarios a distributed integration of the implemented systems might be exposed to, both according to current industry practice, and by special consideration to the inherent robustness of a purely reactive design. Expected outcomes are detailed test plans for both cases, which can be compared in order to establish a quantitative measurement of the reduction in test complexity imposed by reactive programming.
5. Full-scale deployment of the implemented systems on a real test vehicle, including formal verification of all important timing properties, and systematic testing according to established industry standards. Expected outcomes are hands-on proof and a credible illustration that reactive programming with well-founded formal underpinnings is able to substantially reduce the complexity of developing and testing automotive embedded software.

The project is expected to occupy one Ph.D. student full-time for a period of four years. Current work in the projected direction includes initial steps in the theoretical developments of activity no. 3 above, as well as a first sketch of the ABS system contained under activity no. 2. Recent work on the Timber language has been extensive, and the compiler itself has been offered as open source to further facilitate its ongoing development [2]. The proposed work is also expected to draw from current work within EISLAB in the neighbouring areas of worst-case execution time analysis [7], real-time memory management [8], and sensor-based networking [3].

References

[1] MSC.ADAMS. http://www.mscsoftware.com/products/products detail.cfm?PI=413.
[2] Timber homepage. http://www.csee.ltu.se/index.php?subject=timber.
[3] Ambient Intelligence Lab (under construction), 2005. Luleå University of Technology.
[4] T.P. Baker. Stack-based scheduling for real-time processes. Real-Time Systems, 3(1):67–99, 1991.
[5] Magnus Carlsson, Johan Nordlander, and Dick Kieburtz. The semantic layers of Timber. In Atsushi Ohori (ed.), First Asian Symposium on Programming Languages and Systems (APLAS 2003), Beijing, China, volume 2895 of Lecture Notes in Computer Science. Springer, November 2003.
[6] Bruce Powell Douglass. Real-Time UML: Developing Efficient Objects for Embedded Systems. Addison-Wesley, 1998.
[7] Linus Svensson, Joakim Eriksson, Per Lindgren and Johan Nordlander. Language-Based WCET Analysis of Reactive Programs. Submitted to ECRTS '05.
[8] Martin Kero. Incremental Copying Memory-Management for Reactive Systems. Master's thesis, Luleå University of Technology (to appear), 2005.