The development of complex embedded control systems can be improved significantly by applying formal techniques from control engineering and software engineering. It is shown how these approaches can be combined to improve the design and analysis of high-tech systems, both in theory and practice. The semantics of the integration of two established rigorous techniques has been defined formally in this work. The strength of this integrated semantics is demonstrated by means of a significant industrial case study: the embedded control of a printer paper path, whereby the full development life-cycle from model to realization is covered. The resulting model-driven design approach fits the current engineering practice in industry and is both flexible and effective.

Key challenges in the performance estimation of distributed real-time embedded (DRE) systems include the systematic measurement of coverage by simulations, and the automated generation of directed test vectors. This paper investigates how DRE systems can be represented as discrete event systems (DES) in continuous time, and proposes an automated method for the performance evaluation of such systems. The proposed method also provides a way for the verification of dense time properties for a large class of DRE systems. This approach provides a formal executable model allowing to bridge the gap between simulations and formal verification. Our results show that the proposed DES-based evaluation method can achieve better coverage in large-scale DRE systems than alternative methods.

We present a tool-supported approach to the validation of system-level timing properties in formal models of distributed real-time embedded systems. Our aim is to provide system architects with rapid feedback on the timing characteristics of alternative designs in the often volatile early stages of the development cycle. The approach extends the Vienna Development Method (VDM++), a formal objectoriented modeling language with facilities for describing real-time applications deployed over a distributed infrastructure. A new facility is proposed for stating and checking validation conjectures (assertions concerning real-time properties) against traces derived from the execution of scenarios on VDM++ models. We define validation conjectures and outline their semantics. We describe the checking of conjectures against execution traces as a formallydefined extension of the existing VDM++ tool set, and show tools to visualise traces and validation conjecture violations. The approach and tool support are illustrated with a case study based on an in-car radio navigation system.

Abstract. To support model-based development and analysis of embedded systems, the specification language VDM++ has been extended with asynchronous communication and improved timing primitives. In addition, we have defined an interface for the co-simulation of a VDM++ model with a continuous-time model of its environment. This enables multi-disciplinary design space exploration and continuous validation of design decisions throughout the development process. We present an operational semantics which formalizes the precise meaning of the VDM extensions and the co-simulation concept.

To ensure correctness and performance of real-time embedded systems, early evaluation of properties is needed. Based on design experience for real-time systems and using the concepts of the POOSL language, we introduce modelling patterns that allow easy composition of models for design space exploration. These patterns cover different types of real-time tasks, resources and mappings, and include also aspects that are usually ignored in classical analysis approaches, like task activation latency or execution context switches. The construction of system models can be done by integrating the necessary patterns, as illustrated in two case studies. 1.

buffers is an essential task since buffers are a major source of cost and power consumption. This paper proposes flow regulation and has defined a regulation spectrum as a means for system-on-chip architects to control delay and backlog bounds. The regulation is performed per flow for its peak rate and burstiness. However, many flows may have conflicting regulation requirements due to interferences with each other. Based on the regulation spectrum, this paper optimizes the regulation parameters aiming for buffer optimization. Three timing-constrained buffer optimization problems are formulated, namely, buffer size minimization, buffer variance minimization, and multiobjective optimization, which has both buffer size and variance as minimization objectives. Minimizing buffer variance is also important because it affects the modularity of routers and network interfaces. A realistic case study exhibits 62.8 % reduction of total buffers, 84.3 % reduction of total latency, and 94.4 % reduction on the sum of variances of buffers. Likewise, the experimental results demonstrate similar improvements in the case of synthetic traffic patterns. The optimization algorithm has low run-time complexity, enabling quick exploration of large design spaces. This paper concludes that optimal flow regulation can be a highly valuable instrument for buffer optimization in NoC designs. Index Terms—Buffer size, buffer variance, interior point method, network-on-chip (NoC), optimization problem. I.

Abstract. Designing architectures requires the balancing of multiple system quality objectives. In this paper, we present techniques that support the exploration of the quality properties of component-based architectures deployed on multiprocessor platforms. Special attention is paid to real-time properties and efficiency of resource use. The main steps of the process are (1) a simple way of modelling properties of software and hardware components, (2) from the component properties, a model of an execution architecture is composed and analyzed for system-level quality attributes, (3) for the composed system, selected execution scenarios are evaluated, (4) Pareto curves are used for making design trade-offs explicit. The process has been applied to several industrial systems. A Car Radio Navigation system is used to illustrate the method. For this system, we consider architectural alternatives, show their specification, and present their trade-off with respect to cost, performance and robustness. 1

To ensure correctness and performance of real-time embedded systems, early evaluation of properties is needed. Based on design experience for real-time systems and using the concepts of the POOSL language, we introduce modelling patterns that allow easy composition of models for design space exploration. These patterns cover different types of real-time tasks, resources and mappings, and include also aspects that are usually ignored in classical analysis approaches, like task activation latency or execution context switches. The construction of system models can be done by integrating the necessary patterns, as illustrated in two case studies. 1

Software systems are becoming more and more important for all industrial fields. Software developers are asked to produce high-quality software products, which require lower costs and resource consumption. However, some designs are good for some quality attributes while bad for others. Therefore we need a technique to evaluate multiple quality properties in order to motivate design trade-offs. Our project aims to develop quantitative techniques and to build a tool to assess a number of quality properties of architectural designs. This tool calculates the effect of applying the alternative architectures to relevant quality properties. We use a methodology that applies multiple analysis methods to assess different quality properties of component-based architecture, which we call DAX (Design, Analyze, eXplore, [1]). In this paper we apply the DAX methodology to two case studies, assessing the reliability, performance and cost criteria. One case

Design space exploration of embedded systems typically focuses on classical design goals such as cost, timing, buffer sizes, and power consumption. Robustness criteria, i.e. sensitivity of the system to variations of properties like execution and transmission delays, input data rates, CPU clock rates, etc., has found less attention despite its practical relevance. In this paper we introduce multi-dimensional robustness metrics, expressing the static and dynamic design robustness of a given system, the former assuming a fixed parameter configuration, and the latter including parameter adaptations as response to property variations. Additionally, we propose a metric measuring the robustness gain that can be achieved through system reconfigurability. Since determining multi-dimensional robustness is computationally expensive we introduce efficient exploration methods based on a stochastic sensitivity analysis technique capable of deriving upper and lower robustness bounds for a given system with low computational effort. We demonstrate the robustness optimization methods by means of a small but realistic case study.