The ASSERT Virtual Machine: A Predictable Platform for Real-Time Systems

Juan A. de la Puente, Juan Zamorano, José A. Pulido, Santiago Urueña
Universidad Politécnica de Madrid (UPM), E-28040 Madrid, Spain

Abstract: The development of real-time control systems is a complex process which has to face often conflicting requirements, especially those related to the performance of the control methods and to the real-time behaviour of the system. The ASSERT Virtual Machine provides a reliable execution platform for such systems, which allows developers to deal with functional and real-time aspects separately. In order to guarantee the required real-time properties, the virtual machine only accepts software components whose temporal behaviour is predictable and can be analysed at system design time. Such components can be automatically generated from a high-level description of the system which embeds the functional components (e.g. control algorithms) into a set of containers providing the appropriate concurrent and real-time behaviour. The ASSERT Virtual Machine has been implemented in Ada 2005, using a predictable tasking subset of the language known as the Ravenscar profile. A prototype has been validated on several pilot-scale spacecraft control systems, with good results.

Keywords: Computers for control, real-time systems, programming environments, software engineering, model-driven development.

1. INTRODUCTION

Real-time control systems have complex, and often conflicting, requirements. On one side, control algorithms have to be designed and tuned for the required performance metrics. On the other side, the execution of control algorithms on the chosen computer platform must exhibit an appropriate temporal behaviour, e.g. with respect to periodic execution, limited jitter, etc. Additional requirements may refer to dependability or security properties, power consumption, or overall cost.
This complexity often makes the development process of such systems extremely difficult to manage, and results in added cost and long development times.

A common approach to real-time system development is based on the concept of separation of concerns. Control algorithms and other functional parts of the software are developed from scratch or, more often, with the help of some model-based tool such as Simulink. Support for concurrency and real-time is added at a later stage, usually by hand, using a cyclic executive or, better, a real-time kernel [see e.g. Liu 2000]. Although there are indeed interactions between the design of control algorithms and the real-time aspects of the system [Albertos and Crespo, 2001, Cervin et al., 2003], in many cases the separation approach provides a convenient way to ensure the desired control and real-time performance in an industrial framework. Its main problem is the difficulty of decoupling the functional algorithms from the design of the concurrent and real-time features of the system.

The ASSERT¹ project is aimed at developing enhanced development processes for a particular kind of real-time control systems: embedded on-board aerospace systems. The project has been carried out by a consortium of 29 industrial and academic partners led by the European Space Agency (ESA)². Since the application domain is representative of control systems with hard real-time and high-integrity requirements, its results may be expected to be applicable to other domains as well. The approach adopted relies on the development of a set of building blocks which can be used in open frameworks in order to develop software for system families, i.e. sets of related system products with a common architecture.

This work has been partially funded by the Spanish Ministry of Education, project no. TIC2005-08665-C03-01 (THREAD), and by the IST Programme of the European Commission under project IST-004033 (ASSERT).
Software component models and formal methods are used when appropriate in order to verify the correctness of the software. To this purpose, a new software development process has been devised, based on the separation principle: functional code is embedded into containers which provide the required concurrency and timing elements (e.g. threads and synchronization mechanisms). Containers undergo a series of transformations until they are in a form that can be directly executed on a specialised platform, the ASSERT Virtual Machine, which guarantees that the behaviour of the synchronization and timing mechanisms is correct.

¹ Automated proof-based System and Software Engineering for Real-Time systems.
² http://www.assert-project.net
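To make the container idea concrete, the following Ada 2005 sketch is an added illustration, not code from the ASSERT project or its Virtual Machine: a pure control function (the functional part) is wrapped by a library-level protected object and a periodic task (the concurrency and timing elements) in a shape that respects the Ravenscar profile restrictions the paper relies on. The names Control_Step, Sensor_Bus, Controller, the 100 ms period and the gain value are assumed for the example, and feeding the controller output back as the next measurement is a constructed stand-in for a plant, not a real sensor.

```ada
--  Added illustration (not ASSERT project code): the "container" idea as
--  a Ravenscar-compliant periodic task wrapping a pure functional control
--  step.  Control_Step, Sensor_Bus, Controller, the 100 ms period and the
--  gain are assumed names/values for this example.
--
--  The Ravenscar profile is selected by a configuration pragma; with GNAT,
--  put the line   pragma Profile (Ravenscar);   in gnat.adc.  The units
--  below can be split with gnatchop and built with
--  gnatmake periodic_container.adb.

with Ada.Real_Time;

package Control_Container is

   --  Functional part: a pure function with no tasking or timing inside,
   --  so its worst-case execution time can be analysed in isolation.  A
   --  proportional law stands in for a real control algorithm.
   function Control_Step (Setpoint, Measured : Float) return Float;

   --  Synchronisation element.  Ravenscar allows only library-level
   --  protected objects, with simple barriers and at most one entry; this
   --  one needs no entry.  Without a Priority pragma its ceiling defaults
   --  to System.Priority'Last.
   protected Sensor_Bus is
      procedure Write (Value : Float);
      function  Read return Float;
   private
      Latest : Float := 0.0;
   end Sensor_Bus;

   --  Timing/concurrency element: a library-level periodic task with a
   --  static priority.  Ravenscar forbids task allocators, task
   --  hierarchies, select statements and relative delays, so the task is
   --  declared here and released with "delay until" on absolute times.
   Period : constant Ada.Real_Time.Time_Span :=
     Ada.Real_Time.Milliseconds (100);

   task Controller is
      pragma Priority (10);
   end Controller;

end Control_Container;

with Ada.Text_IO;   --  hosted build only; a bare-board runtime lacks it

package body Control_Container is

   Gain : constant Float := 0.5;   --  assumed gain for the example

   function Control_Step (Setpoint, Measured : Float) return Float is
   begin
      return Gain * (Setpoint - Measured);
   end Control_Step;

   protected body Sensor_Bus is
      procedure Write (Value : Float) is
      begin
         Latest := Value;
      end Write;

      function Read return Float is
      begin
         return Latest;
      end Read;
   end Sensor_Bus;

   task body Controller is
      use Ada.Real_Time;
      Next_Release : Time := Clock;
      Measured     : Float;
      Output       : Float;
   begin
      loop
         --  Next release is computed from the previous release time, not
         --  from Clock, so the period does not accumulate drift.
         Next_Release := Next_Release + Period;
         delay until Next_Release;

         --  The functional code runs here, bounded by the container.
         Measured := Sensor_Bus.Read;
         Output   := Control_Step (Setpoint => 1.0, Measured => Measured);

         --  Constructed stand-in for the plant: the correction becomes the
         --  next measurement.  Not a real sensor.
         Sensor_Bus.Write (Measured + Output);
         Ada.Text_IO.Put_Line ("output =" & Float'Image (Output));
      end loop;   --  Ravenscar tasks never terminate (No_Task_Termination)
   end Controller;

end Control_Container;

with Control_Container;

procedure Periodic_Container is
begin
   null;   --  The environment task does nothing; Controller runs forever.
end Periodic_Container;
```

The point of the shape is what the container, not the functional code, is responsible for: the release pattern (delay until on an absolute time), the priority, and the only legal sharing mechanism (a library-level protected object). Control_Step contains nothing that a timing analysis would have to reason about beyond its own execution time, which is what lets the functional part be generated or replaced without touching the real-time design.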