Modeling Mixed-critical Systems in Real-time BIP

Dario Socci, Peter Poplavko, Saddek Bensalem and Marius Bozga
UJF-Grenoble 1 CNRS VERIMAG UMR 5104, Grenoble, F-38041, France
{Dario.Socci | Petro.Poplavko | Saddek.Bensalem | Marius.Bozga}@imag.fr

Abstract—The proliferation of multi- and manycores creates an important design problem: the design and verification of mixed-criticality constraints in timing and safety, taking into account resource sharing and hardware faults. In our work, we aim to contribute towards the solution of these problems by using a formal design language, real-time BIP, to model both hardware and software, functionality and scheduling. In this paper we present our initial experiments in modeling mixed-criticality systems in BIP.

I. INTRODUCTION

The introduction of many-cores and multi-cores is leading to an increasing trend in embedded systems towards implementing multiple subsystems upon a single shared platform. However, in most applications, not all the subsystems are equally critical. This observation is especially important when human lives depend on correct functionality, e.g. in avionics systems. In mixed-criticality systems, different degrees of failure, from minor through hazardous to major, need to be distinguished [1]. Previous work mostly assumes time or space isolation of subsystems having different levels of criticality. However, when integrating different subsystems on a single multi-core die there is a need to share hardware resources (processors, on-chip memory, and global interconnect) between the subsystems. Handling hardware failures safely is another design problem, one that will only grow as multi-core becomes more and more commonplace. This problem has already manifested itself in popular many-core systems, the GPUs, so it is relatively well studied how to manage resource sharing and safety when all subsystems have the same level of criticality.
However, adding the mixed-criticality assumption may easily boost the complexity from tractable to intractable [2], and there is a general lack of design methodology. A popular language for programming safety-critical systems is Ada, and there is great interest today in expressing multi-core and especially mixed-critical applications in this language [3], [4]. However, for verification of safety properties (i.e., an automatic check for the absence of bugs), any program has to be translated to a formal model, which is a non-trivial task even for Ada, a language designed to facilitate static analysis of code [5]. Formalization is required not only for the analysis of safety properties, but also for timing [6]. Formal models play an important role in the analysis of hardware faults and fault correction [7] and of shared-resource conflicts in multicores [8]. Therefore, in our mixed-criticality project we target many-core systems, addressing the technological challenges by using a formal design language, BIP. The design input can be either provided in BIP or obtained by translation from other languages. A wide range of formal design languages exist, but most of them, referred to as models of computation, enable tractable analysis at the cost of expressiveness. Software-based embedded systems would ideally be designed in the same way as hardware, i.e., using a language such as Verilog/VHDL, for which all important physical properties, like timing, consumed energy and occupied space, can be formally imposed and/or derived in a fully automated design process. This is unfortunately very often not the case for software, and it requires significant effort, up to even a change in the mentality of software developers, to write programs that are ‘aware’ of non-functional constraints [9].

(Funding note: The research leading to these results has received funding from CERTAINTY – European Community’s Seventh Framework Programme [FP7/2007-2013], grant agreement no. 288175.)
Synchronous languages, such as Lustre [10], are an important step towards solving this problem; they are actively being developed in the direction of multi-core mapping [11] and are becoming an important subject of research for mixed-critical systems [12]. Also, applications written in widely used data-flow languages such as Simulink can be translated into synchronous languages [13]. However, unlike their hardware-language ‘brothers’ Verilog/VHDL, for software the synchronous languages are far from a ‘one-size-fits-all’ solution, because they assume very specific properties of the system behavior, and it can be very difficult and costly to tailor a given software project to fit these properties [14]. Therefore, rigorous embedded system design frameworks such as BIP do not restrict themselves to synchronous languages and are open in a more general way to the functionality to be implemented in various safety-critical systems. At the same time, they share with synchronous languages the ability to reason formally about the behavior and the potential to achieve full automation for given physical constraints in terms of timing, energy and space/weight. The BIP framework is expressive enough to model various models of computation. Due to this unique expressiveness, it takes a very special role in our design methodology: the same language is used to express both the application and the hardware, timing and functionality, scheduling and mapping. The paradigm of updating and analyzing a homogeneous intermediate formal model of a real design object to support design decisions is well recognized in the field of electronic design automation for hardware design.
The tools for logic synthesis and physical synthesis exploit so-called timing graphs, which provide an intermediate timing model of the digital logic design; the graph is updated in conjunction with the modifications the design flow makes to the design and is used to guide the decisions made in the flow. The idea to use