Verifying Service Continuity in a Dynamic Reconfiguration Procedure: Application to a Satellite System

L. APVRILLE apvrille@ece.concordia.ca
GET/ENST/COMELEC/Lab SoC, Institut Eurecom BP 193, 2229 route des crêtes, 06904 Sophia Antipolis Cedex, France

P. de SAQUI-SANNES desaqui@ensica.fr
P. SÉNAC senac@ensica.fr
ENSICA, 1 place Emile Blouin, 31056 Toulouse Cedex 05, France; LAAS-CNRS, 7 avenue du Colonel Roche, 31077 Toulouse Cedex 04, France

C. LOHR lohr@laas.fr
LAAS-CNRS, 7 avenue du Colonel Roche, 31077 Toulouse Cedex 04, France; Concordia University, Electrical and Computer Engineering Department, 1455 de Maisonneuve W., Montreal, QC, H3G 1M8, Canada

Abstract. The paper discusses the use of the TURTLE UML profile to model and verify service continuity during dynamic reconfiguration of embedded software, and space-based telecommunication software in particular. TURTLE extends UML class diagrams with composition operators, and activity diagrams with temporal operators. Translating TURTLE to the formal description technique RT-LOTOS gives the profile a formal semantics and makes it possible to reuse verification techniques implemented by RTL, the RT-LOTOS toolkit developed at LAAS-CNRS. The paper proposes a modeling and formal validation methodology based on TURTLE and RTL, and discusses its application to a payload software application in charge of an embedded packet switch. The paper demonstrates the benefits of using TURTLE to prove service continuity for dynamic reconfiguration of embedded software.

Keywords: dynamic reconfiguration, real-time UML, RT-LOTOS, formal validation, satellite

1. Introduction

Formerly limited to signal processing, satellite payloads nowadays perform cell switching and dynamic multiplexing. Consequently, they require heavier network signaling and more complex software support.
The complexity of building and maintaining such systems is increased by the fact that the multimedia data streams handled by payloads evolve in nature throughout a satellite's lifetime (a fifteen-year average). Two avenues have been explored to answer this problem. The first solution corresponds to the active networking paradigm (Chen, 2000): program code embedded in data streams implements a per-user or per-stream network customization. In the second solution, a satellite operation center performs regular dynamic reconfiguration of the embedded software (Boutry, 2000). The paper addresses the second solution, in particular the dynamic reconfiguration of embedded and software-implemented network functions. The problem to be solved is service