Damien Chabrol, PhD

Vannes, Bretagne, France
1K followers, 500+ connections

About

At ASTERIOS TECHNOLOGIES, our team is shaping the future of critical software for…

Experience

  • ASTERIOS TECHNOLOGIES

    Massy, Île-de-France, France

  • -

    Massy, Île-de-France, France

  • -

    Orsay, Île-de-France, France

  • -

    Orsay, Île-de-France, France

  • -

    Orsay, Île-de-France, France

  • -

    Saclay

  • -

    Saclay, Île-de-France, France

Education

  • Université Paris-Sud

    -

    Activities and societies: Title: Study, design and implementation of a synchronous, fault-tolerant communication protocol for standard networks

Publications

  • Perspectives on AI-ML Safety Assurance

    ERTS 2024

    AI-ML suffers from a reliability glass-ceiling phenomenon (e.g. ~10e-3 error/inference), making it incompatible with safety-criticality. Several orders of magnitude are missing. We explain why, and we point to the characteristics of ML that conflict with the assurance objectives assigned to safety-critical developments. Could encapsulation of ML constituents into fault-tolerant architectures, ML development assurance, and software/hardware development assurance, altogether mitigate the gap? We argue that in spite of impressive progress of the ML state-of-the-art, the answer is negative. Drawing from Topological Data Analysis (TDA) and set-based non-linear control, we propose to supplement ML point-based specification and verification with volume-based specification and verification to meet 10e-5 err./inf. levels, as a minimum. We outline the rationale of a new research field we name (Ultra) Reliable Machine Learning, at the confluence of TDA, statistics on manifolds, and ML safety assurance. Some cross-domain safety regulation principles guide the underlying rationale. We illustrate the methodology on image classification.

    Other authors
  • SLET for distributed aerospace landing system

    The aerospace industry is moving towards digital systems that are both more condensed (merging criticality-heterogeneous functions on the same equipment) and more distributed (for robustness, availability, and actuator/sensor closeness) while being software-defined. This makes integration activities highly critical for next-generation systems, due to the interaction complexity between the software components and their deployment on the hardware platform, combined with development processes that are outdated with regard to the multicore transition. Therefore, predictability, testability, and ultimately strong determinism are crucial high-level properties needed not only at equipment level but at the whole system scope, which cannot be tackled without changes in the design process. This paper deals with an innovative solution, based on the sLET paradigm, to bring drastic integration time reduction whatever the underlying architecture (multicore, multi-node). Already proved worthy for multicore platforms, sLET deployment is applied to an aerospace landing system over a distributed system architecture.

    Other authors
  • Semantics foundations of PsyC based on synchronous Logical Execution Time

    ACM

    Task models for Real-Time Scheduling (RTS) and Synchronous Reactive (SR) languages are two prominent classes of formalisms for the design and analysis of time-critical embedded systems. Task models make it possible to provide deadlines, periods, or other such kinds of interval time boundaries that make the system description fit for schedulability analysis. Synchronous reactive languages use logical clocks as activation condition triggers in languages providing programmability. We consider here synchronous LET (sLET) extensions that intend to re-use notions of logical clocks and logical time for the purpose of providing schedulability boundaries. As its name indicates, sLET borrows deeply from Logical Execution Time ideas, where timing dimensions are all provided at logical design time, but it extends asynchronous events as in xGiotto with SR-inspired programmability and “first-class citizen” logical clock constructs. Our work results in a two-level semantics of the programming language PsyC. The benefit is to reuse techniques from both RTS and SR. Big-step RTS models provide inputs for task model schedulability analysis and implementation. Meanwhile, SR small-step models provide methodological tools to view any event as a time base (logical clock) and verification technologies (but they do not consider the WCET of tasks to be kept within time boundaries by the scheduling). We show the semantic equivalence of those two semantics at visible time interval boundaries.

    Other authors
  • The synchronous Logical Execution Time paradigm

    ERTS 2022 - Embedded real time systems, Jun 2022, Toulouse, France.

    Real-time industrial systems are not so much those that have to perform tasks incredibly fast, but those that perform them in a time-predictable manner; they focus on meeting previously specified timing requirements in a provable way. Consequently, time must be taken into account from the very start of the design.
    However, exact timing constants may not be available yet in early design stages as they may depend on the target. In answer, formalisms based on Multiform Logical Time have been introduced to abstract real-time durations. The Synchronous Reactive (SR) approach introduced a discretized abstraction of time on which computations happen logically instantaneously. Contrary to SR, Logical Execution Time (LET) mandates specifying the actual logical duration a task has to fulfill. This allows a more efficient compilation, at the price of a lower expressiveness. Classical LET (i.e. as introduced in Giotto/TDL) sticks to uniform pseudo-physical time, i.e. based on one logical clock mapped to real time. In this paper, we introduce a new paradigm called synchronous Logical Execution Time (sLET) that builds upon both the SR and LET paradigms. It keeps the idea of logical durations coming from the LET paradigm, while having logical instants based on logical clocks. This extends the expressivity of LET, as time is totally abstracted as sequences of events. The various schedulings provide physically timed versions that, while having distinct non-functional properties (in terms of performance mostly), remain mutually functionally equivalent (in the logical time realm). A particular instance, where computations are executed “in a single instant” and then time is advanced (as in classical event-driven simulation), can lead to a direct translation into synchronous formalisms (in our case Esterel). We started inquiring how this could open new ways of verification and analysis on PsyC programs.

    Other authors
  • Leveraging the Synchronous Logical Execution Time to solve Concurrency in Avionics Systems

    DASIA

    Other authors
  • Dependable Real-Time System and Mixed-Criticality: Seeking Safety, Flexibility and Efficiency with Kron-OS

    Ada User Journal

    Embedded real-time systems integrate more and more real-time application functions on the same execution unit, with heterogeneous real-time requirements but also dissimilar safety requirements. It is not realistic to apply the highest safety level to all functions, which leads to the problem of mixed-criticality. Hypervisors seem to have become a popular solution, but they treat real-time features as a secondary issue. Their main drawback is the difficulty (or impossibility) of managing different time-scales and jitters as a real-time operating system is supposed to. To cope with this problem, we propose an approach that we briefly introduce in this article. Kron-OS is a software suite to design, implement and execute real-time solutions mixing strong real-time requirements along with low-criticality features. It also provides a set of automatic code generation tools and a safety-oriented real-time kernel that includes a temporal and spatial partitioning methodology and mechanisms.

    Other authors
  • Noyau & outils pour concilier contraintes de time-to-market et de certification

    ImDR

    The objective of this communication is to present an innovative tool for developing deterministic, partitioned real-time systems that meet functional safety requirements.
    Indeed, manufacturers designing and integrating safety-related embedded systems face constraints coming from the market (time and complexity constraints, etc.), but also regulatory constraints aimed at certification (notably CEI 61508 (IEC 61508), the functional safety standard). This paper presents, on one side, the KRONO-SAFE technology and, on the other, the benefit of integrating it into certification processes.

    Other authors
  • Freedom from interference among time‐triggered and angle‐triggered tasks: a powertrain case study

    ERTS² 2014

    Over the last years, the amount of software integrated in products like cars, planes, or trains has considerably grown in order to get more intelligent, more open and more communicating embedded systems. Due to this trend, the ability to manage software complexity while respecting safety constraints is now key for competitiveness in industrial domains such as automotive, aeronautics or railway.
    To meet this challenge, the real-time kernel plays a major role. Unfortunately, the current technologies proposed by the market are handicapped by programming models with poor or nonexistent temporal semantics. This weakness is a real blocking point for keeping under control the cost and the time-to-market of safety-related and ever more complex embedded systems.
    To address these issues, KRONO-SAFE has extended its real-time kernel, called KRON-OS, to support an innovative programming model that makes it possible to mix periodic and aperiodic real-time references while guaranteeing freedom from interference among treatments and the determinism of system behavior on single-core and multi-core processors.

  • Method and Tools for Mixed-Criticality Real-Time Applications within PharOS

    This paper provides an overview of some principles and mechanisms to securely operate mixed-criticality real-time systems on embedded platforms. Those principles are illustrated with PharOS, a complete set of tools to design, implement and execute real-time systems on automotive embedded platforms. The keystone of this approach is a dynamic time-triggered methodology that supports full temporal isolation without wasting CPU time. In addition, memory isolation is handled through automatic off-line generation of fine-grained memory protection tables used at runtime. These isolation mechanisms are building blocks for the support of mixed-criticality applications. Several extensions have been brought to this model to expand the support for mixed-criticality within the system. These extensions feature fault recovery, support for the cohabitation of event-triggered with time-triggered tasks, and paravirtualization of other operating systems. The contribution of this paper is to provide a high-level description of these extensions, along with an analysis of their impact on global system safety, in particular on the determinism property of the PharOS model.

    Other authors
  • A Spatial and Temporal Partitioning Approach for Dependable Automotive Systems

    ETFA

    Automotive manufacturers aim to reduce the number of electronic control units (ECUs) in order to control vehicle cost and energy consumption. Following this trend, the next generation of automotive body/engine controllers will integrate more real-time functions on the same ECU, with different safety levels and application domains. To meet this new challenge, safety must therefore be improved to ensure no interference among functions. This paper deals with PharOS, a technology for the design and implementation of embedded real-time systems in highly constrained environments. It provides a safety-oriented kernel including earliest error detection and confinement techniques. This is realized through partitioning mechanisms that keep the system stable and available even in degraded mode and allow specific failure management policies to be implemented.

    Other authors
    • Christophe Aussaguès
    • Vincent David
  • An OS for Multicore Embedded Systems Compliant with Automotive Safety Standards

    IAEC

    In 2006, DELPHI and CEA decided to work jointly on the “D2OS” project in order to develop a new OS for the next generation of automotive body controllers. The DELPHI needs regarding a new OS are the following:
    · ROM and RAM consumption equivalent to current automotive OS,
    · time-triggered but also event-triggered support,
    · spatial and temporal protection,
    · NTF (No Trouble Found) eradication,
    · dual-core support,
    · AutoSAR compliance.
    The challenge these R&D works rise to is the introduction of safety in the design and execution of automotive applications, taking benefit of previous work performed in the safety-critical domain of nuclear science, and nevertheless

    Other authors
    • Christophe Aussaguès
    • Vincent David
    • Didier Roux
    • Natalia Willey
    • Arnaud Tournadre
    • Jean-Francois CULAT
  • Dynamic Scheduling of Real-Time Tasks on Multicore Architectures

    Colloque du GdR Soc/SiP

    We present a new dynamic scheduling algorithm for multicore architectures. It is an improvement of the Optimal Finish Time (OFT) scheduler introduced by Lemerre that reduces preemptions. Our result is compared with other schedulers, and we show that our algorithm can handle more general scheduling problems.

    Other authors
    • Thomas Megel
    • Vincent David
  • OASIS formal approach for distributed safety-critical real-time system design

    ISOLA

    Other authors
    • Jean Sylvain Camier
    • Christophe Aussaguès
    • Vincent David
  • Deterministic Distributed Safety-Critical Real-Time Systems within the Oasis Approach

    IASTED PDCS

    Distributed real-time systems have found widespread use in most key industries (nuclear, avionics, automotive, etc.). This trend continues, with increasingly intricate systems performing safety-critical functions. Given the current emphasis on system reliability, major efforts must be devoted to demonstrating and guaranteeing their safety.
    OASIS provides a real-time multitasking and communication approach with a complete set of development tools (e.g. code generation, validation, simulation and execution) to facilitate the design, testing and validation stages while complying with prevailing standards. OASIS is specifically geared to building deterministic systems whose behavior is predictable and reproducible in both the logical and temporal domains. Its development package is industrially available for single-processor architectures and is presently being qualified for 1E-class nuclear systems. This paper describes our research, which focuses on implementing distributed safety-critical real-time systems.

    Other authors
  • OASIS: A chain of development for safety-critical embedded real-time systems

    ERTS

    In the domain of embedded systems, the design and realization of performant, safety-critical real-time systems still constitute today a true scientific, technical and economic challenge [STANKOVIC88]. The difficulty is not only to realize critical real-time systems that include more complex functions, but also to make development easier, including verification and validation. The new solutions must be as safe as those already existing and comply with the enforced standards of the industrial domain concerned, such as DO-178A and ARINC-653 in aerospace or CEI-880 and RFS in the nuclear domain. The realization of safety-critical embedded systems at lower cost has resulted in the implementation and integration of several activities on one processor, in order to decrease hardware costs. These systems run correctly today, but they are still expensive, difficult to maintain and do not guarantee determinism [STANKOVIC90] at the system level, and are therefore inapplicable for industry. This paper begins with a presentation of the OASIS approach on mono-processor architectures and presents the current research work on distributed ones.

    Other authors
    • Vincent David

Patents

  • Method for the Deterministic Execution and Synchronization of an Information Processing System Comprising a Plurality of Cores Executing System Tasks

    Issued: FR US 2011/0302589 A1

    An information processing system includes two processing cores. The execution of an application by the system includes the execution of application tasks and the execution of system tasks, and the system includes a micro-kernel executing the system tasks, which are directly linked to hardware resources. The processing system includes a computation part of the micro-kernel executing system tasks relating to the switching of the tasks on a first core, and a control part of the micro-kernel executing, on a second core, system tasks relating to the control of the task allocation order on the first core.

    Other inventors
    • Christophe Aussaguès
    • Vincent David

Courses

  • Startup Management Training, Incuballiance Incubator, France

    -

Projects

  • EDEN2

    - present

    Get full confidence in and enable deployment of Ethernet Time-Sensitive Networking (TSN) as the embedded network for multi-domain architectures (aeronautics, space and automotive)

  • Asterlink

    Other creators
  • ARCHEOCS

    -

    Other creators
  • S3P

    -

    KRONO-SAFE project leader

  • ADN4SE

    -

    Software has become the engine of innovation for all embedded systems: it is a vital component of industrial competitiveness. It must now fulfil strong constraints regarding safety and time-to-market; unfortunately, these objectives are not achievable with current RTOSs. However, the RTOS KRON-OS has unique properties enabling a development that is both fast and safe by construction. Therefore, the partners of the ADN4SE project have decided to rely on the characteristics of the KRON-OS technology in order to establish a top-down and seamless process, based on a continuous toolchain, matching their safety and time-to-market requirements.

    Global project leader

  • ES3CAP

    -

    KRONO-SAFE project leader


Honors and awards

  • Winner of the Embedded Technologies Trophy Paris Air Forum 2018

    Embedded France

  • Sagem Innovation Trophy

    Safran

    Its real-time integration tool Asterios received the Sagem Innovation Trophy from Martin Sion, CEO of Sagem, during his visit to the Krono-Safe premises in March 2016.

  • Innovative enterprise creation contest 2012

    French Ministry of Research

  • Gold electron category "critical software"

    Journal ElectroniqueS

Organizations

  • CEA Association of PhD Students

    President

    -
