RAMSES, mastering the time of embedded systems

What is the RAMSES platform used for?

Étienne Borde: RAMSES is a design support platform for mission-critical real-time embedded systems. By this technical term, we mean embedded systems where the time dimension is particularly important: if a computing operation takes longer than expected to complete, there may be a critical system failure. From a software point of view, time is managed by a real-time operating system, whose configuration RAMSES automates while guaranteeing compliance with the system's time requirements.

What applications are concerned by this kind of system configuration aid?

EB: The transport sector is particularly concerned, and we have a railway case study that illustrates the platform's contribution. RAMSES is used to estimate the worst-case data transmission times in a train control system. The most critical messages transmitted are to ensure that the train does not collide with another train. To ensure safety, calculations are performed on three ECUs at the rear of the train, and simultaneously on three ECUs at the front of the train. What RAMSES brings is better control of latency times, and improved flow management in transmission operations.

How does RAMSES help to better configure these mission-critical real-time embedded systems?

EB: RAMSES is a compiler for the AADL language. This language is used to describe computer architectures. The basic principle of AADL is to define categories of software or hardware components that correspond to physical objects in the daily life of a computer scientist or electronics engineer. For example, one of the categories is processors: AADL lets you describe the computer's computing unit by its parameters, such as its frequency. RAMSES will facilitate the assembly of these categories to represent the system at different levels of abstraction. This is where the platform gets its name: Refinement of AADL Models for Synthesis of Embedded Systems.

What does a compiler like RAMSES offer professionals?

EB: At present, professionals develop their systems by hand in the programming language of their choice, or by generating the code from a model. They can evaluate the data transmission time on the final product, but with little traceability to the initial model. If an order takes longer than expected, developers can hardly isolate the problematic step. RAMSES provides intermediate representations as the project progresses. The tool analyzes the time associated with each task to check for excessive drift. As soon as an accumulation of mechanisms introduces too great a divergence from the imposed time limits, RAMSES alerts the professional. The platform can indicate which steps are problematic, and facilitate correction of the AADL code.

How the RAMSES platform works

So RAMSES is primarily a decision-making tool?

EB: Decision support is part of what we can do. The design of mission-critical real-time embedded systems is very complex. Developers don't have all the information about system behavior in advance. RAMSES does not eliminate all uncertainties, but it does help to mitigate them. The tool enables reasoning based on these uncertainties to decide what can be done. Without such a tool, the alternative is to make decisions without sufficient analysis. But decision support is not the only use for RAMSES. The platform can also improve system resilience, for example.

How does configuration optimization impact system resilience?

EB: Recent work by the systems security research community has focused on mixed criticality. The aim is to use multi-core architectures to deploy both critical and less critical functions on the same computer. When time constraints for critical functions are exceeded, non-critical functions are degraded. The computing resources freed up in this way are made available to critical functions, guaranteeing their resilience.

Is this something you're working on?

EB: In our team, we have been working to ensure that critical tasks will always have sufficient resources, whatever happens. At the same time, we are working on the minimum availability of resources for less critical functions. This ensures that non-critical functions are not degraded too often. On a train, for example, this ensures that it doesn't stop unexpectedly due to undersized computing resources. In this kind of context, RAMSES assesses the availability of functions according to their degree of criticality, while ensuring that sufficient resources are available for the most critical functions.

What are the main industrial sectors interested in RAMSES applications?

EB: The transport sector is our main area of application, where real-time-critical embedded systems are used extensively. We have partnerships with Thales, Dassault and SAFRAN in avionics, Alstom in the rail sector and Renault in the automotive sector. Beyond transport, robotics could also be an interesting field of application. Systems have a critical dimension in this sector, especially when it comes to large machines that can present a danger to people in the vicinity in the event of failure. This is an area where there could be good use cases.