EDONA: an Open Integration Platform for Automotive Systems ...

EDONA: an Open Integration Platform for Automotive SystemsDevelopment ToolsF. Ougier 1 , F. Terrier 21: Renault, 1 avenue du Golf, Guyancourt, F-78288, France – francois.ougier@renault.com2: CEA LIST, Gif-sur-Yvette, F-91191, France – francois.terrier@cea.frAbstract: Launched in autumn 2007, EDONA is aFrench collaborative effort of automotivemanufacturers and suppliers, research laboratoriesand software vendors. It was built in order toguarantee seamless inter-operation of existingcommercial tools and advanced academictechnologies necessary to develop automotivesoftware-based systems.This project aims at developing open developmentenvironments supporting the full set of futureAUTOSAR specifications, as well as theforthcoming ISO 26262 standard for safety ofelectronics components for the automotive industry.The article describes the environment frameworksbased on a tool repository and a set of interfacesbacked by the Eclipse environment, and how tooledsolutions will be built for dependability and hard realtime support across the whole V-cycle, namely in thefollowing areas:• System specification and requirementtraceability• Functional and temporal validation• Safe design of real-time and deterministicsolutions• Integration of MMI component under safetyconstraintsIt concludes on discussing the orientation of theexploitation strategy considered for the projectresults.Keywords: Automotive open tool platform,component development, design for safety, modelbased validation1. IntroductionA vital goal for automakers and parts manufacturersis to control the quality of embedded systems.Indeed, surviving in global markets, but alsoincreasing market share requires the implementationof differentiating innovations. This leads tosignificantly increase the complexity and interactionsof the developed features. Since most of them arebased on the implementation of electronic andsoftware technologies, the volume and complexity ofthis software is undergoing a very significant growth.The quality risk there is either to prevent thematuration of innovations involved (thus no tenderson the market -not increased turnover 'affairs), or togenerate perceptible non-quality of the products(thus to generate a poor image - decline in sales).The growth of technological and economic weight ofthe automotive electronics as well as its increasingcomplexity requires, in order to guarantee the cost,quality and timeliness of implementation, acomprehensive approach: from product featurespecification to electronics and software design andvalidation. The challenge for the automotive industryis to control these electronic-board computerarchitectures, in order to: offer a dependability at level of the state of theart (with dependability objectives allocation andevidence demonstration in accordance with ISO26262 standard recommendations); have the flexibility to provide differentconfigurations (the diversity of featuresdepending on the variety of target markets); have an ability to dissociate electronics andsoftware developments and integrate them intomulti-stakeholders (manufacturers, suppliers)processes.According to these objectives, the automotiveindustry has launched two important standardisationactions: AUTOSAR TM , a standard defining platformarchitectures, and formats to design, integrateexecute and operate software components; ISO 26262, a standard providing automotive riskclasses and recommendations regarding alllifecycle activities for safety-related systemscomprised of electrical, electronic, and softwareelements.The challenge is now to provide efficient processesto each actor of the development of automotiveembedded software components according to thosestandards. Moreover, the wide variety of applicationsand stakeholders involved in the process cycle leadsto integrate a large variety of practices and toolswithin the constraints and orientations of thesestandards.To deal with the consequent tool interoperationcomplexity, the Num@tec Automotive [1] consortiumhas set up the EDONA platform project in order toprovide an open framework from which dedicateddevelopment environments can be instantiated orderived for the needs of each development context.Next section will discuss some key elements of theautomotive standard context. The project approachand framework platform are then presented, followedby four short focuses on complementarydevelopment processes:Page 1/10

development environments that meet the needs ofthe various players is a major factor in the controland improvement of productivity, but also the qualityand safety of these products.Setting up such a platform for the automotive domainaccording to AUTOSAR TM orientation is one of thetwo main objectives of EDONA. The second one is astronger integration of safety concerns in thedevelopment process.2.2. The “26262”, an ISO standard on lifecyclemanagement for safety-related electronic systemsISO 26262 is an adaptation of the IEC61508 for theautomotive industry. It has been motivated bylessons learnt from voluntary application of IEC61508 in the automotive industry. They underlinedthat it is not really adapted to real-time embeddedsystems, nor to automotive development and lifecycles. It does not either take into considerationrequirements for manufacturer / supplier relationshipor ‘consumer-goods’ orientation of automotiveproducts.It applies to safety related electrical, electronics andsoftware (E/E) systems installed in road vehicles. Itaddresses hazards caused by safety related E/Esystems due to malfunctions, excluding nominalperformances of active and passive safety systems.One main evolution provided by ISO26262 is theadoption of a customer risk-based approach for thedetermination of the risks at the vehicle level. Thishas lead to provide automotive-specific analysismethods to identify the safety integrity level (ASIL)associated with each undesired effects. These ASILare used for assigning qualitative and quantitativetargets to functions to be implemented by E/Eautomotive systems.The standard provides ASIL-dependentrequirements for the whole lifecycle of E/E system(incl. H/w and S/w components).Impact of safety analysis on the development cycle -(figure from [3])As an ISO standard, the 26262 does not specifyformally whether to use given development orvalidation tools of formalisms. However, therecommendations made for the development of thesafety-related systems emphasize the interest to usemodel based testing techniques and advantages ofusing generation, configuration and calibration toolsto produce the code. Moreover, as for all safetycritical systems, it is clear that compliance to thisstandard requires a tight control of the requirementtraceability along the whole development processand will benefit from using deterministic computationmodels for the highest critical functions andcomponents.Integration of tools and technologies supportingthese formalisms thus becomes the second mainobjective of EDONA.3. EDONA approachObtaining integrated development chains open toseveral leading companies grouped together in acommon approach requires to be based on: a standardization (de facto, commercial ornormative) of the interfaces and formalisms, interfacing upon these standards the commercialand internal tools, and developing complementary component tools tomeet specific needs.It must be accompanied by substantial work on thedata structures and their organizations to enable theconstruction of libraries of reusable components andapplications and to facilitate exchanges betweengroups working on similar projects.The platform should enable the construction of toolchains with easy adaptation and customizationthrough parameters or proprietary extension creationfor companies seeking to automate certain types ofdevelopment (e.g.: engine computers). It must beconstructed in the form of tool components, at a finelevel of granularity. It must ensure sustainabilitythrough the simple ability to change or through thereplacement of application modules whentechnological changes or changes in methodologyoccur, without jeopardizing previous investments inthe applications.EDONA proposes to make possible theimplementation of such tool chains through theconstruction of an open platform for the realization ofbusiness dedicated and modular developmentchains, covering the entire system developmentcycle and adaptable to the different needs of theactors and business of the automotive industry.In parallel, several projects are underway that willprovide bricks for such tools chains either focusedon AUTOSAR TM component based development oron integrating the ISO 26262 in development cycle.EDONA approach is to federate, integrate andcapitalize all these elementary results in order tocombine them into efficient and business dedicatedtool chains.Page 3/10

As illustrated by the following figure, it will intensivelyreuse results from projects implemented inNum@tec Automotive under the System@ticcompetitive cluster either for automotive specifictechnologies (such as: MeMVaTEx, Scarlet,HeCoSim, SysPEO, D2OS [1], [4], [5]), or providinggeneric technologies partly applicable to theautomotive domain (e.g.: Usine Logicielle [6]). It willalso benefit from results of projects developed inother competitive clusters (such as O4A from“Automobile Haut de Gamme” cluster [7] orTOPCASED from Aerospace Valley cluster [8]) or inother collaboration frameworks (such as theOpenEmbeDD platform of RNTL French program,the ATESST IST European project or the TIMMOITEA European project).The EDONA project is located downstream fromthese various projects, and includes the goal ofintegrating for the AUTOSAR TM computers thedifferent outcomes of these projects.EicoseTool specificationsO4AAutosar MetamodelInteroperability ArchitectureUsineLogicielleUML Test Gen.TOPCASEDTramWayRequirement traceability,…IISpec. evolutionsTemporalaspectTIMMOADLEAST-ADL2(AUTOSAR(‏extensionMARTE(‏final‏)‏MARTE (initial) +Fault TolerancexUMLActionLanguageEditorAutomotive(integratedstakes &in(‏Papyrusperpetuation« OPEES »Papyrus modeler(UML & EAST(‏ADLEDONA relation with existing projects and initiativesApproachThe form chosen for the implementation of EDONAis the creation of a reference technology platformand its specialization based on clear specific needsof particular business sectors.Each specialized platform will be built on the threefollowing elements: an expression of needs and functional definitionsdriven by an industrial partner particularlyinterested in the technology, and carried outjointly by different laboratories and industrialpartners; a coherent integration supporting and improvingexisting work processes. Integration isperformed from the generic platform extendedby different tool modules provided by thelaboratories and SMEs (depending ontechnology maturity regarding the objectives andstandard compliance, these tool modules will beavailable at the launch of the project, or resultfrom the projects mentioned above, or will beextended / enhanced during the EDONA projectitself);a full-scale experiment conducted by at leastone industrial for each specific platform.The project will be conducted to enable iterativeintegration and tool chain delivery during its wholeduration (3 years).To be compliant to AUTOSAR TM standard, eachintegrated tool will be associated with its adaptationto the exploitation of AUTOSAR TM architecture anddata format. In addition, to allow compliance withISO 26262 recommendations, a specific focus hasbeen made in order to support model basedvalidation and testing and automatic codegeneration.Page 4/10

Major technical challengesThe EDONA project is a project for integration oftechnology platforms based on the studies, projectsand technologies that are already completed orunderway. We can consider that the majority oftechnical challenges for the realization of theseplatforms have been achieved or will be achieved inthe context of the various “source” projects on whichEDONA is based.Thus, the major challenge is on the integration ofdifferent bricks to provide technologicalenvironments more effective and better tailored tothe needs of different actors. That must beaddressed from two inseparable and complementaryaxes:1: The constitution of a common basis for bothtechnologies (interfaces, formats, communicationservices, management of consistency, etc.) andconcepts (reference meta-models, organizationalelements of development and exchange processes,etc.). The conceptual basis will be built on thestandards of the automotive domain: AUTOSAR TMand ISO 26262. The first defines a technical targetfor the deployment of software components and thesecond criteria for characterizing functions theyprovide according to their levels of criticality. Thehard point here is to trace the design constraints thatarise from these standards in the modeling,validation and production environments, whileensuring maximum independence with the modelingformalisms upstream. This is the role of theintegration platform subproject (WP5).2: Integration and finalization of technological bricksissued by upstream projects and dedicated to theautomotive domain. In particular: introduction of the concept of softwarecomponent (especially in accordance with itsdefinition given by AUTOSAR TM ) in the initialphases of the deployment (design, verification)and in the validation methodologies (simulation,verification, test). This will be addressed in acomprehensive manner by WP1 – Requirementmodeling for AUTOSAR TM components. processing of safety requirements at each stepand setting up of involved technology supports(models, compilers, execution infrastructures,etc.). This item, is processed by the WP2 –Critical system development.integration of the various tools and usedformalisms (such as, Matlab®, C Language,UML) through interoperation interfaces andbridges ensuring semantic consistency ofinformation and correctness of verification /validation or code production. This will beaddressed mainly in WP3 - Functional testing ofMatlab® / Simulink® algorithms. reliable design and validation of automotive HMIis a new topic addressed by Num@tecAutomotive; the challenge is to ensure flexibilityand completeness of the modeling of the HMI, inparticular, on the behavioural aspects and tontegrate it into the development process tools foreffective and incremental validation. It is thpurpose of the WP4 – HMI design case tool.WP 0 - « Management »- Promotion, dissemination andperpetuation strategyTooled upprocessesRequirement modelingfor AUTOSARcomponentsCritical systemdevelopmentFunctionaltesting ofMatlab/Simulink®algorithmsHMIsoftwaredesignworkbenchIndustrialapplicationsWP 1WP 2WP 3WP 4WP 5 - « Interoperation and integration platform »- Requirements definition- Interoperability and interchange architecturefor automotive development processes and toolsEDONA project organisationPage 5/10

4. Integration platformThe general principle of the integration platform is toprovide access to a common storage spaceaccessible by any tool chain from vertical subprojects.Global architectureFor that, the first step is to have a common metamodelto define the data exchanged and integratedbetween the partners in a project for an automotiveelectronics system. It will be built from the existingelements, namely: Incoming AUTOSAR TM meta-model (V3) [2], EAST-ADL 2 meta-model for automotivearchitecture description, defined from UML andSysML meta-models and already aligned to theAUTOSAR TM meta-model [9], [10]. Timing aspects provided by the UML MARTEprofile [11] that will be integrated at variouslevels into both the second phase versions ofAUTOSAR TM meta-model and the next upgradeof EAST-ADL 2 itself. Safety aspects integrating concepts from anUML extension for QoS, Fault Tolerance andSafety Analysis provided by Usine Logicielle [6].They will be integrated also to both the secondphase versions of AUTOSAR TM meta-model andthe next upgrade of EAST-ADL 2. Complex object and GUI definition aspectscoming from the second phase versions ofAUTOSAR TM meta-model, eventually extendedfor the needs of the project.Meta ModelAUTOSAR TMMeta ModelEAST ADL 2EDONA Meta ModelFT&SafetyUML + SysML + MARTEMeta ModelSafetyAspectsMeta ModelTemporalAspectsDefining a global and common conceptual referenceMeta ModelComplexObject, GUIThe technical architecture is based on the EclipseEquinox platform and on EMF as a model repository.It is enhanced through various services specializedfor AUTOSAR TM in the Tool Development Kit issuedfrom O4A and other collaborative projects involvingGeensys. It provides support for automotivecomponent development: Ecore-EMF implementation of AUTOSAR TMmeta-model; Tree AUTOSAR TM Basic Editor; Model Merger: includes consistency verificationof AUTOSAR TM entities defined in multiple files; OCL Rules Checker for model verification andnavigation in AUTOSAR TM context; AUTOSAR TM software component (SWC) Editor; Interface Generator for AUTOSAR TM SWC;This is completed by generic facilities to manipulatemodels and generate code through script-based andtemplate-based technologies. Component descriptionmeta models and APIs OCL rules checker Model mergerTool Development Kit (TDK)AUTOSAR TMMeta ModelEMFTransactionEclipse Rich Client Platform Script-based descriptionmodel manipulation Template-based targetcode generationExisting AUTOSAR TM development toolsIn addition to these AUTOSAR TM dedicated tools,EDONA platform provides a second set of moregeneric tools and tool interoperation bridges, allintegrated to Eclipse and based on EMF repositoryusage. They are issued namely from UsineLogicielle, OpenEmbeDD or TOPCASED projectsand provide, for instance: EAST-ADL2, an Open Source meta-modeldefined as an UML 2 profile [9]; Papyrus, an Open Source UML editor withextensions for SysML, MARTE and EAST-ADL 2profiles [12]; ATL, an Open Source language and engine,from INRIA for model to model transformation[14]; Acceleo®, an Open Source plugin for model totext transformation based on templates andprovided by Obeo []; UML to SCADE Suite® bridge developped byEsterel Technologies in Usine Logicielle projectand integrated to Eclipse and Papyrus [6]. UML to Agatha bridge developped by CEA LISTin Usine Logicielle for automatic test generationfrom UML specification and instantiation at theTTCN-3 format [6].The following figures illustrate with some of theintegrated tools two examples of interoperationarchitecture. On the right part of next figure, anexample is shown of tool interoperation for importingan UML system architecture model into the SCADESuite® tool. In addition, on the left side, the figurePage 6/10

shows the use of Acceleo® for C Misra codeModel interoperationModel specialisationAcceleoModeltotexttransfo.EngineUML toC MisraEAST-ADLMARTEgeneration.SysMLUML to Scadetransfo. rulesATLModeltoModeltransfo.EngineModel exploitationModel basic supportUML2modeler(Papyrus)UML2EMFScademetaMSynchronousData flowmodeler(Scade)Basic tool interoperationExamples of tool interoperation around Eclipse platform and EMF repositoryThe next figure illustrates interoperation for testgeneration. On the right part, it focuses on testgeneration from Matlab® models:1. Models are created with the Matlab® editorunder the constraint of making the modelanalyzable through formal execution;2. They are imported in Eclipse-EMF andtranslated into an intermediate model based onextended finite state machines (EFSM);3. This intermediate model is exploited by theAgatha test generator;4. Results are translated into the adequate outputformat, e.g.: in the TTCN-3 format as done inthe Usine Logicielle project and proposed forAUTOSAR TM implementation testing [6].Model interoperationEFSM toTTCN3UML toEFSMMatlab toEFSMModel specialisationUMLforanalysablerequir.MatlabanalysablesubsetModel exploitationModel basic supportTestGenerator(Agatha)UML2modeler(Papyrus)EFSMmetamodelUML2metaMEMFMatlabMetaMMatlabeditorBasic tool interoperationTool interoperation example for model based testing5. Business instantiations of the platformThe EDONA platform is used as a basis to builddedicated tool chains for particular purposes andcontext usages. Four of them have been defined inthe project. This initial set of tool chains will beenriched later by additional focused projects andplatform promotion activities.5.1 From requirements to AUTOSAR componentarchitecturesThe first vertical sub-project aims to provide acoherent and continuous tool chain for modelingrequirements and refining models starting at a highlevel and until obtaining a detailed architecturedescription in terms of AUTOSAR TM componentsready for deployment. This will be achieved throughthe integration of a range of existing tools and resultsof ongoing projects and, in particular, through theindustrial transfer of an open source modelersupporting the EAST-ADL2 architecture descriptionlanguage resulting from the project IST ATESST.EAST-ADL2 aims coverage of the needs andviewpoints specific to the automotive trades frommodeling requirements to the implementationmodels. At the implementation level it is based onthe AUTOSAR TM meta-model. This standard coversthe last steps of the development process. Itsentities populate architectures at the ImplementationLevel and are referenced from higher levels byrequirements, variability constructs or traceabilityPage 7/10

elations. The behavioral semantics of EAST-ADL2has been adapted to match the AUTOSARbehavioral concepts.VehicleLevelAnalysisLevelDesignLevelImplement.LevelOperationalLevelEnvironment ModelVehicleFeatureModelAnalysisArchitectureFunctionalAnalysisArchitectureDesignArchitectureFunctionalDesignArchitectureBasicSWImplementationArchitectureArchitecture-ApplicationSWArchitectureAUTOSAR - AUTOSAR TMTMEAST ADL2 System ModelHardwareArchitecture-AUTOSAR TMAUTOSAR TM - OperationalArchitecture – OS – COM – MWRelations between EAST-ADL and AUTOSAR TMTechnically, the EAST-ADL 2 language isconstructed in the form of a dedicated UML profilebased on the AUTOSAR TM meta-model [10]. Themodeler itself was developed by the CEA LIST onthe basis of the open source UML 2 modeler,Papyrus [12]. EDONA will ensure tight interoperationbetween the EAST-ADL 2 modeler and AUTOSAR TMauthoring tool, in order to be able to generate anexecutable application with the platform.The management of refining models of requirementsand traceability will be achieved by integration ofRNTL MemVaTEx project results [13]. MemVaTExdevelops a requirement modeling and traceabilitymethodology that will be aligned for using EAST-ADL 2. The TRAMway tool under development in theTOPCASED project will equip this traceability [8].This is extended by the integration of complementaryelements: analyzing model schedulability (this item willbenefit from the results related to thestandardization of MARTE and results of theITEA project TIMMO) [17]; extending the architecture description languageto integrate real-time deterministic specificationsaccording to the OASIS technology used in WP2for the development of safety critical systems. formalisation of heterogeneous execution modelfor simulation or formal analysis on basis of theUML profile for modeling computation andcommunication models [6], [16], [18]. studying the ability to generate tests from EAST- ADL2 architecture models havingheterogeneous component modeling formalisms;this is based on results from Usine Logicielle [6](test generation from UML models), WP3 (testgeneration from Matlab® models) and HeCoSim(Heterogeneous component simulation) [5].5.2 Safety critical system designThe purpose of WP2 is to ensure the safeimplementation of a specification of critical functions.Implementation will be based on the OASIS toolchain developed by the CEA LIST [19] providing atime deterministic programming model andlanguage, an optimized compiler and safe executionwith its kernel. This approach is complementedaccording to several points of view:Because the specifications provided for theapplications are already established in Matlab® /Simulink®, bridges between specificationexpressed in Matlab® / Simulink® and theOASIS programming language will be developedby Monditech. The Matlab® / Simulink® implementation modelis based on a model of the computingenvironment: it is used at design time forsimulating the execution of real-timeapplications, in order to analyze their dynamics.Threfore, the current environmental models, asprovided by Sherpa Engineering, must beupgraded in order to provide AUTOSAR TMcompliant computing and I/0 models. At the machine implementation level, it remainsnecessary to check the resolution and accuracyof the digital processing technology compared tothe original specifications.This last point can be analyzed using CEA LIST'sapproach implemented in the Fluctuat tool [20]. Itallows assessment of resolution/accuracyconstraints propagated in a program, namely, in aformat like Matlab® / Simulink® after its translationinto C. These resolution constraints typically comefrom accuracy constraints identified in the functionaldesign.5.3 Early validationThe WP3 sub-project aims to integrate a set of toolsto achieve validation of Matlab® / Simulink® models.They will establish test cases of both discrete andcontinuous models developed and implemented onAUTOSAR TM calculators. This work is totallycomplementary to those of WP2 by focusing onfunctional and structural validation instead of on theverification of the accuracy of digital processing.The technical approach adopted has beendeveloped by the CEA LIST and implemented in theAGATHA tool [21]. It consists of using formaltechniques (such as symbolic execution) to buildautomated simulation scenarios (or concrete tests)and representative behaviors of the system, and todemonstrate certain properties on the models tested.Completeness of the simulation can be reached,because the "partitioning" directed by symbolicexecution on all possible simulations avoids thecombinatorial explosion which might have occurredwhen using the methods of traditional numericalsimulation [22].The proposed work is the integration of symbolicsimulation on the fully discrete or hybrid model todeal with realistic models as built by the automotivePage 8/10

The virtuous triangleAt least 32 technologies (components tools) will beintegrated, transferred or developed in a context ofstrong industrial exploitation, with: 10 transfer oftechnology from laboratories; 15 innovations fromtechnology providers; 3 innovations fromlaboratories; 4 common innovations from a joinedwork of the whole consortium. 13 of thesetechnologies are foreseen to be exploited throughopen source or EDONA common source strategycreating a strong link between the project consortiumand existing or emerging open source communitiesin the domain of embedded systems development,locally like the OPEES initiative or more widely withthe Eclipse community. This is the challenge to beaddressed in the next 3 years.7. AcknowledgementsThe authors acknowledge the contribution of allEdona project partners and especially from the subprojectleaders and project steering committeemembers: L. Tossa (PSA – WP5), B. Sanchez(Continental – WP1), K. Maaziz (Delphi – WP2), P.Le Corre (Johnson Control – WP3), H. Dufau(Visteon – WP4), M. Frouin (Geensys – WP5).Edona is partially funded by: “Direction générale desEntreprises” from the French Ministry of Industry,“Region Ile de France”, “Conseil général desYvelines”, “Conseil général de l’Essonne“, “Conseilgénéral des Hauts-de-Seine”, “Conseil général duVal d’Oise“.8. References[1] www.numatec-automotive.com[2] www.autosar.com[3] Matthias Findeis, Ilona Pabst: Functional Safety inthe Automotive Industry, Process and methods,VDA Alternative Refrigerant Winter Meeting,Saalfelden, Austria, 16-02-2006 - http://www.vdawintermeeting.de[4] www.memvatex.org (Modeling Methods forValidation and Traceability of softwareRequirements)[5] projet-hecosim.org (Heterogeneous co-simulation &Hybrid simulation of Systems)[6] www.usine-logicielle.org (Tool platform for modeldriven design, validation and component basedexecution of complex systems)[7] www.poleautomobilehautdegamme.org (project“Open for AutoSar” – O4A)[8] www.topcased.org (Open Source developmentenvironment for embedded systems)[9] www.atesst.org (Enhancing the EAST-ADLarchitecture description language for safety relatedsystem design upon AUTOSAR TM )[10] P. Cuenot et al.: Managing Complexity ofAutomotive Electronics Using the EAST-ADL.. inproc IEEE ICECCS, Los Alamitos, CA, USA,August 2007.[11] www.omgmarte.org (UML profile for Modeling andanalyzing Real Time Embedded systems)[12] www.papyrus-uml.org (Open UML 2 modeling tool)[13] A. Albinet, et al.: Model-based methodology forrequirements traceability in embedded systems, 3rdECMDA workshop on traceability, June 07, Haifa,Israel[14] www.eclipse.org/m2m/atl (Model to modeltransformation engine)[15] www.acceleo.org (Model to code transformationengine)[16] www.thesys.eu.org (Tackling heterogeneity forembedded system development)[17] H. Espinoza et al.: Towards a UML-BasedModeling Standard for Schedulability Analysis ofReal-Time Systems, in proc of MARTES Workshopat MODELS Conference, 2006, Jamaica.[18] C. Hardebolle et al.: Execution Framework forModels of Computation, in proc. MOMPES, Braga,Portugal, 31 mars 2007[19] D. Chabrol et al.: Deterministic Distributed Safety-Critical Real-Time Systems within the OasisApproach, in proc. PDCS 2005, Phoenix, AZ, USA,nov. 2005.[20] S. Putot, et al.: Static Analysis of the Accuracy inControl Systems: Principles and Experiments, inproc. FMICS 2007, Berlin, Germany, July 2007.[21] C Gaston, et al.: Symbolic execution techniques fortest purpose definition, in proc. TestCom 2006,Springer - LNCS 3964.[22] S. Labbé, et al.: Slicing Communicating AutomataSpecifications for Efficient Model Reduction, inproc. ASWEC'07, Australia, 2007.[23] www.intempora.fr/maps (RTMaps® executionengine for advance HMI)[24] www.esterel-technologies.com (Scade Suite andScade Display development environments)Page 10/10