Lightweight Real-Time Operating Systems have gained widespread use in implementing embedded software on lightweight nodes. However, bare metal solutions are chosen, e.g., when the reactive (interrupt-driven) paradigm better matches the programmer’s intent, when the OS features are not needed, or when the OS overhead is deemed too large. Moreover, other approaches are used when real-time guarantees are required. Establishing real-time and resource guarantees typically requires expert knowledge in the field, as no turn-key solutions are available to the masses.In this paper we set out to bridge the gap between bare metal solutions and traditional Real-Time OS paradigms. Our goal is to meet the intuition of the programmer and at the same time provide a resource-efficient (w.r.t. CPU and memory) implementation with established properties, such as bounded memory usage and guaranteed response times. We outline a roadmap for Real-Time For the Masses (RTFM) and report on the first step: an intuitive, platform-independent programming API backed by an efficient Stack Resource Policy-based scheduler and a tool for kernel configuration and basic resource and timing analysis.

The IEC 61499 standard provides means to specify distributed control systems in terms of function blocks. For the deployment, each device may hold one or many logical resources, each consisting of a function block network with service interface blocks at the edges. The execution model is event driven (asynchronous), where triggering events may be associated with data (and seen as a message). In this paper we propose a low complexity implementation technique allowing to asses end-to-end response time of event chains spanning a networked devices. Based on a translation of IEC 61499 to RTFM-tasks and resources, the response time for each task in the system can be derived using established scheduling techniques. In this paper we develop a method to provide safe end-to-end response time taking both intra- and inter-device delivery delays into account. As a use case we study the implementation onto (single-core) ARMcortex based devices communicating over a switched Ethernet network. For the analysis we define a generic switch model, and an experimental setup allowing us to study the impact of network topology as well as 802.1Q quality of service in a mixed critical setting. Our results indicate that safe sub milli-second end-to-end response times can be obtained using the proposed approach.

The IEC 61499 standard provides means to specify distributed control systems in terms of function blocks. For the deployment, each device may hold one or many logical resources, each consisting of a function block network with service interface blocks at the edges. The execution model is event driven (asynchronous), where triggering events may be associated with data (and seen as messages). In this paper, we propose a low complexity implementation technique allowing to assess end-to-end response times of event chains spanning over a set of networked devices. Based on a translation of IEC 61499 to RTFM1-tasks and resources, the response time for each task in the system at device-level can be derived using established scheduling techniques. In this paper, we develop a holistic method to provide safe end-to-end response times taking both intra- and inter-device delivery delays into account. The novelty of our approach is the accuracy of the system scheduling overhead characterization. While the device-level (RTFM) scheduling overhead was discussed in previous works, the network-level scheduling overhead for switched Ethernets is discussed in this paper. The approach is generally applicable to a wide range of COTS Ethernet switches without a need for expensive custom solutions to provide hard real-time performance. A behavior characterization of the utilized switch determines the guaranteed response times. As a use case, we study the implementation onto (single-core) ARMcortex based devices communicating over a switched Ethernet network. For the analysis, we define a generic switch model and an experimental setup allowing us to study the impact of network topology as well as 802.1Q quality of service in a mixed critical setting. Our results indicate that safe sub millisecond end-to-end response times can be obtained using the proposed approach.

In an embedded system, functions often operate under different requirements. In the extreme, a failing safety critical function may cause collateral damage (and hence consider to be a system failure) while non critical functions affect only the quality of service. Approaches by partitioning the system's functions into sandboxes require virtualization mechanisms by the underlying platform and thus prohibit deployment to the bulk of microcontroller based systems. In this paper we discuss an alternative approach based on static semantic analysis performed directly on the system specification expressed in the form of an object oriented (00) model in the experimental language RTFM-lang. This would allow to (at compile time) to discriminate in between critical and non-critical functions, and assign these (by means of statically checkable typing rules) appropriate access rights. In particular, one can imagine dynamic memory allocations to be allowed only in non-critical functions, while on the other hand, direct interaction with the environment may be restricted to the critical parts. With respect to scheduling, a static task and resource configuration allows e.g. Stack Resource Policy (SRP) based approaches to be deployed. In this paper we discuss how this can be achieved in a mixed critical setting.

Real-Time For the Masses (RTFM) is a set of languages andtools being developed to facilitate embedded software developmentand provide highly ecient implementations gearedto static verication. The RTFM-kernel is an architecturedesigned to provide highly ecient and predicable Stack ResourcePolicy based scheduling, targeting bare metal (singlecore)platforms.We contribute by introducing a platform independent timerabstraction that relies on existing RTFM-kernel primitives.We develop two alternative implementations for the ARMCortex-M family of MCUs: a generic implementation, usingthe ARM dened SysTick/DWT hardware; and a targetspecic implementation, using the match compare/free runningtimers. While sacricing generality, the latter is moreexible and may reduce overall overhead. Invariants for correctnessare presented, and methods to static and run-timeverication are discussed. Overhead is bound and characterized.In both cases the critical section from release timeto dispatch is less than 2us on a 100MHz MCU. Queue andtimer mechanisms are directly implemented in the RTFMcorelanguage (-core in the following) and can be includedin system-wide scheduling analysis.

Robustness, real-time properties and resource eciency arekey properties to embedded devices of the CPS/IoT era. Inthis paper we propose a language approach RTFM-core,and show its potential to facilitate the development processand provide highly ecient implementations amendablefor static verication. Our programming model is reactive,based on the familiar notions of concurrent tasksand (single-unit) resources. The language is kept minimalistic,capturing the static task, communication and resourcestructure of the system. Whereas C-source can be arbitrarilyembedded in the model, and/or externally referenced,the instep to mainstream development is minimal, and asmooth transition of legacy code is possible. A prototypecompiler implementation for RTFM-core is presented. Thecompiler generates C-code output that compiled togetherwith the RTFM-kernel primitives runs on bare metal. TheRTFM-kernel guarantees deadlock-lock free execution andeciently exploits the underlying interrupt hardware forstatic priority scheduling and resource management underthe Stack Resource Policy. This allows a plethora of wellknownmethods to static verication (response time analysis,stack memory analysis, etc.) to be readily applied. The proposedlanguage and supporting tool-chain is demonstratedby showing the complete process from RTFM-core sourcecode into bare metal executables for a light-weight ARMCortexM3 target.

Function Blocks provides a means to model andprogram industrial control systems. The recently acclaimed IEC61499 standard allows such system models to be partitioned andexecuted in a distributed fashion. At device level, such models aretraditionally implemented onto programmable logic controllersthat underneath have an operating system and a softwarerun-time environment which implies high resource demands.However, there is a current trend to involve small embeddedsystems (so called Internet of Things devices) integrated into suchdistributed control systems. To this end, we seek to address theoutsets for real-time execution of Function Block based designsonto light-weight controllers (MCUs) with limited resources(memory and CPU). Furthermore, we propose a mapping ofthe Function Block execution semantics onto the RTFM-kernel,and discuss opportunities for off-line (design time) analysis withrespect to response time, overall schedulability and memoryrequirements.

Function Blocks provides a means to model andprogram industrial control systems. The recently acclaimed IEC61499 standard allows such system models to be partitioned andexecuted in a distributed fashion. At device level, such models aretraditionally implemented onto programmable logic controllersand industrial PCs. In this paper, we discuss work in progresson developing a mapping allowing to implement a subset of IEC61499 models onto light-weight embedded devices (MCUs). Wepropose and detail an event semantics, and its mapping to thenotions of tasks and resources for Stack Resource Policy basedanalysis and scheduling. Moreover, we show how the proposedmapping can be efficiently implemented under the RTFM-kernel.Finally we outline a prototype tool-chain and discuss related,ongoing and future work.

Robustness, real-time properties and resource efficiency are key properties to embedded devices of the CPS/IoT era. In this paper we propose a language approach RTFMcore, and show its potential to facilitate the development process and provide highly efficient and statically verifiable implementations. Our programming model is reactive, based on the familiar notions of concurrent tasks and (single-unit) resources. The language is kept minimalistic, capturing the static task, communication and resource structure of the system. Whereas C-source can be arbitrarily embedded in the model, and/or externally referenced, the instep to mainstream development is minimal, and a smooth transition of legacy code is possible. A prototype compiler implementation for RTFM-core is presented. The compiler generates C-code output that compiled together withtheRTFM-kernelprimitivesrunsonbaremetal.TheRTFMkernel guarantees deadlock-lock free execution and efficiently exploits the underlying interrupt hardware for static priority scheduling and resource management under the Stack Resource Policy. This allows a plethora of well-known methods to static verification (response time analysis, stack memory analysis, etc.) to be readily applied. The proposed language and supporting tool-chain is demonstrated by showing the complete process from RTFM-core source code into bare metal executables for a lightweight ARM-Cortex M3 target.

The mainstream of embedded software development as of today is dominated by C programming. To aid the development, hardware abstractions, libraries, kernels and lightweight operating systems are commonplace. Such kernels and operating systems typically impose a thread based abstraction to concurrency. However, in general thread based programming is hard, plagued by hazards of race conditions and dead-locks. For this paper we take an alternative outset in terms of a language abstraction, RTFM-core, where the system is modelled directly in terms of tasks and resources. In compliance to the Stack Resource Policy (SRP) model, the language enforces (well formed) LIFO nesting of claimed resources, thus SRP based analysis and scheduling can be readily applied. For the execution onto bare-metal single core architectures, the rtfm-core compiler performs SRP analysis on the model, and render an executable that is deadlock free and (through RTFM-kernel primitives) exploits the underlying interrupt hardware for efficient scheduling. The RTFM-core language embeds C-code and links to C-object files and libraries, and is thus applicable to the mainstream of embedded development. However, while the language enforces well formed resource management, control flow in the embedded C-code may violate the LIFO nesting requirement, thus correctness is left with the programmer to ensure well formed nesting (through restricted control flow). In this paper we address this issue by lifting a subset of C into the RTFM-core language allowing arbitrary control flow at the model level. In this way well formed LIFO nesting can be enforced, and models ensured to be correct by construction. We demonstrate the feasibility trough a prototype implementation in the rtfm-core compiler. Additionally, we develop a set of running examples, and show in detail how control flow is handled at compile time and during run-time execution.

The IEC 61499 standard provides an executable model for distributed control systems in terms of interacting function blocks. However, the current IEC 61499 standard lacks appropriate timing semantics for the specification of timing requirements, reasoning on timing properties at the model level, and for the timing verification of a specific deployment. In this paper we address this fundamental shortcoming by proposing Real-Time-4-FUN, a real-time semantics for IEC 61499. The key property is the preservation of non-determinism, allowing us to reason on (and verify) timing properties at the model level without assuming any specific scheduling policy or stipulating specific order of execution for the deployment. This provides for a clear separation of concerns, where the designer can focus on properties of the application prior to, and separately from, deployment verification. The proposed timing semantics is backwards compatible to the current standard, thus allow for reuse of existing designs. The transitional property allows timing requirements to propagate to downstream sub-systems, and can be utilized for scheduling both at device and network level. Based on a translation to RTFM-tasks and resources, IEC 61499 the models can be analyzed, compiled and executed. As a proof of concept the timing semantics has been experimentally implemented in the RTFM-core language and the accompanying (thread based) RTFM-RT run-time system.

The IEC 61499 standard proposes an event driven execution model for distributed control applications for which an informal execution semantics is provided. Consequently, run-time implementations are not rigorously described and therefore their behavior relies on the interpretation made by the tool provider. In this paper, as a step towards a formal semantics, we focus on the Execution Control Chart semantics, which is fundamental to the dynamic behavior of Basic Function Block elements. In particular we develop a well-formedness criterion that ensures a finite number of Execution Control Chart transitions for each triggering event. We also describe the first step towards the mechanization of the well-formedness checking algorithm in the Coq proof-assistant so that, ultimately, we are able to show, once andforall,thatthisalgorithmiseffectivelycorrectwithrespectto our proposed execution semantics. The algorithm is extractable from the mechanization in a correct-by-construction way, and can be directly incorporated in certified toolchain for analysis, compilation and execution of IEC 61499 models. As a proof of concept a prototype tool RTFM-4FUN has been developed. It performs well-formedness checks on Basic Function Blocks using the extracted algorithm’s code.

Concurrent programming is dominated by threadbased solutions with lock based critical sections. Careful attentionhas to be paid to avoid race and deadlock conditions. Real-Timefor The Masses (RTFM) takes an alternative language approach,introducing tasks and named critical sections (via resources)natively in the RTFM-core language. RTFM-core programs canbe compiled to native C-code, and efficiently executed ontosingle-core platforms under the Stack Resource Policy (SRP)by the RTFM-kernel. In this paper we formally define thewell-formedness criteria for SRP based resource management,and develop a certified (formally proven) implementation ofthe corresponding compilation from nested critical sections ofthe input RTFM-core program to a resulting flat sequence ofprimitive operations and scheduling primitives. Moreover weformalise the properties for resource ceilings under SRP anddevelop a certified algorithm for their computation.The feasibility of the described approach is shown throughthe adoption of the Why3 platform, which allows the necessaryverification conditions to be automatically generated and dischargedthrough a variety of automatic external SMT-solversand interactive theorem provers. Moreover, Why3 supports theextraction of certified Ocaml code for proven implementationsin WhyML. As a proof of concept the certified extracteddevelopment is demonstrated on an example system.

The IEC 61449 standard provides an outset for designing and deploying distributed control systems. Recently, a mapping from IEC 61499 to the RTFM-kernel API has been presented. This allows predictable real-time execution of IEC 61499 applications on light-weight single-core platforms. However, integrating the RTFM-kernel (bare-metal runtime) into potential deployments requires developing device drivers, protocol stacks, and the like. For this presentation, we apply the mapping from IEC 61499 to the RTFM-MoC task and resource modelimplementedbytheRTFM-corelanguage.Thecompilation from RTFM-core can be targeted to both, RTFM-kernel and the introduced runtime system RTFM-RT. In this paper, we detail thegenericRTFM-RTruntimearchitecture,whichallowsRTFMcore programs to be executed on top of thread based environments. Furthermore, we discuss our implementation regarding scheduling specifics of Win32 threads (Windows) and Pthreads (Linux and Mac OS X). Using our RTFM-RT implementation for deployment,predictableIEC61499executiontogetherwithaccess to abovementioned operating system functions are achieved. For further developments, we discuss the needed scheduling options to achieve hard real-time and analysis required to eliminate deadlocks.

Studies about the industrial standard IEC 61499 and its relation to the RTFM Model of Computation represent the basis of this thesis. An overview of industrial automation software in general and in the scope of Svenska Kraftnät introduces the subject of software related issues. The thesis focuses on selected properties, which are important for software development to improve the robustness of industrial automation software. Among others, timing is essential due to its importance in real-time applications. An example case of the nuclear power plant Forsmark in Sweden illustrates problems correlated with timing issues and makes the lack of an overall system modelling (including timing) evident. A review of the relevant industrial standards for software development in industrial applications provides a background for various aspects of software compliance to safety requirements. Special attention lies on the standards IEC 61131 and IEC 61499 for industrial software development and their programming and execution model. The presented RTFM framework defines a concurrent model of execution based on tasks and resources together with a timing semantics that was designed from the outset for the development of embedded real-time systems. It can serve as a scheduling and resource management for the run-time environments of industrial applications, while addressing the aforementioned issues. Mappings from the functional layer (IEC 61499 function block networks) and safety layer (PLCopen safety function blocks) to RTFM show the applicability and possibility of using IEC 61499 as an overall, distributed, and hierarchical model. A discussion on options for future work presents choices to pursue the second half of the PhD studies. Formal methods for program specification and verification open up an interesting path to further increase the robustness of industrial automation software.

The focus of our research work is on readily accessible, embedded, real-time development with concurrency support. To this end, we develop the Real-Time For the Masses (RTFM) programming framework with a model of computation based on tasks and resources and that stipulates a timing semantics. Typically, hard real-time requirements are a characteristic of safety-critical applications. In contrast to runtime verification, such applications primarily require static assurances concerning safety and security attributes. This thesis discusses the building blocks for a statically analyzable programming paradigm for embedded real-time applications and its implementation. Svenska kraftnät funded the research presented in this thesis and set the scope to industrial automation. Consequently, we also investigate the applicability of our RTFM framework for scheduling and resource management for the runtime environments of industrial applications. We start by reviewing relevant and well-established industry standards to build background knowledge of the state-of-the-art safety and security requirements in software development. Special attention is placed on the IEC 61131 and IEC 61499 standards for industrial software development and their programming and execution model. We show the feasibility of using IEC 61499 as a holistic, distributed, and hierarchical model with mappings from the functional layer (IEC 61499 function block networks) and safety layer (PLCopen safety function blocks) to RTFM. We also demonstrate that our Rust-based RTFM implementation enables static verification for a myriad of safety and security attributes. Moreover, our investigations reveal a mutual dependency of safety and security in the context of software systems. For this reason, we believe and argue that safety and security cannot be considered independent during the design and implementation of safety-critical applications. Upon closer examination, we even conclude that safety and security are equivalent.

C programming dominates the mainstream of embedded development as of today. To aid the development, hardware abstractions, libraries, kernels, and light-weight operating systems are commonplace. However, these typically offer little or no help to automatic worst-case execution time (WCET) estimation, and thus manual test and measurement based approaches remain the de facto standard. For this paper, we take the outset from the Real-Time For the Masses (RTFM) framework, which is developed to facilitate embedded software development for IoT devices and provides highly efficient implementations, suitable to the mainstream of embedded system design. Although the Rust language plays currently a minor part in embedded development, we believe its properties add significant improvements and thus implement our RTFM framework in Rust. We present an approach to worst-case execution time estimation in the context of RTFM tasks and critical sections, which renders sufficient information for further response time and schedulability analysis. We introduce our test bench, which utilizes the KLEE tool for automatic test vector generation and subsequently performs cycle accurate hardware-in-the-loop measurements of the generated tests. The approach is straightforward and fully automatic. Our solution bridges the gap in between measurement based and static analysis methods for WCET estimation. We demonstrate the feasibility of the approach on a running example throughout the paper and conclude with a discussion on its implications and limitations.

The course in Compiler Construction is part of the ComputerScience second cycle curriculum at Lulea Universityof Technology (LTU). Starting this year, the course is nowto be given by the Embedded Systems group at LTU. Thispaper outlines the course syllabus, and its relation to CPS/IoT and embedded systems in general. In particular, thecourse will now introduce domain specic language designwith the outset from the RTFM-core language. Studentswill be exposed to design choices for the language, spanningfrom programming model, compiler design issues, backendtools and even run-time environments. The intention is togive a holistic perspective, and motivate the use of compilationtechniques towards robust, ecient and veriable (embedded)software. Of course, developing basic skills will notbe overlooked, and as part of the laboratory assignments,students will extend the minimalistic Object Oriented languageRTFM-cOOre and develop the compiler accordinglytargeting the RTFM-core language as an intermediate representation.As the RTFM-core/-cOOre compilers are implementedunder OCaml/Menhir, the students will be exposedto the advantages of functional languages in the contextof compiler construction. However, for their own developmentthey may choose alternative design tools and languages(such as ANTLR/Java). This will give us the opportunityto review and correlate achievements and eciencyto the choice of tools and languages and be an outset forfuture course development.

The course in Compiler Construction is part of the Computer Science masters program at Luleå University of Technology (LTU). Since the fall of 2014, the course is given by the Embedded Systems group. This paper outlines the course syllabus and its relation to CPS/IoT and embedded systems in general. In particular, the course introduces domain specific language design with the outset from the imperative RTFM-core language. Students are exposed to design choices for the language, spanning from programming model, compiler design issues, back-end tools, and even runtime environments. The intention is to give a holistic perspective and motivate the use of compilation techniques towards robust, efficient, and verifiable (embedded) software. Of course, developing basic skills is not overlooked and as part of the laboratory assignments, students extend the min-imalistic Object Oriented language RTFM-cOOre and develop the compiler accordingly targeting the RTFM-core language as an intermediate representation. As the RTFM-core/-cOOre compilers are implemented using OCaml/Men-hir, the students are also exposed to functional languages and to their advantages in the context of compiler construction. However, for their own development they may choose alternative design tools and languages. This gives us the opportunity to review and correlate achievements and efficiency to the choice of tools and languages and it is an outset for future course development.

Embedded systems for critical applications are typicallyspecified with requirements on predictable timing andsafety. While ensuring predictable timing, the RTFM-lang (Real-Time For the Masses) model of computation (MoC) currentlylacks memory access protection among real-time tasks. In thispaper, we discuss how to safely verify task execution given aspecification using the RTFM-MoC. Furthermore, an extensionto the RTFM-core infrastructure is outlined and tested with usecases of embedded development. We propose a method for runtime verification exploiting memory protection hardware. Forthis purpose, we introduce memory resources to the declarativelanguage RTFM-core allowing compliance checks. As a proofof concept, compiler support for model analysis and automaticgeneration of run time verification code is implemented togetherwith an isolation layer for the RTFM-kernel. With this verificationfoundation, functional run time checks as well as furtheroverhead assessments are future research questions.

Embedded systems are commonplace, often with real-time requirements, limited resources and increasingly complex workloads with high demands on security and reliability. The complexity of these systems calls for extensive developer experience and many tools has been created to aid in the development of the software running on such devices. One of these tools, the Real-Time For the Masses (RTFM) concurrency framework developed at Luleå University of Technology (LTU), is built upon a pre-existing, well established and theoretically underpinned execution model providing deadlock free execution and strong guarantees about correctness. The framework is further enhanced by the memory safety provided by Rust, a modern systems programming language. This thesis documents the work done towards improving the framework by studying the possibility to make it extendable. For this, a model of the present layout is required, which in turn requires a solid understanding of Rust's way to structure code. To realise such a large structural change it was advisable to join the open-source RTFM community as a core developer. This role included new responsibilities and required work within different areas of the framework, not only directly related to the primary goal. It also provided the insight that in order to reach the desired extendable structure, many other improvements had to be done first, including the removal of large experimental features. To aid the development, usage of state of the art Continuous Integration testing (CI) were key. Changes to such systems are also part of the development process. The name of the project changed in the middle of this thesis work, going from RTFM to Real-Time Interrupt-driven Concurrency (RTIC). The implemented features and usability fixes detailed in this thesis improves the user experience for embedded system developers resulting in increased productivity while making the development process of such systems more accessible. These general improvements will be part of the next release of the framework. A version v0.6.0-alpha.0 of the framework has been released for testing. The experiences gained related to open-source project governance during this work are also presented.