Validation of Safety-Critical Systems with AADL



Similar documents
Methods and Tools For Embedded Distributed System Scheduling and Schedulability Analysis

Model-Based Software Quality Assurance with the Architecture Analysis and Design Language

System Architecture Virtual Integration: An Industrial Case Study

Presentation of the AADL: Architecture Analysis and Design Language

174: Scheduling Systems. Emil Michta University of Zielona Gora, Zielona Gora, Poland 1 TIMING ANALYSIS IN NETWORKED MEASUREMENT CONTROL SYSTEMS

Trends and New Directions in Software Architecture

Mixed-Criticality Systems Based on Time- Triggered Ethernet with Multiple Ring Topologies. University of Siegen Mohammed Abuteir, Roman Obermaisser

Predictable response times in event-driven real-time systems

METHOD & TOOLS TO SECURE AND SUPPORT COLLABORATIVE ARCHITECTING OF CONSTRAINED SYSTEMS

Proactive, Resource-Aware, Tunable Real-time Fault-tolerant Middleware

SAVI Behavior Model Integration Virtual Integration Process

Requirements Engineering Management Findings Report

Applying 4+1 View Architecture with UML 2. White Paper

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

Making Multicore Work and Measuring its Benefits. Markus Levy, president EEMBC and Multicore Association

AADL et la conception des logiciels

Safety Issues in Automotive Software

Advanced Operating Systems (M) Dr Colin Perkins School of Computing Science University of Glasgow

Study on Real-Time Test Script in Automated Test Equipment

Lecture 3 - Model-based Control Engineering

SCADE System Technical Data Sheet. System Requirements Analysis. Technical Data Sheet SCADE System

Chapter 13 Embedded Operating Systems

StreamStorage: High-throughput and Scalable Storage Technology for Streaming Data

ELEC 5260/6260/6266 Embedded Computing Systems

Automotive System and Software Architecture

Trends in Embedded Software Engineering

A Model-Based Design Methodology with Contracts to Enhance the Development Process of Safety-Critical Systems

Partition Scheduling in APEX Runtime Environment for Embedded Avionics Software

Weighted Total Mark. Weighted Exam Mark

Study Plan Masters of Science in Computer Engineering and Networks (Thesis Track)

ARINC-653 Inter-partition Communications and the Ravenscar Profile

R&D and Topcased (led by Silvia Mazzini)

Chapter 11 I/O Management and Disk Scheduling

AFDX Emulator for an ARINC-based Training Platform. Jesús Fernández Héctor Pérez J. Javier Gutiérrez Michael González Harbour

Customer Experience. Silicon. Support & Professional Eng. Services. Freescale Provided SW & Solutions

Safety Analysis and Certification of Open Distributed Systems. P. M. Conmy; Department of Computer Science, University of York, York, YO10 5DD U.K.

Real-Time Operating Systems.

Trends and New Directions in Software Architecture

RETIS Lab Real-Time Systems Laboratory

SCADE Suite in Space Applications

Using Multipathing Technology to Achieve a High Availability Solution

The Microsoft Windows Hypervisor High Level Architecture

Advanced Electronic Platform Technologies Supporting Development of Complicated Vehicle Control Software

Architectures for Distributed Real-time Systems

Certification Authorities Software Team (CAST) Position Paper CAST-13

Overview. Stakes. Context. Model-Based Development of Safety-Critical Systems

A distributed approach to File Management in IMA2G

White Paper. How Streaming Data Analytics Enables Real-Time Decisions

Chap 1. Introduction to Software Architecture

Architecture Description Languages

System Software and TinyAUTOSAR

Notes and terms of conditions. Vendor shall note the following terms and conditions/ information before they submit their quote.

Recommendations for Performance Benchmarking

4. Fixed-Priority Scheduling

Software Stacks for Mixed-critical Applications: Consolidating IEEE AVB and Time-triggered Ethernet in Next-generation Automotive Electronics

Safe Automotive software architecture (SAFE) WP3 Deliverable D3.6.b: Safety Code Generator Specification

Best Practices for Verification, Validation, and Test in Model- Based Design

Real-time Operating Systems. VO Embedded Systems Engineering Armin Wasicek

White Paper. Real-time Capabilities for Linux SGI REACT Real-Time for Linux

ARINC 653. An Avionics Standard for Safe, Partitioned Systems

Frameworks of Process Improvement for Mobile Applications

EMBEDDED SOFTWARE DEVELOPMENT: COMPONENTS AND CONTRACTS

POSIX. RTOSes Part I. POSIX Versions. POSIX Versions (2)

Technical Report CMU/SEI-88-TR-024 ESD-TR

The SPES Methodology Modeling- and Analysis Techniques

Safety and Security Features in AUTOSAR

TASTE: A Real-Time Software Engineering Tool-Chain Overview, Status, and Future

F-16 Modular Mission Computer Application Software

Designing Real-Time and Embedded Systems with the COMET/UML method

Lecture 9 Modeling, Simulation, and Systems Engineering

Enterprise Applications

Certification Authorities Software Team (CAST) Position Paper CAST-9

Real Time Developer Studio. Emmanuel Gaudin

Boeing B Introduction Background. Michael J. Morgan

ATC Case Study. Air Traffic Control Case Study. ATC Requirements. SE380-F'02-Lecture 17 11/4/ by Eric A. Durant, Ph.D. 1.

Extending AADL for Security Design Assurance of the Internet of Things

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

HP Smart Array Controllers and basic RAID performance factors

Effective Application of Software Safety Techniques for Automotive Embedded Control Systems SAE TECHNICAL PAPER SERIES

Seven Challenges of Embedded Software Development

DIPLODOCUS: An Environment for. the Hardware/Software Partitioning of. Institut Mines-Telecom. Complex Embedded Systems

Tackling the Complexity of Timing-relevant Deployment Decisions in Multicore-based Embedded Automotive Software Systems Rolf Schneider, AUDI AG

Antonio Kung, Trialog. HIJA technical coordinator. Scott Hansen, The Open Group. HIJA coordinator

Resource Utilization of Middleware Components in Embedded Systems

Transcription:

Validation of Safety-Critical Systems with AADL Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H Feiler April 11, 2008 2006 Carnegie Mellon University

Outline Multiple aspects of system validation System & software engineers working together Multi-fidelity model-based analysis Property preserving transformations Conclusions 2

Dimensions of System Validation Validation of models against system The system Model-based vof system System models Validation of implementation against system models System implementation 3

Single Source Annotated Architecture Model Availability & Reliability MTBF FMEA Hazard analysis Predictive Analysis Across Engineering Dimensions Architecture Model Security Intrusion Integrity Confidentiality 4 Data Quality Data precision/ accuracy Temporal correctness Confidence Fewer independently developed models reduces model validation Real-time Performance Execution time/ Deadline Deadlock/starvation Latency Resource Consumption Bandwidth CPU time Power consumption Low incremental cost for additional analyses & simulations 4

Architecture-Driven Modeling Automatically derived analytical models Annotated architecture System generation from validated models Validation of generators 5

AADL and Safety-Criticality Fault management Architecture patterns in AADL Redundancy, health monitoring, Fault tolerant configurations & modes Dependability Error Model Annex Specification of fault occurrence and fault propagation information Use for hazard and fault effect modeling Reliability & fault tree analysis Behavior validation Behavior Annex Model checking Source code validation 6 6

Outline Multiple aspects of system validation System & software engineers working together Multi-fidelity model-based analysis Property preserving transformations Conclusions 7

Traditional Embedded System Engineering System Engineer Control Engineer System Under Control Control System 8

Software-Intensive Embedded Systems System Engineer Control Engineer Hardware Engineer System Under Control System Control Compute Runtime Application Platform Architecture Software Embedded SW System Engineer Application Developer 9

Mismatched Assumptions System Engineer Physical Plant Characteristics Control Engineer Hardware Engineer System Under Control Compute Platform Data Stream Characteristics Distribution Redundancy Runtime Architecture Embedded SW System Engineer Control System Application Software Concurrency Communication Precision Units Application Developer 10

Predictable Embedded System Engineering Cruise Control Parking Assistance Navigation System Antilock Braking System Airbag Deployment Electronic Fuel Injection Application Software Emission Management Document the Runtime Architecture Abstract, but Precise System Analysis Schedulability Performance Reliability Fault Tolerance Dynamic Configurability External Environment.......... Execution Platform System Construction AADL Runtime System Application Software Integration 11

Working Together Conceptual architecture UML-based component model Architecture views (DoDAF, IEEE1471) Platform independent model (PIM) System engineering SysML as standardized UML profile Focus on system architecture and operational environment Embedded software system engineering SAE AADL OMG MARTE profile based on AADL AADL as MARTE sub-profile Non-functional properties require deployment on platform Data modeling UML, ASN,, 12 12

Outline Multiple aspects of system validation System & software engineers working together Multi-fidelity model-based analysis Property preserving transformations Conclusions 13

Impact of Sampling Latency Jitter Impact of Scheduler Choice on Controller Stability A. Cervin, Lund U., CCACSD 2006 Sampling jitter due execution time jitter and application-driven send/receive 14

Latency Contributors Operational Environment System Engineer System Under Control Control Engineer Control System Processing latency Sampling latency Physical signal latency 15

ARINC 653 Partitions & Communication Frame-delayed inter-partition communication Timing semantics are insensitive to partition order Partition A T1 T2 Partition B T3 T4 T1 T2 T3 T4 T1 T2 T3 T4 t 0 Partition A t 1 t 2 Partition B Partition A Partition B 16

Latency Impact of Partitions Sensor Request for new page Display Manager New page content Lower bound on worst-case latency Page Content Manager Latency contribution: Partition period per partition hop Flight Manager Flight Director 17

Intended Data Flow in Task Architecture From other Partitions Pr 2 Preemption & concurrency affect read/write order Navigation Sensor Processing Pr 3 Pr 1 20Hz Periodic I/O Integrated Navigation Pr 4 10Hz 20Hz Guidance Processing 20Hz Shared data area Pr 6 Flight Plan Processing 5Hz To other Partitions Decreasing Priority Priority assignment achieves desired data flow Pr 9 Aircraft Performance Calculation 2Hz 18

Frame-level Latency Jitter of Data Stream Example: Non-deterministic downsampling Desired sampling pattern 2X: n, n+2, n+4 (2,2,2, ) Worst-case sampling pattern: n, n+1, n+4 (1,3, ) NavSensor Processing 20Hz Integrated Navigation 10Hz Read Thread IntegratedNavigation Write Thread NavSensorProcessing Timeline 19

Managed Latency Jitter through Deterministic Sampling From Partitions Nav signal data Navigation Sensor Processing Nav sensor data 20Hz Nav sensor data Integrated Navigation 10Hz Nav data Guidance Processing 20Hz Periodic I/O 20Hz Guidance To Partitions Input-compute-output AADL thread semantics Immediate and delayed data port connections for deterministic sampling Fuel Flow Nav data FP data Aircraft Performance Calculation 2Hz Flight Plan Processing Performance data 5Hz FP data 20

Rate Group Optimization Logical threads to execute at a specific rate Multiple logical threads to execute with the same rate Placement of units with same rate in same operating system thread Reduced number of threads and context switches 21

Rate Group Order Can Affect Latency Data flow from sensor T s to control T c to actuator T a with midframe communication Effect of rate groups: T c to T a becomes delayed Occurs when pairwise immediate connections in opposite direction OS Thread 50ms OS Thread 100ms Ts Tc Ta OST 100ms Tc OST 50ms Ts Ta Ts Ta t 0 t 50 t 100 22

Software-Based Latency Contributors Execution time variation: algorithm, use of cache Processor speed Resource contention Preemption Legacy & shared variable communication Rate group optimization Protocol specific communication delay Partitioned architecture Migration of functionality Fault tolerance strategy 23

Latency and Age of Data Latency: the amount of time between a sensor reading and an output to an actuator based on the sensor reading Age: amount of time that has passed since the sensor reading Age Contributors Oversampling Missing sensor readings Failed processing Missed deadlines 24

Outline Multiple aspects of system validation System & software engineers working together Multi-fidelity model-based analysis Property preserving transformations Conclusions 25

Efficient Runtime System Generation From Partitions 20Hz Preserve timing Nav signal Navigation semantics of data Sensor execution and communication Processing Nav sensor data Nav sensor data Integrated Navigation 10Hz Nav data Guidance Processing 20Hz Periodic I/O 20Hz Guidance To Partitions Input-compute-output AADL thread semantics Immediate and delayed data port connections for deterministic sampling Fuel Flow Nav data FP data Aircraft Performance Calculation 2Hz Flight Plan Processing Performance data 5Hz FP data 26

Will This Implementation Work? From other Partitions Pr 2 Simulink: single variable per connection Navigation Sensor Processing Pr 3 20Hz Pr 1 Integrated Navigation Pr 4 10Hz 20Hz Periodic I/O Buffer Variable Guidance Processing Buffer Variable Buffer Variable Buffer Variable 20Hz Pr 6 Flight Plan Processing 5Hz Buffer Variable To other Partitions Pr 9 Aircraft Performance Calculation 2Hz 27

Overlapping Message Lifespan Periodic thread MP and MC MP ->> MC Need for double buffering MP i MP i+1 MC i-1 MC i 28

Optimization of General Port Buffer Model Producer Consumer/Producer Consumer MP j MC j MP k MC k Send Receive Send Receive Xfer Xfer MS j MR j MS k MR k Send/receive with or without copy Transfer with or without copy Processing with or without copy MP: producer copy MS: send copy MR: receive copy MC: consumer copy 29

Message Streaming Lifespan Framework Producer task B MP i E T P, Mi+1 MP i+1 D P, Mi+1 Send S Mi Send buffer MS i MS i+1 Xfer Receive buffer Receive X Mi MR i R Mi MR i+1 Consumer task MC i MC i+1 T X T C, Mi D C, Mi 30

Message Lifespan Properties MC input-compute-output guarantee T C, Mi R Mi = B MCi E MCi T C, Mi+1 R mi+1 Message operation ordering condition S Mi < X Mi < R Mi MP bounded by producer dispatches T P, Mi B MPi E MPi = S Mi T P, Mi+1 MS bounded by sends and transfer S Mi = B MSi X * M i E MSi < S Mi+1 MR bounded by transfers and receive X ** M i B MRi E MRi = R *** M i < X Mi+1 * Completion of transfer ** Start of transfer *** Latest of multiple receivers 31

Sequential Execution of Periodic Tasks (τ P ; τ C )* Collapse to single buffer MP i MP i+1 MS MS MR MR MC i-1 MC i 32

Application-based Send and Receive (ASR) (τ P τ C )* MP 3 buffers α P S&X Ω P MR T P α P S Ω P D P T C α C R Ω C D C α C R Ω C α : actual execution start time MC Ω : actual completion time α P - Ω P α C - Ω C non-deterministic S/R order 33

Dispatch-based Send and Receive (DSR) (τ P τ C )* MP MP 2 buffers α P S&X Ω P T P α P S Ω P D P MR D P R T C α : actual execution start time R Ω : actual completion time MC MC α P - Ω P D P - T C = deterministic S/R 34

Buffer Optimization Considerations Periodic & aperiodic task dispatch Send and receive execution As part of application (ASR) As part of task dispatch/completion (DSR) Task execution order Concurrent: τ C τ P Atomic non-deterministic: τ C τ P Ordered: τ C ; τ P or τ P ; τ C Message transfer Immediate to consumer (IMT) Direct to delayed consumer (DMT) Period-delayed to consumer (PMT) 35

Periodic Task Communication Summary Periodic Same period ASR IMT PMT τ P ; τ C MF:1B PD:2B S X R DSR IMT PMT PD:2B R PD:2B S X/R DMT MF:1B τ C ; τ P PD:1B PD:1B PD:1B PD:1B PD:1B τ P τ ND:1B PD:2B PD:2B PD:2B ND:1B C τ P τ C MF: Mid-Frame PD: Period Delay ND: Non-Deterministic NDI: No Data Integrity ND:3B S/X C R C X PD:2B X 1B: Single buffer 2B: Two buffers 3B: Three buffers 4B: Four buffers R PD:2B R X/R PD:2B X/R S, X, R : data copy NDI:2B S/X/R C S/X : IMT combined send/xfer S/X/R : DMT combined S, X, R X/R: DSR/PMT combined X, R o1 o2 : One operation copy 36

Outline Multiple aspects of system validation System & software engineers working together Multi-fidelity model-based analysis Property preserving transformations Conclusions 37

Predictable Model-based Engineering Reduce the risks Analyze system early and throughout life cycle Understand system wide impact Validate assumptions across system Increase the confidence Validate models to complement integration testing Validate model assumptions in operational system Evolve system models in increasing fidelity Reduce the cost Fewer system integration problems Fewer validation steps through use of validated generators 38

Traditional Development Model Requirements Engineering Acceptance Test System Design System Test Software Architectural Design Integration Test Component Software Design Unit Test Code Development 39

Low fidelity Benefits of Predictive Architecting High fidelity Adequate confidence Requirements Engineering Top-Level Verification Items Virtual System Integration Strong confidence Acceptance Test System Design High-level AADL Model System Test Software Architectural Design Detailed AADL Model Integration Test Component Software Design Specify Model- Code Interfaces Unit Test generation of test cases Code Development updating models with actual data 40

Industrial Embedded Systems Initiatives OpenGroup Real-Time Forum EU + US partners COTRE Aviation Systems 2002-2004 EAST ADL Consortium AutoSAR Automotive IST ARTIST2 Embedded Systems Center of Excellence 2007-2011 MBE SAE AADL Standard Nov 2004 AADL Meta Model & XMI June 2006 AADL Error Annex Standard June 2006 AADL UML Profile Std 2008 OSATE Toolset SEI IST ARTIST Embedded Systems 2001-2006 TOPCASED Open Source Embedded Systems Tool Framework 28 partners 20+M 2005-2008 ITEA SPICES Model-Driven Embedded Systems Engineering 15 partners 16M 2006-2009 US AVSI Avionics Consortium Analysis-based System Validation 12+ partners $40+M 2008-2011 ESA Satellite Architectures 2002-2004 Avionics EC ASSERT Proof-based Satellite Architectures ESA + 30 partners 15M 2004-2007 Aerospace 41

A Research Transition Platform RMA Lehoczky Klein Simplex Dependable Upgrade Sha MetaH Vestal Honeywell RTQT Lehoczky DASADA Slack Stealer In MetaH Vestal Binns Honeywell Aging in Asynchronous Architectures Vestal Honeywell Runtime System Verification Hybrid Automata Vestal Honeywell Sporadic server RTQT Klein PACC Resource Management INSERT/Simplex Sha Lehoczky Klein Feiler EDCS MetaH/Acme Feiler AMRDEC Runtime System Generation Verification Runtime System Generation & Verification AADL/PetriNet ENST (Paris) MBE SAE AADL Standard Nov 2004 Formalized Execution Semantics Rolland IRIT Runtime System Code Verification Verimag/IRIT QRAM Rajkumar EDCS AADL Error Annex Standard June 2006 Configuration Consistency Krogh Feiler Li EDCS Reliability Fault Tree Vestal Honeywell OSATE Toolset SEI Reliability Analysis GSPN LAAS QRAM/RMA Feiler Dynamic QRAM Rajkumar Feiler DASADA Model Validation Alloy Verification Jackson (MIT) Dependability Reliability Modeling Mobius UIUC Resource Scheduling Singhoff (Brest) Network Calculus Vestal Honeywell Predictable Caching In Embedded Systems Feiler Hansson DeNiz Alloy-based Architecture Verification DeNiz Garlan SEI SCS Formalized AADL Temporal Semantics IRIT (Toulouse) Wireless Security ISIS Vanderbilt Confidentiality In AADL Feiler Hansson SEI IR&D TimeWeaver Rajkumar MoBIES Security OSATE Binpacker RMA ARINC653 Feiler DeNiz Partitioned Architectures Reliability Analysis Fault Propagation Markov Safety-Critical Systems FPTC & AADL Embry-Riddle Feiler, April Wallace 2008 (York U.) AADL Latency ARINC653 Feiler Hansson Process algebra ACSR Sokolsky (U.Penn) Sensornet Resources ANDES Stankovic Son UVA System Fault Impact Feiler Sha SEI UIUC 42

Peter H Feiler phf@sei.cmu.edu at ENST until June 9, 2008