DASC AADL Tutorial


The Emerging SAE AADL Standard:
An Architecture Analysis & Design
Language for Building Embedded
Real-Time Systems
Society of Automotive Engineers
Avionic Systems Division
Embedded Computing Systems Committee
AS-2C Avionics Architecture Description Language Subcommittee
Software Engineering Institute
Embry-Riddle Aeronautical University
Welcome
Bruce Lewis
Chair, SAE AS-2C Subcommittee
Army AMCOM SED
[email protected]
256-876-3224
Peter Feiler
Secretary & Technical Co-editor
Software Engineering Institute
[email protected]
412-268-7790
John Hudak
Software Engineering Institute
[email protected]
412-268-5291
Dave Gluch
Embry-Riddle Aeronautical University &
Software Engineering Institute
[email protected]/[email protected]
386-226-6455
http://www.aadl.info
AADL Tutorial
I-2
Architecture Analysis & Design Language (AADL)
• Specification of computer systems and SoS.
– Real-time
– Embedded
– Fault-tolerant
– Securely partitioned
– Dynamically configurable
• Software task and communication architectures
– Component interface and structure, behavior, properties
• Bound to
– Distributed multiple processor, integrated hardware architectures
• Fields of application
– Avionics, Automotive, Aerospace, Autonomous systems, …
• Context and vocabulary for the integration of System Eng Technology
– Capture of Architecture (& driving requirements), Analysis of Integration Impact (through model checking), Automated Integration to specification.
Typical Software Development Process
(figure: Requirements → Analysis → Design → Implementation → Integration; manual, paper intensive, error prone, resistant to change)
AADL Tutorial
I-4
Model-Based System Engineering
(figure: model-based and architecture-driven system integration; requirements, analysis and an explicit architecture are captured in engineering models; use of AADL for design, analysis and implementation yields a predictable system, rapid integration and upgradeability)

Lifecycle Impact
• Requirements that impact computer software and hardware architecture modeled early with partial data
• System specification refined during design, coding and integration to final system – each change modeled / model checked against multiple analysis approaches.
• Specification is used to integrate the system, generating middleware to control system execution and communication; generation is done in compliance with the formal analysis on the RT O/S
• Specification used throughout the development process – not out of date, so always ready for the next system evolution and additional analysis capability.
AADL-Based System Engineering
(figure: the software system engineer models the architecture, abstract but precise; System Analysis covers schedulability, performance, reliability, fault tolerance and dynamic configurability; System Construction covers the AADL runtime system and application software integration; application components from the supply chain (automatic target recognition, guidance & control, sensor and signal processing, information fusion, ...) are mechanized onto the execution platform)

An SAE Standard
• Sponsored by
– Society of Automotive Engineers (SAE)
– Avionics Systems Division (ASD), largest provider of avionics standards
– Embedded Systems (AS2)
– Avionics Architecture Description Language Subcommittee (AS2C)
• Contact
– Bruce Lewis, AS2C chair, [email protected]
– http://www.aadl.info
– For information, email [email protected]
• Balloted April 2004, expecting Core standard July.
AS-2C ADL Subcommittee
• Bruce Lewis (AMCOM): Chair, technology user
• Peter Feiler (SEI): Secretary, main author, editor, technology user
• Steve Vestal (Honeywell): MetaH originator, coauthor
• Ed Colbert (USC): AADL & UML Mapping
• Joyce Tokar (Pyrrhus Software): Ada & C Annex
Members
• Boeing, Rockwell, Honeywell, Lockheed Martin, Raytheon, Smith Industries, Airbus, Axlog, Dassault, EADS, Canadair, High Integrity Systems
• NAVAir, Open Systems JTF, British MOD, US Army
• European Space Agency
Coordination with
• NATO, COTRE, OMG-UML
Priority Processing
• Systems interested in immediate use
– Common Missile (August)
– Eglin AFB Weapons Integration (Toolset SBIRs)
– Navy version of BlackHawk (possibly starting training in June with pre-standard toolset)
– European Space Agency (expected Fall 2004)
– Airbus (prototype tool building started)
– FCS and 7E7 (probably too late now but the sooner the better)
– Plug and Play (GD Immediate)
– SEI Toolset development (started)
– TNI Toolset development (started)
– UML/OMG RFC – waiting, need to submit ASAP
MetaH Case Study at AMCOM
• Missile Application reengineered
– Missile on-board software and 6DOF environment simulation executing on dual i80960MC, Tartan Ada, VME Boards
– Built to Generic Missile Reference Architecture
– Specified in MetaH, 12 to 16 concurrent processes
– MetaH reduced total re-engineering cost 40% on first project it was used on. Missile prime estimated savings at 66%.
• Missile Application ported to a new execution environment
– multiple ports to single and dual processor implementations
– new processors (Pentium and PowerPC), compilers, O/S
– first time executable, flew correctly on each target environment
– ports took a few weeks rather than 10 months.
AMCOM Effort Saved Using MetaH
Total project savings 50%, re-target savings 90%
(figure: bar chart of man hours (0 to 8000) for the traditional approach versus using MetaH, over the steps Review, 3-DOF, Translate, 6-DOF, RT6DOF, Current, Transform, Test 6DOF, RTMissile, MetaH Build, Debug and Re-target; annotated with the benefit during application rewrite and the benefit during platform retarget)

Why AADL
Architecture Analysis and Design Language
• Concept - Applies systems engineering (analytical) approach to software intensive systems rather than brute force. Early analysis instead of late failure.
• Needed – analyzable architecture => key to sizable decrease in rework, integration and upgrade costs as well as program risk, complexity.
• Enables – rapid system evolution for complex, RT, safety critical systems with cross cutting constraints, predictable change to both HW and SW components.
• Open – Becoming a Standard, SAE, NATO, UML.
• Readiness - 12 years of DARPA investment + experiments
• Extendable – good foundation for additional capabilities in analysis, automated system integration, system of systems, distribution, dynamics.
An XML-Based AADL Tool Strategy
(figure: graphical AADL and textual AADL are parsed into an AADL model in XML; complete execution platform binding produces an AADL instance in XML, which feeds scheduling analysis (a commercial tool like TimeWiz), an AADL runtime generator, reliability analysis (a filter to Markov analysis), safety analysis, and project-specific in-house tools)

An Open Source AADL Environment
(figure: the AADL environment built on the Eclipse platform (platform runtime, workspace, workbench, JFace, SWT, help, team, debug, Java Development Tools (JDT), Plug-in Development Environment (PDE)); it comprises an AADL textual editor, an AADL graphical editor, an AADL parser, an AADL object API with XML document persistence, analysis tools plugged in via Java or via XML, and a standalone generation tool)

Some MetaH History
MetaH - precursor to AADL
1991 DARPA DSSA program begins
1992 Partitioned PFP target (Tartan MAR/i960MC)
1994 Multi-processor target (VME i960MC)
1995 Slack stealing scheduler
1998 Portable Ada 95 and POSIX middleware configurations
1999 Hybrid automata verification of core middleware modules
Numerous evaluation and demonstration projects, e.g.
Missile G&C reference architecture, demos, others (AMCOM SED)
Hybrid automata formal verification (AFOSR, Honeywell)
Missile defense (Boeing)
Fighter guidance SW fault tolerance (DARPA, CMU, Lockheed-Martin)
Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell)
Comanche study (AMCOM, Comanche PO, Boeing, Honeywell)
Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech)
Advanced Intercept Technology CWE (BMDO, MaxTech)
Adaptive Computer Systems (DARPA, Honeywell)
Avionics System Performance Management (AFRL, Honeywell)
Ada Software Integrated Development/Verification (AFRL, Honeywell)
FMS reference architecture (Honeywell)
JSF vehicle control (Honeywell)
IFMU reengineering (Honeywell)
AADL in Context
DARPA funded research since 1990
Research ADLs
• MetaH
– Real-time, modal, system family
– Analysis & generation
– RMA based scheduling
• Rapide, Wright, ..
– Extension: behavioral validation
• ADL Interchange
– ACME, xADL
– ADML (MCC/Open Group, TOGAF)
AADL: extensible, real-time, dependable
Industrial strength
• UML 2.0, UML-RT
• HOOD/STOOD
• SDL
Airbus & ESA
AADL/UML Relationship
(figure: the AADL core with extensible AADL annexes (security, dependability), and an AADL UML profile to be submitted to OMG for adoption; related UML working groups: UML 1.4, UML 2.0, UML-RT, detailed design, performance, timeliness)

What Is Involved In Using The AADL?
• Specify software & hardware system architectures
• Specify component interfaces and implementation properties
• Analyze system timing, reliability, partition isolation
• Tool-supported software and system integration
• Verify source code compliance & middleware behavior
Model and analyze early and throughout product life cycle
A Control Engineer Perspective
(figure: a continuous feedback loop in a controller (gains K1 and K2s around a summing junction) in Simulink/Matlab, beside the Ada source it is implemented in; continuous feedback for a control engineer)

A Software System Engineer Perspective
(figure: application components (Ada source) and the execution platform, tied together by AADL tools, an AADL-based architecture model and the AADL runtime (package Dispatcher: every 10 ms dispatch(a), dispatch(b); connection A.p1 := B.p2); runtime data tables for threads T1-T4 and resources R1-R4; continuous feedback for the software system engineer)

A Combined Perspective
(figure: the control engineer's Simulink/Matlab view and the software system engineer's view side by side, with continuous interaction between control engineer and system engineer through AADL-based architecture models, AADL tools and the AADL runtime)

Application Components as Plug-ins
(figure: application software components stacked on the AADL runtime system, a real-time operating system and the embedded hardware target)
Strong Partitioning
• Timing Protection
• OS Call Restrictions
• Memory Protection
Interoperability/Portability
• Tailored Runtime Executive
• Standard RTOS API
• Application Components
Predictable System Integration
• Required, predicted, and actual runtime properties
• Application components designed against functional and non-functional properties
• Application code separated from task dispatch & communication code
• Consistency between task & communication model and implementation through generation
• Feedback into model parameters: refinement of estimated performance values
Potential Users
New System Engineering Approach based on AADL
• Airbus
• ESA
• Rockwell Collins
• Lockheed Martin
• Smith Industries
• Raytheon
• Boeing FCS
• Automotive OEPs
• Common Missile
• RT Plug and Play
– Modeling of Satellite Systems, proposed ASSERT with AADL
– Modeling of Helicopter Avionics Software System
– New System Engineering tools using AADL.
– Leading Candidate for system of systems modeling, analysis
– Adopted for system integration analysis to support standard
AADL Components - Graphical
(figure: graphical symbols for application software components (data, thread, process, system), execution platform components (processor, memory, bus, device) and system composition)

Modeling Vocabulary
• Application System
– Thread
– Thread Group
– Process
– System
– Package
– Subprogram
– Data (shared/message)
– Data Port
– Event
– Event Port
– Event Data Port
– Connection
– Mode
• Execution Platform
– Processor
– Memory
– Device
– Bus
– System
• Extension
– Inheritance
– Properties
– Sublanguages (safety, flow, user defined, … component behavior ….)
– Domain Specific Annexes
Graphical & Textual Notation
system Data_Acquisition
provides
  speed_data: in data metric_speed;
  GPS_data: in data position_carthesian;
  user_input_data: in data user_input;
  s_control_data: out data state_control;
end Data_Acquisition;
(callouts: each line of the provides clause declares a data port; the name after "data" is the data type of the port)
(figure: the Data_Acquisition box with in data ports speed_data, GPS_data and user_input_data and out data port s_control_data)
AADL Component Interaction
• Unidirectional data & event flow
• Synchronous call/return
• Managed shared data access
(figure: Flight Mgr, Weapons Mgr, MFD Pilot, MFD Copilot and Warnings/Annunciations components exchanging data over a 1553 bus)
Application System & Execution Platform
Application system binding to execution platform
(figure: the Flight Mgr, Weapons Mgr, MFD Pilot, MFD Copilot and Warnings/Annunciations application components bound to a Mission Processor and two Display Processors (Pilot Display, CoPilot Display), connected by a high speed network and a 1553 bus)

Thread Properties
Dispatch execution properties:
• Dispatch_Protocol => Periodic;
• Period => 100 ms;
• Compute_Deadline => Period;
• Compute_Execution_Time => 20 ms;
• Initialize_Deadline => 10 ms;
• Initialize_Execution_Time => 1 ms;
Code function to be executed on dispatch:
• Compute_Entrypoint => "Calculate_Trajectory";
File containing the application code:
• Source_Text => "waypoint.java";
• Source_Code_Size => 1.2 KB;
• Source_Data_Size => .5 KB;
Thread Hybrid Automata
Task & Interaction Architecture
(figure: System System1 containing System Subsystem1 with processes Prc1 and Prc2; threads T1, T2, T3, a server thread T2 offering subprograms SP1, SP2, SP3 and remote subprogram RSP1, shared data Data1 of type Pos, and event E1)
Thread dispatch protocols: Periodic, Aperiodic, Sporadic, Background, Client - Server
Typed and constrained data streams; immediate and delayed communication
Directional: data, event, message ports; queued and unqueued xfer
Call/Return: local subprogram; client/server subprogram
Shared Access: persistent, shareable data; access coordination

Thread States
(figure: thread state hybrid automaton. An Uninitialized thread runs Initialize (InitializeComplete) to become an Initialized thread. A thread that is a member of the current mode is Active, one that is not is Inactive; the transitions InactiveInInitMode, ActiveInInitMode, InactiveInNewMode and ActiveInNewMode place it on a mode switch, and Activate/ActivateComplete and Deactivate/DeactivateComplete move it between the two. An active thread alternates between Suspended and Compute on Dispatch and Complete; on Fault it enters Recover and leaves on Recovered or Repaired. Terminate leads through Finalize (FinalizeComplete) to a Terminated thread. States with source code execution correspond to the application source entrypoints; the application is a plug-in.)

Hierarchical Modes
Mode as Alternative Configuration
(figure: the System1/Subsystem1 task architecture of the previous slide, with processes Prc1, Prc2, Prc3 and threads T1, T2, T3 annotated with their mode membership)
System level: Initial Mode A: Prc1, Prc2; Mode B: Prc1, Prc3;
Process level: Initial Mode A: T1, T2, T3; Mode B: T1, T2;
Application source: internal mode, conditional code
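How hierarchical modes select a configuration, as an added Python example that is not part of the tutorial: it resolves which threads are active for a given system mode and process mode, and derives the sets a mode switch must deactivate and activate (the Deactivate/Activate transitions of the thread state model). The slide's mode declarations are used as given; that process Prc1 owns the thread-level modes, the contents of Prc2 and Prc3, and the mode name Run are assumptions.

```python
"""Hierarchical modes as alternative configurations (added example, not from
the tutorial). Model constructed from the slide's names; Prc2/Prc3 contents
and the single mode "Run" are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    initial_mode: str
    modes: dict                  # mode name -> names of subcomponents in that mode
    children: dict = field(default_factory=dict)  # containers only; threads are leaves


def active_threads(comp, assignment):
    """Qualified names of threads active when each container is in the mode
    given by `assignment` (falling back to its initial mode).

    A subcomponent is active only if its parent's current mode lists it, so a
    thread of Prc2 is inactive in any system mode that omits Prc2, whatever
    mode Prc2 itself is in.
    """
    mode = assignment.get(comp.name, comp.initial_mode)
    if mode not in comp.modes:
        raise ValueError(f"{comp.name} has no mode {mode!r}")
    active = set()
    for name in comp.modes[mode]:
        child = comp.children.get(name)
        if child is None:                      # leaf: a thread
            active.add(f"{comp.name}.{name}")
        else:                                  # process or system: recurse
            active |= active_threads(child, assignment)
    return active


def mode_switch(comp, before, after):
    """Threads to deactivate and activate for a transition between two mode
    assignments; these are the Deactivate / Activate actions of the switch."""
    old, new = active_threads(comp, before), active_threads(comp, after)
    return {"deactivate": sorted(old - new), "activate": sorted(new - old),
            "unchanged": sorted(old & new)}


# Slide: Initial Mode A: T1, T2, T3; Mode B: T1, T2  (assumed to belong to Prc1)
PRC1 = Component("Prc1", "A", {"A": {"T1", "T2", "T3"}, "B": {"T1", "T2"}})
PRC2 = Component("Prc2", "Run", {"Run": {"T1", "T2"}})   # single mode (assumed)
PRC3 = Component("Prc3", "Run", {"Run": {"T4"}})         # single mode (assumed)
# Slide: Initial Mode A: Prc1, Prc2; Mode B: Prc1, Prc3
SYSTEM1 = Component("System1", "A",
                    {"A": {"Prc1", "Prc2"}, "B": {"Prc1", "Prc3"}},
                    {"Prc1": PRC1, "Prc2": PRC2, "Prc3": PRC3})
```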
Systems & Execution Platforms
Processors, buses, memory, and devices as virtual machines
(figure: System System1 with Subsystem1 (processes Prc1 and Prc2 with their threads) bound to System LinuxNet, which contains System LinuxBox with processors PC1 and PC2, each with memory, joined by a bus)
Threads as logical unit of concurrency

AADL and Scheduling
• AADL provides precise dispatch & communication semantics via hybrid automata
• AADL task & communication abstraction does not prescribe scheduling protocols
– Cyclic executive can be supported
• Specific scheduling protocols may require additional properties
• Predefined properties support rate-monotonic fixed priority preemptive scheduling
This scheduling protocol is analyzable, requires small runtime footprint, provides flexible runtime architecture
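What the rate-monotonic analysis over the Thread Properties slide's values looks like, as an added Python example that is not part of the tutorial or of any AADL toolset: it applies the Liu & Layland utilization bound and the exact response-time analysis to a constructed set of periodic threads, of which only the waypoint thread reuses the tutorial's values (Period 100 ms, Compute_Execution_Time 20 ms, Compute_Deadline = Period). It also shows the case the bound alone cannot decide, where the exact analysis must settle schedulability.

```python
"""Rate-monotonic schedulability over AADL thread properties (added example,
not from the tutorial; thread set constructed, times in ms)."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class PeriodicThread:
    name: str
    period: float          # AADL Period
    execution_time: float  # AADL Compute_Execution_Time (worst case)
    deadline: float        # AADL Compute_Deadline (here <= Period)


def utilization(threads):
    return sum(t.execution_time / t.period for t in threads)


def liu_layland_bound(n):
    """Sufficient RM condition: U <= n*(2^(1/n) - 1). Above it, inconclusive."""
    return n * (2 ** (1.0 / n) - 1)


def response_times(threads):
    """Worst-case response time per thread; shorter period = higher priority.

    R_i = C_i + sum over higher-priority j of ceil(R_i / T_j) * C_j, iterated
    to a fixed point. Iteration stops once R_i passes the deadline, so the
    value reported for an unschedulable thread is only a lower bound.
    """
    ordered = sorted(threads, key=lambda t: t.period)
    result = {}
    for i, t in enumerate(ordered):
        higher = ordered[:i]
        r = t.execution_time
        while True:
            nxt = t.execution_time + sum(
                ceil(r / h.period) * h.execution_time for h in higher)
            if nxt == r or nxt > t.deadline:
                r = nxt
                break
            r = nxt
        result[t.name] = r
    return result


def schedulable(threads):
    rt = response_times(threads)
    return all(rt[t.name] <= t.deadline for t in threads)


# waypoint reuses the tutorial's values (Period 100 ms, 20 ms compute,
# Compute_Deadline => Period); the other three threads are constructed.
THREADS = [
    PeriodicThread("sensor", 20, 5, 20),
    PeriodicThread("guidance", 50, 12, 50),
    PeriodicThread("waypoint", 100, 20, 100),
    PeriodicThread("display", 200, 40, 200),
]
# Same load, but display must now complete within 150 ms of each dispatch.
TIGHT_DEADLINE = THREADS[:3] + [PeriodicThread("display", 200, 40, 150)]
```

For THREADS the utilization (0.89) exceeds the four-task bound (about 0.76), so the bound says nothing, yet the exact analysis gives response times of 5, 17, 47 and 173 ms and the set is schedulable; with the 150 ms display deadline the same load misses its deadline.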
Faults and Modes
• AADL provides a fault handling framework with precisely defined actions
• AADL supports runtime changes to task & communication configurations
• AADL defines timing semantics for task coordination on mode switching
• AADL supports specification of mode transition actions
• System initialization & termination are explicitly modeled
Behavior Modeling
• Operational modes (in core AADL)
• Runtime reconfiguration (in core AADL)
• End-to-end flows (in core AADL)
• Interaction behavior (extension)
– Port interaction pattern of component
– Interaction protocol of connection
• Error models & reliability analysis (extension)
Analyses enabled: state reachability, flow traceability, protocol verification, model checking
System Safety Engineering
Capture the results of
• hazard analysis
• component failure modes & effects analysis
Specify and analyze (supported by the Error Model Annex)
• fault trees
• Markov models
• partition isolation/event independence
Integration of system safety with architectural design
• enables cross-checking between models
• ensures safety models and design architecture are consistent
• reduces specification and verification effort
AADL Version 2 Research Ideas
• 1. Dynamic Reconfigurable Real-Time Fault-Tolerant Asynchronous Architectures
• 2. Additional trackable automated modeling and analysis methods for architectural specs (composition, pattern recognition to reduce state space)
• 3. Rigorous links/relations between multiple engineering modeling approaches – Simulink/VHDL – AADL, SDL – AADL, compositional scheduling
• 4. Architectural verification (is the Architecture spec correct and do components comply with their specs, stronger plug and play)
• 5. Mode transition modeling, state space reduction for mode analysis/scheduling
• 6. Modeling of specific system building approaches/patterns – example RT CORBA that can be applied as abstractions at a higher level but used to generate an implementation.
• 7. Modeling sublanguages and properties to support special areas of analysis for high integrity systems – current Error modeling annex, safety and security annex, component behavior annex etc.
AADL Status
• Requirements document SAE ARD 5296
– Input from aerospace industry
– Balloted and approved in 2000
• SAE AADL document SAE AS 5506
– Core language: In ballot April 2004, July availability
– UML profile, XML schema, Error Model Annex, Ada and C Annex in review, to be balloted in June 2004