
Technical Presentation

Model-Based Software Assurance with the SAE Architecture Analysis & Design Language (AADL)

September 2008

Dave Gluch
Carnegie Mellon University, Pittsburgh, PA 15213
California Institute of Technology

MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline

Project Overview
AADL Overview
MDS Architecture and Models
MBA with the AADL
Analysis Examples
Next Steps
Summary and Discussions

Contributors:
Peter Feiler & Dave Gluch, Carnegie Mellon University, Pittsburgh, PA 15213
Kenny Meyer & Katie Weiss, California Institute of Technology
Kurt Woodham
Ken Evensen
Project Overview

Year 2 objectives
• Objective: Formulate and demonstrate AADL-driven model-based engineering in software assurance for NASA development
  — Activity: extend the case study using focused example models and analysis products taken from the JPL Mission Data System (MDS)
• Objective: Generate an AADL practice framework
  — Activity: extend the year 1 beta AADL practice framework to define model-based analysis practices with the AADL for software assurance in NASA development project V&V and IV&V
• Objective: Lay a foundation for technology transition
  — Activity: develop a plan for transitioning practices into JPL

(Three-year project overview provided in executive session)
Technical Accomplishments Post-SAS 07

Report on the case study MDS (12/2007)
• Demonstrated the use of AADL in the analysis of critical MDS performance elements and system assurance concerns (e.g. latency, task scheduling, integral fault protection)
• Addressed key MDS architectural themes (e.g. state-based closed loop control, separation of estimation from control, ground-to-flight migration)

Beta version of the AADL Practice Framework (12/2007)
• Applied practices to MDS example adaptations
• Defined analysis views that address critical concerns

Current activities
• Investigating goal planning and re-planning issues within the MDS case study
• Conducting analyses of the MDS integral fault protection capabilities
• Developing exemplar applications of the Practice Framework
Tech Transfer Accomplishments
JPL On-site 11/8/2007
• AADL overview presentation (approximately 25 participants)
• Working session with MDS project to discuss case study and future
analysis
JPL On-site 6/18/2008
• Process/technology transfer approach discussions
• Working session with MDS project to provide status on 11/8/2007 direction
• Meet with Europa project as potential case study target
SEI On-site 7/24/2008
• Discuss transfer plan approach and potential inhibitors of successful
transition
• Condensed overview of AADL language, tools, and analysis capabilities
Tech Transfer
• Maturing practice framework focusing on detailing analysis practices –
applied directly to case studies as demonstration of framework instantiation
and execution
• Out-year goals focused on migration of practice framework into embedded
development and assurance activities
• Configuring additional case studies to target typical analytical activities
beneficial to both development verification/validation and independent
assurance
Transition Considerations

Technology Readiness Level of the work
• SAE standard – in use/evaluation on real applications (TRL 7)
• Open source tool environments for design and analysis
• Integration with UML

Potential applications in IV&V
• Space flight systems – demonstrated on case study (TRL 5)
• Ground support systems

Availability of data or case studies
• Project results
• Legacy system analysis and system development

Barriers to research or application (challenges)
• New technology
• Integration with existing practices and technology
Technology Readiness Level

1. Basic principles observed and reported
2. Technology concept and/or application formulated
3. Analytical and experimental critical function and/or characteristic proof of concept
4. Component and/or breadboard validation in laboratory environment
5. Component and/or breadboard validation in relevant environment
6. System/subsystem model or prototype demonstration in a relevant environment (ground or space)
7. System prototype demonstration in a space environment
8. Actual system completed and 'flight qualified' through test and demonstration (ground or space)
9. Actual system 'flight proven' through successful mission operations

(Chart annotations mark the level reached by the application to IV&V in this project and by AADL technology at large; the levels are given on the preceding slide.)
Outline

Project Overview
AADL Overview
• Core modeling elements
• Analysis
MDS Architecture and Models
MBA with the AADL
Analysis Examples
Next Steps
Summary and Discussions
Overview of the AADL

Model-Based Engineering (MBE) language for architectural analysis and specification of real-time embedded systems with stringent performance requirements (e.g. fault-tolerance, security, safety-critical)

Static and dynamic component-based system architecture representation

Precise semantics for accurate system representation and analysis
• Early (high level) feasibility analyses
• Progressive fidelity added as desired
• Multi-dimensional analysis

Single system architecture model
• Accommodates diverse analyses
• Standardized interchange formats
• Tool integration & interoperability

Based on 15 years of architecture language research

SAE Standard (AS-5506) Nov 2004

Complementary to other modeling languages
• SysML, UML (UML 2.0 Profile for AADL is in balloting)
• OMG MARTE (real-time UML)
AADL Language Elements

• Specifies a well-formed interface
• External interaction points defined as features
• Multiple implementations per component type
• Properties to specify component characteristics
• Components organized into system hierarchy

[Figure: AADL language elements: Components, Interactions, Properties (core modeling); Abstractions, Organization, Extensions (engineering support and infrastructure)]
AADL Components (core modeling elements: Components, Interactions, Properties)

Application Software
• thread
• thread group
• process
• data
• subprogram

Execution Platform
• processor
• memory
• bus
• device

Composite
• system

[Figure: graphical symbol for each component category]

Each component has predefined properties associated with its declaration.
Component Interactions (core modeling elements: Components, Interactions, Properties)

Connections (explicit declarations)
• ports (data and events [control] transfer): data ports, event ports and event data ports, each in, out or in out
• access (to data & bus components): data access, bus access
• parameters (sequential subprogram calls): in, out, in out

Calls (explicit declarations & property associations)
• subprogram

Bindings (property associations)
• software -> execution platform

[Figure: graphical symbols for data, event and event data ports, port groups, data and bus access, subprogram parameters, and an immediate connection between two threads bound to a processor]
Some Standard Properties (core modeling elements: Components, Interactions, Properties)

Thread properties:

    Dispatch_Protocol => Periodic;                 -- dispatch execution
    Period => 100 ms;
    Compute_Deadline => value (Period);
    Compute_Execution_Time => 10 ms .. 20 ms;
    Compute_Entrypoint => "speed_control";         -- code to be executed on dispatch
    Source_Text => "waypoint.java";                -- file containing the application code
    Source_Code_Size => 12 KB;

Processor properties:

    Thread_Swap_Execution_Time => 5 us .. 10 us;
    Clock_Jitter => 5 ps;

Bus properties:

    Allowed_Message_Size => 1 KB;
    Propagation_Delay => 1 ps .. 2 ps;
    bus_properties::Protocols => CSMA;             -- Protocols is a user defined property

Users can define custom properties.
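The thread properties above (Dispatch_Protocol, Period, Compute_Deadline, Compute_Execution_Time) together with the binding of threads to a processor are exactly what a scheduling analysis consumes. The Python below is an added example, not code from the presentation or from any AADL tool: it models threads with those properties, groups them by an assumed processor binding (the `bound_to` name stands in for Actual_Processor_Binding), and runs a rate-monotonic response-time analysis against each thread's deadline. Thread names and values are constructed.

```python
"""Schedulability check over AADL-style thread properties bound to a processor.

Added example, not from the original presentation.  The threads and
processor below are constructed to mirror the property names on the slide
(Dispatch_Protocol => Periodic, Period, Compute_Execution_Time upper bound,
Compute_Deadline) plus a software-to-hardware binding.  The analysis assumes
fixed-priority preemptive scheduling with rate-monotonic priorities.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Thread:
    name: str
    period_ms: float      # Period => ...
    wcet_ms: float        # upper bound of Compute_Execution_Time => lo .. hi
    deadline_ms: float    # Compute_Deadline (defaults to Period)
    bound_to: str         # processor the thread is bound to (assumed name)


def utilization(threads):
    """Total CPU utilization demanded by a set of periodic threads."""
    return sum(t.wcet_ms / t.period_ms for t in threads)


def rm_bound(n):
    """Liu & Layland sufficient utilization bound for n rate-monotonic tasks."""
    return n * (2 ** (1.0 / n) - 1)


def response_times(threads):
    """Worst-case response time of every thread under rate-monotonic priorities.

    Shorter period means higher priority.  Returns name -> response time
    in ms, or None when the fixed-point iteration exceeds the thread's
    deadline, i.e. the thread is not schedulable on this processor.
    """
    ordered = sorted(threads, key=lambda t: t.period_ms)
    result = {}
    for i, t in enumerate(ordered):
        higher = ordered[:i]
        r = t.wcet_ms
        while True:
            # Interference from every higher-priority thread released within r.
            interference = sum(ceil(r / h.period_ms) * h.wcet_ms for h in higher)
            r_next = t.wcet_ms + interference
            if r_next > t.deadline_ms:
                result[t.name] = None
                break
            if r_next == r:
                result[t.name] = r
                break
            r = r_next
    return result


def check_binding(threads, processor):
    """Collect the threads bound to `processor` and decide schedulability."""
    bound = [t for t in threads if t.bound_to == processor]
    rts = response_times(bound)
    return {
        "processor": processor,
        "utilization": utilization(bound),
        "rm_bound": rm_bound(len(bound)) if bound else 1.0,
        "response_times": rts,
        "schedulable": all(v is not None for v in rts.values()),
    }


# Constructed sample: three control threads on one flight processor.
SAMPLE_THREADS = [
    Thread("speed_control", period_ms=100, wcet_ms=20, deadline_ms=100, bound_to="cpu0"),
    Thread("state_estimation", period_ms=50, wcet_ms=15, deadline_ms=50, bound_to="cpu0"),
    Thread("goal_monitor", period_ms=200, wcet_ms=40, deadline_ms=200, bound_to="cpu0"),
]

if __name__ == "__main__":
    print(check_binding(SAMPLE_THREADS, "cpu0"))
```

The utilization test against `rm_bound` is only sufficient; the response-time iteration is the exact check, and it is the one to trust when utilization lands above the bound but below 1.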
Comprehensive Representation

An AADL Model is a comprehensive model of a system's architecture that
• includes software and hardware components
• can include project-specific properties and specialized analysis representations
• is organized within packages (libraries of elements) and specification files
• is comprised of components, interactions, and properties, including explicit data exchange and the binding of software to hardware
Model-Based System and Software Assurance

Assure system performance and dependability prior to system integration, test, or upgrade through…
• quantitative analysis and simulation of system architecture models
• focus on system-wide integration aspects
• continual model-based verification from early abstractions through detailed design

[Figure: modeling feeds analysis. A partitioned avionics example with rate groups: Navigation Sensor Processing (20 Hz) receives Nav signal data and Nav sensor data from partitions; Integrated Navigation (10 Hz) produces Nav data; Guidance Processing (20 Hz) produces Guidance; Flight Plan Processing (5 Hz) exchanges FP data and Performance data; Aircraft Performance Calculation (2 Hz) uses Fuel Flow and Nav data and sends FP data to partitions.]
Model-Based Assurance with AADL: Analysis Across Perspectives

[Figure: a single Architecture Model at the centre, analyzed from several perspectives:
• Availability & Reliability: MTBF, FMEA, hazard analysis
• Security: intrusion, integrity, confidentiality
• Data Quality: data precision/accuracy, temporal correctness, confidence
• Resource Consumption: bandwidth, CPU time, power consumption
• Real-time Performance: execution time/deadline, deadlock/starvation, latency]
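The security perspective in the figure (integrity, confidentiality) is one that can be checked mechanically on the same architecture model, because every data exchange is an explicit connection. The Python below is an added example, not code from the presentation or from any AADL tool: it assumes a user-defined `Security_Level` property on components and an `Encrypted` property on connections (both hypothetical, standing in for a custom property set), and flags every connection that would carry data to a lower level. Component and connection names are constructed, loosely after the temperature-control instantiation shown later in the deck.

```python
"""Information-flow check over an AADL-style connection topology.

Added example, not part of the original presentation and not an AADL
tool's algorithm.  Components carry an assumed integer Security_Level
(higher = more sensitive); connections may carry an assumed Encrypted
flag.  The check enforces "no write-down": data may only flow to a
component whose level is at least the sender's, unless a connection is
explicitly marked as an encrypted (trusted) downgrade path.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    security_level: int        # hypothetical Security_Level property


@dataclass(frozen=True)
class Connection:
    name: str
    src: str                   # component owning the out port
    dst: str                   # component owning the in port
    encrypted: bool = False    # hypothetical Encrypted property


def violations(components, connections, allow_encrypted_downgrade=False):
    """Return the connections that move data to a lower security level.

    A flow from level L_src to L_dst is fine when L_dst >= L_src.  With
    allow_encrypted_downgrade=True an encrypted connection is also
    accepted, modelling a cryptographic guard between partitions.
    Unknown endpoints are an error rather than silently passing.
    """
    level = {c.name: c.security_level for c in components}
    bad = []
    for conn in connections:
        if conn.src not in level or conn.dst not in level:
            raise KeyError(f"{conn.name}: unknown endpoint")
        if level[conn.dst] < level[conn.src]:
            if allow_encrypted_downgrade and conn.encrypted:
                continue
            bad.append(conn)
    return bad


def flow_path_ok(components, connections, path):
    """Check a flow path given as an ordered list of connection names."""
    by_name = {c.name: c for c in connections}
    hops = [by_name[n] for n in path]
    return not violations(components, hops)


# Constructed sample: sensor data rises into the control loop, and a
# telemetry downlink sits at the lowest level.
SAMPLE_COMPONENTS = [
    Component("temperature_sensor", 1),
    Component("state_estimation", 2),
    Component("state_control", 2),
    Component("switch_actuator", 2),
    Component("telemetry_downlink", 0),
]
SAMPLE_CONNECTIONS = [
    Connection("DC02", "temperature_sensor", "state_estimation"),
    Connection("DC07", "state_estimation", "state_control"),
    Connection("DC06", "state_control", "switch_actuator"),
    Connection("DC09", "state_estimation", "telemetry_downlink", encrypted=True),
]

if __name__ == "__main__":
    for c in violations(SAMPLE_COMPONENTS, SAMPLE_CONNECTIONS):
        print(f"{c.name}: {c.src} -> {c.dst} writes down")
```

Run over the sample, the only finding is the downlink connection; whether an encrypted downlink is an acceptable downgrade is a policy decision the analyst makes explicit through the flag, which is the point of keeping such rules in the model rather than in reviewers' heads.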
Outline

Project Overview
AADL Overview
MDS Architecture and Models
• Reference Architecture
• Adaptation Instances
MBA with the AADL
Analysis Examples
Next Steps
Summary and Discussions
The Mission Data System - Perspectives
A reference architecture
• To be instantiated for different applications
An embedded systems architecture
• Consists of physical system, computing hardware,
application software
A control systems architecture
• Feedback loops in application architecture
• Feedback loops in data management system
A multi-layered architecture
• From low-level control loops to goal-oriented planning and plan
execution
[Figure: Generic Architecture Pattern with Connection Topology]
Case Study: MDS Reference Architecture

Textual & Graphical Representations

Excerpt from the Textual Specification:

    system implementation complete.MDS_system
    subcomponents
      Hardware_Being_Controlled: system controlled_systems.sensors_actuators;
      State_Knowledge: system state.knowledge;
      Mission_Planning_Execution: system planning.mission_and_execution;
      State_Estimation: system estimators.of_state;
      State_Control: system controllers.of_state;
      Hardware_Adapter: system adapters.hardware;
    end complete.MDS_system;

MDS Principles
• Closed loop
• Goal-Directed
• Explicit models
• Separation of Concerns
• Integral Fault Protection

[Figure: MDS Control System]
Model of the MDS Control System

Excerpt from the Textual Specification:

    process implementation MDSControlSystem.basic
    subcomponents
      GoalPlanner: thread group ControlSoftware::GoalPlanner;
      GoalExecutive: thread group ControlSoftware::GoalExecutive;
      GoalMonitor: thread group ControlSoftware::XGoalMonitor;
      StateEstimation: thread group ControlSoftware::estimator;
      StateControl: thread group ControlSoftware::controller;
      OperatorConsole: thread group ControlSoftware::OperatorConsole;
    end MDSControlSystem.basic;

[Figure: goal-oriented mission tasks (planner, executive, monitor) above time-sensitive continuous control tasks (estimation, control); the model focuses on information flow]
Reference Architecture Instantiation

[Figure: the reference architecture instantiated for a temperature control example. System Under Control: a Camera with a Temperature Sensor (temperature measurement) and two power supplies PS1 and PS2 driving Heater 1 and Heater 2 through Switch 1 Actuator and Switch 2 Actuator (Switch 1 command, Switch 2 command, +/-).]

Instantiation of reference architecture through refinement of AADL model

Deployment on different computing hardware platforms
Outline
Project Overview
AADL Overview
MDS Architecture and Models
MBA with the AADL
Analysis Examples
Next Steps
Summary and Discussions
AADL Model-Based Analysis Practice Framework

[Figure: process flow. Activities: Focus (requirements, including risks and quality attributes), Build (AADL models), Analyze. Process artifacts: V&V or IV&V Plan, Analysis Plan, Analysis Products. Supporting artifact: the AADL Analysis Repository (Component Library, Reference Architectures, Custom Property Sets, Analysis Guidelines). The key distinguishes activities, artifacts, process flow, and the relationships between activities and supporting or process artifacts.]
Example Component Library

[Figure: a component library with entries such as NASA Facility, Constellation, ISS, MDS Reference Architecture and Mars Rover; an MDS rover model utilizes library components.]

AADL models are developed as part of individual analysis viewpoints and views within an Analysis Portfolio.

Analysis Portfolio viewpoints for the MDS rover model: security, resource consumption, dependability, data quality, performance, behavior.

Each viewpoint addresses specific concerns and may involve multiple views and models.
Developing Analysis Views within an Analysis Portfolio

[Figure: the MDS Rover Model in the Analysis Portfolio extends a Required Component, which in turn extends elements of the AADL Analysis Repository (Component Library, Reference Architectures, Custom Property Sets, Analysis Guidelines).]
AADL Rover Wheel Control

[Figure: AADL graphical model of the rover wheel control]
Outline

Project Overview
AADL Overview
MDS Architecture and Models
MBA with the AADL
Analysis Examples
• Latency
• Goal Network
Next Steps
Summary and Discussions
Temperature Control AADL Representation

Control engineering concerns: processing latency, sampling latency, physical signal latency

Software systems engineering concerns: preemption, processor speed, resource contention, communication delay, rate group optimization, partitioned architecture, migration of functionality

Use of immediate & delayed connections to achieve deterministic sampling

[Figure: AADL graphical model of the temperature control instantiation with the flow path highlighted]
Temperature Control AADL Representation (continued)

[Figure: detailed AADL graphical model with the flow path highlighted]
Transport Latency Analysis Results

Analysis Results*: [table of computed end-to-end latencies; the analysis can be extended to the thread level]

Excerpt from the Textual Specification*:

    flows
      TempRsp: end to end flow camera_hardware.TempRsp1 -> DC02
        -> temperature_sensor_adapter.TempRsp -> DC04 -> state_estimation.TempRsp
        -> DC07 -> State_Variables.TempRsp -> DC08 -> state_control.TempRsp
        -> DC06 -> switch_actuator_hardware_adapter.TempRsp
        -> DC03 -> camera_hardware.TempRsp
        {Latency => 50 ms;};

    flows
      TempRsp: flow path control_goals -> commands {Latency => 20 ms;};

    flows
      TempRsp: flow sink switch_command -> DataConnection1 -> switch_actuator.TempRsp;
      TempRsp1: flow source temperature_sensor.TempRsp -> DataConnection5 -> temperature_measurement;
* Note that illustrative values are used for this model and the results are not indicative of the results for any existing MDS implementation.
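The end-to-end flow above declares a 50 ms budget; the analysis walks the path and accumulates the Latency of each component flow specification and the delay of each connection, and the immediate/delayed connection choice from the temperature-control slide is what makes that connection delay deterministic. The Python below is an added example covering both points; it is not the presentation's results nor an AADL tool's algorithm. It uses a simplified connection model, stated in the comments, and constructed latency values; the segment and connection names are borrowed from the excerpt, but none of the numbers come from any MDS model.

```python
"""End-to-end flow latency check over an AADL-style flow path.

Added example, not the presentation's own analysis and not an AADL tool.
Latency values are constructed.  Each flow specification contributes a
(min, max) latency in ms, as `Latency => 1 ms .. 2 ms` would declare, and
each connection contributes a delay that depends on its kind.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSegment:
    """A component's flow specification (flow source, path or sink)."""
    name: str
    latency_ms: tuple              # (min, max) declared on the flow spec


@dataclass(frozen=True)
class Conn:
    """A port connection between two consecutive flow segments."""
    name: str
    kind: str                      # "immediate", "delayed" or "sampled"
    sender_period_ms: float = 0.0
    receiver_period_ms: float = 0.0
    transport_ms: tuple = (0.0, 0.0)   # bus transmission / propagation bounds


def connection_delay(conn):
    """(min, max) latency contributed by one connection.

    immediate: the receiver is dispatched with the sender and waits for its
               completion, so the data is handed over within the frame and
               only the transport delay is added.
    delayed:   the value is released at the sender's deadline and read at
               the receiver's next dispatch; with aligned periods this is
               exactly one sender period, hence no jitter.
    sampled:   the receiver is unsynchronised and reads whatever sits in the
               port at dispatch, anywhere from 0 to one receiver period late.
    """
    lo, hi = conn.transport_ms
    if conn.kind == "immediate":
        return (lo, hi)
    if conn.kind == "delayed":
        return (lo + conn.sender_period_ms, hi + conn.sender_period_ms)
    if conn.kind == "sampled":
        return (lo, hi + conn.receiver_period_ms)
    raise ValueError(f"{conn.name}: unknown connection kind {conn.kind!r}")


def end_to_end_latency(segments, conns):
    """Accumulate segment and connection latencies along the path -> (min, max)."""
    if len(conns) != len(segments) - 1:
        raise ValueError("a path of n segments needs exactly n-1 connections")
    lo = sum(s.latency_ms[0] for s in segments)
    hi = sum(s.latency_ms[1] for s in segments)
    for c in conns:
        clo, chi = connection_delay(c)
        lo += clo
        hi += chi
    return (lo, hi)


def check_budget(segments, conns, budget_ms):
    """Worst case, jitter (max - min) and whether the declared budget holds."""
    lo, hi = end_to_end_latency(segments, conns)
    return {"min_ms": lo, "max_ms": hi, "jitter_ms": hi - lo,
            "meets_budget": hi <= budget_ms}


# Constructed sample shaped like the TempRsp end-to-end flow on the slide.
SEGMENTS = [
    FlowSegment("temperature_sensor_adapter.TempRsp", (1, 2)),
    FlowSegment("state_estimation.TempRsp", (5, 8)),
    FlowSegment("state_control.TempRsp", (4, 6)),
    FlowSegment("switch_actuator_hardware_adapter.TempRsp", (1, 2)),
]
# Estimation and control at 20 ms, coupled by a delayed connection.
DETERMINISTIC = [
    Conn("DC04", "immediate"),
    Conn("DC07", "delayed", sender_period_ms=20, receiver_period_ms=20),
    Conn("DC06", "immediate", transport_ms=(0.5, 1.0)),
]
# The same path with the middle hop left as an unsynchronised sampling port.
UNSYNCHRONISED = [
    Conn("DC04", "immediate"),
    Conn("DC07", "sampled", receiver_period_ms=20),
    Conn("DC06", "immediate", transport_ms=(0.5, 1.0)),
]

if __name__ == "__main__":
    print("delayed   :", check_budget(SEGMENTS, DETERMINISTIC, 50))
    print("sampled   :", check_budget(SEGMENTS, UNSYNCHRONISED, 50))
```

Both variants meet the 50 ms budget on worst case, which is the number a budget check alone would report; the delayed connection leaves only the execution-time variation of the segments as jitter, while the unsynchronised variant adds a full receiver period of it, which is the difference the "deterministic sampling" point is about.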
Outline

Project Overview
AADL Overview
MDS Architecture and Models
MBA with the AADL
Analysis Examples
• Latency
• Goal Network
Next Steps
Summary and Discussions
Modeling and Analysis of Mission Processing

Mission planning & plan execution
• Modeling and analysis framework in place by MDS
• Represent planning & plan execution tasks
• Represent goal-based fault management

Modeling the execution of the goal network
• AADL modes to represent active components and connections
• Identify operational modes/states in the execution of the goal network
• Identify layers and patterns in the goal network
• Recognize different categories of faults and fault management strategies

Analyze impact of runtime architecture
• Alternative hardware platforms, e.g., multi-core
• Workload and scheduling analysis driven by goal sequences
• Consistency of delegation & safing
• Responsiveness of replanning & consistent migration to new plans
Error Model Specification
Parameterization of error model
Architecture topology & mapping drive system fault model
Traceability between system fault model and system architecture
Outline
Project Overview
AADL Overview
MDS Architecture and Models
MBA with the AADL
Analysis Examples
Next Steps
Summary and Discussions
Next Steps

Phase 2 - Initiate transition and extend development verification efforts
• Complete extended case studies and case study report
  — Goal network analysis
  — Integral fault protection
  — Expanded control system analyses
• Develop analysis framework document
  — Detailed examples
• Develop a JPL transition plan

Phase 3 – Mature transition
• Conduct a pilot study in-line with a development project
• Support implementation of the JPL transition plan
• Develop an IV&V transition plan
Next Steps

Confirm and extend interim results
• Continue modeling and conducting analyses of the MDS and its adaptations
• Address the critical aspects and MDS themes identified in the case study
• Assess the ability to predict critical architecture properties in MDS implementations
• Explore the appropriateness of the AADL as an architectural framework for system and software assurance

Refine the model-based AADL Practice Framework to address the concerns of software assurance in project V&V and IV&V

Pursue the issues and research directions arising out of the case study that have long term implications for model-based software assurance

Continuing case study efforts
• Addressing the issues of handling state variables in the application model
• Investigating transport latency and latency jitter
• Modeling integral fault protection
Summary: AADL for Project V&V and IV&V

AADL
• SAE standard
• Models embedded software, computing platform, and physical environment
• Focus is the runtime essence of an architecture
• Precise & analyzable (lightweight, formal, qualitative, or quantitative)
• Separates application from computational system concerns
• Extensible (individualized property sets, specialized annexes)
• OMG MARTE AADL profile provides a migration path for the UML community

Basis for a V&V Analysis Practice
• Broad computing system (software and hardware) perspective
• Layered levels of analysis
• Lightweight analyses
• Detailed quantitative analyses
• Specialized analyses
• Single integrated architectural analysis representation