Julien Delange <julien dot delange at esa dot int>
The ASSERT Set of Tools for Engineering
(TASTE)
Julien Delange <[email protected]>
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.
Overview
• Introduction, rationale & approach overview
• System & application modeling
• TASTE toolset
• Case studies
• Conclusion, perspectives
Introduction – identified issues
• Communication problems
  • How to synchronize teams?
  • System representation
• Technical issues
  • Correct implementation
  • Integration
• Verification activities
  • Standards requirements
  • Associated cost
Introduction – increasing issues
• Systems contain more functions
  • Communication across more teams
  • More integration issues
• Function complexity increases
  • Impossible to make a bug-free system
  • Involves large teams, leading to management issues
• Verification is more and more restrictive
  • Cost keeps growing
• New tools and approaches required
Current solutions
• Brute-force approach
  • Increase the task-force resources
  • Spend more resources
• Software reuse
  • Take old components that work and are already verified …
  • … tailored for the integration of new functions
• Modeling and code generation
  • Abstraction to cope with current issues
  • Integration issues still occur
  • Cannot handle all system aspects
Limits of current solutions
• Brute-force approach: costly (time & money)
• Component reuse: still need to revalidate/certify
• Modeling: does not address all system aspects
TASTE toolchain
• Implementation of the ASSERT process
• Abstracts all system artifacts, from software to runtime
• Generates everything, builds a “correct by construction” system
Modeling levels
• Data view
  • Types to be used by system functions
  • Ex: TM/TC for a satellite
• Interface view
  • Functions to be executed by the system
  • Implementation-language independence
  • Ex: mode change, TC handling
• Deployment view
  • Execution of functions by computers
  • Describes execution constraints
Model processing
• Generate a single model
  • Vertical transformation approach
  • Transform user models into AADL models
• Automatic generation from the model
  • Generate all required code
  • Automatic interface with application code
• Validation/verification activities
  • Validate/verify AADL models
  • Reduce manual certification effort
[Figure: the data view, interface view and deployment view are combined by vertical transformation into a single AADL model, which feeds validation & verification and automatic implementation.]
Data view
• Relies on a well-known technique: ASN.1
• Used by interface view functions
  • Description of the data sent/received by system functions
• Auto-generate types and encoders
  • Automatic use by functions
  • Ensure data consistency
Interface view: functions
• Define system functions and their properties
  • Implementation language, period, protection level, ...
  • Ex: TC/TM management
• Interfaces for communication with other functions
  • Provided Interfaces (PI)
  • Required Interfaces (RI)
• Interface characteristics
  • Interface parameters specified with ASN.1
  • Active interface: executed in its own context
  • Passive interface: executed in the caller's context
  • Interface properties (inter-arrival time, …)
Interface view: supported languages
• Regular languages
  • Ada
  • C
• Application-level models
  • SDL/RTDS
  • Matlab/Simulink
• Hybrid languages
  • GUI
  • Python interfaces
• Data exchanges based on ASN.1!!!
Interface view: function interfaces
• Periodic (active)
  • No parameter
  • Execution on a periodic basis
• Sporadic (active)
  • One input parameter, activated on data reception
  • Execution constrained by a minimal inter-arrival time
• Protected (passive)
  • Several input/output parameters
  • Locks the other interfaces of the function (mutual exclusion)
• Unprotected (passive)
  • Several input/output parameters
  • No lock mechanism
Interface view example
System specification: two functions, one that pings (sends a number) to the other on a periodic basis.
Function pinger
● One provided periodic interface (activator) to activate the system function.
● One required interface to the receive_number interface of the pingee function.
Function pingee
● One provided sporadic interface (receive_number) to receive numbers.
● Interface to be triggered by the pinger function.
[Figure: function pinger, with its periodic Activator interface, connected to the sporadic receive_number interface of function pingee.]
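The pinger/pingee system above, run as a small Python simulation (an added example, not TASTE or PolyORB-HI code). It applies the dispatch rules the Interface View attaches to the two interfaces: pinger's periodic activator fires every period with no parameter and calls pingee's receive_number RI, while pingee's sporadic receive_number PI is activated by each arrival but never started more often than its MIAT. The period and MIAT values, the bounded queue of pending activations and the drop-on-overflow policy are assumptions of this example.

```python
"""Simulation of the pinger/pingee Interface View example (added example,
not TASTE runtime code). Time is simulated, in milliseconds."""
from dataclasses import dataclass, field

@dataclass
class Dispatch:
    arrival_ms: int   # when pinger's RI call reached pingee
    start_ms: int     # when pingee's sporadic PI actually started
    number: int       # the single input parameter of receive_number

@dataclass
class SporadicPI:
    """receive_number (sporadic, active): activated by data reception,
    executions separated by at least miat_ms."""
    miat_ms: int
    queue_size: int   # assumption: bounded queue of not-yet-started activations
    dispatched: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def receive_number(self, now_ms, number):
        # Earliest start that respects the minimal inter-arrival time.
        last = self.dispatched[-1].start_ms if self.dispatched else None
        start = now_ms if last is None else max(now_ms, last + self.miat_ms)
        # Activations accepted earlier but not yet started occupy the queue.
        pending = sum(1 for d in self.dispatched if d.start_ms > now_ms)
        if pending >= self.queue_size:
            self.dropped.append((now_ms, number))  # overload is visible, not silent
            return False
        self.dispatched.append(Dispatch(now_ms, start, number))
        return True

@dataclass
class PeriodicPI:
    """activator (periodic, active): no parameter, fires every period_ms."""
    period_ms: int

    def run(self, cycles, pingee):
        for k in range(cycles):
            # pinger's RI is connected to pingee's receive_number PI.
            pingee.receive_number(k * self.period_ms, number=k)

def simulate(period_ms, miat_ms, queue_size, cycles):
    """Run the pinger for `cycles` periods against a fresh pingee."""
    pingee = SporadicPI(miat_ms, queue_size)
    PeriodicPI(period_ms).run(cycles, pingee)
    return pingee

def start_times(pingee):
    return [d.start_ms for d in pingee.dispatched]

def miat_respected(pingee):
    """True if no two starts of the sporadic PI are closer than its MIAT."""
    starts = start_times(pingee)
    return all(b - a >= pingee.miat_ms for a, b in zip(starts, starts[1:]))

if __name__ == "__main__":
    # Pinger faster than pingee's MIAT: the rate limit holds, overflow is dropped.
    p = simulate(period_ms=40, miat_ms=100, queue_size=2, cycles=9)
    print("starts:", start_times(p), "dropped:", p.dropped, "ok:", miat_respected(p))
```

The point for a reviewer: the MIAT declared in the model bounds how often pingee can be activated even when pinger misbehaves, and a bounded queue makes the overload observable instead of letting it grow without limit.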
Deployment view
• Capture the execution environment
  • Processor: architecture and OS specification
  • Bus: protocol specification
  • Drivers: devices contained on a computer/board
• Allocate functions to boards
  • Implicit description of the distribution strategy
  • High-level representation of the system
Deployment view example
Board x86
● Intel processor, 64 bits, little endian
● Runs a regular Linux
● Sends data through Ethernet using the TCP/IP protocol
Board PPC
● PowerPC processor, 32 bits, big endian
● Runs the RTEMS executive runtime
● Receives data using the TCP/IP protocol
[Figure: Board x86 (CPU x86_64 / OS Linux, Driver eth) hosting function pinger, connected through Bus ethernet to Board PPC (CPU PPC / OS RTEMS, Driver eth) hosting function pingee.]
Toolset overview
[Figure: the TASTE GUI or a text editor, with TASTE-IV and TASTE-DV, produce the ASN.1 source, the Interface View and the Deployment View; asn1Scc turns the ASN.1 source into the Data View and the data management code; Buildsupport produces the Concurrency View and the glue code; Ocarina produces the architecture code, which is combined with the functional code.]
Toolset: ASN1Scc
• Converts an ASN.1 description into AADL models
  • Used for communication between functional blocks
  • Integration of ASN.1 types into AADL models
• Converts ASN.1 source into source code
  • Type definitions in C/Ada
  • Generation of encoding functions
  • Ensures safety-critical requirements
[Figure: ASN.1 source → asn1Scc → Data View (AADL) and data management code (Ada/C).]
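An added example (not asn1scc output or TASTE project code) of what the generated encoders do for the Data View, the ASN1Scc slide and the x86/PowerPC deployment example: a hand-written uPER codec for constrained ASN.1 INTEGERs and a SEQUENCE, where uPER is one of the encodings asn1scc generates. The types T-Number and T-Ping are constructed for this example; the encoder refuses values outside the declared constraint and the decoder rejects out-of-range or truncated messages instead of accepting them, and because the encoding is a bit string it does not depend on the byte order of the little-endian x86 sender or the big-endian PowerPC receiver.

```python
"""Added example, not asn1scc output: hand-written uPER codec for constrained
ASN.1 INTEGERs. Constructed types: T-Number ::= INTEGER (1..100) and
T-Ping ::= SEQUENCE { seq INTEGER (0..1023), number T-Number }"""
import math

class DecodeError(ValueError):
    """Received bits are not a valid value of the type."""

class ConstrainedInt:
    """INTEGER (lb..ub): uPER encodes value-lb in ceil(log2(range)) bits (range <= 65536 here)."""
    def __init__(self, name, lb, ub):
        if ub < lb or ub - lb + 1 > 65536:
            raise ValueError(f"{name}: unsupported range ({lb}..{ub})")
        self.name, self.lb, self.ub = name, lb, ub
        self.bits = math.ceil(math.log2(ub - lb + 1))

    def encode(self, value, out):
        # The encoder refuses values outside the ASN.1 constraint.
        if not self.lb <= value <= self.ub:
            raise ValueError(f"{self.name}: {value} outside ({self.lb}..{self.ub})")
        if self.bits:
            out.append(format(value - self.lb, f"0{self.bits}b"))

    def decode(self, bits, pos):
        if pos + self.bits > len(bits):
            raise DecodeError(f"{self.name}: truncated message")
        value = self.lb + (int(bits[pos:pos + self.bits], 2) if self.bits else 0)
        # A bit pattern can exceed ub when the range is not a power of two.
        if value > self.ub:
            raise DecodeError(f"{self.name}: {value} outside ({self.lb}..{self.ub})")
        return value, pos + self.bits

class Sequence:
    """SEQUENCE of mandatory components: fields are concatenated in order."""
    def __init__(self, name, fields):
        self.name, self.fields = name, fields

    def encode(self, values, out):
        for f in self.fields:
            f.encode(values[f.name], out)

    def decode(self, bits, pos):
        values = {}
        for f in self.fields:
            values[f.name], pos = f.decode(bits, pos)
        return values, pos

T_NUMBER = ConstrainedInt("number", 1, 100)
T_PING = Sequence("T-Ping", [ConstrainedInt("seq", 0, 1023), T_NUMBER])

def encode_message(typ, value):
    """Encode to octets; uPER pads the last octet with zero bits."""
    out = []
    typ.encode(value, out)
    bits = "".join(out)
    bits += "0" * (-len(bits) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))

def decode_message(typ, data):
    """Decode octets; raises DecodeError on malformed input."""
    bits = "".join(format(b, "08b") for b in data)
    return typ.decode(bits, 0)[0]

def safe_decode(typ, data):
    """What a receiving function does: (value, None) or (None, reason)."""
    try:
        return decode_message(typ, data), None
    except DecodeError as err:
        return None, str(err)
```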
Toolset: TASTE-IV (Interface view)
• Capture system functions
  • Specify properties and requirements
  • Output AADL models with software components
• Describe function interfaces
  • Periodic/sporadic/protected/unprotected
  • Specify timing properties (MIAT/period/…)
• Connect functions using the provided/required interface mechanism
Toolset: TASTE-DV (Deployment view)
• Capture the distributed architecture
  • Include all system nodes to be used
  • Output an AADL model with hardware components
• Describe system nodes
  • Architecture concerns
  • Device drivers to be used
  • Embedded functions
• Specify communication buses
  • e.g. SpaceWire, Ethernet, 1553, etc.
Toolset: TASTE-CV (Concurrency view)
• Edit the Concurrency View
• Perform schedulability analysis/feasibility tests (Cheddar)
• Simulate timing behavior (Marzhin)
Toolset: buildsupport
• Transform interfaces into resources
  • Tasks/data to be deployed on each system
  • Output AADL models with hardware and software components
• Integration into the architecture
  • Separate functions and resources across the nodes of the DV
  • Assign configuration properties to AADL components
• Generate glue between the architecture and application layers
  • Inject data from/to the architecture (drivers) into the application code (C/Ada)
[Figure: Interface View, Deployment View and Data View → Buildsupport → Concurrency View (AADL models) and glue code (C/Ada).]
Toolset: orchestrator
• Handles the development process
  • Input: interface/deployment views & ASN.1 source
  • Output: system binaries
• Workflow
  • Call buildsupport, generate the concurrency view & glue code
  • Generate ASN.1 encoders & type definitions (ASN1Scc)
  • Call Ocarina, generate the architecture code
  • Compile architecture code & functional code
• Python script
  • See assert-builder-ocarina.py
Toolset: Ocarina
• AADL → C/Ada architecture code
  • Generate generic architecture code
  • Avoid manual coding errors
  • No useless resources or code, thanks to the AADL descriptions
• Rely on a µmiddleware for OS integration
  • Translate generic code into OS-specific requests
  • PolyORB-HI-C & PolyORB-HI-Ada
  • Similar to OSAL from NASA
[Figure: Concurrency View → Ocarina → generic code + µmiddleware code, linked with the OS/executive runtime into the generated binary.]
Toolset: TASTE GUI
• Graphical interface to handle the development process
  • Similar to the orchestrator
• Assists users in system design
  • Code editing, skeleton generation
• Advanced functionalities
  • Timing analysis
  • Memory analysis
  • Automatic system deployment
  • Function testing
Robotic example: exoarm
• Human movement acquisition
• Data processing using Simulink models
• Reproduction of movements on robots
[Figure: movement capture → data acquisition → data processing → movement reproduction.]
Automotive domain: thermal control
• Thermal regulation control (e.g. motor temperature control)
• Assessment of TASTE against AUTOSAR requirements
Avionics domain: radar/GPS control
• Typical satellite system with TC/TM packets
• Configure TC/TM encryption
  • According to the satellite position
  • Avoid data transmission over unsafe areas
• Evaluation with different deployment strategies
  • PC
  • PC → <ethernet> → PC
  • PC → <serial> → LEON → <spw> → LEON → <serial> → PC
  • Demonstrates the deployment functionalities
Toy: unmanned drone
• Automatic control with wireless devices
• Integration of device drivers
  • Wireless drivers
  • Serial communication with an Arduino board
• Interface with the Arduino platform
  • Handles the electronic aspects
Conclusion
• Reduce the human factor
  • Avoid bugs!
• Reduce development cost
  • Time & money
• Verify, verify, verify!
  • As soon as possible
  • Everywhere!
Perspectives
• Enhance toolchains
  • Flexible vertical transformation
• Extend application models
  • Support other modeling approaches
• More than validation: certification!
  • Automatic certification (DO-178B, ECSS)
  • To be discussed … (very costly!)