The Emerging SAE AADL Standard: An Architecture Analysis & Design Language for Building Embedded...

The Emerging SAE AADL Standard: An Architecture Analysis & Design Language for Building Embedded

Real-Time Systems

Society of Automotive EngineersAvionic Systems Division

Embedded Computing Systems CommitteeAS-2C Avionics Architecture Description Language Subcommittee

Software Engineering InstituteEmbry-Riddle Aeronautical University

AADL TutorialAADL Tutorial I-2

Welcome

Bruce Lewis

Chair, SAE AS-2C Subcommittee

Army AMCOM SED

[email protected]

256-876-3224

http://www.aadl.info

Peter Feiler

Secretary & Technical Co-editor

Software Engineering Institute

[email protected]

412-268-7790

Dave Gluch

Embry-Riddle Aeronautical University &


[email protected]/[email protected]

386-226-6455

John Hudak


[email protected]

412-268-5291


Architecture Analysis & Design Language (AADL)

• Specification of computer systems and SoS.– Real-time

– Embedded

– Fault-tolerant

– Securely partitioned

– Dynamically configurable

• Software task and communication architectures – Component interface and structure, behavior, properties

• Bound to– Distributed multiple processor, integrated hardware architectures

• Fields of application– Avionics, Automotive, Aerospace, Autonomous systems, …

• Context and vocabulary for the integration of System Eng Technology– Capture of Architecture (& driving requirements), Analysis of Integration

Impact (through model checking), Automated Integration to specification.


Typical Software Development Process

Requirements Analysis

Design Implementation Integration

manual, paper intensive, error prone, resistant to change


Model-Based System Engineering

RequirementsAnalysis

Design, Analysis and

Implementation

System Integration

Predictable System Rapid Integration Upgradeability

Explicit Architecture M. Engineering ModelsUse of AADL

Model-Based & Architecture-Driven


Lifecycle Impact

• Requirements that impact computer software and hardware architecture modeled early with partial data

• System specification refined during design, coding and integration to final system – each change modeled / model checked against multiple analysis approaches.

• Specification is used to integrate system, generating middleware to control system execution and communication, generation is done in compliance with the formal analysis on RT O/S

• Specification used throughout the development process – not out of date so always ready for the next system evolution and additional analysis capability.


Ambulatory

InformationFusion

Supply Chain

Mechanized

Sensor& SignalProcessing

System Construction• AADL Runtime System • Application Software Integration

Devices Memory Bus Processor

AADL-Based System Engineering

AutomaticTargetRecognition

Guidance& Control

System Analysis• Schedulability• Performance• Reliability• Fault Tolerance• Dynamic Configurability

Model the ArchitectureAbstract, but

Precise

HTTPSDBGPS Ada Runtime

Execution Platform

. . . . . . . . . .

Application Software

SoftwareSystemEngineer

Application Developer


An SAE Standard• Sponsored by

– Society of Automotive Engineers (SAE)

– Avionics Systems Division (ASD)

– Embedded Systems (AS2)

– Avionics Architecture Description Language Subcommittee (AS2C)

• Contact– Bruce Lewis AS2C chair,

[email protected]

– http://www.aadl.info

– For Information email to [email protected]

• Balloted April 2004, expecting Core standard July.

Largest Provider of Avionics Standards


AS-2C ADL Subcommittee

• Bruce Lewis (AMCOM): Chair, technology user• Peter Feiler (SEI): Secretary, main author, editor,

technology user• Steve Vestal (Honeywell): MetaH originator, co-author• Ed Colbert (USC): AADL & UML Mapping• Joyce Tokar (Pyrrhus Software): Ada & C AnnexMembers• Boeing, Rockwell, Honeywell, Lockheed Martin,

Raytheon, Smith Industries, Airbus, Axlog, Dassault, EADS , Canadair, High Integrity Systems

• NAVAir, Open Systems JTF, British MOD, US Army• European Space AgencyCoordination with • NATO, COTRE, OMG-UML


Priority Processing

• Systems interested in immediate use– Common Missile (August)- Eglin AFB Weapons Integration (Toolset SBIRs)– Navy version of BlackHawk (possibly starting

training in June with pre-standard toolset)– European Space Agency (expected Fall 2004)– Airbus (prototype tool building started)– FCS and 7E7 (probably too late now but the sooner

the better)– Plug and Play (GD Immediate)– SEI Toolset development (started)– TNI Toolset development (started)– UML/OMG RFC – waiting, need to submit ASAP


MetaH Case Study at AMCOM• Missile Application reengineered

– Missile on-board software and 6DOF environment simulation executing on dual i80960MC, Tartan Ada, VME Boards

– Built to Generic Missile Reference Architecture

– Specified in MetaH, 12 to 16 concurrent processes

– MetaH reduced total re-engineering cost 40% on first project it was used on. Missile prime estimated savings at 66%.

• Missile Application ported to a new execution environment – multiple ports to single and dual processor implementations

– new processors (Pentium and PowerPC), compilers, O/S

– first time executable, flew correctly on each target environment– ports took a few weeks rather than 10 months.


AMCOM Effort Saved Using MetaH

Review 3-DOF Trans-late

6-DOF RT-6DOF

Trans-form

Test6DOF

RT-Missile

BuildDebug

Debug Re-target

MetaH

Current

TraditionalApproach

UsingMetaH0

1000

2000

3000

4000

5000

6000

7000

8000

Ma

n H

ou

rs

Total project savings 50%, re-target savings 90%

Benefit During Application Rewrite

Benefit During Platform Retarget


Why AADLArchitecture Analysis and Design Language

• Concept - Applies systems engineering (analytical) approach to software intensive systems rather than brute force. Early analysis instead of late failure.

• Needed – analyzable architecture =>key to sizable decrease in rework, integration and upgrade costs as well as program risk, complexity.

• Enables – rapid system evolution for complex, RT, safety critical systems with cross cutting constraints, predictable change to both HW and SW components.

• Open – Becoming a Standard, SAE, NATO, UML. • Readiness - 12 years of DARPA investment + experiments • Extendable – good foundation for additional capabilities in

analysis, automated system integration, system of systems, distribution, dynamics.


An XML-Based AADL Tool Strategy

AADL Model XML

TextualAADL

GraphicalAADL

SchedulingAnalysis

ReliabilityAnalysis

Filter to MarkovAnalysis

AADL InstanceXML

CommercialTool likeTimeWiz

Complete Execution Platform Binding

SafetyAnalysis

Project-SpecificIn-House

AADL RuntimeGenerator


Platform Runtime

Workspace

Help

TeamWorkbench

JFace

SWT

Eclipse Environment

JavaDevelopment

Tools(JDT)

AnalysisTool

Via XMLAADL

TextualEditor

AADL Parser

An Open Source AADL Environment

Plug-inDevelopmen

tEnvironment

(PDE)

Eclipse Platform

Debug

AADLGraphical

Editor

AADL Environment

AADL Object

API

XMLDocument

Persistence

AnalysisTool

Via Java

StandaloneGeneration

Tool


Some MetaH History

1991 DARPA DSSA program begins1992 Partitioned PFP target (Tartan MAR/i960MC)1994 Multi-processor target (VME i960MC)1995 Slack stealing scheduler1998 Portable Ada 95 and POSIX middleware configurations1999 Hybrid automata verification of core middleware modules

Numerous evaluation and demonstration projects, e.g.Missile G&C reference architecture, demos, others (AMCOM SED)Hybrid automata formal verification (AFOSR, Honeywell)Missile defense (Boeing)Fighter guidance SW fault tolerance (DARPA, CMU, Lockheed-Martin)Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell)Comanche study (AMCOM, Comanche PO, Boeing, Honeywell)Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech)Advanced Intercept Technology CWE (BMDO, MaxTech)Adaptive Computer Systems (DARPA, Honeywell)Avionics System Performance Management (AFRL, Honeywell)Ada Software Integrated Development/Verification (AFRL, Honeywell)FMS reference architecture (Honeywell)JSF vehicle control (Honeywell)IFMU reengineering (Honeywell)

MetaH - Precursor to AADL


AADL in Context

Research ADLs• MetaH

– Real-time, modal, system family– Analysis & generation– RMA based scheduling

• Rapide, Wright, ..– Behavioral validation

• ADL Interchange– ACME, xADL– ADML (MCC/Open Group, TOGAF)

Industrial Strength• UML 2.0, UML-RT• HOOD/STOOD• SDL

AADLExtensibleReal-time

Dependable

Basis

Influence

Alignment

Enhancement

Airbus & ESA

Extension

DARPA Funded Research since 1990


AADL/UML Relationship

UML 2.0

UML-RTPerformanceTimeliness

UML 1.4Detailed design

AADLCore

Dependability

Security

Extensible AADL AnnexesUML Working Groups

To Be submitted to OMG for Adoption

AADLUML Profile


What Is Involved In Using The AADL?

• Specify software & hardware system architectures

• Specify component interfaces and implementation properties

• Analyze system timing, reliability, partition isolation

• Tool-supported software and system integration

• Verify source code compliance & middleware behavior

Model and analyze early and throughout product life cycle


A Control Engineer Perspective

with Text_IO;package Main is

begin

type real is digits 14;type flag is boolean;

x : real := 0.0;ready : flag := TRUE;

K1 K2s+

-

Matlab

Component Analysis

Application Code


begin



Simulink

Tune parameters

Continuous feedback for a control engineer

Validate simulation

Continuous feedback

in a controller


A Software System Engineer Perspectivewith Text_IO;package Main is

begin



AADL Tools


begin



AADL Runtimepackage Dispatcher is

A.p1 := B.p2;Case 10ms: dispatch(a);dispatch(b);

T1 T2 T3 T4

12 12 5 623 34 8 824 23 234

Timing analysisReliability analysis R1 R2 R3 R4

12 12 5 623 34 8 824 23 234

T1 T2 T3 T4

12 12 5 623 34 8 824 23 234

T1 T2 T3 T4

12 12 5 623 34 8 824 23 2 34

RuntimeData

R1 R2 R3 R4

12 12 5 623 34 8 824 23 234

Refine properties

Continuous feedback for software system engineer

ApplicationComponents

AADL-based Architecture Model

ExecutionPlatform


A Combined Perspective


begin



K1 K2s+

-

MatlabComponent Analysis

Application Code


begin



SimulinkTune parameters

Continuous interaction between

Control engineer & system engineer

Validate simulationAADL-based

Architecture Models

AADL Tools AADL Runtimepackage Dispatcher is

A.p1 := B.p2;Case 10ms: dispatch(a); dispatch(b);

T1 T2 T3 T4

12 12 5 623 34 8 824 23 234

Timing analysisReliability analysis R1 R2 R3 R4

12 12 5 623 34 8 824 23 234

T1 T2 T3 T4

12 12 5 623 34 8 824 23 234

T1 T2 T3 T4

12 12 5 623 34 8 824 23 2 34

RuntimeData

R1 R2 R3 R4

12 12 5 623 34 8 824 23 234

Refine properties


Application Components as Plug-ins

Strong Partitioning • Timing Protection• OS Call Restrictions• Memory Protection

Interoperability/Portability• Tailored Runtime Executive• Standard RTOS API• Application Components

Real-Time Operating System


Component

Embedded Hardware Target

AADL Runtime System


Component


Component


Component


Predictable System Integration

• Required, predicted, and actual runtime properties• Application components designed against functional

and non-functional properties• Application code separated from task dispatch &

communication code• Consistency between task & communication model

and implementation through generation• Feedback into model parameters: refinement of

estimated performance values


Potential Users

• Airbus• ESA • Rockwell Collins• Lockheed Martin• Smith Industries• Raytheon• Boeing FCS• Automotive OEPs• Common Missile• RT Plug and Play

Leading Candidate for system of systems modeling, analysis

Modeling of Satellite Systems, proposed ASSERT with AADL

Modeling of Helicopter Avionics Software System

New System Engineering Approach based on AADL

New System Engineering tools using AADL.

Adopted for system integration analysis to support standard


AADL Components - Graphical

process


System Composition

Thread

Execution Platform

processor

memory

System

data

device

bus


Modeling Vocabulary• Application System

– Thread– Thread Group– Process– System– Package– Subprogram– Data (shared/message)– Data Port– Event– Event Port– Event Data Port– Connection– Mode

• Execution Platform– Processor– Memory– Device– Bus– System

• Extension– Inheritance– Properties– Sublanguages (safety, flow, user

defined, … component behavior ….)

– Domain Specific Annexes


Graphical & Textual Notation

system Data_Acquisition provides speed_data: in data metric_speed; GPS_data: in data position_carthesian; user_input_data: in data user_input; s_control_data:out data state_control;

end Data_Acquisition;

speed_data

userinputdata

GPS_data

Data_Acquisition

s_control_data

data port

data type of port

data port


AADL Component Interaction

Flight Mgr

WarningsAnnunciations

MFD Pilot

MFD Copilot

data

1553

Weapons Mgr

• Unidirectional data & event flow

• Synchronous call/return

• Managed shared data access


Application System & Execution Platform

Flight Mgr

WarningsAnnunciations

MFD Pilot

MFD Copilot

data

1553

Weapons Mgr

CoPilot Display

Display Processor

Pilot Display

Display Processor

High speed network

MissionProcessor

1553 bus

Application system binding to execution platform


Thread Properties

• Dispatch_Protocol => Periodic;• Period => 100 ms;• Compute_Deadline => Period;• Compute_Execution_Time => 20 ms; • Initialize_Deadline => 10 ms;• Initialize_Execution_Time => 1 ms;• Compute_Entrypoint => “Calculate_Trajectory”;• Source_Text => “waypoint.java”;• Source_Code_Size => 1.2 KB;• Source_Data_Size => .5 KB;

File containing the application code

Dispatch execution properties

Code function to be executed on dispatch


Thread Hybrid Automata


SubprogrThread T1

Server Thread T2

Process Prc1

System Subsystem1

SP1

SP2

SP3RSP1

Data1:Pos

Process Prc2

Thread T3Data1:

Pos

Thread T1Data1

Data1:Pos

System System1

Thread T2E1

E1

E1

Typed and constrained data streams

Thread Dispatch Protocols

PeriodicAperiodicSporaticBackgroundClient - Server

Immediate and delayed communication

Shared data

Task & Interaction Architecture

DirectionalData, event, message portsQueued and unqueued xfer

Call/ReturnLocal subprogram

Client/server subprogram

Shared AccessPersistent, shareable

dataAccess coordination


Suspended

Initialized Thread

Inactive

UninitializedThread

Active

DeactivateComplete:

ActiveInNewMode:

Terminate:

Terminated Thread

Dispatch:

Complete:

Fault:Recovered:

InitializeComplete:

ActiveInInitMode:InactiveInInitMode:

InactiveInNewMode:

ActivateComplete:

FinalizeComplete:Thread State with Source Code Execution

Initialize

Activate

Deactivate

Finalize

Compute

Recover

Thread State

Repaired:

Thread States

ActiveMember of

current mode

InactiveNot member of current mode

Application Source EntrypointsApplication as Plug-in


SubprogThread T1

Server Thread T2

Process Prc1

System Subsystem1

SP1

SP2

SP3RSP1

Data1:Pos

Process Prc2

Thread T3Data1:

Pos

Thread T1Data1

Data1:Pos

System System1

Thread T2E1

E1

E1Shared data

Hierarchical Modes

Initial Mode A: Prc1, Prc2;Mode B: Prc1, Prc3; Process Prc3

Initial Mode A: T1, T2, T3;Mode B: T1, T2;

E1 A

E1 A

E1 A

Application Source Internal ModeConditional code

Mode as Alternative Configuration


Process Prc1

System Subsystem1

Thread T3

System System1

Process Prc2

Thread T3

Processor PC1

System LinuxBox

Memory

System LinuxNet

Processor PC2

Memory

Bus

Systems & Execution Platforms

Processors, buses, memory, and devices as Virtual Machines

Threads as logical unit of concurrency


AADL and Scheduling

• AADL provides precise dispatch & communication semantics via hybrid automata

• AADL task & communication abstraction does not prescribe scheduling protocols– Cyclic executive can be supported

• Specific scheduling protocols may require additional properties

• Predefined properties support rate-monotonic fixed priority preemptive scheduling

This scheduling protocol is analyzable, requires small runtime footprint,

provides flexible runtime architecture


Faults and Modes

• AADL provides a fault handling framework with precisely defined actions

• AADL supports runtime changes to task & communication configurations

• AADL defines timing semantics for task coordination on mode switching

• AADL supports specification of mode transition actions• System initialization & termination are explicitly

modeled


Behavior Modeling

• Operational modes (in core AADL)

• Runtime reconfiguration (in core AADL)

• End-to-end flows (in core AADL)

• Interaction behavior (extension)– Port interaction pattern of component

– Interaction protocol of connection

• Error models & reliability analysis (extension)

State reachability

Flow traceability

Protocol verification

Model checking


System Safety Engineering

Capture the results of• hazard analysis• component failure modes & effects analysis

Specify and analyze• fault trees• Markov models• partition isolation/event independence

Integration of system safety with architectural design• enables cross-checking between models• insures safety models and design architecture are consistent

• reduces specification and verification effort

Supported by Error Model Annex


AADL Version 2 Research Ideas

• 1. Dynamic Reconfigurable Real-Time Fault-Tolerant Asynchronous Architectures

• 2. Additional trackable automated modeling and analysis methods for architectural specs (composition, pattern recognition to reduce state space)

• 3. Rigorous links/relations between multiple engineering modeling approaches – Simulink/VHDL – AADL, SDL – AADL, compositional scheduling

• 4. Architectural verification -(is the Architecture spec correct and do components comply with their specs, stronger plug and play )

• 5. Mode transition modeling, state space reduction for mode analysis/scheduling

• 6. Modeling of specific system building approaches/patterns – example RT CORBA that can be applied as abstractions at a higher level but used to generate an implementation.

• 7. Modeling sublanguages and properties to support special areas of analysis for high integrity systems – Current Error modeling annex, safety and security annex, component behavior annex etc.


AADL Status

• Requirements document SAE ARD 5296– Input from aerospace industry– Balloted and approved in 2000

• SAE AADL document SAE AS 5506– Core language: In ballot April 2004, July availability– UML profile, XML schema, Error Model Annex, Ada and C

Annex in review, to be balloted in June 2004

Date post:	20-Dec-2015
Category:	Documents
View:	233 times
Download:	0 times

The Emerging SAE AADL Standard: An Architecture Analysis & Design Language for Building Embedded...

Documents