The Emerging SAE AADL Standard: An Architecture Analysis & Design Language for Building Embedded Real-Time Systems
Society of Automotive Engineers, Avionic Systems Division
Embedded Computing Systems Committee, AS-2C Avionics Architecture Description Language Subcommittee
Software Engineering Institute, Embry-Riddle Aeronautical University
AADL Tutorial I-2
Welcome
Bruce Lewis
Chair, SAE AS-2C Subcommittee
Army AMCOM SED
256-876-3224
http://www.aadl.info
Peter Feiler
Secretary & Technical Co-editor
Software Engineering Institute
412-268-7790
Dave Gluch
Embry-Riddle Aeronautical University &
Software Engineering Institute
[email protected]/[email protected]
386-226-6455
John Hudak
Software Engineering Institute
412-268-5291
AADL Tutorial I-3
Architecture Analysis & Design Language (AADL)
• Specification of computer systems and SoS.
– Real-time
– Embedded
– Fault-tolerant
– Securely partitioned
– Dynamically configurable
• Software task and communication architectures
– Component interface and structure, behavior, properties
• Bound to
– Distributed multiple processor, integrated hardware architectures
• Fields of application
– Avionics, Automotive, Aerospace, Autonomous systems, …
• Context and vocabulary for the integration of System Eng Technology
– Capture of Architecture (& driving requirements), Analysis of Integration Impact (through model checking), Automated Integration to specification.
AADL Tutorial I-4
Typical Software Development Process
Figure: Requirements Analysis, then Design, Implementation and Integration in sequence; the process is characterized as manual, paper intensive, error prone, resistant to change.
AADL Tutorial I-5
Model-Based System Engineering
Figure: Requirements Analysis; Design, Analysis and Implementation; System Integration. Use of AADL (explicit architecture, engineering models) makes the process model-based and architecture-driven, yielding a predictable system, rapid integration and upgradeability.
AADL Tutorial I-6
Lifecycle Impact
• Requirements that impact computer software and hardware architecture are modeled early with partial data
• System specification is refined during design, coding and integration to the final system; each change is modeled and model checked against multiple analysis approaches.
• The specification is used to integrate the system, generating the middleware that controls system execution and communication; generation is done in compliance with the formal analysis on the RT O/S
• The specification is used throughout the development process, so it is never out of date and always ready for the next system evolution and additional analysis capability.
AADL Tutorial I-7
AADL-Based System Engineering
Figure: application domains (Ambulatory, Information Fusion, Supply Chain, Mechanized, Sensor & Signal Processing, Automatic Target Recognition, Guidance & Control) are captured in an architecture model that is abstract but precise. System Analysis: Schedulability, Performance, Reliability, Fault Tolerance, Dynamic Configurability. System Construction: AADL Runtime System, Application Software Integration. Application Software runs on an Execution Platform (Devices, Memory, Bus, Processor, Ada Runtime). Roles shown: Software System Engineer and Application Developer.
AADL Tutorial I-8
An SAE Standard
• Sponsored by
– Society of Automotive Engineers (SAE)
– Avionics Systems Division (ASD)
– Embedded Systems (AS2)
– Avionics Architecture Description Language Subcommittee (AS2C)
• Contact
– Bruce Lewis, AS2C chair
– http://www.aadl.info
– For information email to [email protected]
• Balloted April 2004, expecting Core standard July.
SAE: largest provider of avionics standards
AADL Tutorial I-9
AS-2C ADL Subcommittee
• Bruce Lewis (AMCOM): Chair, technology user
• Peter Feiler (SEI): Secretary, main author, editor, technology user
• Steve Vestal (Honeywell): MetaH originator, co-author
• Ed Colbert (USC): AADL & UML Mapping
• Joyce Tokar (Pyrrhus Software): Ada & C Annex
Members
• Boeing, Rockwell, Honeywell, Lockheed Martin, Raytheon, Smith Industries, Airbus, Axlog, Dassault, EADS, Canadair, High Integrity Systems
• NAVAir, Open Systems JTF, British MOD, US Army
• European Space Agency
Coordination with
• NATO, COTRE, OMG-UML
AADL Tutorial I-10
Priority Processing
• Systems interested in immediate use
– Common Missile (August)
– Eglin AFB Weapons Integration (Toolset SBIRs)
– Navy version of BlackHawk (possibly starting training in June with pre-standard toolset)
– European Space Agency (expected Fall 2004)
– Airbus (prototype tool building started)
– FCS and 7E7 (probably too late now but the sooner the better)
– Plug and Play (GD Immediate)
– SEI Toolset development (started)
– TNI Toolset development (started)
– UML/OMG RFC – waiting, need to submit ASAP
AADL Tutorial I-11
MetaH Case Study at AMCOM
• Missile Application reengineered
– Missile on-board software and 6DOF environment simulation executing on dual i80960MC, Tartan Ada, VME Boards
– Built to Generic Missile Reference Architecture
– Specified in MetaH, 12 to 16 concurrent processes
– MetaH reduced total re-engineering cost 40% on the first project it was used on. Missile prime estimated savings at 66%.
• Missile Application ported to a new execution environment
– multiple ports to single and dual processor implementations
– new processors (Pentium and PowerPC), compilers, O/S
– first time executable, flew correctly on each target environment
– ports took a few weeks rather than 10 months.
AADL Tutorial I-12
AMCOM Effort Saved Using MetaH
Chart: man hours (0 to 8000) for the Traditional Approach versus Using MetaH, by phase: Review, 3-DOF, Translate 6-DOF, RT-6DOF, Transform, Test 6DOF, RT-Missile, Build, Debug, Re-target. The chart marks the benefit during application rewrite and the benefit during platform retarget.
Total project savings 50%, re-target savings 90%
AADL Tutorial I-13
Why AADL: Architecture Analysis and Design Language
• Concept – Applies a systems engineering (analytical) approach to software intensive systems rather than brute force. Early analysis instead of late failure.
• Needed – analyzable architecture => key to a sizable decrease in rework, integration and upgrade costs as well as program risk and complexity.
• Enables – rapid system evolution for complex, RT, safety critical systems with cross cutting constraints; predictable change to both HW and SW components.
• Open – Becoming a Standard: SAE, NATO, UML.
• Readiness – 12 years of DARPA investment + experiments
• Extendable – good foundation for additional capabilities in analysis, automated system integration, system of systems, distribution, dynamics.
AADL Tutorial I-14
An XML-Based AADL Tool Strategy
Figure: Textual AADL and Graphical AADL are stored as AADL Model XML. After complete execution platform binding, an AADL Instance XML feeds Scheduling Analysis (a commercial tool like TimeWiz), Reliability Analysis (filter to Markov analysis), Safety Analysis, and a project-specific in-house AADL Runtime Generator.
AADL Tutorial I-15
An Open Source AADL Environment
Figure: Eclipse Platform (Platform Runtime, Workspace, Help, Team, Workbench, JFace, SWT, Debug) with the Java Development Tools (JDT) and the Plug-in Development Environment (PDE). AADL Environment plug-ins: Textual Editor, AADL Parser, AADL Graphical Editor, AADL Object API, XML Document Persistence, Analysis Tool via XML AADL, Analysis Tool via Java, Standalone Generation Tool.
AADL Tutorial I-16
Some MetaH History
MetaH – Precursor to AADL
1991 DARPA DSSA program begins
1992 Partitioned PFP target (Tartan MAR/i960MC)
1994 Multi-processor target (VME i960MC)
1995 Slack stealing scheduler
1998 Portable Ada 95 and POSIX middleware configurations
1999 Hybrid automata verification of core middleware modules
Numerous evaluation and demonstration projects, e.g.
• Missile G&C reference architecture, demos, others (AMCOM SED)
• Hybrid automata formal verification (AFOSR, Honeywell)
• Missile defense (Boeing)
• Fighter guidance SW fault tolerance (DARPA, CMU, Lockheed-Martin)
• Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell)
• Comanche study (AMCOM, Comanche PO, Boeing, Honeywell)
• Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech)
• Advanced Intercept Technology CWE (BMDO, MaxTech)
• Adaptive Computer Systems (DARPA, Honeywell)
• Avionics System Performance Management (AFRL, Honeywell)
• Ada Software Integrated Development/Verification (AFRL, Honeywell)
• FMS reference architecture (Honeywell)
• JSF vehicle control (Honeywell)
• IFMU reengineering (Honeywell)
AADL Tutorial I-17
AADL in Context
Research ADLs
• MetaH
– Real-time, modal, system family
– Analysis & generation
– RMA based scheduling
• Rapide, Wright, ..
– Behavioral validation
• ADL Interchange
– ACME, xADL
– ADML (MCC/Open Group, TOGAF)
Industrial Strength
• UML 2.0, UML-RT
• HOOD/STOOD
• SDL
Figure: AADL (extensible, real-time, dependable) takes MetaH as its basis, with influence from the other research ADLs, alignment and enhancement with respect to the industrial-strength notations, and extensions from Airbus & ESA. DARPA funded research since 1990.
AADL Tutorial I-18
AADL/UML Relationship
Figure: UML 2.0, UML-RT (performance, timeliness) and UML 1.4 (detailed design) relate to the AADL Core through an AADL UML Profile; the extensible AADL Annexes (Dependability, Security) correspond to UML Working Groups. To be submitted to OMG for adoption.
AADL Tutorial I-19
What Is Involved In Using The AADL?
• Specify software & hardware system architectures
• Specify component interfaces and implementation properties
• Analyze system timing, reliability, partition isolation
• Tool-supported software and system integration
• Verify source code compliance & middleware behavior
Model and analyze early and throughout product life cycle
AADL Tutorial I-20
A Control Engineer Perspective
Figure: a controller (block diagram with gains K1 and K2/s and a summing junction) is analyzed as a component in Matlab and tuned and validated by simulation in Simulink; the result is application code (Ada fragment: with Text_IO; package Main ... type real is digits 14; type flag is boolean; x : real := 0.0; ready : flag := TRUE;). Continuous feedback for a control engineer; continuous feedback in a controller.
AADL Tutorial I-21
A Software System Engineer Perspective
Figure: application components (the same Ada code fragments) are placed in an AADL-based architecture model together with the execution platform. AADL tools run timing analysis and reliability analysis over tables of per-thread (T1 to T4) and per-resource (R1 to R4) values; an AADL runtime (package Dispatcher: A.p1 := B.p2; case 10ms: dispatch(a); dispatch(b);) executes the system, and runtime data is fed back to refine properties. Continuous feedback for the software system engineer.
AADL Tutorial I-22
A Combined Perspective
Figure: the two previous views joined. The control engineer's Matlab component analysis, Simulink parameter tuning and simulation validation produce the application code; the system engineer's AADL-based architecture models, AADL tools (timing analysis, reliability analysis) and AADL runtime feed runtime data back to refine properties. Continuous interaction between control engineer & system engineer.
AADL Tutorial I-23
Application Components as Plug-ins
Strong Partitioning
• Timing Protection
• OS Call Restrictions
• Memory Protection
Interoperability/Portability
• Tailored Runtime Executive
• Standard RTOS API
• Application Components
Figure: Application Software Components plug into the AADL Runtime System, which runs on a Real-Time Operating System over the Embedded Hardware Target.
AADL Tutorial I-24
Predictable System Integration
• Required, predicted, and actual runtime properties
• Application components designed against functional and non-functional properties
• Application code separated from task dispatch & communication code
• Consistency between task & communication model and implementation through generation
• Feedback into model parameters: refinement of estimated performance values
AADL Tutorial I-25
Potential Users
• Airbus
• ESA
• Rockwell Collins
• Lockheed Martin
• Smith Industries
• Raytheon
• Boeing FCS
• Automotive OEPs
• Common Missile
• RT Plug and Play
Figure annotations: Leading candidate for system of systems modeling, analysis; Modeling of satellite systems, proposed ASSERT with AADL; Modeling of helicopter avionics software system; New system engineering approach based on AADL; New system engineering tools using AADL; Adopted for system integration analysis to support standard.
AADL Tutorial I-26
AADL Components – Graphical
Figure: graphical symbols for application software components (system, process, thread, data) and execution platform components (processor, memory, device, bus); system composition nests these components.
AADL Tutorial I-27
Modeling Vocabulary
• Application System
– Thread
– Thread Group
– Process
– System
– Package
– Subprogram
– Data (shared/message)
– Data Port
– Event
– Event Port
– Event Data Port
– Connection
– Mode
• Execution Platform
– Processor
– Memory
– Device
– Bus
– System
• Extension
– Inheritance
– Properties
– Sublanguages (safety, flow, user defined, … component behavior ….)
– Domain Specific Annexes
AADL Tutorial I-28
Graphical & Textual Notation
    system Data_Acquisition
      provides
        speed_data: in data metric_speed;
        GPS_data: in data position_carthesian;
        user_input_data: in data user_input;
        s_control_data: out data state_control;
    end Data_Acquisition;
Figure: graphical form of Data_Acquisition with data ports speed_data, user_input_data and GPS_data entering and s_control_data leaving; each data port is labeled with the data type of the port.
AADL Tutorial I-29
AADL Component Interaction
Figure: Flight Mgr, Warnings/Annunciations, MFD Pilot, MFD Copilot and Weapons Mgr components exchanging data over a 1553 connection.
• Unidirectional data & event flow
• Synchronous call/return
• Managed shared data access
AADL Tutorial I-30
Application System & Execution Platform
Figure: the application system (Flight Mgr, Warnings/Annunciations, MFD Pilot, MFD Copilot, Weapons Mgr, data over 1553) bound to an execution platform of a Mission Processor, two Display Processors driving the Pilot Display and the CoPilot Display, a high speed network and a 1553 bus.
Application system binding to execution platform
AADL Tutorial I-31
Thread Properties
• Dispatch_Protocol => Periodic;
• Period => 100 ms;
• Compute_Deadline => Period;
• Compute_Execution_Time => 20 ms;
• Initialize_Deadline => 10 ms;
• Initialize_Execution_Time => 1 ms;
• Compute_Entrypoint => "Calculate_Trajectory";
• Source_Text => "waypoint.java";
• Source_Code_Size => 1.2 KB;
• Source_Data_Size => .5 KB;
Annotations: dispatch execution properties; code function to be executed on dispatch (Compute_Entrypoint); file containing the application code (Source_Text).
AADL Tutorial I-32
Thread Hybrid Automata
AADL Tutorial I-33
Task & Interaction Architecture
Figure: System System1 contains System Subsystem1 with Process Prc1 (Thread T1 calling subprograms SP1, SP2, SP3; Server Thread T2 offering remote subprogram RSP1; shared Data1:Pos) and Process Prc2 (Thread T1, Thread T3, Data1:Pos); event E1 connects the threads.
Thread dispatch protocols: Periodic, Aperiodic, Sporadic, Background, Client-Server
Typed and constrained data streams
Immediate and delayed communication
Shared data
Directional data, event, message ports; queued and unqueued transfer
Call/Return: local subprogram; client/server subprogram
Shared access: persistent, shareable data; access coordination
AADL Tutorial I-34
Thread States
Figure: thread state with source code execution. An Uninitialized Thread runs Initialize; on InitializeComplete it is an Initialized Thread, either Active (member of current mode, via ActiveInInitMode) or Inactive (not member of current mode, via InactiveInInitMode). An Active thread is Suspended until Dispatch, runs Compute, and returns on Complete; on Fault it runs Recover (transitions Recovered, Repaired). Mode switches run Deactivate (DeactivateComplete, InactiveInNewMode) or Activate (ActivateComplete, ActiveInNewMode). Terminate runs Finalize; on FinalizeComplete the thread is a Terminated Thread. Application source entrypoints (Initialize, Activate, Deactivate, Finalize, Compute, Recover) are the points at which the application plugs in.
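As an added example (not code from the tutorial or from an AADL runtime), the Python below models the thread lifecycle in this figure together with the plug-in idea of slide I-23: a runtime executive owns the thread state and calls the application's Initialize, Compute, Recover and Finalize entrypoints, so a fault raised inside Compute is handled by the executive, not by the component. The transition table is a simplified reconstruction from the names on the slide (the Activate/Deactivate mode-switch transitions are omitted) and is an assumption, not the normative AADL automaton; the fault scenario is constructed.

```python
# Added example (not tutorial or AADL-runtime code): a thread executive with the
# application as plug-in. Names follow the thread-state slide; the transition table
# is a simplified reconstruction and an assumption, not AADL's normative automaton.

# (current state, event) -> (next state, application entrypoint to run, or None)
TRANSITIONS = {
    ("uninitialized", "Initialize"):        ("initializing", "Initialize"),
    ("initializing", "InitializeComplete"): ("suspended", None),
    ("suspended", "ActiveInInitMode"):      ("awaiting_dispatch", None),
    ("awaiting_dispatch", "Dispatch"):      ("computing", "Compute"),
    ("computing", "Complete"):              ("awaiting_dispatch", None),
    ("computing", "Fault"):                 ("recovering", "Recover"),
    ("recovering", "Recovered"):            ("awaiting_dispatch", None),
    ("awaiting_dispatch", "Terminate"):     ("finalizing", "Finalize"),
    ("finalizing", "FinalizeComplete"):     ("terminated", None),
}
# Event the executive raises itself when an entrypoint returns normally.
COMPLETION = {"Initialize": "InitializeComplete", "Compute": "Complete",
              "Recover": "Recovered", "Finalize": "FinalizeComplete"}

class ThreadExecutive:
    """Owns the thread state; the component supplies entrypoints but never decides
    when it is dispatched, recovered or finalized."""
    def __init__(self, entrypoints):
        self.entrypoints = entrypoints          # {"Compute": callable, ...}
        self.state, self.trace = "uninitialized", []

    def fire(self, event):
        if (self.state, event) not in TRANSITIONS:
            raise ValueError(f"{event} not allowed in state {self.state}")
        self.state, entrypoint = TRANSITIONS[(self.state, event)]
        self.trace.append(event)
        if entrypoint is not None:
            self._run(entrypoint)

    def _run(self, entrypoint):
        try:
            self.entrypoints.get(entrypoint, lambda: None)()   # absent entrypoint: no-op
        except Exception as exc:
            if entrypoint != "Compute":
                raise                    # only Compute faults are recoverable in this model
            self.trace.append(f"fault:{exc}")
            self.fire("Fault")           # runs Recover; its completion fires Recovered
        else:
            self.fire(COMPLETION[entrypoint])

def run_demo():
    """Three dispatches; the second Compute raises a constructed fault and is recovered."""
    log, n = [], [0]
    def compute():
        n[0] += 1
        if n[0] == 2:
            raise RuntimeError("control law overflow")
        log.append("computed")
    ex = ThreadExecutive({"Initialize": lambda: log.append("init"), "Compute": compute,
                          "Recover": lambda: log.append("recovered")})
    for event in ("Initialize", "ActiveInInitMode", "Dispatch", "Dispatch", "Dispatch", "Terminate"):
        ex.fire(event)
    return ex.state, log, ex.trace
```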
AADL Tutorial I-35
Mode as Alternative Configuration
Figure: the System1/Subsystem1 example with hierarchical modes. Subsystem1: Initial Mode A: Prc1, Prc2; Mode B: Prc1, Prc3 (Process Prc3). Prc1: Initial Mode A: T1, T2, T3; Mode B: T1, T2. Event E1 labels the mode transitions out of mode A; Data1:Pos is shared data. Application source internal mode: conditional code.
AADL Tutorial I-36
Systems & Execution Platforms
Figure: System System1 (Subsystem1 with Process Prc1 and Thread T3, and Process Prc2 with Thread T3) bound to System LinuxNet, consisting of System LinuxBox (Processor PC1, Memory), Processor PC2, Memory and a Bus.
Processors, buses, memory, and devices as Virtual Machines
Threads as logical unit of concurrency
AADL Tutorial I-37
AADL and Scheduling
• AADL provides precise dispatch & communication semantics via hybrid automata
• AADL task & communication abstraction does not prescribe scheduling protocols
– Cyclic executive can be supported
• Specific scheduling protocols may require additional properties
• Predefined properties support rate-monotonic fixed priority preemptive scheduling
This scheduling protocol is analyzable, requires a small runtime footprint, and provides a flexible runtime architecture
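As an added example (not from the tutorial or any AADL tool), the following Python takes thread records carrying the properties listed on slide I-31 (Dispatch_Protocol, Period, Compute_Execution_Time, Compute_Deadline) and runs the rate-monotonic analysis this slide refers to: the Liu-Layland utilization bound and exact response-time analysis, including a task set that exceeds the bound yet is schedulable and one that misses its deadline. Only Calculate_Trajectory's Period and Compute_Execution_Time come from the slide; the other thread names and values are constructed.

```python
# Added example (not code from the AADL tutorial or any AADL tool): rate-monotonic
# schedulability analysis over thread records whose fields mirror the property
# names on the Thread Properties slide. Task sets are constructed; only
# Calculate_Trajectory's Period/Compute_Execution_Time come from the slide.
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class Thread:
    name: str
    period: int                  # Period => ... ms
    compute_execution_time: int  # Compute_Execution_Time => ... ms
    compute_deadline: int        # Compute_Deadline => Period unless overridden
    dispatch_protocol: str = "Periodic"

def utilization(threads):
    """Total processor utilization, sum of C_i / T_i."""
    return sum(t.compute_execution_time / t.period for t in threads)

def liu_layland_bound(n):
    """Sufficient (not necessary) RMA utilization bound for n periodic threads."""
    return n * (2 ** (1.0 / n) - 1)

def response_times(threads):
    """Exact response-time analysis for fixed-priority preemptive scheduling with
    rate-monotonic priorities (shorter Period = higher priority). Iteration stops
    at the fixpoint or as soon as Compute_Deadline is exceeded."""
    for t in threads:
        if t.dispatch_protocol != "Periodic":
            raise ValueError(f"{t.name}: RMA needs Dispatch_Protocol => Periodic")
    ordered = sorted(threads, key=lambda t: t.period)
    result = {}
    for i, t in enumerate(ordered):
        higher_priority = ordered[:i]
        r = t.compute_execution_time
        while True:
            interference = sum(ceil(r / h.period) * h.compute_execution_time
                               for h in higher_priority)
            r_next = t.compute_execution_time + interference
            if r_next == r or r_next > t.compute_deadline:
                r = r_next
                break
            r = r_next
        result[t.name] = r
    return result

def schedulable(threads):
    """True when every thread's worst-case response time meets its Compute_Deadline."""
    rt = response_times(threads)
    return all(rt[t.name] <= t.compute_deadline for t in threads)

TRAJECTORY = Thread("Calculate_Trajectory", 100, 20, 100)   # values from the slide
SENSOR = Thread("Sensor_Fusion", 50, 10, 50)                # constructed
TASK_SET = [TRAJECTORY, SENSOR, Thread("Display_Update", 200, 60, 200)]
# Utilization 0.95 exceeds the Liu-Layland bound (0.78) yet exact analysis passes:
HEAVY_SET = [TRAJECTORY, SENSOR, Thread("Display_Update", 200, 110, 200)]
# Display_Update's response time (210 ms) exceeds its 200 ms deadline:
OVERLOADED_SET = [TRAJECTORY, SENSOR, Thread("Display_Update", 200, 130, 200)]
```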
AADL Tutorial I-38
Faults and Modes
• AADL provides a fault handling framework with precisely defined actions
• AADL supports runtime changes to task & communication configurations
• AADL defines timing semantics for task coordination on mode switching
• AADL supports specification of mode transition actions
• System initialization & termination are explicitly modeled
AADL Tutorial I-39
Behavior Modeling
• Operational modes (in core AADL)
• Runtime reconfiguration (in core AADL)
• End-to-end flows (in core AADL)
• Interaction behavior (extension)
– Port interaction pattern of component
– Interaction protocol of connection
• Error models & reliability analysis (extension)
Analyses: state reachability, flow traceability, protocol verification, model checking
AADL Tutorial I-40
System Safety Engineering
Capture the results of
• hazard analysis
• component failure modes & effects analysis
Specify and analyze
• fault trees
• Markov models
• partition isolation/event independence
Integration of system safety with architectural design
• enables cross-checking between models
• ensures safety models and design architecture are consistent
• reduces specification and verification effort
Supported by Error Model Annex
AADL Tutorial I-41
AADL Version 2 Research Ideas
1. Dynamic Reconfigurable Real-Time Fault-Tolerant Asynchronous Architectures
2. Additional trackable automated modeling and analysis methods for architectural specs (composition, pattern recognition to reduce state space)
3. Rigorous links/relations between multiple engineering modeling approaches – Simulink/VHDL – AADL, SDL – AADL, compositional scheduling
4. Architectural verification (is the Architecture spec correct and do components comply with their specs; stronger plug and play)
5. Mode transition modeling, state space reduction for mode analysis/scheduling
6. Modeling of specific system building approaches/patterns – for example RT CORBA – that can be applied as abstractions at a higher level but used to generate an implementation.
7. Modeling sublanguages and properties to support special areas of analysis for high integrity systems – current Error Model annex, safety and security annex, component behavior annex, etc.
AADL Tutorial I-42
AADL Status
• Requirements document SAE ARD 5296
– Input from aerospace industry
– Balloted and approved in 2000
• SAE AADL document SAE AS 5506
– Core language: in ballot April 2004, July availability
– UML profile, XML schema, Error Model Annex, Ada and C Annex in review, to be balloted in June 2004