1. INTRODUCTION. four years and by 2014 the cost of 27M SLOC of software is estimated to exceed $10B (see Figure 1).

Size: px
Start display at page:

Download "1. INTRODUCTION. four years and by 2014 the cost of 27M SLOC of software is estimated to exceed $10B (see Figure 1)."

Transcription

1 Model-Based Validation of Safety-Critical Embedded Systems Peter H. Feiler Software Engineering Institute Carnegie Mellon University 4500 Fifth Ave Pittsburgh, PA Abstract Safety-critical systems have become increasingly software reliant and the current development process of build, then integrate has become unaffordable. 1,2 This paper examines two major contributors to today s exponential growth in cost: system-level faults that are not discovered until late in the development process; and multiple truths of analysis results when predicting system properties through model-based analysis and validating them against system implementations. We discuss the root causes of such system-level problems, and an architecturecentric model-based analysis approach of different operational quality aspects from an architecture model. A key technology is the SAE Architecture Analysis & Design Language (AADL) standard for embedded software-reliant system. It supports a single source approach to analysis of operational qualities such as responsiveness, safetycriticality, security, and reliability through model annotations. The paper concludes with a summary of an industrial case study that demonstrates the feasibility of this approach. four years and by 2014 the cost of 27M SLOC of software is estimated to exceed $10B (see Figure 1). TABLE OF CONTENTS 1. INTRODUCTION LATE DISCOVERY OF SYSTEM-LEVEL FAULTS MULTIPLE TRUTHS IN ANALYSIS RESULTS SAE AADL: AN EMBEDDED SOFTWARE SYSTEM MODELING STANDARD ARCHITECTURE-CENTRIC ROOT CAUSE ANALYSIS AN INDUSTRIAL CASE STUDY CONCLUSION...8 REFERENCES...9 BIOGRAPHY INTRODUCTION Embedded software systems have become a key component of systems, both in terms of contribution to the safetycriticality of the system and in terms of cost. Aerospace industry is experiencing exponential growth in size, complexity, errors, rework and cost of their onboard software. The current development process is reaching the limit of affordability of building safe aircraft. The size with respect to source lines of code (SLOC) has doubled every Figure 1 - Estimated Onboard SLOC Growth In this paper we are first examining two major contributors to this exponential growth in cost: system-level faults that are not discovered until late in the development process; and multiple truths of analysis results when predicting system properties through model-based analysis and validating them against system implementations. Then we are discussing a technical solution that addresses these challenges and summarize an industrial case study that demonstrates the feasibility of this approach /10/$ IEEE 2 IEEEAC paper#1614, Version 1, Updated 2009:10:30 1

2 2. LATE DISCOVERY OF SYSTEM-LEVEL FAULTS Several studies [1,2,3] have examined where in the life cycle faults are introduced, where they are discovered, and the cost of repair. Figure 2 shows that 70% of faults are introduced early in the life cycle through design, while only 3.5% are discovered during that period. 20% of faults are introduced during code development and unit testing, while 16% are discovered during that time. During integration, system, and acceptance testing 10% of faults are introduced while 60% are discovered during that time with the remaining 20% discovered during operation. If we can discover a reasonable portion of these late system-level faults through model-based validation earlier in the development process we can expect considerable cost savings. Figure 2: Benefits of Early Fault Discovery In order to gain insight into this problem let us examine the question: Why do system-level failures occur despite the deployment of best design methods and fault-tolerance techniques? Hazard analysis by system engineers considers the system in its operational environment to address safetycriticality concerns of key capabilities. Similarly, fault tolerance approaches such as hardware redundancy for managing hardware failures are well established in both system engineering and computer hardware engineering. However, the focus is on the system as a whole and on the failure of hardware components, while fault contribution of embedded software has been increasing. Figure 3: Mismatched Assumptions The problem is due to mismatched assumptions made by different members of an engineering team. This is illustrated in Figure 3. In addition to the potential mismatch between operator procedures and the system interface and the assumptions control engineers make about the physical plant under control, the translation of the functionality into software, the execution of the software components as a communicating set of tasks, their deployment on a distributed computer platform, and the flow of timesensitive information through the embedded software all have the potential for introducing faults. For example, in a functional hazard assessment (FHA) [4] the system engineer may make the assumption that the pilot does not have to manually intervene in the communication between a dual redundant fuel quantity indicator system (FQIS) and the fuel management computer (FMC) of an aircraft. This unwarranted assumption led to an emergency landing on an Air Canada flight [5]. After inconsistencies were discovered between the dual FQIS the pilot disabled the unit and entered the fuel amount manually into the FMC. At the time Canada was switching to the metric system and the FMC was already expecting metric units. In the process of converting from the fuel volume in liters provided by the ground crew to the expected fuel data in terms of weight the pilot incorrectly used the conversion factor for imperial measures. The weight in pounds was entered into the FMC and accepted as weight in kilograms. In short, the subsystems were designed to interact without human intervention and communicate data in terms of expected measurement units; a mismatch of measurement units was not discovered and manually entered measurements were not validated. Another example of mismatched assumptions in the translation of functionality into application software involves the destruction of an Ariane 5 rocket during her maiden flight. Overflow of a 16-bit signed integer variable in reused Ariane 4 software to perform a function that was not required for Ariane 5 was not caught due to a disabled handler [6]. The reason for the overflow was the representation of vertical velocity which exceeded the 16- bit signed integer range due to a different flight path. In short, the choice of data representation in the software may place range limits on domain variables. In the late 1990 s an attempt at a well-intentioned performance improvement of ground station software that tracks objects close to a spacecraft had unplanned side effects. The subsystem collecting the tracking information had originally sent a complete map of tracked objects to the command and control subsystem. In order to reduce the load on the network, a change was made to communicate only changes to the map. Unfortunately, this communication occurred over a network protocol that drops packets under overload conditions. As result, during integration testing, it was discovered that state changes randomly were not delivered causing the recipient to have an inconsistent view 2

3 of the communicated state. In short, distributed maintenance of state is sensitive to whether state or state changes are communicated, the latter assuming guaranteed delivery in the communication protocol. When laptops with dual core processor came out ITunes crashed randomly when ripping a music CD [7]. ITunes was designed as multi-threaded application, with one thread determining the db level of tracks, while the second thread converting the audio. A single processor system executed first one task, then the second task. On a dual core processor, the two concurrently executing threads were attempting to update the same music catalogue without explicit synchronization. The original implementation assumed sequential execution of tasks to assure mutually exclusive access without the need for a synchronization mechanism. Mutual exclusion is often implemented by locking data structures, which when used with Rate- Monotonic Scheduler (RMS) can lead to unbounded priority inversion. The Mars Pathfinder had a classic case of priority inversion [8]. Once recognized, the priority ceiling protocol (PCP) [9] was enabled and the problem resolved. However, the PCP implementation makes the assumption that the tasks to be synchronized are scheduled by a single processor. When migrated to a dual-core processor, the original protocol will not guarantee mutual exclusion a distributed priority ceiling protocol (DPCP) must be used instead. In short, multi-tasking embedded software is often designed with assumptions about the execution behavior of a particular runtime architecture and a change in the computer platform or runtime system may violate those assumptions. When system components become virtualized assumptions about physical redundancy will be violated. In 1986, the Internet, then ARPA-net, was accidentally split into two networks [10]. All seven trunk lines to New England, which used to be separate physical lines, were severed when AT&T suffered a fiber optic cable break, which lasted 11 hours. When AT&T had gone fiber optic, these physically redundant trunk lines became logical trunk lines on this much higher bandwidth connection, losing all physical redundancy. The same virtualization occurs when embedded software is migrated to ARINC653 [11] partitions or hard drives are partitioned into multiple logical drives. In short, virtualization of physical resources places requirements on the deployment of the virtual resources on the physical hardware in order to maintain physical redundancy. After years of development, F/A-22 flight tests began in late 1997, but the aircraft still experienced serious avionics instability problems as late as According to testimony from the U.S. General Accounting Office (GAO), The Air Force told us avionics have failed or shut down during numerous tests of F/A-22 aircraft due to software problems. The shutdowns have occurred when the pilot attempts to use the radar, communication, navigation, identification, and electronic warfare systems concurrently. [12] This was due to the use of an asynchronous system design with sampled processing that resulted in inconsistent state representations. In short, systems that handle time sensitive state information through sampled processing in a globally asynchronous setting are susceptible to state information inconsistency and loss. In the 1990 s the flight software for a fighter was migrated to an IMA architecture. The application software was originally implemented as a cyclic executive with periodic sampling tasks. When ported to a rate-monotonic fixed priority pre-emptive scheduler, the display showing tracked objects randomly blurred. The transfer of target data from the sensor to the display, which predictably took four frames in the original system, now varied between four and eight frames due to pre-emption and depending on the workload. The display of time-sensitive data was affected by a change in the scheduling protocol and the use of a nondeterministic sampling communication scheme. This showed itself as an oscillating target symbol of the tracked object [13]. In short, a number of contributors to age and latency jitter due to runtime system mechanisms and communication protocols must be taken into account when processing time sensitive information. In 2008, a Qantas flight unexpectedly dropped up to 650 feet multiple times within a few minutes [14]. A fault in one of three Air Data Inertial Reference Units (ADIRU) caused the unit to supply incorrect data to other aircraft systems and led to automatic disengagement of the autopilot, false stall warnings, and loss of attitude information on the pilot display. With the autopilot off, two minutes later the primary flight control computer still received false data from the ADIRU and commanded a major pitch down. A failure in one component of a triple redundant unit caused an operational mode change and operational response to a data stream by another subsystem without recognizing its faulty nature, i.e., assuming a correct data stream due to the redundant nature of the source. In short, systems with operational modes and dynamic reconfiguration of subsystems to manage fault tolerance may result in mode state combinations whose component interfaces have mismatched assumptions about their data interchange. In summary, assumptions were made by different engineers about the interaction of their subsystem with other subsystems, their use of infrastructure services and resources. In section 4 we will examine the root causes of these mismatched assumptions that led to the system-level failure. 3. MULTIPLE TRUTHS IN ANALYSIS RESULTS Modeling, analysis and simulation has been practiced by engineers for a number of years. For example, computer hardware models have been created in Very High Speed 3

4 Integrated Circuits Hardware Description Language (VHDL) [15] and validated through model checking [16]. Control engineers have used modeling languages such as Simulink for years to represent the physical characteristics of the system to be controlled and the behavior of the control system. Characteristics of physical system components, such as thermal properties, fluid dynamics, and mechanics, have been modeled and simulated. Even for software systems analytical models have been used for resource and timing analysis, fault impact and reliability analysis, safety-criticality, and security analysis. Despite these modeling efforts system-level problems remain late into the development life cycle due to inconsistency between the analytical models and the evolving system being modeled. fact that it uses send and receive calls in the application code and the sender and receiver execute concurrently on different cores of a dual-core processor. As a result, higher than expected latency jitter may result in controller instability. This multiple truth problem can be addressed through the use of the SAE AADL standard [17], an architecture modeling language for embedded systems. AADL supports the concept of an architecture model with well-defined semantics that is annotated with information relevant for analysis and validation of different operational quality dimensions. As such, an AADL model is the single source for analysis of multiple quality dimensions of the same system. Their auto-generation ensures model consistency and single truth of the analysis results (Figure 5). In addition, this single source approach facilitates automatic propagation of system architecture changes, such as the replacement of a processor component by a higher capacity one, into different analytical models, each addressing a separate quality aspect, e.g., the reconfigured processor is reflected in budget and scheduling analysis, as well as weight, and power consumption analysis. Figure 4: Inconsistent Analysis Truth Figure 4 illustrates a scenario that has been encountered repeatedly in development project in Aerospace and other industries. Analytical models are created based on evolving architecture design documentation by separate teams at different times. For example, the timing model is created by the performance team based on task information in the architecture design document. A little later the security team creates a security model based on the information it has available about the evolving system at that time. Independently, the team responsible for the reliability of the system has created a fault tree model based on their reading of the architecture design document and performs fault tree analysis. These analytical models may not accurately reflect the architecture of the evolving system and they may not be consistent with each other. For example, the security team may switch to a higher bit encryption algorithm to satisfy a security requirement, but the increased compute time may not be reflected in the timing model. In addition, the analytical models may not reflect the implementation of the system in software code. For example, a reliability model may distinguish between transient and permanent fault in determining availability, while a programmer decides to invoke the same fault handler for both, causing the system to shut down more quickly than expected. Similarly, in a communication timing model we have specified that a control system communicates its data stream through deterministic sampling, while the implementation shows nondeterministic sampling behavior. This may be due to the Figure 5: Single Source Annotated Architecture Model AADL supports this single source architecture model approach by standardized its Meta model and XML interchange format [18]. This allows architecture models that are annotated with properties and detailed design models to be maintained in a model repository and automatically translated into analytical models, such as timing models or fault trees, through a model bus concept. Changes to the architecture, its components and connections are automatically propagated to the analytical models that support analysis along different quality attribute dimensions. We also have to ensure that the models are also consistent with the implementation. We can do this by using a validated code generator for the application code and the runtime executive [19], or we can apply tools to validate the hand-written source code against the model. 4

5 Safety-criticality is supported by AADL in a number of ways. 4. SAE AADL: AN EMBEDDED SOFTWARE SYSTEM MODELING STANDARD The SAE AADL standard [17] is an architecture modeling language for embedded systems to capture the architecture of the computer platform, the architecture of the operational application, and the architecture of the physical system and their interactions. An AADL model may be used during a broad range of life-cycle activities, e.g. for documentation during preliminary specification, for schedulability or reliability analysis during design studies and during verification, for generation of system integration code during implementation. AADL provides a set of concepts with well-defined semantics to represent a system as a component-based model. These allow us to capture relevant aspects of the embedded system in order to address these root cause areas analytically. AADL has: threads, whose semantics are defined by hybrid automata in the standard, to represent concurrent tasks; processes to represent protected address spaces (space partitions); sampling and queued port connections with timing specifications, including deterministic sampling requirements to minimize jitter; virtual processors and virtual buses to represent partitions, hierarchical schedulers, protocols, and virtual channels; processors, buses, memory, and devices to represent hardware and physical system architectures; allocation bindings of software to hardware to represent deployment decisions; abstract specification of flows through components and end-to-end flows to support flow-related analyses; partial model specifications and their refinement to support evolution of models at multiple levels of granularity and architectural patterns; packages to organize models into manageable units that can be developed and analyzed independently by different team members and suppliers; and an extensible set of properties to annotate model elements with information relevant to different analyses with many properties already defined with the base standard and others standardized through annex documents. (1) AADL is strongly typed. For example, A processor specification indicates that it requires access to a Peripheral Component Interconnect (PCI) bus and an Ethernet, then only a PCI bus can get connected to the one bus access feature. (2) The protected address space enforcement of processes and resource allocation enforcement of virtual processors ensure time and space partitioning. (3) A safety level property on system components, initially used for major subsystems and later attached to more detailed components, is used to ensure that components with high safety criticality are not controlled by or receive critical input from low criticality components. (4) AADL has a built-in fault-handling model for application threads and extends into an explicit representation of a health monitoring architecture, and fault management by reconfiguration, which is modeled through AADL modes. (5) AADL support fault modeling through the Error Model Annex standard [20], which allows us to introduce intrinsic faults, error state machines, and fault propagations across components including stochastic properties such as probability of fault occurrence. These annotations to the architecture support hazard and fault impact analysis as well as reliability and availability analysis. (6) The dynamic behavior of the architecture is represented by modes and further refined through the Behavior Annex standard [21]. This allows us to apply formal methods such as model checking to validate system behavior, as was done for the mode logic of a dual redundant flight guidance system [22]. 5. ARCHITECTURE-CENTRIC ROOT CAUSE ANALYSIS System-level problems discussed in Section 2 are due to undocumented and mismatched assumptions about the impact of the runtime architecture execution semantics on the processing of time sensitive data. Those are system problems that are not addressed through traditional software testing such as path coverage. The time sensitive nature of problems such as race conditions and workload dependent end-to-end latency jitter are difficult to reproduce in test bed settings. By performing analysis on the architecture of a system to discover system problems earlier in the development process we can greatly reduce development cost and time to market. 5

6 In this section we will examine four root cause areas of system-level problems that have been identified [23] and outline an approach for addressing them through analysis of AADL models. The first root cause area is the end-to-end flow of data streams through the system. As multiple components are involved in its handling, all can affect its characteristics and can be affected by such changes. Therefore, it is essential to document assumptions made about such data streams. These assumptions fall into several categories: Characteristics of data such as the application data type, e.g., temperature, its base type, e.g., 16 bit signed integer, and measurement unit. The sender and recipient of the data may make different assumptions. AADL supports modeling of port-based communication between system components. Ports are typed with data types of the data being communicated. These data types represent the application data type and can be annotated with properties to characterize their base type, measurement unit, etc. Analysis tools for AADL models, such as OSATE, can check whether the supplied data from a sender port meets the expectations specified with a receiver port. Time sensitivity of the data in the form of age, latency, and latency jitter. Contributors to age, latency, and latency jitter are not only the transfer time through the physical device and wire, processing time, and sampling delay, but also elements of the software runtime system such as pre-emptive scheduling, rate group optimization, concurrency, or protocol overhead. AADL supports the specification of flows from component input to component output as well as endto-end flows and their annotation with flow related properties, such as timing or precision. Latency analysis tools, such as found in OSATE [24], take into account latency contributions by the task and communication architecture as well as the computer hardware. Expected data stream characteristics such as missing stream elements, complete transmission of all stream elements, acceptable limits in value changes between elements of the stream, must be satisfied by the sender. Data stream characteristics can be reflected as properties on the ports through which data streams are communicated. An analysis tool can check the expected data stream characteristics of incoming ports against those of the data stream provider. A second root cause area is execution of distributed and replicated state-based systems, such as hand-shaking protocols, operational modes, and reconfiguration of operational systems. Assumptions made in the state machine logic for nominal operation in a synchronous system setting without failure may not hold in actual deployment Coordination of state machines: Communication of state transition events vs. sampling of transmitted state responds differently to protocol message loss. AADL supports modeling of both sampled data stream processing and message-based processing through data ports and event data ports. The ports can be annotated with properties indicating whether state information or state transition events are being communicated. Furthermore, the runtime system can be characterized as a synchronous or asynchronous system. This provides the basis for an analysis tool to identify mismatched expectations. Event observations: Sampling of state to observe events in periodically executing control system applications may result in event observation loss and protocol lockup. Not only temporal ordering assumptions, but also temporary inconsistency time intervals must be taken into account in validation. The above information in an AADL model can also be the basis for applying model checking tools to determine whether state transitions may be missed as result of state sampling due to clock drift and race conditions [22]. A third root cause area is virtualization of processor, network, and memory resources. System architectures utilize these virtual resources and assume certain guarantees. Resource isolation guarantee: Virtual resource concepts of processor partitioning (ARINC 653) and virtual channels represent apportionments of physical resources as well as information access and fault propagation boundaries that must be validated and enforced. The AADL process concept represents desired address space protection within a processor. A processor may or may not support such address space protection at runtime. AADL supports modeling of physical and virtual processor to represent such support. Similarly, AADL supports modeling of resource isolation at the network level through the bus and virtual bus concepts. Those realizations can be captured in an AADL model for automated analysis. Redundancy guarantee: Virtualization turns physical redundancy into logical redundancy. Appropriate deployment is necessary to ensure reliability and availability. AADL models include deployment binding of application threads to virtual processors and to processors through binding properties. Similarly, connections are bound to appropriate virtual buses and buses representing virtual channels and physical 6

7 networks. For application components the modeler can indicate via property whether redundant components require deployment on separate physical components. Reference time guarantee: Sampling of data on a dedicated processor is performed relative to the processor clock, while the same software executing as tasks in partitions sample the data in terms of virtual time, i.e., the time the application code actually executes relative to other tasks and partitions. Similarly, applications may process time-sensitive data by time stamping assuming a common reference time despite potentially multiple time sources. Virtual time is implicitly reflected in virtual processor and thread components executing on a shared processor resource according to a scheduling protocol. AADL provides property support for characterizing different scheduling protocols including ARINC 653 partition scheduling. AADL also supports modeling of the fact that different parts of a computer platform may execute on separate clocks through multiple reference time components. Their characterization includes bounds on clock drift. Fair use guarantee: Mixed-criticality applications such as periodic & event driven processing, scheduling priorities & load scheduling priorities, multiple security layers, safety-criticality levels, and redundancy requirements, must utilize shared resources consistently despite conflicting demands. Resource capacities and resource budgets can be associated with physical resources as well as logical resources and application components. The OSATE toolset includes a resource analysis capability for processor, memory, and network (bus) resources. In the case of safety and security concerns modeling and tool support ranges from simple safety & security level consistency checking along port connections to fullscale security analysis based on Bell LaPadula and Chinese Wall models [25]. A fourth root cause area deals with performance impact. The computer resources as well as physical resources are shared and concurrent use can lead to resource contention. Therefore, assumptions about availability of resources and resource guarantees must be validated. These problems fall into several categories: Undocumented direct and indirect demands on all logical and physical resources by all application and infrastructure units for peek demands. AADL provides categories of processor, memory, and bus to represent physical computer architectures. Similarly, virtual resources can be represented in AADL models as virtual processors and virtual buses to both require resources as well as provide resource capacity. Application level resource demands can be specified through resource budget properties and calculated from task execution rates and times. The generated resource demand on processors, memory, and networks can be derived from deployment bindings. Impedance mismatch of resource demand and capacity such as high volume transfers over a bus flooding a low-speed processor with interrupts to handle the traffic - resulting in denial of service and lower than expected processor speed. In AADL models, computer hardware components are interconnected via buses through bus access connections. Bus access features of processor, memory, bus, and device components can have properties that indicate maximum contributions to network traffic. Lack of resource guarantees of shared hardware resources such as delay of low volume data transfer due to high-volume traffic by a Direct Memory Access transfer. An AADL-based analysis capability has recently been developed to extend the analysis capabilities in OSATE to address this resource contention issue [26]. In summary. an AADL model can be used as the basis for a number of different architecture-centric analyses. The feasibility of supporting analysis of different root cause areas has been demonstrated in an industrial case study, which is discussed in the next section. 6. AN INDUSTRIAL CASE STUDY The Aerospace Vehicle Systems Institute (AVSI) has launched an international, industry-wide initiative called System Architecture Virtual Integration (SAVI) that has performed a proof-of-concept (POC) case study [27] to demonstrate: an architecture-centric, multi-aspect, model repository as the single source of truth, a component-based framework in support of modelbased and proof-based engineering, a model bus for consistent model repository and tool interchange, and an architecture-centric acquisition process throughout the system life cycle that is supported by industrial standards and tool infrastructure. This case study was the first of multiple phases to establish an improved industry-wide practice with the following goals: 7

8 document the main differences between a conventional acquisition process and the projected SAVI acquisition process and identify potential benefits of the SAVI acquisition process, evaluate the feasibility and scalability of the multiaspect model repository and model bus concepts central to the SAVI project, assess the cost, risk, and benefits of the SAVI approach through a return on investment (ROI) study and development of a SAVI development roadmap. Members of the POC phase included Boeing, Lockheed Martin, Airbus, Rockwell Collins, Honeywell, BAE Systems, GE Aviation, FAA, and DoD. The SAE AADL industry standard and its supporting tools was chosen as the key technology for the POC phase in an independent study. The SEI then participated in the POC case study by bringing to the table their expertise in AADL and the open source AADL tool environment (OSATE) with its modeling, model management, and an extensible set of analysis capabilities. The SEI also led the effort to create and validate a predictive ROI model with blended industry data. A number of virtual integration activities were exercised to replace traditional design reviews by: recording subsystem requirements in an initial system model during request for proposals, verifying supplier model compatibility and initial resource allocations during proposal evaluation, verifying interfaces and functionality during preliminary design integration, and verifying performance during critical design integration. Early and continuous virtual model integration based on standardized representations insures that: errors are detected as early as possible, models with well-defined semantics facilitate autoanalysis to identify and eliminate inconsistencies, automated compatibility analyses at the architecture level scale, and industrial investment in tools is leveraged through well-defined interchange formats. 8 Figure 6: Multi-level Multi-dimensional System Analysis For the POC demonstration a multi-tier aircraft model was created and analyzed in two months and analyzed along multiple quality dimensions (see Figure 6). The demonstration illustrated analyses at the Tier 1 level for system properties such as mass and electrical power consumption, and at the Tier 2 level focusing on the Integrated Modular Avionics (IMA) architecture by revisiting the previous analyses and adding computer resource analyses and end-to-end latency analysis across subsystems. The demonstration continued by showing AADL support to manage subtracting with suppliers through a model repository. Negotiated subsystem specification could be virtually integrated and inconsistencies between supplier specifications such as inconsistent data representation, mismatched measurement units, and mapping into the ARINC 429 protocol could be detected. Three suppliers then developed a task-level specification of their subsystem and performed local validation through analysis. In one case, the subsystem was elaborated into behavioral specifications via UML diagrams, and an implementation in Ada. During this process the suppliers routinely delivered AADL models back to the airframer for repeated revalidation through virtual integration with increasing model fidelity. The demonstration model itself was developed by a team located in Iowa, Pennsylvania, France, and the UK utilizing the model repository located in Texas. At the end of the POC demonstration the SAVI team concluded that the results of the demonstrations indicate that the SAVI concept is sound and should be implemented with further development. In addition, the ROI study provided sufficient evidence the technology investment would be more than recovered by the first development of an aircraft using this new architecture-centric paradigm. 7. CONCLUSION In this paper, we have identified two major contributors to the rapid increase in cost of software-reliant embedded systems: system-level faults due to undocumented and mismatched assumptions, and multiple truths in modelbased analysis and validation of the implementation. We have shown that the ability to represent embedded software

9 systems in terms of architecture models whose semantics are well defined is key to understanding the root causes of such system-level faults and analyzing system models to validate its safety criticality requirements. We have shown that AADL is able to play this role and act as the single source annotated architecture representation for analytical models. The AVSI SAVI POC industrial case study has demonstrated the feasibility of using AADL as the basis for a model repository and model bus approach to addressing the multiple truth problem in model-based analysis results. Finally, we have outlined an approach to end-to-end validation of reliability. The benefits of this architecture-centric model-based engineering approach with focus on the system architecture include: Reduced risk through analysis early in and throughout the life cycle, understanding of system-wide impact of changes, and validation of assumption across the system architecture; Increased confidence through model validation to complement integration testing, validation of assumption made by models against the implementation, and analysis of evolving model into higher fidelity; Reduced cost through fewer system integration problems, and fewer validation steps through the use of a single source model repository and generation of analytical models as well as implementation code. REFERENCES [1] NIST Planning report 02-3, The Economic Impacts of Inadequate Infrastructure for Software Testing, May [2] D. Galin, Software Quality Assurance: From Theory to Implementation. Boston: Pearson/Addison-Wesley, [3] B.W. Boehm, Software Engineering Economics. Englewood Cliffs, NJ: Prentice Hall, [4] SAE International Aerospace Division, Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne Systems and Equipment, Aerospace Recommended Practice ARP4761, Dec [5] Air Canada Flight 143, en.wikipedia.org/wiki/ Gimli_Glider. [6] Ariane 5 Flight 501, en.wikipedia.org/wiki/ Ariane_5_Flight_501. [7] ITunes Crashes on Dual-core Processors, discussions.apple.com/thread.jspa?messageid= & [8] Jones M., What Really Happened on Mars, [9] Sha L., R. Rajkumar, and John P. Lehoczky (September 1990). "Priority Inheritance Protocols: An Approach to Real-Time Synchronization". IEEE Transactions on Computers 39 (9): [10] History of the Internet, internet/internet2.htm. [11] Avionics Application Software Standard Interface. ARINC 653 Standard Document, [12] Li A., Testimony by Allen Li, Director, Acquisition and Sourcing Management, U.S. General Accounting Office, to the House Subcommittee on Tactical Air and Land Forces, Committee on Armed Services, April [13] Feiler P., Upgrading Avionics Systems: A Case Study, DARPA EDCS Project Report, June [14] Qantas Flight 72., en.wikipedia.org/wiki/ Qantas_Flight_72. [15] VHSIC (Very High Speed Integrated Circuits) hardware description language. en.wikipedia.org/wiki/ VHDL. [16] Model checking hardware. en.wikipedia.org/wiki/ Model_checking. 9

10 [17] SAE International, Architecture Analysis & Design Language (AADL)", SAE Document AS-5506A, Jan [18] SAE International, Architecture Analysis & Design Language (AADL) Annex Volume 1: AADL Meta Model & XML Interchange Format Annex", SAE Document AS- 5506/1, June [19] Vestal, S. Formal Verification of the MetaH Executive Using Linear Hybrid Automata, Proceedings of the Sixth IEEE Real Time Technology and Applications Symposium (RTAS 2000), May [20] SAE International, Architecture Analysis & Design Language (AADL) Annex Volume 1: Error Model Annex", SAE Document AS-5506/1, June [21] Frana, R.B. Bodeveix, J.-P. Filali, M. Rolland, J.-F. The AADL Behavior Annex -- Experiments and Roadmap, 2nd IEEE International Workshop UML and AADL, Proceedings of the 12th IEEE International Conference on Engineering Complex Computer Systems (ICECCS 2007), July BIOGRAPHY Peter Feiler is a 24 year veteran at the Software Engineering Institute (SEI) at Carnegie Mellon University. He is a senior member of the Research, Technology, and Systems Solutions (RTSS) program of the SEI. He has been the technical lead and author of the SAE International Architecture Analysis & Design Language (AADL) standard, which was originally published in Nov 2004 with a revision in Jan 2009, as well as the AADL Annex standards published in July His interests include dependable real-time systems, architecture languages for embedded software systems, and predictable embedded system engineering. Previously he was employed by Siemens Corp. in Princeton, NJ, in research and advanced product development. He has a Ph.D. in Computer Science from Carnegie Mellon. He recently received the Carnegie Science Award for Information Technology. [22] de Niz, D. and Feiler, P. H., Verification of Replication Architectures in AADL. 4th IEEE International Workshop UML and AADL, Proceedings 14th International Conference on Engineering of Complex Computer Systems (ICECCS 2009), May [23] Peter H. Feiler, Challenges in Validating Safety- Critical Embedded Systems, Proceedings of SAE International AeroTech Congress, Nov [24] Peter H. Feiler, Jörgen Hansson, Impact of Runtime Architectures on Control System Stability, Proceedings of 4th International Congress on Embedded Real-Time Systems, Jan [25] Jorgen Hansson, Peter H. Feiler, and John Morley. Building Secure Systems Using Model-Based Engineering and Architectural Models. CrossTalk The Journal of Defense Software Engineering. September [26] Sha L. et.al. Rapid Early-Phase Virtual Integration. Proceedings of 30th IEEE Real-time Systems Symposium. Dec [27] Feiler P.H., Hansson J., de Niz D., Wrage L. System Architecture Virtual Integration: An Industrial Case Study, Software Engineering Institute Technical Report, CMU/SEI-2009-TR-017, Nov

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models Peter Feiler Software Engineering Institute phf@sei.cmu.edu 412-268-7790 2004 by Carnegie Mellon University

More information

Model-based Architectural Verification & Validation

Model-based Architectural Verification & Validation Model-based Architectural Verification & Validation Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H Feiler Feb. 2009 2006 Carnegie Mellon University Outline Architecture-Centric

More information

Impact of Runtime Architectures on Control System Stability

Impact of Runtime Architectures on Control System Stability Impact of Runtime Architectures on Control System Stability P. Feiler, J. Hansson Software Engineering Institute, Pittsburgh, PA Abstract: Control systems are sensitive to the endto-end latency and age

More information

Presented by Greg Pollari (Rockwell Collins) and Nigel Shaw (Eurostep)

Presented by Greg Pollari (Rockwell Collins) and Nigel Shaw (Eurostep) System Architecture Virtual Integration (SAVI) Project : Intermodel Error Checking and Consistency Review and Demonstration An Aerospace Vehicle Systems Institute Project (AVSI) Presented by Greg Pollari

More information

Pattern-Based Analysis of an Embedded Real-Time System Architecture

Pattern-Based Analysis of an Embedded Real-Time System Architecture Pattern-Based Analysis of an Embedded Real-Time System Architecture Peter Feiler Software Engineering Institute phf@sei.cmu.edu 412-268-7790 Outline Introduction to SAE AADL Standard The case study Towards

More information

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P. Complexity-Reducing Design Patterns for Cyber-Physical Systems DARPA META Project AADL Standards Meeting 24-27 January 2011 Steven P. Miller Delivered to the Government in Accordance with Contract FA8650-10-C-7081

More information

Modeling the Implementation of Stated-Based System Architectures

Modeling the Implementation of Stated-Based System Architectures Modeling the Implementation of Stated-Based System Architectures Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H Feiler June 2009 Are Everywhere What is a state-based

More information

Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems

Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems Sponsored by the U.S. Department of Defense 2005, 2006 by Carnegie Mellon University Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems Peter H. Feiler Jan 2007 1 page 1

More information

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context Test and Evaluation of Autonomous Systems in a Model Based Engineering Context Raytheon Michael Nolan USAF AFRL Aaron Fifarek Jonathan Hoffman 3 March 2016 Copyright 2016. Unpublished Work. Raytheon Company.

More information

System Architecture Virtual Integration (SAVI) Presentation to PDT Europe 2016

System Architecture Virtual Integration (SAVI) Presentation to PDT Europe 2016 System Architecture Virtual Integration (SAVI) to PDT Europe 2016 Greg Pollari, Rockwell Collins Nigel Shaw, Eurostep Limited Agenda SAVI The problem SAVI The constium Two examples Conclusions Looking

More information

Analytical Architecture Fault Models

Analytical Architecture Fault Models Analytical Architecture Fault Models Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H. Feiler Dec 4, 2012 Copyright 2012 Carnegie Mellon University and IEEE This material

More information

Flow Latency Analysis with the Architecture Analysis and Design Language (AADL)

Flow Latency Analysis with the Architecture Analysis and Design Language (AADL) Flow Latency Analysis with the Architecture Analysis and Design Language (AADL) Peter Feiler Jőrgen Hansson December 2007 TECHNICAL NOTE CMU/SEI-2007-TN-010 Performance-Critical Systems Initiative Unlimited

More information

OSATE Analysis Support

OSATE Analysis Support OSATE Analysis Support Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange/Peter Feiler 07/08/2013 Overview of OSATE2 Eclipse-based AADL editor Support for AADLv2.1,

More information

An Information Model for High-Integrity Real Time Systems

An Information Model for High-Integrity Real Time Systems An Information Model for High-Integrity Real Time Systems Alek Radjenovic, Richard Paige, Philippa Conmy, Malcolm Wallace, and John McDermid High-Integrity Systems Group, Department of Computer Science,

More information

When Embedded Systems Attack. Unit 22. Therac-25. Therac-25. Embedded Failures. Embedded systems can fail for a variety of reasons

When Embedded Systems Attack. Unit 22. Therac-25. Therac-25. Embedded Failures. Embedded systems can fail for a variety of reasons 22.1 22.2 When Embedded Systems Attack Unit 22 Embedded Failures Embedded systems can fail for a variety of reasons Electrical problems Mechanical problems Errors in the programming Incorrectly specified

More information

Methods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs

Methods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs Methods and Tools for Embedded Distributed System Timing and Safety Analysis Steve Vestal Honeywell Labs Steve.Vestal@Honeywell.com 5 April 2006 Outline Preliminary Comments Timing and Resource Utilization

More information

Time-Triggered Ethernet

Time-Triggered Ethernet Time-Triggered Ethernet Chapters 42 in the Textbook Professor: HONGWEI ZHANG CSC8260 Winter 2016 Presented By: Priyank Baxi (fr0630) fr0630@wayne.edu Outline History Overview TTEthernet Traffic Classes

More information

Chapter 39: Concepts of Time-Triggered Communication. Wenbo Qiao

Chapter 39: Concepts of Time-Triggered Communication. Wenbo Qiao Chapter 39: Concepts of Time-Triggered Communication Wenbo Qiao Outline Time and Event Triggered Communication Fundamental Services of a Time-Triggered Communication Protocol Clock Synchronization Periodic

More information

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013 ARINC653 AADL Annex Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Julien Delange 07/08/2013 Context, Rationale ARINC653 Avionics standard Standardized API (called APEX

More information

Flight Systems are Cyber-Physical Systems

Flight Systems are Cyber-Physical Systems Flight Systems are Cyber-Physical Systems Dr. Christopher Landauer Software Systems Analysis Department The Aerospace Corporation Computer Science Division / Software Engineering Subdivision 08 November

More information

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction A Data-Centric Approach for Modular Assurance Gabriela F. Ciocarlie, Heidi Schubert and Rose Wahlin Real-Time Innovations, Inc. {gabriela, heidi, rose}@rti.com Abstract. A mixed-criticality system is one

More information

Architecture Description Languages. Peter H. Feiler 1, Bruce Lewis 2, Steve Vestal 3 and Ed Colbert 4

Architecture Description Languages. Peter H. Feiler 1, Bruce Lewis 2, Steve Vestal 3 and Ed Colbert 4 Architecture Description Languages An Overview of the SAE Architecture Analysis & Design Language (AADL) Standard: A Basis for Model-Based Architecture-Driven Embedded Systems Engineering Peter H. Feiler

More information

AADL Webinar. Carnegie Mellon University Notices Architecture Analysis with AADL The Speed Regulation Case-Study... 4

AADL Webinar. Carnegie Mellon University Notices Architecture Analysis with AADL The Speed Regulation Case-Study... 4 AADL Webinar Table of Contents Carnegie Mellon University Notices... 4 Architecture Analysis with AADL The... 4 What this talk is about?... 7 Agenda... 8 Agenda... 9 Polling Question 1... 10 Safety-Critical

More information

SAE AADL Error Model Annex: Discussion Items

SAE AADL Error Model Annex: Discussion Items SAE AADL Error Model Annex: Discussion Items Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter Feiler phf@sei.cmu.edu April 2012 Sponsored by the U.S. Department of Defense

More information

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA OMG Real-Time and Distributed Object Computing Workshop, July 2002, Arlington, VA Providing Real-Time and Fault Tolerance for CORBA Applications Priya Narasimhan Assistant Professor of ECE and CS Carnegie

More information

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment Julien Delange Peter Feiler David P. Gluch John Hudak October 2014 TECHNICAL REPORT CMU/SEI-2014-TR-020 Software Solutions Division

More information

Ensuring Schedulability of Spacecraft Flight Software

Ensuring Schedulability of Spacecraft Flight Software Ensuring Schedulability of Spacecraft Flight Software Flight Software Workshop 7-9 November 2012 Marek Prochazka & Jorge Lopez Trescastro European Space Agency OUTLINE Introduction Current approach to

More information

Probabilistic Worst-Case Response-Time Analysis for the Controller Area Network

Probabilistic Worst-Case Response-Time Analysis for the Controller Area Network Probabilistic Worst-Case Response-Time Analysis for the Controller Area Network Thomas Nolte, Hans Hansson, and Christer Norström Mälardalen Real-Time Research Centre Department of Computer Engineering

More information

LabVIEW FPGA in Hardware-in-the-Loop Simulation Applications

LabVIEW FPGA in Hardware-in-the-Loop Simulation Applications LabVIEW FPGA in Hardware-in-the-Loop Simulation Applications Publish Date: Dec 29, 2008 38 Ratings 4.16 out of 5 Overview Hardware-in-the-loop (HIL) simulation is achieving a highly realistic simulation

More information

FPGA-Based Embedded Systems for Testing and Rapid Prototyping

FPGA-Based Embedded Systems for Testing and Rapid Prototyping FPGA-Based Embedded Systems for Testing and Rapid Prototyping Martin Panevsky Embedded System Applications Manager Embedded Control Systems Department The Aerospace Corporation Flight Software Workshop

More information

DESIGN AND IMPLEMENTATION OF AN AVIONICS FULL DUPLEX ETHERNET (A664) DATA ACQUISITION SYSTEM

DESIGN AND IMPLEMENTATION OF AN AVIONICS FULL DUPLEX ETHERNET (A664) DATA ACQUISITION SYSTEM DESIGN AND IMPLEMENTATION OF AN AVIONICS FULL DUPLEX ETHERNET (A664) DATA ACQUISITION SYSTEM Alberto Perez, Technical Manager, Test & Integration John Hildin, Director of Network s John Roach, Vice President

More information

Dependability Modeling Based on AADL Description (Architecture Analysis and Design Language)

Dependability Modeling Based on AADL Description (Architecture Analysis and Design Language) Dependability Modeling Based on AADL Description (Architecture Analysis and Design Language) Ana Rugina, Karama Kanoun and Mohamed Kaâniche {rugina, kanoun, kaaniche}@laas.fr European Integrated Project

More information

ARINC-818 TESTING FOR AVIONICS APPLICATIONS. Ken Bisson Troy Troshynski

ARINC-818 TESTING FOR AVIONICS APPLICATIONS. Ken Bisson Troy Troshynski ARINC-818 TESTING FOR AVIONICS APPLICATIONS Ken Bisson Troy Troshynski 2007 The ARINC-818 Specification is an industry standard that defines a digital video interface link and protocol that is used for

More information

CDA 5140 Software Fault-tolerance. - however, reliability of the overall system is actually a product of the hardware, software, and human reliability

CDA 5140 Software Fault-tolerance. - however, reliability of the overall system is actually a product of the hardware, software, and human reliability CDA 5140 Software Fault-tolerance - so far have looked at reliability as hardware reliability - however, reliability of the overall system is actually a product of the hardware, software, and human reliability

More information

Deterministic Ethernet & Unified Networking

Deterministic Ethernet & Unified Networking Deterministic Ethernet & Unified Networking Never bet against Ethernet Mirko Jakovljevic mirko.jakovljevic@tttech.com www.tttech.com Copyright TTTech Computertechnik AG. All rights reserved. About TTTech

More information

A ROADMAP TO STANDARDIZING THE IRIG 106 CHAPTER 10 COMPLIANT DATA FILTERING AND OVERWRITNG SOFTWARE PROCESS

A ROADMAP TO STANDARDIZING THE IRIG 106 CHAPTER 10 COMPLIANT DATA FILTERING AND OVERWRITNG SOFTWARE PROCESS A ROADMAP TO STANDARDIZING THE IRIG 106 CHAPTER 10 COMPLIANT DATA FILTERING AND OVERWRITNG SOFTWARE PROCESS Item Type text; Proceedings Authors Berard, Alfredo; Manning, Dennis; Kim, Jeong Min Publisher

More information

Multi-Epoch Scheduling Within the Real-Time Execution Performance Agent Framework

Multi-Epoch Scheduling Within the Real-Time Execution Performance Agent Framework Multi-Epoch Scheduling Within the Real-Time Execution Performance Agent Framework Sam Siewert siewerts@thinker.colorado.edu Department of Computer Science University of Colorado, Boulder, CO 80309-0520

More information

Distributed IMA with TTEthernet

Distributed IMA with TTEthernet Distributed IMA with thernet ARINC 653 Integration of thernet Georg Gaderer, Product Manager Georg.Gaderer@tttech.com October 30, 2012 Copyright TTTech Computertechnik AG. All rights reserved. Introduction

More information

Simulink/Stateflow. June 2008

Simulink/Stateflow. June 2008 Simulink/Stateflow Paul Caspi http://www-verimag.imag.fr/ Pieter Mosterman http://www.mathworks.com/ June 2008 1 Introduction Probably, the early designers of Simulink in the late eighties would have been

More information

Testing Under Time Pressure. Versatile Test Benches for Avionic Systems

Testing Under Time Pressure. Versatile Test Benches for Avionic Systems Testing Under Time Pressure Versatile Test Benches for Avionic Systems In the future, test benches will be made up from subsystems that are manufactured by specialized suppliers. It is very important to

More information

AADL Requirements Annex Review

AADL Requirements Annex Review Dominique Blouin Lab-STICC Université de Bretagne-Occidentale Université de Bretagne-Sud Bretagne, France 1 AADL Standards Meeting, April 23 th, 2013 Agenda Comments from Annex Document Review Motivations

More information

SAE AS5643 and IEEE1394 Deliver Flexible Deterministic Solution for Aerospace and Defense Applications

SAE AS5643 and IEEE1394 Deliver Flexible Deterministic Solution for Aerospace and Defense Applications SAE AS5643 and IEEE1394 Deliver Flexible Deterministic Solution for Aerospace and Defense Applications Richard Mourn, Dap USA Inc. AS5643 coupled with IEEE-1394 Asynchronous Stream capability provides

More information

Integrated Modular Avionics Development Guidance and Certification Considerations

Integrated Modular Avionics Development Guidance and Certification Considerations René L.C. Eveleens National Aerospace Laboratory NLR P.O. Box 90502 1006BM Amsterdam Netherlands eveleens@nlr.nl ABSTRACT From 2001 to 2005 a working group within the European Organisation for Civil Aviation

More information

Evolving the CORBA standard to support new distributed real-time and embedded systems

Evolving the CORBA standard to support new distributed real-time and embedded systems Evolving the CORBA standard to support new distributed real-time and embedded systems Tom Bracewell Senior Principal Software Engineer Raytheon Integrated Defense Systems Sudbury, MA. / (978) 440-2539

More information

Rapid Control Prototyping Solutions Electrical Drive, Power Conversion and Power Systems

Rapid Control Prototyping Solutions Electrical Drive, Power Conversion and Power Systems Rapid Control Prototyping Solutions Electrical Drive, Power Conversion and Power Systems Presented by Guillaume Boué guillaume.boue@opal-rt.com 2013 OPAL-RT www.opal-rt.com Presentation outline WHY INTRO

More information

ARINC Project Initiation/Modification (APIM)

ARINC Project Initiation/Modification (APIM) Project Initiation/Modification proposal for the AEEC Proposed: October 11, 2016 ARINC Project Initiation/Modification (APIM) 1.0 Name of Proposed Project APIM 17-001 Internet Protocol version 6 (IPv6)

More information

The SAE Architecture Analysis and Description Language (AADL) Standard: A Basis for Architecture- Driven Embedded Systems Engineering

The SAE Architecture Analysis and Description Language (AADL) Standard: A Basis for Architecture- Driven Embedded Systems Engineering The SAE Architecture Analysis and Description Language (AADL) Standard: A Basis for Architecture- Driven Embedded Systems Engineering DSN 2006 Workshop on Architecting Dependable Systems (WADS) 27 June

More information

CS4514 Real-Time Systems and Modeling

CS4514 Real-Time Systems and Modeling CS4514 Real-Time Systems and Modeling Fall 2015 José M. Garrido Department of Computer Science College of Computing and Software Engineering Kennesaw State University Real-Time Systems RTS are computer

More information

SWITCHED ETHERNET TESTING FOR AVIONICS APPLICATIONS. Ken Bisson Troy Troshynski

SWITCHED ETHERNET TESTING FOR AVIONICS APPLICATIONS. Ken Bisson Troy Troshynski SWITCHED ETHERNET TESTING FOR AVIONICS APPLICATIONS Ken Bisson Troy Troshynski 2007 Switched Ethernet is being implemented as an avionics communication architecture. A commercial standard (ARINC-664) and

More information

UNCLASSIFIED. R-1 ITEM NOMENCLATURE PE D8Z: Data to Decisions Advanced Technology FY 2012 OCO

UNCLASSIFIED. R-1 ITEM NOMENCLATURE PE D8Z: Data to Decisions Advanced Technology FY 2012 OCO Exhibit R-2, RDT&E Budget Item Justification: PB 2012 Office of Secretary Of Defense DATE: February 2011 BA 3: Advanced Development (ATD) COST ($ in Millions) FY 2010 FY 2011 Base OCO Total FY 2013 FY

More information

Data Acquisition in High Speed Ethernet & Fibre Channel Avionics Systems

Data Acquisition in High Speed Ethernet & Fibre Channel Avionics Systems Data Acquisition in High Speed Ethernet & Fibre Channel Avionics Systems Troy Troshynski Avionics Interface Technologies (A Division of Teradyne) Omaha, NE U.S.A. troyt@aviftech.com http://www.aviftech.com/aggregator

More information

Just-In-Time Certification

Just-In-Time Certification Just-In-Time Certification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Just-In-Time Certification: 1 Certification Provides assurance that deploying

More information

What are Embedded Systems? Lecture 1 Introduction to Embedded Systems & Software

What are Embedded Systems? Lecture 1 Introduction to Embedded Systems & Software What are Embedded Systems? 1 Lecture 1 Introduction to Embedded Systems & Software Roopa Rangaswami October 9, 2002 Embedded systems are computer systems that monitor, respond to, or control an external

More information

AADL Graphical Editor Design

AADL Graphical Editor Design AADL Graphical Editor Design Peter Feiler Software Engineering Institute phf@sei.cmu.edu Introduction An AADL specification is a set of component type and implementation declarations. They are organized

More information

Amrita Vishwa Vidyapeetham. ES623 Networked Embedded Systems Answer Key

Amrita Vishwa Vidyapeetham. ES623 Networked Embedded Systems Answer Key Time: Two Hours Amrita Vishwa Vidyapeetham M.Tech Second Assessment February 2013 Second Semester Embedded Systems Roll No: ES623 Networked Embedded Systems Answer Key Answer all Questions Maximum: 50

More information

Reaching for the sky with certified and safe solutions for the aerospace market

Reaching for the sky with certified and safe solutions for the aerospace market www.tttech.com/aerospace Reaching for the sky with certified and safe solutions for the aerospace market More about our certified and safe products inside Advancing safe technologies, improving human lives

More information

Measurement Challenges and Opportunities for Developing Smart Grid Testbeds

Measurement Challenges and Opportunities for Developing Smart Grid Testbeds Measurement Challenges and Opportunities for Developing Smart Grid Testbeds 10th Carnegie Mellon Conference on the Electricity Industry April 1, 2015 Paul Boynton boynton@nist.gov Testbed Manager Smart

More information

Summary of Proposed Responses to CSD

Summary of Proposed Responses to CSD Summary of Proposed Responses to CSD IEEE 802.3 400 Gb/s Ethernet Study Group John D Ambrosia, Dell Indian Wells, CA, USA IEEE 802.3 Jan 2014 Interim Page 1 Introduction This presentation summarizes all

More information

Providing Real-Time and Fault Tolerance for CORBA Applications

Providing Real-Time and Fault Tolerance for CORBA Applications Providing Real-Time and Tolerance for CORBA Applications Priya Narasimhan Assistant Professor of ECE and CS University Pittsburgh, PA 15213-3890 Sponsored in part by the CMU-NASA High Dependability Computing

More information

Issues in Programming Language Design for Embedded RT Systems

Issues in Programming Language Design for Embedded RT Systems CSE 237B Fall 2009 Issues in Programming Language Design for Embedded RT Systems Reliability and Fault Tolerance Exceptions and Exception Handling Rajesh Gupta University of California, San Diego ES Characteristics

More information

Communication in Avionics

Communication in Avionics Communication in Avionics 1 Outline Basic Overview Communication architectures Event Triggered Time Triggered Communication architecture examples Case Study: How Data Communication Affects Scheduling 2

More information

3. Quality of Service

3. Quality of Service 3. Quality of Service Usage Applications Learning & Teaching Design User Interfaces Services Content Process ing Security... Documents Synchronization Group Communi cations Systems Databases Programming

More information

Ontology Engineering for Product Development

Ontology Engineering for Product Development Ontology Engineering for Product Development Henson Graves Lockheed Martin Aeronautics Company Fort Worth Texas, USA henson.graves@lmco.com Abstract. This analysis is to identify requirements for a Description

More information

5/4/2016 ht.ttlms.com

5/4/2016 ht.ttlms.com Order Template Screen 1 Free Form Lesson Overview 2 Free Form Performance Based CNS Requirements 3 Free Form Performance Based CNS Requirements 4 Single Answer Knowledge Check 5 Free Form Related ICAO

More information

Data Model Considerations for Radar Systems

Data Model Considerations for Radar Systems WHITEPAPER Data Model Considerations for Radar Systems Executive Summary The market demands that today s radar systems be designed to keep up with a rapidly changing threat environment, adapt to new technologies,

More information

Platform modeling and allocation

Platform modeling and allocation Platform modeling and allocation Systems Engineering BSc Course Budapest University of Technology and Economics Department of Measurement and Information Systems Traceability Platform-based systems design

More information

An Encapsulated Communication System for Integrated Architectures

An Encapsulated Communication System for Integrated Architectures An Encapsulated Communication System for Integrated Architectures Architectural Support for Temporal Composability Roman Obermaisser Overview Introduction Federated and Integrated Architectures DECOS Architecture

More information

SEI/CMU Efforts on Assured Systems

SEI/CMU Efforts on Assured Systems Unclassified//For Official Use Only SEI/CMU Efforts on Assured Systems 15 November 2018 *** Greg Shannon CERT Division Chief Scientist Software Engineering Institute Carnegie Mellon University Pittsburgh,

More information

SUBMARINE CABLE DEVELOPMENTS. Karthik Kailasam Jan 16, 2017; PTC Hawaii

SUBMARINE CABLE DEVELOPMENTS. Karthik Kailasam Jan 16, 2017; PTC Hawaii SUBMARINE CABLE DEVELOPMENTS Karthik Kailasam Jan 16, 2017; PTC 2017- Hawaii Why Should Submarine Cable Players Care About Modular Solutions? Jan 16, /2017 PTC 2017- Hawaii 2 The world is shifting from

More information

Designing and debugging real-time distributed systems

Designing and debugging real-time distributed systems Designing and debugging real-time distributed systems By Geoff Revill, RTI This article identifies the issues of real-time distributed system development and discusses how development platforms and tools

More information

Introduction to Real-time Systems. Advanced Operating Systems (M) Lecture 2

Introduction to Real-time Systems. Advanced Operating Systems (M) Lecture 2 Introduction to Real-time Systems Advanced Operating Systems (M) Lecture 2 Introduction to Real-time Systems Real-time systems deliver services while meeting some timing constraints Not necessarily fast,

More information

Next Generation Backup: Better ways to deal with rapid data growth and aging tape infrastructures

Next Generation Backup: Better ways to deal with rapid data growth and aging tape infrastructures Next Generation Backup: Better ways to deal with rapid data growth and aging tape infrastructures Next 1 What we see happening today. The amount of data businesses must cope with on a daily basis is getting

More information

02 - Distributed Systems

02 - Distributed Systems 02 - Distributed Systems Definition Coulouris 1 (Dis)advantages Coulouris 2 Challenges Saltzer_84.pdf Models Physical Architectural Fundamental 2/60 Definition Distributed Systems Distributed System is

More information

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd

Don t Be the Developer Whose Rocket Crashes on Lift off LDRA Ltd Don t Be the Developer Whose Rocket Crashes on Lift off 2015 LDRA Ltd Cost of Software Defects Consider the European Space Agency s Ariane 5 flight 501 on Tuesday, June 4 1996 Due to an error in the software

More information

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives

NORTH CAROLINA NC MRITE. Nominating Category: Enterprise IT Management Initiatives NORTH CAROLINA MANAGING RISK IN THE INFORMATION TECHNOLOGY ENTERPRISE NC MRITE Nominating Category: Nominator: Ann V. Garrett Chief Security and Risk Officer State of North Carolina Office of Information

More information

Decommissioning Legacy Networks

Decommissioning Legacy Networks ERTIX Consulting Decommissioning Legacy Networks How Vertix Consulting Helped a Top US Wireless Carrier Decommission Its CDMA Network in Mexico for Future LTE Deployments ERTIX Consulting Decommissioning

More information

Implementing Sporadic Servers in Ada

Implementing Sporadic Servers in Ada Technical Report CMU/SEI-90-TR-6 ESD-90-TR-207 Implementing Sporadic Servers in Ada Brinkley Sprunt Lui Sha May 1990 Technical Report CMU/SEI-90-TR-6 ESD-90-TR-207 May 1990 Implementing Sporadic Servers

More information

Error Model Annex Revision

Error Model Annex Revision Error Model Annex Revision Peter H Feiler phf@sei.cmu.edu Jan 2011 Goal A core set of reliability concepts and error types Interaction of systems with nominal behavior and threats in the form of defects,

More information

Executable AADL. Real Time Simulation of AADL Models. Pierre Dissaux 1, Olivier Marc 2.

Executable AADL. Real Time Simulation of AADL Models. Pierre Dissaux 1, Olivier Marc 2. Executable AADL Real Time Simulation of AADL Models Pierre Dissaux 1, Olivier Marc 2 1 Ellidiss Technologies, Brest, France. 2 Virtualys, Brest, France. pierre.dissaux@ellidiss.com olivier.marc@virtualys.com

More information

Overview of Potential Software solutions making multi-core processors predictable for Avionics real-time applications

Overview of Potential Software solutions making multi-core processors predictable for Avionics real-time applications Overview of Potential Software solutions making multi-core processors predictable for Avionics real-time applications Marc Gatti, Thales Avionics Sylvain Girbal, Xavier Jean, Daniel Gracia Pérez, Jimmy

More information

Curriculum 2013 Knowledge Units Pertaining to PDC

Curriculum 2013 Knowledge Units Pertaining to PDC Curriculum 2013 Knowledge Units Pertaining to C KA KU Tier Level NumC Learning Outcome Assembly level machine Describe how an instruction is executed in a classical von Neumann machine, with organization

More information

Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures

Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures Introduction Problem: security and reliability Purpose: design and implementation of safe/secure systems Help system designers to describe their requirements Ensure safety and security policies enforcement

More information

Executable Requirements: Opportunities and Impediments

Executable Requirements: Opportunities and Impediments Executable Requirements: Oppotunities and Impediments Executable Requirements: Opportunities and Impediments G. A. Shaw and A. H. Anderson * Abstract: In a top-down, language-based design methodology,

More information

Software Quality. What is Good Software?

Software Quality. What is Good Software? Software Quality CS A470 What is Good Software? Depends on your point of view Five perspectives Transcendental view. Quality can be recognized but hard to define User view. Fitness for purpose Often adopted

More information

Static Analysis of Embedded Systems

Static Analysis of Embedded Systems Static Analysis of Embedded Systems Xavier RIVAL rival@di.ens.fr Outline Case study Certification of embedded softwares Demo Static Analysisof Embedded Systems p.2/12 Ariane 5 Flight 501 Ariane 5: sattelite

More information

ARINC653 toolset: Ocarina, Cheddar and POK

ARINC653 toolset: Ocarina, Cheddar and POK ARINC653 toolset: Ocarina, Cheddar and POK Julien Delange Laurent Pautet 09/11/09 Context ARINC653 systems Layered architecture Enforce isolation across partitions High-integrity,

More information

Automatic Code Generation Technology Adoption Lessons Learned from Commercial Vehicle Case Studies

Automatic Code Generation Technology Adoption Lessons Learned from Commercial Vehicle Case Studies 08AE-22 Automatic Code Generation Technology Adoption Lessons Learned from Commercial Vehicle Case Studies Copyright 2007 The MathWorks, Inc Tom Erkkinen The MathWorks, Inc. Scott Breiner John Deere ABSTRACT

More information

The Impact of SOA Policy-Based Computing on C2 Interoperation and Computing. R. Paul, W. T. Tsai, Jay Bayne

The Impact of SOA Policy-Based Computing on C2 Interoperation and Computing. R. Paul, W. T. Tsai, Jay Bayne The Impact of SOA Policy-Based Computing on C2 Interoperation and Computing R. Paul, W. T. Tsai, Jay Bayne 1 Table of Content Introduction Service-Oriented Computing Acceptance of SOA within DOD Policy-based

More information

Chapter 5 Ad Hoc Wireless Network. Jang Ping Sheu

Chapter 5 Ad Hoc Wireless Network. Jang Ping Sheu Chapter 5 Ad Hoc Wireless Network Jang Ping Sheu Introduction Ad Hoc Network is a multi-hop relaying network ALOHAnet developed in 1970 Ethernet developed in 1980 In 1994, Bluetooth proposed by Ericsson

More information

TELEMETRY SYSTEMS OF THE FUTURE

TELEMETRY SYSTEMS OF THE FUTURE TELEMETRY SYSTEMS OF THE FUTURE Item Type text; Proceedings Authors Rauch, William D. Publisher International Foundation for Telemetering Journal International Telemetering Conference Proceedings Rights

More information

02 - Distributed Systems

02 - Distributed Systems 02 - Distributed Systems Definition Coulouris 1 (Dis)advantages Coulouris 2 Challenges Saltzer_84.pdf Models Physical Architectural Fundamental 2/58 Definition Distributed Systems Distributed System is

More information

Model-Based Safety Approach for Early Validation of Integrated and Modular Avionics Architectures

Model-Based Safety Approach for Early Validation of Integrated and Modular Avionics Architectures Model-Based Safety Approach for Early Validation of Integrated and Modular Avionics Architectures Marion Morel THALES AVIONICS S.A.S., 31036 Toulouse, France marion.morel@fr.thalesgroup.com Abstract. Increasing

More information

A Framework for the Formal Verification of Time-Triggered Systems

A Framework for the Formal Verification of Time-Triggered Systems A Framework for the Formal Verification of Time-Triggered Systems Lee Pike leepike@galois.com Indiana University, Bloomington Department of Computer Science Advisor: Prof. Steven D. Johnson December 12,

More information

MIL-STD-1553 INTERFACES TO TELEMETRY SYSTEMS

MIL-STD-1553 INTERFACES TO TELEMETRY SYSTEMS MIL-STD-1553 INTERFACES TO TELEMETRY SYSTEMS Ray Nicolais Product Manager Digital Data Systems AYDIN VECTOR Division Newtown, Pennsylvania Donald H. Ellis System Engineer AEROSYSTEMS ASSOCIATES Huntsville,

More information

An Implementation of the Behavior Annex in the AADL-toolset Osate2

An Implementation of the Behavior Annex in the AADL-toolset Osate2 2011 16th IEEE International Conference on Engineering of Complex Computer Systems An Implementation of the Behavior Annex in the AADL-toolset Osate2 Gilles Lasnier, Laurent Pautet Inst. TELECOM - TELECOM

More information

Huawei Railway Communication Service Solution Guide

Huawei Railway Communication Service Solution Guide Huawei Railway Communication Service Solution Guide Huawei Technologies Co., Ltd. Keywords Railway transport, service solution, subsystem, design,, solution implementation Abstract Huawei Railway Communication

More information

Timing in Cyber Physical Systems. Marc Weiss, Ph.D. NIST, Time and Frequency Division WSTS 2015

Timing in Cyber Physical Systems. Marc Weiss, Ph.D. NIST, Time and Frequency Division WSTS 2015 Timing in Cyber Physical Systems Marc Weiss, Ph.D. mweiss@nist.gov NIST, Time and Frequency Division WSTS 2015 Timing in Cyber Physical Systems: Outline The term Timing used here as a general term: frequency,

More information

Commercial Real-time Operating Systems An Introduction. Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory

Commercial Real-time Operating Systems An Introduction. Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory Commercial Real-time Operating Systems An Introduction Swaminathan Sivasubramanian Dependable Computing & Networking Laboratory swamis@iastate.edu Outline Introduction RTOS Issues and functionalities LynxOS

More information

Department of Defense Emerging Needs for Standardization

Department of Defense Emerging Needs for Standardization Department of Defense Emerging Needs for Standardization Robert Gold Director, Engineering Enterprise Office of the Deputy Assistant Secretary of Defense for Systems Engineering SAE International 2016

More information

Data-Centric Architecture for Space Systems

Data-Centric Architecture for Space Systems Data-Centric Architecture for Space Systems 3 rd Annual Workshop on Flight Software, Nov 5, 2009 The Real-Time Middleware Experts Rajive Joshi, Ph.D. Real-Time Innovations Our goals are the same but not

More information