Pattern-Based Analysis of an Embedded Real-Time System Architecture

Transcription

1 Pattern-Based Analysis of an Embedded Real-Time System Architecture Peter Feiler Software Engineering Institute Outline Introduction to SAE AADL Standard The case study Towards preemptive scheduling Partition scheduling End-to-end flows System redundancy 2

2 SAE Architecture Analysis & Design Language Notation for specification of task and communication architectures of Real-time, Embedded, Fault-tolerant, Secure, Safety-critical, Software-intensive systems Fields of application: Avionics, Automotive, Aerospace, Autonomous systems, Based on 15 Years of DARPA funded technologies Standard approved by SAE in Sept AADL-Based System Engineering System Analysis Schedulability Performance Reliability Fault Tolerance Dynamic Configurability Model the Architecture Abstract, but Precise Automatic Target Recognition Guidance & Control Supply Chain Mechanized Composable Components Sensor Ambulatory & Signal Application Software Information Fusion Software System Engineer System Integration Runtime System Generation Application Composition System Configuration Execution Platform Predictive System Engineering Reduced Development & Operational Cost GPS DB HTTPS Ada Runtime Devices Memory Bus Processor 4

3 Outline Introduction to SAE AADL Standard The case study Towards preemptive scheduling Partition scheduling End-to-end flows System redundancy 5 AADL-Based Pattern Analysis SAE AADL employs Components with precisely defined execution semantics Explicit component interactions Separation of concerns Pattern-based architecture analysis approach Uses design patterns in analysis Identifies systemic problems early Enables the right choices with confidence Provides analysis-based decisions 6

4 Avionics Systems Embedded avionics system designs are evolving to From federated to integrated systems From static timelines to predictable preemptive scheduling Deterministic signal stream processing Efficient execution and footprint Fault tolerance & reconfiguration Towards extensible system architectures There are distinct perspectives in the design control and domain engineers application software engineers system software engineers 7 Avionics Subsystem Architecture Display Observation: No direct connection between flight director and page content manager Warning Annunciation Page Content Flight Flight Director Situation Awareness Weapons Comm. Nav Radio 1553 Access GPS 8

5 Outline Introduction to SAE AADL Standard The case study Towards preemptive scheduling Partition scheduling End-to-end flows System redundancy 9 From other Partitions A Cyclic Executive Implementation Switch clock mod Hyperperiod Case : call PIO call NSP call GP Case 2*: -- 10Hz call PIO call NSP call IN call GP Case 3*:... Case 4*: -- 5Hz 1 Periodic I/O 2 Navigation Sensor 3 10Hz Integrated Navigation Shared data area 4 Guidance 5 5Hz Flight Plan Cyclic callout implementation To other Partitions 6 2Hz Aircraft Performance Calculation 10

6 From other Partitions Interface to message-based communication A Naïve Thread-based Design Pr 2 Navigation Sensor Pr 1 Periodic I/O Pr 3 10Hz Integrated Navigation Fixed-priority threads Shared data area Pr 4 Guidance Pr 6 5Hz Flight Plan Priority assignment by developer To other Partitions Pr 9 2Hz Aircraft Performance Calculation Decreasing Priority 11 Design Decisions Taken Shared variable communication within partition Achieve efficient resource utilization Accommodate legacy code Preemptive fixed-priority thread scheduling Used Schedulability analysis (RMA) to confirm schedulability Benefit of more flexible system and efficient resource usage Priority assignment for precedence ordering to achieve desired flow Needed because of shared data communication Results in potential priority inversion and non-deterministic communication 12

7 Flight in AADL From Partitions Nav signal data Navigation Sensor Nav sensor data Nav sensor data Integrated Navigation 10Hz Nav data Phase delay of Periodic I/O Guidance Guidance To Partitions 5Hz Flight Plan FP data Fuel Flow FP data Nav data 2Hz Aircraft Performance Calculation Performance data 13 SAE AADL & Control Supports mid-frame communication & single sample delay Shows application rates & desired phase delay explicitly Focus on what communication is desired, not how it is implemented Assures deterministic communication when desired Support efficient communication implementation Does not prescribe scheduling protocol Supports schedulability analysis Opens dialogue between control engineers and software system engineers regarding performance tradeoffs 14

8 Outline Introduction to SAE AADL Standard The case study Towards preemptive scheduling Partition scheduling End-to-end flows System redundancy 15 The Partition Concept Found in ARINC 653 Runtime protected address space A virtual processor scheduled on a static timeline Contained threads (ARINC processes) are scheduled within the bounds of a scheduled partition Different partitions can use different thread scheduling protocols Communication of queued and unqueued data Inter vs. intra partition communication 16

9 Partition Order Side Effects Partition communication via send/receive Partition A T1 T2 Partition B T3 T4 T1 T2 T3 T4 T1 T2 T3 T4 t 0 Partition A t 1 t 2 Partition B Partition A Partition B 17 Partitioned System Design in AADL Partition as a core AADL extension Focus on partition order isolation Delayed connections insensitive to partition order Delayed connections insensitive to partition concurrency Delayed connections contribute to latency Focus on latency Immediate connections reduce latency Immediate connections constrain partition order Immediate connection cycles Detectable by analysis Direct cycle: P A.T1 -> P B.T2 -> P A.T3 Pair-wise cyclic: P A.T1 -> P B.T2 & P B.T4 -> P A.T3 Focus on flexibility Acceptable variation in phase delay Document as property 18

10 Outline Introduction to SAE AADL Standard The case study Towards preemptive scheduling Partition scheduling End-to-end flows System redundancy 19 Connection Patterns Connection sequences Pipeline, flow Connection tree Analyzable in AADL Branching flow Different endpoint latencies Directed acyclic graph (DAG) Flow with merge points Phase delay difference of branches at merge point Effects of phase delay oscillation in non-deterministic case Cyclic connections Feedback control, action/observation Phase delay breaks cycle 20

11 Flow Specification in AADL pt1 System S1 flow path F1 flow path F2 pt2 pt3 Flow Specification flow path F1: pt1 -> pt2 flow path F2: pt1 -> pt3 pt1 System implementation S1.impl C1 flow path F5 Process P2 pt2 Connection C3 flow path F7 C5 pt3 Process P1 Flow Implementation flow path F1: pt1 -> C1 -> P2.F5 -> C3 -> P1.F7 -> C5 -> pt2 21 Flight Director Command Flow Cockpit Display Request for new page Display New page content Page Content Flight Flight Director 22

12 Data Stream Latency Analysis Flow specifications in AADL Properties on flows: expected & actual end-to-end latency Properties on ports: expected incoming & end latency End-to-end latency contributors Delayed connections result in sampling latency Immediate periodic & aperiodic sequences result in cumulative execution time latency Phase delay shift & oscillation Potential hazard Noticeable at flow merge points Variation interpreted as noisy signal to controller Latency calculation & jitter accumulation 23 Other Flow Characteristics Miss rate of data stream Accommodates incomplete sensor readings Allows for controlled deadline misses State vs. state delta communication Data reduction technique Implies requirement for guaranteed delivery Data accuracy Reading accuracy Computational error accumulation Message acknowledgment semantics In terms of flow steps 24

13 Outline Introduction to SAE AADL Standard The case study Towards preemptive scheduling Partition scheduling End-to-end flows System redundancy 25 System Redundancy DM DM DM DM WAM WAM WAM WAM PCM Typical chart PCM High High speed speed bus bus FM SA CM CM FD FD FM WM SA CM WM bus bus 26

14 Redundancy Specification Redundancy abstraction Co-location constraints on execution platform binding 2X SS X MFD DM1 WM WAM FM MFD DM2 SS2 SA 2X PCM 2X MFD DM3 CM FD Redundancy characteristics as properties MFD DM4 27 Primary/Backup Patterns Passive Backup CSS1 Primary SS1.1 SS1.2 CSS1 Backup SS1.1 SS1.2 Hot Standby CSS1 Primary SS1.1 SS1.2 CSS1 Backup SS1.1 SS1.2 Continuous State Exchange CSS1 SS1.1 State SS1.2 Voted Output SS1.1 CSS1 SS1.2 SS1.3 28

15 Primary Backup Synchronization External and internal mode control Errors reported as events Supports reasoning about Primary/Backup logic Primary WAM Init/restart Primary Primaryfail Backup Mode state Primaryok init Backu p WAM state Observer 29 Observations On System Redundancy Redundancy as an abstraction Multiple redundant instances Grouping of redundant instances Redundancy protocol selection Deployment constraints Redundancy mechanism as pattern An orthogonal architecture view Nominal & anomalous behavior Modeling of redundancy logic Understandable and analyzable 30

16 Final Observations We demonstrated a pattern-based analysis approach Use of SAE AADL as notation for capturing architecture patterns in actual systems Early identification of systemic issues thanks to precise execution semantics of SAE AADL Full scale architecture modeling and analysis provides prediction and validation of non-functional properties 31