Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems

Similar documents
Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Pattern-Based Analysis of an Embedded Real-Time System Architecture

Data quality attributes in network-centric systems

Model-based Architectural Verification & Validation

OSATE Analysis Support

The SAE Architecture Analysis and Description Language (AADL) Standard: A Basis for Architecture- Driven Embedded Systems Engineering

Modeling the Implementation of Stated-Based System Architectures

Flow Latency Analysis with the Architecture Analysis and Design Language (AADL)

Model-Based Engineering with AADL: An Overview

AADL Webinar. Carnegie Mellon University Notices Architecture Analysis with AADL The Speed Regulation Case-Study... 4

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

Impact of Runtime Architectures on Control System Stability

Architecture Analysis and Design Language (AADL) Part 3

Architecture Description Languages. Peter H. Feiler 1, Bruce Lewis 2, Steve Vestal 3 and Ed Colbert 4

AADL v2.1 errata AADL meeting Sept 2014

CSSE 490 Model-Based Software Engineering: More MBSD. Shawn Bohner Office: Moench Room F212 Phone: (812)

1. INTRODUCTION. four years and by 2014 the cost of 27M SLOC of software is estimated to exceed $10B (see Figure 1).

Analytical Architecture Fault Models

Methods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs

CSSE 490 Model-Based Software Engineering: Architecture Description Languages (ADL)

An Information Model for High-Integrity Real Time Systems

Involved subjects in this presentation Security and safety in real-time embedded systems Architectural description, AADL Partitioned architectures

AADL : about code generation

Ensuring Schedulability of Spacecraft Flight Software

Platform modeling and allocation

xuml, AADL and Beyond

Introduction to AADL analysis and modeling with FACE Units of Conformance

Exam Review TexPoint fonts used in EMF.

The SAE AADL Standard - An Architecture Analysis & Design Language for Embedded Real-Time Systems

CSSE 490 Model-Based Software Engineering: Transformation Systems

Schedulability Analysis of AADL Models

MATLAB Expo Simulation Based Automotive Communication Design using MATLAB- SimEvent. Sudhakaran M Anand H General Motors

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA

CIS 890: High-Assurance Systems

Subsystem Hazard Analysis (SSHA)

ARINC653 AADL Annex Update

Reducing Uncertainty in Architectural Decisions with AADL

Developing Dependable Software-Intensive Systems: AADL vs. EAST-ADL

CS4514 Real-Time Systems and Modeling

Department of Computer Science Institute for System Architecture, Operating Systems Group REAL-TIME MICHAEL ROITZSCH OVERVIEW

Parallel Scheduling for Cyber-Physical Systems: Analysis and Case Study on a Self-Driving Car

Scheduling Multi-Periodic Mixed-Criticality DAGs on Multi-Core Architectures

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

Architecture Modeling and Analysis for Embedded Systems

Generating high-integrity systems with AADL and Ocarina. Jérôme Hugues, ISAE/DMIA

Verifying Periodic Programs with Priority Inheritance Locks

Data-Centric Architecture for Space Systems

Providing Real-Time and Fault Tolerance for CORBA Applications

Architecture Analysis and Design Language (AADL) Part 2

Computing and Communications Infrastructure for Network-Centric Warfare: Exploiting COTS, Assuring Performance

Overall Structure of RT Systems

UML-AADL 09: Towards a Model- Driven Approach for Mapping Requirements on AADL Mathieu DELEHAYE Christophe PONSARD

Presentation of the AADL: Architecture Analysis and Design Language

Software Architectures. Lecture 2

An Extensible Open Source AADL Tool Environment (OSATE)

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

AADL to build DRE systems, experiments with Ocarina. Jérôme Hugues, ENST

Presentation of the AADL: Architecture Analysis and Design Language

Update on Behavior Language for Embedded Systems with Software for Proof Based Analysis of Behavior

Analysis of AADL Models Using Real-Time Calculus With Applications to Wireless Architectures

Designing a Compositional Real-Time Operating System. Christoph Kirsch Universität Salzburg

Chapter -5 QUALITY OF SERVICE (QOS) PLATFORM DESIGN FOR REAL TIME MULTIMEDIA APPLICATIONS

Flight Systems are Cyber-Physical Systems

02 - Distributed Systems

AirTight: A Resilient Wireless Communication Protocol for Mixed- Criticality Systems

02 - Distributed Systems

PROCESS SCHEDULING Operating Systems Design Euiseong Seo

Architecture Modeling in embedded systems

Evolving the CORBA standard to support new distributed real-time and embedded systems

RAMSES. Refinement of AADL Models for the Synthesis of Embedded Systems. Etienne Borde

Executable AADL. Real Time Simulation of AADL Models. Pierre Dissaux 1, Olivier Marc 2.

Multimedia Systems 2011/2012

Intrusion Detection Types

Real-Time Internet of Things

Automatic Selection of Feasibility Tests With the Use of AADL Design Patterns

SAE AADL Error Model Annex: Discussion Items

Software Architecture. Lecture 4

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

Dependability Modeling Based on AADL Description (Architecture Analysis and Design Language)

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

Ch 1: The Architecture Business Cycle

From the Prototype to the Final Embedded System Using the Ocarina AADL Tool Suite

Update on AADL Requirements Annex

Efficient Embedded Runtime Systems through Port Communication Optimization

Alexandre Esper, Geoffrey Nelissen, Vincent Nélis, Eduardo Tovar

COMPLEX EMBEDDED SYSTEMS

Copyright Notice. COMP9242 Advanced Operating Systems S2/2014 Week 9: Real-Time Systems. Real-Time System: Definition

What is Software Architecture

Real Time Operating Systems and Middleware

The Montana Toolset: OSATE Plugins for Analysis and Code Generation

What are Embedded Systems? Lecture 1 Introduction to Embedded Systems & Software

Weapon Systems Open Architecture Overview

Managing data for Curiosity, fun and profit. Rajeev Joshi NASA / Jet Propulsion Laboratory, California Institute of Technology

Taking the Right Turn with Safe and Modular Solutions for the Automotive Industry

Modeling and Simulation for Heterogeneous systems

SAE AADL Error Model Annex: An Overview

ARINC653 annex: examples

Learn AADL concepts in a pleasant way

System Configurations

Transcription:

Sponsored by the U.S. Department of Defense 2005, 2006 by Carnegie Mellon University Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems Peter H. Feiler Jan 2007 1 page 1

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Fault Tree Analysis Conclusions 2

Software & System Engineering System Engineering SysML Embedded Software System Engineering SAE AADL Operational System Physical System Model Physical Component Physical characteristics relevant to embedded application as properties in AADL model Computing Platform Application Domain Embedded Software System Embedded Software 3

A Control Engineer Perspective K 1 + - K 2 s Matlab Tune parameters Component Analysis Application Code with Text_IO; package Main is begin type real is digits 14; type flag is boolean; Validate simulation x : real := 0.0; ready : flag := TRUE; Simulink with Text_IO; package Main is begin type real is digits 14; type flag is boolean; x : real := 0.0; ready : flag := TRUE; Validate expected control behavior 4

Control & Software Engineering K 1 + - Matlab K 2 s Tune parameters Component Analysis Application Code with Text_IO; package Main is Simulink with Text_IO; package Main is begin Interaction with other system components begin type real is digits 14; type flag is boolean; x : real := 0.0; ready : flag := TRUE; type real is digits 14; type flag is boolean; x : real := 0.0; ready : flag := TRUE; Shared processors and networks Runtime Architecture Model 5

Control & Software Engineering K 1 + Matlab - K 2 s Validation of assumptions Data content properties Data stream characteristics Range, delta, miss rate, age, variation Tune parameters Component Analysis Application Code with Text_IO; package Main is begin type real is digits 14; type flag is boolean; x : real := 0.0; ready : flag := TRUE; Simulink with Text_IO; package Main is begin type real is digits 14; type flag is boolean; x : real := 0.0; ready : flag := TRUE; AADL Tools Runtime Architecture Model AADL Runtime Timing analysis Reliability analysis Validate simulation package Dispatcher is A.p1 := B.p2; Case 10ms: dispatch(a); dispatch(b); T1 T2 T3 T4 Refine properties 12 12 5 R1 6R2 R3 R4 23 34 8 8 24 23 234 12 12 5 6 23 34 8 8 24 23 234 T1 T2 T3 T4 T1 T2 T3 T4 12 12 5 6 23 34 12 8 812 5 6 24 23 234 34 8 8 24 23 2 34 Runtime Data R1 R2 R3 R4 12 12 5 6 23 34 8 8 24 23 234 6

Annotated Architecture Model AADL Model Schedulability analysis Latency analysis Alternative Hardware Bindings Application Platform Timing annotations Fault annotations Examples of analyses from same model Low incremental cost for additional analyses & simulations!!! Safety analysis Reliability analysis 7

Intrusion Integrity Impact Analysis from Models Confidentiality Bandwidth CPU time Power consumption Security Resource Consumption Real-time Performance Data Quality Execution time/deadline Deadlock/starvation Latency Availability & Reliability Data precision/accuracy Temporal correctness Confidence MTBF FMEA Hazard analysis 8

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Fault Tree Analysis Conclusions 9

Resource Budgeting Resource management throughout life cycle Resource budgets for processors, memory, bus/networks Compute resources: MIPS, MB, bandwidth Physical resources: power consumption Budgets for major subsystems System wide & resource specific budget totals System decomposition & budget refinement Task & communication model Budgets against execution & communication rates Scheduling analysis 10

Resource Budget Properties Property definition: Example CPU resource MIPSCapacity:aadlreal units SEI::Processor_Speed_Units applies to (processor, system); Processor_Speed_Units : type units (KIPS, MIPS => KIPS * 1000, GIPS => MIPS * 1000); Property use processor missionprocessor properties SEI::MIPSCapacity => 1500 MIPS; end missionprocessor; System AvionicsSystem properties SEI::MIPSBudget => 300 MIPS; 11

Basic System Architecture DM DM DM DM WAM WAM WAM WAM PCM PCM Application component bound to processor High High speed speed bus bus FM SA CM CM FD FD FM WM 1553 1553 SA CM WM 1553 1553 bus bus 12

Resource Budget Analysis Demo Parts model of major subsystems Does the total system budget exceed the total capacity? Initial subsystem/partition assignment Does the budget total of assigned subsystems exceed processor & memory capacity? Subsystems interactions Does the bandwidth budget total exceed network backbone capacity? What are network/bus-specific workloads? 13

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Fault Tree Analysis Conclusions 14

From other Partitions Migration of Legacy Implementation Flight Manager Pr 2 Navigation Sensor Processing Pr 3 Latency variation Pr 1 20Hz Periodic I/O Integrated Navigation Pr 4 Potential Priority Inversion 10Hz 20Hz Guidance Processing 20Hz Shared data area Pr 6 Flight Plan Processing Pr 9 5Hz Aircraft Performance Calculation To other Partitions Legacy code uses shared data area Efficient thread communication 2Hz Decreasing Priority 15

From other Partitions Pr 2 Intended flow documented in design document table Intended Data Flow Navigation Sensor Processing Pr 3 Pr 1 20Hz Periodic I/O Integrated Navigation Pr 4 10Hz 20Hz Guidance Processing 20Hz Shared data area Pr 6 Flight Plan Processing 5Hz To other Partitions Decreasing Priority Priority assignment achieves desired data flow Pr 9 Aircraft Performance Calculation 2Hz 16

Flow-based Flight Manager Model From Partitions Nav signal data Navigation Sensor Processing Nav sensor data 20Hz Nav sensor data Integrated Navigation 10Hz Nav data Guidance Processing Periodic I/O 20Hz Guidance 20Hz To Partitions Phase delay of Periodic I/O Flight Plan Processing 5Hz FP data Fuel Flow FP data Nav data Aircraft Performance Calculation 2Hz Performance data 17

Scheduling Analysis Scheduling protocol determines analysis Processor budget for static time line (cyclic executive) Rate-monotonic Analysis (RMA) for preemptively scheduled fixed-priority tasks 100% utilization for Earliest Deadline First (EDF) What if analysis of Schedulability under different dispatch & scheduling schemes Miss-estimated worst case execution times (WCET) Commercial real-time system analysis tools provide such support 18

Scheduling Analysis Demo If a single processor system is not schedulable Explore these options using AADL and analysis tools Leverage operational modes Processor speed dependent execution time Rebind to different execution platform Reduce worst-case execution time Identify schedulable rate from sensitivity analysis results Might consider Repartition system Use faster processor Add second processor Rewrite code to make it faster Consider lower signal processing rate for controller 19

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Fault Tree Analysis Conclusions 20

Flow Concept in AADL Brake Pedal Cruise Control Throttle Actuator device brake_pedal features brake_status: out data port bool_type; flows Flow1: flow source brake_status; end brake_pedal; system cruise_control features brake_status: in data port; throttle_setting: out data port; flows brake_flow_1: flow path brake_status -> throttle_setting; end cruise_control; device throttle_actuator Features throttle_setting: in data port float_type; flows Flow1: flow sink throttle_setting; end throttle_actuator; 21

High-level Flow Analysis Determine minimum response time, maximum command rate Display Manager Cockpit Display Warning Annunciation Manager Page Content Manager Flight Manager Flight Director Situation Awareness Weapons Manager Comm. Manager Indirect connectivity due to late addition 1553 Access Subystems mapped to partitions 22

Response Time Analysis Demo High-level end-to-end analysis Account for latency impact of partition hops Account for device latency Account for subsystem processing Detailed end-to-end latency analysis AADL model from design data base Task model with 165 end-to-end flows 23

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Fault Tree Analysis Conclusions 24

Distributed Data Processing f(s i ) Freshness? Confidence? Security? s i Freshness: 10s Confidence: 70% Security: secret 25

Security: Objective Confidentiality concerns that sensitive data should only be disclosed to or accessed/modified by authorized users, i.e., enforcing prevention of unauthorized disclosure of information. Objective: Model security attributes for an architecture to verify that data is properly accessed and handled by users and applications. Confidentiality Means to achieve confidentiality include enforcing access control, perform encryption, partitioning of system Confidentiality frameworks Bell-LaPadula framework: military applications Chinese wall framework: commercial applications Access role/role-based access framework. 26

Bell-LaPadula: Subjects and Objects In Bell La Padula, subjects operate on objects. Subjects need permission, expressed as security level, to use objects. Confidentiality The security level of a subject or object is a pair: Classification Drawn from a partial order of classifications (e.g., unclassified < confidential < secret < top secret). Set of categories Drawn from a set of labels (e.g., NATO, Nuclear, Crypto). (Class1, Set1) dominates (Class2, Set2) if and only if Class1 >= Class2 Set1 Set2 27

Minimum security level required is (secret, {a,b}) Example Uncontrolled sanitization as (conf, {a}) is dominated by max(class i,cat i ), i=1..3 O 1 (secret,{a}) S 1 (topsecret, {a,b,c}) O 4 (secret,{a}) Access matrix Confidentiality O 2 (conf,{b}) O 3 (secret,{b}) O 1 O 2 O 3 O 4 O 5 S 1 read, append read, write read read append O 5 (conf, {a}) Error: O 4 is read-only Warning: O 1 are O 2 shared more freely than necessary. 28

Analyzed System: Errors Confidentiality Src1: Producer1 (unclassified, {A}) Src2: Producer2 (unclassified, {B}) output (unclassified, {A}) output c1 c2 (unclassified, {B}) CompleteSystem.Impl in1 (Secret, {A, B}) in2 Comp: Computer result (Secret, {A, B}) c3 (confidential, {B, C}) input (confidential, {A, B}) Dest: Consumer (confidential, {B, C}) 29

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Next presentation Conclusions 30

Performance Improvement Gone Bad Ground station to accommodate sensor load growth Reduce load in network Two subsystems communicate state change instead of state The impact Other subsystems increase network load sporadically Receiving subsystem goes down The cause A real customer experience Transmission protocol without guaranteed delivery Overload result in dropping of transmitted state deltas Missing deltas result in inconsistent receiver state 31

Avoiding Future Mistakes Relevant charactistics as properties State vs. state-change communication through ports Bus protocols with or without guaranteed delivery Annotating the model Application engineer characterizes data stream Embedded system engineer characterizes hardware & protocols The analysis tool Check that connections carrying state changes are bound to buses with guaranteed delivery 32

Capturing Domain Characteristics Safe upgrading of controllers Data range limits and units of measurement for input & output Documenting setpoint constraints as bounded value deltas Consistency checking along connections Security levels & information flow Components with security levels Security levels & containment hierarchy Security levels and connections Security levels & execution platform components Safety criticality & control of components Component have safety criticality levels Impact on high criticality components 33

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Next presentation Conclusions 34

Outline Model-based Embedded System Engineering Resource Consumption: Resource Budgeting Real-time Performance: Concurrency & Timing Real-time Performance: End-to-end Latency Security: Confidentiality Analysis Data Quality: Temporal Data Consistency Availability & Reliability: Fault Tree Analysis Conclusions 35

Predictable Embedded System Engineering Tracking of requirements, planned and actual resource usage Analysis at multiple levels of fidelity Multiple analysis perspectives from annotated architecture model Validated timing & data stream semantics for control algorithm and software implementation Codified engineering rules of thumb 36

An Extensible Engineering Environment Embry-Riddle/Honeywell Reliability Analysis Airbus Concurrency Analysis Axlog Architecture Simulator ENST Ocinara Generator AADL Extensions Annex sublanguages Architecture Import & Extraction Architecture Export MetaH, TTA Object Model Interface Network model Execution model Error model Honeywell Scheduling analysis Isolation analysis Fault tree analysis U.Penn Hybrid Systems Models AADL XML U.Brest Resource management U.Penn Process Algebra Ellidiss STOOD Ada/C UML/HOOD CMU/Emmeskay Simulink & Dymola models Honeywell MetaH Runtime system generation TriPacific RapidRMA Scheduling analysis Execution trace analysis 37

Model-Based Engineering Benefits Analyzable models drive development Prediction of runtime characteristics at different fidelity Bridge between control & software engineer Prediction early and throughout lifecycle Reduced integration & maintenance effort Benefits of AADL as SAE standard Common modeling notation across organizations Single architecture model augmented with properties Interchange & integration of architecture models Tool interoperability & integrated engineering environments 38

SEI AADL Application & Education Open source AADL Tool environment (OSATE) Embedded Engineering With AADL Tutorial Public two-day course offering by SEI Model-based Engineering with SAE AADL Pilot projects with customers Case studies of Model-based Engineering AADL User Guide & Embedded Systems Engineering Handbook 39

Sponsored by the U.S. Department of Defense 2005, 2006 by Carnegie Mellon University For more information: Peter H. Feiler Email: phf@sei.cmu.edu Phone: 412-268-7790 SEI: www.sei.cmu.edu AADL: www.aadl.info 40 page 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback