Model-based Architectural Verification & Validation

Similar documents
Model Checking of Aerospace Domain Models in an Industrial Context

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Pattern-Based Analysis of an Embedded Real-Time System Architecture

Semantics of Statecharts

Impact of Runtime Architectures on Control System Stability

Model-Based Embedded System Engineering & Analysis of Performance-Critical Systems

Beyond Static Code Analysis

Why We Model: Using MBD Effectively in Critical Domains

Efficient Embedded Runtime Systems through Port Communication Optimization

Analytical Architecture Fault Models

Modeling the Implementation of Stated-Based System Architectures

Mixed Critical Architecture Requirements (MCAR)

Flow Latency Analysis with the Architecture Analysis and Design Language (AADL)

1. INTRODUCTION. four years and by 2014 the cost of 27M SLOC of software is estimated to exceed $10B (see Figure 1).

AADL v2.1 errata AADL meeting Sept 2014

Bridging the Gap Between Model-Based Development and Model Checking

A Multi-Modal Composability Framework for Cyber-Physical Systems

SAE AADL Error Model Annex: Discussion Items

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Evolving the CORBA standard to support new distributed real-time and embedded systems

Chapter 39: Concepts of Time-Triggered Communication. Wenbo Qiao

AADL Webinar. Carnegie Mellon University Notices Architecture Analysis with AADL The Speed Regulation Case-Study... 4

OSATE Analysis Support

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

02 - Distributed Systems

02 - Distributed Systems

Priya Narasimhan. Assistant Professor of ECE and CS Carnegie Mellon University Pittsburgh, PA

The SAE Architecture Analysis and Description Language (AADL) Standard: A Basis for Architecture- Driven Embedded Systems Engineering

Deterministic Ethernet & Unified Networking

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

AirTight: A Resilient Wireless Communication Protocol for Mixed- Criticality Systems

Time-Triggered Ethernet

System Models for Distributed Systems

QuartzV: Bringing Quality of Time to Virtual Machines

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

xuml, AADL and Beyond

Architecture-driven development of Climate Control Software LMS Imagine.Lab Embedded Software Designer Siemens DF PL

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

Middleware for Embedded Adaptive Dependability (MEAD)

System Models 2. Lecture - System Models 2 1. Areas for Discussion. Introduction. Introduction. System Models. The Modelling Process - General

Providing Real-Time and Fault Tolerance for CORBA Applications

Distributed IMA with TTEthernet

CS4514 Real-Time Systems and Modeling

Verified Switched Control System Design using Real- Time Hybrid Systems Reachability

CORBA in the Time-Triggered Architecture

Methods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs

Simulink, simulation, code generation and tasks. Marco Di Natale Associate Professor, Scuola S. Anna - Italy, UTRC Visiting Fellow

ARINC653 AADL Annex. Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Julien Delange 07/08/2013

SAE AS5643 and IEEE1394 Deliver Flexible Deterministic Solution for Aerospace and Defense Applications

Introduction. Distributed Systems IT332

Ensuring Schedulability of Spacecraft Flight Software

Applications of Program analysis in Model-Based Design

CIS 890: High-Assurance Systems

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

Model-Based Engineering with AADL: An Overview

Chapter 1: Distributed Systems: What is a distributed system? Fall 2013

Functional Safety and Safety Standards: Challenges and Comparison of Solutions AA309

Alexandre Esper, Geoffrey Nelissen, Vincent Nélis, Eduardo Tovar

What are Embedded Systems? Lecture 1 Introduction to Embedded Systems & Software

An Encapsulated Communication System for Integrated Architectures

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

DISTRIBUTED SYSTEMS Principles and Paradigms Second Edition ANDREW S. TANENBAUM MAARTEN VAN STEEN. Chapter 1. Introduction

Multiple Views and Relationships for Quality Driven Architecture with AADL: A Multimodel for Software Product Lines

ARINC653 annex: examples

MPI in 2020: Opportunities and Challenges. William Gropp

Architecture Description Languages. Peter H. Feiler 1, Bruce Lewis 2, Steve Vestal 3 and Ed Colbert 4

From synchronous models to distributed, asynchronous architectures

3. Quality of Service

A Component Model and Software Architecture for CPS

Traditional Approaches to Modeling

Data-Centric Architecture for Space Systems

Subsystem Hazard Analysis (SSHA)

CSE 5306 Distributed Systems. Consistency and Replication

Chapter Outline. Chapter 2 Distributed Information Systems Architecture. Distributed transactions (quick refresh) Layers of an information system

Distributed Systems. 05. Clock Synchronization. Paul Krzyzanowski. Rutgers University. Fall 2017

CA464 Distributed Programming

FROM TIME-TRIGGERED TO TIME-DETERMINISTIC REAL-TIME SYSTEMS

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

Developing deterministic networking technology for railway applications using TTEthernet software-based end systems

EE249 Discussion Petri Nets: Properties, Analysis and Applications - T. Murata. Chang-Ching Wu 10/9/2007

Introduction to Real-time Systems. Advanced Operating Systems (M) Lecture 2

CSSE 490 Model-Based Software Engineering: Architecture Description Languages (ADL)

Curriculum 2013 Knowledge Units Pertaining to PDC

AADL Fault Modeling and Analysis Within an ARP4761 Safety Assessment

Eventual Consistency Today: Limitations, Extensions and Beyond

Model-based Analysis of Event-driven Distributed Real-time Embedded Systems

Chapter 4: Distributed Systems: Replication and Consistency. Fall 2013 Jussi Kangasharju

System Models. 2.1 Introduction 2.2 Architectural Models 2.3 Fundamental Models. Nicola Dragoni Embedded Systems Engineering DTU Informatics

Safety and Reliability of Software-Controlled Systems Part 14: Fault mitigation

The Embedded Systems Design Challenge. EPFL Verimag

Wireless Sensor Networks: Clustering, Routing, Localization, Time Synchronization

Maintaining Mutual Consistency for Cached Web Objects

Real-Time Architectures 2003/2004. Resource Reservation. Description. Resource reservation. Reinder J. Bril

Embedded Software Programming

Verifying Periodic Programs with Priority Inheritance Locks

to-end System Test Architecture

An Introduction to TTEthernet

An Architect s Point of View. TSP Symposium Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Transcription:

Model-based Architectural Verification & Validation Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Peter H Feiler Feb. 2009 2006 Carnegie Mellon University

Outline Architecture-Centric Model-based Engineering Multi-fidelity Model-based Analysis Validation of Implementations 2

Airbus Auto-Pilot Problem Fallback solution also computer-controlled 3

Mismatched Assumptions System Engineer Physical Plant Characteristics Control Engineer Hardware Engin neer System Under Control Compute Platform Data Stream Characteristics Distribution Redundancy Runtime Architecture Embedded SW System Engineer Control System Application Software Concurrency Communication Precision Units Applicat tion Developer Why do system level failures still occur despite fault tolerance techniques being deployed in systems? 4

System Level Fault Root Causes Data (stream) consistency End-to-end latency analysis Stream miss rates, Mismatched data representation, Latency jitter & age Violation of data stream assumptions Partitions as Isolation Regions Space, time, and bandwidth partitioning Isolation not guaranteed due to undocumented resource sharing fault containment, security levels, safety levels, distribution Fault propagation security analysis Logical vs. physical redundancy redundancy patterns Virtualization of time & resources Time stamping of data & asynchronous systems Inconsistent System States & Interactions Modal systems with modal components Concurrency & redundancy management Application level interaction protocols Modeling of partitioned architectures Validation by model checking & proofs 5

Potential Model-based Engineering Pitfalls The system Inconsistency between independently developed analytical models System models Confidence that model reflects implementation System implementation Models are more than Powerpoint pictures or block diagrams 6

Architecture-Centric Modeling Approach Availability & Reliability MTBF FMEA Hazard analysis Single Source Annotated Architecture Model Architecture Model Security Intrusion Integrity Confidentiality Data Quality Data precision/ accuracy Temporal correctness Confidence Auto-generated analytical models Real-time Performance Execution time/ Deadline Deadlock/starvation Latency Resource Consumption Bandwidth CPU time Power consumption Impact Across Quality Dimensions 7 7

Outline Architecture-Centric Model-based Engineering Multi-fidelity Model-based Analysis Validation of Implementations 8

Latency Contributors Operational Environment System Engineer System Under Control Control Engineer Control System Processing latency Sampling latency Physical signal latency 9

Impact of Sampling Latency Jitter Impact of Scheduler Choice on Controller Stability A. Cervin, Lund U., CCACSD 2006 Sampling jitter due execution time jitter and application-driven send/receive 10

11

Partition-Level Flow Latency Subsystem latency exceeds expected latency Lower bound latency inherent to partition architecture 12

Managed Latency Jitter through Deterministic Sampling From Partitions Nav signal data Navigation Sensor Processing Nav sensor data 20Hz Nav sensor data Integrated Navigation 10Hz Nav data Guidance Processing 20Hz Periodic I/O 20Hz Guidance To Partitions Input-compute-output (ICO) AADL thread semantics Immediate and delayed data port connections for deterministic sampling Fuel Flow Nav data FP data Aircraft Performance Calculation 2Hz Flight Plan Processing Performance data 5Hz FP data 13

Latency Revisited Latency has increased 14 14

Software-Based Latency Contributors Execution time variation: algorithm, use of cache Processor speed Resource contention Preemption Legacy & shared variable communication Rate group optimization Protocol specific communication delay Partitioned architecture Migration of functionality Fault tolerance strategy 15

Outline Architecture-Centric Model-based Engineering Multi-fidelity Model-based Analysis Validation of Implementations 16

Options Implements model semantics Validate generator vs. source code 17

Double Buffering From Customer Design Document The 200 Hz update rate was used because the MUX data needed to be processed at twice the rate of the fastest channel to avoid a race condition. Because channel 3 operates at 100 Hz, the IO processor had to operate at 200 Hz. The race condition has been fixed by double-buffering data, but the IO processor execution rate was left at 200 Hz to reduce latency of MUX data. Did double buffering solved the problem or do we need to do more buffering? 18 18

33 Application-based Send and Receive (ASR) (τ P τ C )* MP 3 buffers for ICO guarantee α P S&X Ω P MR T P α P S Ω P D P T C α C R Ω C D C α C R Ω C α : actual execution start time MC Ω : actual completion time α P - Ω P α C - Ω C non-deterministic sampling (S/R) order 19

34 Periodic Task Communication Summary Periodic ASR DSR DMT Same period IMT PMT IMT PMT τ P ; τ C MF:1B PD:2B S X R PD:2B R PD:2B S X/R MF:1B τ C ; τ P PD:1B PD:1B PD:1B PD:1B PD:1B τ P τ C ND:1B PD:2B X ND:1B PD:2B PD:2B PD:2B ND:1B R X/R τ P τ C ND:3B S/X C R C PD:2B X PD:2B R PD:2B X/R NDI:2B S/X/R C MF: Mid-Frame PD: Period Delay ND: Non-Deterministic NDI: No Data Integrity 1B: Single buffer 2B: Two buffers 3B: Three buffers 4B: Four buffers S, X, R : data copy S/X : IMT combined send/xfer S/X/R : DMT combined S, X, R X/R: DSR/PMT combined X, R o1 o2 : One operation copy 20

Dual Redundant Flight Guidance System 21

Mode Logic Specification Synchronous system case Asynchronous system case Component failure case Implementation Samples Distributed Mode State To validate: 1) At least one output 2) Exactly one output 3) Two outputs in critical mode Increased complexity of property 22

Modeling & Validation Issues Observation of events by sampling state Modeling in AADL helped identify issues Corrected asynchronous solution ignores pilot input events Push button requires complete event stream Distributed processing of mode state machine Central vs. distributed logic Fail safe coordination of state transitions Properties during mode transition Clock drift in asynchronous system Acceptable drift: bounded vs. fault Built-in drift bound through period: period wrap-around Loss of data stream element due to wrap around Button input as event to data port Reduced property complexity by mode transition as state Synchronization domains & fault conditions Event processing vs. data sampling 23

Quantified Out-of-sync Modes 24

Subtle Errors LM Aero UAV Sensor Voting OFP Triplex Voter 96 Simulink Subsystems 3 Stateflow Diagrams 6x10 13 Reachable States Formal Verification 25 Informal Requirements 57 Formal Properties 10 100+ 40 Minutes reachable to Analyze states in Rockwell examples 1 sync 2 input_a 3 input_b 4 input_c 5 status_a 6 status_b 7 status_c 8 dst_index DOC Text Resulting In sync<> [trigger] [A] [B] [C] [status_a] [status_b] [status_c] [DSTi] [trigger] [A] [B] [C] trip_level trip_level1 persist_lim persistence limit [MS] totalizer_lim persistence limit1 [DSTi] DST Data Store Read trip_level persist_lim Index Vector input_a input_b input_c trip_level persist_lim MS totalizer_lim Extract Bits u16 [0 3] failreport triplex_input_monitor pc tc failreport [MS] [status_a] [status_b] [status_c] [prev_sel] [A] [B] [C] persistence_cnt<pc> 24 Counterexamples 3 totalizer_cnt<tc> totalizer_cnt 10 Design Modifications Formal verification has found Several subtle Requirements errors that Clarifications would likely be missed by traditional testing. mon_failure_report status_a status_b status_c prev_sel input_a input_b input_c 2 persistence_cnt [trigger] [A] [B] [DSTi] failure_report Failure_Isolation pc trigger input_a input_b input_c DST_index input_sel triplex_input_selector - Lockheed Martin [DSTi] 1 failure_report 25 [C] 4 input_sel 1 z Unit Delay failure_report dst_index Failure_Processing [prev_sel] 25

Towards Architecture Centric Engineering Build on architecture tradeoff analysis (e.g., SEI ATAM) Provides focused evaluation method MBE/AADL provides quantitative analysis & starter models to build on Facilitate pattern-based technical architecture root cause analysis Identify systemic risks in technology migration and refresh AADL provides semantic framework to reason about technical problem areas and potential mitigation strategies Scalability through architecture extraction Leverage existing design data bases Challenge: abstract away from design details Focus on what instead of how Support system and software assurance Provides structured approach to safety/dependability assurance MBE/AADL provides evidence based on validated models 26

Peter H Feiler phf@sei.cmu.edu

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback