Hierarchical Composition and Abstraction In Architecture Models

Similar documents
Methods and Tools for Embedded Distributed System Timing and Safety Analysis. Steve Vestal Honeywell Labs

An Information Model for High-Integrity Real Time Systems

Architecture Description Languages. Peter H. Feiler 1, Bruce Lewis 2, Steve Vestal 3 and Ed Colbert 4

Static and dynamic analysis: synergy and duality

Resource-bound process algebras for Schedulability and Performance Analysis of Real-Time and Embedded Systems

StateClock: a Tool for Timed Reactive Modules

Distributed Systems Programming (F21DS1) Formal Verification

Software Architectures

Contemporary Design. Traditional Hardware Design. Traditional Hardware Design. HDL Based Hardware Design User Inputs. Requirements.

Kami: A Framework for (RISC-V) HW Verification

Applications of Program analysis in Model-Based Design

Automatic synthesis of switching controllers for linear hybrid systems: Reachability control

This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No

A Modeling Framework for Schedulability Analysis of Distributed Avionics Systems. Pujie Han MARS/VPT Thessaloniki, 20 April 2018

Verifiable Hierarchical Protocols with Network Invariants on Parametric Systems

Lecture 2. Decidability and Verification

Compositional Model Based Software Development

Lecture 9: Reachability

HYBRID PETRI NET MODEL BASED DECISION SUPPORT SYSTEM. Janetta Culita, Simona Caramihai, Calin Munteanu

Parametric Real Time System Feasibility Analysis Using Parametric Timed Automata

A set-based approach to robust control and verification of piecewise affine systems subject to safety specifications

Hybrid Systems Analysis of Periodic Control Systems using Continuization

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Negations in Refinement Type Systems

Semantic Subtyping. Alain Frisch (ENS Paris) Giuseppe Castagna (ENS Paris) Véronique Benzaken (LRI U Paris Sud)

Lecture Little s Law Flux Queueing Theory Simulation Definition. CMPSCI 691ST Systems Fall 2011

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

these developments has been in the field of formal methods. Such methods, typically given by a

HyLAA: A Tool for Computing Simulation-Equivalent Reachability for Linear Systems

The Basics of Graphical Models

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

FUSED Framework for System Engineering Hands-on Tutorial SAE AADL 19 April 2012

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

Duet: Static Analysis for Unbounded Parallelism

Subtyping. Lecture 13 CS 565 3/27/06

Petri Nets ~------~ R-ES-O---N-A-N-C-E-I--se-p-te-m--be-r Applications.

Modelling and verification of cyber-physical system

OMG Systems Modeling Language Tutorial May, 2012

Computer Science Technical Report

Introduction to Formal Methods

Multiple Viewpoint Contract-Based Specification and Design

Solving the Live-out Iterator Problem, Part I

Kernel Korner AEM: A Scalable and Native Event Mechanism for Linux

Statistical Model Checking in UPPAAL

The Embedded Systems Design Challenge. EPFL Verimag

A Modelling and Analysis Environment for LARES

Enhancing The Fault-Tolerance of Nonmasking Programs

Composability Test of BOM based models using Petri Nets

Recursive Types and Subtyping

Foundations of a New Software Engineering Method for Real-time Systems

Hierarchical Shape Abstraction of Dynamic Structures in Static Blocks

Implementing Architectures

Formal Modelling of Railway Interlockings Using Event-B and the Rodin Tool-chain

Reading 1 : Introduction

Foundations of Data Warehouse Quality (DWQ)

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

Analysis of BPMN Models

Software Design. Levels in Design Process. Design Methodologies. Levels..

A Gentle Introduction to Program Analysis

Recursive Types and Subtyping

Using Hybrid Automata for Early Spacecraft Design Evaluation

Cover Page. The handle holds various files of this Leiden University dissertation

Analysis of Replication Control Protocols

Safety Property Analysis Techniques for Cooperating Embedded Systems using LTS

Software Specification Refinement and Verification Method with I-Mathic Studio

Architecture Modeling and Analysis for Embedded Systems

DISCRETE-event dynamic systems (DEDS) are dynamic

Software Engineering of Robots

RATCOP: Relational Analysis Tool for Concurrent Programs

Just-In-Time Certification

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Some notes about Event-B and Rodin

6.231 DYNAMIC PROGRAMMING LECTURE 14 LECTURE OUTLINE

Part 4. Decomposition Algorithms Dantzig-Wolf Decomposition Algorithm

Development of dynamically evolving and self-adaptive software. 4. Incrementality

VHDL framework for modeling fuzzy automata

CMPT Data and Program Organization

Embedded software design with Polychrony

Advanced Tool Architectures. Edited and Presented by Edward A. Lee, Co-PI UC Berkeley. Tool Projects. Chess Review May 10, 2004 Berkeley, CA

Software Engineering: A Practitioner s s Approach, 6/e Roger Pressman. Chapter 28 Formal Methods

Describing the architecture: Creating and Using Architectural Description Languages (ADLs): What are the attributes and R-forms?

Monads. Mark Hills 6 August Department of Computer Science University of Illinois at Urbana-Champaign

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

clustering SVG shapes

Modeling Requirements, Architectures, Behaviour...

Web Services Annotation and Reasoning

TSW Reliability and Fault Tolerance

In this Lecture you will Learn: Testing in Software Development Process. What is Software Testing. Static Testing vs.

Formal Verification for UML/SysML models

Cyber Physical System Verification with SAL

A Typed Calculus Supporting Shallow Embeddings of Abstract Machines

3.4 Data-Centric workflow

High-Level Hybrid Systems Analysis with Hypy

Model Editing & Processing Tools. AADL Committee, San Diego February 4th, Pierre Dissaux. Ellidiss. Technologies w w w. e l l i d i s s.

Statistical Model Checking in UPPAAL

CoVaC: Compiler Verification by Program Analysis of the Cross-Product. Anna Zaks, Amir Pnueli. May 28, FM 08, Turku, Finland

Simulation and Verification of Timed and Hybrid Systems

Decomposition Instead of Self- Composition for Proving the Absence of Timing Channels

Topic Formal Methods. ICS 121 Lecture Notes. What are Formal Methods? What are Formal Methods? Formal Specification in Software Development

Transcription:

Hierarchical Composition and Abstraction In Architecture Models Pam Binns and Steve Vestal Honeywell Labs {pam.binns, steve.vestal}@honeywell.com Supported by the Air Force Office of Scientific Research

Compositional Modeling Compositional Modeling: Specify models for individual components Automatically generate system model from architecture specification and component models Desired Benefits: Improved reuse of component models More easily modifiable architecture specifications Improved traceability between designs, models and analyses Models that can be used to guide and verify implementations

Compositional Modeling Challenges Define ADL features and semantic composition rules Good level of abstraction (architecture vs component) Concise and intuitive for architecture developer Permit checks for consistency and completeness Permit modular and modifiable architecture specification Support the development process Traceability between well-structured specifications, models, analyses Provide design decision insight (e.g. traceable parametric analyses) Generate models useful during implementation and verification Tractable model analysis Decomposition analysis methods Abstractions Mixed-fidelity models

Related Work (that we know of) For discrete state models implements relations conformance relations abstract interpretations compositional model-checking For hybrid models hierarchical specification languages conformance relations For stochastic models stochastic automata lumpability theory

Hierarchical Model Composition for Hierarchical Specifications system S type M S model composition system implementation A B C M A M B M C S may be a component of a larger system, so M S is composable with other system models.

Hierarchical Model Abstraction system S type M S M S Replace M S with a simpler abstract model M S when composing the higher-level system models. We assume M S is given (e.g. a specification) We want to show the abstraction is safe with respect to the fully detailed compositional model.

Types of Models Linear Hybrid Automata for timing/sequencing Stochastic Automata for safety/reliability

Abstract Linear Hybrid Automata Thread Model assert t 200000 Failed c =0, t =1 Computing c ={0,1}, t =1 c 100000? t =200000 t 0, c 0 Awaiting_Dispatch c =0, t =1 t 200000 Definition of a classical periodic real-time thread.

Concrete Linear Hybrid Automata Thread Model assert t 200000 Failed c=0, t=1 Abstract Failed Initializing c={0,1}, t=1 c 90000 Starting c={0,1}, t=1 c 90000 Stopped c=0, t=1 t 200000? t=200000 t 0, c 0 assert t 200000 assert t 200000 Computing c={0,1}, r=0, t=1 c 90000 r 0? t=200000 t 0, c 0, r 0 Awaiting_Dispatch c=0, r=0, t=1 t 200000 Abstract Computing Recovering c=0, r={0,1}, t=1 r 10000 assert t 200000 Abstract Awaiting Dispatch Generated from a portion of the MetaH middleware code.

When is the Abstract Model Safe? The abstraction is safe if t deadline at thread completion in abstract model implies t deadline in concrete model. We show the set of reachable states of the concrete model is a subset of the reachable states of the abstract model according to the abstraction mapping: failed failed initializing, starting, computing, recovering computing stopped, awaiting dispatch awaiting dispatch t t c+r c

Proving Containment Apply a region enumeration algorithm to both models. Check for polyhedral containment subject to the abstraction mapping. This succeeds for any given compute rate, but we need to argue that the abstract model can be substituted for the concrete in a system consisting of composed concrete models.

Composing Thread Automata Instead of this: X & = S 2 S 3 & 1 = 1 x &= 2 r 2 x &= 3 r 3 x S 1 r Do this: X & = S( S S S ) 1 2 3 S is a scheduler function.

Restricting the Scheduler Function S is a scheduling function for a system of concrete models S is a scheduling function when some are replaced by abstract models Impose the restriction S(..a..) S (..a..) when a a ( accounts for abstraction mapping) Then each thread is scheduled the same regardless of whether other threads are modeled concretely or abstractly the abstract variables accumulate at the same rate as their corresponding abstraction mapping, e.g. t = t c+r= c are invariant as the two systems run (assuming this is initially true) Model-checking needs to cover a class of S S (e.g. we looked at proportional share)

An Abstract Safety Model Working µ λ Broken

A Concrete Safety Model Working {1,2} {1} Broken {1,2,3} {1,3} {2,3} {2} {3} { }

Abstraction Mappings A many-to-one mapping of concrete to abstract states An edge between a pair of abstract states exists only if an edge between a pair of concrete states exists where the two concrete states map to the two abstract states. (Corresponding abstract and concrete edges do not necessarily have the same rates.)

Safe Steady State Abstractions Let π s be the steady state probability of being in state s. Let C a be the concrete states that map to abstract state a. In general, user may want to specify π a π c C a π a π c C a for some given C a for other given C a We investigated the case π = a π c C a

Issues Abstractions of Markovian concrete models are not necessarily Markovian Abstract rates are not necessarily uniquely determined by concrete rates A concrete model is lumpable if there exists a partitioning of its states (an abstraction) that is Markovian. Thm: If the abstract model is a lumping of the concrete model, then there is a unique mapping between abstract and concrete rates.

Two Abstractions Working {1,2} {1} Broken B f/r W {1,2,3} {1,3} {2,3} {2} {3} { } Non-Lumpable Abstracton f r λ = µ 2 λ + 3µ 3λ + µ [3] [2] [1] [0] 3 2λ/2µ λ/3µ Lumpable Abstraction [# operational components] transition rates uniquely defined by concrete rates

Transient Analysis Lumpable abstractions have precisely defined transition rates, so transient analyses for safe probability of being in an abstract state appears to hold (using time-varying equality notion of safety) For non-lumpable abstractions, might approach this with a looser definition for safe abstraction.

Remarks Need more general and powerful methods for proving that a given abstract model is a safe abstraction of a given concrete model. What abstraction mappings and safety relations are adequate in practice? Does putting the human in the loop help with the tractability problem? What methodology helps define good abstractions (e.g. is a good specification a good abstraction)? What tool support would help?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback