Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

Similar documents
Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Mike Whalen Program Director, UMSEC University of Minnesota

AADL Requirements Annex Review

Flight Systems are Cyber-Physical Systems

PSL for Assume-Guarantee Contracts in AADL Models

Tools for Formally Reasoning about Systems. June Prepared by Lucas Wagner

Model Checking of Aerospace Domain Models in an Industrial Context

An Information Model for High-Integrity Real Time Systems

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Model-based Architectural Verification & Validation

Requirements Analysis of a Quad-Redundant Flight Control System

Pattern-Based Analysis of an Embedded Real-Time System Architecture

Boeing Certification Techniques for Advanced Flight Critical Systems Challenge Problem Integration (CerTA FCS CPI) Briefing at the

Software architecture in ASPICE and Even-André Karlsson

MARTE Based Modeling Tools Usage Scenarios in Avionics Software Development Workflows

xuml, AADL and Beyond

Specifying and Proving Broadcast Properties with TLA

Discussion of Failure Mode Assumptions for IEEE 802.1Qbt

Architectural Blueprint

TSW Reliability and Fault Tolerance

Basic vs. Reliable Multicast

Model driven Engineering & Model driven Architecture

What are Embedded Systems? Lecture 1 Introduction to Embedded Systems & Software

Verification & Validation of Open Source

Lecture 1: Introduction to distributed Algorithms

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

Chapter 4 Objectives

Mixed Critical Architecture Requirements (MCAR)

Hardware/Software Co-design

SCADE. SCADE Architect System Requirements Analysis EMBEDDED SOFTWARE

Verifying Periodic Programs with Priority Inheritance Locks

Using Source Lines of Code As A Size Input For Estimating Software Effort & Schedule

Modelling & Simulation of Complex Socio-Cyber- Physical Systems and Large Scale Systems of Systems

Presented by Greg Pollari (Rockwell Collins) and Nigel Shaw (Eurostep)

Automated Requirements-Based Testing

Low Level Design Activities. Implementation (Low Level Design) What is a Good Low Level Module? Black Box Aspects. Black box aspects White box aspects

SAE Architecture Analysis and Design Language. AS-2C ADL Subcommittee Meeting June 6-9, 2011 Paris, France

Introduction to AADL analysis and modeling with FACE Units of Conformance

A Framework for the Formal Verification of Time-Triggered Systems

Fast and Accurate Source-Level Simulation Considering Target-Specific Compiler Optimizations

Software Verification and Validation (VIMMD052) Introduction. Istvan Majzik Budapest University of Technology and Economics

Distributed Systems (ICE 601) Fault Tolerance

02 - Distributed Systems

02 - Distributed Systems

Formal Development of Fault Tolerant Transactions for a Replicated Database using Ordered Broadcasts

Software Engineering (CSC 4350/6350) Rao Casturi

Update on AADL Requirements Annex

Automated Freedom from Interference Analysis for Automotive Software

1. INTRODUCTION. four years and by 2014 the cost of 27M SLOC of software is estimated to exceed $10B (see Figure 1).

Distributed Systems. 09. State Machine Replication & Virtual Synchrony. Paul Krzyzanowski. Rutgers University. Fall Paul Krzyzanowski

Developing Reliable Software Rapidly

COMPASS: FORMAL METHODS FOR SYSTEM-SOFTWARE CO-ENGINEERING

Rockwell Collins Evolving FM Methodology

A Data-Centric Approach for Modular Assurance Abstract. Keywords: 1 Introduction

Analytical Architecture Fault Models

Introduction to Software Engineering

Failure Modelling in Software Architecture Design for Safety

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Fault Tolerance. Distributed Software Systems. Definitions

Formal Verification in Aeronautics: Current Practice and Upcoming Standard. Yannick Moy, AdaCore ACSL Workshop, Fraunhofer FIRST

Platform modeling and allocation

SEI/CMU Efforts on Assured Systems

Chapter 1: Programming Principles

Introduction to Formal Methods

Engineering High- Assurance Software for Distributed Adaptive Real- Time Systems

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

Analysis and Design Language (AADL) for Quantitative System Reliability and Availability Modeling

Software Architecture in Action. Flavio Oquendo, Jair C Leite, Thais Batista

System Models for Distributed Systems

Software Engineering Fall 2015 (CSC 4350/6350) TR. 5:30 pm 7:15 pm. Rao Casturi 11/10/2015

Distributed IMA with TTEthernet

System-level co-modeling AADL and Simulink specifications using Polychrony (and Syndex)

Arvind Krishnamurthy Fall Collection of individual computing devices/processes that can communicate with each other

IVI. Interchangeable Virtual Instruments. IVI-3.10: Measurement and Stimulus Subsystems (IVI-MSS) Specification. Page 1

Chapter 39: Concepts of Time-Triggered Communication. Wenbo Qiao

Compatible Qualification Metrics for Formal Property Checking

Combining Complementary Formal Verification Strategies to Improve Performance and Accuracy

Software Engineering Fall 2014

IronFleet. Dmitry Bondarenko, Yixuan Chen

Introduction to Software Fault Tolerance Techniques and Implementation. Presented By : Hoda Banki

Chapter 1: Principles of Programming and Software Engineering

Database Integrity Policy for Aeronautical Data

Timing Analysis on Complex Real-Time Automotive Multicore Architectures

Your What is My How: Iteration and Hierarchy in System Design

Distributed Systems Programming (F21DS1) Formal Verification

Safety Assurance in Software Systems From Airplanes to Atoms

Pragmatic Simulation-Based Verification of Clock Domain Crossing Signals and Jitter using SystemVerilog Assertions

Minsoo Ryu. College of Information and Communications Hanyang University.

Requirement Analysis

Static Analysis of Embedded Systems

Click ISO to edit Master title style Update on development of the standard

For presentation at the Fourth Software Engineering Institute (SEI) Software Architecture Technology User Network (SATURN) Workshop.


Certification of Model Transformations

Lecture Chapter 2 Software Development

High-Level Information Interface

An Encapsulated Communication System for Integrated Architectures

From MDD back to basic: Building DRE systems

Sensor Open Systems Architecture (SOSA)

Testing for the Unexpected Using PXI

Transcription:

Complexity-Reducing Design Patterns for Cyber-Physical Systems DARPA META Project AADL Standards Meeting 24-27 January 2011 Steven P. Miller Delivered to the Government in Accordance with Contract FA8650-10-C-7081 Approved for public release: distribution unlimited

META is Part of the DARPA AVM Program 2

What is META? Devise, implement, and demonstrate a radically different approach to the design, integration/manufacturing, and verification of defense systems/vehicles Enhance designer s ability to manage system complexity Foundry-style model of manufacturing Five technical areas 1. Metrics of complexity 2. Metrics of adaptability 3. Meta-language for system design 4. Design flow & tools 5. Verification flow & tools 3

In modern combat systems, the software architecture is the integration mechanism for electrical, mechanical, and software components Software development, including verification, poses the single greatest risk to program schedule and successful delivery 40% of Commercial Aircraft Cost due to [cyber-physical] Systems Don Winter, VP Boeing, CPS Transportation Workshop, November 2008 SLOC Doubles Every Four Years in Commercial Aircraft AVSI SAVI Summary Final Report, October 8, 2009 Current Generation of Commercial Aircraft Software Exceeds 25M SLOC AVSI SAVI Summary Final Report, October 8, 2009 Cost of 27.5M SLOC of Commercial Aircraft Code = $10 Billion AVSI SAVI Summary Final Report, October 8, 2009 30% of Automobile Cost Due to Electronics US Council for Automotive Research 2006 Estimate of 34M SLOC for Future Combat Systems The Army s Future Combat System Program, CBO, April 2006 Future Systems will Likely Exceed One Billion SLOC Don Winter, VP, Boeing, Congressional Testimony, NITRD Program, July 31, 2008 Develop and demonstrate a new design flow based on complexity-reducing design patterns with formally guaranteed properties, and automated formal verification deeply embedded within the system design process 4

Complexity-Reducing Design Patterns for Cyber Physical Systems Objective Achieve dramatic reduction in the time required to design and verify complex, mixed-criticality cyber-physical systems Key innovations Complexity-reducing system design patterns with formally guaranteed properties Architectural modeling and analysis to support virtual integration, composition, and verification of system-level properties Automated formal verification deeply embedded in the system design process ARCH PATTERN MODELS ANNOTATE & VERIFY MODELS COMPONENT MODELS PATTERN & COMP SPEC LIBRARY COMPONENT LIBRARY INSTANTIATE ARCH PATTERNS & CHECK CONSTRAINTS SYSTEM MODEL SYSTEM MODELING ENVIRONMENT COMPOSITIONAL REASONING & ANALYSIS AUTO GENERATE SPECIFICATION SYSTEM DEVELOPMENT FOUNDRY SYSTEM IMPLEMENTATION REQUIREMENTS DESIGN REWORK REWORK IMPLEMENTATION TRADITIONAL DEVELOPMENT PROCESS DESIGN BUILD TEST REDESIGN REWORK VERIFICATION DELIVERY PATTERN & COMP. LIBRARY DESIGN WITH VERIFICATION CORRECT-BY-CONSTRUCTION PROCESS SUPPORTS ACCELERATED SCHEDULE Impact Dramatic schedule efficiencies Correct by construction eliminates rework cycles Integrated verification eliminates rework & retest direct to foundry Team Rockwell Collins ATC University of Illinois at U-C University of Minnesota WW Technology Group Technology Transition Focus on open standard modeling languages 5

Complexity-Reducing Architectural Design Patterns Design pattern = model transformation p : M M (partial function) Reuse of verification is key Not software reuse Guaranteed behaviors Reduce/manage system complexity Separation of concerns System logic vs. application logic Process complexity vs. design complexity Encapsulate & standardize good solutions Raise level of abstraction Take the soldering iron out of the hands of systems engineers 6

Task 1 - Design Problems Design Problem Description Approach 1 Asynchronous Computation Race conditions lead to inconsistent state information across asynchronous nodes. Implement logical synchrony to simplify agreement on global state. Evaluate design problems and possible solutions Data sources SAVI ROI report RC SCR database Fault-tolerance literature Patterns PALS Replication Leader Selection Active-Standby Simplex 2 Unreliable Computing Platform 3 Unreliable Data Sources 4 Unintended Interaction/ Interference Incorrect designs for fault tolerance result in system failures. Incorrect designs for voting or selection of redundant sensors lead to use of invalid inputs. Failure or unexpected behavior of a component causes the failure of a unrelated component. 5 Resource Contention Incorrect use of shared resources leads to inconsistent global state, corrupted resource, or denial of service. 6 Platform Hardware Dependencies 7 SW-HW Task Allocation 8 Untrusted/ Unreliable Components Dependencies on low-level hardware or platform behavior make it prohibitively expensive to port systems to new platforms. Inflexible allocation of functions to hardware or software makes it difficult to optimize system performance/cost. Use of complex components that provide highly desirable performance are prohibitively expensive to verify. 9 Requirements Errors Missing or incorrect requirements are not discovered until system integration resulting in extensive rework. 10 Unspecified Dependencies Missing or incorrect dependencies of components on other components are not discovered until system integration. Use of verified architectural design patterns for fault tolerant design. Use of verified architectural design patterns for source selection and voting. Use of verified architectures that prevent interference. Use of assume/guarantee contracts. Use of verified architectural design patterns for concurrent access to shared resources. Use of layered virtual interfaces based on formally specified assume/ guarantee contracts. Automated generation of each level of design refinement. Auto-generation of correct-byconstruction implementations from system specification. Use of formally verified simplex design pattern that monitors boundary conditions and switches to a simpler reliable controller. Use executable system models and compositional verification of to enable early identification of requirements errors. Use of formal assume/guarantee contracts and compositional verification of to enable early identification of unspecified dependencies. 7

Task 2 - Design Flow EDICT OSATE ARCH PATTERN MODELS pattern args components SYSTEM MODELING ENVIRONMENT Create/edit system design ANNOTATE & VERIFY MODELS PATTERN & COMP SPEC LIBRARY INSTANTIATE ARCH PATTERNS & CHECK CONSTRAINTS SYSTEM MODEL AUTO GENERATE SYSTEM IMPLEMENTATION COMPONENT MODELS COMPONENT LIBRARY COMPOSITIONAL REASONING & ANALYSIS Model Checker Assumptions Guarantees System props SPECIFICATION SYSTEM DEVELOPMENT FOUNDRY Encapsulate Good Solutions Reduce System Complexity Pre (Formal) Verification Standardize System Design Reuse of Verification Compositional Reasoning Correct-By-Construction Avoid Redesign 8

Task 3 - Initial Design Patterns In Progress Under Consideration PALS Physically Asynchronous/Logically Synchronous Design and verify an asynchronous system as a synchronous system Orders of magnitude reduction in temporal complexity Eliminate deadlock and race conditions Replication Replicates components, ports, and connections Foundation for more complex fault-tolerance patterns Leader Selection Common problem of selecting the active node in a distributed design Formally (pre) verified for N nodes Active Standby Common fault-tolerant design for Simplex Common fault-tolerant design for hardware failures software failures 9

Task 3 - PALS Pattern i i + 1 i i + 1 NODE 1 NODE 1 NODE 2 NODE 2 NODE 3 NODE 3 T SYNCHRONOUS NETWORK CLOCK JITTER ASYNCHRONOUS BOUNDED DELAY NETWORK WITH PALS Goal: Host synchronous designs transparently on distributed asynchronous platforms Assumptions Access to global time Monotonic local clocks Bounded computation and communication times Fail silent nodes Guarantees All nodes see the same input values at the logical step boundaries 10

Task 4 Example Architectural Models Initial System Active Standby Pattern Replicate Leader Selection PALS Replicate Final System Flight Guidance Flight Control Avionics System System Hie erarchy Pattern Application 11

Task 5 - Pattern Verification Leader Selection pattern Generic for n nodes Synchronous (requires PALS) Used to implement Active-Standby Assume Nodes connected in model (can exchange messages) Synchronous communication (dramatic state-space reduction) Guarantee (for n 8) All non-failed nodes always agree on a leader. If a node is leader and has not failed, it is still the leader in the next step. If any non-failed nodes exist, then in the next step there is a leader. No failed node will be the leader in the next step. Verified using NuSMV model checker Working on parametric proof for arbitrary number of nodes 12

Task 6 Tools for Pattern Specification & Application WW Technology Group EDICT Tool Suite Pattern Specification Pattern Library Checking Pattern Constraints Pattern Application Generation of Revised AADL Model 13

Task 7 Verify System Properties Compositional reasoning Component and pattern specifications Assume (environmental invariants) Guarantee (properties/requirements proved) & C INSTANTIATE ARCH PATTERNS & CHECK CONSTRAINTS SYSTEM MODEL SYSTEM MODELING ENVIRONMENT G AFRL CerTA FCS Effector blender example Proof carried out iteratively, starting with top-level obligations imposed by properties, and propagating through the architecture Lemmas developed, model checked, and propagated outward until satisfied or counterexamples found T Model Checker Assumptions Guarantees System props SYSTEM DEVELOPMENT COMPOSITIONAL REASONING & ANALYSIS EffectorBlender EffectorBlender PreProcessing GenericEffectorBlender PostProcessing PreProcessingInputs cneg_checkeffectiveness umin umax cneg_solve cnegs_select PreProcessingStateflow NoDelta cnegs_whileiterator cnegsws_limitandscale cne_limitandscalevector 14

FAA Requirements Engineering Management Handbook Two Year Study for the FAA Recommended Practices Examples Based on SCR and CoRE Elements of SpecTRML Written with AADL in Mind 15

SysML, AADL, and MARTE SysML (Systems Modeling Language) Applicable Across Most of the Systems Engineering Domain Modeling OMG Standard SysML Widely Known with Improving Commercial Tool Support Lacks Specificity and Rigor for Embedded Systems MARTE UML 2 AADL (Architectural Analysis and Design Language) Tailored Analysis to Real-Time Embedded AADL Systems Domain SAE Standard (AS5506) Active Research Community, Particularly in Europe Physical World Tools are Primarily Open Source with Uncertain Future Support Real Time Embedded Systems Intended Domain MARTE (Modeling & Analysis of Real-Time Embedded Systems) Tailored to Real-Time Embedded Systems Domain UML2 Profile Software Best Known in France and Europe Few Existing Tools with Uncertain Future Support 16

Summary Complexity Reducing Patterns for Cyber-physical Systems Objective Achieve dramatic reduction in the time required to design and verify complex, mixed-criticality cyber-physical systems Key Innovations Complexity-reducing system design patterns with formally guaranteed properties Architectural modeling and analysis to support virtual integration, composition, and verification of system-level properties Automated formal verification deeply embedded in the system design process Integrate Then Build 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback