DASC AADL Tutorial - Part I - PowerPoint PPT Presentation

1
The Emerging SAE AADL Standard: An Architecture Analysis & Design Language for Building Embedded Real-Time Systems
Society of Automotive Engineers, Avionic Systems Division, Embedded Computing Systems Committee AS-2C, Avionics Architecture Description Language Subcommittee
Software Engineering Institute
Embry-Riddle Aeronautical University
2
Welcome
  • Peter Feiler
  • Secretary, Technical Co-editor
  • Software Engineering Institute
  • phf@sei.cmu.edu
  • 412-268-7790

  • Bruce Lewis
  • Chair, SAE AS-2C Subcommittee
  • Army AMCOM SED
  • bruce.lewis@sed.redstone.army.mil
  • 256-876-3224

  • Dave Gluch
  • Embry-Riddle Aeronautical University / Software Engineering Institute
  • gluchd@erau.edu / dpg@sei.cmu.edu
  • 386-226-6455

  • John Hudak
  • Software Engineering Institute
  • jhudak@sei.cmu.edu
  • 412-268-5291

http://www.aadl.info
3
Architecture Analysis & Design Language (AADL)
  • Specification of computer systems and SoS: real-time, embedded,
    fault-tolerant, securely partitioned, dynamically configurable
  • Software task and communication architectures
  • Component interface and structure, behavior, properties
  • Bound to distributed multiple processor, integrated hardware
    architectures
  • Fields of application: avionics, automotive, aerospace, autonomous
    systems
  • Context and vocabulary for the integration of System Engineering
    Technology
  • Capture of Architecture (driving requirements), Analysis of
    Integration Impact (through model checking), Automated Integration
    to specification.

4
Typical Software Development Process

Requirements Analysis -> Design -> Implementation -> Integration
Manual, paper intensive, error prone, resistant to change.
5
Model-Based System Engineering
[Diagram: Model-Based Architecture-Driven System Integration. Labels: Requirements Analysis; Design, Analysis and Implementation; Explicit Architecture; M. Engineering Models; Use of AADL; Predictable System, Rapid Integration, Upgradeability]
6
Lifecycle Impact
  • Requirements that impact computer software and hardware
    architecture are modeled early, with partial data.
  • The system specification is refined during design, coding and
    integration to the final system; each change is modeled and
    model-checked against multiple analysis approaches.
  • The specification is used to integrate the system, generating
    middleware to control system execution and communication;
    generation is done in compliance with the formal analysis on the
    RT O/S.
  • The specification is used throughout the development process, so it
    is not out of date and is always ready for the next system
    evolution and additional analysis capability.

7
AADL-Based System Engineering
  • System Construction: AADL Runtime System, Application Software
    Integration
  • System Analysis: Schedulability, Performance, Reliability, Fault
    Tolerance, Dynamic Configurability

[Diagram: Software System Engineer uses SAE AADL to model the architecture (abstract, but precise). Layers: Application Software (DB, Ada Runtime, HTTPS, GPS, ...) provided by the Application Developer; Execution Platform (Devices, Memory, Bus, Processor)]
8
An SAE Standard
  • Sponsored by: Society of Automotive Engineers (SAE), Avionics
    Systems Division (ASD), Embedded Systems (AS2), Avionics
    Architecture Description Language Subcommittee (AS2C)
  • Contact: Bruce Lewis, AS2C chair, bruce.lewis@sed.redstone.army.mil
  • http://www.aadl.info
  • For information, email info@aadl.info
  • Balloted April 2004, expecting Core standard July.

SAE: Largest Provider of Avionics Standards
9
AS-2C ADL Subcommittee
  • Bruce Lewis (AMCOM): Chair, technology user
  • Peter Feiler (SEI): Secretary, main author, editor, technology user
  • Steve Vestal (Honeywell): MetaH originator, co-author
  • Ed Colbert (USC): AADL UML Mapping
  • Joyce Tokar (Pyrrhus Software): Ada & C Annex
  • Members: Boeing, Rockwell, Honeywell, Lockheed Martin, Raytheon,
    Smith Industries, Airbus, Axlog, Dassault, EADS, Canadair, High
    Integrity Systems; NAVAir, Open Systems JTF, British MOD, US Army;
    European Space Agency
  • Coordination with: NATO, COTRE, OMG-UML

10
Priority Processing
  • Systems interested in immediate use
  • Common Missile (August)
  • Eglin AFB Weapons Integration (Toolset SBIRs)
  • Navy version of BlackHawk (possibly starting
    training in June with pre-standard toolset)
  • European Space Agency (expected Fall 2004)
  • Airbus (prototype tool building started)
  • FCS and 7E7 (probably too late now but the sooner
    the better)
  • Plug and Play (GD Immediate)
  • SEI Toolset development (started)
  • TNI Toolset development (started)
  • UML/OMG RFC waiting, need to submit ASAP

11
MetaH Case Study at AMCOM
  • Missile Application reengineered:
  • Missile on-board software and 6DOF environment simulation executing
    on dual i80960MC, Tartan Ada, VME boards
  • Built to Generic Missile Reference Architecture
  • Specified in MetaH, 12 to 16 concurrent processes
  • MetaH reduced total re-engineering cost 40% on the first project it
    was used on. The missile prime estimated savings at 66%.
  • Missile Application ported to a new execution environment:
  • multiple ports to single and dual processor implementations
  • new processors (Pentium and PowerPC), compilers, O/S
  • executable the first time; flew correctly on each target
    environment
  • ports took a few weeks rather than 10 months.

12
AMCOM Effort Saved Using MetaH
Total project savings 50%, re-target savings 90%
[Chart: man hours (0 to 8000) for the Traditional Approach versus Using MetaH, showing Benefit During Application Rewrite and Benefit During Platform Retarget. Phases: Review, 3-DOF, Transform, 6-DOF, Current RT, Translate, Test, MetaH 6DOF, RT Build, 6DOF Debug, Missile Re-target, Debug]
13
Why AADL: Architecture Analysis and Design Language
  • Concept - Applies a systems engineering (analytical) approach to
    software intensive systems rather than brute force. Early analysis
    instead of late failure.
  • Needed - An analyzable architecture is key to a sizable decrease in
    rework, integration and upgrade costs, as well as program risk and
    complexity.
  • Enables rapid system evolution for complex, RT, safety critical
    systems with cross cutting constraints; predictable change to both
    HW and SW components.
  • Open - Becoming a standard: SAE, NATO, UML.
  • Readiness - 12 years of DARPA investment and experiments.
  • Extendable - A good foundation for additional capabilities in
    analysis, automated system integration, system of systems,
    distribution, dynamics.

14
An XML-Based AADL Tool Strategy
[Diagram: Graphical AADL and Textual AADL feed an AADL Model XML; with Complete Execution Platform Binding this yields an AADL Instance XML, which feeds Scheduling Analysis, an AADL Runtime Generator, Reliability Analysis and Safety Analysis. Tool labels: Commercial Tool like TimeWiz; Project-Specific In-House; Filter to Markov Analysis]
15
An Open Source AADL Environment
[Diagram: AADL Environment built on the Eclipse Platform (Workbench, JFace, SWT, Help, Team, Debug, Workspace, Platform Runtime, Java Development Tools (JDT), Plug-in Development Environment (PDE)). AADL parts: Standalone Generation Tool, Analysis Tool Via Java, Analysis Tool Via XML, XML Document Persistence]
16
Some MetaH History
MetaH - Precursor to AADL
  • 1991: DARPA DSSA program begins
  • 1992: Partitioned PFP target (Tartan MAR/i960MC)
  • 1994: Multi-processor target (VME i960MC)
  • 1995: Slack stealing scheduler
  • 1998: Portable Ada 95 and POSIX middleware configurations
  • 1999: Hybrid automata verification of core middleware modules

Numerous evaluation and demonstration projects, e.g.:
  • Missile GC reference architecture, demos, others (AMCOM SED)
  • Hybrid automata formal verification (AFOSR, Honeywell)
  • Missile defense (Boeing)
  • Fighter guidance SW fault tolerance (DARPA, CMU, Lockheed-Martin)
  • Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell)
  • Comanche study (AMCOM, Comanche PO, Boeing, Honeywell)
  • Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech)
  • Advanced Intercept Technology CWE (BMDO, MaxTech)
  • Adaptive Computer Systems (DARPA, Honeywell)
  • Avionics System Performance Management (AFRL, Honeywell)
  • Ada Software Integrated Development/Verification (AFRL, Honeywell)
  • FMS reference architecture (Honeywell)
  • JSF vehicle control (Honeywell)
  • IFMU reengineering (Honeywell)
17
AADL in Context
DARPA Funded Research since 1990
  • Research ADLs
  • MetaH: real-time, modal, system family; analysis generation; RMA
    based scheduling
  • Rapide, Wright, ...: behavioral validation
  • ADL Interchange: ACME, xADL; ADML (MCC/Open Group, TOGAF)
  • Industrial Strength: UML 2.0, UML-RT; HOOD/STOOD; SDL

[Diagram: AADL (Extensible, Real-time, Dependable) with relationships labeled Basis, Extension, Influence, Alignment, Enhancement; industrial users Airbus, ESA]
18
AADL/UML Relationship
To be submitted to OMG for adoption
[Diagram: AADL Core and Extensible AADL Annexes alongside UML 2.0, UML 1.4 (detailed design), UML-RT and UML Working Groups; an AADL UML Profile; annex/working-group topics: Security, Performance, Timeliness, Dependability]
19
What Is Involved In Using The AADL?
  • Specify software and hardware system architectures
  • Specify component interfaces and implementation properties
  • Analyze system timing, reliability, partition isolation
  • Tool-supported software and system integration
  • Verify source code compliance and middleware behavior

Model and analyze early and throughout the product life cycle.
20
A Control Engineer Perspective
[Diagram: Matlab/Simulink component analysis (tune parameters, validate simulation) feeding application code (Ada fragments: with Text_IO; package Main ...). Continuous feedback in a controller; continuous feedback for a control engineer]
21
A Software System Engineer Perspective
[Diagram: application components (Ada fragments: with Text_IO; package Main ...) and an execution platform, with an AADL-based architecture model feeding AADL tools, an AADL runtime (generated dispatcher: package Dispatcher is ... A.p1, B.p2, case 10ms: dispatch(a), dispatch(b)) and runtime data. Timing analysis and reliability analysis tables (T1..T4, R1..R4 with sample values) are fed back to refine properties. Continuous feedback for the software system engineer]
22
A Combined Perspective
[Diagram: Matlab/Simulink component analysis (tune parameters, validate simulation), application code (Ada fragments: with Text_IO; package Main ...) and AADL-based architecture models. Continuous interaction between control engineer and system engineer]
23
Application Components as Plug-ins
[Diagram: Application Software Components plugged into the AADL Runtime System, on a Real-Time Operating System, on an Embedded Hardware Target]
  • Strong Partitioning: Timing Protection, OS Call Restrictions, Memory
    Protection
  • Interoperability/Portability: Tailored Runtime Executive, Standard
    RTOS API, Application Components

24
Predictable System Integration
  • Required, predicted, and actual runtime properties
  • Application components designed against functional and
    non-functional properties
  • Application code separated from task dispatch and communication
    code
  • Consistency between task communication model and implementation
    through generation
  • Feedback into model parameters: refinement of estimated performance
    values

25
Potential Users
New System Engineering Approach based on AADL
  • Airbus
  • ESA
  • Rockwell Collins
  • Lockheed Martin
  • Smith Industries
  • Raytheon
  • Boeing FCS
  • Automotive OEPs
  • Common Missile
  • RT Plug and Play

Modeling of Satellite Systems (proposed ASSERT with AADL)
Modeling of Helicopter Avionics Software System
New System Engineering tools using AADL
Leading candidate for system of systems modeling and analysis
Adopted for system integration analysis to support standard
26
AADL Components - Graphical
[Diagram: graphical symbols for Application Software (process, thread), Execution Platform (processor, memory, bus) and System Composition]
27
Modeling Vocabulary
  • Application System
  • Thread
  • Thread Group
  • Process
  • System
  • Package
  • Subprogram
  • Data (shared/message)
  • Data Port
  • Event
  • Event Port
  • Event Data Port
  • Connection
  • Mode
  • Execution Platform
  • Processor
  • Memory
  • Device
  • Bus
  • System
  • Extension
  • Inheritance
  • Properties
  • Sublanguages (safety, flow, user defined, component behavior, ...)
  • Domain Specific Annexes

28
Graphical & Textual Notation
Textual notation for a system with data ports (the data type of each port follows the port direction):

    system Data_Acquisition
      provides
        speed_data: in data metric_speed;
        GPS_data: in data position_carthesian;
        user_input_data: in data user_input;
        s_control_data: out data state_control;
    end Data_Acquisition;

[Diagram: graphical form of the same system, with its data ports labeled]
29
AADL Component Interaction
  • Unidirectional data/event flow
  • Synchronous call/return
  • Managed shared data access

[Diagram: Flight Mgr, MFD Pilot, MFD Copilot and Warnings/Annunciations components exchanging data]
30
Application System & Execution Platform
Application system binding to execution platform
[Diagram: application components (Flight Mgr, MFD Pilot, MFD Copilot, Warnings/Annunciations, data) bound to an execution platform of two Display Processors and a Mission Processor connected by a high speed network and a 1553 bus]
31
Thread Properties
  • Dispatch_Protocol => Periodic
  • Period => 100 ms
  • Compute_Deadline => Period
  • Compute_Execution_Time => 20 ms
  • Initialize_Deadline => 10 ms
  • Initialize_Execution_Time => 1 ms
  • Compute_Entrypoint => Calculate_Trajectory
  • Source_Text => waypoint.java
  • Source_Code_Size => 1.2 KB
  • Source_Data_Size => .5 KB

Dispatch and execution properties (Dispatch_Protocol through Initialize_Execution_Time); code function to be executed on dispatch (Compute_Entrypoint); file containing the application code (Source_Text).
32
Thread Hybrid Automata
33
Task Interaction Architecture
Thread Dispatch Protocols: Periodic, Aperiodic, Sporadic, Background, Client-Server
Typed and constrained data streams
Immediate and delayed communication
[Diagram: System System1 containing System Subsystem1 with Process Prc1 and Process Prc2; threads T1, T2, T3 and server thread T2; event E1; shared data Data1/Pos; subprograms SP1, SP2, SP3, RSP1]
  • Directional: data, event, message ports; queued and unqueued
    transfer
  • Shared Access: persistent, shareable data; access coordination
  • Call/Return: local subprogram; client/server subprogram
34
Thread States
[State diagram. Thread phases: Uninitialized Thread, Initialized Thread, Terminated Thread. States: Inactive (not member of current mode), Active (member of current mode), Suspended, Compute, Fault, Recover, ActiveInInitMode, InactiveInInitMode, ActiveInNewMode, InactiveInNewMode. Transitions: Initialize, InitializeComplete, Activate, ActivateComplete, Dispatch, Complete, Deactivate, DeactivateComplete, Recovered, Repaired, Terminate, Finalize, FinalizeComplete. Legend: Thread State; Thread State with Source Code Execution]
Application Source Entrypoints: Application as Plug-in
35
Hierarchical Modes
Mode as Alternative Configuration
[Diagram: System System1 / System Subsystem1 with Initial Mode A: Prc1, Prc2 and Mode B: Prc1, Prc3; Process Prc1 with Initial Mode A: T1, T2, T3 and Mode B: T1, T2; Processes Prc2 and Prc3; threads T1, T2, T3 and server thread T2; event E1; shared data Data1/Pos; subprograms SP1, SP2, SP3, RSP1]
Application Source: Internal Mode Conditional code
36
Systems & Execution Platforms
Processors, buses, memory, and devices as Virtual Machines
[Diagram: System System1 / System Subsystem1 with Process Prc1 and Process Prc2 (each containing Thread T3); execution platform System LinuxNet / System LinuxBox with Processor PC1, Processor PC2, Memory and Bus]
Threads as logical unit of concurrency
37
AADL and Scheduling
  • AADL provides precise dispatch and communication semantics via
    hybrid automata
  • The AADL task communication abstraction does not prescribe
    scheduling protocols
  • Cyclic executive can be supported
  • Specific scheduling protocols may require additional properties
  • Predefined properties support rate-monotonic fixed priority
    preemptive scheduling

This scheduling protocol is analyzable, requires a small runtime footprint, and provides a flexible runtime architecture.
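As an added example (not from the tutorial), the rate-monotonic schedulability check an AADL tool would run over thread properties of the kind shown on the Thread Properties slide (Period, Compute_Execution_Time, Compute_Deadline), written in Python. The Thread dataclass, the helper names and the thread set are constructed for this example; only the Calculate_Trajectory values (100 ms period, 20 ms execution time, deadline equal to period) come from the slides.

```python
"""Rate-monotonic schedulability over AADL-style thread properties."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Thread:
    name: str
    period_ms: int        # Period => N ms
    execution_ms: int     # Compute_Execution_Time => N ms (worst case)
    deadline_ms: int      # Compute_Deadline => N ms (Period when omitted)


# Constructed thread set; only Calculate_Trajectory's values are from the slides.
THREADS = [
    Thread("Calculate_Trajectory", 100, 20, 100),
    Thread("Read_Sensors", 20, 5, 20),
    Thread("Update_Display", 50, 12, 50),
]


def rate_monotonic_order(threads):
    """Shorter period => higher fixed priority (rate-monotonic assignment)."""
    return sorted(threads, key=lambda t: t.period_ms)


def utilization(threads):
    """Total processor utilization sum(C_i / T_i)."""
    return sum(t.execution_ms / t.period_ms for t in threads)


def liu_layland_bound(n):
    """Sufficient utilization bound for n periodic threads with deadline = period."""
    return n * (2 ** (1 / n) - 1)


def response_time(thread, higher_priority):
    """Worst-case response time by fixed-point iteration over the interference
    of higher-priority threads (exact for preemptive fixed-priority scheduling
    of independent periodic threads). Stops early once the deadline is missed."""
    r = thread.execution_ms
    while True:
        interference = sum(ceil(r / h.period_ms) * h.execution_ms
                           for h in higher_priority)
        r_next = thread.execution_ms + interference
        if r_next == r:
            return r
        if r_next > thread.deadline_ms:
            return r_next
        r = r_next


def analyze(threads):
    """Map each thread name to (worst-case response time in ms, meets deadline)."""
    ordered = rate_monotonic_order(threads)
    result = {}
    for i, t in enumerate(ordered):
        r = response_time(t, ordered[:i])
        result[t.name] = (r, r <= t.deadline_ms)
    return result
```

The utilization test is only a sufficient condition; the response-time analysis is what decides a thread set that exceeds the Liu & Layland bound.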
38
Faults and Modes
  • AADL provides a fault handling framework with
    precisely defined actions
  • AADL supports runtime changes to task
    communication configurations
  • AADL defines timing semantics for task
    coordination on mode switching
  • AADL supports specification of mode transition
    actions
  • System initialization and termination are explicitly modeled

39
Behavior Modeling
  • Operational modes (in core AADL)
  • Runtime reconfiguration (in core AADL)
  • End-to-end flows (in core AADL)
  • Interaction behavior (extension)
  • Port interaction pattern of component
  • Interaction protocol of connection
  • Error models reliability analysis (extension)

State reachability, flow traceability, protocol verification, model checking
40
System Safety Engineering
  • Capture the results of hazard analysis and component failure modes
    & effects analysis
  • Specify and analyze fault trees, Markov models, partition
    isolation/event independence
  • Integration of system safety with architectural design: enables
    cross-checking between models; ensures safety models and design
    architecture are consistent; reduces specification and verification
    effort

Supported by Error Model Annex
41
AADL Version 2 Research Ideas
  • 1. Dynamic reconfigurable real-time fault-tolerant asynchronous
    architectures
  • 2. Additional tractable automated modeling and analysis methods for
    architectural specs (composition, pattern recognition to reduce
    state space)
  • 3. Rigorous links/relations between multiple engineering modeling
    approaches: Simulink/VHDL and AADL, SDL and AADL, compositional
    scheduling
  • 4. Architectural verification (is the architecture spec correct and
    do components comply with their specs; stronger plug and play)
  • 5. Mode transition modeling, state space reduction for mode
    analysis/scheduling
  • 6. Modeling of specific system building approaches/patterns (for
    example RT CORBA) that can be applied as abstractions at a higher
    level but used to generate an implementation.
  • 7. Modeling sublanguages and properties to support special areas of
    analysis for high integrity systems. Current: Error Modeling annex,
    safety and security annex, component behavior annex, etc.

42
AADL Status
  • Requirements document SAE ARD 5296: input from aerospace industry;
    balloted and approved in 2000
  • SAE AADL document SAE AS 5506: core language in ballot April 2004,
    July availability
  • UML profile, XML schema, Error Model Annex, Ada and C Annex in
    review, to be balloted in June 2004