AADL and MDAEarly Experience Applied to Aircraft-Weapon Integration

Yves LaCerte Yves.LaCerte@gd-ais.com

3 February 2005

2

Agenda

� Introduction� Weapon Management System - WMS� Embedded Systems� Plug and Play Concept� Architecture Analysis and Description

Language - AADL� Model Driven Architecture - MDA

3

Introduction

� The aircraft-weapon integration challenge is part of a larger integration problem, i.e.� Independent system-specific models often

create unsolvable interoperability problems

� Tower of Babel� Build a tower to the sky � Workers speak different languages� Cooperation collapsed

4

Introduction

� Semiotics, a field of linguistics� A science which studies the role of signs as part

of social life * � Syntax: structure of signs� Semantics: meaning of signs as captured by

syntax� Pragmatics: adaptable interpretation of signs

based on context

* Saussure, Ferdinand de, “Course in General Linguistics” (trans. Roy Harris), London: Duckworth, 1983

5

Agenda

� Introduction� Weapon Management System - WMS� Embedded Systems� Plug and Play Concept� Architecture Analysis and Description

Language - AADL� Model Driven Architecture - MDA

http://www.fas.org/man/dod-101/sys/ac/f-18.htm

6

Definition

NAVIGATION SYSTEM BI TSONO

SAFE

KILL

SAFE

INV

PORT

WICEO/IR

MSN

SYSCYZ

TAC

MCNAV RA D TMPS A/CTAP

LATIT UDE:

LONGITUDE:

ALTIT UDE:

AIR SP EED:

HEA DI NG:

X VELOCITY:

Y VELOCITY:

Z VELOCITY:

AZIMUT H:

PITCH:

ROLL:

WAN DE R A NGLE:

MESSAGE COU NT:

MESSAGE ERRO RS:

N42:°32’31.008”

W104°21’19.266”

18000 FT

295 KTS

45.0°T

0.111

0.222

0.333

10.0°

3.222°

1.000°

-45°

2300

1

LATIT UDE:

LONGITUDE:

ALTIT UDE:

AIR SP EED:

HEA DI NG:

X VELOCITY:

Y VELOCITY:

Z VELOCITY:

AZIMUT H:

PITCH:

ROLL:

WAN DE R A NGLE:

MESSAGE COU NT:

MESSAGE ERRO RS:

N42:°32’31.008”

W104°21’19.266”

18000 FT

295 KTS

45.0°T

0.111

0.222

0.333

10.0°

3.222°

1.000°

- 45°

3500

0

RIN U

1

BUS

A

BUS

B

RIN U

2

BUS

A

BUS

B

PortStarboard

XMIT

AIMS

SS- 3

POD

AVAIL

SLMRPRELNCH

STA 11 STA 13 CO OP STA 14 STA 16

INV

POD CONTROLSLAM ER POST LAUNCH

SONOSAFE

KILLSAFE

SYNCOFF

XMITHI

STRTTTV

ACPTTGT

PREVTGT

TRCKMODE

RJCTTGT

TOOASUW

FULLSCRN

09/1258:59

12/1259:59

12/1259:59

12 /1259 :59

12 /1259 :59

09/1258:59

12/1259:59

12/1259:59

12 /1259 :59

12 /1259 :59

09/1258:59

12/1259:59

12/1259:59

12 /1259 :59

12 /1259 :59

ARM HAZARD

KILL READY

SONO DISABLE

MASTER ARM BOMB BAY SRCH PWR

ON

OFF

OFF

ARM HAZARD RESET

ON OPEN

CLOSED

JET

TIS

ON

JET

TIS

ON

JET

TISO

N

JET

TI

SO

N

WING ONLY

ARM HAZARD

KILL READY

SONO DISABLE

MASTER ARM BOMB BAY SRCH PWR

ON

OFF

OFF

ARM HAZARD RESET

ON OPEN

CLOSED

JET

TIS

ON

JET

TIS

ON

JET

TISO

N

JET

TI

SO

N

WING ONLYWING ONLYWING ONLY

MissionSystem

Video

Radar

1553

RS-232

Video

Eth

A ircra ftD is cre tes

R IN U

1553

Racks 1760 ASI Legacy ASI

Weapons Bay

5 3 176 4 28

5 3 176 4 28

Weapons Bay

5 3 176 4 28

5 3 176 4 28 18

RA17

L RA16

L RA15

RA14

L RA18

RA18

RA17

L RA17

L RA16

L RA15

RA15

RA14

L RA14

L RA

Port Wing Stations18

RA18

RA17

L RA17

L RA16

L RA15

RA15

RA14

L RA14

L RA18

RA18

RA17

L RA17

L RA16

L RA15

RA15

RA14

L RA14

L RA

Port Wing Stations9

R A10

LR A11

LR A12

R A13

LR A9

R A10

LR A11

LR A12

R A13

LR A

Starboard Wing Stations9

R A10

LR A11

LR A12

R A13

LR A9

R A10

LR A11

LR A12

R A13

LR A

Starboard Wing Stations9

R A10

LR A11

LR A12

R A13

LR A9

R A10

LR A11

LR A12

R A13

LR A

Starboard Wing Stations

…

…

…

1553

RS-232

Video

Eth

Primary electrical, functional and logical interface between theMission Management Computer(s), weapons, launchers and

other equipment used to release and deliver stores

7

Motivation

� Today, $100M (typically)*

� 40% to 60% is software updates (typically)*

Platformsoftware

Aerodynamics

MissionPlanning

System Eng.Int. & Test

Misc.

* Source: AFRL/MN, 1999

8

Test and Integration Challenges

� Platform Perspective� Provide relevant

functions and data

� Observe resource, performance and timing constraints

� Do not change platform software

� Weapon Perspective *� Identify/define relevant

functions and data

� Identify/define resource, performance and timing constraints

* Weapon software does change over time, which may impact the platform

9

Cost / Schedule Perspective (Notional)

Do not change platform software

Traditional New

Weapon 1

Weapon 2

Weapon 3

New WMS

$

WMS Development Costs

TraditionalNew

Weapon 1

Weapon 2

Weapon 3

Number of Months to Integrate a New Weapon

No need to take down the whole

squadron

10

Agenda

� Introduction� Weapon Management System - WMS� Embedded Systems� Plug and Play Concept� Architecture Analysis and Description

Language - AADL� Model Driven Architecture - MDA

11

State of the Art

� Increasing complexity / decreasing productivity � six (or fewer!) lines per day *

� The inefficiency of the embedded software development process will prevent novel technologies from entering the marketplace in time

* Typical of embedded software industry

12

Characteristics

� Resource constrained� CPU, memory, size, weight and power

� Hard Real Time � Functional and non-functional aspects

� Safety Critical� Dependable / Certifiable

� Long Lifetime � Several upgrades / increasing complexity

13

Embedded Systems: Solutions / Trends

� Components � Less dedication to specific functions� Design - Improved abstraction� Synthesis - Auto code generation

� Models - Assess before final implementation� Specification languages

� Unambiguous representation of behavior and constraints - Rigorous semantics

� Widely accepted

14

Embedded Systems: Solutions / Trends

� Dynamic Reflective Systems� Change internal behavior depending upon

attached devices� Capable of integrating devices which provide

new functions� Capable of providing unforeseen functionality� Foundation of aspect-oriented programming

15

Embedded Systems: Solutions / Trends

� Semantic Interface Specification� Syntax can be performed by any type of

Interface Definition Language (IDL, XML) � Assess semantic properties of an interface by

an executable interface model� Assess interoperability by analyzing provided

and required interfaces, and contracts� Adapt interface to improve interoperability

AADL Semantic Interface Specification

16

Embedded Systems: Solutions / Trends

� Applied to Aircraft-Weapon Integration� Integrate new capabilities within a given design

space (domain)� Prevent waiting for an aircraft upgrade cycle to

integrate new weapons� But

� Likely difficult to implement a dynamic system that meets performance constraints

� Aircraft-Weapon interface standards is a recent development, change is slow

17

Agenda

� Introduction� Weapon Management System - WMS� Embedded Systems� Plug and Play Concept� Architecture Analysis and Description

Language - AADL� Model Driven Architecture - MDA

18

The Plug and Play Concept

� Demonstrate interoperability at design time� In terms of Functionality and Data

� Open system approach via standards

� In terms of Non-Functional Quality Attributes� Safety, real-time, reliability, fault tolerance, security….

� A system that can exchange information and services with multiple systems is more interoperable than one that can't� Assess the quality of interoperability� Formulate strategies to improve interoperability

Semantic Interface Specifications

19

Domain Model – Weapon Interface View

WMS

Select Missile

Configure

Select State

Get Status

Platform

The WMS accepts generic missile commands.These are subsequently passed on to the missile.

Missile

Apply power

Initialize

Set mission parameters

Set missile modes etc

Release

Jettison

IBIT

Get current configuration

20

Domain Model – Mission Interface View

WMSPlatform

Set Environment

Set Platform Characteristics

Set Target Acquisition

Set Mission Plan

The WMS offers mission services that are non-missile specific. Configuration data is subsequently passed on to the missile.

Missile

Configure

Configure

Configure

Configure

21

Domain Model - Life-Cycle View

Missile Selected

Standby

Setup

Identification

Initialization

Identification

Initialization

Status

IBIT On

IBIT Off

IBIT On

IBIT Off

Ready

Mission Configure

Ready for Release

Mission Configure

Ready for Release

Non Operational Mission Committed

Prepare to Release

Release Prepare to Release

Release

Failed

Missile Selected

Standby

Setup

Identification

Initialization

Identification

Initialization

Status

IBIT On

IBIT Off

IBIT On

IBIT Off

Ready

Mission Configure

Ready for Release

Mission Configure

Ready for Release

Non Operational Mission Committed

Prepare to Release

Release Prepare to Release

Release

Failed

Disabled JettisonDisabled Jettison

Executing Mission

Hung Flight

Detonation

Hung Flight

Detonation

Start Mission

System Off

22

Domain Model - Data View

Launch

Acceptability

Region

Weapon

23

State Machines

� Preferred for the specification of controllers

� Useful for� Verification against

requirements� Test-case generation� Automatic code

generationAPI and events used to cause state changes

Operational State

Progress to Jettison

IBIT Control

Progress To Release

Operational State

Jettison>Prepare for Jettison>

Running IBITNot Running IBIT>

Prepare For Release Release

Initialization>Off>

Non-Operational

Apply_Operational_Power

Remove_Operational_Power

Error

Remove_Operational_Power

24

Ports – Connectors – Contracts

Weapon requires power…. Power provided by WMS

Power

Connector

Contract

Pre and Post conditions

Parameter types

Synchronization constraints

QoS features

Required Interface

Weapon

«interface»Power

115 volts()

AC

3 phase

<<interface>> Power

WMS

Component

Port

Provided Interface

115 volts()

AC

3 phase

25

Agenda

� Introduction� Weapon Management System - WMS� Embedded Systems� Plug and Play Concept� Architecture Analysis and Description

Language - AADL� Model Driven Architecture - MDA

MissileMissile

LauncherLauncher

Weapon

ManagementSystem

External

Comm

Mission

PlanningSystem

LaserImagingSystem

NavigationSystem

Fire ControlSystem

Operator I/F

Power

Controller

Launcher

Weapon

1553_A

Discre

te_A

Generic

Power_A

1553_B

Power_B

Discrete_B

MissileMissile

LauncherLauncher

Weapon

ManagementSystem

External

Comm

Mission

PlanningSystem

LaserImagingSystem

NavigationSystem

Fire ControlSystem

Operator I/F

Power

Controller

Launcher

Weapon

1553_A

Discre

te_A

Generic

Power_A

1553_B

Power_B

Discrete_B

26

Platform Challenge

� Component models and supporting frameworks often rely on the specifics of the underlying platform

� There is a need for techniques to handle functional and non-functional properties of components and systems

AADL addresses non-functional properties

27

AADL Summary

� Purpose� Analyze embedded systems

� Focus � Software system architecture model of an

execution platform � Software components bound to hardware

components

Standardization Efforts SAE AS5506 UML profiles

28

Embedded

Systems

UML Profiles

UML 2.0

SysML

Parametric Diagrams

Requirement Diagrams

Activity Diagrams

Assembly Diagrams

AADL

29

AADL Components Types

UML 1.x and UML 2.0 profile… work in progress…

30

AADL Components Types

processor

memory

device

bus

ThreadGroup

Process

Thread

Subprogram

System

DataIcons from

SAE AS5506 AADL Annex

Physical devices that interface with an external environment Composition of

software and execution platform

components

Communication channels that can exchange control and data between processors, memories, and devices

Abstraction of hardware and software that is responsible for

scheduling and executing threads

Randomly accessible physical storage such as RAM or ROM

Static data in source text

Units of concurrent execution

Structural grouping of threads within a process

Space partitions in terms of virtual address spaces

Source text that is executed sequentially

31

System Example

32

System Construction Examplesystem MILSystem

end MILSystem ;

subcomponents

-- buses

Power_A : bus MILPower;

…

-- components

WMS1 : system WMS.WMS;

FCS : system FireControlSystem.FCS;

…

connections

-- bus access

bus access Power_A -> Power1.IFPower_A;

bus access Power_A -> WMS1.IFPower_A;

…

-- ports

port group WMS1.Out1553_A -> Launcher1.In1553_A;

…

system implementation MILSystem.MissilePlatform

subcomponents

…

connections

…

end MILSystem.MissilePlatform ;

33

System Construction Example

system FireControlSystem

features

IFGeneric: requires bus access MILGeneric;

InMission: port group Rx_Port;

OutMission: port group Tx_Port;

end FireControlSystem;

system implementation FireControlSystem.FCS

end FireControlSystem.FCS ;

Black BoxPower

Connector

Contract

Pre and Post conditions

Parameter types

Synchronization constraints

QoS features

Power

Connector

Contract

Pre and Post conditions

Parameter types

Synchronization constraints

QoS features

Required Interface

Weapon

«interface»Power

115 volts()

AC

3 phase

Required Interface

Weapon

«interface»Power

115 volts()

AC

3 phase

<<interface>> Power

WMS

Component

Port

Provided Interface

115 volts()

AC

3 phase

<<interface>> Power

WMS

Component

Port

Provided Interface

115 volts()

AC

3 phase

WMS

Component

Port

Provided Interface

WMS

Component

Port

Provided Interface

115 volts()

AC

3 phase

34

System Construction Examplesystem WMS

features

-- Buses

IF1553_A: requires bus access MIL1553;

IFGeneric: requires bus access MILGeneric;

IFPower_A: requires bus access MILPower;

IFDiscrete_A: requires bus access MILDiscrete;

-- Ports

In1553_A: port group Rx_Port;

Out1553_A: port group Tx_Port;

InDiscrete_A: port group Rx_Port;

OutDiscrete_A: port group Tx_Port;

OutPower_A: port group Tx_Port;

InMission: port group Rx_Port;

OutMission: port group Tx_Port;

end WMS ;

port group Rx_Port

features

Rx: in data port;

inverse of Tx_Port

end Rx_Port;

port group Tx_Port

features

Tx: out data port;

end Tx_Port;

Black Box

35

WMS System Implementation Example

system implementation WMS.WMS

subcomponents

…

connections

…

modes

…

end WMS.WMS ;

subcomponents

--- processors

--- processes

--- bindings

connections

--- port groups

modes

MainMode: initial mode;

BackupMode: mode;

Factory

Pattern

White Box

36

Process

process PlugandPlayDispatcher

features

InGeneric: port group Rx_Port;

OutGeneric: port group Tx_Port;

InLauncher: port group Rx_Port;

OutLauncher: port group Tx_Port;

InWeapon: port group Rx_Port;

OutWeapon: port group Tx_Port;

end PlugandPlayDispatcher;

37

Process Implementation

process implementation PlugandPlayDispatcher.WMS

subcomponents

Bus_Listener: thread Listener.Bus_Listen;

PnP_Dispatcher: thread PnPDispatcher.WMS;

connections

port group InGeneric -> Bus_Listener.Bus_Listener;

port group Bus_Listener.Buffer_Update -> PnP_Dispatcher.InPnP;

port group PnP_Dispatcher.OutLauncher -> OutLauncher;

port group InLauncher -> PnP_Dispatcher.InLauncher;

port group PnP_Dispatcher.OutWeapon -> OutWeapon;

port group InWeapon -> PnP_Dispatcher.InWeapon;

end PlugandPlayDispatcher.WMS;

38

Time-Space Partitioning

Processor

…Partition 1 Partition 2 Partition n

Processor PPC

End PPC;

Processor implementation PPC.two

Subcomponents

partition1: processor RMA.impl;

partition2: processor RMA.impl;

End PPC.two;

System implementation ESys.impl

Subcomponents

platform: processor PPC.two;

app: system userApp;

Properties

Binding => platform applies to app;

End ESys.impl;

A

Process

B

Process

N

Process…

39

Thread

thread Dispatcher

features

Buffer_Listener: port group Rx_Port;

Bus_Dispatcher: port group Tx_Port;

Buffer_2: requires data access Buffer;

properties

Source_Text => "abc";

Source_Code_Size => 100 kb;

Source_Data_Size => 10 kb;

Source_Stack_Size => 10 kb;

Source_Heap_Size => 10 kb;

Dispatch_Protocol => periodic;

Period => 100 ms;

Deadline => 100 ms;

Compute_Execution_Time=> 5ms;

Producer – Consumer

40

Trade-offsProducer – Consumer

Event-Driven with Publish-Subscribe

41

Tools - OSATE

� Open source AADL tool environment � Software Engineering Institute� www.aadl.info

� Set of plug-ins on top of Eclipse� www.eclipse.org

42

OSATE Plug-ins

� Analysis� Schedulability� System scalability� Safety

� End-to-end flow analysis

� AADL support from UML vendors

43

Agenda

� Introduction� Weapon Management System - WMS� Embedded Systems� Plug and Play Concept� Architecture Analysis and Description

Language - AADL� Model Driven Architecture - MDA

44

Approach to MDA

TE = Transformation Engine

CG = Code Generator

VE = Validation Engine

Domain

Domain

Requirements

Platform

Independent

Model

ProductInstance

Platform

Requirements

Platform

Specific

Model

ExecutableProduct

Executable

System

CG

ValidatedProduct

Validated

System

V

E

Application

Application

Requirements

Platform

Independent

Model

Core Reusable

CorporateAssets

TE

45

Approach to MDA / AADL

Product

Instance

Platform

Requirements

AADL

Model

TE

Product

Instance

Platform

Requirements

AADL

Model

TE

Executable

Product

Executable

System

CG

Executable

Product

Executable

System

CG

Validated

Product

Validated

System

AADL

Validated

Product

Validated

System

AADL

Prove system propertiesProve system properties

Product

Instance

Platform

Requirements

UML

Model

Executable

Product

Executable

System

CG

Derive system properties

46

MDA Work Products

Application

Application

Requirements

Platform

Independent

Model

Context ViewRequirements ViewAnalysis ViewDesign View

… Queries …

ProductInstance

Platform

Requirements

Platform

Specific

Model

TE

Guidelines and Rules

Platform Model

Libraries

Patterns

AADL Model ready for analysis

UML Model ready for code generation

47

MDA / AADL Expectation

Traditional New

Weapon 1

Weapon 2

Weapon 3

New MWS

$

Development Costs for New Weapons

MDA

Traditional New

Weapon 1

Weapon 2

Weapon 3

New WMS

$

Development Costs for New Weapons

Without

MDA