TRANSCRIPT
© 2015 Carnegie Mellon University
Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213
Distribution Statement A: Approved for Public Release; Distribution is Unlimited
Open Source AADL Workbench for Virtual System Integration
Peter Feiler
Oct 2015
SEI Research Review 2015, October 7–8, 2015

Outline
Mission and Safety-Critical System Challenges
Virtual System Integration with SAE AADL
Samples of AADL Workbench Capabilities
We Rely on Software for Safe Aircraft Operation
Embedded software systems introduce a new class of problems
not addressed by traditional system safety analysis
Safety-Critical System Challenges
Total system cost: Boeing 777 $12B; F-35 $59B
Software as % of total system development cost: 1997: 45% → 2010: 66% → 2024: 88%
[Chart: life-cycle phases (Requirements, Architecture Design, Code, Unit Test, Integration Test, Acceptance Test, Operation) plotted against where faults are introduced, where faults are found, and the nominal cost per fault for fault removal]
70% of faults introduced in requirements and architecture design; 80% of faults discovered post unit test
SAE Architecture Analysis & Design Language (AADL) Standard to the Rescue
AADL focuses on the interaction between the three elements of a software-reliant mission and safety-critical system:
• The Physical System: aircraft, car, train; command & control
• The Software System: embedded operational avionics & mission software; SW design & runtime architecture
• The Computer System: computer hardware & OS
(Diagram relationships between the three: deployed on, utilizes, physical interface, platform component)
Analysis of Virtually Integrated Software Systems
A single annotated architecture model addresses impact across operational quality attributes, through auto-generated analytical models:
• Security: intrusion, integrity, confidentiality
• Safety & reliability: MTBF, FMEA, hazard analysis
• Real-time performance: execution time/deadline, deadlock/starvation, latency
• Resource consumption: bandwidth, CPU time, power consumption
• Data quality: data precision/accuracy, temporal correctness, confidence
Example of one change rippling across attributes: change of encryption from 128 bit to 256 bit → higher CPU demand → increased latency → affects temporal correctness → potential new hazard
Assure the System
Early discovery through virtual system integration
[Chart: reduced cost through early discovery, compared with the baseline of 80% of faults discovered post unit test]
AADL Workbench* @ www.aadl.info/wiki
* aka Open Source AADL Tool Environment (OSATE)
Modeling capabilities: AADL, EMV2, BA; semantic consistency; type consistency; ARINC653 support; team management; independent contributions
Analysis capabilities: resource budget; latency; safety; RMA/EDF scheduling; resource allocation; functional integration
Usability capabilities: role-specific workflow; context-sensitive help; graphical editor; expanded navigation views
External contributions: MAST scheduling; Resolute; AGREE; Ocarina code generation (DeOS, VxWorks)
Graphical Editing and Deployment View
Table-based property view and editing of selected component
Nested components
Partition binding
Context-Sensitive Editing
• Type-sensitive data entry
• Content assist & QuickFix
End-to-End Latency Analysis
Latency analysis throughout the life cycle
• Functional & system architecture: latency budgets
• Task & communication architecture: processing, sampling, transfer
• Platform architecture: partitions, protocols, computer hardware
Latency contributors
• Systems: processing, sampling, queuing latency
• Connections: protocol overhead, physical transfer, sampling
• Partitions: sampling, window schedule
Trade studies
• Best-case & worst-case, latency jitter
• Mid-frame and frame-delayed communication
• Synchronous and asynchronous systems
• Partition end and major frame output policy
• Empty & full queue
Top-down & bottom-up
• Latency budgets & rate-, size-, time-based actuals
Utilizes end-to-end flows; incremental refinement
Interprets deployment bindings; operational-mode-specific analysis
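The following is an added example, not code from the slides or from OSATE. It serves two slides at once: the "one model, many analyses" point (changing encryption from 128 to 256 bit raises CPU demand, lengthens latency and can threaten temporal correctness) and the latency-contributor roll-up described here. Everything in it is constructed: the flow sense → encrypt → control → actuate, the ARINC 653 partition windows, the budgets, and the assumption that the crypto thread's execution time scales with AES round count (10 vs 14). The latency calculation is a simplified sum of the slide's contributors (sampling, processing, output policy), not OSATE's algorithm.

```python
"""One annotated model, several analyses, one property change (added example).

Assumptions (not from the slides): periodic threads on one processor in
ARINC 653 partitions, deadline = period, AES cost proportional to round count,
and a contributor-sum latency roll-up rather than OSATE's exact algorithm.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAJOR_FRAME_MS = 40.0
AES_ROUNDS = {128: 10, 256: 14}   # assumed CPU cost model for the crypto thread


@dataclass(frozen=True)
class Partition:
    name: str
    window_ms: float               # time slice inside the major frame


@dataclass(frozen=True)
class Thread:
    name: str
    period_ms: float
    exec_ms: Tuple[float, float]   # (best-case, worst-case) execution time
    partition: Partition


PARTITIONS: Dict[str, Partition] = {
    p.name: p for p in (Partition("io", 8), Partition("crypto", 8), Partition("ctrl", 16))
}


def baseline_flow(key_bits: int = 128) -> List[Thread]:
    """Constructed flow; only the encrypt thread's execution time depends on key size."""
    def crypto_cost(ms: float) -> float:
        return ms * AES_ROUNDS[key_bits] / AES_ROUNDS[128]
    return [
        Thread("sense", 40, (1, 2), PARTITIONS["io"]),
        Thread("encrypt", 40, (crypto_cost(5), crypto_cost(7)), PARTITIONS["crypto"]),
        Thread("control", 40, (3, 5), PARTITIONS["ctrl"]),
        Thread("actuate", 40, (1, 1), PARTITIONS["io"]),
    ]


def utilization(flow: List[Thread]) -> float:
    """Worst-case processor demand; all threads are bound to the same processor."""
    return sum(t.exec_ms[1] / t.period_ms for t in flow)


def end_to_end_latency(flow: List[Thread], output_policy: str = "immediate"):
    """Sum latency contributors along the flow and return (best, worst, rows).

    sampling:   a periodic receiver may have just dispatched, so data waits up to
                one period (worst case) or not at all (best case)
    processing: execution time, minimum for the best case
    output policy (worst case): 'immediate' releases on completion,
                'partition_end' holds output to the window end,
                'frame_end' holds it to the major frame end
    """
    best = worst = 0.0
    rows = []
    for t in flow:
        if output_policy == "immediate":
            release = t.exec_ms[1]
        elif output_policy == "partition_end":
            release = t.partition.window_ms
        elif output_policy == "frame_end":
            release = MAJOR_FRAME_MS
        else:
            raise ValueError(f"unknown output policy {output_policy!r}")
        rows.append((t.name, t.period_ms, t.exec_ms[0], release))
        best += t.exec_ms[0]
        worst += t.period_ms + release
    return best, worst, rows


def check(flow: List[Thread], latency_budget_ms: float, output_policy: str = "immediate") -> List[str]:
    """Cross-attribute checks on the same model; returns human-readable findings."""
    findings = []
    u = utilization(flow)
    if u > 1.0:
        findings.append(f"processor overloaded: utilization {u:.2f} > 1.00")
    if sum(p.window_ms for p in PARTITIONS.values()) > MAJOR_FRAME_MS:
        findings.append("partition windows do not fit in the major frame")
    for p in PARTITIONS.values():   # per-frame demand of each partition vs its window
        demand = sum(t.exec_ms[1] * MAJOR_FRAME_MS / t.period_ms for t in flow if t.partition is p)
        if demand > p.window_ms:
            findings.append(f"partition {p.name}: demand {demand:.1f} ms exceeds window {p.window_ms:.1f} ms")
    _, worst, _ = end_to_end_latency(flow, output_policy)
    if worst > latency_budget_ms:
        findings.append(f"worst-case end-to-end latency {worst:.1f} ms exceeds budget "
                        f"{latency_budget_ms:.1f} ms: control-loop temporal correctness at risk (candidate hazard)")
    return findings


if __name__ == "__main__":
    for bits in (128, 256):
        flow = baseline_flow(bits)
        best, worst, _ = end_to_end_latency(flow)
        print(f"AES-{bits}: utilization {utilization(flow):.2f}, latency best {best:.1f} / worst {worst:.1f} ms")
        for finding in check(flow, latency_budget_ms=176):
            print("  !", finding)
```

With the constructed numbers the 128-bit model passes every check; switching to 256 bit does not overload the processor, but the encrypt thread no longer fits its partition window and the worst-case latency crosses the (deliberately tight) 176 ms budget, which is the chain of effects the slide describes. Switching the output policy to `frame_end` shows how a frame-delayed communication policy dominates the latency figure.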
Latency Analysis Views and Results
Advanced Scheduling Capabilities
Multicore schedulers
• Rate-Monotonic with Memory Partitioning
• Global Earliest-Deadline-First (GEDF) Scheduler for Parallelized Tasks
• Memory Profiler for Multicore Processors
• GEDF for Parallelized Tasks with Memory Partitioning
Mixed-Criticality Scheduling (Zero-Slack Rate Monotonic)
• Asymmetric protection: protect high-criticality tasks from lower-criticality tasks, but allow higher-criticality tasks to steal CPU cycles from lower-criticality tasks
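An added example, not from the slides and not the workbench's or ZSRM's implementation: fixed-priority response-time analysis over a constructed three-task set, followed by a check of the asymmetric-protection property described above. Plain rate-monotonic analysis with every task at its overload budget shows the high-criticality task missing its deadline, because a short-period low-criticality task outranks it. The asymmetric check then verifies each task with its overload budget while lower-criticality tasks are sacrificed (their cycles stolen) and higher-criticality tasks stay within nominal budget. This is only the guarantee condition; the zero-slack instants that ZSRM computes to enforce it at run time are not modeled.

```python
"""Response-time analysis and a mixed-criticality asymmetric-protection check (added example).

Task set, budgets and criticality levels are constructed; deadline = period is assumed.
"""
from dataclasses import dataclass
from math import ceil
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Task:
    name: str
    period: int        # ms; rate-monotonic priority: shorter period = higher priority
    c_nominal: int     # execution budget in normal operation
    c_overload: int    # budget the task may need under overload
    criticality: int   # larger = more critical


TASKS = [
    Task("nav_sensor", period=10, c_nominal=2, c_overload=2, criticality=1),
    Task("flight_ctrl", period=20, c_nominal=6, c_overload=17, criticality=2),
    Task("telemetry", period=50, c_nominal=8, c_overload=8, criticality=1),
]


def response_time(task: Task, higher_prio: List[Task], budget: Callable[[Task], int]) -> int:
    """Joseph & Pandya recurrence R = C + sum_j ceil(R / T_j) * C_j, iterated to a fixed point.
    Stops as soon as R exceeds the deadline, since the task is unschedulable anyway."""
    c = budget(task)
    r = c
    while True:
        r_next = c + sum(ceil(r / j.period) * budget(j) for j in higher_prio)
        if r_next == r or r_next > task.period:
            return r_next
        r = r_next


def rm_higher_priority(task: Task, tasks: List[Task]) -> List[Task]:
    return [j for j in tasks if j is not task and j.period < task.period]


def rma_check(tasks: List[Task], mode: str = "nominal") -> Dict[str, int]:
    """Classic RMA: every task runs at its nominal (or, for mode='overload', its overload) budget."""
    budget = (lambda t: t.c_nominal) if mode == "nominal" else (lambda t: t.c_overload)
    return {t.name: response_time(t, rm_higher_priority(t, tasks), budget) for t in tasks}


def asymmetric_protection_check(tasks: List[Task]) -> Dict[str, int]:
    """Per task i: drop lower-criticality tasks (their cycles are stolen), give equal-criticality
    tasks their overload budget, and assume higher-criticality tasks stay within nominal budget."""
    results = {}
    for t in tasks:
        level = t.criticality
        survivors = [j for j in tasks if j.criticality >= level]
        budget = lambda j, level=level: j.c_overload if j.criticality == level else j.c_nominal
        results[t.name] = response_time(t, rm_higher_priority(t, survivors), budget)
    return results


def deadline_misses(tasks: List[Task], response_times: Dict[str, int]) -> List[str]:
    return [t.name for t in tasks if response_times[t.name] > t.period]


if __name__ == "__main__":
    for label, rt in (("RMA nominal", rma_check(TASKS)),
                      ("RMA all overload", rma_check(TASKS, "overload")),
                      ("asymmetric protection", asymmetric_protection_check(TASKS))):
        print(f"{label:22s} {rt}  misses: {deadline_misses(TASKS, rt) or 'none'}")
```

Nominal RMA passes; with all budgets at overload, `flight_ctrl` (the only high-criticality task) is pushed to 21 ms against a 20 ms deadline by `nav_sensor`'s higher rate-monotonic priority. Under the asymmetric check the same task gets its full 17 ms overload budget with the low-criticality tasks dropped, and each low-criticality task is still guaranteed as long as `flight_ctrl` stays nominal, which is the protection the slide calls asymmetric.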
Rate Monotonic with Memory Partitioning
[Figure: multicore memory hierarchy: Core 1 … Core N, each with private L1/L2 cache; shared last-level cache (L3); memory bus and memory controller; main memory organized as DRAM banks 0 … B]
[Chart: normalized execution time (%) under shared-memory interference for the benchmarks black-scholes, body-track, canneal, ferret, fluid-animate, freq-mine, ray-trace, stream-cluster, swap-tions, vips, x264; up to a 12x increase observed]
[Chart: normalized response time (%), observed vs. predicted, for the same benchmarks; average over-estimates are 8% (13% for a shared bank)]
Support of SAE ARP4761 System Safety Assessment Practice & Error Model V2
• Functional Hazard Assessment (FHA)
• Fault Tree Analysis (FTA)
• Failure Mode & Effects Analysis (FMEA)
• Common Cause Analysis (CCA)
• Probabilistic Reliability & Availability Analysis
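An added example, not from the slides and not the EMV2 tooling in OSATE: a small error model for a vehicle, evaluated three ways that map onto the practices listed above. The fault tree gives the top-event probability (FTA and probabilistic reliability); injecting each failure mode on its own lists the single points of failure (the end-effect column of an FMEA); and comparing an exact evaluation with the usual gate-by-gate formula exposes a common-cause dependency, because the shared power bus feeds both inputs of the redundancy AND gate. Basic events, failure rates and the tree are all constructed for the example.

```python
"""Fault tree evaluation, common-cause check and single-point-of-failure listing (added example).

Basic events and failure rates are hypothetical.  The exact evaluation enumerates every
assignment of basic events, so a basic event that feeds several gates (common cause) is
handled correctly; the naive formula assumes independent gate inputs and gets that branch wrong.
"""
from itertools import product
from math import exp
from typing import Dict, List, Union

Node = Union[str, tuple]   # a basic-event name, or ("AND"/"OR", [children])

# Constructed failure rates per operating hour (hypothetical values).
RATES: Dict[str, float] = {
    "gps_fail": 1e-4,
    "imu_fail": 2e-5,
    "nav_sw_crash": 5e-5,
    "power_bus_fail": 1e-6,
    "actuator_jam": 1e-5,
}

# Top event: loss of vehicle control.  Navigation is redundant (GPS or IMU suffices),
# but both sources share the power bus, so power_bus_fail appears under both OR gates.
NAV_LOSS: Node = ("AND", [("OR", ["gps_fail", "power_bus_fail"]),
                          ("OR", ["imu_fail", "power_bus_fail"])])
TOP: Node = ("OR", [NAV_LOSS, "nav_sw_crash", "actuator_jam"])


def fires(node: Node, state: Dict[str, bool]) -> bool:
    """Evaluate the gate tree for one assignment of basic events (True = failed)."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    values = [fires(child, state) for child in children]
    return all(values) if gate == "AND" else any(values)


def event_probability(rate: float, hours: float) -> float:
    """Constant failure rate: P(fail within t) = 1 - exp(-lambda * t)."""
    return 1.0 - exp(-rate * hours)


def exact_probability(tree: Node, rates: Dict[str, float], hours: float) -> float:
    """Sum the probability of every basic-event assignment under which the tree fires."""
    names = sorted(rates)
    p = {n: event_probability(rates[n], hours) for n in names}
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if fires(tree, state):
            weight = 1.0
            for n, failed in zip(names, bits):
                weight *= p[n] if failed else 1.0 - p[n]
            total += weight
    return total


def naive_probability(tree: Node, rates: Dict[str, float], hours: float) -> float:
    """Gate-by-gate formula assuming independent inputs; wrong when a basic event is shared."""
    if isinstance(tree, str):
        return event_probability(rates[tree], hours)
    gate, children = tree
    acc = 1.0
    for q in (naive_probability(c, rates, hours) for c in children):
        acc *= q if gate == "AND" else 1.0 - q
    return acc if gate == "AND" else 1.0 - acc


def single_points_of_failure(tree: Node, rates: Dict[str, float]) -> List[str]:
    """FMEA step: inject each failure mode alone and keep those whose end effect is the top event."""
    return [n for n in sorted(rates) if fires(tree, {m: m == n for m in rates})]


if __name__ == "__main__":
    hours = 10.0
    print("single points of failure:", single_points_of_failure(TOP, RATES))
    print(f"P(navigation loss) exact {exact_probability(NAV_LOSS, RATES, hours):.3e} "
          f"vs naive {naive_probability(NAV_LOSS, RATES, hours):.3e}")
    print(f"P(loss of control) exact {exact_probability(TOP, RATES, hours):.3e}")
```

Over a 10-hour mission the shared power bus turns the supposedly redundant navigation branch into roughly a 1e-5 event, about fifty times what the independent-inputs formula reports; the single-point-of-failure list names `power_bus_fail` alongside the two events that sit directly under the top OR gate, which is the finding a common cause analysis is meant to surface.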
Architectural Security Verification
DARPA High-Assurance Cyber Military Systems (HACMS)
AADL Model of QuadCopter Software System
Secure Mathematically-Assured Composition of Control Models (SMACCM) Project
SAE AADL Standard & AADL Workbench: Research Transition Platform
[Timeline figure, 2004 to 2016]
Army and other Government Shadow Projects: Common Avionics Architecture System; Apache Block III ATAM; CH-47F Health Monitor; JPL Mission Data System; DARPA META/HACMS; AADL Error Model
US & European Research Initiatives: European Commission SLIM/FIACRE; DARPA META; DARPA HACMS Security
Other Standards and Regulatory Guidance: OMG MARTE (embedded systems); ARINC653 (partitions); regulatory guidance (NRC, FDA, UL); avionics network standards; system safety practice standards
System Architecture Virtual Integration (SAVI): software & systems engineering
AADL: software & system co-engineering; requirements; assurance; multi-team; safety
JMR TD: ACVIP Shadow Projects; Future Vertical Lift
Virtual System Integration; System Assurance; Architecture-centric Acquisition
Towards an Architecture-Centric Virtual Integration Practice (ACVIP)
Contact Information
Peter Feiler / Lutz Wrage, Software Solutions Division
Email: phf/[email protected]
U.S. Mail: Software Engineering Institute, Customer Relations, 4500 Fifth Avenue, Pittsburgh, PA 15213-2612, USA
Web: www.aadl.info, www.aadl.info/wiki
Customer Relations: Email: [email protected]; Phone: +1 412-268-5800; SEI Fax: +1 412-268-6257
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution except as restricted below.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM-0002757