open source aadl workbench for virtual system integration engineering institute ... track canneal...

© 2015 Carnegie Mellon University

Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213

Distribution Statement A: Approved for Public Release; Distribution is Unlimited

Open Source AADL Workbench for Virtual System IntegrationPeter FeilerOct 2015

2SEI Research Review 2015October 7–8, 2015© 2015 Carnegie Mellon UniversityDistribution Statement A: Approved for Public Release; Distribution is Unlimited

© 2015 Carnegie Mellon UniversityDistribution Statement A: Approved for Public Release; Distribution is Unlimited

OutlineMission and Safety-Critical System Challenges

Virtual System Integration with SAE AADL

Samples of AADL Workbench Capabilities


We Rely on Software for Safe Aircraft Operation

Embedded software systems introduce a new class of problems

not addressed by traditional system safety analysis


Safety-Critical System Challenges

Total System Cost Boeing 777 $12B F-35 $59B

Software as % of total system development cost1997: 45% → 2010: 66% → 2024: 88%

RequirementsArchitecture Design

Acceptance Test

Unit Test

Code Integration Test

Operation

Where Faults are Found

Where Faults are Introduced

Nominal Cost Per Fault for Fault Removal

80% of faults discovered post unit test

70% of faults introduce in requirements and architecture design80% of faults discovered post unit test


SAE Architecture Analysis & Design Language (AADL) Standard to the Rescue

The Physical System

Computer SystemHardware & OS

Aircraft, Car, Train

Command & Control

Deployed onUtilizes

Physical interfacePlatform component

AADL focuses on interaction between the three elements of a software-reliant mission and safety-critical systems.

Embedded Operational Avionics & Mission

Software

The Software System

SW Design & Runtime Architecture

The Computer System


Analysis of Virtually Integrated Software Systems

Security• Intrusion• Integrity• Confidentiality

Safety & Reliability• MTBF• FMEA• Hazard analysis

Real-timePerformance• Execution time/Deadline • Deadlock/ starvation• Latency

ResourceConsumption• Bandwidth• CPU time• Power consumption

• Data precision/accuracy• Temporal correctness• Confidence

Data Quality

Architecture Model

Single Annotated Architecture Model Addresses Impact Across Operational Quality Attributes

Auto-generated analytical models

Change of Encryption from 128 bit to 256 bit

Higher CPU demandIncreased latency

Affects temporalcorrectness

Potential new hazard


Assure the System

Early Discovery through Virtual System Integration

Reduced cost through Early Discovery 80% Post Unit Test Discovery


MAST Scheduling

Resolute

AgreeOcarina Code

GenerationDeOS, VxWorks

External Contributions

Role specific workflow

UsabilityCapabilities

Context sensitive help

Graphical Editor

Expanded Navigation Views

ResourceBudgetLatencySafety

RMA/EDF SchedulingResource AllocationFunctionalIntegration

AnalysisCapabilities

ARINC653 Support

AADL Workbench* @ www.aadl.info/wiki

AADLEMV2

BA

SemanticConsistency

TypeConsistency

ModelingCapabilities

Team Mgnt

Independent contributions

* aka Open Source AADL Tool Environment (OSATE)


Graphical Editing and Deployment View

Table-based property view and editing of selected component

Nested components

Partition binding


Type-sensitive Data Entry

Content Assist & QuickFix

Context-Sensitive Editing


Latency analysis throughout life cycle• Functional & system architecture: latency budgets• Task & communication architecture: processing, sampling, transfer• Platform architecture: partitions, protocols, computer hardware

Latency contributors• Systems: processing, sampling, queuing latency• Connections: protocol overhead, physical transfer, sampling• Partitions: sampling, window schedule

Trade studies• Best-case & worst-case, latency jitter• Mid-frame and frame-delayed communication• Synchronous and asynchronous systems• Partition end and major frame output policy• Empty & full queue

Top-down & bottom-up• Latency budgets & rate, size, time based actuals

End to End Latency Analysis

Utilizes end-to-end flows Incremental refinement

Interprets deployment bindingsOperational mode specific analysis


Latency Analysis Views and Results


Multicore Schedulers• Rate-Monotonic with Memory Partitioning• Global Earliest-Deadline-First (GEDF) Scheduler for Parallelized Tasks• Memory Profiler for Multicore Processors• GEDF for Parallelized Task with Memory Partitioning

Mixed-Criticality Scheduling (Zero-Slack Rate Monotonic)• Asymmetric protection: protect high-criticality tasks from lower-criticality

but allow higher-criticality to steal CPU cycles from lower-criticality

Advanced Scheduling Capabilities


Rate Monotonic with Memory Partitioning

L1/L2

Core 1

L1/L2

Core 2

L1/L2

Core 3L1/L2

Core N…

Last-Level Cache (L3)

Memory Bus (and Mem Controller)

DRAMBank 0

DRAMBank 1

DRAMBank 2

DRAMBank 3

DRAMBank B…

Main Mem

DRAMBank 0

DRAMBank 1

DRAMBank N

… 0

200

400

600

800

1000

1200

Nor

m. e

xecu

tion

time

(%)

black-scholes

body-track

canneal ferret fluid-animate

freq-mine

ray-trace

stream-cluster

swap-tions

vips x264

12x increase observed

020406080

100120140160180

Nor

m. R

espo

nse

Tim

e (%

)

Average over-estimates are 8% (13% for a shared bank)Observed

Predicted

black-scholes

body-track

canneal ferret fluid-animate

freq-mine

ray-trace

stream-cluster

swap-tions

vips x264


Support of SAE ARP4761 System Safety Assessment Practice

& Error Model V2FunctionalHazard

Assessment(FHA)

Fault Tree Analysis

(FTA)

ProbabilisticReliability &Availability Analysis

Failure Mode &Effects Analysis

(FMEA)Common CauseAnalysis (CCA)


Architectural Security Verification

DARPA High-Assurance Cyber Military Systems (HACMS)

AADL Model of QuadCopter Software System

Secure Mathematically-Assured Composition of Control Models (SMACCM) Project


SAE AADL Standard & AADL Workbench: Research Transition Platform

2004 2016

Army and other Government Shadow Projects

CommonAvionics

ArchitectureSystem

ApacheBlock IIIATAM CH47F

Health Monitor

JPLMission Data

System

DARPAMetaHACME

AADLError Model

US & European Research Initiatives

EuropeanCommissionSLIM/FIACRE

DARPAMETA

DARPAHACMSSecurity

Other Standards and Regulatory Guidance

OMG MARTE

EmbeddedSystems

ARINC653Partitions

Regulatory GuidanceNRC, FDA, UL

Avionics Network Standards

System Safety Practice Standards

System Architecture Virtual Integration (SAVI) Software & Systems Engineering

AADLSoftware & System

Co-engineeringRequirements

AssuranceMulti-team

Safety

JMR TD: ACVIP Shadow Projects

Future Vertical Lift

Virtual System Integration System Assurance

Architecture-centric Acquisition

Towards an Architecture-Centric Virtual Integration Practice (ACVIP)


Peter Feiler/Lutz WrageSoftware Solutions DivisionEmail: phf/[email protected]

U.S. MailSoftware Engineering InstituteCustomer Relations4500 Fifth AvenuePittsburgh, PA 15213-2612USA

Webwww.aadl.infowww.aadl.info/wiki

Customer RelationsEmail: [email protected] Phone: +1 412-268-5800SEI Fax: +1 412-268-6257

Contact Information

http://www.aadl.info/

http://www.aadl.info/wiki


Copyright 2015 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].

Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0002757

open source aadl workbench for virtual system integration engineering institute ... track canneal...

Documents