SAS_08_AADL_Exec_Gluch MAC-T IVV-08-149

Model-Based Software Assurance with the SAE Architecture Analysis & Design Language (AADL)

California Institute of Technology
Carnegie Mellon University, Pittsburgh, PA 15213

September 2008

Executive Presentation

Dave Gluch – SEI/ERAU
Peter Feiler – SEI
Kurt Woodham – L-3 Communications
Kenny Meyer & Katie Weiss – JPL
Ken Evensen – ERAU



Problem/Approach

Problem - Current software development and assurance practices often do not adequately address broad system-level concerns until integration.

• Detailed evaluation of correct software operation in the system context is often relegated to front-end book-keeping (timing sheets) and ad-hoc analyses followed by extensive testing at integration.

Approach - A sound systems engineering approach involves early evaluation of system architecture characteristics relevant to the operation of the software, such as

• Sensor/command data latency
• CPU throughput
• Synchronous/asynchronous task management
• Data-bus packet definitions and update rates

Extend the use of the SAE Architecture Analysis & Design Language (AADL) and the corresponding toolset as effective tools for rigorous model-based analysis of software architectures early in the development life cycle, and transition these into NASA project V&V and IV&V software assurance practices.

• Strengthens assurance capabilities
• Defines a process framework that is adaptable to life-cycle phases (abstraction levels)
• Integrates established analysis techniques and tools


Relevance to NASA

Early identification of significant system issues is key to reducing risk to development cost and schedule

Typical analytical tools are not adaptable and require a high degree of data specificity to provide meaningful insight

• Fidelity that is often unavailable until design-phase activities

• Multiple specialized and independent tools required

AADL inherently flexible – allows analysis at various levels of abstraction

• Early feasibility studies conducted with resource bounds or existing models of typical architecture components (buses, processors, etc.)

• Precision of analysis refined as design matures – reducing level of abstraction within targeted model elements and facilitating root cause analysis of identified anomalies

• Integration of multiple analysis approaches

Benefit demonstrated in FY06 ISS case study

• Required round-trip command response latency violation: uncovered in Stage Testing, but would have been easily identified by analysis of a relatively abstract model
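The kind of early, abstract latency check the ISS case study bullet refers to can be written directly as AADL flow specifications with latency budgets. The model below is an added, constructed example, not from the presentation or from any NASA model: the component names and all millisecond bounds are hypothetical budgets chosen to show how a violated end-to-end requirement surfaces before any detailed design exists.

```aadl
-- Constructed example: abstract command round trip with latency budgets.
-- Component names and all time bounds are hypothetical, not from any NASA model.
package Command_Round_Trip
public

  -- Ground segment issues a command and later receives the response.
  system Ground_Station
    features
      cmd_out: out data port;
      rsp_in:  in data port;
    flows
      f_src:  flow source cmd_out { Latency => 1 ms .. 2 ms; };
      f_sink: flow sink rsp_in   { Latency => 1 ms .. 2 ms; };
  end Ground_Station;

  -- Flight computer is a black box at this abstraction level; its bound is a
  -- resource budget, to be refined into threads and processor bindings later.
  system Flight_Computer
    features
      cmd_in:  in data port;
      rsp_out: out data port;
    flows
      f_path: flow path cmd_in -> rsp_out { Latency => 20 ms .. 40 ms; };
  end Flight_Computer;

  system Round_Trip
  end Round_Trip;

  system implementation Round_Trip.abstract
    subcomponents
      gs: system Ground_Station;
      fc: system Flight_Computer;
    connections
      -- Connection latencies stand in for a data bus that is not yet modelled.
      c_cmd: port gs.cmd_out -> fc.cmd_in  { Latency => 5 ms .. 10 ms; };
      c_rsp: port fc.rsp_out -> gs.rsp_in  { Latency => 5 ms .. 10 ms; };
    flows
      -- Required round-trip bound. Summing worst-case contributions along the
      -- flow gives 2 + 10 + 40 + 10 + 2 = 64 ms, which exceeds the 50 ms budget,
      -- so an end-to-end latency analysis reports this flow as violated.
      round_trip: end to end flow
        gs.f_src -> c_cmd -> fc.f_path -> c_rsp -> gs.f_sink
        { Latency => 0 ms .. 50 ms; };
  end Round_Trip.abstract;

end Command_Round_Trip;
```

Running the flow latency analysis in OSATE on Round_Trip.abstract compares the summed contributions with the end-to-end Latency bound and flags the violation. As the design matures, the black-box flow paths are replaced by thread-level flows bound to processors and buses, so the same check is re-run at higher fidelity without rewriting the requirement.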


Project Overview

Three-Phase extension of successful FY06 Facility Initiative: “Application of SAE Architecture Analysis & Design Language (AADL) to IV&V of NASA Flight Projects”

Phase 1

• Demonstrate AADL-driven Model-Based Engineering (MBE) in software assurance for NASA development— JPL Mission Data System (MDS) case study

• Generate a beta version of an AADL practice framework

Phase 2 (current activities)

• Refine AADL practice framework using case study results as applicable
• Elaborate/extend case study
  — Continued development of MDS case study; evaluating additional options
• Develop and initiate execution of JPL transfer plan

Phase 3

• Continue JPL case studies aligned with transition of mature framework
• Develop and initiate execution of IV&V transfer plan
• Execute IV&V pilot study aligned with IV&V transfer plan


Case Study: MDS Reference Model

Textual & Graphical Representations

Excerpt from the Textual Specification:

  system implementation complete.MDS_system
    subcomponents
      Hardware_Being_Controlled: system controlled_systems.sensors_actuators;
      State_Knowledge: system state.knowledge;
      Mission_Planning_Execution: system planning.mission_and_execution;
      State_Estimation: system estimators.of_state;
      State_Control: system controllers.of_state;
      Hardware_Adapter: system adapters.hardware;
  end complete.MDS_system;

MDS Principles
• Closed loop
• Goal-Directed
• Explicit models
• Separation of Concerns
• Integral Fault Protection

(Figure: MDS Control System)


Technical Accomplishments & Outcomes

Milestones

• Completed initial case study investigations into the MDS control system (8/2007)

• Completed a report on the MDS year 1 case study efforts (12/2007)

• Developed a beta practice framework document for project V&V and IV&V (12/2007)

Specific Case Study and Practice Framework Accomplishments

• Demonstrated that the AADL can effectively model MDS top-level constructs and can address key MDS architectural themes (e.g. state-based closed loop control)

• Shown that MBE and AADL can provide a foundation for the analysis of critical MDS performance elements and system assurance concerns (e.g. latency, scheduling)

• Applied practices to MDS example adaptations

• Defined analysis views that address critical concerns

Current activities

• Investigating goal planning and re-planning issues within MDS case study

• Conducting analyses of the MDS integral fault protection capabilities

• Developing exemplar applications of the Practice Framework


Tech Transfer Accomplishments

JPL On-site 11/8/2007
— AADL overview presentation (approximately 25 participants)
— Working session with MDS project to discuss case study and future analysis

JPL On-site 6/18/2008
— Process/technology transfer approach discussions
— Working session with MDS project to provide status on 11/8/2007 direction
— Meet with Europa project as potential case study target

SEI On-site 7/24/2008
— Discuss transfer plan approach and potential inhibitors of successful transition
— Condensed overview of AADL language, tools, and analysis capabilities (excerpts from on-site SEI training material)

Conference paper – currently under revision for near-term submission

Tech Transfer
• Maturing practice framework focusing on detailing analysis practices – applied directly to case studies as demonstration of framework instantiation and execution
• Out-year goals focused on migration of practice framework into embedded development and assurance activities
• Configuring additional case studies to target typical analytical activities beneficial to both development verification/validation and independent assurance


Next Steps

Phase 2 - Initiate IV&V Transition and Extend Development Verification

• Update analysis framework document

• Complete extended case studies and Case Study Report

• Develop a JPL transition plan

Phase 3 – Mature Transition

• Conduct a pilot study in line with a development project

• Support implementation of the JPL transition plan

• Develop an IV&V transition plan and support initial implementation