MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Model-Based Software Assurance with the SAE Architecture Analysis & Design Language (AADL)
California Institute of Technology
Carnegie Mellon University Pittsburgh, PA 15213
September 2008Dave Gluch
Technical Presentation
2MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Carnegie Mellon University Pittsburgh, PA 15213
Peter Feiler & Dave Gluch
California Institute of Technology
Kenny Meyer &Katie Weiss
Kurt Woodham
Ken Evensen
Project Overview
AADL Overview
MDS Architecture and Models
MBA with the AADL
Analysis Examples
Next Steps
Summary and Discussions
3MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Project Overview
Year 2 objectives• Objective: Formulate and demonstrate AADL-driven model-based
engineering in software assurance for NASA development— Activity: extend the case study using focused example models and
analysis products taken from the JPL Mission Data System (MDS)
• Objective: Generate an AADL practice framework — Activity: extend the year 1 beta AADL practice framework to define
model-based analysis practices with the AADL for software assurance in NASA development project V&V and IV&V
• Objective: Lay a foundation for technology transition— Activity: develop a plan for transitioning practices into JPL
(Three-year project overview provided in executive session)
4MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Technical Accomplishments Post-SAS 07
Report on the case study MDS (12/2007)• Demonstrated the use of AADL in the analysis of critical MDS performance
elements and system assurance concerns (e.g. latency, task scheduling, integral fault protection)
• Addressed key MDS architectural themes (e.g. state-based closed loop control, separation of estimation from control, ground-to-flight migration)
Beta version of the AADL Practice Framework (12/2007)• Applied practices to MDS example adaptations• Defined analysis views that address critical concerns
Current activities • Investigating goal planning and re-planning issues within MDS case study• Conducting analyses of the MDS integral fault protection capabilities• Developing exemplar applications of the Practice Framework
5MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Tech Transfer Accomplishments
JPL On-site 11/8/2007• AADL overview presentation (approximately 25 participants) • Working session with MDS project to discuss case study and future
analysisJPL On-site 6/18/2008
• Process/technology transfer approach discussions• Working session with MDS project to provide status on 11/8/2007 direction• Meet with Europa project as potential case study target
SEI On-site 7/24/2008• Discuss transfer plan approach and potential inhibitors of successful
transition• Condensed overview of AADL language, tools, and analysis capabilities
Tech Transfer• Maturing practice framework focusing on detailing analysis practices –
applied directly to case studies as demonstration of framework instantiation and execution
• Out-year goals focused on migration of practice framework into embedded development and assurance activities
• Configuring additional case studies to target typical analytical activities beneficial to both development verification/validation and independent assurance
6MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Transition Considerations
Technology Readiness Level of the work• SAE standard – in use/evaluation on real applications (TRL 7)• Open Source tool environments for design and analysis• Integration with UML
Potential applications in IV&V • Space flight systems – demonstrated on case study (TRL 5)• Ground support systems
Availability of data or case studies • Project results• Legacy system analysis and system development
Barriers to research or application (challenges)• New technology• Integration with existing practices and technology
7MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Technology Readiness Level
Technology Readiness Level
1. Basic principles observed and reported
2. Technology concept and/or application formulated
3. Analytical and experimental critical function and/or characteristic proof of concept
4. Component and/or breadboard validation in laboratory environment
5. Component and/or breadboard validation in relevant environment6. System/subsystem model or prototype demonstration in a relevant environment (ground or space)
7. System prototype demonstration in a space environment8. Actual system completed and 'flight qualified' through test and demonstration (ground or space)
9. Actual system 'flight proven' through successful mission operations
AADL technology at large
Application to IV&V (this project)
8MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Project Overview AADL Overview
• Core modeling elements• Analysis
MDS Architecture and ModelsMBA with the AADLAnalysis ExamplesNext StepsSummary and Discussions
9MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Overview of the AADL
Model-Based Engineering (MBE) language for architectural analysis and specification of real-time embedded systems with stringent performance requirements (e.g. fault-tolerance, security, safety-critical)
Static and dynamic component-based system architecture representation
Precise semantics for accurate system representation and analysis• Early (high level) feasibility analyses• Progressive fidelity added as desired• Multi-dimensional analysis
Single system architecture model• Accommodates diverse analyses• Standardized interchange formats• Tool integration & interoperability
Complementary to other modeling languages• SysML, UML, (UML 2.0 Profile for AADL is in balloting) • OMG MARTE (real-time UML)
Based on 15 years of architecture language research
SAE Standard (AS-5506) Nov 2004
10MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
AADL Language Elements
AADLLanguageElements
engineeringsupport
infrastructure
core modeling
AbstractionsOrganizationExtensions
ComponentsInteractionsProperties
Specifies a well-formed interface External interaction points defined as features Multiple implementations per component type Properties to specify component characteristics Components organized into system hierarchy
11MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
process
thread
data
processor memory
devicebus
AADL Components
Application Software• thread• thread group• process• data• subprogram
Execution Platform• processor• memory• bus• device
Composite • system
System
Each component has predefined properties associated with its declaration.
thread group
Subprogram
coremodeling elements
ComponentsInteractionsProperties
12MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Component Interactions
Connections (explicit declarations)• ports (data and events [control] transfer)• access (to data & bus components)• parameters (sequential subprogram calls)
Calls (explicit declarations & property associations)• subprogram
Bindings (property associations)• software -> execution platform
coremodeling elements
ComponentsInteractionsProperties
out
in
in out
parameters
data access
bus access
out in
in out
data ports
port groups
event ports
in out
in out
event data ports
out in
in out
subprograms
thread
processor immediateconnection
13MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Bus
Processor
Some Standard Properties
Dispatch_Protocol => Periodic;Period => 100 ms;Compute_Deadline => value (Period);Compute_Execution_Time => 10 ms .. 20 ms; Compute_Entrypoint => “speed_control”;Source_Text => “waypoint.java”;Source_Code_Size => 12 KB;
Thread_Swap_Execution_Time => 5 us.. 10 us;Clock_Jitter => 5 ps;
Allowed_Message_Size => 1 KB;Propagation_Delay => 1ps .. 2ps; bus_properties::Protocols => CSMA;
File containing the application code
Code to be executed on dispatch
Thread
Users can define custom properties
Protocols is a user defined property
Dispatch execution properties
coremodeling elements
ComponentsInteractionsProperties
14MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Comprehensive Representation
An AADL Model is…• a comprehensive model of a system’s architecture that
— includes software and hardware components— can include project-specific properties and specialized analysis
representations• organized within packages (libraries of elements) and specification files• comprised of components, interactions, and properties, including explicit
data exchange and the binding of software to hardware
15MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Model-Based System and Software Assurance
Assure system performance and dependability prior to system integration, test, or upgrade through…
• quantitative analysis and simulation of system architecture models• focus on system-wide integration aspects• continual model-based verification from early abstractions through
detailed design
Modeling
Navigation Sensor
Processing
Integrated Navigation Guidance
Processing
Flight PlanProcessing
Aircraft Performance Calculation
20Hz
10Hz 20Hz
5Hz
2Hz
From Partitions
To Partitions
Navigation Sensor
Processing
Integrated Navigation Guidance
Processing
Flight PlanProcessing
Aircraft Performance Calculation
20Hz
10Hz 20Hz
5Hz
2Hz
From Partitions
To Partitions
Fuel Flow
Guidance
Navsensor data
Navsignaldata
FP dataPerformancedata
NavdataNavsensor
data
NavdataFP data
Navigation Sensor
Processing
Integrated Navigation Guidance
Processing
Flight PlanProcessing
Aircraft Performance Calculation
20Hz
10Hz 20Hz
5Hz
2Hz
From Partitions
To Partitions
Navigation Sensor
Processing
Integrated Navigation Guidance
Processing
Flight PlanProcessing
Aircraft Performance Calculation
20Hz
10Hz 20Hz
5Hz
2Hz
From Partitions
To Partitions
Fuel Flow
Guidance
Navsensor data
Navsignaldata
Navsignaldata
FP dataPerformancedata
NavdataNavsensor
data
NavdataFP data
Analysis
16MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Model-Based Assurance with AADL
Real-timePerformanceExecution time/Deadline Deadlock/starvationLatency
Analysis Across PerspectivesSecurityIntrusionIntegrityConfidentiality
Availability & ReliabilityMTBFFMEAHazard analysis
Data precision/accuracyTemporal correctnessConfidence
Data Quality
Architecture Model
ResourceConsumptionBandwidthCPU timePower consumption
17MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Project Overview AADL OverviewMDS Architecture and Models
• Reference Architecture• Adaptation Instances
MBA with the AADL
Analysis Examples AnalysisNext StepsSummary and Discussions
18MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
The Mission Data System - Perspectives
A reference architecture• To be instantiated for different applications
An embedded systems architecture• Consists of physical system, computing hardware,
application software
A control systems architecture• Feedback loops in application architecture• Feedback loops in data management system
A multi-layered architecture• From low-level control loops to goal-oriented planning and plan
execution Generic Architecture Pattern with Connection Topology
19MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Case Study: MDS Reference Architecture
Textual & Graphical Representations
Excerpt from the Textual Specification:system implementation complete.MDS_system subcomponents Hardware_Being_Controlled: system controlled_systems.sensors_actuators; State_Knowledge: system state.knowledge; Mission_Planning_Execution: system planning.mission_and_execution; State_Estimation: system estimators.of_state; State_Control: system contollers.of_state; Hardware_Adapter: system adapters.hardware;
MDS Principles• Closed loop• Goal-Directed • Explicit models• Separation of Concerns• Integral Fault Protection
MDS Control System
20MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Model of the MDS Control System
Excerpt from the Textual Specification: process implementation MDSControlSystem.basic
subcomponents
GoalPlanner: thread group ControlSoftware::GoalPlanner;
GoalExecutive: thread group ControlSoftware::GoalExecutive;
GoalMonitor: thread group ControlSoftware::XGoalMonitor;
StateEstimation: thread group ControlSoftware::estimator;
StateControl: thread group ControlSoftware::controller;
OperatorConsole: thread group ControlSoftware::OperatorConsole;
Focus on Information Flow
Goal-oriented Mission Tasks
Time-sensitive Continuous Control Tasks
21MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Reference Architecture Instantiation
Instantiation of reference architecture
through refinement of AADL model
Deployment on different
computing hardware platforms
22MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Project Overview AADL OverviewMDS Architecture and Models
MBA with the AADL
Analysis Examples
Next StepsSummary and Discussions
23MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
AADL Analysis Repository
Component Library Analysis GuidelinesCustom Property Sets
Focus Build Analyze
RequirementsIncludes Risks and Quality Attributes
Key:
AADL Models
V&V or IV&V Plan
Analysis Plan
Analysis Products
Activities Artifacts
Process Flow
Relationship btw Activities and Supporting Artifacts
Relationship btw Activities and Process Artifacts
Reference Architectiures
AADL Model-Based Analysis Practice Framework
24MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Example Component Library
Constellation ISS Mars Rover
NASA Facility MDS Reference MDS Reference ArchitectureArchitecture
Utilizes Library Components
performance
resource consumption behaviordata quality
AADL models are developed as part of individual analysis viewpoints and views within an Analysis Portfolio
Analysis Portfolio
security
MDS rover model
dependability
Each viewpoint addresses specific concerns and may involve multiple views and
models
25MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
AADL Analysis Repository
Component Library Analysis GuidelinesCustom Property SetsReference Architectiures
Developing Analysis Views within an Analysis Portfolio
Analysis Portfolio
MDS Rover Model Required Component
extends
extends
26MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
AADL Rover Wheel Control
27MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Project Overview AADL OverviewMDS Architecture and Models
MBA with the AADL
Analysis Examples• Latency• Goal Network
Next StepsSummary and Discussions
28MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Temperature Control AADL Representation
Use of immediate & delayed connections to achieve deterministic sampling
flow path
Control engineering concerns:Processing latency, sampling latency,
physical signal latencySoftware systems engineering concerns:
Preemption, processor speed, resource contention, communication delay, rate group optimization, partitioned architecture, migration of functionality
29MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Temperature Control AADL Representation
flow path
30MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Transport Latency Analysis Results
* Note that illustrative values are used for this model and the results are not indicative of the results for any existing MDS implementation.
Excerpt from the Textual Specification*: flows TempRsp: end to end flow camera_hardware.TempRsp1 -> DC02 -> temperature_sensor_adapter.TempRsp -> DC04 -> state_estimation.TempRsp -> DC07 -> State_Variables.TempRsp -> DC08 -> state_control.TempRsp -> DC06 -> switch_actuator_hardware_adapter.TempRsp -> DC03 -> camera_hardware.TempRsp {latency => 50 ms;};
flows TempRsp: flow path control_goals -> commands {Latency => 20 ms;};
flows TempRsp: flow sink switch_command -> DataConnection1 -> switch_actuator.TempRsp; TempRsp1: flow source temperature_sensor.TempRsp -> DataConnection5 -> temperature_measurement;
Analysis Results*: Analysis can be extended to the thread level
31MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Project Overview AADL OverviewMDS Architecture and Models
MBA with the AADL
Analysis Examples• Latency• Goal Network
Next StepsSummary and Discussions
32MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Modeling and Analysis of Mission Processing
Mission planning & plan execution• Modeling and analysis framework in place by MDS• Represent planning & plan execution tasks• Represent goal-based fault management
Modeling of execution of goal network execution• AADL modes to represent active components and connections• Identify operational modes/states in the execution of the goal network• Identify layers and patterns in goal network• Recognize different categories of faults and fault management strategies
Analyze impact of runtime architecture• Alternative hardware platforms, e.g., multi-core• Workload and scheduling analysis driven by goal sequences• Consistency of delegation & safing• Responsiveness of replanning & consistent migration to new plans
33MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Error Model Specification
Parameterization of error modelArchitecture topology & mapping drive system fault model
Traceability between system fault model and system architecture
34MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Outline
Project Overview AADL OverviewMDS Architecture and Models
MBA with the AADL
Analysis ExamplesNext StepsSummary and Discussions
35MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Next Steps
Phase 2 - Initiate transition and extend development verification efforts • Complete extended case studies and case study report
— Goal network analysis— Integral fault protection— Expanded control system analyses
• Develop analysis framework document — Detailed examples
• Develop a JPL transition plan
Phase 3 – Mature transition• Conduct a pilot study in-line with a development project
• Support implementation of the JPL transition plan
• Develop an IV&V transition plan
36MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Next Steps
Confirm and extend interim results • Continue models and conduct analyses of the MDS and its adaptations • Address the critical aspects and MDS themes identified in the case study• Assess ability to predict critical architecture properties in MDS
implementations • Explore the appropriateness of the AADL as an architectural framework for
system and software assurance
Refine the model-based AADL Practice Framework to addresses the concerns of software assurance in project V&V and IV&V
Pursue the issues and research directions arising out of the case study that have long term implications for model-based software assurance
Continuing case study efforts • Addressing the issues of handling state variables in the application model• Investigating transport latency and latency jitter • Modeling integral fault protection
37MAC-T IVV-08-150
SAS_08_AADL_Tech_Gluch
Summary: AADL for Project V&V and IV&V
AADL • SAE standard • Models embedded software, computing platform, and physical environment • Focus is the runtime essence of an architecture • Precise & analyzable (lightweight, formal, qualitative, or quantitative)• Separates application from computational system concerns• Extensible (individualized property sets, specialized annexes) • OMG MARTE AADL profile provides a migration path for UML community
Basis for a V&V Analysis Practice• Broad computing system (software and hardware) perspective• Layered levels of analysis • Lightweight analyses• Detailed quantitative analyses• Specialized analyses • Single integrated architectural analysis representation