Model-Based Software Assurance with the SAE Architecture Analysis & Design Language (AADL)

Dave Gluch, Carnegie Mellon University, Pittsburgh, PA 15213, with the California Institute of Technology
Technical Presentation, September 2008 (MAC-T IVV-08-150, SAS_08_AADL_Tech_Gluch)


Page 1: Title slide

Page 2: Outline

Carnegie Mellon University, Pittsburgh, PA 15213: Peter Feiler & Dave Gluch
California Institute of Technology: Kenny Meyer & Katie Weiss
Kurt Woodham, Ken Evensen

• Project Overview
• AADL Overview
• MDS Architecture and Models
• MBA with the AADL
• Analysis Examples
• Next Steps
• Summary and Discussions

Page 3: Project Overview

Year 2 objectives
• Objective: Formulate and demonstrate AADL-driven model-based engineering in software assurance for NASA development
  — Activity: extend the case study using focused example models and analysis products taken from the JPL Mission Data System (MDS)
• Objective: Generate an AADL practice framework
  — Activity: extend the year 1 beta AADL practice framework to define model-based analysis practices with the AADL for software assurance in NASA development project V&V and IV&V
• Objective: Lay a foundation for technology transition
  — Activity: develop a plan for transitioning practices into JPL

(Three-year project overview provided in executive session)

Page 4: Technical Accomplishments Post-SAS 07

Report on the MDS case study (12/2007)
• Demonstrated the use of AADL in the analysis of critical MDS performance elements and system assurance concerns (e.g. latency, task scheduling, integral fault protection)
• Addressed key MDS architectural themes (e.g. state-based closed loop control, separation of estimation from control, ground-to-flight migration)

Beta version of the AADL Practice Framework (12/2007)
• Applied practices to MDS example adaptations
• Defined analysis views that address critical concerns

Current activities
• Investigating goal planning and re-planning issues within the MDS case study
• Conducting analyses of the MDS integral fault protection capabilities
• Developing exemplar applications of the Practice Framework

Page 5: Tech Transfer Accomplishments

JPL on-site, 11/8/2007
• AADL overview presentation (approximately 25 participants)
• Working session with the MDS project to discuss the case study and future analysis

JPL on-site, 6/18/2008
• Process/technology transfer approach discussions
• Working session with the MDS project to provide status on the 11/8/2007 direction
• Meet with the Europa project as a potential case study target

SEI on-site, 7/24/2008
• Discuss the transfer plan approach and potential inhibitors of successful transition
• Condensed overview of AADL language, tools, and analysis capabilities

Tech Transfer
• Maturing practice framework focusing on detailing analysis practices, applied directly to case studies as a demonstration of framework instantiation and execution
• Out-year goals focused on migration of the practice framework into embedded development and assurance activities
• Configuring additional case studies to target typical analytical activities beneficial to both development verification/validation and independent assurance

Page 6: Transition Considerations

Technology Readiness Level of the work
• SAE standard, in use/evaluation on real applications (TRL 7)
• Open source tool environments for design and analysis
• Integration with UML

Potential applications in IV&V
• Space flight systems, demonstrated on the case study (TRL 5)
• Ground support systems

Availability of data or case studies
• Project results
• Legacy system analysis and system development

Barriers to research or application (challenges)
• New technology
• Integration with existing practices and technology

Page 7: Technology Readiness Level

1. Basic principles observed and reported
2. Technology concept and/or application formulated
3. Analytical and experimental critical function and/or characteristic proof of concept
4. Component and/or breadboard validation in laboratory environment
5. Component and/or breadboard validation in relevant environment
6. System/subsystem model or prototype demonstration in a relevant environment (ground or space)
7. System prototype demonstration in a space environment
8. Actual system completed and 'flight qualified' through test and demonstration (ground or space)
9. Actual system 'flight proven' through successful mission operations

(Figure: the scale is marked at two points, "AADL technology at large" and "Application to IV&V (this project)"; the corresponding TRL values are given on Page 6)

Page 8: Outline

• Project Overview
• AADL Overview
  • Core modeling elements
  • Analysis
• MDS Architecture and Models
• MBA with the AADL
• Analysis Examples
• Next Steps
• Summary and Discussions

Page 9: Overview of the AADL

Model-Based Engineering (MBE) language for architectural analysis and specification of real-time embedded systems with stringent performance requirements (e.g. fault-tolerance, security, safety-critical)

Static and dynamic component-based system architecture representation

Precise semantics for accurate system representation and analysis
• Early (high level) feasibility analyses
• Progressive fidelity added as desired
• Multi-dimensional analysis

Single system architecture model
• Accommodates diverse analyses
• Standardized interchange formats
• Tool integration & interoperability

Complementary to other modeling languages
• SysML, UML (UML 2.0 Profile for AADL is in balloting)
• OMG MARTE (real-time UML)

Based on 15 years of architecture language research

SAE Standard (AS-5506), Nov 2004

Page 10: AADL Language Elements

(Figure: the AADL language elements, grouped into core modeling (components, interactions, properties), engineering support (abstractions, organization, extensions) and infrastructure)

• Specifies a well-formed interface
• External interaction points defined as features
• Multiple implementations per component type
• Properties to specify component characteristics
• Components organized into a system hierarchy

Page 11: AADL Components

(Figure: graphical symbols for process, thread, thread group, data, subprogram, processor, memory, device, bus and system; core modeling elements: components, interactions, properties)

Application Software
• thread
• thread group
• process
• data
• subprogram

Execution Platform
• processor
• memory
• bus
• device

Composite
• system

Each component has predefined properties associated with its declaration.

Page 12: Component Interactions

Connections (explicit declarations)
• ports (data and event [control] transfer)
• access (to data & bus components)
• parameters (sequential subprogram calls)

Calls (explicit declarations & property associations)
• subprogram

Bindings (property associations)
• software -> execution platform

(Figure: graphical notation for in, out and in out data ports, event ports, event data ports and port groups; subprogram parameters; data access; bus access; subprograms; and an immediate connection between threads on a processor; core modeling elements: components, interactions, properties)

Page 13: Some Standard Properties

Thread properties (dispatch and execution properties; Compute_Entrypoint names the code to be executed on dispatch and Source_Text the file containing the application code):

  Dispatch_Protocol => Periodic;
  Period => 100 ms;
  Compute_Deadline => value (Period);
  Compute_Execution_Time => 10 ms .. 20 ms;
  Compute_Entrypoint => "speed_control";
  Source_Text => "waypoint.java";
  Source_Code_Size => 12 KB;

Processor properties:

  Thread_Swap_Execution_Time => 5 us .. 10 us;
  Clock_Jitter => 5 ps;

Bus properties (users can define custom properties; Protocols is a user-defined property):

  Allowed_Message_Size => 1 KB;
  Propagation_Delay => 1 ps .. 2 ps;
  bus_properties::Protocols => CSMA;
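Property associations in this form are what an analysis tool consumes. As an added example (not code from the presentation or from any AADL tool), the Python below parses associations written this way, resolves value (Period), normalizes units, and runs the two checks such values support: whether each periodic thread's worst-case Compute_Execution_Time fits its Compute_Deadline, and the summed utilization of the threads bound to one processor. The second thread spec, the unit tables and the function names are my own constructions.

```python
"""Parse AADL-style property associations (the form on the 'Some Standard
Properties' slide) and run two lightweight checks: per-thread deadline
feasibility and processor utilization.  Added example, not code from the
presentation or any AADL tool; the thread specs below are constructed."""
import re

# Units as the slide writes them: time in microseconds, size in bytes.
TIME_UNITS = {"ps": 1e-6, "ns": 1e-3, "us": 1.0, "ms": 1e3, "sec": 1e6}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
ASSOC_RE = re.compile(r"(\w+(?:::\w+)?)\s*=>\s*([^;]+);")   # Name => value;
QTY_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*([A-Za-z]+)$")       # 10 ms, 12 KB


def parse_quantity(text):
    """'10 ms' -> 10000.0 (us); '12 KB' -> 12288.0 (bytes); unitless -> float."""
    m = QTY_RE.match(text.strip())
    if not m:
        return float(text)          # raises ValueError for enumeration literals
    num, unit = float(m.group(1)), m.group(2)
    if unit in TIME_UNITS:
        return num * TIME_UNITS[unit]
    if unit in SIZE_UNITS:
        return num * SIZE_UNITS[unit]
    raise ValueError("unknown unit: " + unit)


def parse_value(text, props):
    """Decode one right-hand side: string, value(Ref), range, quantity or enum."""
    text = text.strip()
    if text.startswith(('"', "\u201c")):
        return text.strip("\"\u201c\u201d")
    ref = re.match(r"value\s*\(\s*(\w+)\s*\)$", text)
    if ref:                          # e.g. Compute_Deadline => value (Period)
        return props[ref.group(1)]
    if ".." in text:                 # range 'lo .. hi' -> (lo, hi)
        lo, hi = text.split("..")
        return (parse_quantity(lo), parse_quantity(hi))
    try:
        return parse_quantity(text)
    except ValueError:
        return text                  # enumeration literal: Periodic, CSMA, ...


def parse_properties(spec):
    """Return {property name: decoded value} for every association in spec."""
    props = {}
    for name, raw in ASSOC_RE.findall(spec):
        props[name] = parse_value(raw, props)
    return props


def check_thread(props):
    """Periodic thread: worst-case execution time must fit Compute_Deadline
    (which defaults to Period); utilization is WCET / Period."""
    period = props["Period"]
    deadline = props.get("Compute_Deadline", period)
    _, wcet = props["Compute_Execution_Time"]
    periodic = props.get("Dispatch_Protocol") == "Periodic"
    return {"wcet_us": wcet, "deadline_us": deadline,
            "feasible": periodic and wcet <= deadline, "utilization": wcet / period}


def processor_utilization(thread_specs):
    """Sum of WCET/Period over the threads bound to one processor."""
    return sum(check_thread(parse_properties(s))["utilization"] for s in thread_specs)


# Constructed specs: the first repeats the slide's thread, the second is ours.
SPEED_CONTROL = """Dispatch_Protocol => Periodic; Period => 100 ms;
Compute_Deadline => value (Period); Compute_Execution_Time => 10 ms .. 20 ms;
Compute_Entrypoint => "speed_control"; Source_Text => "waypoint.java";
Source_Code_Size => 12 KB;"""
WAYPOINT = """Dispatch_Protocol => Periodic; Period => 50 ms;
Compute_Execution_Time => 5 ms .. 15 ms;"""

if __name__ == "__main__":
    u = processor_utilization([SPEED_CONTROL, WAYPOINT])
    print("processor utilization: %.2f (%s)" % (u, "ok" if u <= 1.0 else "overloaded"))
```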

Page 14: Comprehensive Representation

An AADL Model is…
• a comprehensive model of a system's architecture that
  — includes software and hardware components
  — can include project-specific properties and specialized analysis representations
• organized within packages (libraries of elements) and specification files
• comprised of components, interactions, and properties, including explicit data exchange and the binding of software to hardware

Page 15: Model-Based System and Software Assurance

Assure system performance and dependability prior to system integration, test, or upgrade through…
• quantitative analysis and simulation of system architecture models
• focus on system-wide integration aspects
• continual model-based verification from early abstractions through detailed design

(Figure: "Modeling" to "Analysis" over a partitioned flight application: Navigation Sensor Processing (20 Hz), Integrated Navigation Guidance Processing (10 Hz / 20 Hz), Flight Plan Processing (5 Hz) and Aircraft Performance Calculation (2 Hz), with the data flows Nav sensor data, Nav signal data, Nav data, FP data, Performance data, Guidance and Fuel Flow passing from and to partitions)

Page 16: Model-Based Assurance with AADL

Analysis across perspectives, all drawn from one architecture model:
• Real-time performance: execution time/deadline, deadlock/starvation, latency
• Security: intrusion, integrity, confidentiality
• Availability & reliability: MTBF, FMEA, hazard analysis
• Data quality: data precision/accuracy, temporal correctness, confidence
• Resource consumption: bandwidth, CPU time, power consumption

Page 17: Outline

• Project Overview
• AADL Overview
• MDS Architecture and Models
  • Reference Architecture
  • Adaptation Instances
• MBA with the AADL
• Analysis Examples
• Next Steps
• Summary and Discussions

Page 18: The Mission Data System - Perspectives

A reference architecture
• To be instantiated for different applications

An embedded systems architecture
• Consists of physical system, computing hardware, application software

A control systems architecture
• Feedback loops in application architecture
• Feedback loops in data management system

A multi-layered architecture
• From low-level control loops to goal-oriented planning and plan execution

(Figure: generic architecture pattern with connection topology)

Page 19: Case Study: MDS Reference Architecture

Textual & graphical representations

Excerpt from the textual specification:

  system implementation complete.MDS_system
    subcomponents
      Hardware_Being_Controlled: system controlled_systems.sensors_actuators;
      State_Knowledge: system state.knowledge;
      Mission_Planning_Execution: system planning.mission_and_execution;
      State_Estimation: system estimators.of_state;
      State_Control: system contollers.of_state;
      Hardware_Adapter: system adapters.hardware;

MDS Principles
• Closed loop
• Goal-directed
• Explicit models
• Separation of concerns
• Integral fault protection

(Figure: MDS control system)

Page 20: Model of the MDS Control System

Excerpt from the textual specification:

  process implementation MDSControlSystem.basic
    subcomponents
      GoalPlanner: thread group ControlSoftware::GoalPlanner;
      GoalExecutive: thread group ControlSoftware::GoalExecutive;
      GoalMonitor: thread group ControlSoftware::XGoalMonitor;
      StateEstimation: thread group ControlSoftware::estimator;
      StateControl: thread group ControlSoftware::controller;
      OperatorConsole: thread group ControlSoftware::OperatorConsole;

Focus on information flow: goal-oriented mission tasks and time-sensitive continuous control tasks.

Page 21: Reference Architecture Instantiation

Instantiation of the reference architecture through refinement of the AADL model

Deployment on different computing hardware platforms

Page 22: Outline

• Project Overview
• AADL Overview
• MDS Architecture and Models
• MBA with the AADL
• Analysis Examples
• Next Steps
• Summary and Discussions

Page 23: AADL Model-Based Analysis Practice Framework

(Figure: process flow Focus -> Build -> Analyze. The activities draw on the AADL Analysis Repository (component library, analysis guidelines, custom property sets, reference architectures) and on requirements, including risks and quality attributes. Process artifacts: AADL models, V&V or IV&V plan, analysis plan, analysis products. Key: activities; artifacts; process flow; relationship between activities and supporting artifacts; relationship between activities and process artifacts)

Page 24: Example Component Library

(Figure: the component library holds the MDS Reference Architecture and models for Constellation, ISS, Mars Rover and NASA Facility; the MDS rover model utilizes library components and is analyzed within an Analysis Portfolio whose viewpoints cover performance, resource consumption, behavior, data quality, security and dependability)

AADL models are developed as part of individual analysis viewpoints and views within an Analysis Portfolio.

Each viewpoint addresses specific concerns and may involve multiple views and models.

Page 25: Developing Analysis Views within an Analysis Portfolio

(Figure: the AADL Analysis Repository (component library, analysis guidelines, custom property sets, reference architectures), an MDS Rover Model and a required component, linked by "extends" relationships, within the Analysis Portfolio)

Page 26: AADL Rover Wheel Control

Page 27: Outline

• Project Overview
• AADL Overview
• MDS Architecture and Models
• MBA with the AADL
• Analysis Examples
  • Latency
  • Goal Network
• Next Steps
• Summary and Discussions

Page 28: Temperature Control AADL Representation

Use of immediate & delayed connections to achieve deterministic sampling (figure: flow path through the temperature control model)

Control engineering concerns: processing latency, sampling latency, physical signal latency

Software systems engineering concerns: preemption, processor speed, resource contention, communication delay, rate group optimization, partitioned architecture, migration of functionality

Page 29: Temperature Control AADL Representation (continued)

(Figure: flow path)

Page 30: Transport Latency Analysis Results

* Note that illustrative values are used for this model and the results are not indicative of the results for any existing MDS implementation.

Excerpt from the textual specification*:

  flows
    TempRsp: end to end flow camera_hardware.TempRsp1 -> DC02 ->
      temperature_sensor_adapter.TempRsp -> DC04 -> state_estimation.TempRsp -> DC07 ->
      State_Variables.TempRsp -> DC08 -> state_control.TempRsp -> DC06 ->
      switch_actuator_hardware_adapter.TempRsp -> DC03 -> camera_hardware.TempRsp
      {latency => 50 ms;};

  flows
    TempRsp: flow path control_goals -> commands {Latency => 20 ms;};

  flows
    TempRsp: flow sink switch_command -> DataConnection1 -> switch_actuator.TempRsp;
    TempRsp1: flow source temperature_sensor.TempRsp -> DataConnection5 -> temperature_measurement;

Analysis results*: the analysis can be extended to the thread level.
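The end-to-end flow above declares a 50 ms budget, and the latency analysis checks that budget against the contributions of every flow spec and connection on the path. As an added example (not the presentation's analysis nor any AADL tool's), the Python below parses that declaration, sums constructed per-element latencies, and treats a delayed connection as adding one period of the receiving thread, the sampling effect Page 28 refers to; that one-period rule, the latency table and the connection table are my simplifying assumptions, with only the 20 ms of state_control taken from the slide.

```python
"""Worst-case end-to-end latency over an AADL end-to-end flow, the check behind
the 'Transport Latency Analysis Results' slide.  Added example, not code from the
presentation or from an AADL tool; the per-component latencies and connection
kinds below are constructed illustrative values, as the slide's own are."""
import re

# Constructed flow-spec latencies (ms) per "component.flow" on the path.  Only
# state_control.TempRsp takes a value from the slide (flow path control_goals ->
# commands {Latency => 20 ms;}); the rest are ours.
FLOW_LATENCY_MS = {
    "camera_hardware.TempRsp1": 2, "temperature_sensor_adapter.TempRsp": 5,
    "state_estimation.TempRsp": 8, "State_Variables.TempRsp": 1,
    "state_control.TempRsp": 20, "switch_actuator_hardware_adapter.TempRsp": 5,
    "camera_hardware.TempRsp": 2,
}
# Constructed connections: kind and, for delayed ones, the receiving thread's
# period (ms).  Simplifying assumption used here: an immediate connection adds
# no sampling delay; a delayed connection is read at the receiver's next
# dispatch and so adds up to one receiver period in the worst case.
CONNECTIONS = {"DC02": ("immediate", None), "DC04": ("immediate", None),
               "DC07": ("delayed", 10), "DC08": ("immediate", None),
               "DC06": ("immediate", None), "DC03": ("immediate", None)}

# The slide's end-to-end flow declaration, verbatim.
END_TO_END = """TempRsp: end to end flow camera_hardware.TempRsp1 -> DC02 ->
temperature_sensor_adapter.TempRsp -> DC04 -> state_estimation.TempRsp -> DC07 ->
State_Variables.TempRsp -> DC08 -> state_control.TempRsp -> DC06 ->
switch_actuator_hardware_adapter.TempRsp -> DC03 -> camera_hardware.TempRsp
{latency => 50 ms;};"""

E2E_RE = re.compile(r"\s*(\w+)\s*:\s*end to end flow\s+(.*?)\s*\{\s*latency\s*=>"
                    r"\s*(\d+)\s*ms\s*;\s*\}\s*;", re.S | re.I)


def parse_end_to_end(spec):
    """Return (flow name, [path elements], budget_ms) from the declaration."""
    m = E2E_RE.match(spec)
    if not m:
        raise ValueError("not an end-to-end flow declaration")
    return m.group(1), [e.strip() for e in m.group(2).split("->")], int(m.group(3))


def worst_case_latency_ms(elements, flow_lat=FLOW_LATENCY_MS, conns=CONNECTIONS):
    """Add up each path element's contribution; returns (total, breakdown)."""
    breakdown = []
    for elem in elements:
        if elem in conns:
            kind, period = conns[elem]
            breakdown.append((elem, period if kind == "delayed" else 0))
        else:                       # KeyError here = flow spec without a latency
            breakdown.append((elem, flow_lat[elem]))
    return sum(ms for _, ms in breakdown), breakdown


def check_flow(spec, conns=CONNECTIONS):
    """Compare the worst case with the declared end-to-end latency budget."""
    name, elements, budget = parse_end_to_end(spec)
    total, breakdown = worst_case_latency_ms(elements, conns=conns)
    return {"flow": name, "total_ms": total, "budget_ms": budget,
            "met": total <= budget, "dominant": max(breakdown, key=lambda p: p[1])[0]}


if __name__ == "__main__":
    r = check_flow(END_TO_END)
    print("%(flow)s: %(total_ms)d ms of %(budget_ms)d ms budget, met=%(met)s, "
          "dominant contributor %(dominant)s" % r)
```

With the single delayed connection DC07 the constructed path misses its budget (53 ms versus 50 ms); with every connection immediate it meets it at 43 ms, which is the trade-off between deterministic sampling and latency that the analysis makes visible.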

Page 31: Outline

• Project Overview
• AADL Overview
• MDS Architecture and Models
• MBA with the AADL
• Analysis Examples
  • Latency
  • Goal Network
• Next Steps
• Summary and Discussions

Page 32: Modeling and Analysis of Mission Processing

Mission planning & plan execution
• Modeling and analysis framework in place by MDS
• Represent planning & plan execution tasks
• Represent goal-based fault management

Modeling of goal network execution
• AADL modes to represent active components and connections
• Identify operational modes/states in the execution of the goal network
• Identify layers and patterns in the goal network
• Recognize different categories of faults and fault management strategies

Analyze impact of runtime architecture
• Alternative hardware platforms, e.g., multi-core
• Workload and scheduling analysis driven by goal sequences
• Consistency of delegation & safing
• Responsiveness of replanning & consistent migration to new plans

Page 33: Error Model Specification

Parameterization of the error model: architecture topology & mapping drive the system fault model

Traceability between system fault model and system architecture

Page 34: Outline

• Project Overview
• AADL Overview
• MDS Architecture and Models
• MBA with the AADL
• Analysis Examples
• Next Steps
• Summary and Discussions

Page 35: Next Steps

Phase 2: Initiate transition and extend development verification efforts
• Complete extended case studies and case study report
  — Goal network analysis
  — Integral fault protection
  — Expanded control system analyses
• Develop analysis framework document
  — Detailed examples
• Develop a JPL transition plan

Phase 3: Mature transition
• Conduct a pilot study in-line with a development project
• Support implementation of the JPL transition plan
• Develop an IV&V transition plan

Page 36: Next Steps (continued)

Confirm and extend interim results
• Continue models and conduct analyses of the MDS and its adaptations
• Address the critical aspects and MDS themes identified in the case study
• Assess ability to predict critical architecture properties in MDS implementations
• Explore the appropriateness of the AADL as an architectural framework for system and software assurance

Refine the model-based AADL Practice Framework to address the concerns of software assurance in project V&V and IV&V

Pursue the issues and research directions arising out of the case study that have long-term implications for model-based software assurance

Continuing case study efforts
• Addressing the issues of handling state variables in the application model
• Investigating transport latency and latency jitter
• Modeling integral fault protection

Page 37: Summary: AADL for Project V&V and IV&V

AADL
• SAE standard
• Models embedded software, computing platform, and physical environment
• Focus is the runtime essence of an architecture
• Precise & analyzable (lightweight, formal, qualitative, or quantitative)
• Separates application from computational system concerns
• Extensible (individualized property sets, specialized annexes)
• OMG MARTE AADL profile provides a migration path for the UML community

Basis for a V&V Analysis Practice
• Broad computing system (software and hardware) perspective
• Layered levels of analysis
• Lightweight analyses
• Detailed quantitative analyses
• Specialized analyses
• Single integrated architectural analysis representation