AADL-UML Tutorial - LA ACM 2002
17 Pages
English
Downloading requires you to have access to the YouScribe library
Learn all about the services we offer

AADL-UML Tutorial - LA ACM 2002

-

Downloading requires you to have access to the YouScribe library
Learn all about the services we offer
17 Pages
English

Description

‰‰‰‰‰‰‰‰‰‰‰‰‰‰‰Avionics Architecture Description Language 9 January 2002and UMLAADL OverviewAvionics Architecture Society of Automotive Engineers (SAE) is developing standard Avionics Architecture Description LanguageDescription Language and Basic research funded bythe Unified Modeling Language – U.S. Defense Advance Research Agency– Office of U.S. Secretary of Defense’s Open Systems – Joint Task Ed Colbert Force (OS – JTF)President, Absolute Softwarecolbert@abssw.com Based on (760) 929-0612 – MetaH• Design by Honeywell for specification of real-time, fault-tolerant, securely Director, USC Software Engineering Certificate Programpartitioned, dynamically reconfigurable multi-processor system ecolbert@usc.eduarchitectures (213) 821-1240– Unified Modeling language (UML) • Object Management Group’s (OMG) standard language for object–Based on presentation developed with Bruce Lewis, U.S. Army Aviation and Missile oriented software developmentCommand (AMCOM)1/16/2002 2Problems Developing Embedded Real-Time Outline SystemsDeveloping & maintaining has always been difficultProblems Developing Embedded Real-Time Systems– More capabilities required in each new system or upgradeHow Avionics Architecture Description Language Will Help • e.g. multimedia, situation awareness, mission simulation & trainingOverview of AADL – Reliability, safety, & performance are constant concerns• Wrong or late answer could be deadlyDraft Language Elements– ...

Subjects

Informations

Published by
Reads 64
Language English

Exrait

Avionics ArchitceuterD sercpiit Longuane agd an9LMUnaJ yrau002 ACM/2LA  200IEEEdEC  2--tr1loeb
Outline ‰ Problems Developing Embedded Real-Time Systems ‰ How Avionics Architecture Description Language Will Help ‰ Overview of AADL ‰ Draft Language Elements ‰ Extending UML ‰ Draft UML Metamodel & Profile for AADL ‰ AADL/UML Generic Missile Example ‰ AADL Standard Process ‰ Final Notes 1/16/2002
Problems Developing Embedded Real-Time Systems ‰ Developing & maintaining has always been difficult  More capabilities required in each new system or upgrade  e.g. multimedia, situation awareness, mission simulation & training  Reliability, safety, & performance are constant concerns  Wrong or late answer could be deadly  During development  Difficult to integrate  Few means of assessing impact of decisions early  Often, by time developers perceive that system exceeds processor resources, its so late that adding or changing resources is expensive, if possible » Many projects cut back on capabilities so software fits hardware (despite increased costs of integration, maintenance, & upgrading) 1/16/2002 4
Problems Developing Embedded Real-Time Systems (cont.) ‰ Current development process  Manual, paper intensive, error prone, resistant to change
3
5
ReAquniarleymsiesnts DesignImplementationIntegration 1/16/2002 6
Avionics Architecture Description Language and the Unified Modeling Language Ed Colbert President, Absolute Software colbert@abssw.com (760) 929-0612 Director, USC Software Engineering Certificate Program ecolbert@usc.edu (213) 821-1240 Based on presentation developed with Bruce Lewis, U.S. Army Aviation and Missile Command (AMCOM)
Problems Developing Embedded Real-Time Systems (cont.) ‰ Embedded systems typically have very long lives & must be upgraded throughout  Capacity on original processors is soon exhausted as user needs increase  If not exhausted when fielded  Hardware becomes obsolete  Either condition can force expensive re-hosting of software to new hardware  Millions of dollars and years of effort can be spent 1/16/2002
AADL Overview ‰ Society of Automotive Engineers (SAE) is developing standard Avionics Architecture Description Language ‰ Basic research funded by  U.S. Defense Advance Research Agency  Office of U.S. Secretary of Defenses Open Systems  Joint Task Force (OS  JTF) ‰ Based on  MetaH  Design by Honeywell for specification of real-time, fault-tolerant, securely partitioned, dynamically reconfigurable multi-processor system architectures  Unified Modeling language (UML)  Object Management Groups (OMG) standard language for object oriented software development 1/16/2002 2
1/16/2002
A New Engineering Paradigm ‰ Formal specification of architecture & properties ‰ Early detection: repeated system analyses ‰ Error elimination: automatic generation & integration ‰ Rapid evolution: refinement of models & components ‰ Managed change impact: Separation of concerns design feed-back formal modeling verification and analysis methods and tools discipline-specific design notations and editing and visualization tools implementation methods and tools d ration co e gene 1/16/2002
11
Outline ‰ Problems Developing Embedded Real-Time Systems ‰ How Avionics Architecture Description Language Will Help ‰ Overview of AADL ‰ Draft Language Elements ‰ Extending UML ‰ Draft UML Metamodel & Profile for AADL ‰ AADL/UML Generic Missile Example ‰ AADL Standard Process ‰ Final Notes 1/16/2002
8
Problems Developing Embedded Real-Time Systems (cont.) ‰ Welldesigned architecture is essential ‰ Yet, [Garlan, Kompanek, et al. 2000] say that in practice  Most architectural descriptions are  Informal documents  Usually centered on box-and-line diagrams, with explanatory prose  Visual conventions are idiosyncratic & usually project-specific  Results  Are only vaguely understood by developers  Cannot be analyzed for consistency or completeness  Are only hypothetically related to implementations  Properties cannot be enforced as system evolves  Cannot be supported by tools to help software architects with their tasks 1/16/2002
7
10
AADL is Domain-Specific Architecture Description Language ‰ Provides notations that support domain-specific architectural style or styles  Notations for common computation & communication paradigms  Architecture formally specified using notation or notations ‰ Models & methods to analysis  Estimate characteristics  Verify product characteristics ‰ Provides/supports domain-specific software patterns ‰ Library of configurable/generic components  Components that satisfy architecture guidelines for plug-in use  Components organized by some taxonomy
1/16/2002
Model-Based AADL Process
What is an Architecture Description Language? ‰ Describe high-level designs ‰ Treats system as collection of connected components  Layout of components defines structure  Connectors define communication  Component interfaces are first-class citizens  Attributes narrowly defines  semantics for component interactions, systemic behaviors, and emergent properties ‰ Does NOT describe algorithms, data structures or circuits
9
ments stem Int ra ReAquniarleysisegtion EExnpgliinceiet rAinrgc hMiteocdteulrePRraepdiidc tIanbtleeg rSaytsitoenm  Upgradeability Design and Implementation 1/16/2002
12
ebtrC lo2guage and UML9 JD sercpiitnoL naIEM/ 2EE2 00Ed--auna2 yrL200CA AerutcetihcrA scionviA
1/16/2002
SAE AADL Based on MetaH MetaH Standardization In-Progress ADL AADL TO -ANALYZE (Schedulabil Safety, Secur y -(SAYuStoT-EgenMe rCatOesN sSTchReUduClTerI OanNd  Future compiles/links all software for  URpTg rSaadfeedt ya/nMdi sSstiaonn dCarridtiizceald   Production integrated production system) Extended Large scale systems, Toolsets event and dynamic architecture capabilities
MetaH Language ‰ Textual & graphical forms ‰ Allows specification of  Code modules that form application  e.g. subprograms, processes, packages, monitors  Execution behavior of application  including timing, safety level, security level, modes of operation, & fault recovery  Target  Hardware  e.g. Processors, devices, memory, channels  Software environment  Allocation of application to hardware 1/16/2002 18
17
What is MetaH? ‰ ADL with supporting toolset for specifying, analyzing, & integrating computer control systems  Supports system architectures that are  Real-time,  Fault-tolerant  Securely partitioned  Dynamically reconfigurable  Multi-processor ‰ Design by Honeywell 1/16/2002
Model-Based Development Process using AADL ‰ Create model of architecture with its properties ‰ Analyze model  Schedulability  General Rate Monotonic Scheduling with extensions.  Reliability  Stochastic Concurrent Processes and Markov Chains  Safe/secure partition  Graph Theory for Dependence Modeling  Impact of component failure  Graph Theory for Dependence Modeling ‰ Generate system ‰ Effect of change is understandable from analysis 1/16/2002 14
16
15
1/16/2002
Outline ‰ Problems Developing Embedded Real-Time Systems ‰ How Avionics Architecture Description Language Will Help ‰ Overview of AADL ‰ Language Elements ‰ Draft Language Elements ‰ Extending UML ‰ Draft UML Metamodel & Profile for AADL ‰ AADL/UML Generic Missile Example ‰ AADL Standard Process ‰ Final Notes
Model-Based AADL Engineering Software Analyses Engineer System Build Schedulability Executive Generation Reliability Component Integration Fault Tolerance Real-Tim cture Model Software Hardware Automatic Target
Navi ati gna gProcessing 1/16/2002
13
 -02d -EEE/I20E bloC3treAvionia dnaueg 9aJU LMy 20nuar ACM02LAihcrA sc erutcetptriscDengLan io
ivAcinorA stihctuec DrecrestiipnoL naugga ena dUML9 January 200/MCA AL2002 EEEI CEd--2 4rtbeol
21
22
MetaH Generated Partitioned Architecture Software Software Software Software Component Component Component Component MetaH Executive Fault Recovery, Execution Control, Mode Control, Timing Control, Data Synchronization, MetaH Kernel Interprocess Communication Operating Environment Embedded Hardware Target Strong Partitioning Portability Timing Protection Application Components OS Call Restrictions Tailored MetaH Executive Memory Protection MetaH Kernel
1/16/2002
20
MetaH Toolset (cont.) source modules AADL specifications graphical textual editor editor compliance syntax and checker semantics checker HW/SW binder executive schedulability reliability partition configurer analyzer analyzer analyzer make load image linfeoarrm hayl bvreidri fiacuatotimonata
MetaH Target Environments ‰ Current Tartan 80960 MP ‰ In Process  Standard Ada95  LynxOS MP  Aonix Pentium MP  ICC.LynxOS.PowerPC  GNAT NT  Aonix.LynxOS.PowerPC  GNAT Solaris Green Hills.Integrity  Ada, C, C++ processes  750 PowerPC  GNAT RT Solaris  750 PowerPC MP  Green Hills.VxW.PowerPC
1/16/2002
1/16/2002
1/16/2002
MetaH Toolset ‰ Analyzes  Schedulability  Reliability  Safety ‰ Generates integrated, environment-specific code for  Application components  Executive  Architectural glue
MetaH Evaluation & Demonstration Projects ‰ Missile G&C reference architecture (AMCOM SED) ‰ Missile Re-engineering demonstration (AMCOM SED) ‰ Space Vehicle Attitude Control System (AMCOM SED) ‰ Reconfigurable Flight Control (AMCOM SED) ‰ Hybrid automata formal verification (AFOSR, Honeywell) ‰ Missile defense (Boeing) ‰ Fighter guidance SW fault tolerance (DARPA, CMU, Lockheed-Martin) ‰ Incremental Upgrade of Legacy Systems (AFRL, Boeing, Honeywell) ‰ Comanche study (AMCOM, Comanche PO, Boeing, Honeywell) ‰ Tactical Mobile Robotics (DARPA, Honeywell, Georgia Tech) ‰ Advanced Intercept Technology CWE (BMDO, MaxTech) ‰ Adaptive Computer Systems (DARPA, Honeywell) ‰ Avionics System Performance Management (AFRL, Honeywell) ‰ Ada Software Integrated Development/Verification (AFRL, Honeywell) ‰ FMS reference architecture (Honeywell) ‰ JSF vehicle control (Honeywell) ‰ IFMU reengineering (Honeywell) 1/16/2002 24
23
MetaH History ‰ 1991 DARPA DSSA program begins ‰ 1992 First partitioned target operational (Tartan MAR/i960MC) ‰ 1994 First multi-processor target operational (VME i960MC) ‰ 1998 Portable Ada 95, POSIX executive configurations ‰ 1991present Evaluation & demonstration projects  See next page 1/16/2002
19
20- E- doCblre5ty 20nuar9 Ja UML E02I/EEA MC20ALptriscDee urcttedna egaugnaL noiscA crihvAoiin
Graphical MetaH Example: Top Level
AADL v0.1 (MetaH) Language Summary Component Description Primitive Event Signal declared in a non-primitive components interface, indicating that the component can receive that signal. Port Persistent typed data object declared in a non-primitive components interface, which is used to exchange data with other connected non-primitive components. Type Reusable data description. Connection Link between interface elements that establishes a communication path or equivalance. Non-Primitive Application Highest-level object, which specifies the software object and the hardware system on which that software runs. Subprogram Function or procedure. Process Self-contained schedulable unit that provides security, fault, memory containment (used to represent software processes). Package Collection of subprograms and persistent data objects. Types Package Collection of types. Monitor Package that enforces synchronous access to its data objects (implemented using a real-time semaphore or an Ada protected record). Processor Active hardware entity capable of executing software processes. Device Active hardware entity which cannot execute software processes, but which may send or receive messages via ports, and may share memories with processors. Channel Hardware entity that connects processors and devices, and provides for passing messages between ports. Memory Passive block of physical memory, which may be shared between processors. Macro Reusable collection of processes, with specification of how their ports and events are connected and how packages and monitors are shared between processes. When multiple macros are included in an application, the processes in all the macros are concurrent, unless there is more than one mode (see below). Mode Collection of processes like a macro, but unlike macros only one mode (i.e., its processes) is active at any time. Path Sequence of execution through component subprograms. System Collection of hardware entities. 1/16/2002 27
Software Hardware Object Object ‰ Application declarations combine a software architecture with a hardware architecture ‰ An architecture consists of communicating, typed objects ‰ Many attributes of the software objects can be made conditional on the type of hardware object being used 1/16/2002
28
Application Structure
MetaH Benefits ‰ Structure & behavior captured in single model ‰ Architecture can be optimized early & incrementally ‰ Highly portable software with strong isolation from hardware, operating system, & compiler dependencies ‰ Conformance between specified architecture model & implemented system architecture ‰ Significantly reduced cost for IV&V & recertification on upgrades  Due to strong partitioning (memory and time).  Extensions for kernel certification automation & testing support will further automate certification process ‰ Architecture changes made in ADL  Cost effective  e.g. very rapid processor upgrades  Allows low cost rapid system evolution  e.g. retarget SW to new bus, CPU, I/O ‰ Rapid retargeting allows Software First approach 1/16/2002 26
Effort Saved on AMCOM Generic Missile Project Using MetaH ‰ Total project 50% ‰ Port Phase 90% 8000 7000 6000 5000 4000 3000 Current 2000 1000 Using 0 MetaH Revi Current MetaH - Build Debug Port 1/16/2002 MetaH Current form6DOFMissileDebug 25
1/16/2002
A.I B C A A.J B D Interface to A- There can be several type objects implementations for the interface
29
AADL Hierarchical and Compositional
30
1/16/2002
 scinoivcetihcrAAuggaL na dMU ena DesturetioncripCA AEI/M2 EE 200 JL9uaan 2ry2L00--Ed Colbert6
32
Source Descriptions and Composition Application sGorourucpei nmgos doufl es Mode Macro abnetd wceoennn tehcetimons Connections Process Package/Monitor Subprogram Port Type Port Variable Event
Graphical MetaH Example: Application Implementation
1/16/2002
35
Process Attributes ‰ A process is the fundamental unit of scheduling and computation ‰ A periodic process is automatically dispatched at specified regular (periodic) intervals ‰ An aperiodic process is dispatched in response to one of a set of events ‰ A process execution time is monitored and optionally enforced ‰ Processes can have ports, send events and share monitors, packages and subprograms 1/16/2002
1/16/2002
34
33
31
A Process Is . . . ‰ Unit of scheduling with a period, deadline and criticality. ‰ Protected address space in a partitioned system. Shareable ‰ Unit of binding to a processor Object  Shareable objects within a process Process can be bound to a specific memory accessible from that processor.  A monitor is a shareable object with mechanism for enforcing mutual exclusion 1/16/2002
36
Process States Stopped Unhandled fault Restarting Awaiting Await dispatch call Dispatch Unhandled fault Computing
Mapping Software Objects to Source Files package Kalman is ... end Kalman; with Kalman; MetaH Object package Nav_Data is Rates, Accelerations: Vector; SourceFile := end Nav Data; _ with Kalman; _ with Nav Data; procedure Navigate is begin A MetaH software object Initialize; specification can describe multiple loMoeptaH.AwaitDispatch; _ files containing multiple compilation Update; units and declarations. enedn dN alvoigoapt;e; 1/16/2002
1/16/2002
Message Connection Types ‰ Imply sequencing & timing requirements ‰ Single sample delay  Transfer of data at deterministic time  Data is copied  From out port at sending components deadline  To in port at start of receiving components next execution  Allows feed-back loops ‰ Undelayed  Data copied  From out port completion of sending components execution  To in port at start of receiving components next execution  Constrain order of execution & communication  Allow end-to-end deadlines, minimize latency  Must be acyclic, criticality monotonic ‰ Connections between periodic processes have deterministic timing and function dependence 1/16/2002
41
1/16/2002
42
Process Main Procedure ‰ A process is implemented as  An Ada or C procedure and,  If process has ports, a port package. ‰ E.g. for a process called P1 that has no ports with MetaH; #include <metah.h> procedure P1 is void p1(void) -- local declarations begin { -- initialize process //**  lionictiaal lidzee cplarroacteiosnss* /*/ loop  -- wait for period: while (metah_true) { H.Await Dis atch /* wait for period: */ Meta _ p ; -- do periodic activity _ t_dispatch(); metah awai end loop; /* do periodic activity */ end P1; } } 1/16/2002
37
39
38
1/16/2002
1/16/2002
Port ‰ Ports allow processes to exchange information via messages ‰ Processes, macros, modes, unshared monitors, and unshared packages, and subprograms may contain ports ‰ Ports are strongly typed  Connected ports must have same type ‰ Ports are either in or out
Graphical MetaH Example: Port Descriptions
1/16/2002
Message Connections ‰ Every connection  Effectively,  Starts at out port of a process  May actually started at port of nested subprogram  Ends at in port of a process  May actually end at port of nested subprogram  Connections between components at same level must be from out port to in port  Connections between container & component must be between ports with same direction  i.e. in to in , out to out 40
Event Connections ‰ Events are sent by processes ‰ An event can trigger execution of one or more aperiodic processes ‰ Mode changes are initiated by events
 ega dna9LMUnaJ crestiip Longuan srAhcticeuterD Avionic7rtbeol2 00EIEEdEC  2-- 200uaryACM/2LA 
8trebly ar0220 ALA/ICM EEE2002E-- oC dscription Languaega dnU LM 9aJuncsniioAvetihcrA eD erutc
1/16/2002
47
1/16/2002
43
Concurrent Modes . . .
1/16/2002
Possible configurations: A.X+B.U A.X+B.V A.Y+B.U A.Y+B.V (Not yet supported.)
Macro A Macro B Mode X Mode Y Mode U Mode V
A Macro Is . . . ‰ Hierarchical group of related processes (and other macros and modes) ‰ It allows connections between its own ports and events, and the ports and events of its implementation objects ‰ Allows equivalency between shareable objects of the contained object and of the macro itself. ‰ Allows setting attributes for components, connections, equivalences and the macro itself.
Graphical MetaH Example: Macro Implementation
Macro
1/16/2002
44
Submodes are Modes Inside Modes
45
1/16/2002
A Mode Is . . . ‰ A configuration of active processes. ‰ Mode changes stop and Process start subsets of processes B and change patterns of Mode message and event ProAcess connections. ‰ There is always an initial mode. Process ‰ Event connections create a C mode transition diagram. Mode B
48
1/16/2002
A B X Y U V Possible configurations: A.X A.Y B.U B.V
46
Graphical MetaH Example: Mode Implementation
52
Graphical MetaH Example: Hardware Implementation
Processor Specification ‰ Describes a computer  built around a particular type of CPU  running a particular µ− kernel or RTOS  targeted by a particular cross-development toolset ‰ Multiple processors may be present in a MetaH specification ‰ Name of a processor is used to select software implementations bound to it (i.e., ADA95) 1/16/2002 50
Outline ‰ Problems Developing Embedded Real-Time Systems ‰ How Avionics Architecture Description Language Will Help ‰ Overview of AADL ‰ Draft Language Elements ‰ Extending UML ‰ Draft UML Metamodel & Profile for AADL ‰ AADL/UML Generic Missile Example ‰ AADL Standard Process ‰ Final Notes 1/16/2002
51
1/16/2002
54
UML Profile ‰ Predefined set of stereotypes, tagged values, constraints, & notation icons that collectively specialize UML for specific domain or process ‰ Does not extend UML by adding any new basic concepts ‰ Provides conventions for applying & specializing standard UML to particular environment or domain ‰ (as defined in UML 1.3) 1/16/2002
53
Extending UML ‰ UML provides modeling concepts & notations for typical software modeling projects ‰ Users may need  Additional features and/or notations  Non-semantic information attached to models ‰ UML core concepts can be extended or specialized by users  3 built-in extension mechanisms  Stereotype  Constraint  Tagged Value  Can be used separately or together ‰ Can extend UML metamodel by explicitly adding new metaclasses & other metaconstructs  Depends on modeling tools or use of meta-metamodel facility 1/16/2002
Hardware Object Types ‰ SYSTEM: collection of processors and devices ‰ PROCESSOR: hosts one executable image ‰ DEVICE: Active device with ports and events, but cannot host an image ‰ CHANNEL: Hardware support for port-to-port messages, shared between processors and devices ‰ MEMORY: Object to which monitors, packages can be bound; shareable between processors and devices ‰ PORT, EVENT, MONITOR: Hardware (platform) versions of the corresponding software objects 1/16/2002 49
itpiL nougna egad anL9UMan Jryua2 00L2 ACA/MEIEE 2002 --Ed Colbe9trrcseD erutcetihcArs iconviA
vAoinics ArchitecturLM 9dnU ega gnaun Laptioscrie DeE-- 2002 EEEI/MC ALA0220y arnuJat10d Colber
Constraints ‰ Semantic condition or restriction  Boolean expression associated with model element(s)  Must be true for the model to be well formed  Assertion not an executable statement Certain constraints are predefined in UML ‰ 3 forms  Invariant  Precondition  Postcondition ‰ May be expressed in UMLs Object-Constraint Language (OCL) ‰ May be associated with specific stereotype to define semantics  Inheritable 1/16/2002
Stereotypes (Cont.) ‰ Names of new stereotypes must not clash with  Names of predefined metamodel elements  Names of other stereotypes ‰ A model element can be marked by 1 stereotype  Also called classified by or "stereotyped"  Stereotype can be constructed as specialization of other stereotypes  Receives features & semantics defined for stereotype ‰ Intent is that tools & repositories be able to manipulate stereotyped element  Same as ordinary element for most editing & storage purposes  Differentiating it for certain semantic operations, such as well-formedness checking, code generation, or report writing 1/16/2002 56
Stereotypes ‰ Classify model elements at object-model level  Instances of stereotyped element behave as if they were instances of new metamodel classes whose form is based on existing "base" metaclasses ‰ Augment UML classification mechanism based on built-in UML metamodel class hierarchy ‰ Adds "virtual" UML metaclasses with new  Semantics  Meta-attributes  Property lists  Constraints  Graphical representation 1/16/2002
58
57
Property Lists & Tagged Values ‰ Any modeling element may have arbitrary information attached in form of property list ‰ Property List consists of tag-value pairs Tag is user-definable unique name string for property  Value is string  Arbitrary from UMLs perspective  May be constrained by definer  May be meaningful to tools ‰ Stereotype may require specific  Set of tags pseudo-attributes  Optional default values  constraints 1/16/2002
60
Draft Metamodel & Profile for AADL ‰ Following UML Class Diagrams show  Metamodel for MetaH concepts  Hierarchy of stereotypes defined for MetaH concepts ‰ Most MetaH concepts defined as stereotypes of UML class  Some MetaH concepts semantically closer to more specialized UML concepts, but  May be semantic incompatibilities  Some tools restrict  Types of diagrams that more specialized UML concepts can appear on  Kinds of relations that can be drawn between the more specialized UML concepts ‰ MetaH component defined as a stereotype of UML feature  UML feature supports current way that Graphical MetaH represents components  MetaH component semantically closer to a UML association ‰ MetaH attribute is represented as a UML property ‰ Need deeper study to resolve issues 1/16/2002
59
Outline ‰ Problems Developing Embedded Real-Time Systems ‰ How Avionics Architecture Description Language Will Help ‰ Overview of AADL ‰ Draft Language Elements ‰ Extending UML ‰ Draft UML Metamodel & Profile for AADL ‰ AADL/UML Generic Missile Example ‰ AADL Standard Process ‰ Final Notes 1/16/2002
55