
Formalizing Software Architectures for Embedded Systems
Pam Binns and Steve Vestal
This work has been brought to you by DARPA, AFOSR and AMCOM.

Outline
Avionics Architecture Description Language (MetaH)
• Overview and motivation
• Structure and syntax
• Computation and communication
• Reliability and safety
• Implementing systems
Research Activities
• Integrated partitioned time-and-event workloads
• Efficient low-latency distributed system scheduling
• Hybrid automata scheduling and analysis
• Integrated reliability and system safety
• Dynamic reconfiguration

Integrated and Traceable Specification, Analysis, Implementation
[Figure: discipline-specific design notations with editing and visualization tools; formal modeling; verification and analysis methods and tools giving design feed-back; implementation methods and tools producing the implementation]
• Increase assurance that the implementation behaves the way the models say it will behave
• Improve quality of system design through more accurate and rapid design-time evaluation
• Decrease modeling, implementation, debugging and verification effort

Integrated Modular Avionics System Integration
[Figure: meta-tooling diagram with the labels Target Hardware Specifications, MatLab, MATRIXx, ControlH, MetaH, Re-engineering of legacy software, Other Complete Specialized Toolsets, Software & Systems Integration Toolset, Traditional Development, Executable System, Meta-Tooling]

An Open Systems Solution
• Compatible with existing standards (e.g. Ada, C/C++, POSIX)
• Emerging SAE standard Avionics Architecture Description Language
  – first ballot scheduled 2003
  – industry and government participation, e.g. Army, Boeing, Dassault, NIST, Rockwell/Collins, Smiths Industries, Navy, Lockheed-Martin, Honeywell, Pratt/Whitney, Raytheon, Airbus
• Potential UML-RT profile for safety-critical hard real-time

MetaH Toolset Functions
[Figure: toolset functions: graphical editor, textual editor, syntax and semantics checker, compliance checker, HW/SW binder, middleware configurer, schedulability analyzer, reliability analyzer, partition analyzer, linear hybrid automata formal verification, make; inputs are source modules and AADL specifications, output is the load image]

AMCOM Effort Saved Using MetaH
[Bar chart: man hours (0 to 8000) for the Traditional Approach versus Using MetaH across the review, translate, transform, test, build, debug and re-target steps of 3-DOF and 6-DOF missile models; total project savings 50%, re-target savings 90%]
• Development cost (NRE) is usually a small fraction of life cycle cost (LCC).
• Maximizing design quality is often more important than minimizing design effort.

Specification Language is Hierarchical and Compositional
[Figure: an interface to objects of type A; implementations A.X for objects of type A (zero or more allowed), composed of sub-objects B, C, D, E, F]
• Leaf objects describe software and hardware components

Software Descriptions and Composition
• Groupings of functional subsystems and connections between them: Application, Mode, Macro, Connections
• Descriptions of source code: Process, Package/Monitor, Subprogram, Port Type, Port Variable, Event

Hardware Descriptions and Composition
• Groupings of functional subsystems and connections between them: Application, System, Connections
• Descriptions of physical hardware objects: Device, Memory, Processor, Channel
• AADL will combine application, macro and system into a single, more powerful system category with improved support for software/hardware co-design, virtual machine and layered system specification, etc.

Computation and Communication
[Figure: process timeline showing release time, deadline, execution time, message in and message out]
• Processes are repetitively dispatched
  – periodic (time-triggered)
  – aperiodic (event-triggered)
• Message input/output occurs at release times and deadlines
• Periodic workloads have deterministic functional dependency
  – independent of execution and communication times (if schedulable)
  – independent of software/hardware binding
• Shared objects are supported

Messages
• Data is copied by an automatically configured executive
  – from an out port variable after sender completion
  – to an in port variable before the start of receiver execution
• Connections and transfers may
  – be undelayed (with implied execution order constraints)
  – have single sample delay
• There is a combined event-with-data connection
• User selection among real-time semaphore protocols for shared objects

Events Have Continuous Signal Semantics
[Figure: event signal against time, with per-processor rise times and a single fall time]
• Event signal rise time may be different on different processors.
• Event signal fall time is identical and fault-tolerant on all processors.
• default event duration is the period of the raising process
• mode changes occur at the falling edge of the triggering event
• events arriving at executing aperiodics may nudge, signal or interrupt
• meaningful semantics for logical operations on events

Dynamic Reconfiguration
[Figure: Mode A containing Process A and Process B, Mode B containing Process C, with an event connection between the modes]
• A mode is a configuration of active processes and connections.
• Mode changes stop and start subsets of processes and change patterns of message and event connections.
• Event connections create a hierarchical mode transition diagram.

Schedulability Analysis
Given
• process/processor and message/channel bindings
• process periods, deadlines, criticalities
• sequence of modules executed by a process
• module nominal and worst-case compute times
Compute
• processor and channel schedulability
• processor, channel, process, module utilizations
• parametric compute time sensitivity analysis

Stochastic Automata Fault Model
[Figure: each processor's error model has the states error_free, permanent fault and failed, with a permanent error transition and a propagate transition; the two automata are joined by an error propagation synchronization]
• Component error models are specified as stochastic automata
• Error propagation synchronizations can be determined from
  – architecture specification
  – voting protocol specifications
• For Poisson rates, a Markov chain system model can be generated

Fault-Tolerance and Safety Features
• A process may be time and space partitioned
• Safety/design assurance level may be specified for any component
• Hazardous run-time capabilities enabled on a per-process basis
• Executive consensus protocol is plug-replaceable
• Message data errors detected and reported (but not corrected)
• Process error handling semantics are defined
• Model generators output human-readable, structured models

Reliability Analysis
Given
• possible fault types and error states
• system architecture (potential propagation paths)
• consensus/voting planes
• operational versus failed system configurations
• mission duration
Compute
• Pr(fail)

Partition Isolation Analysis
Given
• time-and-space partitions in architecture
• safety/assurance level (A..E) for each component
Verifies
• no error in a component with lower safety level can propagate to a component with higher safety level

Code Integration/Generation
• Automatically configures an executive/middleware
  – Generates time-driven dispatcher for periodic processes and messages
  – Generates message passing code
  – Generates code to vector events for processes, messages, mode changes
  – Tailors an API to the services required by and authorized for each process
• Automatically performs compiles and links needed for each processor image

Middleware Structure
[Figure: on each of Processor A and Processor B, application processes run on automatically generated MetaH executive components, MetaH executive library components and target-specific library components, above the run-time or RTOS]
• One downloadable image file is generated for each processor.

Complex Embedded Workload Issues and Goals
• Hard real-time scheduling theory limited to
  – repetitive weakly-interacting tasks
  – fixed bounds on arrival rates and compute times
• Event-driven models are more
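The Stochastic Automata Fault Model and Reliability Analysis slides above describe generating a Markov chain from per-component error automata and computing Pr(fail) for a mission duration. The following is an added example, not code from the MetaH toolset: two replicated processors, each with an error_free/failed automaton and a Poisson permanent-fault rate, joined by an error-propagation synchronization that fires with probability p_prop; the 1-of-2 voting plane, the rates and the mission length are constructed assumptions, and the chain is solved by uniformization with an analytic cross-check.

```python
import math

def two_processor_generator(lam, p_prop):
    """Generator matrix Q of the Markov chain generated from two identical
    processor automata (error_free -> failed at Poisson rate lam per hour)
    joined by an error-propagation synchronization: with probability p_prop a
    permanent fault propagates to the peer processor before it is masked.
    State = number of failed processors (0, 1, 2); 2 is system failure under
    the 1-of-2 voting plane assumed for this example."""
    return [[-2 * lam, 2 * lam * (1 - p_prop), 2 * lam * p_prop],
            [0.0, -lam, lam],
            [0.0, 0.0, 0.0]]  # absorbing: both processors failed

def transient_distribution(q, p0, t, tol=1e-12):
    """State probabilities at time t by uniformization:
    P(t) = sum_k Poisson(k; L*t) * p0 * U^k, U = I + Q/L, L = largest exit
    rate. Terms are added until the Poisson weights sum to 1 - tol.
    (exp(-L*t) underflows for very large L*t; not an issue here.)"""
    n = len(q)
    rate = max(-q[i][i] for i in range(n))
    if rate == 0.0:
        return list(p0)
    u = [[q[i][j] / rate + (1.0 if i == j else 0.0) for j in range(n)]
         for i in range(n)]
    vec, result = list(p0), [0.0] * n
    weight, used, k = math.exp(-rate * t), 0.0, 0
    while used < 1.0 - tol:
        result = [r + weight * v for r, v in zip(result, vec)]
        used += weight
        vec = [sum(vec[i] * u[i][j] for i in range(n)) for j in range(n)]
        k += 1
        weight *= rate * t / k
    return result

def pr_fail(lam, p_prop, mission_hours):
    """Pr(fail): probability of being in the failed state at mission end,
    starting with both processors error_free."""
    q = two_processor_generator(lam, p_prop)
    return transient_distribution(q, [1.0, 0.0, 0.0], mission_hours)[2]

def pr_fail_closed_form(lam, p_prop, t):
    """Analytic solution of the same chain, used to cross-check the solver."""
    e1, e2 = math.exp(-lam * t), math.exp(-2 * lam * t)
    return 1.0 - e2 - 2.0 * (1.0 - p_prop) * (e1 - e2)

if __name__ == "__main__":
    for p in (0.0, 0.1, 1.0):  # constructed: 1e-4 faults/hour, 10 hour mission
        print(f"p_prop={p:.1f}  Pr(fail)={pr_fail(1e-4, p, 10.0):.3e}")
```

With p_prop = 0 the result reduces to (1 - e^(-lam*t))^2 for independent failures, and with p_prop = 1 to 1 - e^(-2*lam*t), which is why the propagation synchronization, not just the per-component rate, drives Pr(fail).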
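The Partition Isolation Analysis slide above states the property to verify; the code below is an added example (not the MetaH partition analyzer) that runs that check over a small constructed architecture. It assumes assurance levels A..E with A the most critical, that error propagation paths are the explicit port connections plus both directions between components sharing an unpartitioned address space, and the component names, levels and partitions are made up.

```python
from collections import defaultdict, deque

RANK = {"A": 4, "B": 3, "C": 2, "D": 1, "E": 0}  # assurance levels, A most critical

def propagation_graph(components, connections):
    """Directed error-propagation graph: each port connection sender -> receiver,
    plus both directions between components sharing a space partition (no memory
    isolation between them; a modelling assumption of this example)."""
    edges = defaultdict(set)
    for sender, receiver in connections:
        edges[sender].add(receiver)
    co_located = defaultdict(list)
    for name, (_, partition) in components.items():
        co_located[partition].append(name)
    for members in co_located.values():
        for a in members:
            edges[a].update(b for b in members if b != a)
    return edges

def reachable(edges, start):
    """All components an error raised in `start` can reach (breadth-first)."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def isolation_violations(components, connections):
    """Sorted (source, target) pairs where an error in a lower-assurance source
    can reach a higher-assurance target; an empty list means the property holds."""
    edges = propagation_graph(components, connections)
    return sorted((src, dst)
                  for src, (level, _) in components.items()
                  for dst in reachable(edges, src)
                  if RANK[level] < RANK[components[dst][0]])

# Constructed architecture: component -> (assurance level, space partition).
COMPONENTS = {"autopilot": ("A", "flight"), "air_data": ("B", "flight"),
              "nav_display": ("D", "cabin"), "maint_log": ("E", "cabin")}
# Port connections (sender, receiver): air data feeds the autopilot, which drives
# the display, which is logged for maintenance.
CONNECTIONS = [("air_data", "autopilot"), ("autopilot", "nav_display"),
               ("nav_display", "maint_log")]
# Same design with every component in its own space partition.
PARTITIONED = {name: (level, name) for name, (level, _) in COMPONENTS.items()}

if __name__ == "__main__":
    print(isolation_violations(COMPONENTS, CONNECTIONS))
    print(isolation_violations(PARTITIONED, CONNECTIONS))
```

Partitioning removes the co-location paths (the E-level maintenance log can no longer reach the D-level display), but the explicit B-to-A connection is still flagged, which is exactly the kind of path that the detected-but-not-corrected message data error reporting on the Fault-Tolerance and Safety Features slide is there to cover.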