

# Validation of Safety-Critical Systems with AADL

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Peter H Feiler April 11, 2008


© 2006 Carnegie Mellon University

# Outline

- **Multiple aspects of system validation**
- System & software engineers working together
- Multi-fidelity model-based analysis
- Property preserving transformations
- Conclusions




# **Dimensions of System Validation**




Safety-Critical Systems & AADL Feiler, April 2008 © 2008 Carnegie Mellon University

#### **Single Source Annotated Architecture Model**




# **Architecture-Driven Modeling**




# **AADL and Safety-Criticality**

#### Fault management

- Architecture patterns in AADL
  - Redundancy, health monitoring, ...
- Fault tolerant configurations & modes

#### Dependability

- Error Model Annex
- Specification of fault occurrence and fault propagation information
- Use for hazard and fault effect modeling
- Reliability & fault tree analysis

#### Behavior validation

- Behavior Annex
- Model checking
- Source code validation

# Outline

- Multiple aspects of system validation
- **System & software engineers working together**
- Multi-fidelity model-based analysis
- Property preserving transformations
- Conclusions




# **Traditional Embedded System Engineering**






### **Software-Intensive Embedded Systems**



# **Mismatched Assumptions**



### **Predictable Embedded System Engineering**




# **Working Together**

#### Conceptual architecture

- UML-based component model
- Architecture views (DoDAF, IEEE1471)
- Platform independent model (PIM)

#### System engineering

- SysML as standardized UML profile
- Focus on system architecture and operational environment

#### Embedded software system engineering

- SAE AADL
- OMG MARTE profile based on AADL
- AADL as MARTE sub-profile
- Non-functional properties require deployment on platform

#### Data modeling

- UML, ASN.1, ...

# Outline

- Multiple aspects of system validation
- System & software engineers working together
- **Multi-fidelity model-based analysis**
- Property preserving transformations
- Conclusions




### **Impact of Sampling Latency Jitter**

Impact of Scheduler Choice on Controller Stability

- A. Cervin, Lund U., CCACSD 2006

Sampling jitter due to execution time jitter and application-driven send/receive

Figure panel: Unstable System


# **Latency Contributors**



- Sampling latency
- Physical signal latency




# **ARINC 653 Partitions & Communication**

- Frame-delayed inter-partition communication
- Timing semantics are insensitive to partition order




# **Latency Impact of Partitions**



#### Intended Data Flow in Task Architecture




### Frame-level Latency Jitter of Data Stream

Example: non-deterministic 2X downsampling

- Desired sampling pattern: frames n, n+2, n+4 (intervals 2, 2, 2, ...)
- Worst-case sampling pattern: frames n, n+1, n+4 (intervals 1, 3, ...)
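The two sampling patterns above, reproduced in a small simulation. This is an added example written for this page, not code from the deck or from SEI. It assumes a producer with period 1 and a consumer with period 2, constructed per-frame delivery offsets (standing in for execution-time jitter, application-driven send and transfer delay; an offset above 1.0 means the frame lands after the producer's next dispatch) and constructed consumer read offsets. With application-based send/receive (ASR) the consumer sees frames n, n+1, n+4 (intervals 1, 3); with dispatch-based send/receive (DSR), where output is released at the producer's period end and input is sampled at the consumer's dispatch, the same offsets give n, n+2, n+4 (intervals 2, 2, 2).

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class SamplingTrace:
    frames: List[int]      # producer frame index consumed at each consumer dispatch
    intervals: List[int]   # difference between successive consumed frame indices


def latest_visible_frame(arrival_times: Sequence[float], t: float) -> int:
    """Index of the newest producer frame that has arrived at the consumer's port by time t.
    The port holds the most recent value only, so older frames are overwritten; -1 = nothing yet."""
    latest = -1
    for k, arrival in enumerate(arrival_times):
        if arrival <= t:
            latest = k
    return latest


def sample_stream(arrival_offsets: Sequence[float], read_offsets: Sequence[float],
                  producer_period: float = 1.0, consumer_period: float = 2.0,
                  dispatch_based: bool = False) -> SamplingTrace:
    """Consumer (period consumer_period) downsamples a producer stream (period producer_period).

    Producer frame k is sensed at its dispatch time k * producer_period.
    ASR (dispatch_based=False): frame k becomes visible at k*P + arrival_offsets[k], an assumed
        bundle of execution-time jitter, application-driven send point and transfer delay;
        consumer dispatch j reads at j*C + read_offsets[j] (its own execution jitter).
    DSR (dispatch_based=True): frame k is released at the producer's period end (k+1)*P and the
        consumer reads exactly at its dispatch j*C, so jitter inside a period cannot change what it sees.
    Consumer dispatch 0 is skipped so that a frame is always available at the first read.
    """
    if dispatch_based:
        arrivals = [(k + 1) * producer_period for k in range(len(arrival_offsets))]
    else:
        arrivals = [k * producer_period + d for k, d in enumerate(arrival_offsets)]
    frames = []
    for j, e in enumerate(read_offsets, start=1):
        t = j * consumer_period + (0.0 if dispatch_based else e)
        frames.append(latest_visible_frame(arrivals, t))
    intervals = [b - a for a, b in zip(frames, frames[1:])]
    return SamplingTrace(frames, intervals)


# Constructed timing data (not measurements): delivery offsets for ten producer frames,
# read offsets for four consumer dispatches.
ARRIVAL_OFFSETS = [0.5, 0.5, 0.5, 1.5, 1.5, 0.9, 0.8, 0.8, 0.8, 0.8]
READ_OFFSETS = [0.1, 0.1, 0.1, 0.1]


def jittery_pattern() -> SamplingTrace:
    return sample_stream(ARRIVAL_OFFSETS, READ_OFFSETS, dispatch_based=False)


def deterministic_pattern() -> SamplingTrace:
    return sample_stream(ARRIVAL_OFFSETS, READ_OFFSETS, dispatch_based=True)


if __name__ == "__main__":
    for name, trace in (("ASR, jittery", jittery_pattern()),
                        ("DSR, deterministic", deterministic_pattern())):
        print(f"{name:20s} frames={trace.frames} intervals={trace.intervals}")
```

The DSR branch is what makes the pattern independent of where inside a period the producer finishes: only the period boundaries decide which frame the consumer samples.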




#### Managed Latency Jitter through Deterministic Sampling




- Logical threads execute at a specific rate
- Multiple logical threads execute with the same rate
- Placement of units with the same rate in the same operating system thread
- Reduced number of threads and context switches




### **Rate Group Order Can Affect Latency**

Data flow from sensor $T_s$ to control $T_c$ to actuator $T_a$ with mid-frame communication

Effect of rate group order: the $T_c$ to $T_a$ communication becomes delayed

Occurs when pairwise immediate connections run in opposite directions
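A simulation of the rate group effect described on this slide, added here as an example and not part of the deck: one OS thread runs the logical threads $T_s$, $T_c$, $T_a$ in a fixed order once per frame, each immediate connection is a shared port holding the last written value, and the sensor tags its output with the frame number so the actuator's delay in frames can be read off directly. The task and connection names come from the slide; the tagging scheme and the analytic position rule are assumptions of the example.

```python
from typing import Dict, List, Optional, Tuple

Connection = Tuple[str, str]   # (sender, receiver): an immediate, mid-frame connection


def run_rate_group(order: List[str], connections: List[Connection],
                   source: str, sink: str, frames: int) -> List[Optional[int]]:
    """Execute `frames` frames of one rate group in the given task order.
    The source tags its output with the frame number; every other task forwards the tag
    found on its input port. Returns the tag the sink saw in each frame (None = no data yet),
    so frame - tag is the end-to-end delay in frames."""
    inputs: Dict[str, str] = {receiver: sender for sender, receiver in connections}
    ports: Dict[str, Optional[int]] = {task: None for task in order}  # last value on each out port
    seen: List[Optional[int]] = []
    for frame in range(frames):
        for task in order:
            if task == source:
                ports[task] = frame
            else:
                src = inputs.get(task)
                ports[task] = ports[src] if src is not None else None
            if task == sink:
                seen.append(ports[task])
    return seen


def steady_state_delay(order: List[str], connections: List[Connection],
                       source: str, sink: str, frames: int = 4) -> int:
    """Delay in frames of the sink's data behind the sensor once the pipeline is filled."""
    tags = run_rate_group(order, connections, source, sink, frames)
    if tags[-1] is None:
        raise ValueError("pipeline not filled within the simulated frames")
    return (frames - 1) - tags[-1]


def immediate_delay_frames(order: List[str], conn: Connection) -> int:
    """Analytic rule: a mid-frame connection is served in the same frame only if the
    receiver runs after the sender in the rate group; otherwise it slips one frame."""
    pos = {task: i for i, task in enumerate(order)}
    sender, receiver = conn
    return 0 if pos[sender] < pos[receiver] else 1


def opposite_direction_pairs(connections: List[Connection]) -> List[Connection]:
    """Immediate connections between the same two tasks in opposite directions:
    no order serves both mid-frame, so one of them is necessarily delayed."""
    present = set(connections)
    return sorted({tuple(sorted(c)) for c in connections if (c[1], c[0]) in present})


# Constructed flow from the slide: sensor -> control -> actuator, all immediate.
CHAIN: List[Connection] = [("Ts", "Tc"), ("Tc", "Ta")]

if __name__ == "__main__":
    for order in (["Ts", "Tc", "Ta"], ["Ts", "Ta", "Tc"], ["Ta", "Tc", "Ts"]):
        analytic = sum(immediate_delay_frames(order, c) for c in CHAIN)
        print(order, "delay frames:", steady_state_delay(order, CHAIN, "Ts", "Ta"), "analytic:", analytic)
```

The simulated delay and the analytic rule agree for every order, which is the point of the slide: nothing in the tasks changed, only the order in which the rate group runs them.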



# **Software-Based Latency Contributors**

- Execution time variation: algorithm, use of cache
- Processor speed
- Resource contention
- Preemption
- Legacy & shared variable communication
- Rate group optimization
- Protocol specific communication delay
- Partitioned architecture
- Migration of functionality
- Fault tolerance strategy




# Latency and Age of Data

Latency: the amount of time between a sensor reading and an output to an actuator based on the sensor reading

Age: amount of time that has passed since the sensor reading

Age Contributors

- Oversampling
- Missing sensor readings
- Failed processing
- Missed deadlines
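An added example (not from the deck) that separates the two measures defined above on a constructed sensor stream, in integer milliseconds: a controller that runs twice per sensor period (oversampling) and a stream in which two readings were lost. Path latency, the time from a reading to the first actuator output based on it, stays at 300 ms for every reading that arrives, while the age of the data at the actuator climbs to 2800 ms while the controller keeps reusing the last valid reading. Period and offset values are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Reading = Tuple[int, Optional[float]]   # (sensor timestamp in ms, value; None = reading lost)


@dataclass(frozen=True)
class ActuatorOutput:
    output_time: int    # ms: when the actuator command is issued
    reading_time: int   # ms: sensor timestamp of the reading the command was computed from

    @property
    def age(self) -> int:
        """Age of the data at the actuator: time elapsed since the sensor reading it is based on."""
        return self.output_time - self.reading_time


def latest_valid_reading(readings: List[Reading], t: int) -> Optional[int]:
    """Timestamp of the newest valid reading available at time t. A lost reading
    (failed processing, missed deadline) leaves the controller with the previous one."""
    newest = None
    for stamp, value in readings:
        if stamp <= t and value is not None:
            newest = stamp
    return newest


def run_controller(readings: List[Reading], dispatches: int, period: int,
                   read_offset: int, output_offset: int) -> List[ActuatorOutput]:
    """Periodic controller: at each dispatch it reads the newest valid sensor value
    read_offset ms after dispatch and commands the actuator output_offset ms after dispatch."""
    outputs: List[ActuatorOutput] = []
    for m in range(dispatches):
        dispatch = m * period
        stamp = latest_valid_reading(readings, dispatch + read_offset)
        if stamp is None:
            continue   # no valid reading has arrived yet, nothing to act on
        outputs.append(ActuatorOutput(dispatch + output_offset, stamp))
    return outputs


def path_latency(outputs: List[ActuatorOutput]) -> Dict[int, int]:
    """Latency per sensor reading: time from the reading to the first actuator output based on it."""
    first: Dict[int, int] = {}
    for out in outputs:
        first.setdefault(out.reading_time, out.output_time - out.reading_time)
    return first


def max_age(outputs: List[ActuatorOutput]) -> int:
    return max(out.age for out in outputs)


# Constructed sensor stream: one reading per 1000 ms; the readings at 2000 and 3000 ms were lost.
READINGS: List[Reading] = [(0, 10.0), (1000, 10.5), (2000, None), (3000, None),
                           (4000, 12.0), (5000, 12.4)]


def demo() -> List[ActuatorOutput]:
    # Controller period 500 ms (2x oversampling of the sensor), reads 100 ms and outputs 300 ms after dispatch.
    return run_controller(READINGS, dispatches=12, period=500, read_offset=100, output_offset=300)


if __name__ == "__main__":
    outs = demo()
    print("latency per reading (ms):", path_latency(outs))
    print("age at each actuator output (ms):", [o.age for o in outs])
    print("max age (ms):", max_age(outs))
```

A latency budget alone would pass this system (every delivered reading reaches the actuator within 300 ms); only the age measure exposes that the actuator ran for almost three seconds on stale data.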




# Outline

- Multiple aspects of system validation
- System & software engineers working together
- Multi-fidelity model-based analysis
- **Property preserving transformations**
- Conclusions




#### **Efficient Runtime System Generation**




### Will This Implementation Work?




### **Overlapping Message Lifespan**

Periodic threads MP and MC

MP ->> MC (AADL delayed connection)

Need for double buffering



### **Optimization of General Port Buffer Model**



# **Message Streaming Lifespan Framework**




# **Message Lifespan Properties**

- MC input-compute-output guarantee: $T_{C,M_i} \leq R_{M_i} = B_{MC_i} \leq E_{MC_i} \leq T_{C,M_{i+1}} \leq R_{M_{i+1}}$
- Message operation ordering condition: $S_{M_i} < X_{M_i} < R_{M_i}$
- MP bounded by producer dispatches: $T_{P,M_i} \leq B_{MP_i} \leq E_{MP_i} = S_{M_i} \leq T_{P,M_{i+1}}$
- MS bounded by sends and transfer: $S_{M_i} = B_{MS_i} \leq X_{M_i}^{*} \leq E_{MS_i} < S_{M_{i+1}}$
- MR bounded by transfers and receive: $X_{M_i}^{**} \leq B_{MR_i} \leq E_{MR_i} = R_{M_i}^{***} < X_{M_{i+1}}$

\* Completion of transfer

\*\* Start of transfer

\*\*\* Latest of multiple receivers

### **Sequential Execution of Periodic Tasks**

$(\tau_P ; \tau_C)^*$

Collapse to single buffer



#### **Application-based Send and Receive (ASR)**



$(\tau_P \mid \tau_C)^*$

**3 buffers**

$T_P \leq \alpha_P \leq S \leq \Omega_P \leq D_P$

$T_C \leq \alpha_C \leq R \leq \Omega_C \leq D_C$

$\alpha$: actual execution start time

$\Omega$: actual completion time

$[\alpha_P, \Omega_P] \cap [\alpha_C, \Omega_C] \neq \varnothing \Rightarrow$ non-deterministic S/R order
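The lifespan notation S, X, R and the double-buffering argument from the preceding slides, turned into a small checker. This is added example code, not the deck's: it validates the ordering condition $S_{M_i} < X_{M_i} < R_{M_i}$ and the MS bound that the send of $M_{i+1}$ follows the transfer of $M_i$, then derives the buffer count as the peak number of messages whose lifespan from send to receive overlaps. The constructed schedules (period 10, offsets as assumed in the code) give one buffer for the sequential case, two once the consumer's receive of $M_i$ slips past the send of $M_{i+1}$, and three when it slips past two sends. It counts buffers from lifespan overlap only; the per-operation copies (S/X/R) that the summary table later in the deck distinguishes are outside this example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class MessageLifespan:
    """Timeline of message M_i in the deck's notation: S = send, X = transfer, R = receive."""
    index: int
    send: float
    transfer: float
    receive: float


def periodic_lifespans(count: int, period: float, send_offset: float,
                       transfer_offset: float, receive_offset: float) -> List[MessageLifespan]:
    """Message M_i is produced in period i; all offsets are measured from the start of that period."""
    return [MessageLifespan(i, i * period + send_offset, i * period + transfer_offset,
                            i * period + receive_offset) for i in range(count)]


def ordering_violations(msgs: List[MessageLifespan]) -> List[str]:
    """Check S < X < R for every message and that the send of M_{i+1} follows the transfer
    of M_i (the MS bound X_{M_i} <= E_{MS_i} < S_{M_{i+1}}). Returns human-readable findings."""
    problems: List[str] = []
    for m in msgs:
        if not (m.send < m.transfer < m.receive):
            problems.append(f"M{m.index}: S={m.send}, X={m.transfer}, R={m.receive} violates S < X < R")
    for a, b in zip(msgs, msgs[1:]):
        if not (a.transfer < b.send):
            problems.append(f"M{b.index}: send at {b.send} does not follow transfer of M{a.index} at {a.transfer}")
    return problems


def buffers_required(msgs: List[MessageLifespan]) -> int:
    """A port buffer is occupied from S (message written) until R (consumer has copied it out).
    The buffers needed are the peak number of simultaneously live messages."""
    events: List[Tuple[float, int]] = []
    for m in msgs:
        events.append((m.send, +1))
        events.append((m.receive, -1))
    events.sort(key=lambda e: (e[0], e[1]))   # a buffer released at t may be reused by a send at t
    live = peak = 0
    for _, delta in events:
        live += delta
        peak = max(peak, live)
    return peak


# Constructed schedules (assumed values), producer and consumer of the same period 10.
def sequential_case() -> List[MessageLifespan]:
    # (tau_P ; tau_C)*: the consumer reads in the same period, after the producer's send
    return periodic_lifespans(5, 10, send_offset=4, transfer_offset=4.5, receive_offset=5)


def overlapping_case() -> List[MessageLifespan]:
    # consumer receives M_i late in the next period, after the producer already sent M_{i+1}
    return periodic_lifespans(5, 10, send_offset=8, transfer_offset=8.5, receive_offset=19)


def long_lifespan_case() -> List[MessageLifespan]:
    # receive two periods later: M_i, M_{i+1} and M_{i+2} are live at once
    return periodic_lifespans(5, 10, send_offset=8, transfer_offset=8.5, receive_offset=29)


if __name__ == "__main__":
    for name, msgs in (("sequential", sequential_case()), ("overlapping", overlapping_case()),
                       ("long lifespan", long_lifespan_case())):
        print(f"{name:14s} buffers={buffers_required(msgs)} violations={ordering_violations(msgs)}")
```

The sort key is the subtle part: at equal timestamps the release event is processed before the send, which encodes the assumption that a buffer freed by R may be written by the next S at the same instant; flipping that order would count one buffer too many in the boundary case.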

#### **Dispatch-based Send and Receive (DSR)**



# **Buffer Optimization Considerations**

Periodic & aperiodic task dispatch

Send and receive execution

- As part of application (ASR)
- As part of task dispatch/completion (DSR)

Task execution order

- Concurrent: $\tau_C \mid \tau_P$
- Atomic non-deterministic: $\tau_C \neq \tau_P$
- Ordered: $\tau_C ; \tau_P$ or $\tau_P ; \tau_C$

Message transfer

- Immediate to consumer (IMT)
- Direct to delayed consumer (DMT)
- Period-delayed to consumer (PMT)

### **Periodic Task Communication Summary**

| Periodic, same period | ASR, IMT | ASR, PMT | DSR, IMT | DSR, PMT | DMT |
|---|---|---|---|---|---|
| $\tau_P ; \tau_C$ | MF:1B | PD:2B<br>S ∨ X ∨ R | PD:2B<br>R | PD:2B<br>S ∨ X/R | MF:1B |
| $\tau_C ; \tau_P$ | PD:1B | PD:1B | PD:1B | PD:1B | PD:1B |
| $\tau_P \neq \tau_C$ | ND:1B | PD:2B<br>X | PD:2B<br>R | PD:2B<br>X/R | ND:1B |
| $\tau_P \mid \tau_C$ | ND:3B<br>S/X<sub>C</sub><br>R<sub>C</sub> | PD:2B<br>X | PD:2B<br>R | PD:2B<br>X/R | NDI:2B<br>S/X/R<sub>C</sub> |

Legend:

- MF: mid-frame; PD: period delay; ND: non-deterministic; NDI: no data integrity
- 1B: single buffer; 2B: two buffers; 3B: three buffers; 4B: four buffers
- S, X, R: data copy; S/X: IMT combined send/transfer; S/X/R: DMT combined S, X, R; X/R: DSR/PMT combined X, R; o1 ∨ o2: one operation copies



# Outline

- Multiple aspects of system validation
- System & software engineers working together
- Multi-fidelity model-based analysis
- Property preserving transformations
- **Conclusions**




# **Predictable Model-based Engineering**

#### Reduce the risks

- Analyze system early and throughout life cycle
- Understand system wide impact
- Validate assumptions across system

#### Increase the confidence

- Validate models to complement integration testing
- Validate model assumptions in operational system
- Evolve system models in increasing fidelity

#### Reduce the cost

- Fewer system integration problems
- Fewer validation steps through use of validated generators

#### **Traditional Development Model**



### **Benefits of Predictive Architecting**



### **Industrial Embedded Systems Initiatives**







Peter H Feiler

phf@sei.cmu.edu

at ENST until June 9, 2008