© 2014 Carnegie Mellon University

Architecture Analysis with AADLThe Speed Regulation Case-StudySoftware Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213

Julien Delange

2Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Copyright 2014 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution except as restricted below.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM-0001524

3Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

What this talk is about?

1. Actual issues for Safety-Critical systems design

2. Why Model-Based Engineering techniques are helpful

3. How AADL can detect issues early and avoid potential rework

4Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

5Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

6Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Polling Question 1Do you know what Model-Based Engineering is?

7Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Safety-Critical Systems are Intensively Software-Reliant

Source: “Delivering Military Software Affordably” in Defense AT&L

8Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Errors are introduced early but detected (too) lately

9Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Many Errors stems from Architecture or Integration IssuesGlobal Variable used among different functions

Potential issues: inconsistent values, concurrent accessesRoot Cause: Architecture Design (use of encapsulation)

Use of COTS components without validationPotential impact: do not fit with the environment, crashRoot Cause: No Validation of Components Integration

Timing issuesPotential impact: deadlines not enforced, bad valuesRoot Cause: poor integration policy, lack of analysis

Should I continue this list?

10Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Why Model-Based Engineering Matters?Capture system architecture with designers requirements

Focus on system structure/organization (e.g. shared components)

Tailor architecture to specific engineering domain (e.g. safety)

Validate the architectureCheck requirements enforcement (e.g. no global variable)

Detect Potential issues (e.g. interfaces consistency)

Early AnalysisAvoid late re-engineering efforts (e.g. less rework after integration)

Support decisions between different architecture variations

11Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Polling Question 2Do you already know AADL?

12Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Architecture Analysis Design LanguageSAE Standard for Model-Based Engineering

First version in 2003, actual version 2.1Definition of System and Software Architecture

Specialized components with interfaces (not just “blocks”)Interaction with the Execution Environment (processor, buses)

Extension mechanismsUser-Defined Properties (integrate your own constraints)Annexes (existing for safety, behavior, etc.)

13Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AADL Model ExampleTasks Process

CommunicationInterfaces

Memory

Processor

Bus

14Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Architecture Analysis Design LanguageSecurity•Intrusion•Integrity•Confidentiality

Safety & Reliability•MTBF•FMEA

•Hazard analysis

Real-time Performance•Execution time/Deadline

•Deadlock/starvation

•Latency

ResourceConsumption•Bandwidth•CPU time•Power consumption

•Data precision/accuracy

•Temporal correctness

•Confidence

Data Quality

Architecture Model

Auto-generated analytical models

15Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

16Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Objectives of this StudyLearn Architecture Modelling with AADL and the OSATE workbench

Model a family of systems with their variability factors

Analyze the Architecture from a performance perspective

Discover Safety Issues using Architecture Models

Support Architecture Alternatives Selection

Illustrate the Process with a relevant case study

17Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Case-Study DescriptionSelf-Driving car speed regulation

Obstacle detection with user warningCamera detectionInfra-red sensor

Automatic Speed and BrakeTwo speed (wheel, laser) sensorsRedundant GPS

18Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Polling Question 3On what aspect would you like to focus?

19Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Case-Study ObjectivesHelp designers to choose the best Architecture

Best reliability, avoid potential failure/errorMeet timing and performance requirements

Analyze Architecture according to stakeholders criteriaTry to analyze what really matters

Quantify architecture quality from different perspectivesLatencyResources and BudgetsSafety/Reliability

20Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

21Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Functional Architecture

SensorsActuators

GPS devices

Obstacle Detection Speed Sensors

SensingControl

Compute

22Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Functional Architecture, timing perspective

Max end-to-end latency = 900 ms

23Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Functional Architecture, criticality perspective

Redundancy Groups (performs the same function)

24Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Deployment AlternativesAlternative 1: reduce cost and complexity

Two processors and one shared busPotential interactions for functions collocated on the same

processor

Alternative 2: reduce potential fault impactIncrease potential production cost (more hardware)Three processors inter-connected with two buses

25Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Architecture Alternative 1

50 MIPS 50 MIPS

Bandwidth: 500 kbpsAcquisition time: 10 to 30ms

Transmission time: 1 to 10 us per byte

Reduce Cost and Complexity Potential interactions for functions collocated on the same processor

26Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

50 MIPS50 MIPS

50 MIPS

Bandwidth: 5 kBpsAcquisition time: 50 to 100ms

Transmission time: 10 to 50 us per byte

Reduce Fault ImpactMight increase production costs

Architecture Alternative 2

27Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

28Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Modeling GuidelinesSeparate architecture aspects in different files

Leverage AADL extension and refinement mechanismsCapture common characteristics, avoid copy/pasteExtend generic components

Use properties to quantify quality attributesProcessed by tools to evaluate architecture qualitySpecify once, use by several analysis toolsEnsure Analyses Consistency

29Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – devicesGeneric components

Extension and refinements

30Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – devices – textual modelComponent Name

Timing constraints(latency analysis) Error propagations and flows

Types of faults(all safety analysis tools)

Documenting the faults(safety analysis)

31Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – Interfaces Specifications

Data size properties(resource allocation and latency analysis)

One property, several analyses

Ensure Analyses Consistency

Data types being used tocommunicate across functions

32Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – platform

Timing information(latency analysis)

Generic Processor Component(common for all the architecture)

Processor extension, specify bus connectionsShare properties of inherited component

33Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – software (1)

One software function = 1 AADL process + 1 AADL thread

AADL Process

AADL Thread

34Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – software – textual notation (1)

Data flow specification(latency analysis)

Error specification(safety analyses)

Subcomponentsand connections

Component type

Component implementation

Communication interfaces

35Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – software – textual notation (2)

Data flow(latency analysis)

Time information(latency analysis)

Resource Budgets(resource allocation analysis)

36Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – safety specificationError types that could be raised

Reusable error state machinesto be attached to components

Operational

Failed

Error states

Component-specific error transitions(to be added on a component-basis)

37Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – define error flows – error source

Reuse predefined types

Define error types propagatedon component interfaces

Define the error sources,what interfaces initiates an error flow

Component camera pictureNoValue error propagated

38Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – define error flows – error pathReuse predefined types and behavior

Define error types propagated on component interfaces

Define the propagations flows

Component

obstacle_distance / NoValueobstacle_distance / InvalidValue

Processor / SoftwareErrorProcessor / HardwareError

obstacle_detected / NoValue

obstacle_detected / InvalidValue

39Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – error sink & define component error behavior

Use predefined error types and component behavior

Define component-specificerror events

Component-specificerror transitions

Operational

Failed

Reset NoValueInvalidValue

40Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Model Organization – architecture alternatives

System implementation withall common components

Capture architecturealternatives variability

(processors, buses, etc.)

Common type for allarchitecture alternativeCapture common

components characteristics

41Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Architecture Alternative 1: model instance

42Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Architecture Alternative 2: model instance

Variability Factors with Alternative 1

43Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

44Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Latency Analysis, principles

Potential impacton latency

Bus characteristicsAlternative1 Alternative2

Acquisition Time 10 to 30 ms 200 to 500 ms

Transmission Time (/B) 1 to 10us 2 to 5 ms

45Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Latency Analysis, results

ArchitectureAlternative 1

ArchitectureAlternative 2

46Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Resources Allocation Analysis, principles

47Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Resources Allocation Analysis, results

ArchitectureAlternative 1

ArchitectureAlternative 2

48Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Safety Analyses OverviewFunctional Hazard Analysis (FHA)

Failures inventory with description, classification, etc.Fault-Tree Analysis (FTA)

Dependencies between errors event and failure modesFault-Impact Analysis

Error propagations from an error source to impacted componentNeed to combine analyses

Connect results to see impact on critical components

49Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Safety Analysis, FHA, resultsArchitecture Alternative 1: 15 errors contributors

Architecture Alternative 2: 17 errors contributors

Difference stems from additional platform components (ecu)Have to consider criticality of fault impacts

50Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Safety Analysis, FTA resultsArchitecture Alternative 1: 15 errors contributors

Architecture Alternative 2: 17 errors contributors

Difference stems from additional platform components (ecu)Have to consider criticality of fault impacts

51Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Safety Analysis, Fault Impact, resultsArchitecture Alternative 1 & 2: 443 error paths

Use the same pathsThe additional ECU in alternative 2 covers path from ecu2 in Alternative 1

Impact on components criticalityDefect on the additional bus in Architecture 2 impact low-critical

functionsIsolate defect from low-critical functions to affect high-critical

52Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Analysis Summary

Architecture 1 Architecture 2

Latency

Resources Budgets

Safety

Cost

What is the “best” architecture?

53Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

AgendaIntroduction on Model-Based Engineering

Presentation of the Case Study

System Overview

AADL model description

Architecture Analysis

Conclusion

54Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

ConclusionsSafety-Critical Systems Development issues is not a fatality

Late detection of errors is no longer possibleNeed for new methods and tools

AADL supports Architecture Study and ReasoningEvaluate quality among several architecturesEase decision making between different architecture variationsAnalysis of Architectural change on the whole system

User-friendly and open-source workbenchGraphical NotationInterface with other Open-Source Tools

55Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Useful ResourcesAADL wiki – http://www.aadl.info/wiki

Model-Based Engineering with AADL book

SEI blog post series http://blog.sei.cmu.edu

Mailing-List see. https://wiki.sei.cmu.edu/aadl/index.php/Mailing_List

56Speed Regulation Case-StudyJulien Delange© 2014 Carnegie Mellon University

Questions & ContactDr. Julien DelangeMember of the Technical StaffArchitecture PracticeTelephone: +1 412-268-9652Email: info@sei.cmu.edu

U.S. MailSoftware Engineering InstituteCustomer Relations4500 Fifth AvenuePittsburgh, PA 15213-2612USA

Webwww.sei.cmu.eduwww.sei.cmu.edu/contact.cfm

Customer RelationsEmail: info@sei.cmu.eduTelephone: +1 412-268-5800SEI Phone: +1 412-268-5800SEI Fax: +1 412-268-6257