model and verify the architecture of a satellite central...

EADS Astrium © 2006

AADL Subcommittee Meeting, Überlingen – 10. to 13. July 2006

Model and Verify the architecture of a Satellite Central Flight Software

-Dave Thomas ([email protected])

Satellite central flight software modeling - AADL Subcommittee Meeting, Uberlingen - 2006/07/12 EADS Astrium © 2006

The ArchiDyn study

• Goal: to use AADL (with the behavior annex provided by IRIT) to describe the dynamics of satellite central flight software and analyze the contribution of modeling techniques in its validation.

• Modeling part: three levels of abstraction corresponding to three AADL models

– L0: functional architecture (specification)

– L1: logical architecture (design)

– L2: concrete architecture (detailed design / implementation).

• Process & Methodology exploration part: a model-based approach for the construction and the validation of software architectures, allowing to check as soon as possible and gradually the implementation of satellite central software.


AADL modeling: Views and Concerns

125ms

AOCS_CYCLRQ

ACC

ICB_END_ACQ

AOCS_END_ACC

AVB_DORIS_ACQ

DO

AOCS

AOCS_MGR

DHS

TC_BUS

APFW_BASE

Dynamic View (ADD)

Structural View (SRD)

Dataflows View (URD)

ACC DeviceDevice

AOCS

L0

L1

L2

ARCHITECTURE : Views

Logical behavior

ANALYSIS : Concerns

Temporal behavior

Ressource analysis


Levels of abstractions

��

��

��

��

� �� !�� "��#��

��$��

��

�%

&�� '�� '�� (�

)��*&��+� �� '��,��'��

�-

.��.��.��.��/ ��/ ��/ ��/ �� '��'��'��'��


L0 Level: Functional Architecture (specification)

• Modes (L0.1)

– Communicating automata

– Mode switching procedures

• Structural / Data flow (L0.2)

– TM/TC

– FDIR alarms

– Devices

FDIR Strategy

(mode dependant)

TMReq TMhandling

(mode dependant)

REQhandling

(mode dependant)

Functions

(mode dependant)

Mode1

Mode 2Manager

(mode dependant)

FDIR Req

SYSTEMMode1

Mode 2

AOCSMode1

Mode 2

Mode 2

PAYLOADMode1

Mode 2


L0 Level: some AADL issues

• Mode switch procedures: how to describe actions to start when a mode switch occurs

SYSTEMMode1

Mode 2

AOCSMode1

Mode 2

Mode 2

PAYLOADMode1

Mode 2

• Composites states/modes

1

3

2.1

2.2

1

2.1

2.2

3

1

2

3

2.1

2.2


L1 Model: dynamic architecture (design)

• L1.0: semi-automatically generatedmodel from L0.2

– Support to design through the use of patterns

– Reuse L0 information through thread binding mechanism

• L1.1: temporal properties (L1.1)

– Dispatch protocol

– Compute execution time

– Deadline

• Simulation possible using Cheddar

TC

SYSTEMAOCS

125ms

20 ms

SYSTEM

CYCL

ASYNC

AOCS

CYCL1

ASYNC

CYCL2

125ms

125ms

20ms

N0.2

N1.0

RQMGR

SYSTEM

CYCL

ASYNC

AOCS

CYCL1

ASYNC

CYCL2

125ms

125ms

20ms


L1 Model: Thread binding

• Traceability link: which thread executes a given function

Mode switching Monitoring

TC

BUS

SYSTEM

AOCS

SYS_CYCL

125ms


L1 Model: how to model tasks synchronizations ?

• L1.2: Periodic tasks have to synchronize with IO events

– Tasks “with suspension”

T1.1

T1.2

T2.1

T2.2

125ms

125ms

CompleteDispatch

Dispatch

Dispatch

&

Complete

?

T1.1

T1.2

T2.1

T2.2

Depends_Upon => (T2.1, T1.1) ;

Depends_Upon => (T1.1) ;

125ms

125ms

Computation (2ms)

Computation (2ms)

Synchro ?

Synchro !

Computation (5ms)

Computation (1ms)

125ms

125ms

T1 T2

Depends_Upon => (T2.1, T1.1) ;

BehaviourAnnex


L1 Model: modeling issues

• Event combination• Multiple deadlines

RQ

ACC

DO

125msPL_CYCL

PLB_PL_ACQ

&

1.9 ms

3.8 ms

1.9 ms

PF_END_ACC

AOCS_END_ACC

75.4 ms

74.3 ms

114.7 ms


L1 Model: Environment model (contracts ?)

– New properties to describe hypothesis on features

– Allow to simulate and verify step by step the model (even non-complete)

– Unitary tests when ports are not connected (hypothesis on env.)

– Then port connections replace arrival laws (integration tests)

RQ

ACC

DO

125msAOCS_CYCL

AVB_AOCS_ACQ

AVB_DORIS_ACQ

AOCS_DAS

2.5 ms

20 ms

2.5 ms

&

ICB_AOCS_ACQ

(79 ms)

(38 ms)

(36 ms)

AVB_AOCS_ACQ

AVB_DORIS_ACQ

INIT

EOF

125msAVB_HDLR

INT_IT

INT_IT

EOF_IT

(38 ms, 79 ms)

(116 ms)

(38 ms, 79 ms)

(116 ms)


L2 model: Concrete architecture (detailed design)

• SW static architecture + Platform • Object-oriented design : objects,

methods, data => data components• RTOS API, User libraries => packages

& hierarchical data components

Get_State

Switch_On

THR_CTRL

Switch_Of

MGR

CTRLFCT

SWR

HAL


L2 model: platform dependent design

• Manage the way the architecture is implemented through connections mapping

– Which object, mechanism or primitive provided by the execution platform is

used to implement the L1 model

PF SYS

PF.GetFailed

ARO_REQ

TC_HDLR SYS

TC

TC_POOL

AOCS

PF

PL

TC_HDLR SYS

TC

AOCS

PF

PL

TC_BUSPF

PF SYS

ARO_REQ

PF

Receive_Primitive=>

« PF.GetFailed »

• Can be semi-automatically generated from L1 through implementation patterns

• Allow to detect a shared data that has to be protected


Process & Methodology: steps

• Identify functions & interactions

• Build a functional architecture• Build a hardware architecture• Bind functional to hardware

• Specify / Design execution components (tasks)

• Choose / Customize execution platform (RTOS and means of communication)

L0

L1

L2

Functional architecture

Logical architecture

Concrete architecture


Process & Methodology: steps

• Identify functions & interactions

• Build a functional architecture• Build a hardware architecture• Bind functional to hardware

• Specify / Design execution components (tasks)

• Choose / Define execution platform (RTOS and means of communication)

L0

L1

L2

Objectives:

Incremental & Iterative approach� using patterns and refinements between each increment or iteration

Go downward to code generation� progressive modeling, the model is kept during all the life cycle

Functional architecture

Logical architecture

Concrete architecture


T1

T2

Ti

Critical tasksscheduling

ANALYSIS

CPU Load63 %

ProcessorTC

SYSTEM

AOCS

125ms

20 msRTC

ICB

Mode1

Mode2

L0 -> L1 Patterns

RTC_HDLR

SYSTEM

CYCL

ASYNC

AOCS

ASYNC

CYCL2

125ms

ICB_HDLR

125ms

CYCL2

20ms

Temporal characteristics

RTC_HDLR

SYSTEM

6 ms

4 ms

AOCS

2500 ms

33 ms

125ms

ICB_HDLR

125ms

5 ms

20ms


Concrete mechanisms Implementation Patterns

Automata(behavior refinement

RTC_HDLR

SYSTEM AOCS

125ms

ICB_HDLR

125ms

20ms

Data flows

RTC_HDLR

SYSTEM AOCS

125ms

ICB_HDLR

125ms

20ms

T1

T2

Ti

&�� 0�"��

��"��

RTC_HDLR

SYSTEM AOCS

125ms

ICB_HDLR

125ms

20ms �� ,��'��


v1 v2

N0

N1

N2

v3

Progressive modeling


Models layout

HW ADD CDD

OBSW.v1 OBSW.v2 OBSW.v3

URD/SRD

OBSW


AADL Assessment: Benefits

• Currently no language is used to support Level 1 activities. AADL is a very good candidate to improve them.

• System view : functional, software, hardware

• Modes: highly used in space systems– AOCS modes– System modes– Hardware modes

• Reuse– Components– Patterns / Frameworks


AADL Assessment: some issues…

Modeling issues• Structure Vs Behavior• Linked threads or behavior

annex• Logical / Concrete (dispatch,

protocols, …)

Wish list• Composite states• Mode dependent features• Connection binding• Interrupt handling (IT handlers)• Thread dispatch refinement• Nested port connections• Multiple inheritance• Double-Port memory modeling• Variable dequeue protocols• Event combination• Abstract ports• Data subprogram reference• …

Osate issues• Subpackages• Data subcomponent access• …

Topcased issues• Access connections• Diagram export function• …


Limitations

• Tools– Graphical editor

– Model transformation, links between models (binding),

– Analysis

• Language– Behavior annex status

• Modeling– Modeling rules for quality

– Version management (iterations, increments, …)

– Behavior description guidelines (several abstraction levels)


Perspectives: Model-based engineering at Astrium

• Objectives– Support to system & software design (including reuse)– Support to early V&V– Support to automatic code generation (also for rapid prototyping)

• Perspectives– L-1: Matlab/Simulink and UML– L0: UML– L1: AADL– L2: we do not really require such a detailed model

model and verify the architecture of a satellite central...

Documents