A tool for model-based engineering by Nam, Min Young
A TOOL FOR MODEL-BASED ENGINEERING
BY
MIN YOUNG NAM
DISSERTATION
Submitted in partial fulfillment of the requirements
for the degree of Doctor of Philosophy in Computer Science
in the Graduate College of the
University of Illinois at Urbana-Champaign, 2012
Urbana, Illinois
Doctoral Committee:
Professor Lui Sha, Chair
Professor Ralph Johnson
Associate Professor Marco Caccamo
Principal Software Engineer Richard M. Bradford, Rockwell Collins Inc.
Abstract
In many hard real-time avionics systems, more and more features are being added to faster but cheaper
hardware. Thus, hardware resources such as computation and network bandwidth are increasingly
being shared by multiple applications, leading to rapid increases in the size and complexity of the
overall system. In the design and development process, system level performance analysis should
precede implementation in order to save cost and to optimize the system architecture during a relatively
earlier development phase when such changes are less costly to make.
To provide system level performance analysis, Model-Based Engineering (MBE) or virtual inte-
gration is becoming more popular in the avionics industry as well as other manufacturers of Cyber-
Physical Systems (CPS), which also include the automotive and medical industries. Virtual integration
helps system designers to test multiple options, upgrade existing systems with modifications and check
safety-critical, schedulability, and performance requirements relatively quickly using models.
With a) the advance in high performance processors, including multi-core processors, b) the trend
of designing Integrated Modular Avionics (IMA) systems that allows multiple applications to coexist
on a platform, and c) the requirement for I/O intensive applications for better service, building an
elaborate I/O architecture can bring great benefits in the overall design. Much previous work does not
model the I/O architecture with sufficient detail to provide valuable feedback in improving the design,
or it requires too much detail that it cannot be used for early analysis.
This dissertation describes the problems that we have been addressing in the current area of uti-
lizing architectural Model-Based Engineering (MBE) for avionics systems and the solutions that we
have developed along the way. First, we show a framework including our tool named ASIIST (Appli-
cation Specific I/O Integration Support Tool) which is a MBE analysis tool that we have developed for
ii
I/O architecture design and integrated processor and I/O scheduling. The computer-aided I/O design
framework demonstrates what elements need to be considered when creating a software analysis tool
taking benefit of MBE. Later we present how ASIIST supports IMA systems in ways of handling side
effects of I/O traffic that are known but difficult to keep up-to-date due to complexity.
In addition, we provide a framework for auto-generation of a robust tree-shaped I/O architecture
where the user can easily search for an architecture that can improve the tolerance against I/O work-
load uncertainties, especially for an IMA system. ASIIST allows for rapid evaluation of schedulability
impacts of I/O architecture designs in the context of IMA. Here we do a design space search approach
and investigate how MBE can be applied. This early consideration of I/O effects would increase the
likelihood that the system remains schedulable after actual coding and integration of multiple applica-
tions.
Finally, we have built a model-based approach to extend existing analysis algorithms. The extensi-
bility of Architecture Analysis and Design Language (AADL) and the loose syntax rules can often lead
to difficulties for actual users to make changes to a existing model without the worry of making existing
analysis tools break. Thus, a concept of Open Analytic Runtime (OAR) Models is created where we
express the details of analysis algorithms in the modeling components. This provides an open develop-
ment environment where anybody can inspect and update the analysis implementation from the model.
The analysis annex, is an implementation of OAR models for AADL.
With the capability of modeling analysis algorithms, we were able to provide services that assist in
the implementation of multiple correlated analysis algorithms. The analysis annex solver can search for
correct order of execution for analysis algorithms and also verify the compatibility of assumptions from
Resource Allocation (RA) algorithms and also connect assumptions of algorithms with the properties
(guarantees) that other algorithms provide in order to ensure that all assumptions and all runtime quality
attributes (RQA) are satisfied.
iii
To my loving wife, Nayun.
iv
Table of Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Overview of Requirements and Solutions . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Prospective Usage for ASIIST and Webpage . . . . . . . . . . . . . . . . . . . . . . . 12
1.4 References and Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 2 Model-Based Real-Time System Integration . . . . . . . . . . . . . . . . . . . 15
2.1 Computer-aided I/O Design Framework Overview . . . . . . . . . . . . . . . . . . . . 19
2.2 Modeling of Bus Communication using AADL . . . . . . . . . . . . . . . . . . . . . 20
2.3 PCI Analysis Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.4 Application Specific I/O Integration Support Tool . . . . . . . . . . . . . . . . . . . . 35
2.5 Graphical User Interface of ASIIST . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
2.6 Integrated Modular Avionics Systems and Problem Review . . . . . . . . . . . . . . . 46
2.7 IMA System Design with ASIIST . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
2.8 Case Study Demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
2.9 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
2.10 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Chapter 3 Towards the Model-based Auto-generation of Robust I/O Architectures . . . . 69
3.1 Robust I/O Architecture Framework Overview . . . . . . . . . . . . . . . . . . . . . . 71
3.2 Objective Function for Robustness Evaluation . . . . . . . . . . . . . . . . . . . . . . 76
3.3 Model-based Design of I/O Architecture using AADL . . . . . . . . . . . . . . . . . . 79
3.4 ASIIST Support for Design Space Management . . . . . . . . . . . . . . . . . . . . . 85
v
3.5 Case Study Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.6 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.7 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Chapter 4 Open Analytic Runtime Models . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.1 The Hidden Semantics of Analysis Algorithms . . . . . . . . . . . . . . . . . . . . . 94
4.2 OAR Models in AADL: The Analysis Annex . . . . . . . . . . . . . . . . . . . . . . 95
4.3 A Type System for Model Reuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
4.4 OAR Sample Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
4.5 Resource Allocation Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.6 Resource Allocation Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.7 Illustrative Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.8 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
4.9 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Chapter 5 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Appendix A Formal Model for Resource Allocation Contracts . . . . . . . . . . . . . . . 138
A.1 System Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
A.2 Modeling Concurrency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
A.3 Modeling Resource Allocation Policies . . . . . . . . . . . . . . . . . . . . . . . . . 140
A.4 Modeling Contracts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
A.5 Consistency of Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
A.6 Alloy Implementation for Resource Allocation Contracts . . . . . . . . . . . . . . . . 143
Appendix B AADL Model Example with Analysis Annex . . . . . . . . . . . . . . . . . . 145
Appendix C AADL Model Example for System Integration . . . . . . . . . . . . . . . . . 159
vi
Chapter 1
Introduction
In many hard real-time avionics systems, more and more features are being added to faster but cheaper
hardware. Thus, hardware resources such as computation and network bandwidth are increasingly
being shared by multiple applications, leading to rapid increases in the size and complexity of the
overall system. In the design and development process, system level performance analysis should
precede implementation in order to save cost and to optimize the system architecture during a relatively
earlier development phase when architectural changes are less costly to make.
A typical large passenger airplane has hundreds of processors and thousands of software tasks. In
a typical avionics company, the software and hardware engineers engaged in design and development
outnumber the real-time analysts several hundreds to one. The current approach of assigning a few
real-time analysts to interview engineers and manually build schedulability models cannot support the
need to rapidly evaluate different real-time related design alternatives. To compound the difficulty,
the given logical data flows among applications may also be modified during the design process and
the accompanying change of work load flows may require corresponding changes in schedulability
and reconfigurations of I/O architectures. The system design architects are generally not specialized
in building the tool specific schedulability models by themselves from the modeling blocks a tool
provides, especially for large complex systems. As a result, the system level schedulability analysis
often lags behind the actual designs to be done by the few real-time analysts. As one senior engineer
has remarked,
1
“Architecture performance is a type of problem that is commonly injected during the de-
sign of an architecture but rarely identified at this stage - usually the problem surfaces
during integration, where it is difficult and expensive to remedy.” [68]
Fortunately, a better approach is now becoming available, in the form of Model-Based Engineering
(MBE) or virtual integration [62] which is being adopted by the avionics industry as well as other man-
ufacturers of Cyber-Physical Systems (CPS), including the automotive and medical industries. Virtual
integration is a concept of performing all the required high level analysis and estimation before actual
integration using software and hardware models of a system. Virtual integration helps system designers
to test multiple options, upgrade existing systems with modifications and check safety-critical, schedu-
lability, and performance requirements relatively quickly.
1.1 Related Work
For use in MBE, several Architecture Description Languages (ADL)s for embedded systems have
emerged during the recent years including, Architecture Analysis and Design Language (AADL) [31],
Systems Modeling Language (SysML) [43], and Modeling and Analysis of Real-Time and Embedded
Systems (MARTE) [30]. Using an ADL to specify accurately all relevant properties of a system for an
appropriate level of abstraction is very important because the analysis can only be as good as the model
of the system.
The SAE AADL is an architecture description language which has become popular for virtual
integration of avionics systems. AADL is standardized by the Society of Automotive Engineers (SAE)
and is defined in SAE Standard AS5506 [5]. Open Source AADL Tool Environment (OSATE)1 is a
set of plug-ins built on top of the open source Eclipse2 platform to give the front-end interface to build
AADL models. Thus, tool developers can freely build and add new plug-ins that perform specialized
analysis on AADL models. In our work, we have selected AADL from among the many ADLs due
to its increasing popularity in the avionics industry and the cooperating relationship we have with the
Software Engineering Institute (SEI) at Carnegie Mellon University which is where AADL was created.
1Open Source AADL Tool Environment (OSATE) http://www.aadl.info
2Eclipse http://www.eclipse.org
2
For real-time systems integration, especially for early system-level design, the main requirement
for users is to know the schedulability of processors for a given set of applications and to make sure
latency requirements of data flows are satisfied as well. There are a few schedulability analysis efforts
that support AADL [9, 85, 83]. ADeS [9] is a simulation tool for AADL that displays the thread
activation and execution for each processor in the model based on the standard scheduling policies
that it supports. Currently, based on the official ADeS webpage, further development seems to have
stopped in 2007. Sokolsky et al. [85] presents how we could translate AADL models into the real-time
process algebra ACSR (Algebra of Communicating Shared Resources) [16] that allows schedulability
analysis of AADL models. ACSR [22] is a timed process formal algebra which supports synchronous
timed actions and asynchronous instantaneous events. Timed actions are used to represent the usage
of resources and to model the passage of time. Events are used to capture synchronization between
processes. The ACSR-VP [16], which is the AADL translation in [85], is an extension to ACSR
with value passing communication and dynamic priorities. ACSR models can be analyzed using the
VERSA tool [23]. Schedulability problems are reduced in ACSR to the problem of deadlock detection,
and VERSA is used to detect this deadlock through state-space exploration.
Cheddar [83, 84], is another tool set that supports AADL for schedulability analysis. It performs
scheduling simulations and feasibility tests for quick prototyping of real-time schedulers. Users can test
existing published schedulers or define new schedulers to simulate their performance and visually check
how tasks are executed in a time line as in ADeS. Feasibility tests would compute schedulability without
simulation and automatically explain results using publish equations with references. The limitation
of Cheddar is that it focuses on only the software model. It assumes that all effects from the physical
hardware environments are known and specified in the model as properties of the software components.
For example, any I/O waiting time should be included in the worst-case execution time of the thread so
that real-time schedulability theory can be applied or simulated. While this approach may be practical
if we assume that the hardware will not change, it takes away all the benefit of modeling a detailed
hardware architecture. Cheddar would not be able to quickly or automatically capture changes in
hardware configurations or I/O architectures or provide analysis results based on hardware components
such as I/O bus bottlenecks.
Previous work that uses MBE for latency analysis either considers local delay as homogenous [37],
3
meaning communication costs between processors are all the same, or relies on testing and simulation
to measure delay [88, 92, 50] and simplify the modeling of the bus architecture. Such approaches
do not require a detailed hardware architecture model but also remove the potential of identifying
problems and solutions from a hardware design perspective. In most cases, a single bus was used
between processors to represent the whole path that includes internal hardware connections as well as
the network. These approaches also rely on special hardware that guarantees constant performance for
analysis results to be accurate which is generally not the case with Commercial off-the-shelf (COTS)
components that are being increasingly used these days to save cost [14, 74] in avionics.
When compared to traditional system-on-chip (SoC) communication architecture design ([52] and
others), the level of control when using COTS components is different from SoC design. The silicon
area is no longer a critical cost factor for computer board-level designs which is our case. Existing
system-on-chip (SoC) work that is related to communication architectures mainly try to search for best
configurations for I/O for a given target architecture ([59, 67, 51]). These target architectures are very
limited in flexibility which is inherent in the nature of SoC. Most of these works try to find the best
combination of configurations from a predetermined set, either by simulation [69] or static analysis [35]
or their combination [52]. Since the bus topology is considered another configuration, they resort to
searching a small number of instances and not reasoning the analysis results for a specific design of the
bus.
With the advance in high performance processors, including multi-core processors, more appli-
cations are now implemented to share resources and take advantage of the increased computational
power. However, in modern days, more applications are also becoming visual and data intensive to
provide user experiences that are more informative and easy to understand. As a whole, this trend
increases the amount of I/O data that needs to be handled in a system. Building a sophisticated I/O
architecture is more required than ever to safely support multiple applications in an I/O intensive real-
time system. As a quick illustration, Figure 1.1 shows two different bus topologies where the I/O side
effects on the overall schedulability can change greatly. In the example, there exist two applications
that are assigned to different Integrated Modular Avionics (IMA) [7] partitions A and B. IMA is an
architectural concept for hosting multiple software applications on a temporal partitioned CPU3. The
3IMA will be explained later in Section 2.6
4
Figure 1.1: Example of different bus topologies
application in partition A requires a large amount of data to be received constantly through the network
adapter and saved in the local memory. The application in partition B is an application with high fre-
quency that sends a small amount of data to the display adapter. In Figure 1.1 (a), we have a simple bus
architecture which consists of a common PCI bus. The data that is received through the network adapter
will delay the data that is sent to the display adapter during partition B. If the application waits for the
completion of the data transfer, the wait time must be considered for schedulability analysis. Since the
frequency of the application in partition B is high, the overall increase in the utilization (computation
time divided by period) will be much higher. On the other hand, if we were to change the bus topology
to Figure 1.1 (b), there is no longer contention between the two bus transactions. The tradeoff is the
increased delay of reading from the local memory that now has two bridges to pass from the CPU in
Figure 1.1 (b). As we can recognize from this example, the overall effect of I/O on the schedulability
for an IMA system is a question involving many tradeoff decisions.
To the best of our knowledge, currently there is no work that supports AADL and takes advantage
of modeling the internal bus topology of computing modules for schedulability and latency analysis.
Computing modules may use specialized Application-Specific Integrated Circuit (ASIC) devices or
Field-Programmable Gate Array (FPGA) devices that regulates I/O data before it leaves through the
network or after data is received from the network based on some criteria. I/O data can be directly sent
to registers, or large data can be saved in local memories to be read later. Modeling such I/O behavior
5
with hardware topology provides a broader perspective in solving I/O related problems and building
I/O tolerant systems.
1.2 Overview of Requirements and Solutions
In the following Section, I will summarize the requirements that I am trying to fulfill throughout this
thesis and then summarize how they were addressed. Following is a list of requirements that we will
elaborate further more.
• R1: Providing a virtual integration I/O modeling framework for early system-level design and
analysis.
• R2: Capturing side effects of I/O data, especially for IMA systems, to create an input model for
schedulability and latency analysis.
• R3: Providing tool-based support for safe architectural model changes.
• R4: Supporting extensible analysis tools through model-based engineering.
• R5: Supporting correct implementation of multiple correlated analysis algorithms for AADL
models.
1.2.1 Requirements
R1: Providing a virtual integration I/O modeling framework for early system-level design and
analysis
The level of fidelity in a model depends on many factors. These include the time line of when the
model is expected to become useful, what kind of information is available to build the model, and what
type of analysis and requirements are needed. Our work has always focused on relatively early system-
level design and analysis. The reason for such focus is to allow architects to concentrate on the critical
aspects so that system design problems can be addressed early. Also, we realized that in later phases
when actual implementation has already started, engineers would like to have a fixed design that does
not change until the first testing becomes possible. After this stage, engineers would also try to solve
6
problems on the actual product rather than spend time on the model. Thus, it is important to provide
informative and analytical guidance through models as early as possible. For example, users need to
know which part of analysis is based on estimates and which part is based on real data and how they
are combined. This allows engineers to develop prototypes to provide real data for critical areas.
Being able to model the I/O architecture which includes the hardware bus topology, I/O data path,
and bus protocol-dependent behavior in an early stage is much more beneficial for systems-level design
because analysis results can be more accurate, and users would know what was caused by I/O effects.
Less favorable decisions can be avoided for IMA and I/O intensive systems which would have caused
serious setbacks. The challenge is in selecting the right level of detail so that it can still be meaningful
while simple for early analysis.
R2: Capturing side effects of I/O data, especially for IMA systems, to create an input model for
schedulability and latency analysis
The I/O traffic that exists in a system affects the real-time performance of the application that is running
on the CPU through various ways, including interfering with the cache fetch on the front side bus
as well as changing the I/O wait time for read and write bus transactions to a local memory. Such
interference is difficult to measure until all the applications that share the processor are implemented
and tested. The total development cost may increase greatly when one or more applications turn out
to be unschedulable for the assigned partition with no remaining time from any of the other partitions
in the processor. In the development of IMA, the design of I/O has been a challenge due to multiple
applications’ real time traffic sharing limited I/O channels.
However, it is a very tedious job to require the model developer to model every aspect of behavior
that matters. For example, when an application is added to one partition, a subset of its I/O will
coexist during other IMA partitions. This interpretation should be handled by the tool ratherthan being
modeled. Not all algorithms support IMA systems and even if they do, it would greatly increase the
complexity of the algorithm. Having the tool translate a model to build low level abstractions for
analysis extends the applicability of existing algorithms to new architectural designs, including IMA
systems. Also, rework of supporting IMA system behavior or other specialized I/O designs can be
removed from the analysis implementation which is a huge benefit.
7
R3: Providing tool-based support for safe architectural model changes
Developing a high fidelity model takes many person-hours away from development. To ensure value,
a model, must support the analysis of architecture modifications during the entire design process. One
aspect that contribute greatly to its usefulness is the ability to make architectural changes to the model to
answer “what if” type questions for designs. While model-based engineering promotes this capability
to test alternative designs, the extensibility of AADL and the loose syntax rules can often lead to
difficulties for actual users to make changes to a existing model without the worry of invalidating the
model. For instance, one can move an application to a different processor without updating its worst-
case execution time (WCET) which is specified in the application and can become invalid without
knowing. Any tool would have no way of telling if the WCET is invalid and give a wrong result. It
becomes an important role of the software tool to act as the moderator between users and the model
so that users can safely make architectural model changes while maintaining a valid model for correct
analysis results. As models include I/O information and the complexity of the model increases due to
the dependencies, tool-based support becomes more essential.
R4: Supporting extensible analysis tools through model-based engineering
As AADL is becoming more popular for industry companies and researchers, the need for different
tools is increasing, whether they are implementations of existing proven analysis algorithms or newly
developed theories. While the theory of an analysis is inspected and reviewed by other peers through
publications, the correct application of tools onto their input AADL models remains hidden in the
tool implementation. Although one of the objectives of AADL is to define a standardized semantic
for hardware and software systems, it also allows extensions. Users can define new properties or
customized components that are recognized by their custom-made tool which performs a new analysis
of interest. Such extensions are beneficial in the sense that a user has the freedom to quickly modify or
complement an AADL model for a new analysis. However, as more extensions are added to a model,
problems may occur where other already-built tools would perform wrongly or not as desired with the
added extensions. Even when existing analysis tools are used on a new AADL model from a different
group, the analysis tool may give false results due to newly introduced extensions. In the past, people
8
would either update the tool or fix the model to comply with the tool. However, this gradually increases
the complexity of the tool itself, or the model change may cause yet other existing tools to give false
results. A model-based approach of implementing analysis algorithms is required to quickly update
analysis tools in a modular method.
R5: Supporting correct implementation of multiple correlated analysis algorithms for AADL
models
As MBE tool environments become more evolved, more analysis algorithms which support different
domains are integrated into the environment. The current approach for multiple analysis support in
MBE is to have different models for each type of analysis. While this approach is preferable when the
modeled components are independent from one another, this is rarely the case in real life. There can be
numerous algorithms that directly or indirectly depend on other properties. Initially, a tool could have
been implemented assuming a certain set of properties is given and specified. Another tool can later
be added to fulfill this requirement so that the combined tool set can be used on a model which was
missing some of the initial property values. As models are integrated and more analysis algorithms are
added, correlation between algorithms increases. A set of analysis would be required to be executed
in a certain sequence and assumption conflicts may exist between algorithms. Automated checking for
such problems would become very valuable for a multiple-analysis tool environment.
1.2.2 Summary of Solutions
Solutions for R1
The modeling framework for building a fairly high-level model of the I/O architecture is described in
Section 2.2 and 3.3. Initially the hardware architecture model is built as simply as possible for early
design while it is specific enough to represent data paths and I/O handling behaviors from any type of
peripherals. This representation of the hardware is also sufficient to support the latency analysis algo-
rithm that is presented in 2.3. Once the model of the hardware is available, we need to be able to bind
logical data connections between applications to the physical data path. This is not a single hardware
list but a set of hardware lists, depending on the I/O handling of the data. Several AADL proper-
9
ties were defined to be used as specifying primitive types of bus transactions to support the general
case of data flows (Section 2.2.4). This was followed by the implementation of a tool named ASIIST
(Application Specific I/O Integration Support Tool) which loads all of these I/O modeling elements to
perform worst-case latency analysis. Before running the analysis, ASIIST takes care of model valida-
tion to make sure that the modeling elements are correctly recognized and any requirements are met
for analysis (Section 2.4).
In Section 3.3.2, we added new properties that represent common I/O configurations. By defining
special hardware component types such as network adapters and I/O controllers, it is now possible to
derive a set of bus transactions using the set of saved I/O configuration properties. This provides a
much easier method than iterating every hardware component in a data path to model the I/O. ASIIST
is also updated to translate these I/O configurations based on semantic rules and also provide a GUI
based interface to make sure that users input only valid I/O configurations that are recognizable based
on the hardware architecture. I/O configuration is also used to quantify the design space when using
design space search algorithms to find a targeted I/O architecture (work of Chapter 3).
Solutions for R2
In Section 2.6 we explain how ASIIST supports IMA systems by capturing known side effects of
I/O data and integrating them into the schedulability and latency analysis results. For schedulability
analysis, it has been demonstrated that WCET can increase by up to 44% [70] when a peripheral is
trying to read or write to the main memory due to cache fetch interference. Depending on whether
the given WCET is estimated with this interference or not, ASIIST lets the user add the increased
time before running the schedulability analysis. For latency analysis, I/O data that is intended for
other applications running on a different IMA partition can still exist during a different application’s
partition time. This is due to the fact that only the processor time is required to be partitioned in an
IMA system. DMA devices can keep on moving application-specific large data to local memories
during other application partitions. There is also no regulation of when network data can arrive through
the network and be copied. All of these I/O behaviors and others contribute to a worst-case I/O data
load for each bus in the model. ASIIST does the job of selecting which data flows on a bus would
coexist during a partition. Thus, latency and bus utilization results are given per IMA partition. This
10
is also considered when analyzing I/O cache interference on the main memory. Note that this is all
handled by ASIIST while the model remains localized so that application developers need only to
focus on modeling their own application and I/O model. In Section 2.7 we also explain the steps to
design an IMA system by utilizing all of these features of ASIIST.
Solutions for R3
Guaranteeing safe architectural model changes is a challenging task when the model itself is extensible.
Initially, we supported this by making sure that the user would only change the model through ASIIST.
Simple graphical representation of the model based on the domain of interest is the most effective way
to interact with users. ASIIST has a few GUIs to guide users in such a way. These include the most
useful functionalities of moving applications to different processors or IMA partitions and redesigning
the hardware bus topology. Each change requires many I/O related specifications to be updated by
ASIIST to remain a valid model. Section 2.5 demonstrates these GUIs. By using ASIIST, we can
at least make sure that the I/O model remains valid when architectural model changes occur. While
ASIIST can handle all the property values that we are interested in, this approach is still fragile against
new abstractions that can be added to the model in the future. ASIIST would have to be carefully
updated which is not a scalable approach.
Another approach to supporting architectural model changes is to use Open Analytic Runtime
(OAR) Models which is introduced in Chapter 4. In summary, OAR models embed analysis algo-
rithms in the model type definition based on an Object-oriented programming fashion. Thus, each
component specification shows how the component is used in any algorithm. The intuition is that if
something is modeled, it is likely used in one or more analyses. By implementing analysis capabilities
through an OAR model, we are able to accumulate dependency information between property values.
For example, if the schedulability algorithm of a processor checks the value of the WCET, we would
know that the schedulability should be invalidated when the WCET is changed. This part is left for
future work.
11
Solutions for R4
When models are extended or integrated with other models, it is possible that existing tools may func-
tion wrongly, even without knowing. Open Analytic Runtime (OAR) Models, explained in Section 4.2
and 4.3, was initially made to solve these problems in a model-based approach. Compared to being
implemented in software code, analysis algorithms can easily be inspected by users and corrected if
needed by checking the model specification. The analysis annex, which is an implementation of OAR
models for AADL, describes how the algorithm computes its results. This includes how the model was
queried to find the correct components of interest and what property values were read (including units
information) in the equation. When models are extended, polymorphism can be used to overwrite an
existing function in the model so that the algorithm still performs correctly. This allows the analysis
algorithms to be up-to-date with the changes in the model.
Solutions for R5
To support correct implementation of multiple correlated analysis algorithms, we address two aspects
of the problem. One is finding the correct order of executing algorithms and the other is verifying
whether there is a resource allocation (RA) assumption violation among the set of analysis algorithms.
This work is presented in Sections 4.5, 4.6, and 4.7. The analysis annex is extended with RA contracts
which defines the type of resource allocation behavior that the analysis assumes or guarantees. This is
verified for the set of algorithms that are specified in the model. After making sure that there is no RA
violation, the analysis annex solver can search for a valid sequence to execute all the algorithms. The
analysis annex solver is a tool that we made to provide these services for OAR models. Any algorithm
can be executed from the solver to get results and update the AADL model. For multiple algorithms,
the user only needs to execute each algorithm according to the presented order through the solver.
1.3 Prospective Usage for ASIIST and Webpage
Towards the end of year 2012, there are several future plans for the usage of ASIIST. The industry
consortium, Aerospace Vehicle Systems Institute (AVSI) is interested in using ASIIST for a shadow
project. ASIIST was successfully demonstrated in two recent internal projects at Rockwell Collins Inc.
12
(RCI) For proprietary reasons, we only give a short description. One project was related to testing an
alternative architecture of an existing aircraft system model where we wanted to check what would
change with schedulability and bus utilization when one application’s functionality was integrated with
another application that exists in a different computing module. The other project was to create the
model of a network system from scratch through ASIIST, with the exclusion of the hardware model
which is currently not supported and was created manually. Then we added end-to-end flows to the
model which traverse through multiple applications and measured bus load and network delays. There
are several other RCI internal projects that are considering the trial use of ASIIST. For details, please
contact Richard Bradford (rmbradfo@rockwellcollins.com).
The webpage for ASIIST is at (https://wiki.engr.illinois.edu/display/realTimeSystems/ASIIST) for
downloads. We also provide links to a variety of demo videos.
1.4 References and Acknowledgements
This thesis includes some material previously published in peer-reviewed conferences, in particular
[65, 64]. This work would not have been possible without the contribution of all coauthors of the
referenced publications. I would like to give great thanks to my advisor Prof. Lui Sha for all the
guidance that he has given me throughout my research in finding the correct problems to solve and
supporting my ideas and work. I would have never experienced the amount of practical application and
experience stories in such a short time without his mentoring. I am also very grateful to Richard M.
Bradford for all the effort that he has spent on supporting the tools that I have developed. He has made
tremendous effort in finding users for my tool from the industry as well as spent numerous hours of
discussions on how to improve the tool for practical use. A lot of my work would not have been visible
without his support. I would like to also thank Rodolfo Pellizzoni for all of his contribution in building
the network calculus based latency analysis algorithms that were used in ASIIST as well as all the time
he has spent on giving me great advice for ideas and implementations. I thank Dionisio de Niz for all
the work he had done on building formal models of resource allocation contracts that were used with
the OAR model work. I also thank Sibin Mohan for his work on applying the worst-case execution time
analysis results to be used in ASIIST. Last but not least, I would like to give thanks to Kyungtae Kang,
13
although not a coauthor of the paper presented here, who has worked with me on several applications
of the ASIIST tool to publish many other publications in the domains of avionics switched networks
and medical/video wireless systems. Following is a summary of some of the portions in this thesis that
were mainly written by the assistance of the colleagues mentioned above.
• Rodolfo Pellizzoni and Richard M. Bradford for writings of Section 2.3.
• Dionisio de Niz for Sections 4.5 and 4.6 and Appendix A.
Also I would like to state that there may be small portions of writings from other coauthors that
exist in the thesis due to review-activities which I am also thankful for.
Note that material previously appeared in [65] is copyright of the Institute of Electrical and Elec-
tronics Engineers (IEEE) and material previously appeared in [64] is copyright of the Association for
Computing Machinery (ACM). In more detail, portions of Sections 2.1, 2.2, 2.4, and 2.7.2 of Chapter 2
appeared in [65] and Sections 4.5, 4.6, 4.7, and 4.8 of Chapter 4 and Appendix A appeared in [64].
They are reprinted with permission.
1. Min-Young Nam, Rodolfo Pellizzoni, Lui Sha, Richard M. Bradford, “ASIIST: Application Spe-
cific I/O Integration Support Tool for Real-Time Bus Architecture Designs,” Proceedings of the
14th IEEE International Conference on Engineering of Complex Computer Systems, pp.11-22,
2-4 June 2009, Washington. c©2009 IEEE. Reprinted by permission.
2. Min-Young Nam, Dionisio de Niz, Lutz Wrage, and Lui Sha. 2011. “Resource allocation con-
tracts for open analytic runtime models,” In Proceedings of the 9th ACM International Confer-
ence on Embedded Software (EMSOFT ’11). ACM, New York, NY, USA, 13-22. c©2011 ACM,
Inc. Reprinted by permission. http://doi.acm.org/10.1145/2038642.2038647.
14
Chapter 2
Model-Based Real-Time System
Integration
Hard real-time systems, such as avionics, typically use customized computer board level designs to
meet specific reliability and real-time I/O requirements. Before building the customized board, we
do our best to make sure that at least the design of the system meets all requirements. Traditionally,
engineers manually build the model for system-level schedulability analysis which is error prone and
tedious In the past few years, schedulability analysis tools that use systematic approaches to generate
equations have been developed. The analysis algorithm they use safely bounds the worst case usage of
resources, e.g. processing or communication. We have been collaborating with researchers and pro-
duction engineers from Rockwell Collins in the development of an analysis framework and prototype
computer-aided I/O analysis tool called ASIIST (Application Specific I/O Integration Support Tool).
The avionics industry is moving towards the adoption of architecture description languages, such as
SAE AADL [5], to support model based system engineering processes. An AADL model is more of an
architecture centric model than an equation centric model. This is possible because AADL lets the user
model the hardware platform separately from the software logical model. Thus, the hardware model-
ing blocks have a one-to-one correspondence with the actual hardware components, which makes the
architect’s job simpler. Although AADL provides separation of hardware and software specification,
there still remains the job of defining modular reusable abstractions on top of AADL components for
15
Figure 2.1: Bus Architecture Examples
selected bus components to support analysis. The definition should be made with the following two
goals in mind:
• The model abstractions should correspond to actual hardware building blocks so that they are
easy to use and reuse by system designers.
• The abstractions should be limited to a set of components that have well-defined real-time be-
haviors and can be scaled up for complex I/O-intensive real-time applications.
From the point of view of the architect, alternative designs should be easily expressed and analyzed.
Thus, careful consideration needs to be taken when defining the level of abstraction used for the mod-
eling blocks of a tool. It should be expressive enough to model the subset of the chosen architectural
specifications while only utilizing judiciously selected components that are suitable for hard real-time
application.
Figure 2.1 shows an example of a system which is a network in the form of a tree of bridges and bus
segments shared by processors, storage elements, and I/O devices, using a PCI bus for communication.
For each possible given hardware architecture, there exist different types of bus transactions and differ-
ent ways to route data flows. Any change in the tree architecture, the selection of bus transaction types,
16
Figure 2.2: Input/Output Configuration Example
or routes will create a different set of complex schedulability equations that the user must analyze.
With the frequent architectural modifications that will occur to check new alternatives, a modular and
architectural level of abstraction such as the modeling blocks shown in Figure 2.1 needs to be defined
for the ease of use and to reduce human error for even the well trained user.
As a comparison, tools that are built to analyze heterogenous systems ([90], [41]) have the benefit
of being capable of supporting a larger set of possible architectures. However, the price to pay is having
to analyze existing bus protocols and complex scheduling policies in order to translate them into the
general modeling blocks required by the tool. For instance, a PCI delayed read bus transaction actually
needs request-messages to be sent before the actual data is transferred. The standard PCI protocol
imposes a mixed scheduling policy of round robin and fixed priority scheduling. All these additional
messages and implicit scheduling policy need to be considered for safety. This translation requires a
fair amount of learning curve and is still error prone if done manually because it is very tedious. These
complications discourage a user from making frequent architectural changes which may result in a
considerable amount of rework in modeling the changes.
By using an extended AADL model as the input for ASIIST, annotated AADL designs of software
17
tasks, communication flows and hardware designs will be used to automatically generate schedulability
equations. These analysis results are then used to support application specific hardware design deci-
sions. Figure 2.1 and Figure 2.2 actually shows the level of abstraction for our tool to work which is
considered to be user friendly from the architect’s perspective.
In this chapter, we focus on presenting a framework including our tool named ASIIST. As a first
step to show its usefulness, we focus on a specific communication architecture, PCI, simply because
PCI is very common and it is typical of peripheral interconnections. We choose I/O related design
problems because avionics components are often I/O bound and I/O scheduling problems have been a
major source of integration problems found in practice. When data is exchanged through a PCI bus, the
overall delay for data transfer could be inserted in the schedulability equation as the blocking time for
the case when a thread would wait for data to be updated. However, this value greatly depends on the
architecture of the hardware including the bus topology and the behavior of peripheral devices that share
the bus. Failure to capture the effect of I/O devices is a major cause of incorrect schedulability analysis
in avionics. Each new I/O data flow instance will affect all the other flows that share the bus, it is highly
beneficial to have it computed automatically based on the architectural changes made by the designer,
so as to deliver correct information for alternative configurations during early development stages.
Without a tool like ASIIST, it would be time consuming and human error prone to test alternative
designs as frequently as needed.
The rest of the chapter is organized as follows. In Section 2.1, we give an overview of our I/O
design framework. Section 2.2 gives an overview of AADL, how we define modeling blocks, how we
specify data flows, and the extensions we have made to AADL. Section 2.3 explains the algorithm we
are using to analyze PCI buses. In Section 2.4 we explain the architecture of ASIIST and the benefits
of using it. Section 2.6 discusses about the ASIIST support for IMA systems and Section 2.7 presents
the steps of how to design an IMA system with ASIIST. Section 2.8 demonstrates the use of ASIIST
on a case study example. Finally, Section 2.9 explains related work and Section 2.10 concludes this
chapter with future work.
18
2.1 Computer-aided I/O Design Framework Overview
In this section, we will itemize the components of our framework to show the big picture. The frame-
work consists of the following four abstractions.
• Modeling of Bus Communication using AADL: We define abstractions on top of AADL to
better support the modeling of bus communication for ease of use. To support a certain protocol,
such as PCI, protocol-specific modeling blocks are defined. By defining these blocks, we also
restrict users from applying the analysis to invalid models which are not suitable for hard real-
time systems. Other bus protocols can be supported in a similar manner.
• Bus Analysis Algorithm: For ASIIST to be able to analyze an AADL model, we need a bus
analysis algorithm which can incorporate existing bus protocols. In Section 2.3 we briefly in-
troduce a candidate PCI analysis algorithm that ASIIST is supporting which can compute worst
case delay of data transfer and buffer backlog of bridges. However, ASIIST can be extended to
use new algorithms for bus analysis as long as it can be applied to the modeling blocks.
• ASIIST (Application Specific I/O Integration Support Tool): ASIIST is a tool that reads input
from a system model specified in AADL and can perform bandwidth and delay analysis of data
flows that exist for a customized hardware platform. Having a tool which will read large system
designs and build complex scheduability equations to solve is critical to the development of hard
real-time systems.
• A Heuristic System Design Procedure: Even with the information of data flows that exist for a
set of applications, it is an open research problem to derive an algorithm that generates the best
bus architecture. Thus, we introduce the design steps for deriving a schedulable system which
utilizes a heuristic algorithm for building the bus architecture. ASIIST gives greater flexibility
in coming up with a better heuristic algorithm because we are able to analyze the real-time
performance of the architecture generated by the heuristic algorithm in a relatively quick manner.
19
2.2 Modeling of Bus Communication using AADL
We will give a brief overview of AADL in this section and show how it is used or extended to specify
bus communication, using PCI as an example. This includes the modeling blocks for the hardware
architecture, specification of logical data flows, PCI protocol-specific hardware flows, and I/O config-
uration options.
2.2.1 Overview of AADL
AADL is a language based on 15 years of research, including the MetaH language developed by Hon-
eywell Labs and several DARPA programs [18], and it has been applied to many industry examples.
Currently its development is led by Peter Feiler at the Software Engineering Institute (SEI). AADL
provides means of specifying the hardware and the software architecture of embedded systems. With
AADL, we are able to perform various kinds of analyses, such as safety analysis, fault tolerance,
schedulability, system latency, etc. It provides textual and graphical interfaces to allow users to build
the architecture of a system composed of “components” and to specify the interaction among the com-
ponents. The Open Source AADL Tool Environment (OSATE) also supports the development of tools
that perform dynamic or static analysis based on the system specification.
AADL Components
AADL components are divided into three categories: software, execution platform, and system. Soft-
ware components include process, thread, thread group, subprogram and data com-
ponents. To represent the infrastructure, we have the processor, memory, bus and device as
execution platform components. The system component is a special composite component which is
used to divide components into groups or encapsulate components to distinguish them from others as
a separate system object. It could also be used to substitute any new abstract entity that is not pre-
defined above. Software components are bound to execution platform components to represent where
it is executed, for threads, or for data components, where it resides.
Property specification plays a major role in AADL since properties add extra information that
cannot be expressed by structural descriptions. The core AADL has standard pre-declared properties
20
that support real-time scheduling as well as other areas of research. All bindings are done by property
associations in AADL. AADL also provides the syntax to add new user-defined properties.
AADL is also extensible so that we can add sub-languages as annexes to describe more complicated
semantics that can be processed as part of the specification of an AADL model.
Modal Specification
A system can operate in different modes. Each mode can be represented in the form of an AADL
modal specification. In the same manner, property assignment can include mode specification to re-
strict the validity of the property value to certain operational modes. Thus, modes can be used to
represent alternative hardware flow paths for a single logical data flow connection. For multiple mode
specifications among different connections, the OSATE API provides convenient interfaces to check
for every combinatory instance of modes. More information about AADL can be found in [31] or at
http:www.aadl.info.
2.2.2 Modeling Block Definition for PCI Bus Architecture
The general method of defining modeling blocks in AADL is using the standard components that
AADL provides. However, AADL does not include every specific kind of component we may en-
counter during development. For example, AADL does not have bridges, switches, registers, or batter-
ies. However, we would need to identify these types of components if they are to be used for analysis.
These non-standard components are represented by using available component types in AADL that
have a somewhat similar syntax. For example bridges can be represented by device components be-
cause they would be connected to buses and should be considered as a hardware component. If nothing
matches the syntax, there is always the system component, which can be used in almost any possible
syntax.
Basics of PCI Bus Standard
Before explaining the extensions we made for PCI, it would be beneficial to go over the basics of the
PCI protocol. The Peripheral Component Interconnect (PCI) is the current standard family of commu-
21
Figure 2.3: PCI-based platform Example
nication architectures for motherboard-peripheral interconnection in the personal computer market; it
is also widely popular in the embedded domain [4]. The standard can be divided into two parts: a log-
ical specification, which details how the CPU configures and accesses peripherals through the system
controller, and a physical specification, which details how peripherals are connected to and communi-
cate with the motherboard. In this section we focus on the PCI/PCI-X physical specification, which
uses a shared bus architecture with support for multiple bus segments connected by bridges. A typical
PCI-based platform is shown in Figure 2.3. The CPU and main memory are connected through the
Front Side Bus (FSB), which has a CPU-manufacturer dependent implementation. A host bridge is
also connected to the FSB and offers access to the rest of the system using the PCI standard. Each
further PCI-to-PCI bridge connects two PCI bus segments together. The architecture resembles a tree,
where the host bridge represents the root, bridges are intermediate nodes, and peripherals represent
leaves. Data transfers are carried out on each bus segment as non-preemptive bus transactions; the
entity that starts a transaction (either a peripheral or the CPU) is known as the initiator, while the entity
that receives the transaction (either another peripheral or a memory) is known as the target. Each bus
segment has a separate arbiter which determines the order in which initiators are allowed to transmit.
22
If the initiator and target of a transaction reside on different bus segments, then the transaction data is
stored and forwarded by intermediate bridges; note that due to the tree-shaped structure of PCI, there is
a single path between any two bus segments. The PCI standard offers support for several types of both
read and write transactions. Please refer to [4] for details on the PCI bus standard.
Modeling Blocks for PCI
PCI bus is not designed for real-time systems. Since our approach is to develop modeling blocks
corresponding to architecture building blocks for hard real-time applications, the selection of building
blocks, configuration rules and transaction types are important. After receiving hardware architecture
models from industry companies, it became natural to pre-define modeling blocks that represent the
PCI bridge and PCI bus, as shown in Figure 2.3. These are pre-defined in AADL so that users can use
them or extend them. Using these modeling blocks lets us express any tree shape of PCI bus architecture
and easily understand the architecture. AADL allows components to be extended. We use extension
for checking the applicability of an analysis. An analysis could distinguish between a general and an
extended component. In this case, the tool will pass the extended component to the analysis. If the
analysis does not tell any difference, then the tool passes it as a general component to the analysis. In
our examples, host bridge and FSB will be modeled with general bridge and bus components because
the analysis described in Section 2.3 does not consider any extension of these kinds (host bridge and
FSB). Analysis supports general components by assuming worst case scenarios (see Section 2.3).
2.2.3 Logical Data Flows in AADL
Logical data flows are the exchange of data which is required by applications executing in a system.
AADL plays an important role of specifying logical data flows. Figure 2.2 (a) is a graphical example
of a logical flow specified using AADL. It is independent of the hardware through which the data is
physically transmitted and any protocols that are applied to the hardware components. Properties of a
logical data flow include but are not limited to data size, period, deadline, source, and destination.
The standard AADL provides a reasonable syntax for expressing the interactions between software
components by using event ports, data ports, or event data ports and connections.
23
AADL flows can be specified to express a sequence of connections to trace data or control. Connec-
tions can also be bound to buses to analyze the effect of the I/O bus architecture.
2.2.4 Extension for H/W Flow Descriptions
A logical data flow, in reality, will go through multiple hardware components to get to a destination.
If the source and destination applications run on different CPUs that are located in separate systems, it
would even go through a network. Depending on the type of the hardware used, the data is regulated
to experience the already defined protocol for the COTS components it goes through. A designer can
also make I/O configurations, as shown in Figure 2.2, to improve system performance. The real system
performance is dependent on these hardware flows that are derived from the logical data flows and I/O
configurations.
The standard AADL provides a property to specify the hardware flow path for a port connection.
The property Actual Connection Binding is used for this purpose and can have a list of exe-
cution platform references as its value to specify the execution platform resources that are to be used
for the logical data flow. For the example shown in Figure 2.2 (b), we could assign a list value of
“Peripheral, PCI Bus, Bridge, FSB, CPU” to represent the hardware flow path of the data.
However, just using the Actual Connection Binding property is not expressive enough
to represent the various multiple hardware flows that will be used for a single data port connection.
For Figure 2.2 (c), we may try considering a list value of “Peripheral, PCI Bus, Bridge, FSB, System
Memory, FSB, CPU” which somewhat expresses the fact that the data goes through the system memory.
However, this is invalid for the standard AADL property Actual Connection Binding because
it includes a memory reference which is not allowed. The description also does not specify in what
period the peripheral writes to the system memory or what kind of PCI transaction it uses. In the
following, we will extend AADL to address these issues in describing H/W flows for the PCI protocol.
Extensions to AADL for PCI Protocol
We have defined a set of properties to extend AADL to be capable of describing the hardware flows
needed for our new analysis. Adding new properties to AADL is a common practice for new tool
24
Figure 2.4: Hardware Flow Property Definition
developers because additional information needed may be missing in the standard.
Figure 2.4 describes the properties that we have defined. We used the fact that derived set of hard-
ware flows can be categorized into write/read transactions. Write Actual Connection Binding
and Read Actual Connection Binding hold the list of execution platform components for each
write or read hardware flow. Depending on the protocol that PCI bus provides, PCI Write Type and
PCI Read Type can have the values Posted Write, or Delayed Write, and Delayed Read
respectively. These are the transactions that can be supported for hard real-time analysis. Previous ver-
sions of PCI transactions, before 3.0, which utilize blocking, should not be used for real-time systems
because transaction delay can be extremely large in the worst case. Delayed Write is used when
an initiator would like to get acknowledgements that the write transaction has finished. Useful exten-
sions can eventually evolve into annexes and can also be standardized. Although AADL has a standard
property named Period which is used to represent the period of a task, when there are multiple hard-
ware flows, each hardware flow could have a different period. Thus, we have included the properties
PCI Write Period and PCI Read Period to specify the period of each hardware flow.
25
Figure 2.5: Modal Property Assignment Example
2.2.5 Using Modal Specification for I/O Configuration
As we mentioned in Section 2.2.1, design decisions that can be expressed as an AADL property value
can be preserved by using modal specification of the property assignment. Figure 2.5 shows how we
can express the three different I/O configuration options introduced in Figure 2.2. The three types of
configurations are given mode descriptions (option1, option2, and option3) to represent the
options. The period value for each hardware flow can be assigned if it is different from the period of
the logical data connection. The OSATE API will automatically generate different model instances for
analysis based on the collection of available sets of modes for different data connections.
26
Figure 2.6: Equivalence of Bus segments and Subflows
2.3 PCI Analysis Support
In this section, we will give a brief summary of the analysis algorithms that ASIIST currently supports
for PCI bus analysis. Additional details are explained in a technical report [72], but we present a shorter
version for completeness.
The simplest type of PCI bus transaction is posted write. A posted write completes at the initiator
before it completes at the target: in other words, after data has been moved from the initiator to the first
intermediate bridge, the initiator can disconnect from the bus and considers the transaction successfully
completed. In this way, data is posted from bridge to bridge until the target is reached, similarly to
what happens in a packet-switched network. As a matter of fact, we base our analysis on network
calculus theory [20], which is able to compute deterministic delay bounds for network traffic. We
treat all system communication as a set of N flows {f1, . . . , fN}, each between a specified source (an
initiator) and destination (a target). For each flow fi, let Ri(t) be its cumulative function, i.e. the
total number of bytes transmitted by transactions that belong to the flow during interval [0, t] (with the
assumption that Ri(0) = 0). We then model each flow fi using an arrival curve αi(t) : ∀s, t, s ≤
t : Ri(t) − Ri(s) ≤ αi(t − s). Intuitively, αi(t) is a worst-case bound on the amount of traffic
generated by the initiator in any interval of length t. The arrival curve captures the burstiness of the
initiator; as the flow goes through the network, it is buffered multiple times and as a result the worst
case burstiness increases. Network calculus provides a way to compute the burstiness at each stage
27
Figure 2.7: Linearized arrival and service, with theorem bounds
and relates it to the maximum delay encountered by any byte in the flow. More specifically, if fi goes
through Mi network elements, we can define Mi + 1 subflows, where f0i represents the flow produced
at the initiator, f ji , 0 < j < Mi is the flow after passing through j network elements, and f
Mi
i is the
output flow. The goal is then to compute an arrival curve αji for each subflow f
j
i , with α
0
i = αi. There
remains a problem: network calculus considers a system comprised of multiple network elements, or
routers, connected by point-to-point lines, but the PCI architecture employs shared buses. We can still
rely on the network calculus model using the following transformation: we treat each bus segment,
together with all bridges that transmit data on it, as a unique network element. Network elements are
then connected if the corresponding bus segments are interconnected by a bridge. A clarifying picture
is shown in Figure 2.6, for a flow fi that goes through Mi = 4 bus segments numbered B1, B2, B3, B4.
To simplify the analysis, we introduce the following notation: for each subflow f ji , 0 < j ≤Mi, we let
outji be its output network element / bus segment, and for each subflow f
j
i , 0 ≤ j < Mi, we let inji be
its input network element / bus segment. For example, in Figure 2.6 out2i = B2, in
2
i = B3. It follows
that inji = out
j+1
i , which expresses the condition that subflows are concatenated.
Using the network calculus approach, for each subflow f ji we then define a service curve β
j
i :
∀s, t, s ≤ t : Rji (t) − Rj−1i (s) ≥ βji (t − s). The intuitive idea is that in any interval of length t, the
“service” provided to f ji (i.e., how much more traffic is seen on f
j
i at the end of the interval compared
to the traffic seen on f j−1i at the beginning of the interval) is at least β
j
i (t). Service curves are important
because of the following three essential network calculus theorems:
Theorem 1 (backlog bound, Theorem 1.4.1 in [20]) The maximum backlog (number of buffered bytes)
28
suffered by bytes going from subflow f j−1i to subflow f
j
i is B
j
i = sups≥0{αj−1i (s)− βji (s)}.
Theorem 2 (delay bound, Theorem 1.4.2 in [20]) The maximum delay suffered by a byte going from
subflow f j−1i to subflow f
j
i is D
j
i = sups≥0{t : αj−1i (s) = βji (s+ t), t ≥ 0}.
Theorem 3 (flow concatenation, Theorem 1.4.3 in [20]) αji (t) = (α
j−1
i  βjj )(t) where (α  β)(t)
is called the min-plus deconvolution of α by β and is defined as sups≥0 {α(t+ s)− β(s)}.
The flow concatenation theorem lets us compute the arrival curve αji at each step. Delay bounds are
used to obtain the total flow delay Di =
∑
1≤j≤Mi D
j
i . The backlog expresses an important condition
on buffer sizes: in particular, our analysis is valid only under the assumption that buffers never overflow,
which is true if buffer sizes are at least equal to the computed backlog. Unfortunately, Theorems 1-3 are
hard to compute for general arrival and service curves. To simplify the analysis, we therefore propose
to adopt a linearized representation. We consider an upper bound to the arrival curve αji (t) of the form
δji +tρ
j
i , where δ
j
i represents the burstiness and ρ
j
i the arrival rate for α
j
i (t). As for service curve β
j
i (t),
we consider a lower bound (which itself is a valid service curve) of the form max(0, (t−T ji )Sji ), where
T ji is the service delay and S
j
i is the service rate. For simplicity, given this representation we write
αji (t) ≡ (δji , ρji ) and βji (t) ≡ (T ji , Sji ). Figure 2.7 shows examples of arrival and service curves αj−1i
and βji , respectively. Theorems 1-3 can then be rewritten as follows [20]:
Theorem 4 (linearized backlog bound) The maximum backlogBji is bounded iff ρ
j−1
i ≤ Sji , in which
case Bji = δ
j−1
i + ρ
j−1
i T
j
i .
Theorem 5 (linearized delay bound) The delay Dji is bounded iff ρ
j−1
i ≤ Sji , in which case Dji =
T ji +
δj−1i
Sji
.
Theorem 6 (linearized flow concatenation) αji (t) is bounded iff ρ
j−1
i ≤ Sji , in which case ρji =
ρj−1i , δ
j
i = δ
j−1
i + ρ
j−1
i T
j
i .
Intuitively, the delay bound is the maximum horizontal deviation of αj−1i , β
j
i and the backlog and
burstiness are both equal to the maximum vertical deviation. Also note that ρji = ρ
j−1
i , i.e. only the
burstiness changes among subflows of the same flow, not the arrival rate. We can therefore use a single
29
Figure 2.8: Periodic task Arrival Curve derivation for the Initiator
rate ρi for the entire flow and compute just δ
j
i for each subflow. Finally, note that delay and backlog
are bounded if and only if the rate provided by the service curve is at least equal to the rate required by
the subflow, which is to be expected. What remains to be done is to compute the arrival curve α0i for
the input subflow f0i and the service curves β
j
i for all successive subflows of fi.
The computation of α0i depends on the characteristics of the initiator and its produced data. Assume
that initiator traffic is strictly periodic, i.e. the initiator generates ei bytes of traffic every pi time units.
A clarifying example is provided in Figure 2.8, where we plot the cumulative function Ri(t) for the
flow and its arrival upper bound (δi, ρi).
Lemma 7 Consider an initiator with strictly periodic traffic ei, pi. Then α0i ≡ (δ0i = ei, ρi = eipi ) is
an arrival curve for the peripheral traffic.
Proof.
Let R¯(t) be the cumulative function where ei bytes of data are first produced at time t = 0, and at each
subsequent period thereafter. It is easy to verify that R¯(t) captures the critical instant, i.e. for any other
cumulative function R(t), R¯(t − s − 0) ≥ R(t) − R(s). To show that α0i is a valid arrival curve, we
then only need to check that α0i (t) ≥ R¯(t) for all t, which is trivial. 2
We now focus on the derivation of a service curve βji for subflow f
j
i . Assume that f
j
i is produced
by element Bk, i.e. out
j
i = Bk. Intuitively, the service curve β
j
i depends on two elements: the
subflows that are input to Bk, and the transmission policy followed by all elements that comprise Bk
(bus segment arbiter and bridges that transmit on Bk). The PCI standard does not impose any strict
30
constraint on bus segment arbitration, instead mentioning only a weak fairness condition, in the sense
that a backlogged subflow must eventually be allowed to transmit. Since bus arbitration logic designs
are work-conserving: if subflow f j−1i is backlogged and Bk is free, then f
j
i must be transmitted. This
is equivalent to assuming that f j−1i has the lowest priority among all other input flows to Bk (f
j
i
is transmitted iff no other input flow is backlogged). To simplify the analysis, we define the set of
interfering input flows as follows:
interji = {f ql : l 6= i, inql = outji}. (2.1)
In other words, interji is the set of all input flows to Bk except for f
j−1
i . Furthermore, let C be the
speed of bus segment Bk in bytes/s. The following result can then be proved:
Theorem 8 (Proposition 1.3.4 in [20]) A valid service curve βji is (T
j
i =
∑
f
q
l
∈interj
i
δql
C−∑
f
q
l
∈interj
i
ρl
, Sji = C −∑
fql ∈interji
ρl).
We can then apply Theorem 6 to obtain arrival curve αji .
Corollary 9 αji (t) is bounded iff
∑
fql :in
q
l =out
j
i
ρl ≤ C, in which case:
δji = δ
j−1
i + ρi
∑
fql ∈interji
δql
C −∑
fql ∈interji
ρl
. (2.2)
The inequality
∑
fql :in
q
l =out
j
i
ρl ≤ C expresses the necessary condition that the sum of the rates of
all incoming flows to a bus segment must be smaller than C, i.e. the bus segment utilization must not
exceed one.
If we know more about the implementation of arbiters and bridges, we can improve the bound of
Corollary 9. In particular, most bridges buffer all posted writes transmitted on the same bus segment in
a single FIFO queue. In network calculus terminology, subflows stored in the same FIFO are referred
to as aggregate traffic. We can formally define aggregate subflows as follows:
aggrji = {f ql : l 6= i, outql = outj−1i ∧ inql = inj−1i = outji}. (2.3)
In other words, aggregate subflows are all subflow between the same input and output network elements
as f j−1i . Aggregate subflows must be removed from the interfering set:
interji = {f ql : l 6= i, inql = outji ∧ f qi 6∈ aggrji }. (2.4)
31
Figure 2.9: PCI Delayed Read Transaction
Arrival curve αji can then be computed using the following theorem:
Theorem 10 αji (t) is bounded iff
∑
fql :in
q
l =out
j
i
ρl ≤ C, in which case:
δji = δ
j−1
i + ρi
∑
fql ∈interji
δql +
∑
fql ∈aggrji
δql
C −∑
fql ∈interji
ρl
. (2.5)
Proof.
The proof follows directly by computing the service curve of Theorem 8 for subflow f ji and all aggre-
gate flows, and then using such service curve in Theorem 6.4.1 in [20], which expresses flow concate-
nation in the aggregate case. 2
The difference between Equations 2.5 and 2.2 is that the rate of aggregate flows does not need to be
subtracted from C. Intuitively, this is because after a byte from f j−1i enters the FIFO, it cannot suffer
interference from later bytes of aggregate flows.
We now extend the analysis to cover read transactions in the form of delayed reads. Delayed PCI
transactions are very complex. In the following, our analysis uses a worst case approximation. If the
initiator and target reside on different bus segments, a read transaction requires two flows: a forward
flow that carries requests for data read, and a backward flow that carries the read data. An example of
delayed read is shown in Figure 2.9, where {f0i , . . . f4i } represent the forward flow, and {f¯0i , . . . , f¯4i }
represent the backward flow. Note that fMi−1i ≡ f¯0i and fMii ≡ f¯1i , i.e. the forward subflow on the
last bus segment, which obtains the data from the peripheral, is now the part of the backward flow
32
Figure 2.10: Periodic task Arrival Curve derivation for the Target
which receives its input flow from f¯0i . As shown in Figure 2.9, we can interpret the backward flow
to be a posted write in the opposite direction with f¯0i as the flow generated by an initiator. Requests
take very little time on the bus; hence, we assume that the impact of the forward flow on the first
Mi − 1 segments (B1 to B3 in the example) is negligible and we exclude {f0i , . . . fMi−2i } (f0i to
f2i in the example) from the analysis. Instead, we assume that the designer specifies both maximum
and minimum delay ∆max,∆min required to propagate a read request at each stage1 , such that the
maximum forward delay for the first Mi−1 segments is (Mi−1)∆max. Since the output forward flow
fMii carries data, we need to analyze the last bus segment (B4 in the example); this implies deriving
an arrival curve for fMi−1i ≡ f¯0i (f3i in the example). Again suppose that the flow is periodic with ei
bytes of traffic in every period pi. The worst case arrival pattern for the cumulative function Ri(t) for
subflow f¯0i is shown in Figure 2.10, where we assume that in one period the read request reaches the
target after the maximum delay (Mi − 1)∆max, and in all subsequent periods it reaches the target after
the minimum delay (Mi− 1)∆min. The following result can then be proved using the same strategy as
Lemma 7.
Lemma 11 Consider an initiator issuing a delayed read for ei bytes every period pi. Then α¯0i ≡ (δ¯0i =
ei(1 +
(Mi−1)(∆max−∆min)
pi
), ρ¯i = eipi ) is an arrival curve for subflow f¯
0
i ≡ fMi−1i .
Using the result of Lemma 11 together with Equation 2.2 we can first compute burstiness for fMii ≡ f¯1i ,
and then for all remaining backward subflows. However, we need to apply one simple modification for
1In general, ∆max depends on the bus arbitration; for example, in the case of round-robin it can be computed assuming
that each device attached to the segment transmits a single transaction before the bridge is allowed to send the request.
33
Figure 2.11: Two Flows Circular Example
posted writes: according to PCI specification, delayed transactions have lower priority than posted
writes buffered in the same bridge. Hence, we remove delayed subflows from the interfering set of
posted writes. Finally, the overall read delay can be obtained by summing the forward delay and the
backward delay computed according to Theorem 5.
2.3.1 Example
We now provide an example to show how the analysis can be applied to a concrete case. It is important
to note that the burstiness bounds of Equations 2.2, 2.5 directly hold only for feed-forward configura-
tions, where there are no circular dependencies among flows. In this case, Equations 2.2, 2.5 can be
applied to iteratively compute all burstiness terms dji . In practice, many configurations do have circu-
lar dependencies among flows. Consider the system with two posted write flows f1, f2 and three bus
segments depicted in Figure 2.11, where we assume that δ01 , δ
0
2 are known and ρ1 = ρ2 = ρ ≤ 0.5C.
Using Corollary 9 would yield six equations for burstiness δ11 , δ
2
1 , δ
3
1 , δ
1
1 , δ
2
1 , δ
3
1 :
δ11 = δ1 + ρ1
δ22
C−ρ2 δ
1
2 = δ2 + ρ2
δ21
C−ρ1
δ21 = δ
1
1 + ρ1
δ12
C−ρ2 δ
2
2 = δ
1
2 + ρ2
δ11
C−ρ1
δ31 = δ
2
1 + ρ1
δ2
C−ρ2 δ
3
2 = δ
2
2 + ρ2
δ1
C−ρ1
(2.6)
Note that there is a circular dependencies between δ21 , δ
1
2 and between δ
2
2 , δ
1
1 , hence we cannot compute
them directly. To solve this problem, we follow the methodology delineated in Proposition 2.4.1 in
[20]. We first note that Equations 2.2, 2.5 are linear in the burstiness terms. We can therefore use
them to obtain a linear system of equations of the form ~x = A~x +~b, where ~x is a vector of unknown
burstiness values, A is a square matrix and~b is a vector of known values. Furthermore, it can be shown
34
that following Equations 2.2, 2.5 both A and ~b are non negative. Hence, if all eigenvalues of A are
within the unit circle, (I − A)−1 is also non negative and ~x can be computed as ~x = (I − A)−1~b. By
following the time stopping principle [20], it can then be proven that ~x indeed provides a valid upper
bound for burstiness.
Following the above technique, we can compute δ11 , δ
2
1 , δ
1
1 , δ
2
1 using the following system:
~x =

δ11
δ21
δ12
δ22

, A =

0 0 0 k
1 0 k 0
0 k 0 0
k 0 1 0

,~b =

δ1
0
δ2
0

, (2.7)
where k = ρC−ρ . The eigenvalues are ±
√
k2 + k and ±√k2 − k; by solving for ρ we obtain that a
solution exists if ρ ≤ 3−
√
5
2 C ≈ 0.382C. It is interesting to see that the condition implies that we
are not able to find delay bounds even when bus utilization is as low as 77%. Note, however, that
the derived condition on A is only sufficient: if all eigenvalues are within the unit circle, then we
can compute bounded delay and backlog, but even if the eigenvalues are outside the unit circle, delay
and backlog can still be bounded. In fact, the derivation of necessary stability conditions for general
networks is still an open problem.
This concludes the explanation of the PCI bus analysis algorithm that ASIIST will be using. As
already mentioned, for more detail please refer to the technical report [72] which includes full details
of the analysis. Note that for non-PCI buses, ASIIST would use the worst-case analysis case which
assumes that any other flow that shares a bus would have a higher priority than itself with round-robin.
2.4 Application Specific I/O Integration Support Tool
ASIIST (Application Specific I/O Integration Support Tool) is a plug-in tool that is added to the OSATE
working environment to support application specific design of I/O architectures.
2.4.1 ASIIST Architecture
The architecture of ASIIST is shown in Figure 2.12. The thick-lined squares represent the inputs that
need to be provided to ASIIST. The OSATE API provides the AADL instance model of the system.
35
The user can configure three additional inputs to have ASIIST perform a customized bus analysis. All
of the following configurations are stored as an XML [1] file that will be filled out through a graphical
user interface. This helps assure that no invalid input is given.
• HW Component Identification Rules: Previously in Section 2.2.2 we have explained that ex-
tension is used for modeling blocks and that it is also used to identify the components that an
analysis would support. To identify any component that is needed by the analysis, identification
rules need to be expressed explicitly to assure the user that the model is read correctly into the
tool. An example rule would be to check component type identifiers.
• Bus Protocol Validity Checking Rules: For any analysis, there are assumptions about the struc-
ture of the model in hand. For a PCI bus protocol, we would have to assume that each PCI bridge
can only have two buses and that the structure is a tree. This and many other conditions need
to be satisfied for the analysis to hold later. It is much less error prone to have these structural
conditions checked prior to running the actual analysis. Also, a user interface guides the user in
defining the rules and will confine the structural aspects of the model to instances that are valid
for analysis.
• Bus Analysis Configuration: Bus analysis configuration provides the optional settings of the ac-
tual bus analysis. When developing an analysis mechanism, we often confront situations where
more than one method of analysis could be valid. One method might be better for certain situa-
tions, while another may be better for others; one method may give a better result but is appli-
cable for only a subset of the possible models. Bus analysis configuration represents the various
optional methods available for general cases and shows the ones covered by the current tool.
With the above inputs for the tool, we will briefly explain the rest of the architecture shown in
Figure 2.12. Using the AADL instance model and the component identification rules, the AADL
component handler will pass on a component to the component builder. The bus protocol builder
will have all the data to verify that the instance model is valid when the model is interpreted with
the component builder. With the combination of the two builders, we will have a model, specific
to bus analysis, that can be analyzed by the bus delay analyzer. For any complicated mathematical
36
Figure 2.12: ASIIST Architecture
computation, such as matrix inversion, we use the Mathematica Kernel [6] as a computational engine.
In order to use the Mathematica Kernel from a Java environment, we use a toolkit named J/Link to
communicate mathematical expressions to the kernel and get the answers back. Using Mathematica
enables us to solve linear equations easily and to symbolically get solutions for unknown parameters.
The user can modify the database after it is initially loaded from the AADL instance model to try new
parameter values, such as period values, to manage the delay factors of all the hardware flows. For
instance, to assist the decisions on the periods, the user can change the value of a period into a variable
to see how it is related to delay values as an equation. Finally, when the user has a satisfiable selection,
we reload the changes back to the AADL instance model for update.
We have designed the architecture of ASIIST to allow users to specify preferences within a type
of bus protocol and bus analysis algorithm that is to be used. Since the actual bridge implementation
is flexible for manufacturers, this architecture also allows the user to configure the model to match
the actual implementation of the hardware as closely as possible and check whether it is a supported
model for the analysis. Checking for the correct models and using the correct analysis method is very
important and should be automated in case users are not familiar with the details of buses.
37
2.4.2 Benefits of using ASIIST
In this section, we discuss the benefits of using ASIIST.
Evaluation of Larger Design Spaces
In evolutionary designs, old software is upgraded and then ported to new hardware platforms. In this
case, the system architect provides hardware engineers with the logical software architecture in the
terms of memory requirement, task processing requirement in terms of MIPS, and I/O requirement in
terms of device I/O period and deadlines, I/O flow topology and workload (MB per sec). For one-of-a-
kind new systems, the software architecture may be significantly modified during the hardware design
process.
The design of complex I/O is particularly challenging due to the large set of design alternatives,
due to the time consuming process of developing schedulability equations by hand for each alternative.
This is especially challenging for one-of-a-kind new systems. The lack of capability to accurately
and rapidly analyze design alternatives often results in I/O hardware that does not meet requirements.
Should this be discovered during system integration, the redesign may result in serious schedule and
cost overrun. Using ASIIST, a designer can check the real-time I/O performance as soon as (s)he enters
a design alternative into annotated AADL, investigating a much large number of design alternatives and
find the near optimal one before committing to implementation.
Extensibility and Scalability
Extensibility is achieved by using three isolated layers of data structures involved in the process of
analyzing a system model for I/O analysis. As shown in Figure 2.13, any new bus protocol or bus
analysis algorithm will only affect the usage of the upper layer’s data structure. Interfaces are defined
to acquire the upper level’s data flow information. The bus protocol is used to interpret the logical data
flows and create a complete list of the actual hardware flows that exist in the system. Protocols often
mandate priorities among the types of flows as well, so this information should be included in Layer
2. Using the list of hardware flows and the priority relations, the bus analysis algorithm generates the
proper data structure that is needed for the analysis. From this layered data structure, new bus protocols
38
Figure 2.13: Layered Data Structure for Extensibility
or analysis algorithms can be changed without affecting the format of the other layers.
Scalability of a tool is especially important when it is used for frequent analysis of large systems.
ASIIST manages the change in data flows to identify situations when new analysis can be localized
and does not have to be rerun for the whole system. The locality of an analysis also depends on the
algorithm that is being used. Some algorithms will have a better capability of localized analysis while
others would require all the flows to be computed at once. The abstraction model that ASIIST maintains
to provide scalability is depicted in Figure 2.14. Because each bus segment can correspond to the upper
bridge which is the arbiter, we can represent the workload of each bus segment as Bi(Win,Wout) for
each bridge. Win represents the list of H/W flows that is contained in the bus segment of a flow that
moves downward from the upper bridge and into the bus. Wout is the list of H/W flows that goes upward
through the upper bridge to another bus segment. Wout of a lower level bridge will fill in the Win or
Wout of the upper bridge depending on where the flow goes afterwards. Having Wout as a separate
list assists in managing the propagation of data flows because a flow in Wout must always exist in at
least two other lists of Wins. Using this abstraction model, any alteration of hardware flows caused
by modification of the system specification can then be analyzed to search which bus segments need
to be locally analyzed and updated. Whenever the list of flows in Win or Wout changes for a bridge,
the corresponding bus segments and the lower bridges that also have changed should be reanalyzed.
39
Figure 2.14: Abstraction Model for Scalability
Moreover, we have the option of deferring analysis in cases when the list of Win decreases because it
will not increase the delay for the flows within the bus segment.
Low Overhead of Usage and Reduction of Human error
ASIIST is benefited by the current movement in avionics of adopting AADL to model their systems.
Thus, there is less overhead of building a separate model in AADL for this particular analysis. The
reusability of model-based engineering encourages developers to put forth the extra effort to specify
additional information for the complex analysis.
With hundreds of flow specifications and the changes that are made to the hardware architecture,
it is error prone to have a human build the schedulability equations by pencil and paper. ASIIST will
greatly reduce the human error factor in doing analysis with its automation capability.
2.5 Graphical User Interface of ASIIST
In this section we will go through the GUI-based features of ASIIST. Figure 2.15 shows the main
window of ASIIST with schedulability analysis tab selected. Each type of analysis in ASIIST has a
dedicated tab. In each tab, the left side contains a table of existing operational modes that are defined
in AADL (Section 2.2.5). If there are no modes defined in the model, it will show “No Modes” as
in Figure 2.15. Every tab has a table in the middle which shows all analysis-related model elements
as a tree. For schedulability analysis, the tree starts with a root processor and then expands to all the
40
Figure 2.15: Main window of ASIIST
applications that are bound to the processor. Depending on the software model, they could include
multiple levels of thread groups. For IMA systems, partitions are included between the processors and
the process. At least one thread in a process is required for schedulability analysis. A root processor
can be single core or multi-core processors where multi-core processors are represented as a system
with multiple processors (cores). Any yellow column in the table contains editable parameters and any
non yellow columns are analysis results. Some analysis results are yellow which means that users can
overwrite the analysis result to save tested data into the model. On the right side of the tab are the
control buttons. These buttons are used for activities such as reloading the model, running analyses,
and opening additional GUI windows for property input and architectural model changes.
2.5.1 GUI-based Software Model Design
Figure 2.16 shows the GUI for designing the software model with ASIIST. In the left side window is a
tree of all the software components and device components that exists in the model. Blue edges repre-
sent an incoming connection and green edges represent outgoing connections. In the right side window,
there are multiple tables that show any type definition that exists in the model for software components
and devices. Users can drag-and-drop from the table to the left side window to add instances of such
types to the model. Right clicking on any component would open a pop-up menu to edit properties,
41
Figure 2.16: Software Design Support
Figure 2.17: Software Design - Popup Menu
42
Figure 2.18: Software Design - Editing Port Wizard
add/delete ports, add/delete connections, add/delete end-to-end flows and also to remove the instance
(Figure 2.17 and 2.18).
Wizards are always used to guide the user into being aware of the property values that we are
interested in for schedulability analysis and latency analysis as well as changing (Figure 2.19).
2.5.2 Application Resource Assignment
Once a software model is built, the Resource Assignment Model View window (Figure 2.20) can be
opened to assign applications to any computational resource such as a processor or an IMA partition.
This is done by a drag-and-drop from the right table in Figure 2.20 to one of the resources in the left
tree. The right side table contains any software process component that is not yet assigned to a resource.
Applications can be moved around from the left window by detaching the process component and
reassigning it another resource. ASIIST does the job of making sure that when moving a component
to another processor the I/O configurative properties are updated to the new hardware model based on
searching for the same hardware component types as before. When a matching component is not found,
it would remove the property and notify the user. We can also configure IMA partition sizes and IMA
schedules from this window by pop-up menus and wizards.
43
Figure 2.19: Software Design - Editing Thread Property Wizard
Figure 2.20: Resource Assignment Model View
44
Figure 2.21: Internal Hardware architecture and Data flows
2.5.3 Internal Hardware architecture and Data flows
Figure 2.21 is a screen shot of the ASIIST GUI for viewing the internal hardware architecture. This
view is used to check the internal I/O behavior for computing modules without network flows. On
the left is a graph of the hardware model with data flows drawn on top of them based on data paths.
There can be many data flows inside a single module. Thus, we have implemented many methods of
filtering flows that are not of interest. Coloring schemes for the data flows can be changed. A bus flow
filter is used to show only the data flows that are analyzed to be close to their deadlines by a selected
percentage. Also, logical connections from the table can be selected to check only those connections.
From the hardware graph, hardware components can be highlighted to show only the data flows that
go through these hardware components. For IMA systems, highlighting a partition would highlight to
only the data flows that exist during that partition.
In Figure 2.22 we show the before and after of when a user detaches “peripheral4” (inside the red
dashed line box) and drops it into a different bus to analyze a different hardware architecture instance.
I/O data flows are rerouted accordingly.
45
Figure 2.22: Hardware Architecture Change
2.5.4 Network architecture and Data flows
ASIIST also supports modeling of the network flows. Since applications can always be assigned to
processors that are connected through a network, ASIIST provides the user with a graphical view of
the network architecture and network data flows. Figure 2.23 demonstrates a small model. GUI usage
is similar to the internal hardware architecture view.
Figure 2.24 is a screen shot of a real aircraft model where there are more than 3000 network
connections. The figure is intentionally blurred for proprietary reasons and presented with permission.
A subset of network flows are shown because it is filtered by selecting an application on the right side
table. Only network connections that go in and out of the selected application are displayed. The
hardware network model includes LAN buses, switches, and various computing modules. The red
components are buses that have a bus utilization higher than 50%, a limit that is configured by moving
one of the sliders.
2.6 Integrated Modular Avionics Systems and Problem Review
Large and complex hard real-time systems such as avionics require numerous decisions to be made
during design. These may include the PCI [4] bus architecture design using COTS (Commercial off-the-
shelf) components, the tradeoff between computation time and bandwidth, and the usage of DMA-like
46
Figure 2.23: Network architecture and Data flows
Figure 2.24: Real aircraft model (Intentionally blurred)
47
transactions. With the avionics industry moving toward using Integrated Modular Avionics (IMA) [7],
more decisions such as assignment of software applications to partitions, partition sizing, and partition
order are required as well.
IMA is an architectural concept for hosting multiple software applications on a networked set of
computational nodes. Each node may contain several software applications with temporal and spatial
isolation guaranteed for safety. The ARINC 653 standard [10] defines the constraints that ensure the
necessary partitioning of the processing resource among the software applications that share a proces-
sor, so that lower-criticality functions cannot affect the execution of higher-criticality functions. The
standard also defines an API so that applications can be ported to different OSes that support ARINC
653. The Avionics Full-Duplex (AFDX) [8] switched ethernet specification supports the development
of highly reliable, deterministic data networks to support IMA. These standards, along with the flexi-
bility of hosting software on any of the multiple processors, are intended to simplify the development
and integration of complex avionics architectures.
While applying IMA to commercial airliners has been successful, some, such as the Boeing 777,
used a specialized backplane data bus, commercially known as SAFEBus [42], to handle the unpre-
dictable I/O traffic [29]. However, with modern applications requiring large amounts of visual display
data, the SAFEBus (60Mbps) is no longer fast enough. Inventing a new faster specialized bus to re-
place SAFEBus would only be a temporary solution until the new bus also becomes obsolete. Using
COTS-based systems has been considered to be an attractive solution in terms of overall cost ([14, 74]),
and major avionics companies are trying to implement IMA on COTS-based systems. Because of the
nature of resource sharing in IMA systems and the use of COTS components, many side effects exist
across temporal partitions due to I/O traffic. The problems that we are interested in are the following,
P1: I/O cache interference across partitions: I/O traffic that accesses the main memory can
increase the execution time of the application that is currently executing on the CPU by delaying its
cache fetches [70, 79]. This phenomenon can even happen due to I/O traffic that originally exists for an
application running on a different partition. I/O transactions can be initiated by a DMA peripheral at
any time and thus the temporal isolation is not guaranteed for I/O. As a result, execution time will vary
depending on applications running on different partitions and cannot be fully tested until all partitions
are integrated. This necessitates the use of a tool like ASIIST, that can also support IMA, to analyze
48
such effects and determine correct partition sizes for schedulability.
P2: Indirect bus overload across partitions: With the increase in visual display data in modern
applications, applications require more data to be received and stored periodically. It may be small
enough to be stored in main memory or it could be stored in a much larger storage (such as flash mem-
ory) for playback features. While such I/O data is intended for an application that executes during one
partition, the arrival and storage can happen during any partition. When using general high perfor-
mance bus architectures for these types of data intensive applications, the large bus transactions can
easily overload a bus segment for a certain partition. Then, the number of applications that is supported
by one computational node will be constrained by the bus load. This also needs the assistance of a tool
that supports IMA because it is difficult to manage and analyze all possible I/O traffic that can exist for
one partition. Such information is not limited to the set of applications assigned to one partition and
will change dynamically as other developers modify their separate applications.
P3: Increased latency in IMA systems: Although the total load on a bus segment may be less
than the bus speed, this does not mean that its real-time properties such as delay or latency are guaran-
teed. In avionics, the age of data is very important for the quality of responsiveness of control related
applications. The latency of safety-critical flows must meet its requirements. The ARINC 653 and
664 (AFDX) standard do not define how I/O data is actually handled, which is OS implementation
and configuration dependent, once it arrives at a computation module. As data passes through local
buses inside the computation module, the bus delay will add up to the age of data depending on the bus
architecture and other data flows that coexist. In IMA systems, there is an additional phase delay due
to the time that applications wait for their partitions. Depending on the frequency of the partition, the
maximum phase delay will vary and change the worst case latency of data flows.
With these problems in mind, one approach to designing a COTS-based IMA system is to use an
iterative heuristic algorithm to make design decisions. However, this can easily become unrealistic
for early architectural decisions when the decisions have complex interactions and when each iteration
takes significant time to be evaluated. Iterative heuristic algorithms require repeated evaluation after
incremental changes. For example, in Figure 2.25, a simple architectural change of the PCI bus tree
architecture from Figure 2.25 (a) to Figure 2.25 (b) results in changes to the data flows as well as to
the structure of the schedulability equations. Only when we have a software tool with the capability to
49
Figure 2.25: Architectural Change of COTS Components
analyze schedulability while taking into account the previously mentioned concerns in a COTS-based
IMA environment can we apply an efficient iterative heuristic algorithm.
2.6.1 Schedulability Analysis with I/O Cache Interference
ASIIST can perform two types of analysis: (a) schedulability analysis and (b) bus delay analysis.
Schedulability analysis is performed using WCET information obtained from other tools [40, 91, 61].
Once the WCET for each task in the application is measured, it is specified in the AADL model and
then presented as inputs to ASIIST. Note though, that the WCET analysis was performed in isolation
from other applications and also assuming that no external bus traffic exists. When multiple applica-
tions execute together on a CPU with caches, the effects of interfering communication flows must be
considered. Since memory is a shared resource, whenever a CPU cache controller tries to fetch a cache
line after a cache miss, it can potentially be delayed by a peripheral reading/writing in memory. This
will, in turn, delay the application by increasing its total WCET. It has been shown that this WCET
increment can be up to 44% [70], which can be quite significant.
Our analysis techniques are able to compute upper bounds on such increases in WCET, given infor-
mation about both the task under analysis as well as the peripheral traffic in main memory. Tasks are
statically divided into a series of sequential superblocks {s1, . . . , sSi}. Each superblock could include
50
Figure 2.26: Hardware Flow across Partitions
branches and loops, but superblocks must be executed in sequence. We assume that the WCET (with-
out considering peripheral traffic) and the number of cache misses (worst case) for each superblock is
available. As for peripherals, we assume that a bound on the total traffic to main memory is known.
This can be computed based on the bus analysis techniques presented in [72]. Given this information,
the algorithm introduced in [70] is able to compute maximum cache delay for each superblock and
hence derive a new modified WCET for the task.
ASIIST then uses this modified WCET and the scheduling algorithm described in [82] to determine
the schedulability of applications sharing a CPU in an IMA system. ASIIST will show a graphical
table of the components and their schedulability result along with other parameters of interest. Users
can make simple changes to some of the parameters (changes that do not require architectural changes)
to test new values without reloading the whole model. Figure 2.32 is an example of the output that
ASIIST shows.
51
2.6.2 Bus Delay Analysis with IMA Specification
As mentioned in the previous section, ASIIST can also perform bus delay analysis. A logical data
flow that is specified as a connection between two processes in AADL will, in reality, go through
multiple hardware components to get to its destination. For example, a PCI [4] interconnection has a
tree structure where peripherals transmit on bus segments connected by bridge components. If CPUs
from separate computing platforms exchange data, the flow could even go through a network.
A designer could also specify, as input, a different I/O configuration (Figure 2.26) to improve
system performance. System performance is dependent on the hardware flows that are derived from
logical data flows and I/O configurations. Hardware flows are defined by the sequence of hardware
components through which the data actually flows. In Figure 2.26, there are three hardware flows.
One hardware flow exists for the request message that is initiated by an application executed on the
CPU (f1). The second hardware flow is the actual data that is sent from the local memory to the
processor or main memory to be read (f2). The third is the hardware flow where the peripheral sends
data to the local memory to be stored (f3).
With IMA support, ASIIST characterizes logical data flows and infers their effects on each partition
based on what kind of component is initiating the bus transaction. If the component is an application
running on a CPU, any hardware flow that the application directly initiates (f1) or requests (f2) would
be considered to exist only in the same partition as the application. If a general peripheral were to
initiate a bus transaction (f3), the hardware flow is considered to exist across all partitions in its system
unless specified otherwise. If the application which requires these data flows is assigned to partition A,
the hardware flows will exist as described in Figure 2.26. Thus, having an application that is assigned to
one partition, but requires such data flows, will eventually increase the data traffic across all partitions
for the bus components that f3 always goes through.
While this is a simple fact that should be noticed by system developers, it is very difficult to be
recognized by conventional testing methods. Each partition of an IMA system is developed by separate
entities and tested in isolation. During this phase of development, other hardware flows that exist for
other applications in different partitions do not exist and become untestable. Thus, using a tool, such
as ASIIST, that supports IMA is valuable during the phase of hardware I/O architecture design.
52
2.6.3 Real-Time Bridge Support
ASIIST now supports the specification of real-time I/O management systems through Real-Time Bridges
[13]. Real-time bridges are transparent components that control the behavior of one or more COTS pe-
ripherals. In particular, a real-time bridge can intercept all incoming and outgoing traffic to and from
a peripheral and buffer it in a provided local RAM. The traffic can then be delivered from and to the
main system RAM in a predictable manner as specified by the system designer. This framework is
completely COTS-compatible, allows driver reuse and requires minimal OS modifications.
Real-time bridges are used to limit the interference of bus flows that are intended for a different
partition: master peripherals can use real-time bridges to store their data and send them out at pre-
configured partitions. This allows high-bandwidth peripherals to be blocked from the bus for relatively
long periods of time without suffering from data loss. When real-time bridges are used, ASIIST updates
the flow parameters of all the data flows that are initiated by the peripheral and limits their effects to
only the partitions where they are allowed.
With ASIIST, we can now use iterative heuristic algorithms as part of an IMA system design that
considers schedulability to decide upon architecture tradeoff decisions. ASIIST improves the time
requirement for each iteration step and assists the designer to make design decisions based on I/O
interferences that exist across temporal partitions in IMA systems.
2.7 IMA System Design with ASIIST
In this section, we define the formal steps of building a COTS-based IMA system architecture which
incorporates the influence of I/O traffic. The process is divided into two parts, partition management
and I/O bus architecture design. First of all, partition management is done to make sure that the CPU is
schedulable considering the I/O requirements of the applications that are assigned to it. Next, knowing
the predetermined I/O data flows that need to exist for each partition, we build an application-specific
design of a COTS-based I/O architecture that would balance the workloads for each partition just
enough so that all the deadlines of the flows are met.
53
Figure 2.27: Example of Partition Assignment
2.7.1 Partition Management (PM)
During IMA system design, partition management (CPU scheduling) and bus architecture design are
generally simplified to be independent. However, the effect of I/O cache fetch interference is apparent
for I/O data intensive applications. We do partition management before deciding upon a bus architecture
because the influence of migrating an application on bus architecture design is much greater than the
other way around. We would like to consider problem P1 during partition management. This mostly
occurs because of DMA transactions.
DMA transactions that are unrelated to the application running in the current CPU partition can still
exist in a partition. This is due to the capability of master peripherals that can initiate bus transactions.
Although this type of bus transaction can violate the isolation property of IMA systems in the sense that
bus traffic for one partition exists within another, this is still needed because some data are required to
be up to date prior to its partition so that when a partition starts, it would read fresh data. However, this
poses unpredictable side effects on schedulability analysis. If we consider data to arrive at any time,
due to the uncertainty of network delay, we have to assume that this data flow exists throughout all the
partitions as the worst case. When the data flow accesses the main memory, it can increase the WCET
of all the applications in all partitions. This increase in WCET is also difficult to detecte in real life
because each partition is likely to be tested in isolation and the final integration only happens towards
the end of the development cycle. Applications that were schedulable with their CPU partition budget
will unexpectedly miss their deadlines after integration.
The steps to carry out partition management (PM) are:
PM Step1: Each application is initially assigned to a partition. This is decided by many reasons which
54
include fault tolerance, safety, and concurrent engineering of different development parties. The par-
tition size is given as a reservation and depends on the WCET of the set of applications running in
the partition. The frequency of a partition and the size of the major cycle are decided by the highest
frequency of the tasks and the required partition table size. Partition table size needs to be kept small
for efficiency. Partition size can be represented as the percentage of the CPU cycles or the duration in
time. Figure 2.27 shows an example of a partition assignment example. We assume that such partition
sizes are initially determined and the schedulability of each partition is proven in isolation by their
development teams.
PM Step2: Check schedulability of all partitions as a whole. ASIIST is used for schedulability anal-
ysis because it supports I/O cache interference as described in Section 2.6.1. This is possible at this
stage because the AADL model of the applications already includes the specifications about the bus
traffic it requires and produces, regardless of the bus architecture. This is enough information to do
an initial analysis of the I/O cache interference among the partitions to check the side effects and redo
schedulability analysis with updated WCET.
PM Step3: If a partition is unschedulable after applying I/O cache interference, there are two types of
fixes that can be done. One is to increase the partition size to support the increase in WCET. Another
method is to use real-time bridges, as described in Section 2.6.3, to reduce the increase of WCET. Of
course, using more real-time bridges would increase manufacturing costs.
After several iterations of PM Step2 and PM Step3, we will end up with a partition assignment
which is schedulable. The next step is to design a bus architecture that would balance the workloads of
buses so that the partition assignment would actually be feasible with no bus flow deadline misses.
2.7.2 I/O Bus Architecture Design for IMA
After all the applications for each partition are decided and checked for schedulability, we use the
data flow information of each application to build an application specific I/O bus architecture for IMA
systems. This part handles problem P2 and P3. We first define a measure of allocation priority.
55
Allocation priority represents the difficulty of scheduling a partition or a data flow. It is used as the
metric for ordering the partitions to manage first and the data flows to schedule first. Flows that have
larger data and higher frequency would have a higher allocation priority. Also, if the speed of the bus
that it goes through is lower, it would be more difficult to schedule that flow. Another related factor is
the deadline requirement of the flow. For data flows, relative deadlines can be larger than the period
of the flow. Compared to the period, relatively shorter deadlines will increase the allocation priority.
Considering all the above, we can express allocation priority as the following for all data flows,
w · L
d · C . (2.8)
w is a weight factor that can be adjusted by the designer with the initial value of 1. It is used to
artificially increase the allocation priority of (failed to schedule) data flows. L is the load which is
calculated by the data size divided by the period. d is the deadline and C is the minimum speed of the
buses the flow goes through.
The allocation priority of each partition can be defined, as one wishes, using the allocation priority
of the data flows that exist in the partition. For example, it can be the sum of the allocation priorities
or the maximum allocation priority of the data flows. Using the measure of allocation priority, we will
define a designer guided iterative heuristic algorithm that is used for I/O bus architecture design in the
context of IMA systems.
First Fit Decreasing (FFD) algorithm for I/O balancing
In this section, we will give a summary of a sub-level iterative heuristic algorithm that can utilize
ASIIST to come up with an application-specific design for an I/O architecture within a partition. This
is used as a step in the extended version of the algorithm which is explained later in Section 2.7.2.
Building the best bus architecture, based on the applications that use the bus, is an open research
problem. Thus, we suggest a promising iterative heuristic algorithm. The availability of ASIIST greatly
facilitates the development of such heuristic algorithms for solving this problem. This is due to the
nature of changing the bus architecture which causes the structure of the schedulability equations to be
changed. With numerous data flows, it easily becomes a unrealistic job to rebuild equations every time
we try a new bus architecture.
56
Figure 2.28: First Fit Decreasing Heuristic Algorithm
The main intuition of our heuristic algorithm is to maximize parallelism of the flows that have
higher allocation priorities. Figure 2.28 describes the following steps with an example set of data
flows. ASIIST is used to maintain validity of the bus architecture and to identify when to stop increas-
ing parallelism. As long as all the data flows meet their deadline with enough slack, extending the bus
tree only increases complexity and should be avoided.
The steps to carry out First Fit (FFD) Decreasing are:
FFD Step1: For a set of flows that share a bus segment, find the two flows that have the highest alloca-
tion priority and can have parallelism between each other, in other words, that do not have a common
initiator or target. Initiator is an entity that starts a bus transaction while a target is one that receives it.
Divide the two flows into separate sets that hold the initiator and target of each data flow. We do not
consider the flows that go through the upper bridge.
FFD Step2: For the rest of the flows, following the order of the allocation priority, assign flows to
57
one of the sets if possible. When a flow is assigned to a set, its initiator and target are added to the sets
as in Figure 2.28(c). In doing so, if one of the initiator or target is already in one set, the flow should
be added to the same set. A flow cannot be assigned if the initiator and target of the flow are already in
different sets.
FFD Step3: Compare the two sets to select who gets direct access to the upper bridge. The selec-
tion criteria can be flexible. It could be the sum of all the allocation priority of the flows that goes
through the upper bridge. Another criteria would be only to compare the maximum allocation priority
of the flows that go through the upper bridge for each set of flows. Depending on the selection, we can
extend the tree as shown in Figure 2.28(d) for increased parallelism, where Set1 consisting of periph-
erals 3 and 4 is given higher allocation priority. In cases when the two sets are comparable within a
bound, we can use a different type of extension as in Figure 2.28(e).
FFD Step4: Use ASIIST to check if all the deadlines are met for all flows. If all the deadlines are
met, finish. If not, do step 1 for the set of flows which has a flow that missed its deadline. This will
extend the bus tree for the problematic bus subtree and increase parallelism.
If the above sequence does not produce a feasible solution, increase w of the flow that missed the
deadline by a factor of 2 and retry the process.
Extended First Fit Decreasing (EFFD) algorithm for IMA
For IMA systems, we have to build a I/O bus architecture that balances the workload for all partitions.
Considering all the partitions at once and trying out every possible bus tree architecture can easily lead
to design space explosion. Thus, we build the architecture for each partition in an incremental way,
starting from the partition which has the highest allocation priority. This guarantees that the final bus
architecture best fits the partition which is most difficult to schedule.
EFFD Step1: For the set of partitions that share a processor, find the partition which has the high-
est allocation priority. Considering only the peripherals used as initiators or targets, apply the FFD
algorithm which was explained above. When the algorithm is finished, we would have multiple sets
58
Figure 2.29: Extended First Fit Decreasing Algorithm
Figure 2.30: Bus Merging
59
of peripherals which are directly connected to a common bus segment which was the case in Fig-
ure 2.28(c).
EFFD Step2: Find the next partition with the highest allocation priority. If there are common initiators
or targets that were used during a previous step, they are initially assigned to their sets (Figure 2.29(b)).
We apply the FFD algorithm to assign the other peripherals to sets and increase data flow parallelism
(Figure 2.29(c)). Some peripherals are added depending on the bus architecture selected previously
(Figure 2.29(d) and (e)). Repeat for all the partitions in allocation priority order. Note that during
the FFD algorithm, the final bus architecture is analyzed by ASIIST so that all data flows meet their
deadlines.
EFFD Step3: Merge bus architectures of each partition. When each set of peripherals is defined in
EFFD Step2, they become associated in the same sequence of upper bridges. Thus, after building
the bus architecture for each partition, we can merge the buses according to the bridges. Figure 2.30
demonstrates how it is done. After merging the bridges, it is important to check if any constraint for
the bus is violated. If we were to use PCI [4], the maximum number of peripherals, including the upper
bridge, connected to a bus can only be up to five. Thus, if the resulting architecture is more than 5, the
bus tree architecture should be extended and reanalyzed with ASIIST.
If the above sequence does not produce a feasible solution, the first thing to do would be to increase
the allocation priority of the partition that is problematic. Another method would be to use real-time
bridges to decrease the flows in certain partitions, if allowed.
2.8 Case Study Demonstration
We will present a case study example here to emphasize the challenge of our research. An advanced
Search And Rescue (SAR) system for a helicopter is considered as the target system in this paper. The
set of tasks and features that the system supports includes the following:
• Automatic Flight Control System (FCS).
60
Figure 2.31: Hardware Components
• Inertial Navigation System (INS)/Global Positioning System (GPS)/Doppler navigation system
that uses motion sensor (accelerometers, gyroscopes) and satellite data.
• Forward looking infrared radar (FLIR) for human detection and imaging in sea water.
• Night vision imaging system (NVIS).
• Color Weather Radar (CWR) system for weather visualization via satellite.
• Video data recording for zooming and replay.
Safety-critical hard real-time tasks, such as the FCS and INS/GPS/Doppler navigation system,
which are directly related to the aircraft’s safety are included. Other tasks are focused on visual display
data because they constitute most of the heavy data traffic in modern avionics systems. In an IMA
system, these tasks should safely share the resources of a computer system. With multi-functional sys-
tems and advanced hardware, more tasks are included to be analyzed for schedulability and it becomes
tedious and challenging to be done manually.
Special hardware components which are required for the system to handle the aforementioned fea-
tures are shown in Figure 2.31. Some components such as the flight display or the flight control panel
are used by multiple applications. These components must be connected through predefined buses and
bridges to build the hardware platform for our system. The system designer would now need to decide
the H/W architecture, image-data decompression parameters, I/O configuration, and partition assign-
ments for this IMA system. Multiple data from external devices come through a common network card
depending on the network protocol the device supports. In a similar manner, we have assigned all the
H/W components in Figure 2.31 to 5 different peripheral devices. Table 2.1 shows each assignment.
61
H/W peripheral
Servo, AHRS 1
Navigation Radar, Gyroscope, Infrared Camera 2
Accelerometer, Color Weather Radar 3
GPS Receiver, NVGoggle, FD 4
Doppler Radar, Camera, FCP 5
Table 2.1: Hardware Component to Peripheral assignment
Application partitions
Flight Control System (FCS) vm0
INS/GPS/Doppler (Navigation System) vm1
FLIR, CWR vm2
NVIS, Video Record/Replay vm3
Table 2.2: Partition Assignment of Applications
Also, we assume that each application is already assigned to partitions because of the reasons explained
in Section 2.7.1. Some will be sharing partitions as shown in Table 2.2.
WCET, data size of data flows and periods are shown in the result screen shots of ASIIST in
Figures 2.32 and Figure 2.35.
2.8.1 Case Study: Partition Management
Partition sizes are managed to have all partitions schedulable. Figure 2.32 is a screen shot capture of
ASIIST’s output which shows that all partitions are schedulable with partition sizes 4%, 1%, 8%, and
11% for each partition. After applying the I/O cache interference, three partitions become unschedula-
ble. In Figure 2.33, you will see that the WCET has increased. Partition sizes are adjusted to 5%, 1%,
11%, and 13%, as in Figure 2.34, to be schedulable again.
62
Figure 2.32: Partition management before I/O Cache fetch Interference
Figure 2.33: After I/O Cache Fetch Interference
63
Figure 2.34: Partition size Readjustment
2.8.2 Case Study: Extended FFD Algorithm
After all the applications are well assigned to their partitions, we build the I/O bus architecture using the
extended FFD algorithm described in Section 2.7.2. Figure 2.35 and Figure 2.36 show a comparison
of the improvement in communication delay. If the deadline were to be 0.1 seconds for some of the
connections, the architecture of Figure 2.35 would be unfeasible.
2.9 Related Work
In order to analyze a system model, we need an Architecture Description Language (ADL) which
is able to specify the software logical architecture, hardware platform architecture, behaviors of the
components, and assumptions of environmental components that are not directly specified.
Building an ADL to specify accurately all the properties of a system is very important because
the analysis can only be as good as the model of the system. The Institute for Software Integrated
Systems (ISIS) at Vanderbilt University has been developing a framework for this purpose, calling the
approach Model Integrated Computing (MIC) [46]. MAST (Modeling and Analysis Suite for Real-
Time Applications) [36] is another suite that defines a model capable of describing the timing behavior
of a large set of real-time systems, including distributed systems and event-driven systems with complex
64
Figure 2.35: General bus architecture
Figure 2.36: Improvement using Extended FFD Algorithm
65
synchronization schemes. These MAST descriptions are used as the input to the MAST tools for hard
and soft real-time analysis.
An industry standard for modeling embedded systems has also been developed, called AADL (Ar-
chitecture Analysis & Design Language), which is what we have used. AADL [31] is standardized by
the Society of Automotive Engineers (SAE) and is defined in SAE Standard AS5506 [5]. Following
this trend, more researchers as well as major industrial companies are starting to utilize this language
for system development and analysis.
Open Source AADL Tool Environment (OSATE)2 is a set of plug-ins built on top of the open
source Eclipse3 platform to give the front-end interface to build AADL models. Thus, tool developers
can freely build and add new plug-ins that perform specialized analysis on AADL models. There
are also several tool sets that support AADL, such as Ocarina [44], Cheddar [83], ANDES [73] and
ADAPT [75].
Cheddar is a set of tools that performs scheduling simulations and feasibility tests for quick pro-
totyping of real-time schedulers. Ocarina is a tool set which proposes AADL model manipulation,
generates formal models, performs scheduling analysis and generates distributed applications. The
work of [85] presents a translation of AADL models into the real-time process algebra ACSR (Algebra
of Communicating Shared Resources) that allows schedulability analysis of AADL models.
ADAPT is a tool which aims at facilitating the evaluation of various dependability measures (such
as reliability and availability) from AADL models. It is based on model transformation rules, from
AADL to Generalized Stochastic Petri Nets (GSPNs). ANDES is used for modeling a wireless sensor
network system and analyzing its performance before deployment. It supports communication schedu-
lability analysis, target tracking analysis and real-time capacity analysis. It extends AADL with the
semantics needed for specifying sensor networks.
MARTE (Modeling and Analysis of Real Time and Embedded systems) [30] is a UML profile
extension for real-time embedded systems which is standardized by the OMG (Object Management
Group). It also provides an annex that relates to AADL based models. The authors of [55] further
investigates how specific AADL concepts required for end-to-end flow latency analysis can be repre-
2Open Source AADL Tool Environment (OSATE) http://www.aadl.info
3Eclipse http://www.eclipse.org
66
sented in MARTE.
In [90], the authors describe a tool that is able to derive and solve schedulability equations for a
general communication and computation architecture. The tool is based on Real-Time Calculus [87],
an extension of the network calculus theory [20] that we use in Section 2.3. However, the level of
abstraction of the tool is much lower than in our approach: it requires the designer to model each
communication element as one or more basic blocks, and then manually compose blocks to represent
the whole system. This requires a deep understanding of the inner working of hardware elements and
can be error prone for avionics systems comprised of hundreds of flows.
SymTA/S [41] is a tool that has been developed for system-level performance of real-time proper-
ties. However, they do not use explicit abstractions of bus protocols mainly because they are targeted
for system-on-chip which uses heterogeneous scheduling techniques.
As the avionics companies try to benefit from using more COTS components to reduce overall costs
and shorten system integration schedules, building a deterministic and reliable IMA system becomes
more challenging. New standards such as the ARINC 664 [8] (star topology switched ethernet network)
that follow this trend of utilizing COTS components are emerging with their benefits [80]. Previous
IMA system implementations used the ARINC 659, also commercially known as SAFEBus [42], as
a backplane data bus. SAFEBus is a fault tolerant time division multiplexed bus which requires Bus
Interface Units (BIU) that are synchronized to handle bus accesses. This has been successfully used for
the Boeing 777 integrated Airplane Information Management System (AIMS) [29]. Previous analyses
assumed this specialized I/O [12] and tools that supported IMA [56] also did not need to handle the
side effects of using COTS components due to the usage of the SAFEBus.
However, as COTS hardware components become more advanced, it has become the interest of
avionics companies to try to use more COTS based components to reduce cost as a whole [14, 74]. Ini-
tially the network is standardized by ARINC 664 and research on estimating the end-to-end delay for
the network is gaining attention [77]. Still the architectural design of COTS-based IMA bus architec-
tures has not been studied. Compared to system-on-chip communication architecture design( [52] and
others), the level of control when using COTS components is different. The silicon area is no longer a
critical cost factor for computer board-level designs. Also, with no IMA support, these design explo-
ration methods would have to assume that all data flows exist for every partition and build a pessimistic
67
bus architecture design.
Our work is different from others by the fact that, to the best of our knowledge, none of the tools
incorporate the specific bus architecture design of COTS-based IMA systems as well as the other side
effect problems that are inherent in such systems. The tools that use a specification of buses generally
use a single bus component to represent the relation between all the data flows that would interfere with
each other. This type of specification simplifies the true nature of the bus architecture. Although a set
of data flows interfere with each other, the effect is dependent on the bus architecture, e.g., some flows
will go through multiple bridges while only one bus segment is shared with another flow. Also, this
type of specification requires the user to extract the relations from a given bus architecture design and a
set of all the data flows. Modifying the bus architecture will invalidate the relations and make the user
do the whole modeling again. Our tool, ASIIST, can analyze any valid arbitrary bus architecture, and
its extensibility makes it adaptable to different bus protocols for analysis.
2.10 Future Work
This chapter introduced a framework for modeling and designing an application specific I/O bus ar-
chitecture with the assistance of a model-based engineering tool called ASIIST. For modeling, ASIIST
allows the user to concentrate on modeling each software component separately without the worries
of capturing the IMA I/O related side effects which ASIIST does itself. By no means will analysis
tools like ASIIST replace rigorous testing, but it will enhance the designer’s capability to make more
promising decisions. It is up to the designer to decide upon alternatives, but this tool will provide au-
tomation to quickly analyze a bus architecture as part of the algorithm. The frequent changes in the
schedulability equations used for new iterations makes ASIIST essential.
For our future work, we plan to develop more advanced algorithms that make better estimation of
cache fetch interference and bus performance with stronger constraints. We will perform a benchmark
testing with a real avionics system that has been implemented, to compare the estimated performance.
With the new version release of AADLv2, some changes will be made to accommodate the new features
in extending AADL.
68
Chapter 3
Towards the Model-based
Auto-generation of Robust I/O
Architectures
Model-Based Engineering (MBE) tools can be used to quickly analyze a high-level system model and
quickly give feedback to the system designer for a certain instance of a system architecture. While
designers can rather quickly analyze an architectural model with the appropriate tools to figure out
whether it is a valid design, the user still has to guess what to change in the model when a requirement,
such as the schedulability of a partition or the end-to-end delay of a data connection is not satisfied.
Increasing the IMA partition size would be a simple solution for schedulability problems if there were
extra slack in the CPU. However, other more significant changes include reducing a partitions CPU
time allocation to accommodate new applications, modifying the bus architecture and I/O configuration.
Since the I/O effect of a certain bus architecture is widely spread across multiple applications in an IMA
system, it is challenging to pick the best I/O architecture. We define I/O architecture as a composite
design of bus topology, hardware component connections, I/O configuration, and IMA partition sizes
to accommodate the I/O side effects to processing time. Depending on the characteristics or the stage
of the working project, any small increase in the assumed I/O workload may result in one of the IMA
partitions becoming unschedulable and may require a redesign of the whole system.
69
In this chapter, we provide a heuristic for auto-generation of a robust tree-shaped I/O architecture.
We define robustness as being more tolerant against I/O workload uncertainty. More discussion about
robustness is presented in Section 3.2.1. I/O traffic that exists in a system affects the real-time per-
formance of the application that is running on the CPU in various ways such as: (a) interfering in the
main memory to increase cache fetching time and (b) changing the I/O wait time for read and write bus
transactions to a local memory. It is difficult to measure such interference until all the applications that
share the processor are implemented and tested with their accompanying I/O traffic. This is why I/O
traffic is one of the main causes of scheduling problems during system integration and testing.
During an early system design phase, our framework provides an auto-generated robust I/O archi-
tecture which is able to tolerate unforseen future increases in I/O traffic1. Since there is a large number
of possible combinations of I/O configurations and hardware architectures, manually modeling and an-
alyzing each of them is infeasible. Our tool allows a system designer to use an initial model of the
hardware architecture and other configurative information from the software model, to auto-generate
and search for a robust I/O architecture. We focus on tree-shaped bus topologies that consist of bridges
and buses. This is common for the standard PCI-based components that have not yet transitioned to
PCI Express. When determining the I/O architecture, the intuition is to search for an I/O model where
the increase in execution time for higher frequency threads is minimized. After finding the architecture
that minimizes the total utilization from all applications that share a processor, we update the initial par-
tition sizes so that all partitions would be evenly tolerant against I/O traffic and prevent the processor
from becoming unschedulable due to a single sensitive partition.
The main contribution of our work in this chapter is that we present the requirements and steps
for designing a robust IMA I/O architecture and describe how to utilize model-based engineering in
the early system design phase when such changes are much less costly. We consider a concurrent
engineering environment, as used in IMA system development, where multiple applications share the
hardware resources but have to be built by many subcontractors or project groups concurrently. This
requires an early distribution of available CPU resources for each group and an I/O architecture that is to
be shared. With our suggested architecture, the system would have a higher likelihood for applications
to remain schedulable for all IMA partitions with better tolerance to changes in the I/O workload.
1improvement of tolerance against uncertainties will be demonstrated in Section 2.3.1 with a case study.
70
This work is different from others by the fact that, to the best of our knowledge, no other concentrate
on managing design space for a robust I/O architecture using model-based engineering nor do they
incorporate the specific bus architecture design of COTS-based IMA systems. The remaining sections
are organized as follows. Section 3.1 gives an overview of our framework. Then we explain the
objective function in Section 3.2. Model-based designing aspects are explained in Section 3.3 and the
ASIIST support is introduced in Section 3.4 with the design search algorithm. We present a case study
example that uses our framework in Section 3.5. Section 3.6 explains related work and Section 3.7
concludes this chapter with future work.
3.1 Robust I/O Architecture Framework Overview
Customized board-level designs that are used in avionics systems tend to have a more general purpose
design (single shared bus) for I/O. This is due to the design goal of using the same hardware for different
sets of applications to reduce implementation and verification costs. This generally worked fine for
computation bound systems in the past. However, with modern applications requiring large amounts
of visual display data and the increasingly popular multi-core processors, industrial companies are
trying to use more high speed COTS-based bus components ([14, 74]). In this environment, we see the
possibility of having more applications share a single CPU and thus require a more sophisticated I/O
architecture to minimize the uncertainty effect of COTS-based components. Unlike general purpose I/O
system design research, our tool is designed to support custom avionics system designs. In this section,
we first demonstrate the effect of alternative I/O architectures as a motivation and then enumerate the
components of our framework.
3.1.1 Effect of Alternative I/O Architectures
As explained earlier, the I/O traffic that exists in a system affects the real-time performance of applica-
tions that are running on the CPU. Figure 3.1 shows examples of different bus topologies where the side
effects on the overall schedulability can change greatly. In the example, there exist two applications
that are assigned to different partitions A and B. The application in partition A requires a large amount
of data to be received constantly through the network adapter and saved in the local memory. The
71
Figure 3.1: Example of different bus topologies
application in partition B is an application with high frequency that sends a small amount of data to the
display adapter. In Figure 3.1 (a), we have a simple bus architecture which consists of a common PCI
bus. The data that is received through the network adapter will delay the data that is sent to the display
adapter during partition B. If the application waits for the completion of the data transfer, the wait time
must be considered for schedulability analysis. Since the frequency of the application in partition B is
high, the overall increase in the utilization (computation time divided by period) will be much higher.
On the other hand, if we were to change the bus topology to Figure 3.1 (b), there is no longer con-
tention between the two bus transactions. The tradeoff is the increased delay of reading from the local
memory that now has two bridges to pass from the CPU in Figure 3.1 (b). As we can recognize from
this example, the overall effect of I/O on the schedulability for an IMA system is a question involving
many tradeoff decisions. A static algorithm for designing the I/O architecture is a research challenge.
Thus, we resort to design space exploration (DSE) methods to find a proper I/O architecture.
Designing the I/O architecture during the early system development phase is challenging due to
the size of the design space. The design space for I/O architecture that includes changes in the bus
topology can easily explode if all valid options are allowed. Thus, it is important to capture any kind of
obvious or intuitive constraints to selectively reduce the design space through computer-aided model-
based engineering. Figure 3.2 shows a basic flow of information where software/functional models and
hardware models exist initially. S/W components represents entities such as threads or processes that
72
Figure 3.2: Simplified Model-based Analysis
require computational resources to be executed. Logical connections represent data exchange connec-
tions between these S/W components. The mappings of these components are either done manually or
by tool support for analysis. Most previous work generally concentrates on one aspect, whether it is
the processor mapping or the connection mapping, depending on the targeted usage and the analysis
support. Simulation based analyses are generally limited by their computational efficiency to search a
large design space. This limits their capability of allowing the hardware model to fully change.
3.1.2 Framework Components
The main goal of our framework is to auto-generate a robust I/O architecture during an early system
design phase. Many applications for avionics have been around for decades. It would be rare for an
application to be rewritten from scratch. Thus, application developers do have a good sense of the
resource requirements when the application is executed alone. While IMA partition sizes are carefully
determined to match this estimate, it is very difficult to consider the I/O interference or I/O effect
caused by applications running on other partitions, especially for a new aircraft design where the set
of applications that share the processor is changed. In practice, partition sizes are over-estimated to
accommodate this uncertainty, and the bus architecture is very simplistic for average performance. If
the size of the partition ends up to be too small, a fix will be required at a later stage of the development
cycle. At this later stage, it is very costly and time consuming to make fundamental changes such as
modifying the bus architecture or moving one application to another processor to fix schedulability
problems. Many simpler solutions are tried, if any exist, until a fundamental change is inevitably
made. Many of these later scheduling problems are caused by variance in I/O traffic. This is why using
73
a robust I/O architecture from the start is much more promising for a successful integration.
We present the components of our framework with short explanations.
•Objective function for robustness: The objective function for evaluating a design instance is
the total additional processor utilization (execution time divided by period) that is caused by I/O effect
which we name as the Sum of I/O Effect. We will assume uniform distribution of I/O uncertainty for
unknown changes.
•Hardware modeling blocks: We define how predefined modeling blocks are used for design
space pruning so that only the intended valid instances are generated. The type of modeling blocks
include bridges, network adapters, I/O controllers, as well as the standard AADL [5] hardware compo-
nents (processor, memory, device, and bus).
•I/O Configuration definition: To define the design space for I/O configuration, I/O configuration
settings are defined and modeled for logical connections. Combined with the predefined hardware
modeling blocks for each setting, the design space includes most of the commonly used data path
patterns.
•Design space of Tree-based I/O bus topology: To limit the design space of the possible I/O
bus topologies, we require user contraints. Avionics still use tree-based bus topologies, including the
commonly used PCI-based platforms. By specifying the maximum depth of the tree as well as the
maximum number of bridges that are allowed to be used, the set of I/O bus topologies to test becomes
limited.
•Tool support for design space management: ASIIST is used to assist the user in configuring
the design space as well as graphically displaying the search instances in the search space. Initially
ASIIST loads an AADL model and the user may increase the search space by adding changes that the
user would like to allow.
•Design space search algorithm: A simulated annealing based algorithm is used to discover the
best I/O architecture which minimizes the I/O effect on execution time.
74
Figure 3.3: Overall Design flow
3.1.3 Overall Design Procedure
The flow graph in Figure 3.3 depicts the overall design procedure. Compared with Figure 3.2, we have
added many modeling components to control the design space. We start with the software model and
a set of predefined hardware modeling blocks. We leave the processor/partition mapping to be user
determined because such mappings are decided based on other factors such as isolation, functionality,
safety, and working groups for large safety-critical systems. By using each of the optional components
(I/O configuration, Initial H/W model, User constraints for bus topology), one can control the auto-
generated components of the I/O base model which are used to create search instances for simulated
annealing. I/O configuration represents how a logical connection should be handled given a set of
available H/W blocks. The optional initial H/W model acts as the maximum available set of hardware
components. The initial H/W model can also be a model of an existing hardware platform where we do
not want to add any more H/W components to the search. User constraints for the bus topology include
the maximum tree depth and maximum number of bridges that can be used. For each possible skeleton
bus topology (consisting of only buses and bridges), we have an I/O base model which includes all
the information to generate a search instance for simulated annealing. Initially, H/W components are
randomly connected to one of the buses to create the first search instance.
From static analysis results of a search instance, we isolate the I/O effects and do a robustness
evaluation based on the objective function that we introduce in Section 3.2. Simulated annealing is
used for each bus topology instance to explore the search space of H/W component access points and
find an I/O model that minimizes the I/O effect. When finished, we compare the objective function
75
(sum of I/O effects) with the previous simulated annealing result from a different bus topology and
save the search instance that gives us the minimum sum of I/O effects. For instances that have similar
sums of I/O effect values, we would collect the cases to later determine what to choose based on other
cost factors such as the total number of bridges and buses required. After going through each bus
topology, we would finally have a model of the bus topology with each H/W component connected to
one of the buses. We use this approach of going through all the bus topologies because, in practical
designs, the maximum depth of the tree would not be so large due to increased delay from bridges.
Partition sizes are initially determined without any I/O effect in consideration. This assumes that
existing I/O workloads from other coexistent applications were not considered when deriving the worst-
case execution time (WCET) of each application. Generally, this is the case when WCET is estimated
in such an early phase where neither the actual hardware platform nor its architecture is available.
Using the final model from simulated annealing and the distribution of I/O effects across the partitions,
we increase the partitions’ sizes according to Equation (3.6) to have a schedulable IMA system that is
robust against I/O uncertainties.
In the next few sections, we explain the objective function and each of the modeling aspects used
to prune the design search space.
3.2 Objective Function for Robustness Evaluation
The analyses that we support for our models include schedulability analysis, and bus delay analysis.
Timing analysis [40] based methods can be used to derive worst case execution time (WCET) bounds
for existing tasks. The schedulability analysis for a CPU with cache considers the WCET increase due
to I/O traffic that accesses the main memory (peripheral-cache interference) and returns an updated
WCET for each application. We adapted a similar analysis algorithm that was presented by the authors
in [71]. Bus delay analysis estimates the worst case end-to-end bus delay for each logical connection
using a network calculus based method that was introduced by R. Pellizzoni et al. in [72]. The arrival
curves of data flows that are calculated from the bus delay analysis are used in the schedulability
analysis to measure peripheral-cache interference. Many safety critical applications actually wait for
confirmation of finished read and write bus transactions for functional safety reasons. This I/O wait
76
time is only a portion of the overall bus delay for a logical connection; for read transactions, it is the
time for the data to be requested and to be received from memory, while the end-to-end bus delay
includes other bus transactions that update the data in the memory. The wait time for write transactions
is considered in a similar fashion.
The objective function is the following,
I(T ) =
∑
t∈T
(
Icache(t) + Iwait(t)
Pt
) (3.1)
where,
Icache(t) =
∑
l∈Lt
Icache(t, l) (3.2)
Iwait(t) =
∑
l∈Lt
Iwait(t, l). (3.3)
I(T ) is defined as the Sum of I/O Effect for a set of tasks, T , that executes on the CPU. Pt is the period
of task t and Lt is the set of all logical connections that exchanges I/O data with task t. Icache(t, l) is
the amount of peripheral-cache interference that occurs due to logical connection l for task t. Icache(t)
is the sum of all the peripheral-cache interference that is caused by every logical connection in Lt to
task t. In a similar manner, Iwait(t) is the sum of all the I/O wait time that exists for task t. The
simulated annealing process will try to minimize the value of I(T ) for robustness. A case study is
given at Section 3.5.
3.2.1 Robust IMA Partition Sizing
Partition size (np) is expressed as a natural number that represents the percentage of CPU time that is
assigned to a partition. Partition sizes cannot be any arbitrary number due to real-time operating system
(RTOS) requirements. For example, the LynxOS-178B [3] allows a granularity of 1 millisecond out of
a 50 millisecond period for configuring partition sizes. We will assume that partition sizes can be any
natural number up to 100 percent.
After finding the I/O model instance that generates the minimum sum of I/O effects, we would
like to increase the partition size of each partition in a manner that is proportional to the I/O effect
that each partition receives from the selected I/O model instance. This makes sure that each partition
will be evenly robust against increases in I/O data traffic. We assume that I/O uncertainty is uniformly
77
distributed across bus components. Note that for IMA systems, even if one partition becomes un-
schedulable, it would require a significant redesign effort to rebuild an efficient system; this is why
we want an evenly robust system. Partition sizing is done by the equations below. We use the IMA
scheduling algorithm that is presented in [82] for independent periodic application tasks with deadlines
equal to their periods. The following utilization bound is defined in [82] for schedulability analysis,
Up ≤ ln(2/(2− sinit(p))) (3.4)
where Up is the total utilization of all the tasks in a partition p and sinit(p) is the initial partition
size of partition p in decimals (ninit(p) = 100 · sinit(p)). We assume Up to be estimated without
any I/O effect and thus sinit(p) is determined without any I/O effect as well. In practice, sinit(p) is
determined by testing with the consideration of WCET profile and inherent partition change overhead
which is dependent on the RTOS and the CPU architecture. However, testing without the inclusion of
I/O effects makes the estimate more deterministic and reliable. We then create another inequality from
Equation (3.4) that includes the additional utilization from I/O effects with a factor of α.
Up + α · I(p) ≤ ln(2/(2− sinit(p))) + α · I(p)
≤ ln(2/(2− snew(p)))
(3.5)
I(p) =
∑
t∈p
(
Icache(t) + Iwait(t)
Pt
)
I(p) is the sum of I/O effect from all tasks in partition p and α is a real number that represents a metric
for robustness. snew(p) is the new partition size that we would like to determine for partition p to be
schedulable with the additional I/O effect of α · I(p). Equation (3.5) can be simplified as,
ln(2/(2− sinit(p))) + α · I(p) ≤ ln(2/(2− snew(p)))
α · I(p) ≤ ln(2/(2− snew(p)))− ln(2/(2− sinit(p)))
eα·I(p) ≤ 2− sinit(p)
2− snew(p)
snew(p) ≥ 2− 2− sinit(p)
eα·I(p)
for a large enough partition size of snew(p). Since we need natural numbers for the partition size
percentage, we can say,
np(α) = d100 · (2− 2− sinit(p)
eα·I(p)
)e (3.6)
78
and then test with increasing values of α until we find a case when
∑
p∈P
np(α) = 100 (3.7)
where P is the set of all partitions. When Equation 3.7 is satisfied, the value of np(α) is the natural
number for the partition size of each partition p, with totals of 100 percent for all existing partitions.
One important fact to discuss is that we many wonder if changing the partition sizes would again
effect the selection of the robust I/O model and cause a cyclic dependency problem. We believe this
is not true or has minimal effect because increasing the partition size does not mean that periodic
tasks will be executed more frequently. Any task will take on the I/O effect every period when it is
executed. The frequency of each partition is matched with the highest frequency task that is scheduled
in each partition, but the size of the partition only determines whether tasks can meet their deadlines,
in other words, be schedulable. It is actually the set of applications, that populate all the partitions
for a given CPU, which determines the design of the I/O architecture. In our work, we assumed this
processor/partition mapping to be pre-determined by the designer, as explained in Section 3.1.3.
3.3 Model-based Design of I/O Architecture using AADL
Model-Based Engineering (MBE) is commonly used to reduce system design errors by utilizing high-
level models that can be analyzed before the actual integration of a system. Analysis results will guide
the user toward a more favorable design that has a higher likelihood of becoming successful. AADL [5]
is an architecture description language (ADL) that has been developed based on 15 years of research.
It is based on the MetaH language that was developed by Honeywell Labs as well as several DARPA
programs [18]. The Software Engineering Institute (SEI) is currently leading its development and stan-
dardization. AADL provides standard syntax and semantics for specifying the software and hardware
architecture of embedded systems. By using such specifications, developers can use analysis tools to
analyze such systems and provide valuable information for use in model-based engineering. Systems
in AADL are composed of “components” which are divided into three categories: software, hardware,
and system. Software components include process, thread group, thread, subprogram
and data components. These software components are connected through logical connections. As
79
for hardware components, they include processor, memory, bus and device. Hardware com-
ponents are connected through the bus component by bus access. The system component is a
special composite component that can be used for any purpose such as encapsulation or to define new
components that do not match with any of the standard AADL component types. Software components
are bound to hardware components by certain property values of the software component that refer-
ence the hardware component. For example, the property Actual Processor Binding is used to
bind a software component to a processor to represent where it is executed. While there are numerous
standard properties that are defined for different areas of research, users could add new property
definitions with their property types to include any information in the model, whether it
is a simple numeric value or a list of references to other AADL components in the model. Although
we have implemented our framework with AADL, the modeling abstractions of our framework can be
implemented in other ADLs.
The design space of the I/O architecture depends on the analysis for which it is used. During
system-level design, the model should be as simple as possible and only focus on the analysis that it
needs to support. If a variable or an architectural change in the model is not recognized by the intended
analysis, it should not be considered as a variant for the design space definition. Our analyses require
an I/O base model (Figure 3.3) to build the various mathematical equations. The I/O base model is
dependent on the hardware modeling blocks, I/O configuration, and the bus topology. Eventually, these
three components define our design space. In the following sections, we will explain each component
in more detail.
3.3.1 Hardware Modeling Blocks
In our framework, we require the hardware platform to be modeled in a level of detail that provides
options for the various physical data paths that may exist. At the same time, it is loosely modeled so that
understanding and making changes that matter is simple during early analysis. We model the tree-based
hardware platform as a graph of the following modeling blocks which include processors, front-side bus
(FSB), main memory, (local) memory, buses, bridges, network adapters, I/O controllers, and general
devices. Bridge components are used to connect different bus components but also to represent the
80
isolation between bus components. Non-bus components should all have a physical path through buses
and bridges to any component that they exchange data with. Network adapters are used to specify the
arrival and departure points of the I/O data. When data is received, it is initially received by the network
adapter and eventually carried out to the processor. When data is sent through the network to a different
application running on a network-connected processor, data is moved to the network adapter to be sent.
I/O controllers represent any device that is used to read and write I/O data. They would act as master
devices that can periodically copy data from one storage component to another. Any other peripherals
that receive or send data can be modeled as a general device. In Figure 3.1 we have already shown
samples of the hardware platform model that we require for analysis.
A library of modeling blocks can be created by defining AADL hardware component types of such
modeling blocks. More often than not, we would like to limit the type of components and limit the
number of instances used for design space generation. A definition of a hardware component is used to
generate instances of such types. Thus, it does not have any information to limit the number of instances
that should exist. To provide selection and limit the instances, we require the user to build an initial
H/W model. The initial H/W model can be as simple as the model in Figure 3.1 (a) or it can remain
as the current hardware model, if any exists. Attaching a certain number of the same components
such as the local memory would cause the design space to include up to the number of local memory
components to exist. The type of components that exist in the initial H/W model is used as a sub-library
for design space generation.
3.3.2 I/O Configuration
In AADL, logical connections, which represent the data exchange between applications, are spec-
ified by using event, data, or event data ports and connections. Since these connec-
tions are between software components2, their specification are independent of the hardware through
which the data is physically transmitted. The current standard AADL provides a property named
Actual Connection Binding to specify the physical data path of a logical connection. This
property is expressed by a list of hardware components that represents the data path. While using
Actual Connection Binding may be enough to specify the path through which the data flows,
2Note that AADL does allow connections to exist with device components to represent special cases
81
it does not clearly express the underlying reasoning behind the path. Without a more detailed abstrac-
tion for expressing common data paths, it would be very difficult to evaluate the validity of data paths
as well as define the design space for such physical data paths.
We have defined a fundamental set of AADL properties to express the physical I/O data paths
based on bus transactions. In our set of properties, each physical data path that exists for a single logical
connection is largely divided into subpaths that exist in the source computing module, the network, and
the destination computing module. The source and destination subpaths are again split into read and
write bus transactions. Data size and period values for each bus transaction can be specified for cases
when they are different from the default value which is derived from the logical connection. Protocol
values are used to specify the bus protocol in cases when there are multiple types of bus transactions for
read and writes. Users may refine the AADL property definition to add additional bus protocols that are
supported. By using a subset of these properties and associating it with each logical connection, one is
able to more accurately specify the existing data flows to support the analysis of bus delay. Priorities
that are based on bus transaction types can be included in the analysis for more accurate results.
The abstraction of physical data paths is more focused on the expressiveness to support various
possible instances of data flow paths. This rather low level of abstraction is suitable for analysis tools
to use due to the simplicity of interpretation. For each hardware component, we would easily recognize
the set of bus transactions that interact with the component. A higher level of abstraction is still needed
to represent the “change” that can happen for different design options. For this purpose, we have defined
another set of AADL properties to represent I/O configurations in a way that the actual physical data
path can be derived automatically through these configurations. The following properties exist for the
sending and receiving computing modules with the postfix Src and Dst and can be associated with
any logical connection.
•IO Configuration (required): represents the type of I/O configuration and is one of the values
of Direct, Main Memory, and Local Memory.
•IO Controller (optional): refers to one of the hardware components that is used as the I/O
controller for the associated logical connection.
•IO Network Adapter (optional): refers to one of the network adapters that is used as the
arrival or departure points for the data of the logical connection.
82
Table 3.1: Valid I/O Configuration
IO Configuration IO Controller IO Network Adapter IO Local Memory Comments
Direct × × √ Case 1, Used for local communication
× √ × Case 2
Main Memory
√ √ × Case 3
× √ × Case 4
√ √ √
Case 5
√ × √ Case 6, Used for local communication
Local Memory
√ √ √
Case 7
√ √ × Case 8
(Same for source and destination modules)
•IO Local Memory (optional): refers to a local storage memory component that is used to tem-
porarily store data for the logical connection.
Since not having a property value can mean a different I/O configuration, optional properties should
only be specified when they are in use. While these properties sets are required for each logical con-
nection, they can be inherited from end-point components which hold the ports of the connection
for both the starting point and ending point. By using inheritance, one may specify, for example, that
any connection that is received by a thread should use a common I/O configuration in the receiving
computing module. We also use this inheritance to reduce the design space by creating common I/O
configuration groups. If threads inherit their configuration from the same inheritance, they will also
change together when a design instance is created. With the support of these newly defined properties,
when the topology of the hardware architecture is changed, the I/O configuration can remain the same
and a updated set of physical data paths can be generated.
I/O Configuration Semantics
Physical data paths are derived from I/O configurations for analysis. Table 3.1 shows the set of config-
urations that are valid for I/O configurations. A total of 8 types of configuration exist for the source and
for the destination. While more complex configurations may exist, we believe that these cases are very
rare and should not be considered in the design space. Any rare case can still be supported by using the
physical data path specification directly. Figure 3.4 shows the set of physical data paths that exist for
83
Figure 3.4: Physical data paths that are derived from I/O configuration Case 5 from Table 3.1
Case 5 of Table 3.1. The generation obviously depends on the hardware architecture as well. However,
the configuration itself only depends on the set of available H/W components that are inferred from the
initial H/W model. The value of IO Configuration represents where the data is immediately read
or written by the CPU. In Figure 3.4 (a), data is first written to the main memory and then copied by
the I/O controller to a local memory. The network adapter reads in the data from the local memory. For
the receiving module (Figure 3.4 (b)), the direction of data paths are opposite and the read and write
bus transactions are switched to one another. Other cases of I/O configurations are interpreted in the
same manner. Some configurations, such as Case 1 and 6, are used for local communication where the
sending and receiving applications are assigned to the same CPU but different partitions.
3.3.3 Design Space of Tree-based I/O Bus Topology
While the sub-library of hardware components that are to be used is defined by the initial H/W model,
we still need to build a bus topology with buses and bridges for the H/W components to be connected.
We focus on tree-based topologies because avionics system still requires them. A switch-based archi-
tecture can still be interpreted as a tree as long as there exist no cycles. Switch-based architectures are
left for future work. To limit the number of tree-based bus topologies, we require the user to specify
84
Figure 3.5: Example of Tree-based bus topology instances for Max Depth=2, Max Num Bridge=3
the maximum depth of the tree and the maximum number of bridges that are allowed to be used. The
bus topology is only generated for the tree beneath the host bridge that is connected to the FSB. We
assume that the CPU and main memory are connected to a single representative FSB. Figure 3.5 shows
the set of bus topologies that are generated when a user configures the maximum depth to be 2 and the
maximum number of bridges to be 3. Once the bus topology is created, H/W components from the
initial H/W model are attached to one of the bus components to create a H/W design instance.
3.4 ASIIST Support for Design Space Management
ASIIST is extended to support our framework of generating a robust I/O architecture. The tool pro-
vides a graphical user interface (GUI) to manage the design space using the modeling aspects (H/W
components, I/O configuration, bus topology) that we have introduced in the previous sections. After
pruning the design space, the user can initiate the analysis for the design space and get a result file
with the required information. The tool basically lets users configure and turn on and off any of the
modeling aspects that we would like to use. For instance, the change in I/O configuration can be static
for a subset of logical connections or we could have the bus topology to not be changed and remain
85
Figure 3.6: Screen shot of design space search user interface
the same as the initial H/W model. This is used for cases when the designer would like to minimize
changes to save cost but still want to find an alternative solution. Figure 3.6 shows a screen shot of
ASIIST with two logical connections highlighted. Any search instance can be shown when selected
from the table on the right.
3.4.1 Design Space Search Algorithm
Even though we prune the design space through model-based configurations, the design space can
easily explode exponentially due to the various architectural possibilities related with I/O design. In
real life, the type of I/O configuration or available H/W components are generally predetermined and
not changed. Possible bus topology variations do not increase very much with allowed tree depth and
maximum number of bridges. What really matters is where each hardware component is connected
(access point) when a bus topology is given (numnumhwbus instances). We use a simulated annealing
based algorithm, which was depicted in Figure 3.3 to search the access point design space for each bus
topology. The algorithm follows the general procedure of simulated annealing [63] using Equation 3.1
86
as the objective function. The heuristic for generating the next instance (PERTURB(M)) utilizes
the bus delay analysis results of the current instance, as shown in Algorithm 1. What Algorithm 1
does is to search for a H/W component candidate that is connected to a bus which provides the largest
delay to a read or write bus transaction b that cause maximum I(b). When there is no component
to move, it would search for the next order in line of Lbt and Lbus(b). The function move(bus,M)
randomly selects a H/W component from SHW (bus) to disconnect from the current bus and reconnect
to a randomly selected bus of M that is not bus. When going through every bus topology, we compare
the sum of I/O effect (Equation (3.1)) to arrive at a final I/O architecture. We then update each IMA
partition size, based on Equation 3.7, to configure a robust I/O architecture.
Algorithm 1 Generation of next instance for model M
1: function PERTURB(M )
2: b: a read or write bus transaction that exist in M
3: I(b): I/O effect caused by b of M .
4: Lbt: list of all b in decreasing I(b) order.
5: Lbus(b): list of buses that b uses in decreasing delay order.
6: SHW (bus): set of H/W components connected to bus.
7: for all b ∈ Lbt do
8: for all bus ∈ Lbus(b) do
9: if |SHW (bus)| > 0 then
10: move(bus,M).
11: return M .
12: end if
13: end for
14: end for
15: end function
87
H/W Components Network adapter
Servo, AHRS Net adapter 1
Navigation Radar, Gyroscope, Infrared Cam. Net adapter 2
Accelerometer, Color Weather Radar Net adapter 3
GPS Receiver, NVGoggle, FD Net adapter 4
Doppler Radar, Camera, FCP Net adapter 5
Table 3.2: Hardware Component to Network Adapter Assignment
Figure 3.7: Design Search Result (Max Depth=2, Max Num Bridge=4)
3.5 Case Study Example
An advanced Search And Rescue (SAR) system for a helicopter is considered as the target system. The
set of tasks and features that the system supports includes Automatic Flight Control System (FCS), In-
ertial Navigation System (INS)/Global Positioning System (GPS)/Doppler navigation system, Forward
looking infrared radar (FLIR), Night vision imaging system (NVIS), Color Weather Radar (CWR) sys-
tem, and Video data recording for zooming and replay. This is the same example that we have used in
Section 2.8.
Special hardware components which are required for the system to handle the aforementioned fea-
88
tures send data through the network. Multiple data from external devices can come through a common
network adapter depending on network protocols the device supports. We have assigned all required
H/W components to 5 different network adapter devices. Table 3.2 shows each assignment. Also, we
assume that each application is already assigned to one of 4 partitions based on other safety related
criteria. Connections with large visual data are configured to use an I/O controller and a local memory.
All partitions (vm0, vm1, vm2, and vm3) were given an initial size, as shown in Table 3.3; based on
the initial worst-case execution time of the applications before applying I/O effects.
3.5.1 Design Space Search Algorithm Settings
We allowed the bus topology to have a maximum depth of 2 and use up to 4 bridges. These numbers
were decided after running a preliminary test with depth 3 and checking that it was too deep to provide
valuable candidates. The design space size is 444280 instances with 12 different bus topologies. The
simulated annealing algorithm consists of two loops. The inner loop continues for a given number of
iterations. In our case study, we used 5. The stopping criterion for the outer loop is to count the number
of times when the recently accepted objective function value did not change between each inner loop
iteration. Any consecutive inner loop iterations, 3 in our case, that do not find a better model instance
would terminate the algorithm. Adjusting these constants would obviously change the performance of
the design space search. 0.05 was used for the initial value of the control parameter (temperature) TE.
It should not be too large because the objective function’s value should be less than 1 to be schedulable.
The updating rule for TE is TEnext = γ(TEprev) · TEprev where 0 < γ < 1. γ is defined to slowly
reduce TE when the objective function’s value decreases rapidly.
3.5.2 Result and Discussion
The result of running our design space search algorithm is shown in Figure 3.7. Approximately 350
instances were visited throughout the search. From Figure 3.7, we can see that most of the early bus
topologies did find architectures, colored in red, that had a small sum of I/O effect close to each other
(shown with dotted red line). The small amount of difference in I/O effect encouraged us to select the
model that required the fewest bridges and buses.
89
Applications partition init. size new size
Flight Control System (FCS) vm0 4% 7%
INS/GPS/Doppler (Nav. Sys.) vm1 1% 2%
FLIR, CWR vm2 8% 49%
NVIS, Video Record/Replay vm3 11% 42%
Table 3.3: Partition Assignment of Applications
Figure 3.8: New Hardware Architecture
Figure 3.9: Discovered best ar-
chitecture
To demonstrate robustness, we would like to compare two architectures that are described in Fig-
ure 3.8. Figure 3.8 (a) is an architecture that originally looked promising and Figure 3.8 (b) is the
architecture that we have found by design search. From Equation 3.7, new sizes for partitions are cal-
culated as in Table 2.1, which resulted in same new sizes for both architectures. The value for α, which
is the metric for robustness, was 1.785 for the original and 2.07 for the new architecture. For each
architecture, we gradually reduced the speed of the buses, which was originally 133 (MB/s), in steps
of 1 (MB/s) to have the effect of increased I/O data while checking whether any of the IMA partitions
becomes unschedulable. Both partition vm0 and vm1 never became unschedulable due to the small
amount of I/O interference received in both architectures. For the original hardware architecture, vm2
became unschedulable for bus speeds less than or equal to 69 MB/s. For vm3, it became unschedulable
at 67 MB/s. On the other hand, for the new hardware architecture, vm2 and vm3 became unschedu-
lable at 59 and 54 MB/s respectively. Since the partition sizes for both architectures were determined
90
using Equation 3.7, both architectures already have an evenly robust partition size which is clear from
the similar speeds at which vm2 and vm3 become unschedulable. This would have been difficult to
achieve if the partition slack sizes were determined only by intuition. Still the new architecture proves
to be more robust against I/O traffic, becoming unschedulable at 54 MB/s.
While we did not use multiple initial instances for each bus topology, doing so does provide better
likelihood of reaching a better model at the expense of more time for searching. We did test the search
space with 5 randomly selected initial instances for each bus topology. Around 1800 instances were
explored. The best architecture that was found is shown in Figure 3.9. This coincided with the best
instance that was discovered when we exhaustively analyzed every model for a maximum depth of
2 and maximum number of 2 bridges (4053 instances). The analysis resulted in minimum value of
0.20556518 for the sum of I/O effect which is very close to the analysis result that we found in our case
study example (0.20559273).
3.6 Related Work
Existing system-on-chip (SoC) work that is related to communication architectures mainly try to search
for best configurations for I/O for a given target architecture ([59, 67, 51]). However, it has been rarely
the case that they allow the search to include the bus topology of the system. The design of SoC
tends to concentrate on other configurative aspects to be application-specific for optimization and high
performance. More recent research concentrates on the fast exploration of bus-based communication
architectures with bus topology changes. S. Pasricha et al. introduced a new modeling abstraction
named Cycle Count Accurate at Transaction Boundaries (CCATB) for faster and accurate simulation
performance ([69]) during exploration. S. Kim et al.’s work in [48] very much relates with our objective
of considering the I/O effect on schedulability of processing entities. Our work is different from others
in that we emphasize and focus on the robustness of a system against I/O uncertainties that can happen
due to later changes in the long development cycle of avionics systems.
The importance of Model-based engineering and supporting tools ([58, 81, 24]) is apparent as the
complexity and scale of hard real-time systems increases. Component-based development ([38, 19]) is
also in line with handling such complexity with higher-level abstractions. Tools need to guide the user
91
in correctly designing systems with the support of analysis from multiple domains of research. None of
the above tools put emphasis on smartly designing the I/O architecture using model-based semantics.
Thus, either they would not support bus topologies or it is very difficult for a user to change the bus
topology knowing that nothing will go wrong in the model.
3.7 Future Work
This chapter presented a framework for applying model-based engineering methods during system-
level design phases to build a robust tree-based I/O architecture. With such a robust I/O architecture,
we can allocate partition sizes to different project groups with reduced risk of needing to alter the
partition sizes due to I/O uncertainties after integration. This also enables the system to accept new
applications with minimum changes to existing applications due to I/O effect. As future work, we
can tailor the model to take advantage of anticipated skewed distribution of I/O for future applications.
Current work assumed that the chances of increased I/O for each bus component are the same. However,
this is not always the case. Certain peripherals are expected to support more functionalities than others
in the future. In these cases, we would want these potentially more utilized components to be located
where they can handle more uncertainties in I/O. This lets us design a system that can last much longer
without changes.
92
Chapter 4
Open Analytic Runtime Models
Cyber-Physical Systems (CPS) are complex software-reliant systems that interact with physical pro-
cesses. These systems require specific runtime quality attributes (RQA) such as meeting execution
deadlines, protecting confidential, information, or maximizing battery lifetime. Designers of CPS sys-
tems rely on models of the runtime architecture and analytic algorithms to verify these RQAs. These
models are commonly developed in modeling languages that support multiple analytic domains. This
is the case of the Architecture Analysis and Design Language (AADL). AADL defines not only a stan-
dard syntax but also a standard semantics. However, this semantics is restricted to be structural in
nature to be able to support multiple analytic domains.
Analysis domains offer algorithms to not only verify properties of a system but also to synthesize
specific design parameters (e.g. task-to-processor deployment). Furthermore, because these algorithms
are implemented in modeling tools they live outside the model itself leaving models with incomplete
semantics. This is an important problems in development environments where the final system is com-
posed of independently-developed parts and models of the parts are used to analyze the final system.
This can lead to the use of algorithms with conflicting modifications to the model. In order to bring
the whole semantics back into the model and avoid conflicting modifications we developed the Open
Analytic Runtime Models (OAR models). OAR models embed analysis algorithms inside the models
declaring the parts of the model they access. This declaration enables the discovery of conflicting
accesses to the model.
93
The incorporation of analytic algorithms into OAR models consolidates the semantics of these
models. However, independently-developed algorithms can make incompatible assumptions about the
system. For instance, one algorithm may rely on the use of the highest priority in the system to ensure
that a thread is not preempted by any other thread as a form of mutual exclusion to protect shared
memory. However, if a thread-allocation algorithm assigns the threads sharing the memory to different
processors, the highest-priority mutual-exclusion property is invalidated because they can now run
completely parallel to each other.
In system integrated out of independently-developed parts, the RQAs of the final system are built
on top of properties of its parts. As a result, it is desirable to integrate models of the parts into a full
model where the assumptions and invariants of the system RQAs are derived from the properties of
the parts. In this work we developed resource allocation contracts that both verify the compatibility of
the assumptions of Resource Allocation (RA) algorithms and connect assumptions of algorithms with
the properties (guarantees) that other algorithms provide in order to ensure that all assumptions and all
RQA are satisfied.
4.1 The Hidden Semantics of Analysis Algorithms
The fast evolution of computational technology has enabled us to increase our control of physical
processes to create powerful new capabilities. One of the recent examples is the Mercedez Benz F700
concept car. In [89] the author discusses how the engine of this car combines features from diesel and
gasoline engines, but more importantly he highlights the fact that even though the concept had existed
for years it was not until recently that the performance of the processors was sufficient to be able to
implement the system that controls it. Unfortunately, the addition of more complex features compounds
the complexity of CPS systems.
In order to counteract the complexity trend in CPS systems it is necessary to use the same com-
putational advantages to augment the human designer’s capacity to make scalable design decisions.
Scalable design decisions require two critical steps. First, it is necessary to raise the level of abstraction
of the design artifacts that the designer manipulates. And secondly, modifications to design artifacts
must be transformed into a correct and predictable low-level implementation. This is in fact the aim
94
of OAR models. These models raise the level of abstraction to an architectural level and use analytic
algorithms to verify and/or synthesize the low-level behavior of the design decisions. These algorithms
have a critical role in the design process and contain an important portion of the semantic content of
the model.
Analysis algorithms hide three important elements of the model semantics. First, they can hide a
complex behavior that the algorithm explores implicitly. This is the case, for instance, when a schedu-
lability algorithm, which is given the name of a scheduling policy (as part of the model description),
simulates and analyzes a complex task execution schedule to validate the correctness of the completion
time of a set of tasks. The details of this simulation and analysis can embed a large set of assumptions
(e.g. that tasks never perform system calls), subtle practical decisions not explicitly addressed in the
literature (e.g. that for two tasks with same period the one with lower task ID can be given a slightly
higher priority), and more importantly detailed knowledge of how this behavior interacts with other
algorithms in the model.
The second semantic element hidden in analysis algorithms is the interpretation of the model. For
instance, a schedulability algorithm takes timing parameters such as execution time and period. How-
ever, the algorithm may internally convert them into an integer number of milliseconds, microseconds,
or nanoseconds. This limits how small a task (in terms of execution time) it can handle.
Finally, an analysis algorithm can hide assumptions of the behavior of other parts of the model.
For instance, following the case of our scheduling algorithms, they assume that the only item that can
affect the execution time of a task is another task. This may not be the case in a system with peripherals
with direct memory access (DMA). This is because a DMA peripheral may start a memory transfer
while a task running in the processor tries to access memory. This access in fact gets delayed until
the peripheral transfer finishes. All such assumptions are fully exposed when the the algorithms are
included in the models.
4.2 OAR Models in AADL: The Analysis Annex
We have implemented our OAR models in AADL with the analysis annex. The analysis annex defines
new modeling elements for AADL types to incorporate analysis algorithms and their access to different
95
parts of the model.
In the discussion of the new language constructs we use the following conventions.
• We describe a language phrase whose structure description is deferred with a phrase type identi-
fier within angle brackets as follows: <phrase type identifier>
• We use bold face to identify characters and keywords that need to be added literally to an annex.
For instance: functions
• We use IDENTIFIER when a valid AADL identifier is to be used.
• Optional parts of a statement are presented inside brackets ([]).
4.2.1 Annex Structure
The analysis annex is divided into four different sections: properties, queries, functions, and updates.
The properties section is used to declare the AADL properties that functions access to implement an
algorithm. Such a declaration takes the form of a list of property names separated by semicolons.
The queries section defines queries that return sets of elements that can be accessed in other queries
or functions. These queries are defined in a Model Query Language (MQL). We will discuss this
language in Section 4.2.2.
The functions section contains the analysis algorithm as a set of functions. This functions may or
may not return values and can be called by the designer to validate specific properties.
Finally, the updates section identifies the functions that modify the model along with the part of the
model that these functions modify. An update statement has the following structure:
• <element type>.<property access> <– IDENTIFIER()
The IDENTIFIER is the name of the function and both<element type>and<property access>will
be defined in the model query language of Section 4.2.2.
The update statements define the main functions that verify our models. The result from these
models can be synthesized parameters (properties) or simply a property that states that the verification
was successful.
96
4.2.2 The Model Query Language
The model query language is one of the key elements that allows us to raise the level of abstraction of
our models. It defines information retrieval operations based on a model-traversal specification. The
high level structure of a query has two possible forms as follows:
• IDENTIFIER <– <type specification>:IDENTIFIER [in IDENTIFIER] | <filter condition>
Where:
– The first IDENTIFIER defines a name for the resulting set. This name will be used in other
queries or inside functions to reference the result of the query.
– The second IDENTIFIER names a variable that identifies each of the members of the query
in order to identify them in the conditions inside the <filter condition>. These elements
are filtered by type with the <type specification>.
– The<type specification>is a single<AADL name>or a list of<AADL name>s separated
by the + sign and within parentheses. These names represent AADL types that include
the predefined component categories (e.g. thread, process, processor, etc) or user-defined
extensions of these categories.
∗ An <AADL name>is an identifier that may contain a package name followed by a
double colon (::).
– The third IDENTIFIER is the name of a set from which model elements are selected. The
reserved keyword this can be used here to select elements inside the component that con-
tains the annex (annex holder). This can also identify a set returned by a previous query.
Finally, notice that this is an optional part of the statement. This means that if it is not
present then all the elements of the model are explored.
– The <filter condition>is a Boolean condition that compares property values of the ele-
ments of the set (named with the second identifier) and properties of the current component
(identified with the keyword this) or literals. Properties are accessed with a <property
access>phrase of the form:
97
∗ <package name>::<property name>[ [ <index>]] [(<unit identifier>)]
where
· The <package name>is a sequence of identifiers separated by double colon (as
defined in the AADL standard),
· the <property name>is a valid identifier in AADL,
· an optional <index> indicator within square brackets, and
· an optional property <units identifier> within parenthesis to convert the result to
these units.
• IDENTIFIER <–(<type specification>:<var name>[in IDENTIFIER] | <filter condition>).
<property access>
The elements in this form of the statement are the same as in the previous form except that in this
case the <property access>identifies a property that must contain references to elements (e.g.
Allowed Processor Binding) that will be the result of the query.
It is worth noting that the queries section can contain multiple queries. These queries can be linked
to each other to perform recursive refinement based on previous results. In the end, the queries section
contains a set of query results whose identifiers can be used inside the functions.
4.2.3 Analysis Functions
The functions section of the annex contains the set of functions that comprises the analysis algorithm.
These functions can be called from within other functions. When a call is performed from another
function within the same annex the keyword this must prefix the function name followed by its list of
arguments with the following structure:
• this.IDENTIFIER(<list of arguments>)
The same call syntax is used when we call a function that is inherited from an annex in a parent (or
predecessor) type.
Functions can also be called on the result of queries. To do this we use a similar syntax but we
replace the keyword this by the name of the query result.
98
Properties are accessed in a similar fashion to function calls but in this case we use the property
name instead of the function name and its parameters.
Implementing Functions in Mathematica
A function is a description of a set of mathematical expressions that are given one or more input
arguments and which then produces a numerical result. We chose Mathematica [6] to implement these
functions due to its expressiveness and popularity among various academic domains, including non-
engineering areas. In this section we explain how we interface with Mathematica.
Mathematica provides a command-line interface called the Mathematica kernel which can be ac-
cessed through J/Link. J/Link includes APIs for Java applications. Each function that is defined in
the analysis annex of an AADL component type is stored in memory with Mathematica’s functional
programming features (Mathematica Function) with a unique (modified) name that represents the
AADL component and function name. The body of the functions of our analysis annex follows the
Mathematica syntax with the following exceptions.
Mathematica normally assumes that all variables are global. However, this can cause problems
because any other function defined for another AADL component type may use the same variable name.
Users have limited knowledge of all the variables that exist in other AADL component definitions.
Thus, we require the user to declare local variables in the functions with primitive types such as double,
int, boolean, etc. followed by the variable name. Since Mathematica does not have such keywords, it
considers them as variable names. Thus, we preprocess the function to identify local variables and
remove the keywords. Local variables can be added to the function declaration using Mathematica
Modules.
Any reference to a value that is model dependent in the function body is replaced with a query.
Such model dependant values include the following cases,
• A property of the AADL component instance that contains the annex (using this.<property
name>).
• The set of component instances returned by a model query result (using the IDENTIFIER that
represents the query result).
99
• A set of property values which consist of the property from each component of a model query
result. (using IDENTIFIER.<property name> where IDENTIFIER represents a query result)
Such specifications are replaced by a variable which is updated through querying when the function
is called. Thus, the query is inserted just before the actual function body. When our tool executes these
functions, it loads the AADL model and builds a relational database that includes only the model
information that may be used by the functions.
There are two types of function calls. (1) Calls to a local function that is defined in the same
AADL component type. (2) Calls to an external function on the component set returned by a query.
By describing IDENTIFIER.<function name> where IDENTIFIER represents a query result, we get
a set of numerical values that are returned from each component’s function call. (1) is handled by
simply rephrasing this.functionname into the modified function name which includes the component
type. Input arguments are translated to Mathematica syntax as well. In (2), we replace the function
with a Mathematica expression which uses the component instance returned from the query and the
function name to obtain the correct modified name of the function for each component in the query
result set and execute each function to give all the return values as a set.
After loading the database and the functions into the Mathematica kernel, a single command line
input is used for any function we wish to execute.
4.3 A Type System for Model Reuse
Analysis algorithms reuse has a parallel to code reuse in traditional programming languages. In partic-
ular, our understanding of code reuse has evolved over the years, starting with procedures and functions
in structural programming and leading us to object-oriented programming where code and data struc-
tures are bundled in abstract data types inside a type system. Analysis algorithms are in fact just
a special type of code with a much higher level of abstraction and special data structures: models.
However, the reuse challenges and patterns are very similar. Specifically, analysis algorithms are also
concerned with data structures and the executable statements that manipulate these structures. These
algorithms can be decomposed into a hierarchy of smaller pieces each with their own data and exe-
cutable statements. Each of these pieces can also form an abstract data type. Similarly, the refinement
100
model offered by object-oriented type system inheritance mechanisms can also be applied to models.
As a result, we decided to organize our analysis algorithms in a type system.
4.3.1 The AADL Analysis Annex Type System
Our type system is based on the AADL type system. Hence, the data aspect of the type system is
already implemented in AADL. This type system already give us primitives (integers, reals, booleans,
etc.), structural restrictions (e.g. threads can only be parts of either processes or thread groups), and
property restrictions based on types (e.g. the Actual Processor Binding property can only be assigned
to thread and processes). This is a strong base over which we build the code (or algorithmic) part of
the abstract data types and their inheritance mechanisms.
Our analysis annex allows us to attach analytic code to AADL types. As presented in Section 4.2.3,
this code is organized in functions. These functions can access the type’s properties directly by name.
However, to fully access the part of the model linked to this type, these functions rely on queries.
Similarly, the functions use updates to modify the model. While there is a one-to-one correspondence
between properties and the typical attributes of an object-oriented language, queries are a more complex
data-access mechanism. Specifically, queries are full-fledged information retrieval operations based on
a model-traversal specification. These operations are in fact one of the key mechanisms to raise the
level of abstraction.
The Inheritance Mechanism
The data structures defined in AADL (features, subcomponents, modes, properties, etc.) are inherited
through the AADL extension mechanism. Such an extension works both with a component type that
extends another and with a component implementation that implements a component type. Analysis
annexes follow this inheritance structure and the full annex is inherited from a type to the ones that
extend it.
Annex inheritance offers a functional decomposition based on data types where the functions are
bundled with the model type they analyze. This inheritance allows a function in a type’s annex to
call the function in its parent’s (or any predecessor) type annex. However, queries are restricted to be
101
accessed exclusively by the functions in the annex where they are defined. This limitation is aimed at
avoiding confusion about the query conditions.
The encapsulation of model structure and algorithms into abstract data types enables the creation
of analysis libraries with a set of basic types. With these basic types, new models are created by simply
extending them to create the types that describe the system of interest. Then we simply call the inherited
analysis algorithms of these types to perform the required verification.
Inheriting Multiple Annexes
A type can inherit multiple analysis annexes that verify different properties in a system. For instance,
to verify both the real-time timing properties and security properties of a system, two different annexes
can be inherited in a single type. However, this inheritance is limited to the single-parent inheritance of
AADL. This means that in order for a type to inherit two annexes, its parent type (the one it extends)
needs to contain one annex and the parent of this type needs to contain the other one. In addition,
it should be noted that we address only the aggregated use of resources from a real time computing
perspective.
4.4 OAR Sample Model
In this section we present an example that integrates three different analysis algorithms. These
algorithms are: (1) a confidentiality assurance algorithm [39] aimed at protecting the confidentiality
of information at different levels of security; (2) a bin packing algorithm that assigns tasks to proces-
sors [27] to minimize the number of processors needed by the system; and (3) a frequency scaling
algorithm [76] that reduces the frequency of the processors while ensuring that the deadlines of all the
real-time tasks of the system are respected.
The example system1 describes parts of a defense ship that highlights how these algorithms interact.
The software of our system is composed of seven threads with the following functionality:
• RadarTracking interfaces with the radar device and creates tracks of the objects in the sky
1Academic example was provided by Dionisio de Niz from the Software Engineering Institute (SEI) at Carnegie Mellon
University.
102
Listing 1 Example Model for Frequency Scaling
package PowerEfficiency
public
thread PowerEfficientThread
annex analysis {**
queries
higherPriorityThreads <- thread:x | x.Actual_Processor_Binding =
this.Actual_Processor_Binding and
x.Deadline(ms) <= this.Deadline(ms); --query for higher priority threads
functions
double EnergyMinFreq(int maxClockFreq){ --function declaration
double omega;
...
S = 0; I = 0; beta = 0; delta = 0; alpha = 1; inbzp = True; omegaPrime = 0;
d = this.Deadline(ms);
omega = this.Compute_Execution_Time[max](ms) / maxClockFreq;
While[omega < d,
If[inbzp == True,
delta = d - omega;
While[(omega < d) && (delta > 0),
subOmega = higherPriorityThreads.getSubOmega(omega, maxClockFreq);
omegaPrime = Total[subOmega] + S;
delta = omegaPrime - omega;
omega = omegaPrime
];
inbzp = False,
subIdleDuration = higherPriorityThreads.getSubIdleDuration(omega, d);
I = Min[subIdleDuration]; S = S + I;
omega = omega + I;
t = omega;
beta = omega - S;
If[(beta / t) < alpha, alpha = (beta / t), ];
inbzp = True;
Break[]
]
];
alpha --return value
}
double getSubOmega(double omega, int maxClockFreq){ --function declaration
this.Compute_Execution_Time[max](ms) / maxClockFreq *
(Floor[(omega / this.Period(ms))] +1) }
103
Listing 2 Example Model for Frequency Scaling (Continued)
double getSubIdleDuration(double omega,double deadline){
Min[(this.Period(ms) * Ceiling[omega / this.Period(ms)]) -omega, (deadline-omega)]}
double getScaledUtilization(double scaleFactor){
this.Compute_Execution_Time[max](ms) / this.Period(ms) }
**};
end PowerEfficientThread;
processor PowerEfficientProcessor
annex analysis {**
queries --query for bound threads
BoundThreads <- thread:t | t.Actual_Processor_Binding = this;
functions
double AllEnergyMinFreq(){
double setEnergyMinFreq; int maxFreq;
maxFreq = this.ACE::Max_Clock_Freq;
setEnergyMinFreq = BoundThreads.EnergyMinFreq(maxFreq) }
double MaxEnergyMinFreq(){
double setEnergyMinFreq;
setEnergyMinFreq = this.AllEnergyMinFreq();
If[Length[setEnergyMinFreq] == 0, 0, Max[setEnergyMinFreq]] }
**};
end PowerEfficientProcessor;
system PowerEfficientSystem
annex analysis {**
queries --query for processors in system
AllSubProcessors <- processor:p in this;
functions
int minFrequencyPairs(){
...
minfreq = AllSubProcessors.MaxEnergyMinFreq(); --call function of AllSubProcessors
allprocs = AllSubProcessors;
pairs = {};
For[i=1,i<=Length[allprocs],i++,
pairs = Append[pairs,allprocs[[i]],minfreq[[i]]]
];
pairs } --return value is a integer set
updates --saves result to model using return value of minFrequencyPairs()
processor:p.ACE::CurrentFrequency <- minFrequencyPairs(); **};
end PowerEfficientSystem;
end PowerEfficiency;
104
• UAVTracking consolidates the tracking information received from UAVs (Unmanned Aerial
Vehicles)
• EngagementPlanning processes the tracking information received from the RadarTracking
and UAVTracking threads and develops engagement strategies
• AssetControl receives the engagement strategies from the EngagementPlanning threads and
coordinates the assets in an engagement
• RequestPressRelease receives press release requests from news agencies
• PressReleaseClearance sanitizes the engagement information received from the engage-
ment planning module and generates responses to the press release request forwarded by the
RequestPressRelease thread
• PressReleaseDissemination transmits the sanitized information to the news agencies
In addition, the systems contain four processors connected through a bus where the threads must
be run.
4.4.1 Model Organization
To simulate the independent-part development process of a virtual integration environment we devel-
oped simplified versions of the algorithms mentioned at the beginning of this section. We then put
these algorithms into analysis annexes in AADL types (threads, processors, and system types) of three
different AADL packages. Then, we built a type hierarchy among the different types to inherit all the
annexes when building the final system. This final system is then built with the combined types.
In the following Listings, we will show a truncated version of the AADL models with the anal-
ysis annex. The full version of the model is included in Appendix B. Listings 1 and 2 show the
PowerEfficiency AADL package. Queries and functions that are required for frequency scaling
are packaged together as an analysis library. With two more packages from Listing 3 and 4, our model
contains three different packages, or libraries, linked by inheritance. Each of the system types shows
their respective annex. The constructs of all three of these annexes are inherited into the final system.
105
Time units are always communicated through ms as we can see from any property reference in the
annex. This ensures correctness of units among different analyses.
In Listing 1, we have a PowerEfficientThread definition which includes a query that asks for
all the higher priority threads (higherPriorityThreads). This query is specified by giving the
conditions as, only threads such that the processor it is bound to is equal to the annex holder’s processor
(x.Actual Processor Binding = this.Actual Processor Binding) and its deadline
is equal or less than the annex holder’s deadline. The algorithm requires the annex holder thread
itself to be included in this set. Three functions are included in the same thread (EnergyMinFreq,
getSubOmega, getSubIdleDuration). Inside the function bodies, you will see how the query
result identifier (higherPriorityThreads) is used. We can get a list of the SubOmega values
from the higher priority threads by writing higherPriorityThreads.getSubOmega(oemga,
maxClockFreq). These SubOmega values are calculated from the local property values of each
thread as shown in the body of function getSubOmega.
In the PowerEfficientSystem definition, we have an updates section which shows that the
analysis eventually updates the ACE::CurrentFrequency property of processors by using the
return value of the function minFrequencyPairs. The minFrequencyPairs function calls
the MaxEnergyMinFreq function of all the processors that exist in the system by using the query
AllSubProcessors. Function MaxEnergyMinFreq is using the result of the EnergyMinFreq
function from all of its bound threads (query result BoundThreads) which is why EnergyMinFreq
is defined for each thread in Listing 1.
In Listing 3 we show the confidentiality assurance algorithm which eventually assigns the property
Not Collocated of threads as shown in the the updates section. This property holds the set of
threads that should not be bound to the same processor for each thread. The security class of threads
are presented by the property Security Attributes::Class in the AADL model.
Listing 4 describes only a fraction of the bin packing algorithm. The complete implementa-
tion is included in Appendix B. However, we are able to recognize that it eventually updates the
Actual Processor Binding property of each thread which represents the assignment of threads
to its processors. In the queries section of RealTimeSystem, the BPAllThreads query uses
the return set of the BPAllProcesses query to get the set of all the threads that exist in the
106
Listing 3 Example Model for Confidentiality Assurance
package Security
public
thread SecureThread extends
PowerEfficiency::PowerEfficientThread
annex analysis {**
functions
String getSecurityClass() {
this.Security_Attributes::Class }
**};
end SecureThread;
system SecureSystem extends
PowerEfficiency::PowerEfficientSystem
annex analysis {**
queries
AllProcesses <- process:p in this; --query for all processes
AllThreads <- thread:t in AllProcesses; --query for all threads in AllProcesses
functions
int Security(){
int ts; int others;
int notCollocated;
int classes;
notCollocated = ;
ts = AllThreads;
classes = AllThreads.getSecurityClass();
For[i = 1, i <= Length[classes], i++,
others = ;
For[j = 1, j <= Length[classes], j++,
If[i != j && classes[[i]] != classes[[j]], others = Append[others, ts[[j]]],];
];
notCollocated = Append[notCollocated, ts[[i]], others]
];
notCollocated --return set
}
updates --saves result to model using return value of Security()
thread:t.Not_Collocated <- Security(); --as property value Not_Collocated
**};
end SecureSystem
end Security;
107
Listing 4 Example Model for Bin packing
package RealTime
public
thread RealTimeThread extends
Security::SecureThread
annex analysis {**
functions
double getUtilization(){
int p; int c; int u;
p=this.Period(ms);
c=this.Compute_Execution_Time[max](ms);
u= c/p;
u }
int getNotCollocated(){
this.Not_Collocated } **};
end RealTimethread;
system RealTimeSystem extends
Security::SecureSystem
annex analysis {**
queries
BPAllProcesses <- process:p in this;
BPAllThreads <- thread:t in BPAllProcesses;
AllProcessors <- processor:pr in this;
functions
int indexOf(int threadName, int threads){ ... }
int getNotCollocatedLists(){ ... }
BinPack(){ ... }
int orderDecreasing(double t, int ti0){ ... }
int orderIncreasing(double t, int ti0){ ... }
double getProcUtilizations(double threadUtilizations, int assignments){ ... }
double getProcUtilization(int procIndex, double threadUtils, int assignments){ ... }
updates
thread:t.Actual_Processor_Binding <- BinPack();
**};
end RealTimeSystem;
end RealTime;
108
Table 4.1: Summary of Analysis Results
Analysis Updated components Property type Property value
assetControl (secret) Not Collocated engage, clearance, dissemination,
radar, req Release, uavTracking
engagementPlanning (top secret) Not Collocated asset, dissemination, req Release
Confidentiality pressReleaseClearance (top secret) Not Collocated asset, dissemination, req Release
Assurance pressReleaseDissemination (unclassified) Not Collocated asset, engage, clearance, radar,
uavTracking
radarTracking (top secret) Not Collocated asset, dissemination, req Release
requestForPressRelease (unclassified) Not Collocated asset, engage, clearance, radar,
uavTracking
uavTracking (top secret) Not Collocated asset, dissemination, req Release
assetControl Actual Processor Binding processor p1
engagementPlanning Actual Processor Binding processor p2
pressReleaseClearance Actual Processor Binding processor p2
Bin Packing pressReleaseDissemination Actual Processor Binding processor p3
radarTracking Actual Processor Binding processor p2
requestForPressRelease Actual Processor Binding processor p3
uavTracking Actual Processor Binding processor p2
processor p1 ACE::CurrentFrequency 0.3
Frequency processor p2 ACE::CurrentFrequency 1.0
Scaling processor p3 ACE::CurrentFrequency 0.6
processor p4 ACE::CurrentFrequency 0.0
(Security class is described inside parenthesis)
system. This strictly follows the syntax of AADL where all the threads have to exist as subcom-
ponents of processes or thread groups. From the getNotCollocated function, we notice that
this algorithm also considers the Not Collocated property which is assigned by the previously
explained confidentiality assurrance algorithm. Only after the bin packing algorithm updates the
Actual Processor Binding property, can the frequency scaling algorithm be executed.
Listing 5 partially depicts the final integrated system along with the definition of the processes
and threads inside. Complete specification is shown in Appendix C. In the complete model, we have
seven definitions; each process and thread represents each functionality that we have described earlier
in this section with numerical properties such as their security class, period, deadline, and execu-
tion time. The processor type RealTime::RealTimeProcessor is the one that integrates all
109
Listing 5 Example Integrated System
thread RadarTrackingThread extends
RealTime::RealTimeThread
properties
Security Attributes::Class => top secret;
Period => 100 ms;
Deadline => 100 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end RadarTrackingThread;
process implementation RadarTrackingProcess.i
subcomponents
t: thread RadarTrackingThread;
end RadarTrackingProcess.i;
system AnalyticCompSystem
extends RealTime::RealTimeSystem
end AnalyticCompSystem;
system implementation AnalyticCompSystem.i
subcomponents
p1: processor RealTime::RealTimeProcessor;
...
p4: processor RealTime::RealTimeProcessor;
radarTracking: process RadarTrackingProcess.i;
uavTracking: process UAVTrackingProcess.i;
engagementPlanning: process EngagementPlanningProcess.i;
assetControl: process AssetControlProcess.i;
requestForPressRelease: process RequestForPressReleaseProcess.i;
pressReleaseClearance: process PressReleaseClearanceProcess.i;
pressReleaseDissemination: process PressReleaseDisseminationProcess.i;
connections
c1: event data port radarTracking.tracks -> engagementPlanning.tracks;
...
end AnalyticCompSystem.i;
110
Figure 4.1: Analysis annex Solver
the annexes together. The RadarTrackingThread type also extends the annex-integrating type
RealTime::RealTimeThread. Processors and processes are introduced as direct subcomponents
of the top level system (AnalyticCompSystem) which is why the queries in Listing 4 were defined
in such a way. We have allowed for up to four processors to be available for the bin packing algorithm
to use as candidates.
After running the three analyses in the order of confidentiality assurance, bin packing, and then the
frequency scaling, we get the scaling factors of 0.3, 1.0, and 0.6 for each processor p1, p2, and p3.
We discovered that we did not need the fourth processor for the given set of tasks. Table 4.1 shows a
summary of the results for each analysis. Each component is updated with the property value for the
specified property type and used in the subsequent analysis. Finally, Figure 4.1 is a screen shot of our
analysis annex solver tool where the user can select any function or update to be executed and show the
final result.
4.5 Resource Allocation Assumptions
In multi-tier manufacturing environments, such as in the avionics and automotive industries, the final
system is composed of independently-developed components. In these industries there is an increased
interest in the use of models to verify the integration of early component designs before any physical
development takes place. This is known as virtual integration.
One of the key elements in virtual integration is the integration of component models. These mod-
els must be developed by independent component suppliers and hence are loosely coordinated. The
integration of these models results in a final system model for which properties are verified with anal-
111
ysis algorithms. In order for this verification to be successful, the suppliers must ensure that their
components also exhibit properties upon which the final system properties will be based. As a result,
the suppliers also use analysis algorithms to verify their component properties. This implies that the
multiple algorithms involved in the final model must be integrated in what we call an analytic integra-
tion.
In order for the analytic integration of different models to be successful, their analysis algorithms
must be compatible with each other. Our work focuses on the analytic integration of resource allocation
(RA) algorithms and other algorithms that rely on or constrain their allocations.
RA algorithms are typically designed as global optimization algorithms that rely on initial condi-
tions and invariants. This is the case, for instance, of the rate-monotonic scheduling algorithm that
relies on the use of the fixed-priority scheduling mechanism to guarantee the absence of missed dead-
lines. RA algorithms calculate the parameters of resource allocation (RA) mechanisms (e.g. define the
priorities of the tasks in the system) to achieve specific Runtime Quality Attributes (RQAs).
Resource allocation (RA) analysis algorithms are used to verify that RA algorithms exhibit their
intended RQA. These analysis algorithms verify properties and invariants of the runtime mechanisms
when configured in a specific manner. These mechanisms in turn, dynamically allocate resources during
the execution of the system. Unfortunately, when RA mechanisms are configured and analyzed inde-
pendently they can violate each other’s initial conditions and invariants, as well as, the final intended
properties, i.e., the intended RQA of the final system. For instance, this is the case of a frequency
scaling algorithm used to minimize the power consumption of the processors of the system that as-
sumes that threads are not preempted by other threads with longer deadlines. In this case if we use a
scheduling mechanism that violates this assumption, the analytic results will be invalidated.
A number of other Quality Attributes (QA) depend on either the physical location of the compu-
tations or resource-sharing invariants or both. As a result, the analysis algorithms that verify these
QAs also inherit that dependency. This is the case, for instance, of the security properties that rely
on avoiding a resource sharing situation that can compromise information-isolation properties. These
properties can be violated if an RA algorithm assigns the same computational resource, that does not
provide information isolation, to two functions that are supposed to not have the possibility of sharing
information.
112
Because the QAs of the final system are based on the properties and invariants of its components,
the properties of these components must be used to contribute to these final QAs. As a result, not
only do we need to verify that their assumptions are compatible, but also we need to use the component
properties to satisfy the underlying assumptions of the final QAs and other component algorithms. This
linking takes the form of contracts [17] that is the focus of this work.
4.6 Resource Allocation Contracts
Resource allocation contracts are used to define the resource allocation assumptions and guarantees
between analysis algorithms. These contracts are defined on a model that describes the resource allo-
cation actions of the system. The formal definition of the contracts are presented in Appendix A along
with its implementation in Alloy [45]. The Alloy model is generated from the analysis annex contract
constructs and verified by the Alloy analyzer to find counter examples.
4.6.1 Analysis Annex Contract Constructs
The analysis annex includes two sections for the contracts: contracts and predicates. The contracts
section can contain any number of statements of the following four constructs:
1. Assumes encode the assumption of the algorithm. Its syntax is:
assumes [each<variable name>:<set name>] {<Alloy Expression>} [ scopes<var name 1>
: <number>, . . .<var name n> : <number>]
where the optional each clause takes a result (set) from a query and creates an Alloy assert and
check with the <Alloy Expression> as the content. The <Alloy Expression> is an expression
in Alloy to generate the assert and check as explained in the previous bullet. Finally, the optional
scopes expression assigns scopes to Alloy sets to set the bounds of the verification.
The assumes construct is translated into an assert Alloy statement that includes the <Alloy
Expression> and a corresponding check statement that includes the scopes defined here.
2. Guarantees encode the properties the algorithm guarantees if it runs successfully. Its syntax is
as follows.
113
guarantees [each<variable name>:<set name>] { <Alloy Expression>}
where the optional each part is defined as in the assumes statement and the<Alloy Expression>
encodes the fact that is true if the algorithm runs successfully.
This construct is translated into an Alloy fact.
3. Facts are used to encode properties of the system configuration that are independent of the anal-
ysis algorithms. The syntax is
fact {<Alloy Expression> }
with <Alloy Expression> as explained before. This is directly translated into an Alloy fact.
4. Implications are used to incorporate facts into the Alloy model when a Mathematica condition
involving queries to the AADL model is true. Its syntax is:
{<Mathematica Condition>} − > {<Alloy Expression>}
Where the <Mathematica Condition> is a Mathematica condition involving query results and
<Alloy Expression>, which is defined before.
This construct is translated into an Alloy fact containing the <Alloy Expression> only if the
<Mathematica Condition> evaluates to be true.
The predicates section enables the definition of parameterized Alloy predicates (separated by semi-
colons) with the same syntax as in Alloy:
<Predicate Name>[ <Parameters>] {<Alloy Expression>}
Where <Parameters> is a comma-separated list of <variable name>:<Alloy type> pairs to rep-
resent parameters. The <Alloy Expression> is an expression that involves the parameters of the pred-
icate.
Alloy expressions can access AADL elements and properties through the special keyword this. This
keyword is replaced by the proper Alloy signature used to represent the appropriate subcomponent. In
addition, it is possible to suffix the keyword with Type (i.e., this.Type) to access the corresponding
AADL-based type of the subcomponent instead. Finally, properties are accessed adding the name of
the property to the this keyword or to the name of a query result. For instance, this.Period accesses
114
Listing 6 Sample Contract
package PowerEfficiency
public
system PowerEfficientSystem
annex analysis {**
properties
ACE::Max_Clock_Freq, Scheduling_Protocol, Actual_Processor_Binding;
queries
AllSubProcessors <- processor:p in this;
predicates none
contracts
fact {
all s:this.Type{
PriorityScheduling[s.threads,AllSubProcessors]
FixedPriority[s.threads]
PartitionedScheduling[s.threads, AllSubProcessors]
all j:s.threads.jobs{
some p:AllSubProcessors{ j in p.jobs }}}};
functions
...
end PowerEfficientSystem;
end PowerEfficiency;
the period of the current subcomponent and AllThreads.Period is replaced by the set of periods from
each and every thread in the set AllThreads assuming this set is the result of a query returning a set of
threads.
AADL elements and properties are interpreted based on the context of the contract statements. For
instance, consider the sample annex attached to an AADL system shown in Listing 6.
In the annex presented in Listing 6, the set presented as this.Type is composed of all the AADL
instance objects of the type PowerEfficientSystem. The AllSubProcessors set, on the
other hand, is the set of all the processors returned from the query statement at the beginning of the
annex.
Contract constructs access the same elements defined in our MQL statements. As a result, their
dependencies are also defined by these statements and their properties and update statements. Our tool
implementation (a modification of the OSATE tool) includes an algorithm scheduler that presents valid
115
Figure 4.2: Screenshot of Schedule QA Analyses Result
execution sequences based on their dependencies.
4.7 Illustrative Example
In this section we will extend the example model that we have used in Section 4.4 with properties,
predicates and contracts.
In the following Listings, we will show a truncated version of the AADL models with the RA
contracts of the algorithms. The full version of the model is included in Appendix B. In order to verify
the RA contracts and execute the algorithms, as described in Section A.5, we also upgraded the analysis
annex solver tool so that it suggests a valid sequence of running the set of analyses in the model, as
well as checks whether all the assumptions in the model hold.
Listing 7 shows the thread and processor AADL types with their respective annexes that comple-
ment the description of the PowerEfficiency package from Listing 6. The analysis algorithms and
their contracts are defined inside AADL types that in turn are packaged together as an analysis library
in AADL packages. The two other annexes with their respective algorithms are presented in Listings 8
and 9. The constructs of all three of these annexes and the type of our final system are linked through
the AADL type inheritance mechanism as before.
Algorithm Dependencies
The dependencies in our annexes are encoded as follows. The annex in the PowerEffiicentSystem
type in Listing 6 depends on the properties: ACE::Max Clock Freq, Scheduling Policy, and
Actual Processor Binding. This annex depends on the bin-packing algorithm in Listing 9,
given that it updates the Actual Processor Binding property. In turn, the bin-packing algo-
rithm’s results depend on the Not Collocated property which is updated by the security algorithm
in Listing 8.
116
Listing 7 Example Model for Frequency Scaling with Contracts
package PowerEfficiency
public
thread PowerEfficientThread
annex analysis {**
properties
Compute_Execution_Time, Actual_Processor_Binding, Deadline, Period;
queries
...
predicates none
contracts
assumes {
all s:this {
no o:s.concurrent {
some p:Processor {
(s+o) in p.threads and o.deadline > s.deadline }}}} with scopes job:5, thread:5;
{this.Period(ms) == this.Deadline(ms)} -> {all t:this { t.deadline = t.period }};
functions
...
**};
end PowerEfficientThread;
processor PowerEfficientProcessor
annex analysis {**
properties
ACE::Max_Clock_Freq, Scheduling_Protocol;
queries
BoundThreads <- thread:t | t.Actual_Processor_Binding=this;
predicates none
contracts
{this.Scheduling_Protocol == {"DMS"}} -> {DeadlineMonotonicPriority[this.threads]};
{this.Scheduling_Protocol == {"RMS"}} -> {RateMonotonicPriority[this.threads]};
functions
...
**};
end PowerEfficientProcessor;
end PowerEfficiency;
117
Listing 8 Example Model for Confidentiality Assurance with Contracts
package Security
public
...
system SecureSystem extends PowerEfficiency::PowerEfficientSystem
annex analysis {**
properties
Not_Collocated;
...
contracts
assumes each t:AllThreads {
GuaranteeNotCollocated[t, t.Not_Collocated]
};
...
**};
end SecureSystem
end Security;
Our solver use the annex dependencies to produce a valid execution sequence. This sequence
is presented to the user as a list of enabled and disabled algorithms that tracks their execution (and
property updates). Algorithms are enabled as the properties they depend on are updated. Figure 4.2
shows a screenshot of our solver interface before any algorithm is run. In this case, only the security
analysis is enabled due to the dependencies described before.
Contracts
The contracts of our sample model describe their corresponding assumptions and the facts and guaran-
tees as follows. The power minimization algorithm in the thread type in Listing 7 depends on a test of
the response time of the deadline-monotonic algorithm. This is encoded as a contract assumption that
states that no thread should be preempted by another thread with a shorter deadline. This assumption
is satisfied with scheduling facts from the system configuration, the scheduler properties in the proces-
sors, and the timing properties of the threads. Specifically, three system-wide scheduling configuration
properties are encoded as a fact in the PowerEfficientSystem in Listing 6. This fact contains
three predicates that state that the system is scheduled with a priority scheduler, with fixed priorities and
118
Listing 9 Example Model for Bin packing with Predicates
package RealTime
public
...
system RealTimeSystem extends Security::SecureSystem
annex analysis {**
properties
Allowed_Processor_Binding;
queries
AllSubProcessors <- processor:p in this;
predicates
PriorityScheduling [thethreads: set Thread, processors: set Processor]{...}
FixedPriority [threads: set Thread ]{...}
PartitionedScheduling [thethreads: set Thread, processors: set Processor ]{...}
RateMonotonicPriority[threads: set Thread ]{
no disj t1,t2:threads{
t1.period < t2.period and
t1.priority >= t2.priority }};
DeadlineMonotonicPriority[threads: set Thread]{
no disj t1,t2:threads{
t1.deadline < t2.deadline
and t1.priority >= t2.priority}};
contracts ...
functions
...
end RealTimeSystem;
end RealTime;
119
Figure 4.3: Assumption Checking
with fixed assignment of threads to processors (a.k.a. partitioned scheduling). These predicates in turn
are defined in the RealTimeSystem type in Listing 9 because they are part of the possible configurations
of the real-time system model.
The Scheduling Policy property of the processors in the final system is then translated into
facts with predicates (DeadlineMonotonicScheduling or RateMonotonicScheduling)
that encode the behavior of the schedulers in our resource allocation model in Alloy. This is done with
implications in the RealTimeProcessor type in Listing 9.
The detailed encoding of the scheduling behavior allows us to use different facts to satisfy an
assumption. In our sample model, we use this to encode that a rate-monotonic scheduler can satisfy
the power minimization assumption when threads have periods equal to their deadlines. We encode
this with an implication in the PowerEfficientThread type that translates this condition into an
Alloy fact.
Once encoded, the RA contracts of our model are verified by first executing the algorithms and then
running the Alloy analyzer with the generated Alloy model.
After running the three analyses in the order of confidentiality assurance, bin packing, and then the
frequency scaling, we get the scaling factors of 0.3, 1.0, and 0.6 for each processor p1, p2, and p3. We
discovered that we did not need the fourth processor for the given set of tasks.
Finally, after running all the analyses, if we check all the assumptions, the solver shows in Fig-
ure 4.3 that all the assumptions defined in PowerEfficientThread of Listing 7 hold because
each thread has the same value for its period and deadline, and because the processors were assigned
120
Listing 10 Example Integrated System for Resource Allocation Verification
thread RadarTrackingThr extends RealTime::RealTimeThread
properties
Security Attributes::Class => top secret;
Period => 100 ms; Deadline => 100 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end RadarTrackingThr;
process implementation RadarTrackingProcess.i
subcomponents
t: thread RadarTrackingThr;
end RadarTrackingProcess.i;
system AnalyticCompSys extends RealTime::RealTimeSystem
end AnalyticCompSys;
system implementation AnalyticCompSys.i
subcomponents
p1: processor RealTime::RealTimeProcessor;
...
p4: processor RealTime::RealTimeProcessor;
radarTracking:process RadarTrackingProcess.i;
engagementPlanning:process EngagementPlanningProc.i;
...
connections
c1: event data port radarTracking.tracks ->
engagementPlanning.tracks;
...
properties
Scheduling_Protocol => DMS applies to p1;
Scheduling_Protocol => RMS applies to p2;
Scheduling_Protocol => DMS applies to p3;
Scheduling_Protocol => DMS applies to p4;
...
end AnalyticCompSys.i;
121
the DMS (p1, p3, p4) and RMS (p3) scheduling protocols in AnalyticCompSys.i of Listing 10
Complete specification of the system is shown in Appendix C.
4.8 Related Work
Our research relates to work in two large areas; Assumptions management and Models & analysis al-
gorithms. Perhaps the most well-known work is related to Design-by-Contract. Design-by-Contract
(DBC) [60] is a software methodology for using contract specification to verify the correctness of the
composition of systems. DBC has been used in object-oriented (OO) languages such as Java [32],
JML [54], Eiffel [60], and Spec# [15]. These approaches still face many open challenges related to
a number of aspects that include numeric models, side effects of computations, aliasing, and call-
backs [53]. Other works complement these approaches with runtime checks [25] or model instance
queries [21] to verify the validity of the implementation. However, none of the above work focuses on
analysis algorithms as our work does.
The notion of contracts has been applied to the area of Architecture Description Languages (ADLs)
for system architecture design [17, 26] to guarantee safe and correct composition of software and hard-
ware components. Additionally, work that has been done for RT-CORBA [78, 49] lets the user make
explicit assumptions about the resource that a software requires in a distributed system environment.
However, none of these works address analysis algorithms themselves; hence they cannot be used to
verify the correctness of the integration of multiple analysis algorithms.
VEST (Virginia Embedded Systems Toolkit) [86] is also a tool for providing hidden dependency
checks and non-functional analysis using aspect [47] checks and prescriptive aspects for domain spe-
cific components. VEST focuses on the development of effective composition methods for real-time
systems. Trying to ensure that proper analysis is used and to automatically identify the task model from
the system description during design time matches with our perspective. In particular, the End-to-End
Real-Time Scheduling Aspect check in VEST comes close to our motive. However, with the lack of
integration with analysis algorithms specification in the model, it hides how analysis is performed in
the model.
In the model & analysis algorithms area, multiple modeling languages for embedded systems have
122
emerged over the years. Among them the Unified Modeling Language (UML) [33] is perhaps the most
widely adopted. The core of UML is composed of a set of diagrams to describe software artifacts.
Unfortunately, because UML aims at capturing all kinds of software systems, its semantics is loosely
defined. However, given its popularity, multiple efforts to strengthen its semantics have taken place.
Two of the most closely related to our work are SysML and MARTE. SysML (Systems Modeling Lan-
guage) [43] is a profile that uses all of the UML diagrams and provides two additional ones with firm
semantics: the requirements diagram and the parametric diagram. The requirements diagram is aimed
at capturing both functional and non-functional requirements in a hierarchical fashion. The parametric
diagram, on the other hand, enables the modeling of behaviors described through mathematical rela-
tions. Thus, this is perhaps the closest to our approach. However, SysML is aimed at physics modeling
with differential equations while we focus on the runtime system. In addition, there is no explicit
strategy to define equation assumptions that can be automatically verified as in our work.
MARTE (Modeling and Analysis of Real-Time and Embedded Systems) [30] is a UML profile
designed to capture the execution behavior and scheduling of real-time systems. Hence, it works at the
same level as our base modeling language: AADL. In fact, part of MARTE’s semantics was developed
based on AADL. MARTE adds more flexibility to the definition of resources, clocks, and scheduling
disciplines. Unfortunately, this flexibility complicates the verification of consistency like the one we
propose in this paper.
The Object Constraint Language (OCL) is a standardized language for specifying constraints for
UML itself. It can also be used on MOF (Meta Object Facility) or EMF (Eclipse Modeling Framework)
and other domain specific languages to specify constraints for automated verification. The Dresden
OCL Toolkit [28] provides such tools to translate OCL to Java code for verification of OCL constraints.
With the second version of OCL, OCL includes the features to be used for querying relational data
bases [66]. Contrasting with our work, OCL is aimed at expressing syntactic constraints and it lacks
the semantic framework that our work has.
Another closely related work is the Equation-based Object-Oriented (EOO) modeling languages.
Among them the most prominent are: Modelica [34], gPROMS [2], and VHDL-AMS [11]. These
languages cover multiple application domains combining equation descriptions and reusable model
components. The EOO modeling languages are mainly focused on data flow models to which equations
123
are attached. This focus makes these models better suited to describe the behavior of physical processes.
However, these languages do not provide the semantic base to model the software execution behavior.
None of the related work addresses the model-integration consistency issue faced with virtual in-
tegration due to usage of independently-developed analysis algorithms in a self-contained manner. To
the best of our knowledge, this is the first work that focuses on this issue and provides the first holistic
solution.
4.9 Future Work
As a future work, supporting the analytical integration of static software tools, such as ASIIST, and
OAR models so that these two methods can seamlessly work with one another and support correct
modification and integration of architectural models would be valuable. Correctness is defined by
the valid execution of analytical algorithms that the model and the available analysis implementations
support. Tool developers should have the freedom of creating stand alone analysis tools or OAR models
for analysis. Advanced analysis tools rarely just perform analysis. They can support numerical or
architectural changes to a model for ease-of-usage. Such changes can unknowingly affect other analysis
results that are implemented by another analysis tool or OAR model. To resolve these problems, we
will have to define semantics for tool developers to openly declare a profile of how it interacts with an
AADL input model. We believe that this can be implemented using Eclipse based plug-in extensions.
At the current stage, we will only support tools that are implemented on the Open Source AADL Tool
Environment (OSATE) which uses the Eclipse platform. By utilizing these set of profiles, assumptions
management services can be extended to include static analysis tools.
124
Chapter 5
Conclusions
Model-Based Engineering is becoming more popular as real-time systems become larger and more
complex. In the past, I/O traffic has not been the most important thing to model due to its minimal
or deterministic effect on schedulability and the high speed of buses compared to application require-
ments. However, the recent development of powerful CPUs, compared to buses, has brought the need
to carefully design efficient I/O architectures to take full benefit of high performance processors, in-
cluding multi-core processors.
I/O architecture is a design factor that needs to be determined early so that other integration can
proceed based on it. It is also very costly to make any significant change to the I/O architecture late in
the design process. Thus, evaluating the effect of I/O and designing better architectures through MBE
tools, especially during an early design stage, is a promising work to accomplish.
Following is the list of requirements for our work that was presented in Chapter 1.
• R1: Providing a virtual integration I/O modeling framework for early system-level design and
analysis.
• R2: Capturing side effects of I/O data, especially for IMA systems, to create an input model for
schedulability and latency analysis.
• R3: Providing tool-based support for safe architectural model changes.
• R4: Supporting extensible analysis tools through model-based engineering.
125
• R5: Supporting correct implementation of multiple correlated analysis algorithms for AADL
models.
Through the activities of building and enhancing our tool named ASIIST, we have devised a frame-
work for modeling I/O at an early system-level design phase (R1: Section 2.2 and 3.3). With the I/O
model, we have presented what kind of side effects can be captured for schedulability and latency anal-
ysis in an IMA system environment (R2: Section 2.6). While we tried to make the specification of I/O
as simple as possible, it still requires the support of tools for users to safely make architectural changes
such as assigning applications to different processors or testing different bus topologies. ASIIST pro-
vides GUI support (R3: Section 2.5) to intervene in these actions and make sure that all I/O related
properties remain valid after architectural model changes. Also, we have implemented a design space
search functionality in ASIIST (R3: Section 3.4) where the tool will go through a configurable set of
design instances to find a targeted I/O architecture, in our case the most robust I/O design. In this case,
users would no longer have to manually change the I/O architecture in search of a design.
Once we had a tool like ASIIST, we discovered that it is very difficult to maintain such static tools
when AADL is so extensible, and models with unexpected semantics from different entities can be in-
tegrated together. We started a new approach of implementing analysis tools by building Open Analytic
Runtime (OAR) Models (R4: Section 4.2) so that users can openly inspect the implementation of algo-
rithms and make corrections when the model is extended. The analysis annex is an implementation of
OAR models in AADL. When models are extended, polymorphism can be used to overwrite an existing
function in the model so that the algorithm still performs correctly. By using the meta information of
analysis algorithms, it was then possible to support the correct usage of multiple correlated analysis
algorithms by identifying correct order of execution and resource allocation violations (R5: Sections
4.5 and 4.6).
As for future work, the integration of static software tools, such as ASIIST, with OAR models is
an interesting task. Tool developers should have the freedom of creating stand alone analysis tools or
OAR models for analysis. For complex analysis, building an OAR model can actually be more difficult
because of its limited support for data structures. Advanced analysis tools rarely just perform analysis.
They can support numerical or architectural changes to a model for ease-of-usage, just like ASIIST.
126
Such changes can unknowingly affect other analysis results that are implemented by another analysis
tool or OAR model. To resolve this problem, we will have to define semantics for tool developers to
openly declare a profile of how the tool interacts with an AADL input model. This can be used with
OAR models to maintain a reliable MBE tool environment.
127
Bibliography
[1] Extensible Markup Language (XML). http://www.w3.org/XML/.
[2] gPROMS. http://www.psenterprise.com/gproms/.
[3] LynxOS-178. http://www.lynuxworks.com/rtos/lynxos-178.pdf.
[4] PCI-SIG. http://www.pcisig.com/specifications/.
[5] SAE Standards Architecture Analysis & Design Language (AADL).
http://www.sae.org/technical/standards/AS5506).
[6] Wolfram research, inc. http://www.wolfram.com/.
[7] Aeronautical Radio Inc., Design guidance for Integrated Modular Avionics - ARINC specification
651., 1991.
[8] Aeronautical Radio Inc., 664P7 Aircraft Data Network, Part 7, Avionics Full Duplex Switched
Ethernet (AFDX) Network, 2005.
[9] ADeS, a simulator for AADL from Axlog, 2006. http://www.axlog.fr/aadl/ades en.html.
[10] Aeronautical Radio Inc., Avionics Application Software Standard Interface, Part 1 - Required
Services - ARINC Specification 653., 2006.
[11] Peter J. Ashenden, Gregory D. Peterson, and Darrell A. Teegarden. The System Designer’s Guide
to VHDL-AMS: Analog, Mixed-Signal, and Mixed-Technology Modeling. Morgan Kaufmann,
2002.
128
[12] N. Audsley and A. Wellings. Analysing APEX applications. In Proceedings of the 17th IEEE
Real-Time Systems Symposium (RTSS ‘96), page 39, 1996.
[13] Stanley Bak, Emiliano Betti, Rodolfo Pellizzoni, Marco Caccamo, and Lui Sha. Real-Time Con-
trol of I/O COTS Peripherals for Embedded Systems. In Proceedings of the 30th Real-Time
Systems Symposium, December 2009.
[14] Thomas G. Baker. Lessons Learned Integrating COTS into Systems. In ICCBSS ’02: Proceedings
of the First International Conference on COTS-Based Software Systems, pages 21–30, London,
UK, 2002. Springer-Verlag.
[15] Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte. The Spec# Programming System: An
Overview. pages 49–69. Springer, 2004.
[16] Hanene Ben-Abdallah, Jin-Young Choi, Duncan Clarke, Young Si Kim, Insup Lee, and Hong-
Liang Xie. A Process Algebraic Approach to the Schedulability Analysisof Real-Time Systems.
Real-Time Syst., 15(3):189–219, November 1998.
[17] Albert Benveniste, Benoit Caillaud, and Roberto Passerone. A Generic Model of Contracts for
Embedded Systems. Research Report RR-6214, INRIA, 2007.
[18] Pam Binns, Matt Englehart, Mike Jackson, and Steve Vestal. Domain Specific Software Architec-
tures for Guidance, Navigation and Control. International Journal of Software Engineering and
Knowledge Engineering, 6(2):201–227, 1996.
[19] E. Bondarev, M. Chaudron, H. Byelas, and P.H.N. de With. A Toolkit for Design and Performance
Analysis of Real-Time Component-Based Software Systems. In Software Engineering Advances,
International Conference on, page 4, oct. 2006.
[20] J.-Y. Le Boudec and P. Thiran. Network Calculus: A Theory of Deterministic Queuing Systems
for the Internet. Springer, 2001.
[21] Yoonsik Cheon, Gary Leavens, Murali Sitaraman, and Stephen Edwards. Model variables: cleanly
supporting abstraction in design by contract: Research Articles. Softw. Pract. Exper., 35(6):583–
599, 2005.
129
[22] J-Y. Choi, I. Lee, and H-L. Xie. The Specification and Schedulability Analysis of Real-Time
Systems using ACSR. In Proceedings of The IEEE Real-Time Systems Symposium, pages 266–
275, Dec. 1995.
[23] Duncan Clarke, Insup Lee, and Hong liang Xie. VERSA: A Tool for the Specification and Anal-
ysis of Resource-Bound Real-Time Systems. Journal of Computer and Software Engineering, 3,
1995.
[24] Joseph E. Coffland and Andy D. Pimentel. A software framework for efficient system-level perfor-
mance evaluation of embedded systems. In Proceedings of the 2003 ACM symposium on Applied
computing, SAC ’03, pages 666–671, New York, NY, USA, 2003. ACM.
[25] Sverine Colin and Leonardo Mariani. Run-Time Verification. In Manfred Broy, Bengt Jonsson,
Joost-Pieter Katoen, Martin Leucker, and Alexander Pretschner, editors, Model-Based Testing of
Reactive Systems, volume 3472 of Lecture Notes in Computer Science, pages 525–555. Springer.
[26] Werner Damm. Controlling speculative design processes using rich component models. In ACSD
’05: Proceedings of the Fifth International Conference on Application of Concurrency to System
Design, pages 118–119, Washington, DC, USA, 2005. IEEE Computer Society.
[27] Dionisio de Niz and Raj Rajkumar. Partitioning bin-packing algorithms for distributed real-time
systems. International Journal of Embedded Systems, 2(3/4):196–208, 2006.
[28] Birgit Demuth and Claas Wilke. Model and Object Verification by Using Dresden OCL. In
Proceedings of the Russian-German Workshop Innovation Information Technologies: theory and
practice, pages 687–690, Ufa, Russia, 2009.
[29] K. Driscoll and K. Hoyme. The Airplane Information Management System: an integrated real-
time flight-deck control system. In Real-Time Systems Symposium, 1992, pages 267–270, Dec
1992.
[30] M. Faugere, T. Bourbeau, R. De Simone, and S. Gerard. MARTE: Also an UML Profile for
Modeling AADL Applications. In Proceedings of the 12th IEEE International Conference on
Engineering Complex Computer Systems, pages 359–364, July 2007.
130
[31] P.H. Feiler, B.A. Lewis, and S. Vestal. The SAE Architecture Analysis & Design Language
(AADL) A Standard for Engineering Performance Critical Systems. In Proceedings of the 2006
IEEE Conference on Computer Aided Control Systems Design, pages 1206–1211, Oct. 2006.
[32] Cormac Flanagan, K. Rustan M. Leino, Mark Lillibridge, Greg Nelson, James B. Saxe, and
Raymie Stata. Extended static checking for Java. In PLDI ’02: Proceedings of the ACM SIG-
PLAN 2002 Conference on Programming language design and implementation, pages 234–245,
New York, NY, USA, 2002. ACM.
[33] Martin Fowler and Kendall Scott. UML Distilled: A Brief Guide to the Standard Object Modeling
Language. Addison-Wesley, 1999.
[34] P. Fritzson and P. Bunus. Modelica - a general object-oriented language for continuous and
discrete-event system modeling and simulation. In Simulation Symposium, 2002. Proceedings.
35th Annual, pages 365 – 380, 14-18 2002.
[35] M. Gasteier and M. Glesner. Bus-based communication synthesis on system-level. In System
Synthesis, 1996. Proceedings., 9th International Symposium on, pages 65 –70, nov 1996.
[36] M. Gonzalez Harbour, J.J. Gutierrez Garcia, J.C. Palencia Gutierrez, and J.M. Drake Moyano.
MAST: Modeling and analysis suite for real time applications. In Proceedings of the 13th Eu-
romicro Conference on Real-Time Systems, pages 125–134, June 2001.
[37] Zonghua Gu, S. Kodase, Shige Wang, and K.G. Shin. A model-based approach to system-level
dependency and real-time analysis of embedded software. In Real-Time and Embedded Technol-
ogy and Applications Symposium, 2003. Proceedings. The 9th IEEE, pages 78 – 85, may 2003.
[38] Zonghua Gu and K.G. Shin. Synthesis of real-time implementations from component-based soft-
ware models. In Real-Time Systems Symposium, 2005. RTSS 2005. 26th IEEE International,
pages 10 pp. –176, dec. 2005.
[39] Jorgen Hansson, Lutz Wrage, Peter H. Feiler, John Morley, Bruce Lewis, and Jerome Hugues.
Architectural modeling to verify security and nonfunctional behavior. IEEE Security and Privacy,
8:43–49, 2010.
131
[40] C. A. Healy, D. B. Whalley, and M. Harmon. Integrating the Timing Analysis of Pipelining and
Instruction Caching. In Proc. IEEE 16th Real-Time Systems Symp., pages 288–297, Dec. 1995.
[41] R. Henia, A. Hamann, M. Jersak, R. Racu, K. Richter, and R. Ernst. System level perfor-
mance analysis - the SymTA/S approach. Computers and Digital Techniques, IEE Proceedings -,
152(2):148–166, Mar 2005.
[42] K. Hoyme and K. Driscoll. SAFEbus. In Digital Avionics Systems Conference, 1992. Proceed-
ings., IEEE/AIAA 11th, pages 68–73, Oct 1992.
[43] E. Huang, R. Ramamurthy, and L.F. McGinnis. System and simulation modeling using sysml. In
Simulation Conference, 2007 Winter, pages 796 –803, 9-12 2007.
[44] Jerome Hugues, Bechir Zalila, Laurent Pautet, and Fabrice Kordon. From the prototype to the
final embedded system using the Ocarina AADL tool suite. ACM Trans. on Embedded Computing
Sys., 7(4):1–25, 2008.
[45] Daniel Jackson. Alloy: A lightweight object modelling notation. ACM Transactions on Software
Engineering and Methodology, 2002.
[46] Gabor Karsai, Janos Sztipanovits, Akos Ledeczi, and Ted Bapty. Model-Integrated Development
of Embedded Software. Proceedings of the IEEE, 91(1):145–164, January 2003.
[47] Gregor Kiczales, Erik Hilsdale, Jim Hugunin, Mik Kersten, Jeffrey Palm, and William Griswold.
Getting started with ASPECTJ. Commun. ACM, 44:59–65, October 2001.
[48] Sungchan Kim, Chaeseok Im, and Soonhoi Ha. Schedule-aware performance estimation of com-
munication architecture for efficient design space exploration. Very Large Scale Integration
(VLSI) Systems, IEEE Transactions on, 13(5):539 –552, May 2005.
[49] Yamuna Krishnamurthy, Irfan Pyarali, Christopher Gill, Louis Mgeta, Yuanfang Zhang, Stephen
Torri, and Douglas C. Schmidt. The Design and Implementation of Real-Time CORBA 2.0:
Dynamic Scheduling in TAO. In In Proceedings of RealTime and Embedded Technology and
Applications Symposium, 2004.
132
[50] M. Lafaye, M. Gatti, D. Faura, and L. Pautet. Model driven early exploration of IMA execution
platform. In Digital Avionics Systems Conference (DASC), 2011 IEEE/AIAA 30th, pages 7A2–1
–7A2–11, oct. 2011.
[51] K. Lahiri, A. Raghunathan, and S. Dey. Efficient exploration of the SoC communication archi-
tecture design space. In Computer Aided Design, 2000. ICCAD-2000. IEEE/ACM International
Conference on, pages 424 –430, 2000.
[52] K. Lahiri, A. Raghunathan, and S. Dey. System-level performance analysis for designing on-chip
communication architectures. Computer-Aided Design of Integrated Circuits and Systems, IEEE
Transactions on, 20(6):768–783, Jun 2001.
[53] Gary Leavens, K. Leino, and Peter Mller. Specification and verification challenges for sequential
object-oriented programs. Formal Aspects of Computing, 19:159–189, 2007.
[54] Gary T. Leavens, Yoonsik Cheon, Curtis Clifton, Clyde Ruby, and David R. Cok. How the design
of JML accommodates both runtime assertion checking and formal verification. Sci. Comput.
Program., 55(1-3):185–208, 2005.
[55] Su-Young Lee, F. Mallet, and R. de Simone. Dealing with AADL End-to-End Flow Latency with
UML MARTE. In Proceedings of the 13th IEEE International Conference on Engineering of
Complex Computer Systems, ICECCS 2008, pages 228–233, April 2008.
[56] Y.-H. Lee, D. Kim, M. Younis, and J. Zhou. Scheduling tool and algorithm for integrated modular
avionics systems. In Digital Avionics Systems Conferences, 2000. Proceedings. DASC. The 19th,
volume 1, pages 1C2/1–1C2/8 vol.1, 2000.
[57] C. L. Liu and J. W. Layland. Scheduling Algorithms for Multiprogramming in a Hard Real-Time
Environment. J. ACM, 20(1):46–61, Jan. 1973.
[58] J.W.S. Liu, J.L. Redondo, Z. Deng, T.S. Tia, R. Bettati, A. Silberman, M. Storch, R. Ha, and
W.K. Shih. PERTS: A prototyping environment for real-time systems. In Real-Time Systems
Symposium, 1993., Proceedings., pages 184 –188, dec 1993.
133
[59] D. Lyonnard, S. Yoo, A. Baghdadi, and A.A. Jerraya. Automatic generation of application-
specific architectures for heterogeneous multiprocessor system-on-chip. In Proc. Design Automa-
tion Conference, 2001, pages 518–523, 2001.
[60] Bertrand Meyer. Object-oriented Software Construction, 1997.
[61] S. Mohan, F. Mueller, D. Whalley, and C. Healy. Timing Analysis for Sensor Network Nodes
of the Atmega Processor Family. In Real-Time Technology and Applications Symposium, pages
405–414, March 2005.
[62] S. Mohan, Min-Young Nam, R. Pellizoni, Lui Sha, R. Bradford, and S. Fliginger. Rapid Early-
Phase Virtual Integration. In Proceedings of the 30th IEEE Real-Time Systems Symposium
(RTSS’09), pages 33–44, Los Alamitos, CA, December 2009. IEEE.
[63] Surendra Nahar, Sartaj Sahni, and Eugene Shragowitz. Simulated annealing and combinatorial
optimization. In Proceedings of the 23rd ACM/IEEE Design Automation Conference, DAC ’86,
pages 293–299, Piscataway, NJ, USA, 1986. IEEE Press.
[64] Min-Young Nam, Dionisio de Niz, Lutz Wrage, and Lui Sha. Resource Allocation Contracts for
Open Analytic Runtime Models. In Proceedings of the 9th ACM International Conference on
Embedded software, EMSOFT ’11, pages 13–22, New York, NY, USA, 2011. ACM.
[65] Min-Young Nam, Rodolfo Pellizzoni, Lui Sha, and Richard M. Bradford. ASIIST: Application
Specific I/O Integration Support Tool for Real-Time Bus Architecture Designs. In Proceedings of
the 14th IEEE International Conference on Engineering of Complex Computer Systems, ICECCS
2009, June 2009.
[66] Audrey Occello, Anne-Marie Dery-Pinna, and Michel Riveill. Validation and Verification of an
UML/OCL Model with USE and B: Case Study and Lessons Learnt. In ICSTW ’08: Proceed-
ings of the 2008 IEEE International Conference on Software Testing Verification and Validation
Workshop, pages 113–120, Washington, DC, USA, 2008. IEEE Computer Society.
[67] R.B. Ortega and G. Borriello. Communication synthesis for distributed embedded systems. In
Computer-Aided Design, 1998. ICCAD 98., pages 437 – 444, nov 1998.
134
[68] Norman L. Ovens. Rockwell Collins, Private Communication, Aug. 2007.
[69] Sudeep Pasricha, Nikil Dutt, and Mohamed Ben-Romdhane. Fast exploration of bus-based
communication architectures at the CCATB abstraction. ACM Trans. Embed. Comput. Syst.,
7(2):22:1–22:32, January 2008.
[70] R. Pellizzoni, B.D. Bui, M. Caccamo, and Lui Sha. Coscheduling of CPU and I/O Transactions
in COTS-Based Embedded Systems. In Real-Time Systems Symposium, 2008, pages 221–231, 30
2008-Dec. 3 2008.
[71] R. Pellizzoni and M. Caccamo. Impact of peripheral-processor interference on wcet analysis of
real-time embedded systems. Computers, IEEE Transactions on, 59(3):400 –415, march 2010.
[72] Rodolfo Pellizzoni, Min-Young Nam, Richard M. Bradford, and Lui Sha. A network calculus
based analysis for the PCI bus. Technical report, University of Illinois at Urbana-Champaign,
http://ece.uwaterloo.ca/ rpellizz/techreps/busanal.pdf, 2008.
[73] Vibha Prasad, Ting Yan, Praveen Jayachandran, Zengzhong Li, Sang Hyuk Son, John A.
Stankovic, Jo¨rgen Hansson, and Tarek F. Abdelzaher. ANDES: An ANalysis-Based DEsign Tool
for Wireless Sensor Networks. In Real-Time Systems Symposium, 2007. RTSS 2007. 28th IEEE
International, pages 203–213, 2007.
[74] B. Reynolds. An application of COTS Ethernet for avionics. In Digital Avionics Systems Confer-
ence, 1998. Proceedings., 17th DASC. The AIAA/IEEE/SAE, volume 2, pages J13/1–J13/8 vol.2,
Oct-7 Nov 1998.
[75] A.-E. Rugina, K. Kanoun, and M. Kaaniche. The ADAPT Tool: From AADL Architectural
Models to Stochastic Petri Nets through Model Transformation. In Dependable Computing Con-
ference, 2008. EDCC 2008. Seventh European, pages 85–90, May 2008.
[76] Saowanee Saewong and Ragunathan (Raj) Rajkumar. Practical voltage-scaling for fixed-priority
rt-systems. In RTAS ’03: Proceedings of the The 9th IEEE Real-Time and Embedded Technology
and Applications Symposium, page 106, Washington, DC, USA, 2003. IEEE Computer Society.
135
[77] J.-L. Scharbarg, F. Ridouard, and C. Fraboul. A probabilistic analysis of end-to-end delays on an
afdx avionic network. Industrial Informatics, IEEE Transactions on, 5(1):38–49, Feb. 2009.
[78] Douglas C. Schmidt and Fred Kuhns. An Overview of the Real-Time CORBA Specification.
Computer, 33:56–63, June 2000.
[79] S. Schonberg. Impact of pci bus load on applications in a pc architecture. In Real-Time Systems
Symposium, 2003. RTSS 2003. 24th IEEE, pages 430–439, Dec. 2003.
[80] T. Schuster and D. Verma. Networking concepts comparison for avionics architecture. In Digital
Avionics Systems Conference, 2008. DASC 2008. IEEE/AIAA 27th, pages 1.D.1–1–1.D.1–11, Oct.
2008.
[81] Severine Sentilles, Anders Pettersson, Dag Nystrom, Thomas Nolte, Paul Pettersson, and Ivica
Crnkovic. Save-IDE - A tool for design, analysis and implementation of component-based em-
bedded systems.
[82] Lui Sha. Real-time virtual machines for avionics software porting and development. In RTCSA,
pages 123–135, 2003.
[83] F. Singhoff, J. Legrand, L. Nana, and L. Marce´. Scheduling and memory requirements analysis
with AADL. In Proceedings of the 2005 anuual ACM SIGAda international conference on Ada,
volume 25, pages 1–10, Atlanta, Georgia, USA, 2005. ACM.
[84] Frank Singhoff and Alain Plantec. AADL modeling and analysis of hierarchical schedulers. In
Proceedings of the 2007 ACM international conference on SIGAda annual international confer-
ence, SIGAda ’07, pages 41–50, New York, NY, USA, 2007. ACM.
[85] O. Sokolsky, I. Lee, and D. Clarke. Schedulability analysis of AADL models. 20th International
Parallel and Distributed Processing Symposium, (IPDPS) 2006, pages 8 pp.–, April 2006.
[86] J.A. Stankovic, Ruiqing Zhu, R. Poornalingam, Chenyang Lu, Zhendong Yu, M. Humphrey, and
B. Ellis. VEST: an aspect-based composition tool for real-time systems. In Real-Time and Em-
bedded Technology and Applications Symposium, 2003. Proceedings. The 9th IEEE, pages 58 –
69, May 2003.
136
[87] L. Thiele, Chakraborty, and M. S., Naedele. Real-Time Calculus for scheduling hard real-time
systems. In Proceedings of IEEE International Symposium on Circuits and Systems (ISCAS),
volume 4, pages 101–104, 2000.
[88] R. Varona-Gomez and E. Villar. AADL Simulation and Performance Analysis in SystemC. In
Engineering of Complex Computer Systems, 2009 14th IEEE International Conference on, pages
323 –328, june 2009.
[89] J. Voelcker. Top 10 tech cars. IEEE Spectrum, 2008.
[90] Ernesto Wandeler, Lothar Thiele, Marcel Verhoef, and Paul Lieverse. System architecture evalu-
ation using modular performance analysis: a case study. International Journal on Software Tools
for Technology Transfer (STTT), 8(6):649–667, 2006.
[91] R. White. Bounding Worst-Case Data Cache Performance. PhD thesis, Dept. of Computer Sci-
ence, Florida State University, April 1997.
[92] Yufeng Zhu, Yunwei Dong, Chunyan Ma, and Fan Zhang. A Methodology of Model-Based
Testing for AADL Flow Latency in CPS. In Secure Software Integration Reliability Improvement
Companion (SSIRI-C), 2011 5th International Conference on, pages 99 –105, june 2011.
137
Appendix A
Formal Model for Resource Allocation
Contracts
In order to formally define our contracts we follow the contract modeling strategy presented in [17]
substituting the variable history with resource allocation actions.
A.1 System Model
A system is defined as a set of components. Their interfaces and protocol govern their interaction. From
the perspective of real time system integration, we focus on the resource usage of these components.
Each component is of one of two types: an executable or a resource. An executable represents the
code to run and the resource, the computational resource the executable needs to run (e.g. a processor).
An executable can be of any of three types: a thread, a job, or a segment. A thread is an infinite
sequence of jobs that arrive with some arrival pattern (e.g. periodically). A job in turn can be divided
into a sequence of segments. The sequence of jobs that belong to a thread ti is identified as ti.jobs.
Similarly, the sequence of segments that belong to a job ji is identified as ji.segments. We restrict
both jobs and segments sequences to be strictly sequential, preventing a job (or segment) to be released
if the previous job (or segment) has not finished.
The sets of all threads, jobs, and segments are simply identified by the labels threads, jobs, and
segments respectively. Similarly, the sets of all components and resources are identified with the labels
138
components and resources respectively. The resource allocation execution of the system is modeled as
a history of resource allocations to executables that enables them to run. Resources can be allocated to
whole threads, individual jobs, or individual segments. When a resource is allocated to a thread, all of
its jobs inherit this assignment. Similarly, when a job is assigned a resource, all of its segments inherit
the allocated resource. Resource allocation algorithms define constraints on the resource allocation
patterns to describe a policy.
Resources are mutually-exclusive and executables require one resource to execute. However, our
model is not concerned with instantaneous resource allocation decisions. Instead, it models time in-
tervals during which a resource is offered to an executable. During these intervals, the executable is
allowed to take the resource to execute.
A resource can be offered to multiple executables in the same interval. Without further restrictions,
this means that the resource can be taken away from any executable by any other executable at any
instant in that interval. This simplifies the encoding of unconstrained allocation behavior.
A.2 Modeling Concurrency
The set of executables that are offered a resource in the same interval are said to be concurrent to each
other. Constraints to this concurrency are modeled from an executable point of view, i.e., we constrain
the set of executables that are concurrent to a specific executable ei. This modeling allows us to have
an asymmetric point of view of concurrency that is common in scheduling algorithms. This is the
case, for instance, of priority in single processor scheduling. To describe this scheduling in our model
we include jobs jj in the concurrency set of another job ji of lower priority than jj . This effectively
enables jj to take the processor away from ji. In contrast, ji is not considered part of the concurrency
set of jj since it has lower priority and cannot take the processor away from jj .
Components have properties attached to them. The properties of a component or set of components
are identified as set.properties. An allocation algorithm can use these properties to define its allocation
policies. With these elements we now provide our basic definitions:
Definition 1 The concurrency mapping Γ is a mapping (or function) (a 7→ R) of type (executable 7→
P(executable)) with a /∈ R that identifies the set of executables R that are allowed to take their
139
resource while a is executing, as explained at the beginning of this section.
Definition 2 An executable ei preempts another executable ej when ei ∈ Γ(ej) and both executables
are assigned the same resource.
Definition 3 An executable ei is parallel to another executable ej if ei ∈ Γ(ej) and they are assigned
different resources.
Currently, this approach supports fixed priority based scheduling methods. More work is left to be
done for investigating how to formally model dynamic priority schedules, such as the Early Deadline
First scheduling [57].
A.3 Modeling Resource Allocation Policies
Resource allocation policies are encoded as restrictions to resource allocation executions. To encode
this, we use resource allocation executions and schedules defined as follows.
Definition 4 A resource allocation execution X =< x > is a history (sequence) of assignments.
Each assignment x = (A, V,Γ) is an ordered tuple of a set of allocation A = {a} where each a =
(executable 7→ resource) is an executable-to-resource mapping, a set of property value assignments
V = {v} where v = ((component, property) 7→ value), and a set of concurrency mappings Γ as
defined in Definition 1.
Definition 5 A resource allocation assertion E is a predicate over a set of executables, resources, and
property values, that is identified with the set of executions it accepts. The set of executables and
resources involved in an assertion are identified as E.executables and E.resources respectively and
E.components = E.executables ∪ E.resources.
Definition 6 A resource allocation schedule S (schedule for short) of a system is an assertion, i.e., a set
of executions {X}, that describes all valid resource allocation executions permitted by the scheduling
policies it represents. This set is identified as S.X∗.
140
A.4 Modeling Contracts
Definition 7 A resource allocation contract C is a pair (A,G) where A, the assumption, and G, the
guarantee are resource allocation assertions. The assumption of the contract is identified by C.A and
its guarantee as C.G.
Contracts are associated with analysis algorithms to encode the assumptions and guarantees they
have on the system. In addition, some system configuration choices that are not related to any algorithm
can also impose resource allocation constraints on the system. In order to encode these constraints we
use a set of global facts, facts for short, defined as follows.
Definition 8 The global facts F = {Fi} is the set of assertions Fi that describe valid resource alloca-
tion executions permitted by the system configuration choices.
Definition 9 A schedule S satisfies a contract C = (A,G) under F , written S |= (C ∩ F ) if and only
if
S ∩ (A ∩ F ) ⊆ G
Definition 10 The signature of an analysis algorithm is a tuple N = (I, C,O) where C is the contract
of the algorithm and I and O are the input and output of the algorithm. I and O are sets of either com-
ponents M or ordered pairs (M,P ) where M is a component and P is a property of that component.
We will refer to the signature of the analysis algorithm as simply analysis algorithm when the context
is clear.
Analysis algorithms are assumed to read components and properties of the model and produce
modified components and properties.
A.4.1 Contract Example:Fixed Priority Scheduling
Let us now illustrate the use of our model with a sample contract for fixed priority scheduling.
We define the fixed-priority scheduling algorithm [57] as FP = (Ifp, Cfp, Ofp). Its contract is
defined as Cfp = (Afp, Gfp) where Afp is defined as:
141
Afp = ∀(A, V,Γ) ∈ X|
A(ei) = A(ej)∧
V (ei, priority) > V (ej , priority)
⇒ ej /∈ Γ(ei)
and Gfp as:
Gfp = ∀(Ai, Vi,Γi), (Aj , Vj ,Γj) ∈ X|
Ai(er) = Ai(es) ∧Aj(er) = Aj(es)∧
er /∈ Γi(es)⇒ er /∈ Γj(es)
In this example the assumption of the contract is priority scheduling, i.e., higher-priority executa-
bles cannot be preempted by lower-priority ones. The guarantee, on the other hand, states that the same
preemption behavior will be observed across all resource allocations in an execution.
A.5 Consistency of Algorithms
Our definition of algorithm interface allows us to verify whether a set of algorithms applied to a model
are consistent with each other. This is done by identifying the algorithm dependencies and creating a
contract dependency graph that is used to guide the verification of algorithm dependencies. In order to
do this we first define algorithm dependency as follows.
Definition 11 An analysis algorithm Ni = (Ii, Ci, Oi) depends on the algorithm Nj = (Ij , Cj , OJ) if
either Ii ∩Oj 6= ∅ or Ci.A.components ∩ Cj .G.components 6= ∅.
Then the contract dependency graph is defined as follows.
Definition 12 A contract dependency graph is a set of edges D = {d} where each d = (Ni, Nj)
identifies that Nj depends on Ni as defined in Definition 11. In our current model we assume a graph
without cycles (directed acyclic graph).
The contract dependency graph D is then used to verify the consistency of the model M (identified
as M.D) and its algorithms M.N with the global facts M.F as follows.
142
1. The resource allocation behavior of the initial model is derived from the global facts M.F yield-
ing an initial schedule M.S0 (M.S0 ←M.F ).
2. Then we initialize an iteration schedule Si with the initial schedule of the model Si ←M.S0 and
the iteration dependency graph Di ←M.D.
3. We then apply the set of contracts that has no dependencies in the dependency graph and produce
the next schedule Si+1 and dependency graph Di+1 verifying that their assumptions hold.
∀Nr, Ns ∈M.N |∃(Nr, Ns) ∈ Di ∧ @Nx|(Nx, Nr) ∈ Di
∧Si ∩ ¬Nr.A = ∅ ⇒ Si+1 = Si ∩Nr.G∧
Di+1 = Di \ (Nr, Ns)
4. Then we reset the iteration schedule to Si ← Si+1 and the dependency graph Di ← Di+1 and
repeat Step 3 until the contract dependency graphDi is empty or an assertion fails (Si∩¬Nr.A 6=
∅), i.e., the resulting schedule Si contain behaviors that are included in the complement of the
behaviors of the depending algorithm ¬Nr.A.
A.6 Alloy Implementation for Resource Allocation Contracts
We implemented our resource allocation contracts in Alloy [45]. Alloy is a language to describe first-
order relational logic models that can be automatically verified. These models are used by the Alloy
analyzer to find counter examples that violate properties in the model. In particular, Alloy models
define relationships between sets of elements and properties of these relationships. These properties
are encoded either as facts when the properties are known to be true, or assertions when we want to find
out if they can be derived from the known facts. The Alloy analyzer then searches for model instances
that violate these assertions.
Alloy sets are defined as signatures. These signatures define types that can extend other types
(considered as subsets with the possibility of having additional relationships). A signature declaration
contains fields that define relationships with other types (one object from one set to another object of
143
the other set). A field can be defined as a set field. In such a case, the field defines a relationship from
an object of the containing signature to a set of objects of the type defined by the field.
We encode our base system model with signatures for the systems, threads, jobs, segments, and
resources. The system signature includes fields for the threads and resources it contains. Then, threads,
jobs, and segments contain fields as described in Sections A.1 and A.2.
To create the final verification model for an OAR model, we start with the base model. Then
subtypes are added for each AADL system, thread, and processor types. Also subtypes that extend
the just created types are added for each of the subcomponent in the AADL implementations. Finally,
we add facts and assertion-check pairs resulting from the translation of the contract statements in our
analysis annex.
144
Appendix B
AADL Model Example with Analysis
Annex
This chapter includes the AADL model packages that were defined to implement the three types of
analysis algorithms used as an example in Chapter 4.
145
Listing 11 AADL PowerEfficiency package for Frequency Scaling
package PowerEfficiency
public
thread PowerEfficientThread
annex analysis {**
queries
higherPriorityThreads <- thread:x | x.Actual_Processor_Binding =
this.Actual_Processor_Binding and
x.Deadline(ms) <= this.Deadline(ms); --query for higher priority threads
predicates none
contracts
assumes {
all s:this {
no o:s.concurrent {
some p:Processor {
(s+o) in p.threads and o.deadline > s.deadline }}}} with scopes job:5, thread:5;
{this.Period(ms) == this.Deadline(ms)} -> {all t:this { t.deadline = t.period }};
functions
double EnergyMinFreq(int maxClockFreq){ --function declaration
double S;
double I;
double beta;
double delta;
double alpha;
boolean inbzp;
double omega;
double omegaPrime;
double subOmega;
double subIdleDuration;
double t;
double d;
S = 0; I = 0; beta = 0; delta = 0; alpha = 1; inbzp = True; omegaPrime = 0;
d = this.Deadline(ms);
omega = this.Compute_Execution_Time[max](ms) / maxClockFreq;
While[omega < d,
If[inbzp == True,
delta = d - omega;
While[(omega < d) && (delta > 0),
subOmega = higherPriorityThreads.getSubOmega(omega, maxClockFreq);
omegaPrime = Total[subOmega] + S;
146
Listing 12 AADL PowerEfficiency package for Frequency Scaling (Continued)
delta = omegaPrime - omega;
omega = omegaPrime
];
inbzp = False,
subIdleDuration = higherPriorityThreads.getSubIdleDuration(omega, d);
I = Min[subIdleDuration]; S = S + I;
omega = omega + I;
t = omega;
beta = omega - S;
If[(beta / t) < alpha, alpha = (beta / t), ];
inbzp = True;
Break[]
]
];
alpha --return value
}
double getSubOmega(double omega, int maxClockFreq){ --function declaration
this.Compute_Execution_Time[max](ms) / maxClockFreq *
(Floor[(omega / this.Period(ms))] +1) }
double getSubIdleDuration(double omega,double deadline){
Min[(this.Period(ms) * Ceiling[omega / this.Period(ms)]) -omega, (deadline-omega)]}
double getScaledUtilization(double scaleFactor){
this.Compute_Execution_Time[max](ms) / this.Period(ms) }
updates
none
**};
end PowerEfficientThread;
processor PowerEfficientProcessor
annex analysis {**
properties
ACE::Max_Clock_Freq, Scheduling_Protocol;
queries
BoundThreads <- thread:t | t.Actual_Processor_Binding=this;
predicates none
contracts
{this.Scheduling_Protocol == {"DMS"}} -> {DeadlineMonotonicPriority[this.threads]};
{this.Scheduling_Protocol == {"RMS"}} -> {RateMonotonicPriority[this.threads]};
147
Listing 13 AADL PowerEfficiency package for Frequency Scaling (Continued)
functions
double AllEnergyMinFreq(){
double setEnergyMinFreq; int maxFreq;
maxFreq = this.ACE::Max_Clock_Freq;
setEnergyMinFreq = BoundThreads.EnergyMinFreq(maxFreq) }
double MaxEnergyMinFreq(){
double setEnergyMinFreq;
setEnergyMinFreq = this.AllEnergyMinFreq();
If[Length[setEnergyMinFreq] == 0, 0, Max[setEnergyMinFreq]] }
updates
none
**};
end PowerEfficientProcessor;
system PowerEfficientSystem
annex analysis {**
properties
ACE::Max_Clock_Freq, ACE::Scheduling_Protocol, Actual_Processor_Binding;
queries --query for processors in system
AllSubProcessors <- processor:p in this;
queries
BoundThreads <- thread:t | t.Actual_Processor_Binding=this;
predicates none
contracts
fact {
all s:this.Type{
PriorityScheduling[s.threads,AllSubProcessors]
FixedPriority[s.threads]
PartitionedScheduling[s.threads, AllSubProcessors]
all j:s.threads.jobs{
some p:AllSubProcessors{
j in p.jobs
}
}
}
};
148
Listing 14 AADL PowerEfficiency package for Frequency Scaling (Continued)
functions
int minFrequencyPairs(){
int minfreq;
int allprocs;
int pairs;
int i;
minfreq = AllSubProcessors.MaxEnergyMinFreq(); --call function of AllSubProcessors
allprocs = AllSubProcessors;
pairs = {};
For[i=1,i<=Length[allprocs],i++,
pairs = Append[pairs,allprocs[[i]],minfreq[[i]]]
];
pairs } --return value is a integer set
updates --saves result to model using return value of minFrequencyPairs()
processor:p.ACE::CurrentFrequency <- minFrequencyPairs(); **};
end PowerEfficientSystem;
end PowerEfficiency;
Listing 15 AADL Security package for Confidentiality Assurance
package Security
public
thread SecureThread extends
PowerEfficiency::PowerEfficientThread
annex analysis {**
properties
Security_Attributes::Class;
queries
none
predicates
none
contracts
none
functions
String getSecurityClass() {
this.Security_Attributes::Class }
**};
end SecureThread;
149
Listing 16 AADL Security package for Confidentiality Assurance (Continued)
system SecureSystem extends
PowerEfficiency::PowerEfficientSystem
annex analysis {**
properties
Not_Collocated;
queries
AllProcesses <- process:p in this; --query for all processes
AllThreads <- thread:t in AllProcesses; --query for all threads in AllProcesses
predicates none
contracts
assumes each t:AllThreads {
GuaranteeNotCollocated[t, t.Not_Collocated]
};
functions
int Security(){
int ts; int others;
int notCollocated;
int classes;
notCollocated = {};
ts = AllThreads;
classes = AllThreads.getSecurityClass();
For[i = 1, i <= Length[classes], i++,
others = {};
For[j = 1, j <= Length[classes], j++,
If[i != j && classes[[i]] != classes[[j]], others = Append[others, ts[[j]]],];
];
notCollocated = Append[notCollocated, ts[[i]], others]
];
notCollocated --return set
}
updates --saves result to model using return value of Security()
thread:t.Not_Collocated <- Security(); --as property value Not_Collocated
**};
end SecureSystem
end Security;
150
Listing 17 AADL RealTime package for Bin packing
package RealTime
public
thread RealTimeThread extends
Security::SecureThread
annex analysis {**
properties
Compute_Execution_Time;
queries
none
predicates
none
contracts
none
functions
double getUtilization(){
int p; int c; int u;
p=this.Period(ms);
c=this.Compute_Execution_Time[max](ms);
u= c/p;
u }
int getNotCollocated(){
this.Not_Collocated } **};
updates
none
end RealTimethread;
system RealTimeSystem extends
Security::SecureSystem
annex analysis {**
properties
Not_Collocated;
queries
BPAllProcesses <- process:p in this;
BPAllThreads <- thread:t in BPAllProcesses;
AllProcessors <- processor:pr in this;
151
Listing 18 AADL RealTime package for Bin packing (Continued)
predicates
PriorityScheduling [thethreads: set Thread, processors: set Processor]{
no disj s1,s2:thethreads.jobs.segms{
some p:processors{
s1 in p.segms and s2 in p.segms and
s1.priority < s2.priority and s2 in s1.concurrent
}
}
no disj j1,j2:thethreads.jobs{
some p:processors{
j1 in p.jobs and j2 in p.jobs and
j1.priority < j2.priority and j2 in j1.concurrent
}
}
no disj t1,t2:thethreads{
some p:processors{
t1 in p.threads and t2 in p.threads and
t1.priority < t2.priority and t2 in t1.concurrent
}
}
};
FixedPriority [threads: set Thread]{
all t1:threads{
no j:t1.jobs{
j.priority != t1.priority
}
no disj j1,j2:t1.jobs{
j1.priority != j2.priority
}
all j1:t1.jobs{
no disj s1,s2:j1.segms{
s1.priority != s2.priority
}
no s:j1.segms{
s.priority != j1.priority
}
}
}
};
152
Listing 19 AADL RealTime package for Bin packing (Continued)
PartitionedScheduling[thethreads: set Thread, processors: set Processor]{
thethreads = processors.threads
thethreads.concurrent in thethreads
all t1:thethreads{
no disj j1,j2:t1.jobs, disj p1,p2:processors{
j1 in p1.jobs and
j2 in p2.jobs
}
}
};
GlobalScheduling[threads: set Thread, processors: set Processor]{
some t1: threads{
some disj p1,p2:processors{
some disj j1,j2:t1.jobs{
j1 in p1.jobs and j2 in p2.jobs
}
}
}
};
DistributedScheduling[threads: set Thread, processors: set Processor]{
some j:threads.jobs{
some disj s1,s2:j.segms{
some p1,p2:processors{
s1 in p1.segms and
s2 in p2.segms
}
}
}
};
RateMonotonicPriority[threads: set Thread ]{
no disj t1,t2:threads{
t1.period < t2.period and t1.priority >= t2.priority }};
DeadlineMonotonicPriority[threads: set Thread]{
no disj t1,t2:threads{
t1.deadline < t2.deadline and t1.priority >= t2.priority}};
153
Listing 20 AADL RealTime package for Bin packing (Continued)
GuaranteeNotCollocated[t:Thread, notcollocated: set Thread]{
no o:notcollocated{
some p:Processor{
(o+t) in p.threads
}
}
};
contracts
guarantees each t:BPAllThreads{
GuaranteeNotCollocated[t, t.Not_Collocated]
};
functions
int indexOf(int threadName, int threads){
int index;
int i;
index = -1;
For[i=1,i<=Length[threads],i++,
If[threads[[i]] == threadName, index = i, ];
];
index
}
int getNotCollocatedLists(){
int nc;
int lol;
int l;
int i;
int j;
int threads;
nc = BPAllThreads.getNotCollocated();
threads=BPAllThreads;
lol={};
For[i=1,i<=Length[nc],i++,
l={};
For[j=1,j<=Length[nc[[i]]],j++,
l=Append[l,this.indexOf(nc[[i]][[j]],threads)]; ];
lol = Append[lol,l];
];
lol
}
154
Listing 21 AADL RealTime package for Bin packing (Continued)
int BinPack(){
double threadUtilizations;
double procUtilizations;
int assignments;
int threadAssignments;
int threads;
int processors;
int threadIndices;
int procIndices;
int pairs;
int i;
int notCollocatedLists;
notCollocatedLists = this.getNotCollocatedLists();
threadUtilizations = Flatten[BPAllThreads.getUtilization()];
threads = BPAllThreads;
processors = AllProcessors;
threadIndices = {};
For[i=1,i<=Length[threadUtilizations],i++,
threadIndices = Append[threadIndices,i];
];
threadIndices = this.orderDecreasing(threadUtilizations,threadIndices);
procIndices = {};
assignments = {};
threadAssignments = {};
For[i=1,i<=Length[processors],i++,
procIndices = Append[procIndices,i];
assignments = Append[assignments,{}];
threadAssignments = Append[threadAssignments,{}];
];
procUtilizations = this.getProcUtilizations(threadUtilizations,assignments);
procIndices = this.orderDecreasing(procUtilizations,procIndices);
unassigned = False;
pairs={};
While[(Length[threadIndices]>0 && !unassigned),
currThread = threadIndices[[1]];
unassigned = True;
155
Listing 22 AADL RealTime package for Bin packing (Continued)
For[i=1,(i<=Length[procIndices] && unassigned),i++,
If[procUtilizations[[procIndices[[i]]]]+threadUtilizations[[currThread]]<=1 &&
Intersection[assignments[[i]],notCollocatedLists[[currThread]]] == {},
assignments[[i]] = Append[assignments[[i]],currThread];
threadAssignments[[i]] = Append[threadAssignments[[i]],threads[[currThread]]];
pairs = Append[pairs,List[threads[[currThread]],processors[[i]]]];
unassigned = False,
]
];
If[!unassigned,
threadIndices = Delete[threadIndices,1];
procUtilizations = this.getProcUtilizations(threadUtilizations,assignments);
procIndices = this.orderDecreasing(procUtilizations,procIndices);
,
threadIndices = Delete[threadIndices,1];
]
];
pairs
}
int orderDecreasing(double t, int ti0){
int tmp;
int i;
int j;
int ti;
ti = ti0;
For[i = 1, i <= Length[t], i++,
For[j = i, j <= Length[t], j++,
tmp = ti[[i]];
If[t[[tmp]] < t[[ti[[j]]]],
ti[[i]] = ti[[j]];
ti[[j]] = tmp,
ti[[i]] = tmp
]
]
];
ti
}
156
Listing 23 AADL RealTime package for Bin packing (Continued)
int orderIncreasing(double t, int ti0){
int tmp;
int i;
int j;
int ti;
ti = ti0;
For[i = 1, i <= Length[t], i++,
For[j = i, j <= Length[t], j++,
tmp = ti[[i]];
If[t[[tmp]] > t[[ti[[j]]]],
ti[[i]] = ti[[j]];
ti[[j]] = tmp,
ti[[i]] = tmp
]
]
];
ti
}
double getProcUtilizations(double threadUtilizations, int assignments){
int assignedThreads;
double procUtilizations
int i;
int j;
procUtilizations = {};
For[i=1,i<=Length[assignments],i++,
procUtilizations = Append[procUtilizations,0]
]
For[i=1,i<=Length[procUtilizations],i++,
assignedThreads = assignments[[i]];
For[j=1,j<=Length[assignedThreads],j++,
procUtilizations[[i]] = procUtilizations[[i]] +
threadUtilizations[[assignedThreads[[j]]]]
]
];
procUtilizations
}
157
Listing 24 AADL RealTime package for Bin packing (Continued)
double getProcUtilization(int procIndex, double threadUtilizations, int assignments){
int assignedThreads;
double procUtil;
int i;
procUtil = 0;
assignedThreads = assignments[[procIndex]];
For[i=1,i<=Length[assignedThreads],i++,
procUtil = procUtil + threadUtilizations[[assignedThreads[[i]]]]
];
procUtil
}
updates
thread:t.Actual_Processor_Binding <- BinPack();
**};
end RealTimeSystem;
end RealTime;
158
Appendix C
AADL Model Example for System
Integration
This chapter includes the AADL model that represents the modeling components of the example used
in Chapter 4. For each software thread type, they extend the RealTime::RealTimeThread that is defined
in Appendix B to inherit the necessary analysis annex.
159
Listing 25 AADL Integrated System
thread RadarTrackingThr extends RealTime::RealTimeThread
features
tracks: out event data port;
properties
Security Attributes::Class => top secret;
Period => 100 ms; Deadline => 100 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end RadarTrackingThr;
process RadarTrackingProcess
features
tracks: out event data port;
end RadarTrackingProcess;
process implementation RadarTrackingProcess.i
subcomponents
t: thread RadarTrackingThr;
connections
c1: event data port t.tracks -> tracks;
end RadarTrackingProcess.i;
thread UAVTrackingThread extends RealTime::RealTimeThread
features
surveillanceStream: out event data port;
properties
Security Attributes::Class => top secret;
Period => 100 ms; Deadline => 60 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end UAVTrackingThread;
process UAVTrackingProcess
features
surveillanceStream: out event data port;
end UAVTrackingProcess;
160
Listing 26 AADL Integrated System (Continued)
process implementation UAVTrackingProcess.i
subcomponents
t: thread UAVTrackingThread;
connections
c1: event data port t.surveillanceStream -> surveillanceStream {
Security_Attributes::Class => top_secret;
};
end UAVTrackingProcess.i;
thread EngagementPlanningThread extends RealTime::RealTimeThread
features
surveillanceStream: in event data port;
tracks: in event data port;
assetAllocations: out event data port;
engagementIncidents: out event data port;
properties
Security Attributes::Class => top secret;
Period => 100 ms; Deadline => 70 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end EngagementPlanningThread;
process EngagementPlanningProcess
features
surveillanceStream: in event data port;
tracks: in event data port;
assetAllocations: out event data port;
engagementIncidents: out event data port;
properties
Security Attributes::Class => top secret;
Period => 100 ms; Deadline => 70 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end EngagementPlanningThread;
161
Listing 27 AADL Integrated System (Continued)
process EngagementPlanningProcess
features
surveillanceStream: in event data port;
tracks: in event data port;
assetAllocations: out event data port;
engagementIncidents: out event data port;
end EngagementPlanningProcess;
process implementation EngagementPlanningProcess.i
subcomponents
t: thread EngagementPlanningThread;
connections
c1: event data port surveillanceStream -> t.surveillanceStream {
Security_Attributes::Class => top_secret; };
c2: event data port tracks -> t.tracks;
c3: event data port t.assetAllocations -> assetAllocations;
c4: event data port t.engagementIncidents -> engagementIncidents;
end EngagementPlanningProcess.i;
thread AssetControlThread extends RealTime::RealTimeThread
features
assetAllocations: in event data port;
properties
Security Attributes::Class => secret;
Period => 100 ms; Deadline => 80 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end AssetControlThread;
process AssetControlProcess
features
assetAllocations: in event data port;
end AssetControlProcess;
162
Listing 28 AADL Integrated System (Continued)
process implementation AssetControlProcess.i
subcomponents
t: thread AssetControlThread;
connections
c1: event data port assetAllocations -> t.assetAllocations;
end AssetControlProcess.i;
thread RequestForPressReleaseThread extends RealTime::RealTimeThread
features
requestRelease: out event data port;
properties
Security Attributes::Class => unclassified;
Period => 100 ms; Deadline => 90 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end RequestForPressReleaseThread;
process RequestForPressReleaseProcess
features
requestRelease: out event data port;
end RequestForPressReleaseProcess;
process implementation RequestForPressReleaseProcess.i
subcomponents
t: thread RequestForPressReleaseThread;
connections
c1: event data port t.requestRelease -> requestRelease;
end RequestForPressReleaseProcess.i;
thread PressReleaseClearanceThread extends RealTime::RealTimeThread
features
requestRelease: in event data port;
engagementIncidents: in event data port;
pressReleases: out event data port;
properties
Security Attributes::Class => top_secret;
Period => 100 ms; Deadline => 40 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end PressReleaseClearanceThread;
163
Listing 29 AADL Integrated System (Continued)
process PressReleaseClearanceProcess
features
requestRelease: in event data port;
engagementIncidents: in event data port;
pressReleases: out event data port;
end PressReleaseClearanceProcess;
process implementation PressReleaseClearanceProcess.i
subcomponents
t: thread PressReleaseClearanceThread;
connections
c1: event data port requestRelease -> t.requestRelease;
c2: event data port engagementIncidents -> t.engagementIncidents;
c3: event data port t.pressReleases -> pressReleases;
end PressReleaseClearanceProcess.i;
thread PressReleaseDisseminationThread
extends RealTime::RealTimeThread
features
pressReleases: in event data port;
properties
Security Attributes::Class => unclassified;
Period => 100 ms; Deadline => 30 ms;
Compute_Execution_time => 25 ms .. 30 ms;
end PressReleaseDisseminationThread;
process PressReleaseDisseminationProcess
features
pressReleases: in event data port;
end PressReleaseDisseminationProcess;
process implementation PressReleaseDisseminationProcess.i
subcomponents
t: thread PressReleaseDisseminationThread;
connections
c1: event data port pressReleases -> t.pressReleases;
end PressReleaseDisseminationProcess.i;
164
Listing 30 AADL Integrated System (Continued)
system AnalyticCompSys extends RealTime::RealTimeSystem
end AnalyticCompSys;
system implementation AnalyticCompSys.i
subcomponents
p1: processor RealTime::RealTimeProcessor;
p2: processor RealTime::RealTimeProcessor;
p3: processor RealTime::RealTimeProcessor;
p4: processor RealTime::RealTimeProcessor;
radarTracking:process RadarTrackingProcess.i;
uavTracking: process UAVTrackingProcess.i;
engagementPlanning:process EngagementPlanningProc.i;
assetControl: process AssetControlProcess.i;
requestForPressRelease: process RequestForPressReleaseProcess.i;
pressReleaseClearance: process PressReleaseClearanceProcess.i;
pressReleaseDissemination: process PressReleaseDisseminationProcess.i;
connections
c1: event data port radarTracking.tracks -> engagementPlanning.tracks;
c2: event data port uavTracking.surveillanceStream ->
engagementPlanning.surveillanceStream {
Security_Attributes::Class => top_secret; };
c3: event data port engagementPlanning.engagementIncidents ->
pressReleaseClearance.engagementIncidents;
c4: event data port engagementPlanning.assetAllocations ->
assetControl.assetAllocations;
c5: event data port requestForPressRelease.requestRelease ->
pressReleaseClearance.requestRelease;
c6: event data port pressReleaseClearance.pressReleases ->
pressReleaseDissemination.pressReleases;
properties
Scheduling_Protocol => DMS applies to p1;
Scheduling_Protocol => RMS applies to p2;
Scheduling_Protocol => DMS applies to p3;
Scheduling_Protocol => DMS applies to p4;
ACE::Max_Clock_Freq => 1 applies to p1;
ACE::Max_Clock_Freq => 1 applies to p2;
ACE::Max_Clock_Freq => 1 applies to p3;
ACE::Max_Clock_Freq => 1 applies to p4;
end AnalyticCompSys.i;
165
