Mapping AADL models to a repository of multiple schedulability analysis techniques

To fill the gap between the modeling of real-time systems and the scheduling analysis, we propose a framework that supports seamlessly the two aspects: 1) modeling a system using a methodology, in our case study, the Architecture Analysis and Design Language (AADL), and 2) helping to easily check temporal requirements (schedulability analysis, worst-case response time, sensitivity analysis, etc.). We introduce an intermediate framework called MoSaRT, which supports a rich semantic concerning temporal analysis. We show with a case study how the input model is transformed into a MoSaRT model, and how our framework is able to generate the proper models as inputs to several classic temporal analysis tools

The SAE Architecture Analysis & Design Language (AADL) A Standard for Engineering Performance Critical Systems

International audienceThe Society of Automotive Engineers (SAE) Architecture Analysis & Design Language, AS5506, provides a means for the formal specification of the hardware and software architecture of embedded computer systems and system of systems. It was designed to support a full Model Based Development lifecycle including system specification, analysis, system tuning, integration, and upgrade over the lifecycle. It was designed to support the integration of multiple forms of analyses and to be extensible in a standard way for additional analysis approaches. A system can be automatically integrated from AADL models when fully specified and when source code is provided for the software components. Analysis of large complex systems has been demonstrated in the avionics domain

Translation Of AADL To PNML To Ensure The Utilization Of Petri Nets

Architecture Analysis and Design Language (AADL), which is used to design and analyze software and hardware architectures of embedded and real-time systems, has proven to be a very efficient way of expressing the non-functional properties of safety-critical systems and architectural modeling. Petri nets are the graphical and mathematical modeling tools used to describe and study information processing systems characterized as concurrent and distributed. As AADL lacks the formal semantics needed to show the functional properties of such systems, the objective of this research was to extend AADL to enable other Petri nets to be incorporated into Petri Net Markup Language (PNML), an interchange language for Petri nets. PNML makes it possible to incorporate different types of analysis using different types of Petri net. To this end, the interchange format Extensible Markup Language (XML) was selected and AADL converted to AADL-XML (the XML format of AADL) and Petri nets to PNML, the XML-format of Petri nets, via XSLT script. PNML was chosen as the transfer format for Petri nets due to its universality, which enables designers to easily map PNML to many different types of Petri nets. Manual conversion of AADL to PNML is error-prone and tedious and thus requires automation, so XSLT script was utilized for the conversion of the two languages in their XML format. Mapping rules were defined for the conversion from AADL to PNML and the translation to XSLT automated. Finally, a PNML plug-in was designed and incorporated into the Open Source AADL Tool Environment (OSATE)

Traceability of Requirements and Software Architecture for Change Management

At the present day, software systems get more and more complex. The requirements of software systems change continuously and new requirements emerge frequently. New and/or modified requirements are integrated with the existing ones, and adaptations to the architecture and source code of the system are made. The process of integration of the new/modified requirements and adaptations to the software system is called change management. The size and complexity of software systems make change management costly and time consuming. To reduce the cost of changes, it is important to apply change management as early as possible in the software development cycle. Requirements traceability is considered crucial in change management for establishing and maintaining consistency between software development artifacts. It is the ability to link requirements back to stakeholders’ rationales and forward to corresponding design artifacts, code, and test cases. When changes for the requirements of the software system are proposed, the impact of these changes on other requirements, design elements and source code should be traced in order to determine parts of the software system to be changed. Determining the impact of changes on the parts of development artifacts is called change impact analysis. Change impact analysis is applicable to many development artifacts like requirements documents, detailed design, source code and test cases. Our focus is change impact analysis in requirements and software architecture. The need for change impact analysis is observed in both requirements and software architecture. When a change is introduced to a requirement, the requirements engineer needs to find out if any other requirement related to the changed requirement is impacted. After determining the impacted requirements, the software architect needs to identify the impacted architectural elements by tracing the changed requirements to software architecture. It is hard, expensive and error prone to manually trace impacted requirements and architectural elements from the changed requirements. There are tools and approaches that automate change impact analysis like IBM Rational RequisitePro and DOORS. In most of these tools, traces are just simple relations and their semantics is not considered. Due to the lack of semantics of traces in these tools, all requirements and architectural elements directly or indirectly traced from the changed requirement are candidate impacted. The requirements engineer has to inspect all these candidate impacted requirements and architectural elements to identify changes if there are any. In this thesis we address the following problems which arise in performing change impact analysis for requirements and software architecture. Explosion of impacts in requirements after a change in requirements. In practice, requirements documents are often textual artifacts with implicit structure. Most of the relations among requirements are not given explicitly. There is a lack of precise definition of relations among requirements in most tools and approaches. Due to the lack of semantics of requirements relations, change impact analysis may produce high number of false positive and false negative impacted requirements. A requirements engineer may have to analyze all requirements in the requirements document for a single change. This may result in neglecting the actual impact of a change. Manual, expensive and error prone trace establishment. Considerable research has been devoted to relating requirements and design artifacts with source code. Less attention has been paid to relating Requirements (R) with Architecture (A) by using well-defined semantics of traces. Designing architecture based on requirements is a problem solving process that relies on human experience and creativity, and is mainly manual. The software architect may need to manually assign traces between R&A. Manual trace assignment is time-consuming, expensive and error prone. The assigned traces might be incomplete and invalid. Explosion of impacts in software architecture after a change in requirements. Due to the lack of semantics of traces between R&A, change impact analysis may produce high number of false positive and false negative impacted architectural elements. A software architect may have to analyze all architectural elements in the architecture for a single requirements change. In this thesis we propose an approach that reduces the explosion of impacts in R&A. The approach employs semantic information of traces and is supported by tools. We consider that every relation between software development artifacts or between elements in these artifacts can play the role of a trace for a certain traceability purpose like change impact analysis. We choose Model Driven Engineering (MDE) as a solution platform for our approach. MDE provides a uniform treatment of software artifacts (e.g. requirements documents, software design and test documents) as models. It also enables using different formalisms to reason about development artifacts described as models. To give an explicit structure to requirements documents and treat requirements, architecture and traces in a uniform way, we use metamodels and models with formally defined semantics. The thesis provides the following contributions: A modeling language for definition of requirements models with formal semantics. The language is defined according to the MDE principles by defining a metamodel. It is based on a survey about the most commonly found requirements types and relation types. With this language, the requirements engineer can explicitly specify the requirements and the relations among them. The semantics of these entities is given in First Order Logic (FOL) and allows two activities. First, new relations among requirements can be inferred from the initial set of relations. Second, requirements models can be automatically checked for consistency of the relations. Tool for Requirements Inferencing and Consistency Checking (TRIC) is developed to support both activities. The defined semantics is used in a technique for change impact analysis in requirements models. A change impact analysis technique for requirements using semantics of requirements relations and requirements change types. The technique aims at solving the problem of explosion of impacts in requirements when semantics of requirements relations is missing. The technique uses formal semantics of requirements relations and requirements change types. A classification of requirements changes based on the structure of a textual requirement is given and formalized. The semantics of requirements change types is based on FOL. We support three activities for impact analysis. First, the requirements engineer proposes changes according to the change classification before implementing the actual changes. Second, the requirements engineer indentifies the propagation of the changes to related requirements. The change alternatives in the propagation are determined based on the semantics of change types and requirements relations. Third, possible contradicting changes are identified. We extend TRIC with a support for these activities. The tool automatically determines the change propagation paths, checks the consistency of the changes, and suggests alternatives for implementing the change. A technique that provides trace establishment between R&A by using architecture verification and semantics of traces. It is hard, expensive and error prone to manually establish traces between R&A. We present an approach that provides trace establishment by using architecture verification together with semantics of requirements relations and traces. We use a trace metamodel with commonly used trace types. The semantics of traces is formalized in FOL. Software architectures are expressed in the Architecture Analysis and Design Language (AADL). AADL is provided with a formal semantics expressed in Maude. The Maude tool set allows simulation and verification of architectures. The first way to establish traces is to use architecture verification techniques. A given requirement is reformulated as a property in terms of the architecture. The architecture is executed and a state space is produced. This execution simulates the behavior of the system on the architectural level. The property derived from the requirement is checked by the Maude model checker. Traces are generated between the requirement and the architectural components used in the verification of the property. The second way to establish traces is to use the requirements relations together with the semantics of traces. Requirements relations are reflected in the connections among the traced architectural elements based on the semantics of traces. Therefore, new traces are inferred from existing traces by using requirements relations. We use semantics of requirements relations and traces to both generate/validate traces and generate/validate requirements relations. There is a tool support for our approach. The tool provides the following: (1) generation/validation of traces by using requirements relations and/or verification of architecture, (2) generation/validation of requirements relations by using traces. A change impact analysis technique for software architecture using architecture verification and semantics of traces between R&A. The software architect needs to identify the impacted architectural elements after requirements change. We present a change impact analysis technique for software architecture using architecture verification and semantics of traces. The technique is semi-automatic and requires participation of the software architect. Our technique has two parts. The first part is to identify the architectural elements that implement the system properties to which proposed requirements changes are introduced. By having the formal semantics of requirements relations and traces, we identify which parts of software architecture are impacted by a proposed change in requirements. We have extended TRIC for determining candidate impacted architectural elements. The second part of our technique is to propose possible changes for software architecture when the software architecture does not satisfy the new and/or changed requirements. The technique is based on architecture verification. The output of verification is a counter example if the requirements are not satisfied. The counter example is used with a classification of architectural changes in order to propose changes in the software architecture. These changes produce a new version of the architecture that possibly satisfies the new or the changed requirements

Specification and use of component failure patterns

Safety-critical systems are typically assessed for their adherence to specified safety properties. They are studied down to the component-level to identify root causes of any hazardous failures. Most recent work with model-based safety analysis has focused on improving system modelling techniques and the algorithms used for automatic analyses of failure models. However, few developments have been made to improve the scope of reusable analysis elements within these techniques. The failure behaviour of components in these techniques is typically specified in such a way that limits the applicability of such specifications across applications. The thesis argues that allowing more general expressions of failure behaviour, identifiable patterns of failure behaviour for use within safety analyses could be specified and reused across systems and applications where the conditions that allow such reuse are present.This thesis presents a novel Generalised Failure Language (GFL) for the specification and use of component failure patterns. Current model-based safety analysis methods are investigated to examine the scope and the limits of achievable reuse within their analyses. One method, HiP-HOPS, is extended to demonstrate the application of GFL and the use of component failure patterns in the context of automated safety analysis. A managed approach to performing reuse is developed alongside the GFL to create a method for more concise and efficient safety analysis. The method is then applied to a simplified fuel supply and a vehicle braking system, as well as on a set of legacy models that have previously been analysed using classical HiP-HOPS. The proposed GFL method is finally compared against the classical HiP-HOPS, and in the light of this study the benefits and limitations of this approach are discussed in the conclusions

Expérimentation d'une suite d'outils pour automatiser le passage d'une conception basée sur un modèle vers la réalisation d'une implémentation, en passant par l'exploration architecturale

RÉSUMÉ Aujourd’hui, les systèmes embarqués sont de plus en plus complexes à développer surtout s’il s’agit de systèmes temps réel. Ces projets intègrent des technologies à la fine pointe de la recherche, qui sont compliquées à mettre en place. La complexité de conception de ces systèmes repose sur la nécessité de trouver un équilibre entre la puissance de calcul requise, la surface de carte et le nombre de ressources matérielles utilisées, ou encore la consommation du circuit. En ajoutant à tout cela des temps de mise en marché de plus en plus stricts pour ce genre de systèmes, les besoins d’outils et de flots de conception efficaces deviennent de plus en plus pressants. Dans cette optique, de nombreux langages de spécification de système ont été mis au point. Ils sont échelonnés à différents niveaux d’abstraction allant des langages de haut niveau d’abstraction comme sysML ou AADL jusqu’au bas niveau RTL en passant par des spécifications pour ESL (Electronic system level) comme SystemC. Ces langages sont liés à des méthodologies basées sur les modèles. Le projet de recherche présenté dans ce mémoire consiste à mettre en avant une méthodologie de conception d’un système embarqué. Cette méthodologie s’illustre au travers d’un flot de conception utilisant le langage de description de système AADL ainsi que la plateforme de codesign SpaceStudio. Elle vise à développer en parallèle des applications logicielles ainsi que les plateformes matérielles sur lesquelles ces applications doivent s’exécuter. Le défi de ce projet consiste donc à réaliser la jonction entre le langage AADL et la plateforme SpaceStudio. L’outil chargé de réaliser cette jonction compile du code AADL et génère un script python. Ce script est lu par l’API du logiciel SpaceStudio qui permet de générer un projet sur sa plateforme de coconception. L’outil créé durant ce projet et nommé AADL2Space est testé à travers un exemple de modèle AADL disponible sur Internet. Par la suite, une application de décodage vidéo MJPEG est utilisée pour illustrer le flot de conception. Un modèle AADL de cette application a été développé afin de fournir la description architecturale du système. La partie applicative du système a été codée en C et associée au modèle AADL. Ainsi, un système complet est compilé par AADL2Space pour ainsi générer un projet SpaceStudio. Une fois le projet instancié sur la plateforme de coconception, celui-ci est simulé et analysé afin d’obtenir des métriques permettant de valider ou non l’architecture. De cette façon, plusieurs architectures sont testées afin de satisfaire les contraintes d’ordonnancement temps réel, de taux d’utilisation des processeurs, d’utilisation des ressources matérielles, etc. L’architecture choisie est enfin synthétisée pour être implémentée sur carte. Ce projet a conduit à l’écriture d’un article de conférence à EEE international Symposium on Rapid System Prototyping (RSP)----------ABSTRACT Nowadays, embedded systems are increasingly complex to design. These system’s design complexity is based on the need to find a balance between the required power, the used area on ship and hardware resources, and the system consumption. This issue mainly occurs for real-time systems. For such systems, times to market are more and more demanding. Consequently, new tools and design flows are definitely needed. This project bridges and validates two of these technologies. To reach our goal, numerous system description languages and libraries have been worked out. They have different abstraction levels from high abstraction level languages as SysML or AADL, to low level abstraction RTL, through ESL (Electronic system level) as systemC. The aim of the research project introduced in this work is to show an embedded system design methodology. This methodology is illustrated through a design flow using the description language AADL and the SpaceStudioTM HW/SW co-design platform. It targets a parallel design of software applications and hardware platform on which applications will be executed. This project’s challenge is to fill the gap between the description language AADL and SpaceStudio platform. SpaceStudio is a scriptable tool. All the graphic manipulations can also be achieved through a Python script. The proposed tool filling this gap acts as a compiler of an AADL code and generate a Python script that can be used as an input description of SpaceStudio. The created tool called AADL2Space is tested thanks to an AADL model example available on Internet. Next, an MJPEG video decoder application is used to illustrate the design flow. An AADL model of this application has been designed to provide the system’s architectural description. The software part of the system has been coded in C language and bound to the AADL model. Thereby, a complete system is compiled by the designed tool and generated as a SpaceStudio project. Once the project has been instantiated on the co-design platform, it is simulated and analyzed to validate metric performances. Different architecture configurations are tested to meet system’s constraints as real time scheduling, processor’s use rate, use of hardware resources, etc. The chosen architecture configuration is finally synthetized to be implemented on a FPGA

A model-driven development and verification approach for medical devices

Master of ScienceDepartment of Computing and Information SciencesJohn HatcliffMedical devices are safety-critical systems whose failure may put human life in danger. They are becoming more advanced and thus more complex. This leads to bigger and more complicated code-bases that are hard to maintain and verify. Model-driven development provides high-level and abstract description of the system in the form of models that omit details, which are not relevant during the design phase. This allows for certain types of verification and hazard analysis to be performed on the models. These models can then be translated into code. However, errors that do not exist in the models may be introduced during the implementation phase. Automated translation from verified models to code may prevent to some extent. This thesis proposes approach for model-driven development and verification of medical devices. Models are created in AADL (Architecture Analysis & Design Language), a language for software and hardware architecture modeling. AADL models are translated to SPARK Ada, contract-based programming language, which is suitable for software verification. Generated code base is further extended by developers to implement internals of specific devices. Created programs can be verified using SPARK tools. A PCA (Patient Controlled Analgesia) pump medical device is used to illustrate the primary artifacts and process steps. The foundation for this work is "Integrated Clinical Environment Patient-Controlled Analgesia Infusion Pump System Requirements" document and AADL Models created by Brian Larson. In addition to proposed model-driven development approach, a PCA pump prototype was created using the BeagleBoard-xM device as a platform. Some components of PCA pump prototype were verified by SPARK tools and Bakar Kiasan

Une approche intégrée pour la validation et la génération de systèmes critiques par raffinement incrémental de modèles architecturaux

The increasing complexity of distributed realtime and embedded (DRE) systems and their implication in various domains imply new design and development methods. In safety- criticial domains such as space, aeronautical, transport or medicine, their failure could result in the failure of the mission, or in dramatic damages such as human losses. This particular class of systems comes with strong requirements to satisfy safety, reliability and security properties. The Model-driven Engineering (MDE) introduces the concept of «model» - an abstract description of the system and a set of tools (editor, transformation engine, code generator) to simplify and automatize the design, the validation and the implementation of the system. Thus, various abstractions are realized using different domain-specific modeling languages in order to assess one particular aspect of the system and to re-use model-based analysis tools and generative technologies. These various representations may share some commonalities but the consistency between them is hard to validate (for example : Is the analyzed system the same as the generated one ?).This PhD thesis leverages MDE concepts and mechanisms, to enhance the reliability of the model-based development process of DRE systems. Our approach is based on the definition of the architectural and behavioral modeling language AADLHI Ravenscar, a restriction of AADL (Architecture Analysis & Design Language) and its behavioral annex. This subset of AADL constructs, comes up with a semantic close to the one of an imperative programming language, to drive both the analysis and the code generation of the application components and its relying execution platform (middleware) components...L’augmentation de la complexité des systèmes temps-réel répartis embarqués (TR2E) et leur implication dans de nombreux domaines de notre quotidien imposent de nouvelles mé thodes de réalisation. Dans les domaines dits critiques (transport, médecine...) ces systèmes doivent satisfaire des contraintes dures pour garantir leur bon fonctionnement et éviter toutes défaillances qui engendreraient des conséquences financières ou humaines dramatiques. L’Ingénierie Dirigée par les Modèles (IDM) introduit le “modèle” - i.e. une description abstraite du système - et un ensemble d’outils (édition, transformation...) permettant la simplification et l’automatisation des étapes de conception, de validation et de génération du système. Ainsi, différentes abstractions du système sont élaborées dans des formalismes spécifiques de manière à couvrir un aspect du système et à permettre la réutilisation des outils d’analyse et de génération existants. Cependant, ces multiples représentations évoluent à des niveaux d’abstractions différents et il n’est pas toujours évident de mettre en corrélation système analysé et système généré. Ce travail de thèse exploite les concepts et les mécanismes offerts par l’IDM pour améliorer la fiabilité du processus de réalisation des systèmes critiques basé sur les modèles. L’approche que nous avons définie repose sur la définition du langage de modélisation architecturale et comportementale AADL-HI Ravenscar - un sous-ensemble du langage AADL (Architecture Analysis & Design Language) et de son annexe comportementale - contraint pour permettre conjointement l’analyse et la génération de l’ensemble des composants de l’application y compris de son exécutif, avec une sémantique proche d’un langage de programmation impératif..

Proceedings of Monterey Workshop 2001 Engineering Automation for Sofware Intensive System Integration

The 2001 Monterey Workshop on Engineering Automation for Software Intensive System Integration was sponsored by the Office of Naval Research, Air Force Office of Scientific Research, Army Research Office and the Defense Advance Research Projects Agency. It is our pleasure to thank the workshop advisory and sponsors for their vision of a principled engineering solution for software and for their many-year tireless effort in supporting a series of workshops to bring everyone together.This workshop is the 8 in a series of International workshops. The workshop was held in Monterey Beach Hotel, Monterey, California during June 18-22, 2001. The general theme of the workshop has been to present and discuss research works that aims at increasing the practical impact of formal methods for software and systems engineering. The particular focus of this workshop was "Engineering Automation for Software Intensive System Integration". Previous workshops have been focused on issues including, "Real-time & Concurrent Systems", "Software Merging and Slicing", "Software Evolution", "Software Architecture", "Requirements Targeting Software" and "Modeling Software System Structures in a fastly moving scenario".Office of Naval ResearchAir Force Office of Scientific Research Army Research OfficeDefense Advanced Research Projects AgencyApproved for public release, distribution unlimite