Architecture Modeling - SPES 2020

More documents

Recommendations

Info

Architecture Modeling evidence (such as through testing or through formal analysis methods) that their implementation complies to their contract, the final integration of subsystems to the complete system will be free of all classes of integration errors covered by contracts in the virtual integration test. Note that this method allows to protect the IP of subsystem suppliers – the only evidence required, is the confirmation that their implementation meets the subsystem contract specification. 5.2.1.3 Layered Design Layered design copes with complex systems by focusing on those aspects of the system pertinent to support the design activities at the corresponding level of the V diagram. This approach is particularly powerful if the details of a lower layer of abstraction are encapsulated when the design is carried out at the higher layer. Layered approaches are well understood and standard in many application domains. As an example, AUTOSAR defines several abstraction layers. Moving from “bottom” to “top”, the microcontroller abstraction layer encapsulates completely the specifics of underlying microcontrollers, the second layer abstracts from the concrete configuration of the Electronic Control Unit (ECU), the employed communication services and the underlying operating system, whereas the (highest) application layer is not aware of any aspect of possible target architectures, and relies on purely virtual communication concepts in specifying communication between application components. Similar abstraction levels are defined by the ARINC standard in the avionic domains [1]. The benefits of using layered design are manifold. Using AUTOSAR’s layer structure as example, the complete separation of the logical architecture of an application (as represented by a set of components interconnected using the so-called virtual function bus) and target hardware is a key design objective of AUTOSAR, in that it allows complete decoupling of the number of automotive functions from the number of hardware components. In particular, it is flexible enough to mix components from different applications on one and the same ECU. This illustrates the double role of abstraction layers, in allowing to focus completely in this case on the logic of the application and abstracting from the underlying hardware, while at the same time imposing a minimal (or even no) constraint on the design space of possible hardware architectures. In particular, this allows re-using the application design across multiple platforms, varying in number of bus-systems and/or number and class of ECUs. Such design layers can, in addition, be used to match the boundaries of either organizational units within a company, or to define interfaces between different organizations in the supply chain. The challenge, then, rests in providing the proper abstractions of lower-level design entities, which must meet the double criteria of on one hand being sufficiently detailed so as to support – among others – virtual integration testing even with respect to non-functional viewpoints on the next higher level, while at the same time not overly restricting the space of possible lower-level implementations. As a concrete example, consider the AUTOSAR application layer and an application requiring guaranteed service under a given failure hypothesis. Such failure hypothesis would typically relate both to failures observable on the application layer itself (such as a component sending an incorrect value, or a component flushing its neighbors with unwanted messages), as well as to failures depending on the underlying (unknown!) target hardware. This points to an inherent dilemma: on one side, the desire of completely abstracting from the underlying hardware, while at the same time wishing to perform analysis of properties which inherently depend on it. This dilemma can be solved by using what we call vertical assumptions as abstractions of the underlying target hardware. Returning to the above example, such vertical assumptions could explicate the failure hypothesis of either execution platforms or communication platforms, and 96/ 156
Architecture Modeling thus decorate either (individual runnables of) components, or entities of the virtual function bus. More general, any logical communication must be seen as a (fictitious) component itself, which, at deployment time, will be mapped to communication services of the operating system inducing either bus-based communication or ECU local communication e. g. through shared memory within one ECU. 5.2.1.4 Component-Based Design Whereas layered designs decompose complexity of systems “vertically”, by splitting the design into multiple design layers, component-based approaches reduce complexity “horizontally” whereby designs are obtained by assembling (composing) strongly encapsulated design entities called “components” equipped with concise and rigorous interface specifications. While these interface specifications are key and relevant for any system, the “quality attribute” of perceiving a subsystem as a component is typically related to two orthogonal criteria, that of “small interfaces”, and that of minimally constraining the deployment context, so as to maximize the potential for re-use. “Small interfaces”, i. e., interfaces which are both small in terms of number of interface variables or ports, as well as “logically small”, in that protocols governing the invocation of component services have compact specifications not requiring deep levels of synchronization, constitute evidence of the success of encapsulation. The second quality attribute is naturally expressible in terms of contract-based interface specifications, where re-use can be maximized by finding the weakest assumptions on the environment sufficient to establish the guarantees on a given component implementation. One challenge, then, for component-based design of embedded systems, is to provide interface specifications that are rich enough to cover all phases of the design cycle. The need to thus include non-functional characteristics as part of the component interface specifications was the key motivation in proposing rich components [20] offering multi-viewpoint contracts with both vertical and horizontal assumptions as enablers of true component re-use in embedded system design. Current component interface models, in contrast, are typically restricted to purely functional characterization of components, and thus cannot capitalize on the benefits of contract-based virtual integration testing, as outlined above. The second challenge is related to product line design. While systematic approaches to derive a weakest set of restrictions on environments exist [12], these assume a given set of service guarantees. The challenge, then, rests in anticipating the space of future deployments of components when formulating component guarantees, balancing the contradicting goals of striving for generality versus achieving efficient component implementations. Methods for systematically deriving “quotient” specifications for compensating for “minor” differences between required and offered component guarantees by composing a component with a wrapper component compensating for such differences as characterized by quotient specifications exists for restricted classes of contracts and restricted classes of component models [36]. The third challenge is in the choice of granularity of the components. “Smaller” components are intrinsically more re-usable since it is more likely that a fairly small component has functionality that can be shared on a larger scale, but the gain in design time is less. “Larger” components are less re-usable since it is relatively rare that a large part of the design can be used as is in other designs, but if it can be re-used then the savings are considerable. A way of balancing these trade-offs is to leverage layered design in that a component can be itself considered as an assembly of lower complexity components. If both the component and its “subcomponents” are considered part of the design library we are not giving up potential re-use by choosing larger granularity components! 97/ 156
Page 1 and 2:
Architecture Modeling ∗ Andreas B
Page 3 and 4:
Contents 1 Introduction 1 2 Quick-T
Page 5 and 6:
1 Introduction This document propos
Page 7 and 8:
Architecture Modeling allowing to m
Page 9 and 10:
Architecture Modeling creating a vi
Page 11 and 12:
Architecture Modeling the design it
Page 13 and 14:
Architecture Modeling of the logica
Page 15 and 16:
Architecture Modeling realization o
Page 17 and 18:
Architecture Modeling can usually o
Page 19 and 20:
3 The Architecture Meta-Model In Se
Page 21 and 22:
Abstraction-Levels (detail increase
Page 23 and 24:
3.2.2 Functional Perspective Archit
Page 25 and 26:
Architecture Modeling The semantics
Page 27 and 28:
Architecture Modeling expressed by
Page 29 and 30:
Architecture Modeling computing cap
Page 31 and 32:
3.2.5 Geometrical Perspective Archi
Page 33 and 34:
ShapeCompositionOperator intersecti
Page 35 and 36:
Architecture Modeling The constrain
Page 37 and 38:
Architecture Modeling of particular
Page 39 and 40:
Architecture Modeling Shape that de
Page 41 and 42:
Architecture Modeling Conjugation o
Page 43 and 44:
RichComponent Architecture Modeling
Page 45 and 46:
MultiplicityElement +part 0..* Rich
Page 47 and 48:
ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51 and 52: Architecture Modeling Assume/guaran
Page 53 and 54: Architecture Modeling When specifyi
Page 55 and 56: Architecture Modeling next selectio
Page 57 and 58: Architecture Modeling ports must ha
Page 59 and 60: established if (and only if): Archi
Page 61 and 62: 12°C < tempSelect < 35°C actTemp
Page 63 and 64: Architecture Modeling The component
Page 65 and 66: Architecture Modeling 4.3.2 Establi
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 89 and 90: Architecture Modeling However this
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99: Architecture Modeling of the V, suc
Page 103 and 104: Architecture Modeling In summary, P
Page 105 and 106: Architecture Modeling OEMs are incr
Page 107 and 108: Architecture Modeling provide effec
Page 111 and 112: Architecture Modeling patterns, cap
Page 113 and 114: Architecture Modeling 6.1 Syntax an
Page 115 and 116: 6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118: Constrrain Eventts with Co ondition
Page 119 and 120: These events used in the “and the
Page 121 and 122: Formalization: whenever StartButton
Page 123 and 124: Architecture Modeling Basic bloock
Page 125 and 126: 6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128: 6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130: e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132: Pattern whenever event occurs condi
Page 133 and 134: If the brake force is above 80% for
Page 135 and 136: Pattern S3: Failure shall not be ca
Page 137 and 138: Pattern S9: failureCondition failur
Page 139 and 140: Pattern R2: Event occurs each perio
Page 141 and 142: idle e1 |clk:=0 e2 && (l
Page 143 and 144: The function : allocates a singl
Page 145 and 146: Examplees of clocks: • Run: {c=0@
Page 147 and 148: Architecture Modeling 1. For σ ∈
Page 149 and 150: Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

Create successful ePaper yourself

Delete template?

Save as template?