Architecture Modeling - SPES 2020

More documents

Recommendations

Info

AirTempSystem C1 C temp occurs each 50ms temp occurs each 50ms with jitter 5ms C2 Architecture Modeling Delay between temp and actTemp within [5ms,7ms] actTemp occurs each 50ms with jitter 10ms temp actTemp Capture Delay between temp and control within [15ms,20ms] Delay between actTemp and control within [10ms,12ms] AirTempControl Figure 4.7: VIT Example with Real-Time Contracts control Due to the fact that, when C1 is satisfied, then also the assumption of C2 is satisfied (remind that C1 and C2 are compatible), we can eliminate A2s. If both guarantees G1 and G2 are satisfied, both together satisfy G because the result of G1 ∧ G2 is a simple addition of delays. This completes the proof chain. temp occurs each 50ms temp occurs each 50ms with jitter 5ms Delay between temp and actTemp within [5ms,7ms] actTemp occurs each 50ms with jitter 7ms actTemp occurs each 50ms with jitter 10ms ! Delay between temp and control within [15ms,20ms] Delay between temp and control within [15ms,19ms] " Delay between actTemp and control within [10ms,12ms] Figure 4.8: VIT Example with Real-Time Contracts: Proof Chain VIT Example for Safety Contracts Modeling safety aspects is usually more elaborated than for real-time, since specification of failure conditions and dependencies are often rather complex. A simple application example of VIT for safety shall however be discussed. Figure 4.9 shows an abstract model of a wheel brake system. The BSCU controls a hydraulic system, that provides the brake force to a wheel, by sending commands via CMD AS. The braking system is redundantly implemented. Both BSCU and Hydraulic contain the relevant parts twice. The figure shows that BSCU is composed of two redundant control units BSCU1 and BSCU2. The control units take the (also redundant) brake pedal positions (PedalPos1 and PedalPos2) and calculate respective commands (CMD AS1 and CMD AS2) to control the hydraulic system. Both controls units maintain validation ports (Valid1 and Valid2) indicating whether the commands send are valid or not. 58/ 156
Architecture Modeling The component ValidSwitch takes these signals and decides whether the BSCU is considered to deliver valid commands. The SelectSwitch finally takes the commands send by the respective control units. In normal operation mode, it relays the commands from the first control unit to the hydraulic system. If the first units fails, SelectSwitch switches over to the second unit. In order to keep the example simple, the redundancy concept of the hydraulic system is not shown here. PedalPos1 BSCU1 CMD_AS1 C always not(fail(PedalPos1)) && not(fail(PedalPos2)) BSCU Valid1 Valid2 Valid Switch Select Switch PedalPos2 BSCU2 CMD_AS2 always not(fault(BSCU1)) or always not(fault(BSCU2)) C1 always not(fail(PedalPos1)) C2 always not(fail(PedalPos2)) CMD_AS Valid Hydraulic always not(fail(CMD_AS1)) or always not(fail(CMD_AS2)) always not(fault(BSCU1)) always not(fault(BSCU2)) Wheel Figure 4.9: VIT Example with Safety Contracts always not(fail(CMD_AS1)) always not(fail(CMD_AS2)) Figure 4.9 also shows some safety contracts. The top-level contract C = (As,Aw,G) defines as the strong assumption that the brake pedals never fail to send correct position values. The weak assumption of C states that the contract holds for such situations where not both redundant control units fail together. In this case, the contract guarantees that at least one of the command lines delivers correct commands to the hydraulic. Note, that this safety case is strongly simplified. A comprehensive safety analysis usually would incorporate much more complex situations. For example, none of the components ValidSwitch and SelectSwitch are considered here. It is furthermore a rather unrealistic requirement that both brake pedals never fail. We however assume that a further outcome of safety analysis are two local contracts for the redundant control units. C1 strongly assumes that PedalPos1 never fails. The weak assumptions captures situations where BSCU1 does not have a fault. In this case, C1 = (A1s,A1w,G1) guarantees that the commands send by BSCU1 are correct. A similar contract C2 is defined for BSCU2. Showing satisfaction of VIT for this example is simple. We can firstly observe that As =⇒ A1s ∧ A2s, since As equals to A1s ∧ A2s. This proofs the strong VIT condition. Furthermore, it holds that Aw =⇒ A1w ∨ A2w because Aw equals to A1w ∨ A2w. Assuming satisfaction of C1 and C2, we get A1s ∧ A1w =⇒ G1 for C1, and A2s ∧ A2w =⇒ G2 for C2 by definition. If we put all four implications together, we can derive As ∧ Aw =⇒ G1 ∨ G2. Since G1 ∨ G2 =⇒ G because of, again, equivalence, we have shown dominance. This concludes the VIT. 59/ 156
Page 1 and 2:
Architecture Modeling ∗ Andreas B
Page 3 and 4:
Contents 1 Introduction 1 2 Quick-T
Page 5 and 6:
1 Introduction This document propos
Page 7 and 8:
Architecture Modeling allowing to m
Page 9 and 10:
Architecture Modeling creating a vi
Page 11 and 12: Architecture Modeling the design it
Page 13 and 14: Architecture Modeling of the logica
Page 15 and 16: Architecture Modeling realization o
Page 17 and 18: Architecture Modeling can usually o
Page 19 and 20: 3 The Architecture Meta-Model In Se
Page 21 and 22: Abstraction-Levels (detail increase
Page 23 and 24: 3.2.2 Functional Perspective Archit
Page 25 and 26: Architecture Modeling The semantics
Page 27 and 28: Architecture Modeling expressed by
Page 29 and 30: Architecture Modeling computing cap
Page 31 and 32: 3.2.5 Geometrical Perspective Archi
Page 33 and 34: ShapeCompositionOperator intersecti
Page 35 and 36: Architecture Modeling The constrain
Page 37 and 38: Architecture Modeling of particular
Page 39 and 40: Architecture Modeling Shape that de
Page 41 and 42: Architecture Modeling Conjugation o
Page 43 and 44: RichComponent Architecture Modeling
Page 45 and 46: MultiplicityElement +part 0..* Rich
Page 47 and 48: ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51 and 52: Architecture Modeling Assume/guaran
Page 53 and 54: Architecture Modeling When specifyi
Page 55 and 56: Architecture Modeling next selectio
Page 57 and 58: Architecture Modeling ports must ha
Page 59 and 60: established if (and only if): Archi
Page 61: 12°C < tempSelect < 35°C actTemp
Page 65 and 66: Architecture Modeling 4.3.2 Establi
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 89 and 90: Architecture Modeling However this
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99 and 100: Architecture Modeling of the V, suc
Page 101 and 102: Architecture Modeling thus decorate
Page 103 and 104: Architecture Modeling In summary, P
Page 105 and 106: Architecture Modeling OEMs are incr
Page 107 and 108: Architecture Modeling provide effec
Page 111 and 112: Architecture Modeling patterns, cap
Page 113 and 114:
Architecture Modeling 6.1 Syntax an
Page 115 and 116:
6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118:
Constrrain Eventts with Co ondition
Page 119 and 120:
These events used in the “and the
Page 121 and 122:
Formalization: whenever StartButton
Page 123 and 124:
Architecture Modeling Basic bloock
Page 125 and 126:
6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128:
6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130:
e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132:
Pattern whenever event occurs condi
Page 133 and 134:
If the brake force is above 80% for
Page 135 and 136:
Pattern S3: Failure shall not be ca
Page 137 and 138:
Pattern S9: failureCondition failur
Page 139 and 140:
Pattern R2: Event occurs each perio
Page 141 and 142:
idle e1 |clk:=0 e2 && (l
Page 143 and 144:
The function : allocates a singl
Page 145 and 146:
Examplees of clocks: • Run: {c=0@
Page 147 and 148:
Architecture Modeling 1. For σ ∈
Page 149 and 150:
Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?