Dr. Kathryn Anne Weiss Jet Propulsion Laboratory, California ...

© 2009 California Institute
of Technology. Government
sponsorship acknowledged.
Dr. Kathryn Anne Weiss
Jet Propulsion Laboratory,
California Institute of Technology
Dr. Peter Feiler
Software Engineering Institute
Dr. Dave Gluch
Software Engineering Institute &
Embry-Riddle Aeronautical University
Kurt Woodham
L-3 Communications (now NASA Langley)

Objectives:
To present a rigorous framework for the independent
verification and validation of software systems
through the systematic modeling and analysis of
formal architecture representations.
To demonstrate the framework on an existing system.
AADL Architecture Analysis and Design Language
MDS the Mission Data System
Topics:
An AADL Practice Framework for IV&V
Modeling MDS with AADL
Applying the AADL Practice Framework to an MDS
Adaptation
SAS_09_Technical_Weiss_AADL_PF
2

Topic 1:
SAS_09_Technical_Weiss_AADL_PF
3

Software Quality Assurance
Ensuring that the software system adheres to quality
attribute requirements
Quality attributes are measured using Figures of Merit
(FOMs), which also make QA requirements testable
Example:
Quality Attribute Performance
FOM 1 Data Transport Latency
FOM 2 Processor Utilization
Example:
Quality Attribute Reliability
FOM Mean Time Between Failures
Adherence to quality attribute requirements
independently verified and validated
How can we facilitate that process?
SAS_09_Technical_Weiss_AADL_PF
4

Model-Based Software Quality Assurance
Enable quality attribute requirement verification
and validation through the use of models
1
`
2 3 4
SAS_09_Technical_Weiss_AADL_PF
5

Provides:
Analysis Guidelines
Descriptions of methodologies, tool usage instructions,
viewpoint definitions, and other supporting documents
Component Library
A collection of reusable AADL component type and
implementation declarations that can be used to
create models of a target system
Custom Property Sets
Specialized AADL Property definitions that can be
integrated into standard AADL models
SAS_09_Technical_Weiss_AADL_PF
6

Create the foundation for analysis
Inputs:
Requirements
Includes Risks and QAs / FOMs
V&V or IV&V Plan
Analysis Repository: Analysis Guidelines
Outputs:
Analysis Plan
Partially Completed Analysis View Reports
SAS_09_Technical_Weiss_AADL_PF
7

Create the models
Inputs:
Analysis Repository: Component Library
Utilize existing AADL models
Analysis Repository: Custom Property Sets
Utilize existing Custom Property Sets
Analysis Plan
Partially Completed Analysis View Reports
Outputs:
Analysis Repository: Component Library
Add new or modified AADL models
Analysis Repository: Custom Property Sets
Add new or modified Custom Property Sets
Partially Completed Analysis View Reports
SAS_09_Technical_Weiss_AADL_PF
8

Using AADL and OSATE
OSATE Open Source AADL Tool Environment
For more information on AADL and OSATE, please visit:
http://www.aadl.info
SAS_09_Technical_Weiss_AADL_PF
9

Analyze the models and report results
Inputs:
Analysis Plan
Partially Completed Analysis View Reports
Analysis Repository: Component Library
Outputs:
Analysis View Reports
SAS_09_Technical_Weiss_AADL_PF
10

Topic 2:
SAS_09_Technical_Weiss_AADL_PF
11

MDS: The Mission Data System
An advanced reference architecture for real-time
embedded control systems
Mission Planning & Execution
Knowledge
Goals
Control
Goals
State
Functions
State
Knowledge
Models
State
Values
State
Estimation
State
Control
System
Under
Control
Measurements
& Commands
Sense
Hardware
Adapter
Commands
Act
Report
Telemetry
SAS_09_Technical_Weiss_AADL_PF
12

Take an Architectural Approach
Knowledge
Goals
Ground-to-Flight Migration
State
Functions
State and Models are Central
State
Explicit Use of Models
Estimation
System
Under
Measurements
Goal-Directed Operations
Control
& Commands
Closed-Loop Control
Resource Management
Separate State Estimation from State Control
Integral Fault Protection
Acknowledge State Uncertainty
Separate Data Management from Data Transport
Join Navigation with Attitude Control
Instrument the Software
Upward Compatibility
Mission Planning & Execution
Sense
Act
State
Knowledge
Models
Hardware
Adapter
Report
State
Values
State
Control
Commands
For more information on MDS, please visit: http://mds.jpl.nasa.gov
Telemetry
Control
Goals
SAS_09_Technical_Weiss_AADL_PF
13

State and Models are
Central
Data Ports between producer
and consumer tasks represent
state variables
Separate State
Estimation from State
Control
AADL Package concept
organizes and
compartmentalizes estimators
and controllers
Resource Management
MDS Architectural Theme
Explicit modeling of the
compute platform and
budget-based resource
analysis
AADL Modeling Approach
SAS_09_Technical_Weiss_AADL_PF
14

Mission Planning & Execution
Knowledge
Goals
Control
Goals
State
Functions
State
Knowledge
Models
State
Values
State
Estimation
State
Control
System
Under
Control
Measurements
& Commands
Sense
Hardware
Adapter
Commands
Act
Report
Telemetry
SAS_09_Technical_Weiss_AADL_PF
15

Topic 3:
SAS_09_Technical_Weiss_AADL_PF
16

Rover Wheel Control Example
Wheel 5 Wheel 3 Wheel 1
Drive
Thread
Drive
Thread
Drive
Thread
Steer
Thread
goals
goals
goals
goals
MDS Rover Example
goals
goals
Pilot Thread
goals
Rover Position
& Heading
State Variables
goals
Drive
Thread
Drive
Thread
Drive
Thread
Steer
Thread
Wheel 6
Wheel 4
Wheel 2
Any values in this presentation are illustrative and should not be
taken as representative of any existing MDS adaptation.
SAS_09_Technical_Weiss_AADL_PF
17

Analysis Plan
Task
Use the AADL Analysis Framework to
analyze the MDS Rover for Project Group
Eta. This is a IV&V project and existing
models are available for use.
Analysis
Critical Issues:
Resource Consumption – CPU
Utilization must not exceed 75%.
Components to Model:
Drive Control System
Analyses to Perform:
Schedulability
Logistics
Team:
John Smith – Lead
Jack Anderson – Developer
Paul Jones – Developer
Responsibilities:
John Smith – Review models and
analysis results
Jack Anderson – Develop and modify
model
Paul Jones – Analyze model
SAS_09_Technical_Weiss_AADL_PF
18

Analysis Plan (Detailed Analysis Summary)
Analysis Summary
Quality Attributes Important to the System
ID Quality Attribute Driving Issue
1
Performance:
Schedulability
Processor utilization must not exceed 75%.
Scope
Component Details Analysis Activity/Activities
Drive Control
System
Contains all the
controlling threads
Scheduling Analysis
Compute
Platform
Methods
Build model for
scheduling
analysis. Bind
and schedule
threads tool.
Contains Processor
Scheduling Analysis
Analysis Techniques
Properties
Components Required
Required
Period;
Compute_Execution
_Time;
Rover Wheel Control System -
Actual_Processor_ MDS adaptation
Binding;
Clock_Period
High
Priority
SAS_09_Technical_Weiss_AADL_PF
19

-- There are three thread types created.
-- 1.) Pilot thread (one for the vehicle)
-- 2.) Driving thread (one for each wheel)
-- 3.) Steering thread (for the front two wheels)
thread pilot
features
intent_in: in data port;
goals_input: in data port;
goals_output: out data port;
commands_in: port group;
commands_out: out data port;
end pilot;
-- base implementation
thread implementation pilot.rover
end pilot.rover;
-- driving and steering threads have the same interface
thread wheel
features
goals_input: in data port;
commands_out: port group;
end wheel;
thread implementation wheel.drive
end wheel.drive;
thread implementation wheel.steer
end wheel.steer;
Refine RA models
by creating various
controller threads
SAS_09_Technical_Weiss_AADL_PF
20

SAS_09_Technical_Weiss_AADL_PF
21

Property Description Property Association
Period
Time between each execution of
a periodically scheduled thread
Period => 50 ms
Compute_Execution_Time
Best and worst case execution
times of a thread.
Compute_Execution_Time => 2 Ms..3Ms
Actual_Processor_Binding
Threads must be bound to a Actual_Processor_Binding =>
processor in the model. MDSComputePlatform.MDSProcessor
Clock_Period
The cycle period for the
processor.
Clock_Period => 1000 ps
SAS_09_Technical_Weiss_AADL_PF
22

View Identifier: Rover Scheduling-1
Process Identifier (optional):
Scope: The rover drive control system
Perspective: Use thread, thread group,
process, and processor components.
Include all relevant scheduling
properties.
Constraints: Include only components
that contribute to the schedulability of the
drive control system.
Analyses: Using execution periods,
times, and processor clocks, assess the
schedulability of the drive control
system threads.
Specific Guidelines: Extract useful items
from existing models. Add necessary
threads for performing analysis.
Model File Name (*.aadl or *.aaxl): Rover_Scheduling_Model.aaxl
Results
Analysis ID Expected Results Actual Results Assessment and Action(s)
1 Load

MB-SQA is an effective approach to independently verifying and validating
quality attribute requirements
Demonstrated via the modeling and analysis of the Mission Data
System reference architecture
Camera Heater Control System Adaptation latency analysis
Rover Drive Control System Adaptation schedulability analysis
The AADL Practice Framework provides processes, tools, and artifacts for
performing MB-SQA in the IV&V context
A well-defined process with supporting infrastructure, not merely the
application of a modeling language
The AADL Practice Framework is currently being expanded to address
development V&V at JPL
“Integrating Model-Based Software Assurance using AADL into Software
Development V&V Process”
Apply AADL Practice Framework for Model-Based Software Quality
Assurance to a pilot project at the IV&V Facility
Original pilot was the Juno Project
Limited in scope due to schedule and budget constraints
SAS_09_Technical_Weiss_AADL_PF
24

Article:
Feiler P., Gluch D., Weiss K., Woodham K., “Model-Based
Software Quality Assurance with the Architecture Analysis and
Design Language”, Proceedings of AIAA Infotech @Aerospace 2009
(April 2009).
NASA reports:
Report on Applying the AADL to the Modeling and Analysis of the
MDS Architecture
Report on A Practice Framework for Model-Based Analysis Using
the Architecture Analysis & Design Language (AADL)
Juno Mini study Report: (5 person week effort) requested approval
for public release
Reports shortly available as SEI reports.