Safety, Dependability and Performance Analysis of Extended AADL Models 1 Marco Bozzano 2 Alessandro Cimatti 2 Marco Roveri 2 Joost-Pieter Katoen 1 Viet Yen Nguyen 1 Thomas Noll 1 1 Software Modelling and Verification Group RWTH Aachen University, Germany 2 Embedded Systems Group Fondazione Bruno Kessler, Italy ROCKS Kick-Off Meeting 28 September 2009 1 Funded by ESA/ESTEC under Contract No. 21171/07/NL/JD
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Safety, Dependability and PerformanceAnalysis of Extended AADL Models1
Marco Bozzano2 Alessandro Cimatti2 Marco Roveri2
Joost-Pieter Katoen1 Viet Yen Nguyen1 Thomas Noll1
1Software Modelling and Verification GroupRWTH Aachen University, Germany
2Embedded Systems GroupFondazione Bruno Kessler, Italy
ROCKS Kick-Off Meeting28 September 2009
1Funded by ESA/ESTEC under Contract No. 21171/07/NL/JD
Safety, Dependability and PerformanceAnalysis of Extended AADL Models
1. Scope2. AADL Syntax3. Formal Characterisation4. Injecting Faults5. COMPASS Toolset6. Conclusions
How System Engineers Build Space Systems (in Europe)
2009,Viet Yen Nguyen 3/23
AADL: Industry Standard for Modelling Embedded Systems
• 1989 MetaH
• 1998 SAE AS-2C
• 2004 AADL 1.0
• 2006 Error Annex
• 2009 AADL 2.0
ParadigmI Architecture-based and
model-driven top-down andbottom-up engineering
I Real-time and performancecritical distributed systems
I Complements component-basedproduct-line development
2009,Viet Yen Nguyen 4/23
Integrated and Coherent Approach for Codesigning Systems
Modelling LanguageI AADL + Error AnnexI Hardware/SoftwareI Error PropagationI Recovery MechanismsI Timing, Probability, HybridI Formal Semantics
COMPASS ToolsetI NuSMVI FSAPI RATI SigrefI MRMC
AnalysesI Symbolic Model CheckingI SAT-SolvingI Probabilistic Model CheckingI FTAI FMEA
Case StudiesI Satellite Thermal Regulation
ManagerI Satellite FDIRI European Train Control
System Level 3
2009,Viet Yen Nguyen 5/23
Integrated and Coherent Approach for Codesigning Systems
Modelling LanguageI AADL + Error AnnexI Hardware/SoftwareI Error PropagationI Recovery MechanismsI Timing, Probability, HybridI Formal Semantics
COMPASS ToolsetI NuSMVI FSAPI RATI SigrefI MRMC
AnalysesI Symbolic Model CheckingI SAT-SolvingI Probabilistic Model CheckingI FTAI FMEA
Case StudiesI Satellite Thermal Regulation
ManagerI Satellite FDIRI European Train Control
System Level 3
2009,Viet Yen Nguyen 5/23
Integrated and Coherent Approach for Codesigning Systems
Modelling LanguageI AADL + Error AnnexI Hardware/SoftwareI Error PropagationI Recovery MechanismsI Timing, Probability, HybridI Formal Semantics
COMPASS ToolsetI NuSMVI FSAPI RATI SigrefI MRMC
AnalysesI Symbolic Model CheckingI SAT-SolvingI Probabilistic Model CheckingI FTAI FMEA
Case StudiesI Satellite Thermal Regulation
ManagerI Satellite FDIRI European Train Control
System Level 3
2009,Viet Yen Nguyen 5/23
AADL Syntax
AADL Example: Redundant Power System
Power
primary
backup
batt1
voltage
empty
voltage
batt2
voltage
empty
We shall show:I hybrid behaviour of the batteries,I composition of the power system,I formalisation to automata,I semantics as transition systems,I interweaving of errors.
2009,Viet Yen Nguyen 7/23
AADL: Modelling the BatteryComponent Type and Implementation
device type Battery
featuresempty: out event port;voltage: out data port real initially 6.0;
end Battery;
device implementation Battery.Imp
subcomponentsenergy: data continuous initially 100.0;
modescharged: activation modewhile energy’=-0.02 and energy>=20.0;
depleted: modewhile energy’=-0.03;
transitionscharged -[]-> charged;charged -[empty]-> depleted;depleted -[]-> depleted;
end Battery.Imp;
2009,Viet Yen Nguyen 8/23
AADL: Modelling the BatteryComponent Type Defines the Interface
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
end Battery;
device implementation Battery.Imp
subcomponentsenergy: data continuous initially 100.0;
modescharged: activation modewhile energy’=-0.02 and energy>=20.0;
depleted: modewhile energy’=-0.03;
transitionscharged -[]-> charged;charged -[empty]-> depleted;depleted -[]-> depleted;
end Battery.Imp;
2009,Viet Yen Nguyen 8/23
AADL: Modelling the BatteryAdding Modes Behaviour
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
end Battery;
device implementation Battery.Imp
subcomponentsenergy: data continuous initially 100.0;
modescharged: activation mode
while energy’=-0.02 and energy>=20.0;
depleted: mode
while energy’=-0.03;
transitionscharged -[]-> charged;charged -[empty]-> depleted;depleted -[]-> depleted;
end Battery.Imp;
2009,Viet Yen Nguyen 8/23
AADL: Modelling the BatteryAdding Hybrid Behaviour
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged: activation modewhile energy’=-0.02 and energy>=20.0;
depleted: modewhile energy’=-0.03;
transitionscharged -[then voltage:=energy/50.0+4.0]-> charged;charged -[empty when energy<=20.0]-> depleted;depleted -[then voltage:=energy/50.0+4.0]-> depleted;
end Battery.Imp;
2009,Viet Yen Nguyen 8/23
AADL: Modelling the Redundant Power SystemPower System with Battery Subcomponents
system Powerfeaturesvoltage: out data port real;
end Power;
system implementation Power.Impsubcomponentsbatt1: device Battery.Impbatt2: device Battery.Imp
connectionsdata port batt1.voltage -> voltage in modes (primary);data port batt2.voltage -> voltage in modes (backup);
modesprimary: initial mode;backup: mode;
transitionsprimary -[batt1.empty]-> backup;backup -[batt2.empty]-> primary;
end Power.Imp;
2009,Viet Yen Nguyen 9/23
AADL: Modelling the Redundant Power SystemAdding Dynamic Reconfiguration
system Powerfeaturesvoltage: out data port real;
end Power;
system implementation Power.Impsubcomponentsbatt1: device Battery.Imp in modes (primary);batt2: device Battery.Imp in modes (backup);
connectionsdata port batt1.voltage -> voltage in modes (primary);data port batt2.voltage -> voltage in modes (backup);
modesprimary: initial mode;backup: mode;
transitionsprimary -[batt1.empty]-> backup;backup -[batt2.empty]-> primary;
end Power.Imp;
2009,Viet Yen Nguyen 9/23
AADL: Modelling the Redundant Power SystemAdding Port Connections
system Powerfeaturesvoltage: out data port real;
end Power;
system implementation Power.Impsubcomponentsbatt1: device Battery.Imp in modes (primary);batt2: device Battery.Imp in modes (backup);
connectionsdata port batt1.voltage -> voltage in modes (primary);data port batt2.voltage -> voltage in modes (backup);
modesprimary: initial mode;backup: mode;
transitionsprimary -[batt1.empty]-> backup;backup -[batt2.empty]-> primary;
end Power.Imp;
2009,Viet Yen Nguyen 9/23
Formal Characterisation
Formalising AADL Components as Event-Data Automata
Definition (Event-Data Automaton)
An event-data automaton (EDA) is a tuple
A = (M ,m0,X , v0, ι,E , −→ )
withI M finite set of modesI m0 ∈ M initial modeI X = IX ]OX ] LX finite set of input/output/local variablesI V := {v | v : X → . . .} valuationsI v0 ∈ V initial valuationI ι : M → (V → B) mode invariants (where ι(m0, v0) = true)I E = IE ]OE finite set of input/output eventsI −→ ⊆M × Eτ︸︷︷︸
trigger
× (V → B)︸ ︷︷ ︸guard
× (V → V )︸ ︷︷ ︸effect
×M
(mode) transition relation (where Eτ := E ∪ {τ})
2009,Viet Yen Nguyen 11/23
Formalising AADL Components as Event-Data Automata
I AADL modes/invariants/transitions; EDA modes/invariants/transitions
I Incoming/outgoing data ports ; input/output variablesI Data subcomponents ; local variablesI AADL incoming/outgoing event ports ; EDA input/output events
Example (Battery)I M = {charged, depleted}, m0 = charged
I IX = ∅, OX = {voltage}I LX = {energy}I IE = ∅, OE = {empty}
2009,Viet Yen Nguyen 12/23
Formalising AADL Components as Event-Data Automata
I AADL modes/invariants/transitions; EDA modes/invariants/transitions
I Incoming/outgoing data ports ; input/output variables
I Data subcomponents ; local variablesI AADL incoming/outgoing event ports ; EDA input/output events
Example (Battery)I M = {charged, depleted}, m0 = chargedI IX = ∅, OX = {voltage}
I LX = {energy}I IE = ∅, OE = {empty}
2009,Viet Yen Nguyen 12/23
Formalising AADL Components as Event-Data Automata
I AADL modes/invariants/transitions; EDA modes/invariants/transitions
I Incoming/outgoing data ports ; input/output variablesI Data subcomponents ; local variables
I AADL incoming/outgoing event ports ; EDA input/output events
Example (Battery)I M = {charged, depleted}, m0 = chargedI IX = ∅, OX = {voltage}I LX = {energy}
I IE = ∅, OE = {empty}
2009,Viet Yen Nguyen 12/23
Formalising AADL Components as Event-Data Automata
I AADL modes/invariants/transitions; EDA modes/invariants/transitions
I Incoming/outgoing data ports ; input/output variablesI Data subcomponents ; local variablesI AADL incoming/outgoing event ports ; EDA input/output events
Example (Battery)I M = {charged, depleted}, m0 = chargedI IX = ∅, OX = {voltage}I LX = {energy}I IE = ∅, OE = {empty}
2009,Viet Yen Nguyen 12/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 40.0, voltage = 4.8〉↓ 10.0
〈mode = charged, energy = 20.0, voltage = 4.8〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 20.0, voltage = 4.4〉↓ empty
〈mode = depleted, energy = 20.0, voltage = 4.4〉↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉
↓ 30.0〈mode = charged, energy = 40.0, voltage = 6.0〉
↓ τ〈voltage:=...〉〈mode = charged, energy = 40.0, voltage = 4.8〉
↓ 10.0〈mode = charged, energy = 20.0, voltage = 4.8〉
↓ τ〈voltage:=...〉〈mode = charged, energy = 20.0, voltage = 4.4〉
↓ empty〈mode = depleted, energy = 20.0, voltage = 4.4〉
↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉
↓ τ〈voltage:=...〉〈mode = charged, energy = 40.0, voltage = 4.8〉
↓ 10.0〈mode = charged, energy = 20.0, voltage = 4.8〉
↓ τ〈voltage:=...〉〈mode = charged, energy = 20.0, voltage = 4.4〉
↓ empty〈mode = depleted, energy = 20.0, voltage = 4.4〉
↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 40.0, voltage = 4.8〉
↓ 10.0〈mode = charged, energy = 20.0, voltage = 4.8〉
↓ τ〈voltage:=...〉〈mode = charged, energy = 20.0, voltage = 4.4〉
↓ empty〈mode = depleted, energy = 20.0, voltage = 4.4〉
↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 40.0, voltage = 4.8〉↓ 10.0
〈mode = charged, energy = 20.0, voltage = 4.8〉
↓ τ〈voltage:=...〉〈mode = charged, energy = 20.0, voltage = 4.4〉
↓ empty〈mode = depleted, energy = 20.0, voltage = 4.4〉
↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 40.0, voltage = 4.8〉↓ 10.0
〈mode = charged, energy = 20.0, voltage = 4.8〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 20.0, voltage = 4.4〉
↓ empty〈mode = depleted, energy = 20.0, voltage = 4.4〉
↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 40.0, voltage = 4.8〉↓ 10.0
〈mode = charged, energy = 20.0, voltage = 4.8〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 20.0, voltage = 4.4〉↓ empty
〈mode = depleted, energy = 20.0, voltage = 4.4〉
↓ · · ·
2009,Viet Yen Nguyen 13/23
LTS Semantics of Event-Data Automata
I States := M ×VI Transitions: timed or internal or event-labeled
Example (Battery)
〈mode = charged, energy = 100.0, voltage = 6.0〉↓ 30.0
〈mode = charged, energy = 40.0, voltage = 6.0〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 40.0, voltage = 4.8〉↓ 10.0
〈mode = charged, energy = 20.0, voltage = 4.8〉↓ τ〈voltage:=...〉
〈mode = charged, energy = 20.0, voltage = 4.4〉↓ empty
〈mode = depleted, energy = 20.0, voltage = 4.4〉↓ · · ·
2009,Viet Yen Nguyen 13/23
Complete AADL Specifications as Networks of EDAs
Dynamic reconfiguration=⇒ component activity and port connections mode dependent
Definition (Networks of Event-Data Automata)
A network of event-data automata (NEDA) is a tuple
N = ((Ai)i∈[n], α,EC ,DC )
with n ≥ 1, [n] := {1, . . . , n}, andI each Ai an EDA Ai = (Mi,m
i0,Xi, v
i0, ιi,Ei, −→ i)
I M :=∏ni=1 Mi set of global modes
I α : M → 2[n] activation mappingI EC : M → ({i.e | i ∈ [n], e ∈ Ei})2 event connection mappingI DC : M → ({i.x | i ∈ [n], x ∈ Xi})2 data connection mapping
2009,Viet Yen Nguyen 14/23
Complete AADL Specifications as Networks of EDAs
I AADL subcomponent in modes declarations; activation mapping:
I root component always activeI c active and in mode m, sc is subcomponent of c, sc in modes m
=⇒ sc active
Example (Power System)
For Power︸ ︷︷ ︸1
/Battery1︸ ︷︷ ︸2
/Battery2︸ ︷︷ ︸3
:
I α(primary, charged, charged) = {1, 2}α(primary, charged, depleted) = {1, 2}
. . .α(backup, charged, depleted) = {1, 3}
. . .
2009,Viet Yen Nguyen 15/23
Complete AADL Specifications as Networks of EDAs
I AADL event/data connections ; EC /DC mappings:follow all end-to-end chains of port connections
c c’
in−to−in
out−to−in
out−to−out
Root
Example (Power System)
For Power︸ ︷︷ ︸1
/Battery1︸ ︷︷ ︸2
/Battery2︸ ︷︷ ︸3
:
I EC (primary,m1,m2) = {(2.empty, 1.batt1.empty)}EC (backup,m1,m2) = {(3.empty, 1.batt2.empty)}
DC (primary,m1,m2) = {(2.voltage, 1.voltage)}DC (backup,m1,m2) = {(3.voltage, 1.voltage)}
2009,Viet Yen Nguyen 15/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
LTS Semantics of NEDAs
I States := (M1 ×V1)× . . .× (Mn ×Vn)I Transitions determined by active EDAs:
1. Perform local transitions:I timed local transition in all EDAs orI internal transition in EDA orI multiway event communication from EDA to ≥ 1 connected EDAs
2. Initialize (re-)activated subcomponents3. Establish consistency w.r.t. DC (copy source→ target data port)
Example (Power system)〈m=primary, v=6.0〉 〈m=charged, e=100.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=primary, v=6.0〉 〈m=charged, e=20.0, v=6.0〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈voltage:=...〉〈m=primary, v=4.4〉 〈m=charged, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ τ〈empty〉〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=100.0, v=6.0〉
⇓ 40.0〈m=backup, v=6.0〉 〈m=depleted, e=20.0, v=4.4〉 〈m=charged, e=20.0, v=6.0〉
⇓ · · ·
2009,Viet Yen Nguyen 16/23
Injecting Faults
Specifying Faulty Behavior
error model BatteryFailurefeatures
ok: initial state;dead: error state;batteryDied: out error propagation;
end BatteryFailure;
error model implementation BatteryFailure.Impevents
fault: error event occurrence poisson 0.01;transitions
ok -[fault]-> dead;dead -[batteryDied]-> dead;
end BatteryFailure.Imp;
Fault InjectionIn error state dead, voltage:=0
2009,Viet Yen Nguyen 18/23
Specifying Faulty Behavior
error model BatteryFailurefeatures
ok: initial state;dead: error state;batteryDied: out error propagation;
end BatteryFailure;
error model implementation BatteryFailure.Impevents
fault: error event occurrence poisson 0.01;transitions
ok -[fault]-> dead;dead -[batteryDied]-> dead;
end BatteryFailure.Imp;
Fault InjectionIn error state dead, voltage:=0
2009,Viet Yen Nguyen 18/23
Battery ComponentNominal Specification
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
batteryDied: out event port;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged: activation mode while ...;
charged#ok: activation mode while ...;
depleted: mode while ...;
depleted#ok, charged#dead, depleted#dead: mode while ...;
transitionscharged -[then voltage:=...]-> charged;
charged#ok -[then voltage:=...]-> charged#ok;
charged -[empty when energy<=20.0]-> depleted;
charged#ok -[empty when energy<=20.0]-> depleted#ok;
depleted -[then voltage:=...]-> depleted;
depleted#ok -[then voltage:=...]-> depleted#ok;charged#ok -[then voltage:=0]-> charged#dead;depleted#ok -[then voltage:=0]-> depleted#dead;charged#dead -[then voltage:=0]-> charged#dead;charged#dead -[empty when energy<=20.0]-> depleted#dead;depleted#dead -[then voltage:=0]-> depleted#dead;depleted#dead -[batteryDied]-> depleted#dead;charged#dead -[batteryDied]-> charged#dead;
end Battery.Imp;2009,Viet Yen Nguyen 19/23
Battery Component After Model ExtensionProduct Construction for Modes and Error States
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
batteryDied: out event port;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged#ok: activation mode while ...;depleted#ok, charged#dead, depleted#dead: mode while ...;
transitionscharged -[then voltage:=...]-> charged;
charged#ok -[then voltage:=...]-> charged#ok;
charged -[empty when energy<=20.0]-> depleted;
charged#ok -[empty when energy<=20.0]-> depleted#ok;
depleted -[then voltage:=...]-> depleted;
depleted#ok -[then voltage:=...]-> depleted#ok;charged#ok -[then voltage:=0]-> charged#dead;depleted#ok -[then voltage:=0]-> depleted#dead;charged#dead -[then voltage:=0]-> charged#dead;charged#dead -[empty when energy<=20.0]-> depleted#dead;depleted#dead -[then voltage:=0]-> depleted#dead;depleted#dead -[batteryDied]-> depleted#dead;charged#dead -[batteryDied]-> charged#dead;
end Battery.Imp;2009,Viet Yen Nguyen 19/23
Battery Component After Model ExtensionIntegrate Nominal Transitions
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
batteryDied: out event port;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged#ok: activation mode while ...;depleted#ok, charged#dead, depleted#dead: mode while ...;
transitionscharged#ok -[then voltage:=...]-> charged#ok;charged#ok -[empty when energy<=20.0]-> depleted#ok;depleted#ok -[then voltage:=...]-> depleted#ok;
charged#ok -[then voltage:=0]-> charged#dead;depleted#ok -[then voltage:=0]-> depleted#dead;charged#dead -[then voltage:=0]-> charged#dead;charged#dead -[empty when energy<=20.0]-> depleted#dead;depleted#dead -[then voltage:=0]-> depleted#dead;depleted#dead -[batteryDied]-> depleted#dead;charged#dead -[batteryDied]-> charged#dead;
end Battery.Imp;2009,Viet Yen Nguyen 19/23
Battery Component After Model ExtensionAdd Fault Injections
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
batteryDied: out event port;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged#ok: activation mode while ...;depleted#ok, charged#dead, depleted#dead: mode while ...;
transitionscharged#ok -[then voltage:=...]-> charged#ok;charged#ok -[empty when energy<=20.0]-> depleted#ok;depleted#ok -[then voltage:=...]-> depleted#ok;charged#ok -[then voltage:=0]-> charged#dead;depleted#ok -[then voltage:=0]-> depleted#dead;
charged#dead -[then voltage:=0]-> charged#dead;charged#dead -[empty when energy<=20.0]-> depleted#dead;depleted#dead -[then voltage:=0]-> depleted#dead;depleted#dead -[batteryDied]-> depleted#dead;charged#dead -[batteryDied]-> charged#dead;
end Battery.Imp;2009,Viet Yen Nguyen 19/23
Battery Component After Model ExtensionNominal Transitions with Fault Effects
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;
batteryDied: out event port;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged#ok: activation mode while ...;depleted#ok, charged#dead, depleted#dead: mode while ...;
transitionscharged#ok -[then voltage:=...]-> charged#ok;charged#ok -[empty when energy<=20.0]-> depleted#ok;depleted#ok -[then voltage:=...]-> depleted#ok;charged#ok -[then voltage:=0]-> charged#dead;depleted#ok -[then voltage:=0]-> depleted#dead;charged#dead -[then voltage:=0]-> charged#dead;charged#dead -[empty when energy<=20.0]-> depleted#dead;depleted#dead -[then voltage:=0]-> depleted#dead;
depleted#dead -[batteryDied]-> depleted#dead;charged#dead -[batteryDied]-> charged#dead;
end Battery.Imp;2009,Viet Yen Nguyen 19/23
Battery Component After Model ExtensionAdd Error Propagations
device type Batteryfeaturesempty: out event port;voltage: out data port real initially 6.0;batteryDied: out event port;
end Battery;
device implementation Battery.Impsubcomponentsenergy: data continuous initially 100.0;
modescharged#ok: activation mode while ...;depleted#ok, charged#dead, depleted#dead: mode while ...;
transitionscharged#ok -[then voltage:=...]-> charged#ok;charged#ok -[empty when energy<=20.0]-> depleted#ok;depleted#ok -[then voltage:=...]-> depleted#ok;charged#ok -[then voltage:=0]-> charged#dead;depleted#ok -[then voltage:=0]-> depleted#dead;charged#dead -[then voltage:=0]-> charged#dead;charged#dead -[empty when energy<=20.0]-> depleted#dead;depleted#dead -[then voltage:=0]-> depleted#dead;depleted#dead -[batteryDied]-> depleted#dead;charged#dead -[batteryDied]-> charged#dead;
end Battery.Imp;2009,Viet Yen Nguyen 19/23
COMPASS Toolset &Conclusions
First Version of Toolset is Up & Running as of April 2009
AnalysesI Requirements ConsistencyI SimulationI BDD + SAT-based Bounded Model
CheckingI Hybrid Systems SMT-based
Bounded Model CheckingI Probabilistic Model CheckingI (Prob.) Dynamic Fault TreeI Failure Modes and Effects TablesI Fault ToleranceI DiagnosabilityI Fault Detection, Isolation & Recovery
2009,Viet Yen Nguyen 21/23
Summary + What Hasn’t Been DiscussedFirst ResultFormal semantics of AADL and its Error Annex in terms of (Networkof) Event-Data Automata.
Second ResultAnalyses for correctness, performance, dependability and RAMSaspects over these models with graphical tool support.
AlsoI AADL Standards Body (plans to incorporate our extensions)I Underlying formal models (TwinPlant, Markov Chains, etc.)I Underlying algorithms (lumping, transient, SMT, etc.)I Issues (numerical stability, bottlenecks, usability, etc.)I Case studies (satellite, ETCS)I Demo of toolset (GUI and console)I Comparison to other tools and approaches (BIP, Arcade, etc.)I Methodological integration (into ECSS framework)
2009,Viet Yen Nguyen 22/23
Summary + What Hasn’t Been DiscussedFirst ResultFormal semantics of AADL and its Error Annex in terms of (Networkof) Event-Data Automata.
Second ResultAnalyses for correctness, performance, dependability and RAMSaspects over these models with graphical tool support.
AlsoI AADL Standards Body (plans to incorporate our extensions)I Underlying formal models (TwinPlant, Markov Chains, etc.)I Underlying algorithms (lumping, transient, SMT, etc.)I Issues (numerical stability, bottlenecks, usability, etc.)I Case studies (satellite, ETCS)I Demo of toolset (GUI and console)I Comparison to other tools and approaches (BIP, Arcade, etc.)I Methodological integration (into ECSS framework)
2009,Viet Yen Nguyen 22/23
References
By Marco Bozzano, Alessandro Cimatti, Joost-Pieter Katoen,Viet Yen Nguyen, Thomas Noll and Marco Roveri:
I Codesign of Dependable Systems: A Component-BasedModeling Language in proceedings of 7th MEMOCODE, 2009.
I The COMPASS Approach: Correctness, Modelling andPerformability of Aerospace Systems in proceedings of 28thSAFECOMP, 2009.
I Verification and Performance Evaluation of AADL Models inproceedings of ESEC/FSE, 2009.
I Model-Based Codesign of Critical Embedded Systems inproceedings of 2nd ACES-MB, 2009.
Slides of COMPASS 2009 workshop talks at ETAPS’09 are available:
compass.informatik.rwth-aachen.de
2009,Viet Yen Nguyen 23/23
Related Documents
