Cadena: An Integrated Environment for Developing High-Assurance Component-based Systems

About This Presentation
Title:

Cadena: An Integrated Environment for Developing High-Assurance Component-based Systems

Slides: 66
Provided by: johnh284
Transcript and Presenter's Notes

Title: Cadena: An Integrated Environment for Developing High-Assurance Component-based Systems


1
Cadena: An Integrated Environment for Developing
High-Assurance Component-based Systems
SAnToS Laboratory, Kansas State University, USA
http://www.cis.ksu.edu/cadena
Principal Investigators: Matt Dwyer, John Hatcliff, Masaaki Mizuno, Mitch Neilsen, Gurdip Singh
Students: William Deng, Georg Jung, Shufeng Li, Venkatesh Ranganath, Ye Su, Paul Zeng
2
Goals of the Project
  • light-weight specification, analysis, and verification techniques
    • specification and analysis of inter/intra-component dependencies
    • leverage dependency information to provide advice about real-time, distribution, and scheduling aspects
    • reasoning about modal behavior using model-checking technology
  • component-based product-line development
    • reduce cost across the life-cycle of multiple platform development using loosely-coupled components
  • RT CORBA middleware infrastructure
    • assess the extent to which program generation/transformation can be used to obtain certifiable middleware
    • experimentation with other RC-ATC supported components (MACH Data Service, FACET event-channel)
3
Key Leverage: CCM IDL
4
Analysis & Verification of Fighter Aircraft
Mission Control Systems
  • Mission-control software for Boeing military
    aircraft, e.g., F-18 E/F, Harrier, UCAV
  • Boeing's Bold Stroke Avionics Middleware
  • CORBA event-based systems
  • Focus is developing a rigorous design process
    with formal design artifacts that can be
    automatically checked for common design flaws

5
Boeing Bold Stroke Platform
(diagram labels)
Periodic & Aperiodic
Constrained Tactical Links
Many Computers
Mission Computer
Multiple Safety Criticalities
Radar
Vehicle Mgmt
COTS
Information Security
Multiple Buses
O(10^6) Lines of Code
Hard & Soft Real-Time
6
Control-Push Data-Pull
Typical situation: Component A computes some data that is to be read
by one or more components B1, ..., Bk
(diagram: A with data connections to B1 ... Bk)
7
Control-Push Data-Pull Structure
1. Logical GPS component receives a periodic event indicating that it should read the physical GPS device.
2. Logical GPS publishes DATA_AVAILABLE event
3. Airframe component fetches GPS data by calling GPS GetData method
4. Airframe updates its position data and publishes DATA_AVAILABLE event
5. NavDisplay component fetches AirFrame data by calling AirFrame GetData method
6. NavDisplay updates the physical display
8
Larger Configuration
moving up to 1000 components
9
System Design Aspects
Declare rates/priorities for intermediate event handlers
10
Development Process
Component Development
11
Current Challenges
  • Systems with 1000 components
  • Development team of 100 developers
  • Process moves directly from informal textual requirements documents to C++ coding (!)
  • UML artifacts (e.g., collaboration diagrams) are usually produced only as documentation
    • not automatically analyzed
    • not leveraged in any way to, e.g., generate configuration information
    • usually show partial descriptions and are not maintained
  • Still resistance by legacy developers to higher-level descriptions
    • moving away from machine code has been difficult for some developers

12
Next
Shortcomings in Bold Stroke development that we will attempt to address
13
Lack of Modeling
Informal natural language requirements
C++ component library development
<CONFIGURATION_PASS> <HOME> <>
  <COMPONENT> <ID> <></ID>
    <EVENT_SUPPLIER> <events this component supplies> </EVENT_SUPPLIER>
  </COMPONENT> </HOME> </CONFIGURATION_PASS>
XML configurator information
  • Current development includes little high-level modeling
  • Design errors appear late in the development cycle and correction is more costly
    • what are the ramifications of switching from lazy-active to eager-active components?
    • what are the ramifications of distributing components to different boards?

14
Unleveraged Artifacts
  • Current design/model artifacts are used as informal documentation
    • not connected to analysis/visualization tools
    • not connected to configuration generation
    • not connected to code generation

15
Lack of Model Analysis
Boeing OEP Challenge Problems
1. Forward & backward data and event dependencies
2. Dependency intersections
3. Components with high data coupling
also mode-aware dependencies
16
Lack of Model Analysis
Boeing OEP Challenge Problems
If component 1 is in mode A when component 2
produces event E, then component 3 will consume
event F (Section 4.1.5.3.6)
A temporal property well-suited for
model-checking!
17
No Unifying Mechanism
(diagram: a "?" in place of a unifying mechanism between the following artifacts)
C++ Component Code
UML Design Artifacts
<CONFIGURATION_PASS> <HOME> <>
  <COMPONENT> <ID> <></ID>
    <EVENT_SUPPLIER> <events this component supplies> </EVENT_SUPPLIER>
  </COMPONENT> </HOME> </CONFIGURATION_PASS>
High-level Specification Language
Bold Stroke XML Configurator Info
Integrated Development Environment
Analysis and QoS Aspect Synthesis
18
Cadena
CCM Interface Definition Language
Java/C++ Component Code
RT Extensions
UML Design Artifacts
State Transitions
System Configuration
<CONFIGURATION_PASS> <HOME> <>
  <COMPONENT> <ID> <></ID>
    <EVENT_SUPPLIER> <events this component supplies> </EVENT_SUPPLIER>
  </COMPONENT> </HOME> </CONFIGURATION_PASS>
High-level Specification Language
Eclipse Plug-In
Bold Stroke XML Configurator Info
Integrated Development Environment
Analysis and QoS Aspect Synthesis
19
Next
Cadena functionality and capabilities
20
Example System
21
Example System
Basic components seen earlier
22
Example System
Navigation Steering Subsystem
23
Example System
Tactical Steering Subsystem
24
Example System
Display Control
25
Outline
26
Component Ports
CORBA 3 CCM IDL
eventtype TimeOut {};
eventtype DataAvailable {};
interface ReadData {
  readonly attribute any data;
};
component BMDevice {
  consumes TimeOut timeout;
  publishes DataAvailable dataCurrent;
  provides ReadData dataOut;
};
27
Component Ports
CORBA 3 CCM IDL
eventtype TimeOut {};
eventtype DataAvailable {};
interface ReadData {
  readonly attribute any data;
};
component BMDevice {
  consumes TimeOut timeout;
  publishes DataAvailable dataCurrent;
  provides ReadData dataOut;
};
event source
28
Component Ports
CORBA 3 CCM IDL
eventtype TimeOut {};
eventtype DataAvailable {};
interface ReadData {
  readonly attribute any data;
};
component BMDevice {
  consumes TimeOut timeout;
  publishes DataAvailable dataCurrent;
  provides ReadData dataOut;
};
data source (facet)
29
Component Code Generation
Currently in Bold Stroke
8-12 classes drawn by hand in Rational Rose, then
code templates generated from this (component
structure must be re-specified each time).
(diagram: Rational Rose class diagram with tacticalSteering and BM__ModalComponent classes, each with Push() and GetData() operations)
30
Outline
31
Cadena Component Assembly
abstract distribution nodes
system ModalSP {
  locations l1, l2, l3;
  rates 1, 5, 20, 60;
  instance AirFrame of BMLazyActive on l2 {
    connect dataAvailable to GPS.dataCurrent atRate 20;
    connect dataIn to GPS.dataOut;
  }
  instance GPS of BMDevice on l2 {
    connect timeout to EventChannel.timeout20;
  }
}
32
Cadena Component Assembly
(ModalSP assembly as on slide 31)
rate group declaration: rates 1, 5, 20, 60;
33
Cadena Component Assembly
(ModalSP assembly as on slide 31)
create instance of LazyActive component called AirFrame: instance AirFrame of BMLazyActive on l2
34
Cadena Component Assembly
(ModalSP assembly as on slide 31)
connect event INPUT port of current component to event OUTPUT port of GPS component: connect dataAvailable to GPS.dataCurrent atRate 20;
35
Cadena Component Assembly
(ModalSP assembly as on slide 31)
connect data INPUT port of current component to data OUTPUT port of GPS component: connect dataIn to GPS.dataOut;
36
Cadena Component Assembly
(ModalSP assembly as on slide 31)
create instance of DeviceComponent called GPS: instance GPS of BMDevice on l2
37
Cadena Component Assembly
(ModalSP assembly as on slide 31)
connect event INPUT port of current component to event OUTPUT port of EventChannel: connect timeout to EventChannel.timeout20;
38
Cadena Component Assembly
39
Cadena Visualization
40
Code Generation Overview
Component Code Generation

BM.Device
BM.LazyActive
BM.Modal
41
Outline
42
Light-weight Dependency Specs
dependencydefault none;
dependencies {
  dataWriteOut.set_data() -> outDataAvailable;
}
behavior { ... }
43
Light-weight Dependency Specs
dependencydefault all;
dependencies {
  modeChange() -> ;
  case modeChange.modeVar of {
    enabled:  inDataAvailable -> dataIn.get_data(), outDataAvailable;
    disabled: inDataAvailable -> ;
  }
}
behavior { ... }
44
Light-weight Dependency Specs
(mode-aware dependency spec as on slide 43)
45
Light-weight Dependency Specs
(mode-aware dependency spec as on slide 43)
46
Aspect Synthesis
Dependency-driven rate assignment to event handlers
(diagram: component graph with event-handler rates annotated, 1Hz, 5Hz and 20Hz)
47
Cadena User Interface
48
Aspect Synthesis
Look at coupling and traffic as indicated by rates
Synthesis of distribution information
(diagram: component graph with event-handler rates annotated, 1Hz, 5Hz and 20Hz)
49
Aspect Synthesis
Replacing asynchronous message delivery with synchronous method calls (the two components must be co-located and run at the same rate)
Automatic detection of optimization opportunities
(diagram: component graph with event-handler rates annotated, 1Hz, 5Hz and 20Hz)
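The mode-aware dependency specs of slides 42-45 and the dependency-driven rate assignment of slides 46 and 49 can be exercised on a small model. This is an added example, not part of the original presentation or of the Cadena tool: the assembly (GPS, AirFrame, NavSteering, NavDisplay, plus an assumed Radar/TacticalSteering chain in a 5Hz rate group) and the dependency table are constructed from the slides' names; closure() computes forward or backward dependencies (challenge problem 1 on slide 15) under a mode assignment, and assign_rates() propagates each rate group's timeout rate through that closure.

```python
# Added example, not Cadena's own code: a toy model of the slides' mode-aware
# dependency specs (slides 15, 42-46) and dependency-driven rate assignment (slides 46, 49).
# Names follow the ModalSP system on the slides; Radar and TacticalSteering are assumed.
from collections import deque
# (component type, mode) -> {input port: output ports it can trigger}; mode None means
# the type is not modal (cf. "enabled: inDataAvailable -> dataIn.get_data(), outDataAvailable").
DEPENDENCIES = {
    ("BMDevice", None): {"timeout": ["dataCurrent"]},
    ("BMLazyActive", None): {"inDataAvailable": ["dataIn", "outDataAvailable"]},
    ("BMModal", "enabled"): {"inDataAvailable": ["dataIn", "outDataAvailable"]},
    ("BMModal", "disabled"): {"inDataAvailable": []},
}
INSTANCES = {"GPS": "BMDevice", "Radar": "BMDevice", "AirFrame": "BMLazyActive",
             "NavSteering": "BMModal", "TacticalSteering": "BMModal", "NavDisplay": "BMLazyActive"}
RATE_GROUPS = {"EventChannel.timeout20": 20, "EventChannel.timeout5": 5}
# Inter-component edges: event source -> consumer port, or receptacle -> facet for the
# control-push data-pull get_data() calls of slide 7 (constructed assembly).
CONNECTIONS = [
    ("EventChannel.timeout20", "GPS.timeout"), ("EventChannel.timeout5", "Radar.timeout"),
    ("GPS.dataCurrent", "AirFrame.inDataAvailable"), ("AirFrame.dataIn", "GPS.dataOut"),
    ("AirFrame.outDataAvailable", "NavSteering.inDataAvailable"), ("NavSteering.dataIn", "AirFrame.dataOut"),
    ("Radar.dataCurrent", "TacticalSteering.inDataAvailable"), ("TacticalSteering.dataIn", "Radar.dataOut"),
    ("NavSteering.outDataAvailable", "NavDisplay.inDataAvailable"), ("NavDisplay.dataIn", "NavSteering.dataOut"),
    ("TacticalSteering.outDataAvailable", "NavDisplay.inDataAvailable"),
]

def edges(modes):
    """All directed dependency edges of the assembly under one mode assignment."""
    es = list(CONNECTIONS)
    for inst, ctype in INSTANCES.items():
        for in_port, outs in DEPENDENCIES[(ctype, modes.get(inst))].items():
            es += [(f"{inst}.{in_port}", f"{inst}.{out}") for out in outs]
    return es
def closure(start, modes, backward=False):
    """Ports that `start` can affect (forward) or that can affect it (backward)."""
    es = [(d, s) for s, d in edges(modes)] if backward else edges(modes)
    seen, queue = {start}, deque([start])
    while queue:
        port = queue.popleft()
        for src, dst in es:
            if src == port and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}
def assign_rates(modes):
    """Slide 46: a port inherits the rate of every rate-group timeout whose forward closure
    reaches it; two rates on one port is the slide-49 co-location/rate conflict."""
    rates = {}
    for timeout, hz in RATE_GROUPS.items():
        for port in closure(timeout, modes):
            rates.setdefault(port, set()).add(hz)
    return rates
```

With both steering components enabled, NavDisplay.inDataAvailable is reached from both rate groups and is reported with {5, 20}; disabling TacticalSteering cuts the 5Hz chain at its inDataAvailable port, which is exactly the mode-dependent behaviour the challenge problem on slide 16 asks about.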
50
Outline
51
Ultimate Modeling View
CCM IDL Model Layer
Check mode behaviors, temporal properties, timing
constraints
Generate code, fill-in skeletons, check for
refinement
52
Component Behavior
input ports
component BMModal {
  uses ReadData dataIn;
  consumes DataAvailable inDataAvailable;
  publishes DataAvailable outDataAvailable;
  provides ReadData dataOut;
  provides ChangeMode modeChange;
  enum Modes (enabled, disabled);
  Modes m;
  behavior {
    handles dataInReady (DataAvailable e) {
      case m of {
        enabled:
          dataOutdata <- dataIn.getData();
          push dataOutReady;
        disabled:
      }
    }
  }
}
53
Component Behavior
(BMModal behavior spec as on slide 52)
output ports: publishes DataAvailable outDataAvailable; provides ReadData dataOut; provides ChangeMode modeChange;
54
Component Behavior
(BMModal behavior spec as on slide 52)
mode declaration using CORBA IDL: enum Modes (enabled, disabled); Modes m;
55
Component Behavior
(BMModal behavior spec as on slide 52)
behavior for events on dataInReady port: handles dataInReady (DataAvailable e) { ... }
56
Component Behavior
(BMModal behavior spec as on slide 52)
behavior mode cases: case m of { enabled: ... disabled: ... }
57
Component Behavior
(BMModal behavior spec as on slide 52)
data flow specification: dataOutdata <- dataIn.getData();
58
Component Behavior
(BMModal behavior spec as on slide 52)
publish event: push dataOutReady;
59
Functional Properties
Property I: System never reaches a state where
TacticalSteering and NavSteering are both
disabled
Property II: If navSteering is enabled when 20Hz
timeout occurs, then airFrame should fetch
navSteering data before end of frame
60
Temporal Property Specs
61
Assessment
  • We believe the Cadena capabilities that we have
    already illustrated can provide a basis for
    effective experimentation with CCM-based systems
  • We've begun to take steps to incorporate various
    middleware components developed at or funded by RC-ATC

62
Using FACET Event Channel
63
Using MACH Data Service
Use MACH to support data connections (especially remote connections)
  • A couple of example systems already coded up
  • Issues
    • Bold Stroke emphasizes control-push data-pull
    • MACH naturally supports data-push
    • We want to look at more realistic systems and carry out performance experiments to determine how these might be combined

64
Conclusions
  • We believe that Cadena can tie together several different research threads of interest to RC-ATC
    • IDE for building systems on top of avionics middleware
      • MACH, RT Event-channel, etc.
    • framework for incorporating specifications and analysis into CCM-based development
    • good vehicle for addressing concerns related to certification
    • framework for considering program transformations (specializations, etc.) dedicated to customizing code for the avionics domain

65
Looking Ahead
  • Integrated case studies/experiments
    • We have a good idea regarding what Boeing wants
    • We would like to have a similar understanding of the types of applications that are being considered at RC
  • Full-time developer to increase the robustness of the tool and develop UI and APIs dedicated to RC applications and certification issues
  • Research issues
    • context for test generation, traceability, and associated certification issues
    • context for partial evaluation and specialization

66
MACH as a CCM Component
connect to what is happening in the control-push data-pull work