the assert set of tools for engineeringsend a letter to creative commons, 171 second street, suite...

Julien Delange <julien dot delange at esa dot int>

The ASSERT Set of Tools for Engineering

(TASTE)

Julien Delange <[email protected]>

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or

send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.


Overview

• Introduction, rationale & approach overview

• System & application modeling

• TASTE toolset

• Case studies

• Conclusion, perspectives


Introduction – identified issues

• Communication problems• How to synchronize teams ?

• System representation

• Technical issues• Correct implementation

• Integration

• Verification activities• Standards requirements

• Associated cost


Introduction – increasing issues

• System contain more functions• Communication through more teams

• More integration issues

• Functions complexity increase• Impossible to make bug-free system

• Involve large team, lead to management issues

• Verification are more and more restrictive• Cost is going bigger

• New tools and approaches required


Actual solutions

• Bruteforce approach• Increase the task force resource

• Spend more resources

• Software reuse• Take old components that works and are already verified …

• … tailoring for integration of new functions

• Modeling and code generation• Abstraction to cope with actual issues

• Integration issues still occur

• Cannot handle all system aspects


Limit of actual solutions

• Bruteforce approach: costly (time & money)

• Components reuse: still need to revalidate/certify

• Modeling: do not address all system aspects


TASTE toolchain

• Implementation of ASSERT process

• Abstract all system artifacts, from software to runtime

• Generate everything, build a“correct by construction” system


Overview



• TASTE toolset

• Case studies



Modeling levels

• Data view• Types to be used by system functions

• Ex: TM/TC for a satellite

• Interface view• Functions to be executed by the system

• Implementation language independence

• Ex: mode change, TC handling

• Deployment view• Execution of functions by computers

• Describe execution constraints


Model processing

• Generate a single model• Vertical transformation approach

• Transform user models into AADL models

• Automatic generation from model• Generate all required code

• Automatic interface with application code

• Validation/verification activities• Validate/verify AADL models

• Reduce certification manual efforts

Data view

Interface view

Deployment view

Ver

tica

l tr

an

sfo

rma

tio

n

AADL model

Validation &verification

Automaticimplementation


Data view

• Rely on well-known technique: ASN.1

• Use in interface view functions• Description of data sent/received by system functions

• Auto-generate types and encoders• Automatic use by functions

• Ensure data consistency


Interface view: functions

• Define system functions and their properties• Implementation language, period, protection level, ...

• Ex: TC/TM management

• Interfaces for communication with other functions• Provided Interfaces (PI)

• Required Interfaces (RI)

• Interfaces characteristics• Interface parameters specification with ASN.1

• Active interface: executed in its own context

• Passive interface: executed in a caller context

• Interface property (inter-arrival time, …)


Interface view: supported languages

• Regular languages• Ada

• C

• Application-level models• SDL/RTDS

• Matlab/Simulink

• Hybrid languages• GUI

• Python interfaces

• Data exchanges based on ASN.1 !!!


Interface view: functions interfaces

• Periodic (active)• No parameter

• Execution on a periodic basis

• Sporadic (active)• One input parameter, activated on data reception

• Execution constrained by a minimal inter-arrival time

• Protected (passive)• Several input/output parameters

• Lock other function interfaces

• Unprotected (passive)• Several input/output parameters

• No lock mechanisms


Interface viewexample

Function pingerFunction pingee

System specificationTwo functions: one that pings (sends a number)to the other on a periodic basis.

Function pinger● One provided periodic interface (activator) to activate

system function.● One required interface to the receive_number

interface of the pingee function

Function pingee● One provided sporadic interface (receive_number) to

receive numbers.● Interface to be triggered by the pinger function

receive_number(sporadic)

Activator (periodic)


Deployment view

• Capture execution environment• Processor: architecture and OS specification

• Bus : protocol specification

• Drivers : devices contained on a computer/board

• Allocate function to boards• Implicit description of distribution strategy

• High level representation of system


Deployment view example

Board x86

Function pinger

Board x86● Intel processor 64 bits, little endian● Run a regular Linux● Send data through ethernet using the TCP/IP protocol

Board PPC● PowerPC processor, 32 bits, big endian● Run RTEMS executive runtime● Receive data using the TCP/IP protocol

Bus ethernet

Board PPC

Function pingee

Driver eth Driver eth

CPU x86_64/OS Linux CPU PPC/OS RTEMS


Overview



• TASTE toolset

• Case studies



Toolset overview

TASTE GUI

ASN.1 source

Interface View

Deployment View

Text Editor

TASTE-IV

TASTE-DV

Data View

Buildsupport

Ocarina

Functional code

asn1Scc

Concurrency View

Architecture code

Functional code

Data mgmtcode

Glue code


Toolset: ASN1Scc

• Convert ASN.1 description into AADL models• Used for functional blocks communication

• Integration of ASN.1 types into AADL models

• Convert ASN.1 source into source code• Types definition in C/Ada

• Generation of encoding functions

• Ensure safety-critical requirements

ASN.1 source

Data View(AADL)

asn1Scc

Data mgmtcode (Ada/C)


Toolset: TASTE-IV (Interface view)

• Capture system functions• Specify properties and requirements

• Output AADL models with software components

• Describe functions interfaces• Periodic/sporadic/protected/unprotected

• Specify timing properties (MIAT/period/)

• Connect functions using the provided/required interface mechanism


Toolset: TASTE-DV (Deployment view)

• Capture distributed architecture• Include all system nodes to be used

• Output AADL model with hardware components

• Describe system nodes• Architecture concerns

• Device drivers to be used

• Embedded functions

• Specify communication buses• e.g: spacewire, ethernet, 1553, etc.


Toolset: TASTE-CV (Concurrency view)

• Edit Concurrency View

• Perform schedulability analysis/feasability tests (Cheddar)

• Simulate timing behavior (Marzhin)


Toolset: buildsupport

• Transform interfaces into resources• Task/data to be deployed on each system

• Output AADL models with hardware and software components

• Integration into the architecture• Separate functions and resources across nodes of the DV

• Assign configuration properties to AADL components

• Generate glue between architecture andapplication layers

• Inject data from/to architecture (drivers)to application code (C/Ada)

Interface View

Deployment View

Data View

Buildsupport

Concurrency View(AADL models)

Glue code (C/Ada)


Toolset: orchestrator

• Handle the development process• Input: interface/deployment views & ASN.1 source

• Output: system binaries

• Workflow• Call buildsupport, generate concurrency view & glue code

• Generate ASN.1 encoders & types definitions (ASN1Scc)

• Call Ocarina, generate architecture code

• Compile architecture code & functional code

• Python script• see. assert-builder-ocarina.py


Toolset: Ocarina

• AADL → C/Ada architecture code• Generate generic architecture code

• Avoid manual coding errors

• No useless resource or code due to the use of AADL descriptions

• Rely on µmiddleware for OS integration• Translate generic code into OS-specific request

• PolyORB-HI-C & PolyORB-HI-Ada

• Similar to OSAL from NASA

OcarinaConcurrency View

µmiddleware code

Generic code

OS/executive runtimeGen

era

t ed

bin

ary


Toolset: TASTEGUI

• Graphical interface to handle development process• Similar to orchestrator

• Assist users in system design• Code edition, generate skels

• Advanced functionalities• Timing analysis

• Memory analysis

• Automatic system deployment

• Function testing


Overview



• TASTE toolset

• Case studies



Robotic example: exoarm

• Human movement acquisition

• Data processing using Simulink models

• Reproduction of movements on robots

Movement capture

Movement reproductionData processingData acquisition


Automotive domain: thermal control

• Thermal regulation control (e.g: motor temperature control)

• Assessment of TASTE regarding AUTOSAR requirements


Avionics domain: radar/GPS control

• Typical satellite system with TC/TM packets

• Configure TC/TM encryption• According to satellite position

• Avoid data transmission over unsafe area

• Evaluation with different deployment strategies• PC

• PC → <ethernet> → PC

• PC → <serial> LEON → <spw> → LEON → <serial> → PC

• Demonstrate deployment functionalities


Toy: unmanned drone

• Automatically control with wireless devices

• Integration of device drivers• Wireless drivers

• Serial communication with Arduino board

• Interface with Arduino platform• Handle electronic aspects


Overview



• TASTE toolset

• Case studies



Conclusion

• Reduce the human factor• Avoid bugs !

• Reduce development cost• Time & money

• Verify, verify, verify !• As soon as possible

• Everywhere !


Perspectives

• Enhance toolchains• Flexible vertical transformation

• Extend application models• Support other modeling approaches

• More than validation: certification !• Automatic certification (DO178B, ECSS)

• To be discussed … (very costly !)

Julien Delange <julien dot delange at esa dot int>The ASSERT Set of Tools for Engineering(TASTE)Julien Delange <[email protected]>This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

Julien Delange <julien dot delange at esa dot int>Overview•Introduction, rationale & approach overview•System & application modeling•TASTE toolset•Case studies•Conclusion, perspectives

Julien Delange <julien dot delange at esa dot int>Introduction – identified issues•Communication problems•How to synchronize teams ?•System representation•Technical issues•Correct implementation•Integration•Verification activities•Standards requirements•Associated cost

Julien Delange <julien dot delange at esa dot int>Introduction – increasing issues•System contain more functions•Communication through more teams•More integration issues•Functions complexity increase•Impossible to make bug-free system•Involve large team, lead to management issues•Verification are more and more restrictive•Cost is going bigger•New tools and approaches required

Julien Delange <julien dot delange at esa dot int>Actual solutions•Bruteforce approach•Increase the task force resource•Spend more resources•Software reuse•Take old components that works and are already verified …•… tailoring for integration of new functions•Modeling and code generation•Abstraction to cope with actual issues•Integration issues still occur•Cannot handle all system aspects

Julien Delange <julien dot delange at esa dot int>Limit of actual solutions•Bruteforce approach: costly (time & money)•Components reuse: still need to revalidate/certify•Modeling: do not address all system aspects

Julien Delange <julien dot delange at esa dot int>TASTE toolchain•Implementation of ASSERT process•Abstract all system artifacts, from software to runtime•Generate everything, build a“correct by construction” system

Julien Delange <julien dot delange at esa dot int>Modeling levels•Data view•Types to be used by system functions•Ex: TM/TC for a satellite•Interface view•Functions to be executed by the system•Implementation language independence•Ex: mode change, TC handling•Deployment view•Execution of functions by computers•Describe execution constraints

Julien Delange <julien dot delange at esa dot int>Model processing•Generate a single model•Vertical transformation approach•Transform user models into AADL models•Automatic generation from model•Generate all required code•Automatic interface with application code•Validation/verification activities•Validate/verify AADL models•Reduce certification manual effortsData viewInterface viewDeployment viewVertical transformationAADL modelValidation &verificationAutomaticimplementation

Julien Delange <julien dot delange at esa dot int>Data view•Rely on well-known technique: ASN.1•Use in interface view functions•Description of data sent/received by system functions•Auto-generate types and encoders•Automatic use by functions•Ensure data consistency

Julien Delange <julien dot delange at esa dot int>Interface view: functions•Define system functions and their properties•Implementation language, period, protection level, ...•Ex: TC/TM management•Interfaces for communication with other functions•Provided Interfaces (PI)•Required Interfaces (RI)•Interfaces characteristics•Interface parameters specification with ASN.1•Active interface: executed in its own context•Passive interface: executed in a caller context•Interface property (inter-arrival time, …)

Julien Delange <julien dot delange at esa dot int>Interface view: supported languages•Regular languages•Ada•C•Application-level models•SDL/RTDS•Matlab/Simulink•Hybrid languages•GUI•Python interfaces•Data exchanges based on ASN.1 !!!

Julien Delange <julien dot delange at esa dot int>Interface view: functions interfaces•Periodic (active)•No parameter•Execution on a periodic basis•Sporadic (active)•One input parameter, activated on data reception•Execution constrained by a minimal inter-arrival time•Protected (passive)•Several input/output parameters•Lock other function interfaces•Unprotected (passive)•Several input/output parameters•No lock mechanisms

Julien Delange <julien dot delange at esa dot int>Interface viewexampleFunction pingerFunction pingeeSystem specificationTwo functions: one that pings (sends a number)to the other on a periodic basis.Function pinger●One provided periodic interface (activator) to activate system function.●One required interface to the receive_number interface of the pingee function Function pingee●One provided sporadic interface (receive_number) to receive numbers.●Interface to be triggered by the pinger functionreceive_number(sporadic)Activator (periodic)

Julien Delange <julien dot delange at esa dot int>Deployment view•Capture execution environment•Processor: architecture and OS specification•Bus : protocol specification•Drivers : devices contained on a computer/board•Allocate function to boards•Implicit description of distribution strategy•High level representation of system

Julien Delange <julien dot delange at esa dot int>Deployment view exampleBoard x86Function pingerBoard x86●Intel processor 64 bits, little endian●Run a regular Linux●Send data through ethernet using the TCP/IP protocolBoard PPC●PowerPC processor, 32 bits, big endian●Run RTEMS executive runtime●Receive data using the TCP/IP protocolBus ethernetBoard PPCFunction pingeeDriver ethDriver ethCPU x86_64/OS LinuxCPU PPC/OS RTEMS

Julien Delange <julien dot delange at esa dot int>Toolset overviewTASTE GUIASN.1 sourceInterface ViewDeployment ViewText EditorTASTE-IVTASTE-DVData ViewBuildsupportOcarinaFunctional codeasn1SccConcurrency ViewArchitecture codeFunctional codeData mgmtcodeGlue code

Julien Delange <julien dot delange at esa dot int>Toolset: ASN1Scc•Convert ASN.1 description into AADL models•Used for functional blocks communication•Integration of ASN.1 types into AADL models•Convert ASN.1 source into source code•Types definition in C/Ada•Generation of encoding functions•Ensure safety-critical requirementsASN.1 sourceData View(AADL)asn1SccData mgmtcode (Ada/C)

Julien Delange <julien dot delange at esa dot int>Toolset: TASTE-IV (Interface view)•Capture system functions•Specify properties and requirements•Output AADL models with software components•Describe functions interfaces•Periodic/sporadic/protected/unprotected•Specify timing properties (MIAT/period/)•Connect functions using the provided/required interface mechanism

Julien Delange <julien dot delange at esa dot int>Toolset: TASTE-DV (Deployment view)•Capture distributed architecture•Include all system nodes to be used•Output AADL model with hardware components•Describe system nodes•Architecture concerns•Device drivers to be used•Embedded functions•Specify communication buses•e.g: spacewire, ethernet, 1553, etc.

Julien Delange <julien dot delange at esa dot int>Toolset: TASTE-CV (Concurrency view)•Edit Concurrency View•Perform schedulability analysis/feasability tests (Cheddar)•Simulate timing behavior (Marzhin)

Julien Delange <julien dot delange at esa dot int>Toolset: buildsupport•Transform interfaces into resources•Task/data to be deployed on each system•Output AADL models with hardware and software components•Integration into the architecture•Separate functions and resources across nodes of the DV•Assign configuration properties to AADL components•Generate glue between architecture andapplication layers•Inject data from/to architecture (drivers)to application code (C/Ada)Interface ViewDeployment ViewData ViewBuildsupportConcurrency View(AADL models)Glue code (C/Ada)

Julien Delange <julien dot delange at esa dot int>Toolset: orchestrator•Handle the development process•Input: interface/deployment views & ASN.1 source•Output: system binaries•Workflow•Call buildsupport, generate concurrency view & glue code•Generate ASN.1 encoders & types definitions (ASN1Scc)•Call Ocarina, generate architecture code•Compile architecture code & functional code•Python script•see. assert-builder-ocarina.py

Julien Delange <julien dot delange at esa dot int>Toolset: Ocarina•AADL → C/Ada architecture code•Generate generic architecture code•Avoid manual coding errors•No useless resource or code due to the use of AADL descriptions•Rely on µmiddleware for OS integration•Translate generic code into OS-specific request•PolyORB-HI-C & PolyORB-HI-Ada•Similar to OSAL from NASAOcarinaConcurrency Viewµmiddleware codeGeneric codeOS/executive runtimeGeneratedbinary

Julien Delange <julien dot delange at esa dot int>Toolset: TASTEGUI•Graphical interface to handle development process•Similar to orchestrator•Assist users in system design•Code edition, generate skels•Advanced functionalities•Timing analysis•Memory analysis•Automatic system deployment•Function testing

Julien Delange <julien dot delange at esa dot int>Robotic example: exoarm•Human movement acquisition•Data processing using Simulink models•Reproduction of movements on robotsMovement captureMovement reproductionData processingData acquisition

Julien Delange <julien dot delange at esa dot int>Automotive domain: thermal control•Thermal regulation control (e.g: motor temperature control)•Assessment of TASTE regarding AUTOSAR requirements

Julien Delange <julien dot delange at esa dot int>Avionics domain: radar/GPS control•Typical satellite system with TC/TM packets•Configure TC/TM encryption•According to satellite position•Avoid data transmission over unsafe area•Evaluation with different deployment strategies•PC•PC → <ethernet> → PC•PC → <serial> LEON → <spw> → LEON → <serial> → PC•Demonstrate deployment functionalities

Julien Delange <julien dot delange at esa dot int>Toy: unmanned drone•Automatically control with wireless devices•Integration of device drivers•Wireless drivers•Serial communication with Arduino board•Interface with Arduino platform•Handle electronic aspects

Julien Delange <julien dot delange at esa dot int>Conclusion•Reduce the human factor•Avoid bugs !•Reduce development cost•Time & money•Verify, verify, verify !•As soon as possible•Everywhere !

Julien Delange <julien dot delange at esa dot int>Perspectives•Enhance toolchains•Flexible vertical transformation•Extend application models•Support other modeling approaches•More than validation: certification !•Automatic certification (DO178B, ECSS)•To be discussed … (very costly !)

the assert set of tools for engineeringsend a letter to creative commons, 171 second street, suite...

Documents