docAADL Error Model
download 
Plainte Transcription
AADL Error Model
Modèles de sûreté de fonctionnement à partir
de description AADL
(Architecture Analysis and Design Language)
Ana Rugina, Karama Kanoun, Mohamed Kaâniche
{rugina, kanoun, kaaniche}@laas.fr
European Integrated Project ASSERT
Cercle "Conception et validation pour la sûreté de fonctionnement"
Atelier "Analyse et évaluation de la sûreté de fonctionnement à base de modèles"
Paris — 2 février 2006
1
Context
Means:
Analytical Modelling
Industrial practice:
Petri nets,
Markov chains
UML, AADL
models
Objectives:
Dependability Measures
UML = Unified Modelling Language
2
Overview of our Modeling Approach
AADL Dependability Model (AADL_DM)
AADL Architecture Model
(AADL_AM)
+
AADL Error Model
(AADL_EM)
Model transformation
GSPN Dependability Model
Model processing
Dependability Measures
3
Outline
• AADL language
• General approach
• Transformation rules
• Glimpse on a case study
• Summary
4
AADL Core Language
• Objectives: analyze the impact of architecture choices
⇒ Scheduling policy
⇒ Redundancy
• Architecture specification in AADL
⇒ How components are combined
⇒ How they interact
• Hierarchical description
• Dynamic architecture behavior ➝ operational modes for components
⇒ Mode transition triggered by events passing through a specified port
⇒ Dynamic behavior = switching between configurations and changes
in components internal characteristics
5
AADL Core Language — Components
Basic element of an AADL architecture
Categories
⇒ Software: process, subprogram, data, thread, thread group
⇒ Platform: processor, memory, device, bus
⇒ Composite: system
Composed, interconnected through features
⇒ Ports, subprogram call, parameters
Two levels of description
⇒Type: how the environment sees that component (properties and features)
⇒ Implementation (subcomponents, subprogram calls, operational modes)
⇒ Different system implementation structures lead to different
implementations associated with the same component type
6
AADL Error Model (AADL_EM)
• The AADL_EM is:
• built on the AADL_AM's (AADL architecture model) skeleton
• associated with an AADL_AM component model
• Component AADL_EM characterizes the behavior in the presence of
• Internal faults and repair events
• External propagations from the component environment
• AADL_EM = a model type + one or more error model implementations
• Vote properties (Vote_in, Vote_out)
• Control propagations by means of Boolean expressions and predicates
• Associated to ports, data components, client and server subprograms
• Not all the details of the AADL_AM are necessary for the AADL_DM
• Only components that have associated AADL_EMs and all connections
between them are part of the AADL_DM
7
AADL Error Model (AADL_EM)
•
Error model type declares
Set of error states
Set of events
Set of incoming/outgoing propagation names
• Error model implementation
Transitions between states, triggered by events, in the error model type
Occurrence properties: arrival rates / probability of propagations and events
• Interactions (name matching and vote)
The source error model sends the propagation out through all ports of the
AADL component to which this error model is associated
This out propagation arrives to one or more receiver component's error
models
Only receivers declaring In propagation with the same name (name
matching) are influenced by this propagation
The state transitions and operational mode changes triggered by the In
propagation are simultaneous
8
Error Model Example
error model Basic
features
Error_Free: initial error state;
Failed: error state;
Fail, Repair: error event;
No_Data: out error propagation;
end Basic;
error model implementation Basic.Nominal
transitions
Error_Free-[Fail]->Failed;
Failed-[Repair]->Error_Free;
Failed-[out No_Data]->Failed;
properties
Fail.Occurrence=>poisson λ;
Repair.Occurrence=>poisson μ;
No_Data.Occurrence => fixed 0.5;
end Basic.Nominal;
9
AADL_DM Construction
AADL Dependability Model (AADL_DM)
AADL Architecture Model
(AADL_AM)
+
AADL Error Model
(AADL_EM)
Model transformation
GSPN Dependability Model
Model processing
Dependability Measures
10
AADL_DM Construction
• Independent components:
The system AADL_DM is composed of the AADL_DMs of its components
• Dependencies ➝ structured and iterative approach for building
progressively the AADL_EM / AADL_DM
• First step
Basic AADL_EM associated to components (isolated behavior)
• Next steps
Introduce incrementally dependencies between basic AADL_EMs
• Dependencies
Architecture-based: structural, functional, fault-tolerance properties
Maintenance
Hierarchy
11
AADL Dependability Model
• Architecture-based dependency
Component 1
Component 2
Error model 1
Error model 2
1-2 Dependency
1-2 Dependency
error model implementation for1.ex
transitions
[…]
Failed-[out No_Data]->Failed;
properties
[…]
No_Data.Occurrence => fixed 0.5;
end for1.ex;
error model implementation for2.ex
transitions
[…]
Error_Free-[in No_Data]->Failed;
end for2.ex;
12
AADL Dependability Model
• Maintenance dependency
Component 1
Component 2
Component 1
Component 2
Component 3
Component 4
Component 3
Component 4
Error model 3
Error model 4
Sharing a repairman
Error model 3
Error model 4
Maintenance
Maintenance
Repairman
Error model
Repairman
Maintenance
13
AADL Dependability Model
• Hierarchical systems
• Derived dependency -> derived error model
• Ignore containment details -> abstract error model
Component 1
Component 1.1
Error model 1.1
Component 1.2
Error model 1.2
Error model 1
derived
14
AADL to GSPN Model Transformation
Component 1
Component 2
Error model 1
Error model 2
1-2 Dependency
1-2 Dependency
GSPN
Component 1
GSPN
Component 2
GSPN
1-2 Dependency
• Modular GSPN
• One block for each isolated component behaviour
• One block for each dependency
• Progressive validation of the model
15
Transformation Rules
• Isolated components
AADL error model element
GSPN element
State
Place
Initial State
Token in the corresponding place
Event
GSPN transition (timed or immediate)
Occurrence property of event
Distribution of probability
characterising the occurrence of
associated GSPN transition
AADL transition
(Source_State-[event]-> Destination_State)
Arcs connecting places (corresponding
to AADL Source_State and
Destination_State) via GSPN transition
(corresponding to AADL event)
16
Transformation Rules
• Name matching propagations
Propagation sender
Dependency
Error_Free
Propagation receiver
Error_Free
Fail (λ)
p
Fail (λ)
Failed
Failed
Sender_Failed
Propagation sender
Dependency
1
Error_Free
Fail (λ)
Propagation receiver
Error_Free
p
1
Failed
Fail (λ)
Failed
=
Number of GSPN transitions
describing an AADL transition
=
Number of AADL transitions
triggered by the out propagation in
the sender
=
Number of AADL transitions
triggered by the in propagation in
the receiver i (i=1..p)
Sender_Failed
17
Complex Transformation Rules
• Vote/Filtering properties
Vote_In and Vote_Out
(filtering AADL propagations according to Boolean expressions)
• Hierarchical systems
Derived dependencies
(system behaviour depending on the behaviour of subcomponents)
• Modal systems
Vote_Event and Vote_Transition properties
(triggering mode changes at architectural level according to Boolean expression)
18
Transformation Rules – Vote_In
Receiver
in
in
Data_OK
a1 a3
b2
b3
Corrupted
out
out
Sender 1
Sensor1[Data_OK]
2
b2 b3
a1 a3
Sensor1[Corrupted]
a3
a2
b2
b1
2
a4
a3
2
mask mask
a1
a4
2
b1
b1
b4
b4
a1
b4
b3
a2
Sensor2[Corrupted]
Sensor2[Data_OK]
out
Sender 2
out
19
Case Study: Duplex System
duplex_system
System2:sub_system.basic_backup
System1:sub_system.basic_primary
SW1:software.basic_primary
Primary
SW2:software.basic_backup
Backup
Primary
Backup
LAN
HW:computer.basic
HW:computer.basic
20
AADL Dependability Model
SW1:software.basic_primary
Primary
SW2: software.basic_backup
Primary
Backup
Backup
Error model
SW.HWSW_SWSWdep
Error model
SW.HWSW_SWSWdep
SW-SW dependency
SW-SW dependency
HW-SW dependency
HW-SW dependency
HW:computer.basic
HW:computer.basic
Error model
HW.HWSW_HWHWdep
Error model
HW.HWSW_HWHWdep
HW-SW dependency
HW-SW dependency
HW-HW dependency
HW-HW dependency
Repairman: repairman.basic
Error model
Repairman.Simple
HW-HW dependency
21
GSPN Dependability Model
SW1:software.basic_primary
Primary
SW2: software.basic_backup
Primary
Backup
Backup
Er
Errror
or model
model
SW.HWSW_S
SW.HWSW_SWSWdep
WSWdep
Er r or model
SW.HWSW_S WSWdep
SW-SW dependency
SW-SW dependency
HW-SW dependency
HW-SW dependency
GSPN
M.SW_SWdep
HW:computer.basic
HW:computer.basic
Er r or model
HW.HWSW_HWHWdep
Er r or model
HW.HWSW_HWHWdep
HW-SW dependency
HW-SW dependency
HW-HW dependency
HW-HW dependency
Repairman: repairman.basic
GSPN
M.SW
GSPN
M.SW
GSPN
M.HW_SWdep
GSPN
M.HW_SWdep
GSPN
M.HW
GSPN
M.HW
GSPN
M.HW_HWdep
GSPN
M.HW_HWdep
Er r or model Repair man.Simple
HW-HW dependency
GSPN
M.Repairman
22
Summary
• AADL system error model
• Stepwise construction
Building error models as if components were isolated
Adding dependencies progressively
• Model transformation: manual ⇒ automatic
• Error Model Annex assessment
• Evolution proposals
23
Error Model Annex Evolution
• Occurrence properties
Fixed values ➞ unvaluated parameters
• Link between the mode model and the error model
⇒mode-dependent behaviour in presence of faults
• Vote_In and Vote_Out properties
⇒evaluate Boolean error expressions only when needed
• Inheritance and refinements
⇒similarly to the core standard mechanisms
24
