CBSE and dependable systems
Ivica Crnkovic, ivica.crnkovic@mdh.se, http://www.idt.mdh.se/~icc
Mälardalen University
Page 1, April 15, 2003
(Map slide: Västerås, Stockholm)
Ivica Crnkovic
Prof. in Software Engineering, Mälardalen University
http://www.idt.mdh.se/~icc, ivica.crnkovic@mdh.se
• Chair of the Software Engineering Lab at Mälardalen University
CBSE activities:
• Participating in ARTIST (EU project, WP: CBD for embedded systems)
• Co-organizer of the CBSE workshop at ICSE (May 2003)
• Program Chair of the CBSE track at the Euromicro Conference (Antalya, Turkey)
• Co-editor of "Building reliable component-based software systems"
Outline
• Motivating example
• Dependability
• The questions: dependability and CBSE
• Challenges of CBSE: component and system properties
• (CBSE for embedded systems)
A Distributed Real-time System for vehicular systems
• Networks instead of cables
• Nothing must go wrong ⇒ robust design with predictable real-time behavior
• Strong constraints related to the production costs
Volvo S80: ~80 Electronic Control Units
The car architecture today
(Diagram: several ECUs connected over a CAN bus through a gateway; each ECU reads sensors and drives actuators acting on the vehicle mechanics)
The architectural design challenge
(Diagram, top to bottom: complex functions such as vehicle stability, suspension and drive by wire, built on local control functions, built in turn on basic functions over sensors and actuators)
How to implement complex functions based on local control functions?
Problem: resource sharing
(Diagram: sensors 1..n feed nodes 1..n, which drive actuators 1..n; the nodes share the network and the execution resources)
Can functions of different criticality be allowed to share resources?
Challenge: open and dependable platform
(Layered diagram, top to bottom:)
• Vehicle application components: global functions (antispin, cruise control, vehicle stability) and local functions (engine control, local brake control, transmission, ...)
• Middleware
• ECUs
• Input/output drivers
• Hardware, with sensors and actuators
Constraints and Questions
• Constraints
  • Safety-critical systems
  • Real-time constraints
  • Low consumption of resources
  • Low production costs
• Which architecture to use?
• Which component technology and component model to use?
• Which analysis and verification techniques?
• Which development process?
• Component properties and emerging system properties
  • Which extra-functional properties are of interest for safety-critical real-time embedded systems?
The Challenge
• Conflicting requirements
  • Safety vs. cost and time-to-market
  • Safety and real-time constraints vs. complexity
• Possible solution
  • Combination of architectural and component-based design with predictability, analysis and verification
Dependability
• Ability of a system to deliver service that can justifiably be trusted
• Ability of a system to avoid failures that are more frequent or more severe than is acceptable to the user(s)
Related to trustworthiness (assurance that a system will perform as expected)
Dependability Attributes (Jean-Claude Laprie)
• Availability: readiness for usage
• Reliability: continuity of service
• Safety: absence of catastrophic consequences
• Confidentiality: absence of unauthorized disclosure of information
• Integrity: absence of improper system alterations
• Maintainability: ability to undergo repairs and evolutions
Dependability (extended definition)
Dependable systems: safety-critical systems, mission-critical systems, business-critical systems
Examples given on the slide: NASA, industrial systems, airplanes, Ariane, information systems, cars, traffic control systems, nuclear power stations, ...
Borderline cases on the slide: energy supply and distribution systems?? Telecommunication systems???
Very often dependable systems are:
• real-time systems
• embedded systems
Dependability: attributes, threats, means
• Attributes: availability, reliability, safety, confidentiality, integrity, maintainability
• Threats: faults, errors, failures
• Means: fault prevention, fault tolerance, fault removal, fault forecasting
Faults, Errors, Failures
Fault --(activation)--> Error --(propagation)--> Failure
Failure classification:
• Domain: value failures, timing failures, ...
• Perception by users: consistent failures, inconsistent (Byzantine) failures
• Consequences: minor failures, ..., catastrophic failures
Faults (classification)
• Phenomenological cause: natural, human-made
• Intent: accidental, deliberate non-malicious, deliberate malicious (attacks and malicious logic belong here)
• Phase of creation: developmental, production, operational
• Domain: physical, information
• System boundaries: internal, external
• Persistence: permanent, transient
The means to attain dependability
• Fault prevention: how to prevent the occurrence or introduction of faults
• Fault tolerance: how to deliver correct service in the presence of faults
• Fault removal: how to reduce the number or severity of faults
• Fault forecasting: how to estimate the present number of faults, the future incidents and the probability of the different consequences
Fault Tolerance
• Error detection
  • concurrent error detection
  • preemptive error detection
• Recovery
  • error handling (rollback, rollforward)
  • fault handling: fault diagnosis, fault isolation, system reconfiguration, system re-initialization
• Fault masking (redundancy)
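The mechanisms on this slide, as a small added example that is not from the presentation: three redundant replicas of a component, concurrent error detection on each (a deadline check for timing failures and a plausibility check for value failures), fault masking by majority vote, rollforward of a checkpoint when the vote succeeds and rollback to it when the replicas disagree. The replicas, their latencies, the output range and the deadline are all constructed for the illustration.

```python
"""Triple modular redundancy with error detection and rollback recovery.

Added example; the Replica/TmrController names, the latencies and the
plausible output range (0..1000) are assumptions of this illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Replica:
    name: str
    compute: Callable[[int], int]   # the replica's function of its input
    latency_ms: int                 # constructed execution time for the timing check


@dataclass
class TmrController:
    """Majority voter over three replicas, with a checkpoint for rollback."""
    replicas: List[Replica]
    deadline_ms: int
    checkpoint: Optional[int] = None      # last value known good
    log: List[str] = field(default_factory=list)

    def _run_replica(self, r: Replica, x: int) -> Optional[int]:
        """Concurrent error detection on one replica; None means 'detected'."""
        if r.latency_ms > self.deadline_ms:          # timing failure
            self.log.append(f"{r.name}: timing failure "
                            f"({r.latency_ms}ms > {self.deadline_ms}ms)")
            return None
        y = r.compute(x)
        if not 0 <= y <= 1000:                       # value failure (plausibility)
            self.log.append(f"{r.name}: value failure ({y} out of range)")
            return None
        return y

    def step(self, x: int) -> int:
        """Fault masking by majority; rollback when there is no majority."""
        outputs = [self._run_replica(r, x) for r in self.replicas]
        valid = [y for y in outputs if y is not None]
        if valid:
            value, n = Counter(valid).most_common(1)[0]
            if n >= 2:                                # 2 of 3 masks one faulty replica
                if n < len(self.replicas):
                    self.log.append(f"masked {len(self.replicas) - n} replica(s)")
                self.checkpoint = value               # rollforward: commit good state
                return value
        # Replicas disagree (or too many were rejected): roll back to checkpoint.
        self.log.append(f"no majority among {outputs}; rolling back")
        if self.checkpoint is None:
            raise RuntimeError("no checkpoint to roll back to")
        return self.checkpoint


def demo():
    """Three scenarios: a value fault, a timing fault, and total disagreement."""
    good = Replica("r1", lambda x: 2 * x, latency_ms=5)
    good2 = Replica("r2", lambda x: 2 * x, latency_ms=7)
    wrong = Replica("r3", lambda x: 2 * x + 1, latency_ms=5)   # single value fault
    slow = Replica("r3s", lambda x: 2 * x, latency_ms=50)      # timing fault
    odd = Replica("r4", lambda x: 3 * x, latency_ms=5)         # disagrees with both

    ctrl = TmrController([good, good2, wrong], deadline_ms=20)
    masked_value = ctrl.step(10)      # 20 from r1, r2 outvotes 21 from r3
    ctrl.replicas = [good, good2, slow]
    masked_timing = ctrl.step(11)     # 22; r3s excluded by the deadline check
    ctrl.replicas = [good, wrong, odd]
    rolled_back = ctrl.step(12)       # 24, 25, 36: no majority, back to 22
    return masked_value, masked_timing, rolled_back, list(ctrl.log)


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

The voter masks at most one faulty replica per step; a second simultaneous fault, or three mutually inconsistent outputs, is the case where masking is no longer possible and recovery has to fall back on the checkpoint.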
Fault forecasting
Evaluation of system behavior:
• qualitative: identify, classify and rank the failure modes, the event combinations and the environmental conditions that would lead to system failures
• quantitative (probabilistic)
Question: Is CBSE feasible for Dependable Systems?
• How to build dependable component-based systems?
• How to specify the components so that they can be used in dependable systems?
• To which extent can the system properties be determined from the component properties?
• To which extent can the uncertainty in the predictability of these properties be minimized, and how much is it related to the uncertainty of the specification of the component properties?
• In which phase of the development process are these properties mostly addressed?
Component Specification
Component specification levels:
1. Syntactic interface, or signature (i.e. the types, fields, methods, signals, ports etc. that constitute the interface).
2. Constraints on values (of parameters and state variables: invariants, pre- and post-conditions on methods and signals).
3. Protocols (i.e. constraints on the temporal ordering of signals and method calls).
4. Extra-functional properties (real-time attributes, performance, QoS (i.e. constraints on response times, throughput, etc.), resource management, etc.).
Extra-functional property specifications
Credentials (Mary Shaw)
• A credential is a triple <Attribute, Value, Credibility>
  • Attribute: a description of a property of a component
  • Value: a measure of that property
  • Credibility: a description of how the measure has been obtained
• Implementations
  • Attributes in .NET: a component developer can associate attribute values with a component and define new attributes by sub-classing an existing attribute class.
  • ADL UniCon: allows association of <Attribute, Value> pairs with components
Extra-functional Properties
(Class diagram: a Component has in-interfaces and out-interfaces (Interface); an Interface has Operations; an Operation has Parameters with Types. A Component also has Credentials; a Credential consists of an Attribute, a Value and a Credibility, with a flag IsPostulate : Boolean.)
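The four specification levels and the credential triple, put into working code as an added example (this is not code from the presentation, Shaw's credentials or the .NET attribute mechanism it cites). A `Component` carries a signature, pre- and post-conditions, a call-ordering protocol as a state machine, and a list of `Credential` objects whose `Credibility` covers the diagram's IsPostulate flag. `compose_wcet` then does what the earlier questions ask about: it derives a system property (end-to-end worst-case execution time of a sequential chain) from the component credentials, and carries the weakest credibility along so that a deadline "met" only on a postulated value is reported as such. The component names, the microsecond values, the additive composition rule and the three credibility levels are assumptions of this example.

```python
"""Component specification levels 1-4 plus credential composition (added example).

All names, values and the additive WCET rule are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Credibility(Enum):
    POSTULATED = 1   # asserted without evidence (the diagram's IsPostulate = True)
    ANALYSED = 2     # derived by analysis or a model
    MEASURED = 3     # measured on the target


@dataclass(frozen=True)
class Credential:
    attribute: str        # e.g. "wcet_us"
    value: int
    credibility: Credibility


@dataclass
class Component:
    name: str
    signature: Dict[str, Tuple[type, type]]                 # level 1: op -> (in, out)
    pre: Dict[str, Callable[[object], bool]]                # level 2: preconditions
    post: Dict[str, Callable[[object, object], bool]]       # level 2: postconditions
    protocol: Dict[Tuple[str, str], str]                    # level 3: (state, op) -> state
    impl: Dict[str, Callable[[object], object]]
    credentials: List[Credential] = field(default_factory=list)   # level 4
    state: str = "init"

    def call(self, op: str, arg):
        """Check all four levels around one operation call."""
        in_t, out_t = self.signature[op]
        if not isinstance(arg, in_t):
            raise TypeError(f"{self.name}.{op}: expected {in_t.__name__}")
        if (self.state, op) not in self.protocol:
            raise RuntimeError(f"{self.name}: {op} not allowed in state {self.state}")
        if not self.pre[op](arg):
            raise ValueError(f"{self.name}.{op}: precondition violated for {arg!r}")
        result = self.impl[op](arg)
        if not isinstance(result, out_t) or not self.post[op](arg, result):
            raise AssertionError(f"{self.name}.{op}: postcondition violated")
        self.state = self.protocol[(self.state, op)]
        return result

    def credential(self, attr: str) -> Credential:
        return next(c for c in self.credentials if c.attribute == attr)


def compose_wcet(chain: List[Component]) -> Credential:
    """System property from component properties: the WCET of a sequential
    chain is assumed additive; its credibility is the weakest in the chain."""
    creds = [c.credential("wcet_us") for c in chain]
    total = sum(c.value for c in creds)
    weakest = min((c.credibility for c in creds), key=lambda cr: cr.value)
    return Credential("wcet_us", total, weakest)


def verdict(e2e: Credential, deadline_us: int) -> str:
    if e2e.value > deadline_us:
        return "misses deadline"
    if e2e.credibility is Credibility.POSTULATED:
        return "meets deadline, but only on a postulated component value"
    return "meets deadline"


def build_filter() -> Component:
    return Component(
        name="LowPassFilter",
        signature={"init": (int, bool), "sample": (int, int)},
        pre={"init": lambda hz: hz > 0, "sample": lambda v: -1024 <= v <= 1023},
        post={"init": lambda hz, ok: ok is True, "sample": lambda v, y: abs(y) <= abs(v)},
        protocol={("init", "init"): "ready", ("ready", "sample"): "ready"},
        impl={"init": lambda hz: True, "sample": lambda v: v // 2},
        credentials=[Credential("wcet_us", 400, Credibility.MEASURED)],
    )


def demo():
    flt = build_filter()
    brake = Component("BrakeActuator", {"apply": (int, bool)},
                      pre={"apply": lambda f: 0 <= f <= 100},
                      post={"apply": lambda f, ok: ok is True},
                      protocol={("init", "apply"): "init"},
                      impl={"apply": lambda f: True},
                      credentials=[Credential("wcet_us", 1500, Credibility.POSTULATED)])
    protocol_error = pre_error = None
    try:
        flt.call("sample", 10)        # level 3: sample before init is illegal
    except RuntimeError as e:
        protocol_error = str(e)
    flt.call("init", 100)
    y = flt.call("sample", 10)        # 5
    try:
        brake.call("apply", 150)      # level 2: precondition 0..100 violated
    except ValueError as e:
        pre_error = str(e)
    e2e = compose_wcet([flt, brake])  # 1900 us, credibility POSTULATED
    return y, protocol_error, pre_error, e2e


if __name__ == "__main__":
    _, _, _, e2e = demo()
    print(e2e, verdict(e2e, 2000))
```

The point of carrying credibility through the composition is that an end-to-end figure is never better than its least trusted input: a chain whose budget fits the deadline only because one component's WCET was postulated is not yet evidence that the system property holds.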
Generalization of a component model (SEI/CMU, Kurt Wallnau)
(Diagram not reproduced)