Error ontologies and altarica transformation aadl meeting florida jan 24-27
A Semantic Web Architecture for Model based Safety Engineering
Presentation to the AADL standards meeting, Hollywood, Florida, Jan 26, 2011
2
Agenda
• The context: Semantic Web architecture for model based safety engineering.
• Component and Error Model Ontology
• TASTE tool ‘Error View’ extensions
• Transformation to Altarica
• Discussion and examples from AOCS case study.
3
Semantic Web Architecture for Model-based Safety Engineering
Figure (architecture diagram; recovered labels): Ontology Engineering Environment (Protégé); Component and FM Ontology; FM Ontology Front End (UI); Failure Model Ontology Server; TASTE (Interface and Deployment View) with TASTE UI extensions for the Error View; AADL/AAXL components and error models exchanged over a Web/HTTP service; Error View (AADL generated code); transform to Altarica model; ARC model checking tool.
4
The MBSE Process
5
Component and Error Model Ontology
Figure (ontology diagram; recovered labels): three hierarchies, Function Hierarchy, AADL Hierarchy (Structure) and Error Model Hierarchy. A Component belongs to the AADL hierarchy and has Subcomponents, Connections and Features; it has an Error Model (has_error_model). An Error Model belongs to the Error Model hierarchy and has States, Events and Transitions. An Error Model Implementation has a TransitionCode (has_transition_code).
6
Error model hierarchy
7
Device Error model hierarchy
8
Error model compositionality
Figure (recovered labels):
• DeviceErrorModel: em_features NominalState
• SensorErrorModel: em_features TCAcceptanceFailureState, TCAcceptanceFailureEvent; activate trDeviceTCAcceptanceFailure
• SensorDataErrorModel: em_features DataFailureState, DataFailureEvent; activate trDeviceDataFailure
• RecoverableErrorModel: recover RecoverTrans
• TemperatureErrorModel: em_features TemperatureFailureState, TemperatureEvent; activate trTemperatureFailure
• AvionicsSensorErrorModel: CSS (more…), GYRO (more…), IRES (more…)
9
Compositionality rules and assumptions
• Same name/symbol implies same feature (Unique Name Assumption).
– Multiple instances of the same symbol are merged.
• Each model contains complete transitions.
• Events are independent from each other.
– One event is triggered at a time.
• Merging results in the union of transitions.
• Deterministic transitions.
• More structure in Error models is possible:
– e.g. organise Events and States into Event Activation, Event Detection, Event Perception; Permanent and Temporary Faults.
10
Ontology Server
• Implements the Ontology API.
• Uses an external OWL reasoner (Pellet) and the Java OWL API (Jena).
• Also contains a parser and a serialiser between OWL axioms, component and error model frames, and AADL/AAXL.
Figure (recovered labels): Clients -> Get / Post (custom layer) -> Ontology Server (Ontology API, Pellet + Jena) -> Repository / Storage.
11
TASTE tool Error View Extensions - IV
12
Front-End: Components to Error Model association
• Get the applicable error model list, using getApplicableErrorModels (Comp).
• Select an error model from the list of applicable error models.
• Enter the error model association for the component, i.e. the way in which the component ‘implements’ the specific error model.
13
TASTE tool Error View Extensions - IV
14
TASTE tool Error View Extensions - DV
15
Transformation: AADL Error View to Altarica
• AADL Error View
– Combined IV + DV AADL code for a system.
– Augmented with Error model information (Error Annex).
– Behaviour coded using the Behavior Annex.
16
Transformation process
AADL Component Implementations to Altarica Nodes
• Components to Nodes.
• Data Features to Flows.
• Event Features to boolean type flows.
• For each subprogram a data structure is defined containing the subprogram parameters.
• The subprogram itself is defined as a node with a flow of this data structure.
• Connections as Assertions.
• Boolean and Enumerated types only.
• Possibility to define enumerations for complex data type abstractions.
Error Models and BA
• Events, States and Transitions from the Error model.
• BA state variables used within a call are dereferenced.
• Implicit error_model_state variable enumerates all EA states.
• EA transitions to error_model_state variable conditions and assignments.
• BA Transition codes to Assertions guarded by the error_model_state.
• Implicit OK -> OK transition generates an unguarded assertion.
Error Propagations
• Standard AADL Error Propagation and Inheritance rules apply.
• Implemented through Altarica synchronizations.
• Weak synchronizations also supported (Altarica extensions).
• Guard_In / Guard_Out properties partially supported (full semantics not supported by Altarica).
17
Transformation example - Device

SYSTEM CSS_taste
  FEATURES
    CSS_PI_obj86 : PROVIDES SUBPROGRAM ACCESS interfaceview::FV::CSS_PI_obj86.others;
    Sensor_TC_obj98 : PROVIDES SUBPROGRAM ACCESS interfaceview::FV::Sensor_TC_obj98.others;
END CSS_taste;

SYSTEM IMPLEMENTATION CSS_taste.impl
  SUBCOMPONENTS
    CSS_PI_obj86_impl : SUBPROGRAM interfaceview::FV::CSS_PI_obj86.others;
    Sensor_TC_obj98_impl : SUBPROGRAM interfaceview::FV::Sensor_TC_obj98.others;
  CONNECTIONS
    SUBPROGRAM ACCESS CSS_PI_obj86_impl -> CSS_PI_obj86;
    SUBPROGRAM ACCESS Sensor_TC_obj98_impl -> Sensor_TC_obj98;
  ANNEX ERROR_MODEL {**
    MODEL => error_models::IV::CSS_error.impl;
  **};
  ANNEX BEHAVIOR_SPECIFICATION {**
    STATES
      TCAcceptanceFailureState, TemperatureFailureState, DataFailureState : FINAL STATE;
      NominalState : INITIAL STATE;
    TRANSITIONS
      normal : NominalState -[ ]-> NominalState {
        CSS_PI.dataCSS_out := DataType_dataCSS_T;
        Sensor_TC.TC_SW := DataType_TC_T;
        Sensor_TC.TC_Acceptance := DataType_TM_Status
      };
      out_TCAcceptanceFailureEvent : TCAcceptanceFailureState -[ ]-> TCAcceptanceFailureState {
        Sensor_TC.TC_Acceptance := NO_DATA
      };
      out_TemperatureFailureEvent : TemperatureFailureState -[ ]-> TemperatureFailureState {
        CSS_PI.dataCSS_out := BAD_DATA
      };
      out_DataFailureEvent : DataFailureState -[ ]-> DataFailureState {
        CSS_PI.dataCSS_out := NO_DATA
      };
  **};
END CSS_taste.impl;

DOMAIN interfaceview_FV_CSS_PI_domain = STRUCT
  dataCSS_out : { DataType_dataCSS_T , NO_DATA , BAD_DATA , OUT_OF_RANGE } ;
TCURTS;

DOMAIN interfaceview_FV_Sensor_TC_domain = STRUCT
  TC_Acceptance : { DataType_TM_Status , NO_DATA , BAD_DATA , OUT_OF_RANGE } ;
  TC_SW : { DataType_TC_T , NO_DATA , BAD_DATA , OUT_OF_RANGE } ;
TCURTS;

node interfaceview_IV_AOCS_CSS_taste_impl
  FLOW
    CSS_PI : interfaceview_FV_CSS_PI_domain ;
    Sensor_TC : interfaceview_FV_Sensor_TC_domain ;
  STATE
    error_model_state : { TCAcceptanceFailureState , TemperatureFailureState , DataFailureState , NominalState } ;
  INIT
    error_model_state := NominalState ;
  EVENT
    TCAcceptanceRecoverEvent , TemperatureRecoverEvent , DataRecoverEvent ,
    TCAcceptanceFailureEvent , TemperatureFailureEvent , DataFailureEvent ;
  TRANS
    error_model_state = TCAcceptanceFailureState |- TCAcceptanceFailureEvent -> error_model_state := TCAcceptanceFailureState ;
    error_model_state = NominalState |- TCAcceptanceFailureEvent -> error_model_state := TCAcceptanceFailureState ;
    …….
  SUB
    CSS_PI_impl : interfaceview_FV_CSS_PI_others ;
    Sensor_TC_impl : interfaceview_FV_Sensor_TC_others ;
  ASSERT
    CSS_PI_impl.self = CSS_PI ;
    Sensor_TC_impl.self = Sensor_TC ;
    error_model_state = NominalState & ( CSS_PI.dataCSS_out = DataType_dataCSS_T & Sensor_TC.TC_SW = DataType_TC_T & Sensor_TC.TC_Acceptance = DataType_TM_Status )
    | error_model_state = TCAcceptanceFailureState & ( Sensor_TC.TC_Acceptance = NO_DATA )
    | error_model_state = TemperatureFailureState & ( CSS_PI.dataCSS_out = BAD_DATA )
    | error_model_state = DataFailureState & ( CSS_PI.dataCSS_out = NO_DATA ) ;
edon
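The Error Model and BA mapping from the Transformation process slide, applied to the CSS device above, as an added illustration in Python (not the TASTE tool's own transformation code). The ErrorModel input shape is an assumption of this example, and the CSS sample is a constructed subset of the device error model shown above.

```python
from dataclasses import dataclass, field

@dataclass
class ErrorModel:                # assumed input shape for this example, not the tool's format
    name: str
    flows: dict                  # flow name -> Altarica domain name
    states: list                 # Error Annex states, initial state first
    events: list
    transitions: list            # (src_state, event, dst_state)
    codes: dict = field(default_factory=dict)  # state -> [(flow.field, value)] from the BA
def is_deterministic(em):
    # compositionality rule (slide 9): one target state per (state, event) pair
    targets = {}
    return all(targets.setdefault((s, e), d) == d for s, e, d in em.transitions)
def to_altarica(em):
    if not is_deterministic(em):
        raise ValueError("non-deterministic error model")
    out = [f"node {em.name}", "  FLOW"]
    out += [f"    {f} : {d} ;" for f, d in em.flows.items()]
    # implicit error_model_state variable enumerates all Error Annex states
    out.append(f"  STATE error_model_state : {{ {' , '.join(em.states)} }} ;")
    out.append(f"  INIT error_model_state := {em.states[0]} ;")
    out.append(f"  EVENT {' , '.join(em.events)} ;")
    out.append("  TRANS")
    out += [f"    error_model_state = {s} |- {e} -> error_model_state := {d} ;"
            for s, e, d in em.transitions]
    # each BA transition code becomes an assertion branch guarded by its state;
    # a state with no code (the implicit OK -> OK case) gives an unguarded branch
    branches = []
    for s in em.states:
        code = em.codes.get(s)
        conj = " & ".join(f"{fld} = {val}" for fld, val in code or [])
        branches.append(f"error_model_state = {s}" + (f" & ( {conj} )" if code else ""))
    out.append("  ASSERT " + "\n    | ".join(branches) + " ;")
    out.append("edon")
    return "\n".join(out)

# constructed sample: a subset of the CSS device error model shown above
CSS = ErrorModel(
    name="interfaceview_IV_AOCS_CSS_taste_impl",
    flows={"CSS_PI": "interfaceview_FV_CSS_PI_domain",
           "Sensor_TC": "interfaceview_FV_Sensor_TC_domain"},
    states=["NominalState", "TCAcceptanceFailureState", "DataFailureState"],
    events=["TCAcceptanceFailureEvent", "DataFailureEvent", "DataRecoverEvent"],
    transitions=[("NominalState", "TCAcceptanceFailureEvent", "TCAcceptanceFailureState"),
                 ("NominalState", "DataFailureEvent", "DataFailureState"),
                 ("DataFailureState", "DataRecoverEvent", "NominalState")],
    codes={"NominalState": [("CSS_PI.dataCSS_out", "DataType_dataCSS_T"),
                            ("Sensor_TC.TC_Acceptance", "DataType_TM_Status")],
           "TCAcceptanceFailureState": [("Sensor_TC.TC_Acceptance", "NO_DATA")],
           "DataFailureState": [("CSS_PI.dataCSS_out", "NO_DATA")]})
```

Calling to_altarica(CSS) prints a node in the same layout as the generated CSS node above; the determinism check rejects a model that maps one (state, event) pair to two targets.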
18
Transformation example - Thread

SYSTEM SMU
  FEATURES
    SensorAcquisition : PROVIDES SUBPROGRAM ACCESS SensorAcquisition.others;
    ControlLoop : PROVIDES SUBPROGRAM ACCESS …ControlLoop.others;
    ActuatorMgt : PROVIDES SUBPROGRAM ACCESS …ActuatorMgt.others;
    cmdRW1 : REQUIRES SUBPROGRAM ACCESS default::FV::cmdRW_PI_obj578;
    ….
    cmdTHR8 : REQUIRES SUBPROGRAM ACCESS default::FV::THR_PI_obj875;
    SMU_IO_Mgt_RI : REQUIRES SUBPROGRAM ACCESS …SMU_IO_Mgt_PI_obj234;
    tcCSS_RI : REQUIRES SUBPROGRAM ACCESS default::FV::CSS_TC_obj102;
    ….
END SMU;

SYSTEM IMPLEMENTATION SMU.others
  SUBCOMPONENTS
    SensorAcquisition_impl : SUBPROGRAM default::FV::SensorAcquisition.others;
    ControlLoop_impl : SUBPROGRAM default::FV::ControlLoop.others;
    ActuatorMgt_impl : SUBPROGRAM default::FV::ActuatorMgt.others;
  CONNECTIONS
    …
  ANNEX ERROR_MODEL {**
    Model => AOCS_error_models::AOCSThread_error.impl;
  **};
  ANNEX BEHAVIOR_SPECIFICATION {**
    …
    TRANSITIONS
      normal : s -[ ]-> s {
        SMU_IO_Mgt_RI!(di, ds, dg, dc, frw1, frw2, frw3, frw4);
        SensorAcquisition_impl!(dg, di, dc, ds, d);
        ControlLoop_impl!(d, c);
        ActuatorMgt_impl!(c, crw1, crw2, … , cthr6, cthr7, cthr8);
        …
      };
      memoryaccess : stMemoryAccessError -[ ]-> stMemoryAccessError {
        SMU_IO_Mgt_RI.dataIRES := BAD_DATA
      };
  **};
END SMU.others;

node default_IV_AOCS_SMU_others
  FLOW
    SensorAcquisition : default_FV_SensorAcquisition_domain ;
    …
    SMU_IO_Mgt_RI : default_FV_SMU_IO_Mgt_PI_domain ;
  STATE
    error_model_state : { stErrorFree , stMemoryAccessError , … } ;
  INIT
    error_model_state := stErrorFree ;
  EVENT
    evMemoryAccessError , evSubCallError , evReset , HWError ,
    HWRepair , MemoryAccessError , SubCallError ;
  TRANS
    error_model_state = stErrorFree |- evMemoryAccessError -> error_model_state := stMemoryAccessError ;
    …
  SUB
    SensorAcquisition_impl : default_FV_SensorAcquisition_others ;
    ControlLoop_impl : default_FV_ControlLoop_others ;
  ASSERT
    SensorAcquisition_impl.self = SensorAcquisition ;
    ControlLoop_impl.self = ControlLoop ;
    ActuatorMgt_impl.self = ActuatorMgt ;
    error_model_state = stMemoryAccessError & ( SMU_IO_Mgt_RI.dataIRES = BAD_DATA )
    | error_model_state = stErrorFree
    | error_model_state = stSubCallError
    | error_model_state = stHWError ;
    ControlLoop_impl.self.dataAOCS = SensorAcquisition_impl.self.dataAOCS ;
    ActuatorMgt_impl.self.commandAOCS = ControlLoop_impl.self.commandAOCS ;
edon
19
Error propagations
• Observe AADL EA Propagation and Inheritance rules:
– From HW components to SW bound to that HW.
– Through component connections.
– Via shared access.
– Via subprogram calls.
– Errors of a component are propagated to its subcomponents and vice versa.
• Transformed as Altarica (Weak) Event Synchronizations.
• Restricted support for Guard_In and Guard_Out (event mapping):
Guard_In => MappedEvent when OriginalEvent {, [MappedEvent when OriginalEvent]}*
Guard_Out => MappedEvent when OriginalEvent {, [MappedEvent when OriginalEvent]}*
Figure (recovered labels): Source Component: Source Event -> Guard_Out Mapping -> Mapped Out Event; Destination Component: Guard_In Mapping -> Destination Event.
20
Full AOCS propagations
21
Propagations example

Source Component / Feature: SMU
  Out Propagations: MemoryAccess (a1), HWError (b1)
  Guard_Out => BadData (b2) WHEN HWError, MemError (a2) WHEN MemoryAccess;
Destination Component / Feature: SensorAcquisition
  In Propagations: NoData, BadData, evOverUnderFlow, evDivideByZero, evInsufficientPrecision, Disconnected, Crash, PowerOutage, HWError, Reset, Repair
  Guard_In => BadData (b3) WHEN BadData, BadData (a3) WHEN MemError
  Final In Propagation: BadData (a3, b3)

Source Component / Feature: SensorAcquisition
  Out Propagations: PowerOutage, HWError, Crash, Reset
  NO Guard_Out
Destination Component / Feature: SMU
  In Propagations: PowerOutage, HWError, Crash, Reset
  NO Guard_In

Resulting Altarica synchronizations:
< Crash ? , SensorAcquisition_impl.Crash > ;
< MemoryAccess ? , SensorAcquisition_impl.BadData > ;
< PowerOutage ? , SensorAcquisition_impl.PowerOutage > ;
< HWError ? , SensorAcquisition_impl.BadData > ;
< Reset ? , SensorAcquisition_impl.Reset > ;
< SensorAcquisition_impl.PowerOutage ? , PowerOutage > ;
< SensorAcquisition_impl.HWError ? , HWError > ;
< SensorAcquisition_impl.Crash ? , Crash > ;
< SensorAcquisition_impl.Reset ? , Reset > ;
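The Guard_Out / Guard_In event mapping and the weak synchronizations it yields for the SMU / SensorAcquisition pair above, as an added illustration in Python (not the tool's own code). It assumes, as the table suggests, that an event with no mapping passes through under its own name and that a propagation only reaches the destination when the destination declares the final event as an in propagation; the event lists are constructed from the example.

```python
def propagation_syncs(src_out, guard_out, dst_in, guard_in, src_prefix="", dst_prefix=""):
    """Altarica weak synchronization vectors '< src ? , dst >' for one propagation direction."""
    syncs = []
    for ev in src_out:
        mapped = guard_out.get(ev, ev)        # Guard_Out: MappedEvent when OriginalEvent
        final = guard_in.get(mapped, mapped)  # Guard_In applied on the destination side
        if final in dst_in:                   # assumption: undeclared in propagations are dropped
            syncs.append(f"< {src_prefix}{ev} ? , {dst_prefix}{final} >")
    return syncs

# constructed data, copied from the SMU -> SensorAcquisition example above
SMU_OUT = ["Crash", "MemoryAccess", "PowerOutage", "HWError", "Reset"]
SMU_GUARD_OUT = {"HWError": "BadData", "MemoryAccess": "MemError"}
SA_IN = ["NoData", "BadData", "evOverUnderFlow", "evDivideByZero", "evInsufficientPrecision",
         "Disconnected", "Crash", "PowerOutage", "HWError", "Reset", "Repair"]
SA_GUARD_IN = {"BadData": "BadData", "MemError": "BadData"}
SA_OUT = ["PowerOutage", "HWError", "Crash", "Reset"]   # reverse direction, no guards
SMU_IN = ["PowerOutage", "HWError", "Crash", "Reset"]

def smu_to_sensor():
    # enclosing node SMU propagates into subcomponent SensorAcquisition_impl
    return propagation_syncs(SMU_OUT, SMU_GUARD_OUT, SA_IN, SA_GUARD_IN,
                             dst_prefix="SensorAcquisition_impl.")

def sensor_to_smu():
    # and vice versa, per the inheritance rule on slide 19
    return propagation_syncs(SA_OUT, {}, SMU_IN, {}, src_prefix="SensorAcquisition_impl.")
```

Both MemoryAccess (via MemError) and HWError (via BadData) end in the single final in propagation BadData, which is the (a3, b3) entry of the table.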
Thank you.