Modeling & Validation of Redundancy Policies
Hamza Chouh, Charlotte Callon, Ghita Jalal, Frédéric Boulanger, Safouan Taha
Supélec E3S – Department of Computer Science
This work has been supported by CNES www.cnes.fr
Miami, September 29 2013
1 / 13
Agenda
Introduction
Architecture & Redundancy
Tool Chain & Example
Discussion
Conclusion
2 / 13
Introduction
Context
- Some critical systems must tolerate failures to preserve safety
- Safety must be taken into account from the beginning in the design of a system
- Safety puts constraints on the architecture of the system
Issue
- Evaluate different redundancy policies during design
- Evaluate architectures that support these policies
- Make a choice while the system is not yet designed!
3 / 13
Example: Ariane 5
[Figure: redundant architecture with two on-board computers (OBC1, OBC2), two SRI units (SRI1, SRI2) and two EPC units (EPC1, EPC2), interconnected by Bus 1 and Bus 2]
4 / 13
Architecture
[Figure: software model (Measure, Compute and Action tasks, each with its period, and the data size exchanged between consecutive tasks) mapped onto the hardware model (processing units and a bus with its bandwidth); allocation constraints give the execution time of each task on the hardware units]
5 / 13
Redundancy
High level description
- Which software and hardware entities are duplicated?
- Nature of the redundancy: hot, warm or cold
- Maximum number of items that may fail in a cluster
- Requirements for valid configurations
Example
- 2 hot copies of measures on different SRIs
- 2 warm copies of computations on different OBCs
- 2 cold copies of corrections on different EPCs
- At least one of each should be running
6 / 13
Redundancy
Low level description
- Which software and hardware entities are OK?
- Concrete allocation of computations and communications on hardware
Example
- 2 running copies of measures on 2 working SRIs
- 1 failed OBC
- 1 running copy of computations on the working OBC
- 1 running copy of corrections on one of the working EPCs
7 / 13
Problems
Finding low level configurations
- Describe the software architecture
- Describe the hardware architecture
- Describe allocation constraints
- Model the redundancy policy
- Find all possible matching configurations
Checking low level configurations
- For each low level configuration:
  - Check execution timing constraints
  - Check communications (path and timing)
8 / 13
Tool Chain
[Figure: Redundancy Metamodel -> (M2T transformation + predicate library) -> Alloy -> (T2M transformation) -> Redundancy Metamodel -> (M2T transformation) -> SynDEX]
Steps annotated on the slide:
- HL model: the high level model conforms to the redundancy metamodel
- Alloy spec.: an M2T transformation, with a predicate library, produces an Alloy specification from the HL model
- Alloy model satisfies policy: Alloy finds a model (a configuration) that satisfies the redundancy policy
- LL model: a T2M transformation turns the Alloy model back into a low level model conforming to the redundancy metamodel
- SynDEX model: an M2T transformation produces a SynDEX model from the LL model
- Diagnostic: SynDEX checks the configuration (timing and com OK)
9 / 13
Example
Initial specification
- At least 2 running computations
- Computations must run on different OBCs
- 2 OBCs available, 1 OBC fails
=> Alloy finds no solution
Second specification
- At least 2 running computations
- Computations may run on the same OBC
- 2 OBCs available, 1 OBC fails
=> Alloy allocates 2 computations on the working OBC
10 / 13
Example
Checking the configuration
- 2 computations running on the same OBC
- Exec time is 20 per computation
- Communication from the SRIs takes 5
- Communication to the EPCs takes 10
- Period of the computations is 45
=> SynDEX finds no schedule: 2(5 + 20 + 10) > 45
When requesting only one running computation: Alloy finds a configuration and SynDEX finds a schedule for it
10 / 13
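The two problems of the slides (finding the low-level configurations that match a high-level policy under failures, then checking each one against timing constraints) can be reproduced on this small example without Alloy or SynDEX. The following Python program is an added example, not code from the authors or their tool chain: it brute-forces the configurations for the redundancy policy of the Ariane 5 example (slide 6 and the slide 7 example) and for the two specifications of slide 10, then applies the sequential bound the slide uses, n × (com in + exec + com out) ≤ period, per OBC. The policy representation (`copies`, `hardware`, `distinct`, `min_running`) is an assumption of this example, not the authors' metamodel; hot/warm/cold semantics, bus paths and bandwidth are not modeled, only which copies are running and on which unit.

```python
"""Added example: brute-force exploration of a redundancy policy.

Plain-Python stand-in for the Alloy + SynDEX tool chain of the slides:
(1) find every low-level configuration that satisfies a high-level policy
once some hardware units have failed, (2) keep those that respect the simple
sequential timing bound of the example slide, n * (com_in + exec + com_out)
<= period, on each processing unit.  The policy representation is assumed
for this example; hot/warm/cold copies and bus paths are not modeled.
"""
from itertools import product
from typing import Dict, List, Set, Tuple

Config = Dict[str, Tuple[str, ...]]   # cluster name -> unit hosting each running copy


def find_configurations(policy: Dict[str, dict], failed: Set[str]) -> List[Config]:
    """Enumerate the configurations matching `policy` when `failed` units are down.

    A copy placed on failed hardware is not running, so copies are only placed on
    working units.  Each cluster gets between `min_running` and `copies` running
    copies, on distinct units when `distinct` is set ("on different OBCs").
    """
    names, per_cluster = [], []
    for name, c in policy.items():
        working = [h for h in c["hardware"] if h not in failed]
        options = set()
        for k in range(c["min_running"], c["copies"] + 1):
            for alloc in product(working, repeat=k):
                if c["distinct"] and len(set(alloc)) != len(alloc):
                    continue
                options.add(tuple(sorted(alloc)))   # copies are interchangeable
        names.append(name)
        per_cluster.append(sorted(options))
    # Cartesian product over clusters: empty as soon as one cluster has no option
    return [dict(zip(names, combo)) for combo in product(*per_cluster)]


def processor_loads(config: Config, cluster: str, com_in: int, exec_time: int, com_out: int) -> Dict[str, int]:
    """Time needed on each unit by the running copies of `cluster`, assuming each copy
    performs its input communication, execution and output communication in sequence
    on that unit (the bound written on the example slide: 2(5 + 20 + 10))."""
    loads: Dict[str, int] = {}
    for unit in config[cluster]:
        loads[unit] = loads.get(unit, 0) + com_in + exec_time + com_out
    return loads


def schedulable(config: Config, cluster: str, com_in: int, exec_time: int, com_out: int, period: int) -> bool:
    """True if every unit can complete its copies of `cluster` within one period."""
    loads = processor_loads(config, cluster, com_in, exec_time, com_out)
    return all(load <= period for load in loads.values())


def explore(policy: Dict[str, dict], failed: Set[str], cluster: str,
            com_in: int, exec_time: int, com_out: int, period: int) -> List[Config]:
    """Tool-chain analogue: find the matching configurations, keep the schedulable ones."""
    return [c for c in find_configurations(policy, failed)
            if schedulable(c, cluster, com_in, exec_time, com_out, period)]


# High-level policy of the Ariane 5 example (slide 6), in the assumed representation:
# 2 copies of each cluster on different units, at least one of each running.
ARIANE_POLICY = {
    "measures":     {"copies": 2, "hardware": ["SRI1", "SRI2"], "distinct": True, "min_running": 1},
    "computations": {"copies": 2, "hardware": ["OBC1", "OBC2"], "distinct": True, "min_running": 1},
    "corrections":  {"copies": 2, "hardware": ["EPC1", "EPC2"], "distinct": True, "min_running": 1},
}

# Slide 10, initial specification: at least 2 running computations on different OBCs
INITIAL_SPEC = {"computations": {"copies": 2, "hardware": ["OBC1", "OBC2"], "distinct": True, "min_running": 2}}
# Second specification: the computations may share an OBC
SECOND_SPEC = {"computations": {"copies": 2, "hardware": ["OBC1", "OBC2"], "distinct": False, "min_running": 2}}
# Relaxed request: only one running computation required
RELAXED_SPEC = {"computations": {"copies": 2, "hardware": ["OBC1", "OBC2"], "distinct": False, "min_running": 1}}

# Timing figures of slide 10: exec 20, com from the SRIs 5, com to the EPCs 10, period 45
TIMING = dict(com_in=5, exec_time=20, com_out=10, period=45)

if __name__ == "__main__":
    failed = {"OBC1"}   # 2 OBCs available, 1 OBC fails
    print("initial spec :", find_configurations(INITIAL_SPEC, failed))             # []
    print("second spec  :", find_configurations(SECOND_SPEC, failed))              # [{'computations': ('OBC2', 'OBC2')}]
    print("schedulable  :", explore(SECOND_SPEC, failed, "computations", **TIMING))  # []  (70 > 45)
    print("relaxed      :", explore(RELAXED_SPEC, failed, "computations", **TIMING)) # [{'computations': ('OBC2',)}]
    print("slide 7 space:", len(find_configurations(ARIANE_POLICY, failed)))       # 9
```

The initial specification yields no configuration at all, matching "Alloy finds no solution"; the second yields the single allocation of both computations on OBC2, which the timing bound then rejects (70 > 45), matching "SynDEX finds no schedule"; requesting only one running computation gives a configuration that passes. Note that the real tool chain does not stop at this bound: SynDEX also accounts for bus paths and communication timing, which this brute force leaves out.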
Discussion
No safety analysis
- We assume failures are detected
- No reconfiguration policy
We propose
- An approach for exploring possible architectures/policies
- Models and model transformations for reusing existing tools
Limitations
- Reconfiguration time is not modeled
- Cost of failure detection is not modeled
11 / 13
Conclusion
Contribution
- A metamodel for software and hardware architectures with redundable elements
- Modeling of redundancy policies with allocation and timing constraints
- Model transformations to use Alloy and SynDEX for finding and checking configurations that satisfy the constraints
Perspectives
- Take dynamicity and reconfiguration tasks into account
- Take fault detection tasks into account
- Add qualitative criteria in the models to rate configurations
12 / 13
Questions?
Thanks for your attention
13 / 13