Languages and Tools for Embedded Software Architectures
We have developed languages and tools to support two complementary views of
a system. In one view, the ControlH architecture specification language
and toolset are used by GN&C engineers to model physical processes and
specify GN&C algorithms. In the second view, the MetaH architecture
specification language and toolset are used by computer system engineers to
analyze and combine software and hardware components to form a complete
computer system. Each view addresses different design issues, supports
analysis of different product characteristics, and generates software that
provides different types of functionality. Our approach
allows different views of an overall system architecture to be developed in
a consistent way that supports concurrent multi-disciplinary engineering.
Languages and tools to support additional views may be added, and we have
used MetaH with a number of specialized code generators and in a number of
reengineering exercises.
ControlH is a block-diagram style language that allows models of physical
systems, together with algorithms to monitor and control those systems, to be
specified. ControlH specifications are constructed by connecting together
operators such as integrators, filters and state space systems to transform
time-varying scalar, vector or matrix signals. Specifications are
hierarchical, where an operator (block) in a diagram may itself be implemented
as a subdiagram containing other connected operators. ControlH is primarily a
functional or signal flow language rather than a procedural one (though
procedural features are available when needed).
Tools are available to automatically generate Ada or C software from a
ControlH specification by composing implementations provided for a set of
primitive operators. These source modules can then be used by tools that
solve for equilibria points, perform linearizations, and simulate the
specified system. Interfaces allow linear models and test signals to be
exchanged with existing toolsets such as MatLab and gnuplot, and external
source modules can be included by defining them as new primitive operators. A
MetaH specification that defines the scheduling and communication requirements
of the generated source code can also be produced, which allows subsystems
produced from ControlH specifications to be conveniently integrated into an
overall computer system architecture.
Two major classes of features distinguish ControlH from other
block diagram toolsets.
- ControlH provides language features that support the development of
reusable specifications. A rich set of types is available for signals,
including vectors, matrices, state spaces and look-up tables. Generic types
and operators allow users to develop reusable operator specifications, where
certain details (e.g. the exact dimensions of the input and output signals)
are automatically adjusted depending on the context in which the operator is
used.
- The ControlH tools produce structured code and allow
users to control implementation trade-offs. The user can control the
application of advanced optimizations such as sparse matrix operations and
procedure inlining. This allows users to control the time/space trade-offs in
the generated code. The generated source modules have a subprogram call graph
that mirrors the hierarchical operator structure of the original
specification, with a well-defined mapping between operators in a ControlH
specification and the generated source files and subprograms. This greatly
facilitates change and configuration management, multi-disciplinary trade-off
studies, and V&V activities.
MetaH specifies how software modules developed in a variety of styles are
composed together with hardware objects to form a complete system
architecture. MetaH itself exhibits elements of real-time process and concurrent state machine
styles. MetaH specifications allow developers to compose software objects such
as subprograms, packages and processes and hardware objects such as
memories and processors. Hierarchical specification is supported, where
macros and modes hierarchically combine software objects, and systems
hierarchically combine hardware objects. MetaH allows computer system
engineers to integrate the source modules for all the various functional
subsystems to form the final real-time, fault-tolerant, securely
partitioned multi-processor system.
Tools are available to perform a software/hardware binding, real-time
schedulability analysis, reliability analysis, and safety/security
analysis. A tool is available to generate the "glue" code needed to
provide the scheduling, communication, event handling and fault containment
behavior specified in MetaH. Finally, a make tool is available to manage
change propagation and automatically perform the series of compilations and
links needed to produce binary load images for multi-processor systems.
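The schedulability and safety/security analyses described above, as an added example that is not part of the MetaH toolset or of this page: a small constructed architecture (processes with a period, a worst-case execution time, a processor binding and a security level, plus directed port connections, all invented here) is checked with fixed-priority response-time analysis under rate-monotonic priorities, and its connections are checked against a simple "no write down" rule. The attribute names, the sample processes, and the choice of these particular algorithms are assumptions; they stand in for, and do not reproduce, the analyses the MetaH tools actually perform.

```python
"""Added example, not MetaH code: two architecture-level analyses over a
constructed specification.  Attribute names, sample values and the specific
analysis algorithms are assumptions made for this illustration."""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Process:
    name: str
    period: float     # ms; the deadline is assumed equal to the period
    wcet: float       # ms, worst-case execution time
    processor: str    # hardware binding chosen by the system engineer
    level: int        # security level; higher means more sensitive


# Constructed sample architecture: a GN&C subsystem on cpu0 and a
# lower-level housekeeping/telemetry partition on cpu1.
PROCESSES = [
    Process("nav_filter",  20.0, 5.0,  "cpu0", 2),
    Process("ctrl_law",    10.0, 3.0,  "cpu0", 2),
    Process("actuator_io",  5.0, 1.0,  "cpu0", 2),
    Process("hk_monitor",  25.0, 4.0,  "cpu1", 1),
    Process("log_dump",    30.0, 20.0, "cpu1", 1),   # heavy: overloads cpu1
    Process("telemetry",   50.0, 8.0,  "cpu1", 1),
]

# Directed port connections (source process -> destination process).
CONNECTIONS = [
    ("nav_filter", "ctrl_law"),
    ("ctrl_law", "actuator_io"),
    ("hk_monitor", "telemetry"),
    ("ctrl_law", "telemetry"),   # deliberate level-2 -> level-1 flow
]


def response_times(procs):
    """Fixed-priority response-time analysis per processor, with
    rate-monotonic priorities (shorter period = higher priority).
    Returns {name: worst-case response time} with None where the
    iteration exceeds the deadline, i.e. the process is unschedulable."""
    by_cpu = {}
    for p in procs:
        by_cpu.setdefault(p.processor, []).append(p)
    result = {}
    for ps in by_cpu.values():
        ps = sorted(ps, key=lambda q: q.period)
        for i, p in enumerate(ps):
            higher = ps[:i]
            r = p.wcet
            while True:
                # Interference from every higher-priority release in [0, r).
                interference = sum(ceil(r / h.period) * h.wcet for h in higher)
                r_next = p.wcet + interference
                if r_next > p.period:
                    result[p.name] = None
                    break
                if r_next == r:
                    result[p.name] = r_next
                    break
                r = r_next
    return result


def security_violations(procs, connections):
    """Flag every connection that carries data from a higher security
    level to a lower one (a 'no write down' check over the port graph)."""
    level = {p.name: p.level for p in procs}
    return [(src, dst) for src, dst in connections if level[src] > level[dst]]


def analyze(procs, connections):
    """Combined report in the spirit of an architecture analysis pass."""
    rt = response_times(procs)
    return {
        "response_times": rt,
        "unschedulable": sorted(n for n, r in rt.items() if r is None),
        "security_violations": security_violations(procs, connections),
    }


if __name__ == "__main__":
    report = analyze(PROCESSES, CONNECTIONS)
    for name, r in report["response_times"].items():
        print(f"{name:12s} R = {r}")
    print("unschedulable:", report["unschedulable"])
    print("level violations:", report["security_violations"])
```

The constructed specification is deliberately flawed in two ways so that both checks report something: cpu1 is overloaded, so the response-time iteration for telemetry exceeds its 50 ms period, and the ctrl_law to telemetry connection leaks level-2 data into a level-1 process. Because the same specification that drives these checks would also drive glue-code generation, findings of this kind surface before any integration code exists, which is the point the surrounding text makes about analysis results bounding implementation behavior.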
Three major classes of features distinguish MetaH from existing approaches
to designing and integrating software using CASE tools and real-time
operating systems.
- MetaH specifications can be used to drive automatic software and
system integration. Users do not need to design and hand-code
configuration-specific sequences of calls to the various application
modules and real-time operating system services. This reduces development
effort and reduces defects in the code that integrates the application
modules. Because the integration code is automatically generated, it is
possible to rapidly reconfigure systems. Finally, static analysis by the
tools allows many operations to be preplanned at development time rather
than dynamically computed at run-time, which can significantly reduce
on-board code size and overhead.
- MetaH specifications can be subjected to formal analysis. Partial
MetaH specifications can be partially analyzed, which supports design
trade-off studies beginning very early in the development process. The
co-generation of code and analytic models from a common specification
provides high assurance that the analysis results accurately predict and
bound final implementation behavior. The accuracy of analysis results can
be relied upon during design trade-offs, and analysis results can be used
in the V&V process.
- The MetaH architecture specification language
includes as part of its definition a discussion of the coding guidelines used
for source modules. These guidelines together with the MetaH language features
define a set of common software/software and software/hardware interface
mechanisms. Source modules can thus be more independent of the application,
hardware and software context in which they are used. MetaH supports increased
reuse of source modules, and MetaH allows system architectures to be rapidly
reconfigured to adapt to changing hardware and functional requirements without
making changes to application source modules.
It isn't necessary to use MetaH and ControlH together. ControlH code has
been hand-integrated into existing real-time systems, and MetaH has been
used to compose code generated by several other specialized generators
(e.g. MATRIXx/Autocode) and reverse-engineered from existing products.
However, there is synergy in using domain-specific toolsets for various
engineering disciplines (such as ControlH for GN&C engineering) that
have been integrated with the MetaH toolset. This provides tool support
for concurrent, multi-disciplinary engineering and systems engineering and
integration. There is an intuitive mapping between certain concepts and
objects that appear in both the ControlH and MetaH languages: time;
processes; operators and subprograms; and signals and port connections.
This intuitive mapping makes it possible for engineers from different
disciplines to analyze an architecture from different perspectives, yet be
able to identify and communicate effectively about common objects. For
example, the impacts of the timing properties of a particular operator and
changes to those properties can be discussed, where the computer engineer
can assess the impact on real-time schedulability and the control engineer
can assess the impact on control system performance and robustness.
Integrated Development, Verification and Testing
Verification is a major element of any development effort. We couple
architecture analysis with a methodical and automated process for producing
implementations that behave as the analysis predicts. This allows analysis
results to contribute to verification. However, testing and debugging
will always remain important steps in the life cycle.
On the related (Ada Software
Integrated Development/Verification System) program, we developed a
test specification language for ControlH with associated tools. Test
specifications written in the Software Integrated Flight Test (SIFT)
language can be automatically performed by the toolset. The toolset
captures and manages traceability information between the test
specifications, vehicle management system requirements, and ControlH
specifications of the control algorithms. Test and V&V
documents can be automatically generated.
On the related Avionics System Performance Management (ASPM) program, we
are integrating an instrumentation and monitoring toolset with our MetaH
toolset. When the developer specifies that a software application be
hosted on an instrumented target, a large class of run-time events and
associated data will be available for real-time viewing using a
workstation-hosted interactive instrumentation toolset. Developers will be
able to include calls in application code to add new run-time events and
data (such calls will be compiled to null statements on non-instrumented
targets). A specification language is available that will allow developers
to select events and data of interest, to perform various post-processing
on these events and data, and to display the results in various formats
while the system is executing.