1 / 27

Robust Design Strategies III

Robust Design Strategies III. Gruia-Catalin Roman and Christopher Gill Washington University in St. Louis. Robust Design Strategies. Overview [3.1] Motivating factors [3.2] Design principles [3.3] Architectural styles [3.4] Design themes and design patterns.

jsomers
Download Presentation

Robust Design Strategies III

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Robust Design Strategies III Gruia-Catalin Roman and Christopher Gill Washington University in St. Louis

  2. Robust Design Strategies Overview [3.1] Motivating factors [3.2] Design principles [3.3]Architectural styles [3.4] Design themes and design patterns

  3. 3.4 Design Themes and Design Patterns • Role of architecture • relies on fundamental modeling assumptions • captures essential aspects of the system behavior • provides a basis for behavior analysis • Designer goal • an architecture that ensures specific product qualities • Mode of operation • reuse design patterns as a starting point • exploit know-how embodied in design patterns

  4. Fundamental Principles • Understand product goals and critical concerns • Reuse design and analysis strategies • Design for analyzability • with respect to critical concerns • Practice design and analysis integration

  5. Functional composition promotes predictability the behavior of one function is always the same for the same input (system state) functions are independent of each other there are no side effects there is no concurrency computations are deterministic 3.4.1 Theme: Predictable Behavior elevator control select destination control movement handledoors rapid travel floor approach alignment …

  6. Analysis • Composition mechanics • localized and readily identifiable for analysis • components of interest • elevator control • control movement • strict sequential behavior: (a (x y z) b)* • deterministic • repeatable • No concurrency anywhere in the system • Interface consistency • parameter syntax and interpretation • e.g., null vs. empty message • implicit parameters (e.g., shared objects)

  7. Analysis • The specification method impacts analysis • Use of pre and post assertions is critical • defines behavior independently of implementation • provides the basis for independent testing • promotes interface consistency • makes static analysis possible • makes run-time checking feasible • enables run-time self-healing • Example: alignment • pre: stopped at some floor; ± 20 cm of horizontal; confirmed • post: stopped at some floor; ± 1 cm of horizontal; confirmed

  8. Decoupled computing facilitates reconfiguration adding/removing of components and data Blackboard architecture access by name Tuple space coordination access by contents Decoupling by design encoding a traditional design is not a good solution safer braking policy brake analyzer 3.4.2 Theme: Expandability road conditions temperature braking policy brake actuator settings car speed foot pressure tire spin

  9. Analysis • Invariant property • characterization of the system state • holds at initialization • holds after every operation • precise definition of an “operation” is required • procedure invocation, block, statement, etc. • Static analysis offers maximal benefits • isolated evaluation of each individual operation • Run-time enforcement and verification is feasible • testing during development • protection during field operation

  10. Analysis • Structural invariants for dynamic systems • one and only one brake actuator • Data representation • all measurements are in the metric system • <“speed”, 12, m/s, “at”, 1236, ms> • Data consistency • brake application and cruise control cannot coexist • Operating assumptions • freshness and accuracy

  11. Concurrent processes can interfere with each other Data inconsistencies lead to incorrect conclusions patient has been loaded … … but the ambulance is empty Wide range of patterns specialized to varying situations Monitor object (POSA2) Allow only one thread at a time in the incident object Strategized locking (POSA2) Allow null, mutex, readers/writer 3.4.3 Theme: Non-Interference ambulance reporting supervisory monitoring incident patient status ambulance status

  12. Assessing non-interference syntactic methods: no shared data semantic methods: no concurrent access to shared data (by analysis) Design: double buffer atomic copy on read atomic swap on write Analysis: no interference possible Analysis ambulance reporting supervisory monitoring incident patient status to buffer copy of old record ambulance status to buffer atomic update copy of new record

  13. Controlling interference explicit scheduling record locking barrier synchronization Analysis ambulance reporting supervisory monitoring incident (a) (b) locked record (c) all shared data is updated

  14. Precise specification of relevant requirements Designed partitioned for analyzability separation of concerns Design rules limit scope and cost of analysis Partition enhance ability to carry complete analysis 3.4.4 Theme: Strong Guarantees elevator control select destination control movement handledoors rapid travel floor approach alignment …

  15. Requirement when doors are openelevator must bestopped at some floor Architectural implications handle doors:pre: stopped at floorpost: doors closed invariant:inside handle doors elevator is stopped at floor[no access to elevator travel motor]outside handle doors doors are closed[no access to door activation motor] control movement select destination floor approach alignment rapid travel elevator control Analysis handledoors …

  16. Requirements when doors are open elevator must bestopped at some floor alignment must be within tolerance New design is needed to ensure analyzability elevator motor is in use while doors are open New alignment guarantee invariant: inside alignment if stopped at a floor the elevator remains at that floor control movement select destination floor approach alignment rapid travel elevator control Analysis handledoors …

  17. Strong real time guarantees demand strict design rules Predictable scheduling deterministic order in which tasks are executed analyzable timing behavior Predictable component behavior restricted constructs bounded loops no recursion computable worst case timing/behavior 3.4.5 Theme: Real Time Guarantees

  18. Static analyzer T sec. allocation worst case bound tk  tk ≤ T Dynamic analyzer priority based preemption admission control Collision detection most critical task long duration must run in the background reserved fraction of time Analysis event(k) collision detector analyzer analysis task(k)

  19. Safety is a requirement driven concern under design-specific faults Precise specification Easy traceability between architecture and requirements isolation visibility Analyzable with respect to a specific set of faults failure analysis fault model 3.4.6 Theme: Safety Guarantees on board vehicle controller emergency brake control

  20. Drive-by-wire emergency brake safety specifications brake can be engaged only when the car is parked stalled on a ramp? brake can be engaged when the car is parked or the engine is off even at high speed? brake can be engaged when the car is parked or the engine is off at a low speed Analysis parked parked orengine off-------------------brake on stopped engine on-------------------brake off slow moving true-------------------brake off fast moving

  21. Drive-by-wire emergency brake hazard analysis car may accelerate fast if hit from behind missing transitions must be added and implications on the specification must be clarified visibility make both analysis and modification feasible Analysis parked parked orengine off-------------------brake on stopped engine on-------------------brake off slow moving fast moving engine on-------------------brake off

  22. Certain behavior anomalies are well understood and have standard remedies Encapsulating relevant behaviors as part of controllers simplifies analysis Deadlock prevention impose ordering on processes of resources Live-lock avoidance introduce asymmetry in the decision process (e.g., normally distributed random) 3.4.7 Theme: Anomaly Prevention assembly task select cart no free cart cart selected select bins load parts deliver parts

  23. Live-lock may happen when cart is unable to find the required parts but is reselected repeatedly reselection must be inhibited if other requests are pending Deadlock may occur when groups of parts are needed together, e.g., (A, B, C) or (X, Y) bins must be reserved in the same order by all carts Analysis select bins no options a pending cart request [release cart] no options no pending cart request [try again] successful selection of A<B<C lock bin A lock bin B lock bin C

  24. Object integrity prescribed patterns of usage are often required must be enforced for proper functioning objects may be unable to provide proper enforcement exception handling may be undesirable Global consistency objects are not used alone local states may need to be consistent across multiple objects Behavior encapsulation and analysis facilitate enforcement 3.4.8 Theme: Behavioral Integrity

  25. Home security alarm audible alarm activation must be of limited duration due to local ordinances visual alarm must be on any time the audible alarm is on due to disabled protection legislation easy traceability to requirements is required by contractual obligation Analysis siren off strobe off key -------------------siren off alarm disarmed key -------------------na key -------------------na alarm armed reset -------------------siren off strobe off intrusion -------------------siren on strobe on alert intrusion -------------------siren on timeout -------------------siren off warning

  26. Pattern Description Strategy • Pattern name • promotes communication, identifies reusable design abstraction • Critical concerns (problem and context) • systems are highly complex, may involve many design patterns • multiple critical considerations may be relevant • patterns focus on specific problems, within relevant contexts • Solution sketch • provides initial design structure (only a starting point) • creativity and experience guide the refinement process • relies on specification techniques used in architectural design • Consequences • Results of applying the pattern (resolved/unresolved design forces)

  27. Conclusions • Software architecture design is central to • bridging requirements and implementation • ensuring and assessing the satisfiability of both functional and non-functional requirements • effective planning of the development effort • Design patterns provide a reasonable starting point for formulating the architectural features • Analysis must be an integral part of the design process • Designing for analyzability is critical to ensuring credibility in the design, reducing analysis costs, and achieving desired level of quality

More Related