This document provides an agenda and overview of a presentation on a semantic web architecture for model-based safety engineering. The presentation covers an component and error model ontology, extensions to the TASTE tool's error view, and the transformation of AADL error models to Altarica models. It includes examples of how component and error models are structured in the ontology and how AADL error models are transformed to Altarica, including the propagation of errors through component connections and subprogram calls.

1. A Semantic Web Architecture for Model based Safety Engineering Presentation to the AADL standards meeting Hollywood Florida, Jan 26, 2011

2. Agenda The context: Semantic Web architecture for model based safety engineering. Component and Error Model Ontology TASTE tool ‘Error View’ extensions Transformation to Altarica Discussion and examples from AOCS case study. 2

3. Semantic Web Architecture for Model-based Safety Engineering 3

4. The MBSE Process 4

5. 5 Component and Error Model Ontology

6. Error model hierarchy 6

7. Device Error model hierarchy 7

8. Error model compositionality 8

9. Compositionality rules and assumptions Same name/symbol implies same feature Unique Name Assumption. Multiple instances of same symbol are merged. Each model contains complete transitions. Events are independent from each other. One event triggered at a time Merging results in the union of transactions. Deterministic transitions. More structure in Error models possible: E.g. Organise Events and States into Event Activation, Event Detection, Event Perceptions. Permanent and Temporary Faults. 9

10. 10 Ontology Server

11. TASTE tool Error View Extensions - IV 11

12. Front-End: Components to Error Model association 12

13. TASTE tool Error View Extensions - IV 13

14. 14 TASTE tool Error View Extensions - DV

15. Transformation: AADL Error View to Altarica AADL Error View Combined IV + DV AADL code for a system. Augmented with Error model information (Error Annex). Behavior coded used Behavior Annex. 15

16. 16 Transformation process

17. Transformation example - Device SYSTEM CSS_taste FEATURES CSS_PI_obj86 : PROVIDES SUBPROGRAM ACCESS interfaceview::FV::CSS_PI_obj86.others Sensor_TC_obj98 : PROVIDES SUBPROGRAM ACCESS interfaceview::FV::Sensor_TC_obj98.others END CSS_taste; SYSTEM IMPLEMENTATION CSS_taste.impl SUBCOMPONENTS CSS_PI_obj86_impl : SUBPROGRAM interfaceview::FV::CSS_PI_obj86.others Sensor_TC_obj98_impl : SUBPROGRAM interfaceview::FV::Sensor_TC_obj98.others CONNECTIONS SUBPROGRAM ACCESS CSS_PI_obj86_impl -> CSS_PI_obj86; SUBPROGRAM ACCESS Sensor_TC_obj98_impl -> Sensor_TC_obj98; ANNEX ERROR_MODEL {** MODEL => error_models::IV::CSS_error.impl; **}; ANNEX BEHAVIOR_SPECIFICATION {** STATES TCAcceptanceFailureState, TemperatureFailureState, DataFailureState: FINAL STATE; NominalState : INITIAL STATE; TRANSITIONS normal : NominalState -[ ]-> NominalState { CSS_PI.dataCSS_out:=DataType_dataCSS_T; Sensor_TC.TC_SW:=DataType_TC_T; Sensor_TC.TC_Acceptance:=DataType_TM_Status}; out_TCAcceptanceFailureEvent : TCAcceptanceFailureState -[ ]-> TCAcceptanceFailureState { Sensor_TC.TC_Acceptance:=NO_DATA }; out_TemperatureFailureEvent: TemperatureFailureState -[ ]-> TemperatureFailureState { CSS_PI.dataCSS_out:=BAD_DATA }; out_DataFailureEvent: DataFailureState -[ ]-> DataFailureState { CSS_PI.dataCSS_out:=NO_DATA }; **}; END CSS_taste.impl; DOMAIN interfaceview_FV_CSS_PI_domain = STRUCT dataCSS_out : { DataType_dataCSS_T , NO_DATA , BAD_DATA , OUT_OF_RANGE } ; TCURTS; DOMAIN interfaceview_FV_Sensor_TC_domain = STRUCT TC_Acceptance : { DataType_TM_Status , NO_DATA , BAD_DATA , OUT_OF_RANGE } ; TC_SW : { DataType_TC_T , NO_DATA , BAD_DATA , OUT_OF_RANGE } ; TCURTS; node interfaceview_IV_AOCS_CSS_taste_impl FLOW CSS_PI : interfaceview_FV_CSS_PI_domain ; Sensor_TC : interfaceview_FV_Sensor_TC_domain ; STATE error_model_state : { TCAcceptanceFailureState , TemperatureFailureState , DataFailureState , NominalState } ; INIT error_model_state := NominalState; EVENT TCAcceptanceRecoverEvent , TemperatureRecoverEvent , DataRecoverEvent , TCAcceptanceFailureEvent , TemperatureFailureEvent , DataFailureEvent ; TRANS error_model_state = TCAcceptanceFailureState |- TCAcceptanceFailureEvent -> error_model_state := TCAcceptanceFailureState ; error_model_state = NominalState |- TCAcceptanceFailureEvent -> error_model_state := TCAcceptanceFailureState ; ……. SUB CSS_PI_impl : interfaceview_FV_CSS_PI_others ; Sensor_TC_impl : interfaceview_FV_Sensor_TC_others ; ASSERT CSS_PI_impl.self = CSS_PI ; Sensor_TC_impl.self = Sensor_TC ; error_model_state = NominalState & ( CSS_PI.dataCSS_out = DataType_dataCSS_T & Sensor_TC.TC_SW = DataType_TC_T & Sensor_TC.TC_Acceptance = DataType_TM_Status ) | error_model_state = TCAcceptanceFailureState & ( Sensor_TC.TC_Acceptance = NO_DATA ) | error_model_state = TemperatureFailureState & ( CSS_PI.dataCSS_out = BAD_DATA ) | error_model_state = DataFailureState & ( CSS_PI.dataCSS_out = NO_DATA ) ; edon 17 2 2 1 1 4 2 5 3 3 3 3 6 4 5 6

18. Transformation example - Thread SYSTEM SMU FEATURES SensorAcquisition : PROVIDES SUBPROGRAM ACCESS SensorAcquisition.others ControlLoop : PROVIDES SUBPROGRAM ACCESS …ControlLoop.others ActuatorMgt : PROVIDES SUBPROGRAM ACCESS …ActuatorMgt.others cmdRW1 : REQUIRES SUBPROGRAM ACCESS default::FV::cmdRW_PI_obj578 …. cmdTHR8 : REQUIRES SUBPROGRAM ACCESS default::FV::THR_PI_obj875 SMU_IO_Mgt_RI : REQUIRES SUBPROGRAM ACCESS …SMU_IO_Mgt_PI_obj234 tcCSS_RI : REQUIRES SUBPROGRAM ACCESS default::FV::CSS_TC_obj102 …. END SMU; SYSTEM IMPLEMENTATION SMU.others SUBCOMPONENTS SensorAcquisition_impl : SUBPROGRAM default::FV::SensorAcquisition.others ControlLoop_impl : SUBPROGRAM default::FV::ControlLoop.others ActuatorMgt_impl : SUBPROGRAM default::FV::ActuatorMgt.others CONNECTIONS … ANNEX ERROR_MODEL {** Model => AOCS_error_models::AOCSThread_error.impl; **}; ANNEX BEHAVIOR_SPECIFICATION {** … TRANSITIONS normal : s -[ ]-> s { SMU_IO_Mgt_RI!(di,ds,dg,dc,frw1,frw2,frw3,frw4) ; SensorAcquisition_impl!( dg, di, dc, ds, d); ControlLoop_impl!(d,c); ActuatorMgt_impl!(c, crw1, crw2, … , cthr6, cthr7, cthr8); … ; memoryaccess : stMemoryAccessError -[ ]-> stMemoryAccessError { SMU_IO_Mgt_RI.dataIRES := BAD_DATA }; **}; END SMU.others; node default_IV_AOCS_SMU_others FLOW SensorAcquisition : default_FV_SensorAcquisition_domain ; … SMU_IO_Mgt_RI : default_FV_SMU_IO_Mgt_PI_domain ; STATE error_model_state : { stErrorFree , stMemoryAccessError , … INIT error_model_state := stErrorFree; EVENT evMemoryAccessError , evSubCallError , evReset , HWError , HWRepair , MemoryAccessError , SubCallError ; TRANS error_model_state = stErrorFree |- evMemoryAccessError -> error_model_state := stMemoryAccessError ; … SUB SensorAcquisition_impl : default_FV_SensorAcquisition_others ; ControlLoop_impl : default_FV_ControlLoop_others ; ASSERT SensorAcquisition_impl.self = SensorAcquisition ; ControlLoop_impl.self = ControlLoop ; ActuatorMgt_impl.self = ActuatorMgt ; error_model_state = stMemoryAccessError & ( SMU_IO_Mgt_RI.dataIRES = BAD_DATA ) | error_model_state = stErrorFree | error_model_state = stSubCallError | error_model_state = stHWError ; ControlLoop_impl.self.dataAOCS = SensorAcquisition_impl.self.dataAOCS ; ActuatorMgt_impl.self.commandAOCS = ControlLoop_impl.self.commandAOCS ; edon 18 1 1

19. Error propagations Observe AADL EA Propagation and Inheritance rules From HW components to SW bound to that HW Through component connections. Via shared access. Via subprogram calls. Errors of a component are propagated to its subcomponents and vice versa. Transformed as Altarica (Weak) Event Synchronizations Restricted support for Guard_In and Guard_Out (event mapping): Guard_in => MappedEvent when OriginalEvent {, [MappedEvent when Original Event]}* Guard_out => MappedEvent when OriginalEvent {, [MappedEvent when Original Event]}* 19

20. Full AOCS propagations 20

21. Propagations example 21 < Crash ? , SensorAcquisition_impl.Crash > ; < MemoryAccess ? , SensorAcquisition_impl.BadData > ; < PowerOutage ? , SensorAcquisition_impl.PowerOutage > ; < HWError ? , SensorAcquisition_impl.BadData > ; < Reset ? , SensorAcquisition_impl.Reset > ; < SensorAcquisition_impl.PowerOutage ? , PowerOutage > ; < SensorAcquisition_impl.HWError ? , HWError > ; < SensorAcquisition_impl.Crash ? , Crash > ; < SensorAcquisition_impl.Reset ? , Reset > ;

22. Thank you.