Developing Reliable Systems with SDL Design Patterns and Design Components
Christian Webel, Ingmar Fliege, Alexander Geraldy,Reinhard Gotzhein
University of Kaiserslautern
{webel, fliege, geraldy, gotzhein}@informatik.uni-kl.de
Christian Webel2
Topics
1. Motivation
2. SDL Design Patterns
3. Micro Protocols
4. Comparison
5. Example: “Airship Control”
6. Conclusion
1. Motivation
• Problem:
  – solution from scratch
  – existing systems: lack of reliability
  – difficult to integrate reliability
• Solution:
  – defining SDL design patterns and design components
  – using these software artefacts to augment system reliability step-by-step
  – reuse
  – SDL as a design language to develop reliable systems
1. Motivation
Concepts
Reliability:
ability of a system to perform its tasks under given conditions for a certain period of time
Watchdog:
component or functionality monitoring the operation of a system by observing an alive-signal
Heartbeat:
component or functionality sending a periodic alive-signal
2. Adding Reliability through SDL Design Patterns
• generic solution for recurring design problems
• reusable software artefact
• SDL as design language
• to be selected, adapted and embedded
2. Adding Reliability through SDL Design Patterns
• B provides data for A
• B needs to be monitored by A
• A is refined by applying the Watchdog pattern
• B by applying the Heartbeat pattern
3. Adding Reliability through Micro Protocols
• encapsulate a single (distributed protocol) functionality using a specific mechanism
• self-contained and ready-to-use
• well-defined interfaces (operators)
• can be composed yielding macro protocols
3. Adding Reliability through Micro Protocols
• A, B, Watchdog and Heartbeat as described
• ready-to-use solutions, no modifications within A or B needed
• useful if A or B cannot or should not be modified (e.g. 3rd party components)
3. Adding Reliability through Micro Protocols
Micro protocol Watchdog
• one single process type
• may be refined to match the requirements of the embedding context
• needs a periodic trigger alive

(SDL diagram of process type Watchdog; recoverable content:)
process type Watchdog
  Timer watchdogT; DCL safeInterval Duration;
  gates: wdIn (alive; OPTIONAL REFINE GATE: extend gate with signal sigX), wdOut (REFINE GATE: extend gate with signal sigY [sigX, sigZ])
  start transition: safeInterval := 3 (redefine with correct timeout interval); nextstate disabled
  state disabled, virtual input alive: set(NOW + safeInterval, watchdogT); nextstate enabled
  state enabled, input alive: set(NOW + safeInterval, watchdogT); nextstate -
  state enabled, virtual input watchdogT (REFINE: add output of fail-safe signal sigY); nextstate dead
  state dead, virtual input alive (OPTIONAL REFINE: add output of reanimate signal sigZ): set(NOW + safeInterval, watchdogT); nextstate enabled
  OPTIONAL REFINE STATE: add new transition to disable watchdog: input sigX -> TASK: reset(watchdogT) [-> sigX] -> nextstate disabled
3. Adding Reliability through Micro Protocols
Micro protocol Heartbeat
• one single process type
• may be refined to match the requirements of the embedding context
• provides a periodic trigger alive

(SDL diagram of process type Heartbeat; recoverable content:)
process type Heartbeat
  TIMER heartbeatT; DCL heartbeatInterval Duration := 1; /* optional: heartbeatInterval Duration := X */
  gate g: alive
  virtual start transition (optional: redefine start transition to set needed heartbeat interval): set(NOW + heartbeatInterval, heartbeatT); nextstate beating
  state beating, input heartbeatT: output alive; set(NOW + heartbeatInterval, heartbeatT); nextstate -
4. Comparison
Design Patterns vs. Micro Protocols

Design patterns
  Advantages:
  • no change of the system architecture necessary
  • optimization of heartbeat traffic
  • reusable solution
  Disadvantages:
  • engineering knowledge required

Micro protocols
  Advantages:
  • no change of the behaviour of the other system components necessary
  • ready-to-use solution
  • reusable solution
  Disadvantages:
  • change of the system architecture necessary
5. Example: “Airship Control”
• application to control an airship via WLAN
• two parts:
  – airshipClient: transmits the control values to the airship
  – airshipServer: receives the values and controls the airship hardware
• reliability is needed!
5. Example: “Airship Control”
Application of the Heartbeat pattern
(SDL diagram of process airShipClient; layout partly lost, transitions as far as recoverable:)
process airShipClient
  DCL id ID, newVal Integer, val1 CtrlValue := 0, val2 CtrlValue := 0, val3 CtrlValue := 0;
  Timer heartbeatT; DCL hbInterval Duration := 1;
  procedure processValue
  start: nextstate disabled
  state disabled, input value(id, newVal): decision id:
    Start: startAirship via airship; set(NOW + hbInterval, heartbeatT); nextstate enabled
    else: processValue; nextstate -
  state enabled, input value(id, newVal): decision id:
    Stop: stopAirship via airship; reset(heartbeatT); nextstate disabled
    else: processValue; newCtrlValues(val1, val2, val3) via airship; nextstate -
  state *, input heartbeatT: output alive; set(NOW + hbInterval, heartbeatT); nextstate -
5. Example: “Airship Control”
Application of the Watchdog pattern
(SDL diagram of process airShipServer; layout partly lost, transitions as far as recoverable:)
process airShipServer
  TIMER t := 0.1;
  DCL val1 CtrlValue := 128, val2 CtrlValue := 0, val3 CtrlValue := 128;
  TIMER watchdog; DCL safeInterval Duration := 3;
  DCL fail1 CtrlValue := 128, fail2 CtrlValue := 0, fail3 CtrlValue := 128;
  state disabled, input startAirship: SET(t); nextstate running
  state running, input newCtrlValues(val1, val2, val3): ctrlValue(val1) via servo; ctrlValue(val2) via motor1; ctrlValue(val3) via motor2; SET(t); nextstate -
  state running, input t: ctrlValue(val1) via servo; ctrlValue(val2) via motor1; ctrlValue(val3) via motor2; SET(t); nextstate -
  state *, input stopAirship: RESET(t); RESET(watchdog); nextstate disabled
  state running, input alive: SET(NOW + safeInterval, watchdog); nextstate -
  state running, input watchdog: ctrlValue(fail1) via servo; ctrlValue(fail2) via motor1; ctrlValue(fail3) via motor2; val1 := fail1; val2 := fail2; val3 := fail3; nextstate -
5. Example: “Airship Control”
Using the Watchdog and Heartbeat Micro Protocols
• selected and glued together
• Watchdog:
  – redefine timeout-transition
  – add stop-transition
• Heartbeat: just select and integrate
• also possible to use design patterns and micro protocols together
(SDL diagram of process type MyWatchdog; recoverable content:)
process type MyWatchdog INHERITS Watchdog;
  gates: wdIn (alive, stopAirship), wdOut (newCtrlValues, stopAirship)
  state enabled, redefined input watchdogT: newCtrlValues(128, 0, 128); nextstate dead
  state enabled, input stopAirship: stopAirship via wdOut; reset(watchdogT); nextstate disabled
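An executable model of the Watchdog and Heartbeat micro protocols and of the MyWatchdog refinement, added here as an example; it is not the paper's SDL code. It runs what the micro protocol slides and the airship glue slide describe: Heartbeat emits alive every heartbeatInterval, Watchdog re-arms watchdogT on every alive and goes dead when safeInterval passes without one, and MyWatchdog redefines the timeout transition to send newCtrlValues(128, 0, 128) and adds the stopAirship transition, with airShipClient and airShipServer left untouched. Signal, state and timer names follow the slides; the Scheduler with its generation-numbered timers, the wlan function that loses signals during an outage window, the recorder standing in for airShipServer, the outage and stop times and the Python class layout are assumptions of this example.

```python
"""Discrete-event model of the Watchdog and Heartbeat micro protocols (added example, not SDL)."""
import heapq
from typing import Any, Callable, Dict, Optional, Tuple


class Scheduler:
    """Stand-in for the SDL runtime (assumption): NOW, SET/RESET on timers, signal delivery."""
    def __init__(self) -> None:
        self.now, self._seq, self._queue = 0.0, 0, []   # entries: (time, seq, proc, signal, args)
    def send(self, proc: "Process", signal: str, *args: Any, delay: float = 0.0) -> None:
        self._seq += 1                                  # seq keeps FIFO order among equal times
        heapq.heappush(self._queue, (self.now + delay, self._seq, proc, signal, args))
    def set_timer(self, proc: "Process", name: str, duration: float) -> None:
        proc.timers[name] = proc.timers.get(name, 0) + 1    # SET(NOW + duration, T): new generation
        self.send(proc, name, proc.timers[name], delay=duration)
    def reset_timer(self, proc: "Process", name: str) -> None:
        proc.timers[name] = proc.timers.get(name, 0) + 1    # RESET(T): queued expiry becomes stale
    def run(self, until: float) -> None:
        while self._queue and self._queue[0][0] <= until:
            self.now, _, proc, signal, args = heapq.heappop(self._queue)
            if signal not in proc.timers:               # ordinary signal
                proc.input(signal, *args)
            elif args[0] == proc.timers[signal]:        # timer expiry, delivered only if still current
                proc.input(signal)


class Process:
    """An SDL process; the transition for state S and signal X is the method in_S_X."""
    def __init__(self, sched: Scheduler, state: str) -> None:
        self.s, self.state = sched, state
        self.timers: Dict[str, int] = {}
        self.out: Callable[[str, tuple], None] = lambda signal, args: None   # output gate, wired later
    def output(self, signal: str, *args: Any) -> None:
        self.out(signal, args)
    def input(self, signal: str, *args: Any) -> None:
        handler = getattr(self, f"in_{self.state}_{signal}", None)
        if handler is not None:                         # no transition: the signal is discarded, as in SDL
            handler(*args)


class Watchdog(Process):
    """Micro protocol Watchdog: states disabled / enabled / dead, timer watchdogT."""
    def __init__(self, sched: Scheduler, safe_interval: float = 3.0) -> None:
        super().__init__(sched, "disabled")
        self.safe_interval = safe_interval              # redefine with the correct timeout interval
    def _arm(self) -> None:
        self.s.set_timer(self, "watchdogT", self.safe_interval)
    def in_disabled_alive(self) -> None:
        self._arm(); self.state = "enabled"
    def in_enabled_alive(self) -> None:
        self._arm()                                     # nextstate -
    def in_enabled_watchdogT(self) -> None:             # virtual: refine to add the fail-safe output
        self.state = "dead"
    def in_dead_alive(self) -> None:                    # virtual: optionally add a reanimate output
        self._arm(); self.state = "enabled"


class Heartbeat(Process):
    """Micro protocol Heartbeat: emits alive every heartbeatInterval."""
    def __init__(self, sched: Scheduler, interval: float = 1.0) -> None:
        super().__init__(sched, "beating")
        self.interval = interval                        # optional: redefine the start transition
        self.s.set_timer(self, "heartbeatT", interval)
    def in_beating_heartbeatT(self) -> None:
        self.output("alive")
        self.s.set_timer(self, "heartbeatT", self.interval)


class MyWatchdog(Watchdog):
    """MyWatchdog INHERITS Watchdog: timeout transition redefined, stop transition added."""
    FAIL_SAFE = (128, 0, 128)                           # newCtrlValues(128, 0, 128) from the slide
    def in_enabled_watchdogT(self) -> None:             # REDEFINED: drive the airship to safe values
        self.output("newCtrlValues", *self.FAIL_SAFE)
        self.state = "dead"
    def in_enabled_stopAirship(self) -> None:           # added: forward the stop, disarm, go disabled
        self.output("stopAirship")
        self.s.reset_timer(self, "watchdogT")
        self.state = "disabled"


def simulate(outage: Optional[Tuple[float, float]] = None, stop_at: Optional[float] = None,
             horizon: float = 15.0) -> dict:
    """Glue Heartbeat -> WLAN -> MyWatchdog -> airShipServer and run one constructed scenario."""
    s = Scheduler()
    wd, hb, received = MyWatchdog(s, safe_interval=3.0), Heartbeat(s, interval=1.0), []
    def wlan(signal: str, args: tuple) -> None:         # WLAN stand-in (assumption): loses every signal
        if not (outage and outage[0] <= s.now < outage[1]):   # while outage[0] <= NOW < outage[1]
            s.send(wd, signal, *args)
    hb.out = wlan                                       # Heartbeat -> WLAN -> wdIn
    wd.out = lambda signal, args: received.append((s.now, signal, args))   # wdOut -> airShipServer
    if stop_at is not None:                             # constructed client input: stopAirship via wdIn
        s.send(wd, "stopAirship", delay=stop_at)
    s.run(horizon)
    return {"server": received, "watchdog_state": wd.state}
```

Running simulate(outage=(4.0, 9.0)) shows what the safeInterval choice buys: with a 1 s heartbeat and a 3 s safe interval the server receives the fail-safe values 3 s after the last alive that got through (at t = 6), and the first alive after the outage reanimates the watchdog; simulate(stop_at=5.0) shows the added stop transition forwarding stopAirship and disarming watchdogT so that no fail-safe output follows a regular stop.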
6. Conclusion
• systematic approach to augment existing systems with reliability aspects
• reuse and reliability (design patterns, micro protocols)

Outlook:
• Validation
• Compositional testing
  – each component tested
  – resulting system tested for composition faults
• Developing more micro protocols
  – QoS, Routing, Scheduling, Medium Access, Flow Control, …