
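Document: 软件体系结构5aATC案例分析课件.ppt (Software Architecture 5a: ATC Case Study, lecture slides)

  • Uploader (seller): 晟晟文业
  • Document ID: 2711636
  • Upload date: 2022-05-20
  • Format: PPT
  • Pages: 42
  • Size: 422KB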
Slide 1: Case Study: Air Traffic Control
张平健, School of Software, South China University of Technology

Slide 2: Air Traffic Control (ATC)
• The problem is to control a very large number of aircraft from take-off to landing.
• Problem features:
  - Hard real time: no tolerance for missing deadlines
  - Ultra high availability
  - Safety critical
  - Highly distributed

Slide 3: Flying from point A to point B in the U.S. air traffic control system

Slide 4: En route centers in the United States

Slide 5: Flight Monitoring
• Flight from Key West to DC
  - Key West ground control (to taxi to runway)
  - Key West Tower (take off till leaving airport airspace)
  - ZMA en route zone center
  - ZJX en route zone center
  - ZTL en route zone center
  - ZDC en route zone center
  - DC Tower (arrival airport)
  - ground-control (to taxi again)
• Advanced Automation System (AAS) Components
  - Ground Control
  - Airport Tower
  - En Route Centers: Initial Sector Suite System (ISSS)
• This study will focus on ISSS only.

Slide 6: ISSS Influences
• ISSS was only one part of AAS
• Notes on Design of ISSS
  - Many components in common
    - Interfaces to: radio systems, flight-plan DB, each other
  - Common quality requirements for availability, reliability
  - So ISSS was influenced by requirements for all of AAS
• History
  - ISSS: real system, designed, most of code developed
  - Not deployed, scaled back to more economical, more staged solution (budget cuts)
  - Outside Audit: the architecture and design were analyzed by an independent audit team that judged “satisfies requirements.”
  - The system deployed borrowed heavily from ISSS

http:/ of the Air Traffic Control System

Slide 8: Requirements and Quality Attributes
• ATC system is highly visible with enormous commercial, governmental and public interest
• Great potential for loss of life and costly property.
• Thus the two most important quality attributes were:
• Ultrahigh availability
  - Essential that “unavailability” limited to very short periods
  - Availability requirement .99999: unavailable less than 5 minutes in a year; however short recover periods ( en route zone center - arrival airport
  - Also within zone: sector - sector - - sector before passing to the next center

Slide 12: ISSS Design
• ISSS requires flexibility in number of control stations per sector (1 to 4)
• At least two controllers per sector:
• 1. Radar controller
  - Monitors radar
  - Communicates with aircraft
  - Responsible for maintaining separation of aircraft
• 2. Data controller
  - Retrieves flight plans etc.
  - Supplies radar controller with “intentions” of aircraft

Slide 13: ISSS Implementation Metrics
• The system contains about 1 million lines of Ada code
• Designed to support up to 210 consoles per en route center. Each console was a workstation with IBM RS/6000 processor
• Requirements to handle from 400 to 2440 aircraft simultaneously
• There may be from 16 to 40 radar units to support a single facility
• A center may have from 60 to 90 control positions in each center

Slide 14: ISSS Functionality Summary
• Acquire radar target reports from existing ATC system, the Host Computer System (henceforth “Host”)
• Convert radar reports for display and broadcast to all consoles (consoles can switch areas that are displayed)
• Handle conflict alerts (potential collisions)
• Interface with Host for input and to retrieve flight plans
• Provide extensive monitoring of the system itself to allow dynamic reconfiguration
• Provide recording capability for later playback
• Provide nice GUI
• Provide reduced backup capability in the event of the failure of the Host, the primary network, the primary radar sensors

Slide 15: ISSS Architecture
• Views
  1. Physical View
  2. Module decomposition view
  3. Process View
  4. Client-Server View
  5. Code View
  6. Layered View
  7. Fault Tolerance View

Slide 16: Physical View

Slide 17: Physical View Notes
• HCS A: Host Computer System A (primary)
  - Processes radar and flight-plan info.
  - Output to consoles (radar) and flight-strip printers (flight-plans)
• HCS B: backup Host
• Common Consoles: the workstations
• Local Communications Network: Consoles - Hosts
  - Each host has two LCN interface units called LIU-H
  - LCN composed of 4 parallel token ring networks
    1. One supports broadcast of radar info
    2. One for point-to-point between workstations
    3. One provides for recording data for later playback
    4. A spare

Slide 18: Physical View Notes
• Backup Communication Network (BCN) is an Ethernet using TCP/IP
• Both LCN and BCN have monitor and control consoles for maintenance personnel
• Enhanced Direct Access Radar Channel (EDARC) provides backup display of info in case of loss of Host. EDARC supplies raw data to the External System Interface (EIS) processor
• Central processors: mainframes that provided record and playback for early version of ISSS
• Testing and training subsystem allows training of new personnel and testing of new equipment without interfering

Slide 19: Module Decomposition View
• Elements called Computer Software Configuration Items (CSCIs) as required by the government software development standard required by the customer
• 5 CSCIs:
  1. Display Management
  2. Common Systems Services
     - General ATC utilities; ISSS is 1/3 of AAS
  3. Recording, analysis and playback
  4. National Airspace System Modification
     - Modifying software on host
  5. IBM AIX operating system

Slide 20: Module Decomposition View: Tactics
• The CSCIs formed deliverable units: software and documentation
• Tactics:
  - Semantic coherence: main one guiding the well-defined and non-overlapping decomposition
  - Abstract common services: Common System Services Module
  - Record/playback tactics - testability
  - Generalizing module: well designed interfaces

Slide 21: Process View
• Concurrency resides in “applications”, roughly processes in Dijkstra's cooperating sequential processes
  - Ada main unit: a process schedulable by the OS
• ISSS designed to work on more than one processor
  - Processors grouped into “processor groups”
  - Critical to fault tolerance and thus availability
  - One primary, the rest backup
    - PAS: primary address space
    - SAS: standby address space
  - Operational unit: the collection of primary and its standbys
  - Function groups are the components not implemented in this fault tolerant fashion (replicated on several groups)

Slide 22: Process view

Slide 23: Primary Failure Switchover
1. PAS fails
2. A standby system SAS is promoted to PAS
3. The new PAS sends messages notifying of the failure and starts providing all services
4. A new SAS is started up to replace the old failed PAS
5. The new SAS sends message to notify the new PAS
6. Adding a new operational unit is similar but more complex
• state resynchronization and passive redundancy

Slide 24: Adding a new Operational Unit
1. Identify necessary input data and its location.
2. Identify where (which Operation Unit / FG) to send output
3. Fit operational unit's communication patterns into system wide acyclic graph such that it remains acyclic and deadlocks will not occur.
4. Design messages to achieve this.
5. Identify internal state data that must be used for check-pointing. (must be included in PAS - SASs)
6. Define messages: message types, data
7. Plan for switchover on failure; test for consistency
8. Ensure processing steps complete within a heartbeat
9. Plan data-sharing and synchronization with other Operational Units

Slide 25: C/S View

Slide 26: Client-Server View
• Communication between PAS elements within operational units (client and server)
  - The client sends a “service request message”
  - The server acknowledges and responds with results
• Within operational units PASs send updated state to SASs
• Within FGs nothing extra, just ACK and results

Slide 27: Code View
• Code view describes how functionality is mapped into code units
• ISSS Code view
• Ada main program
• Subprograms grouped into packages (separately compilable)
• Ada program consists of one or more tasks (threads)
• Applications (operational units and functional groups) decomposed into Ada packages

Slide 28: Layered View
• Shared memory (Tables and Message Storage)
• AAS application
• Shared Memory (Tables and Message Storage)
• CAS AIX Kernel Extension
• AIX Kernel

Slide 30: Fault Tolerance View
• M&C console
• Global Availability Manager
• Local/Group Availability Manager
• ATC console
• Application Software Operational Unit (Thread Processing Model)
• OS extensions Address Space Models
• Network
• Operating System
• Processor
• I/O devices

Slide 31: component-and-connector view for fault tolerance

Slide 32: Fault Tolerance Hierarchy
• Each level of the hierarchy
  - Detects errors in itself, peers, and all lower levels
  - Handles exceptions from lower levels
  - Diagnoses, recovers, reports or raises exceptions
• Levels from Top to Bottom
  - System monitor and control
  - Global availability manager
  - Group availability manager
  - Local availability manager
  - Application
  - Runtime environment
  - Operating System
  - Physical level: processors, networks, devices

Slide 33: Fault Tolerance Hierarchy
• Fault Detection at each level by
  - Built-in tests
  - Event time-outs
  - Network circuit tests
  - Group membership protocols
  - Human reaction to alarms
• Fault recovery can be automatic or manual
  - For availability managers recovery is decision table driven
  - In a PAS there are 4 types of recovery
    1. In a switchover the SAS takes over for the old PAS
    2. A warm restart uses checkpoint data saved to non-volatile memory
    3. Cold restart uses default start-up data
    4. A cutover is used to transition to new logic or data

Slide 34: Fault Tolerance Hierarchy
• Fault tolerance of the hardware is done via redundancy
• LCN, BCN, various bridges
• Backup radar and separate channel for it
• Processor hardware replicated within processor group
• Tactics added here
• component availability used for fault tolerance
• “Ping/echo”
• “Heartbeat”
• “Exception” to transfer errors to the correct place
• “spare” to perform recovery

Slide 35: Relating the Views
• Additional insight is provided by examining relationships between views
• Mapping one view to another
• In ISSS
• CSCIs are the elements in the module decomposition view (composed of applications)
• Applications (processes) are the elements in the process view and in the client-server view
• Applications are implemented in Ada packages and programs: elements of the Code view
• Applications are turned into threads at runtime: elements of the concurrency view
• The special quality attribute view (fault-tolerance) uses elements from the process, layer and module views

Slide 36: “Configuration Files” Tactic
• ISSS makes extensive use of the modifiability tactic “configuration files” (called adaptation data).
• Site-specific data allows configuration of ISSS for each of the 22 en route centers
• This configuration is fairly extensive and powerful
  - E.g., splitting an ATC console window into two
  - “generalize the module” tactic
• Negative side
  - It takes a powerful interpretation mechanism to support this level of adaptability at run-time
  - It therefore is complex to maintain the mechanism if changes are required there.
  - Different configurations substantially complicate testing.

Slide 37: “Abstract Common Services” Tactic
• PAS and SAS really come from the same source
  - No difference in the code
  - Just dynamic state boolean variable “primaryStatus”
  - Code Template Structure for all operation units
  - “Abstracting Common Services” tactic
    - Common part is abstracted to template

Slide 38: Code Template affects other Tactics
• Other modifiability tactics addressed by code template
• “anticipation of expected changes”
• “Semantic coherence”
• “generalizing the module”
• Making interfaces part of the template: “maintain interface stability” and “adherence to defined protocols”

Slides 39-41: Goal / How Achieved / Tactics

Goal: High Availability
  How achieved: Hardware redundancy (both processor and network); software redundancy (layered fault detection and recovery)
  Tactics: Shadowing; state resynchronization; passive redundancy; limit exposure; ping/echo; heartbeat; exception; spare

Goal: High Performance
  How achieved: Distributed multiprocessors; front-end schedulability analysis, and network modeling
  Tactics: Introduce concurrency

Goal: Modifiability
  How achieved: Templates and table-driven adaptation data; careful assignment of module responsibilities; strict use of specified interfaces
  Tactics: Abstract common services; semantic coherence; maintain interface stability; anticipate expected changes; generalize the module; component replacement; adherence to defined protocols; configuration files

Goal: Openness
  How achieved: Interface wrapping and layering
  Tactics: Abstract common services; maintain interface stability

Goal: Ability to Field Subsets
  How achieved: Appropriate separation of concerns
  Tactics: Abstract common services

Goal: Interoperability
  How achieved: Client-server division of functionality and message-based communications
  Tactics: Adherence to defined protocols; maintain interface stability

Slide 42: ISSS Summary
• Architectural solutions can be the key to achieving the needs of an application (especially quality attribute requirements)
• High availability : fault tolerance
• Longevity : high modifiability, interoperability
• Audit of ISSS before abandoning
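
The five steps of the Primary Failure Switchover slide, combined with the heartbeat tactic and the PAS-to-SAS state updates from the Client-Server View, as an added Python example (not ISSS code, which was written in Ada, and not taken from the slides). The class names, the tick-based clock, `HEARTBEAT_TIMEOUT = 3`, the replacement naming and the message strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
HEARTBEAT_TIMEOUT = 3  # assumed: silent ticks before the PAS is declared failed

@dataclass
class AddressSpace:
    name: str
    primary_status: bool = False  # PAS and SAS share code; only this flag differs
    state: dict = field(default_factory=dict)
    alive: bool = True
    last_beat: int = 0

class OperationalUnit:
    """One primary address space (PAS) plus its standby address spaces (SAS)."""
    def __init__(self, names):
        self.members = [AddressSpace(n) for n in names]
        self.members[0].primary_status = True
        self.messages = []  # notifications a real unit would send on the network

    def pas(self):
        return next(m for m in self.members if m.primary_status)

    def standbys(self):
        return [m for m in self.members if m.alive and not m.primary_status]

    def serve(self, key, value):
        """PAS handles a request, then sends its updated state to every SAS."""
        self.pas().state[key] = value
        for sas in self.standbys():
            sas.state = dict(self.pas().state)

    def heartbeat(self, now):
        for m in (m for m in self.members if m.alive):
            m.last_beat = now

    def monitor(self, now):
        """Return the serving PAS name, switching over if its heartbeat is stale."""
        old = self.pas()
        if now - old.last_beat < HEARTBEAT_TIMEOUT:
            return old.name
        if not self.standbys():
            raise RuntimeError("no standby left: warm or cold restart required")
        new = self.standbys()[0]                              # step 2: promote a SAS
        old.primary_status, new.primary_status = False, True
        self.messages.append(f"{new.name}: {old.name} failed, now primary")  # step 3
        self.members.remove(old)
        spare = AddressSpace(old.name + "-new", state=dict(new.state), last_beat=now)
        self.members.append(spare)                            # step 4: replacement SAS
        self.messages.append(f"{spare.name}: standby for {new.name}")       # step 5
        return new.name
```

Because every SAS receives the state after each request, the promoted standby serves with no data loss; the `RuntimeError` branch is where the slides' warm or cold restart would take over.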
