软件体系结构5aATC案例分析课件

案例分析：AirTrafficControl张平健华南理工大学软件学院1AirTrafficControl(ATC)Theproblemistocontrolaverylargenumberofaircraftfromtake-offtolanding.Problemfeatures:Hardrealtime–notoleranceformissingdeadlinesUltraHighavailabilitySafetycriticalHighlydistributed2FlyingfrompointAtopointBintheU.S.airtrafficcontrolsystem3EnroutecentersintheUnitedStates4FlightMonitoringFlightfromKeyWesttoDCKeywestgroundcontrol(totaxitorunway)KeyWestTower(takeofftillleavingairportairspaceZMAenroutezonecenterZJXenroutezonecenterZTLenroutezonecenterZDCenroutezonecenterDCTower(arrivalairport)ground-control(totaxiagain)AdvancedAutomationSystem(AAS)ComponentsGroundControlAirportTowerEnRouteCenters–InitialSectorSuiteSystem(ISSS)ThisstudywillfocusonISSSonly.5ISSSInfluencesISSSwasonlyonepartofAASNotesonDesignofISSSManycomponentsincommonInterfacesto:radiosystems,flight-planDB,eachotherCommonqualityrequirementsforavailability,reliability…SoISSSwasinfluencedbyrequirementsforallofAASHistoryISSSrealsystem,designed,mostofcodedevelopedNotdeployed,scaledbacktomoreeconomical,morestagedsolution(budgetcuts)OutsideAudit–thearchitectureanddesignwereanalyzedbyanindependentauditteamthatjudged“satisfiesrequirements.”ThesystemdeployedborrowedheavilyfromISSShttp:///lusch/blharris.html6ABCoftheAirTrafficControlSystem7RequirementsandQualityAttributesATCsystemishighlyvisiblewithenormouscommercial,governmentalandpublicinterestGreatpotentialforlossoflifeandcostlyproperty.Thusthetwomostimportantqualityattributeswere:UltrahighavailabilityEssentialthat“unavailability”limitedtoveryshortperiodsAvailabilityrequirement.99999:unavailablelessthan5minutesinayear;howevershortrecoverperiods(<10sec)didnotcountHighperformanceHandleupto2440aircraftseffectivelyandefficiently8OtherRequirementsandQualityAttributesOpenness-meaningthesystemneedstobeabletoincorporatecommerciallydevelopedcomponentsAbilitytofieldsubsetsofthesystemModifiability–modificationstofunctionalityandtohandleupgradesinhardwareandsoftwareInteroperability–theabilitytooperatewithandinterfaceawiderangeofexternalsystems9StakeholdersFAAControllers(endusers)–couldrejectthissystemifitwasnottotheirlikingevenifitmetallfunctionalrequirementsUsabilityattribute?Actuallyhandledbytakinggreatcarewithrequirementsanddesign(thusslowingtheprocess)10SectorSuitesSectorSuites–asuiteofair-trafficcontrollerseachwiththeirownconsolethatcollectivelyhandlealltheaircraftinthesectorSectorscouldbedefineddifferentlyateachcenterCouldbedonephysicallyCouldbedonetobalancetheloadLessdenselytraveledsectorscouldbemadelargerPlanesarepassedofffromDepartureairport->enroutezonecenter->…->arrivalairportAlsowithinzone:sector->sector->…->sectorbeforepassingtothenextcenter11ISSSDesignISSSrequiresflexibilityinnumberofcontrolstationspersector(1to4)Atleasttwocontrollerspersector:1.RadarcontrollerMonitorsradarCommunicateswithaircraftResponsibleformaintainingseparationofaircraft2.DatacontrollerRetrievesflightplansetc.Suppliesradarcontrollerwith“intentions”ofaircraft12ISSSImplementationMetricsThesystemcontainsabout1millionlinesofAdacodeDesignedtosupportupto210consolesperenroutecenter.EachconsolewasaworkstationwithIBMRS/6000processorRequirementstohandlefrom400to2440aircraftsimultaneouslyTheremaybefrom16to40radarunitstosupportasinglefacilityAcentermayhavefrom60to90controlpositionsineachcenter13ISSSFunctionalitySummaryAcquireradartargetsreportsfromexistingATCsystem,theHostComputerSystem(henceforth“Host”)Convertradarreportsfordisplayandbroadcasttoallconsoles(consolescanswitchareasthataredisplayed)Handleconflictalerts(potentialcollisions)InterfacewithHostforinputandtoretrieveflightplansProvideextensivemonitoringofthesystemitselftoallowdynamicreconfigurationProviderecordingcapabilityforlaterplaybackProvideniceGUIProvidereducedbackupcapabilityintheeventofthefailureoftheHost,theprimarynetwork,theprimaryradarsensors14ISSSArchitectureViews1.PhysicalView2.Moduledecompositionview3.ProcessView4.Client-ServerView5.CodeView6.LayeredView7.FaultToleranceView15PhysicalView16PhysicalViewNotesHCSA–HostcomputerSystemA(primary)Processesradarandflight-planinfo.Outputtoconsoles(radar)andflight-stripprinters(flight-plans)HCSB–backupHostCommonConsoles–theworkstationsLocalCommunicationsNetwork–Consoles<-->HostsEachhosthastwoLCNinterfaceunitscalledLIU-HLCNcomposedof4paralleltokenringnetworks1.Onesupportsbroadcastofradarinfo2.Oneforpoint-to-pointbetweenworkstations3.Oneprovidesforrecordingdataforlaterplayback4.Aspare17PhysicalViewNotesBackupCommunicationNetwork(BCN)isanEthernetusingTCP/IPBothLCNandBCNhavemonitorandcontrolconsolesformaintenancepersonnel

EnhanceDirectAccessRadarChannel(EDARC)providesbackupdisplayofinfoincaseoflossofHost.EDARCsuppliesrawdatatotheExternalSystemInterface(EIS)processorCentralprocessorsmainframesthatprovidedrecordandplaybackforearlyversionofISSSTestingandtrainingsubsystem–allowtrainingofnewpersonnelandtestingofnewequipmentwithoutinterfering18ModuleDecompositionViewElementscalledComputerSoftwareConfigurationItems(CSCIs)asrequiredbythegovernmentsoftwaredevelopmentstandardrequiredbythecustomer5CSCIs:1.DisplayManagement2.CommonSystemsServicesGeneralATCutilities;ISSSis1/3ofAAS3.Recording,analysisandplayback4.NationalAirspaceSystemModificationModifyingsoftwareonhost5.IBMAIXoperatingsystem19ModuleDecompositionView:TacticsTheCSCIsformeddeliverableunitssoftwareanddocumentationTactics:Semanticcoherence–mainoneguidingthewell-definedandnon-overlappingdecompositionAbstractcommonservices–CommonSystemServicesModuleRecord/playbacktactics-testabilityGeneralizingmodule–welldesignedinterfaces20ProcessViewConcurrencyresidesin“applications”,roughlyprocessesinDijkstra’scooperatingsequentialprocessesAdaMainunit–aprocessschedulablebyOSISSSdesignedtoworkonmorethanoneprocessorProcessorsgroupedinto“processorgroups”CriticaltofaulttoleranceandthusavailabilityOneprimary,therestbackupPAS–primaryaddressspaceSAS–standbyaddressspaceOperationalunit–thecollectionofprimaryanditsstandbysFunctiongroupsarethecomponentsnotimplementedinthisfaulttolerantfashion(replicatedonseveralgroups)21Processview22PrimaryFailureSwitchover1.PASfails2.AstandbysystemSASispromotedtoPAS3.ThenewPASsendsmessagesnotifyingofthefailureandstartsprovidingallservices4.AnewSASisstarteduptoreplacetooldfailedPAS5.ThenewSASsendsmessagetonotifythenewPAS6.Addingannewoperationalunitissimilarbutmorecomplexstateresynchronizationandpassiveredundancy23AddinganewOperationalUnit1.Identifynecessaryinputdataanditslocation.2.Identifywhere(whichOperationUnit/FG)tosendoutput3.Fitoperationalunit’scommunicationpatternsintosystemwideacyclicgraphsuchthatitremainsacyclicanddeadlockswillnotoccur.4.Designmessagestoachievethis.5.Identifyinternalstatedatathatmustbeusedforcheck-pointing.(mustbeincludedinPAS->SASs)6.Definemessages:messagetypes,data7.Planforswitchoveronfailure;testforconsistency8.Ensureprocessingstepscompletewithinaheartbeat9.Plandata-sharingandsynchronizationwithotherOperationalUnits24C/SView25Client-ServerViewCommunicationbetweenPASelementswithinoperationalunits(clientandserver)Theclientsendsa“servicerequestmessage”TheserveracknowledgesandrespondswithresultsWithinoperationalunitsPASssendupdatedstatetoSASsWithinFGsnothingextrajustACKandresults26CodeViewCodeview–describeshowfunctionalityismappedintocodeunitsISSSCodeviewAdamainprogramSubprogramsgroupedintopackages(separatelycompilable)Adaprogramconsistsofoneormoretasks(threads)Applications(operationalunitsandfunctionalgroups)decomposedintoAdapackages27LayeredViewSharedmemory(TablesandMessageStorage)AASapplicationSharedMemory(TablesandMessageStorage)CASAIXKernelExtensionAIXKernel2829FaultToleranceViewM&CconsoleGlobalAvailabilityManagerLocal/GroupAvailabilityManagerATCconsoleApplicationSoftwareOperationalUnit(ThreadProcessingModel)OSextensionsAddressSpaceModelsNetworkOperatingSystemProcessorI/Odevices30component-and-connectorviewforfaulttolerance31FaultToleranceHierarchyEachlevelofthehierarchyDetectserrorsinitself,peers,andalllowerlevelsHandlesexceptionsfromlowerlevelsDiagnoses,recovers,reportsorraisesexceptionsLevelsfromToptoBottomSystemmonitorandcontrolGlobalavailabilitymanagerGroupavailabilitymanagerLocalavailabilitymanagerApplicationRuntimeenvironmentOperatingSystemPhysicallevel:processors,networks,devices32FaultToleranceHierarchyFaultDetectionateachlevelbyBuilt-intestsEventtime-outsNetworkcircuittestsGroupmembershipprotocolsHumanreactiontoalarmsFaultrecoverycanbeautomaticormanualForavailabilitymanagersrecoveryisdecisiontabledrivenInaPASthereare4typesofrecovery1.InaswitchovertheSAStakesoverfortheoldPAS2.Awarmrestartusescheckpointdatasavedtonon-volatilememory3.Coldrestartusesdefaultstart-updata4.Acutoverisusedtotransitiontonewlogicordata33FaultToleranceHierarchyFaulttoleranceofthehardwareisdoneviaredundancyLCN,BCN,variousbridgesBackupradarandseparatechannelforitProcessorhardwarereplicatedwithinprocessorgroupTacticsaddedhere–componentavailabilityusedforfaulttolerance“Ping/echo”“Heartbeat”“Exception”totransfererrorstothecorrectplace“spare”toperformrecovery34RelatingtheViewsAdditionalinsightisprovidedbyexaminingrelationshipsbetweenviewsMappingoneviewtoanotherInISSSCSCIsaretheelementsinthemoduledecompositionview(composedofapplications)Applications(processes)aretheelementsintheprocessviewandintheclient-serverviewApplicationsareimplementedinAdapackagesandprogramselementsoftheCodeviewApplicationsareturnedintothreadsatruntimeelementsoftheconcurrencyviewThespecialqualityattributeview(fault-tolerance)useselementsfromtheprocess,layerandmoduleviews35“ConfigurationFiles”TacticISSSmakesextensiveuseofthemodifiabilitytactic“configurationfiles”(calledthisadaptationdata).Site-specificdataallowsconfigurationofISSSforeachofthe22enroutecentersThisconfigurationisfairlyextensiveandpowerfulE.g.,splittinganATCconsolewindowintotwo“generalizethemodule”tacticNegativesideIttakespowerfulinterpretationmechanismtosupportthislevelofadaptabilityatrun-timeItthereforeiscomplextomaintainthemechanismifchangesarerequiredthere.Differentconfigurationssubstantiallycomplicatestesting.36“AbstractCommonServices”TacticPASandSASreallycomesfromthesamesourceNodifferenceinthecodeJustdynamicstatebooleanvariable“primaryStatus”CodeTemplateStructureforalloperationunits“AbstractingCommonServices”tacticCommonpartisabstractedtotemplate37CodeTemplateaffectsotherTacticsOthermodifiabilitytacticsaddressedbycodetemplate“anticipationofexpectedchanges”“Semanticcoherence”“generalizingthemodule”Makinginterfacespartofthetemplate“maintaininterfacestability”and“adherencetodefinedprotocols”38GoalHowAch