Case Study: Air Traffic Control
Zhang Pingjian, School of Software, South China University of Technology

Air Traffic Control (ATC)
The problem is to control a very large number of aircraft from take-off to landing.
Problem features:
- Hard real time – no tolerance for missing deadlines
- Ultra high availability
- Safety critical
- Highly distributed

Flying from point A to point B in the U.S. air traffic control system

En route centers in the United States

Flight Monitoring
Flight from Key West to DC
- Key West ground control (to taxi to runway)
- Key West Tower (takeoff till leaving airport airspace)
- ZMA en route zone center
- ZJX en route zone center
- ZTL en route zone center
- ZDC en route zone center
- DC Tower (arrival airport)
- ground-control (to taxi again)

Advanced Automation System (AAS)
Components
- Ground Control
- Airport Tower
- En Route Centers – Initial Sector Suite System (ISSS)
This study will focus on ISSS only.

ISSS Influences
ISSS was only one part of AAS
Notes on Design of ISSS
- Many components in common
- Interfaces to: radio systems, flight-plan DB, each other
- Common quality requirements for availability, reliability…
- So ISSS was influenced by requirements for all of AAS
History
- ISSS real system, designed, most of code developed
- Not deployed, scaled back to more economical, more staged solution (budget cuts)
- Outside Audit – the architecture and design were analyzed by an independent audit team that judged “satisfies requirements.”
- The system deployed borrowed heavily from ISSS
http:///lusch/blharris.html

ABC of the Air Traffic Control System

Requirements and Quality Attributes
- ATC system is highly visible with enormous commercial, governmental and public interest
- Great potential for loss of life and costly property.
Thus the two most important quality attributes were:
- Ultra high availability
  - Essential that “unavailability” limited to very short periods
  - Availability requirement .99999: unavailable less than 5 minutes in a year; however short recovery periods (<10 sec) did not count
- High performance
  - Handle up to 2440 aircraft effectively and efficiently

Other Requirements and Quality Attributes
- Openness – meaning the system needs to be able to incorporate commercially developed components
- Ability to field subsets of the system
- Modifiability – modifications to functionality and to handle upgrades in hardware and software
- Interoperability – the ability to operate with and interface a wide range of external systems

Stakeholders
- FAA
- Controllers (end users) – could reject this system if it was not to their liking even if it met all functional requirements
- Usability attribute? Actually handled by taking great care with requirements and design (thus slowing the process)

Sector Suites
- Sector Suites – a suite of air-traffic controllers each with their own console that collectively handle all the aircraft in the sector
- Sectors could be defined differently at each center
  - Could be done physically
  - Could be done to balance the load
  - Less densely traveled sectors could be made larger
- Planes are passed off from Departure airport -> en route zone center -> … -> arrival airport
- Also within zone: sector -> sector -> … -> sector before passing to the next center

ISSS Design
- ISSS requires flexibility in number of control stations per sector (1 to 4)
- At least two controllers per sector:
  1. Radar controller
     - Monitors radar
     - Communicates with aircraft
     - Responsible for maintaining separation of aircraft
  2. Data controller
     - Retrieves flight plans etc.
     - Supplies radar controller with “intentions” of aircraft

ISSS Implementation Metrics
- The system contains about 1 million lines of Ada code
- Designed to support up to 210 consoles per en route center.
- Each console was a workstation with IBM RS/6000 processor
- Requirements to handle from 400 to 2440 aircraft simultaneously
- There may be from 16 to 40 radar units to support a single facility
- A center may have from 60 to 90 control positions in each center

ISSS Functionality Summary
- Acquire radar target reports from existing ATC system, the Host Computer System (henceforth “Host”)
- Convert radar reports for display and broadcast to all consoles (consoles can switch areas that are displayed)
- Handle conflict alerts (potential collisions)
- Interface with Host for input and to retrieve flight plans
- Provide extensive monitoring of the system itself to allow dynamic reconfiguration
- Provide recording capability for later playback
- Provide nice GUI
- Provide reduced backup capability in the event of the failure of the Host, the primary network, the primary radar sensors

ISSS Architecture Views
1. Physical View
2. Module decomposition view
3. Process View
4. Client-Server View
5. Code View
6. Layered View
7. Fault Tolerance View

Physical View

Physical View Notes
- HCS A – Host Computer System A (primary)
  - Processes radar and flight-plan info.
  - Output to consoles (radar) and flight-strip printers (flight-plans)
- HCS B – backup Host
- Common Consoles – the workstations
- Local Communications Network – Consoles <--> Hosts
  - Each host has two LCN interface units called LIU-H
  - LCN composed of 4 parallel token ring networks
    1. One supports broadcast of radar info
    2. One for point-to-point between workstations
    3. One provides for recording data for later playback
    4. A spare

Physical View Notes
- Backup Communication Network (BCN) is an Ethernet using TCP/IP
- Both LCN and BCN have monitor and control consoles for maintenance personnel
- Enhanced Direct Access Radar Channel (EDARC) provides backup display of info in case of loss of Host. EDARC supplies raw data to the External System Interface (EIS) processor
- Central processors: mainframes that provided record and playback for early version of ISSS
- Testing and training subsystem – allows training of new personnel and testing of new equipment without interfering

Module Decomposition View
- Elements called Computer Software Configuration Items (CSCIs) as required by the government software development standard required by the customer
- 5 CSCIs:
  1. Display Management
  2. Common Systems Services
     - General ATC utilities; ISSS is 1/3 of AAS
  3. Recording, analysis and playback
  4. National Airspace System Modification
     - Modifying software on host
  5. IBM AIX operating system

Module Decomposition View: Tactics
- The CSCIs formed deliverable units: software and documentation
- Tactics:
  - Semantic coherence – main one guiding the well-defined and non-overlapping decomposition
  - Abstract common services – Common System Services Module
  - Record/playback tactics – testability
  - Generalizing module – well designed interfaces

Process View
- Concurrency resides in “applications”, roughly processes in Dijkstra’s cooperating sequential processes
- Ada Main unit – a process schedulable by OS
- ISSS designed to work on more than one processor
- Processors grouped into “processor groups”
  - Critical to fault tolerance and thus availability
  - One primary, the rest backup
  - PAS – primary address space
  - SAS – standby address space
- Operational unit – the collection of primary and its standbys
- Function groups are the components not implemented in this fault tolerant fashion (replicated on several groups)

Process view

Primary Failure Switchover
1. PAS fails
2. A standby system SAS is promoted to PAS
3. The new PAS sends messages notifying of the failure and starts providing all services
4. A new SAS is started up to replace the old failed PAS
5. The new SAS sends message to notify the new PAS
6. Adding a new operational unit is similar but more complex
State resynchronization and passive redundancy

Adding a new Operational Unit
1. Identify necessary input data and its location.
2. Identify where (which Operation Unit/FG) to send output
3. Fit operational unit’s communication patterns into system wide acyclic graph such that it remains acyclic and deadlocks will not occur.
4. Design messages to achieve this.
5. Identify internal state data that must be used for check-pointing. (must be included in PAS -> SASs)
6. Define messages: message types, data
7. Plan for switchover on failure; test for consistency
8. Ensure processing steps complete within a heartbeat
9. Plan data-sharing and synchronization with other Operational Units

C/S View

Client-Server View
- Communication between PAS elements within operational units (client and server)
- The client sends a “service request message”
- The server acknowledges and responds with results
- Within operational units PASs send updated state to SASs
- Within FGs nothing extra, just ACK and results

Code View
- Code view – describes how functionality is mapped into code units
- ISSS Code view
  - Ada main program
  - Subprograms grouped into packages (separately compilable)
  - Ada program consists of one or more tasks (threads)
  - Applications (operational units and functional groups) decomposed into Ada packages

Layered View
- Shared memory (Tables and Message Storage)
- AAS application
- Shared Memory (Tables and Message Storage)
- CAS AIX Kernel Extension
- AIX Kernel

Fault Tolerance View
Figure labels: M&C console, Global Availability Manager, Local/Group Availability Manager, ATC console, Application Software, Operational Unit (Thread Processing Model), OS extensions, Address Space Models, Network, Operating System, Processor, I/O devices

Component-and-connector view for fault tolerance

Fault Tolerance Hierarchy
- Each level of the hierarchy
  - Detects errors in itself, peers, and all lower levels
  - Handles exceptions from lower levels
  - Diagnoses, recovers, reports or raises exceptions
- Levels from Top to Bottom
  - System monitor and control
  - Global availability manager
  - Group availability manager
  - Local availability manager
  - Application
  - Runtime environment
  - Operating System
  - Physical level: processors, networks, devices

Fault Tolerance Hierarchy
- Fault Detection at each level by
  - Built-in tests
  - Event time-outs
  - Network circuit tests
  - Group membership protocols
  - Human reaction to alarms
- Fault recovery can be automatic or manual
- For availability managers recovery is decision table driven
- In a PAS there are 4 types of recovery
  1. In a switchover the SAS takes over for the old PAS
  2. A warm restart uses checkpoint data saved to non-volatile memory
  3. Cold restart uses default start-up data
  4. A cutover is used to transition to new logic or data

Fault Tolerance Hierarchy
- Fault tolerance of the hardware is done via redundancy
  - LCN, BCN, various bridges
  - Backup radar and separate channel for it
  - Processor hardware replicated within processor group
- Tactics added here – component availability used for fault tolerance
  - “Ping/echo”
  - “Heartbeat”
  - “Exception” to transfer errors to the correct place
  - “spare” to perform recovery

Relating the Views
- Additional insight is provided by examining relationships between views
- Mapping one view to another
- In ISSS
  - CSCIs are the elements in the module decomposition view (composed of applications)
  - Applications (processes) are the elements in the process view and in the client-server view
  - Applications are implemented in Ada packages and programs, elements of the Code view
  - Applications are turned into threads at runtime, elements of the concurrency view
  - The special quality attribute view (fault-tolerance) uses elements from the process, layer and module views

“Configuration Files” Tactic
- ISSS makes extensive use of the modifiability tactic “configuration files” (called adaptation data in ISSS).
- Site-specific data allows configuration of ISSS for each of the 22 en route centers
- This configuration is fairly extensive and powerful
  - E.g., splitting an ATC console window into two
- “generalize the module” tactic
- Negative side
  - It takes a powerful interpretation mechanism to support this level of adaptability at run-time
  - It therefore is complex to maintain the mechanism if changes are required there.
  - Different configurations substantially complicate testing.

“Abstract Common Services” Tactic
- PAS and SAS really come from the same source
  - No difference in the code
  - Just dynamic state boolean variable “primaryStatus”
- Code Template Structure for all operation units
- “Abstracting Common Services” tactic
  - Common part is abstracted to template

Code Template affects other Tactics
- Other modifiability tactics addressed by code template
  - “anticipation of expected changes”
  - “Semantic coherence”
  - “generalizing the module”
- Making interfaces part of the template
  - “maintain interface stability” and “adherence to defined protocols”

Goal How Ach
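
The "Primary Failure Switchover" steps and the "Abstract Common Services" note (PAS and SAS share one code base and differ only in `primaryStatus`) can be traced in a small simulation. This is an added Python sketch, not ISSS Ada code; the class names, the three-tick heartbeat timeout and the sample flight data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
HEARTBEAT_TIMEOUT = 3  # assumed value: silent ticks before the primary is declared failed

@dataclass
class AddressSpace:
    name: str
    primary_status: bool = False   # the only PAS/SAS difference; the code is shared
    alive: bool = True
    state: dict = field(default_factory=dict)

class OperationalUnit:  # one primary address space (PAS) plus its standbys (SAS)
    def __init__(self, names):
        self.members = [AddressSpace(n) for n in names]
        self.members[0].primary_status = True
        self.last_beat, self.log = 0, []
    def primary(self):
        active = [m for m in self.members if m.primary_status]
        assert len(active) == 1, "exactly one primary at all times (no split-brain)"
        return active[0]
    def standbys(self):
        return [m for m in self.members if m.alive and not m.primary_status]
    def request(self, key, value):
        pas = self.primary()
        if not pas.alive:
            raise RuntimeError("primary down, switchover pending")
        pas.state[key] = value
        for sas in self.standbys():      # PAS sends updated state to its SASs
            sas.state = dict(pas.state)
        return "ACK"
    def tick(self, now):  # availability-manager check, run once per heartbeat interval
        pas = self.primary()
        if pas.alive:
            self.last_beat = now
        elif now - self.last_beat >= HEARTBEAT_TIMEOUT and self.standbys():
            new_pas = self.standbys()[0]                       # step 2: promote a standby
            pas.primary_status, new_pas.primary_status = False, True
            self.members.remove(pas)
            self.log.append(f"{new_pas.name} is primary; {pas.name} failed")  # step 3
            fresh = AddressSpace(f"replacement-for-{pas.name}", state=dict(new_pas.state))
            self.members.append(fresh)                         # step 4: start a new standby
            self.log.append(f"{fresh.name} ready as standby")  # step 5

def demo():
    unit = OperationalUnit(["A", "B", "C"])   # constructed sample unit
    unit.request("AAL12", "FL330")            # constructed sample data
    unit.primary().alive = False              # step 1: the PAS fails
    for now in range(1, 5):
        unit.tick(now)
    return unit
```

Between the failure and the timeout, `request` raises instead of answering from a stale copy, which is the window that the "short recovery periods (<10 sec)" allowance in the availability requirement covers.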