Presentation is loading. Please wait.

Presentation is loading. Please wait.

ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.

Published byDorthy Hamilton Modified over 8 years ago

Similar presentations

Presentation on theme: "ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni."— Presentation transcript:

1 ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni

2 / 20 Administrative Next week: project presentations. –12 minutes per project + 3 minutes for questions. –If you cannot stay the whole lecture, please let me know by email. –Time is limited, so ensure you focus on: 1. overview of the project 2. what you set out to accomplish 3. what are your (preliminary) results. –Class presentations end today – plan is to have all comments out by Thursday. 2

3 / 20 Topic Today: Models & Verification Remember verification: ensuring that a subsystem (or step in the design) meets the objectives for that subsystem, i.e. it does what we want it to do. How to verify a system/subsystem? –(Exhaustive) testing –Formal verification 3

4 / 20 Formal Verification: Key Issues Modeling –Formal verification verifies a model of the system, not the system implementation! –Models must represents both hardware as well as software component. –System-level verification – need architecture description language. –How can different models (ex: differential equations and automata) interact? Complexity –Most applicable techniques scale poorly – allows only for verification of limited-scale subsystems. 4

5 / 20 Example: Timed Automata Finite-state Machines extended with timers. –Timers are continuous – effectively infinite-state. Time is explicit – very useful to model real-time systems. 5

6 / 20 UPPAAL Automatic verification of Real-Time Communicating Systems by Constraint-Solving. Verification tool for real-time systems. Model-checking based on composition of timed automata. –Parallel timed automata can exchange signals. –Determines whether the system can reach a particular state or set of states. Very powerful property – model-checking can be reduced to verifying a set of linear constraints on clocks. 6

7 / 20 Ex: Train Controller 7 Controller Train i Safety property: no two trains in their cross state at the same time

8 / 20 An Alternative Solution: Run-Time Monitoring Divide the system is a set of simple, verifiable safety-critical components and a set of complex, untrusted components. A formal requirement specification is attached to each unverified component. The specification acts as a certificate: if the component behaves according to the specification, the system remain safe. At run-time, we monitor (check) the actual component behavior against its requirement specification expressed as a set of properties. If a requirement violation is detected, we perform a recovery action to restore the system to a safe state. Key idea: it is simpler to check the certificate that to verify the inner working of the unverified component. 8

9 / 20 The Big Picture: Event-Based Monitoring 9 Event Generator E1 - - E2 E3 E1 - - - - t Monitor Handler (Recovery) Violation / Validation Event Specification Formula 1.The system to be monitored (HW/SW) 2. User specifies a set of events. Ex: a specified variable is modified 3. Event Generator generates a trace of observed events over time. 4. User specifies a formula using defined events. Ex: (E1 E2) * 5. Monitor checks if formula is validated / violated based on event trace. 6. A recovery handler is called if a validation / violation is detected. System

10 / 20 Monitoring Overhead Two main issues: 1.How do we generate the events? Answer – architecture specific. 2.Where do we run the monitors? Most available frameworks use software-based solutions. –Event generation hooks are inserted by the compiler into the code. –Monitors are run in SW either on the same processor or a separate processor. Problem: the overhead is typically not predictable – how many events gets generated? 10

11 / 20 Predictable Monitoring Solutions Sampling-based monitoring –Instead of running the monitor every time an event is generated, sample the system periodically. –Analysis is required to ensure that the sampling happens often enough to capture the properties of interest. Hardware-base monitoring –Required for HW components with no corresponding SW code –Run both the event generator and the monitors in HW –Potentially zero timing overhead (if done right) 11

12 Cyberphysical System Runtime Verification 12

13 / 20 Simplex Model Run-time verification for Control Systems. Under normal conditions, run a complex controller. If the complex controller fails, switch to a simpler, verified one. 13

14 / 20 Model: Hybrid Automata Similar to timed automata + continuous state –Discrete states and transitions –Timers, guards on transitions, invariants on states –New: continuous-state variables (ex: position, velocity, …) –New: dynamic in each state (differential equations) 14

15 / 20 Model: Hybrid Automata Similar to timed automata + continuous state –Discrete states and transitions –Timers, guards on transitions, invariants on states –New: continuous-state variables (ex: position, velocity, …) –New: dynamic in each state (differential equations) 15

16 / 20 How does it work? Discretize the continuous state space. From each discretized state space, compute the set of all reachable states in Delta time. 16

17 / 20 How does it work? Discretize the continuous state space. From each discretized state space, compute the set of all reachable states in Delta time. 17

18 / 20 How does it work? Discretize the continuous state space. From each discretized state space, compute the set of all reachable states in Delta time. 18

19 / 20 Model Checking the System Result: we reduce the model to a discrete system (automata). –The automata does not need to keep implicit track of time – time is encoded in the transition overapproximation. We can then apply standard model checking to check that safety is guaranteed – the system can never reach an unsafe state. There are some constraints on the modeled dynamics… –Most importantly, no cyclic dependencies among variables in the dynamic of the system modeled by dx/dt = F(x). –Follow-up paper solves the problem… 19

20 / 20 Case Study Autonomous off-road vehicle. John Deere is largest manufacturer of agricultural machinery. Over 30 parameters in the vehicle model. Goal: avoid roll-over. Automatic generation of Decision Module in VHDL. 20

Download ppt "ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni."

Similar presentations

1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG.

1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG.
ECE 720T5 Fall 2011 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2011 Cyber-Physical Systems Rodolfo Pellizzoni.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Timed Automata.

Timed Automata.
Supervisory Control of Hybrid Systems Written by X. D. Koutsoukos et al. Presented by Wu, Jian 04/16/2002.

Supervisory Control of Hybrid Systems Written by X. D. Koutsoukos et al. Presented by Wu, Jian 04/16/2002.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.
Establishing IV&V Properties Steve Raque, NASA IV&V Facility Dr. Doron Drusinsky, Naval Postgraduate School 9/4/20091Establishing IV&V Properties.

Establishing IV&V Properties Steve Raque, NASA IV&V Facility Dr. Doron Drusinsky, Naval Postgraduate School 9/4/20091Establishing IV&V Properties.
Robust Hybrid and Embedded Systems Design Jerry Ding, Jeremy Gillula, Haomiao Huang, Michael Vitus, and Claire Tomlin MURI Review Meeting Frameworks and.

Robust Hybrid and Embedded Systems Design Jerry Ding, Jeremy Gillula, Haomiao Huang, Michael Vitus, and Claire Tomlin MURI Review Meeting Frameworks and.
CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.

Behavioral Design Outline –Design Specification –Behavioral Design –Behavioral Specification –Hardware Description Languages –Behavioral Simulation –Behavioral.
ECE 667 - Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.

ECE Synthesis & Verification1 ECE 667 Spring 2011 Synthesis and Verification of Digital Systems Verification Introduction.
G22.3250-001 Robert Grimm New York University Extensibility: SPIN and exokernels.

G Robert Grimm New York University Extensibility: SPIN and exokernels.
Review of “Embedded Software” by E.A. Lee Katherine Barrow Vladimir Jakobac.

Review of “Embedded Software” by E.A. Lee Katherine Barrow Vladimir Jakobac.
The Rare Glitch Project: Verification Tools for Embedded Systems Carnegie Mellon University Pittsburgh, PA Ed Clarke, David Garlan, Bruce Krogh, Reid Simmons,

The Rare Glitch Project: Verification Tools for Embedded Systems Carnegie Mellon University Pittsburgh, PA Ed Clarke, David Garlan, Bruce Krogh, Reid Simmons,
CSC 402, Fall 20001 Requirements Analysis for Special Properties Systems Engineering (def?) –why? increasing complexity –ICBM’s (then TMI, Therac, Challenger...)

CSC 402, Fall Requirements Analysis for Special Properties Systems Engineering (def?) –why? increasing complexity –ICBM’s (then TMI, Therac, Challenger...)
November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli

Similar presentations

Ads by Google