Model-Based Design Challenges for Cyber-Physical Systems

Transcription

1 Model-Based Design Challenges for Cyber-Physical Systems Akshay Rajhans, PhD Senior Research Scientist Advanced Research and Technology Office MathWorks ExCAPE PI Meeting, University of Pennsylvania May 5, The MathWorks, Inc. 1

2 2

3 3

4 4

5 ?? 5

6 Cooperative Intersection Collision Avoidance System: Stop-Sign Assist (CICAS-SSA) Can we assist in the decision making? 6

7 CICAS-SSA Schematic Y Prototypical heterogeneous CPS Sensing Communication Computation Physical dynamics lag ß Roadside Unit Can we formally verify such a system? n lanes à gap lag Dynamic sign next to stop sign Intersection area Instrumented area 7 7

8 Formal Verification Model Specification Analysis Procedure Yes With formal guarantee No Counterexample or some feedback Don t Know 8

9 Formal Verification Model Specification Analysis Procedure Yes With formal guarantee No Counterexample or some feedback Don t Know 9

10 Heterogeneity in modeling formalisms and analysis techniques CICAS-SSA Different formalisms suited for different aspects of system design Each model represents some design aspect well Models make interdependent assumptions Tools work only with their formalisms How do we ensure correctness of the system? 10

11 Cyber-Physical System Architecture MPM 09 There is no system model, but there is a system architecture CPS architectural style palette in AcmeStudio 11

12 Architectural views Models as architectural views ERTS2 10 Structural consistency using graph morphisms ICCPS 11 Model structure vs system structure Analysis: Consistency, completeness 1212

13 Semantic domains of models and specifications : semantic interpretation of M in a behavior domain B Model M A behavior b that M exhibits 1) overshoot is no more than 1.3 units and settling time is less than τ 2) (x < 1.3) τ (x [1±ϵ]) x ±ϵ : semantic interpretation of S in B Specification S τ A behavior b that S allows time Behavior domains B precisely defined in behavior formalisms B (e.g., discrete traces, continuous trajectories, hybrid traces) 13

14 The semantic domain of a dynamic system Points, [ ] On N On R x N Intervals, [ ñ (á ñ, á ]) On R MATLAB, Stateflow Discrete time Simulink SimEvents Simulink Hybrid point/interval On R Simulink, Simscape On R x N Simulink, Simscape 14

15 Abstraction and Implication Model M 1 abstracts M 0 in B, written if Specification S 1 implies S 0 in B, written if 15

16 Mappings between semantic domains via behavior relations Approach: Create behavior relations between domains R 1 B 0 X B 1 Given R 1 B 0 X B 1 set-based inverse map R 1-1 ( α )={c,d, } B 0 : 1-d continuous trajectories in x B 1 ={α, α,}* {α, α,} ω 16

17 Heterogeneous Abstraction and Implication Heterogeneous extensions of behavior-set inclusions A B C Heterogeneous Abstract level C (in words) A (pictorially) B Detailed level 17

18 Multi-model Verification Problem 18

19 Multi-model conjunctive and disjunctive heterogeneous verification Typical use case Each model captures a different aspect Specs pertain to only the relevant one Typical use case Each model captures a different subset of behaviors, e.g., a specific nondeterministic choice 19

20 Hierarchical Verification Conjunctive and disjunctive verification constructs can be nested arbitrarily 20

21 Het. Verification of CICAS Time-to-exitintersection Time-tointersection Order POV SV Discrete Protocol SV and POV not in the intersection at the same time Single POV (POV initial condition safe) /\ \/* Single POV (POV initial SV and POV not condition unsafe in the intersection Only stay stopped) at the same time (trivially safe) N models with one lane each /\ /\ SV and POV not /\ in the intersection at the same time Node 21 Node 22 Node 23 Driver behavior model (empirical information) Driver response time \/ SV and another car not in the intersection at the same time Node 13 Computation model Verification model Computation time with hybrid dynamics /\ Sensing model Sensing error Communication model Communication delay Universal system model (cannot be created in practice) SV and another car not in the intersection at the same time /\ conjunctive abstraction \/ disjunctive coverage \/* discrete coverage with inter-model switching Model info Spec 21

22 Heterogeneous verification of CICAS-SSA SV and POV not in the intersection at the same time Time-to-exitintersection Time-tointersection Order Node 52 Discrete POV SV Protocol Node 51 Node 53 Single POV (POV initial condition safe) /\ Node 41 \/* Single POV (POV initial SV and POV not condition unsafe in the intersection Only stay stopped) at the same time (trivially safe) N models with one lane each /\ /\ SV and POV not /\ in the intersection at the same time Driver behavior model (empirical information) SV and another car not in the intersection at the same time Computation model Computation time \/ Verification model with hybrid dynamics Sensing model Sensing error Communication model Communication delay Driver response time /\ Universal system model (cannot be created in practice) SV and another car not in the intersection at the same time /\ conjunctive abstraction \/ disjunctive coverage \/* discrete coverage with inter-model switching Model info Spec 22

23 Semantic and Structural Hierarchies Semantic side Structural side TAC 14 (CPS Special Issue) 23

24 References A. Rajhans, Multi-Model Heterogeneous Verification of Cyber-Physical Systems, PhD Thesis, Carnegie Mellon University, A. Rajhans, A. Bhave, I. Ruchkin, B. Krogh, D. Garlan, A. Platzer and B. Schmerl, Supporting Heterogeneity in Cyber-Physical System Architectures, IEEE Transactions on Automatic Control s Special Issue on Control of Cyber-Physical Systems, Vol. 59, Issue 12, pages A. Rajhans and B. H. Krogh, Compositional Heterogeneous Abstraction, 16th International Conference on Hybrid Systems: Computation and Control, A. Rajhans and B. H. Krogh, Heterogeneous Verification of Cyber-Physical Systems Using Behavior Relations, 15th International Conference on Hybrid Systems: Computation and Control, A. Rajhans, A. Bhave, S. Loos, B. H. Krogh, A. Platzer and D. Garlan, Using Parameters in Architectural Views to Support Heterogeneous Design and Verification, 50th IEEE Conference on Decision and Control, A. Bhave, D. Garlan, B. Krogh, A. Rajhans and B. Schmerl, Augmenting Software Architectures with Physical Components, Embedded Real Time Software and Systems (ERTS^2), A. Rajhans, S.-W. Cheng, B. Schmerl, D. Garlan, B. H. Krogh, C. Agbi and A. Bhave, An Architectural Approach to the Design and Analysis of Cyber-Physical Systems, Third International Workshop on Multi-Paradigm Modeling (MPM), Preprints available at 24

25 25