A Multi-Modal Composability Framework for Cyber-Physical Systems

Transcription

1 S5 Symposium June 12, 2012 A Multi-Modal Composability Framework for Cyber-Physical Systems Linh Thi Xuan Phan Insup Lee PRECISE Center University of Pennsylvania

2 Avionics, Automotive Medical Devices Cyber-physical systems are everywhere Our daily lives depend on them! Industrial Automation 2 Power plant

3 Characteristic: Timing critical If unstable, UAV must go to recovery mode and perform the recovery tasks within a deadline UAV may crash if a recovery task misses deadline! 3

4 Goal Provide timing and performance guarantees for cyber-physical systems an old problem, but many new challenges Increasing adaptivity Increasing complexity 4

5 Challenge #1: Adaptivity UAV Systems run in multiple modes of operation Mode transitions triggered by system failure or environment changes 5 a task active in this mode

6 Problem with mode transitions Autopilot Control modified Recovery A B unstable A D C D B B C inactive active Need to execute unfinished jobs of the old mode Potential overload and deadline misses immediately after changing mode, even if each mode works correctly in isolation How to guarantee timing during mode changes? 6

7 Percent of functionality provided by software Challenge #2: Complexity Source: NASA Study on Flight Software Complexity (F-4) 1964 (A-7) 1970 (F-111) 1975 (F-15) 1982 (F-16) 1990 (B-2) 2000 (F-22) Year of production Increasing number of software components Increasing resource sharing, due to SWaP constraints Problem: State space explosion 7

8 Approach: Compositional analysis Idea: Analyze compositionally via component abstraction and interface composition Interface exposes only as much information as is required Analysis must capture mode change behaviors Traditional focus: functional and behavioral aspects e.g., AADL interfaces Need abstraction of timing and resource aspects CPS components manage their own resources Use Multi-modal resource-aware interfaces 8

9 Outline Motivation Framework overview Modeling multi-modal components Compositional analysis process Abstracting components into interfaces Composing interfaces Results 9

10 Modeling an adaptive component Mode: a set of tasks + scheduling policy Task parameters: WCET, deadline, arrival function of input data Transition: triggered by a timing constraint or an event Mode change protocol 10

11 Mode change protocol Autopilot Flight modified Recovery A B unstable A D C D B C inactive active Formally defines what exactly happens during a mode transition Example: A is not affected, C is released immediately, unfinished jobs of D are discarded 11

12 ARINC 653: Compositional analysis Core module hardware Partition level schedule Partition 1 Partition 2... Partition n Process level schedules P 11,,P 1m1 P 21,,P 2m2 P n1,,p nmn Partition Modes: Mode changes: COLD_START/WARM_START: Only the initialization process is executed NORMAL: All processes except the initialization process are executed IDLE: No process is executed Triggered by either a partition process or an external event 12

13 ARINC 653: Compositional analysis Core module hardware Partition level schedule Partition 1 Partition 2... Partition n Partition 1 Interface Partition 2 Interface Partition n Interface P 11,,P 1m1 P 21,,P 2m2 P n1,,p nmn captures the resources required to guarantee correct timing behaviors of the partition s processes 13

14 ARINC 653: Compositional analysis Core module hardware Partition level schedule Partition 1 Partition 1 Interface Partition 2 Subsystem Interface Partition 2 Interface... Partition n Partition n Interface P 11,,P 1m1 P 21,,P 2m2 P n1,,p nmn Subsystem s interface: captures the resources required to guarantee correct timing behaviors of its partitions 14

15 Outline Motivation Framework overview Modeling multi-modal components Compositional analysis overview Abstracting components into interfaces Composing interfaces Results 15

16 resource demand Single mode: Use service function Service function: minimum number of resource units must be provided to the mode over any time interval of length t to guarantee schedulability of all tasks Computed by combining demands of all tasks A β EDF B A: deadline = 4, WCET = 1 Interface of the mode time worst-case arrival pattern of A # resource units 16 β: min service required time interval length Mode Task B Task A t

17 Multiple modes: A single transition B A C D Mode 1 mode change condition B A β β 1 2 C D abstract Mode 1 Mode 2 Mode 2 Demands vary significantly across modes Demand of each task T i at mode m: #1: Need to capture mode-dependent demands Tasks may not finish when mode change occurs unfinished tasks [ ] wcet i new tasks mode Mode 1 Mode 2 change deadline 17 #2: Need to account for carried-over demands of unfinished tasks No buffer overflow No deadline miss during initial duration after moving to mode m All new tasks meet deadlines

18 Multiple modes: An automaton Component may change modes one after another #3: Need to capture cascading mode changes Component C Explore each transition of a reachable mode Intermediate interface β 1 β 3 β 2 iterate Fixed point computation Termination: always guaranteed converged Interface of C 18

19 Multiple multi-mode components Interface needs to expose synchronization events detect incompatible communication avoid overestimating total demands of the composition a B a b Component 1 Component 2 Composition of interfaces Compute the product of interfaces Combine service functions of a composed mode Interface refinements 19

20 Outline Motivation Framework overview Modeling multi-modal components Compositional analysis overview Abstracting components into interfaces Composing interfaces Results 20

21 Results Accuracy: No deadline misses during mode transitions Unimodal analysis can underestimate resource requirements! 21

22 Results Accuracy: No deadline misses during mode transitions End-to-end Delay (ms) Need 700MHz Need 900 MHz Multimode Unimode Design Requirement: Delay 13ms Processor Frequency (MHz) Efficiency: Analysis is more precise Same guarantees with fewer resources 22

23 Open challenges Interfaces for multicore, distributed settings Moving theory to practice Implementation issues: reduce overheads (e.g., context switches) Connecting with functional interfaces (e.g.,aadl) Composability for safety certification Apply multi-mode modeling to capture mixed-criticality systems with different certification levels Integrate mode switches with fault-tolerant techniques Combine compositional analysis with assurance cases 23

24 Summary Problem: Systems are becoming complex and adaptive Existing techniques are not sufficient Focus primarily on composability of functional aspects Do not consider mode change behavior (hence, can be unsafe) Approach: Compositional analysis based on multi-modal resource-aware interfaces Benefits Accurate and scalable analysis Analysis results can be used to optimize resource needs Support incremental component-based development 24