Guaranteeing Proper-Temporal-Embedding Safety Rules in Wireless CPS: A Hybrid Formal Modeling Approach

Transcription

1 Guaranteeing Proper-Temporal-Embedding Safety Rules in Wireless CPS: A Hybrid Formal Modeling Approach Feng Tan *, Yufei Wang *, Qixin Wang *, Lei Bu, Rong Zheng, Neeraj Suri ** * Embedded Systems & Networking Lab, Dept. of Computing, The Hong Kong Polytechnic Univ. State Key Lab for Novel Software Tech., Dept. of Computer Sci. & Tech., Nanjing Univ., China Dept. of Computing and Software, McMaster Univ., Canada ** Dept. of Computer Science, TU Darmstadt, Germany June 26, 2013

2 Overview Related Work Demand Problem Evaluation Solution Background

3 Cyber-Physical Systems (CPS) are typically distributed and life/mission critical. Life/Mission critical CPS demand wireless Conflict Wireless is unreliable

4 Cyber-Physical Systems (CPS) are typically distributed and life/mission critical. Life/Mission critical CPS demand wireless Conflict PTE Safety Guarantee Wireless is unreliable

5 Cyber-Physical Systems (CPS) are typically distributed and life/mission critical. Life/Mission critical CPS demand wireless Conflict Design Pattern Hybrid Modeling PTE Safety Guarantee Wireless is unreliable

6 Cyber Physical Systems (CPS): systems involving tight/complex coupling of computer and physical subsystems Avionics Manufacturing Medical

7 CPS Features Typically distributed and life/mission-critical Real-time (in addition to logical time) matters Modeling must integrate both discrete and continuous aspects

8 Distributed life/mission critical CPS demand wireless communications.

9 Distributed life/mission critical CPS demand wireless communications.

10 Distributed life/mission critical CPS demand wireless communications.

11 Distributed life/mission critical CPS demand wireless communications. Wireless is unreliable

12 How to guarantee the safety of life/mission critical wireless CPS? Life/Mission critical CPS demand wireless Conflict Wireless is unreliable

13 How to guarantee the Proper-Temporal-Embedding (PTE) safety rule of life/mission critical wireless CPS? Life/Mission critical CPS demand wireless Conflict PTE Safety Guarantee Wireless is unreliable

14 What is Proper-Temporal-Embedding (PTE) safety rule?

15 CPS Feature 2: real-time (in addition to logical time) matters!

16 CPS Feature 2: real-time (in addition to logical time) matters! risky state dwelling time upper bound

17 CPS Feature 2: real-time (in addition to logical time) matters! enter-risky safeguard interval

18 CPS Feature 2: real-time (in addition to logical time) matters! exit-risky safeguard interval

19 How to guarantee PTE safety despite of arbitrary wireless link failures?

20 How to guarantee PTE safety despite of arbitrary wireless link failures? Leasing Design Pattern: risky state dwelling time must be leased.

21 General concepts of Leasing design pattern: each CPS entity takes one of the 3 roles. 3. approve 2. lease 2. lease Supervisor 1. request Initiator Participant Participant

22 CPS Features: 1. real-time matters; 2. real-time PTE even when aborting/canceling. (+ 3. arbitrary comm. failures) active Initiator fallback active Participant fallback active Participant fallback

23 How to formally describe, analyze, and use Leasing design pattern in the context of CPS?

24 How to formally describe, analyze, and use Leasing design pattern in the context of CPS? CPS Feature 3 implies the use of hybrid automata modeling

25 Hybrid Automaton is a state-of-the-art modeling tool for CPS. Bouncing Ball Example

26 Leasing Design Pattern for PTE Safety Rules: detailed Supervisor's hybrid automaton

27 Leasing Design Pattern for PTE Safety Rules: detailed Initiator's hybrid automaton

28 Leasing Design Pattern for PTE Safety Rules: detailed Participant's hybrid automaton

29 Leasing Design Pattern for PTE Safety Rules: detailed Participant's hybrid automaton

30 Leasing Design Pattern for PTE Safety Rules: detailed Participant's hybrid automaton

31 Validity of the design pattern Theorem 1: If the temporal parameters of the design pattern hybrid automata satisfy a certain set of linear inequalities, then PTE safety is guaranteed despite of arbitrary communications link failures.

32 Validity of the design pattern

33 Using the design pattern: how to turn design pattern into detailed CPS designs?

34 We proposed a formal procedure to elaborate a design pattern hybrid automaton into a detailed design hybrid automaton. Elaborate

35 Validity of elaboration Theorem 2: If detailed design hybrid automata are respectively derived by elaborating corresponding design pattern hybrid automata, then PTE safety is guaranteed despite of arbitrary communications link failures.

36 Laser Tracheotomy Medical CPS: interconnect/interlock smart medical devices to increase safety Laser Tracheotomy without Device Interlock

37 Laser Tracheotomy Medical CPS: interconnect/interlock smart medical devices to increase safety Laser Tracheotomy CPS

38 Demand to use wireless links for safety and efficiency concerns. Laser Tracheotomy CPS wireless links

39 Demand to use wireless links for safety and efficiency concerns.

40 Demand to use wireless links for safety and efficiency concerns. Laser Tracheotomy CPS wireless links

41 Laser Tracheotomy CPS PTE safety rule. 3sec 60sec 1.5sec

42 System architecture and roles of the design pattern: Initiator, Supervisor, Participant

43 System architecture and roles of the design pattern: Initiator, Supervisor, Participant

44 System architecture and roles of the design pattern: Initiator, Supervisor, Participant

45 System architecture and roles of the design pattern: Initiator, Supervisor, Participant

46 Following the Leasing design pattern and Elaboration procedure, we derive detailed designs

47 Emulation Scheme

48 Emulation Results

49 Related Work Leasing Protocol [7,8,9,10,11,12][24] check-point & roll-back logical time vs. real-time PTE uncontrollable physical world parameters

50 Related Work Use of formal modeling in design pattern [30~33]. Hybrid modeling mostly used for verification [3],[13~16]. Tichakorn [34] proposes use a subclass of hybrid automata for designing periodical hybrid control systems.

51 Conclusion 1. Proposed a Lease based design pattern to guarantee PTE safety rules in wireless CPS, under arbitrary communication link failures. 2. Derived the corresponding closed-form linear constraints for temporal configuration parameters. 3. Formal description of design pattern with hybrid modeling. 4. Proposed a formal methodology to elaborate design pattern hybrid automata to detailed design hybrid automata, while maintaining PTE safety properties.

52 Thank you! Life/Mission critical CPS demand wireless Conflict Design Pattern Hybrid Modeling PTE Safety Guarantee Wireless is unreliable

53 Cyber Physical Systems (CPS): systems involving tight/complex coupling of computer and physical subsystems Surgical Medicine Anesthesiology Nursing Computer Communications Mechanics Control

54 Cyber Physical Systems (CPS): systems involving tight/complex coupling of computer and physical subsystems Chemical Engineering Control Mechanics Computer Thermal Engineering Communications

55 Cyber Physical Systems (CPS): systems involving tight/complex coupling of computer and physical subsystems Computer Mechanics Aerodynamics Communications Control Material

56 Demand to use wireless links for safety and efficiency concerns. The Operation Room Spider Web

57 Demand to use wireless links for safety and efficiency concerns. The Operation Room Spider Web, after medical CPS safety interlocks

58 Demand to use wireless links for safety and efficiency concerns. Spider Web OR vs. Wireless OR

59 How to guarantee PTE safety despite of arbitrary wireless link failures? Leasing Design Pattern Hybrid Automata Modeling: formally describe, analyze, and use the design pattern

60 General concept of Leasing Design Pattern for CPS PTE guarantee Supervisor Initiator Participant Participant

61 General concept of Leasing Design Pattern for CPS PTE guarantee Fallback Supervisor Fallback Fallback Participant Fallback Participant Initiator

62 General concept of Leasing Design Pattern for CPS PTE guarantee Fallback Supervisor Request Fallback Participant Fallback Participant Initiator

63 General concept of Leasing Design Pattern for CPS PTE guarantee Supervisor Lease Request Fallback Participant Fallback Participant Initiator

64 General concept of Leasing Design Pattern for CPS PTE guarantee Supervisor Lease Request Fallback Initiator Participant Participant

65 General concept of Leasing Design Pattern for CPS PTE guarantee Lease Lease Supervisor Request Fallback Initiator Participant Participant

66 General concept of Leasing Design Pattern for CPS PTE guarantee Lease Lease Supervisor Request Initiator Participant Participant

67 General concept of Leasing Design Pattern for CPS PTE guarantee Lease Lease Supervisor Approve Request Initiator Participant Participant

68 General concept of Leasing Design Pattern for CPS PTE guarantee active Initiator fallback active Participant fallback active Participant fallback

69 The same scenario can also apply to purely cyber systems. What's the difference that CPS makes? active Initiator fallback active Participant fallback active Participant fallback

70 CPS Features: 1. real-time matters; 2. real-time PTE even when aborting/canceling. (+ 3. arbitrary comm. failures) active Initiator fallback active Participant fallback active Participant fallback

71 Leasing Design Pattern for PTE Safety Rules: sketch of Supervisor's hybrid automaton

72 Leasing Design Pattern for PTE Safety Rules: sketch of Initiator's hybrid automaton

73 Leasing Design Pattern for PTE Safety Rules: sketch of Participant's hybrid automaton

74 Emulation Scheme ) 1.5( ), 3( PTE safeguard intervals: ) 6( ), 35( ), 3( Ventilator : ) 1.5( ), 20( ), 10( ), 5( : Initiator ) 3( ), 13( : Supervisor min 1 :2 min 2 :1,1 max,1 max,1,2 max,2 max,2 max,2 max min,0 s T s T s T s T s T s T s T s T s T s T s T safe risky exit run enter exit run enter req wait fb

75 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient

76 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient

77 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient

78 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

79 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

80 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Shooting Patient

81 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

82 Example Scenario Supervisor lost Surgeon SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

83 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

84 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient

85 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient

86 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient

87 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

88 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

89 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Shooting Patient

90 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

91 Example Scenario Supervisor lost Surgeon SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

92 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

93 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Pausing Laser Scalpel Patient

94 Example Scenario Surgeon Supervisor SpO 2 Sensor Ventilator Laser Scalpel Patient