Verification of Cyber-Physical Controller Software Using the AVM Meta Tool Suite and HybridSAL

Similar documents
Institute for Software-Integrated Systems. Technical Report

ADAS Virtual Prototyping using Modelica and Unity Co-simulation via OpenMETA

Webinar on Design Automation for Cyber-Physical Systems

M U L T I - M O D E L L A N G U A G E S U I T E F O R C Y B E R P H Y S I C A L S Y S T E MS F I N A L R E P O R T

MODEL-BASED VERIFICATION TOOLCHAIN FOR INCREASING TRUST ON AUTOMATED CODE-GENERATORS. Akshay Agrawal. Thesis. Submitted to the Faculty of the

Applications of Program analysis in Model-Based Design

CS/ECE 5780/6780: Embedded System Design

Institute for Software-Integrated Systems. Technical Report

Distributed Systems Programming (F21DS1) Formal Verification

Flight Systems are Cyber-Physical Systems

Semantic Specifications for Domain-Specific Modeling Languages

Administrivia. ECE/CS 5780/6780: Embedded System Design. Acknowledgements. What is verification?

Qualitative Reasoning with Modelica Models

Model and Tool Integration Platforms for Cyber-Physical System Design

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Unication or integration? The Challenge of Semantics in Heterogeneous Modeling Languages

Hardware Design Verification: Simulation and Formal Method-Based Approaches William K Lam Prentice Hall Modern Semiconductor Design Series

Model-Based Design of Connected and Autonomous Vehicles

Incremental development A.Y. 2018/2019

POTENTIAL AND BENEFITS OF FUNCTIONAL MOCK-UP INTERFACE - FMI FOR VIRTUAL VEHICLE INTEGRATION

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

Institute for Software-Integrated Systems. Technical Report

Complexity-Reducing Design Patterns for Cyber-Physical Systems. DARPA META Project. AADL Standards Meeting January 2011 Steven P.

GUIDING AND VERIFYING EARLY DESIGN USING QUALITATIVE SIMULATION

Simulation and Verification of Timed and Hybrid Systems

Test and Evaluation of Autonomous Systems in a Model Based Engineering Context

Increasing Design Confidence Model and Code Verification

Injecting Model-Based Diagnosis Thinking into the Design Process. Johan de Kleer

Introduction to Control Systems Design

Tsmart-BIPEX: An Integrated Graphical Design Toolkit for Software Systems

Modeling and Simulation for Heterogeneous systems

Exercise Unit 2: Modeling Paradigms - RT-UML. UML: The Unified Modeling Language. Statecharts. RT-UML in AnyLogic

ModelicaML: Getting Started Issue April 2012

OpenMETA: A Model- and Component-Based Design Tool Chain for Cyber-Physical Systems

Automating Best Practices to Improve Design Quality

Model Checking with Automata An Overview

Learning algorithms for physical systems: challenges and solutions

Model-Based Design Challenges for Cyber-Physical Systems

Requirements Specifications

AADL Graphical Editor Design

Verification, Validation and Test in Model Based Design Manohar Reddy

This project has received funding from the European Union s Horizon 2020 research and innovation programme under grant agreement No

User-centric dynamic service composition

Formal Modeling of BPEL Workflows Including Fault and Compensation Handling

Simulink 모델과 C/C++ 코드에대한매스웍스의정형검증툴소개 The MathWorks, Inc. 1

OBJECT ORIENTED SYSTEM DEVELOPMENT Software Development Dynamic System Development Information system solution Steps in System Development Analysis

ExCuSe A Method for the Model-Based Safety Assessment of Simulink and Stateflow Models

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Design and Verify Embedded Signal Processing Systems Using MATLAB and Simulink

Increasing Embedded Software Confidence Model and Code Verification. Daniel Martins Application Engineer MathWorks

Leveraging Formal Methods for Verifying Models and Embedded Code Prashant Mathapati Application Engineering Group

Modeling Kernel Language (MKL)

Anticipatory Shifting Optimization of a Transmission Control Unit for an Automatic Transmission through Advanced Driver Assistance Systems

Reducing the cost of FPGA/ASIC Verification with MATLAB and Simulink

Aerospace Software Engineering

Automating Best Practices to Improve Design Quality

Formal specification of semantics of UML 2.0 activity diagrams by using Graph Transformation Systems

Verification and Validation Introducing Simulink Design Verifier

Verification Finite-state process modeling and reachability analysis

Modeling physical properties. Controller, plant and environment model

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Decoupling Among Design Concerns

Industrial Verification Using the KIND Model Checker Lucas Wagner Jedidiah McClurg

Automated Requirements-Based Testing

Foundation of Contract for Things

Addressing Future Challenges in the Development of Safe and Secure Software Components The MathWorks, Inc. 1

Making the Most of your MATLAB Models to Improve Verification

DRYING CONTROL LOGIC DEVELOPMENT USING MODEL BASED DESIGN

Motor Control: Model-Based Design from Concept to Implementation on heterogeneous SoC FPGAs Alexander Schreiber, MathWorks

Hybrid System Modeling: Operational Semantics Issues

Introduction & Formal Methods

Automated test of the AMG Speedshift DCT control software

Introduction to Dependable Systems: Meta-modeling and modeldriven

Testing and Validation of Simulink Models with Reactis

What s New with the MATLAB and Simulink Product Families. Marta Wilczkowiak & Coorous Mohtadi Application Engineering Group

Review Sources of Architecture. Why Domain-Specific?

Chapter 2 Overview of the Design Methodology

AADL v2.1 errata AADL meeting Sept 2014

How to Automate A Complete Register. Verification Environment

Automating Model Composition for Design Verification

In Circuit Emulators. In-Circuit Emulators.

High-assurance software for autonomous ground systems

Rotational3D Efficient modelling of 3D effects in rotational mechanics

Model Checking of Statecharts using Automatic White Box Test Generation

Model-Based Design: Design with Simulation in Simulink

tempo2hsal: Converting Tempo Models into HybridSal Tool Description

Property-based design with HORUS / SYNTHORUS

Structural and Syntactic Pattern Recognition

Modular code generation from synchronous models:

Programmable Logic Devices FPGA Architectures II CMPE 415. Overview This set of notes introduces many of the features available in the FPGAs of today.

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

ACCELERATING DO-254 VERIFICATION

Process Modelling. Fault Tolerant Systems Research Group. Budapest University of Technology and Economics

On the Generation of Test Cases for Embedded Software in Avionics or Overview of CESAR

Model-Integrated Computing for Composition of Complex QoS Applications

ArchiMate 2.0. Structural Concepts Behavioral Concepts Informational Concepts. Business. Application. Technology

Scicos/Modelica for modeling and simulation

Design and Verification of FPGA and ASIC Applications Graham Reith MathWorks

Constraint-based Platform Variants Specification for Early System Verification

Transforming Cyber-Physical System Models

Transcription:

Verification of Cyber-Physical Controller Software Using the AVM Meta Tool Suite and HybridSAL Joseph Porter (jporter@isis.vanderbilt.edu), Ashish Tiwari (ashish.tiwari@sri.com), and Xenofon Koutsoukos (xenofon.koutsoukos@vanderbilt.edu) S5 Symposium June 2014

Controller Design Design space exploration with simulation can answer early questions about controller choices Simulation over alternatives is much cheaper than building prototypes Automated DSE helps answer questions about the evolving design Formal verification tools can detect hard-to-find errors Testing may fail to detect (large scenario space) Requires property specification CyPhy enables easy property addition, model editing, and visualize verification results

OpenMETA-CyPhy Cyber Toolchain (DARPA AVM) Cyber Components Authoring System Design Space Authoring Physical Components Authoring Custom Components Simulink/ Stateflow Auto Import Verification Condition Generation * Cyber Modeling Language Cyber Code Generator Component Use CyPhy System Design / Design Space Cyber Components Dynamics TB CyPhy Modelica Composer Physical Components Verification TB Component Use Dymola/ OpenModelica C2M2L Components Hybrid System Evaluation Cyber XML Modelica Sim (.mo,.lib) Modelica Simulation DAE XML HybridSAL Formal Verification

Why Cyber Modeling? Everything has software cars, refrigerators, even chainsaws. How do we model controller software and combine it with the mechanical design? Keep the design processes for the physical and cyber in sync. Building and testing prototypes is expensive. Integrating controllers into mechanical designs is costly and time-consuming. Too many scenarios to test cyber and physical systems exhaustively. Testing will miss important cases. Some examples: Toyota Acceleration problem MARS polar lander Ariane 5

AVM Control Design Capabilities How are META Cyber capabilities different from designing and simulating controllers using Modelica or Simulink alone? 1. Cyber controller component in Modelica is not a simulation model, but is the actual embedded code scheduled by a discrete-time periodic sampler. The simulation is much more realistic. 2. Integrated formal hybrid verification toolchain. 3. All of the benefits of using CyPhyML: design space exploration curated component library integrated test bench models parametric exploration cloud-based simulation

Introduction We will show how the Cyber tools can integrate multiple transmission controllers modeled in Simulink/Stateflow with a Driveline modeled in Modelica. We will use DSE to assess the controller alternatives in simulation, and then verify the candidate controller. Scenario: If we have a cheaper fixed-point processor, will the controller performance be degraded?

Creating a CyPhy model The CyPhy model is the integration model. It contains: The imported Modelica model (The System) The interface to the Cyber model (The Controller) A design describing how the two are connected A test bench describing how to evaluate the design

Connecting the Cyber interface to the system model in GME All modern designs have software controllers. How do we incorporate them into a design?

CyPhyML Controller Composition Concepts AVM Component Interface (Dynamics) Physical Component Connectors Parameters Modelica Component Interface S V B Modelica Component Signals (causal) P Physical variables (acausal) Buses (aggregate) Parameters Modelica Components and Ports each have a Class string indicating the location of its type definition in the library. C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus

CyPhyML Controller Composition Concepts AVM Component Interface (Dynamics) Physical Component Connectors Parameters Modelica Component Interface S V B Modelica Component Signals (causal) P Physical variables (acausal) Buses (aggregate) Parameters Modelica Components and Ports each have a Class string indicating the location of its type definition in the library: C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus

CyPhyML Controller Composition Concepts Component Physical Component S V Modelica Component B B P In composition, the underlying port types must match exactly (by type string). Modelica Components and Ports each have a Class string indicating the location of its type definition in the library. C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus

CyPhyML Controller Composition Concepts Controller Component Physical Component S X S V Modelica Component B B P P Parameter ports are exposed in assemblies and test benches. Parameter values are propagated down into the components. Controller components must be causal: Only connect to signals and bus ports containing signals. Physical variable ports can not be connected to controller components.

CyPhyML Controller Composition Concepts Controller Component Physical Component Cyber Component (refers to external Cyber model) Simulink P S S S S B P S B P X S V B P Modelica Component (refers to external model in Modelica component libraries) Cyber interface parameters refer directly to parameter objects deep in the Simulink hierarchy. AVM and Cyber component model interfaces are identical. Bus ports aggregate signals. Bus signals are identified by name. Only one component can produce (output) a bus signal. The others must consume it.

Translating controllers to the Cyber language Controllers in Simulink/Stateflow Controllers in GME Cyber language Shift controller MDL2MGA Translator Torque converter controller Torque reduction controller

Design Space Exploration DSE allows us to evaluate different controller variants, to compare performance.

Controller Models Dynamics Models META-Cyber Simulation Workflow Simulink/ Stateflow 4 Controller Components Controller Import CyberComposition Model (GME) 5 6b Controller Modelica Details Interface 1 Code Generation Modelica Dynamic Components 8b Generated Code Controller C Code Glue Code Modelica Interface System Modeling Physical Component Import CyPhyML 2 Model (GME) 3 6a Modelica Controller References Design Space Modelica Dynamics References Legend Reference from CyPhyML to an external component model. Model created manually/semiautomatically. Test 7 Bench 8a Automatic model translation step. 9 Modelica Design Simulation Controller Libraries Dynamics Models Generation & Simulation

META-Cyber Simulation Workflow 1. Create or obtain physical component models in Modelica. 2. Create a CyPhyML model using GME. 3. Import Modelica components and build the system design space in the CyPhy model. 4. Create your controllers in Simulink/Stateflow. 5. Create a Cyber model in META and import your controllers into this model. 6. Define the controller interface in the CyPhyML model using GME (6a) and link it to the Cyber model (6b). 7. Create a test bench for the design in CyPhyML. 8. From the test bench, run the Master Interpreter to generate Modelica simulation code (8a). The Modelica generator also invokes the code generator to create Modelica controller components which are integrated into the simulation (8b). 9. Run the simulation.

Tool Flow Invoke DSE to explore alternatives Test Bench model defines inputs & environment for system under test Designs Component Alternatives DESERT tool presents design choices Select designs to generate Specify component Library paths Generate the Modelica model Simulate the designs and compare

Generated Code Generated code is placed in Simulink subdirectory Generated code can be inspected by opening the generated Visual Studio solution file.

Alternative #1 Simulation results #1 Selected gear vs time (s) Engine rpm vs time (blue) Transmission output rpm vs time (red)

Alternative #2 Simulation results #2 Selected gear vs time (s) Engine rpm vs time (blue) Transmission output rpm vs time (red)

Controller Correctness Once we have identified our candidate controller, we can use formal verification to assess the controller logic.

Formal Verification Testing/simulation can fail to detect design errors that are manifested only under certain scenarios Formal verification can verify designs for all scenarios Formal verification complements simulation in improving confidence in system design

Formal Verification What is formal verification? Techniques for verifying the system that are based on symbolic algebra, rather than numerical simulations Achieves the equivalent of exhaustive testing

Verification Workflow Identical to the simulation workflow except: Temporal properties are attached to models Verification results, namely o status (pass, fail, or error) and explanation are displayed on the dashboard Controllers often include intricate logic that can be difficult to exhaustively test Apply formal verification to ShiftController here

Temporal Properties Properties capture the intent of the controller design ShiftController: Inputs: 1.driver_gear_select 2.shift_request_state 3.input_speed_TC 4.output_speed_TC Output: 1.gear_selected

Shift Controller Inputs-Output The input variable driver_gear_select takes values: reverse=1, park=2, swim=3, neutral=4, neutral_pivot=5, low=6, drive=7 The input variable shift_request_state takes values: down_shift=1, no_shift=2, up_shift=3 The output variable gear_selected takes values: 0, 1, 2, 3, 4 A correct controller should guarantee something about the output under certain assumptions on the inputs.

Temporal Properties as Specification Some desired properties for such a ShiftController: 1. If shift_request_state==3 (up_shift) and driver_gear_select==7 (drive), then eventually gear_selected==4 (fourth gear) []( srs==3 && dgs==7 => <>(gear==4) ) []( [](srs==3 && dgs==7) => <>(gear==4) ) 2. If dgs==6(low), then eventually gear <= 1 []( [](dgs==6) => <>(gear <= 1) ) []( [](dgs==6) => <>(gear <= 2) )

Pattern-based Property Specification All properties above have the same Global Response pattern Another useful pattern is Absence before R Property: The output gear_selected does not take value 4 before driver_gear_select is 7 (drive) P := gear_selected == 4 R := driver_gear_select == 7 Property: P is absent before R

Adding LTL Properties to SL/SF Models

Pattern-based Property Specification If driver_gear_select is 6(low), then eventually gear_selected <= 1 (first gear)

Viewing Properties in SL/SF Models Set of all properties = Specification of the component

The Verification TestBench After controller models have been annotated with desired temporal properties, they are translated into CyberComposition language, and verified SL/SF + Properties CyberComp XML Formal Verification Results Verification results can be viewed in the dashboard

Verification Results in the Dashboard

Understanding Verification Results 1. If shift_request_state==3 (up_shift) and driver_gear_select==7 (drive), then eventually gear_selected==4 []( srs==3 && dgs==7 => <>(gear==4) ) Violated []( [](srs==3 && dgs==7) => <>(gear==4) ) Verified 2. If dgs==6(low), then eventually gear <= 1 []( [](dgs==1) => <>(gear <= 1) ) Violated []( [](dgs==1) => <>(gear <= 2) ) Verified 3. The event gear_selected==4 is absent before dgs is 7 (drive) Verified

Property is False in the Model: Details

Simulating the Counter-Example

Visualizing the Counter-Example []( [](dgs==6) => <>(gear <= 1) ) Violated

Refining the Model or Property When a property is found to be false in the model, the user can view and analyze the counterexample, and based on that, go back to the controller design and fix either The controller Edit transition guards Add/delete transitions The property Make the property weaker Constrain the inputs of the controller

Refining the Property Since output variable, gear_selected, gets stuck at value 2, we can see if our controller satisfies a weaker specification. []( [](dgs==6) => <>(gear <= 2) ) Verified

Refining the Model Designer changes condition on the downshift transition out of Gear2 in SL/SF

Refining the Model The condition on the outgoing transition from state Gear2 to state lockoutd1 is chaged from: srs==1 && dgs!=6 && dgs!=1 && in_tc > out_tc ((srs==1 && dgs!=6 && dgs!=1 && in_tc > out_tc) (dgs==6 dgs==1)) Enable transition additionally when driver_gear_select is 6 (low)

Verification Results for the Updated Model

Property is True in the Model: Details

Old CounterExample on the Fixed Model []( [](dgs==6) => <>(gear <= 1) ) Verified

Conclusions Design space exploration with simulation can answer early questions about controller choices Simulation over alternatives is much cheaper than building prototypes Automated DSE helps answer questions about the evolving design Formal verification tools can detect hard-to-find errors Testing may fail to detect (large scenario space) Requires property specification CyPhy enables easy property addition, model editing, and visualize verification results

Questions

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback