Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems - Project Overview - Janos Sztipanovits ISIS-Vanderbilt University MURI Year 3 Review Meeting Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems UC Berkeley, Berkeley, CA December 2, 2009

2 Team Vanderbilt Sztipanovits (PI), Karsai, Kottenstette, Neema Porter, Hemingway, Nile UC Berkeley Tomlin (PI), Lee, Sastry, Ding, Gillula, Gonzales, Huang, Leung, Lickly, Mahdl, Latronico, Shelton, Tripakis, Vitus CMU Krogh (PI), Clarke, Platzer Jain, Lerda, Bhave, Maka Stanford Boyd (PI) Wang

3 Development of a theory of deep composition of hybrid control systems with attributes of computational and communication platforms Development of foundations for model-based software design for high-confidence, networked embedded systems applications. Composable tool architecture that enables tool reusability in domain-specific tool chains Experimental research Long-Term PAYOFF: Decrease the V&V cost of distributed embedded control systems Objectives

4 Agenda 9:00 – 9:05 amIntroductions 9:05 - 9:15 amProject Overview Janos Sztipanovits 9:15 – 10:00 amOverview of Hybrid Control Design Challenges and Solutions Claire Tomlin and Shankar Sastry 10:00 – 10:45amModel-Integrated Tool Chain for High Confidence Design Gabor Karsai, Joe Porter, Graham Hemingway and Janos Sztipanovits 10: :00am Break 11:00 – 11:45 am Correctly Composing Components: Ontologies and Modal Behaviors Edward Lee 11:45 – 12:45pm Model-based Testing and Verification Edmund Clarke, Bruce Krogh, Andre Platzer 12:45 – 1:45pmLunch 1:45 – 2:15 pmPerformance Bounds and Suboptimal Policies for Linear Stochastic Control Yang Wang and Stephen Boyd 2:15 – 2:45 pmConstructive Non-linear Control Design With Applications to Quad-Rotor and Fixed-Wing Aircraft Nicholas Kottenstette 2:45 – 3:30 pmStarmac Experimental Platform Demo Claire Tomlin and Shankar Sastry 3:30 – 3:45 pmPlans for Year 4&5 Janos Sztipanovits 3:45 - 4:00 pmBreak 4:00 – 4:30 pmGovernment Caucus 4:30 – 4:45 pmFeedback to the Research Team

5 Overall Undertaking Scope of the Project: Development of component technologies in selected areas Development of model-based design methods Incrementally building and refining a tool chain for an experimental domain (micro UAV control) Demonstration of control software development with the tool chain Experiments Model-Based Design Plant Models and Requirements Controller Modeling System-Level Modeling System-Level Modeling SW Architecture Modeling Deployment Modeling Deployment Modeling Code X Expensive Intractable Fragile

6 Composition Inside Abstraction Layers Plant Dynamics Models Controller Models Dynamics: Properties: stability, safety, performance Abstractions: continuous time, functions, signals, flows,… Physical design Software Architecture Models Software Component Code Software design Software : Properties: deadlock, invariants, security,… Abstractions: logical-time, concurrency, atomicity, ideal communication,.. System Architecture Models Resource Management Models System/Platform Design Systems : Properties: timing, power, security, fault tolerance Abstractions: discrete-time, delays, resources, scheduling, Assumption: Effects of digital implementation can be neglected Assumption: Effects of platform properties can be neglected

7 Composition Inside Abstraction Layers Plant Dynamics Models Controller Models Physical design Software Architecture Models Software Component Code Software design System Architecture Models Resource Management Models System/Platform Design Controller dynamics is developed without considering implementation uncertainties (e.g. word length, clock accuracy ) optimizing performance. Software architecture models are developed without explicitly considering systems platform characteristics, even though key behavioral properties depend on it. Platform architectrue defines platform configuration, resource management, networking,. Uncertainties introduce time variant delays that may require re-verification of key properties on all levels. Assumption: Effects of digital implementation can be neglected Assumption: Effects of platform properties can be neglected X X

8 Model-Based Design Plant Models and Requirements Funcion (Controller) Modeling System-Level Modeling System-Level Modeling SW Architecture Modeling Deployment Modeling Deployment Modeling Code Improve Robustness of Controllers Against Implementation Uncertainties How should we increase robustness in controller design? – Robust hybrid and embedded systems design (Tomlin, Sastry) – Performance bounds for constrained linear stochastic control (Boyd, Wang) – Constructive nonlinear control design (Kottenstette, Porter ) Controller Design

9 Model-Based Design Plant Models and Requirements Funcion (Controller) Modeling System-Level Modeling System-Level Modeling SW Architecture Modeling Deployment Modeling Deployment Modeling Code Verification and Testing How can we exploit heterogeneous abstractions in verification and test generation? – Model-based testing and verification of embedded systems implementations (Clarke, Platzer) – Statistical Probabilistic Model Checking (Zuliani, Clarke) V&V

10 Model-Based Design Plant Models and Requirements Funcion (Controller) Modeling System-Level Modeling System-Level Modeling SW Architecture Modeling Deployment Modeling Deployment Modeling Code Model-based code generation (2008) From Models To Code From Models To Code How to design high-confidence software and systems? – Model-based code generation with partial evaluation (Zhou, Leung, Lee) – Model-based code generation with graph transformation (Karsai) (Last year results, they are built in the tools.)

11 Model-Based Design Plant Models and Requirements Funcion (Controller) Modeling System-Level Modeling System-Level Modeling SW Architecture Modeling Deployment Modeling Deployment Modeling Code Progress towards integrated model- based design flow How can we integrate model-based design flows? – Correctly composing components (Lee) – Model-integrated tool chain for high confidence design (Karsai, Porter, Hemingway, DeBusk and Sztipanovits) – StarMac Experimental platform (Tomlin, Sastry) PRISM Meta-Model ECSL-DP Meta-Model AIRES Meta-Model CFG Meta-Model PRISM  ESML ESML-  CFG ESML  AIF Model-Based Design

12 Starmac Experimental Platform Quadrotor aircraft developed by co-PI Claire Tomlin Requires integration of legacy and custom components.

13 Experimental Set Up A mobile sensor network: – A set of vehicles, each with a set of sensors for its own navigation and control, as well as for sensing its environment (such as target range or bearing) – Computation is distributed, and limited to the processors on board the vehicles (no central computer) – Communication between subsets of vehicles (limited by range or geography) available – Collision avoidance needed between vehicles – Humans share control with automation Focus on algorithms for autonomous search: – Unexploded ordinance detection – Beacon tracking scenarios – RFID tracking – Survey of disaster areas – Search and rescue – Biological studies, animal monitoring

14 Accomplishment Highlights 1/2 New results in hybrid control system design using reachable set analysis. Methodology for computing reachable sets using quantized inputs over discrete time steps has been developed and implemented for an aircraft collision avoidance example. (Tomlin, Sastry) Use of reachable set analysis in complex control law design. (Tomlin) We have extended our approach for integrated software model checking in the loop to the case of nonlinear dynamic plant models using the concept of bisimulation functions for nonlinear systems (Krogh) (not presented at the review) New algorithm for the formal verification of curved flight collision avoidance (Clarke, Platzer) New algorithm and method for statistical probabilistic model checking and its application to Simulink/Stateflow models (Clarke, Zuliani) Extension of passivity based approach for controller design to fixed-wing aircrafts. (Kottenstette)

15 Accomplishment Highlights 2/2 New results in introducing ontology information using Hindley-Milner type theories in modeling environments (Lee) New results in handling time in hierarchical modal models (Lee) Integrated tool chain for model-based generation of embedded flight controller on distributed computing platform. Guaranteed stability against implementation induced timing uncertainties and verified schedulability on time- triggered platform. Demonstration of roundtrip engineering between physical and implementation layers: physical models are used for code generation and implementation models are used for updating physical models. Demonstration of practical use of reachable set analysis in acrobatic maneuver design and multi-vehicle collision avoidance for the STARMAC quadrotor helicopter testbed.

16 Collaboration The team members work together extensively in many areas in this project and outside of the project Many examples for joint work among research teams Forms of collaborations: – Bi-weekly/monthly telecons – Researcher and graduate student visits – Free flow of ideas, methods and tools

17 Transitioning The Ptolemy II source tree now is available via CVS. The team actively works on transitioning research results to the following companies : Lockheed Martin National Instrument Vanderbilt’s MIC tool suite (GME, GReAT, UDM, OTIF) had a major release in GME supports now large scale model management and concurrent modeling. The releases are available through the ISIS download site. Vanderbilt continued working with GM, Raytheon, LM and BAE Systems research groups on transitioning model-based design technologies into programs. Vanderbilt continued working with Boeing’s FCS program on applying the MIC tools for precise architecture modeling and systems integration. Active collaboration with TTTech, University of Vienna. Collaboration started with VERIMAG.on integrating BIP in the tool chain. UC Berkeley’s reachable set tools are transitioned to the following institutions: Microsoft Research NASA Ames

18 Plans for Years 4&5 Networked Control System Design – Distributed control/multi agent systems – Dynamic state estimation and mode switching – Robustness against network effects – More realistic channel models – Managing effects from network layer Verification and Testing – Generation of formal representations from models – Order reduction using hybrid bisimulation – Compositional specification of heterogeneous components Tools – Integrated, heterogeneous tool chains – Complete path from virtual prototyping to physical implementation – Additional design aspects: fault management, bridge to security Experiments – Extension of scope and complexity

19 FUNDING ($K)— Show all funding contributing to this project FY06 FY07 FY08 FY09 FY10 FY11 AFOSR Funds Option TRANSITIONS Strong link to industry: Boeing, BAE Systems, Raytheon, GM, MathWorks, National Instruments, TTTech Industry affiliate programs: CHESS, ESCHER, GMLab. STUDENTS, POST-DOCS 9 graduate students (MURI) + student groups from other projects LABORATORY POINT OF CONTACT Dr William M. McEneaney, AFRL/AFOSR Dr Fariba Fahroo, AFRL/AFOSR Dr. David B. Homan, Civ AFRL/RBCC, WPAFB, OH APPROACH/TECHNICAL CHALLENGES Guaranteed behavior of distributed control software using the following approaches: (1) extension of robust controller design to selected implementation error categories (2) providing “certificate of correctness” for the controller implementation (3) development of semantic foundation for tool chain composition (4) introducing safe computation models that provide behavior guarantees ACCOMPLISHMENTS/RESULTS  See Presentations Long-Term PAYOFF: Decrease the V&V cost of distributed embedded control systems OBJECTIVES Development of a theory of deep composition of hybrid control systems with attributes of computational and communication platforms Development of foundations for model-based software design for high-confidence, networked embedded systems applications. Composable tool architecture that enables tol reusability in domain-specific tool chains Experimental research Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems if (inactiveInterval != -1) { int thisInterval = (int)(System.currentTimeMill is() - lastAccessed) / 1000; if (thisInterval > inactiveInterval) { invalidate(); ServerSessionManager ssm = ServerSessionManager.getMana ger(); ssm.removeSession(this); } private long lastAccessedTime = creationTime; /** * Return the last time the client sent a Model Transformation Modeling Languages Models Model Translators Model-based Code Generators Analysis tools Platforms Control Design Implementation Design

20 WiFi b ≤ 5 Mbps ESC & Motors Phoenix-25, Axi 2208/26 IMU 3DMG-X1 76 or 100 Hz Ranger SRF08 13 Hz Altitude GPS Superstar II 10 Hz I 2 C 400 kbps PPM 100 Hz UART 19.2 kbps Robostix Atmega128 Low level control UART 115 kbps CF 100 Mbps Stereo Cam Videre STOC 30 fps 320x240 Firewire 480 Mbps UART 115 Kbps LIDAR URG-04LX 10 Hz ranges Ranger Mini-AE Hz Altitude Beacon Tracker/DTS 1 Hz WiFi g+ ≤ 54 Mbps USB Mbps RS kbps Timing/ Analog Analog RS232 UART Stargate 1.0 Intel PXA255 64MB RAM, 400MHz Supervisor, GPS PC/104 Pentium M 1GB RAM, 1.8GHz Est. & control Start with controller Expand to supervisor Finally to host Starmac Platform

21 Platform Extensions TTTech MPC 555 micros TTP/C comm TTTech Software tools Fault-tolerance Soekris Linux w/ 3xEthernet TT Virtual Machine on standard UDP and Linux No fault tolerance (yet) Gumstix