title 11/5/2000 eSimplex Architecture Using MaCS Insup Lee Oleg Sokolsky Moonjoo Kim Anirban Majumdar Sampath Kannan Mahesh Viswanathan Insik Shin and many others…

title 11/5/2000 Run-time Formal Analysis Run-time formal analysis ensures the run-time compliance of an execution of a system with its formal requirement. The analysis validates properties on the current execution of application. The analysis can –detect incorrect execution of applications –predict error and steer computation –collect statistics of actual execution

title 11/5/2000 System Spec System Spec Requirement Spec Requirement Spec Formal verification Design System Implementation System Implementation Monitoring Data Monitoring Data Implementation Event Recognizer + Checker Event Recognizer + Checker System Filter Communication Run-time Check MaCS Methodology

title 11/5/2000 MaCS Asynchronous Control Cycle Identify safe spots in the implementation to apply steering Detect violations as they occur and initiate steering Execute steering actions when it is safe System Checker monitor detect ! invoke execute

title 11/5/2000 MaCS Synchronous Control Cycle In critical situations, asynchronous cycle may not be suffient Check for violations before critical updates Pause the system until the checker confirms Steer if violation occurs System Checker monitor detect ! invoke compute update compute update compute execute update

title 11/5/2000 MaCS languages Run-time state: control locations object state local variables Abstract state: events conditions auxiliary variables MEDL PEDL SADL

title 11/5/2000 Property checking A MEDL specification can be seen as an automaton with auxiliary store running on a stream of events provided by the event recognizer aux. variables

title 11/5/2000 Data extraction and event detection PEDL script –describes monitored objects in the program, statically identifying them in the code –defines events in terms of monitored objects Technical challenge: –all updates to the monitored objects must be detected

title 11/5/2000 Steering (asynchronous) SADL script –defines steering actions –identifies locations in the code where the actions can be executed steering condition i satisfied execution Invocation flags Action bodies 0in 0 i n test call Checker invoke

title 11/5/2000 MaCS toolset Program (Java byte code) Monitoring Script (PEDL) Requirements (MEDL) PEDLCompiler MEDLCompiler Instrumented Code Filter Generator (JTREK) Instrumentation Information Compiled PEDL Compiled MEDL Event Recognizer Checker Steering Script (SADL) SADLCompiler Instrumentation Information Injector class (Java byte code)

title 11/5/2000 Simplex architecture Simplex (Simple and Complex) architecture allows the insertion of control software on the fly while maintaining system reliability. It is not possible to test new control software completely. Developed by Lui Sha, et al. (University of Illinois)

title 11/5/2000 Overview of Simplex Architecture Safety Baseline Experimental Decision Module Physical System usus ubub ueue xu SC BC EX x0x0 Equilibrium state

title 11/5/2000 Inverted Pendulum Hard constraints: State vector: The control problem is solved using LMI and LQR and the linearized dynamics of the system. The stability region is given by Soft constraints: A performance index, e.g., Relative stability in time domain or frequency domain Bandwidth m l  x g M ufuf

title 11/5/2000 IP eSimplex implementation Device Drivers angle, track volts Decision Module Experimental Controller Switching logic Safety Controller

title 11/5/2000 eSimplex in MaCS Goal: –Provide a prototyping framework for control engineers –Separate control design from software engineering Approach: –A system is an extensible collection of controllers –Monitor switching conditions –Implement controller switches using steering

title 11/5/2000 eSimplex in MaCS Device Drivers angle, track volts Decision Module Experimental Controller Switching logic Safety Controller JNIJNI JNI monitor steer

title 11/5/2000 Java implementation of eSimplex Controller interface: public interface Controller { public float sendCommand(double angle, double track, double period); } Decision module: static SafetyController SC = new SafetyController(); static ExternalController EC = new EC1(); static Controller ctr; public void setSC() { ctr = SC; } public void setEC() { ctr = EC; } public int control(long frequency) { angle = nativeGetAngle(); track = nativeGetTrack(); volts = ctr.sendCommand(angle,track,frequency/1000.0); nativeSendCommand (volts); }

title 11/5/2000 Monitoring: IP.pedl MonScr IP export event ev_track_pos,ev_current_angle, ev_volts, startPgm; monobj int DecisionModule.period; monobj float DecisionModule.track; monobj float DecisionModule.angle; monobj float DecisionModule.volts; event startPgm = update(DecisionModule.period); event ev_current_angle = update(DecisionModule.angle); event ev_track_pos = update(DecisionModule.track); event ev_volts=update(DecisionModule.volts); end

title 11/5/2000 Checking: IP.medl Detecting violations ev_current_angle -> { theta' = value(ev_current_angle,0)/ ; thetadot' = (theta' - theta) / 0.040; } ev_track_pos-> { x' = value(ev_track_pos,0)/ 100; xdot' = (x' - x) / 0.040; } condition abnormal = (track_pos' > 40 || track_pos' = 4 ; event invokeSafeController = start(abnormal) when (controller == 1); event invokeExternalController = start(nTimer'%500 == 0) when (controller == 0); invokeSafeController -> { invoke change2SC(); controller = 0; } invokeExternalController -> { invoke change2EC(); controller = 1; }

title 11/5/2000 Checking: IP.medl Safety envelope computation event calcSafeVal = ev_volts when (controller == 1); calcSafeVal -> { volts'= value(ev_volts,0); xa_0' = x * theta * xdot *thetadot * volts'; xa_1' = * theta * xdot * thetadot – * volts'; xa_2' = * theta * xdot * thetadot * volts'; xa_3' = * theta *xdot *thetadot * volts'; temp_0' = *xa_0' * xa_1' *xa_2' *xa_3' ; temp_1' = *xa_0' * xa_1' *xa_2' *xa_3' ; temp_2' = *xa_0' * xa_1' *xa_2' *xa_3' ; temp_3' = *xa_0' * xa_1' * xa_2' *xa_3' ; safeVal' = xa_0'*temp_0' + xa_1'*temp_1' + xa_2'*temp_2' + xa_3'*temp_3'; }

title 11/5/2000 Steering: IP.sadl steering script IP steered objects DecisionModule IP:dm; float DecisionModule:volts; steering action change2EC= { call (IP:dm).setEC(); } before read DecisionModule:volts; steering action change2SC= { call (IP:dm).setSC(); } before read DecisionModule:volts; end

title 11/5/2000 Demonstration Checker detects violations when the experimental controller is running –Switches to safe controller when a violation is detected –After fixed time switches back to the experimental controller A terribly bad experimental controller –Sends constant output to the motor regardless of the situation

title 11/5/2000 Experimental results MaCS can successfully detect safety violations in eSimplex and force switching to the safety controller Keeps the pendulum upright even if the experimental controller fails completely Turnaround time for the detection/steering cycle is significantly smaller than the eSimplex control cycle –synchronous steering is possible

title 11/5/2000 Future directions Implement synchronous steering –Extend SADL to have both synchronous and asynchronous actions –Modify instrumentation to pause the program Note that steering is now tied to specific updates Coordination with PEDL may be needed MaCS on real-time Java Distributed MaCS