Design, Implementation, and Validation of Embedded Software (DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, Oleg Sokolsky
Department of Computer and Information Science
Department of Electrical Engineering
Department of Mechanical Engineering and Applied Mechanics
University of Pennsylvania
1 February 2002

Topic Area 1. Administrative

Administrative Information
– Project title: Design, Implementation, and Validation of Embedded Software (DIVES)
– PI: Insup Lee (215-898-3532, lee@cis.upenn.edu)
– Co-PIs: Rajeev Alur, Vijay Kumar, George Pappas
– Organization: University of Pennsylvania
– Contract number: DARPA ITO MOBIES F33615-00-C-1707
– AO Number: K230
– Award end date: May 16, 2003
– Agent: 1st Lt. Jason Lawson, Air Force Research Laboratory

DIVES Team
– Faculty: Rajeev Alur (CIS), Vijay Kumar (MEAM), Insup Lee (CIS), George Pappas (EE), Oleg Sokolsky (CIS)
– Research Associates: Thao Dang, Salvatore La Torre, Herbert Tanner
– PhD Students: Calin Belta, Joel Esposito, Yerang Hur, Franjo Ivancic, Pradyumna Mishra, Usa Sammapun
– Part-time Programmers: Dan Huber, Valya Sokolskaya

Topic Area 2. Collaborators
– CMU
– Berkeley
– Vanderbilt University

Topic Area 3. Problem Description and Program Objective

Project Overview
Project objective:
– Develop languages, algorithms and tools for hybrid systems to facilitate the development of reliable embedded systems
Project description (main research directions):
– Compositional semantics to support hierarchical, modular specifications of hybrid systems
– Reachability analysis of embedded systems
– Compositional analysis and optimal controller synthesis of hybrid systems
– Model-based testing and validation of hybrid systems to provide an additional level of reliability

Topic Area 4. Milestone Excel Spreadsheet
Provided separately.

Topic Area 5. Tool Description

Tools at UPenn
1. CHARON modeling environment
2. Reachability analysis based on predicate abstraction
3. Adaptive simulation tool
4. Requiem
5. Test generation (under development)
6. Abstraction checker (under development)
Much of our effort in the last 6 months was driven by the OEP challenge problems (V2V and ETC).

1. CHARON Toolkit
– Hierarchical modeling of hybrid systems
– Compositional semantics
– Simulation
– Assertion checking

2. Reachability analysis tool
Input:
– Linear hybrid systems: modes have linear dynamics; mode invariants and transition guards are linear
– Input format is compatible with HSIF
Output:
– Execution trace reaching the bad state
[Figure: tool flow. A linear hybrid system, obtained from CHARON or from Simulink/Stateflow, is fed together with properties and predicates into the reachability computation, which produces a counterexample.]

Reachability computation
[Figure: the predicate-abstraction loop. Inputs are the hybrid system, a safety property and a set of Boolean predicates. The tool searches the abstract space; if no bad state is reached, the property holds. Otherwise the abstract counterexample is analyzed: if it is a real counterexample it is reported; if not, an additional predicate is added and the search repeats.]

Implementation status
– Implemented in C++
– Continuous successors computed by d/dt routines; this determines the choice of linear hybrid systems as the input language
– Preliminary results have been obtained
– Counterexample generation is being implemented
– Automatic translation of CHARON models into linear hybrid systems is incorporated into the CHARON toolset
– Connection to Simulink/Stateflow is being considered

3. Adaptive simulation tool
Input:
– Matlab model
Implementation:
– Adaptive integration routines for multi-rate and multi-agent simulation, implemented in C
– Used instead of the standard Matlab integration routines
Output:
– Matlab simulation trace
Integration:
– Simulink/Stateflow can use custom integration routines for simulation
– Integration with the Charon simulator is under way

Multi-time scale simulation
– Hierarchical systems have different time scales
– Multirate techniques exploit this by using different step sizes
– Careful use of interpolants to accommodate coupling
[Figure: plot with axes "ratio of largest to smallest step size" and "coupling", annotated "step size constant".]

Multi-agent simulation
– Agents proceed independently during simulation
  – Agents with slower dynamics are integrated with larger steps, saving unnecessary computation
– Discrete events may depend on the state of several agents
  – Adaptive step size selection synchronizes the agents’ state close to an event boundary

4. Requiem
Exact symbolic continuous reachability computation
Input:
– Nilpotent linear differential equations (e.g., V2V)
– Semialgebraic sets as initial conditions
Output:
– A quantifier-free formula describing the reachable set
Implementation:
– A Mathematica 4.0 notebook
– Uses the experimental quantifier elimination package

5. Test generation
Goal: generate a suite of tests based on a given level of coverage for the model
Input:
– A model of the system as a hierarchical state machine
– A coverage criterion as a parameterized collection of temporal logic formulas
Output:
– A test suite
Implementation:
– In progress
– An off-the-shelf model checker is used

6. Abstraction analysis
Goal: to develop a formal methodology for deriving consistent abstractions of complex dynamical control systems
Input: linear control systems, subject to input and state constraints
Output: reduced-order linear control systems capturing the behavior of the original systems
Implementation: we are beginning to develop Matlab tools for checking the consistency of modeling abstractions for discrete-time control systems in the presence of state and input constraints
[Figure: the original system mapped to its abstraction.]

Penn’s Tool Chain
[Figure: tool-chain diagram connecting HSIF, Model Reduction, Test Generation, Predicate Abstraction, CHARON, Teja, Simulink code, d/dt and Matlab.]

Topic Area 6. OEP Participation

Automotive OEP
– We participate in both the vehicle-to-vehicle coordination (V2V) and the ETC challenge problems
  – Perform analysis of models for the challenge problems using DIVES analysis tools and methodologies
  – We will demonstrate the analysis capabilities during the midterm experiments
– We participated in all ESWG meetings and a number of teleconferences
  – Actively participated in formulating the V2V experimental setup
  – Contributed to the definition of HSIF
  – Helped to define the logistics of the experiments
  – V2V POC: Franjo Ivancic; OEP collaborator: Anouck Girard
  – ETC POC: Oleg Sokolsky; OEP collaborator: Paul Griffiths
– One-day workshop with the CMU team to discuss ETC problems

Topic Area 7. Project Status

Progress since last meeting
– Progress on schedule
– Recently developed techniques
  – Simulation relations for constrained discrete-time linear systems
  – Multi-agent simulation methodology
  – Composability of abstractions
  – Model-based test generation for data-flow coverage criteria
– Publications during the last six months
  – 2 journal papers, 11 conference and workshop papers
– Specific milestones accomplished
  – Modular and distributed simulation techniques
– V2V and ETC problems

Project status
Selected publications since the last PI meeting:
– “Automatic Test Generation using Model Checking,” H.S. Hong, I. Lee, O. Sokolsky, and S.D. Cha, Workshop on Formal Approaches to Testing of Software, BRICS Notes Series NS-01-4, pp. 15-31, August 2001.
– “A Temporal Logic Based Theory of Test Coverage and Generation,” H.S. Hong, I. Lee, O. Sokolsky, and H. Ural, to appear in TACAS'02.
– “Reachability analysis of hybrid systems via predicate abstraction,” R. Alur, T. Dang, and F. Ivancic, to appear at the 5th International Workshop on Hybrid Systems: Computation and Control (HSCC 2002).
– “Composing Abstractions of Hybrid Systems,” P. Tabuada, G.J. Pappas, and P. Lima, to appear at the 5th International Workshop on Hybrid Systems: Computation and Control, March 2002.
– “Simulation Relations for Discrete-Time Linear Systems,” H. Tanner and G.J. Pappas, to appear at the 15th International Federation of Automatic Control (IFAC) World Congress, July 2002.
– “Hierarchies of Stabilizability Preserving Linear Systems,” G.J. Pappas and G. Lafferriere, 40th IEEE Conference on Decision and Control, December 2001.
– “Abstractions of Hamiltonian Control Systems” (finalist, Best Student Paper Award), P. Tabuada and G.J. Pappas, 40th IEEE Conference on Decision and Control, December 2001.
– “Multi-modal control of systems with constraints,” T.J. Koo, G.J. Pappas, and S. Sastry, 40th IEEE Conference on Decision and Control, December 2001.
– “Multi-agent hybrid simulation,” J. Esposito, V. Kumar, and G.J. Pappas, 40th IEEE Conference on Decision and Control, December 2001.
– “Hierarchical hybrid modeling of embedded systems,” R. Alur, T. Dang, J. Esposito, R. Fierro, Y. Hur, F. Ivancic, V. Kumar, I. Lee, P. Mishra, G.J. Pappas, and O. Sokolsky, Embedded Software, Lecture Notes in Computer Science, volume 2211, October 2001.

V2V challenge problem
– An abstract model of the two vehicles is constructed
– Simulations and assertion checking are performed by the CHARON toolkit
– Variables: distance, velLead, velFollow, acceleration (uncertain input)

V2V challenge problem
– The hierarchical CHARON model was automatically translated to a flat linear hybrid system and verified using predicate abstraction
  – No collisions are possible when execution starts in the following initial set:
    5 ≤ distance ≤ 1000
    5 ≤ velLead ≤ 15
    18 ≤ velFollow ≤ 30
– There are 17 predicates and 16 reachable abstract states

V2V midterm experiment
Goals:
– Demonstrate effectiveness of abstractions and analysis techniques
– Demonstrate integration between the modeling and analysis tools
Steps of the experiment:
– Load the model into the Charon toolset; simulate
– Perform automatic translation into the reachability tool format
– Perform predicate abstraction and specify input sets
– Perform reachability analysis
Success criteria:
– Being able to prove or disprove safety properties

ETC Challenge Problem
Two experiments are planned:
– Analysis of the ETC model
  – Several abstraction techniques are employed
  – Reachability analysis is used to prove properties of the abstracted model
  – Conservativeness of the abstractions ensures that the properties carry over to the original model
– Test generation from the ETC model
  – Tests are generated from the controller model only
  – Tests will be applied to the implementation of the ETC controller

ETC analysis experiment
Goals:
– Demonstrate effectiveness of abstraction and analysis techniques
Steps of the experiment:
– Start from the Simulink models of ETC
– Step 1: simplification (completed)
  – Manual application of abstractions
  – Result: a model with 4 modes, 9 variables and 1 continuous input is reduced to a model with 4 modes, 3 variables and 3 discrete-time inputs
– Step 2: analysis (in progress)
  – Automatic transformation into the reachability tool format
  – Perform predicate abstraction and specify input sets
  – Perform reachability computation

Full ETC model
[Figure: block diagram. A signal generator (human input, parameters) feeds the filter & controller, which drives an actuator with Mode 1 (ON) and Mode 2 (OFF); the actuator drives the plant, whose two modes are distinguished by the sign of ω (Mode 2: ω < 0). Sensors feed back τ, ω and α; the signals shown include α, ω, u, i and their desired values.]

Abstraction procedure
– Original model: 4 modes, 9 continuous-time states x, 1 continuous-time input u
– After discretization of the continuous-time dynamics: 4 modes, 9 discrete-time states x, 1 discrete-time input u
– After filter abstraction: 4 modes, 4 discrete-time states y, 3 discrete-time inputs u_f
– After actuator-plant abstraction: 4 modes, 3 discrete-time states z, 3 discrete-time inputs u_f

Filter abstraction
Approach: overapproximate the filter output by additional independent bounded inputs u_f1, u_f2, u_f3.
[Figure: the filter block, labelled ω_c, replaced by the bounded inputs u_f1, u_f2, u_f3.]

Actuator-Plant abstraction
– Consistent abstractions of discrete-time linear control systems can be derived and checked using the notion of simulation relations [Tanner & Pappas, 2001].
– We construct a surjective linear map from the original state space X to the quotient state space Z that captures the amount of state information preserved in the abstraction.
– S_1 simulates S_2 (i.e., it is a valid abstraction of S_2) if and only if the following set containment relation holds:
– This condition allows the analytical construction of the abstract system. In the case of polyhedral constraints, it can be checked efficiently using standard linear programming algorithms.

Actuator-Plant abstraction
The behavior of the original dynamics is captured (included) by the behavior of the abstracted dynamics!

Abstraction Results
[Figure: simulation plots of the signal generator input (α and u) and the sensor outputs for the original model and for its abstraction.]

ETC test generation experiment
Goals:
– Demonstrate model-based test generation techniques
Status:
– Tool implementation is being carried out
– Test suites for mode and transition coverage, as well as definition-use dependency coverage, have been generated manually
– Test application to the ETC implementation is under way

ETC test generation experiment
Steps of the experiment:
– Take the Simulink model of the ETC controller and treat it as a collection of concurrent state machines
  – Triggered blocks are turned into two-state state machines
– Using a model checker, generate tests for the desired coverage criterion
Mode coverage:
– Input: we > weMax; Output: MotorAmps = 0
– Input: te > teMax; Output: MotorAmps = 0
– Input: V > 30, prndl = 3, cruiseSwitch = true; Output: MotorAmps = 1
Transition coverage:
– Input: we > weMax; Output: MotorAmps = 0. Then Input: we
– Input: te > teMax; Output: MotorAmps = 0. Then Input: we
– Input: V > 30, prndl = 3, cruiseSwitch = true; Output: MotorAmps = 1. Then Input: brakeSwitch = true; Output: MotorAmps =

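As an added illustration (not the DIVES tool's code and not the OEP's Simulink ETC model), the following Python encodes a small constructed cruise-control state machine over the inputs named on the slide (we, weMax, te, teMax, V, prndl, cruiseSwitch, brakeSwitch) and derives mode-coverage and transition-coverage test suites from it; an explicit breadth-first search over an abstract input alphabet stands in for the off-the-shelf model checker, and the mode names, transition priorities and limit values (weMax = 6000, teMax = 120) are assumptions.

```python
from collections import deque
# Constructed toy cruise-control state machine (hypothetical; not the OEP's
# Simulink ETC model). Each mode fixes the MotorAmps output.
OUTPUT = {"Off": 0, "CruiseOn": 1, "Fault": 0}
def engage(i): return i["V"] > 30 and i["prndl"] == 3 and i["cruiseSwitch"]
# (source mode, name, guard on current inputs, target); fault guards first.
TRANSITIONS = [
    ("Off",      "overspeed", lambda i: i["we"] > i["weMax"], "Fault"),
    ("CruiseOn", "overspeed", lambda i: i["we"] > i["weMax"], "Fault"),
    ("Off",      "overtemp",  lambda i: i["te"] > i["teMax"], "Fault"),
    ("CruiseOn", "overtemp",  lambda i: i["te"] > i["teMax"], "Fault"),
    ("Off",      "engage",    engage,                          "CruiseOn"),
    ("CruiseOn", "brake",     lambda i: i["brakeSwitch"],      "Off"),
]
def step(mode, inp):
    """One controller cycle: fire the first enabled transition, else stay."""
    for src, name, guard, dst in TRANSITIONS:
        if src == mode and guard(inp):
            return dst, name
    return mode, None
# Abstract input alphabet: one representative valuation per guard region
# (assumed limits weMax = 6000 and teMax = 120).
BASE = {"V": 0, "prndl": 0, "cruiseSwitch": False, "brakeSwitch": False,
        "we": 0, "weMax": 6000, "te": 0, "teMax": 120}
INPUTS = [
    dict(BASE),                                      # nothing happens
    dict(BASE, V=40, prndl=3, cruiseSwitch=True),    # engage cruise
    dict(BASE, brakeSwitch=True),                    # driver brakes
    dict(BASE, we=6500),                             # engine overspeed
    dict(BASE, te=130),                              # engine overtemperature
]
def generate_tests(criterion, init="Off"):
    """BFS standing in for the model checker: for each coverage goal (a mode,
    or a (src, name, dst) transition) return the shortest input sequence
    reaching it together with the expected MotorAmps output trace."""
    tests, seen = {}, {init}
    queue = deque([(init, [], [])])
    while queue:
        mode, ins, outs = queue.popleft()
        for inp in INPUTS:
            nxt, fired = step(mode, inp)
            if criterion == "transition" and fired is None:
                continue  # staying put without a transition covers nothing
            goal = nxt if criterion == "mode" else (mode, fired, nxt)
            ins2, outs2 = ins + [inp], outs + [OUTPUT[nxt]]
            tests.setdefault(goal, (ins2, outs2))  # first found is shortest
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, ins2, outs2))
    return tests
```

Each generated test is an input sequence plus the MotorAmps trace the model predicts, which is what gets replayed against the controller implementation.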
Topic Area 8. Project Plans

Project Plans
Plans for the next 6 months:
– Refine abstraction, analysis and test generation techniques
– Develop tools to support them
– Perform OEP experiments using these techniques and tools
– Interface with other tools through HSIF
Specific performance goals:
– Demonstrate improved capability to verify linear hybrid systems in terms of number of modes and number of state variables
– Provide a methodology for design feedback to ETC and other problems
– Demonstrate the feasibility of model-based test generation

Topic Area 9. Project schedule and milestones

Project schedule and milestones
[Figure: Gantt chart over quarters 3FY00 through 2FY03 for the tasks 1. Design language; 2. Software toolkit; 3a. Compositional semantics; 3b. Simulation techniques; 3e. Controller synthesis; 3f. Abstraction techniques. Legend: milestone on schedule, milestone completed ahead of schedule, deliverable.]

Project schedule and milestones
Past milestones:
– Q3FY01: Compositional Semantics
  – Completed ahead of schedule
  – Deliverable: research report on compositional semantics
– Q1FY02: Modular and Distributed Simulation Techniques
  – Completed on schedule
  – Deliverables: research reports on event detection, modular and multi-agent simulation algorithms
Upcoming milestones:
– Q3FY02: Analysis Techniques and Tool Suite
  – Progress on schedule
  – Deliverables: research reports on abstraction techniques and analysis algorithms; tool implementation

Technology Transition
Use of Charon and its toolkit for embedded medical device development
– The CARA (Computer Assisted Resuscitation Algorithm) infusion pump system developed by WRAIR (Walter Reed Army Institute of Research)
– The reference model specification in Charon
– Design analysis and implementation validation
Goal: enhance the FDA approval process for embedded medical devices

The End.