Design, Implementation, and Validation of Embedded Software (DIVES) Contract No. F33615-00-C-1707 - PowerPoint PPT Presentation

Transcript and Presenter's Notes



1
Design, Implementation, and Validation of Embedded Software (DIVES)
Contract No. F33615-00-C-1707
  • Rajeev Alur, Vijay Kumar, Insup Lee (PI), and
    George Pappas
  • Department of Computer and Information Science
  • Department of Electrical Engineering
  • Department of Mechanical Engineering and Applied
    Mechanics
  • University of Pennsylvania

2
Our Group
  • Prof. Rajeev Alur (CIS)
  • Prof. Vijay Kumar (MEAM, CIS)
  • Prof. Insup Lee (CIS)
  • Prof. George Pappas (EE, CIS)
  • Dr. Rafael Fierro (Postdoc)
  • Dr. Oleg Sokolsky (Research associate)
  • Joel Esposito (Ph.D. student)
  • Yerang Hur (Ph.D. student)
  • Franjo Ivancic (Ph.D. student)

3
Outline
  • Goal and approach
  • Modeling language for hybrid systems
  • Analysis approaches
  • Toolset
  • Summary

4
The DIVES Project
  • Goal
      • Develop languages, algorithms and tools for
        hybrid systems to facilitate the development of
        reliable embedded systems
  • Approach
      • Design and modeling language (called CHARON) with
        formal semantics
      • Analysis, verification, and validation techniques
      • Programming environment and software tools
      • Methodology for hybrid embedded systems
        development

5
CHARON Modeling Language
  • Compositional and Modular specification of
    multi-agent hybrid systems
  • Individual components described as agents
  • Composition, instantiation, and hiding
  • Individual behaviors described as modes
  • Encapsulation, instantiation, and scoping
  • Support for both discrete and continuous behavior
  • Differential as well as algebraic constraints
  • Discrete transitions can call library routines
  • Resource requirements and constraints
  • Well-defined formal semantics

6
Architectural Hierarchy in CHARON
[Figure: an Agent composed of sub-agents Robot1 and Robot2, each built from
a sensor, a processor and an actuator, connected through Input Ports and
Output Ports]
Each agent can be represented as a parallel
composition of sub-agents
7
Behavioral Hierarchy in CHARON
[Figure: mode hierarchy with top-level mode main, submodes awayTarget and
atTarget, and nested submodes control and sensing, linked through Entry
Ports and Exit Ports]
  • Each agent consists of modes or behaviors
  • Modes can in turn consist of submodes

8
Modes
  • Each agent consists of modes or behaviors
  • A mode describes flow of control inside an agent.
  • Modes contain
      • Control points (entry points, exit points)
      • Variables (private, input, output)
      • Continuous dynamics
      • Invariants
      • Transitions
      • Nested submodes

9
Specification of Continuous Behavior in CHARON
  • Differential equations
        diff position robot_Pos
        diffEqn diffStop { d(robot_Pos.x) == 0.0; d(robot_Pos.y) == 0.0 }
  • Continuous equations
        cont robotEST
        contEqn contEST { robotEST == foo(x) bar(x) }
  • Invariant constraints in modes
        inv invTUCost { lub < x < gub }

10
Sample code in CHARON
    macro target x=50.0 y=50.0

    agent Robot(diff analog position initPos, real speed) {
        input channel of estimate inLink[5];
        output channel of estimate outLink[5];
        extern estimate updateEstimate(position, estimate);

        mode main() {
            diff analog position myPos;
            trans init from main to awayTarget when true do { myPos = initPos }

            mode awayTarget() {
                inv invAway { myPos != target }
                mode moving() { ... }
                mode updating() { ... }
                trans ... from ... to ... when ...
                trans ... from ... to ... when ...
            }

            trans arrived from awayTarget to atTarget when (myPos == target)

            mode atTarget() {
                diff diffStop { d(myPos.x) == 0.0; d(myPos.y) == 0.0 }
            }
        }
    }

    robot1 = Robot(iPos, spd) [inLink1..5, outLink1..5 :=
                r12inLink, r12outLink, r13inLink, r13outLink,
                r14inLink, r14outLink, r15inLink, r15outLink]
    ...
    robot5 = Robot(iPos, spd) [inLink1..5, outLink1..5 :=
                r51inLink, r51outLink, r52inLink, r52outLink,
                r53inLink, r53outLink, r54inLink, r54outLink]

    Sys = robot1 || robot2 || robot3 || robot4 || robot5
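
The mode semantics the sample illustrates (a flow inside a mode, an invariant that must hold while the mode is active, and a guarded transition into another mode) can be executed directly. The following Python simulation is an added example, not part of the DIVES toolset or the slide's CHARON code; it assumes straight-line motion toward the target in awayTarget, a fixed Euler step, and a tolerance EPS in place of exact equality on reals.

```python
import math

TARGET = (50.0, 50.0)   # the slide's macro target x=50.0 y=50.0
EPS = 1e-9              # tolerance standing in for myPos == target on floats

def step_robot(mode, pos, speed, dt):
    """One Euler step of the Robot agent; returns (new_mode, new_pos).
    awayTarget: myPos moves straight toward target at `speed` (assumed
                dynamics; the slide leaves the moving() submode unspecified).
    atTarget:   diff diffStop { d(myPos.x) == 0.0; d(myPos.y) == 0.0 }."""
    x, y = pos
    if mode == "atTarget":
        return mode, pos                    # flow is zero, nothing changes
    dx, dy = TARGET[0] - x, TARGET[1] - y
    dist = math.hypot(dx, dy)
    if dist > EPS:
        move = min(speed * dt, dist)        # clip so the flow never overshoots
        x, y = x + move * dx / dist, y + move * dy / dist
    # trans arrived from awayTarget to atTarget when (myPos == target)
    if math.hypot(TARGET[0] - x, TARGET[1] - y) <= EPS:
        return "atTarget", TARGET
    return mode, (x, y)

def invariant_holds(mode, pos):
    """inv invAway { myPos != target } must hold while in awayTarget."""
    if mode == "awayTarget":
        return math.hypot(TARGET[0] - pos[0], TARGET[1] - pos[1]) > EPS
    return True

def run(init_pos, speed, dt=0.1, max_steps=10_000):
    """Simulate from init_pos (the init transition does myPos = initPos and
    enters awayTarget). Returns (trace, invariant_violations): trace is a
    list of (time, mode, pos) samples, the count says how many samples broke
    the invariant of the mode they were taken in."""
    mode, pos, trace, violations = "awayTarget", init_pos, [], 0
    for i in range(max_steps):
        if not invariant_holds(mode, pos):
            violations += 1
        trace.append((round(i * dt, 6), mode, pos))
        mode, pos = step_robot(mode, pos, speed, dt)
        if mode == "atTarget":
            trace.append((round((i + 1) * dt, 6), mode, pos))
            break
    return trace, violations
```

Starting the robot exactly on the target shows why the invariant matters: the init transition enters awayTarget with myPos == target, which the checker reports before the arrived transition fires.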
11
Analysis Algorithms and Techniques
  • Robust and scalable simulation
      • Modular
      • Distributed
  • Model checking
  • Synthesis of embedded hybrid systems
  • Runtime monitoring and checking

Theme: scalability by exploiting the
modular/hierarchical structure
12
Modular Simulation
Goal: to speed up simulation by exploiting the
modular structure of the specification
[Figure: nested modes labelled d, x, inv1 and t, x, y, inv2,
integrated at different time scales]
  1. Hierarchical modes can be integrated at different
     time scales
  2. Submodes viewed as black-boxes
  3. Initial experimental results encouraging

  • Challenges
      • Robustness
      • Scalability
      • Accuracy

13
Distributed Simulation
  • Process allocation can be done at
      • Agent level
      • Mode level
  • Synchronization approach
      • Conservative: an LP (Logical Process) executes only
        after all values are available
          • Cons: LPs do not utilize concurrency fully
      • Optimistic: an LP executes even though all the
        values are not ready and rolls back later if
        necessary
          • Cons: rollbacks cause communication overhead
      • Develop an integrated approach
  • Challenges
      • Speedup
      • Integrated simulation with real components

14
Conservative vs. Optimistic
[Figure: two time-line diagrams of LPs A1, A2, A3 over time t,
contrasting conservative and optimistic execution]
15
Model Checking
  • Goal: automatically determine if a Charon program
    satisfies a temporal requirement
  • Current technology: symbolic reachability
    analysis using polyhedra (HyTech, Kronos)
  • Challenges
      • Scalability
      • How to handle complex dynamics?
  • Research directions
      • Discrete approximation using abstractions
      • Assume-guarantee
      • Exploiting hierarchical structure

16
Hierarchical Synthesis for Hybrid Systems
  • Hierarchical synthesis methods require property
    preserving abstractions of
      • Continuous systems
      • Hybrid systems
  • Concurrency theory and control theory
      • Hybrid/timed abstractions of hybrid systems
      • Optimal control of real time systems
      • Mode switching controllers

17
Runtime Monitoring and Checking
  • Run-time monitoring and checking to validate an
    implementation
  • Execution is monitored for compliance with formal
    requirements
  • The approach can be used to
      • detect incorrect execution of an application
      • predict errors and steer computation
      • measure statistics of actual execution which
        cannot be measured in either testing or formal
        verification
      • certify plug-in components
      • increase the assurance of a running system
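
A runtime checker of this kind replays the samples an instrumented implementation emits and flags every sample that violates a requirement taken from the model. The Python monitor below is an added example, not the DIVES runtime monitor; it assumes a constructed one-line-per-sample trace format and checks the invAway invariant and the diffStop dynamics from the slide 10 sample, plus one assumed requirement (no transition leaves atTarget), while also collecting the arrival-time statistic that testing alone would not give.

```python
import re

TARGET = (50.0, 50.0)    # the slide's macro target x=50.0 y=50.0
# Constructed trace-line format (not CHARON's own); one sample per line.
LINE = re.compile(r"t=(?P<t>[\d.]+) mode=(?P<mode>\w+) x=(?P<x>-?[\d.]+) y=(?P<y>-?[\d.]+)")

def parse(line):
    m = LINE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"malformed trace line: {line!r}")
    return float(m["t"]), m["mode"], (float(m["x"]), float(m["y"]))

def check_trace(lines):
    """Replay a trace through the requirement checkers as a runtime monitor
    would. Returns (violations, stats): violations is a list of
    (time, requirement) pairs; stats records first arrival and samples per mode."""
    violations, counts, arrival, prev = [], {}, None, None
    for line in lines:
        t, mode, pos = parse(line)
        counts[mode] = counts.get(mode, 0) + 1
        # R1 (slide 10): inv invAway { myPos != target } while in awayTarget
        if mode == "awayTarget" and pos == TARGET:
            violations.append((t, "invAway"))
        if prev is not None:
            pt, pmode, ppos = prev
            if t < pt:                                  # clock must not run backwards
                violations.append((t, "nonMonotonicTime"))
            # R2 (slide 10): diff diffStop in atTarget, so the position must not move
            if pmode == "atTarget" and mode == "atTarget" and pos != ppos:
                violations.append((t, "diffStop"))
            # R3 (assumed): the slide shows no transition out of atTarget
            if pmode == "atTarget" and mode != "atTarget":
                violations.append((t, "noExitFromAtTarget"))
        if mode == "atTarget" and arrival is None:
            arrival = t                                 # a statistic of the actual run
        prev = (t, mode, pos)
    return violations, {"arrival_time": arrival, "samples": counts}

# Constructed trace: a correct prefix, then a drift while stopped and an illegal exit.
TRACE = [
    "t=0.0 mode=awayTarget x=0.0 y=0.0",
    "t=0.1 mode=awayTarget x=25.0 y=25.0",
    "t=0.2 mode=atTarget x=50.0 y=50.0",
    "t=0.3 mode=atTarget x=50.0 y=50.0",
    "t=0.4 mode=atTarget x=50.5 y=50.0",
    "t=0.5 mode=awayTarget x=50.0 y=50.0",
]
```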

18
Monitoring and Checking Framework
19
The Overall Architecture
  • Checking based on hybrid system model
  • Distributed monitoring and checking

20
DIVES Programming Environment
[Figure: architecture diagram with the components Formal Requirements;
CHARON Code (high level language); Charon to Java Translator; Model
Checker; Java Code; Java Libraries; Runtime Monitor; Drivers; Simulator
Code Generator; Control Code Generator; Analysis; Human Interface]
21
Toolset components
  • CHARON to intermediate internal representation
    (IR)
  • Simulator generation from IR
  • Model checking from IR
  • Graphical user interface
  • Error trace generator
  • Runtime monitor and checker generator

22
Methodology
  • Compositional modeling
  • Stepwise refinement
  • Hierarchical abstractions of physical constraints

23
Summary
  • DIVES includes a high-level modeling language
    (Charon) and a design environment reflecting the
    current state of the art in both formal and
    object-oriented methods (UML)
  • Tools for formal analysis
      • Simulation
      • Model checking
      • Controller synthesis
      • Runtime monitoring
  • Emphasis on hierarchy and compositionality