Title: Design, Implementation, and Validation of Embedded Software DIVES
Design, Implementation, and Validation of Embedded Software (DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, and Oleg Sokolsky
Department of Computer and Information Science; Department of Electrical Engineering; Department of Mechanical Engineering and Applied Mechanics
University of Pennsylvania
DIVES Team
- Faculty
  - Rajeev Alur (CIS)
  - Vijay Kumar (MEAM)
  - Insup Lee (CIS)
  - George Pappas (EE)
  - Oleg Sokolsky (CIS)
- PhD Students: Joel Esposito, Yerang Hur, Franjo Ivancic, Salvatore La Torre, Pradumna Mishra, Jiaxiang Zhou
- Research Associates: Thao Dang, Rafael Fiero
- Programmers: Usa Samuppan, Valya Sokolsky
Project Overview
- Project goal
  - Develop languages, algorithms and tools for hybrid systems to facilitate the development of reliable embedded systems
- Research areas
  - Compositional semantics to support hierarchical, modular specifications of hybrid systems
  - Abstraction techniques for analysis of embedded systems
  - Compositional model checking and optimal controller synthesis of hybrid systems
  - Model-based run-time monitoring and testing of hybrid systems to provide an additional level of reliability
Progress since ESWG2
- Progress on schedule
- Analysis techniques
  - Compositional semantics (completed)
  - Theory of refinement (completed)
  - Modular event detection (completed)
  - Reachability analysis (on-going)
  - Abstraction techniques (on-going)
    - Predicate abstraction
    - Qualitative abstraction
  - Model-based test generation (started)
- Analysis methodology
  - Hierarchical modeling framework for scalability
  - Modular modeling framework for model integration
Interactions with OEP and AFRL
- Participated in teleconferences with OEP
  - Test vector generation, verification, synthesis of switching (Boeing)
- Working on the automotive challenge problems
  - Vehicle-to-Vehicle (V2V) coordination
    - Studied the V2V model provided in Shift
    - Generated the hierarchical model of V2V in Charon
    - Interacting with the Berkeley team to better understand the Shift model
  - Powertrain modeling
    - Studied the powertrain model in Simulink
    - Developed approximate models in Charon
    - To be used in the V2V model we developed in Charon
- Studying the Boeing OEP with the Boeing team's help
  - Netmeeting with Lt. Jason Lawson and Marc at AFRL
Outline of Technical Overview
- Hierarchical modeling of V2V
- Reachability analysis
- Abstraction techniques
- Abstraction for control system design
- Model-based test generation
- Modular event detection and simulation
Hierarchical V2V Model
- Charon supports hierarchical and compositional modeling of hybrid systems
- Hierarchical control architecture
  - Allows higher levels of hierarchy, preserving the same hierarchical block structure, to model complex situations
  - Formalization of hierarchy and clear interfaces within layers
  - Model analysis: verification, synthesis of mode switching, test generation, etc.
- Developing a hierarchical control model to specify motion control and navigation functions as hierarchical layers
  - Lower layers of hierarchy: continuous controllers that interact with physical sensors and actuators for desired positioning and tracking
  - Higher layers of hierarchy: discrete event systems handling information, maneuvers, cooperation and safety
  - Clear interfaces for modes and agents
- Identify patterns of design and implementation that can be reused across projects
- Integrate the vehicle-to-vehicle and powertrain models
Example V2V model
[Figure: agent Vehicle is composed of the agents RegulationLayer, CarSensor, InterVehicleCommunication_IN, InterVehicleCommunication_OUT and VehiclePlant.]
Agent VehiclePlant in V2V
[Figure: within agent Vehicle (RegulationLayer, CarSensor, InterVehicleCommunication_IN, InterVehicleCommunication_OUT, VehiclePlant), agent VehiclePlant is refined into the agents Dynamic Controller, Dynamic Sensor and Vehicle Dynamics, connected through the ports Com_IN and Com_OUT.]
Detailed VehiclePlant
[Figure: agent VehiclePlant contains the agents DynamicController (with modes Brake Controller and Torque Controller), DynamicSensor, Communication_IN, Communication_OUT and VehicleDynamics; VehicleDynamics contains the agents PowerTrain, Brake, SI_Engine, GearShift, Rigid Body, Torque Converter, WheelSet and Moments.]
Agent VehiclePlant
[Figure: the same structure as the previous slide (DynamicController with modes Brake Controller and Torque Controller, DynamicSensor, Communication_IN, Communication_OUT, VehicleDynamics with PowerTrain, Brake, SI_Engine, GearShift, Rigid Body, Torque Converter, WheelSet, Moments), annotated with the shared variables xDot_lls, xDDot_lls, xDot, u_isl, p_man_lls, p_wheel_lls, w_wheel_lls, xDDot, throttle_lls, gearRatio_lls, we_lls, steering, p_mcc and throttle_des.]
Agent RegulationLayer
- Modes of agent RegulationLayer: VehicleLeader, VehicleFollower, Collision_W_ON, Collision_W_Off, No_Warning, Cruise, Accelerate, Cruise_Cntrl, Join_ACC, ACC, Join_CACC, CACC, Decelerate, Braking, FCW, CFCW, Warning
Agent Vehicle in Charon
[Charon source listing of agent Vehicle, not reproduced.]
Vehicle model in Charon
[Charon source listing of the vehicle model, not reproduced.]
Reachability Analysis in Hybrid Systems
- Problem statement: given an initial region, compute whether a hybrid system can reach a given (bad) region.
- The key computation step is to compute Reach(X) for a given region X.
- Two paradigms
  - Exact analysis
  - Approximate analysis
[Figure: a region X and its reachable set Reach(X).]
Reachability using quantifier elimination (Requiem)
- Given a nilpotent linear differential equation and a set of initial conditions symbolically, Requiem computes various reachable sets exactly.
- The symbolic computation uses the experimental quantifier elimination package in Mathematica 4.0.
- The computation of reachable sets is converted into a quantifier elimination problem in the decidable theory of the reals as an ordered field.
- Given a nilpotent system and a set defined by polynomial inequalities, Requiem automatically generates the quantifier elimination problem and invokes the experimental quantifier elimination package in Mathematica 4.0.
- If the computation terminates, it returns a quantifier-free formula describing the reachable set.
- Future versions of Requiem may consider parameter synthesis and over-approximations of reachable sets.
- More details on publications, download and examples at http://www.seas.upenn.edu/hybrid/requiem.html
Forward reachable set
[Figure: plot of a forward reachable set computed by Requiem, not reproduced.]
Approximate Analysis
- Abstraction techniques for analysis
  - Predicate abstraction
  - Qualitative abstraction
- Abstraction techniques for control system design
  - Model approximation abstraction
Predicate Abstraction
- Input is a hybrid automaton and a set of k Boolean predicates, e.g., x + y > 5 - z
- The partitioning of the concrete state space is specified by the user-defined k predicates
- Concrete space: L × R^n
- Abstract space: L × {0,1}^k
Overview of the Approach
[Flowchart]
- Inputs: hybrid system, Boolean predicates, safety property
- Search in abstract space
  - Property holds, or
  - No! Counterexample
- Analyze counterexample
  - Real counterexample found, or
  - Additional predicate: add it to the Boolean predicates and search again
Searching the Abstract State
- Discrete transitions correspond to discrete jumps of the concrete hybrid automaton
- Continuous transitions correspond to continuous flow of the concrete hybrid automaton
- Goal is to find one new abstract state that is reachable from the current abstract state
- Possible strategies to find one new abstract state (fix-point vs. exponential state space)
  - Pick a likely abstract state that might lead the path to a counterexample and check reachability.
  - Pick an abstract state that could be reached quickly from the current abstract state and check it.
  - Check all new possible abstract states after computing one numerical time step.
Example: a discrete transition
- The effect of a discrete transition
- The 3 Boolean predicates are x > 0, y > 1, y > x. The reset mapping is y := x + 1, x := 0. Evaluation of the Boolean predicates after the reset hence is: x > 0 is false; y > 1 is true iff x > 0; y > x is true iff x > -1.
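As an added illustration (not from the slides or the Charon toolset), the following Python performs exactly the substitution the slide does by hand: each predicate is rewritten under the affine reset, and the result is classified as a constant, as a predicate already in the abstraction, or as a new predicate the current abstraction cannot express. The Pred class, the dictionary encodings of predicates and resets, and the labels "true"/"false"/"new predicate" are the example's own choices.

```python
from fractions import Fraction

class Pred:
    """Strict linear predicate  sum(c_v * v) + const > 0;  Pred({"y": 1}, -1) is y > 1."""
    def __init__(self, coeffs, const=0):
        self.coeffs = {v: Fraction(c) for v, c in coeffs.items() if c != 0}
        self.const = Fraction(const)

    def after_reset(self, reset):
        """Weakest precondition under an affine reset {v: (coeffs, const)}: each
        assigned variable is replaced by its expression over the pre-state."""
        coeffs, const = {}, self.const
        for v, c in self.coeffs.items():
            expr, k = reset.get(v, ({v: 1}, 0))      # unassigned: v keeps its value
            for w, d in expr.items():
                coeffs[w] = coeffs.get(w, 0) + c * Fraction(d)
            const += c * Fraction(k)
        return Pred(coeffs, const)

    def key(self):
        """Canonical form (first variable scaled to +-1) to recognise a known predicate."""
        if not self.coeffs:
            return ((), self.const)
        scale = abs(self.coeffs[min(self.coeffs)])
        return (tuple(sorted((v, c / scale) for v, c in self.coeffs.items())), self.const / scale)

    def __str__(self):
        parts = [("- " if c < 0 else "+ ") + ("" if abs(c) == 1 else f"{abs(c)}*") + v
                 for v, c in sorted(self.coeffs.items())]
        if not parts:
            return f"{self.const} > 0"
        lhs = " ".join(parts)
        lhs = lhs[2:] if lhs.startswith("+") else "-" + lhs[2:]
        return f"{lhs} > {-self.const}"

def abstract_successor(preds, reset):
    """For every predicate, how its value after the jump is determined: a constant,
    a predicate already in the abstraction, or a new one the abstraction lacks
    (the 'additional predicate' that counterexample analysis would add)."""
    known = {p.key(): str(p) for p in preds}
    out = {}
    for p in preds:
        q = p.after_reset(reset)
        if not q.coeffs:
            out[str(p)] = "true" if q.const > 0 else "false"
        else:
            out[str(p)] = known.get(q.key(), "new predicate: " + str(q))
    return out

# The slide's example: predicates x > 0, y > 1, y > x; reset y := x + 1, x := 0.
PREDS = [Pred({"x": 1}), Pred({"y": 1}, -1), Pred({"y": 1, "x": -1})]
RESET = {"y": ({"x": 1}, 1), "x": ({}, 0)}
```

Running `abstract_successor(PREDS, RESET)` reports x > 0 as false, y > 1 as determined by the existing predicate x > 0, and y > x as depending on x > -1, which is not among the three predicates and therefore forces a nondeterministic abstract successor until it is added.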
Benefits
- In general, not necessary to compute Reach(X) for a region X
- Computing continuous successors only of abstract states, not of intermediate regions of unpredictable shape
- Amenable to various search strategies
  - E.g., try all discrete transitions first, as this computation is less expensive than finding a continuous transition
- Discover new predicates by examining the counterexamples found
Implementation Status
- Prototype implementation is (being) written in C.
- It utilizes the tool d/dt (Verimag) to compute the continuous transitions.
- Hence, only linear hybrid systems are being considered.
- Preliminary results are expected by the end of the summer of 2001.
- It will be integrated into the Charon toolset.
Qualitative Abstraction
- Conventional approaches for discrete abstraction of differential equations
  - Based on the computation of reachable states
  - Exact computation is in general undecidable and is expensive even for restricted hybrid systems
  - Approximate computation (e.g., linear abstractions) is also expensive
- Qualitative reasoning
  - AI technique for reasoning about continuous systems with incomplete knowledge
  - Allows sound and inexpensive (but coarse) discrete abstractions for both linear and nonlinear differential equations
Qualitative Abstraction Approach
- Differential equations as finite state machines
- State space
  - Symbolic and interval values instead of numerical values
    - amount ∈ {0, (0, low), low, (low, high), high, (high, full), full, (full, inf), inf}
  - Direction of change instead of precise continuous dynamics
    - d(amount) ∈ {dec, std, inc}
- Transition relation
  - Determines next states based on continuity and the mean value theorem
  - Is inherently coarse and nondeterministic
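An added example (not the project's code) of the finite state machine this slide describes, in Python: the quantity space is the slide's ordering of landmarks, and successors are generated from continuity and the mean value theorem alone, in the style of QSIM. LANDMARKS, successors and reachable are the example's own names; restricting the allowed directions models a mode in which the sign of d(amount) is known, and leaving it unrestricted shows how coarse the pure abstraction is.

```python
from collections import deque

# Constructed quantity space (the slide's landmark ordering). A qualitative
# magnitude is a landmark name, or a pair (lo, hi) for the open interval between
# two adjacent landmarks.
LANDMARKS = ["0", "low", "high", "full", "inf"]
DIRS = ("dec", "std", "inc")

def above(i):
    return (LANDMARKS[i], LANDMARKS[i + 1]) if i + 1 < len(LANDMARKS) else None

def below(i):
    return (LANDMARKS[i - 1], LANDMARKS[i]) if i > 0 else None

def successors(state, allowed=DIRS):
    """Qualitative successors of (magnitude, direction) justified only by
    continuity and the mean value theorem: a value cannot skip a landmark, and
    the direction cannot flip between inc and dec without passing std.
    `allowed` restricts the direction when the mode fixes the sign of d(amount)."""
    mag, d = state
    out = set()
    if isinstance(mag, str):                       # sitting on a landmark
        i = LANDMARKS.index(mag)
        if d == "inc" and above(i):
            out.add((above(i), "inc"))
        elif d == "dec" and below(i):
            out.add((below(i), "dec"))
        elif d == "std":                           # may stay, or start moving
            out.add((mag, "std"))
            if above(i):
                out.add((above(i), "inc"))
            if below(i):
                out.add((below(i), "dec"))
    else:                                          # strictly inside an interval
        lo, hi = mag
        if d == "inc":
            out |= {(mag, "inc"), (mag, "std"), (hi, "inc"), (hi, "std")}
        elif d == "dec":
            out |= {(mag, "dec"), (mag, "std"), (lo, "dec"), (lo, "std")}
        else:
            out |= {(mag, "std"), (mag, "inc"), (mag, "dec")}
    return {s for s in out if s[1] in allowed}

def reachable(init, allowed=DIRS):
    """Breadth-first exploration of the finite qualitative state machine."""
    seen, work = {init}, deque([init])
    while work:
        for nxt in successors(work.popleft(), allowed):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen
```

With the direction fixed to inc (a pump that is on), reachable(("0", "inc"), ("inc",)) yields the nine filling states up to ("inf", "inc"); with no restriction, the same start also reaches states such as (("low", "high"), "dec"), which is the coarseness the slide warns about.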
Example: Qualitative Models
SPRING
  global analog real x, v, a
  local analog real f
  d(x) = y
  d(y) = a
  f = m a
  f = -k x
Qualitative Abstraction of CHARON
- The basic idea
  - Transform differential equations into finite state machines using qualitative abstraction while maintaining discrete behaviors
- Soundness: L(ODE1) ⊆ L(QDE1), ..., L(ODE4) ⊆ L(QDE4)
[Figure: a CHARON model whose modes A, B, C and D carry ODE1, ODE2, ODE3 and ODE4 is mapped to a model with the same modes and transitions carrying QDE1, QDE2, QDE3 and QDE4.]
Example: CHARON
[Figure: CHARON model of a Pool with a WaterPump agent; the pool level evolves as d(level) = flow. The pump has modes On and Off, each entered through a Transient mode (flow = M(timer), d(timer) > 0, until timer reaches Ready) followed by a Steady(rate, low, high) mode (flow = rate, d(timer) = 0, level kept between low and high; Steady(On, 0, Hi) and Steady(Off, Lo, ...)). The transitions TurnOff and TurnOn are taken when level reaches Hi or Lo, respectively, and reset timer to 0.]
Example: Qualitative Abstraction
[Figure: the qualitative abstraction of the WaterPump example, not reproduced.]
Model Approximation Abstraction
- Model approximation: given a control system P, we would like to find a reduced control system P̂ of order n < N with small output error
- Methods: Singular Value Decomposition (SVD), balanced reduction, Hankel norm, singular perturbation
- The control input u(t) is the same for both models.
- Designing a controller C for the reduced system P̂ is easier.
- Consistency
Powertrain and V2V OEPs
- We need both types of abstraction
  - Abstraction for analysis
  - Abstraction for control system design
- Model abstraction
  - The drivetrain dynamics is abstracted from the powertrain system
  - The input variable u(t) is the desired acceleration sent by the V2V controller
  - The actual throttle position and brake commands are computed using backstepping from u(t)
- Model approximation for torque generation and braking force: the engine has physical limitations, and the vehicle cannot change its state (velocity and acceleration) instantaneously.
  - The engine, transmission and throttle systems are approximated by a saturation element in series with a first-order filter
  - The engine, transmission and braking systems are approximated by a saturation element in series with a first-order filter
OEP Example: Power Train
[Figure: powertrain OEP model, not reproduced.]
OEP Example (continued)
[Figure: powertrain OEP model, continued, not reproduced.]
Specification-based testing
- Determines whether an implementation conforms to its specification
  - Hardware and protocol conformance testing
- Widely-used specifications
  - Finite state machines
  - Extended finite state machines
  - Labeled transition systems
- Consists of two main steps
  - Test generation from specifications
    - What to test, how to generate tests
  - Test execution on an implementation
    - Applies tests to an implementation and validates the observed behaviors
Our Approach
- The problem: automatic test generation from specifications
- Specifications: deterministic EFSMs
- Coverage criteria
  - Control flow: state and transition coverage
  - Data flow: all-definition and all-use coverage
- Test generation as model checking
Test coverage criteria
- Control flow coverage
  - State coverage
    - Requires every state be traversed at least once
  - Transition coverage
    - Requires every transition be traversed at least once
  - Path coverage
    - Requires every path of an EFSM be traversed at least once
    - Is the strongest coverage criterion and cannot be achieved in general
- Data flow coverage
  - Definition-use association (v, t, t')
    - A variable v is defined at transition t and used at t'
    - There exists a definition-clear path w.r.t. v from t to t'
  - All-def coverage
    - Requires a definition-clear path from each definition to some use be traversed
  - All-use coverage
    - Requires a definition-clear path from each definition to every use be traversed
Example: control flow
[Figure: EFSM used in the control-flow coverage example, not reproduced.]
Coverage criteria as CTL formulas
- State coverage
  - For every state q, EF in(q)
  - When testers designate an exit node, EF(in(q) ∧ EF exit)
- Transition coverage
  - For every transition t, EF(t ∧ EF exit)
- All-def coverage
  - For every variable v and every transition t defining v, EF(t ∧ EX E[¬def(v) U (use(v) ∧ EF exit)])
- All-use coverage
  - For every variable v, every transition t defining v, and every transition t' using v, EF(t ∧ EX E[¬def(v) U (t' ∧ EF exit)])
Test generation using a Model Checker
- A test sequence covering t3 and ending at Wait_req
- CTL formula (SMV): !EF(t3 & EF in(Wait_req))
- Counterexample: t1, t2, t3, t2, t4, t2, t6, t7, t10
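As an added example (not the slide's model or tool), the Python below plays the model checker's role for a constructed seven-transition EFSM: a breadth-first search returns the witness path for EF(t ∧ EF exit) and for the definition-use formulas of the previous slide, and returns None when a definition-use association has no definition-clear path, which a generated test suite must report rather than silently skip. The EFSM dictionary, its state and transition names, and the function names are constructed for this example.

```python
from collections import deque

# Constructed EFSM (not the slide's model): name -> (source, target, defs, uses).
# t3 reads n before writing it (n := n + 1), so it is a use of the preceding def.
EFSM = {
    "t1": ("Idle",     "Wait_req", {"n"},   set()),   # n := 0
    "t2": ("Wait_req", "Check",    set(),   set()),   # receive request
    "t3": ("Check",    "Serve",    {"n"},   {"n"}),   # n := n + 1
    "t4": ("Check",    "Reject",   {"err"}, set()),   # err := code (never read)
    "t5": ("Serve",    "Wait_req", set(),   {"n"}),   # reply carries n
    "t6": ("Reject",   "Wait_req", set(),   set()),
    "t7": ("Wait_req", "Done",     set(),   set()),   # exit node
}
INIT, EXIT = "Idle", "Done"

def path(src, accept_state=None, accept_trans=None, avoid=frozenset()):
    """Shortest transition sequence from `src` (BFS) ending with a transition that
    satisfies accept_trans, or arriving in a state that satisfies accept_state;
    transitions in `avoid` are never taken except as the accepting one."""
    if accept_state and accept_state(src):
        return []
    seen, work = {src}, deque([(src, [])])
    while work:
        s, seq = work.popleft()
        for name, (a, b, _, _) in EFSM.items():
            if a != s:
                continue
            if accept_trans and accept_trans(name):
                return seq + [name]
            if name in avoid:
                continue
            if accept_state and accept_state(b):
                return seq + [name]
            if b not in seen:
                seen.add(b)
                work.append((b, seq + [name]))
    return None

def join(*legs):
    return None if any(leg is None for leg in legs) else sum(legs, [])

def transition_test(t):
    """Witness for EF(t AND EF exit), i.e. the counterexample to !EF(...)."""
    return join(path(INIT, accept_trans=lambda n: n == t),
                path(EFSM[t][1], accept_state=lambda s: s == EXIT))

def du_test(v, t_def, t_use=None):
    """Witness for EF(t_def AND EX E[!def(v) U (use AND EF exit)]): a definition-clear
    path for v to t_use (all-use) or to any use of v (all-def), then to the exit."""
    redefs = {n for n, (_, _, defs, _) in EFSM.items() if v in defs}
    is_use = (lambda n: n == t_use) if t_use else (lambda n: v in EFSM[n][3])
    head = path(INIT, accept_trans=lambda n: n == t_def)
    mid = path(EFSM[t_def][1], accept_trans=is_use, avoid=redefs)
    if head is None or mid is None:
        return None
    return join(head, mid, path(EFSM[mid[-1]][1], accept_state=lambda s: s == EXIT))
```

du_test("n", "t1", "t5") is None because Serve is only reachable through t3, which redefines n, so the association (n, t1, t5) cannot be covered by any test; du_test("err", "t4") is None because err is never used.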
Test Generation for Hybrid Systems
- Specifications: CHARON
  - Discrete behaviors are described by transitions between modes
  - Continuous behaviors are described by differential equations associated with modes
- Test generation
  - Transform CHARON into a (finite) discrete abstraction
  - Find counterexamples by model checking the abstraction
  - Determine the executability of counterexamples
Analysis on one path
- Modularity
  - Efficient and accurate
  - Integration of sub-modes and agents at different time scales
- Detection of events
  - Accurate detection of constraint violations or transitions
- Applications
  - Reachability analysis
  - Simulation
Event Detection
- Given an event function g(x) and the trajectory x(t), we re-parameterize time by controlling the integration step size.
- Using feedback linearization we select our speed (step size) along the integral curves to converge to the event surface.
[Figure: a trajectory x(t) approaching the event surface g(x), with the crossing marked "Event!".]
Modularity: Hierarchy of Modes
1. Get integration time d and invariants from the supermode (or the scheduler).
2. Starting at time t = 0, while t < d do
   - Simplify all invariants.
   - Predict integration step dt based on d and the invariants.
   - Execute a time round of the active submode and get state s and time elapsed e.
   - Integrate for time e and get new state s.
   - Return s and t + e if invariants were violated.
   - Increment t := t + e.
3. Return s and d.
[Figure: the supermode passes (d, invariants) down to the mode, which passes (dt, invariants) down to its active submode; the submode returns (e, s) and the mode returns (t + e, s) on an invariant violation, or (d, s) when the round completes.]
Plan for FY02
- Abstraction techniques
  - Predicate abstraction
  - Qualitative abstraction
  - Model approximation
- Reachability analysis
  - Approximate analysis
  - Exact analysis
- Simulation in Charon
  - Hierarchical, modular simulation
  - Distributed simulation
- Test generation
  - Model-based test generation
  - Model-based test coverage
- Analysis methodology
  - Hierarchical modeling
  - Refinement to relate different models
  - Evaluation using OEP
Schedule
- Charon toolset with simulation and limited reachability analysis capability (to be released in 2Q F02, 4Q F02)
- Preliminary version of predicate abstraction package (1Q F02)
- Modular event detection and modular simulation packages implemented in Matlab (4Q F01)
- A reachability tool for nilpotent systems implemented in Mathematica (4Q F01)
- OEP case studies: models of automotive OEP challenge problems (1Q F02, 4Q F02), including
  - Vehicle-to-vehicle coordination using a hierarchical, modular architecture demonstrating scalability of the approach
  - Model-integration illustration by incorporating the models of the powertrain component at different levels of detail
- Preliminary version of test generation (3Q F02)