Design, Implementation, and Validation of Embedded Software DIVES - PowerPoint PPT Presentation

1
Design, Implementation, and Validation of Embedded Software (DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, and Oleg Sokolsky
Department of Computer and Information Science
Department of Electrical Engineering
Department of Mechanical Engineering and Applied Mechanics
University of Pennsylvania
2
DIVES Team
  • Faculty
  • Rajeev Alur (CIS)
  • Vijay Kumar (MEAM)
  • Insup Lee (CIS)
  • George Pappas (EE)
  • Oleg Sokolsky (CIS)

  • PhD Students
  • Joel Esposito, Yerang Hur, Franjo Ivancic, Salvatore La Torre, Pradumna Mishra, Jiaxiang Zhou
  • Research Associates
  • Thao Dang, Rafael Fiero
  • Programmers
  • Usa Samuppan, Valya Sokolsky
3
Project Overview
  • Project Goal
  • Develop languages, algorithms and tools for
    hybrid systems to facilitate the development of
    reliable embedded systems
  • Research Area
  • Compositional semantics to support hierarchical,
    modular specifications of hybrid systems
  • Abstraction techniques for analysis of embedded
    systems
  • Compositional model checking and optimal
    controller synthesis of hybrid systems
  • Model based run-time monitoring and testing of
    hybrid systems to provide an additional level of
    reliability

4
Progress since ESWG2
  • Progress on schedule
  • Analysis techniques
  • Compositional semantics (completed)
  • Theory of refinement (completed)
  • Modular event detection (completed)
  • Reachability analysis (on-going)
  • Abstraction techniques (on-going)
  • Predicate abstraction
  • Qualitative abstraction
  • Model-based test generation (started)
  • Analysis methodology
  • Hierarchical modeling framework for scalability
  • Modular modeling framework for model integration

5
Interactions with OEP and AFRL
  • Participated in teleconferences with OEP
  • Test vector generation, verification and synthesis
    of switching (Boeing)
  • Working on the automotive challenge problems
  • Vehicle-to-Vehicle (V2V) Coordination
  • Studied V2V model provided in Shift
  • Generated the hierarchical model of V2V in Charon
  • Interacting with Berkeley team to understand
    better the Shift model
  • Powertrain Modeling
  • Studied Powertrain model in Simulink
  • Developed approximate models in Charon
  • To be used in the V2V model we developed in
    Charon
  • Studying the Boeing OEP with the Boeing team's help
  • NetMeeting with Lt. Jason Lawson and Marc at AFRL

6
Outline of Technical Overview
  • Hierarchical modeling of V2V
  • Reachability analysis
  • Abstraction techniques
  • Abstraction for control system design
  • Model-based test generation
  • Modular event detection and simulation

7
Hierarchical V2V Model
  • Charon supports hierarchical and compositional
    modeling of hybrid systems
  • Hierarchical Control Architecture
  • Allows higher levels of hierarchy, preserving
    the same hierarchical block structure, to model
    complex situations
  • Formalization of hierarchy and clear interfaces
    within layers
  • Model analysis: verification, synthesis of mode
    switching, test generation, etc.
  • Developing a hierarchical control model to
    specify motion control and navigation functions
    as hierarchical layers
  • Lower layers of hierarchy: continuous
    controllers that interact with physical sensors
    and actuators for desired positioning and
    tracking
  • Higher layers of hierarchy: discrete event
    systems handling information, maneuvers,
    cooperation and safety
  • Clear interfaces for modes and agents
  • Identify patterns of design and implementation
    that can be reused across projects
  • Integrate the vehicle-vehicle and powertrain
    models

8
Example V2V model
Diagram: the agent Vehicle is composed of the agents RegulationLayer, CarSensor, InterVehicleCommunication_IN, InterVehicleCommunication_OUT and VehiclePlant.
9
Agent VehiclePlant in V2V
Diagram: the same Vehicle agent (RegulationLayer, CarSensor, InterVehicleCommunication_IN, InterVehicleCommunication_OUT, VehiclePlant), with VehiclePlant refined into the agents Dynamic Controller, Dynamic Sensor and Vehicle Dynamics and the communication ports Com_IN and Com_OUT.
10
Detailed VehiclePlant
Diagram: the agent VehiclePlant contains the agents DynamicController (modes Brake Controller and Torque Controller), DynamicSensor, Communication_IN, Communication_OUT and VehicleDynamics; VehicleDynamics is built from the agents PowerTrain, Brake, SI_Engine, GearShift, Rigid Body, Torque Converter, WheelSet and Moments.
11
Agent VehiclePlant
Diagram: the same decomposition as slide 10 (DynamicController with modes Brake Controller and Torque Controller, DynamicSensor, Communication_IN, Communication_OUT, and VehicleDynamics with PowerTrain, Brake, SI_Engine, GearShift, Rigid Body, Torque Converter, WheelSet and Moments), annotated with the signals exchanged between the agents: xDot_lls, xDDot_lls, xDot, xDDot, u_isl, p_man_lls, p_wheel_lls, w_wheel_lls, throttle_lls, gearRatio_lls, we_lls, steering, p_mcc and throttle_des.
12
Agent RegulationLayer
Diagram: the agent RegulationLayer with modes VehicleLeader, VehicleFollower, Collision_W_ON, Collision_W_Off, No_Warning, Cruise, Accelerate, Cruise_Cntrl, Join_ACC, ACC, Join_CACC, CACC, Decelerate, Braking, FCW, CFCW and Warning.
13
Agent Vehicle in Charon
14
Vehicle model in Charon
15
Reachability Analysis in Hybrid Systems
  • Problem Statement Given an initial region,
    compute whether a hybrid system can reach a given
    (bad) region.
  • The key computation step is to compute Reach(X)
    for a given region X
  • Two paradigms
  • Exact analysis
  • Approximate analysis

Figure: a region X and its reachable set Reach(X).
16
Reachability using quantifier elimination
(Requiem)
  • Given a nilpotent linear differential equation
    and a set of initial conditions given symbolically,
    Requiem computes various reachable sets exactly.
  • The symbolic computation uses the experimental
    quantifier elimination package in Mathematica 4.0.
  • The computation of reachable sets is converted into
    a quantifier elimination problem in the decidable
    theory of the reals as an ordered field.
  • Given a nilpotent system and a set defined by
    polynomial inequalities, Requiem automatically
    generates the quantifier elimination problem and
    invokes the experimental quantifier elimination
    package in Mathematica 4.0.
  • If the computation terminates, it returns a
    quantifier-free formula describing the reachable
    set.
  • Future versions of Requiem may consider parameter
    synthesis, and over-approximations of reachable
    sets.
  • More details on publications, download, examples
    at
  • http://www.seas.upenn.edu/hybrid/requiem.html
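
The two steps the slide describes, as an added worked example (Python written for this page; Requiem itself is a Mathematica package and this is not its code). For a nilpotent A the series for exp(A t) terminates, so the flow of x' = A x is a polynomial in t and can be computed with exact rational arithmetic; the reachability question "is the point x reachable from the initial box" then becomes an existential formula over the reals. The matrix (a double integrator x' = v, v' = 0), the initial box and the target points are assumptions of the example. The decision procedure below eliminates t exactly only when the back-mapped target is affine in t (the case A² = 0); higher degrees are exactly what Requiem hands to the Mathematica QE package, and the function says so rather than guessing.

```python
from fractions import Fraction


def mat_mul(a, b):
    """Product of two square matrices with Fraction entries."""
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def nilpotent_exp(a):
    """exp(A t) for a nilpotent square matrix A, as a matrix of polynomials in t.
    Each entry is a list of Fraction coefficients indexed by the power of t.
    Because A^n = 0, the exponential series has at most n terms, so the flow of
    x' = A x is a polynomial in t and this result is exact, not approximated."""
    n = len(a)
    a = [[Fraction(v) for v in row] for row in a]
    power = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]   # A^0 = I
    result = [[[] for _ in range(n)] for _ in range(n)]
    factorial = Fraction(1)
    for k in range(n + 1):
        if all(v == 0 for row in power for v in row):
            return result
        for i in range(n):
            for j in range(n):
                result[i][j].append(power[i][j] / factorial)              # coefficient of t^k
        power = mat_mul(power, a)
        factorial *= k + 1
    raise ValueError("matrix is not nilpotent")


def qe_problem(a, box, names):
    """The forward-reachability question for the initial box `box` (one (lo, hi)
    pair per coordinate), written as the existential formula over the reals that
    a quantifier elimination package would be handed: a point x is reachable iff
    some t >= 0 and some x0 in the box satisfy x = exp(A t) x0."""
    n = len(a)
    flow = nilpotent_exp(a)
    bounds = [f"{lo} <= {nm}0 && {nm}0 <= {hi}" for nm, (lo, hi) in zip(names, box)]
    equations = []
    for i in range(n):
        terms = [f"({c})*{names[j]}0*t^{k}"
                 for j in range(n) for k, c in enumerate(flow[i][j]) if c != 0]
        equations.append(f"{names[i]} == " + " + ".join(terms))
    quantified = ", ".join(["t"] + [nm + "0" for nm in names])
    return f"Exists[{{{quantified}}}, t >= 0 && " + " && ".join(bounds + equations) + "]"


def point_reachable(a, box, target):
    """Decide whether `target` is reachable from `box` under x' = A x, A nilpotent.
    exp(A t) is invertible with inverse exp(-A t), so
        exists t >= 0, x0 in box : target = exp(A t) x0
    is equivalent to
        exists t >= 0 : exp(-A t) target in box,
    a conjunction of polynomial inequalities in the single variable t.  Here t is
    eliminated exactly only when every such polynomial has degree <= 1 (the case
    A^2 = 0, e.g. the double integrator); higher degrees need a general real QE
    procedure, which is what Requiem delegates to Mathematica."""
    n = len(a)
    flow = nilpotent_exp(a)
    t_lo, t_hi = Fraction(0), None                       # feasible interval for t so far
    for i in range(n):
        coeffs = {}
        for j in range(n):
            for k, c in enumerate(flow[i][j]):           # substitute t -> -t, multiply by target
                coeffs[k] = coeffs.get(k, 0) + c * (-1) ** k * Fraction(target[j])
        degree = max((k for k, c in coeffs.items() if c != 0), default=0)
        if degree > 1:
            raise NotImplementedError("degree > 1 in t: needs a general quantifier elimination")
        offset, slope = coeffs.get(0, Fraction(0)), coeffs.get(1, Fraction(0))
        lo, hi = Fraction(box[i][0]), Fraction(box[i][1])
        if slope == 0:                                   # coordinate is constant along the flow
            if not lo <= offset <= hi:
                return False
            continue
        bound_a, bound_b = (lo - offset) / slope, (hi - offset) / slope
        if slope < 0:
            bound_a, bound_b = bound_b, bound_a
        t_lo = max(t_lo, bound_a)
        t_hi = bound_b if t_hi is None else min(t_hi, bound_b)
    return t_hi is None or t_lo <= t_hi


# Double integrator x' = v, v' = 0 (constructed example): A is nilpotent with A^2 = 0.
DOUBLE_INTEGRATOR = [[0, 1], [0, 0]]
INITIAL_BOX = [(0, 1), (1, 2)]       # x0 in [0, 1], v0 in [1, 2]

if __name__ == "__main__":
    print(qe_problem(DOUBLE_INTEGRATOR, INITIAL_BOX, ["x", "v"]))
    for point in [(5, 1.5), (-1, 1.5), (5, 3)]:
        print(point, point_reachable(DOUBLE_INTEGRATOR, INITIAL_BOX, point))
```

With velocity confined to [1, 2] the position can only grow, so (5, 1.5) is reachable (at t between 8/3 and 10/3), (-1, 1.5) is not, and (5, 3) is not because velocity never changes; the decision is exact because every number is a Fraction.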

17
Forward reachable set
18
Approximate Analysis
  • Abstraction techniques for analysis
  • Predicate abstraction
  • Qualitative abstraction
  • Abstraction techniques for control system design
  • Model approximation abstraction

19
Predicate Abstraction
  • Input is a hybrid automaton and a set of k
    Boolean predicates, e.g., x + y > 5 - z
  • The partitioning of the concrete state space is
    specified by the user-defined k predicates

Concrete space: L × R^n
Abstract space: L × {0,1}^k
20
Overview of the Approach
Flowchart: a hybrid system and a set of Boolean predicates define the abstract space, which is searched against the safety property. If no abstract counter-example exists, the property holds. Otherwise the counter-example is analyzed: either a real counter-example is found, or an additional predicate is derived and the search in the abstract space is repeated.
21
Searching the Abstract State
  • Discrete transitions correspond to discrete jumps
    of the concrete hybrid automaton
  • Continuous transitions correspond to continuous
    flow of the concrete hybrid automaton
  • Goal is to find one new abstract state that is
    reachable from the current abstract state
  • Possible strategies to find one new abstract
    state (fix-point vs. exponential state space)
  • Pick a likely abstract state that might lead the
    path to a counter-example and check reachability.
  • Pick an abstract state that could be reached
    quickly from the current abstract state and check
    it.
  • Check all new possible abstract states after
    computing one numerical time step.

22
Example: a discrete transition
  • The effect of a discrete transition

The three Boolean predicates are x > 0, y > 1, y > x. The reset mapping is y := x + 1, x := 0. Evaluating the Boolean predicates after the reset hence gives: x > 0 is false; y > 1 is true iff x > 0 held before the reset; y > x is true iff x > -1 held before the reset.
23
Benefits
  • In general, not necessary to compute Reach(X) for
    a region X
  • Computing continuous successors only of abstract
    states, not intermediate regions of unpredictable
    shape
  • Amenable to various search strategies
  • E.g., try all discrete transitions first, as this
    computation is less expensive than finding a
    continuous transition
  • Discover new predicates by examining
    counter-examples found

24
Implementation Status
  • Prototype implementation is (being) written in
    C.
  • It utilizes the tool d/dt (Verimag) to compute
    the continuous transitions.
  • Hence, only linear hybrid systems are being
    considered.
  • Preliminary results are expected by the end of
    the summer of 2001.
  • It will be integrated into the Charon toolset.

25
Qualitative Abstraction
  • Conventional approaches for discrete abstraction
    of differential equations
  • Based on the computation of reachable states
  • Exact computation is in general undecidable and
    is expensive even for restricted hybrid systems
  • Approximate computation (e.g., linear
    abstractions) is also expensive
  • Qualitative reasoning
  • AI technique for reasoning about continuous
    systems with incomplete knowledge
  • Allows sound and inexpensive (but coarse)
    discrete abstractions for both linear and
    nonlinear differential equations

26
Qualitative Abstraction Approach
  • Differential equations as finite state machines
  • State space
  • Symbolic and interval values instead of numerical
    values
  • amount ∈ {0, (0, low), low, (low, high), high,
    (high, full), full, (full, inf), inf}
  • Direction of change instead of precise continuous
    dynamics
  • d(amount) ∈ {dec, std, inc}
  • Transition relation
  • Determines next states based on continuity and
    mean value theorem
  • Is inherently coarse and nondeterministic

27
Example: Qualitative Models
SPRING
  global analog real x, v, a
  local analog real f
  d(x) = y
  d(y) = a
  f = m a
  f = -k x
28
Qualitative Abstraction of CHARON
  • The basic idea
  • Transform differential equations into finite
    state machines using qualitative abstraction
    while maintaining discrete behaviors
  • Soundness: L(ODE1) ⊆ L(QDE1), ..., L(ODE4) ⊆ L(QDE4)

Diagram: a CHARON agent with modes A, B, C and D, each with its differential equation ODE1..ODE4, next to the abstracted agent with the same modes and transitions but the qualitative differential equations QDE1..QDE4.
29
Example: CHARON
Diagram: agents Pool and WaterPump sharing the variable level. Pool: d(level) = flow. WaterPump has modes On and Off. Each mode has a Steady submode, Steady(rate, low, high): flow = rate, d(timer) = 0, with level kept between low and high (Steady(On, 0, Hi) and Steady(Off, Lo, ?)), and a Transient submode, Transient(On) or Transient(Off): flow = M(timer), d(timer) > 0, until timer reaches Ready. Transition TurnOff fires from On when level reaches Hi and resets timer := 0; transition TurnOn fires from Off when level reaches Lo and resets timer := 0.
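
The transition relation of slide 26, as an added worked example (Python written for this page, not the DIVES qualitative abstraction tool). It uses the slide's quantity space for amount and its three directions of change, and builds successor states from continuity and the mean value theorem alone, in the manner of QSIM: a quantity at a landmark moves into the adjacent interval in its direction of change, a quantity inside an interval may linger or reach a bounding landmark, and a reversal of direction must pass through std. No equation is consulted, which is why the relation is sound for any continuous trajectory but coarse and nondeterministic. The floor 0 and the unreachable landmark inf are treated as the bounds of the space; the invariant filter stands in for a CHARON mode invariant such as the water-pump level bound of slide 29.

```python
from collections import deque

# Quantity space of slide 26: landmarks in increasing order; the open intervals
# between adjacent landmarks are the remaining qualitative values.
LANDMARKS = ["0", "low", "high", "full", "inf"]
DIRECTIONS = ("dec", "std", "inc")


def successors(state):
    """Qualitative states that may follow `state` = (qval, qdir), where qval is a
    landmark name or a pair (lo, hi) of adjacent landmarks and qdir is the sign
    of the derivative (one of DIRECTIONS).

    Only continuity and the mean value theorem are used: a quantity leaves a
    landmark into the neighbouring interval in its direction of change, may stay
    in an interval or reach its bounding landmark, and can only reverse direction
    via 'std'.  States outside the quantity space get no successors."""
    qval, qdir = state
    out = set()
    if isinstance(qval, str):                            # at a landmark (a time point)
        i = LANDMARKS.index(qval)
        below = (LANDMARKS[i - 1], qval) if i > 0 else None
        above = (qval, LANDMARKS[i + 1]) if i + 1 < len(LANDMARKS) else None
        if qdir == "std":
            out.add((qval, "std"))
            if above:
                out.add((above, "inc"))
            if below:
                out.add((below, "dec"))
        elif qdir == "inc" and above:
            out.add((above, "inc"))
        elif qdir == "dec" and below:
            out.add((below, "dec"))
    else:                                                # inside an interval (a time interval)
        lo, hi = qval
        out.add((qval, qdir))                            # may stay in the interval
        if qdir == "std":
            out.update({(qval, "inc"), (qval, "dec")})
        elif qdir == "inc":
            if hi != LANDMARKS[-1]:                      # 'inf' is never reached
                out.update({(hi, "inc"), (hi, "std")})
        else:
            out.add((lo, "std"))
            if lo != LANDMARKS[0]:                       # '0' is the floor of the space
                out.add((lo, "dec"))
    return out


def reachable(initial, invariant=lambda state: True):
    """The finite-state-machine view: every qualitative state reachable from
    `initial` through states that satisfy `invariant` (a mode invariant)."""
    seen, queue = {initial}, deque([initial])
    while queue:
        for nxt in successors(queue.popleft()):
            if nxt not in seen and invariant(nxt):
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def at_most(qval, landmark):
    """Invariant helper: the qualitative value lies at or below `landmark`."""
    upper = qval if isinstance(qval, str) else qval[1]
    return LANDMARKS.index(upper) <= LANDMARKS.index(landmark)


if __name__ == "__main__":
    for s in sorted(reachable(("0", "inc")), key=str):
        print(s, "->", sorted(successors(s), key=str))
    print(len(reachable(("0", "inc"), lambda s: at_most(s[0], "high"))), "states with level <= high")
```

Starting from an empty amount that is increasing, the machine has 17 states; restricting it with the invariant amount ≤ high prunes it to 11, and (full, dec) never appears because the direction can only reverse through std, which the (full, inf) interval never reaches.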
30
Example Qualitative Abstraction
31
Model Approximation Abstraction
  • Model approximation
  • Given a control system P of order N,
    we would like to find a reduced control system P'
    of order n < N with small output error
  • Methods: Singular Value Decomposition (SVD),
    Balanced Reduction, Hankel Norm, Singular
    Perturbation
  • The control input u(t) is the same for both
    models.
  • Designing a controller C for P' is easier.
  • Consistency

32
Powertrain and V2V OEPs
  • We need both types of abstraction
  • Abstraction for analysis
  • Abstraction for control system design
  • Model Abstraction
  • The drivetrain dynamics is abstracted from the
    powertrain system
  • The input variable u(t) is the desired
    acceleration sent by the V2V controller
  • The actual throttle position and brake commands
    are computed using backstepping from u(t)
  • Model approximation for torque generation and
    braking force: the engine has physical limitations
    and the vehicle cannot change its state (velocity
    and acceleration) instantaneously.
  • The engine, transmission and throttle systems are
    approximated by a saturation element in series
    with a first-order filter
  • The engine, transmission and braking systems are
    approximated by a saturation element in series
    with a first-order filter

33
OEP Example Power Train
34
OEP Example (continued)
35
Specification-based testing
  • Determines whether an implementation conforms to
    its specification
  • Hardware and protocol conformance testing
  • Widely-used specifications
  • Finite state machines
  • Extended finite state machines
  • Labeled transition systems
  • Consists of two main steps
  • Test generation from specifications
  • what to test, how to generate test
  • Test execution of an implementation
  • Applies tests to an implementation and validates
    the observed behaviors

36
Our Approach
  • The problem: automatic test generation from
    specifications
  • Specifications: deterministic EFSMs
  • Coverage criteria
  • Control flow: state and transition coverage
  • Data flow: all-definition and all-use coverage
  • Test generation as model checking

37
Test coverage criteria
  • Control Flow Coverage
  • State coverage
  • Requires every state be traversed at least once
  • Transition coverage
  • Requires every transition be traversed at least
    once
  • Path coverage
  • Requires every path of an EFSM be traversed at
    least once
  • Is the strongest coverage criterion and cannot be
    achieved in general
  • Data Flow Coverage
  • Definition-use association (v, t, t')
  • A variable v is defined at transition t and used
    at t'
  • There exists a definition-clear path w.r.t. v
    from t to t'
  • All-def coverage
  • Requires a definition-clear path from each
    definition to some use be traversed
  • All-use coverage
  • Requires a definition-clear path from each
    definition to every use be traversed

38
Example control flow
39
Coverage criteria as CTL formulas
  • State coverage
  • For every state q, EF in(q)
  • When testers designate an exit node, EF(in(q) ∧
    EF exit)
  • Transition coverage
  • For every transition t, EF(t ∧ EF exit)
  • All-def coverage
  • For every variable v and every transition t
    defining v,
  • EF(t ∧ EX E[¬def(v) U (use(v) ∧ EF exit)])
  • All-use coverage
  • For every variable v, every transition t defining
    v, and every transition t' using v,
  • EF(t ∧ EX E[¬def(v) U (t' ∧ EF exit)])

40
Test generation using a model checker
A test sequence covering t3 and ending at Wait_req.
CTL formula (SMV): !EF(t3 & EF in(Wait_req))
Counterexample: t1, t2, t3, t2, t4, t2, t6, t7, t10
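
Test generation as model checking, as an added worked example (Python written for this page; the slides use SMV on an EFSM that is only shown as a figure, so the EFSM here is constructed and is not the one on slide 40). On the finite control graph the witness for EF φ is a reachability search, so each coverage formula of slide 39 becomes a search: a prefix that reaches the transition, for all-use a definition-clear segment that avoids every redefinition of the variable, and a suffix to the designated exit node. The guards and actions are comments only; the example is structural, and checking executability is left to the test executor, as the slides also separate generation from execution.

```python
from collections import deque

# Constructed example EFSM (not the one on the slides): control states S0..S2 plus
# the designated exit node; each transition is (name, source, target, defs, uses).
# Guards and actions appear as comments only: generation below is structural, and
# checking that a generated sequence is executable is left to the test executor.
TRANSITIONS = [
    ("t1", "S0", "S1", {"n"}, set()),          # n := 0
    ("t2", "S1", "S2", {"n", "k"}, {"n"}),     # [n < 3] n := n + 1; k := n
    ("t3", "S2", "S1", {"k"}, set()),          # k := 0
    ("t4", "S1", "Exit", set(), {"n", "k"}),   # [n >= 3 && k == 0]
]
INITIAL, EXIT = "S0", "Exit"
BY_NAME = {tr[0]: tr for tr in TRANSITIONS}


def witness(start, goal, allowed=lambda tr: True):
    """Shortest transition sequence from control state `start` whose last transition
    satisfies goal(tr) and whose earlier transitions all satisfy allowed(tr); None if
    there is none.  On the finite EFSM graph this is the witness a model checker
    returns for E[allowed U goal] (for EF goal when allowed is always true), i.e. the
    counterexample to the negated property."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        for tr in TRANSITIONS:
            name, source, target = tr[:3]
            if source != state:
                continue
            if goal(tr):
                return path + [name]
            if allowed(tr) and target not in seen:
                seen.add(target)
                queue.append((target, path + [name]))
    return None


def to_exit(state):
    """Witness for EF exit from `state` (empty if already at the exit node)."""
    return [] if state == EXIT else witness(state, lambda tr: tr[2] == EXIT)


def transition_coverage_tests():
    """One test per transition t, from the witness for EF(t && EF exit)."""
    tests = {}
    for name, _, target, _, _ in TRANSITIONS:
        prefix = witness(INITIAL, lambda tr: tr[0] == name)
        suffix = to_exit(target)
        tests[name] = None if prefix is None or suffix is None else prefix + suffix
    return tests


def def_clear_segment(v, t_def, t_use):
    """Definition-clear path w.r.t. v from the state after t_def up to and including
    t_use: the witness for E[!def(v) U t_use]; None if every path redefines v."""
    return witness(BY_NAME[t_def][2], lambda tr: tr[0] == t_use,
                   allowed=lambda tr: v not in tr[3])


def all_use_pairs():
    """Definition-use associations (v, t, t') for which a definition-clear path exists."""
    variables = sorted(set().union(*(tr[3] | tr[4] for tr in TRANSITIONS)))
    pairs = []
    for v in variables:
        for t_def in [tr[0] for tr in TRANSITIONS if v in tr[3]]:
            for t_use in [tr[0] for tr in TRANSITIONS if v in tr[4]]:
                if def_clear_segment(v, t_def, t_use) is not None:
                    pairs.append((v, t_def, t_use))
    return pairs


def all_use_test(v, t_def, t_use):
    """Test for one association, from the witness for
    EF(t_def && EX E[!def(v) U (t_use && EF exit)])."""
    prefix = witness(INITIAL, lambda tr: tr[0] == t_def)
    middle = def_clear_segment(v, t_def, t_use)
    suffix = to_exit(BY_NAME[t_use][2])
    if prefix is None or middle is None or suffix is None:
        return None
    return prefix + middle + suffix


if __name__ == "__main__":
    for t, seq in transition_coverage_tests().items():
        print(f"cover {t}:", seq)
    for v, t_def, t_use in all_use_pairs():
        print(f"all-use ({v}, {t_def}, {t_use}):", all_use_test(v, t_def, t_use))
```

The pair (k, t2, t4) is not an association: every path from S2 to t4 passes through t3, which redefines k, so the search with the !def(k) restriction finds nothing; the model checker would report the formula false for that pair rather than produce a test.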
41
Test Generation for Hybrid Systems
  • Specifications: CHARON
  • Discrete behaviors are described by transitions
    between modes
  • Continuous behaviors are described by
    differential equations associated with modes
  • Test generation
  • Transform CHARON into a (finite) discrete
    abstraction
  • Find counterexamples by model checking the
    abstraction
  • Determine the executability of counterexamples

42
Analysis on one path
  • Modularity
  • Efficient and accurate
  • Integration of submodes and agents at different
    time scales
  • Detection of Events
  • Accurate detection of constraint violations or
    transitions
  • Applications
  • Reachability Analysis
  • Simulation

43
Event Detection
Given an event function g(x) (the event surface is g(x) = 0), we re-parameterize time by controlling the integration step size. Using feedback linearization we select our speed (step size) along the integral curves x(t) so that the trajectory converges to the event surface (figure: trajectory x(t) approaching the surface g(x) = 0, labelled "Event!").
44
Modularity: Hierarchy of Modes
1. Get integration time d and invariants from the supermode (or the scheduler).
2. While (time t = 0; t < d) do
   - Simplify all invariants.
   - Predict integration step dt based on d and the invariants.
   - Execute the time round of the active submode and get state s and time elapsed e.
   - Integrate for time e and get new state s.
   - Return s and t + e if invariants were violated.
   - Increment t := t + e.
3. Return s and d.
Figure labels: (d, xInv) enter the mode from the supermode; (dt, yInv) are passed to the submode, which returns (e, s); the mode returns (t + e, s).
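
The time round of slide 44 combined with the event detection of slide 43, as an added worked example (Python written for this page; the project's modular event detection and simulation packages are in Matlab per slide 46, and this is not their code). Invariants flow down the mode hierarchy as the slide describes, the leaf integrates, and an event anywhere in the hierarchy ends the round with the elapsed time. For the step-size control the example scales the step by the distance to the surface over the rate of approach, g / (-ġ), so the trajectory converges to g = 0 geometrically instead of overshooting it; the RK4 integrator, the finite-difference estimate of ġ, the fraction LAMBDA, the tolerance and the two-level tank model are choices of the example, not the slides' scheme.

```python
STEP_MAX = 0.1      # largest integration step (assumption of this example)
LAMBDA = 0.5        # fraction of the remaining distance to the event surface covered per step
EVENT_TOL = 1e-6    # g(x) <= EVENT_TOL counts as "on the surface"


def rk4(flow, x, h):
    """One classical Runge-Kutta step of size h for x' = flow(x); x is a list."""
    k1 = flow(x)
    k2 = flow([xi + 0.5 * h * ki for xi, ki in zip(x, k1)])
    k3 = flow([xi + 0.5 * h * ki for xi, ki in zip(x, k2)])
    k4 = flow([xi + h * ki for xi, ki in zip(x, k3)])
    return [xi + h / 6.0 * (a + 2 * b + 2 * c + d) for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]


def integrate_until_event(flow, x, d, invariants):
    """Integrate x' = flow(x) for at most time d while every invariant g(x) >= 0.
    Returns (x, elapsed, violated), where violated names the invariant whose
    surface g(x) = 0 was reached, or is None if time d was exhausted.

    Event detection in the spirit of slide 43: when the flow is heading towards a
    surface, the step is cut to LAMBDA * g / (-g_dot), so the remaining distance
    shrinks geometrically and the trajectory lands on the surface instead of
    stepping over it."""
    t = 0.0
    while t < d:
        h = min(STEP_MAX, d - t)
        fx = flow(x)
        for name, g in invariants:
            gx = g(x)
            if gx <= EVENT_TOL:
                return x, t, name
            eps = 1e-7                               # finite-difference directional derivative of g along the flow
            g_dot = (g([xi + eps * fi for xi, fi in zip(x, fx)]) - gx) / eps
            if g_dot < 0:                            # approaching this surface: shrink the step
                h = min(h, LAMBDA * gx / -g_dot)
        x = rk4(flow, x, h)
        t += h
    return x, t, None


class Mode:
    """One level of a mode hierarchy.  A leaf mode owns a flow; a composite mode
    owns its active submode.  Both may carry invariants as (name, g) pairs with
    g(x) >= 0 required while the mode is active."""

    def __init__(self, name, invariants=(), flow=None, submode=None):
        self.name, self.invariants = name, list(invariants)
        self.flow, self.submode = flow, submode

    def time_round(self, x, d, inherited=()):
        """The time round of slide 44: run for at most time d from state x and
        return (x, elapsed, violated)."""
        invariants = list(inherited) + self.invariants     # 1. invariants from the supermode
        if self.submode is None:
            return integrate_until_event(self.flow, x, d, invariants)
        t = 0.0
        while t < d:                                       # 2. rounds of the active submode
            x, e, violated = self.submode.time_round(x, d - t, invariants)
            t += e
            if violated is not None:                       #    return early on an event
                return x, t, violated
        return x, t, None                                  # 3. full duration consumed


def demo():
    """Constructed two-level tank: the supermode 'Pool' bounds the timer, the
    submode 'Filling' integrates level' = 2, timer' = 1 and must keep level <= 5.
    State vector is [level, timer]."""
    filling = Mode("Filling",
                   invariants=[("level<=5", lambda s: 5.0 - s[0])],
                   flow=lambda s: [2.0, 1.0])
    pool = Mode("Pool", invariants=[("timer<=3", lambda s: 3.0 - s[1])], submode=filling)
    return pool.time_round([0.0, 0.0], 10.0)


if __name__ == "__main__":
    print(demo())   # the level reaches 5 at t = 2.5, before the timer bound
```

With a slower flow the supermode's timer invariant is the one that fires, even though only the leaf integrates: the invariant was inherited down the hierarchy exactly as in step 1 of the slide.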
45
Plan for FY02
  • Abstraction Techniques
  • Predicate abstraction
  • Qualitative abstraction
  • Model approximation
  • Reachability analysis
  • Approximate analysis
  • Exact analysis
  • Simulation in Charon
  • Hierarchical, modular simulation
  • Distributed simulation
  • Test generation
  • Model based test generation
  • Model based test coverage
  • Analysis methodology
  • Hierarchical modeling
  • Refinement to relate different models
  • Evaluation using OEP

46
Schedule
  • Charon toolset with simulation and limited
    reachability analysis capability (to be released
    2Q F02, 4Q F02)
  • Preliminary version of predicate abstraction
    package (1Q F02)
  • Modular event detection and modular simulation
    packages implemented in Matlab (4Q F01)
  • A reachability tool for nilpotent systems
    implemented in Mathematica (4Q F01)
  • OEP case studies: models of automotive OEP
    challenge problems, including (1Q F02, 4Q F02)
  • Vehicle-to-vehicle coordination using
    hierarchical, modular architecture demonstrating
    scalability of the approach
  • Model-integration illustration by incorporating
    the models of the powertrain component at
    different levels of detail
  • Preliminary version of test generation (3Q F02)