![Page 1: Teaching theoretical foundations of Cyber-Physical Systemskoclab.cs.ucsb.edu/cpsed/files/Fainekos.pdf · Teaching theoretical foundations of Cyber-Physical Systems Georgios Fainekos](https://reader030.vdocument.in/reader030/viewer/2022040208/5e1fc25f8863852a6b18d57e/html5/thumbnails/1.jpg)
1
LabCPS
fainekos at asu edu
http://www.public.asu.edu/~gfaineko
Teaching theoretical foundations of
Cyber-Physical Systems
Georgios Fainekos
July 2017 @ CPS Ed 2017
2
Modern Vehicles
[Figure: engine transmission control, hybrid powertrain control, electronic stability control, active collision avoidance]
Already demonstrated:
• Lane following & active cruise control
• Fully autonomous driving
• …
3
Embedded in: Automotive Systems
• Longitudinal dynamics: ABS (anti-lock brake system) and ASC (automatic stability control)
• Lateral dynamics: EDRC (engine drag reduction control) and CBC (corner braking control)
• DSC (dynamic stability control) uses all of the above
• Autonomous parking
• Lane following and adaptive cruise control
“Soon” near you:
• Fully autonomous vehicles
4
Smart Road Infrastructure: Closing the loop at a higher level
[Image by Ken Butts, Toyota] [Continental Cooperation: The Cloud as sensor]
5
Trust? : Sampling of automotive recalls (~2011-12) due to software errors …
• "A software error may prevent the transmission from downshifting, such as shifting from 5th to 4th gear when coasting," said NHTSA in its recalls summary of the problem. "This may result in decreased engine RPMs and possible engine stall, increasing the risk of a crash."
  No downshifting from 5th to 4th
• … the software that “allows the ECU to establish a ‘handshake’ with the engine is in error. The ECU monitors certain driving conditions, and when the engine is found to be out of tolerance, the software picks up an anomaly. When this happens, the ECU triggers a fault code. As the ECU tries to find an optimal driving condition outside its prescribed tolerances, a rough idle or stalling situation ensues.”
  Rough idling or stalling due to complicated adaptive ECU
• … to update the software that controls the hybrid electric motor. Under certain circumstances, it is possible, according to the company, "...for the electric motor to rotate in the direction opposite to that selected by the transmission."
  Electric motor to rotate in the direction opposite to that selected by the transmission
• If the fault occurs, cruise control can only be disabled by turning off the ignition while driving - which would mean a loss of some control and in many cars also disables power steering. Braking or pressing the cancel button will not work.
  Cruise control does not disengage unless turning off the ignition
• …
  Many more …
6
How serious is this problem?
The same holds for the medical device industry!
http://www.jdpower.com/press-releases/jd-power-safetyiq-may-2016
7
Is it always a software error?!?
From the Tesla Model X Owner’s manual (Not a bug!):
A Tesla somewhere in Switzerland
Tesla cars: Clearly a marvel of modern engineering!
• Why can't the engineers guarantee correct operation under all conditions?
• Can you prove / formally verify correctness?
• How do you even test such a system?
https://www.youtube.com/watch?v=qQkx-4pFjus
8
WHY IS THE PROBLEM CHALLENGING?
Are these just programming errors?!?
Could these be logical / design errors?!?
Can we even answer these questions efficiently and effectively?
9
Control design for powertrain
Controller design??
[Image: SimuQuest®; labels: Engine dynamics, Vehicle dynamics & Environment]
Challenges:
1. Noisy environment & high-dimensional nonlinear dynamics
2. Hard real-time requirements (<10 ms)
A simple model could have well over 60 continuous state variables.
Requirement: Whenever the normalized air-to-fuel ratio is outside [0.9,1.1], it will settle back inside the range within 1 sec, and stay there for at least 1 sec.
10
Engine models: Complex!
[Image: SimuQuest®]
Enginuity™ Modeling Approach
• Orifice Flow: Isentropic Flow Model
• Intake and Exhaust Plenum: Mass Conservation, Energy Conservation, …
• Combustion Chamber: Energy Conservation, Heat Transfer, Heat Release, Ignition Delay, Fuel Injection Dynamics, …
$$\dot m_2 = \begin{cases} > 0 & \text{if } p_1 > p_2 \\ = 0 & \text{if } p_1 = p_2 \\ < 0 & \text{if } p_1 < p_2 \end{cases}, \qquad \dot m_1 = \frac{A\,p}{R\,T}\,\psi, \qquad \psi = \ldots \max \ldots - \max \ldots$$
…
11
Develop controllers and generate code
[Image: SimuQuest®; label: Engine dynamics]
Simplify model: $\dot x = Ax + Bu$ or $\dot x = f(x, u)$, with $\#(x) \ll 60$
Design control laws, e.g. idle speed control [Figure: mode switching, labels economy / sport, charging / discharge]
A mix of autocode and manual coding
Real-time execution guarantees
12
Control design for powertrain
How can we guarantee that the embedded control system will satisfy the design requirements?
Designed to control an approximated model of the actual system
13
Control design for powertrain
Properties to check are typically on the physical side! (the domain of classical mechanical and electrical engineering)
Classical real-time systems and software engineering methods apply here! Still valuable, but …
14
HOW CAN WE BRIDGE THE GAP?
What are the mathematical foundations and algorithmic tools needed so that engineers can design such systems?
15
Guidelines on CPS Education
Planning your education in CPS? Then read the following:
Caspi et al., Guidelines for a Graduate Curriculum on Embedded Software and Systems, ACM Transactions on Embedded Computing Systems, Vol. 4, No. 3, August 2005, Pages 587–611
Henzinger & Sifakis, The Discipline of Embedded Systems Design, Computer, October 2007
16
Recommended Curriculum
1. Foundations of Computer Science and Engineering: Algorithms, Computer architecture, Language theory (automata, etc.), Programming languages, Operating systems, and Software engineering
2. Control, Signal processing, and Communication: Modeling, Control design, Signal processing, Discrete event systems
3. Hybrid systems (CS + Control + Communication)
17
Model Based Development for CPS
[Figure: adapted from T. D. Burton, Introduction to Dynamic System Analysis]
1. Physical phenomenon or device to be studied: objectives, specification & level of detail required
2. Model simplification (what effects can we neglect?) → Idealized system
3. Identify system variables & constants → Mathematical model (expected to be a dynamic model)
   Modeling: How is this done? Physics? Concurrency? Reactivity?
4. Solutions to the math model: analytical or numerical
   Simulation: How accurate? Pitfalls? Issues?
5. Performance assessment → aid in redesign to satisfy specs; model validation
   Analysis: What are the properties of interest? How do we establish them?
18
EXAMPLES OF MODEL BASED DESIGN FOR CPS: NUCLEAR REACTOR
What is an appropriate model?
What are properties of interest?
19
Nuclear reactor example
Without rods: $\dot T = 0.1\,T - 50$
With rod 1: $\dot T = 0.1\,T - 56$
With rod 2: $\dot T = 0.1\,T - 60$
Requirements:
Rod 1 and 2 cannot be used simultaneously
Once a rod is removed, you cannot use it for 10 minutes
Specification: Keep temperature between 510 and 550 degrees.
If T = 550 then either a rod is available or we shut down the plant.
20
Software model of nuclear reactor
[Figure: finite-state model with modes NoRod, Rod1, Rod2 and Shutdown]
21
Hybrid model of nuclear reactor
[Figure: hybrid automaton with modes NoRod, Rod1, Rod2 and Shutdown; clocks $y_1$, $y_2$ measure the time since rod 1, rod 2 was last removed]
Initial state: NoRod with $T = 510$, $y_1 \ge 10$, $y_2 \ge 10$
In every mode $\dot y_1 = 1$, $\dot y_2 = 1$.
• NoRod: $\dot T = 0.1\,T - 50$, invariant $T \le 550$
• Rod1: $\dot T = 0.1\,T - 56$, invariant $T \ge 510$
• Rod2: $\dot T = 0.1\,T - 60$, invariant $T \ge 510$
• Shutdown: invariant true
Transitions:
• NoRod → Rod1 when $T = 550 \wedge y_1 \ge 10$
• NoRod → Rod2 when $T = 550 \wedge y_2 \ge 10$
• Rod1 → NoRod when $T = 510$, reset $y_1 := 0$
• Rod2 → NoRod when $T = 510$, reset $y_2 := 0$
• NoRod → Shutdown when $T = 550 \wedge y_1 < 10 \wedge y_2 < 10$
Analysis: Is shutdown reachable?
Algorithmic verification: NO
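As an added worked example (not part of the slides or of any tool they mention), the Python below answers the reachability question for the reactor automaton as reconstructed above: each mode's flow is affine, so the time spent in a mode has a closed form, and because every guard compares the clocks only against the reuse delay, capping the clocks at that delay gives a finite state space that an exhaustive search over both rod choices covers. The `reuse` argument, the capping abstraction and the mode names are my assumptions; the slide fixes the delay at 10 minutes.

```python
"""Exhaustive reachability check for the reactor hybrid automaton (added example).

Modes and flows as reconstructed on the slide: NoRod dT/dt = 0.1T - 50 (T <= 550),
Rod1 dT/dt = 0.1T - 56 (T >= 510), Rod2 dT/dt = 0.1T - 60 (T >= 510).
A rod removed at T = 510 resets its clock; it may be reinserted only once the
clock reaches the reuse delay (10 minutes on the slide)."""
import math
from collections import deque

T_LOW, T_HIGH = 510.0, 550.0
FLOW = {"NoRod": (0.1, -50.0), "Rod1": (0.1, -56.0), "Rod2": (0.1, -60.0)}


def dwell_time(mode: str, t_from: float, t_to: float) -> float:
    """Time for dT/dt = a*T + b to move T from t_from to t_to.
    Closed form: T(t) = c + (T0 - c) * exp(a t) with c = -b/a."""
    a, b = FLOW[mode]
    c = -b / a
    return math.log((t_to - c) / (t_from - c)) / a


def heat_time() -> float:
    """NoRod: 510 -> 550, i.e. 10 ln 5, about 16.09 minutes."""
    return dwell_time("NoRod", T_LOW, T_HIGH)


def cool_time(rod: str) -> float:
    """Rod1 or Rod2: 550 -> 510 (Rod1: 10 ln 5, about 16.09; Rod2: 10 ln 1.8, about 5.88)."""
    return dwell_time(rod, T_HIGH, T_LOW)


def shutdown_reachable(reuse: float = 10.0) -> bool:
    """Explore every run starting in NoRod at T = 510 with both rods available.

    Clocks are capped at `reuse` (an abstraction added here): every guard only
    asks whether a clock is >= reuse or < reuse, so larger values behave
    identically and the set of clock pairs on each arrival at T = 510 is finite."""
    cap = lambda y: min(y, reuse)
    start = (reuse, reuse)            # (y1, y2) when entering NoRod at T = 510
    seen, frontier = {start}, deque([start])
    while frontier:
        y1, y2 = frontier.popleft()
        # NoRod: heat up to 550; both clocks advance by the heating time
        y1, y2 = cap(y1 + heat_time()), cap(y2 + heat_time())
        available = [rod for rod, y in (("Rod1", y1), ("Rod2", y2)) if y >= reuse]
        if not available:
            return True              # guard T = 550 and y1 < reuse and y2 < reuse fires
        for rod in available:        # the automaton may pick either available rod
            tc = cool_time(rod)
            # the inserted rod's clock is reset to 0 at removal (T = 510)
            nxt = (0.0 if rod == "Rod1" else cap(y1 + tc),
                   0.0 if rod == "Rod2" else cap(y2 + tc))
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return False


if __name__ == "__main__":
    print(f"heat {heat_time():.2f} min, rod1 {cool_time('Rod1'):.2f} min, "
          f"rod2 {cool_time('Rod2'):.2f} min")
    print("shutdown reachable with 10 min reuse delay:", shutdown_reachable(10.0))
    print("shutdown reachable with 40 min reuse delay:", shutdown_reachable(40.0))
```

With the slide's 10-minute delay the heating phase alone (about 16.09 minutes) already exceeds the delay, so a removed rod is always available again by the next time T reaches 550; raising the delay to 40 minutes makes the shutdown guard reachable.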
22
EXAMPLES OF MODEL BASED DESIGN FOR CPS: TRAIN GATE CONTROLLER
What is an appropriate model?
What are properties of interest?
23
The train gate example
Safety specification: If train is within 10 meters of the crossing, then the gate should be completely closed.
Liveness specification: Keep gate open as much as possible.
[Figure: System = Controller || Gate || Train; the train reports its position x and the events approach and exit, the controller issues lower and raise to the gate, whose angle is θ]
24
Train model
[Figure: hybrid automaton with modes far, near, past]
• Initially $x = 2000$ in mode far
• far: $\dot x \in [-50, -40]$, invariant $x \ge 1000$; on $x = 1000$ emit approach and go to near
• near: $\dot x \in [-50, -30]$, invariant $x \ge 0$; on $x = 0$ go to past
• past: $\dot x \in [-50, -30]$, invariant $x \ge -100$; on $x = -100$ emit exit, reset $x' \in [2000, \infty)$ and go to far
25
Gate model
[Figure: hybrid automaton with modes open, lowering, closed, raising]
• open: $\dot\theta = 0$, $\theta = 90$; on lower go to lowering (raise is a self-loop)
• lowering: $\dot\theta = -9$, invariant $\theta \ge 0$; on $\theta = 0$ go to closed; on raise go to raising
• closed: $\dot\theta = 0$, $\theta = 0$; on raise go to raising (lower is a self-loop)
• raising: $\dot\theta = 9$, invariant $\theta \le 90$; on $\theta = 90$ go to open; on lower go to lowering
26
Controller model
[Figure: hybrid automaton with modes idle, Going to lower, Going to raise; clock y]
• idle: $\dot y = 1$, invariant true; on approach reset $y := 0$ and go to Going to lower; on exit reset $y := 0$ and go to Going to raise
• Going to lower: $\dot y = 1$, invariant $y \le d$; emits lower and returns to idle; on exit reset $y := 0$ and go to Going to raise
• Going to raise: $\dot y = 1$, invariant $y \le d$; emits raise and returns to idle; on approach reset $y := 0$ and go to Going to lower
27
Synchronized transitions
[Figure: controller and train automata side by side; the approach and exit events synchronize the two automata]
28
Verifying the controller
[Figure: System = Controller || Gate || Train with signals x, θ and events approach, exit, lower, raise]
Safety specification: Can we avoid the set $\{(x, \theta) : -10 < x < 10 \wedge \theta > 0\}$?
Parametric verification: YES if $d \le 49/5$
29
TEXTBOOKS
Which textbooks support such an MBD approach to teaching foundations of CPS?
30
Senior undergraduate and graduate level
Lee and Seshia, Introduction to Embedded Systems — A Cyber-Physical Systems Approach
31
Graduate level
Rajeev Alur, Principles of Cyber-Physical Systems, MIT Press
Cassandras and Lafortune, Introduction to Discrete Event Systems, Springer
Belta, Yordanov & Gol, Formal Methods for Discrete-Time Dynamical Systems, Springer
32
Graduate level
Goebel, Sanfelice & Teel, Hybrid Dynamical Systems: Modeling, Stability, and Robustness, Princeton University Press
P. Tabuada, Verification and control of hybrid systems: a symbolic approach, Springer-Verlag
33
TEACHING FORMAL REQUIREMENTS
Why is it important?
34
Trust? : Sampling of automotive recalls (~2011-12) due to software errors …
• "A software error may prevent the transmission from downshifting, such as shifting from 5th to 4th gear when coasting," said NHTSA in its recalls summary of the problem. "This may result in decreased engine RPMs and possible engine stall, increasing the risk of a crash."
  When in 5th gear and RPM drops below x, then the system should always switch from 5th to 4th gear.
• … the software that “allows the ECU to establish a ‘handshake’ with the engine is in error. The ECU monitors certain driving conditions, and when the engine is found to be out of tolerance, the software picks up an anomaly. When this happens, the ECU triggers a fault code. As the ECU tries to find an optimal driving condition outside its prescribed tolerances, a rough idle or stalling situation ensues.”
  The engine should never stall while idle.
• … to update the software that controls the hybrid electric motor. Under certain circumstances, it is possible, according to the company, "...for the electric motor to rotate in the direction opposite to that selected by the transmission."
  The electric motor should always rotate in the direction selected by the transmission.
• If the fault occurs, cruise control can only be disabled by turning off the ignition while driving - which would mean a loss of some control and in many cars also disables power steering. Braking or pressing the cancel button will not work.
  The cruise control should always disengage when the “turn off” button is pressed.
• …
35
How complex can specifications be*?
NL: During the position (cp) regulation after a step input on demand (dp), when the absolute value of the maximum torque limit (tl) decreases with a step (precondition), the absolute value of the actuator response in torques (ct) must be less than the torque limit plus 10% in less than 10 ms (postcondition)
* H. Roehm, R. Gmehlich, T. Heinz, J. Oehlerking and M. Woehrle: Industrial Examples of Formal Specifications for Test Case Generation, ARCH 2015
36
[Figure: signals s1 and s2 over time with stabilization deadline x]
Specification: When ORANGE event happens after the BLACK EVENT, signal s2 should stabilize in the RED region within x time units. Signal s2 should stay in the RED region only until signal s1 has stabilized in the BLUE region.
How do we mathematically capture such requirements so that we can automatically verify/test a system?
Example adapted from Bosch requirements
37
Metric Interval Temporal Logic: Semantic Intuition
𝜙 ∷= ⊤ | 𝑝 | ¬𝜙 | 𝜙1 ∨ 𝜙2 | G𝐼𝜙 | F𝐼𝜙 | 𝜙1 U𝐼 𝜙2
• G 𝑎 – always a (a holds at every time from now on)
• F[1,3] 𝑎 – eventually a (a holds at some time between 1 and 3 time units from now)
• 𝑎 U 𝑏 – a until b (b holds at some future time, and a holds at every time before it)
• 𝑎 U[1,1.5] 𝑏 – a until b, with b required between 1 and 1.5 time units from now
[Figure: example timelines with sample points at 0, 0.4, 0.7, 1.1, 1.2, 1.7 (time, "now" at 0) illustrating each operator]
38
Possible formalizations?
G( (Orange P[0,y] Black) F[0,x]( (s2 in red) U G (s1 in blue) ))
G( (Orange P[0,y] Black) G[x,∞)( (s2 in red) G (s1 in blue) ))
[Figure: signals s1 and s2 over time with stabilization deadline x]
Example adapted from Bosch requirements
39
S-Taliro support in the V-process
[Figure: the V-process, from Informal Requirements, Formal Specifications and Model Design down to Autocode Generation (with multi-core in mind), then back up through Processor In the Loop (PIL), Hardware In the Loop (HIL) and System Calibration to System Deployment; the points 1–5 mark where S-Taliro provides support]
1. Testing formal specifications and specification mining [TECS 2013, ICTSS 2012, …]
2. Conformance testing: models, HIL/PIL or tuned/calibrated model [MEMOCODE 2014]
3. Testing formal specifications on the HIL/PIL calibrated system [TECS 2013, …]
4. Runtime monitoring of formal requirements [RV 2014]
5. Specification visualization [IROS 2015] & Debugging [MEMOCODE 2015]
40
Trial in Actual Control Model (Past defect case)
[Figure: automatically generated signals, plotted over Time [sec] of the simulation: Pedal [%] (brake, gas), Temp [℃], Engine rev [rpm], Logic Output (monitor, request) and Defect; annotations: ①.1 rapid high load, ①.2 over threshold, ①.3 ON, ② around 4000 rpm, ③ gas pedal OFF]
Generated input: Gas pedal [%], Brake [%], Shift {P,N,D}, Water temp [℃], Air temp [℃], Air pressure [kPa], Air conditioner SW
Detect the following defect on a SiLS model including all engine control: “monitor value − request value > 50” continues for over 500 msec
Defect condition:
① Specific logic on
② Engine revolution around 4000 rpm
③ Satisfy ①, ② and a specific accelerator operation
(Past defect case, intentional defect inserted by the logic developer)
Tried 6 large-scale models, 5 models were falsified.
S-Taliro could generate the complicated scenario including the defect
There are 75 control points
Shunsuke Kobuna
41
WHAT IS THE CHALLENGE IN FORMALIZING REQUIREMENTS?
42
Student homework (Graduate class): Formalizing requirements
• Traditional section of the class (31 students)
• On-line section (10 professional* students)

| Problem difficulty | Very Easy | Very Easy | Easy |
|---|---|---|---|
| Average | 9.4 | 9.6 | 7.2 |
| Median | 10.0 | 10 | 6 |
| Max | 10 | 10 | 10 |
| Min | 7.1 | 6.7 | 4 |

| Problem difficulty | Very Easy | Very Easy | Easy |
|---|---|---|---|
| Average | 7.7 | 7.7 | 6.8 |
| Median | 8.6 | 7.8 | 6.0 |
| Max | 10 | 10 | 10 |
| Min | 4.3 | 4.4 | 0 |

* Typically working engineers
43
Motivating Example: On-Line Survey
We asked:
“At some time in the first 30 seconds, the vehicle speed (v) will go over 100 and stay above 100 for 20 seconds”
Response:
𝜑 = ◇[0,30]( (𝑣 > 100) ⇒ □[0,20](𝑣 > 100) )
𝜑 is a tautology:
• If 𝑣 > 100 = ⊥ at some time in [0,30], then at that time (𝑣 > 100) ⇒ □[0,20](𝑣 > 100) = ⊤
• If 𝑣 > 100 = ⊤ at all times in [0,30], then □[0,20](𝑣 > 100) = ⊤ between [0,10], so (𝑣 > 100) ⇒ □[0,20](𝑣 > 100) = ⊤ between [0,10]
In both cases the implication holds at some time in [0,30], so ◇[0,30] of it is ⊤ on every trace.
B. Hoxha, N. Mavridis and G. Fainekos, VISPEC: A graphical tool for easy elicitation of MTL requirements, IROS 2015
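To make the argument above executable, here is an added Python MITL checker over sampled traces (my own code, not part of the slides or of the S-TaLiRo tool). The trace format, the finite-trace convention that a □ window reaching past the end of the recording is judged false (which is what makes □[0,20] hold only on [0,10] of a 30 s trace, as on the slide), the constructed speed profiles, and the reading of the English sentence as ◇[0,30] □[0,20](v > 100) are all assumptions of this example.

```python
"""Discrete-time MITL checker over sampled traces (added example, not from the slides)."""
from typing import Callable, Dict, List, Tuple

Trace = List[Tuple[float, Dict[str, float]]]   # (timestamp, signal values), t increasing


# Formula constructors (nested tuples); And and Imp are derived as in the slide's grammar
def AP(signal: str, pred: Callable[[float], bool]): return ("ap", signal, pred)
def Not(f): return ("not", f)
def Or(f, g): return ("or", f, g)
def And(f, g): return Not(Or(Not(f), Not(g)))
def Imp(f, g): return Or(Not(f), g)                  # f ⇒ g
def G(a, b, f): return ("G", a, b, f)                # □[a,b] f
def F(a, b, f): return ("F", a, b, f)                # ◇[a,b] f
def U(a, b, f, g): return ("U", a, b, f, g)          # f U[a,b] g


def _window(trace: Trace, i: int, a: float, b: float) -> List[int]:
    """Indices j >= i whose timestamp lies in [t_i + a, t_i + b]."""
    t0 = trace[i][0]
    return [j for j in range(i, len(trace)) if t0 + a <= trace[j][0] <= t0 + b]


def sat(f, trace: Trace, i: int = 0) -> bool:
    """Truth of f at sample i. Finite-trace convention (an assumption of this
    example): □ over a window that extends past the last sample is false, since
    the unrecorded future cannot be shown to satisfy it; ◇ and U need a witness
    inside the recording."""
    op = f[0]
    if op == "ap":
        return f[2](trace[i][1][f[1]])
    if op == "not":
        return not sat(f[1], trace, i)
    if op == "or":
        return sat(f[1], trace, i) or sat(f[2], trace, i)
    b, js = f[2], _window(trace, i, f[1], f[2])
    if op == "G":
        return trace[i][0] + b <= trace[-1][0] and all(sat(f[3], trace, j) for j in js)
    if op == "F":
        return any(sat(f[3], trace, j) for j in js)
    if op == "U":   # g at some j in the window, f at every k in [i, j)
        return any(sat(f[4], trace, j) and all(sat(f[3], trace, k) for k in range(i, j))
                   for j in js)
    raise ValueError(f"unknown operator {op}")


def speed_trace(fast: Callable[[float], bool], horizon: float = 40.0) -> Trace:
    """Constructed trace sampled every second: v = 120 where fast(t) holds, else 80."""
    return [(float(t), {"v": 120.0 if fast(t) else 80.0}) for t in range(int(horizon) + 1)]


FAST = AP("v", lambda v: v > 100)
PHI_SURVEY = F(0, 30, Imp(FAST, G(0, 20, FAST)))   # the survey response from the slide
PHI_INTENDED = F(0, 30, G(0, 20, FAST))            # my reading of the English sentence


def check(trace: Trace) -> Tuple[bool, bool]:
    """(survey formula holds, intended formula holds) on the trace."""
    return sat(PHI_SURVEY, trace), sat(PHI_INTENDED, trace)


if __name__ == "__main__":
    for name, fast in [("never above 100", lambda t: False),
                       ("above 100 on [5,25]", lambda t: 5 <= t <= 25),
                       ("above 100 on [5,15]", lambda t: 5 <= t <= 15)]:
        survey, intended = check(speed_trace(fast))
        print(f"{name:22s} survey={survey} intended={intended}")
```

The survey formula comes out true on all three constructed profiles, including the one where the speed never exceeds 100, while the intended formula only holds on the profile with 20 consecutive seconds above 100.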
44
Visual Specification Language (ViSpec)
We have developed a graphical formalism for MTL specification elicitation. Example:
𝜙5 = 𝐺( 𝜆𝑑𝑖𝑓𝑓 > 0.1 → 𝐹[0,1] 𝐺[0,1] (𝜆𝑑𝑖𝑓𝑓 < 0.1) )
B. Hoxha and H. Bach and H. Abbas and A. Dokhanchi and Y. Kobayashi and G. Fainekos, Towards Formal Specification Visualization for Testing and Monitoring of Cyber-Physical Systems, DIFTS 2014
45
ViSpec – Usability Study
Each user received ten tasks:
• To formalize an NL specification from the automotive industry using ViSpec
Group 1: Non-expert users
No experience in working with requirements.
20 subjects from the student community at ASU
Group 2: Expert users
Experienced in working with requirements (not necessarily formal requirements)
10 subjects from the industry in the Phoenix area
B. Hoxha, N. Mavridis and G. Fainekos, VISPEC: A graphical tool for easy elicitation of MTL requirements, IROS 2015
46
Debugging MITL Specification
[Figure: specification elicitation framework with 3 levels of specification debugging; an MITL formula that passes all levels is accepted]
47
Problem Formulation
Given an MITL formula ϕ, find whether ϕ has any of the following logical issues:
• Validity: the specification is unsatisfiable or a tautology.
• Redundancy: the formula has redundant conjuncts.
• Vacuity: some subformulas do not contribute to the satisfiability of the formula.
A. Dokhanchi, B. Hoxha, and G. Fainekos, Metric interval temporal logic specification elicitation and debugging. MEMOCODE 2015
48
Runtime Overhead
49
WRAPPING UP
50
As seen in …
51
Vision: a complete theory for MBD for CPS
[Figure: the V-process, from Informal Requirements, Formal Specifications and Model Design down to Autocode Generation (with multi-core in mind), then back up through Processor In the Loop (PIL), Hardware In the Loop (HIL) and System Calibration to System Deployment]
Transparent from the user perspective:
1. Automated synthesis
2. Testing and verification support with guarantees
Awards: 1017074, 1116136, 1319560, 1350420, 1446730
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
53
Acknowledgements (Main contributors to the S-TaLiRo project)
Current Students
• Adel Dokhanchi – PhD
• Bardh Hoxha – PhD
• C. Erkan Tuncali – PhD
• Shakiba Yaghoubi – PhD
Former Students
• Houssam Abbas – PhD
• Y. Annapureddy – MS
• Rahul T. Srinivasa – MS
• Hengyi Yang – MS
• Hoang Bach – BS
• Jorge Mendoza – BS
Main collaborator
• CU, Boulder: S. Sankaranarayanan
Other collaborators
• ASU: Y. Kobayashi, Y-H Lee, H. Mittelmann
• NEC Labs: A. Gupta (now in Princeton), F. Ivancic (now in Google)
• RPI: Agung Julius
• Toyota: J. V. Deshmukh, J. Kapinski, K. Ueda, H. Yazarel (now in CareFusion), X. Jin
Special Thanks: S. Vrudhula (ASU)
We build systems you can trust your life on!