
Framework for Inter-Model Analysis of Cyber-Physical Systems


Cyber-physical systems are engineered using a broad range of modeling methods, from systems of ODEs to finite automata. Each modeling method comprises ways of representing a system (models) and reasoning about it (analyses). The growing diversity of CPS modeling methods creates a challenge of using models and analyses together: what implicit assumptions are models making about each other? In what order should analyses be composed? Incorrect answers to these questions may lead to modeling errors and, eventually, system failures.

In this talk I present a framework for inter-model analysis to deal with the challenge of multi-modeling. The framework allows its user to create architectural views as abstractions of models and to specify contracts for analyses. Given views and contracts, the framework verifies model consistency, determines a correct analysis execution sequence, and verifies that the assumptions and guarantees of the analyses hold.

Published in: Technology, Design


  1. Framework for Inter-Model Analysis of Cyber-Physical Systems
     Ivan Ruchkin, with Dionisio De Niz, Sagar Chaki, David Garlan. Carnegie Mellon University, Pittsburgh, PA, USA. The Summer School on Cyber-Physical Systems, Grenoble, France, July 2014.
  2. CPS engineering (diagram: models and analyses, with a "?" between them)
  3. Problem
     ● Engineers' models may be inconsistent
       – Modeling errors and system failures
     ● Model-based reasoning may be flawed
       – Unsound results and system failures
  4. Example: real-time scheduling
     ● Model & analysis 1: Thread-to-CPU assignment
       – Goal: assign each thread to a CPU & check schedulability
       – Inputs: threads, CPUs (as abstract execution units), WCETs, periods, deadlines
     ● Model & analysis 2: CPU frequency scaling
       – Goal: minimize CPU frequency to reduce energy losses
       – Inputs: assignment of threads to CPUs, CPU frequency
     ● Issue: Frequency scaling implicitly assumes that the policy is deadline monotonic!
  5. Simple solutions
     ● Apply frequency scaling anyway
       – Unsound: frequency scaling may not preserve schedulability
     ● Use labels (“DMS”) to synchronize analyses
       – Too limiting: excludes frequency scaling for some cases
  6. Our solution: analysis contracts
     1. Set up verification domains
     2. Specify contracts for analyses
     3. Determine the order of analyses
     4. Verify the contract when each analysis is used
  7. Step 1: verification domain
     Contains:
       – Atom sets (ℤ, threads, policies)
       – Static (period, deadline) & dynamic functions (preemption)
       – Execution semantics (Kripke structure) & interpretation
     (diagram: models and analyses mapped onto a verification domain)
  8. Step 2: contract specification
     ● Analysis contract contains:
       – I – atoms and static functions that are read
       – O – atoms and static functions that are output
       – A – set of assumptions
       – G – set of guarantees
     ● Language of A & G: φ ⇒ ψ; φ ∈ FOL, ψ ∈ LTL.
     ● Example for frequency scaling analysis:
       – I = {threads, CPUs, CPUBind, Dline}, O = {CPUFreq},
       – A = { ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2) : □ (CanPrmpt(t1, t2) ⇒ Dline(t1) ≤ Dline(t2)) }, G = { }.
  9. Step 3: analysis sequencing
     ● I/O dependencies form a directed graph
       – If acyclic: analyses are orderable
       – If cyclic: the cycle needs to be broken
     ● For the example, frequency scaling depends on thread-to-CPU assignment
  10. Step 4: contract verification
     ● Given: system model, contract formula φ ⇒ ψ
     ● SMT solver finds solutions for φ
     ● Model checking a behavioral model for ψ
       – Promela program implements the execution semantics
     ● For the example:
       – ∀ t1, t2 : threads | CPUBind(t1) = CPUBind(t2) : □ (CanPrmpt(t1, t2) ⇒ Dline(t1) < Dline(t2))
       – SMT for ∀ t1, t2 : threads | t1 ≠ t2 ∧ CPUBind(t1) = CPUBind(t2)
       – Spin verifies □ (CanPrmpt(t1, t2) ⇒ Dline(t1) < Dline(t2))
  11. Intra-model analysis framework
  12. Summary
     ● Analysis contracts:
       – Integrate reasoning from different models
       – Describe verification domains, specify contracts, find ordering, verify contracts
       – Implemented in a customizable framework
     ● Future work:
       – How do model structures affect verification domains?
       – What modeling aspects should be “contractified”?
  13. References
     ● I. Ruchkin, D. De Niz, S. Chaki, and D. Garlan. Contract-Based Integration of Cyber-Physical Analyses. To appear in EMSOFT 2014.
     ● A. Rajhans, A. Bhave, I. Ruchkin, B. Krogh, D. Garlan, A. Platzer, and B. Schmerl. Supporting Heterogeneity in Cyber-Physical Systems Architectures. To appear in IEEE Transactions on Automatic Control.
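Steps 3 and 4 of the slides (ordering analyses by their I/O dependencies, then checking the frequency-scaling assumption A on a concrete model) as an added Python example; this is not the talk's framework, which uses an SMT solver and Spin. The names "WCET" and "Period" for the remaining inputs of thread-to-CPU assignment, and the thread/CPU/deadline data, are constructed here; CanPrmpt is taken as a given static relation rather than checked over execution traces.

```python
from collections import defaultdict

# Contracts of the two analyses from the talk, reduced to their I (read) and
# O (output) sets. CPUBind, Dline and CPUFreq follow the slides; WCET and
# Period are assumed names for the other inputs of thread-to-CPU assignment.
CONTRACTS = {
    "thread_to_cpu": {"I": {"threads", "CPUs", "WCET", "Period", "Dline"}, "O": {"CPUBind"}},
    "freq_scaling": {"I": {"threads", "CPUs", "CPUBind", "Dline"}, "O": {"CPUFreq"}},
}


def analysis_order(contracts):
    """Step 3: order analyses so each runs after the producers of everything
    it reads. Raises ValueError when the I/O dependency graph has a cycle."""
    producers = defaultdict(set)
    for name, c in contracts.items():
        for out in c["O"]:
            producers[out].add(name)
    deps = {n: {p for i in c["I"] for p in producers[i] if p != n}
            for n, c in contracts.items()}
    order = []
    while len(order) < len(contracts):
        done = set(order)
        ready = sorted(n for n, d in deps.items() if n not in done and d <= done)
        if not ready:  # every remaining analysis waits on another remaining one
            raise ValueError("I/O dependency cycle among: "
                             + ", ".join(sorted(set(deps) - done)))
        order.append(ready[0])
    return order


def assumption_violations(threads, cpu_bind, dline, can_prmpt):
    """Step 4 on one model: the frequency-scaling assumption A, i.e. for all
    t1 != t2 with CPUBind(t1) = CPUBind(t2): CanPrmpt(t1, t2) => Dline(t1) <= Dline(t2).
    With CanPrmpt given as a static relation, the check is a direct scan;
    returns the (t1, t2) pairs that violate deadline-monotonic preemption."""
    return [(t1, t2) for t1 in threads for t2 in threads
            if t1 != t2 and cpu_bind[t1] == cpu_bind[t2]
            and (t1, t2) in can_prmpt and dline[t1] > dline[t2]]


# Constructed sample model: three threads on two CPUs, deadlines in time units.
THREADS = ["t1", "t2", "t3"]
CPU_BIND = {"t1": "cpu0", "t2": "cpu0", "t3": "cpu1"}
DLINE = {"t1": 10, "t2": 5, "t3": 8}
DMS_PRMPT = {("t2", "t1")}  # shorter deadline preempts: deadline monotonic
BAD_PRMPT = {("t1", "t2")}  # longer deadline preempts: assumption violated

if __name__ == "__main__":
    print(analysis_order(CONTRACTS))  # ['thread_to_cpu', 'freq_scaling']
    print(assumption_violations(THREADS, CPU_BIND, DLINE, DMS_PRMPT))  # []
    print(assumption_violations(THREADS, CPU_BIND, DLINE, BAD_PRMPT))  # [('t1', 't2')]
```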
