Design, Implementation, and Validation of Embedded Software (DIVES) - PowerPoint PPT Presentation



1
Design, Implementation, and Validation of Embedded Software (DIVES)
Rajeev Alur, Vijay Kumar, Insup Lee (PI), George Pappas, Oleg Sokolsky
Department of Computer and Information Science, Department of Electrical Engineering, Department of Mechanical Engineering and Applied Mechanics, University of Pennsylvania
1 February 2002
2
Topic Area 1. Administrative
3
Administrative Information
  • Project title: Design, Implementation, and Validation of Embedded Software (DIVES)
  • PI: Insup Lee (215-898-3532, lee_at_cis.upenn.edu)
  • Co-PIs: Rajeev Alur, Vijay Kumar, George Pappas
  • Organization: University of Pennsylvania
  • Contract number: DARPA ITO MOBIES F33615-00-C-1707
  • AO Number: K230
  • Award end date: May 16, 2003
  • Agent: 1st Lt. Jason Lawson, Air Force Research Laboratory

4
DIVES Team
  • Faculty
    • Rajeev Alur (CIS)
    • Vijay Kumar (MEAM)
    • Insup Lee (CIS)
    • George Pappas (EE)
    • Oleg Sokolsky (CIS)
  • PhD Students
    • Calin Belta
    • Joel Esposito
    • Yerang Hur
    • Franjo Ivancic
    • Pradyumna Mishra
    • Usa Sammapun
  • Research Associates
    • Thao Dang
    • Salvatore La Torre
    • Herbert Tanner
  • Part-time Programmers
    • Dan Huber
    • Valya Sokolskaya
5
Topic Area 2. Collaborators
  • CMU
  • Berkeley
  • Vanderbilt University

6
Topic Area 3. Problem Description and Program
Objective
7
Project Overview
  • Project Objective
    • Develop languages, algorithms and tools for hybrid systems to facilitate the development of reliable embedded systems
  • Project Description: main research directions
    • Compositional semantics to support hierarchical, modular specifications of hybrid systems
    • Reachability analysis of embedded systems
    • Compositional analysis and optimal controller synthesis of hybrid systems
    • Model-based testing and validation of hybrid systems to provide an additional level of reliability

8
Topic Area 4. Milestone Excel Spreadsheet
  • Provided separately.

9
Topic Area 5. Tool Description
10
Tools at UPenn
  • CHARON modeling environment
  • Reachability analysis based on predicate
    abstraction
  • Adaptive simulation tool
  • Requiem
  • Test generation (under development)
  • Abstraction checker (under development)
  • Much of our effort in the last 6 months was driven by the OEP problems (V2V and ETC).

11
1. CHARON Toolkit
  • Hierarchical modeling of Hybrid systems
  • Compositional semantics
  • Simulation
  • Assertion checking

12
2. Reachability analysis tool
  • Input
    • Linear hybrid systems
      • Modes have linear dynamics
      • Mode invariants and transition guards are linear
    • Input format is compatible with HSIF
  • Output
    • Execution trace reaching the bad state

Diagram: a CHARON model (a Simulink/Stateflow front end is also shown) is translated into a linear hybrid system, which, together with the properties and predicates, goes into the reachability computation; the result is a counterexample when the property fails.
13
Reachability computation
Diagram of the predicate abstraction loop: the hybrid system and the Boolean predicates obtained from the safety property define an abstract space, which is searched. If no abstract counter-example exists, the property holds. Otherwise the counter-example is analyzed: either a real counter-example is found, or an additional predicate is added and the search is repeated.
14
Implementation status
  • Implemented in C
  • Continuous successors computed by d/dt routines
    • Determines the choice of linear hybrid systems as input language
  • Preliminary results have been obtained
  • Counterexample generation is being implemented
  • Automatic translation of CHARON models into linear hybrid systems is incorporated into the CHARON toolset
  • Connection to Simulink/Stateflow is being considered

15
3. Adaptive simulation tool
  • Input
    • Matlab model
  • Implementation
    • Adaptive integration routines for multi-rate and multi-agent simulation implemented in C
    • Used instead of standard Matlab integration routines
  • Output
    • Matlab simulation trace
  • Integration
    • Simulink/Stateflow can use custom integration routines for simulation
    • Integration with the Charon simulator is under way

16
Multi-time scale simulation
  • Hierarchical systems have different time scales
  • Multirate techniques exploit this by using different step sizes
    • Careful use of interpolants to accommodate coupling

17
Multi-agent simulation
  • Agents proceed independently during simulation
  • Agents with slower dynamics are integrated with
    larger steps, saving unnecessary computation
  • Discrete events may depend on the state of
    several agents
  • Adaptive step size selection synchronizes agents
    state close to event boundary
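As an added example (not code from the DIVES adaptive simulation tool), the multi-rate, multi-agent scheme from the two slides above in Python: the agents' dynamics, step sizes and the gap event are constructed for the example.

```python
# Added example, not the DIVES adaptive simulation tool: two constructed agents
# are integrated (forward Euler) with their own step sizes, the slower one with a
# larger step; the lead's state between its steps comes from an interpolant. A
# discrete event (gap below GAP_MIN) depends on both states; when it is predicted
# inside the next step, the step is bisected so both agents meet at the event.

def euler(state, deriv, h):
    """One forward-Euler step of length h."""
    return [s + h * d for s, d in zip(state, deriv(state))]

# Constructed agents: state = [position, velocity].
LEAD = {"state": [100.0, 10.0], "h": 0.5,              # slow decay, big step
        "f": lambda s: [s[1], -0.2 * s[1]]}
FOLLOW = {"state": [0.0, 20.0], "h": 0.05,            # fast speed loop, small step
          "f": lambda s: [s[1], 2.0 * (30.0 - s[1])]}
GAP_MIN = 5.0

def simulate(lead=LEAD, follow=FOLLOW, t_end=20.0, tol=1e-4):
    """Advance both agents until the gap event or t_end.
    Returns (event_time or None, gap at the end, follower step count)."""
    lead_s, lead_t = list(lead["state"]), 0.0     # lead's last committed state
    foll_s, t, steps = list(follow["state"]), 0.0, 0

    def lead_at(tau):          # interpolant for the lead between its own steps
        return euler(lead_s, lead["f"], tau - lead_t)

    def gap_after(h):          # predicted gap if the follower steps by h
        return lead_at(t + h)[0] - euler(foll_s, follow["f"], h)[0]

    while t < t_end:
        if t - lead_t >= lead["h"]:                   # lead takes its own larger step
            lead_s, lead_t = lead_at(t), t
        h = min(follow["h"], t_end - t)
        if gap_after(h) < GAP_MIN:                    # event inside this step
            lo, hi = 0.0, h                           # bisect: gap(lo) >= GAP_MIN > gap(hi)
            while hi - lo > tol * follow["h"]:
                mid = (lo + hi) / 2.0
                lo, hi = (mid, hi) if gap_after(mid) >= GAP_MIN else (lo, mid)
            foll_s = euler(foll_s, follow["f"], lo)
            lead_s, lead_t = lead_at(t + lo), t + lo  # both synced at the boundary
            return t + lo, lead_s[0] - foll_s[0], steps + 1
        foll_s, t, steps = euler(foll_s, follow["f"], h), t + h, steps + 1
    return None, lead_at(t)[0] - foll_s[0], steps
```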

18
4. Requiem
  • Exact symbolic continuous reachability computation
  • Input
    • Nilpotent linear differential equations (e.g., V2V)
    • Semialgebraic sets as initial conditions
  • Output
    • A quantifier-free formula describing the reachable set
  • Implementation
    • A Mathematica 4.0 notebook
    • Uses the experimental quantifier elimination package

19
5. Test generation
  • Goal: generate a suite of tests based on a given level of coverage for the model
  • Input
    • A model of the system as a hierarchical state machine
    • A coverage criterion as a parameterized collection of temporal logic formulas
  • Output
    • A test suite
  • Implementation
    • In progress
    • An off-the-shelf model checker is used

20
6. Abstraction analysis
Goal: to develop a formal methodology for deriving consistent abstractions of complex dynamical control systems
  • Input: linear control systems, subject to input and state constraints
  • Output: reduced-order linear control systems capturing the behavior of the original systems
  • Implementation
    • We are beginning to develop Matlab tools for checking the consistency of modeling abstractions for discrete-time control systems in the presence of state and input constraints.

21
Penn's Tool Chain
Diagram of the tool chain; only the node labels survived extraction: Simulink, Teja, Matlab, HSIF, CHARON, Test Generation, code, Model Reduction, Predicate Abstraction, d/dt.
22
Topic Area 6. OEP Participation
23
Automotive OEP
  • We participate in both the vehicle-to-vehicle coordination and ETC challenge problems
    • Perform analysis of models for the challenge problems using DIVES analysis tools and methodologies
    • We will demonstrate the analysis capabilities during the midterm experiments
  • We participated in all ESWG meetings and a number of teleconferences
    • Actively participated in formulating the V2V experimental setup
    • Contributed to the definition of HSIF
    • Helped to define the logistics of the experiments
  • V2V POC: Franjo Ivancic; OEP collaborator: Anouck Girard
  • ETC POC: Oleg Sokolsky; OEP collaborator: Paul Griffiths
  • One-day workshop with the CMU team to discuss ETC problems

24
Topic Area 7. Project Status
25
Progress since last meeting
  • Progress on schedule
  • Recently developed techniques
    • Simulation relations for constrained discrete-time linear systems
    • Multi-agent simulation methodology
    • Composability of abstractions
    • Model-based test generation for data-flow coverage criteria
  • Publications during the last six months
    • 2 journal papers, 11 conference and workshop papers
  • Specific milestones accomplished
    • Modular and distributed simulation techniques
    • V2V and ETC problems

26
Project status
  • Selected publications since the last PI meeting
  • Automatic Test Generation using Model Checking,
    H.S. Hong, I. Lee, O. Sokolsky, and S.D. Cha,
    Workshop on Formal Approaches to Testing of
    Software, BRICS Notes Series NS-01-4, pp. 15--31,
    August 2001.
  • A Temporal Logic Based Theory of Test Coverage
    and Generation, H.S. Hong, I. Lee, O. Sokolsky,
    and H. Ural, to appear in TACAS'02.
  • Reachability analysis of hybrid systems via
    predicate abstraction, R. Alur, T. Dang, F.
    Ivancic, to appear at the 5th International
    Workshop, Hybrid Systems Computation and
    Control, HSCC 2002.
  • Composing Abstractions of Hybrid Systems, P.
    Tabuada, G.J. Pappas, and P. Lima, to appear at
    the 5th International Workshop, Hybrid Systems
    Computation and Control, March 2002.
  • Simulation Relations for Discrete-Time Linear
    Systems, H. Tanner and G.J. Pappas, to appear at
    the 15th International Federation on Automatic
    Control World Congress, July 2002.
  • Hierarchies of Stabilizability Preserving Linear
    Systems, G.J. Pappas and G. Lafferriere, 40th
    IEEE Conference on Decision and Control, December
    2001
  • Abstractions of Hamiltonian Control Systems
    (Finalist, Best Student Paper Award), P. Tabuada
    and George J. Pappas, 40th IEEE Conference on
    Decision and Control, December 2001
  • Multi-modal control of systems with
    constraints, T.J. Koo, G.J. Pappas, and S.
    Sastry, 40th IEEE Conference on Decision and
    Control, December 2001
  • Multi-agent hybrid simulation, J. Esposito, V.
    Kumar, and G.J. Pappas, 40th IEEE Conference on
    Decision and Control, December 2001
  • Hierarchical hybrid modeling of embedded
    systems, R. Alur, T. Dang, J. Esposito, R.
    Fierro, Y. Hur, F. Ivancic, V. Kumar, I. Lee, P.
    Mishra, G.J. Pappas, and O. Sokolsky, Embedded
    Software, Lecture Notes in Computer Science,
    volume 2211, October 2001

27
V2V challenge problem
  • An abstract model of the two vehicles is
    constructed
  • Simulations and assertion checking performed by
    the CHARON toolkit
  • Variables
    • distance
    • velLead
    • velFollow
    • acceleration (uncertain input)

28
V2V challenge problem
  • The hierarchical CHARON model was automatically translated to the flat linear hybrid system and verified using predicate abstraction
  • No collisions are possible when executions start in the following initial set
    • 5 ≤ distance ≤ 1000
    • 5 ≤ velLead ≤ 15
    • 18 ≤ velFollow ≤ 30
  • There are 17 predicates and 16 reachable abstract states

29
V2V midterm experiment
  • Goals
    • Demonstrate effectiveness of abstractions and analysis techniques
    • Demonstrate integration between the modeling and analysis tools
  • Steps of the experiment
    • Load the model into the Charon toolset and simulate it
    • Perform automatic translation into the reachability tool format
    • Perform predicate abstraction and specify input sets
    • Perform reachability analysis
  • Success criteria
    • Being able to prove or disprove safety properties

30
ETC Challenge Problem
  • Two experiments are planned
  • Analysis of the ETC model
    • Several abstraction techniques employed
    • Reachability analysis is used to prove properties of the abstracted model
    • Conservativeness of the abstractions ensures the properties hold for the original model
  • Test generation from the ETC model
    • Tests are generated from the controller model only
    • Tests will be applied to the implementation of the ETC controller

31
ETC analysis experiment
  • Goals
    • Demonstrate effectiveness of abstraction and analysis techniques
  • Steps of the experiment
    • Start from the Simulink models of ETC
    • Step 1: simplification (completed)
      • Manual application of abstractions
      • Result: a model with 4 modes, 9 variables and 1 continuous input is reduced to a model with 4 modes, 3 variables and 3 discrete-time inputs
    • Step 2: analysis (in progress)
      • Automatic transformation into the reachability tool format
      • Perform predicate abstraction and specify input sets
      • Perform reachability computation

32
Full ETC model
Block diagram of the full ETC model; only block labels survived extraction: signal generator, human input, parameters, filter and controller, actuator, plant, sensors, with signals a, u and others.
33
Abstraction procedure
34
Filter abstraction
Approach: overapproximate the filter output by additional independent bounded inputs
35
Actuator-Plant abstraction
Consistent abstractions of discrete-time linear control systems can be derived and checked using the notion of simulation relations (Tanner and Pappas, 2001).
We construct a surjective linear map from the original state space X to the quotient state space Z that captures the amount of state information preserved in the abstraction.
S1 simulates S2 (i.e., it is a valid abstraction of S2) if and only if the following set containment relation holds:
The condition allows the analytical construction of the abstract system. In the case of polyhedral constraints, it can be checked efficiently using standard linear programming algorithms.
36
Actuator-Plant abstraction
37
Abstraction Results
38
ETC test generation experiment
  • Goals
    • Demonstrate model-based test generation techniques
  • Status
    • Tool implementation is being carried out
    • Test suites for mode and transition coverage, as well as definition-use dependency coverage, have been generated manually
    • Test application to the ETC implementation is under way

39
ETC test generation experiment
  • Steps of the experiment
    • Take the Simulink model of the ETC controller and treat it as a collection of concurrent state machines
    • Triggered blocks are turned into two-state state machines
    • Using a model checker, generate tests for the desired coverage criterion
  • Mode coverage
    • Input: we > weMax; Output: MotorAmps = 0
    • Input: te > teMax; Output: MotorAmps = 0
    • Input: V > 30, prndl = 3, cruiseSwitch = true; Output: MotorAmps = 1
  • Transition coverage
    • Input: we > weMax; Output: MotorAmps = 0
    • Input: we < 0.95 weMax; Output: MotorAmps = <s>
    • Input: te > teMax; Output: MotorAmps = 0
    • Input: we < 0.95 weMax; Output: MotorAmps = <s>
    • Input: V > 30, prndl = 3, cruiseSwitch = true; Output: MotorAmps = 1
    • Input: brakeSwitch = true; Output: MotorAmps = <s>
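As an added example (not the DIVES test generation tool or the ETC model), a Python version of the procedure above: a hypothetical ETC-style controller with the four modes implied by the test cases, where a breadth-first search stands in for the model checker and yields mode- and transition-coverage tests. The thresholds weMax and teMax, the guards (including the assumption that the torque-limit mode recovers on te < 0.95 teMax) and the input valuations are all constructed.

```python
# Added example, not DIVES/ETC project code: model-based test generation for mode
# and transition coverage over a hypothetical ETC-style controller. A BFS stands in
# for the model checker; thresholds, guards and the input alphabet are assumed.
from collections import deque
WE_MAX, TE_MAX = 6000.0, 250.0   # assumed engine-speed and torque limits
TRANSITIONS = {   # mode -> [(guard, next_mode)]; the first enabled guard fires
    "Normal": [
        (lambda i: i["we"] > WE_MAX, "Overspeed"),
        (lambda i: i["te"] > TE_MAX, "TorqueLimit"),
        (lambda i: i["V"] > 30 and i["prndl"] == 3 and i["cruiseSwitch"], "Cruise"),
    ],
    "Overspeed": [(lambda i: i["we"] < 0.95 * WE_MAX, "Normal")],
    "TorqueLimit": [(lambda i: i["te"] < 0.95 * TE_MAX, "Normal")],
    "Cruise": [(lambda i: i["brakeSwitch"], "Normal")],
}
# expected MotorAmps per mode; "s" stands for the driver-commanded value
OUTPUT = {"Normal": "s", "Overspeed": 0, "TorqueLimit": 0, "Cruise": 1}
# constructed finite input alphabet; BASE sits inside every hysteresis band
BASE = {"we": 5800.0, "te": 240.0, "V": 20.0, "prndl": 1,
        "cruiseSwitch": False, "brakeSwitch": False}
INPUTS = {
    "we>weMax": {**BASE, "we": 6500.0},
    "we<0.95weMax": {**BASE, "we": 5000.0},
    "te>teMax": {**BASE, "te": 300.0},
    "te<0.95teMax": {**BASE, "te": 200.0},
    "cruise": {**BASE, "V": 40.0, "prndl": 3, "cruiseSwitch": True},
    "brake": {**BASE, "brakeSwitch": True},
}

def step(mode, inp):
    """Successor mode of `mode` under input valuation `inp`."""
    for guard, nxt in TRANSITIONS[mode]:
        if guard(inp):
            return nxt
    return mode

def generate_tests(start="Normal"):
    """BFS over modes. Returns {target: [(input_name, expected MotorAmps), ...]}
    for each mode (mode coverage) and (src, dst) pair (transition coverage)."""
    tests, queue = {start: []}, deque([(start, [])])
    while queue:
        mode, trace = queue.popleft()
        for name, inp in INPUTS.items():
            nxt = step(mode, inp)
            if nxt == mode:
                continue                       # self-loop covers nothing new
            new_trace = trace + [(name, OUTPUT[nxt])]
            tests.setdefault((mode, nxt), new_trace)   # shortest, by BFS order
            if nxt not in tests:               # first visit of this mode
                tests[nxt] = new_trace
                queue.append((nxt, new_trace))
    return tests
```

Each value is the shortest input sequence reaching its target, which is exactly the counterexample a model checker returns for the claim "this mode (or transition) is never reached"; pairing it with the expected MotorAmps per step gives the test case.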

40
Topic Area 8. Project Plans
41
Project Plans
  • Plans for the next 6 months
    • Refine abstraction, analysis and test generation techniques
    • Develop tools to support them
    • Perform OEP experiments using these techniques and tools
    • Interface with other tools through HSIF
  • Specific performance goals
    • Demonstrate improved capability to verify linear hybrid systems in terms of number of modes and number of state variables
    • Provide a methodology for design feedback to ETC and other problems
    • Demonstrate the feasibility of model-based test generation

42
Topic Area 9. Project schedule and milestones
43
Project schedule and milestones
Gantt chart (quarters 3FY00 through 2FY03) for the tasks: 1. Design language; 2. Software toolkit; 3a. Compositional semantics; 3b. Simulation techniques; 3e. Controller synthesis; 3f. Abstraction techniques. Legend: milestone on schedule; milestone completed ahead of schedule; deliverable.
44
Project schedule and milestones
  • Past milestones
    • Q3FY01: Compositional Semantics
      • Completed ahead of schedule
      • Deliverable: research report on compositional semantics
    • Q1FY02: Modular and Distributed Simulation Techniques
      • Completed on schedule
      • Deliverables: research reports on event detection, modular and multi-agent simulation algorithms
  • Upcoming milestones
    • Q3FY02: Analysis Techniques and Tool Suite
      • Progress on schedule
      • Deliverables
        • Research reports on abstraction techniques and analysis algorithms
        • Tool implementation

45
Technology Transition
  • Use of Charon and its toolkit for embedded medical device development
    • The CARA (Computer Assisted Resuscitation Algorithm) infusion pump system developed by WRAIR (Walter Reed Army Institute of Research)
    • The reference model specification in Charon
    • Design analysis and implementation validation
  • Goal: enhance the FDA approval process for embedded medical devices

46
The End.