SlideShare una empresa de Scribd logo

Controller Software Verification Using AVM Meta and HybridSAL

Joseph Porter
Joseph Porter

The document discusses using the AVM Meta tool suite and HybridSAL to formally verify controller software for cyber-physical systems. It describes how controllers modeled in Simulink/Stateflow can be integrated with physical models in Modelica. Design space exploration is used to simulate different controller alternatives. Formal verification of properties specified in temporal logic is then used to detect errors in the candidate controller. The workflow involves translating controllers to a cyber language, generating simulation code, and visualizing verification results. Counterexamples can provide insight to refine the controller model or property specification.

IngenieríaTecnología
1 de 47
SRI International Verification of Cyber-Physical Controller Software Using the AVM Meta Tool Suite and HybridSAL Joseph Porter (jporter@isis.vanderbilt.edu), Ashish Tiwari (ashish.tiwari@sri.com), and Xenofon Koutsoukos (xenofon.koutsoukos@vanderbilt.edu) S5 Symposium June 2014
SRI International Controller Design Design space exploration with simulation can answer early questions about controller choices • Simulation over alternatives is much cheaper than building prototypes • Automated DSE helps answer questions about the evolving design Formal verification tools can detect hard-to-find errors • Testing may fail to detect (large scenario space) • Requires property specification • CyPhy enables easy property addition, model editing, and visualize verification results
SRI International OpenMETA-CyPhy Cyber Toolchain (DARPA AVM) Physical Components C2M2L Components Custom Components Cyber Components CyPhy System Design / Design Space Dynamics TB Verification TB Physical Components Authoring Cyber Components Authoring * Cyber Modeling Language Component Use Simulink/ Stateflow Auto Import Component Use Modelica Sim (.mo, .lib) CyPhy Modelica Composer Cyber Code Generator HybridSAL DAE XML Cyber XML Verification Condition Generation System Design Space Authoring Hybrid System Evaluation Dymola/ OpenModelica Modelica Simulation Formal Verification
SRI International Everything has software – cars, refrigerators, even chainsaws. How do we model controller software and combine it with the mechanical design? • Keep the design processes for the physical and cyber in sync. • Building and testing prototypes is expensive. Integrating controllers into mechanical designs is costly and time-consuming. Too many scenarios to test cyber and physical systems exhaustively. Testing will miss important cases. Some examples: • Toyota Acceleration problem • MARS polar lander • Ariane 5 Why Cyber Modeling?
SRI International AVM Control Design Capabilities How are META Cyber capabilities different from designing and simulating controllers using Modelica or Simulink alone? 1. Cyber controller component in Modelica is not a simulation model, but is the actual embedded code scheduled by a discrete-time periodic sampler. The simulation is much more realistic. 2. Integrated formal hybrid verification toolchain. 3. All of the benefits of using CyPhyML: • design space exploration • curated component library • integrated test bench models • parametric exploration • cloud-based simulation
SRI International Introduction We will show how the Cyber tools can integrate multiple transmission controllers modeled in Simulink/Stateflow with a Driveline modeled in Modelica. We will use DSE to assess the controller alternatives in simulation, and then verify the candidate controller. Scenario: If we have a cheaper fixed-point processor, will the controller performance be degraded?
SRI International Creating a CyPhy model The CyPhy model is the “integration” model. It contains: • The imported Modelica model (The System) • The interface to the Cyber model (The Controller) • A design describing how the two are connected • A test bench describing how to evaluate the design
SRI International Connecting the Cyber interface to the system model in GME All modern designs have software controllers. How do we incorporate them into a design?
SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P AVM Component Interface (Dynamics) • Connectors • Parameters Modelica Component Interface • Signals (causal) • Physical variables (acausal) • Buses (aggregate) • Parameters Modelica Components and Ports each have a Class string indicating the location of its type definition in the library. C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus
SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P AVM Component Interface (Dynamics) • Connectors • Parameters Modelica Component Interface • Signals (causal) • Physical variables (acausal) • Buses (aggregate) • Parameters Modelica Components and Ports each have a Class string indicating the location of its type definition in the library: C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus
SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P Modelica Components and Ports each have a Class string indicating the location of its type definition in the library. C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus Component B In composition, the underlying port types must match exactly (by type string).
SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P Controller Component B S P Controller components must be causal: • Only connect to signals and bus ports containing signals. • Physical variable ports can not be connected to controller components. X Parameter ports are exposed in assemblies and test benches. Parameter values are propagated down into the components.
SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component (refers to external model in Modelica component libraries)P Controller Component B S P X Cyber Component (refers to external Cyber model) S B P AVM and Cyber component model interfaces are identical. Simulink S S S Bus ports aggregate signals. Bus signals are identified by name. Only one component can produce (output) a bus signal. The others must consume it. P Cyber interface parameters refer directly to parameter objects deep in the Simulink hierarchy.
SRI International Translating controllers to the Cyber language MDL2MGA Translator Controllers in Simulink/Stateflow Controllers in GME Cyber language Shift controller Torque converter controller Torque reduction controller
SRI International Design Space Exploration DSE allows us to evaluate different controller variants, to compare performance.
SRI International CyberComposition Model (GME) ControllerModelsDynamicsModels Controller Details Modelica Interface CyPhyML Model (GME) Modelica Controller References Modelica Dynamic Components Modelica Dynamics References Modelica Design Simulation Dynamics Models Controller Libraries Legend Reference from CyPhyML to an external component model. Model created manually/semi- automatically. Automatic model translation step. 1 Generated Code 2 5 6b 6a Simulink/ Stateflow 9 Controller Components 4 Design Space 3 Test Bench7 8a Controller C Code “Glue” Code Modelica Interface 8b Controller Import Code Generation Physical Component Import System Modeling Generation & Simulation META-Cyber Simulation Workflow
SRI International META-Cyber Simulation Workflow 1. Create or obtain physical component models in Modelica. 2. Create a CyPhyML model using GME. 3. Import Modelica components and build the system design space in the CyPhy model. 4. Create your controllers in Simulink/Stateflow. 5. Create a Cyber model in META and import your controllers into this model. 6. Define the controller interface in the CyPhyML model using GME (6a) and link it to the Cyber model (6b). 7. Create a test bench for the design in CyPhyML. 8. From the test bench, run the Master Interpreter to generate Modelica simulation code (8a). The Modelica generator also invokes the code generator to create Modelica controller components which are integrated into the simulation (8b). 9. Run the simulation.
SRI International Tool Flow Test Bench model defines inputs & environment for system under test Invoke DSE to explore alternatives Designs Component Alternatives DESERT tool presents design choices Select designs to generate Specify component Library paths Generate the Modelica model Simulate the designs and compare
SRI International Generated Code Generated code is placed in Simulink subdirectory Generated code can be inspected by opening the generated Visual Studio solution file.
SRI International Alternative #1 Simulation results #1 Selected gear vs time (s) Engine rpm vs time (blue) Transmission output rpm vs time (red)
SRI International Selected gear vs time (s) Simulation results #2 Alternative #2 Engine rpm vs time (blue) Transmission output rpm vs time (red)
SRI International Controller Correctness Once we have identified our candidate controller, we can use formal verification to assess the controller logic.
SRI International Formal Verification Testing/simulation can fail to detect design errors that are manifested only under certain scenarios Formal verification can verify designs for all scenarios Formal verification complements simulation in improving confidence in system design
SRI International Formal Verification What is formal verification? Techniques for verifying the system that are based on symbolic algebra, rather than numerical simulations Achieves the equivalent of exhaustive testing
SRI International Verification Workflow Identical to the simulation workflowexcept:  Temporal properties are attached to models  Verification results, namely o status (pass, fail, or error) and explanation are displayed on the dashboard Controllers often include intricate logic that can be difficult to exhaustively test Apply formal verification to ShiftController here
SRI International Temporal Properties Properties capture the intent of the controller design ShiftController: Inputs: 1.driver_gear_select 2.shift_request_state 3.input_speed_TC 4.output_speed_TC Output: 1.gear_selected
SRI International Shift Controller Inputs-Output The input variable driver_gear_select takes values: reverse=1, park=2, swim=3, neutral=4, neutral_pivot=5, low=6, drive=7 The input variable shift_request_state takes values: down_shift=1, no_shift=2, up_shift=3 The output variable gear_selected takes values: 0, 1, 2, 3, 4 A correct controller should guarantee something about the output under certain assumptions on the inputs.
SRI International Temporal Properties as Specification Some desired properties for such a ShiftController: 1. If shift_request_state==3 (up_shift) and driver_gear_select==7 (drive), then eventually gear_selected==4 (fourth gear) • []( srs==3 && dgs==7 => <>(gear==4) ) • []( [](srs==3 && dgs==7) => <>(gear==4) ) 2. If dgs==6(low), then eventually gear <= 1 • []( [](dgs==6) => <>(gear <= 1) ) • []( [](dgs==6) => <>(gear <= 2) )
SRI International Pattern-based Property Specification All properties above have the same “Global Response’’ pattern Another useful pattern is “Absence before R’’ Property: “The output gear_selected does not take value 4 before driver_gear_select is 7 (drive)” P := gear_selected == 4 R := driver_gear_select == 7 Property: P is absent before R
SRI International Adding LTL Properties to SL/SF Models
SRI International Pattern-based Property Specification If driver_gear_select is 6(low), then eventually gear_selected <= 1 (first gear)
SRI International Viewing Properties in SL/SF Models Set of all properties = Specification of the component
SRI International The Verification TestBench After controller models have been annotated with desired temporal properties, they are translated into CyberComposition language, and verified SL/SF + Properties CyberComp XML Formal Verification Results Verification results can be viewed in the dashboard
SRI International Verification Results in the Dashboard
SRI International Understanding Verification Results 1. If shift_request_state==3 (up_shift) and driver_gear_select==7 (drive), then eventually gear_selected==4 • []( srs==3 && dgs==7 => <>(gear==4) ) Violated • []( [](srs==3 && dgs==7) => <>(gear==4) ) Verified 2. If dgs==6(low), then eventually gear <= 1 • []( [](dgs==1) => <>(gear <= 1) ) Violated • []( [](dgs==1) => <>(gear <= 2) ) Verified 3. The event gear_selected==4 is absent before dgs is 7 (drive) Verified
SRI International Property is False in the Model: Details
SRI International Simulating the Counter-Example
SRI International Visualizing the Counter-Example []( [](dgs==6) => <>(gear <= 1) ) Violated
SRI International Refining the Model or Property When a property is found to be false in the model, the user can view and analyze the counter- example, and based on that, go back to the controller design and fix either • The controller • Edit transition guards • Add/delete transitions • The property • Make the property weaker • Constrain the inputs of the controller
SRI International Refining the Property Since output variable, gear_selected, gets stuck at value 2, we can see if our controller satisfies a weaker specification. []( [](dgs==6) => <>(gear <= 2) ) Verified
SRI International Refining the Model Designer changes condition on the downshift transition out of Gear2 in SL/SF
SRI International Refining the Model The condition on the outgoing transition from state Gear2 to state lockoutD1 is chaged from: srs==1 && dgs!=6 && dgs!=1 && in_tc > out_tc ↓ ((srs==1 && dgs!=6 && dgs!=1 && in_tc > out_tc) || (dgs==6 || dgs==1)) Enable transition additionally when driver_gear_select is 6 (low)
SRI International Verification Results for the Updated Model
SRI International Property is True in the Model: Details
SRI International Old CounterExample on the Fixed Model []( [](dgs==6) => <>(gear <= 1) ) Verified
SRI International Conclusions Design space exploration with simulation can answer early questions about controller choices • Simulation over alternatives is much cheaper than building prototypes • Automated DSE helps answer questions about the evolving design Formal verification tools can detect hard-to-find errors • Testing may fail to detect (large scenario space) • Requires property specification • CyPhy enables easy property addition, model editing, and visualize verification results
SRI International Questions

Recomendados

QGen GNAT Industrial User Day
QGen GNAT Industrial User DayQGen GNAT Industrial User Day
QGen GNAT Industrial User Daymatteobordinadacore
 
Design Verification
Design VerificationDesign Verification
Design VerificationIshwaki Thakkar
 
ASIC design verification
ASIC design verificationASIC design verification
ASIC design verificationGireesh Kallihal
 
Aldec overview 2011-10 revised
Aldec overview 2011-10 revisedAldec overview 2011-10 revised
Aldec overview 2011-10 revisedPrateek Chopra
 
Tutor1
Tutor1Tutor1
Tutor1Hung Nguyen
 
Functional verification techniques EW16 session
Functional verification techniques EW16 sessionFunctional verification techniques EW16 session
Functional verification techniques EW16 sessionSameh El-Ashry
 
Firstenberg q207
Firstenberg q207Firstenberg q207
Firstenberg q207Obsidian Software
 
Bangalore march07
Bangalore march07Bangalore march07
Bangalore march07Obsidian Software
 

Recomendados

QGen GNAT Industrial User Day
QGen GNAT Industrial User DayQGen GNAT Industrial User Day
QGen GNAT Industrial User Daymatteobordinadacore
 
Design Verification
Design VerificationDesign Verification
Design VerificationIshwaki Thakkar
 
ASIC design verification
ASIC design verificationASIC design verification
ASIC design verificationGireesh Kallihal
 
Aldec overview 2011-10 revised
Aldec overview 2011-10 revisedAldec overview 2011-10 revised
Aldec overview 2011-10 revisedPrateek Chopra
 
Tutor1
Tutor1Tutor1
Tutor1Hung Nguyen
 
Functional verification techniques EW16 session
Functional verification techniques EW16 sessionFunctional verification techniques EW16 session
Functional verification techniques EW16 sessionSameh El-Ashry
 
Firstenberg q207
Firstenberg q207Firstenberg q207
Firstenberg q207Obsidian Software
 
Bangalore march07
Bangalore march07Bangalore march07
Bangalore march07Obsidian Software
 
Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect PredictionSung Kim
 
system verilog
system verilogsystem verilog
system verilogVinchipsytm Vlsitraining
 
IBM Rhapsody Code Generation Customization
IBM Rhapsody Code Generation CustomizationIBM Rhapsody Code Generation Customization
IBM Rhapsody Code Generation Customizationgjuljo
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog Ramdas Mozhikunnath
 
Bristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timBristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timObsidian Software
 
Classic Formal Methods Model Checking
Classic Formal Methods Model CheckingClassic Formal Methods Model Checking
Classic Formal Methods Model Checkingtyramisu
 
EC302-Introduction
EC302-IntroductionEC302-Introduction
EC302-IntroductionPoliteknik Sultan Idris Shah
 
[2016/2017] Architectural languages
[2016/2017] Architectural languages[2016/2017] Architectural languages
[2016/2017] Architectural languagesIvano Malavolta
 
GNAT Pro User Day: QGen: Simulink® static verification and code generation
GNAT Pro User Day: QGen: Simulink® static verification and code generationGNAT Pro User Day: QGen: Simulink® static verification and code generation
GNAT Pro User Day: QGen: Simulink® static verification and code generationAdaCore
 
Ecd302 unit 01(investigate ecad systems)
Ecd302 unit 01(investigate ecad systems)Ecd302 unit 01(investigate ecad systems)
Ecd302 unit 01(investigate ecad systems)Xi Qiu
 
Session 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesSession 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesNirav Desai
 
LTTechServices_Surya
LTTechServices_SuryaLTTechServices_Surya
LTTechServices_Suryasuryakant pallai
 
Conformiq Tutorial
Conformiq TutorialConformiq Tutorial
Conformiq Tutorialpetersmagnusson
 
Background And An Architecture Example
Background And An Architecture ExampleBackground And An Architecture Example
Background And An Architecture ExampleGlen Wilson
 
H S
H SH S
H SJEDAmarketing
 
Development and validation of an "in-the-loop" simulator for small satellites
Development and validation of an "in-the-loop" simulator for small satellitesDevelopment and validation of an "in-the-loop" simulator for small satellites
Development and validation of an "in-the-loop" simulator for small satellitesRobertoSorba
 
JedaOverview
JedaOverviewJedaOverview
JedaOverviewJEDAmarketing
 
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Wolfgang Grieskamp
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathRamdas Mozhikunnath
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentObsidian Software
 
SoftTest Ireland: Model Based Testing - January 27th 2011
SoftTest Ireland: Model Based Testing - January 27th 2011SoftTest Ireland: Model Based Testing - January 27th 2011
SoftTest Ireland: Model Based Testing - January 27th 2011David O'Dowd
 
Aaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security TeamsAaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security Teamscentralohioissa
 

Más contenido relacionado

La actualidad más candente

Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect PredictionSung Kim
 
IBM Rhapsody Code Generation Customization
IBM Rhapsody Code Generation CustomizationIBM Rhapsody Code Generation Customization
IBM Rhapsody Code Generation Customizationgjuljo
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog Ramdas Mozhikunnath
 
Bristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timBristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timObsidian Software
 
Classic Formal Methods Model Checking
Classic Formal Methods Model CheckingClassic Formal Methods Model Checking
Classic Formal Methods Model Checkingtyramisu
 
[2016/2017] Architectural languages
[2016/2017] Architectural languages[2016/2017] Architectural languages
[2016/2017] Architectural languagesIvano Malavolta
 
GNAT Pro User Day: QGen: Simulink® static verification and code generation
GNAT Pro User Day: QGen: Simulink® static verification and code generationGNAT Pro User Day: QGen: Simulink® static verification and code generation
GNAT Pro User Day: QGen: Simulink® static verification and code generationAdaCore
 
Ecd302 unit 01(investigate ecad systems)
Ecd302 unit 01(investigate ecad systems)Ecd302 unit 01(investigate ecad systems)
Ecd302 unit 01(investigate ecad systems)Xi Qiu
 
Session 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesSession 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesNirav Desai
 
Background And An Architecture Example
Background And An Architecture ExampleBackground And An Architecture Example
Background And An Architecture ExampleGlen Wilson
 
Development and validation of an "in-the-loop" simulator for small satellites
Development and validation of an "in-the-loop" simulator for small satellitesDevelopment and validation of an "in-the-loop" simulator for small satellites
Development and validation of an "in-the-loop" simulator for small satellitesRobertoSorba
 
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Wolfgang Grieskamp
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathRamdas Mozhikunnath
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentObsidian Software
 

La actualidad más candente (20)

Personalized Defect Prediction
Personalized Defect PredictionPersonalized Defect Prediction
Personalized Defect Prediction
 
system verilog
system verilogsystem verilog
system verilog
 
IBM Rhapsody Code Generation Customization
IBM Rhapsody Code Generation CustomizationIBM Rhapsody Code Generation Customization
IBM Rhapsody Code Generation Customization
 
SOC Verification using SystemVerilog
SOC Verification using SystemVerilog SOC Verification using SystemVerilog
SOC Verification using SystemVerilog
 
Bristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_timBristol 2009 q1_blackmore_tim
Bristol 2009 q1_blackmore_tim
 
Classic Formal Methods Model Checking
Classic Formal Methods Model CheckingClassic Formal Methods Model Checking
Classic Formal Methods Model Checking
 
EC302-Introduction
EC302-IntroductionEC302-Introduction
EC302-Introduction
 
[2016/2017] Architectural languages
[2016/2017] Architectural languages[2016/2017] Architectural languages
[2016/2017] Architectural languages
 
GNAT Pro User Day: QGen: Simulink® static verification and code generation
GNAT Pro User Day: QGen: Simulink® static verification and code generationGNAT Pro User Day: QGen: Simulink® static verification and code generation
GNAT Pro User Day: QGen: Simulink® static verification and code generation
 
Ecd302 unit 01(investigate ecad systems)
Ecd302 unit 01(investigate ecad systems)Ecd302 unit 01(investigate ecad systems)
Ecd302 unit 01(investigate ecad systems)
 
Session 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfacesSession 8 assertion_based_verification_and_interfaces
Session 8 assertion_based_verification_and_interfaces
 
LTTechServices_Surya
LTTechServices_SuryaLTTechServices_Surya
LTTechServices_Surya
 
Conformiq Tutorial
Conformiq TutorialConformiq Tutorial
Conformiq Tutorial
 
Background And An Architecture Example
Background And An Architecture ExampleBackground And An Architecture Example
Background And An Architecture Example
 
H S
H SH S
H S
 
Development and validation of an "in-the-loop" simulator for small satellites
Development and validation of an "in-the-loop" simulator for small satellitesDevelopment and validation of an "in-the-loop" simulator for small satellites
Development and validation of an "in-the-loop" simulator for small satellites
 
JedaOverview
JedaOverviewJedaOverview
JedaOverview
 
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
 
Verification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career PathVerification Engineer - Opportunities and Career Path
Verification Engineer - Opportunities and Career Path
 
Validation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environmentValidation and-design-in-a-small-team-environment
Validation and-design-in-a-small-team-environment
 

Destacado

SoftTest Ireland: Model Based Testing - January 27th 2011
SoftTest Ireland: Model Based Testing - January 27th 2011SoftTest Ireland: Model Based Testing - January 27th 2011
SoftTest Ireland: Model Based Testing - January 27th 2011David O'Dowd
 
Aaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security TeamsAaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security Teamscentralohioissa
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictionscentralohioissa
 
Formal Method for Avionics Software Verification
Formal Method for Avionics Software Verification Formal Method for Avionics Software Verification
Formal Method for Avionics Software VerificationAdaCore
 
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...SecuRing
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureAdaCore
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸Amazon Web Services
 
淺談 Model based testing 與 graphwalker 導入心得 20160127
淺談 Model based testing 與 graphwalker 導入心得 20160127淺談 Model based testing 與 graphwalker 導入心得 20160127
淺談 Model based testing 與 graphwalker 導入心得 20160127Scott Hsiao
 
Dev ops 研究心得分享 0127
Dev ops 研究心得分享 0127Dev ops 研究心得分享 0127
Dev ops 研究心得分享 0127Scott Hsiao
 

Destacado (9)

SoftTest Ireland: Model Based Testing - January 27th 2011
SoftTest Ireland: Model Based Testing - January 27th 2011SoftTest Ireland: Model Based Testing - January 27th 2011
SoftTest Ireland: Model Based Testing - January 27th 2011
 
Aaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security TeamsAaron Bedra - Effective Software Security Teams
Aaron Bedra - Effective Software Security Teams
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictions
 
Formal Method for Avionics Software Verification
Formal Method for Avionics Software Verification Formal Method for Avionics Software Verification
Formal Method for Avionics Software Verification
 
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
AppSec EU 2015 - E-banking transaction authorization - possible vulnerabiliti...
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
 
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
透過Amazon CloudFront 和AWS WAF來執行安全的內容傳輸
 
淺談 Model based testing 與 graphwalker 導入心得 20160127
淺談 Model based testing 與 graphwalker 導入心得 20160127淺談 Model based testing 與 graphwalker 導入心得 20160127
淺談 Model based testing 與 graphwalker 導入心得 20160127
 
Dev ops 研究心得分享 0127
Dev ops 研究心得分享 0127Dev ops 研究心得分享 0127
Dev ops 研究心得分享 0127
 

Similar a Controller Software Verification Using AVM Meta and HybridSAL

Presentation Verification & Validation
Presentation Verification & ValidationPresentation Verification & Validation
Presentation Verification & ValidationElmar Selbach
 
Rhapsody Software
Rhapsody SoftwareRhapsody Software
Rhapsody SoftwareBill Duncan
 
Software Modeling and Verification
Software Modeling and VerificationSoftware Modeling and Verification
Software Modeling and VerificationRamnGonzlezRuiz2
 
Mechatronics design team project v2
Mechatronics design team project v2Mechatronics design team project v2
Mechatronics design team project v2Waleed El-Badry
 
Simulink Stateflow workshop
Simulink Stateflow workshop Simulink Stateflow workshop
Simulink Stateflow workshopMATLABISRAEL
 
Tech Days 2015: Model Based Development with QGen
Tech Days 2015: Model Based Development with QGenTech Days 2015: Model Based Development with QGen
Tech Days 2015: Model Based Development with QGenAdaCore
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesMohamed BOUSSAA
 
Incremental Queries and Transformations for Engineering Critical Systems
Incremental Queries and Transformations for Engineering Critical SystemsIncremental Queries and Transformations for Engineering Critical Systems
Incremental Queries and Transformations for Engineering Critical SystemsÁkos Horváth
 
Rhapsody Systems Software
Rhapsody Systems SoftwareRhapsody Systems Software
Rhapsody Systems SoftwareBill Duncan
 
Study for flight simulation environments
Study for flight simulation environmentsStudy for flight simulation environments
Study for flight simulation environmentsWai Nwe Tun
 
Modelon Modelica executable requirements Ansys Conference 2016
Modelon Modelica executable requirements Ansys Conference 2016Modelon Modelica executable requirements Ansys Conference 2016
Modelon Modelica executable requirements Ansys Conference 2016Modelon
 
Hirschmann: Automotive SPICE Requirements for development process and tools
Hirschmann: Automotive SPICE Requirements for development process and tools Hirschmann: Automotive SPICE Requirements for development process and tools
Hirschmann: Automotive SPICE Requirements for development process and tools Intland Software GmbH
 
Towards a metamodel for the Rubus Component Model
Towards a metamodel for the Rubus Component ModelTowards a metamodel for the Rubus Component Model
Towards a metamodel for the Rubus Component ModelAlessio Bucaioni
 
Modernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectModernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectDevOps.com
 
Hardware-Software allocation specification of IMA systems for early simulation
Hardware-Software allocation specification of IMA systems for early simulationHardware-Software allocation specification of IMA systems for early simulation
Hardware-Software allocation specification of IMA systems for early simulationÁkos Horváth
 
Mirabilis design Inc - Brochure
Mirabilis design Inc - BrochureMirabilis design Inc - Brochure
Mirabilis design Inc - BrochureDeepak Shankar
 
Incquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery Labs
Incquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery LabsIncquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery Labs
Incquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery LabsIncQuery Labs
 
Planning and Control Algorithms Model-Based Approach (State-Space)
Planning and Control Algorithms Model-Based Approach (State-Space)Planning and Control Algorithms Model-Based Approach (State-Space)
Planning and Control Algorithms Model-Based Approach (State-Space)M Reza Rahmati
 

Similar a Controller Software Verification Using AVM Meta and HybridSAL (20)

Presentation Verification & Validation
Presentation Verification & ValidationPresentation Verification & Validation
Presentation Verification & Validation
 
Rhapsody Software
Rhapsody SoftwareRhapsody Software
Rhapsody Software
 
Software Modeling and Verification
Software Modeling and VerificationSoftware Modeling and Verification
Software Modeling and Verification
 
Mechatronics design team project v2
Mechatronics design team project v2Mechatronics design team project v2
Mechatronics design team project v2
 
Simulink Stateflow workshop
Simulink Stateflow workshop Simulink Stateflow workshop
Simulink Stateflow workshop
 
Tech Days 2015: Model Based Development with QGen
Tech Days 2015: Model Based Development with QGenTech Days 2015: Model Based Development with QGen
Tech Days 2015: Model Based Development with QGen
 
GPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators FamiliesGPCE16: Automatic Non-functional Testing of Code Generators Families
GPCE16: Automatic Non-functional Testing of Code Generators Families
 
Lear unified env_paper-1
Lear unified env_paper-1Lear unified env_paper-1
Lear unified env_paper-1
 
Incremental Queries and Transformations for Engineering Critical Systems
Incremental Queries and Transformations for Engineering Critical SystemsIncremental Queries and Transformations for Engineering Critical Systems
Incremental Queries and Transformations for Engineering Critical Systems
 
Prasad_CTP
Prasad_CTPPrasad_CTP
Prasad_CTP
 
Rhapsody Systems Software
Rhapsody Systems SoftwareRhapsody Systems Software
Rhapsody Systems Software
 
Study for flight simulation environments
Study for flight simulation environmentsStudy for flight simulation environments
Study for flight simulation environments
 
Modelon Modelica executable requirements Ansys Conference 2016
Modelon Modelica executable requirements Ansys Conference 2016Modelon Modelica executable requirements Ansys Conference 2016
Modelon Modelica executable requirements Ansys Conference 2016
 
Hirschmann: Automotive SPICE Requirements for development process and tools
Hirschmann: Automotive SPICE Requirements for development process and tools Hirschmann: Automotive SPICE Requirements for development process and tools
Hirschmann: Automotive SPICE Requirements for development process and tools
 
Towards a metamodel for the Rubus Component Model
Towards a metamodel for the Rubus Component ModelTowards a metamodel for the Rubus Component Model
Towards a metamodel for the Rubus Component Model
 
Modernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-ArchitectModernizing Testing as Apps Re-Architect
Modernizing Testing as Apps Re-Architect
 
Hardware-Software allocation specification of IMA systems for early simulation
Hardware-Software allocation specification of IMA systems for early simulationHardware-Software allocation specification of IMA systems for early simulation
Hardware-Software allocation specification of IMA systems for early simulation
 
Mirabilis design Inc - Brochure
Mirabilis design Inc - BrochureMirabilis design Inc - Brochure
Mirabilis design Inc - Brochure
 
Incquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery Labs
Incquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery LabsIncquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery Labs
Incquery Suite Models 2020 Conference by István Ráth, CEO of IncQuery Labs
 
Planning and Control Algorithms Model-Based Approach (State-Space)
Planning and Control Algorithms Model-Based Approach (State-Space)Planning and Control Algorithms Model-Based Approach (State-Space)
Planning and Control Algorithms Model-Based Approach (State-Space)
 

Último

Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptxmohitesoham12
 
System Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event SchedulingSystem Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event SchedulingBootNeck1
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSneha Padhiar
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catcherssdickerson1
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfDEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfAkritiPradhan2
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewsandhya757531
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsapna80328
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfisabel213075
 
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfPaper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfNainaShrivastava14
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmDeepika Walanjkar
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...Erbil Polytechnic University
 
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfComprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfalene1
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
Turn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxTurn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxStephen Sitton
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfBalamuruganV28
 

Último (20)

Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptx
 
System Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event SchedulingSystem Simulation and Modelling with types and Event Scheduling
System Simulation and Modelling with types and Event Scheduling
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATIONSOFTWARE ESTIMATION COCOMO AND FP CALCULATION
SOFTWARE ESTIMATION COCOMO AND FP CALCULATION
 
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor CatchersTechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
TechTAC® CFD Report Summary: A Comparison of Two Types of Tubing Anchor Catchers
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdfDEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
DEVICE DRIVERS AND INTERRUPTS SERVICE MECHANISM.pdf
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overview
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveying
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdf
 
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdfPaper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
Paper Tube : Shigeru Ban projects and Case Study of Cardboard Cathedral .pdf
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
"Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ..."Exploring the Essential Functions and Design Considerations of Spillways in ...
"Exploring the Essential Functions and Design Considerations of Spillways in ...
 
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdfComprehensive energy systems.pdf Comprehensive energy systems.pdf
Comprehensive energy systems.pdf Comprehensive energy systems.pdf
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
Turn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptxTurn leadership mistakes into a better future.pptx
Turn leadership mistakes into a better future.pptx
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 

Controller Software Verification Using AVM Meta and HybridSAL

  • 1. SRI International Verification of Cyber-Physical Controller Software Using the AVM Meta Tool Suite and HybridSAL Joseph Porter (jporter@isis.vanderbilt.edu), Ashish Tiwari (ashish.tiwari@sri.com), and Xenofon Koutsoukos (xenofon.koutsoukos@vanderbilt.edu) S5 Symposium June 2014
  • 2. SRI International Controller Design Design space exploration with simulation can answer early questions about controller choices • Simulation over alternatives is much cheaper than building prototypes • Automated DSE helps answer questions about the evolving design Formal verification tools can detect hard-to-find errors • Testing may fail to detect (large scenario space) • Requires property specification • CyPhy enables easy property addition, model editing, and visualize verification results
  • 3. SRI International OpenMETA-CyPhy Cyber Toolchain (DARPA AVM) Physical Components C2M2L Components Custom Components Cyber Components CyPhy System Design / Design Space Dynamics TB Verification TB Physical Components Authoring Cyber Components Authoring * Cyber Modeling Language Component Use Simulink/ Stateflow Auto Import Component Use Modelica Sim (.mo, .lib) CyPhy Modelica Composer Cyber Code Generator HybridSAL DAE XML Cyber XML Verification Condition Generation System Design Space Authoring Hybrid System Evaluation Dymola/ OpenModelica Modelica Simulation Formal Verification
  • 4. SRI International Everything has software – cars, refrigerators, even chainsaws. How do we model controller software and combine it with the mechanical design? • Keep the design processes for the physical and cyber in sync. • Building and testing prototypes is expensive. Integrating controllers into mechanical designs is costly and time-consuming. Too many scenarios to test cyber and physical systems exhaustively. Testing will miss important cases. Some examples: • Toyota Acceleration problem • MARS polar lander • Ariane 5 Why Cyber Modeling?
  • 5. SRI International AVM Control Design Capabilities How are META Cyber capabilities different from designing and simulating controllers using Modelica or Simulink alone? 1. Cyber controller component in Modelica is not a simulation model, but is the actual embedded code scheduled by a discrete-time periodic sampler. The simulation is much more realistic. 2. Integrated formal hybrid verification toolchain. 3. All of the benefits of using CyPhyML: • design space exploration • curated component library • integrated test bench models • parametric exploration • cloud-based simulation
  • 6. SRI International Introduction We will show how the Cyber tools can integrate multiple transmission controllers modeled in Simulink/Stateflow with a Driveline modeled in Modelica. We will use DSE to assess the controller alternatives in simulation, and then verify the candidate controller. Scenario: If we have a cheaper fixed-point processor, will the controller performance be degraded?
  • 7. SRI International Creating a CyPhy model The CyPhy model is the “integration” model. It contains: • The imported Modelica model (The System) • The interface to the Cyber model (The Controller) • A design describing how the two are connected • A test bench describing how to evaluate the design
  • 8. SRI International Connecting the Cyber interface to the system model in GME All modern designs have software controllers. How do we incorporate them into a design?
  • 9. SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P AVM Component Interface (Dynamics) • Connectors • Parameters Modelica Component Interface • Signals (causal) • Physical variables (acausal) • Buses (aggregate) • Parameters Modelica Components and Ports each have a Class string indicating the location of its type definition in the library. C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus
  • 10. SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P AVM Component Interface (Dynamics) • Connectors • Parameters Modelica Component Interface • Signals (causal) • Physical variables (acausal) • Buses (aggregate) • Parameters Modelica Components and Ports each have a Class string indicating the location of its type definition in the library: C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus
  • 11. SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P Modelica Components and Ports each have a Class string indicating the location of its type definition in the library. C2M2L_Ext.Interfaces.Context_Interfaces.Driver.Driver_Bus Component B In composition, the underlying port types must match exactly (by type string).
  • 12. SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component P Controller Component B S P Controller components must be causal: • Only connect to signals and bus ports containing signals. • Physical variable ports can not be connected to controller components. X Parameter ports are exposed in assemblies and test benches. Parameter values are propagated down into the components.
  • 13. SRI International CyPhyML Controller Composition Concepts Physical Component S V B Modelica Component (refers to external model in Modelica component libraries)P Controller Component B S P X Cyber Component (refers to external Cyber model) S B P AVM and Cyber component model interfaces are identical. Simulink S S S Bus ports aggregate signals. Bus signals are identified by name. Only one component can produce (output) a bus signal. The others must consume it. P Cyber interface parameters refer directly to parameter objects deep in the Simulink hierarchy.
  • 14. SRI International Translating controllers to the Cyber language MDL2MGA Translator Controllers in Simulink/Stateflow Controllers in GME Cyber language Shift controller Torque converter controller Torque reduction controller
  • 15. SRI International Design Space Exploration DSE allows us to evaluate different controller variants, to compare performance.
  • 16. SRI International CyberComposition Model (GME) ControllerModelsDynamicsModels Controller Details Modelica Interface CyPhyML Model (GME) Modelica Controller References Modelica Dynamic Components Modelica Dynamics References Modelica Design Simulation Dynamics Models Controller Libraries Legend Reference from CyPhyML to an external component model. Model created manually/semi- automatically. Automatic model translation step. 1 Generated Code 2 5 6b 6a Simulink/ Stateflow 9 Controller Components 4 Design Space 3 Test Bench7 8a Controller C Code “Glue” Code Modelica Interface 8b Controller Import Code Generation Physical Component Import System Modeling Generation & Simulation META-Cyber Simulation Workflow
  • 17. SRI International META-Cyber Simulation Workflow 1. Create or obtain physical component models in Modelica. 2. Create a CyPhyML model using GME. 3. Import Modelica components and build the system design space in the CyPhy model. 4. Create your controllers in Simulink/Stateflow. 5. Create a Cyber model in META and import your controllers into this model. 6. Define the controller interface in the CyPhyML model using GME (6a) and link it to the Cyber model (6b). 7. Create a test bench for the design in CyPhyML. 8. From the test bench, run the Master Interpreter to generate Modelica simulation code (8a). The Modelica generator also invokes the code generator to create Modelica controller components which are integrated into the simulation (8b). 9. Run the simulation.
  • 18. SRI International Tool Flow Test Bench model defines inputs & environment for system under test Invoke DSE to explore alternatives Designs Component Alternatives DESERT tool presents design choices Select designs to generate Specify component Library paths Generate the Modelica model Simulate the designs and compare
  • 19. SRI International Generated Code Generated code is placed in Simulink subdirectory Generated code can be inspected by opening the generated Visual Studio solution file.
  • 20. SRI International Alternative #1 Simulation results #1 Selected gear vs time (s) Engine rpm vs time (blue) Transmission output rpm vs time (red)
  • 21. SRI International Selected gear vs time (s) Simulation results #2 Alternative #2 Engine rpm vs time (blue) Transmission output rpm vs time (red)
  • 22. SRI International Controller Correctness Once we have identified our candidate controller, we can use formal verification to assess the controller logic.
  • 23. SRI International Formal Verification Testing/simulation can fail to detect design errors that are manifested only under certain scenarios Formal verification can verify designs for all scenarios Formal verification complements simulation in improving confidence in system design
  • 24. SRI International Formal Verification What is formal verification? Techniques for verifying the system that are based on symbolic algebra, rather than numerical simulations Achieves the equivalent of exhaustive testing
  • 25. SRI International Verification Workflow Identical to the simulation workflowexcept:  Temporal properties are attached to models  Verification results, namely o status (pass, fail, or error) and explanation are displayed on the dashboard Controllers often include intricate logic that can be difficult to exhaustively test Apply formal verification to ShiftController here
  • 26. SRI International Temporal Properties Properties capture the intent of the controller design ShiftController: Inputs: 1.driver_gear_select 2.shift_request_state 3.input_speed_TC 4.output_speed_TC Output: 1.gear_selected
  • 27. SRI International Shift Controller Inputs-Output The input variable driver_gear_select takes values: reverse=1, park=2, swim=3, neutral=4, neutral_pivot=5, low=6, drive=7 The input variable shift_request_state takes values: down_shift=1, no_shift=2, up_shift=3 The output variable gear_selected takes values: 0, 1, 2, 3, 4 A correct controller should guarantee something about the output under certain assumptions on the inputs.
  • 28. SRI International Temporal Properties as Specification Some desired properties for such a ShiftController: 1. If shift_request_state==3 (up_shift) and driver_gear_select==7 (drive), then eventually gear_selected==4 (fourth gear) • []( srs==3 && dgs==7 => <>(gear==4) ) • []( [](srs==3 && dgs==7) => <>(gear==4) ) 2. If dgs==6(low), then eventually gear <= 1 • []( [](dgs==6) => <>(gear <= 1) ) • []( [](dgs==6) => <>(gear <= 2) )
  • 29. SRI International Pattern-based Property Specification All properties above have the same “Global Response’’ pattern Another useful pattern is “Absence before R’’ Property: “The output gear_selected does not take value 4 before driver_gear_select is 7 (drive)” P := gear_selected == 4 R := driver_gear_select == 7 Property: P is absent before R
  • 30. SRI International Adding LTL Properties to SL/SF Models
  • 31. SRI International Pattern-based Property Specification If driver_gear_select is 6(low), then eventually gear_selected <= 1 (first gear)
  • 32. SRI International Viewing Properties in SL/SF Models Set of all properties = Specification of the component
  • 33. SRI International The Verification TestBench After controller models have been annotated with desired temporal properties, they are translated into CyberComposition language, and verified SL/SF + Properties CyberComp XML Formal Verification Results Verification results can be viewed in the dashboard
  • 35. SRI International Understanding Verification Results 1. If shift_request_state==3 (up_shift) and driver_gear_select==7 (drive), then eventually gear_selected==4 • []( srs==3 && dgs==7 => <>(gear==4) ) Violated • []( [](srs==3 && dgs==7) => <>(gear==4) ) Verified 2. If dgs==6(low), then eventually gear <= 1 • []( [](dgs==1) => <>(gear <= 1) ) Violated • []( [](dgs==1) => <>(gear <= 2) ) Verified 3. The event gear_selected==4 is absent before dgs is 7 (drive) Verified
  • 36. SRI International Property is False in the Model: Details
  • 38. SRI International Visualizing the Counter-Example []( [](dgs==6) => <>(gear <= 1) ) Violated
  • 39. SRI International Refining the Model or Property When a property is found to be false in the model, the user can view and analyze the counter- example, and based on that, go back to the controller design and fix either • The controller • Edit transition guards • Add/delete transitions • The property • Make the property weaker • Constrain the inputs of the controller
  • 40. SRI International Refining the Property Since output variable, gear_selected, gets stuck at value 2, we can see if our controller satisfies a weaker specification. []( [](dgs==6) => <>(gear <= 2) ) Verified
  • 41. SRI International Refining the Model Designer changes condition on the downshift transition out of Gear2 in SL/SF
  • 42. SRI International Refining the Model The condition on the outgoing transition from state Gear2 to state lockoutD1 is chaged from: srs==1 && dgs!=6 && dgs!=1 && in_tc > out_tc ↓ ((srs==1 && dgs!=6 && dgs!=1 && in_tc > out_tc) || (dgs==6 || dgs==1)) Enable transition additionally when driver_gear_select is 6 (low)
  • 43. SRI International Verification Results for the Updated Model
  • 44. SRI International Property is True in the Model: Details
  • 45. SRI International Old CounterExample on the Fixed Model []( [](dgs==6) => <>(gear <= 1) ) Verified
  • 46. SRI International Conclusions Design space exploration with simulation can answer early questions about controller choices • Simulation over alternatives is much cheaper than building prototypes • Automated DSE helps answer questions about the evolving design Formal verification tools can detect hard-to-find errors • Testing may fail to detect (large scenario space) • Requires property specification • CyPhy enables easy property addition, model editing, and visualize verification results