Cyber-Physical Systems (Special Topics in Advanced Systems and Architecture)
CSE 6359 Lecture 1 Taylor Johnson
Outline ▪ Administration ▪ Course Overview and Objectives ▪ What are Cyber-Physical Systems (CPS)?
[http://leeseshia.org/releases/LeeSeshia_DigitalV1_08.pdf] CSE6359, Spring 2014
January 13, 2014
2
Acknowledgements and Similar Courses
▪ Acknowledgments
– Many slides are based on material from our textbook: Edward A. Lee and Sanjit A. Seshia, Introduction to Embedded Systems, A Cyber-Physical Systems Approach, http://LeeSeshia.org, ISBN 978-0-557-70857-4, 2011.
– Many images come from Wikipedia
– Many slides based on material from Sayan Mitra, Illinois
▪ Similar courses
– ECE584 / CS584, Embedded System Verification, Illinois, http://users.crhc.illinois.edu/mitras/ECE584/index.shtml
– EECS149/249A, Intro to Embedded Systems, Berkeley, http://chess.eecs.berkeley.edu/eecs149
Administration
▪ Topic: Cyber-Physical Systems
▪ CSE Concentrations: Systems/Architectures and Software Engineering
▪ Time: M/W 1:00pm to 2:20pm
▪ Location: ERB129
▪ Website: http://www.taylortjohnson.com/class/cse6359/s14/
▪ Instructor: Taylor Johnson
– Office: ERB 559
– Office Hours: 2:30pm~3:30pm and by appointment (email me)
– Background: Electrical/Computer Engineering (BSEE, MSc, PhD)
– Research: ensuring computer systems that interact with the physical world do what they’re supposed to do (i.e., avoiding bugs)
Materials
▪ Textbook (free online): Edward A. Lee and Sanjit A. Seshia, Introduction to Embedded Systems: A Cyber-Physical Systems Approach, http://LeeSeshia.org, ISBN 978-0-557-70857-4, 2011.
▪ Papers to be decided for second half of course based on interests
▪ Other resources (books, tools, etc.) that may be helpful with homeworks and projects will be linked on the website
Syllabus Overview
▪ See website: http://www.taylortjohnson.com/class/cse6359/s14/
▪ Homeworks, project deadlines, papers, slides, and other updates will appear on the website, so please check often
Course Focuses
▪ CPS
– Design
– Modeling
– Analysis
▪ Discrete and continuous systems
– Finite-state machines, differential equations / control theory
– How to reason about these systems to ensure they meet specifications (safety, stability, invariance, performance, etc.)
Work Expectations
▪ First half
– Textbook to introduce concepts and common language
– 3-5 Homeworks
– Project ideas, couple milestones
▪ Second half
– Paper presentations
– Read assigned papers
– Project report and presentation
▪ Overarching goal: research and technical communications skills
Project Overview
▪ Systems Type: design, build, and analyze a CPS
▪ Applications Type: model and thoroughly analyze a CPS described in an existing paper / book / project / specification
▪ Theory Type: develop a new method / software tool for analyzing CPS, analyze the new method, and apply it to a simple example
▪ Will work with you to develop a project that is novel research and interesting for you
▪ Project report: 8-12 pages, IEEE/ACM format (more details later)
▪ Milestones throughout semester
Project Idea Discussion
Administration Questions?
Outline ▪ Administration ▪ Course Overview and Objectives ▪ What are Cyber-Physical Systems (CPS)?
Course Objectives
▪ Techniques and formalisms for modeling systems with dynamics, computation, and communication
– Hybrid automata
▪ To use testing and verification tools (model checkers, SMT solvers, test-case generators, and specification finders)
▪ Practice effective research and technical communication skills (oral and written)
Strategy
▪ Modeling is the process of gaining a deeper understanding of a system through imitation. Models specify what a system does.
▪ Design is the structured creation of artifacts. It specifies how a system does what it does.
▪ Analysis is the process of gaining a deeper understanding of a system through dissection. It specifies why a system does what it does (or fails to do what a model says it should do).
Outline ▪ Administration ▪ Course Overview and Objectives ▪ What are Cyber-Physical Systems (CPS)?
Cyber-Physical Systems
▪ Networked embedded systems
▪ Networked computers + physical systems
▪ Computation, control, communication
▪ Involve nearly all engineering disciplines
Cyber-Physical Systems (CPS): Orchestrating networked computational resources with physical systems
▪ Building systems
▪ Avionics
▪ Transportation (air traffic control at SFO)
▪ Telecommunications
▪ Automotive
▪ Instrumentation (Soleil Synchrotron)
▪ E-Corner, Siemens
▪ Power generation and distribution
▪ Factory automation
▪ Military systems
(Image captions: Daimler-Chrysler; courtesy of Doug Schmidt; courtesy of General Electric; courtesy of Kuka Robotics Corp.)
Kopetz Principle
▪ Many (predictive) properties that we assert about systems (determinism, timeliness, reliability, safety) are in fact not properties of an implemented system, but rather properties of a model of the system.
▪ We can make definitive statements about models, from which we can infer properties of system realizations. The validity of this inference depends on model fidelity, which is always approximate.
▪ Summary (George Box): All models are wrong, some are useful
CPS Reliability and Examples
▪ Even if it has not been clearly specified, any system has a set of criteria we assume about it
– Example: autonomous cars should not collide, thermostat should regulate temperature to desired level (within some amount of time), cruise control regulates speed to setpoint (in spite of hills), elevator should not open doors if no car present, etc.
– This specification is our assumption (as the operator / user) about how the system will function
▪ What happens if this is not true (e.g., system has a bug)?
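As an added example (not from the slides or the textbook), the thermostat criterion above, "regulate temperature to the desired level within some amount of time", written as a two-mode hybrid automaton and checked by simulation. The first-order thermal model, the hysteresis controller, the constants (setpoint, band, rate constant, ambient and heater temperatures) and the function names are all constructed assumptions. A simulation from one initial condition is a test of the model, not a proof that the spec holds for every initial condition, which is the gap the verification tools listed in the course objectives address.

```python
"""Simulation-based check of a thermostat specification (constructed example).

The thermostat is a two-mode hybrid automaton: in mode OFF the room drifts
towards the ambient temperature, in mode ON the heater drives it towards a
hotter value.  In both modes the temperature obeys dx/dt = k * (target - x).
The discrete transitions are the hysteresis guards around the setpoint.
settles_within() checks the spec "regulate temperature to the desired level
within some amount of time" on a simulated trace: from the deadline onwards
the temperature must stay inside setpoint +/- tol.  All constants are made up.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Thermostat:
    setpoint: float          # desired temperature
    band: float              # hysteresis half-width: heater on below setpoint-band, off above setpoint+band
    k: float = 0.05          # rate constant of the first-order thermal model (assumed)
    ambient: float = 10.0    # temperature the room drifts to with the heater off (assumed)
    heater: float = 30.0     # temperature the room drifts to with the heater on (assumed)

    def step(self, x: float, mode: str, dt: float) -> tuple[float, str]:
        """One simulation step: take any enabled discrete transition, then flow for dt."""
        if mode == "OFF" and x <= self.setpoint - self.band:
            mode = "ON"
        elif mode == "ON" and x >= self.setpoint + self.band:
            mode = "OFF"
        target = self.heater if mode == "ON" else self.ambient
        x = x + dt * self.k * (target - x)   # forward-Euler integration of dx/dt = k*(target - x)
        return x, mode


def simulate(t: Thermostat, x0: float, horizon: float, dt: float = 0.1) -> list[tuple[float, float, str]]:
    """Return (time, temperature, mode) samples from t=0 to t=horizon, starting with the heater off."""
    x, mode = x0, "OFF"
    trace = [(0.0, x, mode)]
    steps = int(round(horizon / dt))
    for i in range(1, steps + 1):
        x, mode = t.step(x, mode, dt)
        trace.append((i * dt, x, mode))
    return trace


def settles_within(trace, setpoint: float, tol: float, deadline: float):
    """Spec check: after `deadline` the temperature never leaves setpoint +/- tol.
    Returns (True, None) if the trace satisfies the spec, else (False, first violating time)."""
    for time, x, _ in trace:
        if time >= deadline and abs(x - setpoint) > tol:
            return False, time
    return True, None


if __name__ == "__main__":
    room = Thermostat(setpoint=20.0, band=1.0)
    trace = simulate(room, x0=15.0, horizon=60.0)
    # A tolerance wider than the hysteresis band passes; a tighter one fails,
    # because the controller by design oscillates between about 19 and 21.
    print(settles_within(trace, 20.0, tol=1.2, deadline=15.0))
    print(settles_within(trace, 20.0, tol=0.5, deadline=15.0))
```

The second check is the interesting one: the controller is working as designed, yet a spec written with a tolerance tighter than the hysteresis band is violated. Whether that is a bug in the controller or in the specification is exactly the validation-versus-verification distinction the V&V slide draws.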
X-Men Aside
▪ William Stryker in X-Men (X2): “I'm a scientist. When I build a machine, I want to make sure it's working.”
[http://www.imdb.com/media/rm1921227008/ch0001108#]
V&V and CPS
▪ Verification and Validation: independent procedures used together for checking if system meets requirements/specifications and fulfills intended purpose
– Validation: assurance system meets needs of customer
– Verification: evaluation of whether system complies with regulation, requirement, specification, etc.
– Colloquialism:
▪ Validation: are we building the right thing?
▪ Verification: are we building the thing right?
– Reliability: quality metric measuring degree to which system is verified/validated
▪ Cyber-Physical Systems: systems with interaction/coupling between software and physical processes through sensing, actuation, and communication
▪ What’s the reliability/V&V status of CPS today?
[IEEE Standard 1409-2011, A Guide to the Project Management Body of Knowledge, 2011]
Elevators
Date: September 20, 2012
Notice: #12-750
Device: ThyssenKrupp Access LEV II, Volant, Rise
Units: ~670
Problem: “… elevator’s door can unlock and open at a landing with no elevator car present, exposing the elevator shaft and posing a fall hazard to consumers…”
Remedy: software update
Spec: elevator door should only open when car is present and aligned with shaft
[Consumer Product Safety Commission (CPSC), Alert #12-750, http://www.cpsc.gov] Image: [http://www.tkaccess.com/home-elevators/volant/homeElevators_volant.aspx]
Fire Alarms and Controls
Date: February 15, 2012
Notice: #12-721
Device: Bosch FPA-1000-UL
Units: ~330
Problem: “…control panel can fail to sound an alarm if a fire occurs…”
Remedy: software update
Spec: if sensors detect smoke/heat/fire, alarm sounds
[Consumer Product Safety Commission (CPSC), Alert #12-721, http://www.cpsc.gov]
Fire Alarms and Controls
Date: October 5, 2010
Notice: #11-702
Device: Honeywell Fire-Lite Alarms MS-9600LS
Units: ~530
Problem: “…can fail to sound an alarm in the event of a fire…”
Remedy: software update
Spec: if sensors detect smoke/heat/fire, alarm sounds
[Consumer Product Safety Commission (CPSC), Alert #11-702, http://www.cpsc.gov]
Fire Alarms and Controls
Date: February 8, 2011
Notice: #11-721
Device: Tyco Safety Products / SimplexGrinnell Simplex 4100U-NXP
Units: ~540
Problem: “… can fail to send a signal to alert monitoring centers in the event of a fire…”
Remedy: software update
Spec: if sensors detect fire, controller notifies fire monitoring center
[Consumer Product Safety Commission (CPSC), Alert #11-721, http://www.cpsc.gov]
SCUBA Diving Computers
Date: July 11, 2013
Notice: #13-236
Device: Hollis DG03 Dive Computers
Units: ~1000
Problem: “… can malfunction and display an incorrect tank pressure reading to the diver…”
Remedy: upgrade operating system
Spec: dive computer displays current sensor reading
[Consumer Product Safety Commission (CPSC), Alert #13-236, http://www.cpsc.gov]
Medical Devices
[“Analysis of Safety-Critical Computer Failures in Medical Devices”, Homa Alemzadeh, Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jai Raman, IEEE Security & Privacy, vol. 11, no. 4, pp. 14-26, July-Aug. 2013]
(Non-Autonomous) Cars
Date: May 31, 2005
Notice: #PE05029
Device: Toyota Prius (2004-2005)
Units: ~75,000
Problem: “… reports allege that the gasoline engine shut down suddenly without warning…”
Remedy: electronic control module (ECM) software update
Spec: if there is sufficient fuel and the ignition is on, once started, the engine should remain running
[National Highway Traffic Safety Administration (NHTSA), Investigation #PE05029, www.safercar.gov]
Toyota Unintended Acceleration
Toyota Unintended Acceleration: Bookout v. Toyota Motor Corp., CJ-20087969, Oklahoma
▪ “During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.”
▪ “We did a few things that NASA apparently did not have time to do,” Barr said. For one thing, by looking within the real-time operating system, the experts identified “unprotected critical variables.”
▪ “This confirmed tasks can die without the watchdog resetting the processor.”
[http://www.embedded.com/electronics-news/4423365/Toyota-Camry-L4-case--the-single-bit-flip-that-killed]
[http://www.eetimes.com/document.asp?doc_id=1319903&page_number=2]
(Non-Autonomous) Cars
Date: August 4, 2011
Notice: #11V395
Device: Honda Accord (2005-2010), CR-V (2007-2010), Element (2005-2008)
Units: ~1.5 million US (~2.5 million globally)
Problem: “…may cause an engine stall and/or cause the vehicle to move when the gear selector is in park…”
Remedy: update to automatic transmission control module
[NHTSA, Recall Notice #11V395, http://www.safercar.gov/] Image: [http://www.netcarshow.com/honda/2010-accord_crosstour/800x600/wallpaper_02.htm]
Cyber-Physical Defects
“…specifications for the secondary shaft bearing outer race material and shape were modified in order to accommodate increased engine torque. These modifications, which improved the long-term durability of the component but reduced its resistance to shock, are not appropriately addressed in the automatic transmission control module software of the affected vehicles…”
Physical specification (the bearing's material and shape) vs. cyber specification (the transmission control module software)
Research: methods for proving that a CPS model 𝓐 algorithmically satisfies its specification 𝑃
[Defect Notice, Aug. 3, 2011, Part 573, http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/ACM17689918/RCDNN-11V395-2852.pdf]
Summary of Recalls and Failures
▪ Happen regardless of industry
▪ All systems are safety-critical and require high reliability
– Generally large engineering teams (cars), but also small teams (diving computers)
– Loss of life
– Great financial loss (hundreds of lawsuits against Toyota)
▪ Commonality: software and bugs
▪ Solutions?
– Engineering process: great success in aviation
– New tools and techniques: our focus on automation
Verification Challenge
Given system model 𝓐 and property 𝑃, design an algorithm that decides 𝓐 ⊨ 𝑃? and returns either
– Yes: a proof that 𝓐 satisfies 𝑃, or
– No: a bug, i.e., why 𝓐 violates 𝑃
Engineering Grand Challenge
– Debugging & verification: ~50%-75% engineering cost [Beizer 1990]
– Expensive & life-threatening bugs: ~$60 billion/year [NIST 2002]
– State-space explosion & undecidability
𝓐: networked software interacting with physical world: cyber-physical system (CPS)
𝑃: Safety: something bad never happens; Stability: reach good state eventually and stay there
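An added example, not part of the slides: the verification challenge above carried out on a finite-state model for the elevator specification from the CPSC recall slide ("door should only open when car is present and aligned"). The 3-floor abstraction, the transition rules and both controllers (a buggy one that opens whichever landing door is called, and a fixed one that checks the car's presence) are constructed assumptions. The checker enumerates every reachable state of 𝓐; if the safety property 𝑃 holds in all of them, the reachable set is the proof ("Yes"), otherwise the shortest path to a violating state is the bug ("No"). The same breadth-first search works for any finite model with a state-invariant property, so it generalizes beyond the elevator.

```python
"""Explicit-state reachability check of an elevator-door safety property.

Constructed example: a 3-floor elevator abstracted to the state
(car_floor, aligned, open_door_floor), where open_door_floor is None when
every landing door is closed.  The invariant from the CPSC recall slide is
"a landing door is open only if the car is present and aligned at that
landing".  check_invariant() is a breadth-first search over the reachable
states: it returns ("proof", reachable_states) when the invariant holds in
every reachable state, or ("bug", trace) with the shortest path from the
initial state to a violating state.
"""
from collections import deque

N_FLOORS = 3  # assumption: small fixed building, so the state space is finite


def initial_state():
    # car stopped and aligned at floor 0, all landing doors closed
    return (0, True, None)


def unsafe(state):
    """Violation of the invariant: a door is open where the car is not present and aligned."""
    car, aligned, door = state
    return door is not None and not (aligned and car == door)


def successors(state, may_open):
    """Environment and controller moves from `state`.  `may_open(car, aligned, floor)`
    is the controller's guard for opening the landing door at `floor` when the call
    button there is pressed."""
    car, aligned, door = state
    nxt = set()
    for floor in range(N_FLOORS):          # a call button may be pressed on any floor
        if door is None and may_open(car, aligned, floor):
            nxt.add((car, aligned, floor))
    if door is not None:                   # an open door may close
        nxt.add((car, aligned, None))
    if door is None and aligned:           # car may depart its landing (now between floors)
        nxt.add((car, False, None))
    if not aligned:                        # a moving car arrives at an adjacent floor
        for dest in (car - 1, car + 1):
            if 0 <= dest < N_FLOORS:
                nxt.add((dest, True, door))
    return nxt


def check_invariant(init, succ, bad):
    """BFS model check.  Returns ("proof", reachable) or ("bug", counterexample_trace)."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if bad(s):
            trace = []
            while s is not None:           # walk parent pointers back to the initial state
                trace.append(s)
                s = parent[s]
            return "bug", trace[::-1]
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return "proof", set(parent)            # every reachable state satisfies the invariant


# Controller variants (constructed).  The buggy one opens whichever landing door is
# called, mirroring the recalled behaviour; the fixed one checks car presence first.
def buggy_may_open(car, aligned, floor):
    return True


def fixed_may_open(car, aligned, floor):
    return aligned and car == floor


def verify(may_open):
    return check_invariant(initial_state(), lambda s: successors(s, may_open), unsafe)


if __name__ == "__main__":
    for name, ctrl in (("buggy", buggy_may_open), ("fixed", fixed_may_open)):
        verdict, evidence = verify(ctrl)
        if verdict == "bug":
            print(f"{name}: bug, counterexample trace {evidence}")
        else:
            print(f"{name}: proof, invariant holds in all {len(evidence)} reachable states")
```

The "state-space explosion" bullet is visible even here: the abstraction has at most 3 × 2 × 4 states, but every additional floor, door sensor or request queue multiplies that count, which is why the course moves on to symbolic tools (model checkers, SMT solvers) rather than explicit enumeration.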
Course Topics
▪ Model-Based Design
– Implementation code based on a mathematical model
▪ System Analysis
– Verify that your model & implementation will meet a spec.
▪ Concurrency
– Run multiple tasks correctly and efficiently
▪ Time & Resources
– Ensuring that tasks finish on time and within budgets
▪ Networking and other Advanced Topics
– Automotive networks, mapping an area by a robot, etc.
Questions?