slides

Cyber-Physical Systems (Special Topics in Advanced Systems and Architecture)

CSE 6359 Lecture 1 Taylor Johnson

Outline ▪ Administration ▪ Course Overview and Objectives ▪ What are Cyber-Physical Systems (CPS)?

[http://leeseshia.org/releases/LeeSeshia_DigitalV1_08.pdf] CSE6359, Spring 2014

January 13, 2014

2



January 13, 2014

3

Acknowledgements and Similar Courses ▪ Acknowledgments – Many slides are based on material from our textbook: Edward A. Lee and Sanjit A. Seshia, Introduction to Embedded Systems, A Cyber-Physical Systems Approach, http://LeeSeshia.org, ISBN 978-0-557-70857-4, 2011. – Many images come from Wikipedia – Many slides based on material from Sayan Mitra, Illinois

▪ Similar courses – ECE584 / CS584, Embedded System Verification: Illinois, http://users.crhc.illinois.edu/mitras/ECE584/index.shtml – EECS149/249A, Intro to Embedded Systems, Berkeley, http://chess.eecs.berkeley.edu/eecs149 CSE6359, Spring 2014

January 13, 2014

4

Administration ▪ Topic: Cyber-Physical Systems ▪ CSE Concentrations: Systems/Architectures and Software Engineering ▪ Time: M/W 1:00pm to 2:20pm ▪ Location: ERB129 ▪ Website: http://www.taylortjohnson.com/class/cse6359/s14/ ▪ Instructor: Taylor Johnson – Office: ERB 559 – Office Hours: 2:30pm~3:30pm and by appointment (email me) – Background: Electrical/Computer Engineering (BSEE, MSc, PhD) – Research: ensuring computer systems that interact with the physical world do what they’re supposed to do (i.e., avoiding bugs) CSE6359, Spring 2014

January 13, 2014

5

Materials ▪ Textbook (free online): Edward A. Lee and Sanjit A. Seshia, Introduction to Embedded Systems: A Cyber-Physical Systems Approach, http://LeeSeshia.org, ISBN 978-0-557-70857-4, 2011. ▪ Papers to be decided for second half of course based on interests ▪ Other resources (books, tools, etc.) that may be helpful with homeworks and projects will be linked on the website CSE6359, Spring 2014

January 13, 2014

6

Syllabus Overview ▪ See website: http://www.taylortjohnson.com/class/cse6359/s14/ ▪ Homeworks, project deadlines, papers, slides, and other updates will appear on the website, so please check often

CSE6359, Spring 2014

January 13, 2014

7

Course Focuses ▪ CPS – Design – Modeling – Analysis

▪ Discrete and continuous systems – Finite-state machines, differential equations / control theory – How to reason about these systems to ensure they meet specifications (safety, stability, invariance, performance, etc.)


January 13, 2014

8

Work Expectations ▪ First half – Textbook to introduce concepts and common language – 3-5 Homeworks – Project ideas, couple milestones

▪ Second half – Paper presentations – Read assigned papers – Project report and presentation

▪ Overarching goal: research and technical communications skills CSE6359, Spring 2014

January 13, 2014

9

Project Overview ▪ Systems Type: design, build, and analyze a CPS ▪ Applications Type: model and thoroughly analyze a CPS described in an existing paper / book / project / specification ▪ Theory Type: develop a new method / software tool for analyzing CPS, analyze the new method, and apply it to a simple example ▪ Will work with you to develop a project that is novel research and interesting for you ▪ Project report: 8-12 pages, IEEE/ACM format (more details later) ▪ Milestones throughout semester


January 13, 2014

10

Project Idea Discussion


January 13, 2014

11

Administration Questions?


January 13, 2014

12



January 13, 2014

13

Course Objectives ▪ Techniques and formalisms for modeling systems with dynamics, computation, and communication – Hybrid automata

▪ To use testing and verification tools (model checkers, SMT solvers, test-case generators, and specification finders) ▪ Practice effective research and technical communication skills (oral and written)


January 13, 2014

14

Strategy Modeling is the process of gaining a deeper understanding of a system through imitation. Models specify what a system does. Design is the structured creation of artifacts. It specifies how a system does what it does. Analysis is the process of gaining a deeper understanding of a system through dissection. It specifies why a system does what it does (or fails to do what a model says it should do).


January 13, 2014

15



January 13, 2014

16

Cyber-Physical Systems ▪ Networked embedded systems ▪ Networked computers + physical systems ▪ Computation, control, communication ▪ Involve nearly all engineering disciplines


January 13, 2014

17

Cyber-Physical Systems (CPS): Orchestrating networked computational resources with physical systems Building Systems

Avionics

Transportation (Air traffic control at SFO)

Telecommunications

Automotive

Instrumentation (Soleil Synchrotron)

E-Corner, Siemens

Power generation and distribution

Factory automation

Daimler-Chrysler

Military systems:

Courtesy of Doug Schmidt

Courtesy of General Electric

Courtesy of Kuka Robotics Corp.

Kopetz Principle ▪ Many (predictive) properties that we assert about systems (determinism, timeliness, reliability, safety) are in fact not properties of an implemented system, but rather properties of a model of the system. ▪ We can make definitive statements about models, from which we can infer properties of system realizations. The validity of this inference depends on model fidelity, which is always approximate. ▪ Summary (George Box): All models are wrong, some are useful CSE6359, Spring 2014

January 13, 2014

19

CPS Reliability and Examples ▪ Even if it has not been clearly specified, any system has a set of criteria we assume about it – Example: autonomous cars should not collide, thermostat should regulate temperature to desired level (witihin some amount of time), cruise control regulates speed to setpoint (in spite of hills), elevator should not open doors if no car present, etc. – This specification is our assumption (as the operator / user) about how the system will function

▪ What happens if this is not true (e.g., system has a bug)? CSE6359, Spring 2014

January 13, 2014

20

X-Men Aside ▪ William Stryker in X-Men (X2): “I'm a scientist. When I build a machine, I want to make sure it's working."

[http://www.imdb.com/media/rm1921227008/ch0001108#] CSE6359, Spring 2014

January 13, 2014

21

V&V and CPS ▪ Verification and Validation: independent procedures used together for checking if system meets requirements/specifications and fulfills intended purpose – Validation: assurance system meets needs of customer – Verification: evaluation of whether system complies with regulation, requirement, specification, etc. – Colloquialism: ▪ Validation: are we building the right thing? ▪ Verification: are we building the thing right?

– Reliability: quality metric measuring degree to which system is verified/validated

▪ Cyber-Physical Systems: systems with interaction/coupling between software and physical processes through sensing, actuation, and communication ▪ What’s the reliability/V&V status of CPS today? [IEEE Standard 1409-2011, A Guide to the Project Management Body of Knowledge, 2011]

22

Elevators Date:

September 20, 2012

Notice:

#12-750

Device: ThyssenKrupp Access LEV II, Volant, Rise Units:

~670

Problem: “… elevator’s door can unlock and open at a landing with no elevator car present, exposing the elevator shaft and posing a fall hazard to consumers…” Remedy: Spec:

software update elevator door should only open when car is present and aligned with shaft

[Consumer Product Safety Commission (CPSC), Alert #12-750, http://www.cpsc.gov] Image: [http://www.tkaccess.com/home-elevators/volant/homeElevators_volant.aspx]

23

Fire Alarms and Controls Date:

February 15, 2012

Notice: #12-721 Device: Bosch FPA-1000-UL Units:

~330

Problem: “…control panel can fail to sound an alarm if a fire occurs…” Remedy:software update Spec:

if sensors detect smoke/heat/fire, alarm sounds

[Consumer Product Safety Commission (CPSC), Alert #12-721, http://www.cpsc.gov]

24


October 5, 2010

Notice: #11-702 Device: Honeywell Fire-Lite Alarms MS-9600LS

Units:

~530

Problem: “…can fail to sound an alarm in the event of a fire…”

Remedy: Spec:

software update if sensors detect smoke/heat/fire, alarm sounds


25


February 8, 2011

Notice: #11-721 Device: Tyco Safety Products / SimplexGrinnell Simplex 4100U-NXP

Units:

~540

Problem: “… can fail to send a signal to alert monitoring centers in the event of a fire…” Remedy:software update Spec: if sensors detect fire, controller notifies fire monitoring center [Consumer Product Safety Commission (CPSC), Alert #11-721, http://www.cpsc.gov]

26

SCUBA Diving Computers Date:

July 11, 2013

Notice: #13-236 Device: Hollis DG03 Dive Computers

Units:

~1000

Problem: “… can malfunction and display an incorrect tank pressure reading to the diver…” Remedy:upgrade operating system Spec:

dive computer displays current sensor reading


27

Medical Devices

[“Analysis of Safety-Critical Computer Failures in Medical Devices”, Homa Alemzadeh, Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jai Raman, IEEE Security & Privacy , vol. 11, no. 4, pp. 14-26, July-Aug. 2013]

28

(Non-Autonomous) Cars Date:

May 31, 2005

Notice:

#PE05029

Device: Toyota Prius (2004-2005) Units:

~75,000

Problem: “… reports allege that the gasoline engine shut down suddenly without warning…” Remedy: electronic control module (ECM) software update Spec:

if there is sufficient fuel and the ignition is on, once started, the engine should remain running

[National Highway Traffic Safety Administration (NHTSA), Investigation #PE05029, www.safercar.gov]

29

Toyota Unintended Acceleration

30

Toyota Unintended Acceleration: Bookout v. Toyota Motor Corp., CJ-20087969, Oklahoma ▪ “During the trial, embedded systems experts who reviewed Toyota's electronic throttle source code testified that they found Toyota's source code defective, and that it contains bugs -- including bugs that can cause unintended acceleration.” ▪ "We did a few things that NASA apparently did not have time to do," Barr said. For one thing, by looking within the real-time operating system, the experts identified "unprotected critical variables.“ ▪ "This confirmed tasks can die without the watchdog resetting the processor.“ [http://www.embedded.com/electronics-news/4423365/Toyota-Camry-L4-case--the-single-bit-flip-that-killed] [http://www.eetimes.com/document.asp?doc_id=1319903&page_number=2]

31

(Non-Autonomous) Cars Date:

August 4, 2011

Notice: #11V395 Device: Honda Accord (20052010), CR-V (2007-2010), Element (2005-2008) Units:

~1.5 million US (~2.5 million globally)

Problem: “…may cause an engine stall and/or cause the vehicle to move when the gear selector is in park…” Remedy:

update to automatic transmission control module

[NHTSA, Recall Notice #11V395, http://www.safercar.gov/] Image: [http://www.netcarshow.com/honda/2010-accord_crosstour/800x600/wallpaper_02.htm]

32

Cyber-Physical Defects “…specifications for the secondary shaft bearing outer race material and shape were modified in order to accommodate increased engine torque. These modifications, which improved the long-term durability of the component but reduced its resistance to shock, are not appropriately addressed in the automatic transmission control module software of the affected vehicles…” Research: Methods for proving CPS model 𝓐 specification 𝑃

Physical Specification

Cyber Specification

algorithmically satisfies its

[Defect Notice, Aug. 3, 2011, Part 573, http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/ACM17689918/RCDNN-11V395-2852.pdf]33

Summary of Recalls and Failures ▪ Happen regardless of industry ▪ All systems are safety-critical and require high reliability – Generally large engineering teams (cars), but also small teams (diving computers) – Loss of life – Great financial loss (hundreds of lawsuits against Toyota)

▪ Commonality: software and bugs ▪ Solutions? – Engineering process: great success in aviation – New tools and techniques: our focus on automation 34

Verification Challenge Given system model 𝓐 and property 𝑃, design algorithm that returns 𝓐 satisfies 𝑃 and give proof, or 𝓐 violates 𝑃 and why (bug)

Engineering Grand Challenge

𝓐, 𝑃 No: bug 𝓐 ⊨ 𝑃?

Yes: proof

– Debugging & verification: ~50%-75% engineering cost [Beizer 1990] – Expensive & life-threatening bugs: ~$60 billion/year [NIST 2002] – State-space explosion & undecidability

𝓐 networked software interacting with physical world: cyber-physical system (CPS)

𝑃

Safety: something bad never happens Stability: reach good state eventually and stay there

35

Course Topics ▪ Model-Based Design – Implementation code based on a mathematical model

▪ System Analysis – Verify that your model & implementation will meet a spec.

▪ Concurrency – Run multiple tasks correctly and efficiently

▪ Time & Resources – Ensuring that tasks finish on time and within budgets

▪ Networking and other Advanced Topics – Automotive networks, mapping an area by a robot, etc.


January 13, 2014

36

Questions?


January 13, 2014

37