280 likes | 502 Views
Model Based Safety Analysis of Cyber Physical Systems (CPSs). Sailesh Umamaheswara Kandula Committee: Dr. Sandeep Gupta (Chair) Dr. Yann Hang Lee Dr. Georgios E Fainekos. Outline. Cyber Physical Systems Modeling abstractions for Cyber Physical Systems
E N D
Model Based Safety Analysis of Cyber Physical Systems (CPSs) SaileshUmamaheswaraKandula Committee: Dr. Sandeep Gupta (Chair) Dr. Yann Hang Lee Dr. Georgios E Fainekos
Outline • Cyber Physical Systems • Modeling abstractions for Cyber Physical Systems • Safety analysis algorithm for Cyber Physical Systems • Case Study : Safety of passengers traveling in Autonomous Vehicles • Conclusion and future work
Cyber Physical Systems (CPS) Stanley, Stanford's DARPA grand challenge entry[1] Collision of MIT’s and Cornell’s autonomous vehicles at DARPA Urban Challenge [2] • CPS : • Computing systems (e.g. autonomous vehicles) • Physical world (e.g. passengers, road conditions) • Cyber-Physical Interactions (e.g. planned interaction, erroneous interaction). • Overlapping Interactions may harm physical world • Physical world is unsafe if it’s parameters go above threshold value. Model based safety analysis at design time. Holistic modeling of autonomous vehicle and physical world • Perform architectural and behavior modeling of CPS (i.e. model CPS sub-systems and interactions). • Need : • Modeling abstractions to specify cyber physical interactions • Safety analysis algorithm to verify safety of physical world • Causes of MIT’s and Cornell’s autonomous • vehicles collision [2]: • Failure to anticipate vehicle intent. • Difficulties in sensor data association causing • inability to detect phantom obstacles. Objective: 1. Modeling abstractions that facilitate specification of CPS behavior and architecture. 2. Safety analysis algorithm for verifying the safety of physical world.
Research Problem • How to model CPS sub-systems at various levels of abstractions? • How to specify properties of computing systems that affect safety of CPS? • How to specify characteristics of physical world (i.e. specify various scenarios) ? Safety Features: S: Seat Belt A: Air Bag B: Anti lock breaking system T: Traction control system Different types of Autonomous Vehicles (Entries in table are sample values) Physical world characteristics
Research Problem Contd. Planned and erroneous behaviors • How to tie behavior of computing system to a scenario? • How to specify interactions between multiple computing systems in a complex scenario? Coupe on straight road Sedan on curved road Sedan on curved road Pick up truck on curved road Coupe on curved road Inherit generic behavior Instantiation sedans coupes coupes Pickup-trucks sedans coupes Curved road Straight road Ramp to highway
CPS Perspective of Autonomous Vehicles Planned interactions always exist. Erroneous interactions exist when threshold conditions are met (e.g. :- high vehicle speed along a sharp turn might lead to skid) Cyber system Physical system Sensing sub system Sensed data Road conditions, obstacles Autonomous Vehicle Navigation sub system Cyber Physical Interactions Planned Path Trajectory Planned Erroneous Control sub system (e.g. speed control) Spatial Regions Spatial Regions Motion characteristics Motion characteristics Erroneous Path Control Output Vehicle dynamics and properties Conceptual Architecture of AV from CPS perspective Scenario of Multiple AVs moving on straight road
Overlapping of cyber physical interactions Case 1 Case 3 Case 2 Guard rail Erroneous interaction overlaps with a physical object Planned interactions overlap Planned and erroneous interaction overlap Planned interaction Overlapping of planned and erroneous interactions can harm physical world (e.g. severe passenger injuries). Erroneous interaction
Outline • Cyber Physical Systems • Modeling abstractions for Cyber Physical Systems • Safety analysis algorithm for Cyber Physical Systems • Case Study : Safety of passengers traveling in Autonomous Vehicles • Conclusion and future work
CPS behavior modeling requirements Spatial regions of planned and erroneous interactions determined at analysis phase • Planned interaction • Trajectory (i.e. way-points) • Control logic. • Motion equations. • Erroneous Interaction • Control logic. • Motion equations. • Conditions causing unplanned interactions. • Physical World/System • Properties. • Safety Criteria • Safety threshold. • Safety Equations. • Analysis Parameters • System analysis duration. • Time step.
CPS Modeling Constructs Analysis Parameters System analysis duration 2.Time step CPS LCPS1 LCPSn Safety Criteria Analysis Parameters Safety Criteria 1. Safety threshold 2. Safety equations …. Computing System Safety Threshold Safety Equations Physical System Time Step Time Duration Erroneous interaction Control logic Condition for erroneous interaction 3. Motion equations Intended region of mobility Unintended region Of Mobility Planned interaction Trajectory 2. Control logic 3. Motion equations Physical Properties Physical Properties Computing Mobility Physical Process Minimum Threshold Physical Process Computing Mobility Control logic equations Motion Equations, way -points Conditions causing interaction Control logic equations
Implementation of Modeling Constructs in AADL[8] • AADL: Architectural modeling of Real time embedded systems. • Abstractions: system, threads, process, bus etc. • Extensibility : annex. • Modeling constructs implemented as cpsannex. • OSATE framework[8] : libraries to parse AADL model System model in core language System model in cps annex CPS Model in AADL OSATE core libraries Annex parser/grammer OSATE Framework Annex parse tree generator Annex libraries
Example: Modeling safety of passengers involved in a collision between Autonomous Vehicle and Guard Rail Trajectory : Way- points and heading angle I Intended region of mobility Computing mobility Control System Lateral Control Algorithm [3]: Ω= arctan(2*L(3y1- x1tanѲ)/(x1)2) L: wheel base of vehicle (X1,y1): next way-point Ѳ: Vehicle Heading angle Ω: Lateral control output Intended region of mobility Physical process Longitudinal Control Algorithm [3]: v = vprec + k1(vprec - vfollow ) + k2(Lr - Lm) Safety Criteria Safety Threshold Lr: Reference Inter vehicular distance Lm: Measured Inter vehicular distance Vprec : velocity of preceding vehicle Vfollo: velocity of following vehicle Safety Criteria: Probability of serious injury should be zero. Safety Criteria Safety Equations Unintended region of mobility Minimum threshold Condition for skid [4]: v > ( ufriction *rcurvature*g)1/2 ß = 8.4 degrees Unintended region of mobility Computing mobility Vehicle motion after skid : ß = arcos (rlane/ (rlane + ws)) Probability of serious injury to passengers [5]: P = 1/( 1 + exp (4.0139 - 0.1252*x)) x: Change in vehicle’s velocity after a collision. Safety Criteria Safety Equations Obtained using LS-Dyna [12], simulation software
Modeling using AADL-CPS annex beginDeclaration CPS end begin cps annex Unintended Region Of Mobility:{ Minimum Threshold : Equation: Necessary condition for skid Computing Mobility: Equation: Vehicle motion after skid } Safety Criteria{ Safety Threshold: Occupant Injury < AIS 3 Safety Equations : Table 1 Equation: Probability of serious injury to passengers } Intended Region of Mobility:{ Physical Process : Equation: Lateral Control Algorithm Equation : Longitudinal Control Algorithm Computing Mobility: Way-points } endannex beginDeclarationPhysical_System end beginImplementationPhysical_system: Guard Rail_Curve Properties: end beginImplementation CPS: Motion_HorizontalCurves subcomponents LCPS1 end beginDeclaraionComputing_System end begin Declaration Local CPS end begin Declaration Local CPS end beginDeclaration Local CPS End beginImplementation Local CPS: LCSP1 subcomponents AutonomousVehicle1 End beginImplementationComputing_System: AutonomousVehicle1 end Detailed AADL model web-link
Outline • Cyber Physical Systems • Modeling abstractions for Cyber Physical Systems • Safety analysis algorithm for Cyber Physical Systems • Case Study : Safety of passengers traveling in Autonomous Vehicles • Conclusion and future work
Safety analysis algorithm cases to analyze Case 1 Case 3 Case 2 Guard rail Planned interactions overlap Planned interaction overlaps with erroneous interaction erroneous interaction overlaps with a physical object Planned interaction Erroneous interaction
Safety analysis algorithm [11] Start Set currentTime = 0 Compute spatial regions (SIROm) of planned Interaction for computing nodes Use safety equations to determine safety violation Case 1 Do SIROms of mulitple nodes intersect O(n2) yes Is safety threshold violated no no Is physical property > minimum threshold Increment by time step Compute spatial regions of (SUIROms) erroneous interaction yes O(n2) Is current Time < time duration System is unsafe no Case 2 yes SUIROm and SIROm of multiple nodes intersect End O(n2) yes Case 3 System is safe yes SUIROms / SIROms intersect with physical object End
Outline • Cyber Physical Systems • Modeling abstractions for Cyber Physical Systems • Safety analysis algorithm for Cyber Physical Systems • Case Study : Safety of passengers traveling in Autonomous Vehicles • Conclusion and future work
Case Study: Analyzing safety of passengers involved in a collision between Autonomous Vehicle and Guard Rail • Instantiation • Translation of generic safety analysis algorithm to this scenario • CaseStudyAnalysisNew.pptx • Factors considered: • accidents between 2002-2007 • serious accidents • accidents due to pick-up trucks • accidents due to speeding and single vehicle collision . Analysis Result and Validation [11]:
Modeling Body Sensor Network using CPS abstractions [12] Computing systems (Sensors) Physical properties: Power dissipation of sensors. Body Area Network Wearable Sensor Nodes Thermal Map of Human Body Communication Range Logical view Operational view Cyber physical view Intended interaction : Communication between sensor nodes Physical systems (Human Tissue) Physical Properties: Human tissue conductivity, blood perfusion rate etc. Unintended interaction: Temperature rise of human tissue by penn’s heat transfer equation [12] Safety Threshold: Safety Criteria: Body temperature < 39 C [12]
Answers to research questions • How to model components of a CPS at various levels of abstractions such that it is: • How to specify properties of computing systems that affect safety of CPS? • How to specify characteristics of physical world (i.e. specify various scenarios) ? . Model : 1) AV : computing system. 2) Features: computing properties Model : 1)Scenario : physical system instance 2)Characteristics: physical system properties
Answers to research questions Autonomous vehicles and scenario : LCPS. Planned and erroneous interactions: cps annex Planned and erroneous behaviors under various scenarios • How to tie the behavior of computing system to a scenario? • How to specify interactions of multiple computing systems in a scenario? Sedan’s behavior on curved road with ice Coupe’s behavior on curved road Pick up truck’s behavior on curved road Multiple coupes Multiple sedans Multiple coupes Multiple Pickup-trucks Multiple sedans Multiple coupes Ramp to highway Curved road Straight road Complex scenario: CPS with LCPSs Instantiation: LCPS
Conclusion and Future Work • Safety is a crucial aspect of CPS, design time safety verification is essential for wide spread acceptance of these systems. • Architectural modeling abstractions are proposed for modeling CPS sub-systems and interactions. • Intuitiveness : Abstractions are intuitive in nature. • Semantics and Modularization: Abstractions capture semantics of planned and unplanned interactions in a modular manner. • Instantiation: Instantiation of modular abstractions for specific scenarios • Safety analysis algorithm is proposed to analyze the safety of CPS. • Modeling abstractions and safety analysis algorithm applied to two case studies. • Future work: • Applying modeling constructs to other domain. • Generating formal models from architectural models.
References 1. “Stanley: The robot that won the DARPA Grand Challenge: Research Articles,” J. Robot. Syst., vol. 23, no. 9, pp. 661– 692, 2006. 2. The MIT–Cornell Collision and Why It Happened, Journal of Field Robotics 25(10), 775–807 (2008). 3. S. Kato, S. Tsugawa, K. Tokuda, T. Matsui, and H. Fujii, “Vehicle control algorithms for cooperative driving with automated vehicles and intervehicle communications,” Intelligent Transportation Systems, IEEE Transactions on, vol. 3, no. 3, pp. 155 – 161, sep. 2002. 4. Engineering Mechanics: Statics and Dynamics by A.M Bedford. 5. B. George, D. Kennerly, B. Nabih, K. Alexander, A. Jeffrey, and P. Elana, “Development of URGENCY 2.1 for the Prediction of Crash Injury Severity.” 6. M. Althoff, O. Stursberg, and M. Buss, Model-based probabilistic collision detection in autonomous driving. Trans. Intell. Transport. Sys., vol. 10, pp. 299–310, June 2009 7. Q. Tang, N. Tummala, S. K. S. Gupta, and L. Schwiebert, Communication scheduling to minimize thermal effects of implanted biosensor networks in homogeneous tissue, IEEE Tran. Biomedical Eng. 8. AADL, www.aadlinfo.com 9.T. Tech, “AZ-83 roadway assessment report,Rosemont copper project,” 2009. 10. “National Crash Analysis Center at George Washington University,” http://www.ncac.gwu.edu/vml/models.html. 11.S. Kandula, T. Mukherjee, and S.K.S. Gupta Toward Autonomous Vehicle Safety Verification from Mobile Cyber Physical Systems Perspective, under review, ICCPS-2011 12. A. Banerjee, S. Kandula, T. Mukherjee, and S.K.S. Gupta BAND-AiDe: A Tool for Cyber-Physical Oriented Analysis and Design of Body Area Networks and Devices , ACM Transactions in Embedded Computing Systems, Special Issue on Wireless Health 2010, Accepted for publication 13. Douglas Gabauer, Corelating Delta-V to occupant injury using Event Data Recorders.
Annex support for differential(DE) and partial differential equations(PDE) • Specification of DE: Del(order)(DependentVariable)(IndependentVariable) • Specification of PDE: Pdel (order) (DependentVariable) (IndependentVariable) ((order)(IndependentVariable))+
Annex for Unintended region of mobility • waypointlist: • (( LCURLY INT COMMAN INT COMMA INT RCURLY)+) (SEMI); • minimumthreshold: : • (condstmt); • impactingimpactedrelationship : • (expr): • computingmobility: • :(expr |waypointlist ) • ; • …. • unintendedregionofmobility: (PHYSICALPROCESS LCURLY physicalprocess • RCURLY ) • (COMPUTINGMOBILITY LCURLY computingmobility • RCURLY ) • (MINIMUMTHRESHOLD LCURLY minimumthreshold • RCURLY ) • (IMPACTINGIMPACTEDRELATION LCURLY impactingimpactedrelation RCURLY)