Runtime Model Predictive Verification on Embedded Platforms 1

Size: px

Start display at page:

Download "Runtime Model Predictive Verification on Embedded Platforms 1"

Coral Hood
5 years ago
Views:

1 Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph Zambreno, Phillip H. Jones, Kristin Yvonne Rozier Presenter: Pei Zhang Iowa State University peizhang@iastate.edu September 28, Work supported by NASA ECF NNX16AR57G and NSF CAREER Award CNS / 32

2 Overview 1 Introduction Overview 2 Preliminary State Space Model 3 Methodology Hardware Monitor Model Predictive Runtime Verification 4 Evaluation Simulation of MPRV Disturbance Effect WCET Analysis 5 Conclusion 6 Related Work 2 / 32

3 Introduction Motivation Light weight monitor for embedded platform; Unobstrusive to a certified safety-critical system; Providing timely information; Runtime safety monitor 3 / 32

4 Introduction Overview Overview of Design Architecture Controllers Supervisory Controller On-chip Feedback Control Future Time Monitor Environment AP 1 AP n Conversion Function Sensor Figure: High level architecture of model predictive runtime verication. 4 / 32

Model Predictor Feedback Control On-chip Future

Predictor Model Controller Sensor Figure: High

5 Introduction Overview Overview of Design Architecture Controllers Supervisory Controller Model Predictor Feedback Control On-chip Future Time Monitor Environment AP 1 AP n AP 1 AP m Predictor Model Controller Sensor Figure: High level architecture of model predictive runtime verication. 5 / 32

6 Preliminary Extending LTL for Safety Properties: MLTL Mission-Time Linear Temporal Logic (MLTL) reasons about bounded timelines: finite set of atomic propositions {p q} Boolean connectives:,,, and temporal connectives with time bounds: Symbol Operator Timeline p p p p p [2,6] p Always [2,6] p [0,7] p Eventually [0,7] p p q pu [1,5] q Until [1,5] q q q p,q pr [3,8] q Release [3,8] / 32

7 Preliminary Model Predictive Function F Σ Σ. Definition (Predictive MLTL Semantics) Let π be a finite trace over Σ. The predictive truth value of the MLTL formula ϕ with respect to π, denoted as [π ϕ] p, is an element of {true, false,?} defined as follows: true if π Σ (π F(π) π ) ϕ; [π ϕ] p = false if π Σ (π F(π) π ) / ϕ;? (skip) Otherwise. 7 / 32

8 Preliminary State Space Model State Space Model A discrete state-space model defines what state a system will be in one-time step into the future: x k+1 = Ax k + Bu k (1) y k = Cx k + Du k (2) x k represents the state of the system at time k u k represents the input acting on the system at time k y k represents outputs of the system at time k A is a matrix that defines the internal dynamics of the system B is a matrix that defines how the input acting upon the system impact its state C is a matrix that transforms states of the system into outputs (y k ) 8 / 32

9 Methodology Hardware Monitor Abstract Syntax Tree (AST) Q: How can we check MLTL satisfication in hardware? Compile the MLTL formula into assembly code: e.g. [0,2] (!a0) Line 0 Line 1 Line 2 s0 load (a0, time) s1 s0 s2 [0,2] s1 Each instruction are stored in a data structure called Shared Connection Queue (SCQ). 9 / 32

10 Methodology Hardware Monitor Computation Core CORE Instruction Memory FSM PC RAW Sensor Signals (binary) Filters AP[1] Var Mem ATOMICs... v1 v2... L / / U AP[N] Queue Management PTR τ e I1 I1 I2 I SCQ I1 I2... L LOAD NEGATE / AND/OR RAM / GLOBAL/FUTURE U UNTIL Empty Increase PC Fetch Instruction Search SCQ Find Data Observer Algorithm Write Back (a) Observer Processing Core. (b) State machine transitions. Figure: Hardware design for embedded MLTL observer processor. 10 / 32

11 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 1 Convert sensor data into atomic propositions (APs) using predefined atomic conversion functions. 11 / 32

12 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 2 Observer processing core conducts runtime verification over the newly received APs. 12 / 32

13 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 3 Model Predictive Control (MPC) for a specified prediction horizon length is executed to estimate future states of the system. 13 / 32

14 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 4 Contents of the SCQs are cached. 14 / 32

15 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 5 Observer processing core conducts runtime verification over the generated trace of estimated future system states. 15 / 32

16 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 6 Restore cached SCQs contents. Thereby, placing the observer processing core back into its original state. 16 / 32

17 Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow 1 Read Sensor 3 2 Model Prediction Runtime Verification Cache Restore Step 7 Return to step 1), once the next sensor sampling period starts. 17 / 32

18 Evaluation Simulation of MPRV MPRV on Moving a Point Mass Position (m) position planned trajectory Time (s) Figure: Model predictive control of the height of a point mass. Control input force [-1N, 1N]. Cost weighting: 2 with the error in mass position and 1 with its speed. Prediction horizon: 100. Controller actuation update rate to 10 Hz. a0: absolute speed < 0.1m/s. a1: absolute value of trajectory error < 0.08m. 18 / 32

19 Evaluation Simulation of MPRV True ( [5]a1) a0 False No Prediction Predict 10 (1.0s) Predict 50 (5.0s) Time (sec) Figure: MPRV responsiveness for different prediction horizons: No prediction, 10 steps (1s), 50 steps (5s). True a1 U [5,20]a0 False No Prediction Predict 10 (1.0s) Predict 50 (5.0s) Time (sec) 19 / 32

20 Evaluation Simulation of MPRV Disturbance Position (m) position planned trajectory Time (s) Figure: Unexpected disturbance taken place during control. The disturbance is marked in by the yellow rectangle. an external disturbance force being applied at time 14.6s and 35.0s. a0: absolute speed < 0.5m/s. a1: absolute value of trajectory error < 0.04m. 20 / 32

21 Evaluation Simulation of MPRV Disturbance Position (m) position planned trajectory Time (s) True a1 [15]a0 False No Prediction Predict 50 (5.0s) Time (sec) Figure: Comparasion between MPRV and normal RV with disturbance. 21 / 32

22 Evaluation Simulation of MPRV Disturbance Position (m) position planned trajectory Time (s) True a1 [15]a0 False No Prediction Predict 50 (5.0s) Time (sec) Figure: Comparasion between MPRV and normal RV with disturbance. 22 / 32

23 Evaluation Simulation of MPRV Utilize the MPRV Predictions under Disturbance 1 Case 1: Disturbance instantly breaks MLTL rule. 2 Case 2: Disturbance does not instantly break the MLTL rule. 3 Case 3: Disturbance adverts the system from breaking the MLTL in the future. 23 / 32

24 Evaluation Simulation of MPRV Sensor Noise and Prediction Horizon Length 100% 80% 100% 80% Accuracy 60% 40% 20% 0% a0 a1 a2 a4 [15] a1 [15] a1 [15] a4 ( [5] a3) a1 (a3 U [5,20] a1) Noise Standard Deviation Accuracy 60% 40% 20% 0% a0 a1 a2 a4 [15] a1 [15] a1 [15] a4 ( [5] a3) a1 (a3 U [5,20] a1) Prediction Step Length (P) (a) Sensor noise impact on MPRV accuracy. Prediction horizon length is 10 (1s) (b) Prediction horizon length impact on MPRV accuracy. Sensor noise standard deviation is Figure: Impact of sensor noise and prediction horizon length on MPRV accuracy. a0: absolute value of trajectory error < 0.04m a1: absolute value of trajectory error < 0.08m a2: absolute value of trajectory error < 0.20m a3: absolute speed > 0.6 m/s a4: position > 1.0 m/s 24 / 32

25 Evaluation WCET Analysis Worst Case Execution Time (WCET) Analysis where, N.t = t basic + t loop N.X C N.X (3) (N.iSCQ) N.X = P + 1 N is binary operator N is unary operator t basic is the time for Fetch Instruction and Increase PC etc. in Fig. 3(b) t loop is the time for Observer Algorithm C is a constant associated with the hardware computation core pipeline. In our design, the execution time is bounded by C = 24e 8 (unit: second) 2. (4) 2 Based on our hardware running at a clock frequency of 100 MHz. 25 / 32

26 Evaluation WCET Analysis a0 3[15] a0 800 (3[15] a3) a1 600 N (N.X ) (3[50] a3) a1 (a3 U[5,20] a1) (3[20] a4) (a3 U[5,20] a1) U[10,15] a Prediction Step Length (P) 100 Figure: Relationship between N.X and prediction horizon length for MLTL formulas of varying complexity. MPRV computational complexity: O(max(S, n P)), S is the total SCQ memory usage, n is the total number of operators, P is the prediction step length. 26 / 32

27 Conclusion Summary of Work The primary contribution of this work is providing predictive runtime verificaiton based on system model: extension to an existing state-of-the-art RV tool, R2U2; better mitigation of faults by enabling future-time requirements to be evaluated; hardware realiable by bounding resource usage; 27 / 32

28 Conclusion The End 28 / 32

29 Conclusion References I Ebru Aydin Gol, Mircea Lazar, and Calin Belta, Temporal logic model predictive control, Automatica 56 (2015), Hong Lu and Alessandro Forin, The design and implementation of p2v, an architecture for zero-overhead online verification of software programs, Tech. Report MSR-TR , Microsoft Research, August Gary Nutt, Tutorial: Computer system monitors, Computer 8 (1975), no. 11, R. Pellizzoni, P. Meredith, M. Caccamo, and G. Rosu, Hardware runtime monitoring for dependable cots-based real-time embedded systems, 2008 Real-Time Systems Symposium, Nov 2008, pp / 32

30 Conclusion References II Vasumathi Raman, Alexandre Donzé, Mehdi Maasoumy, Richard M Murray, Alberto Sangiovanni-Vincentelli, and Sanjit A Seshia, Model predictive control with signal temporal logic specifications, Decision and Control (CDC), 2014 IEEE 53rd Annual Conference on, IEEE, 2014, pp Thomas Reinbacher, Kristin Yvonne Rozier, and Johann Schumann, Temporal-logic based runtime observer pairs for system health management of real-time systems, International Conference on Tools and Algorithms for the Construction and Analysis of Systems, Springer, 2014, pp / 32

31 Related Work Hardware Monitor for Temporal Logic Related Hardware Monitor: 1975 as Nutt [Nut75] proposed using hardware to monitor computer systems. An FPGA-based hardware monitor, called BusMOP [PMCR08]. Hong created an automated tool, called P2V [LF07]. R2U2: soft-coded hardware monitor [RRS14]. 31 / 32

32 Related Work Predictive Runtime Verification Interdisciplinary work between RV and control. Model Predictive Control with Signal Temporal Logic Specifications [RDM + 14]. Temporal logic model predictive control [GLB15] 32 / 32

Course Runtime Verification

Course Runtime Verification Course Martin Leucker (ISP) Volker Stolz (Høgskolen i Bergen, NO) INF5140 / V17 Chapters of the Course Chapter 1 Recall in More Depth Chapter 2 Specification Languages on Words Chapter 3 LTL on Finite