Post on 29-Jan-2016
11/5/2000
title
eSimplex Architecture Using MaCS
Insup Lee, Oleg Sokolsky, Moonjoo Kim,
Anirban Majumdar, Sampath Kannan,
Mahesh Viswanathan, Insik Shin
and many others…
Run-time Formal Analysis
• Run-time formal analysis ensures the run-time compliance of an execution of a system with its formal requirement.
• The analysis validates properties on the current execution of the application.
• The analysis can
  – detect incorrect execution of applications
  – predict errors and steer the computation
  – collect statistics of the actual execution
MaCS Methodology
[Figure: the System Spec is refined by design into the System Implementation; the implementation is instrumented with a filter that communicates Monitoring Data to the Event Recognizer + Checker. The Requirement Spec is checked against the System Spec by formal verification and against the running implementation by the run-time check.]
MaCS Asynchronous Control Cycle
• Identify safe spots in the implementation to apply steering
• Detect violations as they occur and initiate steering
• Execute steering actions when it is safe
[Figure: the System is monitored by the Checker; on detect! the Checker invokes a steering action, which the System executes at its next safe spot.]
MaCS Synchronous Control Cycle
• In critical situations, the asynchronous cycle may not be sufficient
• Check for violations before critical updates
• Pause the system until the checker confirms
• Steer if a violation occurs
[Figure: the System computes an update and reports it to the Checker (monitor); the Checker detects a violation and invokes steering, or confirms; only then does the System execute the update.]
MaCS languages
Run-time state (PEDL): control locations, object state, local variables
Abstract state (MEDL): events, conditions, auxiliary variables
Steering (SADL)
Property checking
• A MEDL specification can be seen as an automaton with an auxiliary store running on a stream of events provided by the event recognizer
[Figure: event stream → checker automaton, with aux. variables as its store]
Data extraction and event detection
• PEDL script
  – describes monitored objects in the program, statically identifying them in the code
  – defines events in terms of monitored objects
• Technical challenge:
  – all updates to the monitored objects must be detected
Steering (asynchronous)
• SADL script
  – defines steering actions
  – identifies locations in the code where the actions can be executed
[Figure: when steering condition i is satisfied the Checker's invoke sets invocation flag i (flags 0..n); at a steering location the instrumented program tests the flags and calls the pending action bodies.]
MaCS toolset
[Figure: the PEDL Compiler takes the Monitoring Script (PEDL) and the Program (Java byte code) and produces Instrumentation Information and Compiled PEDL; the Filter Generator (JTREK) turns the instrumentation information into Instrumented Code, and the compiled PEDL drives the Event Recognizer. The MEDL Compiler turns the Requirements (MEDL) into Compiled MEDL for the Checker. The SADL Compiler turns the Steering Script (SADL) into Instrumentation Information and an Injector class (Java byte code).]
Simplex architecture
• Simplex (Simple and Complex) architecture allows the insertion of control software on the fly while maintaining system reliability.
• It is not possible to test new control software completely.
• Developed by Lui Sha, et al. (University of Illinois)
Overview of Simplex Architecture
[Figure: three controllers, Safety (SC, output u_s), Baseline (BC, output u_b) and Experimental (EX, output u_e), feed a Decision Module that selects the command u applied to the Physical System; the measured state x is fed back to all controllers, and x_0 marks the equilibrium state.]
Inverted Pendulum
[Figure: cart on a track, mass M, driven by the motor force f produced from input u; pendulum of mass m, length l, moment of inertia I, angle θ from upright; cart position x; gravity g.]

Equations of motion:
$$(M + m)\,\ddot{x} + m l\,\ddot{\theta}\cos\theta - m l\,\dot{\theta}^{2}\sin\theta = f$$
$$(I + m l^{2})\,\ddot{\theta} + m l\,\ddot{x}\cos\theta - m g l\sin\theta = 0$$
The motor force $f$ is linear in the input voltage $u$ and the cart velocity $\dot{x}$, with motor constants $k_a$, $k_v$ and gains $k_1$, $k_2$.

State vector: $X = (x_1, x_2, x_3, x_4)^T$, formed from $x$, $\dot{x}$, $\theta$, $\dot{\theta}$.

Hard constraints $h_f(u)$, $g_p(X)$: $|\theta| \le 20^\circ$, $|x| \le 1.0\ \mathrm{m}$, $|\dot{x}| \le 1\ \mathrm{m/s}$, $|u| \le 5\ \mathrm{V}$.
Soft constraints $g_s(X)$:
• A performance index, e.g. $ISE = \int e^{2}\,dt$
• Relative stability in time domain or frequency domain
• Bandwidth

Control law: linear state feedback $v_a = K X$. The control problem is solved using LMI and LQR and the linearized dynamics of the system.
The stability region is given by $\{X \mid X^{T} P X \le 1\}$.
IP eSimplex implementation
[Figure: Device Drivers deliver the angle and track readings to the Decision Module, whose Switching logic selects between the Experimental Controller and the Safety Controller; the selected command (volts) goes back to the device drivers.]
eSimplex in MaCS
• Goal:
  – Provide a prototyping framework for control engineers
  – Separate control design from software engineering
• Approach:
  – A system is an extensible collection of controllers
  – Monitor switching conditions
  – Implement controller switches using steering
eSimplex in MaCS
[Figure: same structure as the previous slide, with the Device Drivers reached through JNI; MaCS monitors the Decision Module's angle, track and volts values and steers its Switching logic between the Experimental Controller and the Safety Controller.]
Java implementation of eSimplex
• Controller interface:
    public interface Controller {
        public float sendCommand(double angle, double track, double period);
    }
• Decision module:
    public class DecisionModule {
        static SafetyController SC = new SafetyController();
        static ExternalController EC = new EC1();
        static Controller ctr = SC;                 // start under the safety controller
        int period;                                 // monitored objects (see IP.pedl)
        float angle, track, volts;

        private native double nativeGetAngle();     // device drivers, reached through JNI
        private native double nativeGetTrack();
        private native void nativeSendCommand(float volts);

        public void setSC() { ctr = SC; }
        public void setEC() { ctr = EC; }

        public int control(long frequency) {
            angle = (float) nativeGetAngle();
            track = (float) nativeGetTrack();
            volts = ctr.sendCommand(angle, track, frequency / 1000.0); // period in seconds
            nativeSendCommand(volts);
            return 0;                               // status code
        }
    }
Monitoring: IP.pedl
MonScr IP
export event ev_track_pos,ev_current_angle, ev_volts, startPgm;
monobj int DecisionModule.period;
monobj float DecisionModule.track;
monobj float DecisionModule.angle;
monobj float DecisionModule.volts;
event startPgm = update(DecisionModule.period);
event ev_current_angle = update(DecisionModule.angle);
event ev_track_pos = update(DecisionModule.track);
event ev_volts=update(DecisionModule.volts);
end
Checking: IP.medl
• Detecting violations
ev_current_angle -> { theta' = value(ev_current_angle,0)/52.29578;
thetadot' = (theta' - theta) / 0.040; }
ev_track_pos-> { x' = value(ev_track_pos,0)/ 100; xdot' = (x' - x) / 0.040; }
condition abnormal = (track_pos' > 40 || track_pos' < -40) || safeVal >= 4 ;
event invokeSafeController = start(abnormal) when (controller == 1);
event invokeExternalController = start(nTimer'%500 == 0) when (controller == 0);
invokeSafeController -> { invoke change2SC(); controller = 0; }
invokeExternalController -> { invoke change2EC(); controller = 1; }
Checking: IP.medl
• Safety envelope computation
event calcSafeVal = ev_volts when (controller == 1);
calcSafeVal -> {
volts'= value(ev_volts,0);
xa_0' = x + 0.00051281 * theta + 0.017961 * xdot + 0.0000026781*thetadot + 0.0003618 * volts';
xa_1' = -1.0056 * theta + 0.0046419 * xdot - 0.020029 * thetadot - 0.00082708 * volts';
xa_2' = 0.049519 * theta + 0.80322 * xdot + 0.00043546 * thetadot + 0.034913 * volts';
xa_3' = -0.55967* theta + 0.44824*xdot - 1.0048*thetadot - 0.079879 * volts';
temp_0' = 37.62 *xa_0' + 58.22 * xa_1' + 17.87 *xa_2' + 11.61 *xa_3' ;
temp_1' = 58.22 *xa_0' + 313.16 * xa_1' + 69.36 *xa_2' + 56.09 *xa_3' ;
temp_2' = 17.87 *xa_0' + 69.36 * xa_1' + 29.81*xa_2' + 14.81*xa_3' ;
temp_3' = 11.61 *xa_0' + 56.09 * xa_1' + 14.81 * xa_2' + 12.04*xa_3' ;
safeVal' = xa_0'*temp_0' + xa_1'*temp_1' + xa_2'*temp_2' + xa_3'*temp_3';
}
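The checking logic of the two IP.medl slides (the abnormal condition, the safety envelope safeVal' = x_aᵀ P x_a, and the two guarded switch events), rewritten as the automaton with an auxiliary store that the "Property checking" slide describes. This is an added Python example, not MaCS code or the MEDL compiler's output. The A, B and P constants, the thresholds 4 and ±40, the 0.040 s period and the 52.29578 angle divisor are copied from the slides; the `tick` event that advances nTimer and the reading of `track_pos'` as the raw track value are assumptions, since neither is declared in the excerpt shown.

```python
"""Added example: IP.medl's checker as a plain-Python automaton over an event stream."""

# Constants copied from the IP.medl slides.  xa = A*X + B*u is the one-step
# prediction of the linearised pendulum with X = (x, theta, xdot, thetadot),
# in the order the aux variables are combined; P is the envelope matrix.
A = [[1.0,  0.00051281, 0.017961,   0.0000026781],
     [0.0, -1.0056,     0.0046419, -0.020029],
     [0.0,  0.049519,   0.80322,    0.00043546],
     [0.0, -0.55967,    0.44824,   -1.0048]]
B = [0.0003618, -0.00082708, 0.034913, -0.079879]
P = [[37.62,  58.22, 17.87, 11.61],
     [58.22, 313.16, 69.36, 56.09],
     [17.87,  69.36, 29.81, 14.81],
     [11.61,  56.09, 14.81, 12.04]]
SAFE_THRESHOLD = 4.0      # condition abnormal: safeVal >= 4
TRACK_LIMIT = 40.0        # condition abnormal: |track| > 40 (assumed: raw track value)
PERIOD = 0.040            # 40 ms between samples (the /0.040 on the slide)
ANGLE_SCALE = 52.29578    # divisor applied to the raw angle, as on the slide
SWITCH_BACK = 500         # nTimer % 500 == 0 re-enables the experimental controller
SC, EC = 0, 1             # values of the MEDL variable `controller`


def safe_val(state, volts):
    """safeVal' = xa^T P xa for xa = A*state + B*volts (the calcSafeVal body)."""
    xa = [sum(A[i][j] * state[j] for j in range(4)) + B[i] * volts for i in range(4)]
    temp = [sum(P[i][j] * xa[j] for j in range(4)) for i in range(4)]
    return sum(xa[i] * temp[i] for i in range(4))


class Checker:
    """MEDL spec as an automaton: auxiliary store, event handlers, edge-triggered
    `start(...)` events, and steering invocations through the `steer` callables."""

    def __init__(self, steer):
        self.steer = steer                         # {"change2SC": fn, "change2EC": fn}
        self.x = self.xdot = self.theta = self.thetadot = 0.0   # aux variables
        self.track = 0.0
        self.safe_val = 0.0
        self.controller = EC                       # experimental controller running
        self.n_timer = 0
        self._prev_abnormal = False                # for start(abnormal)
        self._prev_timer_cond = False              # for start(nTimer % 500 == 0)

    def abnormal(self):
        return abs(self.track) > TRACK_LIMIT or self.safe_val >= SAFE_THRESHOLD

    def event(self, name, value=0.0):
        """Feed one event from the event recognizer; return the action invoked, if any."""
        if name == "ev_current_angle":
            theta_new = value / ANGLE_SCALE
            self.thetadot = (theta_new - self.theta) / PERIOD
            self.theta = theta_new
        elif name == "ev_track_pos":
            self.track = value
            x_new = value / 100.0
            self.xdot = (x_new - self.x) / PERIOD
            self.x = x_new
        elif name == "ev_volts":
            if self.controller == EC:              # calcSafeVal = ev_volts when (controller == 1)
                self.safe_val = safe_val((self.x, self.theta, self.xdot, self.thetadot), value)
        elif name == "tick":                       # assumed timer event advancing nTimer
            self.n_timer += 1
        else:
            raise ValueError(f"unknown event {name}")
        return self._evaluate()

    def _evaluate(self):
        """Evaluate the two guarded events; fire a steering body on a rising edge only."""
        fired = None
        abn = self.abnormal()
        timer_cond = self.n_timer % SWITCH_BACK == 0
        if abn and not self._prev_abnormal and self.controller == EC:
            self.steer["change2SC"]()
            self.controller = SC
            fired = "change2SC"
        elif timer_cond and not self._prev_timer_cond and self.controller == SC:
            self.steer["change2EC"]()
            self.controller = EC
            fired = "change2EC"
        self._prev_abnormal, self._prev_timer_cond = abn, timer_cond
        return fired


def demo():
    """Constructed trace: upright, centred pendulum; the experimental controller
    first sends 5 V (inside the envelope) and then floods the motor with 20 V."""
    switches = []
    chk = Checker({"change2SC": lambda: switches.append("SC"),
                   "change2EC": lambda: switches.append("EC")})
    chk.event("ev_current_angle", 0.0)
    chk.event("ev_track_pos", 0.0)
    first = chk.event("ev_volts", 5.0)     # safeVal ~0.85 < 4: no switch
    second = chk.event("ev_volts", 20.0)   # safeVal ~13.6 >= 4: switch to SC
    last = None
    for _ in range(SWITCH_BACK):           # 500 timer ticks later: back to EC
        last = chk.event("tick")
    return first, second, last, switches
```

Because `calcSafeVal` is guarded by `controller == 1`, `safe_val` is frozen while the safety controller runs, so `abnormal` stays true and only the edge-triggered `start(abnormal)` keeps the checker from re-invoking `change2SC` every cycle; the timed switch back to the experimental controller then has to re-enter the envelope on its own.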
Steering: IP.sadl
steering script IP
steered objects
DecisionModule IP:dm;
float DecisionModule:volts;
steering action change2EC=
{ call (IP:dm).setEC(); } before read DecisionModule:volts;
steering action change2SC=
{ call (IP:dm).setSC(); } before read DecisionModule:volts;
end
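The asynchronous control cycle (invocation flags set by the checker and tested only at the safe spot IP.sadl names, `before read DecisionModule:volts`) and the synchronous cycle from the earlier slide, as an added Python model of the decision module. This is example code, not the MaCS injector class or the eSimplex Java source. The controller laws, the constructed sensor readings and the 5 V input limit used by the synchronous check (taken from the hard constraints on the inverted pendulum slide; its use as the confirmation rule is an assumption) are not from the original.

```python
"""Added example: asynchronous vs synchronous MaCS steering around a decision module."""
import threading


class SafetyController:
    """Stand-in for eSimplex's SafetyController (constructed law, not the LQR gains)."""
    def send_command(self, angle, track, period):
        return -0.5 * angle


class BadExperimentalController:
    """The 'terribly bad' controller of the demo: constant output regardless of state."""
    def send_command(self, angle, track, period):
        return 20.0


class Injector:
    """Role of the SADL-generated injector class: one invocation flag per action.
    The checker may set a flag at any time; the instrumented program tests the
    flags only at the safe spot named in the script and runs the bodies there."""

    def __init__(self):
        self.actions, self.flags = {}, {}
        self.lock = threading.Lock()

    def register(self, name, body):
        self.actions[name] = body
        self.flags[name] = False

    def invoke(self, name):               # checker side (possibly another thread)
        with self.lock:
            self.flags[name] = True

    def safe_spot(self):                  # program side: test flags, call pending bodies
        with self.lock:
            pending = [n for n, is_set in self.flags.items() if is_set]
            for n in pending:
                self.flags[n] = False
        for n in pending:
            self.actions[n]()
        return pending


class DecisionModule:
    """Mirror of DecisionModule.control(): compute volts with the current controller,
    pass the safe spot 'before read DecisionModule:volts', then send the command."""

    def __init__(self, injector, sync_check=None):
        self.SC, self.EC = SafetyController(), BadExperimentalController()
        self.ctr = self.EC
        self.injector = injector
        self.sync_check = sync_check      # None -> asynchronous cycle only
        self.sent = []                    # what nativeSendCommand() would have received
        injector.register("change2SC", self.set_sc)
        injector.register("change2EC", self.set_ec)

    def set_sc(self):
        self.ctr = self.SC

    def set_ec(self):
        self.ctr = self.EC

    def control(self, angle, track, period):
        volts = self.ctr.send_command(angle, track, period)
        self.injector.safe_spot()         # asynchronous steering lands here
        if self.sync_check is not None and not self.sync_check(volts):
            # Synchronous cycle: the checker rejected the critical update and
            # invoked a switch; steer now and recompute before anything is sent.
            self.injector.safe_spot()
            volts = self.ctr.send_command(angle, track, period)
            if not self.sync_check(volts):
                raise RuntimeError("safety controller output also rejected")
        self.sent.append(volts)           # the critical update (motor command)
        return volts


VOLT_LIMIT = 5.0  # assumed rule: the 5 V hard constraint from the pendulum slide


def make_sync_check(injector):
    """Checker's confirmation step: within limits -> True, else invoke change2SC."""
    def check(volts):
        if abs(volts) <= VOLT_LIMIT:
            return True
        injector.invoke("change2SC")
        return False
    return check


def demo_async():
    """Constructed trace: pendulum 1 degree off upright, checker reacts after cycle 1."""
    inj = Injector()
    dm = DecisionModule(inj)
    dm.control(1.0, 0.0, 0.04)            # cycle 1: EC's 20 V reaches the motor
    inj.invoke("change2SC")               # checker saw ev_volts and invoked the switch
    dm.control(1.0, 0.0, 0.04)            # cycle 2: volts already computed by EC; switch at safe spot
    dm.control(1.0, 0.0, 0.04)            # cycle 3: SC in charge
    return dm.sent


def demo_sync():
    inj = Injector()
    dm = DecisionModule(inj, sync_check=make_sync_check(inj))
    dm.control(1.0, 0.0, 0.04)            # EC's 20 V is rejected before it is sent
    return dm.sent
```

The two traces make the slide's point concrete: with asynchronous steering the bad command is sent twice before the switch takes effect, because the action body runs after `volts` has already been computed and only before it is read; with the synchronous check the update is held until the checker confirms, so no out-of-envelope command reaches the motor.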
Demonstration
• Checker detects violations when the experimental controller is running
  – Switches to the safe controller when a violation is detected
  – After a fixed time switches back to the experimental controller
• A terribly bad experimental controller
  – Sends constant output to the motor regardless of the situation
Experimental results
• MaCS can successfully detect safety violations in eSimplex and force switching to the safety controller
• Keeps the pendulum upright even if the experimental controller fails completely
• Turnaround time for the detection/steering cycle is significantly smaller than the eSimplex control cycle– synchronous steering is possible
Future directions
• Implement synchronous steering
  – Extend SADL to have both synchronous and asynchronous actions
  – Modify instrumentation to pause the program
• Note that steering is now tied to specific updates
• Coordination with PEDL may be needed
• MaCS on real-time Java
• Distributed MaCS