Integrated Design and Analysis Tools for Software Based ...

1

SEC PI MeetingSan Antonio, Nov. 13-5, 2001

Integrated Design and Analysis Toolsfor Software Based Control Systems

Principal Investigator: Tom HenzingerCo-Principal Investigator: Edward A. LeeCo-Principal Investigator: Shankar SastryProgram Manager: John BayOrganization: University of California at BerkeleyContract Number: F33615-98-C-3614

Boeing subcontract (OCP):Principal Investigator: Edward A. LeeCo-Principal Investigator: Tom Henzinger

Presenters:Edward A. LeeJie LiuJohn KooUC Berkeley

Berkeley SEC Project, San Antonio, 2

Subcontractors and CollaboratorsBoeing

OCPGeorgia Tech

blending controllersOGI & Yale

embedded virtual machineNorthrop Grumman

multimodal controlVanderbilt/Xerox

fault detection/isolation, metamodelingStanford and SRI

modal control systems - softwalls

2


Problem Description andProgram Objective

This project concerns the design of multi-agentmulti-modal control systems, their distributedreal-time software implementation, and theirformal analysis. As a common foundation webuild on the use of heterogeneous hybridmodeling techniques.


Technical Approach SummaryModels of computation

real-timeheterogeneous

Applying theory of component-based designInterface theories (with Mobies)System-level types (with Mobies)Theory of frameworks

Hybrid systems theorymulti-vehicle architecture integrationmulti-model control derivation and analysis

Software laboratory: Ptolemy IIHardware laboratory: Helicopter UAVs

3


Fault Detection, Isolation, RecoveryApproach: Generalized reflectionDemonstration: Cooperative multi-agent control

Reflection is a type theoretic notion of components that make availableat run time models of themselves. Classically, these models representonly static type information. Our variant represents dynamics.

One componentcarries a model

of anothercomponent that

reflects itsdynamic behavior


Blending Controllers(Collaboration with Georgia Tech)

Blending controllerarchitecture enablesdisciplined transitionsbetween control laws

4


Embedded Virtual Machine(Collaboration with OGI and Yale)

The embedded machine or E machine is a virtual,real-time scheduling machine

The E machine has:ports, drivers, tasks, and triggers3 key instructions + arbitrary control flow instructions

The E machine provides a platform for generatingdistributed, real-time scheduling code


The Embedded Machine: Three Instructions

SynchronousExecution:

ScheduledExecution:

schedule(t) call(d)

Triggering: enable(g,b)Tick

clk @ 20ms

b:

td

5


Portability, Mobility, Real-Time

Portability: no specific hardware mapping, nospecific scheduling scheme

Mobility: dynamic upload/linking of E code;binary application code strictly separated

Real-Time: hard real-time performance


Boeing Subcontract:Open Control Platform - OCP

We are contributing to the future evolution of the OCP byhelping to define and refine its semantics, using thesesemantics in hardware-in-the-loop simulation, anddetermining how the semantic model interoperates withothers, such as FSM (for mode changes) and Giotto (forhard-real-time systems). Specific tasks include:

Ptolemy II domains that explore OCP semantics.Component interfaces for real-time quality of service.Concurrency management.Solving the precise mode change problem.Interoperation of heterogeneous semantic models.

6


Precise Mode Change Problem

How do you getthe processesto a quiescentstate to take amode change?

thread or process

thread or process

thread or process

Jie Liu


TM: Timed MultitaskingA Model of Computation for Real Time

Previously reported versions were calledRTOS (real-time operating system)HPM (hierarchical preemptive multitasking)

Model of computation withConcurrencyDynamic prioritiesImproved determinacy (vs. prioritized threads)Simple real-time interface propertiesPrecise mode changesPossibilities for admission control, anytime algorithms…

Implementable on the OCPDistributedReal-time CORBA, using event channel

7


Precise ReactionA precise reaction is a finite piece of computationthat depends solely on its trigger.

trigger

finish

computation

quiescent state

responsible trigger


Responsible FrameworksA responsible framework requests that all itscomponents be precisely reactive and triggersthese components only with responsible triggers.

• Deadlocks can be monitored by examining triggering rules.

• A model always settles in quiescent states.

• Solves priority inversion problems in priority-based models.

8


Compositional Precise ReactionCan we treat a composition of components as an atomiccomponent?Yes, if the framework is responsible.


Precise Mode Change SolutionWill the process be in a quiescent state when we do a modechange?Yes, if the framework is responsible.

9


BenefitsComposable semantics

arbitrarily deep hierarchiesheterogeneous hierarchies

Precise mode switchingnest FSMs with anything else

Real-time schedulingmake RT scheduling policies

independent of functionality

controller plant

actuatordynamics

sensor

task1

task2

TTA

TTA

Hierarchical, heterogeneous,system-level model


Examples of Responsible FrameworksDataflow with firing

Firing rules are responsible trigger conditions.Atomic firings are precise reactions.

Timed MultitaskingTasks are either nonpreemptable or arbitrarily preemptable.Event-based firing rules are responsible triggers.Split-phase execution and over-run handling to guaranteetiming properties.

GiottoTime are responsible triggers.Well-defined communication guarantees precise reaction.Tasks are arbitrarily preemptable.

10


Giotto – Periodic Hard-Real-TimeTasks with Precise Mode Changes

t+10mst+10mst t t+5ms t+5ms

Higher frequency Task

Lower frequency task:

Giotto compiler targets the E MachinePtolemy II Giotto domain code generator planned


Helicopter TestbedsGiotto controller for Zurich helicopter writtenGiotto controller for Berkeley helicopter in progress

11


High ConfidenceControl Design for UAVs

Hybrid Control Design forMulti-Vehicle Multi-Modal Systems

Multi-modal controller for single vehicleCoordination of multiple vehicles

High-Confidence Hybrid ControlFDIR capabilities for single (envelope protection,sensor/actuator failures) and multiple vehicles(collision avoidance and conflict resolution)

Hierarchical System DesignBased on parallel and serial compositions of modelsof computationEnabling multiple vehicle corporative controlImplementation on OCP

John Koo


Technical ApproachHybrid Control design will be basedon a nonlinear helicopter model andnonlinear controllers. Available forsimulation in Ptolemy II andSimulinkHardware-In-the-Loop (HIL)simulation for architectureevaluation is currently underconstruction. System consists of anembedded controller and anemulator for emulatingsensor/dynamics/actuator.Verified/Validated embeddedcontroller will be used forcontrolling a R-Max helicopter.

NAV COMPQNX

PC104K6-400

SECONDARYNAV COMP

Win98PC104K6-400

ROUTERFreeBSD

MediaGX233BOEINGDQI-NP

Ethernet Hub

NOVATELGPS RT-2

BATTBATT

LucentWaveLAN

DC/DC Converter(for DQI-NP;24V)

Digital Compass

Dynamics

actuatorsensorVisualization

GUISW

12


q1 q2q3

u

xç = f (x ) + g(x )u

x

qi i =p : u = k i (x ; r i )o=p : y i = h i (x )

y i ! r i b y d esign

F or con t rol m od e qi ;

A ssum e t h a t r i 2 R i

x ( t 0) 2 S i ( r i ) ò X ix ( t ) 2 X i ; t õ t 0

Hierarchical Control ofMulti-Modal Systems

Given a continuous control system, a collection of control modesare designed

Problem Statement of Mode SwitchingDoes there exist a finite sequence of control modes for satisfying a setof given reachability specifications?

If it does exist, can the switching conditions be determined?When/ Where? Guard/Reset SynthesisWhat Trajectory? Performance Criteria

qS qF

Specification

!r S r F

qjqiqS qF

!% &

rS

r i r j

r F

Synthesis


ComputationOffline: Synthesis of control mode graph

Reachability and IntersectionOnline: Synthesis of control switching sequence

Reachability on Graph

T. J. Koo, G. J. Pappas, and S. Sastry, “Mode Switching Synthesis forReachability Specifications,” Hybrid Systems: Computation andControl, Lecture Notes in Computer Science, Springer, 2001.

Mode Switching Algorithm forMulti-Modal Control

q121 q122

q322

q422

q232 q233

q433 q323

q343

q244

q344

q434

q424

Mode q1

Mode q2

Mode q3

Mode q4

q242

q222 q222

q444 q444

q333 q333

abstraction

refinement

13


Hierarchical Component-Based DesignHierarchical nesting of compositions of discrete and continuouscomponentsAt each level of the hierarchy, a Model of Computation (MoC)governs the behaviors and interactions of components

q1 q2q3

xç = f (x ) + g(x )u

u x

(û i ; r i ) f (qj ; y j )g

î i z

e i s j

ODEsCT

DE

FSM

DE

PS

FSM

FSM

Realizationin Ptolemy II


Our Solution:at the level closest to theenvironment undercontrol, the embeddedsoftware needs to betime-triggered forguaranteed safety;

at higher levels, anasynchronous hybridcontroller design isrequired.

Implementing a Design inEmbedded Software

Environment

Embedded Hardware

Board Support Packages

Operating System

Embedded Software

Com

putingPlatform

Time-triggered SoftwareEvent-triggered Software

Question: How to guarantee safetyof the embedded system?

14


Ongoing WorkHardware-In-the-Loop (HIL) simulation forarchitecture evaluation is currently underconstruction. System consists of an embeddedcontroller and an emulator forsensor/dynamics/actuator.

Verified/Validated embedded controller will control anR-Max helicopter.

NAV COMPQNX

PC104K6-400

SECONDARYNAV COMP

Win98PC104K6-400

ROUTERFreeBSD

MediaGX233 BOEINGDQI-NP

Ethernet Hub

NOVATELGPS RT-2

BATTBATT

LucentWaveLAN

DC/DC Converter(for DQI-NP;24V)

Digital Compass

Dynamics

actuatorsensorVisualization

GUISW


Candidate Real-life Applications(with Northrop-Grumman)

Vector off

approach trajectorywaveoff trajectory

waveoff trajectory

To holding pattern

Lead

Wingman

LeadWingman

15


Project Tasks/Schedule/StatusDemos done

Multi-modal helicopter control model (hybrid system)Fault detection/isolation based on generalized reflectionBlending controller (with Georgia Tech)Publish & subscribe using Jini and JavaSpacesGiotto helicopter control for Zurich helicopterPrecise mode changes using TM domainMulti-modal distributed control (with Lego robots)

Fundamental contributionsFramework theory

responsible frameworksprecise reactions/mode changesmanaging heterogeneitymodels of computation

Timed multitasking model of computationGiotto time-triggered model of computationMultimodal control frameworkController synthesis for safety properties


Next MilestonesFuture milestones

Giotto helicopter control for Berkeley helicoptersHardware-in-the-loop simulationCORBA/OCP event channel interface to the TM domainOCP E Machine realizationE Machine realizations running hard-real-time codeFDIR in hybrid controllers for single/ multiple vehiclesMulti-vehicle formation flight

Anticipated fundamental contributionsJust watch!

16


Technology Transition/TransferClassic tech transfer strategy:

CopyrightRetain intellectual property & leverage the profit motive

Radical tech transfer strategy:CopyleftDistribute freely & impose your ideology on others

Berkeley tech transfer strategy:CopycenterTake it to the copy center & copy as much as you like.

Success of this model:Many companies have brought Berkeley research results intothe marketplace.


Technology Transition/Transfer –Near-Term Plans

E Machine pilot implementations will show how toIsolate designers from RTOS platformsGet a coherent semantics in the run-time environment

Giotto model of computation will show how toBuild hard-real-time, periodic, multimodal modelsSpecify real-time requirement (vs. infer real-time behavior)

TM model of computation will show how toBuild priority-driven multitasking with precise mode changes

Ptolemy II version 2.0 release will show how toGet precise mode changes in a real-time multitasking contextRealize multi-modal multi-agent hybrid systemsRealize blending controllers

Helicopter control models will show how toHierarchically build autonomous multi-vehicle control systems withhybrid control methods.Work with Northrop-Grumman to transfer methods.

17


Program Issues –Employing SEC Technology

Homeland defense – softwallscarry on-board 3-D database with “no-fly-zones”enforce in the on-board avionics, based on localizationnon-networked, non-hackablehybrid, modal controller in embedded software

Integrated Design and Analysis Tools for Software Based ...

Documents

Transcript of Integrated Design and Analysis Tools for Software Based ...