Adaptive Contracts For the Internet of Things Antonio Iannopollo - - PowerPoint PPT Presentation
Adaptive Contracts For the Internet of Things Antonio Iannopollo Advised by Prof. Sangiovanni-Vincentelli Marten Lohstroh Advised by Prof. Lee University of California, Berkeley CPS V&V I&F Workshop, CMU, Pittsburgh May 6, 2016
TerraSwarm Research Center 05/06/16
Advised by Prof. Sangiovanni-Vincentelli
Advised by Prof. Lee University of California, Berkeley
CPS V&V I&F Workshop, CMU, Pittsburgh May 6, 2016
TerraSwarm Research Center 05/06/16
The Internet of Things (IoT) poses unprecedented challenges to designers:
process;
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16
Pieter Bruegel (1563)
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16 Application space Architectural space
Mapping and
The application space includes the specification for the current mapping
by the designer or be the result of another PBD iteration The mapping process consists in the selection of a specific architectural instance, evaluating costs and functional/architectural constraints The architectural space includes platform components (libraries) abstracted from lower levels, connection rules and other properties such as component cost and timing properties
Refinement Abstraction
Specs C1 Cn
TerraSwarm Research Center 05/06/16 Application space Architectural space
Mapping and
Refinement Abstraction
Specs C1 Cn
TerraSwarm Research Center 05/06/16
Discrete Events Accessor Accessor Runtime (JavaScript) Horizontal The accessor bridges two semantic domains: Discrete Events (DE) and the accessor runtime (AR). Each domain has its own rules. Most importantly, the AR uses the asynchronous atomic callback (AAC) pattern due to its implementation in JavaScript, in DE a component may only react when it is fired. Vertical “An Interface Theory for the Internet of Things”, Lohstroh and Lee (SEFM’15)
TerraSwarm Research Center 05/06/16 Other useful properties...
Web server appear at the accessor’s
corresponding requests arrived at its input port (in LTL):
TerraSwarm Research Center 05/06/16 A contract C=(A, G) is characterized by:
A and G represent sets of environment and system behaviors
defines A M G Ω
For a component M (also defined as a set of behaviors) we have that
A M G Ω
A contract is saturated if in the form:
A M G Ω
Albert Benveniste, Benoit Caillaud, Dejan Nickovic, Roberto Passerone, Jean-Baptiste Raclet, et al.. Contracts for System Design. ] RR-8147, INRIA. 2012
TerraSwarm Research Center 05/06/16
C1 C2 A G
A/G Contract Theory specifies a number of operations to operate on contracts. We can recall a few of them:
TerraSwarm Research Center 05/06/16
Concrete representation of contracts using Linear Temporal Logic formulas
Given contracts
TerraSwarm Research Center 05/06/16 Example: security camera with remote analysis of the footage Contract C describes one aspect of the controller for the camera.
C Inputs: x (network bandwidth) Outputs: y (alarm notification delay) A: x ≥ 1 Mbps G: y < 10 sec In saturated form, guarantees are x < 1 Mbps ∨ y < 10 sec
If the network is too slow, then the component is allowed to expose any behavior!
cloud
TerraSwarm Research Center 05/06/16
Example: security camera with remote analysis of the footage If the network cannot satisfy the assumptions, then the component should guarantee lower performance
C Inputs: x (network bandwidth) Outputs: y (alarm notification delay) A: x ≥ 1 Mbps G: y < 10 sec
C* represents an approximation of the original contract C
cloud 512Kbps C* Inputs: x (network bandwidth) Outputs: y (alarm notification delay) A: x ≥ 512 Kbps G: y < 20 sec
TerraSwarm Research Center 05/06/16 We introduce the notion of Contract Approximation:
levels of systems.
with a wider set of assumptions at a cost of degraded guarantees.
TerraSwarm Research Center 05/06/16 Charging Station for Electric Cars
A charging station for electric cars is able to optimize power delivery to connected cars. Knowing how many cars are charging, the controller delivers a certain amount of power to every car to
With Jun Jie Ng and Lucas Servén
exceed 3h.
A typical requirement for this scenario could be:
TerraSwarm Research Center 05/06/16 Charging Station for Electric Cars
A charging station for electric cars is able to optimize power delivery to connected cars. Knowing how many cars are charging, the controller delivers a certain amount of power to every car to
C1: Charging module Input: n: # of cars (unitless) Output: p: charging power (W) Assume: 0 ≤ n ≤ 2 Guarantee: 1500W ≤ p ≤ 5000W C2: Battery module Input: p: charging power (W) Output: t: charging time (hours) Assume: 1000W ≤ p ≤ 5000W Guarantee: 0 ≤ t ≤ 2h
C1 C2
Spec: Input: n: # of cars (unitless) Output: t: charging time (hours) Assume: n = 1 Guarantee: 0 ≤ t ≤ 3h
Horizontal Contract Composition Vertical Contract Relation n t p C1⊗C2
With Jun Jie Ng and Lucas Servén
TerraSwarm Research Center 05/06/16 Is C1⊗C2 compatible? Is C1⊗C2 consistent?
C1⊗C2 Assumptions:
(0 ≤ n ≤ 2 ∧ 1000W ≤ p ≤ 5000W) ∨ ¬ { [1500W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 2)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)] }
✓ Compatible
C1⊗C2 Guarantees:
[1500W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 2)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)]
✓ Consistent
TerraSwarm Research Center 05/06/16 Refinement Check: Assumptions
C1⊗C2 Assumptions:
(0 ≤ n ≤ 2 ∧ 1000W ≤ p ≤ 5000W) ∨ ¬ { [1500W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 2)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)] }
Spec Assumptions:
n = 1
TerraSwarm Research Center 05/06/16 Refinement Check: Guarantees
C1⊗C2 Guarantees:
[1500W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 2)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)]
Spec Guarantees:
0 ≤ t ≤ 3h ∨ ¬ (n = 1)
✓ Yes, C1⊗C2 ≼Spec
TerraSwarm Research Center 05/06/16 What happens if a charging station needs to charge more cars? (i.e. the requirement requires a guarantee for 3 cars)
C2: Battery module Input: p: charging power (W) Output: t: charging time (hours) Assume: 1000W ≤ p ≤ 5000W Guarantee: 0 ≤ t ≤ 2h
C1 C2
Spec: Input: n: # of cars (unitless) Output: t: charging time (hours) Assume: n = 3 Guarantee: 0 ≤ t ≤ 3h
n t p C1⊗C2
C1: Charging module Input: n: # of cars (unitless) Output: p: charging power (W) Assume: 0 ≤ n ≤ 2 Guarantee: 1500W ≤ p ≤ 5000W
We need to approximate C1 and degrade system performance.
TerraSwarm Research Center 05/06/16
C1*: Charging module Input: n: # of cars (unitless) Output: p: charging power (W) Assume: 0 ≤ n ≤ 3 Guarantee: 1000W ≤ p ≤ 5000W C2: Battery module Input: p: charging power (W) Output: t: charging time (hours) Assume: 1000W ≤ p ≤ 5000W Guarantee: 0 ≤ t ≤ 2h
C1 C2
Spec: Input: n: # of cars (unitless) Output: t: charging time (hours) Assume: n = 3 Guarantee: 0 ≤ t ≤ 3h
n t p C1*⊗C2
What happens if a charging station needs to charge more cars? (i.e. the requirement requires a guarantee for 3 cars) We need to approximate C1 and degrade system performance.
TerraSwarm Research Center 05/06/16 Is C1*⊗C2 compatible? Is C1*⊗C2 consistent?
C1*⊗C2 Assumptions:
(0 ≤ n ≤ 3 ∧ 1000W ≤ p ≤ 5000W) ∨ ¬ { [1000W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 3)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)] }
✓ Compatible
C1*⊗C2 Guarantees:
[1000W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 3)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)]
✓ Consistent
TerraSwarm Research Center 05/06/16 Refinement Check: Assumptions
C1*⊗C2 Assumptions:
(0 ≤ n ≤ 3 ∧ 1000W ≤ p ≤ 5000W) ∨ ¬ { [1000W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 3)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)] }
Spec Assumptions:
n = 3
TerraSwarm Research Center 05/06/16 Refinement Check: Guarantees
C1*⊗C2 Guarantees:
[1000W ≤ p ≤ 5000W ∨ ¬(0 ≤ n ≤ 3)] ∧ [(0 ≤ t ≤ 2h) ∨ ¬(1000W ≤ p ≤ 5000W)]
Spec Guarantees:
0 ≤ t ≤ 3h ∨ ¬ (n = 3)
✓ C1*⊗C2 ≼Spec
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16
TerraSwarm Research Center 05/06/16
II.
maximizing (non-)functional requirements.
TerraSwarm Research Center 05/06/16