Runtime Model Predictive Verification on Embedded Platforms 1 Pei - PowerPoint PPT Presentation

Runtime Model Predictive Verification on Embedded Platforms 1 Pei Zhang, Jianwen Li, Joseph Zambreno, Phillip H. Jones, Kristin Yvonne Rozier Presenter: Pei Zhang Iowa State University peizhang@iastate.edu September 28, 2018 1 Work supported by NASA ECF NNX16AR57G and NSF CAREER Award CNS-1552934. 1 / 32

Overview Introduction 1 Overview Preliminary 2 State Space Model Methodology 3 Hardware Monitor Model Predictive Runtime Verification Evaluation 4 Simulation of MPRV Disturbance Effect WCET Analysis Conclusion 5 Related Work 6 2 / 32

Introduction Motivation Light weight monitor for embedded platform; Unobstrusive to a certified safety-critical system; Providing timely information; Runtime safety monitor 3 / 32

Introduction Overview Overview of Design Architecture On-chip Controllers Supervisory Controller Feedback Control Future Time Monitor AP 1 … AP n Environment Conversion Function Sensor Figure: High level architecture of model predictive runtime verication. 4 / 32

Introduction Overview Overview of Design Architecture Controllers Supervisory Controller Model Predictor Feedback Control Future Time Monitor On-chip Model AP 1 AP AP 1 AP n m Controller Environment Predictor Sensor Figure: High level architecture of model predictive runtime verication. 5 / 32

Preliminary Extending LTL for Safety Properties: MLTL Mission-Time Linear Temporal Logic (MLTL) reasons about bounded timelines: finite set of atomic propositions { p q } Boolean connectives: ¬ , ∧ , ∨ , and → temporal connectives with time bounds : Symbol Operator Timeline p p p p p � [ 2 , 6 ] p Always [ 2 , 6 ] 0 1 2 3 4 5 6 7 8 p � [ 0 , 7 ] p Eventually [ 0 , 7 ] 0 1 2 3 4 5 6 7 8 p p q p U [ 1 , 5 ] q Until [ 1 , 5 ] 0 1 2 3 4 5 6 7 8 q q q p,q p R [ 3 , 8 ] q Release [ 3 , 8 ] 0 1 2 3 4 5 6 7 8 6 / 32

Preliminary Model Predictive Function F ∶ Σ → Σ ∗ . Definition (Predictive MLTL Semantics) Let π be a finite trace over Σ ∗ . The predictive truth value of the MLTL formula ϕ with respect to π , denoted as [ π ⊧ ϕ ] p , is an element of { true , false , ? } defined as follows: ⎧ if ∀ π ′ ∈ Σ ∗ ⋅ ( π ⋅ F ( π ) ⋅ π ′ ) ⊧ ϕ ; true ⎪ ⎪ ⎪ ⎪ if ∀ π ′ ∈ Σ ∗ ⋅ ( π ⋅ F ( π ) ⋅ π ′ ) / [ π ⊧ ϕ ] p = ⎨ false ⊧ ϕ ; ⎪ ⎪ ⎪ ⎪ ? (skip) Otherwise . ⎩ 7 / 32

Preliminary State Space Model State Space Model A discrete state-space model defines what state a system will be in one-time step into the future: x k + 1 = Ax k + Bu k (1) y k = Cx k + Du k (2) x k represents the state of the system at time k u k represents the input acting on the system at time k y k represents outputs of the system at time k A is a matrix that defines the internal dynamics of the system B is a matrix that defines how the input acting upon the system impact its state C is a matrix that transforms states of the system into outputs ( y k ) 8 / 32

Methodology Hardware Monitor Abstract Syntax Tree (AST) Q: How can we check MLTL satisfication in hardware? Compile the MLTL formula into assembly code: e.g. ◻ [ 0 , 2 ] ( ! a 0 ) Line 0 ∶ s 0 ← load ( a 0 , time ) Line 1 ∶ s 1 ← ¬ s 0 Line 2 ∶ s 2 ← ◻ [ 0 , 2 ] s 1 Each instruction are stored in a data structure called Shared Connection Queue (SCQ). 9 / 32

Methodology Hardware Monitor Computation Core Queue Management CORE Var Mem 𝜐 e PTR v1 Instruction I1 I1 v2 Memory I2 I2 ... ... ... PC SCQ Search SCQ □/ ◇ ∧ / ∨ U I1 L ¬ FSM I2 Empty Find Data ... Observer Increase PC Algorithm L LOAD ATOMICs RAW Sensor Signals ¬ NEGATE (binary) RAM ∧ / ∨ AND/OR ... AP[1] AP[N] Fetch □/ ◇ GLOBAL/FUTURE Write Back Instruction Filters U UNTIL (a) Observer Processing Core. (b) State machine transitions. Figure: Hardware design for embedded MLTL observer processor. 10 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Restore Verification Step 1 Convert sensor data into atomic propositions (APs) using predefined atomic conversion functions. 11 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Restore Verification Step 2 Observer processing core conducts runtime verification over the newly received APs. 12 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Restore Verification Step 3 Model Predictive Control (MPC) for a specified prediction horizon length is executed to estimate future states of the system. 13 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Restore Verification Step 4 Contents of the SCQs are cached. 14 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Verification Restore Step 5 Observer processing core conducts runtime verification over the generated trace of estimated future system states. 15 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Verification Restore Step 6 Restore cached SCQs contents. Thereby, placing the observer processing core back into its original state. 16 / 32

Methodology Model Predictive Runtime Verification Model Predictive Runtime Verification Processing Flow Model 3 Prediction Cache 1 5 Read Sensor 4 Runtime 6 2 Restore Verification Step 7 Return to step 1), once the next sensor sampling period starts. 17 / 32

Evaluation Simulation of MPRV MPRV on Moving a Point Mass 2.0 position Position (m) planned trajectory 1.5 1.0 0.5 0.0 0 10 20 30 40 50 60 Time (s) Figure: Model predictive control of the height of a point mass. Control input force ∈ [-1N, 1N]. Cost weighting: 2 with the error in mass position and 1 with its speed. Prediction horizon: 100. Controller actuation update rate to 10 Hz. a 0: absolute speed < 0.1m/s. a 1: absolute value of trajectory error < 0.08m. 18 / 32

Evaluation Simulation of MPRV True ( � [ 5 ] a 1 ) ∧ a 0 False No Prediction Predict 10 (1.0s) Predict 50 (5.0s) 0 10 20 30 40 50 60 Time (sec) Figure: MPRV responsiveness for different prediction horizons: No prediction, 10 steps (1s), 50 steps (5s). True a 1 U [ 5 , 20 ] a 0 False No Prediction Predict 10 (1.0s) Predict 50 (5.0s) 0 10 20 30 40 50 60 Time (sec) 19 / 32

Evaluation Simulation of MPRV Disturbance 2.0 position Position (m) planned trajectory 1.5 1.0 0.5 0.0 0 10 20 30 40 50 60 Time (s) Figure: Unexpected disturbance taken place during control. The disturbance is marked in by the yellow rectangle. an external disturbance force being applied at time 14.6s and 35.0s. a 0: absolute speed < 0.5m/s. a 1: absolute value of trajectory error < 0.04m. 20 / 32

Evaluation Simulation of MPRV Disturbance 2.0 position Position (m) planned trajectory 1.5 1.0 0.5 0.0 0 10 20 30 40 50 60 Time (s) True a 1 ∧ � [ 15 ] a 0 False No Prediction Predict 50 (5.0s) 0 10 20 30 40 50 60 Time (sec) Figure: Comparasion between MPRV and normal RV with disturbance. 21 / 32

Evaluation Simulation of MPRV Disturbance 2.0 position Position (m) planned trajectory 1.5 1.0 0.5 0.0 0 10 20 30 40 50 60 Time (s) True a 1 ∧ � [ 15 ] a 0 False No Prediction Predict 50 (5.0s) 0 10 20 30 40 50 60 Time (sec) Figure: Comparasion between MPRV and normal RV with disturbance. 22 / 32

Evaluation Simulation of MPRV Utilize the MPRV Predictions under Disturbance 1 Case 1: Disturbance instantly breaks MLTL rule. 2 Case 2: Disturbance does not instantly break the MLTL rule. 3 Case 3: Disturbance adverts the system from breaking the MLTL in the future. 23 / 32

Evaluation Simulation of MPRV Sensor Noise and Prediction Horizon Length 100% 100% 80% 80% Accuracy Accuracy 60% 60% 40% 40% ◻ [ 15 ] a 4 ◻ [ 15 ] a 4 a 0 a 4 a 0 a 4 20% 20% � [ 15 ] a 1 a 1 � [ 15 ] a 1 ( � [ 5 ] a 3 ) ∧ a 1 a 1 ( � [ 5 ] a 3 ) ∧ a 1 ◻ [ 15 ] a 1 ◻ [ 15 ] a 1 a 2 a 2 ( a 3 U [ 5 , 20 ] a 1 ) ( a 3 U [ 5 , 20 ] a 1 ) 0% 0% 0 . 0 0 . 2 0 . 4 0 . 6 0 10 20 30 40 50 Noise Standard Deviation Prediction Step Length (P) (a) Sensor noise impact on MPRV (b) Prediction horizon length impact accuracy. Prediction horizon length is on MPRV accuracy. Sensor noise 10 (1s) standard deviation is 0.025. Figure: Impact of sensor noise and prediction horizon length on MPRV accuracy. a 0: absolute value of trajectory error < 0.04m a 1: absolute value of trajectory error < 0.08m a 2: absolute value of trajectory error < 0.20m a 3: absolute speed > 0.6 m/s a 4: position > 1.0 m/s 24 / 32