Enabling Dependable Communication in Cyber-Physical Systems with a Wireless Bus Federico Ferrari PhD Defense October 18, 2013 — Zurich, Switzerland Computer

Enabling Dependable Communication in Cyber-Physical Systems with a

Wireless Bus

Federico Ferrari

PhD DefenseOctober 18, 2013 — Zurich, Switzerland

Computer Engineeringand Networks Laboratory

Enabling Dependable Communication in Cyber-Physical Systems with a Wireless Bus 2

Cyber-Physical Systems (CPSs)

• Tightly integrate physical processes, computation, and communication

• Safety-critical control loops– Sensors gather data from the environment– Actuators react according to a control law

October 18, 2013

Physical processes

ComputationCommunication


• Safety-critical CPS application

• Most of the existing CPS communication protocols operate in a best-effort manner

Infrastructure control Medical systems Environmental monitoring and control

…

Dependability Gap in Current CPSs

October 18, 2013

Enabling Dependable Communication in Cyber-Physical Systems with a Wireless Bus 4October 18, 2013

– Resource-constrainedwireless embedded devices

Communication Challenges in CPSs

[Tmote Sky]

• Tight physical integration → Severe constraints



– Multi-hop network topologies that vary over time





– Multi-hop network topologies that vary over time

– Operate for consecutive months/years



How to design efficient protocols that provide also delivery guarantees?


Looking for Inspiration:Safety-Critical Wired Embedded Systems• Based on time-triggered, shared buses

– Time-Triggered Protocol (TTP)[Kopetz et al., FTCS 1993]

– FlexRay[FlexRay Consortium, 2005]

• Successfully employed in automotive, avionics

October 18, 2013

Can we apply similar networking designs to CPSs?


Our Wireless Bus Conjecture

• A time-triggered communication infrastructure for multi-hop low-power wireless networks– Common notion of time– Communicate as if connected by a shared bus

October 18, 2013

It is possible to enable dependable yet efficient communication in CPSs by employing a wireless bus


Multi-hop low-power wireless network

October 18, 2013

Building a Wireless BusD

epen

dabi

lity

gap

Safety-critical CPS application



One-to-all communication

Global time synchronization

GlossyChapter 2 [IPSN 2011]

Building a Wireless Bus

October 18, 2013


Low-Power Wireless Bus

j,k,lj,k,l

j,k,l j,k,l×Multi-hop low-power wireless network




Time-triggered operation

Adaptive scheduling

LWB Chapter 3 [SenSys 2012]


October 18, 2013


j,k,l


j,k,lj,k,l

j,k,l ×j,k,l

VIRTUS

j,k,lj,k,l

j,k,lMulti-hop low-power wireless network





Adaptive scheduling


Delivery guarantees

Failure management

VIRTUSChapter 4 [SRDS 2013]


October 18, 2013

Safety-critical CPS application







Adaptive scheduling


Delivery guarantees

Failure management


Safety-critical CPS application• Fast and reliable flooding of messages

• Accurate global time synchronization

• Hide complexity of multi-hop networks

October 18, 2013

Glossy: Objectives


Challenges for Efficient Flooding

How to relay packets efficiently and reliably?• Avoid aggressive, uncoordinated broadcasts

• Typical approach:Coordinate packet transmissions– CF [Zhu et al., NSDI 2010]

– RBP [Stann et al., SenSys 2006]

– Maintain topology-dependent state

October 18, 2013

initiator


Glossy Flooding Architecture

• All receiving nodes relay packets synchronously– Simple, but radically different solution– No explicit routing– No topology-dependent state

• Key Glossy mechanisms– Start execution at the same time– Compensate for hardware variations– Ensure deterministic execution timing

October 18, 2013

initiator


Propagation in Glossy

October 18, 2013

RxRxRx

Proc

.

Tx

Proc

.

TxProc

.

TxProc

.

Tx

Rx

RxRxRx

RxRxRx

TxProc

.Pr

oc.

TxProc

.

TxProc

.

Tx

RxRxRx

Proc

.

Tx Proc

.

Tx Proc

.

Tx

RxRxRx

Proc

.

Tx Proc

.

Tx Proc

.

Tx

Proc

.

Tx Proc

.

TxTx

RxRxRx

Proc

.

Proc

.

Tx Proc

.

Tx Proc

.

Tx

c = 0 c = 1 c = 2 c = 3 c = 4 c = 5t

(In this example a node transmits at most twice)

• A relay counter c is set to 0 at the first transmission• A node increments c before relaying the packet

initiatorRxRxRx

Proc

.

Tx

Proc

.

TxProc

.

TxProc

.

Tx

Rx

RxRxRx

RxRxRx

TxProc

.Pr

oc.

TxProc

.

TxProc

.

Tx

RxRxRx

Proc

.

Tx Proc

.

Tx Proc

.

Tx

RxRxRx

Proc

.

Tx Proc

.

Tx Proc

.

Tx

Proc

.

Tx Proc

.

TxTx

RxRxRx

Proc

.

Proc

.

Tx Proc

.

Tx Proc

.

Tx

c = 0 c = 1 c = 2 c = 3 c = 4 c = 5t


Time synchronization in Glossy

October 18, 2013

Referencetime

Constant relay length

RxRxRx

Proc

.

Tx

Proc

.

TxProc

.

TxProc

.

Tx

Rx

RxRxRx

RxRxRx

TxProc

.Pr

oc.

TxProc

.

TxProc

.

Tx

RxRxRx

Proc

.

Tx Proc

.

Tx Proc

.

Tx

RxRxRx

Proc

.

Tx Proc

.

Tx Proc

.

Tx

Proc

.

Tx Proc

.

TxTx

RxRxRx

Proc

.

Proc

.

Tx Proc

.

Tx Proc

.

Tx

c = 0 c = 1 c = 2 c = 3 c = 4 c = 5t

• Estimate the relay length during propagation• Compute a common reference time

initiator


Glossy: Main Evaluation Findings

• A few ms to flood packets to hundreds of nodes

• Reliability > 99.99 % in most scenarios

• Synchronization error < 1 µs even after 8 hops

October 18, 2013


Multi-hop low-power wireless networkMulti-hop low-power wireless network





Adaptive scheduling


Delivery guarantees

Failure management






Adaptive scheduling


Delivery guarantees

Failure management


Safety-critical CPS applicationA concrete wireless bus that:

• Adapts to varying conditions and demands

• Efficiently supports a wide range of scenarios

• Delivers messages with high reliability

October 18, 2013

LWB: Objectives


LWB Design Principles

• Bizarre idea: broadcast-only communication!– Multi-hop wireless network → Shared bus

• Synchronized, time-triggered operation– Collision-free and efficient bus accesses

• Centralized scheduling– A host node orchestrates all communication

October 18, 2013


• LWB operation is confined to rounds

• A round consists of non-overlapping slots

• Each slot corresponds to adistinct Glossy flood

October 18, 2013

Round period T t

n1 n2 n3

n1

n1

Time-Triggered Operation in LWB


Centralized, Adaptive Scheduling

• Demand response scheduling at the host

• Example scheduling policy– Minimize energy while providing enough bandwidth– Ensure fair allocation of slots

October 18, 2013


HostResponseDemand


• Schedule: sent by the host H, also for time-sync• Data: messages transmitted by senders S1, S2, etc.• Requests: competed by senders to join LWB

T t

H

Schedule

notallocatedRequests

S1

Data

…S2

Data

LWB Activity during a Round

October 18, 2013

Host:compute schedule


LWB

Additional LWB Mechanisms

October 18, 2013

Host failover policySupport for nodesjoining and disconnecting

Optimizations forenergy efficiency

Prompt adaptationto traffic changes


LWB: Main Evaluation Findings(4 testbeds, 7 state-of-the-art protocols, 256 runs, 838 hours)

The same LWB prototype:

• Is efficient under a wide range of traffic loads

• Supports mobile nodes with no performance loss

• Is minimally affected by interference or failures

October 18, 2013


90 nodes• Varying senders• 8 receivers

Reliability and Energy Efficiency with Many-to-Many Communication

October 18, 2013

LWB outperforms state of the art• Reliability• Energy efficiency







Adaptive scheduling


Delivery guarantees

Failure management






Adaptive scheduling


Delivery guarantees

Failure management


Safety-critical CPS application• Provide guarantees on message delivery– In the face of communication failures– In the face of node crashes

• Keep overhead low compared with LWB

October 18, 2013

VIRTUS: Objectives


Key VIRTUS Mechanisms

• Guarantee virtually-synchronous executions– All nodes see the same events in the same order• Delivered messages• Joining and failing nodes

• Atomic multicast– Deliver messages reliably and with total order

• Group management– Share information on currently active nodes

October 18, 2013

(Formally proven)


New Interactions in VIRTUS

• View: set of active nodes, sent by the host H• Ack: receivers R1, R2, etc. buffer received data and

send the content of their buffers

October 18, 2013

T t

H

Schedule

notallocatedRequests

S1

Data

…Host:compute scheduleS2

Data

H

View

R1

Ack

R2

Ack

…and update view


VIRTUS provides delivery guarantees while outperforming existing best-effort solutions

90 nodes• 45 senders• Varying receivers

VIRTUS Efficiency

October 18, 2013


Conclusions

Wireless bus: delivery guarantees and efficiency

• Novel solutions

• Narrows the current dependability gap in CPSs

October 18, 2013






Adaptive scheduling


Delivery guarantees

Failure management

VIRTUSChapter 4 [SRDS 2013] Safety-critical CPS application

➤Multi-hop broadcasts have become cheap!

➤Efficient support for multiple traffic patterns

➤First to provide virtual synchrony to CPSs







Adaptive scheduling


Delivery guarantees

Failure management

VIRTUSChapter 4 [SRDS 2013] Safety-critical CPS application

Documents

Enabling Dependable Communication in Cyber-Physical Systems with a Wireless Bus Federico Ferrari PhD Defense October 18, 2013 — Zurich, Switzerland Computer