Networked  and  Embedded  Control  Systems

Jerome  Le  Ny

ESE  680,  Spring  2011

Upenn

Outline

• MoCvaCon  and  Examples

• IntroducCon  to  NECS  Issues

• AdministraCve  Stuff

MoCvaCon  and  Examples

Cyber-­‐Physical  Systems  (CPS)InformaCon/CompuCng  Systems  InteracCng  with  physical  systems,  broadly

Increasingly  integrated  systems:  sharing  of  sensing,  actuaCon,  computaCon  and  communicaCon  resources  across  distributed  systems

Networked  and  Embedded  Control  Systems  (NECS,  NCS)

Modern  cars:  40-­‐100  networked  microprocessors(brakes,  ESC,  transmission,  engine,  safety,  climate,  emissions,  mulCmedia,  …)  Several  CAN  and  other  busesBoeing  777:  1280  networked  microprocessors

good  design  Principles?

2-­‐5  million  lines  of  code

Embedded  Control  CharacterisCcs• Dependability

– Safety  (stability),  reliability,  security– E.g.:  flight  control  or  cruise  control  in  cars– Cer>fica>on  issues,  e.g.  DO  178-­‐B  in  aerospace.  Formal  guarantees?

• currently  most  cer>fica>on  standards  are  process  based

• Performance  guarantees  (e.g.  standard  control  specifica>ons)vs• Cost  constraints

– OKen  mass-­‐market  products,  e.g.  cars– Associated  computa>on,  communica>on,  memory,  energy  constraints…– Flexibility,  ease  and  speed  of  development  (COTS  components,  code  

reuse).  BeQer  system  integra>on  methods  cri>cal  for  future  complex  system  development

– Maintainability  is  very  important,  might  need  to  handle  evolu>ons  and  upgrades  easily  and  safely

Similar  Issues  at  all  Scales...

-­‐Safety-­‐Performance-­‐Sensing  and  Control-­‐Network  effects-­‐Distributed  informa>on-­‐Humans  in  the  loop-­‐Heterogeneous  components-­‐Cer>fica>on  issues,  system  of  systems  -­‐gradual  evolu>on

See for example the Microsoft Security Bulletins MS02-065, MS04-011, etc.

!"#$%&'($)*+',-".$)"/)0112

4$'$&()'56)7#"895,&()$%'$)&:7&#9&5,&6)$%&);+',-".$

<%&) !"#$%&'($) *+',-".$) "/) 0112) ='() '

>'((98&) =96&(7#&'6) 7"=&#) ".$'?&) $%'$

",,.##&6) $%#".?%".$) 7'#$() "/) $%&

!"#$%&'($&#5)'56)@96=&($&#5)A59$&6)4$'$&(

'56) B5$'#9"C) D'5'6') "5) <%.#(6'EC) F.?.($

3GC) 0112C) '$) '77#":9>'$&+E) GH33) 7I>I) JK<

LA<DM1GN) I) F$) $%&) $9>&C) 9$) ='() $%&) (&,"56

>"($) =96&(7#&'6) &+&,$#9,'+) ;+',-".$) 95

%9($"#EC) '/$&#) $%&) 3OOO) 4".$%&#5) *#'P9+

;+',-".$IQ3R) Q0R) <%&) ;+',-".$) '//&,$&6) '5

&($9>'$&6) 31)>9++9"5) 7&"7+&) 95)B5$'#9") '56

GS)>9++9"5)7&"7+&)95)&9?%$)AI4I)($'$&(I

!"#$"%&"'()'"*"%+,4%&)/"++"5678)6()$%&)9+',-".$:()(&;.&7,&)"/)&<&7$()"7)=.8.($)>?@)0112

A>2B)A>?B

)A>3B)

C$6D&()67)EF4GH

I >0H>3)JKDK)L7,"##&,$)$&+&D&$#M)N'$')#&7N&#()67"J&#'$6<&)$%&)($'$&)&($6D'$"#@)')J"5&#)/+"5)D"76$"#678)$""+)"J&#'$&N

9M)$%&)L7N6'7'O9'(&N)P6N5&($)L7N&J&7N&7$)4#'7(D6((6"7)QM($&D)RJ&#'$"#)CPLQRGK)=7)"J&#'$"#),"##&,$()$%&

$&+&D&$#M)J#"9+&D)9.$)/"#8&$()$")#&($'#$)$%&)D"76$"#678)$""+K

I >H2>)JKDK)4%&)E'($+'-&@)R%6")8&7&#'$678)J+'7$)(%.$()N"57K)4%&)J+'7$)6()"57&N)9M)S6#($E7&#8M@)'7)=-#"7@

R%6"O9'(&N),"DJ'7M)$%'$)%'N)&TJ&#6&7,&N)&T$&7(6<&)#&,&7$)D'67$&7'7,&)J#"9+&D(K

I 0H10)JKDK)4%&)/6#($)"/)(&<&#'+)2?3)-U)"<&#%&'N)$#'7(D6((6"7)+67&()67)7"#$%&'($)R%6")/'6+()N.&)$"),"7$',$)56$%)')$#&&

67)V'+$"7)W6++(@)R%6"KA>XB

)A>YB

I 0H>?)JKDK)=7)'+'#D)(M($&D)/'6+()'$)S6#($E7&#8M:(),"7$#"+)#""D)'7N)6()7"$)#&J'6#&NK

I 2H13)JKDK)=)2?3)-U)$#'7(D6((6"7)+67&)-7"57)'()$%&)Z%'D9&#+'67OW'#N678)+67&)/'6+()67)['#D'@)(".$%)"/)Z+&<&+'7N@

N.&)$")')$#&&K

I 2H>Y)JKDK)U"+$'8&)N6J()$&DJ"#'#6+M)"7)$%&)R%6")J"#$6"7)"/)$%&)8#6NK)Z"7$#"++&#()$'-&)7")',$6"7K

I 2H20)JKDK)["5&#)(%6/$&N)9M)$%&)/6#($)/'6+.#&)"7$")'7"$%&#)2?3)-U)J"5&#)+67&@)$%&)W'77'O\.76J&#)67$&#,"77&,$6"7@

,'.(&()6$)$")('8)67$")')$#&&@)9#678678)6$)"//+67&)'()5&++K)V%6+&)PLQR)'7N)S6#($E7&#8M),"7$#"++&#(),"7,&7$#'$&)"7

.7N&#($'7N678)$%&)/'6+.#&(@)$%&M)/'6+)$")67/"#D)(M($&D),"7$#"++&#()67)7&'#9M)($'$&(K

I 2H2])JKDK)=)S6#($E7&#8M)>2^)-U)+67&)/'6+()67)7"#$%&#7)R%6"KA>^B

Some  Mishaps…

Bugs  in  soYware,  but  also  in  specificaCons!ParCcularly  problemaCc  because  many  CPS  are  safety-­‐criCcal

7 Courtesy of © Wind River Inc. 2008 – IEEE-CS Seminar – June 4th, 2008

Federated vs. IMA

RadarSensor systems

FLIREO/OP

Engine ControlsEngine Monitoring

Fire Control

Weapons ControlStores ManagementTargeting Computer

Flight ControlsFlight Management

Inertial Reference System

DisplaysNavigation Computer

Mission Computer

8 Courtesy of © Wind River Inc. 2008 – IEEE-CS Seminar – June 4th, 2008

Federated vs. IMAFlight Controls

Flight ManagementInertial Reference System

RadarSensor systems

FLIREO/OP

Engine ControlsEngine Monitoring

Fire Control

Weapons ControlStores ManagementTargeting Computer

DisplaysNavigation Computer

Mission Computer

AutopilotOther

Systems,etc.

Heads-upDisplay

InertialPlatform

Transmitter Receiver ReceiverReceiver

EndSystem

EndSystem

EndSystem

OtherSystems,

etc.

Heads-upDisplay

InertialPlatform

Switch

Azimuth dataTwisted-pair copper wire

Simplex100 Kbps (maximum)Up to 20 receivers

Full duplex100 Mbps (maximum)Number of connections governed by number of switch ports

Two pairscategory 5 UTPtwisted-paircopper wire

ARINC 429

AFDX

ARINC 653Sampling portsQueuing ports

Avionics Computer System

EndSystem

AvionicsSubsystemPartition 1

AvionicsSubsystemPartition 3

AvionicsSubsystemPartition 2

Controllers

Sensors

Actuators

AFDXSwitch

AFDXNetwork

ARINC 664, Part 7AFDX communications ports Sampling ports Queuing ports Service access point port

[© Wind River]

[© GE]

Trends  in  NECS

A]empt  at  Controlling  Growing  System  Complexity,  while-­‐  Properly  managing  resources  (computaConal,  communicaCon)-­‐  Guaranteeing  Cmings:  important  for  control

Trends  in  NECS  II

• Toward  rigorous  Model  Based  Engineering  vs.  process  based  cerCficaCon– e.g.  DO  178B  replacement– ulCmate  goal:  want  to  reason  about  high-­‐level  models,  then  generate  correct  

controllers  and  code  from  these  models– introduce  more  formal  methods

• ComposiConality?– e.g.  needed  to  add  and  remove  small  generators  in  electric  grid– component  reusability  to  reduce  development  costs– modular  design  with  isolated  components  to  avoid  recerCficaCon  during  

incremental  changes

IntroducCon  to  NECS  Issues

Sampled-­‐Data  Systems

• Classical  theory  of  sampled-­‐data  systems  is  a  good  starCng  point

• Three  controller  design  approaches:

– discreCze  a  conCnuous-­‐Cme  design

– discrete-­‐Cme  design,  neglect  intersample  behavior  in  synthesis

– direct  sampled-­‐data  design  (liYing)  -­‐  most  rigorous  but  involved  theory

then  simulate  design  for  poten>al  issues

[©K.-E. Arzen, Lund]

Networked  Control  Systems• Adds  delay,  ji]er  and  possibly  packets  losses

• Managing  access  to  the  communicaCon  network

• Focus  of  much  of  the  current  research  literature  in  NCS

• Most  models  sCll  very  simplisCc

13

[©K.-E. Arzen, Lund]

Many  ImplementaCon  Choices

14

Plant Network

Controller (CPU)

Plant 2

Plan

t 3

Scheduler

S S S AA

K K

Schedulers

A S S A

N

N

NN

N

N

Real-­‐Time  Embedded  Control  Systems

15

y

y(tk!1)

y(tk )

y(tk+1)

Time

u

t k!1 t k tk+1

u(tk! 1)

u(t k)

Time

Con

trol

Va

ria

ble

Mea

sure

d V

ari

ab

le

Computa-tionallag "

• Output y(t) sampled periodically at time instants tk = kh

• Control u(t) generated after short and constant time delay !

classical  controller  Cming

y(t)

u(t)

rk!1 rk rk+1

Lk!1s Lk!1io Lks Lkio Lk+1s Lk+1io

sk!1 fk!1 sk fk sk+1 fk+1

Rk!1 Rk Rk+1

!

t

t

• Control task ! released periodically at time instances rk = kh

• Output y(t) sampled after time-varying sampling latency Ls

• Control u(t) generated after time-varying input-output latency Lio

Controller  Cming  with  RTOS  scheduler

CPU  Cme  management

using  a  Real-­‐TimeOperaCng  System

(RTOS)

-­‐  system  dedicated  to  control  task-­‐  Cming  very  predictable-­‐  costly,  li]le  flexibility-­‐  soYware  and  hardware  becomesunmanageable  as  system  becomesmore  complex

Increased  flexibility,  but  delays  and  non-­‐determinism  introduced  by  RTOS  and  network.  Impact  on  control  performance?

[©K.-E. Arzen, Lund]

[©K.-E. Arzen, Lund]

Control  System  SpecificaCons

• Stability• Analog  Performance:  transients  and  steady-­‐state• Safety,  absence  of  deadlocks• Liveness• Derive  SpecificaCons– Which  correspond  to  what  is  intuiCvely  expected  from  the  system

– Which  are  consistent  (object  of  this  course),  backed  by  formal  analysis,  formal  specificaCon  language

• Develop  system  and  soYware  from  them

for  systems  including  both  analog  signals  and  switching  logic:  hybrid  systems

About  this  course

• We  will  explore  some  of  these  issues– model  based  analysis  and  synthesis  of  digital  controllers

– understand  modern  implementaCon  issues:  computaCon  and  communicaCon  resource  management,  impact  on  control  performance

– discuss  complex  specificaCons,  cerCficaCon  and  verificaCon  issues:  formal  methods  (model  checking,  deducCve  methods)

• This  is  a  topics  course:  I’m  here  to  help  you  learn,  but  what  you  will  get  out  of  it  will  mostly  depend  on  your  personal  involvement  in  the  subject– currently  acCve  research  topics.  We  are  far  from  a  mature  theory  of  system  

design

– You  should  criCque  and  challenge  the  models  we  will  discuss

– complexity  and  variety  of  issues  make  this  subject  interesCng  to  researchers  with  diverse  backgrounds  and  interests:  control  engineering,  real-­‐Cme  systems,  logic  and  formal  methods,  etc.

Course  Outline• Review  of  classical  theory

– System  modeling:  con>nuous-­‐>me  and  discrete-­‐>me  systems,  automata  including  hybrid  automata  (2  lectures)

– Sampling  and  Sampled-­‐Data  Systems  (2  lectures)  -­‐-­‐>  discre>za>ons  of  CT  controllers

– Overview  of  2  other  classical  digital  control  design:  discrete  methods  and  direct  SD  design  (3-­‐4  lectures)

• NECS  issues:  

– Examples  of  communica>on  standards  for  control  (FlexRay,  ARINC  664).  Intro  to  real-­‐>me  scheduling  (1-­‐2  lectures)

– Control  for  systems  with  delays  and  sampling  jiQer  via  Lyapunov  methods  (2+  lectures)

– Input-­‐output  methods  for  NECS  (2+  lectures).  Passivity  and  wave  variables  for  networked  systems,  relevant  integral  quadra>c  constraints

• Formal  methods  for  verifica>on  and  design  (aKer  Spring  break):

– Discrete  system  abstrac>ons:  exact  and  approximate  bisimula>ons

– Model  checking

– Intro  to  deduc>ve  methods:  Hoare  logic  for  controller  verifica>on,  hybrid  dynamic  logic

• Addi>onal  lectures

– external  speakers:  AADL  (Oleg  Sokolsky),  possibly  more.  

– Student  lectures.

AdministraCve  Stuff

Grading

• Prepare  a  lecture  (40%)– Review  e.g.  2-­‐3  related  papers  (choice  guided  by  me).– Prepare  lecture  notes.– Lecture  format  free:  slides  or  blackboard.

• Project  (40-­‐50%)– Design  a  control  system,  and  do  an  analysis/simulaJon  as  realisJc  as  possible  (including  

effect  of  communicaJon  protocol,  real-­‐Jme  scheduler,  etc.).  Most  realisJc:  implement  control  algorithm  on  a  microcontroller,  w/  physical  process  possibly  simulated  (if  have  access  to  hardware  and  know  how  to  program  a  RT  system.  Physical  implementaJon  not  required).  

– or  explore  a  new  design/analysis  technique.  Aim  for  a  new  contribuJon  to  the  field  of  NECS.– No  literature  review  accepted  for  this  part  (that’s  the  previous  point).

• Homework  (0-­‐10%)– I  might  give  a  few  exercises  during  the  term  to  check  your  understanding  of  the  material.

• ParJcipaJon  ~10%– Influences  grade  subjecJvely  in  any  case…  – The  course  will  be  boring  if  I’m  the  only  one  speaking.  Again,  construcJve  criJcism  is  strongly  

encouraged.  View  this  as  a  research  seminar.

Example  of  Topics  for  Student  Lectures

• Decentralized  Control:  decentralized  fixed  modes,  quadraCc  invariance,  …

• Decentralized  EsCmaCon:  distributed  LMS,  RMS,  distributed  Kalman  filtering,  …

• Switched  systems  and  applicaCons  to  NECS

• Event  triggered  sampling  for  control

• More  advanced  real-­‐Cme  scheduling  for  control

• Synchronous  languages  or  other  programming  paradigms

• Other  choices  possible.  To  determine  with  me  during  first  couple  of  weeks