cyber-physical systems and aadl - cssecsse.usc.edu/.../gupta_sandeep-cps-aadl-feb-2-2009.pdf ·...

Cyber-Physical Systems and AADL

Sandeep K. S. Gupta

AADL Standards Meeting – Feb 2-5, 2009

Impact Lab (http://impact.asu.edu)

Computer Science and Engineering

Affiliated with EE, BMI, BME

Arizona State University

[email protected]

Student contributors: T. Mukherjee, Q. Tang, K. Venkatasubramanian

Sandeep K. S. Gupta, IEEE Senior Member

• Heads

Pervasive Health Monitoring

Use-inspired, Human-centric research in distributed cyber-physical systems

Thermal Management for Data Centers

Criticality Aware-SystemsID Assurance

Intelligent Container

Mobile Ad-hoc Networks

@ School of Computing & Informatics

BOOK: Fundamentals of Mobile and Pervasive Computing, Publisher: McGraw-Hill Dec. 2004

BEST PAPER AWARD: Security Solutions for Pervasive HealthCare – ICISIP 2006.

• TCP Chair •TCP Co-Chair:

GreenCom’07

Email: [email protected]; IMPACT Lab URL: http://impact.asu.edu;

• Area Editor

http://www.bodynets.org http://impact.asu.edu/greencom

Motivation

• Challenges – Traffic congestion, Energy Scarcity, Climate Change, Medical Cost …

• Need Smart Infrastructure – distributed CPHS (Cyber-Physical-Human System (of systems))

• Criticality-awareness: the ability of the system to respond to unusual situations, which may lead to


• Criticality-awareness: the ability of the system to respond to unusual situations, which may lead to disaster (with associated loss of life and/or property)– How to design, develop, and test criticality-aware software for

CPHS systems?

• Unifying Framework for Safe (Energy-Efficient) Spatio-Temporal Resource Management for CPHS– Thermal-Aware Scheduling for Data Centers and Bio Sensor

Network (within Human Body)

Cyber Physical Systems (CPS)

Courtesy: Vanderbilt University & Drexel University Courtesy: Idealog Magazine


Key Issues

• Physical Interactions

• Critical Applications

• Automated Design & Validation

� Dynamic distributed large-scale systems to control physical process

� Cyber and physical components are integrated

� Operations in computing entities affect the physical world & vice versa.

Courtesy: Vanderbilt University & Drexel University Courtesy: Idealog Magazine

4

Properties - Cyber Physical Human Systems

� Tight coupling between physical and cyber-world

� Human-in-the-loop

� Heterogeneous entities with order of magnitude difference in capabilities, e.g. sensors, medical difference in capabilities, e.g. sensors, medical devices, servers, handheld computing devices, and Humans.

IMPACT lab’s Approaches to Enable

Criticality-Aware CPHS Criticality-Aware CPHS

Unifying Framework for Modeling Spatio-Temporal Cyber-Physical

Effects


Effects

Physical Interactions (Interference)


Body Sensor Networks (BSN)

� Medical sensors implanted/worn by human for health-monitoring.

� Interference – sensor activity causes heating in the tissue.

� Heating caused by RF inductive powering

TissueBlow-up

powering

� Radiation from wireless communication

� Power dissipation of circuitry

Gateway

HeatingZone

Sensor Activities

Energy Consumption

Heat radiation &power dissipation

Environmental Interference in BSN

valueSafety – tissue temperature should be within a threshold value

Sensor

9

BSN

Heat Interference in BSN

Incident Plane Wave with power P0Transmitted Wave

Medium 1(free space)

ε1, µ1, σ1

Medium 2(Body tissue)

ε2, µ2, σ2

Cluster LeaderRF PoweringSource

depth d

Te

mp

era

ture

Temperature rise in sensor surroundings

heat

Heat bymetabolism

Reflected WaveControl Volume anda cluster of biosensors

Temperature Rise: Pennes Bio-heat Equation

Heat accumulated

Heat transfer by conduction

Heat byradiation

Heat transfer

by convection

Heat by power dissipation

heat dissipatio

n

10

Heat bymetabolism

BSN Scheduling

Requirement

• FCC Regulation

SAR = σ E2 / ρ (W/kg)

SAR = 0.4W/Kg

Whole BodyAverage

SAR = 8W/Kg

Peak Local

IEEE Requirement (1g Tissue)

E = induced Electric FieldΡ = tissue densityσ = electric conductivity of tissue

Incident Plane Wave with power P0

Reflected Wave

Transmitted Wave

Control Volume anda cluster of biosensors

Medium 1(free space)

ε1, µ1, σ1

Medium 2(Body tissue)

ε2, µ2, σ2

Cluster LeaderRF PoweringSource

depth d

System Model

• Consider only one cluster

• 2D Model

• Rotate cluster head - dist. energy consump. reduce heating

Temperature Rise: Pennes Bio-heat Equation

Heat accumulated

Heat transfer by conduction

Heat byradiation

Heat transfer

by convection

Heat by power dissipation

SAR = .08W/Kg

Whole BodyAverage

SAR = 1.6W/Kg

Peak Local

CE

UCE


metabolismaccumulated by conduction radiation by convection dissipation

Solution

• Random selection may lead to higher temperature rise

• Similar to Traveling salesman problem but with dynamic metric

• Heuristic: Leader selection based on sensor location, rotation history

1

2

34

5

1

2

34

5

1

2

34

5

(a) Ideal Rotation (c) Farthest Rotation(b) Nearest Rotation

Four Approaches

• FDTD + enumeration

• FDTD + Genetic Algorithm

• TSP + enumeration

• TSP +Genetic Algorithm

Results

FDTD + enumeration

FDTD + Genetic Algorithm

TSP + Genetic Algorithm

TSP +enumeration

Optimal

Optimal

Near Optimal

Near Optimal

720960 hrs (est.)

100 hrs (est.)

7.6 hrs

5 min

Te

mp

era

ture

Temp rise in sensor surroundings

Q. Tang, N. Tummala, S. K. S. Gupta, and L. Schwiebert, Communication scheduling to minimize

thermal effects of implanted biosensor networks in homogeneous tissue, Proc of IEEE Transactions of Biomedical Engineering

Worst Dynamic Manual Genetic Optimal0.06

0.07

0.08

0.09

0.1

0.11

Te

mp

era

ture

Ris

e °

C

TemperatureMean ± DeviationMean

Comparative Result

Envisioned Tool for Developing Dependable BSN Software

Communication Module

Rout ing Protocol

Medium Access

Frequency

Modulat ion Scheme

Sensor Hardware

Specification

Bioheat ModelEnergy Model

Propagat ion

Model

Heat Safety

Plug-in Modules

Design & Evaluation Tool

....

Tissue Properties Database


Application Requirements

Communication:

Latency, Reliability...

Sensor Location:

Eye, Hand...

Energy Constraints:

Powering, Recharging

....

Regulations

FDA

FCC

IEEE

IEC.

.

.

Heat Safety

Analysis

Energy

Analysis

Communication

Analysis

Matlab FDTD Software Labview

External Tools

Workflow

Execution

Engine

....

.

.

.

3D Visualization

T ool

Body Model

DataBase

Antenna Analysis

Software

Sensor

Placement

Visualization

Interface

User Interface

....

Workflow

Specification

....

Heat Analysis Workflow

Sources of

Heating

Radiaton of wireless

communication

Radiation of RF

powering

circuitry

dissipation

Blood

convection

Air convection

Single implanted

device

Mut liple

implanted device

Surface implant

In vivo

implants

Communication

Design

Tissue

Sources of

Cooling

Powering

Supply Design

Senseor

Implementation

Application Specific

Heating WorkFlow


Metabolic

heating

Tissue

conduct ion

Bioheat Model

Other model

Penns bio-heat

Equat ions

Safety Criteria

FDA

FCC

Bioheat

Analysis

FED

FDT D

2D/3D Tissue

model

Wireless Analysis Workflow

Modulation MethodsAntenna Model

Wireless Model WorkFlow

Modulation

M-PSK

Dipole Antenna

Microstrip

Antenna

Loop

Antenna


Propagation

Model

2D/3D T issue

model

Media

Properties

Modulation

Model OOK

QAM

Link Budget

Analysis

Implanted Device

Location/T opolocy

Interference

Output

Power Analysis Workflow

Rechargeable

Model

Power Model WorkFlow

Implanted

Battery

M-PSK

OOK

RF Induct ive

Passive E-Field

Supersonic


Propagat ion

Model

Power

Consumption

Media

Properties

QAM

Link Budget

Analysis

Implanted Device

Locat ion/Topolocy

Interference

Output

Analysis Module Interaction

Sensor

Implementation

Powering Supply

Design

Bioheat

Safety Criteria

Application


Design

Communication

Design

Safety Criteria

Regulation

Requirement

Data center Energy ConsumptionWhat are datacenters

– Server farms, IT centers, computer rooms

Why they are important– Centralized management, powerful

computation capabilities– Backbones of Internet Infrastructure

Why thermal management is important


17

Why thermal management is important

– Improve reliability– Reduce system down time– Save energy cost !!

• $400,000 annually to power a 1,000 volume server-unit data center, then how much for this

– More than 40% is cooling cost

51%42%

7%

Servers Air-Conditioning Other

Dense Computer Rooms (i.e. Data centers, Computer Clusters, Data warehouses)

Self Interference Cross Interference

Inlet

Outlet Outlet

Temp

avoid equipment failure

Safety – inlet temperature should be within the equipment red-line

temperature to avoid equipment failure

Server Activities

Energy Consumption

Outlet Heat throughpower dissipation

Heat recirculation at the inlet of itself

Self Interference

Server Activities

Energy Consumption

Heat recirculation at the inlet of others

Cross Interference

Outlet Heat throughpower dissipation

18

Two Studied CyberPhysical Applications

Application scenario Implanted biomedical sensor networks

Computing nodes of data center clusters

Objective find the best leadership sequence to minimize the temperature rise

find the best task assignment to minimize the energy cost

Heat transfer

mechanism

Convection, conduction and radiation.

Convection


Original numerical

simulation

Finite Difference Time Domain

Computational Fluid Dynamics

Abstract Model: the

function F(⋅)

Time-space function Cross interference coefficients

Placement or

scheduling: the function

H(⋅)

Temporal domain Spatial domain

“HOT” Mission Critical Applications –Example of Environmental Effects on

Networks


• Nodes exposed to the sun might easily reach 65C and above

• Temperature at nodes in a wildfire monitoring application have reported to reach 95C.

How to compensate for temperature effects at design/runtime?

Communication Range


Depending on the path loss model, losses due temperature cause reduction in range comprised between 40% and 60% the max. value

Network Connectivity @ 25°C


Average Connectivity = 8.94. Connected nodes = 100%.

Avg. Path Length = 2.95. Network seems reliable.

SINK NODE




Avg. Path Length = 4.93. Few nodes are disconnected.

SINK NODE




The sink is completely disconnected from the rest of the network!

SINK NODE

Physical Aspects of CPS Security– Modifying physical environment around the CPS can cause security

breach

– Example –

• Smart-car’s theft protection system fails completely if it is fooled into thinking the car is on fire by trigger specific sensors.

• No amount of securing all the other components will help

– The problem is compounded if security solutions for CPS depend on environmental stimuli for efficiency purposes


environmental stimuli for efficiency purposes

– Example –

• Physiological value based security (PVS) utilizes common physiological signals from the body for key agreement

• If one of the sensors is fooled into measuring incorrect physiological signals (by breaking the sensor-body interface), the whole process breaks down

Fundamental differences with Cyber Security

• Threat Model is fundamentally different• The point of entry for traditional (cyber-only) is essentially cyber

– Example – Attacker hacking a computing system through a network

• CPHS – it can be cyber, environmental (physical), and human


• CPHS system has several aspects each of which need to be secured–

• Environment• Sensing• Communication• Processing• Feedback• Humans

Securing these addressed in traditional cyber security

Securing the environment and its interaction with otherfollowing unique to CPHS

Criticality & Critical Event Management

• Critical events– Causes emergencies/crisis.– Leads to loss of

lives/property.

• Criticality– Effects of critical events on

the smart-infrastructure.

Critical Event

Timely Criticality Response within

window-of-opportunity

NORMAL STATE

CRITICALSTATE


the smart-infrastructure.– Critical State – state of the

system under criticality.– Window-of-opportunity (W)

– temporal constraint for criticality.

• Survivability– effectiveness of the criticality response actions in minimizing the disasters.

Mismanagement of any

criticality

DISASTER(loss of lives/property)

Handling Critical Events in CPS

Crisis Response Recovery Preparedness

Detect fire using information from sensors

CriticalEvent Detection

• Notify 911

• provide information to the first responders

Trapped People & Rescuers

Additional Critical Events

Detect trapped people

Detection

Performance Evaluation of

Crises Response


sensorsthe first responders

• Analyze the Spatial Properties • how to reach the source of fire;• which exits are closest; • is the closest exist free to get out;

• Determine the required actions• instruct the inhabitants to go to nearest safe place; • co-ordinate with the rescuers to evacuate.

Rescuers

HUMAN INTERACTION

MODEL

28

• State-based stochastic model– System in different critical

states for different criticalities.– Similar to AADL Error Model.

• Critical Events– Analogous to fault events in

Error Model Annex.– Enhancements capturing

• Criticality characteristics

Envisioned AADL Model for Survivability Analysis

NORMAL STATE


• Criticality characteristics (e.g. window-of-opportunity)

• Mitigative Link– Analogous to failure

responses in Error Model Annex.

– Enhancements capturing• probability of actions’

success considering uncertainties due to human involvement.

Mitigative Link Critical Event

Survivability – probability of reaching normal state based on MLs’ success probabilities and

conformity to window-of-opportunity.

Survivability Model for fire emergencies in offshore Oil & Gas Production Platforms (OGPP)

Fire Alarm

State transition probabilities derived from established probability distribution in [1].

0.284877

0.40365

0.1755

0.1634

0.2965 0.48970.5862

0.1977 0.1892

0. 2094


Fire Alarm &Imminent Danger

Fire Alarm &Non-tenable Path

Fire Alarm &Assistance Required

Fire Alarm &Non-tenable Path &

Assistance Required

Fire Alarm &Imminent Danger &

Assistance Required

Fire Alarm &Assistance Required &

Non-tenable Path

[1] D. G. DiMattia, F. I. Khan, and P. R. Amyotte, “Determination of human error probabilities for offshore platform musters,” Journal of Loss

Prevention in the Process

Industries, vol. 18, pp. 488–501, 2005.

0.1634

0.2965 0.4897

0.5717

0.57170.2649

0.2649

0.481

0.41861 0.3348

0.4138

Crisis Response Recovery PreparednessMitigationMitigation

Identify the critical events

Determine the Evaluate the Q-value of

Criticality Response Process

Evaluate Effectiveness of Response Process

Criticality Response Modeling (CRM) Framework


Determine the Window-of-opportunity

Determine the possible occurrences of

multiple criticalities

Determine the states & transition probabilities

Apply the Stochastic Model

Criticality Response Process

CRM Framework

Learn

ing

Criticality Aware Access Control (CAAC)

CAAC

Patient Emergency

(Doctor not available)Patient (NoEmergency)

Normal mode In this mode, an alternate set of access privileges are enforced for facilitating


CAAC

Allow another doctor toAccess Patient Data Treat Patient

CAAP mode

are enforced for facilitating mitigative actions

Sandeep K. S. Gupta

Model-based Engineering of

Cyber-physical Systems

____ _____ __________ __ ____

________ ______

Proposal for Cyber-Physical System

Annex in AADL

______ ____

Design Decisions

Security

Survivability Reliability

Critical applications should be able to handle dangerous physical conditions (e.g. life/property losses).

Physical security should be considered while designing the cyber components.

34

Real-time

Quality

Safety

Interactions between physical and cyber components should not detrimentally impact the physical conditions.

issuesThis talk specifically focuses on the safety & survivability issues

AADL Extensions Requirements

Physical Environment

Self-InterferenceEnvironment Interference

Cross-Interference

Cyber Subsystem

Cyber Subsystem

Criticality Model

Criticality Model

Cross-Interference

Non-physical Interactions(e.g. data flow)

35

Proposed AADL Extensions

AADL System Specification

CPS Annexes For AADL

36

AADL Analysis Platform (e.g. OSATE)

Analysis Plug-ins

Analysis of CPS

� Safety analysis

� Interference should not be detrimental to the physical and other cyber components

� e.g. heat generated by performing tasks in implanted body sensors should be within a threshold value to avoid tissue damage.

37

� Survivability analysis

� Critical events should be effectively responded to avoid dangerous failures

� e.g. providing proper access to equipment if fire is detected in a smart-building infused with sensors and actuators.

Safety Modeling in AADL

AADL Architecture Model

AADL Physical Interference

Model+

AADL Safety Model

Model Parsing

AADL Safety Analysis Plug-ins

Safety Measures

Model Processing

38

Envisioned Extensions in AADL for Safety Analysis


Environment

Physical Component Specification• Interference characteristics• Safety threshold of interferences

Physical Component Specification• Interference characteristics• Safety threshold of interferences

Connection between inward & outward interference of a device • analogous to AADL data flow

Connection between inward & outward interference of a device • analogous to AADL data flow

Connection between inward & outward interference of corresponding devices• analogous to AADL data flow

Connection between inward & outward interference of corresponding devices• analogous to AADL data flow

Cyber Subsystem

Cyber Subsystem


Cross-Interference


39

Physical Features of Computing Components • Physical State• Interference from device to environment• Interference from environment to device

Physical Features of Computing Components • Physical State• Interference from device to environment• Interference from environment to device

• analogous to AADL data flow• analogous to AADL data flow

Example Envisioned AADL Specification for BSN

Heat Safety Analysis

property set BSN isgrid_size: aadlinteger applies to (system);coordinatesX: aadlreal applies to (device);

…node_no: aadlinteger applies to (device); alarm_temp: aadlreal applies to (physical)

end BSN;

physical Tissueproperties

BSN::alarm_temp => 100.0;characteristics

device NodephysicalFeatures

out_interference: out energy interference subprogram Node.sensor_energy;

physicalStatememory_usage: aadlreal;cpu_usage: aadlreal;

end Node;

device implementation Node.node0propertiesBSN::coordinatesX => 20.0;

Safety threshold temperature

Physical State

Physical Component Specification Physical Features of Computing Components

40

characteristicsin_interference: in interference subprogram

Tissue.temp;end Tissue;

physical implementation Tissue.bodysubprogram Tissue.temp

featuresinput : in parameter Node.node0;time : in parameter aadlreal;output : out parameter aadlreal;

end Tissue.temp;end Tissue;

subprogram implementation Tissue.tempend Tissue.temp;

BSN::coordinatesX => 20.0;…

BSN::node_no => 0;end Node.node0

System implementation BSN.BSN1end BSN.BSN1;

subprogram Node.sensor_energyfeatures

input : in parameter Node::physicalState;output : out parameter aadlreal;

end Node.sensor_energy;

subprogram implementation Node.sensor_energyend Node.sensor_energy;

Interference characteristics

Interference from device to environment

Example Envisioned AADL Specification for Data

Centers (DC)

property set DC isgrid_size: aadlinteger applies to (system);supply_temp: aadlreal applies to (physical);

…node_no: aadlinteger applies to (device); redline_temp: aadlreal applies to (physical)

end DC;

physical Inletproperties

DC::redline_temp => 100.0;DC::supply_temp => 68.0;


in_interference: in energy interference Inlet;

out_interference: out energy interference subprogram Node.energy;


end Node;

System implementation DC.DC1


Interference from device to environment

Physical Component Specification Physical Features of Computing Components

Interference from environment to device

41

DC::supply_temp => 68.0;characteristics

in_interference: in interference subprogramOutlet.temp;

end Inlet;

physical implementation Outletsubprogram Outlet.temp


end Outlet.temp;end Outlet;

subprogram implementation Outlet.tempend Outlet.temp;

System implementation DC.DC1subcomponentsnode0: device Node.node0;

…connectionsnode0.out_interference -> node0.in_interference;node0.out_interference -> node1.in_interference;

end DC.DC1;

subprogram Node.energyfeatures


end Node.energy;


Interference characteristics

Self-Interference

Cross-Interference

Survivability & Criticality Modeling in AADL

AADL Architecture Model AADL Error Model

Physical & Human Uncertainties

+

AADL Criticality Model

+

AADL Survivability Model

Model Parsing

AADL Survivability Analysis Plug-ins

Parsing

Survivability Measures (e.g. Manageability)

Model Processing

42

Envisioned Extensions in AADL for

Survivability Analysis



Cross-Interference

Cyber Subsystem

Cyber Subsystem

Criticality Model

Criticality Model


43

Critical State and Response Action Specification• Human Uncertainties• State Transition Specification• Criticality Characteristics

Critical State and Response Action Specification• Human Uncertainties• State Transition Specification• Criticality Characteristics

Conclusions & Future Work

� Interference modeling essential to analyze safety of CPS.

� Criticality modeling essential to analyze survivability of CPS.

44

� Future Work

� Annexing the AADL with Interference and Criticality modeling capabilities.

� Develop and annex model to analyze CPS security.

Additional Slides

45

Example Envisioned AADL specification for BSN

Heat Safety Analysis

property set BSN isgrid_size: aadlinteger applies to (system);coordinatesX: aadlreal applies to (device);

…node_no: aadlinteger applies to (device); alarm_temp: aadlreal applies to (physical)

end BSN;

physical Tissueproperties

BSN::alarm_temp => 100.0;characteristics

in_interference: in interference subprogram


out_interference: out energy interference subprogram Node.sensor_energy;


end Node;

device implementation Node.node0propertiesBSN::coordinatesX => 20.0;

…

Physical characteristic


46

in_interference: in interference subprogramTissue.temp;

end Tissue;

physical implementation Tissue.bodysubprogram Tissue.temp


end Tissue.temp;end Tissue;

subprogram implementation Tissue.tempend Tissue.temp;

…BSN::node_no => 0;

end Node.node0

System implementation BSN.BSN1end BSN.BSN1;

subprogram Node.sensor_energyfeatures


end Node.sensor_energy;


characteristics

of devices

Physical Component

Data Centers

► Heat recirculation

� Hot air from the equipment air outlets is fed back to the equipment air inlets

► Hot spots

� Effect of Heat Recirculation

47

� Effect of Heat Recirculation

� Areas in the data center with alarmingly high temperature

► Consequence

� Cooling has to be set very low to have all inlet temperatures in safe operating range

Questions ??


Impact Lab (http://impact.asu.edu)

Creating Humane Technologies

for Ever-Changing World

cyber-physical systems and aadl - cssecsse.usc.edu/.../gupta_sandeep-cps-aadl-feb-2-2009.pdf ·...

Documents