cyber-physical systems and aadl - cssecsse.usc.edu/.../gupta_sandeep-cps-aadl-feb-2-2009.pdf ·...
TRANSCRIPT
Cyber-Physical Systems and AADL
Sandeep K. S. Gupta
AADL Standards Meeting – Feb 2-5, 2009
Impact Lab (http://impact.asu.edu)
Computer Science and Engineering
Affiliated with EE, BMI, BME
Arizona State University
Student contributors: T. Mukherjee, Q. Tang, K. Venkatasubramanian
Sandeep K. S. Gupta, IEEE Senior Member
• Heads
Pervasive Health Monitoring
Use-inspired, Human-centric research in distributed cyber-physical systems
Thermal Management for Data Centers
Criticality Aware-SystemsID Assurance
Intelligent Container
Mobile Ad-hoc Networks
@ School of Computing & Informatics
BOOK: Fundamentals of Mobile and Pervasive Computing, Publisher: McGraw-Hill Dec. 2004
BEST PAPER AWARD: Security Solutions for Pervasive HealthCare – ICISIP 2006.
• TCP Chair •TCP Co-Chair:
GreenCom’07
Email: [email protected]; IMPACT Lab URL: http://impact.asu.edu;
• Area Editor
http://www.bodynets.org http://impact.asu.edu/greencom
Motivation
• Challenges – Traffic congestion, Energy Scarcity, Climate Change, Medical Cost …
• Need Smart Infrastructure – distributed CPHS (Cyber-Physical-Human System (of systems))
• Criticality-awareness: the ability of the system to respond to unusual situations, which may lead to
AADL Standards Meeting – Feb 2-5, 2009
• Criticality-awareness: the ability of the system to respond to unusual situations, which may lead to disaster (with associated loss of life and/or property)– How to design, develop, and test criticality-aware software for
CPHS systems?
• Unifying Framework for Safe (Energy-Efficient) Spatio-Temporal Resource Management for CPHS– Thermal-Aware Scheduling for Data Centers and Bio Sensor
Network (within Human Body)
Cyber Physical Systems (CPS)
Courtesy: Vanderbilt University & Drexel University Courtesy: Idealog Magazine
AADL Standards Meeting – Feb 2-5, 2009
Key Issues
• Physical Interactions
• Critical Applications
• Automated Design & Validation
� Dynamic distributed large-scale systems to control physical process
� Cyber and physical components are integrated
� Operations in computing entities affect the physical world & vice versa.
Courtesy: Vanderbilt University & Drexel University Courtesy: Idealog Magazine
4
Properties - Cyber Physical Human Systems
� Tight coupling between physical and cyber-world
� Human-in-the-loop
� Heterogeneous entities with order of magnitude difference in capabilities, e.g. sensors, medical difference in capabilities, e.g. sensors, medical devices, servers, handheld computing devices, and Humans.
Unifying Framework for Modeling Spatio-Temporal Cyber-Physical
Effects
AADL Standards Meeting – Feb 2-5, 2009
Effects
Body Sensor Networks (BSN)
� Medical sensors implanted/worn by human for health-monitoring.
� Interference – sensor activity causes heating in the tissue.
� Heating caused by RF inductive powering
TissueBlow-up
powering
� Radiation from wireless communication
� Power dissipation of circuitry
Gateway
HeatingZone
Sensor Activities
Energy Consumption
Heat radiation &power dissipation
Environmental Interference in BSN
valueSafety – tissue temperature should be within a threshold value
Sensor
9
BSN
Heat Interference in BSN
Incident Plane Wave with power P0Transmitted Wave
Medium 1(free space)
ε1, µ1, σ1
Medium 2(Body tissue)
ε2, µ2, σ2
Cluster LeaderRF PoweringSource
depth d
Te
mp
era
ture
Temperature rise in sensor surroundings
heat
Heat bymetabolism
Reflected WaveControl Volume anda cluster of biosensors
Temperature Rise: Pennes Bio-heat Equation
Heat accumulated
Heat transfer by conduction
Heat byradiation
Heat transfer
by convection
Heat by power dissipation
heat dissipatio
n
10
Heat bymetabolism
BSN Scheduling
Requirement
• FCC Regulation
SAR = σ E2 / ρ (W/kg)
SAR = 0.4W/Kg
Whole BodyAverage
SAR = 8W/Kg
Peak Local
IEEE Requirement (1g Tissue)
E = induced Electric FieldΡ = tissue densityσ = electric conductivity of tissue
Incident Plane Wave with power P0
Reflected Wave
Transmitted Wave
Control Volume anda cluster of biosensors
Medium 1(free space)
ε1, µ1, σ1
Medium 2(Body tissue)
ε2, µ2, σ2
Cluster LeaderRF PoweringSource
depth d
System Model
• Consider only one cluster
• 2D Model
• Rotate cluster head - dist. energy consump. reduce heating
Temperature Rise: Pennes Bio-heat Equation
Heat accumulated
Heat transfer by conduction
Heat byradiation
Heat transfer
by convection
Heat by power dissipation
SAR = .08W/Kg
Whole BodyAverage
SAR = 1.6W/Kg
Peak Local
CE
UCE
AADL Standards Meeting – Feb 2-5, 2009
metabolismaccumulated by conduction radiation by convection dissipation
Solution
• Random selection may lead to higher temperature rise
• Similar to Traveling salesman problem but with dynamic metric
• Heuristic: Leader selection based on sensor location, rotation history
1
2
34
5
1
2
34
5
1
2
34
5
(a) Ideal Rotation (c) Farthest Rotation(b) Nearest Rotation
Four Approaches
• FDTD + enumeration
• FDTD + Genetic Algorithm
• TSP + enumeration
• TSP +Genetic Algorithm
Results
FDTD + enumeration
FDTD + Genetic Algorithm
TSP + Genetic Algorithm
TSP +enumeration
Optimal
Optimal
Near Optimal
Near Optimal
720960 hrs (est.)
100 hrs (est.)
7.6 hrs
5 min
Te
mp
era
ture
Temp rise in sensor surroundings
Q. Tang, N. Tummala, S. K. S. Gupta, and L. Schwiebert, Communication scheduling to minimize
thermal effects of implanted biosensor networks in homogeneous tissue, Proc of IEEE Transactions of Biomedical Engineering
Worst Dynamic Manual Genetic Optimal0.06
0.07
0.08
0.09
0.1
0.11
Te
mp
era
ture
Ris
e °
C
TemperatureMean ± DeviationMean
Comparative Result
Envisioned Tool for Developing Dependable BSN Software
Communication Module
Rout ing Protocol
Medium Access
Frequency
Modulat ion Scheme
Sensor Hardware
Specification
Bioheat ModelEnergy Model
Propagat ion
Model
Heat Safety
Plug-in Modules
Design & Evaluation Tool
....
Tissue Properties Database
AADL Standards Meeting – Feb 2-5, 2009
Application Requirements
Communication:
Latency, Reliability...
Sensor Location:
Eye, Hand...
Energy Constraints:
Powering, Recharging
....
Regulations
FDA
FCC
IEEE
IEC.
.
.
Heat Safety
Analysis
Energy
Analysis
Communication
Analysis
Matlab FDTD Software Labview
External Tools
Workflow
Execution
Engine
....
.
.
.
3D Visualization
T ool
Body Model
DataBase
Antenna Analysis
Software
Sensor
Placement
Visualization
Interface
User Interface
....
Workflow
Specification
....
Heat Analysis Workflow
Sources of
Heating
Radiaton of wireless
communication
Radiation of RF
powering
circuitry
dissipation
Blood
convection
Air convection
Single implanted
device
Mut liple
implanted device
Surface implant
In vivo
implants
Communication
Design
Tissue
Sources of
Cooling
Powering
Supply Design
Senseor
Implementation
Application Specific
Heating WorkFlow
AADL Standards Meeting – Feb 2-5, 2009
Metabolic
heating
Tissue
conduct ion
Bioheat Model
Other model
Penns bio-heat
Equat ions
Safety Criteria
FDA
FCC
Bioheat
Analysis
FED
FDT D
2D/3D Tissue
model
Wireless Analysis Workflow
Modulation MethodsAntenna Model
Wireless Model WorkFlow
Modulation
M-PSK
Dipole Antenna
Microstrip
Antenna
Loop
Antenna
AADL Standards Meeting – Feb 2-5, 2009
Propagation
Model
2D/3D T issue
model
Media
Properties
Modulation
Model OOK
QAM
Link Budget
Analysis
Implanted Device
Location/T opolocy
Interference
Output
Power Analysis Workflow
Rechargeable
Model
Power Model WorkFlow
Implanted
Battery
M-PSK
OOK
RF Induct ive
Passive E-Field
Supersonic
AADL Standards Meeting – Feb 2-5, 2009
Propagat ion
Model
Power
Consumption
Media
Properties
QAM
Link Budget
Analysis
Implanted Device
Locat ion/Topolocy
Interference
Output
Analysis Module Interaction
Sensor
Implementation
Powering Supply
Design
Bioheat
Safety Criteria
Application
AADL Standards Meeting – Feb 2-5, 2009
Design
Communication
Design
Safety Criteria
Regulation
Requirement
Data center Energy ConsumptionWhat are datacenters
– Server farms, IT centers, computer rooms
Why they are important– Centralized management, powerful
computation capabilities– Backbones of Internet Infrastructure
Why thermal management is important
AADL Standards Meeting – Feb 2-5, 2009
17
Why thermal management is important
– Improve reliability– Reduce system down time– Save energy cost !!
• $400,000 annually to power a 1,000 volume server-unit data center, then how much for this
– More than 40% is cooling cost
51%42%
7%
Servers Air-Conditioning Other
Dense Computer Rooms (i.e. Data centers, Computer Clusters, Data warehouses)
Self Interference Cross Interference
Inlet
Outlet Outlet
Temp
avoid equipment failure
Safety – inlet temperature should be within the equipment red-line
temperature to avoid equipment failure
Server Activities
Energy Consumption
Outlet Heat throughpower dissipation
Heat recirculation at the inlet of itself
Self Interference
Server Activities
Energy Consumption
Heat recirculation at the inlet of others
Cross Interference
Outlet Heat throughpower dissipation
18
Two Studied CyberPhysical Applications
Application scenario Implanted biomedical sensor networks
Computing nodes of data center clusters
Objective find the best leadership sequence to minimize the temperature rise
find the best task assignment to minimize the energy cost
Heat transfer
mechanism
Convection, conduction and radiation.
Convection
AADL Standards Meeting – Feb 2-5, 2009
Original numerical
simulation
Finite Difference Time Domain
Computational Fluid Dynamics
Abstract Model: the
function F(⋅)
Time-space function Cross interference coefficients
Placement or
scheduling: the function
H(⋅)
Temporal domain Spatial domain
“HOT” Mission Critical Applications –Example of Environmental Effects on
Networks
AADL Standards Meeting – Feb 2-5, 2009
• Nodes exposed to the sun might easily reach 65C and above
• Temperature at nodes in a wildfire monitoring application have reported to reach 95C.
How to compensate for temperature effects at design/runtime?
Communication Range
AADL Standards Meeting – Feb 2-5, 2009
Depending on the path loss model, losses due temperature cause reduction in range comprised between 40% and 60% the max. value
Network Connectivity @ 25°C
AADL Standards Meeting – Feb 2-5, 2009
Average Connectivity = 8.94. Connected nodes = 100%.
Avg. Path Length = 2.95. Network seems reliable.
SINK NODE
Network Connectivity @ 45°C
AADL Standards Meeting – Feb 2-5, 2009
Average Connectivity = 4.57. Connected nodes = 98%.
Avg. Path Length = 4.93. Few nodes are disconnected.
SINK NODE
Network Connectivity @ 65°C
AADL Standards Meeting – Feb 2-5, 2009
Average Connectivity = 4.57. Connected nodes = 0%.
The sink is completely disconnected from the rest of the network!
SINK NODE
Physical Aspects of CPS Security– Modifying physical environment around the CPS can cause security
breach
– Example –
• Smart-car’s theft protection system fails completely if it is fooled into thinking the car is on fire by trigger specific sensors.
• No amount of securing all the other components will help
– The problem is compounded if security solutions for CPS depend on environmental stimuli for efficiency purposes
AADL Standards Meeting – Feb 2-5, 2009
environmental stimuli for efficiency purposes
– Example –
• Physiological value based security (PVS) utilizes common physiological signals from the body for key agreement
• If one of the sensors is fooled into measuring incorrect physiological signals (by breaking the sensor-body interface), the whole process breaks down
Fundamental differences with Cyber Security
• Threat Model is fundamentally different• The point of entry for traditional (cyber-only) is essentially cyber
– Example – Attacker hacking a computing system through a network
• CPHS – it can be cyber, environmental (physical), and human
AADL Standards Meeting – Feb 2-5, 2009
• CPHS system has several aspects each of which need to be secured–
• Environment• Sensing• Communication• Processing• Feedback• Humans
Securing these addressed in traditional cyber security
Securing the environment and its interaction with otherfollowing unique to CPHS
Criticality & Critical Event Management
• Critical events– Causes emergencies/crisis.– Leads to loss of
lives/property.
• Criticality– Effects of critical events on
the smart-infrastructure.
Critical Event
Timely Criticality Response within
window-of-opportunity
NORMAL STATE
CRITICALSTATE
AADL Standards Meeting – Feb 2-5, 200927
the smart-infrastructure.– Critical State – state of the
system under criticality.– Window-of-opportunity (W)
– temporal constraint for criticality.
• Survivability– effectiveness of the criticality response actions in minimizing the disasters.
Mismanagement of any
criticality
DISASTER(loss of lives/property)
Handling Critical Events in CPS
Crisis Response Recovery Preparedness
Detect fire using information from sensors
CriticalEvent Detection
• Notify 911
• provide information to the first responders
Trapped People & Rescuers
Additional Critical Events
Detect trapped people
Detection
Performance Evaluation of
Crises Response
AADL Standards Meeting – Feb 2-5, 2009
sensorsthe first responders
• Analyze the Spatial Properties • how to reach the source of fire;• which exits are closest; • is the closest exist free to get out;
• Determine the required actions• instruct the inhabitants to go to nearest safe place; • co-ordinate with the rescuers to evacuate.
Rescuers
HUMAN INTERACTION
MODEL
28
• State-based stochastic model– System in different critical
states for different criticalities.– Similar to AADL Error Model.
• Critical Events– Analogous to fault events in
Error Model Annex.– Enhancements capturing
• Criticality characteristics
Envisioned AADL Model for Survivability Analysis
NORMAL STATE
AADL Standards Meeting – Feb 2-5, 200929
• Criticality characteristics (e.g. window-of-opportunity)
• Mitigative Link– Analogous to failure
responses in Error Model Annex.
– Enhancements capturing• probability of actions’
success considering uncertainties due to human involvement.
Mitigative Link Critical Event
Survivability – probability of reaching normal state based on MLs’ success probabilities and
conformity to window-of-opportunity.
Survivability Model for fire emergencies in offshore Oil & Gas Production Platforms (OGPP)
Fire Alarm
State transition probabilities derived from established probability distribution in [1].
0.284877
0.40365
0.1755
0.1634
0.2965 0.48970.5862
0.1977 0.1892
0. 2094
AADL Standards Meeting – Feb 2-5, 200930
Fire Alarm &Imminent Danger
Fire Alarm &Non-tenable Path
Fire Alarm &Assistance Required
Fire Alarm &Non-tenable Path &
Assistance Required
Fire Alarm &Imminent Danger &
Assistance Required
Fire Alarm &Assistance Required &
Non-tenable Path
[1] D. G. DiMattia, F. I. Khan, and P. R. Amyotte, “Determination of human error probabilities for offshore platform musters,” Journal of Loss
Prevention in the Process
Industries, vol. 18, pp. 488–501, 2005.
0.1634
0.2965 0.4897
0.5717
0.57170.2649
0.2649
0.481
0.41861 0.3348
0.4138
Crisis Response Recovery PreparednessMitigationMitigation
Identify the critical events
Determine the Evaluate the Q-value of
Criticality Response Process
Evaluate Effectiveness of Response Process
Criticality Response Modeling (CRM) Framework
AADL Standards Meeting – Feb 2-5, 2009
Determine the Window-of-opportunity
Determine the possible occurrences of
multiple criticalities
Determine the states & transition probabilities
Apply the Stochastic Model
Criticality Response Process
CRM Framework
Learn
ing
Criticality Aware Access Control (CAAC)
CAAC
Patient Emergency
(Doctor not available)Patient (NoEmergency)
Normal mode In this mode, an alternate set of access privileges are enforced for facilitating
AADL Standards Meeting – Feb 2-5, 2009
CAAC
Allow another doctor toAccess Patient Data Treat Patient
CAAP mode
are enforced for facilitating mitigative actions
Sandeep K. S. Gupta
Model-based Engineering of
Cyber-physical Systems
____ _____ __________ __ ____
________ ______
Proposal for Cyber-Physical System
Annex in AADL
______ ____
Design Decisions
Security
Survivability Reliability
Critical applications should be able to handle dangerous physical conditions (e.g. life/property losses).
Physical security should be considered while designing the cyber components.
34
Real-time
Quality
Safety
Interactions between physical and cyber components should not detrimentally impact the physical conditions.
issuesThis talk specifically focuses on the safety & survivability issues
AADL Extensions Requirements
Physical Environment
Self-InterferenceEnvironment Interference
Cross-Interference
Cyber Subsystem
Cyber Subsystem
Criticality Model
Criticality Model
Cross-Interference
Non-physical Interactions(e.g. data flow)
35
Proposed AADL Extensions
AADL System Specification
CPS Annexes For AADL
36
AADL Analysis Platform (e.g. OSATE)
Analysis Plug-ins
Analysis of CPS
� Safety analysis
� Interference should not be detrimental to the physical and other cyber components
� e.g. heat generated by performing tasks in implanted body sensors should be within a threshold value to avoid tissue damage.
37
� Survivability analysis
� Critical events should be effectively responded to avoid dangerous failures
� e.g. providing proper access to equipment if fire is detected in a smart-building infused with sensors and actuators.
Safety Modeling in AADL
AADL Architecture Model
AADL Physical Interference
Model+
AADL Safety Model
Model Parsing
AADL Safety Analysis Plug-ins
Safety Measures
Model Processing
38
Envisioned Extensions in AADL for Safety Analysis
Physical Environment
Environment
Physical Component Specification• Interference characteristics• Safety threshold of interferences
Physical Component Specification• Interference characteristics• Safety threshold of interferences
Connection between inward & outward interference of a device • analogous to AADL data flow
Connection between inward & outward interference of a device • analogous to AADL data flow
Connection between inward & outward interference of corresponding devices• analogous to AADL data flow
Connection between inward & outward interference of corresponding devices• analogous to AADL data flow
Cyber Subsystem
Cyber Subsystem
Self-InterferenceEnvironment Interference
Cross-Interference
Non-physical Interactions(e.g. data flow)
39
Physical Features of Computing Components • Physical State• Interference from device to environment• Interference from environment to device
Physical Features of Computing Components • Physical State• Interference from device to environment• Interference from environment to device
• analogous to AADL data flow• analogous to AADL data flow
Example Envisioned AADL Specification for BSN
Heat Safety Analysis
property set BSN isgrid_size: aadlinteger applies to (system);coordinatesX: aadlreal applies to (device);
…node_no: aadlinteger applies to (device); alarm_temp: aadlreal applies to (physical)
end BSN;
physical Tissueproperties
BSN::alarm_temp => 100.0;characteristics
device NodephysicalFeatures
out_interference: out energy interference subprogram Node.sensor_energy;
physicalStatememory_usage: aadlreal;cpu_usage: aadlreal;
end Node;
device implementation Node.node0propertiesBSN::coordinatesX => 20.0;
Safety threshold temperature
Physical State
Physical Component Specification Physical Features of Computing Components
40
characteristicsin_interference: in interference subprogram
Tissue.temp;end Tissue;
physical implementation Tissue.bodysubprogram Tissue.temp
featuresinput : in parameter Node.node0;time : in parameter aadlreal;output : out parameter aadlreal;
end Tissue.temp;end Tissue;
subprogram implementation Tissue.tempend Tissue.temp;
BSN::coordinatesX => 20.0;…
BSN::node_no => 0;end Node.node0
System implementation BSN.BSN1end BSN.BSN1;
subprogram Node.sensor_energyfeatures
input : in parameter Node::physicalState;output : out parameter aadlreal;
end Node.sensor_energy;
subprogram implementation Node.sensor_energyend Node.sensor_energy;
Interference characteristics
Interference from device to environment
Example Envisioned AADL Specification for Data
Centers (DC)
property set DC isgrid_size: aadlinteger applies to (system);supply_temp: aadlreal applies to (physical);
…node_no: aadlinteger applies to (device); redline_temp: aadlreal applies to (physical)
end DC;
physical Inletproperties
DC::redline_temp => 100.0;DC::supply_temp => 68.0;
device NodephysicalFeatures
in_interference: in energy interference Inlet;
out_interference: out energy interference subprogram Node.energy;
physicalStatememory_usage: aadlreal;cpu_usage: aadlreal;
end Node;
System implementation DC.DC1
Safety threshold temperature
Interference from device to environment
Physical Component Specification Physical Features of Computing Components
Interference from environment to device
41
DC::supply_temp => 68.0;characteristics
in_interference: in interference subprogramOutlet.temp;
end Inlet;
physical implementation Outletsubprogram Outlet.temp
featuresinput : in parameter Node.node0;time : in parameter aadlreal;output : out parameter aadlreal;
end Outlet.temp;end Outlet;
subprogram implementation Outlet.tempend Outlet.temp;
System implementation DC.DC1subcomponentsnode0: device Node.node0;
…connectionsnode0.out_interference -> node0.in_interference;node0.out_interference -> node1.in_interference;
end DC.DC1;
subprogram Node.energyfeatures
input : in parameter Node::physicalState;output : out parameter aadlreal;
end Node.energy;
subprogram implementation Node.sensor_energyend Node.sensor_energy;
Interference characteristics
Self-Interference
Cross-Interference
Survivability & Criticality Modeling in AADL
AADL Architecture Model AADL Error Model
Physical & Human Uncertainties
+
AADL Criticality Model
+
AADL Survivability Model
Model Parsing
AADL Survivability Analysis Plug-ins
Parsing
Survivability Measures (e.g. Manageability)
Model Processing
42
Envisioned Extensions in AADL for
Survivability Analysis
Physical Environment
Self-InterferenceEnvironment Interference
Cross-Interference
Cyber Subsystem
Cyber Subsystem
Criticality Model
Criticality Model
Non-physical Interactions(e.g. data flow)
43
Critical State and Response Action Specification• Human Uncertainties• State Transition Specification• Criticality Characteristics
Critical State and Response Action Specification• Human Uncertainties• State Transition Specification• Criticality Characteristics
Conclusions & Future Work
� Interference modeling essential to analyze safety of CPS.
� Criticality modeling essential to analyze survivability of CPS.
44
� Future Work
� Annexing the AADL with Interference and Criticality modeling capabilities.
� Develop and annex model to analyze CPS security.
Example Envisioned AADL specification for BSN
Heat Safety Analysis
property set BSN isgrid_size: aadlinteger applies to (system);coordinatesX: aadlreal applies to (device);
…node_no: aadlinteger applies to (device); alarm_temp: aadlreal applies to (physical)
end BSN;
physical Tissueproperties
BSN::alarm_temp => 100.0;characteristics
in_interference: in interference subprogram
device NodephysicalFeatures
out_interference: out energy interference subprogram Node.sensor_energy;
physicalStatememory_usage: aadlreal;cpu_usage: aadlreal;
end Node;
device implementation Node.node0propertiesBSN::coordinatesX => 20.0;
…
Physical characteristic
Safety threshold temperature
46
in_interference: in interference subprogramTissue.temp;
end Tissue;
physical implementation Tissue.bodysubprogram Tissue.temp
featuresinput : in parameter Node.node0;time : in parameter aadlreal;output : out parameter aadlreal;
end Tissue.temp;end Tissue;
subprogram implementation Tissue.tempend Tissue.temp;
…BSN::node_no => 0;
end Node.node0
System implementation BSN.BSN1end BSN.BSN1;
subprogram Node.sensor_energyfeatures
input : in parameter Node::physicalState;output : out parameter aadlreal;
end Node.sensor_energy;
subprogram implementation Node.sensor_energyend Node.sensor_energy;
characteristics
of devices
Physical Component
Data Centers
► Heat recirculation
� Hot air from the equipment air outlets is fed back to the equipment air inlets
► Hot spots
� Effect of Heat Recirculation
47
� Effect of Heat Recirculation
� Areas in the data center with alarmingly high temperature
► Consequence
� Cooling has to be set very low to have all inlet temperatures in safe operating range