Tasuku Ishigooka

A Distributed Computing Environment for Embedded Control Systems with Time-Triggered and Event-Triggered Processing

The paper presents a distributed computing environment for embedded control systems with time-triggered and event-triggered distributed processing. We have already presented a time-triggered distributed object model and a time-triggered distributed computing environment for embedded control systems. However, there are many embedded control systems with time-triggered and event-triggered processing. In this paper, we present two kinds of event-triggered distributed object models, a pure event-triggered distributed object model and a data-triggered distributed object model, in addition to the time-triggered distributed object model. We also present a distributed object computing environment based on a time-division scheduling for the mixed architecture with time-triggered and event-triggered distributed processing. The time division scheduling divides an execution cycle into a time-triggered processing segment and a non-time-triggered processing segment. The time-triggered distributed processing is executed in the former segment, and the event-triggered distributed processing is executed in the latter segment. The distributed object computing environment consists of a real-time operating system with the time division scheduling and distributed computing middleware to support the three kinds of distributed object models. We provide a development environment that generates stubs and configuration data to build distributed control systems.

A Time-Triggered Distributed Object Computing Environment for Embedded Control Systems

The paper presents a time-triggered distributed object computing environment for embedded control systems such as automotive control systems. The time-triggered architecture is suitable for hard real-time systems. We present a time-triggered distributed object model as an extension to the time-triggered object model that consists of objects periodically updating their own attribute values. The model is suitable for embedded control systems in which the control logics are designed with control block diagrams. Replica objects are used for efficient location transparency in the model and inter-object communications are local method calls, not remote method invocations. We have developed a distributed computing environment based on the time- triggered distributed object model. The middleware maintains the replicas to be consistent with the original objects using periodic state messages. The middleware executes the replication processing with the stubs that bridge the original objects, the middleware, and the replicas. We have also developed a development environment for embedded control application programs based on the time-triggered distributed object model. The stubs are generated from the interface definitions written in CORBA-compliant IDL.

Practical Use of Formal Verification for Safety Critical Cyber-Physical Systems: A Case Study

Cyber-Physical Systems (CPS) linking computing to physical systems are often used to monitor and controlsafety-critical processes, i.e. processes that bear the potential to cause significant damage or loss in the case of failures. While safety-critical systems have been extensively studied in both the discrete (computing) and analog (control) domains, the developed techniques apply to either one domain or the other. As cyber-physical systems span both domains, the focus on an individual domain leaves a gap on the systemlevel, where complex interactions between the domains can lead to failures that cannot be analyzed by considering only the physical orthe digital part of the integrated CPS. We discuss such a complex failure condition in a real-world brakecontrol system, and demonstrate its detection using a formalverification approach specifically targeting CPS.

Safety Verification Utilizing Model-based Development for Safety Critical Cyber-Physical Systems

The application of cyber-physical systems (CPSs) in safety-critical application domain requires rigorous verification of their functional correctness and safety-relevant properties. We propose a practical verification process which enables to conduct safety verification of safety critical CPSs. The verification process consists of (a) a system model construction method, which generates a system model by combining software described in C and plant model code reused from model-based development, (b) a model transformation method, which transforms the plant models including differential algebraic equations (DAE) to approximate models without DAE to reduce verification complexity induced by DAE solver execution, (c) a model simplification framework, which enables the simplification of bond-graph plant models using domain-knowledge-based replacement of complex model components for further verification overhead reductions, and (d) a formal verification based on symbolic execution. We implemented the proposed methods and framework, and successfully applied the proposed verification process for safety verification of automotive brake control systems. The results of the study demonstrate that the verification detects a complex failure condition in a real-world brake control system from the generated system model and that the automated model transformations of the CPS models yield significant verification complexity reductions without impairing the ability to detect unsafe behavior.

Practical Formal Verification for Model Based Development of Cyber-Physical Systems

The application of cyber-physical systems (CPSs) in safety-critical applications requires rigorous verification of their functional correctness and safety-relevant properties. We propose a practical verification framework which enables to fill the gaps between model-based development and the formal verification process seamlessly connecting them. The verification framework consists of (a) a model transformation method, which automatically transforms the plant models of CPSs including differential algebraic equations (DAE) to equivalent models without DAE to reduce verification complexity induced by DAE solver execution, and (b) a model simplification method, which automatically simplifies bond-graph models by replacing complex bond-graph components with simpler components for further verification overhead reductions. We successfully applied the proposed verification framework for safety verification of an automotive brake control system. The results of the study demonstrate that the automated model transformations of the CPS models yield significant verification complexity reductions without impairing the ability to detect unsafe behavior of the brake control system in a formal verification based on symbolic execution.

Dynamic Activation Timing Configuration for Product Line Development

Most automotive control systems have been developed by combining legacy Electronic Control Units (ECUs) with newly developed ECUs. We need to plan the product line to utilize as many legacy ECUs as possible to lower development costs of new vehicles. However, we must develop several new gateway ECUs per new vehicle because gateway ECUs depend on the placement of other ECUs and their combinations within the whole system. The reusable gateway ECUs are needed to lower development cost. However, there is a problem in that the worst case execution time (WCET) of relay processing may be impaired in typical methods that are synchronized with the communication cycle of time-triggered networks. Therefore, we propose a Dynamic Activation Timing Configuration (DATC) for product line development, which can dynamically calculate the activation timing of relay processing from the information on message routing, slot assignment, and time-triggered network. The gateway ECUs with DATC can be dynamically adjusted to new vehicles and improve the WCET of relay processing.