ebook img

Toward a Science of Cyber–Physical System Integration PDF

16 Pages·2011·0.89 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Toward a Science of Cyber–Physical System Integration

INVITED PAPER Toward a Science of Cyber–Physical System Integration This paper focuses on the design phase of the system lifecycle and proposes a passivity-based approach to decouple system stability from cyber timing uncertainties. ByJanos Sztipanovits, Fellow IEEE, Xenofon Koutsoukos, Senior Member IEEE, Gabor Karsai, Senior Member IEEE, Nicholas Kottenstette, Senior Member IEEE, Panos Antsaklis, Fellow IEEE, Vijay Gupta, Member IEEE, Bill Goodwine, Member IEEE, John Baras, , and Shige Wang, Fellow IEEE Senior Member IEEE ABSTRACT | System integration is the elephant in the china compositionfor heterogeneoussystemsfocusingon stability. store of large-scale cyber–physical system (CPS) design. It Specifically, the paper presents a passivity-based design ap- wouldbehardtofindanyothertechnologythatismoreunder- proach that decouples stability from timing uncertainties valuedscientificallyandatthesametimehasbiggerimpacton causedbynetworkingandcomputation.Inaddition,thepaper the presence and future of engineered systems. The unique describes cross-domain abstractions that provide effective challengesinCPSintegrationemergefromtheheterogeneityof solution for model-based fully automated software synthesis components and interactions. This heterogeneity drives the and high-fidelity performance analysis. The design objectives need for modeling and analyzing cross-domain interactions demonstratedusingthetechniquespresentedinthepaperare among physical and computational/networking domains and group coordination for networked unmanned air vehicles demandsdeepunderstandingoftheeffectsofheterogeneous (UAVs)andhigh-confidenceembeddedcontrolsoftwaredesign abstractionlayersinthedesignflow.Toaddressthechallenges foraquadrotorUAV.Openproblemsintheareaarealsodis- of CPS integration,significantprogress needs to be made to- cussed,includingtheextensionofthetheoryofcompositional ward a newscience and technologyfoundation that is model designtoguaranteepropertiesbeyondstability,suchassafety based,precise,andpredictable.Thispaperpresentsatheoryof andperformance. KEYWORDS|Controlengineeringcomputing;embeddedsoft- ware;systemanalysisanddesign ManuscriptreceivedMarch30,2011;revisedJune16,2011;acceptedJune23,2011. DateofpublicationSeptember1,2011;dateofcurrentversionDecember21,2011.This workwassupportedbytheNationalScienceFoundationunderGrantCNS-1035655. Anyopinions,findings,andconclusionsorrecommendationsexpressedinthismaterial I. INTRODUCTION arethoseoftheauthor(s)anddonotnecessarilyreflecttheviewsoftheNational ScienceFoundation. System integration is currently the largest obstacle to J.Sztipanovits,X.Koutsoukos,G.Karsai,andN.KottenstettearewiththeInstitute effectivecyber–physicalsystem(CPS)design,whichisdue forSoftwareIntegratedSystems,VanderbiltUniversity,Nashville,TN37069USA (e-mail:[email protected];[email protected]; primarily due to a lack of a solid scientific theoretical [email protected];[email protected]). foundation for the subject. The absence of a solid under- P.AntsaklisandV.GuptaarewiththeDepartmentofElectricalEngineering, UniversityofNotreDame,NotreDame,IN46556USA(e-mail:[email protected]; standingofthescienceofsystemintegrationisnotdueto [email protected]). neglect,butratherduetoitsdifficulty.Mostlargesystem B.GoodwineiswiththeDepartmentofAerospaceandMechanicalEngineering, UniversityofNotreDame,NotreDame,IN37069USA(e-mail:[email protected]). builders have given up on any science or engineering J.BarasiswiththeDepartmentofElectricalandComputerEngineering,Universityof disciplineforsystemintegrationVtheysimplytreatitasa Maryland,CollegePark,MD20740USA(e-mail:[email protected]). S.WangiswithGeneralMotors,Warren,MI48093USA(e-mail:[email protected]). managementproblem.Systemintegrationisalmosttotally DigitalObjectIdentifier:10.1109/JPROC.2011.2161529 absent from computer science and engineering curricula. 0018-9219/$26.00 (cid:1)2011 IEEE Vol.100,No.1,January2012|Proceedings of the IEEE 29 Sztipanovits etal.:TowardaScience of Cyber–Physical SystemIntegration The huge significance of this problem has long been re- these problems, significant progress needs to be made cognized by industry and considered to be a grand chal- toward a new science and technology foundation for CPS lenge. In this paper, we present some preliminary results integration, one that is model based, precise, and predic- directedtowardanewandcomprehensiveapproachtothe table. The unique challenges of a CPS integration science subject. emerge from the heterogeneity of components and System integration today relies on ad hoc methods: interactionsinsideCPSsystems.Thisheterogeneitydrives After all the components have been designed and manu- theneedformodelingandanalyzingcross-domaininterac- factured, existing integration methods simply aim at tions among physical and computational/networking Bmaking it work somehow.[ As the complexity of engi- domains and demands deep understanding the effects of neered systems continues to increase, our lack of a syste- heterogeneousabstractionlayersinthedesignflow.Trans- matic theory for systems integration creates more and forming system integration from a high-risk management moreproblems.Findingasolutionisdifficultbecausesys- practice into a science-based engineering discipline is a tem integration is the phase where essential design significant challenge. concernsVusually separated into physical systems, soft- As CPS-based solutions become ubiquitous, the need ware, and platform engineeringVcome together and the fortheories,methods,andtoolstoensurepredictabilityof hidden, poorly understood interactions and conflicts system behavior has significantly increased and expanded across design domains suddenly surface. Hence, system tomostengineeringsystems.Themaincontributionofthis integrationisparticularlychallenginginCPSwherefunda- paperistopresentaCPSintegrationapproachtoachieving mentallydifferentphysicalandcomputationaldesigncon- compositionality for a critical system level propertyV cerns intersect. stabilityVinnetworkedcontrolsystems.Theresultsshow As an example, the automotive industry has been that 1) passivity-based design of the physical dynamics struggling with system integration for many years [1]. fully decouples stability from timing uncertainties caused Traditionalcontrolsystemdevelopmentreliesonsuppliers by networking and computation and 2) cross-domain to provide systemcomponents, each implementing a con- abstractions provide effective solutions for model-based trol function using software and hardware. The original fully automated software synthesis and hi-fidelity perfor- equipment manufacturers (OEMs) purchase such system mance analysis. components and integrate them into a vehicle product. InSectionII,thepaperdescribestheimpactofhetero- Since different suppliers implement their products with geneity and neglected interactions in the loss of compo- different strategies, engineering processes, and tools, sitionalitywhichcreatestremendousdifficultiesinsystem OEMs always face the integration challenge, regardless integration. Section III presents passivity, a powerful sys- ofwhetherthecomponentsaredesignedanddevelopedfor tempropertythatallowscompositionalcontroldesignand the same vehicle products. The increasing complexity of decouples stability from implementation uncertainties. In electrical and control components, and the use of more Section IV, the inherent robustness that passivity offers advancedtechnologiessuchassmartsensorsandactuators, against uncertainties is exploited for the design of a net- wirelessnetworks,and multicore processorsmakethe ve- worked multiagent system that is stable even in the hicle control integration challenge far worse. OEMs need presence of time-varying network delays and data loss. solid scientific and engineering foundations that enable Section V presents a correct-by-construction method for predictableintegrationofindependentlydevelopedsystem implementation of networked controllers that includes components.Specifically,theories,methods,andtoolsare design of the software components, selection of their requiredfor:1)design,analysis,andverificationofcompo- interaction model, and design of their execution on a se- nents at various levels of abstraction, including system, lected implementation platform. Finally, Section VI sum- software architecture, and controller level, each of which marizes the main conclusions from our preliminary work isinitsowndisciplinebutsubjecttotheconstraintsfrom and discusses open research directions. other levels; 2) composing and analyzing the interactions betweenvehiclecontrolandphysicalsystems(e.g.,engine, II. IMPACT OF HETEROGENEITY ON transmission, steering, wheel, brake, suspension, etc.) to COMPOSITIONALITY ensure system-level properties (e.g., stability, safety, per- formance, cost); and 3) system-level behavior simulation Composition is a technical foundation for all engineering with incomplete or limited information. Know-how in disciplines; it helps to manage complexity, decreases system integration is increasingly the differentiator in time-to-market, and contains costs. The feasibility of competitiveness in automotive as well as other major component-based system design depends on two key industrial sectors such as aerospace, health, and defense. conditions: compositionalityVmeaning that system-level The need for a science of system integration was first properties can be computed from local properties of expressed over a decade ago in the aerospace community componentsVand composabilityVmeaning that compo- driven by the pressures of rapidly growing complexity of nentpropertiesarenotchangingasaresultofinteractions spacesystems[2],[3].Webelievethatinordertoaddress withothercomponents[4].Lackofcompositionalityleads 30 Proceedings of the IEEE|Vol.100,No.1,January2012 Sztipanovits et al.:Towarda Science of Cyber–Physical System Integration based on linear algebra, topology, and analysis. The soft- warelayercomprisesthesoftwarecomponentswithbeha- vior expressed in logical time. Interconnections are modeled using various models of computations (MoCs) [7] where software components are connected using an input/output (I/O) model with an implied notion of cau- sality. The mathematics of compositionality is discrete, based on logic, combinatorics, and universal algebra. The network/platform layer comprises the hardware side of CPS architectures and includes the network architecture and computation platform that interact with the physical componentsthroughsensorsandactuators.Whileexecut- ing the software components on processors and transfer- ring data on communication links, their abstract behavior isBtranslated[intophysicalbehavior.Thebehaviorofthe platformsismodeledbydiscreteeventsystems.Themath- Fig.1.DesignlayersinCPS. ematics of composition is timed automata, hybrid autom- ata, algebra, and queuing theory. It is the underlying fundamental differences in the to brittleness, that is, systems that do not behave well time, concurrency, and composition models that separate outside a small operational envelope. thecompositionprinciplesandverificationandvalidation Foundations of component-based design are well un- techniques in the three layers. In general, existing derstoodandsuccessfullyappliedinmanyengineeringand composition frameworks make assumptions that are computer science disciplines, such as digital logic in frequentlynotsatisfiedacrossthelayers.Thisistheresult computer engineering, linear control systems in control of the phenomenon of Bleaky abstractions[ [8] when the engineering,orprocessalgebraindistributedcomputingV underlying implementation of a higher level abstraction just to name a few. The common feature of all successful influencesitssemanticsunintentionally.Problemsemerg- compositionaldesignframeworksishomogeneityinterms ing from cross-layer semantic interactions are ubiquitous. of the properties to be composed and their semantic do- Here are a few. main. It should be noted, however, that though homoge- 1) Establishing compositionality for properties in neity is a common feature in successful compositional physical systems (for example, stability) can be design frameworks, that property inandofitselfdoesnot nontrivialeveninsimplecases.Muchofthefocus guaranteecompositionalityinallcases[5].Unfortunately, in control theory has been on restricted system CPSs are inherently heterogeneous in structure, compo- architectures, such as feedback loops, model- nent behavior, and types of interactions among compo- predictive control architectures, and others, to nents. CPSs have three fundamentally different design make the problems solvable. However, control layers:thephysicallayerandthetwoBcyber[layers:soft- theory on the physical layer tends to neglect ef- ware and network/platform layers as shown in Fig. 1. For fects of implementation of networked controllers example,thedesireddynamicsofacarengineanditscon- on compositionality. For example, effects of un- trollerismodeledfirstwithphysicallayerabstractions.The certainprocessoravailability, probabilisticdelays, controller,whichisusuallyimplemented asanembedded fixed point arithmetic, coefficient quantization, system, is modeled using software layer abstractions. and signal quantization introduce nonlinearities Finally,thesoftwaresystemisdeployedonacomputation that may result in limit-cycle oscillation and lack platform modeled with network/platform layer ab- of convergence. stractions.Whileusuallythisdesignprocessisconsidered 2) Dependability, safety, or security properties are as refinementVadding more details to higher level frequentlysatisfiedwith softwarethat havesigni- abstractionsVthe differences are more profound; the dif- ficant impact on the predictability of timing pro- ferent abstraction layers use fundamentally different perties of software applications. For example, semanticsandcompositionconcepts. multilevel security requirements can be effec- The physical layer embodies physical components and tively satisfied by using separation kernels. How- their interactions which are expressed in continuous ever, separation kernels interfere with timing (physical) time. Behavior of physical components is properties and the resulting increased jitter may determined by physical laws that impose relations on the lead to unacceptable performance degradation of system variables. Interconnection among physical compo- the system dynamics. nentsoccursthroughsharedvariableswithoutaprescribed 3) Uncertainty in wireless communication must be notionofcausality[6].Themathematicsofcompositionis mitigated by the use of complex protocols that Vol.100,No.1,January2012|Proceedings of the IEEE 31 Sztipanovits etal.:TowardaScience of Cyber–Physical SystemIntegration provide improved fault tolerance. These proto- wherex2X (cid:1)Rn istheprocessstate,u2U (cid:1)Rm isthe cols introduce significant time-varying delays in controlinput,andy2Y (cid:1)Rp istheoutputofthesystem. transmissions that can easily destabilize control The system H is said to be passive if there exists a storage loops. function VðxÞ(cid:2)0 such that 8t (cid:2)t (cid:2)0, xðt Þ2X and 1 0 0 Theimpactoftheseneglectedinteractionsisthelossof u2U compositionality which creates tremendous difficulty in systemintegration.Thepaperpresentsatheoryofcompo- sitionforheterogeneoussystemsthatcanenablescalingup Zt1 thesystems’sizeandachievepredictablebehaviorinterms Vðxðt ÞÞ(cid:3)Vðxðt ÞÞ(cid:4) uTð(cid:1)Þyð(cid:1)Þd(cid:1): 1 0 of stability and performance. As opposed to pursuing the t0 developmentofyetanothercompositionalframeworkthat works only under assumptions (that may not be met in CPS) the paper addresses compositionality in layered Note that if VðxÞ is differentiable, we can alternatively systems by introducing decoupling techniques among the write designlayers.Therationalefordecouplingistwofold:1)it limits system complexity by eliminating intractable cross- cutting interactions among system layers; and 2) it ena- V_ðxÞ(cid:4)uTðtÞyðtÞ 8t(cid:2)0: bles making design changes in one layer without influencing essential properties in the others. The cost ofdecouplingissomelevelofperformancelossrelativeto Intuitivelyspeaking,VðxÞreferstotheenergycontentofa a more optimal but brittle design. Effectiveness of the systemwhileuTðtÞyðtÞreferstothepowerbeingfedtothe approach in narrower problems (e.g., [9]–[11]) inspired system. Passivity implies that energy is being dissipated the development of a systematic approach for CPSs de- from the system. Notice that such an intuition holds ex- scribed in this paper. Our primary target is to decouple actly for electrical circuits; for more general systems, this stabilityVa crucial property on the physical layerVfrom is merely a guide. the effects of implementations on software and network/ There are several variations of this definition but es- platform layers. sentially all definitions state that the output energy must be bounded so that the system does not produce more energy than was initially stored [14]. Strictly output pas- III. PASSIVITY sive systems and strictly input passive systems with finite Stabilityis,ofcourse,theprimaryconcernwhendesigning gain have a special property in that they are ‘2-stable. In complex systems. In physical processes, stability can be addition if all internal states are zero-state detectable then analyzedusingenergyconservationlaws,andthetheoryof the system is Lyapunov stable [15]. passivedynamicalsystemsprovidesastrongfoundationfor The interest on passivity in CPS follows from the fact a compositional framework for stability. Traditional pas- thatitallowscompositionaldesign.Passivesystemshavea sive systems theory is a powerful tool for system analysis unique property that when connected in either a parallel andcontroldesign[12].Itsoriginsareinelectricalcircuit ornegativefeedbackmannerasshowninFig.2(a)and(b), theorywherenetworksofpassivecircuitcomponentswere respectively, the overall system remains passive. Passivity known to be stable in various configurations. These ispreservedsincetheenergystoredintheinterconnection components were often linear, but the general theory of is simply the sum of the energies stored in each of the passivity can be applied to general nonlinear systems. systems,andtherefore,astoragefunctionthatsatisfiesthe Passivitytheoryhasbeenappliedtoanalysisanddesignof passivity definition for the interconnected system can be manysystemsusingatraditionalnotionofenergy.Inmore easilyconstructedasthesumofthestoragefunctionsofthe generalcases, passivity canbeapplied evenwhenthere is individualsystems.Usingtheseresults,large-scalesystems notatraditionalnotionofenergy,butratherageneralized can be shown to be stable by verifying passivity for each energy. This generalized energy can be defined using an system component and by following simple interconnec- energy storage function. When a storage function exists tionrules.Moreover,alargevarietyofsystemsandnetwork andtheenergystoredinasystemcanbeboundedaboveby componentscanbemadepassive.Thus,passivityisanim- the energy supplied to the system, the system is passive. portant tool for compositional design of large-scale CPS, We present a formal definition of passivity [13]. particularlywhenthestructurealsoadmitsofsymmetries. Consider the system H The theory of passive dynamical systems provides a strongfoundationforacompositionalframeworkforstabi- lity [14], [16]. Passive systems have infinite gain margin x_ ¼fðx;uÞ and at least 900 of phase margin, and thus are able to toleratelargeloopgains[16].Passivecontroltheoryisvery y¼hðx;uÞ generalandbroadandappliestoalargeclassofcontrollers 32 Proceedings of the IEEE|Vol.100,No.1,January2012 Sztipanovits et al.:Towarda Science of Cyber–Physical System Integration that would become passive with a simple loop transfor- mation. This information can be presented in the form of passivityindices[26].Thedesignadvantageoftheconcept of passivity indices is that even when the system to be controlledisnotpassive(orevennotstable),thepassivity indexes can be used to design a feedback system that still renderstheinterconnectionstable[27].Thus,forinstance, ifalinearsystemG isoutputfeedbackpassive(OFP)with 1 passivityindex(cid:2) andinputfeedforwardpassive(IFP)with 1 passivityindex(cid:3) ,andanotherlinearsystemG isnonpas- 1 2 sivewithOFPð(cid:2) ÞandIFPð(cid:3) Þ,thentheirfeedbackinter- 2 2 connection would still be stable if (cid:2) þ(cid:3) (cid:2)0 and 1 2 (cid:2) þ(cid:3) (cid:2)0. Similar results can be derived for nonlinear 2 1 or switched systems. Moreover, using passivity indices, it can also be checked if the cascade connection of two sys- tems ispassive. We have introduced passivity indicesthat allow consideration of systems that may not be passive, passivity of systems in cascade, design of feedback hybrid passive systems, and methods for designing complex con- Fig.2.Interconnectionsthatpreservepassivity.(a)Parallel interconnection.(b)Negativefeedbackinterconnection. trol systems based on symmetries and dissipativity [27]– [29]. These methods can significantly extend the class of CPSs whose design can exploit passivity. for linear, nonlinear, continuous, and discrete-time con- Wehaveinvestigatedtheuseofpassivityforthedesign trol systems. The inherent safety of passive systems has of networked control systems, and in particular for de- beenwidelyexploitedbyresearchersinhumaninteracting coupling the control design from implementation uncer- machines like smart exercise machines and teleoperated tainties. We exploit the inherent robustness that passivity devices (e.g., [17] and [18]). Further, passivity provides offers against uncertainties to design a networked multi- significant advantages dealing with network delays, data agent system that is stable even in the presence of time- dropouts, and quantization. The problemofbilateral tele- varyingnetworkdelaysanddatalossinSectionIV,andwe operation of a single controller/plant pair for both generate control software while ensuring stability is pre- continuous-and discrete-timecommunicationchannelsis served in the presence of jitter in Section V. studied in [19]. The approach presented in [20] demon- strateshowtointerconnectacontinuous-timecontrollerto IV. DECOUPLING CONTROL DESIGN a continuous-time plant while maintaining stability for FROM NETWORK UNCERTAINTIES arbitraryfixedtimedelays.Anapproachwhichallowsone to connect discrete-time controllers to continuous port- Surveillance and convoy tracking applications often re- Hamiltonian plants while preserving passivity even with quire groups of networked agents for redundancy and droppeddataandtime-varyingdelaysispresentedin[21].A bettercoverage.Animportantgoalupondeploymentisthe passivityapproachformodel-basedcompositionaldesignof establishment of a formation around a target. Although anexperimentalnetworkedmultirobotsystemthatensures distributed algorithms using only local communication the overall system remains stable in spite of implemen- that achieve this goal exist, they typically ignore destabi- tation uncertainties such as network delays and data lizingeffectsresultingfromimplementationuncertainties, dropoutsispresentedin[22].Passivityhasbeenusedalso such as network delays and data loss. We address these forgroupcoordinationofmultiagentsystems.Apassivity- issues by introducing a discrete-time distributed design baseddesignframeworkforcontrollingnonlinearsystems framework that uses a compositional, passivity-based ap- which have been rendered passive through an internal proachtoensurelm-stabilityregardlessofoverlaynetwork 2 feedback configuration is presented in [23]. The design topology,inthepresenceofnetworkdelaysanddataloss. procedure is applied to group coordination problems and Furthermore, we show that asymptotic formation estab- group agreement (consensus). The framework has been lishment and output synchronization can be achieved. appliedtosynchronizeagroupofrigidbodiesin[24]andto Finally, we present simulations of velocity-limited quad- combineformationcontrolwithpathfollowingin[25]. rotor unmanned air vehicles (UAVs) to illustrate the per- As defined above, passivity is only a binary character- formance in the presence of time-varying network delays ization of system behavior based on whether that system and varying amounts of data loss. dissipates sufficient energy. However, there are systems Performing coordinated tasks in multiagent systems thatdissipatesignificantlymoreenergythanisrequiredto using only local information has been studied extensively maintainpassivity.Likewise,therearenonpassivesystems over the past decade [30], [31]. Typically, in group Vol.100,No.1,January2012|Proceedings of the IEEE 33 Sztipanovits etal.:TowardaScience of Cyber–Physical SystemIntegration coordination the desired formation emerges from the de- sign of the control law. In [32], the so-called information filter is used for formation stability of LTI systems. For coordinationofnonlinearsystems,contractiontheorywith wave variable communication [33], explicit design of Lyapunov vectorfields [34], and passivity [23], have been used successfully. Muchoftheabovework,especiallythepassivity-based methods, has considered continuous-time systems; how- ever, for digital implementation the design must consider discrete time. In addition, implementation uncertainties such as network delays and data loss must be taken into account. In the following, we present results that demon- stratedecouplingbetweenthecontroldesignanddiscrete- timeimplementationbyusingapassivity-basedframework inspiredbyworkintelemanipulation[19],port-Hamiltonian systems[21],andnetworkedcontrolsystems[35]. A. Networked Control System Design Weconsidertheproblemofamultiagentsystemestab- lishing a formation in R2 upon deployment. Assume a global inertial coordinate system and suppose the starting positionsoftheagentsarearbitrary.Thegoalistoestablish ann-gon,wherethenagentstendtothecoordinatesofthe vertices asymptotically. Formally, we assign a vertex (cid:4) of i the n-gon to agent i, with position pðkÞ, i¼1;2;...;n. i Then, we require lim kpðkÞ(cid:3)(cid:4)k ¼0. We design k!1 i i 2 the networked multiagent system so that the agents con- Fig.3.Networkandnodestructure.(a)Athreenodenetwork. (b)Nodestructure. verge to a location defined by a reference signal in a syn- chronized manner in order to achieve some global task. Instead of simply relaying the reference independently to bepossibletorenderthesystemstrictlyoutputpassiveby eachUAV,wecoupletheirpositionsinafeedbackmanner using local compensation (as illustrated for the quadrotor to ensure synchronization of the global task. UAVlaterinthissection).AsshowninFig.3(b),anagent In general, the overlay network is bidirectional with includes two additional components: the scattering trans- asymmetric delays. As a simple example, consider the formation and the power junction PJ. The scattering trans- three node network shown in Fig. 3(a). Each node repre- i formation is used to transform the variables x and y into sents a quadrotor UAV, with each edge modeling the de- i i the wave domain. The node’s wave variablesu and v , in sired communication between UAVs. Realistically, each ii ii turn,arecoupledtoothernodesthroughapowerjunction linkintheoverlaynetworkissubjecttodelayimposedby PJ,whichallowstwoormoresystemstobeconnectedina routing, packet handling, and transmission delays. We i passivity-preserving manner [35]. model such uncertainties using time-varying delays [e.g., In distributed control applications, typically the infor- d ðkÞ] as shown in Fig. 3(a). Our objective is to provide a ij mation transmitted across the network has inherent passive-by-construction, discrete-time multiagent net- physical meaning. It is well known that transforming work. In the following, we first describe the networked thesephysicalvariablesintothewavedomaincanpreserve control protocol focusing on the details required for im- passivityandstabilityforasinglebidirectionalconnection plementation,wethenanalyzepassivityandstabilityofthe [19] and for star networks [35]. We have extended these networked control system, and finally we present simula- approaches to distributed networks with arbitrary overlay tion results for distributed deployment of a network of topology[36].Foreachi2V,thescatteringtransformation eight quadrotor UAVs. produces power waves u ðkÞand v ðkÞdefined by ii ii 1)NetworkedControlProtocol:Theagentmodelisshown in Fig. 3(b). Each agent i receives an input reference r, i 1 which influences the output y of the agent through the u ðkÞ¼ p ðbyðkÞþxðkÞÞ i ii ffiffiffiffiffiffi i i i 2b systemmappingH,whichdescribesacompensatedplant. i i 1 Inthissection,wewillassumethatthesystemHiisstrictly viiðkÞ¼ pffiffiffiffiffiffiðbiyiðkÞ(cid:3)xiðkÞÞ outputpassive.Incasewhentheplantisnotpassive,itmay 2bi 34 Proceedings of the IEEE|Vol.100,No.1,January2012 Sztipanovits et al.:Towarda Science of Cyber–Physical System Integration where b denotes the characteristic impedance. This defi- whenevertheI/Omappingofeachagentisstrictlyoutput i nition is similar to the one in [18], with the force and passive.Consideranetworkofninteractingagentsimple- velocityvariablesreplacedwithx andy.Traditionally,the menting the control protocol described above. Then, the i i scattering formalism has been applied to power variables following global energy constraint: (effortandflow)whileclosingthelooponvelocity.Here, the scattering formalism is used abstractly (without the physicalinterpretation)toclosethelooponposition.The Xn (cid:3)(cid:2) (cid:2)2 (cid:2) (cid:2)2(cid:4) scattering transformation is treated as a mathematical (cid:2)ðuiiÞN(cid:2)2(cid:3)(cid:2)ðviiÞN(cid:2)2 (cid:2)0 i¼1 definition, where the characteristic impedance b is de- i finedappropriatelyforphysicalconsistency(inthiscaseb i is unitless). issatisfiedforallN 2N,regardlessoftime-varyingdelays The power junction is a component which allows two and data loss. Further, the entire networked system is ormoresystemstobeconnectedinthewave domainina strictly output passive for arbitrary network topologies. It passivity-preservingmanner.Formally,letui;vodenotethe thenfollowsthatthenetworkedcontrolsystemislm2-stable inputsandv;u denotetheoutputsofthepowerjunction. (proofs of the theoretical results can be found in [36]). i o Then, the power junction must satisfy Anysystemthatisstrictlyoutputpassiveisnecessarily lm-stable. Therefore, each agent described by H is inhe- 2 i rently stable. The benefit of the networked control proto- X X uTðkÞuðkÞ(cid:3)vTðkÞvðkÞ(cid:2) uTðkÞu ðkÞ(cid:3)vTðkÞv ðkÞ: col is that it ensures that interactions caused by the i i i i o o o o i2Sin o2Sout networked do not destabilize the networked multiagent system. Passivity holds even in the presence of time- varying delays and data loss. Wecanimplementthepowerjunctionusingasetoflinear Thecoupledmultiagentsystemcanestablishadesired equationsthatsatisfiestheaboveconstraints[36].Foreach formation upon deployment by analyzing the behavior at i2V, j2N, and k2Zþ, the outgoing waves are com- i steady state [36]. The system will converge to the ideal puted as steady-statecaseforconstantreferenceinputswithmode- rate time-varying delays and data loss because of the dis- turbance rejecting properties of strictly output passive 1 1 X uijðkÞ¼pffinffiffiffiuiiðkÞ viiðkÞ¼pffinffiffiffi vjiðkÞ systems.Supposethateachagent’ssystemmappingadmits i i j2Ni an invertible steady-state gain matrix Gi (i.e., yi ¼Giei). The steady-state output of agent i is given by where n is the number of neighbors of agent i. i In addition, we specify a set of rules for handling net- pffiffiffiffiffiffi ! workpackets.Duetothepresenceofdelaysanddataloss, yi ¼Mi riþ p2ffinffibffiffiiXpffi2ffi1ffibffiffiffinffiffiffiðrjþKjyjÞ some(orall)ofthevjiðkÞmaynotbereceivedattimek,in i j2Ni j j (cid:1) whichcasewesetv ðkÞ¼0.Wheneverthereceiver’sbuf- ji fersareempty,weprocessnullpackets.Handlingdelayed where and dropped packets as null packets satisfies the synchro- nous assumption and preserves passivity [19]. We also constrain the network by preventing retransmission of M ¼ðbG þI Þ(cid:3)1G and K ¼ðbG (cid:3)I ÞG(cid:3)1: data for each agent. Based on these assumptions, each i i i m i j j j m j channel satisfies the following inequality regardless of time-varying delays and data loss Using this transformation, the references for each agent can be computed for the UAVs to surround a target and (cid:2)(cid:2)ðvijÞN(cid:2)(cid:2)22 (cid:4)(cid:2)(cid:2)ðuijÞN(cid:2)(cid:2)22; holds 8 N 2N: establish an n-gon. B. Simulation Results Thisinequalitystatesthateachchannel,viewedastheI/O Our experimental setup involves a network of eight mapping is passive, and therefore does not introduce velocity-limited quadrotor UAVs that communicate in a energy into the system. regular overlay network topology. The UAVs move in the plane, and the goal is to form an octagon with each UAV 2) Analysis: Based on the passivity of the interconnec- 100 m from a target centered at the origin. The initial tions, we can show that a multiagent network designed points of the UAVs are randomly selected within the re- using the protocol described above is lm-stable for any gion between a 1000-m square and the circle with 100-m 2 bidirectional overlay network with asymmetric delays radius, both centered at the origin. For simplicity, since Vol.100,No.1,January2012|Proceedings of the IEEE 35 Sztipanovits etal.:TowardaScience of Cyber–Physical SystemIntegration Table1ParametersfortheNetworkofQuadrotorUAVs Scenario 1: No data loss. We consider time-varying delays with a nonuniform constant delay bias in all the communicationchannelsofthenetwork.Thedelaybiases arebetween1and2s.Wesimulatetime-varyingdelaysby introducing a disturbance node in the network which floods the network with disturbance packets based on a Bernoulliprocesswithparameterd¼0:5.Thedisturbance node samples a uniformly distributed random variable X½k(cid:5)2½0;1(cid:5)every0.05s.IfX½k(cid:5)>d,adisturbancepacket isforced on the network. Fig. 5(a)showsthe average and maximum errors for the nominal case and the combined delays with no data loss. The results show that the UAVs remain stable and converge to the desired configuration even in the case of time-varying delays. Fig.4.SimplifiedquadrotorUAVmodel.(a)NonpassiveUAVmodel. (b)StrictlyoutputpassiveUAVmodel. here we focus on coordination between UAVs, we model thequadrotorasapointmassintwodimensionsdescribed by y_ðtÞ¼vðtÞ Mv_ðtÞ¼fðtÞ: I I I I A detailed control design that shows that this is a good approximationwhenthevelocityandthemotorthrustsare below the saturation level is presented in [37]. The de- tailed quadrotor model is used to illustrate the embedded control software design in Section V. For each UAV, we addalocalpositioncontrolsystemshowninFig.4(a).The closed-loopsystemoftheUAVwiththelocalcontrollerisa stable second-order system that is not strictly output passive;however,byaddingahigh-passfilterinparallelas depictedinFig.4(b), thesystemmay berendered strictly output passive This model is discretized using a bilinear- liketransformwithsamplingperiodT ¼0.01s,calledthe inner-product equivalent sample and hold (IPESH) trans- form,whichpreservesthepassivepropertiesofthesystem [35]. We also include saturation in the actuators f to sat limit the velocity. Forthisexample,theoverlaynetworkismodeledasan 8-node graph where each node has degree (cid:5)¼4. It is assumedthattheagentscommunicatewitheachotherina synchronousmanner.Thenetworkedmultiagentsystemis implementedinSimulink[38].TrueTimeisusedtosimu- late the network for communicating between UAVs [39]. The network protocol used is IEEE 802.11b, with a speed of 11 Mb/s. Table 1 shows the values of the parameters Fig.5.Resultswithnetworkdelaysanddataloss.(a)Nopacketloss. used in the example. (b)Fivepercentpacketloss. 36 Proceedings of the IEEE|Vol.100,No.1,January2012 Sztipanovits et al.:Towarda Science of Cyber–Physical System Integration Scenario2:5% data loss. Inthisscenario,5% packet safety-critical software designs [40], [41]. It shares many loss is introduced with the time-varying delays described concepts with the Architecture Analysis and Design Lan- above. AprobabilisticmodelbasedonaBernoulliprocess guage (AADL) [42], [43], but differs in that it is a much isused toimplementthelossofpacketsindependently in simpler language, has an intuitive visual notation, and each channel. The results, shown in Fig. 5(b), illustrate aims to restrict component interactions available to de- that with packet loss the system does not achieve zero signers of embedded software and systems to functions steady-state error. However, the UAVs still manage to available on platforms that guarantee inherent safety and come very close to thedesiredconfiguration, demonstrat- fault tolerance properties. Code generators of the ESMoL ingtheresilienceofthenetwork.TheUAVsendupwithin tool-chain create functional C code from Simulink sub- an average error of 4 m of the desired configuration. system blocks (similar to Real-Time Workshop [38]), as Our results show that passivity improves decoupling well as platform-specific task execution and data commu- betweenthecontrollerdesignandimplementationdesign nication code for time-triggered (TT) networks. The layers. In particular, we decouple stability of the net- ESMoL tool-chain differs from the Real-Time Workshop worked multiagent system from networked implementa- and TargetLink [44] tools in that 1) it makes the archi- tion uncertainties that result in time-varying delays and tecture modeling explicit; 2) it gives a great degree of dataloss.Amajorconcernwithpassivity-basedapproaches controltothedesignerinallocatingthecomputationsand is that although they can tolerate network uncertainties, communications to physical resources; 3) it uses a com- they may lead to a conservative design that limits the re- mon TT task execution and communication model im- sponsiveness to fast reference signals because of the con- plementedviaavirtualmachine(VM);and4)itcreatesa straints imposed on the controllers. In our design, we schedule for the tasks and messages at design time. The assumedhigh-frequencysignalsarefilteredandwehadto VM relies on static scheduling of the controller network, tune the filter and control gains for improving perfor- with the goal of keeping the software for scheduling and mance.Althoughthe simulationsassume idealmodelsfor execution of the controllers simple enough to analyze the delays and the packet loss, our theoretical analysis formally. ensures stability of the networked control system without In ESMoL, functional specifications for components usingsuchrestrictiveassumptions.Wehavealsoevaluated appear in the form of Simulink/Stateflow models or as the approach using an experimental testbed consisting of existing C code snippets. The execution of Simulink data two robotic manipulators controlled over an 802.11 wire- flow blocks is restricted to the periodic, discrete-time less network in a laboratory environment and we have model which is consistent with the underlying TT shownthatstabilityispreservedwhileperformanceisde- platform. The platform definition language supports gradingbecauseoftheunreliablewirelessconnection[22]. concepts,relationships,andattributesneededfordescrib- ingTTnetworks.Themodelscoverthenetworktopology, as well as various parameters to describe performance V. DECOUPLING SOFTWARE DESIGN parameters like data rates and bus transfer setup times. FROM PLATFORM UNCERTAINTIES Parametersforhardwaredevicesalsocapturetimingreso- Passivity-based design decouples stability, which is a key lution, overhead for data transfers, and task context system-level property, from implementation induced tim- switching times. ing uncertainties. In addition to robustness to timing un- Thecomponentarchitecture,deployment,andtiming/ certainties, correct-by-construction implementation of executionmodelsrepresentdifferentdesignaspectsofthe networked controllers requires the design of the software system. Together, the information expressed in the three components, selection of their possible interactions, and aspectsconstitutesacompletemodelsuitableforschedul- therealizationoftheirexecutiononaselectedimplemen- ing analysis, platform-specific simulation, and code gene- tation platform that leads to further complex challenges. ration. The component architecture aspect describes the WeuseherethetermBcorrect-by-construction[toexpress logical dataflow among component instances. The seman- the goal to eliminate integration-time errors emerging ticsofthismodelisbasedontask-localsynchronousfunc- from undesirable cross-layer interactions. In this section, tion invocations (with shared memory messaging for weintroduceaframeworkandasuiteoftoolsforaddress- colocated components) and message transfers between ingthese challenges,we summarize the mainsteps ofthe remote tasks using a TT communication scheme. The de- designflowforimplementingembeddedcontrolsoftware, ployment aspect captures the realization of component andweillustratethemoreimportantstepsusingaquadro- instances as periodic tasks running on particular proces- tor UAV example. sors.InESMoL, ataskexecutesonaprocessing nodeata fixed, periodic rate and all components within the task A. Embedded Systems Modeling Language execute synchronously. Data exchanged between tasks taketheformofmessagesinthemodel.Fordatatransfers, 1) Overview: The Embedded Systems Modeling Lan- theruntimesystemsupportslogicalexecutiontimeseman- guage (ESMoL) is a software architecture language for tics found in TT languages such as Giotto [45]. Vol.100,No.1,January2012|Proceedings of the IEEE 37 Sztipanovits etal.:TowardaScience of Cyber–Physical SystemIntegration The timing aspect allows the designer to specify com- ponent execution timing constraints. Individual compo- nents can be annotated with timing objects that indicate whethertheyshouldbeexecutedstrictly(i.e.,viastatically scheduled,TTtasks),orasperiodicreal-timeorassporadic tasks. Messages are similarly annotated. The annotation objects contain parameters such as the period and worst caseexecutiontimethatmustbeprovidedbythedesigner. Aconstraint-basedautomatedschedulinganalysistoolcal- culatesthetaskandmessagereleasetimes.Theexecution modelalsoindicateswhichcomponentsandmessageswill be scheduled independently, and which will be grouped intoasingletaskormessageobject.Thetemporalorderof the message writers and readers is enforced by the static schedule.Thelocalityofamessagetransferisspecifiedin the logical architecture and deployment aspects. In the caseofprocessor-localdatatransfers,transfertimeisneg- lectedasreadsandwritesoccurinlocallysharedmemory. After a static schedule has been calculated, the timing objectsofthemodelareback-annotatedwiththetaskand message release times. Behavior of the deployed software components depends on the execution times of the functions on the platform, the calculated schedule, and coordination between distributed tasks. The calculated static execution schedule can be used to simulate the control design with the delays introduced by the imple- mentation to assess the impact of the platform effects on performance. 2)KeyFeatures:TheESMoLlanguageandtoolsprovide Fig.6.ESMoLdesignflow. a single multiaspect embedded software design environ- ment so that modeling, analysis, simulation, and code generationartifactsareallclearlyrelatedtoasingledesign model.Modelsappropriatetothedifferentdesigndomains plate generation techniques [48]. The incorporation of are incorporated in a consistent way using the model- calculated schedule analysis results back into the ESMoL integrated computing (MIC) approach [46]. Models use model helps to maintain consistency as models pass be- language-supportedrelationstoassociateSimulinkcontrol tween design phases. designstructureswithsoftware and hardwaredesigncon- ceptstodefineasoftwareimplementationforcontrollers. B. Embedded Control Software Design Flow ESMoLmodelsincludeobjectsandparameterstodescribe Fig. 6 depicts the basic ESMoL design flow. The soft- thedeploymentofsoftwarecomponentstohardwareplat- waredesignerimportsanexistingSimulinkcontroldesign forms. Analysis artifacts and simulation models that are into the genericmodeling environment (GME) [49], con- generatedcontainrepresentationsofthebehavioraleffects figured to edit ESMoL models, and encapsulates the sub- of the platform on the original design. We include system blocks imported from Simulink into software platform-specificsimulationstoassesstheeffectsofdistri- components that will implement the controllers. The de- buted computation on the control design [47]. signeralsocreatesmodelsforthehardwarearchitectureof The integrated analysis, simulation, and deployment theTTplatform.Finally,thedesignerinstantiatescompo- capabilities can shorten design cycles. The tool suite in- nentstocreatemultiaspectmodelsthatspecifylogicalde- cludesintegratedschedulinganalysistoolswhichconverge pendencies, hardware deployment, and timing models. A quickly in most cases so that static schedules can be cal- completed model is transformed into a model in the culated in rapid design and simulation cycles [48]. We ESMoL_Abstract language, resolving all implied relation- include automatic generation of platform-specific task shipsandstructuralmodelinferences.Modelinterpreters configuration and data communications code in order to are used to integrate schedulability and timing analysis rapidly move from modeling and analysis to testing on tools. Finally, the tool chain allows the generation of actualhardware.Finally,wegenerateanalysismodelsand platform-specific simulations of the system implementa- code from the intermediate language using simple tem- tion as well as deployable code. Potential targets include 38 Proceedings of the IEEE|Vol.100,No.1,January2012

Description:
and at least 900 of phase margin, and thus are able to tolerate large . global inertial coordinate system and suppose the starting positions of the .. execution time (WCET) and worst case communication . Berkeley, CA: APress
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.