Cyber-physical systems are engineered using a broad range of modeling methods, from systems of ODEs to finite automata. Each modeling method comprises ways of representing a system (models) and reasoning about it (analyses). The growing diversity of CPS modeling methods creates a challenge of using models and analyses together: what implicit assumptions are models making about each other? In what order should analyses be composed? Incorrect answers to these questions may lead to modeling errors and, eventually, system failures. In this talk I present a framework for inter-model analysis to deal with the challenge of multi-modeling. The framework allows its user to create architectural views as abstractions of models and specify contracts for analysis. Given views and contracts, the framework verifies model consistency, determines correct analysis execution sequence, an verifies that assumptions and guarantees of analyses hold.

1. Framework for Inter-Model Analysis
of Cyber-Physical Systems
Ivan Ruchkin
With Dionisio De Niz,
Sagar Chaki,
David Garlan
Carnegie Mellon University
Pittsburgh, PA, USA
The Summer School on Cyber-Physical Systems
Grenoble, France, July 2014

2. 2
CPS engineering
model
model
model
analysis
analysis
analysis
?

3. 3
Problem
● Engineers' models may be inconsistent
– Modeling errors and system failures
● Model-based reasoning may be flawed
– Unsound results and system failures

4. 4
Example: real-time scheduling
● Model & analysis 1: Thread-to-CPU assignment
– Goal: assign each thread to CPU & check schedulability
– Inputs: threads, CPUs (as abstract execution units),
WCETs, periods, deadlines
● Model & analysis 2: CPU frequency scaling
– Goal: minimize CPU frequency to reduce energy losses
– Inputs: Assignment of threads to CPUs, CPU frequency
● Issue: Frequency scaling implicitly assumes that a
policy is deadline monotonic!

5. 5
Simple solutions
● Apply frequency scaling anyway
– Unsound: frequency scaling may not preserve
schedulability
● Use labels (“DMS”) to synchronize analyses
– Too limiting: excludes frequency scaling for some
cases

6. 6
Our solution: analysis contracts
1. Set up verification domains
2. Specify contracts for analyses
3. Determine the order of analyses
4. Verify the contract when each analysis is used

7. 7
Step 1: verification domain
Contains:
– Atom sets (ℤ, threads, policies)
– Static (period, deadline) & dynamic functions (preemption)
– Execution semantics (Kripke structure) & interpretation
model model
analysis analysis
verification domain

8. 8
Step 2: contract specification
● Analysis contract contains:
– I – atoms and static functions that are read
– O – atoms and static functions that are output
– A – set of assumptions
– G – set of guarantees
● Language of A & G: φ ⇒ ψ; φ ∈ FOL, ψ ∈ LTL.
● Example for frequency scaling analysis:
– I = {threads, CPUs, CPUBind, Dline}, O = {CPUFreq},
– A = { t∀ 1
, t2
: threads | t1
≠ t2
∧ CPUBind(t1
) = CPUBind(t2
) :
□ (CanPrmpt(t1
, t2
) Dline(t⇒ 1
) ≤ Dline(t2
)) }, G = { }.

9. 9
Step 3: analysis sequencing
● I/O dependencies form a directional graph
– If acyclical: analyses are orderable
– If cyclical: the cycle needs to be broken
● For the example, frequency scaling is
dependent on thread-to-CPU assignment

10. 10
Step 4: contract verification
● Given: system model, contract formula φ ⇒ ψ
● SMT solver finds solutions for φ
● Model checking a behavioral model for ψ
– Promela program implements the execution semantics
● For the example:
– ∀ t1
, t2
: threads | CPUBind(t1
) = CPUBind(t2
) :
□ (CanPrmpt(t1
, t2
) Dline(t⇒ 1
) < Dline(t2
))
– SMT for t∀ 1
, t2
: threads | t1
≠ t2
∧ CPUBind(t1
) = CPUBind(t2
)
– Spin verifies □ (CanPrmpt(t1
, t2
) Dline(t⇒ 1
) < Dline(t2
))

11. 11
Intra-model analysis framework

12. 12
Summary
● Analysis contracts:
– Integrates reasoning from different models
– Describe verification domains, specify contracts, find
ordering, verify contracts
– Implemented in customizable framework
● Future work:
– How do model structures affect verification domains?
– What modeling aspects should be “contractified”?

13. 13
References
● I. Ruchkin, D. De Niz, S. Chaki, and D. Garlan.
Contract-Based Integration of Cyber-
Physical Analyses. To appear in EMSOFT
2014.
● A. Rajhans, A. Bhave, I. Ruchkin, B. Krogh, D.
Garlan, A. Platzer, and B. Schmerl.
Supporting Heterogeneity in Cyber-
Physical Systems Architectures. To appear
in IEEE Transactions on Automatic Control.