Proceedings of the 7th Annual ISC Graduate Research Symposium
ISC-GRS 2013
April 24, 2013, Rolla, Missouri
DESIGN OF A DRIVER-CENTRIC SYSTEM USING CPS-CSH MODEL
Anusha Sankara, Chakradhar Vadde, Srinivas Chakravarthi. T
Department of Computer Science, Missouri University of Science and Technology, Rolla, Missouri 65401, USA.
Faculty Supervisors: Dr. Bruce McMillin, Dr. Sahra Sedigh, Dr. Dale Fitch
ABSTRACT
Existing methodologies to assess cyber-physical systems (CPSs) are hampered by their diverse nature and complexity. This paper tests the model proposed for cyber-physical systems design and analysis rooted in the social science approach to complex system analysis, Critical System Heuristics (CSH). The model affords an analysis at both the level of abstraction of functionality and the type of functionality within a CPS. In this paper, the CPS-CSH model is utilized to understand Drive-by-Wire Car system.
INTRODUCTION
Cyber-physical systems (CPSs) are the integration of computation, as manifested by embedded computers and communication networks, with physical processes that involve people. Control interactions, safety, liveness, security, fault tolerance, reliability, and human factors are among the many challenges in the development and analysis of CPSs, which must take into account the complex ways in which the cyber, physical, and social components interact.
The CPS-CSH model provides a structured analysis and will be able to address questions of (1) what design aspects must be addressed within a CPS, (2) how do CPS components relate to each other, and (3) where do functionalities within a CPS occur?
To enhance safety and reliability, an increasing number of modern automobiles are essentially drive-by-wire systems, highly computerized, and connected wirelessly to services such as OnStar or Toyota Safety Connect. The impact of these advanced features is a growing concern. Since there are many entities in the system, we need to know which entity has control over the Cyber Physical Object at a given level of Hierarchy. The fundamental questions to be addressed are: (i) What is the control flow in the system? (ii) How does the driver interact with the automobile and manufacturer? To address these questions, we are utilizing the CPS-CSH model on Drive-By-Wire car system.
We utilize the CPS-CSH model to analyze the functionality of the Drive-By-Wire system, considering the various entities in the system that can control the Cyber-Physical object. We also try to ensure the privacy and safety of the driver.
CPS-CSH MODEL
In this model Critical Systems Heuristics (CSH) is used to develop a qualitative ontological model of CPSs. CSH is a methodological approach to facilitate boundary setting when analyzing systems. Drawing system boundaries is not an easy process. As soon as a boundary is drawn, claims are made that either "too much" or "not enough" was considered.
Fig. 1: The CSH Reference System
Therefore Ulrich [4] developed heuristics in which four boundary issues are discussed: sources of
1. Motivation
2. Power
3. Knowledge and
4. Legitimation.
The first three constitute those involved in the system and the last constitutes those affected.
Taken together they become the reference system as shown in Figure 1. Each of these four issues has three categories:
1. Stakeholder - those involved or concerned by a situation,
2. The specific concern relevant to the stakeholder and
3. Difficulties regarding the concern because concerns compete with each other.
Taken together, the four issues are examined by each of the three categories, resulting in twelve boundary questions.
Societal Sources of Motivation / Cyber-Physical Objects
1. Who is the client or customer or that which is acted upon? / Controlled object
2. What is the purpose of that which is acted upon? / Regulated Object Functionality
3. What is the measure of improvement or success for this client or customer or that which is acted upon? / Improved Operational Element
Table 1: CSH in CPS Context
These twelve questions are framed within a CPS context and are represented in Table 1, the left column indicating the Ulrich heuristics, and the right, the proposed CPS-CSH model.
1. CPS-CSH for Drive-By-Wire Car System
A CPS-CSH system, when seen in a big picture, will have various cyber physical elements distributed. The assumption for the system to run reliably is: At any instance of time the control is given to respective control element on the controlled object.
2.1. Description of the System
The Cyber Physical element in the Driver-Centric CPS-CSH model is the Car. Corporation, Brainbox, Third-party and the external driver are the other elements. They are defined as follows:
Car: This is the Cyber Physical element in the system. The entities (the Corporation, Driver, and external environment) try to attain control of this element.
Brainbox: This is a processor that analyses the input from various sensors in the car, processes the data and performs necessary actions. The tasks include Braking, Acceleration and other physical actions.
Corporation: This is the entity that controls the car in case of emergency and theft conditions.
Traction Control: This is the control element integrated within the car. In case any hazardous situations are sensed by the brainbox through the sensors, the Traction Control kicks in and temporarily takes over the car to control its movement and bring it to a safe state.
Third party: This can be a federal agency or a consumer watchdog group, which keeps monitoring the corporation. This is above all entities considering hierarchy.
External environment: The External environment consists of the entities in the environment that cannot be controlled but can influence the Cyber Physical Object (Car). These consist of other cars, roads and various physical or cyber entities.
The following three tables apply CPS-CSH to the Drive-By-Wire Car system at three levels of the hierarchy, that of the CPS-CSH with boundary at the brakes, traction control and brainbox.
These tables enable us to identify which entity holds control over the functionality of the Cyber Physical Object at various levels of hierarchy.
7 / Professional, Domain Expert / Automobile engineers
8 / Expertise, Domain Knowledge / Mechanics of the brakes design
9 / Guarantee, System Correctness / Methodologies that produces brakes design and makes it functional
10 / Embedded Monitor / Traction Control
11 / Emancipation / Safety policy, evaluating methodology and design of the traction control
12 / Worldview (value determination) / Protects against the improper functioning of the brakes
Table 2: CPS-CSH model with Boundary At the Brakes
In the above table, the CPS-CSH is applied to the proposed cyber physical object at the initial level brakes. This gives the scope of the functionality of the brakes which is to control the movement of the car. Hence this will be the major concern which ensures the safety of the driver. At this boundary condition, the CSH holds good only when brakes work as per the expectation of the driver.
Table 3: Boundary Conditions with boundary at the Brainbox
In the above CPS-CSH analysis it is seen that the brainbox as a boundary will have decision-making privilege under Corporation’s supervision with Driver as an embedded monitor. Here the role of embedded monitor can also be fulfilled by Corporation, but we would prefer the driver evaluating the system rather than the Corporation.
Boundary Category / CPS-CSH analysis with boundary at the Traction Control
1 / Controlled Object / Traction control
2 / Regulated Object Functionality / Safety of the driver, reduce slippage, and helps the car not lose grip
3 / Improved Functionality / To improve the safety of the driver, no slippage of the car
Table 4: Boundary Conditions with boundary at the Traction Control
Traction Control as a boundary in the proposed system is superior to conventional Drive-By-Driver automobiles, in a sense it acts independently based on any hazardous road conditions. CPS-CSH-2,3 conveys the same; it has improved functionality which ensures the driver’s safety which serves the very purpose of the proposed system by making it driver-centric system. Here the Brain Box is the control element as it senses any hazardous conditions and makes the traction control take over the car. The Brain Box also functions as the embedded monitor even though it is the control element because it is the only entity at the current level of hierarchy that can efficiently monitor the functioning of Traction Control.
2.2. Control Flow in the system
Fig. 2: Representation of CPS-CSH system.
- Figure 2 shows the information flow and Control flow in the system
- Brainbox in this system is a cyber-physical element
- The Traction control acts on the brakes and the information flow between them is bidirectional flow
- The Third party has got an indirect control on the car through Toyota as an intermediary
- There is a unidirectional control flow as well as information flow between driver and brainbox
- Control flows
C1 - The traction control during its operation exerts an indirect control over the driver
C2 - Toyota has a control over the brainbox under theft conditions of the automobile.
C3 - Third party Entity has a control over Toyota Care Corporation, (monitoring, validating, approving)
C4 - The inputs analyzed by the brainbox are sent to the traction control which in turn will produce an impact on the moving car by operating the brakes/accelerator system.
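The control flows C1 to C4 above, encoded as a directed graph to trace each entity's chain of control to the car and to find the entities that every such chain passes through. This is an added example, not code from the paper; the node names, the reading of C4 as a brakes-to-car edge, and the driver-to-brainbox direction (the text only calls that flow unidirectional) are assumptions.

```python
from collections import deque

# Control edges read off the list C1-C4 above; "toyota" is the Corporation.
# ASSUMPTION: driver -> brainbox. The text only says that flow is unidirectional.
CONTROL = {
    "third_party": {"toyota"},                 # C3: monitoring, validating, approving
    "toyota": {"brainbox"},                    # C2: theft conditions
    "driver": {"brainbox"},                    # assumed direction
    "brainbox": {"traction_control"},          # C4
    "traction_control": {"brakes", "driver"},  # C4, and C1 (indirect)
    "brakes": {"car"},                         # C4: brakes act on the moving car
}


def control_path(src, dst, graph=CONTROL, removed=frozenset()):
    """Shortest chain of control edges from src to dst (BFS), or None."""
    if src in removed:
        return None
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev and nxt not in removed:
                prev[nxt] = node
                queue.append(nxt)
    return None


def choke_points(sources, dst, graph=CONTROL):
    """Entities that lie on every control path from every source to dst."""
    nodes = set(graph) | {n for targets in graph.values() for n in targets}
    candidates = nodes - set(sources) - {dst}
    return sorted(
        c for c in candidates
        if all(control_path(s, dst, graph, frozenset({c})) is None for s in sources)
    )


if __name__ == "__main__":
    for who in ("driver", "toyota", "third_party"):
        print(who, "->", " -> ".join(control_path(who, "car")))
    print("choke points:", choke_points(["driver", "toyota", "third_party"], "car"))
```

Under these assumptions every chain of control to the car runs through the brainbox and the traction control, so the embedded monitor chosen at those two boundaries observes all control authority in the system.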
CONCLUSION
The CPS-CSH model for Driver Centric environment, considering the car as Cyber Physical element, ensures the safety of the driver. By testing the CPS-CSH model using a Drive-by-wire car system, we have been able to determine the functionality of the system and the interactions between the entities of the system, i.e. the control and information flow.
There has been a difficulty while trying to emphasize the embedded monitor at the various levels of hierarchy. The entity that provides a particular service should not be the one to evaluate that service. But in certain cases there exists no entity that can properly monitor a service, other than the entity that is a part of the service being provided.
The issues related to Privacy and Concerns of the customer should be monitored by a trusted third party entity (Federal organization, Customer welfare Groups...). The primary functions of such entity would be to monitor the collection and usage of the data related to the customer and provide assurance to the customer regarding privacy and safety.
FUTURE WORK
The future work includes the establishing of suitable embedded monitors at different levels of hierarchy, and ensuring non-deducibility to prevent data leakage to unwanted recipients.
REFERENCES
[1] G. Howser, B. McMillin - Modeling and reasoning about the security of drive-by-wire automobile systems, International Journal of Critical Infrastructure Protection (2012).
[2] Andrew W. Moore, Professor, School of Computer Science, Carnegie Mellon University - Information Gain
[3] B. McMillin, D. Fitch, S. Sedigh, R. Akella, CPS-CSH Cyber-Physical Social Privacy for the Smart Grid, 7th CRITIS Conference, September 2012, Norway.
[4] W. Ulrich, "Beyond methodology choice: Critical systems thinking as critically systemic Discourse," Journal of the Operational Research Society, vol. 54, no. 4, pp. 325-342, 2003
[5] Patricia Derler, Edward A. Lee, and Alberto Sangiovanni Vincentelli - Addressing Modeling Challenges in Cyber-Physical Systems - March 4, 2011
- We express our appreciation of support to the ISC.
- We appreciate Gerry Howser for the Toyota Prius Model.