Designofadriver-Centricsystemusingcps-Cshmodel

Proceedingsofthe7thAnnualISCGraduateResearchSymposium

ISC-GRS2013

April24,2013,Rolla,Missouri

DESIGNOFADRIVER-CENTRICSYSTEMUSINGCPS-CSHMODEL

AnushaSankara,ChakradharVadde,SrinivasChakravarthi.T

DepartmentofComputerScience,MissouriUniversityofScienceandTechnology,Rolla,Missouri65401,USA.

FacultySupervisors:Dr.BruceMcMillin,Dr.SahraSedigh,Dr.DaleFitch

ABSTRACT

Existingmethodologiestoassess

cyber-physicalsystems(CPSs)arehamperedbytheirdiversenatureandcomplexity.Thispaperteststhemodelproposedforcyber-physicalsystemsdesignandanalysisrootedinthesocialscienceapproachtocomplexsystemanalysis,CriticalSystemHeuristics(CSH).ThemodelaffordsananalysisatboththelevelofabstractionoffunctionalityandthetypeoffunctionalitywithinaCPS.Inthispaper,theCPS-CSHmodelisutilizedtounderstandDrive-by-WireCarsystem.

INTRODUCTION

Cyber-physicalsystems(CPSs)arethe

integrationofcomputation,asmanifestedbyembeddedcomputersandcommunicationnetworks, with physical processes thatinvolvepeople.Controlinteractions,safety,liveness,security,faulttolerance,reliability,andhumanfactorsareamongthemanychallengesinthedevelopmentandanalysisofCPSs,whichmusttakeintoaccountthecomplexwaysinwhichthecyber,physical,andsocialcomponentsinteract.

TheCPS-CSHmodelprovidesastructuredanalysisandwillbeabletoaddressquestionsof(1)whatdesignaspectsmustbeaddressedwithinaCPS,(2)howdoCPScomponentsrelatetoeachother,and(3)wheredofunctionalitieswithinaCPSoccur?

To enhance safety and reliability, anincreasingnumberofmodernautomobilesareessentiallydrive-by-wiresystems,highlycomputerized,andconnectedwirelesslytoservicessuchasOnStarorToyotaSafetyConnect.Theimpactoftheseadvancedfeaturesisagrowingconcern. Sincetherearemanyentitiesinthesystem,weneedtoknowwhichentityhascontrolovertheCyberPhysicalObjectatagivenlevelofHierarchy.The fundamental questions to be addressedare: (i) What is the control flow in thesystem?(ii)Howdoesthedriverinteractwiththeautomobileandmanufacturer?Toaddressthese questions, we are utilizing the CPS-CSHmodelonDrive-By-Wirecarsystem.

WeutilizetheCPS-CSHmodeltoanalyzethefunctionalityoftheDrive-By-WiresystemconsideringthevariousentitiesinthesystemthatcancontroltheCyber–Physicalobject.Wealsotrytoensuretheprivacy,safetyofthedriver.

CPS-CSHMODEL

InthismodelCriticalSystems

Heuristics(CSH)isusedtodevelopaqualitativeontologicalmodelofCPSs.CSHisamethodologicalapproachtofacilitateboundarysettingwhenanalyzingsystems.Drawingsystemboundariesisnotaneasyprocess.Assoonasaboundaryisdrawnthenclaimsaremadethateithertoomuch"or“notenough"wasconsidered.

Fig1:TheCSHReferenceSystem

ThereforeUlrich[4]developedheuristicsinwhichfourboundaryissuesarediscussed:sourcesof

1. Motivation

2. Power

3. Knowledgeand

4. Legitimation.

Thefirstthreeconstitutethoseinvolvedinthesystemandthelastconstitutesthoseaffected.

TakentogethertheybecomethereferencesystemasshowninFigure1.Eachofthesefourissueshasthreecategories:

1. Stakeholder-thoseinvolvedorconcernedbyasituation,

2.Thespecificconcernrelevanttothestakeholderand

3. Difficultiesregardingtheconcernbecauseconcernscompetewitheachother.Takentogether,thefourissuesareexaminedbyeachofthethreecategories,resultingintwelveboundaryquestions.

Societal Sources of
Motivation / Cyber-Physical
Objects
1.
2.
3. / Whoistheclientor
Customerorthatwhichisactedupon?Whatisthepurposeofthat which is actedupon?
Whatisthemeasureofimprovement orsuccessforthisclientorcustomerorthatwhichisactedupon? / Controlledobject
RegulatedObject
Functionality
Improved Operational
Element

Table1:CSHinCPSContext

ThesetwelvequestionsareframedwithinaCPScontextandarerepresentedinTable1,the left column indicating the Ulrichheuristics,andtheright,theproposedCPS-CSHmodel.

1. CPS-CSH for Drive-By-Wire Car

System

ACPS-CSHsystemwhenseeninabig

picturewillhavevariouscyberphysicalelementsdistributed.Theassumptionforthesystemtorunreliablyis:Atanyinstanceoftimethecontrolisgiventorespectivecontrolelementonthecontrolledobject.

2.1.DescriptionoftheSystem

TheCyberPhysicalelementintheDriver-

CentricCPS-CSHmodelistheCar.Corporation,Brainbox,Third-partyandtheexternaldriveraretheotherelements.Theyaredefinedasfollowing:

Car:ThisistheCyberPhysicalelementinthesystemandentities:TheCorporation,Driver,andexternalenvironmenttrytoattaincontrolofthiselement.

Brainbox:Thisisaprocessorthatanalysestheinputfromvarioussensorsinthecar,processesthedataandperformsnecessaryactions.ThetasksincludeBraking,Accelerationandotherphysicalactions.

Corporation:Thisistheentitythatcontrolsthecarincaseofemergencyandtheftconditions.

TractionControl:Thisisthecontrolelementintegrated within the car. In case anyhazardoussituationsaresensedbythebrainboxthroughthesensors,theTractionControlkicksinandtemporarilytakesover

thecartocontrolitsmovementandbringittoasafestate.

Thirdparty:Thiscanbeafederalagencyoraconsumerwatchdoggroup,whichkeepsmonitoringthecorporation.Thisisaboveallentitiesconsideringhierarchy.

Externalenvironment:TheExternalenvironmentconsistsoftheentitiesintheenvironmentthatcannotbecontrolledbutcaninfluencetheCyberPhysicalObject(Car).Theseconsistofothercars,roadsandvariousphysicalorcyberentities

ThefollowingthreetablesapplyCPS-CSHtotheDrive-By-WireCarsystematthreelevelsofthehierarchy,thatoftheCPS-CSHwithboundaryatthebrakes,tractioncontrolandbrainbox

ThesetablesenableusinidentifyingwhichentityholdscontroloverthefunctionalityoftheCyberPhysicalObjectatvariouslevelsofhierarchy.

7 / Professional,DomainExpert / Automobileengineers
8 / Expertise,
Domain
Knowledge / Mechanicsofthebrakesdesign
9 / Guarantee,SystemCorrectness / Methodologies thatproduces brakesdesign and makesitfunctional
10 / Embedded
Monitor / TractionControl
11 / Emancipation / Safetypolicy,evaluatingmethodology anddesign of the tractioncontrol
12 / Worldview
(valuedetermination) / Protects against theimproper functioningofthebrakes

Table2:CPS-CSHmodelwithBoundary

AttheBrakes

In the above table, the CPS-CSH isappliedtotheproposedcyberphysicalobjectattheinitiallevelbrakes.Thisgivesthescopeofthefunctionalityofthebrakeswhichistocontrolthemovementofthecar.Hencethiswillbethemajorconcernwhichensuresthesafetyofthedriver.Atthisboundarycondition,theCSHholdsgoodonlywhenbrakesworkaspertheexpectationofthedriver.

Table3:BoundaryConditionswithboundaryattheBrainbox

IntheaboveCPS-CSHanalysisitisseenthatthebrainboxasaboundarywillhavedecision-making privilege underCorporation’ssupervisionwithDriverasanembedded monitor. Here the role ofembeddedmonitorcanalsobefulfilledbyCorporation,butwewouldpreferthedriverevaluatingthesystemratherthantheCorporation.

Boundary
Category / CPS-CSHanalysiswithboundary at theTractionControl
1 / Controlled
Object / Tractioncontrol
2 / RegulatedObjectFunctionality / Safetyofthedriver,reduce
slippage,and helpsthecarnotloosegrip
3 / Improved
Functionality / Toimprovethe
safety of the driver, noslippageofthecar

hierarchy that can efficiently monitor thefunctioningofTractionControl.

2.2.ControlFlowinthesystem.

Fig.2RepresentationofCPS-CSHsystem.

Table4:BoundaryConditionswithboundaryattheTractionControl

Traction Control as a boundary in theproposedsystemissuperiortoconventionalDrive-By-Driver automobiles, in a sense itactsindependentlybasedonanyhazardousroadconditions.CPS-CSH-2,3conveysthesame;ithasimprovedfunctionalitywhichensuresthedriver’ssafetywhichservestheverypurposeoftheproposedsystembymaking it driver-centric system. Here theBrainBoxisthecontrolelementasitsensesanyhazardousconditionsandmakesthetractioncontroltakeoverthecar.TheBrainBoxalsofunctionsastheembeddedmonitoreventhoughitisthecontrolelementbecauseit is theonlyentityat thecurrent level of

- Figure 2 shows the information flowandControlflowinthesystem

-Brainboxinthissystemisacyber-

physicalelement

-The Traction control acts on thebrakesandtheinformationflowbetweenthemisbidirectionalflow

-TheThird party has got an indirectcontrolonthecarthroughToyotaasanintermediary

-Thereisaunidirectionalcontrolflowaswellasinformationflowbetweendriverandbrainbox

-Controlflows

C1–Thetractioncontrolduringitsoperationexertsanindirectcontroloverthedriver

C2-Toyotahasacontroloverthebrainboxundertheftconditionsoftheautomobile.

C3-ThirdpartyEntityhasacontroloverToyotaCareCorporation,(monitoring,validating,approving)

C4-Theinputsanalyzedbythebrainboxaresenttothetractioncontrolwhichinturnwillproduceanimpactonthemovingcar by operating the brakes/acceleratorsystem.

CONCLUSION

TheCPS-CSHmodelforDriver

CentricenvironmentconsideringthecarasCyberPhysicalelementensuresthesafetyofthedriver.BytestingtheCPS-CSHmodelusingaDrive-by-wirecarsystem,wehavebeenabletodeterminethefunctionalityofthesystem,theinteractionsbetweentheentitiesofthesystemi.e.thecontrolandinformationflow.

Therehasbeenadifficultywhiletryingtoemphasizetheembeddedmonitoratthevariouslevelsofhierarchy.Theentitythatprovidesaparticularserviceshouldnotbetheonetoevaluatethatservice.Butincertaincasesthereexistsnoentitythatcanproperlymonitoraservice,otherthantheentitythatisapartoftheservicebeingprovided.

TheissuesrelatedtoPrivacyandConcernsofthecustomershouldbemonitoredbyatrustedthirdpartyentity(Federalorganization,CustomerwelfareGroups...).Theprimaryfunctionsofsuchentitywouldbetomonitorthecollectionandusageofthedatarelatedtothecustomerandprovidesassurancetothecustomerregardingprivacyandsafety.

FUTUREWORK

Thefutureworkincludesthe

establishingofsuitableembeddedmonitorsatdifferent levels ofhierarchy. Ensuringnon-

deducibilitytopreventdataleakagetounwantedrecipients.

REFERENCES

[1]G.Howser,B.McMillin-Modelingand

reasoningaboutthesecurityofdrive-by-wireautomobilesystems,InternationalJournalofCriticalInfrastructureProtection(2012),

[2]AndrewW.MooreProfessorSchoolofComputer Science Carnegie MellonUniversity-InformationGain

[3]B.McMillin,D.Fitch,S.Sedigh,R.Akella,CPS-CSHCyber-PhysicalSocialPrivacyfortheSmartGrid,7thCRITISConference,September2012,Norway.

[4]W.Ulrich,\Beyondmethodologychoice:CriticalsystemsthinkingascriticallysystemicDiscourse," Journal of the OperationalResearch Society, vol. 54, no. 4, pp.

325{342,2003

[5] Patricia Derler, Edward A. Lee, andAlbertoSangiovanniVincentelli-AddressingModelingChallengesinCyber-PhysicalSystems-March4,2011

-WeexpressourappreciationofsupporttotheISC.

-WeappreciateGerryHowserforthe

ToyotaPriusModel.