A Model-Based Design Methodology For Cyber-Physical Systems


To appear, Proc. of the First IEEE Workshop on Design, Modeling, and Evaluation of Cyber-Physical Systems (CyPhy), Istanbul, Turkey, 2011.
978-1-4244-9538-2/11 $26.00 © 2011 IEEE

Jeff C. Jensen, National Instruments, Berkeley, CA 94704. E-mail: jjensen@ni.com
Danica H. Chang, University of California, Berkeley, Berkeley, CA 94720. E-mail: danicachang@berkeley.edu
Edward A. Lee, University of California, Berkeley, Berkeley, CA 94720. E-mail: eal@eecs.berkeley.edu

Abstract—Model-based design is a powerful design technique for cyber-physical systems, but too often literature assumes knowledge of a methodology without reference to an explicit design process, instead focusing on isolated steps such as simulation, software synthesis, or verification. We combine these steps into an explicit and holistic methodology for model-based design of cyber-physical systems from abstraction to architecture, and from concept to realization. We decompose model-based design into ten fundamental steps, describe and evaluate an iterative design methodology, and evaluate this methodology in the development of a cyber-physical system.

Index Terms—model-based design, cyber-physical systems, embedded systems, LabVIEW, Ptolemy II.

I. INTRODUCTION

Model-based design (MBD) [1]–[3] emphasizes mathematical modeling to design, analyze, verify, and validate dynamic systems. A complete model of a cyber-physical system represents the coupling of its environment, physical processes, and embedded computations. Modeled systems may be tested and simulated offline [4], enabling developers to verify the logic of their application, assumptions about its environment, and end-to-end (i.e. closed-loop) behavior.

The design of a complex cyber-physical system — especially one with heterogeneous subsystems distributed across networks — is a demanding task. Commonly employed design techniques are sophisticated and include mathematical modeling of physical systems, formal models of computation, simulation of heterogeneous systems, software synthesis, verification, validation, and testing. We have yet to find a set of sequential steps that, if followed carefully and correctly, encompasses each of these design techniques and sufficiently governs the development of a complex cyber-physical system. Instead, we propose a set of steps, not necessarily sequential but necessarily codependent, that facilitates the co-evolution of a model of a cyber-physical system with its realization. Our focus is on design methodology, and for each step we offer only a cursory introduction to a vast field of research. Since no model can ever be complete [5], a practical implementation of this methodology is to iteratively visit each step until design requirements are met.

II. MODEL-BASED DESIGN IN TEN STEPS

A. MBD Step 1: State the Problem

Use simple language to describe the problem to be solved, without the use of mathematics or technical terminology. This is the “elevator speech” for the project and is a handy reference for developers, collaborators, colleagues and experts, vendors, and machine shops. Developers of large or safety-critical applications should also write a project plan consisting of requirement tracking, metrics, formal testing processes, and (most importantly) a process for peer review. Given the multidisciplinary nature of cyber-physical systems, this step is necessary to effectively communicate design requirements.

B. MBD Step 2: Model Physical Processes

A first iteration of physical modeling should establish basic observations and insight into relevant physical systems, such as the environment in which the cyber-physical system resides, or physical processes to be controlled. Models of physical processes are simplified representations of real systems, and are usually in the form of systems of differential equations or Laplace transfer functions. What may begin as simple mathematical models may need to be refined following development of a control algorithm, specification of hardware, and testing of components and subsystems.

C. MBD Step 3: Characterize the Problem

Isolate fixed parameters, adjustable parameters, and variables to be controlled. Identify quantities that characterize physical processes, such as configuration spaces, safety limitations, input and output sets, saturation points, and modal behavior. Understand how a physical process may interact with a computation, including end-to-end latency requirements, fault conditions, and reactions to noise and quantization.

D. MBD Step 4: Derive a Control Algorithm

Determine conditions under which physical processes are controllable and derive a suitable control algorithm to be executed by an embedded computer. Use the problem characterization to specify requirements on latencies, delays, sampling rates, jitter, and quantization so that the physical dynamics of interest can be accurately measured and suitably controlled; these requirements must be satisfied by the computational platform used. In highly distributed applications, or systems that are globally asynchronous but locally synchronous, it may be necessary to select models of computation before a control algorithm can be derived. Revisit this step after selecting models of computation and specifying hardware to determine the impact of latency jitter or variable sampling rates introduced by an asynchronous model of computation, or saturation or other nonlinear artifacts introduced by hardware.

E. MBD Step 5: Select Models of Computation

A model of computation is a set of allowable instructions used in a computation along with rules that govern the interaction, communication, and control flow of a set of computational components [4]. A formal model of computation defines semantics that often result in greater analyzability and the potential to simulate cyber-physical systems through the use of heterogeneous modeling tools. Models described by formal models of computation may be easier to analyze with respect to determinism, execution time, state reachability, memory usage, and latency [6], [7]. These software dynamics alter the evolution of a cyber-physical system, and if modeled may be generalized and used in an MBD workflow. The inherent complexity of many cyber-physical systems often necessitates the composition of multiple models of computation. Advantages of using a specific model of computation depend on its semantics, whether timing constructs are used, and whether it is Turing-complete.

F. MBD Step 6: Specify Hardware

Select hardware that is capable of withstanding the environment, interacting with the modeled physical systems, and implementing the control algorithm. For each component, consider its input and output bandwidths, delay from input to output, power usage, measurement resolutions and rates, and mechanical parameters such as form factor, rejection of electrical interference, durability, and lifespan.
Mechanical actuators should be capable of producing forces and torques in excess of minimum values derived from earlier problem characterizations. Consider and model the impacts of using cost-effective substitutes for ideal parts; keep in mind that manufacturer specifications are not always accurate, and that hardware components should be independently tested.

Selection of an embedded computer may hinge on a deeper understanding of latency and execution time requirements of control algorithms, worst-case execution time measurements of synthesized software, and reasoning as to how software will interact with a specific hardware architecture. This step may require several iterations with software design and simulation before an embedded computer can be selected with confidence.

G. MBD Step 7: Simulate

Solve the problem using a desktop simulation tool. If multiple models of computation are to be used, simulation and synthesis tools must allow the compositions of and interactions between multiple models of computation. Depending on the robustness of the development environment, incorporate models of sensors, actuators, and physical processes. Use platform-based design to separate application logic and architecture-specific software into modular components, which can improve code portability, reduce the impact of changing hardware components, and allow components to be reused in other contexts [8].

Models of individual components and subsystems are as important as a complete end-to-end model. Component models provide a test harness for construction, verification of synthesized software, and testing. If no one modeling tool can completely describe the system, then for each subsystem use the modeling tool that best captures its dynamics. While disjoint simulations cannot represent relationships between signals that cross subsystem boundaries, or the behavior of compositions of these subsystems, the exercise facilitates co-iteration of physical modeling, simulation, and testing. Ptolemy II is a versatile tool for researching heterogeneity [4], allowing developers to easily create new models of computation and simulate their behavior.

Many simulation tools exist, but most are limited to only a few models of computation and are unable to capture the interactions between heterogeneous systems. In our case study, we use Ptolemy II and LabVIEW. The heterogeneous modeling capabilities of Ptolemy II are well-known [9]. LabVIEW is a capable tool in this realm: continuous systems are expressed as ordinary differential equations or differential algebraic equations, and discrete systems are expressed as difference equations, in the LabVIEW Control, Design, and Simulation Module; concurrent state machines are expressed in models created in the LabVIEW Statechart Module (which implements a variant of Harel’s Statecharts); imperative expressions are expressed as formula nodes (a subset of ANSI C) or MathScript nodes (compatible with scripts created by developers using The Mathworks, Inc. MATLAB software and others); data acquisition and program flow are expressed in structured dataflow, which is general enough to allow the composition of each of these models of computation [10].

H. MBD Step 8: Construct

Build the device according to specifications, taking note where exceptions have been made that may impact earlier modeling. Plan construction in a way that allows individual components and subsystems to be tested against theoretical models, which facilitates co-iteration between simulation and testing.

I. MBD Step 9: Synthesize Software

Code synthesizers are sometimes incorporated into desktop simulation environments, examples of which are LabVIEW and Ptolemy II. They may directly support the embedded computer used, or generic code may be synthesized and tied to handwritten, architecture-specific code. Unlike many tools, models written in LabVIEW are natively executable across many platforms without knowledge of architecture-specific instruction sets or drivers, including desktop computers (for simulation or data acquisition), real-time processors, FPGAs, and ARM-based microcontrollers. LabVIEW models may target custom platforms through arbitrary C code generation. If code synthesis is infeasible or unavailable, handwritten code should carefully follow the selected models of computation.

Assuming the code synthesizer produces code that faithfully executes the semantics of the models of computation used, the logic of synthesized code is correct by construction. Timing behavior, however, must still be verified, as code generators and compilers may introduce software timing artifacts, and hardware features such as pipelines and caches may introduce jitter. Other constraints such as memory footprint or processor utilization may also require independent verification. Timing and other constraints should be verified against existing models.

J. MBD Step 10: Verify, Validate, and Test

Configure adjustable parameters to create test environments that are as simple as possible, and test each component and subsystem independently. Computational systems may be isolated from physical systems via hardware-in-the-loop testing, where programmable hardware such as embedded computers or FPGAs simulate the feedback from physical or other computational processes. Measurements of execution time and latency can be used to refine previous models, and unexpected test results may point to errors in modeling or implementation.

Formal verification and validation give insight into the behavior of an algorithm over all or certain combinations of its inputs, or over the course of time. Precisely state requirements and translate them into a formal specification for verification and validation. List invariants that should be verified during testing. Verification and validation are perhaps the most difficult aspects in the design of a cyber-physical system.

III. CASE STUDY: THE TUNNELING BALL DEVICE

The Tunneling Ball Device (TBD) [11] is a cyber-physical system whose operation demands hardware and real-time embedded computing that deliver high-precision sensing and actuation. Computations are triggered by a combination of sporadic, periodic, and quasi-periodic events. Signals present reflect those in an automotive engine control unit for control of fuel injection, ignition timing, and valve retraction of an automotive engine. The system is naturally extensible to a distributed platform, presenting an interesting example for modeling distributed cyber-physical systems. For the purposes of demonstrating our design methodology, we do not consider a distributed implementation of this system.

A. TBD Step 1: State the Problem

Steel ball bearings are dropped one at a time at sporadic intervals towards a fixed drop target located below a spinning disc. The disc has been bored through at two opposite ends, and the ball will pass (“tunnel”) through untouched if the disc is correctly aligned at the time of impact. Should the disc be improperly rotated, the ball will collide with the disc. The device must sense when a ball is dropped, track the position of the disc, and adjust the trajectory of the disc so that balls tunnel through the disc untouched. Only one ball will be above the disc at any time, and between drops the disc must maintain constant speed. The disc must not stop at any time, and changes in rate should be minimal.

B. TBD Step 2: Model Physical Processes

1) Kinematics of a Ball in Freefall: A ball is modeled as a tuple of its initial altitude, initial velocity, and time at which it is detected above the drop target, β (z0 , v0 , t0 ) B, where B R2 R is the set of all possible ball drop events.
Let z : B R R be the altitude from the center of the ball to the center of the disc,

1z(β, t) z0 v0 (t t0 ) g(t t0 )22(1)

where g is constant acceleration due to gravity [12].

A ball with radius rb may first contact the disc at arrival time Ta (β), pass through the center of the disc at time Tc (β), depart the disc at time Td (β), and is known to be above the disc for time T (β), where Ta , Tc , Td : B R follow from (1), and T : B R is defined T (β) Ta (β) t0 . The drop interval [t0 , Ta (β)] is the duration for which a ball is known to be above the disc, and the impact interval [Ta (β), Td (β)] is the interval over which the ball may contact the disc. The impact radius RI : B R R is the widest horizontal slice of the ball that may be passing through the disc:

if z(β, t) rb h2 0if z(β, t) h2bRI (β, t) rq r2 z(β, t) h 2 otherwise,b2(2)

where h denotes the thickness of the disc.

2) Kinematics of a Rotating Disc: Let ϑ [R ( π, π]] be the set of functions that describe the rotation of a disc over time. Note that all angle arithmetic is wrapped to ( π, π]. The disc has two doors bored at opposing ends, each with radius rdoor and centered at a distance rdrop from the axis of rotation. A coordinate system is fixed so that the doors on the disc are centered above the drop target at rotation 0 and π. The Euclidean distance d : ϑ R [0, 2rdrop ] from the drop target to the center of the nearest of two doors is

d(θ, t) 2rdrop sin 21 min { θ(t) , π θ(t) } .(3)

As the disc rotates, the doors pass over the drop target exposing a tunnel through which a ball may pass. The tunnel radius RT : ϑ R [0, rdoor ] is the largest allowable impact radius at time t (Fig. 1):

(rdoor d(θ, t) if d(θ, t) rdoorRT (θ, t) (4)0if d(θ, t) rdoor .
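As an added illustration (not code from the paper), the sketch below evaluates the door distance (3) and tunnel radius (4) and derives the rotation tolerance and arrival-time budget they imply for the latency and jitter requirements of MBD Step 4. The operators of (3) and (4) did not survive in this transcription, so the forms used here are assumptions read from the stated geometry, and all dimensions and the disc rate are constructed values.

```python
import math

# Constructed dimensions (metres) and disc rate; none come from the paper.
R_DROP = 0.100    # door centre to axis of rotation (r_drop)
R_DOOR = 0.020    # door radius (r_door)
R_BALL = 0.0125   # ball radius (r_b)
OMEGA = 2 * math.pi * 5.0   # disc rate in rad/s (5 rev/s)


def wrap_angle(theta):
    """Wrap an angle to (-pi, pi], as the text requires for angle arithmetic."""
    w = math.fmod(theta, 2 * math.pi)
    if w > math.pi:
        w -= 2 * math.pi
    elif w <= -math.pi:
        w += 2 * math.pi
    return w


def door_distance(theta, r_drop=R_DROP):
    """Assumed form of (3): chord from the drop target to the nearest door centre."""
    a = abs(wrap_angle(theta))
    return 2 * r_drop * math.sin(0.5 * min(a, math.pi - a))


def tunnel_radius(theta, r_drop=R_DROP, r_door=R_DOOR):
    """Assumed form of (4): largest impact radius that fits at rotation theta."""
    d = door_distance(theta, r_drop)
    return r_door - d if d < r_door else 0.0


def alignment_tolerance(r_ball=R_BALL, r_drop=R_DROP, r_door=R_DOOR):
    """Largest rotation error (rad) from a door centre that still leaves
    tunnel_radius >= r_ball; None if the ball cannot fit through the door."""
    slack = r_door - r_ball
    if slack < 0:
        return None
    # The nearest door is never more than a quarter turn away, so the chord
    # never exceeds 2*r_drop*sin(pi/4); beyond that every rotation passes.
    ratio = slack / (2 * r_drop)
    if ratio >= math.sin(math.pi / 4):
        return math.pi / 2
    return 2 * math.asin(ratio)


def timing_budget(omega=OMEGA, **kw):
    """Largest arrival-time error (s) the disc position can absorb when it is
    aimed at a door centre and spinning at omega rad/s."""
    if omega == 0:
        raise ValueError("the disc must not stop at any time")
    tol = alignment_tolerance(**kw)
    return None if tol is None else tol / abs(omega)


if __name__ == "__main__":
    tol = alignment_tolerance()
    print(f"alignment tolerance: +/-{math.degrees(tol):.2f} deg")
    print(f"timing budget:       +/-{timing_budget() * 1e3:.2f} ms")
    for deg in (0, 2, 4, 6, 90, 180):
        r = tunnel_radius(math.radians(deg))
        print(f"theta={deg:3d} deg  R_T={r * 1e3:5.2f} mm  passes={r >= R_BALL}")
```

With these constructed values the ball passes only within about 4.3 degrees of a door centre, which at 5 rev/s leaves roughly 2.4 ms of combined sensing, computation, and actuation timing error.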

(a) Disc rotated such that a door is centered over the drop target, yielding an optimal tunnel. (b) Disc rotated such that a door is offset from the drop target, yielding a sub-optimal tunnel.
Fig. 1. Disc rotations showing optimal and sub-optimal tunnels.

3) Dynamics of a DC Motor with Load: To find a mechanism to control the position of the disc, we recursively apply MBD to model and characterize a disc with an inertial load, derive a PID control algorithm, evaluate hardware such as DC and AC brushed and brushless motors, and simulate using the continuous model of computation in the LabVIEW Control, Design, and Simulation Module. We conclude that a DC brushed motor is a sufficient control mechanism and save our models for later code synthesis and subsystem testing.

A standard DC brushed motor with torque constant Kτ , armature resistance R, armature inductance L, damping coefficient b, back-electromotive force constant KB , input voltage amplification KA , and net inertia J is modeled by the system of linear differential equations [13]

τ (t) Kτ i(t)KG τ (t) bdθ(t)d2 θ(t) Jdtdt2(5)(6)di(t)dθ(t) KB(7)dtdt

where v : R R is voltage applied to the armature coil, i : R R is the current induced by this voltage, τ : R R is the torque produced by the motor, and θ ϑ is the rotation of the disc. Moving to the frequency domain, the transfer function of the system is

KA v(t) Ri(t) LKA KG KτΘ(s) 2 K K )s , (8)V (s)JLs3 (RJ Lb)s2 (Rb KGB τ

where s is the Laplace complex variable [13].

C. TBD Step 3: Characterize the Problem

The Tunneling Ball problem is characterized by six fundamental quantities: a worst-case drop (minimum drop time coinciding with maximum correction angle), the minimum torque that can accommodate a worst-case drop, the minimum voltage required to produce this torque, lower and upper bounds on disc rate, conditions for success, and trajectories that yield success. We translate these quantities into physical parameters used to select appropriate hardware for the device.

1) Worst-Case Drop: The initial velocity of a ball is bounded, so let maximum initial velocity be defined as

vmax max v0β B(9)

and minimum drop time be defined as

tmin min T (β).β B(10)

For a ball to pass through the disc, a tunnel must be present at the time of impact, likely requiring the position of the disc when the ball arrives be altered from its original trajectory. The center of a door is never more than one-quarter rotation away from the drop target, hence maximum position error

π(11)θmax .2

A worst-case drop is a tuple (βworst , θworst ) B ϑ such that T (βworst ) tmin and θworst (Tc (βworst )) θmax , which corresponds to the minimum amount of time to correct for the maximum position error.

2) Minimum Torque: The trajectory with the least maximum torque that adjusts for a worst-case drop is given by Maupertuis’ principle of classical mechanics [14], and is the result of applying a constant torque τmin over the drop interval. Given the motor and disc are at steady-state at time t0 0 with constant angular velocity ω0 dθdt (0), and solving motor equations (5)–(7) subject to T (β) tmin , τ (t) τmin , θ(0) θmax , and θ(tmin ) 0, for t t0 ,

θb max .τmin (12)KG t J 1 e Jb tminminb

3) Minimum Voltage: The minimum voltage vmin is the voltage applied to the motor necessary to produce steady-state torque τmin . Substituting τ (t) τmin into the motor equations,

bRKB KG Jb tminKA vmin 1 e τmin KB ω0 e J tmin .Kτb(13)

4) Rate Bounds: The minimum rate ωmin at which the disc must spin to accommodate a worst-case drop follows from minimum torque:

bKG(14)ωmin ω0 τmin ω01 e J tmin .b

If the disc is rotating too fast, it may be impossible for a ball to tunnel through. An exact bound on disc rate follows from the kin
