Proceedings of the 7th Annual ISC Graduate Research Symposium
ISC-GRS 2013
April 24, 2013, Rolla, Missouri
DESIGN OF A DRIVER-CENTRIC SYSTEM USING CPS-CSH MODEL
Anusha Sankara, Chakradhar Vadde, Srinivas Chakravarthi. T
Department of Computer Science, Missouri University of Science and Technology, Rolla, Missouri 65401, USA.
Faculty Supervisors: Dr. Bruce McMillin, Dr. Sahra Sedigh, Dr. Dale Fitch
To enhance safety and reliability, an increasing number of modern automobiles are essentially drive-by-wire systems: highly computerized and connected wirelessly to services such as OnStar or Toyota Safety Connect. The impact of these advanced features is a growing concern. Since there are many entities in the system, we need to know which entity has control over the cyber-physical object at a given level of the hierarchy. The fundamental questions to be addressed are: (i) What is the control flow in the system? (ii) How does the driver interact with the automobile and the manufacturer? To address these questions, we apply the CPS-CSH model to a drive-by-wire car system.
ABSTRACT
Existing methodologies to assess cyber-physical systems (CPSs) are hampered by the diverse nature and complexity of such systems. This paper tests a model proposed for cyber-physical systems design and analysis that is rooted in a social-science approach to complex system analysis, Critical Systems Heuristics (CSH). The model affords an analysis both at the level of abstraction of functionality and of the type of functionality within a CPS. In this paper, the CPS-CSH model is used to understand a drive-by-wire car system.
INTRODUCTION
Cyber-physical systems (CPSs) are the integration of computation, as manifested by embedded computers and communication networks, with physical processes that involve people. Control interactions, safety, liveness, security, fault tolerance, reliability and human factors are among the many challenges in the development and analysis of CPSs, which must take into account the complex ways in which the cyber, physical and social components interact.

We use the CPS-CSH model to analyze the functionality of the drive-by-wire system, considering the various entities in the system that can control the cyber-physical object. We also consider how the privacy and safety of the driver can be ensured.
CPS-CSH MODEL
In this model, Critical Systems Heuristics (CSH) is used to develop a qualitative ontological model of CPSs. CSH is a methodological approach that facilitates boundary setting when analyzing systems. Drawing system boundaries is not an easy process: as soon as a boundary is drawn, claims are made that either "too much" or "not enough" was considered.

The CPS-CSH model provides a structured analysis and is able to address the questions of (1) what design aspects must be addressed within a CPS, (2) how CPS components relate to each other, and (3) where functionalities within a CPS occur.
Fig 1: The CSH Reference System (figure not reproduced)

Therefore Ulrich [4] developed heuristics in which four boundary issues are discussed, the sources of:
1. Motivation
2. Power
3. Knowledge and
4. Legitimation.
The first three constitute those involved in the system and the last constitutes those affected. Taken together they become the reference system shown in Figure 1. Each of these four issues has three categories:
1. Stakeholder: those involved in or concerned by a situation,
2. The specific concern relevant to the stakeholder, and
3. Difficulties regarding the concern, because concerns compete with each other.
Taken together, the four issues are examined by each of the three categories, resulting in twelve boundary questions. These twelve questions are framed within a CPS context and are represented in Table 1, the left column indicating the Ulrich heuristics and the right the proposed CPS-CSH model.

Table 1: CSH in CPS Context (Ulrich boundary question -> CPS-CSH term)

Societal Sources of Motivation -> Cyber-Physical Objects
1. Who is the client or customer, or that which is acted upon? -> Controlled Object
2. What is the purpose of that which is acted upon? -> Regulated Object Functionality
3. What is the measure of improvement or success for this client or customer, or that which is acted upon? -> Improved Operational Element

Sources of Power -> Cyber-Physical Environment
4. Who or what is the decision maker or controller? -> Control Element
5. What resources are controlled by the decision maker? -> Actor on Object and State Information
6. What does the decision maker not control? -> Other actors and objects not in the reference system

Sources of Knowledge -> Cyber-Physical Requirements
7. Who is to be considered a professional or expert in the situation? -> Domain Expert
8. What expertise do these professionals hold? That is, what is considered relevant knowledge? Which methodologies do they use? -> Domain Knowledge
9. What is the guarantor of success? That is, upon what axioms or algorithms do the professionals rely? -> System Correctness

Sources of Legitimation -> Cyber-Physical Requirements
10. Who or what is a witness to the interests of those affected but not involved? That is, who or what can observe the actions of the decision makers upon the client or customer, or that which is acted upon? -> Embedded Monitor
11. What secures the emancipation of those affected from the premises or assertions made by those involved? That is, how can unanticipated adverse consequences be minimized? -> Evaluation of the methodology used (#8) or the resulting guarantee (#9)
12. What worldview pervades? That is, what different visions of improvement should be considered? -> Protects against requirements invalidation

2. CPS-CSH for Drive-By-Wire Car System

A CPS-CSH system, seen in the big picture, has various cyber-physical elements distributed over the system. The assumption for the system to run reliably is: at any instant of time, control over the controlled object is given to the respective control element.

2.1. Description of the System

The cyber-physical element in the driver-centric CPS-CSH model is the car. The Corporation, the Brainbox, the Traction Control, the Third party, the Driver and the external environment are the other elements. They are defined as follows:

Car: This is the cyber-physical element in the system. The Corporation, the Driver and the external environment all try to attain control of this element.

Brainbox: This is a processor that analyses the input from the various sensors in the car, processes the data and performs the necessary actions. The tasks include braking, acceleration and other physical actions.

Corporation: This is the entity that controls the car under emergency and theft conditions.

Traction Control: This is the control element integrated within the car. When a hazardous situation is sensed by the brainbox through the sensors, the Traction Control kicks in and temporarily takes over the car to control its movement and bring it to a safe state.

Third party: This can be a federal agency or a consumer watchdog group, which keeps monitoring the Corporation. In the hierarchy this entity is above all the others.

External environment: The external environment consists of the entities in the environment that cannot be controlled but can influence the cyber-physical object (the car). These are other cars, roads and various other physical or cyber entities.

The following three tables apply CPS-CSH to the drive-by-wire car system at three levels of the hierarchy, with the CPS-CSH boundary at the brakes, at the brainbox and at the traction control. These tables enable us to identify which entity holds control over the functionality of the cyber-physical object at each level of the hierarchy.
Table 2: CPS-CSH model with boundary at the brakes (boundary category -> analysis)

1. Controlled Object: Brakes
2. Regulated Object Functionality: Stopping and controlling the movement of the car
3. Improved Functionality: To improve the braking system
4. Decision Makers, Control Element: Brainbox, traction control, braking pedal
5. Resources (Actor on Object, state information): Data generated by the brainbox and the traction control
6. Environment: Acceleration system, wheels, hydraulic system, communications network
7. Professional, Domain Expert: Automobile engineers
8. Expertise, Domain Knowledge: Mechanics of brake design
9. Guarantee, System Correctness: Methodologies that produce the brake design and make it functional
10. Embedded Monitor: Traction Control
11. Emancipation: Safety policy; evaluating the methodology and design of the traction control
12. Worldview (value determination): Protects against the improper functioning of the brakes
In the above table, CPS-CSH is applied to the proposed cyber-physical object at the initial level, the brakes. This gives the scope of the functionality of the brakes, which is to control the movement of the car; hence this is the major concern that ensures the safety of the driver. At this boundary, the CSH analysis holds only when the brakes work as the driver expects.
Table 3: Boundary conditions with boundary at the brainbox (boundary category -> analysis)

1. Controlled Object: Brainbox
2. Regulated Object Functionality: Safety and security of the driver
3. Improved Functionality: To improve the safety and security of the driver
4. Decision Makers, Control Element: Driver, Toyota
5. Resources (Actor on Object, state information): Data generated by the brainbox and other devices
6. Environment: Other cars on the road, humans
7. Professional, Domain Expert: Network security administrators, automobile engineers
8. Expertise, Domain Knowledge: Mechanics of brainbox (ECM, sensors) design
9. Guarantee, System Correctness: Brainbox design for non-deducibility, for traction control, and proper functioning of the brainbox
10. Embedded Monitor: Driver
11. Emancipation: Evaluating the methodology and design of the brainbox
12. Worldview (value determination): Protects against the improper functioning of the brainbox

In the above CPS-CSH analysis it is seen that, with the brainbox as the boundary, the decision-making privilege lies under the Corporation's supervision, with the Driver as the embedded monitor. The role of embedded monitor could also be fulfilled by the Corporation, but we prefer the driver to evaluate the system rather than the Corporation. Note that the Driver then appears both as a decision maker (row 4) and as the embedded monitor (row 10) at this boundary, which is the separation problem discussed in the Conclusion.
Table 4: Boundary conditions with boundary at the traction control (boundary category -> analysis)

1. Controlled Object: Traction control
2. Regulated Object Functionality: Safety of the driver; reduce slippage and help the car keep its grip
3. Improved Functionality: To improve the safety of the driver; no slippage of the car
4. Decision Makers, Control Element: Brainbox
5. Resources (Actor on Object, state information): Data generated by the traction control, the brakes, and the wheel speed data
6. Environment: Driver, Corporation, fourth-party driver, other cars on the road
7. Professional, Domain Expert: Traction control design engineers
8. Expertise, Domain Knowledge: Mechanics of the traction control design
9. Guarantee, System Correctness: Methodologies that produce the traction control design and make it functional
10. Embedded Monitor: Brainbox (safety monitor)
11. Emancipation: Safety policy; evaluating the methodology and design of the traction control
12. Worldview (value determination): Protects against the improper functioning of the traction control

Traction control as a boundary in the proposed system is superior to conventional drive-by-driver automobiles in the sense that it acts independently in response to hazardous road conditions. Rows 2 and 3 of the CPS-CSH analysis convey the same: the improved functionality ensures the driver's safety, which serves the very purpose of the proposed system by making it driver-centric. Here the brainbox is the control element, as it senses hazardous conditions and makes the traction control take over the car. The brainbox also functions as the embedded monitor even though it is the control element, because it is the only entity at the current level of the hierarchy that can efficiently monitor the functioning of the traction control.

2.2. Control Flow in the System

Fig. 2: Representation of the CPS-CSH system (figure not reproduced)

- Figure 2 shows the information flow and the control flow in the system.
- The brainbox in this system is a cyber-physical element.
- The traction control acts on the brakes, and the information flow between them is bidirectional.
- The Third party has indirect control over the car, through Toyota as an intermediary.
- There is a unidirectional control flow, as well as an information flow, from the driver to the brainbox.
- Control flows:
C1: The traction control, during its operation, exerts indirect control over the driver.
C2: Toyota has control over the brainbox under theft conditions of the automobile.
C3: The Third-party entity has control over the Toyota Care Corporation (monitoring, validating, approving).
C4: The inputs analysed by the brainbox are sent to the traction control, which in turn affects the moving car by operating the brakes/accelerator system.
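The control flows C1 to C4 and the embedded-monitor rows of Tables 2 to 4 can be made checkable rather than read off by hand. The following Python example is added here and is not code from the paper: it transcribes the entities, the control edges of Section 2.2 and the per-boundary roles of Tables 2 to 4 (the snake_case names, the "brake_pedal" and "third_party" labels and the function names are this example's own assumptions), computes which entities have a control path to each controlled object, and applies the rule stated in the Conclusion that the provider of a service should not be the one that evaluates it.

```python
"""Checkable encoding of the CPS-CSH boundary tables and control flows for the
drive-by-wire car. Added example, not code from the paper: entity names, the
edge list and the per-boundary roles are transcribed from Tables 2-4 and
Section 2.2; the function names and the 'involved' test are this example's
own assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Boundary:
    controlled_object: str       # CSH question 1
    control_elements: frozenset  # question 4: decision makers / control element
    embedded_monitor: str        # question 10: witness, affected but not involved


# One entry per table (Table 2, Table 3, Table 4 in that order).
BOUNDARIES = (
    Boundary("brakes", frozenset({"brainbox", "traction_control", "brake_pedal"}),
             "traction_control"),
    Boundary("brainbox", frozenset({"driver", "toyota"}), "driver"),
    Boundary("traction_control", frozenset({"brainbox"}), "brainbox"),
)

# Control-flow edges of Section 2.2 (X -> Y means X can exert control over Y).
CONTROL_FLOW = {
    "third_party": {"toyota"},                 # C3: monitoring, validating, approving
    "toyota": {"brainbox"},                    # C2: control over the brainbox under theft
    "driver": {"brainbox"},                    # unidirectional driver -> brainbox
    "brainbox": {"traction_control"},          # C4: analysed inputs sent to traction control
    "traction_control": {"brakes", "driver"},  # C4 acts on the brakes; C1 indirect control of driver
    "brakes": set(),
}


def controllers_of(graph, target):
    """Every entity with a control path of any length to `target`: the answer to
    'which entity has control over the object at this level of the hierarchy'."""
    reverse = {node: set() for node in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    seen, queue = set(), deque([target])
    while queue:                      # BFS over predecessors; cycles are safe
        node = queue.popleft()
        for pred in reverse.get(node, ()):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    seen.discard(target)              # an object is not its own controller
    return seen


def independent_witnesses(graph, target):
    """Entities that are neither `target` nor able to control it: the only
    candidates for an embedded monitor in the CSH sense (affected, not involved)."""
    return set(graph) - controllers_of(graph, target) - {target}


def monitor_conflicts(boundaries=BOUNDARIES, graph=CONTROL_FLOW):
    """Apply the paper's rule that the provider of a service must not evaluate it.
    Returns {object: reason}: 'self-monitoring' when the embedded monitor is one
    of the object's own decision makers, 'involved' when it merely has a control
    path to the object. An empty dict means every monitor is independent."""
    conflicts = {}
    for b in boundaries:
        if b.embedded_monitor in b.control_elements:
            conflicts[b.controlled_object] = "self-monitoring"
        elif b.embedded_monitor in controllers_of(graph, b.controlled_object):
            conflicts[b.controlled_object] = "involved"
    return conflicts


if __name__ == "__main__":
    for b in BOUNDARIES:
        obj = b.controlled_object
        print(f"{obj}: controlled by {sorted(controllers_of(CONTROL_FLOW, obj))}; "
              f"independent witnesses {sorted(independent_witnesses(CONTROL_FLOW, obj))}")
    print("monitor conflicts:", monitor_conflicts())
```

Run stand-alone, the script reports that every other entity has a control path to the brakes, that the brakes are the only entity with no control path to the traction control or to the brainbox, and that all three tabulated boundaries place their embedded monitor among the object's own decision makers. That is the difficulty the Conclusion describes; swapping in a monitor with no control path (for example the brakes at the traction-control boundary) is the only configuration the check accepts.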
CONCLUSION
The CPS-CSH model for a driver-centric environment, considering the car as the cyber-physical element, ensures the safety of the driver. By testing the CPS-CSH model on a drive-by-wire car system, we have been able to determine the functionality of the system and the interactions between the entities of the system, i.e. the control and information flows.

There has been a difficulty in establishing the embedded monitor at the various levels of the hierarchy. The entity that provides a particular service should not be the one that evaluates that service. But in certain cases there exists no entity that can properly monitor a service other than an entity that is itself part of the service being provided.

The issues related to privacy and the concerns of the customer should be monitored by a trusted third-party entity (a federal organization, a customer welfare group, ...). The primary functions of such an entity would be to monitor the collection and usage of the data related to the customer and to provide assurance to the customer regarding privacy and safety.

FUTURE WORK
Future work includes establishing suitable embedded monitors at the different levels of the hierarchy, and ensuring non-deducibility to prevent data leakage to unwanted recipients.

ACKNOWLEDGEMENTS
- We express our appreciation to the ISC for its support.
- We thank Gerry Howser for the Toyota Prius model.

REFERENCES
[1] G. Howser and B. McMillin, "Modeling and reasoning about the security of drive-by-wire automobile systems," International Journal of Critical Infrastructure Protection, 2012. http://dx.doi.org/10.1016/j.ijcip.2012.09.001
[2] A. W. Moore, "Information Gain," tutorial, School of Computer Science, Carnegie Mellon University. http://www.cs.cmu.edu/~awm/tutorials
[3] B. McMillin, D. Fitch, S. Sedigh and R. Akella, "CPS-CSH Cyber-Physical Social Privacy for the Smart Grid," 7th CRITIS Conference, Norway, September 2012.
[4] W. Ulrich, "Beyond methodology choice: Critical systems thinking as critically systemic discourse," Journal of the Operational Research Society, vol. 54, no. 4, pp. 325-342, 2003.
[5] P. Derler, E. A. Lee and A. Sangiovanni-Vincentelli, "Addressing Modeling Challenges in Cyber-Physical Systems," March 4, 2011.