Robustness of Simulink/Stateflow Model Against Implementation

Robustness of Model-based Software
Against Implementation Imperfections
Ratnesh Kumar, Fellow, IEEE
Professor, Iowa State University
Simulink/Stateflow based Embedded Software

 Simulink/Stateflow is extensively used for the design of embedded software in the cyber-physical domain
 Software faults: No. 1 cause of field calls
 Need for enhanced ways of
   Ensuring correctness (e.g., tests offering coverage)
   Runtime monitoring (as errors are unavoidable)
 Goal: Model-based approach for error analysis for Simulink/Stateflow
Motor Control/Monitoring

[Figure: Servo Control System. A Microcontroller with A/D, Decoder, Servo Library and a PWM-Controlled Power Supply drives the Servo (Motor Voltage V, ServoPos θ, ServoVel) read back through an Encoder (DigitalPos). The Control Software takes Start/Stop (PortA_Reading) and VelCmd[n] and emits PWMDutyCycle; the Monitoring Software observes PWMDutyCycle, HasSupplyF and PortA_Reading (Start/Stop) and raises "Fault Occurs".]
 Specifications/Requirements for motor control (Control Software, motor halt/set-point):
   Whenever Stop is pressed, Halt in the next 4 steps;
   Whenever Start is pressed, Stop is not pressed, and SeqNo = n, issue VelCmd[n] as set-point and increment n.
Simulink/Stateflow for Motor Control/Monitoring

[Figure: Simulink model composed of the blocks Step 2, Stateflow 1, Stateflow 2, Sum and a Triggered Subsystem.]

How to use the model to check the consistency of the software and the implementation?
Imperfections in Software Implementations

 A software implementation has imprecisions, which are determined by the implementation configuration:
 Computing system imprecision (machine precision):
   Floating point representation error
   Finite precision / floating point arithmetic calculation error
 Sensor/Communication/Actuator imprecision (measurement/control signal precision):
   Signal perturbation error
   Computation and communication delays
 Accumulated error can be large and can change the control and data flow of the system

[Figure: Simulink model of a counter. Increment error [-0.01, 0.01]; accumulated error after k steps [-0.01 k, 0.01 k]. When time step k = 10000, error = 100!]
Software Robustness Checking Steps

[Figure: Flowchart. Simulink/Stateflow Model → (Model Translation) → I/O-EFA Model → (Introduce Implementation Imperfections, parameterised by the Software Implementation Configuration) → Implementation Model → (Identify Nondeterministic Regions) → Error Propagation Model → (Reachability Analysis) → Robustness Checking Report.]

Example: Counter With Imprecision (resettable counter with limits)
  Inputs: Counter.mdl, Counter_config.xml
  Robustness Report: P-Robustness: pass; P/O-Robustness: fail
Recursive Translation from Simulink to I/O-EFA

 Model each atomic Simulink block as a pair of 2-location I/O-EFAs (for output and state updates respectively)
 Augment for block conditioning
 Introduce succession edges based on execution order
 Introduce time-advance edge

[Figure: Input/Output Extended Finite Automata built from the per-block EFAs, joined by succession edges and closed by a time-advance edge.]
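The four translation steps above, carried out on a small block chain as an added example (this is not the page's translator and not a Simulink API). The encoding is this example's own assumption: each block gets an output-assignment EFA (o0 → o1) and a state-update EFA (s0 → s1), succession edges run through all output assignments in execution order and then all state updates, and a single time-advance edge closes the cycle. Step 2 (block conditioning) adds nothing here because none of the constructed blocks is triggered or enabled.

```python
class Block:
    """An atomic block: output y = out(x, u) and next state x' = upd(x, u), initial state x0."""
    def __init__(self, name, out, upd, x0=0.0):
        self.name, self.out, self.upd, self.x0 = name, out, upd, x0

def gain(name, k):
    # Gain block: y = k*u, no state
    return Block(name, out=lambda x, u: k * u, upd=lambda x, u: x)

def unit_delay(name, x0=0.0):
    # Unit Delay block: y = x (previous input), x' = u
    return Block(name, out=lambda x, u: x, upd=lambda x, u: u, x0=x0)

class IOEFA:
    """Locations plus edges (src, dst, kind, action); every location has one outgoing edge here."""
    def __init__(self):
        self.locations, self.edges = [], []

    def add_edge(self, src, dst, kind, action=None):
        for loc in (src, dst):
            if loc not in self.locations:
                self.locations.append(loc)
        self.edges.append((src, dst, kind, action))

def translate(blocks):
    """Steps 1, 3 and 4 of the recursive translation (step 2 is a no-op for unconditioned blocks)."""
    efa = IOEFA()
    # step 1: a 2-location EFA for the output assignment and one for the state update, per block
    for i, b in enumerate(blocks):
        efa.add_edge(f"{b.name}.o0", f"{b.name}.o1", "output", ("out", i))
        efa.add_edge(f"{b.name}.s0", f"{b.name}.s1", "update", ("upd", i))
    # step 3: succession edges in execution order (assumed: all outputs, then all state updates)
    order = [f"{b.name}.o" for b in blocks] + [f"{b.name}.s" for b in blocks]
    for prev, nxt in zip(order, order[1:]):
        efa.add_edge(prev + "1", nxt + "0", "succession")
    # step 4: the time-advance edge returns to the first output assignment for the next step
    efa.add_edge(order[-1] + "1", order[0] + "0", "time-advance")
    return efa

def run(efa, blocks, inputs):
    """Walk the EFA for len(inputs) time steps. Block i reads the output of block i-1
    (block 0 reads the external input); returns the last block's output per step."""
    x = [b.x0 for b in blocks]
    y = [0.0] * len(blocks)
    succ = {src: (dst, kind, action) for src, dst, kind, action in efa.edges}
    loc = efa.locations[0]            # first output-assignment location
    outputs = []
    for u in inputs:
        while True:
            dst, kind, action = succ[loc]
            if kind == "output":
                i = action[1]
                y[i] = blocks[i].out(x[i], u if i == 0 else y[i - 1])
            elif kind == "update":
                i = action[1]
                x[i] = blocks[i].upd(x[i], u if i == 0 else y[i - 1])
            loc = dst
            if kind == "time-advance":
                break
        outputs.append(y[-1])
    return outputs

CHAIN = [gain("Gain", 2.0), unit_delay("Delay")]   # constructed: Gain → Unit Delay
EFA = translate(CHAIN)

if __name__ == "__main__":
    print(run(EFA, CHAIN, [1.0, 1.0, 1.0]))
```

The walk mirrors Simulink's step semantics (compute every output, then update every state, then advance time): a unit input through Gain 2 and a Unit Delay yields 0, 2, 2, the first output being the delay's initial state.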
Introduce Implementation Imperfections

 Perturbed variables: [[v]]ε(v) := v ± ε(v)
 Delays: ζ := ζ + delay
 Perturbed arithmetic: the error bound of each result is derived from the error bounds of its operands:

Arithmetic Type   Perturbed Arithmetic
Summation         [[a]]ε1 + [[b]]ε2 = [[a+b]](ε1+ε2)
Subtraction       [[a]]ε1 - [[b]]ε2 = [[a-b]](ε1+ε2)
Product           [[a]]ε1 × [[b]]ε2 = [[a×b]](ε1|b| + ε2|a| + ε1ε2)
Division          [[a]]ε1 / [[b]]ε2 = [[a/b]]((ε1 + |a/b| ε2) / (|b| - ε2))

Applying these to the I/O-EFA model yields the Implementation Model.
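The perturbed-arithmetic rules above as executable code, added here as an example (not the page's tool): a `Perturbed` value type carrying a nominal value and an absolute error bound, a sampling check that the derived bound encloses every deviation an implementation within the operand bounds can produce, and the counter accumulation from the earlier slide (increment error 0.01 per step, 100 after 10000 steps). The class and helper names are this example's own. The division rule only gives a finite bound when |b| > ε2, i.e. when the divisor's interval excludes zero, which the code checks.

```python
from dataclasses import dataclass
import random

@dataclass(frozen=True)
class Perturbed:
    """[[v]]eps: nominal value v whose implemented value lies in [v - eps, v + eps]."""
    v: float
    eps: float

    def __add__(self, o):      # [[a]]e1 + [[b]]e2 = [[a+b]](e1+e2)
        return Perturbed(self.v + o.v, self.eps + o.eps)

    def __sub__(self, o):      # [[a]]e1 - [[b]]e2 = [[a-b]](e1+e2)
        return Perturbed(self.v - o.v, self.eps + o.eps)

    def __mul__(self, o):      # [[a]]e1 x [[b]]e2 = [[a*b]](e1|b| + e2|a| + e1 e2)
        return Perturbed(self.v * o.v,
                         self.eps * abs(o.v) + o.eps * abs(self.v) + self.eps * o.eps)

    def __truediv__(self, o):  # [[a]]e1 / [[b]]e2 = [[a/b]]((e1 + |a/b| e2) / (|b| - e2))
        if abs(o.v) <= o.eps:
            # the divisor's error interval contains 0: no finite error bound exists
            raise ZeroDivisionError("divisor interval contains zero")
        q = self.v / o.v
        return Perturbed(q, (self.eps + abs(q) * o.eps) / (abs(o.v) - o.eps))

    def interval(self):
        return (self.v - self.eps, self.v + self.eps)

def counter_error_after(k, step_eps=0.01):
    """Counter that adds a perturbed 1 each step: after k steps the accumulated
    error bound is k * step_eps (the [-0.01 k, 0.01 k] of the counter slide)."""
    acc = Perturbed(0.0, 0.0)
    one = Perturbed(1.0, step_eps)
    for _ in range(k):
        acc = acc + one
    return acc

def bound_holds(expr, a, b, trials=2000, seed=1):
    """Sample implementations of a and b inside their error boxes and check that
    the rule's bound encloses every deviation of the exactly computed result."""
    rng = random.Random(seed)
    result = expr(a, b)                       # value and bound from the rule
    for _ in range(trials):
        da = rng.uniform(-a.eps, a.eps)
        db = rng.uniform(-b.eps, b.eps)
        # operands with zero error evaluate the rule as plain arithmetic
        actual = expr(Perturbed(a.v + da, 0.0), Perturbed(b.v + db, 0.0)).v
        if abs(actual - result.v) > result.eps + 1e-12:
            return False
    return True

if __name__ == "__main__":
    acc = counter_error_after(10000)
    print("counter after 10000 steps:", acc.v, "+/-", acc.eps)
    print("product bound holds:", bound_holds(lambda x, y: x * y, Perturbed(3.0, 0.1), Perturbed(-2.0, 0.05)))
    print("division bound holds:", bound_holds(lambda x, y: x / y, Perturbed(1.0, 0.1), Perturbed(2.0, 0.2)))
```

The sampling check is only a sanity test of the rules, not a proof; the rules themselves are sound bounds, and for division the constructed case (1 ± 0.1) / (2 ± 0.2) attains its bound at the corner a = 1.1, b = 1.8, which is why the comparison allows a rounding tolerance.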
Robustness Notions

 P-Robustness: Software is P-Robust against an implementation if each input sequence applied to its I/O-EFA model P and implementation model P I executes the same edge-sequences (preserving the control-flow)
 P/O-Robustness: a P-Robust design is further said to be P/O-Robust if the two output sequences (of P and P I) differ within a tolerance bound (preserving the data-flow)

[Figure: I/O-EFA model P with u(0) = 0, beside the implementation model P I with u(0) = 0, ε(u(0)) = 0.1. The perturbed value carries an error 0 < error ≤ 0.1 or -0.1 ≤ error ≤ 0, so P I can take a different edge than P, which violates P-Robustness.]
Checking Robustness

The Implementation Model introduces nondeterministic regions. For a guard 1 < v < 2 on a variable with error bound 0.1:

Implementation Model (guards evaluated on the perturbed value):
  l0-1 --e0: [1 < [[v]]0.1 < 2] {[[v1]]ε(v1) := [[1]]0.2}--> lm-1
  e1: [[[v]]0.1 ≤ 1]
  e2: [[[v]]0.1 ≥ 2]

Error Propagation Model (guards widened by the error bound):
  l0-1 --e0: [0.9 < v < 2.1] {v1 := 1, ε(v1) := 0.2}--> lm-1
  e1: [v ≤ 1.1]
  e2: [v ≥ 1.9]
  The widened guards overlap, giving a nondeterministic edge choice: P I may activate a different edge from the one activated by P.

Error Propagation Model with the nondeterministic regions routed to a fault location:
  l0-1 --e0: [1.1 < v < 1.9] {v1 := 1, ε(v1) := 0.2}--> lm-1
  e1: [v ≤ 0.9]
  e2: [v ≥ 2.1]
  e3: [0.9 < v ≤ 1.1 ∨ 1.9 ≤ v < 2.1] --> fault

 P-Robustness: nondeterministic regions in P I are unreachable
 P/O-Robustness: nondeterministic regions in P I are unreachable and output deviations from true values are within tolerance

Error Propagation Model
 Identify deterministic and non-deterministic regions
 Nondeterministic region goes to "fault"
 Output deviation exceeding tolerance goes to "fault"

Robustness Checking with Error Propagation Model
 P-Robustness: fault-location is unreachable disregarding output tolerance
 P/O-Robustness: fault-location is unreachable

Example: Error Propagation Model
  u(0) = 0, ε(u(0)) = 0.1, i.e. -0.1 < 0 ≤ 0.1: the initial value lies in a nondeterministic region
  Fault location f is reachable
  Software is not P-Robust under the implementation configuration
Robustness checking is equivalent to reachability analysis of fault-location f
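The region splitting and the reachability check above, as an added example (not the page's checker and not its Counter.mdl). `straddles` implements the nondeterministic-region test: a guard boundary b is nondeterministic for a value v whenever the error interval [v - ε, v + ε] contains points on both sides of b, which for b = 1 (guards v ≤ 1 / v > 1) gives (0.9, 1.1] and for b = 2 (guards v < 2 / v ≥ 2) gives [1.9, 2.1), matching edge e3. `check_robustness` then runs a bounded breadth-first reachability over the error-propagation model of a constructed resettable saturating counter; the counter, its threshold, the error values and the horizon are this example's own assumptions.

```python
from collections import deque

def straddles(v, eps, b, closed_below):
    """True when the perturbed value [v - eps, v + eps] straddles guard boundary b.
    closed_below=True  means the lower guard is v <= b (so b itself belongs below),
    closed_below=False means the lower guard is v <  b (b belongs above)."""
    if closed_below:
        return b - eps < v <= b + eps       # (0.9, 1.1] for b=1, eps=0.1
    return b - eps <= v < b + eps           # [1.9, 2.1) for b=2, eps=0.1

def check_robustness(threshold, u0_eps, inc_eps, tol, horizon=12):
    """Bounded reachability of the fault location for a constructed counter:
        reset input r=1:            u := 0         (exact literal, error 0)
        r=0 and u <  threshold:     u := u + 1     (perturbed increment, error += inc_eps)
        r=0 and u >= threshold:     u := u         (hold at the limit)
    Initial u = 0 is measured with error u0_eps. A guard evaluation in a
    nondeterministic region is edge e3 to the fault location; an output error
    above tol is the P/O fault. Returns the verdicts and witness input traces."""
    start = (0.0, u0_eps)
    seen = {start}
    queue = deque([(start, ())])
    p_fault = None      # witness trace for a nondeterministic guard evaluation
    po_fault = None     # witness trace for an output deviation beyond tolerance
    while queue:
        (u, eps), trace = queue.popleft()
        if eps > tol and po_fault is None:
            po_fault = trace
        if len(trace) == horizon:
            continue
        for r in (0, 1):
            if r == 1:
                nxt = (0.0, 0.0)
            else:
                # guard u < threshold vs u >= threshold, decided on the perturbed value
                if straddles(u, eps, threshold, closed_below=False):
                    if p_fault is None:
                        p_fault = trace + (r,)
                    continue                # edge e3 -> fault location f
                nxt = (u + 1.0, eps + inc_eps) if u < threshold else (u, eps)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (r,)))
    return {
        "P-Robustness": p_fault is None,
        "P/O-Robustness": p_fault is None and po_fault is None,
        "p_witness": p_fault,
        "po_witness": po_fault,
    }

if __name__ == "__main__":
    # boundary at an integer the nominal trajectory hits: never P-Robust with any error
    print(check_robustness(threshold=3.0, u0_eps=0.1, inc_eps=0.01, tol=1.0))
    # boundary between integers: P-Robust, but the accumulated error exceeds a tight tolerance
    print(check_robustness(threshold=2.5, u0_eps=0.1, inc_eps=0.01, tol=0.125))
```

The two runs reproduce the two verdicts the page's report distinguishes: with the limit placed exactly on a value the nominal counter reaches, the first three increments lead to a nondeterministic guard evaluation and P-Robustness fails (witness input trace 0, 0, 0, 0); with the limit between integer values the control flow is preserved, and only the tolerance decides P/O-Robustness.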
Conclusion

 Robustness of Embedded Code against Implementation Imperfections
 System-level compositional testing
Bio

Ratnesh Kumar has been a professor of ECE at Iowa State University since 2002. Prior to this, he held a faculty position in ECE at the University of Kentucky (1991-2002) and has held visiting positions at the University of Maryland, the Applied Research Laboratory (at Penn State University), NASA Ames, Idaho National Laboratory, and United Technologies Research Center. He received his B.Tech. in EE from IIT Kanpur in 1987 and his MS and PhD in ECE from the University of Texas, Austin in 1989 and 1991, respectively. His research interests are in event-driven, real-time, and hybrid systems, and their applications to embedded systems and software, cyberphysical systems, web-services, sensor networks, power systems, and precision farming. He is or has been an associate editor of SIAM Journal on Control and Optimization, IEEE Transactions on Robotics and Automation, Journal of Discrete Event Dynamical Systems, International Journal on Discrete Event Control Systems, IEEE Control Systems Society, IEEE Robotics and Automation Systems Society, and IEEE Workshop on Software Cybernetics. He is a fellow of the IEEE.
Bio

Meng Li has been a research engineer at GE Global Research in Niskayuna, NY, since 2014. He received his Bachelor's degree in Automation from Zhejiang University, Hangzhou, China, in 2008 and his PhD in Computer Engineering from Iowa State University, Ames, IA, in 2013. He was a research assistant in the Department of ECE at Clemson University, Clemson, SC, from 2008 to 2009, and a research assistant in the Department of ECE at Iowa State University from 2009 to 2013. He was a control engineer intern with Corning Incorporated in 2011 and a research associate intern with Honeywell International in 2012. His research interests include event-driven, real-time, and hybrid systems, and their application to model-based testing and verification for embedded software and cyber-physical systems.
Stateflow1: Control/Motor/SW-level Monitors
[Figure: Stateflow 1 model containing the Motor, Control, SW Monitor1 and SW Monitor2 charts.]

Stateflow2: System-level Monitors
[Figure: Stateflow 2 model containing Sys Monitor1 and Sys Monitor2 (part of Sys Monitor2 shown).]

Triggered Subsystem: Controlled Plant + Residual
[Figure: Triggered Subsystem built from Gain and Unit Delay blocks.]

Triggered Subsystem: Gain
[Figure: I/O-EFA pair for the Gain block: Output Assignment and State Update.]

Triggered Subsystem: Unit-delay
[Figure: I/O-EFA pair for the Unit Delay block: Output Assignment and State Update.]

Step 2
[Figure: I/O-EFA pair for the Step 2 block: Output Assignment and State Update.]

Sum
[Figure: I/O-EFA pair for the Sum block: Output Assignment and State Update.]