# Toyota's Direction

Our sustainable mobility strategy includes products, partnerships, the urban environment and energy solutions.\*







\*Toyota 2010 North American Environmental Report Highlights

Vehicle-to Vehicle and Infrastructure integration



## Presentation Flow

- 1. Development Pressures → Model-based Development
- Open Challenge: Verification and Validation (V&V) of In-Vehicle Control Systems
- 3. V&V Research Directions
- 4. Discussion

with grateful contributions from:

Koichi Ueda, Hakan Yazarel, Prashant Ramachandra, Derek Caveney, Chrona, UCLA, UC Berkeley CHESS, Carnegie Mellon



## **Product Direction**



Product variation, control, integration, and complexity are accelerating in order to improve vehicle performance, address sustainability, and provide new features.



# Model-Based Development: Basic Tooling





# MBD Focus areas

- Process and Information Management
- Plant Modeling
- Model-based control design
- Calibration
- Verification and Validation



## MBD Focus: Verification and Validation

ACG: Automatic code generation

## Development time





# Verification and Validation: Strategy



Renew development process by applying advanced V&V technologies to improve:

- → Quality no defects allowed in product
- → Efficiency minimized development cost



# V & V Application: Model (vs. Code) Coverage

# Technology Goal

Show satisfied and unsatisfied paths unambiguously

# Motivating Example



Coverage measurement is required at each confirmation stage. i.e. Which paths are validated/verified by test cases?



# V & V Application: Test Generation

# Technology Goal

Structural coverage based test generation

## Motivation

- %100 MCDC (Modified Condition Decision Coverage) is required for new logic to make sure every part of the code is tested and there is no dead-code.
- Generating test cases for %100 path coverage for main logic of legacy code.
- Equivalence checking of Simulink models and corresponding C-code



# V & V Application: Test Generation

## Current analysis / tool capability

Commercial test generation tools are available, but they need laborious manual efforts to reach %100 MCDC.

# Challenges are:

- %100 MCDC
- %100 path coverage (needed for some logic portions)
- Look-up table coverage
- Lots of nonlinear arithmetic operations
- Logic with counters, timers, integrators



# V & V Research: Symbolic Equivalence Checking

# Technology Goal

Automatic and compositional symbolic equivalence checking of C code against corresponding Simulink models

## Motivating Example

### Equivalence Checking of Code against Models





# Equivalence Checking for Simulink Models and C code

#### Scenario 1: Code Generation



? ≡

```
int global_var;
int moduleSubFunction2(int var_func)
 int local out;
 local_out = var_func - 5;
 return local out;
int moduleSubFunction1(int var_func)
 int local_out;
 local_out = var_func - 2;
 return local_out;
void moduleSubFunction(int var_main)
 int local in;
 local_in = var_main;
 if (local_in > 50)
   global var = moduleSubFunction1(local in);
 else {
   global var = moduleSubFunction2(local in);
void moduleMainFunction(void)
 int local_main;
 local_main = global_var >> 4;
 if (local_main > 255)
   local main = 255;
 moduleSubFunction(local_main);
```

Scenario 2: Legacy Code Modeling



# Compositional Equivalence Checking for Simulink Models and C code (UCLA) \* Saha, Majumdar



- Process repeated bottomup on function-call tree
- Function calls in upper hierarchy are treated as uninterpreted functions since they are assumed already verified down the hierarchy

Verification Conditions for Simulink subsystem Verification Conditions for C function implementing Simulink subsystem

oid moduleMainFunction (void)

int global var;

int moduleSubFunction2(int var\_func)
{
 int local\_out;
 local\_out = var\_func - 5;
 return local\_out;

local\_in = var\_main; if (local\_in > 50) { global\_var = moduleSubFunction1(local\_in); } else { global\_var = moduleSubFunction2(local\_in);





# V & V Research: Control Design Specification Validation i.e. Prove model is consistent with requirements

## Technology Goal

Prove properties using formal methods

# Motivating Example





# V & V Research: Property Proving

# Current analysis / tool capability

Commercial model-based tools for property proving are available, but very limited in their application:

Technical challenges are...

- Scalability
- Floating-point and Nonlinear mathematics
- Look-up tables
- Logic with counters, timers, integrators



# V & V Research: Real-time Software Checking

## Technology Goal

Improve engine control software real-time characteristic robustness to software changes (Chrona TDL)



 Real-time software evaluation with Software-in-the-Loop (SIL) (Chrona Validator)



Real-time execution time estimation (CHESS GameTime)



- "Predictable" computing (future work ?)
  - Today's computer architects are not considering real-time control!



## V & V Research: Chrona TDL

TDL: Timing Definition Language \*Pree, Resmerita

Allocate generous computation time budgets (LETs) and use a run-time machine to enforce the timing specification

- Closely related to schedulability analysis
- Requires software program analysis to evaluate variable interactions
- Requires fine grain execution time data

Engine control requires extensions for event-based processes

#### **Logical Execution Time**



- All inputs are read at the beginning of the LET
- All outputs are updated at the end of the LET
- LET is platform-independent => platform independent behavior
- Schedulability condition: LET ≥ Worst Case Reaction
   Time of the time-triggered task

Increased robustness of the software: the time profile of a global variable will **not** change as a result of

- Adding/Removing functions in the system (both in the time-triggered and in the event triggered parts)
- Variation of execution times in different runs of the same system due to different dynamic conditions
- Changes of execution times due to porting the software to another ECU



## V & V Research: Chrona Validator

# Technology Goal

\*Resmerita et. al.

How to check Modified TDL versus Original ? → Real-time aware SIL

- Pre-emption, scheduling, jitter, (reverse) source level debugging



## V & V Research: GameTime in CHESS

# Technology Goal

\*Seshia

How to get good fine grain execution time estimates for TDL and Validator?

- Resolve worst-case path and initial state dimensions (and their interactions)
- Measure 'feasible basis' paths and use data to generate a model for all paths





(Complex == Cyber Physical Systems) (Carnegie Mellon University)

\*Krogh, Bhave

# Technology Goal

Learn how to apply recent V&V results to complex problems

- Architectural and Formal approaches
- Many advancements since MoBIES (circa 2002)
- Funding by the National Science Foundation
- Collision Avoidance application area
- Developing complex cyber-physical systems requires analyses of multiple models using different formalisms and tools

Proposal: Ar

#### How can we:

- guarantee the models represent the actual system?
- guarantee models are consistent with each other?
- infer system-level properties from heterogeneous analyses of heterogeneous models?

Multi-Domain Modeling/Analysis: Proposal: Architectural Approach

**Goal:** Unify heterogeneous models through *light-weight* representations of their structure and semantics using architecture description languages (ADLs).



(Complex == Cyber Physical Systems) (Carnegie Mellon University)

### **Models as Architectural Views**

\*Garlan, Krogh, Bhave



Base CPS Architecture

## **Heterogeneous Verification**

#### Annotate architectures with

- system-level specifications/requirements
- assumptions underlying models/views
- guarantees provided by model-based analyses

#### Develop algorithms for

- consistency analysis for specifications & assumptions
- integration of model-based verification results
- coverage via heterogeneous verification activities



(Complex == Cyber Physical Systems) (Carnegie Mellon University)



Abstract modeling and formal verification yield control requirements to be satisfied during design and implementation



(Complex == Cyber Physical Systems) (Carnegie Mellon University)

Safety Verification Using Reachable Sets



• System is safe, if no trajectory enters the unsafe set.



#### Nonlinear Sytems with Uncertain Parameters

$$\dot{x} = f(x(t), u(t), p(t)),$$

$$x(0) \in X_0 \subset \mathbb{R}^n$$
,  $u(t) \in U \subset \mathbb{R}^m$ ,  $p(t) \in \mathcal{P} \subset \mathbb{R}^p$ 



 Scalable when using zonotopes, as long as no splitting is involved. For a water tank system can be computed in a few minutes.

#### Hybrid Sytems

\*Althoff

#### Graphical Description:



- In addition to continuous systems, the intersection with guard sets is required (seems simple, but it's not).
- Not really scalable; usually

#### Nonlinear Sytems with Uncertain Parameters

Example: Evasive maneuver of a car. sketch:



computed set for a lane change maneuver:





Ken Butts, TEMA Toyota T Powertrain Control – Model ba

# V & V Research: Verifiable Control Design in CHESS \*Hedrick, Shahbakhti

## Technology Goal

How can we consider verification during control design?





# Model-based V & V: Situation Summary

## What we think we can do (soon):

Validation (design confirmation)

- Closed-loop simulation
  - Property assertions
  - Robustness to parameter and scenario variation
- Rapid prototyping

Verification (implementation confirmation)

- Structural
  - Static analysis
  - Test vector generation
  - Visualization and analysis
- Software-in-the-Loop
  - Code to Model Equivalence checking
  - Functional scenarios
  - Fixed point design
- Hardware-in-the-Loop
  - ECU interface and signal conditioning
  - Real-time software confirmation
  - Fault diagnosis and handling



# Model-based V & V: Situation Summary

## What we (will) need:

A *systematic engineering process* to fully explore the operating space

- Deal with system complexity
  - Heterogeneity (hybrid dynamics, wireless networking, dynamic agent scenarios)
  - Hierarchical structure (in-vehicle, vehicle-to-vehicle, vehicle to infrastructure)
  - Scale
  - Floating point design vs. fixed-point Implementation
- Leverage compositionality / prior knowledge
  - Component to system verification
  - Multiple component providers
  - Control design attributes
- Security threatening / malicious agents
- Real-time software performance guarantees predictable computing
- Calibration accommodate tuning changes at the end of the process.



# Thank you for your attention!

We're trying to hire a researcher to help.

