Better Engineering through Better Models

Better Engineering through Better Models

Edward A. Lee Robert S. Pepper Distinguished Professor UC Berkeley Plenary Talk International Conference on Complex Systems Engineering (ICCSE) November 9, 2015. Storrs, CT, USA

!"#$%&'"%()$"%*&+',-./'&%"012&'3'45%.&5-',0!""•! #$%&'"("!"#$%&'()•! #)*+,-./)0"("*#+',%&$)•! 1&2,'3-$"("-'./0#)6'&",.7*1/'&$8%•! 4352'&-&"657"12+3+424$)•! 85$029')0),5"657"5%,/6"•! 8:;)'3-9*5"657"*#+',%&$)•! <2)0)*3&5")="52.:&">2:),?@"657"72&'(%0#)8.29:)•! A3;9"+&'=)'*.02&"657"72;)<+/=9#)•! 8?.+-.%3:3-$"657">/?/'0'@%(%0#)•! A3;9"2)00&2/63-$"657"-/&4=%0#)'+6)!=%A'&#)•! 12.:.%3:3-$"657">/(%'@%(%0#)'+6)!=/6%&0'@%(%0#)•! B.C5".0?"D&;,:./)05"657"5/&"+%&'()!2$$%@%(%3/$)!&&'9./'&8%#$%&'E+9$532.:"5$5-&*5".'&"=,0?.*&0-.::$"?3F&'&0-"=')*"2)*+,-./)0.:"5$5-&*5".0?"=')*"+9$532.:"5$5-&*57"G9&$"'&H,3'&"0&C"&0;30&&'30;"*)?&:5"-9.-"&*%'.2&"-&*+)'.:"?$0.*325".0?".:;)'3-9*32"2)*+,-./)07"

Automotive

Biomedical

Military

Energy

Manufacturing

Avionics

Buildings

2

#$%&'EI9$532.:"1$5-&*5">#I1@"J0?&':3&5"*,29")="-9&"30?,5-'3.:"&2)0)*$"

The order and timing of events matters a lot when interacting with physical processes. The system at the right orchestrates hundreds of microcontrollers to deposit ink on paper flying through the printer at 100 km/h with micron precision.

Lee, Berkeley 3

This Bosch Rexroth printing press is a cyber-physical factory using Ethernet and TCP/IP with high-precision clock synchronization (IEEE 1588) for real-time control.

G3*30;"I')%:&*5"B))*"B.';&"30"#$%&'EI9$532.:"1$5-&*5"

K0"G935"G.:L!"M)2,5")0"N)?&:5"

Lee, Berkeley 4

N)?&:5"657"D&.:3-$"

K0"-935"&O.*+:&P"-9&",26/(%+9).=',/;2=B)35"2.:2,:,5".0?"Q&C-)0R5":.C57""C%6/(%0#"35"9)C"C&::"-9&"*)?&:".0?"3-5"-.';&-"*.-29"

Lee, Berkeley 5

The model

The target (the thing being modeled).

Solomon Wolf Golomb

Engineers all too often conflate the model with its target.

You will never strike oil by drilling through the map!

Lee, Berkeley 6

Keep Clear the Distinction Between the Model and its Target"

But this does not in any way diminish the value of a map!

129&*./2")="."53*+:&"#I1"

Lee, Berkeley 7

What kinds of models should we use? Let’s look at the most successful kinds of models from the cyber and the physical worlds.

1)SC.'&"35"."N)?&:"

I9$532.:"1$5-&*" D26/()

-%+9(/E0"=/'6/6)%,?/='3A/)?=29=',$)Lee, Berkeley 8

I9$532.:"1$5-&*"

-%+9(/E0"=/'6/6)%,?/='3A/)?=29=',$)

1)SC.'&"'&:3&5")0".0)-9&'"*)?&:"-9.-".%5-'.2-5"-9&"9.'?C.'&"

I9$532.:"1$5-&*" Model

Instruction Set Architectures (ISAs) Lee, Berkeley 9

Image: Wikimedia Commons Waterman, et al., The RISC-V Instruction Set Manual, UCB/EECS-2011-62, 2011

4&-&'*30.2$"

1)*&"*)?&:30;"='.*&C)'L5"5,++)'-"-9&"2)05-',2/)0")="6/0/=,%+%$3&"*)?&:57"

"8"*)?&:"35"6/0/=,%+%$3&)3=P";36&0"-9&"303/.:"5-.-&".0?"-9&"30+,-5P"-9&"*)?&:"?&T0&5"&O.2-:$")0&"%&9.63)'7"

"4&-&'*3035/2"*)?&:30;"='.*&C)'L5"9.6&"+')6&0"&O-'&*&:$"6.:,.%:&"30"-9&"+.5-7"

Lee, Berkeley 10

#)053?&'"530;:&E-9'&.?&?""3*+&'./6&"+');'.*5"

G9&"-.';&-")="-9&"*)?&:"35"0)0?&-&'*3035/2">&:&2-')05".0?"9):&5"5:)5930;".'),0?"30"53:32)0@7"

This program defines exactly one behavior, given the input x. Note that the modeling framework (the C language, in this case) defines “behavior” and “input.”

Lee, Berkeley 11 Lee, Berkeley

4&-&'*3035/2"N)?&:5"=)'"-9&""I9$532.:"13?&")="#I1"

I9$532.:"1$5-&*" D26/()

Signal Signal

*%F/=/+3'()<G4'32+$)Lee, Berkeley 12

Image: Wikimedia Commons

Signal Signal

13 Image: Wikimedia Commons Lee, Berkeley

8"N.U)'"I')%:&*"=)'"#I1!"#)*%30./)05")="4&-&'*3035/2"N)?&:5".'&"Q)0?&-&'*3035/2"

Correct execution of a program in C, C#, Java, Haskell, OCaml, Esterel, etc. has nothing to do with how long it takes to do anything. Nearly all our computation and networking abstractions are built on this premise.

Programmers have to step outside the programming abstractions to specify timing behavior. Embedded software designers have no map!

Lee, Berkeley 14

Timing is not Part of Software Semantics"

Lee, Berkeley 15

G9&"N)?&:"

Lee, Berkeley 16 Image: Wikimedia Commons

USB interface

JTAG and SWD interface

graphicsdisplay

CAN bus interface

Ethernet interface

analog(ADC)inputs

micro-controller

removable flash

memoryslot

PWM outputs

GPIO connectors

switchesconnected

to GPIO pinsspeakerconnected toGPIO or PWMG9&"D&.:3-$"

Lee, Berkeley 17

G9&"N)?&:"35"0)-"*,29"*)'&"?&-&'*3035/2"-9.0"-9&"'&.:3-$"

5"/),26/(%+9)('+94'9/$)"'A/)6%$H2%+0I)

%+&2,?'3@(/)$/,'+3&$)

Lee, Berkeley 18 Image: Wikimedia Commons

1$5-&*"?$0.*325"&*&';&5"=')*"-9&"+9$532.:"'&.:3V./)0"

USB interface

JTAG and SWD interface

graphicsdisplay

CAN bus interface

Ethernet interface

analog(ADC)inputs

micro-controller

removable flash

memoryslot

PWM outputs

GPIO connectors

switchesconnected

to GPIO pinsspeakerconnected toGPIO or PWM

J)(/'6%+9)02)')K?=2020#?/)'+6)0/$0L)

$0#(/)2.)6/$%9+)

4)"?&-&'*3035/2"*)?&:5"*.L&"5&05&"=)'"#$%&'E+9$532.:"5$5-&*5W"

Lee, Berkeley 19

Physical noise Imperfect actuation

Parts failures

Unknowable delays Packet losses

Unknowable execution times

Uncontrollable scheduling

M+)0"/).'&/)2.)$4&")+2+6/0/=,%+%$,I)62/$)%0),'B/)$/+$/)02)0'(B)'@240)6/0/=,%+%$3&)

,26/($).2=)&#@/=E?"#$%&'()$#$0/,$N)

Lee, Berkeley 20

•! K0"$&%/+&/P"-9&"6.:,&")="."*)?&:":3&5"30"9)C"C&::"3-5"%&9.63)'"*.-29&5"-9.-")="-9&"+9$532.:"5$5-&*7"

•! K0"/+9%+//=%+9P"-9&"6.:,&")="-9&"+9$532.:"5$5-&*":3&5"30"9)C"C&::"3-5"%&9.63)'"*.-29&5"-9.-")="-9&"*)?&:7"

Lee, Berkeley 21

In engineering, model fidelity is a two-way street!

For a model to be useful, it is necessary (but not sufficient) to be able to be able to

construct a faithful physical realization.

N)?&:"M3?&:3-$"D&6353-&?"

8"N)?&:"

Lee, Berkeley 22

8"I9$532.:"D&.:3V./)0"

Lee, Berkeley 23

N)?&:"M3?&:3-$"

•! G)"."$&%/+3$0P"-9&"*)?&:"35"X.C&?7"

•! G)".0"/+9%+//=P"-9&"+9$532.:"'&.:3V./)0"35"X.C&?7"

KR*".0"&0;30&&'Y"M)'"#I1P"C&"0&&?"%&Z&'"*)?&:5"C3-9":&55"X.C&?"+9$532.:"'&.:3V./)057"

Lee, Berkeley 24

#9.0;30;"-9&"[,&5/)0"

G9&"H,&5/)0"35"+20"C9&-9&'"?&-&'*3035/2"*)?&:5"2.0"?&52'3%&"-9&"%&9.63)'")="2$%&'E+9$532.:"5$5-&*5">C3-9"93;9"T?&:3-$@7""G9&"H,&5/)0"35"C9&-9&'"C&"2.0"%,3:?"2$%&'E+9$532.:"5$5-&*5"C9)5&"%&9.63)'"*.-29&5"-9.-")="."?&-&'*3035/2"*)?&:">C3-9"93;9"+')%.%3:3-$@7"

Lee, Berkeley 25

D&5&.'29"<F)'-5".-"\&'L&:&$"\&Z&'"<0;30&&'30;"-9'),;9"\&Z&'"N)?&:5"

•! IGK4<1!"?35-'3%,-&?"'&.:E/*&"5)SC.'&"–! 4&-&'*3035/2"/*30;")="?35-'3%,-&?"#I1"

•! ID<G"*.2930&5"–! 4&-&'*3035/2"/*30;".-"-9&"+')2&55)'":&6&:"

•! 822&55)'5">G&''.1C.'*@"–! I'3023+:&?"2)*+)53/)0")="0&-C)'L&?"2)*+)0&0-5"

•! ]+&0E5),'2&"5)SC.'&"–! I-):&*$"KK"

•! N)?&:E%.5&?"?&53;0">3#$I9$@"–! K0-&'=.2&5">&7;7"MNK@P"2)0-'.2-5P".5+&2-5P"Y"

•! 1&*.0/25"–! G3*&?"*)?&:5")="2)*+,-./)0P"

Lee, Berkeley 26

Lee, Berkeley 27

M)2,5")0"-9&"Q&-C)'L"K0-&'.2/)05"

*/0/=,%+%$3&),26/($"=)'"?35-'3%,-&?"'&.:E/*&"5)SC.'&".'&"+)553%:&",530;"."-&2903H,&"2.::&?"IGK4<17""

IGK4<1!"4352'&-&E<6&0-"1&*.0/25"("1$029')03V&?"#:)2L5"

Lee, Berkeley 28

Time-stamped events that are processed in time-stamp order.

This MoC is widely used in simulation and HDLs.

Given time-stamped inputs, it is a deterministic concurrent MoC.

A few texts that use the DE MoC

#:)2L"1$029')03V./)0"

•! QGI"•! ^I1"•! _`aa"•! G1Q"

Lee, Berkeley 29

:;$",.1"!"4352'&-&E&6&0-">4<@"*)?&:5".'&"=)'*.:"5$5-&*"5+&23T2./)05"-9.-"9.6&".0.:$V.%:&"?&-&'*3035/2"%&9.63)'57"J530;".";:)%.:P"2)0535-&0-"0)/)0")="/*&P"4<"2)*+)0&0-5"2)**,032.-&"63."/*&E5-.*+&?"&6&0-57"4<"*)?&:5"9.6&"+'3*.'3:$"%&&0",5&?"30"+&'=)'*.02&"*)?&:30;".0?"53*,:./)0P"C9&'&"/*&"5-.*+5".'&"."*)?&:30;"+')+&'-$"%&.'30;"0)"'&:./)0593+"-)"'&.:"/*&"?,'30;"&O&2,/)0")="-9&"*)?&:7"K0"-935"+.+&'P"C&"&O-&0?"4<"*)?&:5"C3-9"-9&"2.+.%3:3-$")="'&:./0;"2&'-.30"&6&0-5"-)"+9$532.:"/*&Y"

30 Lee, Berkeley

Ptides – A Robust Distributed DE MoC for IoIT Applications

Time stamp value is a deadline

Time stamp value is time of measurement

Actors wrap sensors

Actors wrap actuators

Lee, Berkeley 31

Ptides: First step: Time stamps bind to real time at sensors and actuators"

Ptides: Second step: Time-stamped messages.

Messages carry time stamps that define their

interleaving

Actors specify computation

Lee, Berkeley 32

Ptides: Third step: Network clock synchronization

GPS, NTP, IEEE 1588, TSN, time-triggered busses, ! they all work. We just need to bound the clock synchronization error.

Assume bounded clock error

Assume bounded clock error e


Clock synchronization gives global meaning to

time stamps

Messages are processed in time-stamp order

Lee, Berkeley 33

Assuming perfect clock synchronization, this gives a deterministic model of overall closed-loop dynamics.

Ptides: Fourth step: Specify latencies in the model

Model includes manipulations of time stamps, which control

latencies between sensors and actors

Actuators may be designed to interpret input time stamps as the time at which to

take action. Feedback through the physical world Lee, Berkeley

34

Ptides: Fifth step: Safe-to-process analysis (ensures determinacy)

Safe-to-process analysis guarantees that events are processed in time-stamp order, given some assumptions.

Assume bounded network delay d

Assume bounded clock error


An earliest event with time stamp t here can be safely merged when real time exceeds t + s + d + e – d2


Assume bounded sensor delay s

Application specification of

latency d2 Technical: Need to have deadlines on network interfaces, to guarantee time-stamp order irrespective of execution times of actors. Lee, Berkeley 35

All of the assumptions are achievable with today’s technology, and are requirements anyway for hard-real-time systems. The Ptides model makes the requirements explicit.

Lee, Berkeley 36

So Many Assumptions?"

You will never strike oil by drilling through the map!

Violations of the requirements are detectable as out-of-order events and can be treated as faults.

Non-Synchronized Clocks

A “fault” is a violation of assumptions in the model.

! after an event here with a later time stamp has been processed, then one or more assumptions was violated.

If an event arrives here with an earlier time

stamp!

As with any model, the physical world may not conform to its rules. Violations should be treated as faults.

Lee, Berkeley 37

Handling Faults"

^));:&"1+.00&'"b"8"D&306&0/)0")="IGK4<1"

^));:&"30?&+&0?&0-:$"?&6&:)+&?"."6&'$"53*3:.'"-&2903H,&".0?".++:3&?"3-"-)"?35-'3%,-&?"?.-.%.5&57"

Lee, Berkeley 38

Proceedings of OSDI 2012

^));:&"1+.00&'"b"8"D&306&0/)0")="IGK4<1"

Lee, Berkeley 39

Distributed database with redundant storage and query handling across data centers.

Update to a record comes in. Time stamp t1.

Query for the same record comes in. Time stamp t2.

^));:&"1+.00&'"b"8"D&306&0/)0")="IGK4<1"

Lee, Berkeley 40


If t2 < t1, the query response should be the pre-update value. Otherwise, it should be the post-update value.


^));:&"1+.00&'!"c9&0"-)"D&5+)0?W"

Lee, Berkeley 41


When the local clock time exceeds t2 + e + d, issue the current record value as a response.

Synchronize clocks with error bound e.

Communication latency bound b.


^));:&"1+.00&'!"M.,:-d"

Lee, Berkeley 42


If after sending a response, we receive a record update with time stamp t1 < t2 declare a fault. Spanner handles this with a transaction schema.

Synchronize clocks with error bound e.

Communication latency bound b.


1&&"\))L"

1&&"•! #9.+-&'"a!""

4352'&-&E<6&0-"N)?&:5"•! #9.+-&'"_e!""

N)?&:30;"G3*&?"1$5-&*5"

M'&&"?)C0:).?".-!"9Z+!ff+-):&*$7)';f5$5-&*5"

Lee, Berkeley 43 43

Lee, Berkeley 44

IGK4<1"4&.:5"C3-9"Q&-C)'L"K0-&'.2/)05"

O40);"'0)'@240)%+0/='&32+$);%0")0"/)?"#$%&'()?('+0N""

Lee, Berkeley 45

c9.-".%),-"-935"#$%&'EI9$532.:"\),0?.'$W"

D&5&.'29"<F)'-5"\&Z&'"<0;30&&'30;"-9'),;9"\&Z&'"N)?&:5"

•! IGK4<1!"?35-'3%,-&?"'&.:E/*&"5)SC.'&"–! 4&-&'*3035/2"/*30;")="?35-'3%,-&?"#I1"

•! ID<G"*.2930&5"–! 4&-&'*3035/2"/*30;".-"-9&"+')2&55)'":&6&:"

•! 822&55)'5"–! I'3023+:&?"2)*+)53/)0")="0&-C)'L&?"2)*+)0&0-5"

•! ]+&0E5),'2&"5)SC.'&"–! I-):&*$"KK"

•! N)?&:E%.5&?"?&53;0">3#$I9$@"–! K0-&'=.2&5">&7;7"MNK@P"2)0-'.2-5P".5+&2-5P"Y"

•! 1&*.0/25"–! G3*&?"*)?&:5")="2)*+,-./)0P"

Lee, Berkeley 46

The hardware out of which we build computers is capable of delivering “correct” computations and precise timing!

The synchronous digital logic abstraction removes the messiness of transistors. ! but the overlaying software abstractions discard the timing precision.

// Perform the convolution. for (int i=0; i<10; i++) { x[i] = a[i]*b[j-i]; // Notify listeners. notify(x[i]); }

Lee, Berkeley 47

PRET Machines – Giving Software the Capabilities their Hardware Already Has.

•! PREcision-Timed processors = PRET •! Predictable, REpeatable Timing = PRET •! Performance with REpeatable Timing = PRET

= PRET + Computing

With time

// Perform the convolution. for (int i=0; i<10; i++) { x[i] = a[i]*b[j-i]; // Notify listeners. notify(x[i]); }

http://chess.eecs.berkeley.edu/pret

Lee, Berkeley 48

ID<G"N.2930&5"

1,**.'$")="ID<G!"#)0-')::30;"/*30;")="5)SC.'&"C3-9"93;9"+'&2353)0"35"+)553%:&"C3-9"0)":)55")="+&'=)'*.02&7"""M)'"?&-.3:5!"K063-&"*&"%.2L7"]'"5&&"9Z+!ff29&557&&257%&'L&:&$7&?,f+'&-"

Lee, Berkeley 49

Y"80?"-9&'&"35"*)'&"Y"

•! IGK4<1!"?35-'3%,-&?"'&.:E/*&"5)SC.'&"–! 4&-&'*3035/2"/*30;")="?35-'3%,-&?"#I1"

•! ID<G"*.2930&5"–! 4&-&'*3035/2"/*30;".-"-9&"+')2&55)'":&6&:"

•! 822&55)'5">G&''.1C.'*@"–! I'3023+:&?"2)*+)53/)0")="0&-C)'L&?"2)*+)0&0-5"

•! ]+&0E5),'2&"5)SC.'&"–! I-):&*$"KK"

•! N)?&:E%.5&?"?&53;0">3#$I9$@"–! K0-&'=.2&5">&7;7"MNK@P"2)0-'.2-5P".5+&2-5P"Y"

•! 1&*.0/25"–! G3*&?"*)?&:5")="2)*+,-./)0P"

Lee, Berkeley 50

4&-&'*3035*W"

•! G9&"'&.:"C)':?"35"93;9:$",0+'&?32-.%:&7"•! 1)P".'&"?&-&'*3035/2"*)?&:5",5&=,:W"

–! K5"5$029')0),5"?3;3-.:":);32",5&=,:W""–!8'&"305-',2/)0E5&-".'293-&2-,'&5",5&=,:W"–! 130;:&E-9'&.?&?"3*+&'./6&"+');'.*5W""–!43F&'&0/.:"&H,./)05W"

Lee, Berkeley 51

For a model to be useful, it is necessary (but not sufficient) to be able to be able to

construct a faithful physical realization.

Avoid Building on Weak Foundations

The semantics of a modeling framework is the foundation for the models. Weak foundations result in less useful models. Deterministic models offer more solid foundations.

Lee, Berkeley 52

4&-&'*3035*W"

4&-&'*3035/2"*)?&:5"?)"0)-"&:3*30.-&"-9&"0&&?"=)'"')%,5-P"=.,:-E-):&'.0-"?&53;057"

K0"=.2-P"-9&$"/+'@(/"5,29"?&53;05P"%&2.,5&"-9&$"*.L&"3-"*,29"2:&.'&'"C9.-"3-"*&.05"-)"9.6&"."=.,:-d"

Lee, Berkeley 53

Modeling in an Artificial Universe Components of a model interact in an artificial universe. The modeling framework provides the laws of physics of that universe. Nonnegotiable requirement: The laws of physics must be the same to every observer. Desirable properties: •! Determinism •! Understandability Not necessary: The laws need not be those of the physical world. We are free to invent.

Lee, Berkeley 54

#)02:,53)0"

#I1"?&*.0?5"0&C"C.$5")="*)?&:30;7""K-"'&H,3'&5"6/0/=,%+%$3&)*)?&:5"-9.-"&*%'.2&"3,/P"-);&-9&'"C3-9".'%0".4("+9$532.:"'&.:3V./)057)

55 55

Raffaello Sanzio da Urbino – The Athens School

See: Lee, "The Past, Present, and Future of Cyber-Physical Systems: A Focus on Models," Sensors, 15(3), February, 2015. (Open Access)

Better Engineering through Better Models

Documents

Transcript of Better Engineering through Better Models