Rigorous engineering of safety-critical Cyber-Physical Systems (CPS) requires integration of heterogeneous modeling methods from different disciplines. It is often necessary to view this integration from the perspective of analyses -- algorithms that read and change models. Although analytic integration supports formal contract-based verfication of model evolution, it suffers from the limitation of analytic dependency loops. Dependency loops between analyses cannot be resolved based on the existing contract-based verification. This paper makes a step towards using rich architectural description to resolve circular analytic dependencies. We characterize the dependency loop problem and discuss three algorithmic approaches to resolving such loops: analysis iteration, constraint solving, and genetic search. These approaches take advantage of information in multi-view architectures to resolve analytic dependency loops.

1. Analytic Dependency Loops in
Architectural Models of
Cyber-Physical Systems
8th International Workshop on Model-based Architecting of
Cyber-Physical and Embedded Systems (ACES-MB)
September 28, 2015
Ottawa, Canada
Ivan Ruchkin
Bradley Schmerl
David Garlan

2. 2
Acknowledgments
● Collaborators:
— Dionisio De Niz (SEI CMU)
— Sagar Chaki (SEI CMU)
— Ashwini Rao (ISR CMU)
● Sponsors:
— NSF
— DoD
— NSA

3. 3
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

4. 4
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

5. 5
Driverless Cars
Image credit: telegraph.co.uk

6. 6
Braking Subsystem Architecture

7. 7
Analyses

8. 8
Analyses

9. 9
Analyses

10. 10
Analyses

11. 11
Analytic Dependencies

12. 12
Dependency Loop Example

13. 13
Dependency Loop

14. 14
Analytic Dependency Loops
● Appear in complex cyber-physical systems
● Important to address
— Currently require expensive manual effort
— May introduce subtle errors into designs
● No up-front, one-size-fits-all solution
— Diverse disciplines and combinations of analyses
— Different project scope and constraints
● Goal: develop concepts and methods for resolving
such loops

15. 15
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

16. 16
Related Work
● Loops and dependencies in other contexts
— Loop invariants in programming languages [1]
— Deadlocks in dataflow systems [2]
— Dependencies in design [3]
● Model evolution
— Model transformations [4]
— Analysis contracts[5]
[1] P. Cousot and R. Cousot. Automatic synthesis of optimal invariant assertions, SIGART Bulletin 1977.
[2] Y. Zhou and E. Lee. A Causality Interface for Deadlock Analysis in Dataflow, EMSOFT 2006.
[3] A. Qamar. Model and Dependency Management in Mechatronic Design, PhD Thesis, 2013.
[4] G. Bergmann, I. Rth, G. Varr, D. Varr. Change-driven model transformations, SoSyM 2011.
[5] I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based Integration of Cyber-physical Analyses, EMSOFT 2014.

17. 17
Background
● Analysis contract C is a tuple (I, O, A, G):
— Inputs I
— Outputs O
— Assumptions A
— Guarantees G
● Analysis A1 depends on analysis A2 iff:
A1.I A∩ 2.O ≠ ∅

18. 18
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

19. 19
Fixpoints
● System model M is a fixpoint (FP)
— For analysis A if: A(M) = M
— For dependency loop A1..AN if: ∀i:1..N · Ai(M) = M
— “A solution to a loop”
● System model M is a candidate fixpoint (CFP)
— For analysis A: M ⊨ A.G
— For dependency loop A1..AN if: ∀i:1..N ∙ M ⊨ Ai.G
— “Almost a solution to a loop”

20. 20
Cases of Dependency Loops
C1. Strong convergence
— FP exists, and is reachable by any sequence of analyses
C2. Weak convergence
— FP exists, and is reachable by some sequence of analyses
C3. Weak divergence
— FP exists, but is not reachable by any sequence of analyses
C4. Divergence
— FP does not exist, but CFP exists
C5. Strong divergence
— Neither FP, nor CFP exist

21. 21
Example: Strong & Weak Convergence

22. 22
Example: Weak Divergence & Divergence

23. 23
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

24. 24
Approach
1. Use rich multi-view model
2. Find a fixpoint (or candidate)
3. Verify that a model is a fixpoint

25. 25
Multi-View Architecture

26. 26
Technique 1: Iterative Execution
● Execute analyses in some sequence
— Random
— Contract-guided
— Model order-guided
● Applicability: strong and weak convergence
● Pros:
— Simple, accessible
— Can verify fixpoints
● Cons:
— Computationally expensive
— Heuristic, no guarantees

27. 27
Technique 2: Constraint Solving
● Generate a constraint satisfaction problem
— Using architectural model and guarantees
— Does not execute analyses
● Applicability:
— Finds CFP in all cases except strong divergence
— Demonstrates absence of CFP in strong divergence
● Pros:
— Exhaustive search within bounds
● Cons:
— Results need to be verified with a different method
— Relies on model translation to a constraint language

28. 28
Technique 3: Genetic Search
● Derive hybrids of models
— Crossover: M1 x M2 = M1 M⊕ 2 {∪ m Ɐ ⊆ M1 M∩ 2}
– E.g., AAB x ABB = {AB, AAB, ABB, AABB}
● Applicable:
— Find FP in convergence and weak divergence
— Find CFP in divergence
● Pros:
— Can find FPs/CFPs beyond constraint solving bounds
● Cons:
— Heuristic, no guarantees

29. 29
Summary of Resolution Techniques
Case Iterative Execution Constraint Solving Genetic Search
Find FP in
strong conv.
✓ ✓ ✓
Verify FP in
strong conv.
✓
Find FP in
weak conv.
✓ ✓
Verify FP in
weak conv.
✓
Find FP in
weak div.
✓ ✓
Verify FP in
weak div.
✓
Find CFP in div. ✓ ✓
Verify CFP in div. ✓ ✓
Detect absence
of CFP in str. div.
✓

30. 30
Agenda
● Dependency loops in cyber-physical systems
● Related work and background
● Fixpoints and cases of loops
● Resolution techniques
● Wrap-up

31. 31
Future Work
● Other techniques for loop resolution
● Connect analysis contracts to system invariants
— Discharge assumptions with invariants
— Discharge invariants with guarantees
● Experiments on realistic system models

32. 32
Summary
● Analytic dependency loops occur in complex systems
— Contract specifications are insufficient to resolve
● This paper explored resolution techniques:
— Iterative execution
— Constraint solving
— Genetic search

33. 33
References
● Analysis contracts methodology:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. Contract-based
Integration of Cyber-physical Analyses, EMSOFT 2014.
● ACTIVE tool for verifying contracts:
— I. Ruchkin, D. De Niz, S. Chaki, D. Garlan. ACTIVE: A Tool
for Integrating Analysis Contracts, AVICPS 2014.
● Security and reliability analyses:
— I. Ruchkin, A. Rao, D. De Niz, S. Chaki, D. Garlan.
Eliminating Inter-Domain Vulnerabilities in Cyber-
Physical Systems: An Analysis Contracts Approach, CPS-
SPC 2015.

34. 34
Q&A
● When to terminate the search?
● What views to use for constraint generation?
● What if no fixpoints/candidates found?
— Involve humans
— Probably irreconcilable requirements
● Resolving vs. avoiding the loop?
● Automated recognition of loop cases?
● General theorems about techniques?