formal model-based design & manufactureaustin/ense622.d/lecture...formal model-based design...
TRANSCRIPT
Formal Model-Based Design & Manufacture:
A Template for Managing Complexity in Large-Scale Cyber-Physical Systems
Paul Eremenko
fmr. Deputy Director/Acting Director
Tactical Technology Office
Briefing prepared for the
Conference on Systems Engineering Research
March 21, 2013
The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
The six frigates (1794)
2
“… the sum of $688,888… to provide, equip and employ, four ships to carry forty guns each, and two ships to carry thirty-six guns each….”
--An Act to Provide a Naval Armament, March 27, 1794
USS Philadelphia, Tripoli Harbor, February 16, 1804
3
B-52 Stratofortress (1946)
"It is desired that the requirements set forth be considered as a goal and that the proposal be for an interim airplane to approximate all requirements, except that emphasis must be placed on meeting the high speed requirement... It is the intent that design proposals should present the best possible over-all airplane..." --Directive letter inviting design proposals for the B-52 bomber, February 13, 1946
F-111 Aardvark (1961)
5
F-35 Joint Strike Fighter (2001)
6
Kolmogorov complexity (sort of)
Frigate
F-22
B-52
0.1
1
10
100
1000
1750 1800 1850 1900 1950 2000 2050
Len
gth
of
Tech
nic
al S
pec
ific
atio
n (
pag
es)
Year of Entry into Service
7 Data compiled by Mark Nowack, DARPA/TTO
Software complexity
Apollo
Mariner-6
Viking Voyager
Shuttle
Galileo
ISS
Cassini Pathfinder
DS1
SIRTF
MER MRO
A-7E
EA-6B F-14A A-6E
F/A-18A AV-8B
F-14B
F/A-18C
AH-1W
F-14D
F/A-18E
F-22A F/A-18G F-35
1.E+00
1.E+01
1.E+02
1.E+03
1.E+04
1.E+05
1.E+06
1.E+07
1.E+08
1965 1970 1975 1980 1985 1990 1995 2000 2005 2010 2015
Key: • Manned Space Vehicle • Robotic Space Vehicle Manned Combat Aircraft
Year of Entry into Service
1
102
103
101
104
108
107
106
105
Sou
rce
Lin
es o
f C
od
e (S
LOC
)
Dvorak, D. ed, NASA Study on Flight Software Complexity, Jet Propulsion Laboratory, California Institute of Technology, 5 March2009 Borden, D., Software Acquisition Process Improvement, NAVAIR, undated Agle, D.C., Where Hunters Growl, Air & Space magazine, March 2011 8
Structural & software complexity
9 Data compiled by Mark Nowack, DARPA/TTO
Cost growth
10
$1 quintillion
$1 quadrillion
$1 trillion
$1 billion
$1 million
$1 thousand
1900 1950 2000 2050 2100 2150
Year of Entry into Service
Wright Model A
Morse JN-4A Standard E-1
DH-4
SPAD P-39 P-51
P-61
F-15
F-14
F-18
F-16 A-10
F-35 F-18
B-52
Entire Defense budget to buy one airplane.
Entire GNP to buy one airplane.
Source: Norm Augustine, Augustine’s Laws, 6th Edition, AIAA Press, 1997.
Evidence for a causal relationship with complexity
11
Modern systems engineering
Cost
Optimization
Power Data & Control Thermal Mgmt
SWaP
Optimization
SWaP
Optimization
System Functional
Specification
. . .
. . .
Subsystem
Design
Component
Design
System
Layout
Verification
& Validation
Component
Testing
Subsystem
Testing
SWaP = Size, Weight, and Power
Undesirable interactions (thermal, vibrations, EMI)
Desirable interactions (data, power, forces & torques)
V&V = Verification & Validation
System decomposed based on arbitrary cleavage lines . . .
Conventional V&V techniques do not scale to highly complex or adaptable systems–with large or infinite numbers of possible states/configurations
SWaP used as a proxy metric for cost, and dis-incentivizes abstraction in design
Unmodeled and undesired interactions lead to emergent behaviors during integration
. . . and detailed design occurs within these functional stovepipes
MIL-STD-499A (1969) systems engineering process: as employed today
Re-Design
Resulting architecturesare fragile point designs
12
Tools have made it better…
13
Image courtesy of Dassault Systemes
Dassault Falcon 7X Two-fold schedule compression for new business jets through faithful application of a digital master model with QA/QC feedback by tail number
Lockheed Martin F-35 Shimming and ‘drill and fill’ approach
significantly worsens production learning effects, leading to delays and
cost growth*
Image courtesy of Lockheed Martin
* GAO-10-382: Joint Strike Fighter – Additional Costs and Delays Risk Not Meeting Warfighter Requirements on Time, Mar 2010
13
… but the fundamental design flow hasn’t changed!
Giffin M., de Weck O., et al., Change Propagation Analysis in Complex Technical Systems, J. Mech. Design, 131 (8), Aug. 2009.
Engineering Change Requests (ECRs) per Month of Program Life
From Project Inception through Midcourse Maneuver, vol. 1 of Mariner Mars 1964 Project Report: Mission and Spacecraft Development, Technical Report No. 32-740, 1 March 1965, JPLA 8-28, p. 32, fig. 20.
Mariner Spacecraft (1960s) Modern Cyber-Electromechanical System (2000s)
14
Adaptive Vehicle Make
15
Approaches for tackling complexity
Simplify
Disaggregate
Modularize
??? 16
0
20
40
60
80
100
120
140
160
180
200
220
240
1E+03 1E+04 1E+05 1E+06 1E+07 1E+08 1E+09 1E+10
De
sign
, In
tegr
atio
n, a
nd
Te
stin
g (m
on
ths)
Complexity [Part Count + Source Lines of Code (SLOC)]
Automobile 1960s
Automobile 1990s
Automobile Next Gen
Integrated Circuit 1960s
Aerospace Vehicle 1960s
Aerospace Vehicle 1990s
~5X Reduction in Development Effort
New IC design flow
New automotive design flow
Long-Range Strike (est.)
Intel 8088 Intel 286 Intel 386
Pentium
Xeon
MIL-STD-499A
~10X Increase in Manageable Complexity
Integrated Circuit Next Gen
Goal
DARPA goals for AVM
17 Data compiled by Mark Nowack, DARPA/TTO
Existence proof—VLSI design
Daily engineer output (Trans/day)
Develop- ment time (mo)
IP block performance Inter IP communication performance models
incr
eas
ing
abst
ract
ion
Cluster
Abstract Cluster
Abstract RTL RTL
clusters
Abstract
Cluster SW models
IP blocks
Transistor model Capacity load
Gate level model Capacity load
System-on-chip Design Framework Wire load
18
Transistors per chip Speed (Hz)
Feature Size (µm)
Sources: Singh R., Trends in VLSI Design: Methodologies and CAD Tools, CEERI, Intel, The Evolution of a Revolution, and Sangiovanni-Vinventelli, A., Managing Complexity in IC Design, 2009
Existence proof—foundry-style manufacturing
An approach to VLSI chip design that separates design from manufacturing (Mead & Conway, 1979). Design implementation: Use of simplified device & component models that trade some performance for automation of design.
Design rules that are independent of and scalable with process technologies.
Semiconductor manufacturing facility becomes the semiconductor foundry. Semiconductor product implementation: Chip prototypes are manufactured in silicon foundries using the same tools, fabrication processes and materials used for high-volume chip manufacturing… no seams.
The result: Moved from hundreds of chip designers using vertically-integrated, captive semiconductor facilities to tens of thousands of designers using pure-play semiconductor foundries to create thousands of products.
Continues to enable, cost-effective custom VLSI products: Generating new markets & new companies including Apple, Silicon Graphics, Cadence, Jazz, TSMC, Broadcom, Nvidia and Qualcomm.
19
Des
ign
Up
da
te
Feed
ba
ck
Co
nst
rain
ts f
rom
Hig
her
Leve
ls o
f A
bst
ract
ion
Ma
nu
fact
ura
bili
ty
Co
nst
rain
ts
Co
mp
on
ent
Mo
del
Lib
rary
Model abstraction
Hie
rarc
hic
al a
bst
ract
ion
Electrical
Hydraulic
Mechanical
Thermal
Electromagnetic
Semantic Integration
Design Trade Space Visualization Dynamic Visualization
Structural & Entropy-Based Complexity Metrics Calculation
Design Space Construction(Stati
c Models)
Qualitative/ Relational
Models
Lumped Parameter (ODE)
Models
Nonlinear Differential
Equation (PDE) Models
Reachability Analysis
Controller/ FDIR Synthesis
CAD Geometry/ Grid Synthesis
Probabilistic Model Checker
Monte Carlo Dynamic Sim
Co
nte
xt M
od
el L
ibra
ry
FEA
CFD
PLM
User Req’ment Synthesis
The META-iFAB Integrated Tool Chain Rev. 10/18/2011
Probabilistic Certificate of Correctness
Foundry Trade Space Construct.
Instruction Sets
BOM
Process Model Library
. . .
Domain- Specific Modeling Languages
Multi- Attribute Preference Surfaces
Static Constraint Solver
Requirements
Verification
Process Mapping Ass’y Selection
Machine Selection
Machine/Ass’y Mod Lib
CNC Generator
QA/QC
Visualization
Metrics
Foundry
Design
20 Source: Paul Eremenko, DARPA/TTO
Formal Model-Based Design
21
As of today:
• 131 component classes
• 469 component instances
• 43 parametric components
• 112 ITAR protected models
• 357 non-ITAR protected models
Component models
22 Source: Ricardo plc
Probabilistic Context Model • Generate discrete time Markov chain (DTMC)
models of terrain from digital elevation data formula slope =
s = 0 ? down :
s = 1 ? level :
s = 2 ? up : 1;
module terrain
s : [0..2] init 1;
[] s=0 -> 0.8 : (s'=0) + 0.2 : (s'=1) + 0.0 : (s'=2) ;
[] s=1 -> 0.1 : (s'=0) + 0.8 : (s'=1) + 0.1 : (s'=2) ;
[] s=2 -> 0.0 : (s'=0) + 0.2 : (s'=1) + 0.8 : (s'=2) ;
endmodule
0.00 0.01 0.02 -0.01 -0.02
Specify terrain resolution for model and generate histogram (simple)
Compute autocorrelation matrix for terrain data to incorporate relationship between adjacent locations (more realistic)
Markov chain representation of terrain for probabilistic model checking Customized for required horizontal and vertical resolution
DTED elevation data
Example • Probabilistic model of drive
train • Extended to add vehicle load
and state computation • Terrain context model
specified as Markov chain
W
VehicleWeight
Trans_rot Position
VehicleState
Slope_in
WeightLoad_out
VehicleLoad
Trans_in_rpmGear_ratio
TransmissionController
Gear_ratio_in
Rot_in
Trans_load
Trans_in_rpm_sensor
Trans_rot_out
Torque_out
Transmission
PositionSlope
Terrain
Throttle_in
Trans_torque_in
Engine_rot
DieselEngine
1
Throttle
Vehicle drivetrain
Extension
Context
Context
Context models
23 Source: BAE Systems Land & Armaments Division
Integration of formal semantics across domains
META Semantic Integration
Formal Verification
• Qualitative reasoning • Relational abstraction • Model checking • Bounded model checking
Distributed Simulation
• NS3 • OMNET • Delta-3D • CPN
Equations Modelica-XML
FMU-ME S-function FMU-CS
High Level Architecture Interface (HLA)
Composition • Continuous Time • Discrete Time • Discrete Event
• Energy flows • Signal flows • Geometric
Hybrid Bond Graph
Modelica Functional Mock-up
Unit
Embedded Software Modeling
TrueTime Simulink/ Stateflow
Stochastic Co-Simulation
• Open Modelica • Delta Theta • Dymola
24
Sou
rce:
Van
der
bilt
ISI
S
Hierarchical and model abstraction H
iera
rch
al A
bst
ract
ion
System
Subsystems
Assemblies
Components
Static Models
Qualitative Models
Linear / ODE
Nonlinear / PDE
Relational Models
~1010
~105
~102
~10
Model Abstraction
# o
f D
esig
n A
lter
nat
ives
25
Hierarchical abstraction—assembly level
26 Source: Vanderbilt ISIS
Hierarchical abstraction—subassembly/component level
27 Source: Vanderbilt ISIS
Cloud-hosted commercial tools instantiation
28 Source: CyDesign Labs
Model abstraction for verification
• Models are fully composable • Simulation trace sampling to verify
correctness probability • Application of probabilistic model
checking under investigation • 10^2 10 designs
Component Models • Modelica • State Flow • Bond Graphs • XML • Geometry
Sem
antic
Inte
gra
tion
• Static constraint application • Manufacturability constraints • Structural complexity metrics • Info entropy complexity metrics • Identify Pareto-dominant designs • 10^10 10^4 designs
Static Trade Space Exploration Qualitative Reasoning
• Qualitative abstraction of dynamics • Computationally inexpensive • Quickly eliminate undesirable designs • State space reachability analysis • 10^4 10^3 designs
Relational Abstraction Linear Differential Equation Models
• Relational abstraction of dynamics • Discretization of continuous state space • Enables formal model checking • State-space reachability analysis • 10^3 10^2 designs
• Generate composed CAD geometry for iFAB
• Generate structured & unstructured grids
• Provide constraints and input data to PDE solvers
• Couple to existing FEA, CFD, EMI, & blast codes
• 10 1 design
CAD & Partial Differential Equation Models
Embedded Software Synthesis
• Auto code generation • Generation of hardware-
specific timing models • Monte Carlo simulation
sampling to co-verify • Hybrid model checking
under investigation A
B
29 Sources: GATech; Xerox PARC; SRI; Vanderbilt ISIS
Verification on a adiabatic quantum computer
Wiring and filtering
• ‘Motherboard’ - entire package cooled to 20mK
• Specialized 30MHz filtering on all lines
• IO system for 128 & 512 qubit chipset
© Copyright 2011 D-Wave Systems Inc. 17 © Copyright 2011 D-Wave Systems Inc.
Vesuvius, 512 qubits
Calypso, 4 qubits
Leda, 28 qubits
Source: USC/ISI
Calypso
Europa Leda
Ranier
Vesuvius
1
10
100
1000
2002 2004 2006 2008 2010 2012 2014
Nu
mb
er o
f Q
ub
its
1.E+18 1.E+16
1.E+14
1.E+12 1.E+10
1.E+08 1.E+06
1.E+04 1.E+02
1.E+00
Med
ian
ru
n t
ime
to 9
9%
cer
tain
ty [
mic
rose
con
ds]
Number of Variables [N]
0 64 128 192 256 320 384 448 512
30
Probabilistic verification through simulation
31 Source: Vanderbilt ISIS
Probabilistic certificates of correctness (PCCs)
32 Source: Vanderbilt ISIS
Design space visualization
33 Source: Vanderbilt ISIS
Geometric composition for gridding/higher-order modeling
34 Source: Vanderbilt ISIS
Model-Based Manufacturing
35
Manufacturing process models
As of today:
• 7 material shaping processes
• 19 general processes
• 231 machine instantiations
• 64 manual labor units
• 3,212 tools
36 Sources: Penn State ARL; GM Research
Design decomposition
37 Source: Xerox PARC
Topological Decomposition “Reverse Composition”
Foundry configuration tradespace exploration
38 Source: Penn State ARL
Sequencing & scheduling
39 Source: Penn State ARL
Tasking the distributed foundry & feedback to design
Information
Agreements
Goods
Joint Manufacturing Technology Center
Rock Island Arsenal, IL
ANALYSIS TIMING
• Part Decomposition - ~10 min • Assembly Analysis - ~120 min • Purchased Parts - ~1 min • Manufactured Parts
• aPriori - ~2 min/part • CNC-Ana - ~35 min
• Design Configuration - ~10 min • Build Schedule Gen - ~5 min
40 Source: Penn State ARL
Ecosystem
41
Collaboration platform—configuration control
42
Sou
rce:
Van
der
bilt
ISI
S
Collaboration platform—component model ontology
43 Source: Vanderbilt ISIS
Collaboration platform—immersive multi-user visualization
44 Sources: Electrotank; Vanderbilt ISIS
Critical scale for a model-based product ecosystem
45
Sources: Ferrari, A. An Overview of (Electronic) System Level Design: beyond hardware-software co-design, SFM-06:HV, Univ. of Urbino 2006; Jorge Tierno, Boston Fusion
Boston Fusion ROM Estimate of Investment Scale
AUTOSAR Consortium
Two-Sided Market Model
Prize: $1,000,000
FANG Challenge 1 – Mobility and Drivetrain subsystems
As of today:
• 1,077 participants
• 267 total teams
• 18 teams qualified for finals
• Largest team size ~ 27
Initial roll-out - 1/14/2013 Finalist team selection - 3/17/2013 Registration closes - 4/1/13 Challenge closes - 4/15/2013 Winner announced - 4/22/2013 Build - Summer 2013 (tbd)
www.vehicleforge.org 46
Prize: $1,000,000
FANG Challenge 2 – Chassis and Structural subsystems
47
Prize: $2,000,000
FANG Challenge 3 – Full Vehicle Design
Winner entered into Marine ACV prototype fly-off
48
Modeling shows promise for 5X time compression
400 Req/M 400 10 Arch/M 80
400 Spec/M 600 2000 Tests/M 600
Req*/M 800
200 Req/M 200 5 Arch/M 40
200 Spec/M 300 1000 Tests/M 300
Req*/M 400
0 0 12 24 36 48 60 72 84 96 0 12 24 36 48 60 72 84 96
Time (Month) Time (Month) Requirements Elicitation : METAm-on/off-with-change Concept Exploration : METAm-on/off-with-change Design and Integration : Metam-on/off-with-change Verification : METAm-on/off-with-change
Validation : METAm-on/off-with-change Certificate of Completion : METAm-on-with -change
Requirements/Month Architectures/Month Specifications/Month
Tests/Month Requirements/Month
META Design Flow Traditional Design Flow
Source: Olivier de Weck, MIT 49
50
For more information:
FANG Challenges: http://www.vehicleforge.org Source Code: http://www.cps-vo.org
DARPA PM: [email protected]
Coming soon… special issue of Journal of SE!