Formal Model-Based Design & Manufacture: A Template for Managing Complexity in Large-Scale Cyber-Physical Systems

Paul Eremenko, fmr. Deputy Director/Acting Director, Tactical Technology Office, DARPA
Briefing prepared for the Conference on Systems Engineering Research, March 21, 2013

The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.

The six frigates (1794)
“… the sum of $688,888 … to provide, equip and employ, four ships to carry forty guns each, and two ships to carry thirty-six guns each ….”
-- An Act to Provide a Naval Armament, March 27, 1794


USS Philadelphia, Tripoli Harbor, February 16, 1804


B-52 Stratofortress (1946)
"It is desired that the requirements set forth be considered as a goal and that the proposal be for an interim airplane to approximate all requirements, except that emphasis must be placed on meeting the high speed requirement... It is the intent that design proposals should present the best possible over-all airplane..."
-- Directive letter inviting design proposals for the B-52 bomber, February 13, 1946

F-111 Aardvark (1961)


F-35 Joint Strike Fighter (2001)


Kolmogorov complexity (sort of)
[Chart: length of technical specification (pages, log scale from 0.1 to 1000) against year of entry into service, 1750 to 2050; data points for the Frigate, the B-52 and the F-22.]
Data compiled by Mark Nowack, DARPA/TTO

Software complexity
[Chart: source lines of code (SLOC, log scale from 1 to 10^8) against year of entry into service, 1965 to 2015. Manned combat aircraft: A-6E, A-7E, F-14A, F-14B, F-14D, EA-6B, AV-8B, AH-1W, F/A-18A, F/A-18C, F/A-18E, F/A-18G, F-22A, F-35. Manned space vehicles: Apollo, Shuttle, ISS. Robotic space vehicles: Mariner-6, Viking, Voyager, Galileo, Pathfinder, DS1, Cassini, SIRTF, MER, MRO.]
Sources: Dvorak, D. (ed.), NASA Study on Flight Software Complexity, Jet Propulsion Laboratory, California Institute of Technology, 5 March 2009; Borden, D., Software Acquisition Process Improvement, NAVAIR, undated; Agle, D.C., Where Hunters Growl, Air & Space magazine, March 2011

Structural & software complexity

Data compiled by Mark Nowack, DARPA/TTO


Cost growth
[Chart: unit cost (log scale, $1 thousand to $1 quintillion) against year of entry into service, 1900 to 2150. The trend line is extrapolated through the points at which the entire defense budget, and then the entire GNP, would buy one airplane. Aircraft shown: Wright Model A, JN-4A, DH-4, SPAD, Morse, Standard E-1, P-39, P-51, P-61, B-52, A-10, F-14, F-15, F-16, F-18, F-35.]
Source: Norm Augustine, Augustine’s Laws, 6th Edition, AIAA Press, 1997.

Evidence for a causal relationship with complexity


Modern systems engineering
MIL-STD-499A (1969) systems engineering process, as employed today:
System Functional Specification -> Cost Optimization -> SWaP Optimization -> System Layout -> functional stovepipes (Power | Data & Control | Thermal Mgmt | ...) -> Subsystem Design -> Component Design -> Component Testing -> Subsystem Testing -> Verification & Validation -> Re-Design
• SWaP is used as a proxy metric for cost, and disincentivizes abstraction in design
• The system is decomposed based on arbitrary cleavage lines, and detailed design occurs within these functional stovepipes
• Conventional V&V techniques do not scale to highly complex or adaptable systems with large or infinite numbers of possible states/configurations
• Resulting architectures are fragile point designs
• Unmodeled and undesired interactions lead to emergent behaviors during integration: desirable interactions (data, power, forces & torques) vs. undesirable interactions (thermal, vibrations, EMI)
SWaP = Size, Weight, and Power; V&V = Verification & Validation

Tools have made it better…
Dassault Falcon 7X: two-fold schedule compression for new business jets through faithful application of a digital master model with QA/QC feedback by tail number. (Image courtesy of Dassault Systemes)
Lockheed Martin F-35: shimming and ‘drill and fill’ approach significantly worsens production learning effects, leading to delays and cost growth.* (Image courtesy of Lockheed Martin)
* GAO-10-382: Joint Strike Fighter – Additional Costs and Delays Risk Not Meeting Warfighter Requirements on Time, Mar 2010

… but the fundamental design flow hasn’t changed!
[Charts: Engineering Change Requests (ECRs) per month of program life, for the Mariner spacecraft (1960s) and for a modern cyber-electromechanical system (2000s).]
Sources: Mariner Mars 1964 Project Report: Mission and Spacecraft Development, vol. 1, From Project Inception through Midcourse Maneuver, Technical Report No. 32-740, JPL, 1 March 1965, JPLA 828, p. 32, fig. 20; Giffin M., de Weck O., et al., Change Propagation Analysis in Complex Technical Systems, J. Mech. Design, 131 (8), Aug. 2009.

Adaptive Vehicle Make


Approaches for tackling complexity
• Simplify
• Disaggregate
• Modularize
• ???

DARPA goals for AVM
[Chart: design, integration and testing time (months, 0 to 240) against complexity (part count + source lines of code, log scale from 10^3 to 10^10). Points: Automobile 1960s, 1990s and Next Gen; Aerospace Vehicle 1960s and 1990s; Integrated Circuit 1960s, Intel 8088, Intel 286, Intel 386, Pentium, Xeon and Next Gen; Long-Range Strike (est.). The MIL-STD-499A trend line is contrasted with the new IC design flow and the new automotive design flow. Goal: ~10X increase in manageable complexity and ~5X reduction in development effort.]
Data compiled by Mark Nowack, DARPA/TTO

Existence proof—VLSI design
Increasing abstraction: from the transistor model and gate-level model (capacity load), through RTL clusters and abstract RTL/abstract clusters (wire load, performance models), to a system-on-chip design framework (abstract IP blocks, IP block performance, inter-IP communication, SW models).
[Charts over time: feature size (µm), transistors per chip, speed (Hz), development time (mo), daily engineer output (trans/day).]
Sources: Singh R., Trends in VLSI Design: Methodologies and CAD Tools, CEERI; Intel, The Evolution of a Revolution; Sangiovanni-Vincentelli, A., Managing Complexity in IC Design, 2009

Existence proof—foundry-style manufacturing
An approach to VLSI chip design that separates design from manufacturing (Mead & Conway, 1979).
• Design implementation: use of simplified device & component models that trade some performance for automation of design; design rules that are independent of and scalable with process technologies.
• Semiconductor product implementation: the semiconductor manufacturing facility becomes the semiconductor foundry; chip prototypes are manufactured in silicon foundries using the same tools, fabrication processes and materials used for high-volume chip manufacturing… no seams.
The result: moved from hundreds of chip designers using vertically integrated, captive semiconductor facilities to tens of thousands of designers using pure-play semiconductor foundries to create thousands of products. Continues to enable cost-effective custom VLSI products, generating new markets & new companies including Apple, Silicon Graphics, Cadence, Jazz, TSMC, Broadcom, Nvidia and Qualcomm.

The META-iFAB Integrated Tool Chain
[Diagram, rev. 10/18/2011. Design side (META): user requirement synthesis with multi-attribute preference surfaces; design trade space visualization (dynamic visualization, visualization metrics, QA/QC, design update feedback); modeling languages and semantic integration over a component model library and a domain-specific context model library (electromagnetic, thermal, mechanical, hydraulic, electrical); structural & entropy-based complexity metrics calculation; design space construction (static models) with a static constraint solver; qualitative/relational models with reachability analysis; lumped parameter (ODE) models with controller/FDIR synthesis; nonlinear differential equation (PDE) models with CAD geometry/grid synthesis, FEA and CFD; probabilistic model checker and Monte Carlo dynamic simulation for requirements verification, yielding a probabilistic certificate of correctness. Constraints flow down from higher levels of abstraction (hierarchical abstraction, model abstraction). Manufacturing side (iFAB): manufacturability constraints fed back to design; foundry trade space construction; foundry design instruction sets and BOM; assembly selection, process mapping and machine selection over a machine/assembly model library and a process model library; CNC generator; PLM.]
Source: Paul Eremenko, DARPA/TTO

Formal Model-Based Design


Component models
As of today:
• 131 component classes
• 469 component instances
• 43 parametric components
• 112 ITAR protected models
• 357 non-ITAR protected models
Source: Ricardo plc

Context models
Example:
• Probabilistic model of drive train
• Extended to add vehicle load and state computation
• Terrain context model specified as Markov chain
[Diagram: vehicle drivetrain model. Core blocks: DieselEngine, Transmission, TransmissionController, Throttle, Position, Trans_in_rpm_sensor. Extension blocks: VehicleState, VehicleLoad. Context blocks: Terrain, VehicleWeight. Signals: Throttle_in, Engine_rot, Rot_in, Gear_ratio, Gear_ratio_in, Trans_in_rpm, Trans_rot, Trans_rot_out, Trans_torque_in, Torque_out, Trans_load, Load_out, Slope, Slope_in, Weight, W.]
Probabilistic Context Model
• Generate discrete time Markov chain (DTMC) models of terrain from digital elevation data (DTED)
• Specify terrain resolution for model and generate histogram (simple)

The terrain module in PRISM's modeling language, as shown on the slide (the slope constants down, level and up are declared here as undefined constants so the model parses; their values are not given on the slide):

    // slope constants: assumed to be declared elsewhere in the model
    const double down;
    const double level;
    const double up;

    // slope of the current terrain state (s=0 down, s=1 level, s=2 up)
    formula slope = s = 0 ? down : s = 1 ? level : s = 2 ? up : 1;

    module terrain
      s : [0..2] init 1;
      [] s=0 -> 0.8 : (s'=0) + 0.2 : (s'=1) + 0.0 : (s'=2);
      [] s=1 -> 0.1 : (s'=0) + 0.8 : (s'=1) + 0.1 : (s'=2);
      [] s=2 -> 0.0 : (s'=0) + 0.2 : (s'=1) + 0.8 : (s'=2);
    endmodule

Each row of the transition matrix sums to 1, and the chain never moves directly between down and up.
• Compute autocorrelation matrix for terrain data to incorporate relationship between adjacent locations (more realistic)
[Histogram of slope values, -0.02 to 0.02]
Markov chain representation of terrain for probabilistic model checking, customized for required horizontal and vertical resolution.
Source: BAE Systems Land & Armaments Division
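The two terrain chains this slide describes, built from a constructed elevation profile, written out in the PRISM module form used above and checked for a bounded reachability property, as an added example (not code from the briefing or from BAE Systems; the elevation samples, the 10 m spacing, the slope threshold and all function names are assumptions made for illustration):

```python
"""Terrain context model as a discrete-time Markov chain (DTMC).

Added example, not code from the briefing or from BAE Systems. It builds the
two terrain chains the slide describes, the histogram ("simple") chain and the
adjacent-location transition ("more realistic") chain, from a constructed
elevation profile, writes the chain out in the PRISM module form shown on the
slide, and checks a bounded reachability property on it. The elevation
samples, spacing and slope threshold are constructed/assumed values.
"""
from collections import Counter
from typing import List, Sequence

DOWN, LEVEL, UP = 0, 1, 2                    # PRISM variable s : [0..2]
STATES = (DOWN, LEVEL, UP)

# Constructed elevation samples (metres) along a track at fixed spacing.
ELEVATION_M = [100.0, 100.3, 100.7, 101.1, 101.2, 101.2, 101.0, 100.6,
               100.1, 99.8, 99.7, 99.7, 99.9, 100.3, 100.8, 101.4, 101.9,
               102.0, 102.0, 101.7, 101.2, 100.8, 100.7]
SPACING_M = 10.0            # horizontal resolution of the model (assumed)
SLOPE_THRESHOLD = 0.015     # |rise/run| at or below this is "level" (assumed)


def classify_slopes(elev: Sequence[float], spacing: float = SPACING_M,
                    thr: float = SLOPE_THRESHOLD) -> List[int]:
    """Quantise the elevation profile into down/level/up at the chosen
    horizontal (spacing) and vertical (threshold) resolution."""
    classes = []
    for a, b in zip(elev, elev[1:]):
        grade = (b - a) / spacing
        classes.append(DOWN if grade < -thr else UP if grade > thr else LEVEL)
    return classes


def histogram_chain(classes: Sequence[int]) -> List[List[float]]:
    """'Simple' model: every row is the slope histogram, so successive
    locations are independent draws."""
    n = len(classes)
    marginal = [classes.count(k) / n for k in STATES]
    return [list(marginal) for _ in STATES]


def transition_chain(classes: Sequence[int]) -> List[List[float]]:
    """'More realistic' model: row i is the empirical distribution of the
    class at the next location given class i here, which is what the
    adjacent-location autocorrelation captures."""
    pairs = Counter(zip(classes, classes[1:]))
    rows = []
    for i in STATES:
        total = sum(pairs[(i, j)] for j in STATES)
        if total == 0:                       # class never seen: make it absorbing
            rows.append([1.0 if i == j else 0.0 for j in STATES])
        else:
            rows.append([pairs[(i, j)] / total for j in STATES])
    return rows


def is_stochastic(P: Sequence[Sequence[float]]) -> bool:
    """Sanity check before handing the matrix to a model checker."""
    return all(min(row) >= 0.0 and abs(sum(row) - 1.0) < 1e-9 for row in P)


def prob_reach_within(P, start: int, target: int, k: int) -> float:
    """P(F<=k s=target) from `start`: the bounded-until value iteration a
    probabilistic model checker performs for a DTMC."""
    x = [1.0 if s == target else 0.0 for s in STATES]
    for _ in range(k):
        x = [1.0 if s == target else sum(P[s][j] * x[j] for j in STATES)
             for s in STATES]
    return x[start]


def to_prism(P, init: int = LEVEL) -> str:
    """Render the chain in the module form shown on the slide."""
    lines = ["module terrain", f"  s : [0..2] init {init};"]
    for i in STATES:
        terms = " + ".join(f"{P[i][j]:.4f} : (s'={j})" for j in STATES)
        lines.append(f"  [] s={i} -> {terms};")
    lines.append("endmodule")
    return "\n".join(lines)


if __name__ == "__main__":
    cls = classify_slopes(ELEVATION_M)
    simple, realistic = histogram_chain(cls), transition_chain(cls)
    assert is_stochastic(simple) and is_stochastic(realistic)
    print(to_prism(realistic))
    for name, P in (("histogram", simple), ("transition", realistic)):
        print(f"{name:>10}: P(up within 2 steps | down) = "
              f"{prob_reach_within(P, DOWN, UP, 2):.3f}")
```

On this profile the histogram chain gives P(up within two steps | down) of about 0.60 while the transition chain gives about 0.05: treating adjacent locations as independent draws grossly overstates how quickly terrain changes, which is why the slide calls the autocorrelation step the more realistic model. Changing SPACING_M or SLOPE_THRESHOLD is the "customized for required horizontal and vertical resolution" knob; the printed module drops straight into PRISM.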

Integration of formal semantics across domains
[Diagram: META Semantic Integration hub.]
• Inputs: Simulink/Stateflow; Embedded Software Modeling; Hybrid Bond Graph; Modelica; TrueTime
• Composition: continuous time, discrete time, discrete event; energy flows, signal flows, geometric
• Exchange forms: Functional Mock-up Unit (FMU-ME, FMU-CS), S-function, equations, Modelica-XML
• Formal verification: qualitative reasoning, relational abstraction, model checking, bounded model checking
• Stochastic co-simulation: OpenModelica, Delta Theta, Dymola
• Distributed simulation over the High Level Architecture (HLA) interface: NS3, OMNET, Delta-3D, CPN
Source: Vanderbilt ISIS

Hierarchical and model abstraction
Hierarchical abstraction (number of design alternatives): Components ~10; Assemblies ~10^2; Subsystems ~10^5; System ~10^10
Model abstraction: Static Models -> Qualitative Models -> Relational Models -> Linear / ODE -> Nonlinear / PDE

Hierarchical abstraction—assembly level

Source: Vanderbilt ISIS


Hierarchical abstraction—subassembly/component level

Source: Vanderbilt ISIS


Cloud-hosted commercial tools instantiation

Source: CyDesign Labs


Model abstraction for verification
[Diagram: verification funnel over successive model abstractions. Component models (Modelica, Stateflow, bond graphs, XML, geometry) enter through Semantic Integration.]
• Static trade space exploration: static constraint application; manufacturability constraints; structural complexity metrics; information-entropy complexity metrics; identify Pareto-dominant designs. 10^10 -> 10^4 designs
• Qualitative reasoning: qualitative abstraction of dynamics; computationally inexpensive; quickly eliminate undesirable designs; state space reachability analysis. 10^4 -> 10^3 designs
• Relational abstraction: relational abstraction of dynamics; discretization of continuous state space; enables formal model checking; state-space reachability analysis. 10^3 -> 10^2 designs
• Linear differential equation models: models are fully composable; simulation trace sampling to verify correctness probability; application of probabilistic model checking under investigation. 10^2 -> 10 designs
• CAD & partial differential equation models: generate composed CAD geometry for iFAB; generate structured & unstructured grids; provide constraints and input data to PDE solvers; couple to existing FEA, CFD, EMI & blast codes. 10 -> 1 design
• Embedded software synthesis: auto code generation; generation of hardware-specific timing models; Monte Carlo simulation sampling to co-verify; hybrid model checking under investigation
Sources: GATech; Xerox PARC; SRI; Vanderbilt ISIS
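The first stage of this funnel, static constraint application followed by a Pareto-dominance filter over a combinatorial design space, as an added example (not the META tools' code; the option catalogue, the mass and cost limits, the manufacturability rule and the complexity scores are constructed for illustration):

```python
"""Static trade-space pruning: apply static constraints, then keep only the
Pareto-non-dominated designs.

Added example, not the META tools' code. The option catalogue, the static
limits, the manufacturability rule and the complexity scores are constructed;
the mechanism (constraint filter, then dominance filter) is the point.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple

# (mass kg, cost k$, structural-complexity score) per option; constructed.
ENGINES: Dict[str, Tuple[float, float, float]] = {
    "E1": (900, 120, 3), "E2": (1100, 160, 4), "E3": (800, 200, 5)}
TRANSMISSIONS = {"T1": (400, 60, 2), "T2": (350, 90, 3)}
HULLS = {"H1": (6500, 900, 10), "H2": (7200, 800, 12), "H3": (7800, 700, 9)}

MASS_LIMIT_KG = 9000.0          # assumed static (SWaP) constraint
COST_LIMIT_KUSD = 1100.0        # assumed static cost constraint
# Assumed manufacturability constraint fed back from the foundry side:
# transmission T2 cannot be fitted in hull H3.
UNMANUFACTURABLE = {("T2", "H3")}


@dataclass(frozen=True)
class Design:
    name: str
    mass_kg: float
    cost_kusd: float
    complexity: float
    manufacturable: bool

    def objectives(self) -> Tuple[float, float, float]:
        """All three objectives are minimised."""
        return (self.mass_kg, self.cost_kusd, self.complexity)


def enumerate_designs() -> List[Design]:
    """Hierarchical composition: one design per engine x transmission x hull."""
    designs = []
    for (e, ev), (t, tv), (h, hv) in product(ENGINES.items(),
                                              TRANSMISSIONS.items(),
                                              HULLS.items()):
        mass, cost, cx = (sum(v) for v in zip(ev, tv, hv))
        designs.append(Design(f"{e}-{t}-{h}", mass, cost, cx,
                              (t, h) not in UNMANUFACTURABLE))
    return designs


def feasible(designs: List[Design]) -> List[Design]:
    """Static constraint application; no dynamics are evaluated yet."""
    return [d for d in designs
            if d.manufacturable
            and d.mass_kg <= MASS_LIMIT_KG
            and d.cost_kusd <= COST_LIMIT_KUSD]


def dominates(a: Design, b: Design) -> bool:
    """a dominates b if it is no worse in every objective and better in one."""
    oa, ob = a.objectives(), b.objectives()
    return (all(x <= y for x, y in zip(oa, ob))
            and any(x < y for x, y in zip(oa, ob)))


def pareto_front(designs: List[Design]) -> List[Design]:
    """Keep designs that no other design dominates (O(n^2), fine at this scale)."""
    return [d for d in designs
            if not any(dominates(o, d) for o in designs if o is not d)]


if __name__ == "__main__":
    all_designs = enumerate_designs()
    ok = feasible(all_designs)
    front = pareto_front(ok)
    print(f"{len(all_designs)} designs -> {len(ok)} feasible -> "
          f"{len(front)} Pareto-dominant")
    for d in sorted(front, key=Design.objectives):
        print(f"  {d.name}: {d.mass_kg:.0f} kg, {d.cost_kusd:.0f} k$, "
              f"complexity {d.complexity:.0f}")
```

On the constructed catalogue, 18 compositions shrink to 8 feasible and 5 non-dominated designs. The ratios are small here, but the mechanism is the one that takes 10^10 to 10^4 on the slide: nothing dynamic has been simulated, so the filter is cheap enough to run over the whole static space, and the UNMANUFACTURABLE set is where the iFAB manufacturability constraints would enter.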

Verification on an adiabatic quantum computer
[Charts: number of qubits by year, 2002 to 2014: Calypso (4 qubits), Europa, Leda (28 qubits), Rainier, Vesuvius (512 qubits); median run time to 99% certainty (microseconds, log scale from 1 to 10^18) against number of variables N, 0 to 512.]
Source: USC/ISI

Probabilistic verification through simulation

Source: Vanderbilt ISIS


Probabilistic certificates of correctness (PCCs)

Source: Vanderbilt ISIS
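The "simulation trace sampling to verify correctness probability" step from the verification funnel, turned into a certificate with an explicit accuracy and confidence, as an added example (not code from Vanderbilt ISIS or the META tools; the drivetrain load model, terrain chain, load limit and the epsilon/delta targets are assumptions, and Hoeffding's inequality is used for the sample count because the slide does not name a bound):

```python
"""Probabilistic certificate of correctness (PCC) by simulation trace sampling.

Added example, not code from the briefing or from Vanderbilt ISIS. The
drivetrain load model, terrain chain, load limit and the (epsilon, delta)
accuracy targets are assumptions; the sample-size bound is Hoeffding's
inequality, the usual choice in statistical model checking.
"""
import math
import random
from typing import Callable, Dict, List

HORIZON = 50                                 # steps per trace (assumed)
TERRAIN = [[0.8, 0.2, 0.0],                  # rows/cols: down, level, up
           [0.1, 0.8, 0.1],                  # same shape as the slide's module
           [0.0, 0.2, 0.8]]
GRADE = (-0.10, 0.0, 0.05)                   # grade per terrain state (assumed)
VEHICLE_WEIGHT_N = 150_000.0                 # assumed
LOAD_LIMIT_N = 21_500.0                      # assumed transmission load limit
LOAD_NOISE_N = 800.0                         # rolling/aero variation, 1 sigma (assumed)


def samples_needed(eps: float, delta: float) -> int:
    """Hoeffding: n >= ln(2/delta) / (2 eps^2) traces give
    P(|p_hat - p| > eps) <= delta for the Bernoulli 'property holds' variable."""
    return math.ceil(math.log(2.0 / delta) / (2.0 * eps * eps))


def simulate_trace(rng: random.Random) -> List[float]:
    """One Monte Carlo trace of transmission load over the horizon: the terrain
    state evolves as a DTMC and the load is a grade-dependent fraction of
    vehicle weight plus Gaussian noise. Constructed model, not the META one."""
    s = 1                                    # start on level ground
    loads = []
    for _ in range(HORIZON):
        loads.append(VEHICLE_WEIGHT_N * (0.08 + GRADE[s])
                     + rng.gauss(0.0, LOAD_NOISE_N))
        s = rng.choices((0, 1, 2), weights=TERRAIN[s])[0]
    return loads


def load_within_limit(trace: List[float]) -> bool:
    """The requirement being certified: load never exceeds the limit."""
    return max(trace) <= LOAD_LIMIT_N


def certify(prop: Callable[[List[float]], bool], eps: float, delta: float,
            seed: int = 0,
            sim: Callable[[random.Random], List[float]] = simulate_trace
            ) -> Dict[str, float]:
    """Sample enough traces for the requested accuracy and return the
    certificate: the estimate plus an interval of half-width eps that
    contains the true probability with probability >= 1 - delta."""
    n = samples_needed(eps, delta)
    rng = random.Random(seed)                # seeded so the certificate is reproducible
    satisfied = sum(1 for _ in range(n) if prop(sim(rng)))
    p_hat = satisfied / n
    return {"samples": n, "p_hat": p_hat,
            "p_lower": max(0.0, p_hat - eps), "p_upper": min(1.0, p_hat + eps),
            "confidence": 1.0 - delta}


if __name__ == "__main__":
    cert = certify(load_within_limit, eps=0.05, delta=0.01)
    print(f"{cert['samples']} traces: P(load within limit) = {cert['p_hat']:.3f}, "
          f"in [{cert['p_lower']:.3f}, {cert['p_upper']:.3f}] "
          f"with confidence {cert['confidence']:.2f}")
```

A certificate is only meaningful with all three numbers: the estimate, the half-width epsilon and the confidence 1 - delta. Halving epsilon quadruples the trace count (1060 traces for epsilon 0.05 and delta 0.01; 38005 for epsilon 0.01 and delta 0.001), which is why the cheaper abstractions earlier in the funnel are made to do as much of the pruning as possible before traces of the full model are sampled.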


Design space visualization

Source: Vanderbilt ISIS


Geometric composition for gridding/higher-order modeling

Source: Vanderbilt ISIS


Model-Based Manufacturing


Manufacturing process models
As of today:
• 7 material shaping processes
• 19 general processes
• 231 machine instantiations
• 64 manual labor units
• 3,212 tools
Sources: Penn State ARL; GM Research

Design decomposition
[Figures: topological decomposition; “reverse composition”.]
Source: Xerox PARC

Foundry configuration tradespace exploration

Source: Penn State ARL


Sequencing & scheduling

Source: Penn State ARL


Tasking the distributed foundry & feedback to design
Joint Manufacturing Technology Center, Rock Island Arsenal, IL
[Diagram: exchanges between the design side and the foundry nodes: information, goods, agreements.]
Analysis timing:
• Part decomposition: ~10 min
• Assembly analysis: ~120 min
• Purchased parts: ~1 min
• Manufactured parts: aPriori ~2 min/part; CNC-Ana ~35 min
• Design configuration: ~10 min
• Build schedule generation: ~5 min
Source: Penn State ARL

Ecosystem

Collaboration platform—configuration control
Source: Vanderbilt ISIS

Collaboration platform—component model ontology

Source: Vanderbilt ISIS


Collaboration platform—immersive multi-user visualization

Sources: Electrotank; Vanderbilt ISIS


Critical scale for a model-based product ecosystem
[Figures: AUTOSAR Consortium; two-sided market model; Boston Fusion ROM estimate of investment scale.]
Sources: Ferrari, A., An Overview of (Electronic) System Level Design: beyond hardware-software co-design, SFM-06:HV, Univ. of Urbino, 2006; Jorge Tierno, Boston Fusion

FANG Challenge 1 – Mobility and Drivetrain subsystems
Prize: $1,000,000
• Initial roll-out: 1/14/2013
• Finalist team selection: 3/17/2013
• Registration closes: 4/1/2013
• Challenge closes: 4/15/2013
• Winner announced: 4/22/2013
• Build: Summer 2013 (tbd)
As of today:
• 1,077 participants
• 267 total teams
• 18 teams qualified for finals
• Largest team size ~27
www.vehicleforge.org

FANG Challenge 2 – Chassis and Structural subsystems

Prize: $1,000,000


FANG Challenge 3 – Full Vehicle Design

Prize: $2,000,000 Winner entered into Marine ACV prototype fly-off


Modeling shows promise for 5X time compression
[Charts: system dynamics simulation of the traditional design flow versus the META design flow over 0 to 96 months, plotting requirements/month, architectures/month, specifications/month, tests/month and revised requirements/month through requirements elicitation, concept exploration, design and integration, verification, validation and certificate of completion (simulation runs METAm-on/off-with-change).]
Source: Olivier de Weck, MIT

For more information:
FANG Challenges: http://www.vehicleforge.org
Source Code: http://www.cps-vo.org
DARPA PM: [email protected]
Me: [email protected]
Coming soon… special issue of Journal of SE!
