Model-Based Design of an Energy-System Embedded Controller …retis.sssup.it/iwes/technical/cavada.pdf · 2016-09-23 · language (AADL), but they are isolated Credits:Intecs (FoReVer

Model-Based Design of an Energy-System EmbeddedController using Taste

Roberto Cavada, Alessandro Cimatti, Luigi Crema, Mattia Roccabrunaand Stefano Tonetta

Sep 19th, 2016

(Accepted paper @FM2016 - Industry track)

Roberto Cavada, Alessandro Cimatti, Luigi Crema, Mattia Roccabruna and Stefano Tonetta ()Model-Based Design of an Energy-System Embedded Controller using TasteSep 19th, 2016 1 / 15

Outline

1 Motivations

2 The Plant and the Control System

3 The Taste tool

4 Some insight into Models

5 Results, future and conclusions


Model-Based Design in Embedded Systems

MBD is a standard practice in design of complex systems

Huge benefits: costs saving, reduction of errors, higher confidence,and opens doors to many system analysis

MBD is required to cover also the deployment stage

When supporting ES with MBD, new issues arise:I Specificity of the target execution platformI Real Time constraints of the systemI I/O, priority of tasks, stack size, ...


Model-Based Design in Embedded Systems

MBD is a standard practice in design of complex systems

Huge benefits: costs saving, reduction of errors, higher confidence,and opens doors to many system analysis

MBD is required to cover also the deployment stage

When supporting ES with MBD, new issues arise:I Specificity of the target execution platformI Real Time constraints of the systemI I/O, priority of tasks, stack size, ...


Short tale of MBD at the ES Unit in FBK

Until 2015, we addressed system V&V mostly at engineering level:COMPASS (ESA, Aachen RWTH) and FoReVer (ESA, Intecs, TAS)are good examples

Our Unit was lacking the experience to cover the deployment stage

In 2016 we joined efforts with the Applied Research on EnergySystems Unit in FBK, to develop innovative, complex and safe energysystems

We searched for tools support, we jumped at Taste as:OS, strengthening ESA partnership, willing to address industry, veryinteresting research branch to create links and continuity betweenCOMPASS and Taste

This is the report of activities yielded by lucky coincidence:ES Unit applying MBD to the Contest project, while learning andevaluating Taste on the job.
















Contest project as a testbed

Goal: efficient energy co-generation from solarenergy

Combines a large Solar Collector and a StirlingEngine

Heterogeneous, Large, Critical, Complex:calls for MBD!

Credits:Zephyris at the English Wikipedia


The Plant

Co-generation function

Produce electrical energy and heat for domestic/industrial usage

Alpha Stirling EngineI Heat to rotation, via cyclic compression/expansion of HeI Regulated by changing He pressure P [20..200 bar]I Stirling temperature T depends on heat received and on PI Efficiency is proportional to (P,T ), but higher P cause higher drop of

T

Solar collector

I A 8.5m Dish, 5 tons, 3kconcentration factor

I Movement precision is relevant: ≤0.1 ◦ when tracking Sun


Safety requirements of the Control System

Trivia

Burn ’em all: The high temperature can melt the Stirling in seconds

Freezing: When not fed, the Stirling freezes (< −100 ◦C) in seconds

Dynamics: T and P can vary at high rate (T > 500 ◦C/s)

Good luck: Surprise! Devices can fail badly

Requirements

Most in form Gp, !Gp, G (p → Fq), possibly with time bounds

About 200, at the moment in NL. For example:

“When rpm ≥ RPM FS CONS, after OIL PRESS CHECK TO secif oil press < MIN OIL PRESS, go to Error mode.”


Taste: collocation

Credits:ESA


Taste: featuresThe ASSERT Set of Tools for Engineering http://taste.tuxfamily.org/

Modeling can be done with (annotated)text, or graphically

Supports the workflow in four parts:1 System design: AADL functional blocks, use the Interface View editor2 Behavior design: Ada, C, SDL (Opengeode), Simulink, Scade, RTDS,

VHDL, SystemC3 Data types: ASN.1 + ACN used throughout the models4 Deployment: binding AADL functions to CPUs, bus and devices,

through the Deployment View editor, abstraction layers and anautomatic building system. Supported some combination of:

CPU : Intel, Leon, NDS�� → no ARM! no NXP!←

OS : Linux, Xenomai, RTEMS, Win32


http://taste.tuxfamily.org/

The Contest control system architecture


Model of the control systemSee https://gitlab.fbk.eu/ITC4Energy/contest

12 SDL blocks, FSMs have 86locations and 175 transitions(not counting self-loops). Use12 distinct timers

Most blocks are on/off type.Regulator is prop/der. In Suntracker uses prop to adjust Sunposition errors

SDL models react to both inputs andcontinuous signals

Limitation: Fan-Out > 1 not allowed


https://gitlab.fbk.eu/ITC4Energy/contest

Interesting issues in the models

Each SDL input (event or timer) statically generates a task:limitation is needed as the number of tasks can be critical

Notion of delta-cycle loop and multitasking controller not naturallyclicking:

I Delta-cycles is a sequence of Outputs, I nputs, C ontrol

I We forced O/I to run before C , adding a coordinating block andintroducing a start cycle event sent to each part of the O/I /C triplet

I We need to assure that C runs to completion each cycleI Timers are forced to expire at t + Tck ,Tck = kT , k ∈ NI T chosen to be 50ms, safe for sampling and divisor of the timers

resolution, which in Taste is hard-coded at 100msI Empirical data show a 2ms bound for C , but we need schedulability

analysis


What we have learnt

Taste performances

Taste effectively support deployment of complex ES, and createsefficient code: 76 RT tasks, 0.2% CPU usage, 14 MB

However, it cannot be used if micro or nano seconds are required:target at least 100 µs is highly desirable

Some usability issues with large models

Large room for improvement of the building system (speed andcustomization)

Modeling

Modeling in SDL is terrific but requires discipline

Explicit notion of delta loop cycle is desired

No control on tasks’ CPU affinity


Future work

Complete the integration phase, and test on the field

Validate more aggressively with unit testing

Run schedulability analysis

Apply model checking, compositional reasoning, fault-extension andfailure analysis

Try optimizing the Stirling regulation function


Conclusions

We applied MBD to a complex and heterogeneous energy system, tomake it safer

For implementation we successfully used Taste:I Generates efficiently code, for relatively slow control systemsI Fits easily within heterogeneous systemsI Robust editor, although showing some limits as the model growsI Some bugs identified, promptly fixed by Taste’s teamI ARM support highly desired, to target general industrial domain

We need to exploit some features provided by Taste

We need to apply more FM techniques


Thank you!


TasteTaste is a Modeling tool made by ESA, devoted to deployment in ESIn the design workflow, Taste is collocated after the COMPASStoolset, which targets Model-based Dependability Engineering.Taste and COMPASS share many concepts and specificationlanguage (AADL), but they are isolated

Credits:Intecs (FoReVer project)


Taste Languages

AADL To describe the architecture in terms of function blocks,their input/output ports, and port connections

ASN.1 Standard notation to specify data types, along with theirconstraints and encoding. Types and values are thenavailable at system and behavior level

SDL Formal specification language used in Taste for modelingthe behavior of the functional blocks

FSMs described in SDL communicate asynchronouslythrough events queued in channelsEach FSM runs-to-completion, until stops waiting anevent or timer

C/Ada For addressing low-level


Taste Languages (global vision)

Credits:ESA


Documents

Model-Based Design of an Energy-System Embedded Controller …retis.sssup.it/iwes/technical/cavada.pdf · 2016-09-23 · language (AADL), but they are isolated Credits:Intecs (FoReVer