SOTER: A Runtime Assurance Framework for Programming Safe Robotics Systems

The recent drive towards achieving greater autonomy and intelligence in robotics has led to high levels of complexity. Autonomous robots increasingly depend on third party off-the-shelf components and complex machine-learning techniques. This trend makes it challenging to provide strong design-time certification of correct operation. To address these challenges, we present SOTER, a robotics programming framework with two key components: (1) a programming language for implementing and testing high-level reactive robotics software and (2) an integrated runtime assurance (RTA) system that helps enable the use of uncertified components, while still providing safety guarantees. SOTER provides language primitives to declaratively construct a RTA module consisting of an advanced, high-performance controller (uncertified), a safe, lower-performance controller (certified), and the desired safety specification. The framework provides a formal guarantee that a well-formed RTA module always satisfies the safety specification, without completely sacrificing performance by using higher performance uncertified components whenever safe. SOTER allows the complex robotics software stack to be constructed as a composition of RTA modules, where each uncertified component is protected using a RTA module. To demonstrate the efficacy of our framework, we consider a real-world case-study of building a safe drone surveillance system. Our experiments both in simulation and on actual drones show that the SOTER-enabled RTA ensures the safety of the system, including when untrusted third-party components have bugs or deviate from the desired behavior

JUMPSAT: Qualifying three equipments in the CubeSat mission

JUMPSAT is a 3-Unit CubeSat mission expected for launch in 2017. It is a collaborative project involving the French research institutes CNES and ONERA as well as two universities, the Institut Supérieur de l'Aéronautique et de l'Espace and TELECOM Bretagne. The main mission objectives are the technological verification of both the three-axis attitude control system as well as the verification of two embedded payloads: A low cost Star Tracker developed by ISAE-Supaero for future small satellite missions and a directional radiation sensor for precise mapping of the Earth radiation belt. This article focuses on the mission concept and the status of the mission design in fall 2013. Main mission parameters are introduced, with emphases on the characteristic properties of the Jumpsat mission, as for example the choice of a sun-synchronous elliptical low-Earth Orbit, which is necessary to be in compliance with the payload requirements and at the same time to ensure space debris prevention. Furthermore, due to the limited observation time of a polar satellite, it was decided to utilize a distributed ground station network on S-band frequency for ensuring the necessary communication bandwidth for up- and downlink. The space segment will be equipped with deployable solar panels for improving the thermal and power budget of the overall system. Finally, a brief overview of the specifications and design of the attitude control system and both payloads are also given in the article

Building Blocks for Control System Software

Software implementation of control laws for industrial systems seem straightforward, but is not. The computer code stemming from the control laws is mostly not more than 10 to 30% of the total. A building-block approach for embedded control system development is advocated to enable a fast and efficient software design process.\ud We have developed the CTJ library, Communicating Threads for Java¿,\ud resulting in fundamental elements for creating building blocks to implement communication using channels. Due to the simulate-ability, our building block method is suitable for a concurrent engineering design approach. Furthermore, via a stepwise refinement process, using verification by simulation, the implementation trajectory can be done efficiently

Towards a Formal Framework for Mobile, Service-Oriented Sensor-Actuator Networks

Service-oriented sensor-actuator networks (SOSANETs) are deployed in health-critical applications like patient monitoring and have to fulfill strong safety requirements. However, a framework for the rigorous formal modeling and analysis of SOSANETs does not exist. In particular, there is currently no support for the verification of correct network behavior after node failure or loss/addition of communication links. To overcome this problem, we propose a formal framework for SOSANETs. The main idea is to base our framework on the \pi-calculus, a formally defined, compositional and well-established formalism. We choose KLAIM, an existing formal language based on the \pi-calculus as the foundation for our framework. With that, we are able to formally model SOSANETs with possible topology changes and network failures. This provides the basis for our future work on prediction, analysis and verification of the network behavior of these systems. Furthermore, we illustrate the real-life applicability of this approach by modeling and extending a use case scenario from the medical domain.Comment: In Proceedings FESCA 2013, arXiv:1302.478

Modelling and Refinement in CODA

This paper provides an overview of the CODA framework for modelling and refinement of component-based embedded systems. CODA is an extension of Event-B and UML-B and is supported by a plug-in for the Rodin toolset. CODA augments Event-B with constructs for component-based modelling including components, communications ports, port connectors, timed communications and timing triggers. Component behaviour is specified through a combination of UML-B state machines and Event-B. CODA communications and timing are given an Event-B semantics through translation rules. Refinement is based on Event-B refinement and allows layered construction of CODA models in a consistent way.Comment: In Proceedings Refine 2013, arXiv:1305.563

From FPGA to ASIC: A RISC-V processor experience

This work document a correct design flow using these tools in the Lagarto RISC- V Processor and the RTL design considerations that must be taken into account, to move from a design for FPGA to design for ASIC

SDN Access Control for the Masses

The evolution of Software-Defined Networking (SDN) has so far been predominantly geared towards defining and refining the abstractions on the forwarding and control planes. However, despite a maturing south-bound interface and a range of proposed network operating systems, the network management application layer is yet to be specified and standardized. It has currently poorly defined access control mechanisms that could be exposed to network applications. Available mechanisms allow only rudimentary control and lack procedures to partition resource access across multiple dimensions. We address this by extending the SDN north-bound interface to provide control over shared resources to key stakeholders of network infrastructure: network providers, operators and application developers. We introduce a taxonomy of SDN access models, describe a comprehensive design for SDN access control and implement the proposed solution as an extension of the ONOS network controller intent framework