
    Embedding runtime verification post-deployment for real-time health management of safety-critical systems

    As cyber-physical systems increase in both complexity and criticality, formal methods have gained traction for design-time verification of safety properties. A lightweight formal method, runtime verification (RV), embeds checks necessary for safety-critical system health management; however, these techniques have been slow to appear in practice despite repeated calls by both industry and academia to leverage them. Additionally, the state-of-the-art in RV lacks a best practice approach when a deployed system requires increased flexibility due to a change in mission, or in response to an emergent condition not accounted for at design time. Human-robot interaction necessitates stringent safety guarantees to protect humans sharing the workspace, particularly in hazardous environments. For example, Robonaut2 (R2) developed an emergent fault while deployed to the International Space Station. Possibly-inaccurate actuator readings trigger the R2 safety system, preventing further motion of a joint until a ground-control operator determines the root-cause and initiates proper corrective action. Operator time is scarce and expensive; when waiting, R2 is an obstacle instead of an asset. We adapt the Realizable, Responsive, Unobtrusive Unit (R2U2) RV framework for resource-constrained environments. We retrofit the R2 motor controller, embedding R2U2 within the remaining resources of the Field-Programmable Gate Array (FPGA) controlling the joint actuator. We add online, stream-based, real-time system health monitoring in a provably unobtrusive way that does not interfere with the control of the joint. We design and embed formal temporal logic specifications that disambiguate the emergent faults and enable automated corrective actions. We overview the challenges and techniques for formally specifying behaviors of an existing command and data bus. We present our specification debugging, validation, and refinement steps. 
We demonstrate success in the Robonaut2 case study, then detail effective techniques and lessons learned from adding RV with real-time fault disambiguation under the constraints of a deployed system.

    An Overview of Distributed Spacecraft Autonomy at NASA Ames

    Autonomous decision-making significantly increases mission effectiveness by mitigating the effects of communication constraints, like latency and bandwidth, and mission complexity on multi-spacecraft operations. To advance the state of the art in autonomous Distributed Space Systems (DSS), the Distributed Spacecraft Autonomy (DSA) team at NASA's Ames Research Center is developing within five relevant technical areas: distributed resource and task management, reactive operations, system modeling and simulation, human-swarm interaction, and ad hoc network communications. DSA is maturing these technologies - critical for future large autonomous DSS - from concept to launch via simulation studies and orbital deployments. A 100-node heterogeneous Processor-in-the-Loop (PiL) testbed aids distributed autonomy capability development and verification of multi-spacecraft missions. The DSA software payload deployed to the D-Orbit SCV-004 spacecraft demonstrates multi-agent reconfigurability and reliability as part of an ESA-sponsored in-orbit technology demonstration. Finally, DSA's primary flight mission showcases collaborative resource allocation for multipoint science data collection with four small spacecraft as a payload on NASA's Starling 1.0 satellites.

    Evaluating Network Performance of Containerized Test Framework for Distributed Space Systems

    Distributed space systems are a mission architecture consisting of multiple spacecraft operating as a cohesive system, which provides multipoint sampling, increased mission coverage, or improved sample resolution while reducing mission risk through redundancy. To fully realize the potential of these systems, eventually scaling to hundreds or thousands of spacecraft, distributed space systems need to be operated as a single entity, which will enable a variety of novel scientific space missions. The Distributed Spacecraft Autonomy (DSA) project is a software project which aims to mature the technology needed for those systems, namely autonomous decision-making and swarm networking. The DSA project leverages a containerized swarm test framework to simulate spacecraft software, which can identify emergent behavior early in development. Container virtualization allows distributed spacecraft systems to be simulated entirely in software on a single computer, avoiding the overhead associated with conventional approaches like hardware facsimiles and virtual machines. For this approach to be effective, the simulated system behavior must not be artificially influenced by the swarm test framework itself. To address this, we present a series of benchmarks to quantify the virtual network bandwidth available on a single-host computer and contextualize this against the network and application behavior of the DSA swarm test framework.

    Interaction between IRF6 and TGFA Genes Contribute to the Risk of Nonsyndromic Cleft Lip/Palate

    Previous evidence from tooth agenesis studies suggested IRF6 and TGFA interact. Since tooth agenesis is commonly found in individuals with cleft lip/palate (CL/P), we used four large cohorts to evaluate if IRF6 and TGFA interaction contributes to CL/P. Markers within and flanking IRF6 and TGFA genes were tested using Taqman or SYBR green chemistries for case-control analyses in 1,000 Brazilian individuals. We looked for evidence of gene-gene interaction between IRF6 and TGFA by testing if markers associated with CL/P were overtransmitted together in the case-control Brazilian dataset and in the additional family datasets. Genotypes for an additional 142 case-parent trios from South America drawn from the Latin American Collaborative Study of Congenital Malformations (ECLAMC), 154 cases from Latvia, and 8,717 individuals from several cohorts were available for replication of tests for interaction. Tgfa and Irf6 expression at critical stages during palatogenesis was analyzed in wild type and Irf6 knockout mice. Markers in and near IRF6 and TGFA were associated with CL/P in the Brazilian cohort (p < 10⁻⁶). IRF6 was also associated with cleft palate (CP) with impaction of permanent teeth (p < 10⁻⁶). Statistical evidence of interaction between IRF6 and TGFA was found in all data sets (p = 0.013 for Brazilians; p = 0.046 for ECLAMC; p = 10⁻⁶ for Latvians, and p = 0.003 for the 8,717 individuals). Tgfa was not expressed in the palatal tissues of Irf6 knockout mice. IRF6 and TGFA contribute to subsets of CL/P with specific dental anomalies. Moreover, this potential IRF6-TGFA interaction may account for as much as 1% to 10% of CL/P cases. The Irf6-knockout model further supports the evidence of IRF6-TGFA interaction found in humans. © 2012 Letra et al.

    IFNs Modify the Proteome of <i>Legionella</i>-Containing Vacuoles and Restrict Infection Via IRG1-Derived Itaconic Acid

    Macrophages can be niches for bacterial pathogens or antibacterial effector cells depending on the pathogen and signals from the immune system. Here we show that type I and II IFNs are master regulators of gene expression during Legionella pneumophila infection, and activators of an alveolar macrophage-intrinsic immune response that restricts bacterial growth during pneumonia. Quantitative mass spectrometry revealed that both IFNs substantially modify Legionella-containing vacuoles, and comparative analyses reveal distinct subsets of transcriptionally and spatially IFN-regulated proteins. Immune-responsive gene (IRG)1 is induced by IFNs in mitochondria that closely associate with Legionella-containing vacuoles, and mediates production of itaconic acid. This metabolite is bactericidal against intravacuolar L. pneumophila as well as extracellular multidrug-resistant Gram-positive and -negative bacteria. Our study explores the overall role IFNs play in inducing substantial remodeling of bacterial vacuoles and in stimulating production of IRG1-derived itaconic acid, which targets intravacuolar pathogens. IRG1 or its product itaconic acid might be therapeutically targetable to fight intracellular and drug-resistant bacteria.

    R2U2 Version 3.0: Re-Imagining a Toolchain for Specification, Resource Estimation, and Optimized Observer Generation for Runtime Verification in Hardware and Software

    R2U2 is a modular runtime verification framework capable of monitoring sets of specifications in real time and in resource-constrained environments. Such environments demand that a runtime monitor be fast, easily integratable, accessible to domain experts, and have predictable resource requirements. Version 3.0 adds new features to R2U2 and its associated suite of tools that meet these needs, including a new front-end compiler that accepts a custom specification language, a GUI for resource estimation, and improvements to R2U2's internal architecture.

    This proceeding is published as Johannsen, C., Jones, P., Kempa, B., Rozier, K.Y., Zhang, P. (2023). R2U2 Version 3.0: Re-Imagining a Toolchain for Specification, Resource Estimation, and Optimized Observer Generation for Runtime Verification in Hardware and Software. In: Enea, C., Lal, A. (eds) Computer Aided Verification. CAV 2023. Lecture Notes in Computer Science, vol 13966. Springer, Cham. https://doi.org/10.1007/978-3-031-37709-9_23. © 2023 The Author(s).

    This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.

    MLTL Multi-type (MLTLM): A Logic for Reasoning About Signals of Different Types

    Modern cyber-physical systems (CPS) operate in complex systems of systems that must seamlessly work together to control safety- or mission-critical functions. Capturing specifications in a logic like LTL enables verification and validation of CPS requirements, yet an LTL formula specification can imply unrealistic assumptions, such as that all signals populating the variables in the formula are of type Boolean and agree on a standard time step. To achieve formal verification of CPS systems of systems, we need to write validate-able requirements that reason over (sub-)system signals of different types, such as signals with different timescales, or levels of abstraction, or signals with complex relationships to each other that populate variables in the same formula. Validation includes both transparency for human validation and tractability for automated validation, e.g., since CPS often run on resource-limited embedded systems. Specifications for correctness of numerical algorithms for CPS need to be able to describe global properties with precise representations of local components. Therefore, we introduce Mission-time Linear Temporal Logic Multi-type (MLTLM), a logic building on MLTL, to enable writing clear, formal requirements over finite input signals (e.g., sensor signals, local computations) of different types, cleanly coordinating the temporal logic and signal relationship considerations without significantly increasing the complexity of logical analysis, e.g., model checking, satisfiability, runtime verification (RV). We explore the common scenario of CPS systems of systems operating over different timescales, including a detailed analysis with a publicly-available implementation of MLTLM. 
    We contribute: (1) the definition and semantics of MLTLM, a lightweight extension of MLTL allowing a single temporal formula over variables of multiple types; (2) the construction and use of an MLTLM fragment for time-granularity, with proof of the language's expressive power; and (3) the design and empirical study of an MLTLM runtime engine suitable for real-time execution on embedded hardware.

    This is a pre-peer-review, pre-copyedit version of a proceeding published as Hariharan, G., Kempa, B., Wongpiromsarn, T., Jones, P.H., Rozier, K.Y. (2022). MLTL Multi-type (MLTLM): A Logic for Reasoning About Signals of Different Types. In: Isac, O., Ivanov, R., Katz, G., Narodytska, N., Nenzi, L. (eds) Software Verification and Formal Methods for ML-Enabled Autonomous Systems. NSV FoMLAS 2022 2022. Lecture Notes in Computer Science, vol 13466. Springer, Cham. The final authenticated version is available online at DOI: 10.1007/978-3-031-21222-2_11. Copyright 2022 The Author(s). Posted with permission.
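    The two runtime-verification abstracts above (the Robonaut2 R2U2 retrofit and MLTLM) describe stream-based monitoring of bounded temporal-logic specifications over signals that may tick at different rates, but neither abstract shows what such a monitor actually computes. The following is an added example written for this page; it is not R2U2's code, not the MLTLM paper's engine, and the signal names (`mismatch`, `bus_ok`), the 8-tick window, the sample-and-hold projection of the slow signal, and the four verdict labels are all constructed for illustration. It evaluates MLTL formulas with closed integer intervals over a finite Boolean trace, lifts a slow signal onto the base clock so one formula can mention both, and uses that to separate a transient glitch from a persistent mismatch and from a bus problem, which is the kind of fault disambiguation the R2 abstract says its specifications perform.

```python
"""Minimal MLTL (mission-time LTL) monitor over finite Boolean traces.
Added example for this page, not R2U2's or the MLTLM paper's own code.
A trace is a list of dicts, one per base-clock tick, signal name -> bool."""
from dataclasses import dataclass
from typing import Dict, List, Union

Trace = List[Dict[str, bool]]

@dataclass(frozen=True)
class Const:
    value: bool

@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Not:
    arg: "Formula"

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Until:  # lhs U[lb, ub] rhs over a closed integer interval
    lhs: "Formula"
    rhs: "Formula"
    lb: int
    ub: int

Formula = Union[Const, Atom, Not, And, Until]

def Or(a, b): return Not(And(Not(a), Not(b)))
def Implies(a, b): return Or(Not(a), b)
def Finally(lb, ub, f): return Until(Const(True), f, lb, ub)    # F[lb,ub] f
def Globally(lb, ub, f): return Not(Finally(lb, ub, Not(f)))    # G[lb,ub] f

def holds(f: Formula, trace: Trace, i: int) -> bool:
    """Does f hold at position i? Boundary convention (my reading of MLTL's
    finite-trace semantics, so an assumption): an Until is false if the trace
    ends before the interval's lower bound; positions past the end are not
    examined, so a Globally reaching past the end is vacuously true."""
    n = len(trace)
    if isinstance(f, Const):
        return f.value
    if isinstance(f, Atom):
        return trace[i][f.name]
    if isinstance(f, Not):
        return not holds(f.arg, trace, i)
    if isinstance(f, And):
        return holds(f.left, trace, i) and holds(f.right, trace, i)
    if n <= i + f.lb:                      # Until: interval unreachable
        return False
    for j in range(i + f.lb, min(i + f.ub, n - 1) + 1):
        if holds(f.rhs, trace, j):
            return True                    # rhs reached, lhs held on [i+lb, j)
        if not holds(f.lhs, trace, j):
            return False                   # lhs broke before rhs was reached
    return False

def lift(samples: List[bool], period: int, length: int) -> List[bool]:
    """Project a slow signal (one sample per `period` ticks) onto the base clock
    by sample-and-hold. This projection is an assumption of the example, not
    the time-granularity construction of the MLTLM paper."""
    return [samples[min(t // period, len(samples) - 1)] for t in range(length)]

def make_trace(columns: Dict[str, List[bool]]) -> Trace:
    length = len(next(iter(columns.values())))
    assert all(len(c) == length for c in columns.values()), "ragged columns"
    return [{k: col[t] for k, col in columns.items()} for t in range(length)]

# Constructed health-management specs over an 8-tick window (hypothetical signals).
MISMATCH = Atom("mismatch")   # actuator reading disagrees with commanded position
BUS_OK = Atom("bus_ok")       # bus health word, refreshed only every 4 ticks
CLEARS = Globally(0, 7, Implies(MISMATCH, Finally(0, 2, Not(MISMATCH))))  # glitch clears in 2 ticks
BUS_FAULT = Finally(0, 7, And(MISMATCH, Not(BUS_OK)))                     # mismatch while bus is bad
ANY_MISMATCH = Finally(0, 7, MISMATCH)

def classify(trace: Trace) -> str:
    """Disambiguate one telemetry window into a verdict an operator need not adjudicate."""
    if holds(BUS_FAULT, trace, 0):
        return "bus-fault"
    if not holds(ANY_MISMATCH, trace, 0):
        return "healthy"
    return "transient-glitch" if holds(CLEARS, trace, 0) else "persistent-fault"

F, T = False, True
# Constructed traces: mismatch sampled every tick, bus_ok every 4 ticks then lifted.
GLITCH  = make_trace({"mismatch": [F, F, T, F, F, F, F, F], "bus_ok": lift([T, T], 4, 8)})
STUCK   = make_trace({"mismatch": [F, F, F, T, T, T, T, T], "bus_ok": lift([T, T], 4, 8)})
BUS     = make_trace({"mismatch": [F, F, F, F, T, T, F, F], "bus_ok": lift([T, F], 4, 8)})
HEALTHY = make_trace({"mismatch": [F] * 8,                  "bus_ok": lift([T, T], 4, 8)})

if __name__ == "__main__":
    for name, tr in [("GLITCH", GLITCH), ("STUCK", STUCK), ("BUS", BUS), ("HEALTHY", HEALTHY)]:
        print(name, classify(tr))
```

    One caveat worth checking before trusting a verdict like this: a mismatch on the last tick of the window leaves `F[0,2] !mismatch` with no future to examine, so the offline evaluator above reports it as persistent. An online monitor of the kind R2U2 implements would instead keep that verdict pending until the interval is resolved, which is the behaviour a health-management system should prefer over a false "fault" that parks the joint.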

    Distinct Metabolic States Are Observed in Hypoglycemia Induced in Mice by Ricin Toxin or by Fasting

    Hypoglycemia may be induced by a variety of physiologic and pathologic stimuli and can result in life-threatening consequences if untreated. However, hypoglycemia may also play a role in the purported health benefits of intermittent fasting and caloric restriction. Previously, we demonstrated that systemic administration of ricin toxin induced fatal hypoglycemia in mice. Here, we examine the metabolic landscape of the hypoglycemic state induced in the liver of mice by two different stimuli: systemic ricin administration and fasting. Each stimulus produced the same decrease in blood glucose and weight loss. The polar metabolome was studied using ¹H NMR, quantifying 59 specific metabolites, and untargeted LC-MS on approximately 5000 features. Results were analyzed by multivariate analyses, using both principal component analysis (PCA) and partial least squares-discriminant analysis (PLS-DA), to identify global metabolic patterns, and by univariate analyses (ANOVA) to assess individual metabolites. The results demonstrated that while there were some similarities in the responses to the two stimuli, including decreased glucose, ADP, and glutathione, they elicited distinct metabolic states. The metabolite showing the greatest difference was O-phosphocholine, elevated in ricin-treated animals and known to be affected by the pro-inflammatory cytokine TNF-α. Another difference was the alternative fuel source utilized, with fasting-induced hypoglycemia primarily ketotic, while the response to ricin-induced hypoglycemia involves protein and amino acid catabolism.