QP Based Framework for Development and Formal Verification of Flight Control Software of UAV

Yuchao Zhang, Guoqi Li, and Juan Zhang
School of Reliability and System Engineering, Beihang University, Beijing, China
Abstract. UAVs are widely invested in, in both military and academic fields. The development and verification of UAV flight control software is an important issue and a hot topic. In this paper, a QP based method is presented to develop and formally verify UAV flight control software. The method combines UML with the OCL constraint language and exports the OCL-constrained UML model to an XMI file. The XMI file is then fed into a rule inference engine as facts. Aided by safety rules, the flight control software can be verified automatically. The method has many advantages and is expected to enhance the quality of UAV flight control software. It can also be used in similar scenarios.

Keywords: UML, OCL, Inference machine, Software Verification.
1 Introduction

A UAV is a reusable aircraft without a pilot, whose flight status, route and other procedures are controlled by wireless remote control or by an onboard control program. It is widely used for aerial reconnaissance and surveillance, communication, anti-submarine warfare and electronic interference. UAVs have many advantages, such as a small take-off site, the ability to hover in the air, low cost and so on [1]. They are a very promising research topic worldwide and can be used for short-range military reconnaissance, urban search and rescue, low-level fire support missions, etc. Recent studies and applications show that UAVs have great advantages in fire support, agricultural monitoring, marine exploration, traffic control and military use. The most crucial part of a small UAV is the Automatic Flight Control System. The performance of small UAVs (including take-off and landing performance, operating flight performance, flight safety, and the reliability and maintainability of the automation systems, etc.) depends largely on the design of the flight control system. The UAV flight control system is responsible for a variety of functions, including data collection, storage, processing, control output and data transmission, and it has a great direct impact on the UAV's flight performance [2].

An aircraft's control system is a complex embedded real-time hybrid system; its core control software is necessarily complex, reactive, discrete, real-time and highly reliable. Fast and reliable flight control software must be based on the system's function and behaviour, yet in the past the main way to describe system specifications was prose or flow charts. These means of communication are difficult for the whole design team to understand and implement, and ambiguities and errors remain hidden until the late stages of integration testing. Formal methods provide an executable, standardized form for modelling and verifying the function and behaviour of complex discrete systems, and the state diagram is one of the most intuitive and practical modelling languages among them. In this paper, we study a flight control software prototype for UAVs based on hierarchical state machines, establish an executable function and behaviour model of the flight control software, and formally verify it, in order to detect and correct errors early in the system design and provide a sound basis for testing and design.

H. Deng et al. (Eds.): AICI 2011, Part I, LNAI 7002, pp. 1–8, 2011. © Springer-Verlag Berlin Heidelberg 2011
2 Presentation of QP

The Quantum Platform (QP) is an embedded systems programming concept created by Miro Samek (USA). It describes the embedded software programming model by analogy with the transitions between energy states in quantum mechanics; there is no real connection between quantum mechanics and the quantum platform, the concept is simply borrowed. The quantum platform provides a state machine programming model for embedded systems. It is divided into two levels according to the available CPU resources: a lightweight (streamlined) level, NANO, and the full version. NANO is for applications with limited CPU resources, while the common full version is for abundant CPU resources. QP consists of two parts: the hierarchical event processor (QEP) and the real-time framework (QF). The real-time framework QF has great advantages in dealing with event-driven systems and is widely used in embedded systems. QP gives the system clear logic by using hierarchical state machines, and the active objects of the modelled system are then built by combining QF with the state machines [3].

Hierarchical state machines and event-driven frameworks have developed rapidly and been widely applied over the last two decades; almost all currently successful commercial tools are based on the hierarchical state machine (state chart) and on real-time driver frameworks similar to QF. The state machine is the best known formal approach for describing real-time event-driven systems, and the most advanced way to describe state is the hierarchical state machine theory of UML. The hierarchical state machine (HSM) is the most intuitive method for modelling state behaviour and a good formal method for implementing event-driven systems. It is mainly used to describe the lifecycle of an object, subsystem or system.
Through the hierarchical state machine we can know, for a state of an object, which states can be reached from it, which events it can receive, and so on. The related concepts of the HSM are:
1). State: a state is a stage in the life cycle of an object in which it satisfies certain conditions, performs some action, or waits for some event.
2). Event: an event is an occurrence at a specific time and place, which can trigger state transitions.
3). Transition (conversion): a transition is the transfer from one state node to another state node.
States and their transitions are the basic syntactic elements of a state chart. Let S be the set of system states, E the events, C the conditions, A the actions and R the reactions; then the discrete behaviour model X is defined as:

$$X = \{\, s_i(r_i) \xrightarrow{e[c]/a} s_j(r_j) \mid t \,\} \qquad (1)$$
3 Model the Flight Control System

3.1 Top Model

The interactive control part of the flight control system includes the rotation sensor, speed sensor, electronic compass, GPS and wireless communication components, as well as the engine throttle control, elevator, rudder, left aileron, right aileron and landing gear guide wheel. The UML method is used to model the system and to fix the relations among its parts [4]. As the core of the flight control system, the flight controller integrates flight data acquisition, control law generation, parameter adjustment, logic and timing judgements, equipment monitoring, autonomous navigation, remote communication, system self-test and so on [5][6]. First, we define the top-level module FC_program to describe the entry point and the flow of the entire software:
[Fig. 1 (diagram): module FC_program with states @Init and RUN (containing @PC); transition @Init → RUN labelled [Ready]/A1]
Fig. 1. State chart of top-level module FC_program
When the system runs, it enters the initial state @Init. The prefix @ indicates that the state is decomposed into a number of sub-states; the actions described by @Init include hardware initialization, determining whether a power-down occurred, and clearing or recovering flight and navigation status and data. At the end of initialization the condition Ready is set to true, which triggers the transfer of the system to the RUN state while executing the compound action A1 (setting hardware and software flags).

3.2 The PC Main Control Model

This module is the main part of the flight control system and describes the changes of the UAV flight state and of the device states.

[Fig. 2 (diagram): module PC (entry action /A2) with a Condition connector, states @RESET, @WAIT and FLY, FLY containing @AUTO with @LOG_M and @LAT_M; transitions labelled not [power_OK]/A4, power_OK/A3, COMMAND_WAIT/A5 and COMMAND_TAKEOFF/A6]
Fig. 2. State chart of main control module PC
After entering the PC state, the connector is used to select the transfer path. If the power is abnormal, the system returns directly to the flight state FLY; if it is normal, the system is transferred to the reset state RESET, where data is cleared. When the standby command is received in this state (event COMMAND_WAIT occurs), the system is transferred to the state @WAIT. Similarly, when the take-off command is received (event COMMAND_TAKEOFF occurs) in the WAIT state, the system is transferred to the state FLY, and by default the sub-state for autonomous navigation, AUTO, is activated to automatically complete the roll, climb and similar actions. The AUTO state includes two states: the horizontal control state and the vertical control state. Assume that the system is now in the straight-flight state STRAIGHT; when an action instruction (deflection or descent) is received, the system shifts to the left (right) turn state LEFT (RIGHT) and achieves the given angle. After the instruction is completed, the system returns to the command-wait state; if a landing instruction is received during flight, the system exits the flight.
[Fig. 3 (diagram): module LAT_M with states @STRAIGHT (N_LAT=0), @EVENT, @LEFT, @RIGHT and @EXIT; transitions labelled not [COMMAND]=0 FLYING, [N_LAT=-1] and [HS=HS_L]/A7, [HS=HS_L]/A9, [N_LAT=1] and [HS=HS_R]/A8, [HS=HS_R]/A10 and [COMMAND_LAND]/A14]
Fig. 3. State chart of turn control module LAT_M
Fig. 4. State chart of rise control module LAT_M
4 Formalizing the State Chart with OCL

OCL (Object Constraint Language) is a constraint language used to direct and restrict the user's model of the system [7]. It can be used to define the behaviour of objects in UML more precisely, and to specify constraints on any class element. OCL has the following four characteristics [8]:
1). OCL is both a query language and a constraint language;
2). OCL is based on mathematics, but does not use mathematical symbols;
3). OCL is a strongly typed language;
4). OCL is a declarative language.

This article uses the OCL language to constrain the UML objects, and so to better represent the objects that are difficult to describe with simple graphics.
5 Verification and Validation

5.1 Convert UML by XMI Specification

UML is a visual modelling language. Its graphical business models (such as use case diagrams, class diagrams, sequence diagrams, state diagrams, etc.) contain data structures and logical constraints, but the external manifestation of these business models is a collection of graphics [9], which does not lend itself to further processing. To address this problem, we output the information in the model as a manifest file (XML), so that the model can be processed further and information can be exchanged between models.

5.2 Authentication by Inference Machine

An inference machine simulates human thinking activity according to fixed rules: it solves a problem by reasoning over the rules and facts provided by the user and gives the user a satisfactory conclusion. The inference structure is as follows:

[Fig. 5 (diagram): rules and facts → inference (pattern match) → result]
Fig. 5. Inference structure
The inference mechanism is shown below. First, the initial facts are obtained in real time from all the information collected from the sensors. Then all applicable rules are found by matching the facts against the left-hand part of each rule (the premise); these rules make up the conflict set, from which one rule is selected according to a certain conflict resolution strategy, thereby generating new facts. The new facts together with the old facts start a new round of matching, and the problem is solved in this way until no rule is activated. Finally, it is checked whether there is a solution: if so, all solutions (error messages) are output; otherwise, "no solution" is output [10].
[Fig. 6 (flowchart) with the steps: start; achieve facts (sensor); rules match; gain conflict; available rules? (yes/no); get conflict solution; new facts generation; solution check; fault information output; no solution; end]
Fig. 6. Inference mechanism
We use the inference engine to perform pattern matching and determine whether the software is safe, using the security rule set given by experts on the basis of safety theory together with the XMI + OCL output of the two preceding chapters. Through inference we match the facts collected from the sensors and the rule base against the safety rules, establish the conclusion that the flight control software meets the safety rules, and thus confirm the safety quality of the flight control software. This completes the security validation of the flight control system software.
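The transition set of eq. (1) and the inference cycle of Sect. 5.2 and Fig. 6, as an added example that is not part of the paper: a Python forward-chaining checker over facts constructed from the state charts of Figs. 1-3 as read here. The names FACTS, rule_reach, rule_takeoff_only_from_wait, validate and infer, and the two safety rules themselves, are assumptions of this example and not the expert rule set the paper refers to.

```python
# Added example, not the paper's code. FACTS encode the discrete model X of eq. (1):
# transitions s_i --e[c]/a--> s_j as read from Figs. 1-3 (FLY's default entry down
# to STRAIGHT collapsed into one completion step). The safety rules are constructed.
FACTS = {
    ("state", "RESET"), ("state", "WAIT"), ("state", "FLY"), ("state", "STRAIGHT"),
    ("state", "LEFT"), ("state", "RIGHT"), ("state", "EXIT"),
    # ("trans", source, event, guard, action, target); "" means none
    ("trans", "Condition", "", "not power_OK", "A4", "FLY"),
    ("trans", "Condition", "", "power_OK", "A3", "RESET"),
    ("trans", "RESET", "COMMAND_WAIT", "", "A5", "WAIT"),
    ("trans", "WAIT", "COMMAND_TAKEOFF", "", "A6", "FLY"),
    ("trans", "FLY", "", "", "", "STRAIGHT"),
    ("trans", "STRAIGHT", "", "N_LAT=-1 and HS=HS_L", "A7", "LEFT"),
    ("trans", "STRAIGHT", "", "N_LAT=1 and HS=HS_R", "A8", "RIGHT"),
    ("trans", "LEFT", "", "HS=HS_L", "A9", "STRAIGHT"),
    ("trans", "RIGHT", "", "HS=HS_R", "A10", "STRAIGHT"),
    ("trans", "STRAIGHT", "COMMAND_LAND", "", "A14", "EXIT"),
}

def rule_reach(facts):
    """Derive ("reach", a, b): one hop per transition plus one composition step;
    repeated firing by infer() yields the transitive closure."""
    reach = {(f[1], f[2]) for f in facts if f[0] == "reach"}
    reach |= {(f[1], f[5]) for f in facts if f[0] == "trans"}
    reach |= {(a, d) for (a, b) in reach for (c, d) in reach if b == c}
    return {("reach", a, b) for (a, b) in reach}

def rule_takeoff_only_from_wait(facts):
    """Constructed safety rule: COMMAND_TAKEOFF may only be accepted in WAIT."""
    return {("error", f"takeoff accepted in state {f[1]}") for f in facts
            if f[0] == "trans" and f[2] == "COMMAND_TAKEOFF" and f[1] != "WAIT"}

def validate(facts):
    """Solution check after the fixpoint: derived errors, plus the constructed rule
    that every state must still be able to reach EXIT (landing)."""
    errors = {f[1] for f in facts if f[0] == "error"}
    reach = {(f[1], f[2]) for f in facts if f[0] == "reach"}
    states = {f[1] for f in facts if f[0] == "state"} - {"EXIT"}
    errors |= {f"no path from {s} to EXIT" for s in states if (s, "EXIT") not in reach}
    return sorted(errors)

def infer(facts, rules=(rule_reach, rule_takeoff_only_from_wait)):
    """Fig. 6 cycle: match every rule, fire the first one in the conflict set
    (priority = rule order), add its new facts, repeat until no rule fires."""
    facts = set(facts)
    while True:
        conflict = [(r, new) for r in rules if (new := r(facts) - facts)]
        if not conflict:
            return validate(facts)  # [] means "no solution", i.e. no error found
        facts |= conflict[0][1]
```

infer(FACTS) returns an empty list when no rule reports an error; a mutated fact set, for instance one with an extra COMMAND_TAKEOFF transition out of RESET, yields the corresponding error messages.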
6 Conclusion

In this paper, motivated by the increasing emphasis on UAVs and the wide use of the newly popular QP quantum platform, we carry out a formal safety analysis of the flight control software with the hierarchical state machine method. We use UML to model the flight control software, and use the constraint language OCL to constrain the UML. As a formal constraint language, OCL makes up for the disadvantage of UML of being a semi-formal method. The information in the UML model is then explicitly output as an XML file, which, together with the OCL constraints, serves as the facts that are pattern matched in the inference engine against the safety rules given by experts; finally a judgement is made as to whether the software system meets the safety rules. This formal verification method has some reference value for the validation of other similar safety-critical embedded software systems.
References
1. Quigley, M., Goodrich, M.A., Beard, R.W.: Semi-Autonomous Human-UAV Interfaces for Fixed-Wing Mini-UAVs. In: Proceedings of 2004 IEEE/RSJ International Conference on Intelligent Robots and Systems, pp. 2457–2462 (2004)
2. Fang, Z.: Output Feedback Control of a Quadrotor UAV Using Neural Networks. In: Proceedings of the 27th Chinese Control Conference, pp. 349–353 (2008)
3. Warmer, J., Kleppe, A.: The Object Constraint Language (2003)
4. Cai, G., Gu, T., Lam, C.P.: An approach for automatic test case generation from UML Statechart. In: Proceedings of the 9th Joint International Computer Conference (2003)
5. Koo, T.J., Sinopoli, B.: A formal approach to reactive system design: a UAV flight management system design example. In: Proceedings of IEEE International Symposium on Computer-Aided Control System Design, Hawaii (1999)
6. Harel, D., Naamad, A.: The STATEMATE semantics of statecharts. ACM Transactions on Software Engineering and Methodology, pp. 293–333 (1996)
7. Gunmath, P.: OCL exception handling. Texas A & M University, Texas (2004)
8. Nentwich, C., Emmerich, W., Finkelstein, A.: Flexible consistency checking. ACM Transactions on Software Engineering and Methodology, pp. 28–63 (2003)
9. Muller, E., Zenker, A.: Business services as actors of knowledge transformation: the role of KIBS in regional and innovation systems. Research Policy, 75–86 (1993)
10. Lauriente, M., Rolincik, M.: An on-line expert system for diagnosing environmentally induced spacecraft anomalies using CLIPS. N9332097 (1993)