Rozprawy doktorskie na temat „Verification of control systems”

Verification of access control systems against vulnerabilities has always been a challenging problem in the world of computer security. The complication of security policies in large- scale multi-agent systems increases the possible existence of vulnerabilities as a result of mistakes in policy definition. This thesis explores automated methods in order to verify temporal and epistemic properties of access control systems. While temporal property verification can reveal a considerable number of security holes, verification of epistemic properties in multi-agent systems enable us to infer about agents' knowledge in the system and hence, to detect unauthorized information flow. This thesis first presents a framework for knowledge-based verification of dynamic access control policies. This framework models a coalition-based system, which evaluates if a property or a goal can be achieved by a coalition of agents restricted by a set of permissions defined in the policy. Knowledge is restricted to the information that agents can acquire by reading system information in order to increase time and memory efficiency. The framework has its own model-checking method and is implemented in Java and released as an open source tool named \(\char{cmmi10}{0x50}\)\(\char{cmmi10}{0x6f}\)\(\char{cmmi10}{0x6c}\)\(\char{cmmi10}{0x69}\)\(\char{cmmi10}{0x56}\)\(\char{cmmi10}{0x65}\)\(\char{cmmi10}{0x72}\). In order to detect information leakage as a result of reasoning, the second part of this thesis presents a complimentary technique that evaluates access control policies over temporal-epistemic properties where the knowledge is gained by reasoning. We will demonstrate several case studies for a subset of properties that deal with reasoning about knowledge. To increase the efficiency, we develop an automated abstraction refinement technique for evaluating temporal-epistemic properties. For the last part of the thesis, we develop a sound and complete algorithm in order to identify information leakage in Datalog-based trust management systems.

Thesis (Ph.D.)--Boston University PLEASE NOTE: Boston University Libraries did not receive an Authorization To Manage form for this thesis or dissertation. It is therefore not openly accessible, though it may be available by request. If you are the author or principal advisor of this work and would like to request open access for it, please contact us at open-help@bu.edu. Thank you.
This thesis establishes theoretical and computational frameworks for formal verification and control synthesis for discrete-time stochastic systems. Given a temporal logic specification, the system is analyzed to determine the probability that the specification is achieved, and an input law is automatically generated to maximize this probability. The approach consists of three main steps: constructing an abstraction of the stochastic system as a finite Markov model, mapping the given specification onto this abstraction, and finding a control policy to maximize the probability of satisfying the specification. The framework uses Probabilistic Computation Tree Logic (PCTL) as the specification language. The verification and synthesis algorithms are inspired by the field of probabilistic model checking. In abstraction, a method for the computation of the exact transition probability bounds between the regions of interest in the domain of the stochastic system is first developed. These bounds are then used to construct an Interval-valued Markov Chain (IMC) or a Bounded-parameter Markov Decision Process (BMDP) abstraction for the system. Then, a representative transition probability is used to construct an approximating Markov chain (MC) for the stochastic system. The exact bound of the approximation error and an explicit expression for its grovvth over time are derived. To achieve a desired error value, an adaptive refinement algorithm that takes advantage of the linear dynamics of the system is employed. To verify the properties of the continuous domain stochastic system against a finite-time PCTL specification, IMC and BMDP verification algorithms are designed. These algorithms have low computational complexity and are inspired by the MC model checking algorithms. The low computational complexity is achieved by over approximating the probabilities of satisfaction. To increase the precision of the method, two adaptive refinement procedures are proposed. Furthermore, a method of generating the control strategy that maximizes the probability of satisfaction of a PCTL specification for Markov Decision Processes (MDPs) is developed. Through a similar method, a formal synthesis framework is constructed for continuous domain stochastic systems by utilizing their BMDP abstractions. These methodologies are then applied in robotics applications as a means of automatically deploying a mobile robot subject to noisy sensors and actuators from PCTL specifications. This technique is demonstrated through simulation and experimental case studies of deployment of a robot in an indoor environment. The contributions of the thesis include verification and synthesis frameworks for discrete time stochastic linear systems, abstraction schemes for stochastic systems to MCs, IMCs, and BMDPs, model checking algorithms with low computational complexity for IMCs and BMDPs against finite-time PCTL formulas, synthesis algorithms for Markov Decision Processes (MDPs) from PCTL formulas, and a computational framework for automatic deployment of a mobile robot from PCTL specifications. The approaches were validated by simulations and experiments. The algorithms and techniques in this thesis help to make discrete-time stochastic systems a more useful and effective class of models for analysis and control of real world systems.

Formal verification techniques have been widely deployed as means to ensure the quality of software products. Unfortunately, they suffer with the combinatorial explosion of the state space. That is, programs have a large number of states, sometimes infinite. A common approach to alleviate the problem is to perform the verification over abstract models from the program. Control-flow graphs (CFG) are one of the most common models, and have been widely studied in the past decades. Unfortunately, previous works over modern programming languages, such as Java, have either neglected features that influence the control-flow, or do not provide a correctness argument about the CFG construction. This is an unbearable issue for formal verification, where soundness of CFGs is a mandatory condition for the verification of safety-critical properties. Moreover, one may want to extract CFGs from the available components of an open system. I.e., a system whose at least one of the components is missing. Soundness is even harder to achieve in this scenario, because of the unknown inter-dependences between software components. In the current work we present a framework to extract control-flow graphs from open Java Bytecode systems in a modular fashion. Our strategy requires the user to provide interfaces for the missing components. First, we present a formal definition of open Java bytecode systems. Next, we generalize a previous algorithm that performs the extraction of CFGs for closed programs to a modular set-up. The algorithm uses the user-provided interfaces to resolve inter-dependences involving missing components. Eventually the missing components will arrive, and the open system will become closed, and can execute. However, the arrival of a component may affect the soundness of CFGs which have been extracted previously. Thus, we define a refinement relation, which is a set of constraints upon the arrival of components, and prove that the relation guarantees the soundness of CFGs extracted with the modular algorithm. Therefore, the control-flow safety properties verified over the original CFGs still hold in the refined model. We implemented the modular extraction framework in the ConFlEx tool. Also, we have implemented the reusage from previous extractions, to enable the incremental extraction of a newly arrived component. Our technique performs substantial over-approximations to achieve soundness. Despite this, our test cases show that ConFlEx is efficient. Also, the extraction of the CFGs gets considerable speed-up by reusing results from previous analyses.

QC 20121029

Verification of Control-Flow Properties of Programs with Procedures(CVPP)

Thesis (M.Eng. and S.B.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2003.
Includes bibliographical references (p. 74).
by Vida Uyen Ha.
M.Eng.and S.B.

In the last decades, systems have strongly increased their complexity in terms of number of functions that can be performed and quantity of relationships between functions and hardware as well as interactions of elements and disciplines concurring to the definition of the system. The growing complexity remarks the importance of defining methods and tools that improve the design, verification and validation of the system process: effectiveness and costs reduction without loss of confidence in the final product are the objectives that have to be pursued. Within the System Engineering context, the modern Model and Simulation based approach seems to be a promising strategy to meet the goals, because it reduces the wasted resources with respect to the traditional methods, saving money and tedious works. Model Based System Engineering (MBSE) starts from the idea that it is possible at any moment to verify, through simulation sessions and according to the phase of the life cycle, the feasibility, the capabilities and the performances of the system. Simulation is used during the engineering process and can be classified from fully numerical (i.e. all the equipment and conditions are reproduced as virtual model) to fully integrated hardware simulation (where the system is represented by real hardware and software modules in their operational environment). Within this range of simulations, a few important stages can be defined: algorithm in the loop (AIL), software in the loop (SIL), controller in the loop (CIL), hardware in the loop (HIL), and hybrid configurations among those. The research activity, in which this thesis is inserted, aims at defining and validating an iterative methodology (based on Model and Simulation approach) in support of engineering teams and devoted to improve the effectiveness of the design and verification of a space system with particular interest in Guidance Navigation and Control (GNC) subsystem. The choice of focusing on GNC derives from the common interest and background of the groups involved in this research program (ASSET at Politecnico di Torino and AvioSpace, an EADS company). Moreover, GNC system is sufficiently complex (demanding both specialist knowledge and system engineer skills) and vital for whatever spacecraft and, last but not least the verification of its behavior is difficult on ground because strong limitations on dynamics and environment reproduction arise. Considering that the verification should be performed along the entire product life cycle, a tool and a facility, a simulator, independent from the complexity level of the test and the stage of the project, is needed. This thesis deals with the design of the simulator, called StarSim, which is the real heart of the proposed methodology. It has been entirely designed and developed from the requirements definition to the software implementation and hardware construction, up to the assembly, integration and verification of the first simulator release. In addition, the development of this technology met the modern standards on software development and project management. StarSim is a unique and self-contained platform: this feature allows to mitigate the risk of incompatibility, misunderstandings and loss of information that may arise using different software, simulation tools and facilities along the various phases. Modularity, flexibility, speed, connectivity, real time operation, fidelity with real world, ease of data management, effectiveness and congruence of the outputs with respect to the inputs are the sought-after features in the StarSim design. For every iteration of the methodology, StarSim guarantees the possibility to verify the behavior of the system under test thanks to the permanent availability of virtual models, that substitute all those elements not yet available and all the non-reproducible dynamics and environmental conditions. StarSim provides a furnished and user friendly database of models and interfaces that cover different levels of detail and fidelity, and supports the updating of the database allowing the user to create custom models (following few, simple rules). Progressively, pieces of the on board software and hardware can be introduced without stopping the process of design and verification, avoiding delays and loss of resources. StarSim has been used for the first time with the CubeSats belonging to the e-st@r program. It is an educational project carried out by students and researchers of the “CubeSat Team Polito” in which StarSim has been mainly used for the payload development, an Active Attitude Determination and Control System, but StarSim’s capabilities have also been updated to evaluate functionalities, operations and performances of the entire satellite. AIL, SIL, CIL, HIL simulations have been performed along all the phases of the project, successfully verifying a great number of functional and operational requirements. In particular, attitude determination algorithms, control laws, modes of operation have been selected and verified; software has been developed step by step and the bugs-free executable files have been loaded on the micro-controller. All the interfaces and protocols as well as data and commands handling have been verified. Actuators, logic and electrical circuits have been designed, built and tested and sensors calibration has been performed. Problems such as real time and synchronization have been solved and a complete hardware in the loop simulation test campaign both for A-ADCS standalone and for the entire satellite has been performed, verifying the satisfaction of a great number of CubeSat functional and operational requirements. The case study represents the first validation of the methodology with the first release of StarSim. It has been proven that the methodology is effective in demonstrating that improving the design and verification activities is a key point to increase the confidence level in the success of a space mission.

The objective of modeling, verification, and synthesis of hierarchical hybrid mission control for underwater vehicle is to (i) propose a hierarchical architecture for mission control for an autonomous system, (ii) develop extended hybrid state machine models for the mission control, (iii) use these models to verify for logical correctness, (iv) check the feasibility of a simulation software to model the mission executed by an autonomous underwater vehicle (AUV) (v) perform synthesis of high-level mission coordinators for coordinating lower-level mission controllers in accordance with the given mission, and (vi) suggest further design changes for improvement. The dissertation describes a hierarchical architecture in which mission level controllers based on hybrid systems theory have been, and are being developed using a hybrid systems design tool that allows graphical design, iterative redesign, and code generation for rapid deployment onto the target platform. The goal is to support current and future autonomous underwater vehicle (AUV) programs to meet evolving requirements and capabilities. While the tool facilitates rapid redesign and deployment, it is crucial to include safety and performance verification into each step of the (re)design process. To this end, the modeling of the hierarchical hybrid mission controller is formalized to facilitate the use of available tools and newly developed methods for formal verification of safety and performance specifications. A hierarchical hybrid architecture for mission control of autonomous systems with application to AUVs is proposed and a theoretical framework for the models that make up the architecture is outlined. An underwater vehicle like any other autonomous system is a hybrid system, as the dynamics of the vehicle as well as its vehicle level control is continuous whereas the mission level control is discrete, making the overall system a hybrid system i.e., one possessing both continuous and discrete states. The hybrid state machine models of the mission controller modules is derived from their implementation done using TEJA, a software for representing hybrid systems with support for auto code generation. The verification of their logical correctness properties has been done using UPPAAL, a software tool for verification of timed automata a special kind of hybrid system. A Teja to Uppaal converter, called dem2xml, has been created at Applied Reserarch Lab that converts a hybrid (timed) autonomous system description in Teja to an Uppaal system description. Verification work involved developing abstract models for the lower level vehicle controllers with which the mission controller modules interact and follow a hierarchical approach: Assuming the correctness of level-zero or vehicle controllers, we establish the correctness of level-one mission controller modules, and then the correctness of level-two modules, etc. The goal of verification is to show that any valid meaning for a mission formalized in our research verifies the safe and correct execution of actions. Simulation of the sequence of actions executed for each of the operations give a better view of the combined working of the mission coordinators and the low level controllers. So we next looked into the feasibility of simulating the operations executed during a mission. A Perl program has been developed to convert the UPPAAL files in .xml format to OpenGL graphic files. The graphic files simulate the steps involved in the execution of a sequence of operations executed by an AUV. The highest level coordinators send mission orders to be executed by the lower level controllers. So a more generalized design of the highest level controllers would help to incorporate the execution of a variety of missions for a vast field of applications. Initially, we consider manually synthesized mission coordinator modules. Later we design automated synthesis of coordinators. This method synthesizes mission coordinators which coordinate the lower level controllers for the execution of the missions ordered and can be used for any autonomous system.

Thesis (M.S. in Electrical Engineering)--Naval Postgraduate School, Sept. 2004.
Thesis advisor(s): Barry Leonard, Xiaoping Yun. Includes bibliographical references (p. 185-186). Also available online.

Tethered satellite systems (TSS) can be utilized for a wide range of space-based applications, such as satellite formation control and propellantless orbital maneuvering by means of momentum transfer and electrodynamic thrusting. A TSS is a complicated physical system operating in a continuously varying physical environment, so most research on TSS dynamics and control makes use of simplified system models to make predictions about the behavior of the system. In spite of this fact, little effort is ever made to validate the predictions made by these simplified models. In an ideal situation, experimental data would be used to validate the predictions made by simplified TSS models. Unfortunately, adequate experimental data on TSS dynamics and control is not readily available at this time, so some other means of validation must be employed. In this work, we present a validation procedure based on the creation of a top-level computational model, the predictions of which are used in place of experimental data. The validity of all predictions made by lower-level computational models is assessed by comparing them to predictions made by the top-level computational model. In addition to the proposed validation procedure, a top-level TSS computational model is developed and rigorously verified. A lower-level TSS model is used to study the dynamics of the tether in a spinning TSS. Floquet theory is used to show that the lower-level model predicts that the pendular motion and transverse elastic vibrations of the tether are unstable for certain in-plane spin rates and system mass properties. Approximate solutions for the out-of-plane pendular motion are also derived for the case of high in-plane spin rates. The lower-level system model is also used to derive control laws for the pendular motion of the tether. Several different nonlinear control design techniques are used to derive the control laws, including methods that can account for the effects of dynamics not accounted for by the lower-level model. All of the results obtained using the lower-level system model are compared to predictions made by the top-level computational model to assess their validity and applicability to an actual TSS.
Ph. D.

Dissertação para obtenção do Grau de Mestre em Engenharia Informática
In an object-oriented setting, objects are modeled by their state and operations. The programmer should be aware of how each operation implicitly changes the state of an object. This is due to the fact that in certain states some operations might not be available, e.g., reading from a file when it is closed. Additional care must be taken if we consider aliasing, since many references to the same object might be held and manipulated. This hinders the ability to identify the source of a modification to an object, thus making it harder to track down its state. These difficulties increase in a concurrent setting, due to the unpredictability of the behavior of concurrent programs. Concurrent programs are complex and very hard to reason about and debug. Some of the errors that arise in concurrent programs are due to simultaneous accesses to shared memory by different threads, resulting in unpredictable outcomes due to the possible execution interleavings. This kind of errors are generally known as race conditions. Software verification and specification are important in software design and implementation as they provide early error detection, and can check conformity to a given specification, ensuring some intended correctness properties. To this end, our work builds on the work of Spatial-Behavioral types formalism providing object ownership support. Our approach consists in the integration of a behavioral type system, developed for a core fragment of the Java programming language, in the standard Java development process.
PTDC/EIA-CCO/104583/2008 research scholarship

Les phospholipases A2 sécrétées (sPLA2) sont de puissants inhibiteurs de l’entrée du virus de l’immunodéficience humaine (HIV) (Fenard et al. , 1999). Afin de mieux comprendre leur mécanisme d’action, nous avons cloné un HIV résistant à la sPLA2 de venin d’abeille (bvPLA2), HIVRBV-3. Mon projet de thèse a consisté en l’élucidation des mécanismes moléculaires qui confèrent sa résistance à HIVRBV-3. Il est bien documenté que le HIV pénétrant dans la cellule par fusion de la membrane virale avec la membrane plasmique. Par ailleurs, il est généralement admis que les HIV pénétrant dans la cellule par la voie endosomale sont dégradés dans les lysosomes et ne sont donc pas infectieux. Nous avons montré, avec trois techniques d’analyse différentes, que la voie d’entrée de HIVRBV-3 est dépendante des endosomes et de leurs moteurs cytosqueletiques. En effet, la réplication de HIVRBV-3 est sensible à plusieurs types d’inhibiteurs de l’acidification des endosomes et de la polymérisation des micro-filaments d’actine et ce, dans différents types cellulaires. Nous montrons que ce mécanisme d’entrée original ainsi que la résistance à bvPLA2 sont supportés par la glycoprotéine d’enveloppe (gp160) de HIVRBV-3. Nos recherches en cours consistent à démontrer l’implication de modification singulière de certaines boucles variables de la gp120 de HIVRBV-3 dans ce mécanisme d’entrée inédit. Les données de la bibliographie indiquent que ces modifications de la gp120 sont retrouvées dans les souches virales isolées chez les patients non progresseurs à long terme. Notre hypothèse actuelle est donc que les sPLA2 humaines pourraient jouer un rôle dans le contrôle de la réplication virale chez ces individus
Secreted phospholipases A2 (sPLA2) are potent inhibitors of Human Immunodeficiency Virus (HIV) replication. In order to gain insights of their antiviral effects we have cloned a bee-venom sPLA2 (bvPLA2) resistant HIV strain, HIVRBV-3. Our goal is to elucidate the molecular mechanisms that confer bvPLA2 resistance to HIVRBV-3. HIV enters cell via fusion o viral and plasma membrane. Furthermore, it is generally admitted that HIV endosomal entry is a dead end route of infection. We show that HIVRBV-3 entry is highly dependent on the molecular mechanisms of endocytosis, particularly those of vesicular trafficking. We were able to show, using three different ways of investigation, that HIVRBV-3 replication in different cell lines is inhibited by lysosomotropic agents, and by drug that affect the cytoskeleton (actin microfilaments and microtubules) polymerization. We further demonstrate that HIVRBV-3 envelope glycoprotein directs HIVRBV-3 in this particularly entry route and that is sufficient to confer bvPLA2 resistance to a HIV bfPLA2 sensitive strain. We are currently investigating the role played by uncommon mutations in the variable loops of HIVRBV-3 envelope glycoprotein, in directing the HIVRBV-3 entry pathway. These uncommon mutations are also specific of long-term non-progressor HIV strains? This lead us to assess the role played by endogenous human sPLA2 in the physiopathology of the HIV infection. Altogether our results suggest a new resistance mechanism at the cellular level. Indeed, HIV may overcome the inhibitory effect of an intracytoplasmic block by using an alternative entry pathway

Thesis (M. Tech. (Engineering: Electrical)) -- Central University of technology, Free State, [2014]
The project is aimed at exploring the application of Machine Vision in a Reconfigurable Manufacturing System (RMS) Environment. The Machine Vision System interfaces with the RMS to verify the reconfiguration and positioning of devices within the assembly system, and inspects the product for defects that infringe on the quality of that product. The vision system interfaces to the Multi-agent System (MAS), which is in charge of scheduling and allocating resources of the RMS, in order to communicate and exchange data regarding the quality of the product. The vision system is comprised of a Compact Vision System (CVS) device with fire-wire cameras to aid in the image acquisition, inspection and verification process. Various hardware and software manufacturers offer a platform to implement this with a multiple array of vision equipment and software packages. The most appropriate devices and software platform were identified for the implementation of the project. An investigation into illumination was also undertaken in order to determine whether external lighting sources would be required at the point of inspection. Integration into the assembly system involved the establishment communication between the vision system and assembly system controller.

The traditional security systems that verify the identity of users based on password usually face the risk of leaking the password contents. To solve this problem, biometrics such as the face, iris, and fingerprint, begin to be widely used in verifying the identity of people. However, these biometrics cannot be changed if the database is hacked. What's more, verification systems based on the traditional biometrics might be cheated by fake fingerprint or the photo.;Liu and Cheung (Liu and Cheung 2014) have recently initiated the concept of lip password, which is composed of a password embedded in the lip movement and the underlying characteristics of lip motion [26]. Subsequently, a lip password-based system for visual speaker verification has been developed. Such a system is able to detect a target speaker saying the wrong password or an impostor who knows the correct password. That is, only a target user speaking correct password can be accepted by the system. Nevertheless, it recognizes the lip password based on a lip-reading algorithm, which needs to know the language alphabet of the password in advance, which may limit its applications.;To tackle this problem, in this thesis, we study the lip password-based visual speaker verification system with unknown language alphabet. First, we propose a method to verify the lip password based on the key frames of lip movement instead of recognizing the individual password elements, such that the lip password verification process can be made without knowing the password alphabet beforehand. To detect these key frames, we extract the lip contours and detect the interest intervals where the lip contours have significant variations. Moreover, in order to avoid accurate alignment of feature sequences or detection on mouth status which is computationally expensive, we design a novel overlapping subsequence matching approach to encode the information in lip passwords in the system. This technique works by sampling the feature sequences extracted from lip videos into overlapping subsequences and matching them individually. All the log-likelihood of each subsequence form the final feature of the sequence and are verified by the Euclidean distance to positive sample centers. We evaluate the proposed two methods on a database that contains totally 8 kinds of lip passwords including English digits and Chinese phrases. Experimental results show the superiority of the proposed methods for visual speaker verification.;Next, we propose a novel visual speaker verification approach based on diagonal-like pooling and pyramid structure of lips. We take advantage of the diagonal structure of sparse representation to preserve the temporal order of lip sequences by employ a diagonal-like mask in pooling stage and build a pyramid spatiotemporal features containing the structural characteristic under lip password. This approach eliminates the requirement of segmenting the lip-password into words or visemes. Consequently, the lip password with any language can be used for visual speaker verification. Experiments show the efficacy of the proposed approach compared with the state-of-the-art ones.;Additionally, to further evaluate the system, we also develop a prototype of the lip password-based visual speaker verification. The prototype has a Graphical User Interface (GUI) that make users easy to access.

The Cal Poly Spacecraft Dynamics Simulator, also known as the Pyramidal Reaction Wheel Platform (PRWP), is an air-bearing four reaction wheel spacecraft simulator designed to simulate the low-gravity, frictionless condition of the space environment and to test and validate spacecraft attitude control hardware and control laws through real-time motion tests. The PRWP system was modified to the new Mk.III configuration, which adopted the MATLAB xPC kernel for better real-time hardware control. Also the Litton LN-200 IMU was integrated onto the PRWP and replaced the previous attitude sensor. Through the comparison of various control laws through motion tests the Mk.III configuration was tested for robust control law verification capability. Two fixed-gain controllers, full-state feedback (FSFB) and linear quadratic regulator with set-point control(LQRSP), and two adaptive controllers, nonlinear direct model reference adaptive controller (NDMRAC) and the adaptive output feedback (AOF), were each tested in three different cases of varying plant parameters to test controller robustness through real-time motion tests. The first two test cases simulate PRWP inertia tensor variations. The third test case simulates uncertainty of the reaction wheel dynamic by slowing down the response time for one of the four reaction wheels. The Mk.III motion tests were also compared with numerical simulations as well as the older Mk.II motion tests to confirm controller validation capability. The Mk.III test results confirmed certain patterns from the numerical simulations and the Mk.II test results. The test case in which actuator dynamics uncertainty was simulated had the most effect on controller performance, as all four control laws experienced an increase in steady-state error. The Mk.III test results also confirmed that the NDMRAC outperformed the fixed-gain controllers.

In this dissertation, the extended Melnikov's method has been applied to several nonlinear ship dynamics models, which are related to the new generation of stability criteria in the International Maritime Organization (IMO). The advantage of this extended Melnikov's method is it overcomes the limitation of small damping that is intrinsic to the implementation of the standard Melnikov's method. The extended Melnikv's method is first applied to two published roll motion models. One is a simple roll model with nonlinear damping and cubic restoring moment. The other is a model with a biased restoring moment. Numerical simulations are investigated for both models. The effectiveness and accuracy of the extended Melnikov's method is demonstrated. Then this method is used to predict more accurately the threshold of global surf-riding for a ship operating in steep following seas. A reference ITTC ship is used here by way of example and the result is compared to that obtained from previously published standard analysis as well as numerical simulations. Because the primary drawback of the extended Melnikov's method is the inability to arrive at a closed form equation, a 'best fit'approximation is given for the extended Melnikov numerically predicted result. The extended Melnikov's method for slowly varying system is applied to a roll-heave-sway coupled ship model. The Melnikov's functions are calculated based on a fishing boat model. And the results are compared with those from standard Melnikov's method. This work is a preliminary research on the application of Melnikov's method to multi-degree-of-freedom ship dynamics. In the last part of the dissertation, the method of manufactured solution is applied to systems with chaotic behavior. The purpose is to identify points with potential numerical discrepancies, and to improve computational efficiency. The numerical discrepancies may be due to the selection of error tolerances, precisions, etc. Two classical chaotic models and two ship capsize models are examined. The current approach overlaps entrainment in chaotic control theory. Here entrainment means two dynamical systems have the same period, phase and amplitude. The convergent region from control theory is used to give a rough guideline on identifying numerical discrepancies for the classical chaotic models. The effectiveness of this method in improving computational efficiency is demonstrated for the ship capsize models.
Ph. D.

Modern power networks incorporate communications and information technology infrastructure into the electrical power system to create a smart grid in terms of control and operation. The smart grid enables real-time communication and control between consumers and utility companies allowing suppliers to optimize energy usage based on price preference and system technical issues. The smart grid design aims to provide overall power system monitoring, create protection and control strategies to maintain system performance, stability and security. This dissertation contributed to the development of a unique and novel smart grid test-bed laboratory with integrated monitoring, protection and control systems. This test-bed was used as a platform to test the smart grid operational ideas developed here. The implementation of this system in the real-time software creates an environment for studying, implementing and verifying novel control and protection schemes developed in this dissertation. Phasor measurement techniques were developed using the available Data Acquisition (DAQ) devices in order to monitor all points in the power system in real time. This provides a practical view of system parameter changes, system abnormal conditions and its stability and security information system. These developments provide valuable measurements for technical power system operators in the energy control centers. Phasor Measurement technology is an excellent solution for improving system planning, operation and energy trading in addition to enabling advanced applications in Wide Area Monitoring, Protection and Control (WAMPAC). Moreover, a virtual protection system was developed and implemented in the smart grid laboratory with integrated functionality for wide area applications. Experiments and procedures were developed in the system in order to detect the system abnormal conditions and apply proper remedies to heal the system. A design for DC microgrid was developed to integrate it to the AC system with appropriate control capability. This system represents realistic hybrid AC/DC microgrids connectivity to the AC side to study the use of such architecture in system operation to help remedy system abnormal conditions. In addition, this dissertation explored the challenges and feasibility of the implementation of real-time system analysis features in order to monitor the system security and stability measures. These indices are measured experimentally during the operation of the developed hybrid AC/DC microgrids. Furthermore, a real-time optimal power flow system was implemented to optimally manage the power sharing between AC generators and DC side resources. A study relating to real-time energy management algorithm in hybrid microgrids was performed to evaluate the effects of using energy storage resources and their use in mitigating heavy load impacts on system stability and operational security.

This dissertation investigates the problem of developing verifiable stable control architectures for gas turbine engines. First, a nonlinear physics-based dynamic model of a twin spool turboshaft engine which drives a variable pitch propeller is developed. In this model, the dynamics of the engine are defined to be the two spool speeds, and the two control inputs to the system are fuel flow rate and prop pitch angle. Experimental results are used to verify the dynamic model of JetCat SPT5 turboshaft engine. Based on the experimental data, performance maps of the engine components including propeller, high pressure compressor, high pressure, and low pressure turbines are constructed. The engine numerical model is implemented using Matlab. Second, a stable gain scheduled controller is described and developed for a gas turbine engine that drives a variable pitch propeller. A stability proof is developed for a gain scheduled closed-loop system using global linearization and linear matrix inequality (LMI) techniques. Using convex optimization tools, a single quadratic Lyapunov function is computed for multiple linearizations near equilibrium and non-equilibrium points of the nonlinear closed-loop system. This approach guarantees stability of the closed-loop gas turbine engine system. To verify the stability of the closed-loop system on-line, an optimization problem is proposed which is solvable using convex optimization tools. Through simulations, we show the developed gain scheduled controller is capable to regulate a turboshaft engine for large thrust commands in a stable fashion with proper tracking performance. Third, a gain scheduled model reference adaptive control (GS-MRAC) concept for multi-input multi-output (MIMO) nonlinear plants with constraints on the control inputs is developed and described. Specifically, adaptive state feedback for the output tracking control problem of MIMO nonlinear systems is studied. Gain scheduled reference model system is used for generating desired state trajectories, and the stability of this reference model is also analyzed using convex optimization tools. This approach guarantees stability of the closed-loop gain scheduled gas turbine engine system, which is used as a gain scheduled reference model. An adaptive state feedback control scheme is developed and its stability is proven, in addition to transient and steady-state performance guarantees. The resulting closed-loop system is shown to have ultimately bounded solutions with a priori adjustable bounded tracking error. The results are then extended to GS-MRAC with constraints on the magnitudes of multiple control inputs. Sufficient conditions for uniform boundedness of the closed-loop system is derived. A semi-global stability result is proven with respect to the level of saturation for open-loop unstable plants, while the stability result is shown to be global for open-loop stable plants. Simulations are performed for three different models of the turboshaft engine, including the nominal engine model and two models where the engine is degraded. Through simulations, we show the developed GS-MRAC architecture can be used for the tracking problem of degraded turboshaft engine for large thrust commands with guaranteed stability. Finally, a decentralized linear parameter dependent representation of the engine model is developed, suitable for decentralized control of the engine with core and fan/prop subsystems. Control theoretic concepts for decentralized gain scheduled model reference adaptive control (D-GS-MRAC) systems is developed. For each subsystem, a linear parameter dependent model is available and a common Lyapunov matrix can be computed using convex optimization tools. With this control architecture, the two subsystems of the engine (i.e., engine core and engine prop/fan) can be controlled with independent controllers for large throttle commands in a decentralized manner. Based on this D-GS-MRAC architecture, a "plug and play" (PnP) technology concept for gas turbine engine control systems is investigated, which allows us to match different engine cores with different engine fans/propellers. With this plug and play engine control architecture, engine cores and fans/props could be used with their on-board subordinate controllers ready for integration into a functional propulsion system. Simulation results for three different models of the engine, including the nominal engine model, the model with a new prop, and the model with a new engine core, illustrate the possibility of PnP technology development for gas turbine engine control systems.

In this thesis, a test platform based on real-time facilities and embedded software is designed to verify the performance of a controller model in real time. By the help of this platform, design errors can be detected earlier and possible problems can be solved cost-effectively without interrupting the development process. An unmanned combat air vehicle (UCAV) model is taken as a plant model due to its importance in current and future military operations. Among several autopilot modes, the altitude hold mode is selected since it is an important pilot-relief mode and widely used in aviation. A discrete PID controller is designed in MATLAB/Simulink environment for using in verification studies. To control the dynamic system in wide range, a gain scheduling is employed where the altitude and velocity are taken as scheduling variables. Codes for plant and controller model are obtained by using real time workshop embedded coder (RTWEC) and downloaded to two separate computers, in which xPC kernel and VxWorks operating system are run, respectively. A set of flight test scenarios are generated in Simulink environment. They are analyzed, discussed, and then some of them are picked up to verify the platform. These test scenarios are run in the setup and their results are compared with the ones obtained in Simulink environment. The reusability of the platform is verified by using a commercial aircraft, Boeing 747, and its controller models. The test results obtained in the setup and in Simulink environment are presented and discussed.

ITC/USA 2010 Conference Proceedings / The Forty-Sixth Annual International Telemetering Conference and Technical Exhibition / October 25-28, 2010 / Town and Country Resort & Convention Center, San Diego, California
Flight and weapons test ranges typically include multiple Telemetry Sites (TM Sites) that receive telemetry from platforms being flown on the range. Received telemetry is processed and forwarded by them to a Range Control Center (RCC) which is responsible for flight safety, and for delivering captured best source telemetry to those responsible for the platform being flown. When range equipment or operations are impaired in their ability to receive telemetry or process it correctly, expensive and/or one-of-a-kind platforms may have to be destroyed in flight to maintain safety margins, resulting in substantial monetary loss, valuable data loss, schedule disruption and potential safety concerns. Less severe telemetry disruptions can also result in missing or garbled telemetry data, negatively impacting platform test, analysis and design modification cycles. This paper provides a high level overview of a physics-compliant Range Test System (RTS) built upon Radio Frequency (RF) Channel Simulator technology. The system is useful in verifying range operation with most range equipment configured to function as in an actual mission. The system generates RF signals with appropriate RF link effects associated with range and range rate between the flight platform and multiple telemetry tracking stations. It also emulates flight and RF characteristics of the platform, to include signal parameters, antenna modeling, body shielding and accurate flight parameters. The system is useful for hardware, software, firmware and process testing, regression testing, and fault detection test, as well as range customer assurance, and range personnel training against nominal and worst-case conditions.

If we have a program with strict control flow security requirements and want to ensure system requirements by verifying properties of said program, but part of the code base is in the form of a plug-in or third party library which we do not have access to at the time of verification, the procedure presented in this thesis can be used to generate the requirements needed for the plug-ins or third party libraries that they would have to fulfil in order for the final product to pass the given system requirements. This thesis builds upon a transformation procedure that turns control flow properties of a behavioural form into a structural form. The control flow properties focus purely on control flow in the sense that they abstract away any kind of program data and target only call and return events. By behavioural properties we refer to properties regarding execution behaviour and by structural properties to properties regarding sequences of instructions in the source code or object code. The result presented in this thesis takes this transformation procedure one step further and assume that some methods (or functions or procedures, depending on the programming language) are given in the form of models called flow graph, while the remaining methods are left unspecified. The output then becomes a set of structural constraints for the unspecified methods, which they must adhere to in order for any completion of the partial flow graph to satisfy the behavioural formula.
Om vi har ett program med strikta kontrollflödeskrav och vill garantera att vissa systemkrav uppfylls genom att verifiera formella egenskaper av detta program, samtidigt som en del av kodbasen är i form av ett plug-in eller tredjeparts-bibliotek som vi inte har tillgång till vid verifieringen, så kan proceduren som presenteras i detta examensarbete användas för att generera de systemkrav som de plug-in eller tredjeparts-bibliotek behöver uppfylla för att slutprodukten ska passera de givna systemkraven. Detta examensarbete bygger på en transformationsprocedur som omvandlar kontrollflödesegenskaper på en beteendemässig form till en strukturell form. Kontrollflödes-egenskaperna fokuserar uteslutande på kontrollflöden i den meningen att de abstraherar bort all form av programdata och berör enbart anrop- och retur-händelser. Med beteendemässiga egenskaper syftar vi på egenskaper som berör exekverings-beteende och med strukturella egenskaper syftar vi på egenskaper som berör ordningen på instruktionerna i källkoden eller objektkoden. Resultatet i detta examensarbete tar denna transformationsprocedur ett steg längre och antar att vissa metoder (eller funktioner eller procedurer beroende på programmeringsspråk) är redan givna i formen av modeller som kallas flödesgrafer, medan resten av metoderna fortfarande är ospecificerade. Utdata blir då en mängd av strukturella restriktioner för de ospecificerade metoderna, som de måste följa för att en fulländning av den partiella flödesgrafen ska satisfiera den beteendemässiga formeln.

The research in this thesis is undertaken by observing that modern systems are becoming more and more complex and safety-critical due to the increasing requirements on system smartness and autonomy, and as a result health monitoring system needs to be developed to meet the requirements on system safety and reliability. The state-of-the-art approaches to monitoring system status are model based Fault Diagnosis (FD) systems, which can fuse the advantages of system physical modelling and sensors' characteristics. A number of model based FD approaches have been proposed. The conventional residual based approaches by monitoring system output estimation errors, however, may have certain limitations such as complex diagnosis logic for fault isolation, less sensitiveness to system faults and high computation load. More importantly, little attention has been paid to the problem of fault diagnosis system verification which answers the question that under what condition (i.e., level of uncertainties) a fault diagnosis system is valid. To this end, this thesis investigates the design and verification of fault diagnosis algorithms. It first highlights the differences between two popular FD approaches (i.e., residual based and fault estimation based) through a case study. On this basis, a set of uncertainty estimation algorithms are proposed to generate fault estimates according to different specifications after interpreting the FD problem as an uncertainty estimation problem. Then FD algorithm verification and threshold selection are investigated considering that there are always some mismatches between the real plant and the mathematical model used for FD observer design. Reachability analysis is drawn to evaluate the effect of uncertainties and faults such that it can be quantitatively verified under what condition a FD algorithm is valid. First the proposed fault estimation algorithms in this thesis, on the one hand, extend the existing approaches by pooling the available prior information such that performance can be enhanced, and on the other hand relax the existence condition and reduce the computation load by exploiting the reduced order observer structure. Second, the proposed framework for fault diagnosis system verification bridges the gap between academia and industry since on the one hand a given FD algorithm can be verified under what condition it is effective, and on the other hand different FD algorithms can be compared and selected for different application scenarios. It should be highlighted that although the algorithm design and verification are for fault diagnosis systems, they can also be applied for other systems such as disturbance rejection control system among many others.

In this thesis, we are interested in designing schedulers for hybrid systems. We consider two specific subclasses of hybrid systems, real-time systems where tasks are competing for the access to common resources, and sampled switched systems where a choice has to be made on dynamics of the system to reach goals. Scheduling consists in defining the order in which the tasks will be run on the processors in order to complete all the tasks before a given deadline. In the first part of this thesis, we are interested in the scheduling of periodic tasks on multiprocessor architectures. We are especially interested in the robustness of schedulers, i.e., to prove that some values of the system parameters can be modified, and until what value they can be extended while preserving the scheduling order and meeting the deadlines. The Inverse Method can be used to prove the robustness of parametric timed systems. In this thesis, we introduce a state space reduction technique which allows us to treat challenging case studies such as one provided by Astrium EADS for the launcher Ariane 6. We also present how an extension of the Inverse Method, the Behavioral Cartography, can solve the problem of schedulability, i.e., finding the area in the parametric space in which there exists a scheduler that satisfies all the deadlines. We compare this approach to an analytic method to illustrate the interest of our approach In the second part of this thesis, we are interested in the control of affine switched systems. These systems are governed by a finite family of affine differential equations. At each time step, a controller can choose which dynamics will govern the system for the next time step. Controlling in this sense can be seen as a scheduling on the order of dynamics the system will have to use. The objective for the controller can be to make the system stay in a given area of the state space (stability) or to reach a given region of the state space (reachability). In this thesis, we propose a novel approach that computes a scheduler where the strategy is uniform for dense subsets of the state space. Moreover, our approach only uses forward computation, which is better suited than backward computation for contractive systems. We show that our designed controllers, systems evolve to a limit cyclic behavior. We apply our method to several case studies from the literature and on a real-life prototype of a multilevel voltage converter. Moreover, we show that our approach can be extended to systems with perturbations and non-linear dynamics.

[ES] La utilización de sistemas empotrados en cada vez más ámbitos de aplicación está llevando a que su diseño deba enfrentarse a mayores requisitos de rendimiento, consumo de energía y área (PPA). Asimismo, su utilización en aplicaciones críticas provoca que deban cumplir con estrictos requisitos de confiabilidad para garantizar su correcto funcionamiento durante períodos prolongados de tiempo. En particular, el uso de dispositivos lógicos programables de tipo FPGA es un gran desafío desde la perspectiva de la confiabilidad, ya que estos dispositivos son muy sensibles a la radiación. Por todo ello, la confiabilidad debe considerarse como uno de los criterios principales para la toma de decisiones a lo largo del todo flujo de diseño, que debe complementarse con diversos procesos que permitan alcanzar estrictos requisitos de confiabilidad. Primero, la evaluación de la robustez del diseño permite identificar sus puntos débiles, guiando así la definición de mecanismos de tolerancia a fallos. Segundo, la eficacia de los mecanismos definidos debe validarse experimentalmente. Tercero, la evaluación comparativa de la confiabilidad permite a los diseñadores seleccionar los componentes prediseñados (IP), las tecnologías de implementación y las herramientas de diseño (EDA) más adecuadas desde la perspectiva de la confiabilidad. Por último, la exploración del espacio de diseño (DSE) permite configurar de manera óptima los componentes y las herramientas seleccionados, mejorando así la confiabilidad y las métricas PPA de la implementación resultante. Todos los procesos anteriormente mencionados se basan en técnicas de inyección de fallos para evaluar la robustez del sistema diseñado. A pesar de que existe una amplia variedad de técnicas de inyección de fallos, varias problemas aún deben abordarse para cubrir las necesidades planteadas en el flujo de diseño. Aquellas soluciones basadas en simulación (SBFI) deben adaptarse a los modelos de nivel de implementación, teniendo en cuenta la arquitectura de los diversos componentes de la tecnología utilizada. Las técnicas de inyección de fallos basadas en FPGAs (FFI) deben abordar problemas relacionados con la granularidad del análisis para poder localizar los puntos débiles del diseño. Otro desafío es la reducción del coste temporal de los experimentos de inyección de fallos. Debido a la alta complejidad de los diseños actuales, el tiempo experimental dedicado a la evaluación de la confiabilidad puede ser excesivo incluso en aquellos escenarios más simples, mientras que puede ser inviable en aquellos procesos relacionados con la evaluación de múltiples configuraciones alternativas del diseño. Por último, estos procesos orientados a la confiabilidad carecen de un soporte instrumental que permita cubrir el flujo de diseño con toda su variedad de lenguajes de descripción de hardware, tecnologías de implementación y herramientas de diseño. Esta tesis aborda los retos anteriormente mencionados con el fin de integrar, de manera eficaz, estos procesos orientados a la confiabilidad en el flujo de diseño. Primeramente, se proponen nuevos métodos de inyección de fallos que permiten una evaluación de la confiabilidad, precisa y detallada, en diferentes niveles del flujo de diseño. Segundo, se definen nuevas técnicas para la aceleración de los experimentos de inyección que mejoran su coste temporal. Tercero, se define dos estrategias DSE que permiten configurar de manera óptima (desde la perspectiva de la confiabilidad) los componentes IP y las herramientas EDA, con un coste experimental mínimo. Cuarto, se propone un kit de herramientas que automatiza e incorpora con eficacia los procesos orientados a la confiabilidad en el flujo de diseño semicustom. Finalmente, se demuestra la utilidad y eficacia de las propuestas mediante un caso de estudio en el que se implementan tres procesadores empotrados en un FPGA de Xilinx serie 7.
[CA] La utilització de sistemes encastats en cada vegada més àmbits d'aplicació està portant al fet que el seu disseny haja d'enfrontar-se a majors requisits de rendiment, consum d'energia i àrea (PPA). Així mateix, la seua utilització en aplicacions crítiques provoca que hagen de complir amb estrictes requisits de confiabilitat per a garantir el seu correcte funcionament durant períodes prolongats de temps. En particular, l'ús de dispositius lògics programables de tipus FPGA és un gran desafiament des de la perspectiva de la confiabilitat, ja que aquests dispositius són molt sensibles a la radiació. Per tot això, la confiabilitat ha de considerar-se com un dels criteris principals per a la presa de decisions al llarg del tot flux de disseny, que ha de complementar-se amb diversos processos que permeten aconseguir estrictes requisits de confiabilitat. Primer, l'avaluació de la robustesa del disseny permet identificar els seus punts febles, guiant així la definició de mecanismes de tolerància a fallades. Segon, l'eficàcia dels mecanismes definits ha de validar-se experimentalment. Tercer, l'avaluació comparativa de la confiabilitat permet als dissenyadors seleccionar els components predissenyats (IP), les tecnologies d'implementació i les eines de disseny (EDA) més adequades des de la perspectiva de la confiabilitat. Finalment, l'exploració de l'espai de disseny (DSE) permet configurar de manera òptima els components i les eines seleccionats, millorant així la confiabilitat i les mètriques PPA de la implementació resultant. Tots els processos anteriorment esmentats es basen en tècniques d'injecció de fallades per a poder avaluar la robustesa del sistema dissenyat. A pesar que existeix una àmplia varietat de tècniques d'injecció de fallades, diverses problemes encara han d'abordar-se per a cobrir les necessitats plantejades en el flux de disseny. Aquelles solucions basades en simulació (SBFI) han d'adaptar-se als models de nivell d'implementació, tenint en compte l'arquitectura dels diversos components de la tecnologia utilitzada. Les tècniques d'injecció de fallades basades en FPGAs (FFI) han d'abordar problemes relacionats amb la granularitat de l'anàlisi per a poder localitzar els punts febles del disseny. Un altre desafiament és la reducció del cost temporal dels experiments d'injecció de fallades. A causa de l'alta complexitat dels dissenys actuals, el temps experimental dedicat a l'avaluació de la confiabilitat pot ser excessiu fins i tot en aquells escenaris més simples, mentre que pot ser inviable en aquells processos relacionats amb l'avaluació de múltiples configuracions alternatives del disseny. Finalment, aquests processos orientats a la confiabilitat manquen d'un suport instrumental que permeta cobrir el flux de disseny amb tota la seua varietat de llenguatges de descripció de maquinari, tecnologies d'implementació i eines de disseny. Aquesta tesi aborda els reptes anteriorment esmentats amb la finalitat d'integrar, de manera eficaç, aquests processos orientats a la confiabilitat en el flux de disseny. Primerament, es proposen nous mètodes d'injecció de fallades que permeten una avaluació de la confiabilitat, precisa i detallada, en diferents nivells del flux de disseny. Segon, es defineixen noves tècniques per a l'acceleració dels experiments d'injecció que milloren el seu cost temporal. Tercer, es defineix dues estratègies DSE que permeten configurar de manera òptima (des de la perspectiva de la confiabilitat) els components IP i les eines EDA, amb un cost experimental mínim. Quart, es proposa un kit d'eines (DAVOS) que automatitza i incorpora amb eficàcia els processos orientats a la confiabilitat en el flux de disseny semicustom. Finalment, es demostra la utilitat i eficàcia de les propostes mitjançant un cas d'estudi en el qual s'implementen tres processadors encastats en un FPGA de Xilinx serie 7.
[EN] Embedded systems are steadily extending their application areas, dealing with increasing requirements in performance, power consumption, and area (PPA). Whenever embedded systems are used in safety-critical applications, they must also meet rigorous dependability requirements to guarantee their correct operation during an extended period of time. Meeting these requirements is especially challenging for those systems that are based on Field Programmable Gate Arrays (FPGAs), since they are very susceptible to Single Event Upsets. This leads to increased dependability threats, especially in harsh environments. In such a way, dependability should be considered as one of the primary criteria for decision making throughout the whole design flow, which should be complemented by several dependability-driven processes. First, dependability assessment quantifies the robustness of hardware designs against faults and identifies their weak points. Second, dependability-driven verification ensures the correctness and efficiency of fault mitigation mechanisms. Third, dependability benchmarking allows designers to select (from a dependability perspective) the most suitable IP cores, implementation technologies, and electronic design automation (EDA) tools. Finally, dependability-aware design space exploration (DSE) allows to optimally configure the selected IP cores and EDA tools to improve as much as possible the dependability and PPA features of resulting implementations. The aforementioned processes rely on fault injection testing to quantify the robustness of the designed systems. Despite nowadays there exists a wide variety of fault injection solutions, several important problems still should be addressed to better cover the needs of a dependability-driven design flow. In particular, simulation-based fault injection (SBFI) should be adapted to implementation-level HDL models to take into account the architecture of diverse logic primitives, while keeping the injection procedures generic and low-intrusive. Likewise, the granularity of FPGA-based fault injection (FFI) should be refined to the enable accurate identification of weak points in FPGA-based designs. Another important challenge, that dependability-driven processes face in practice, is the reduction of SBFI and FFI experimental effort. The high complexity of modern designs raises the experimental effort beyond the available time budgets, even in simple dependability assessment scenarios, and it becomes prohibitive in presence of alternative design configurations. Finally, dependability-driven processes lack an instrumental support covering the semicustom design flow in all its variety of description languages, implementation technologies, and EDA tools. Existing fault injection tools only partially cover the individual stages of the design flow, being usually specific to a particular design representation level and implementation technology. This work addresses the aforementioned challenges by efficiently integrating dependability-driven processes into the design flow. First, it proposes new SBFI and FFI approaches that enable an accurate and detailed dependability assessment at different levels of the design flow. Second, it improves the performance of dependability-driven processes by defining new techniques for accelerating SBFI and FFI experiments. Third, it defines two DSE strategies that enable the optimal dependability-aware tuning of IP cores and EDA tools, while reducing as much as possible the robustness evaluation effort. Fourth, it proposes a new toolkit (DAVOS) that automates and seamlessly integrates the aforementioned dependability-driven processes into the semicustom design flow. Finally, it illustrates the usefulness and efficiency of these proposals through a case study consisting of three soft-core embedded processors implemented on a Xilinx 7-series SoC FPGA.
Tuzov, I. (2020). Dependability-driven Strategies to Improve the Design and Verification of Safety-Critical HDL-based Embedded Systems [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/159883
TESIS

Functional proton-beam stereotactic radiosurgery requires sub-millimeter alignment accuracy. A patient tracking system called Sequential Alignment and Position Verification System (SAVPS) is under development at Loma Linda University Medical Center. An optical positioning system (OPS), manufactured by Vicon Peak, has been chosen to verify the correct alignment of the target with the proton beam axis. The main objective of this thesis is to optimize an existing version of SAVPS by conducting error analysis. An image processing algorithm was developed and applied to estimate the error introduced by the Patient Positioning System (PPS) in order to derive the true error of the SAVPS.

Organisations such as governments and healthcare bodies are increasingly responsible for managing large amounts of personal information, and the increasing complexity of modern information systems is causing growing concerns about the protection of these assets from insider threats. Insider threats are very difficult to handle, because the insiders have direct access to information and are trusted by their organisations. The nature of insider privacy breaches varies with the organisation’s acceptable usage policy and the attributes of an insider. However, the level of risk that insiders pose depends on insider breach scenarios including their access patterns and contextual information, such as timing of access. Protection from insider threats is a newly emerging research area, and thus, only few approaches are available that systemise the continuous monitoring of dynamic insider usage characteristics and adaptation depending on the level of risk. The aim of this research is to develop a formal framework for an adaptive early warning and response system for insider privacy breaches within dynamic software systems. This framework will allow the specification of multiple policies at different risk levels, depending on event patterns, timing constraints, and the enforcement of adaptive response actions, to interrupt insider activity. Our framework is based on Usage Control (UCON), a comprehensive model that controls previous, ongoing, and subsequent resource usage. We extend UCON to include interrupt policy decisions, in which multiple policy decisions can be expressed at different risk levels. In particular, interrupt policy decisions can be dynamically adapted upon the occurrence of an event or over time. We propose a computational model that represents the concurrent behaviour of an adaptive early warning and response system in the form of statechart. In addition, we propose a Privacy Breach Specification Language (PBSL) based on this computational model, in which event patterns, timing constraints, and the triggered early warning level are expressed in the form of policy rules. The main features of PBSL are its expressiveness, simplicity, practicality, and formal semantics. The formal semantics of the PBSL, together with a model of the mechanisms enforcing the policies, is given in an operational style. Enforcement mechanisms, which are defined by the outcomes of the policy rules, influence the system state by mutually interacting between the policy rules and the system behaviour. We demonstrate the use of this PBSL with a case study from the e-government domain that includes some real-world insider breach scenarios. The formal framework utilises a tool that supports the animation of the enforcement and policy models. This tool also supports the model checking used to formally verify the safety and progress properties of the system over the policy and the enforcement specifications.

Thesis (S.B.)--Massachusetts Institute of Technology, Dept. of Mechanical Engineering, 2010.
Cataloged from PDF version of thesis.
Includes bibliographical references (p. 54).
Underactuated robotics, though surrounded by an established body of work, has certain limitations when nonlinear adaptive control principles are applied. This thesis applies a nonlinear adaptative controller that avoids many of these limitations using alterations inspired by the control of a similar underactuated system, the cart-pole. Due to the complexity of the system, a sums-of-squares MATLAB toolbox is used to generate a suitable Lyapunov Candidate used for proofs of stability, with claims of local stability made using Barbalat's Lemma. This provides us with a local domain of attraction for the altered classical nonlinear adaptive controller. In addition, the algorithm known as LQR Trees is applied to the system in order to create a controller with a larger region of attraction and lower torque requirements, though without an adaptive component. Both control systems are implemented in simulations using MATLAB.
by Ian Charles Rust.
S.B.

Mestrado em Engenharia Eletrónica e Telecomunicações
O reconhecimento facial tem vindo a receber bastante atenção ao longo dos últimos anos não só na comunidade cientifica, como também no ramo comercial. Uma das suas várias aplicações e o seu uso num controlo de acessos onde um indivíduo tem uma ou várias fotos associadas a um documento de identificação (também conhecido como verificação de identidade). Embora atualmente o estado da arte apresente muitos estudos em que tanto apresentam novos algoritmos de reconhecimento como melhorias aos já desenvolvidos, existem mesmo assim muitos problemas ligados a ambientes não controlados, a aquisição de imagem e a escolha dos algoritmos de deteção e de reconhecimento mais eficazes. Esta tese aborda um ambiente desafiador para a verificação facial: um cenário não controlado para o acesso a infraestruturas desportivas. Uma vez que não existem condições de iluminação controladas nem plano de fundo controlado, isto torna um cenário complicado para a implementação de um sistema de verificação facial. Esta tese apresenta um estudo sobre os mais importantes algoritmos de detecção e reconhecimento facial assim como técnicas de pré-processamento tais como o alinhamento facial, a igualização de histograma, com o objetivo de melhorar a performance dos mesmos. Também em são apresentados dois métodos para a aquisição de imagens envolvendo a seleção de imagens e calibração da câmara. São apresentados resultados experimentais detalhados baseados em duas bases de dados criadas especificamente para este estudo. No uso de técnicas de pré-processamento apresentadas, foi possível presenciar melhorias até 20% do desempenho dos algoritmos de reconhecimento referentes a verificação de identidade. Com os métodos apresentados para os testes ao ar livre, foram conseguidas melhorias na ordem dos 30%.
Face Recognition has been received great attention over the last years, not only on the research community, but also on the commercial side. One of the many uses of face recognition is its use on access control systems where a person has one or several photos associated to an Identi cation Document (also known as identity veri cation). Although there are many studies nowadays, both presenting new algorithms or just improvements of the already developed ones, there are still many open problems regarding face recognition in uncontrolled environments, from the image acquisition conditions to the choice of the most e ective detection and recognition algorithms, just to name a few. This thesis addresses a challenging environment for face veri cation: an unconstrained environment for sports infrastructures access. As there are no controlled lightning conditions nor controlled background, this makes a di cult scenario to implement a face veri cation system. This thesis presents a study of some of the most important facial detection and recognition algorithms as well as some pre-processing techniques, such as face alignment and histogram equalization, with the aim to improve their performance. It also introduces some methods for a more e cient image acquisition based on image selection and camera calibration, specially designed for addressing this problem. Detailed experimental results are presented based on two new databases created speci cally for this study. Using pre-processing techniques, it was possible to improve the recognition algorithms performances up to 20% regarding veri cation results. With the methods presented for the outdoor tests, performances had improvements up to 30%

Synchronous generators have been used in hydropower from more than a century where, traditionally, the field current is transferred to the rotor using slip rings and carbon brushes. There are some major disadvantages following the use static excitation; regular and expensive maintenance, as well as a source of carbon dust which, due to buildup, may cause short circuits. To avoid these problems associated with slip ring exciter systems, a system that use induction to transfer power to the rotor could be used instead. Systems that utilize brushless excitation today usually regulates the current by controlling the magnetization of the exciter stator, which is comparably slower than their static counterparts. In order to allow for swift regulation of the field current from a brushless exciter, required power electronics and controllers have to be present on the rotor shaft instead. The aim of this project is to start investigating if commercially available products, which are originally indented to be used in a stationary environment, could accomplish this. The results from this study shows that it is possible to use such products to control the field current. The components were found to withstand the exposure of high g-forces and vibrations, albeit only during the relatively small amount of time in which rotary testing was performed. As such there is no certainty that the components would remain functional for the considerably longer time that any commercial use would require them to.

Nous avons étudié dans le cadre de cette thèse le design, la vérification et l'implémentation des systèmes à composants. Nous nous sommes intéressés en particulier aux formalismes exprimant des interactions complexes, dans lesquels les connecteurs servent non seulement au transfert de données mais également à la synchronisation entre composants. 1. DESIGN ET VÉRIFICATION Le design par contrat est une approche largement répandue pour développer des systèmes lorsque plusieurs équipes travaillent en parallèle. Les contrats représentent des contraintes sur les implémentations qui sont préservées tout au long du développement et du cycle de vie d'un système. Ils peuvent donc servir également à la phase de vérification d'un tel système. Notre but n'est pas de proposer un nouveau formalisme de spécification, mais plutôt de définir un ensemble minimal de propriétés qu'une théorie basée sur les contrats doit satisfaire pour permettre certains raisonnements. En cela, nous cherchons à séparer explicitement les propriétés spécifiques à chaque formalisme de spécification et les règles de preuves génériques. Nous nous sommes attachés à fournir des définitions suffisamment générales pour exprimer un large panel de langages de spécification, et plus particulièrement ceux dans lesquels les interactions sont complexes, tels que Reo ou BIP. Pour ces derniers, raisonner sur la structure du système est essentiel et c'est pour cette raison que nos contrats ont une partie structurelle. Nous montrons comment découle de la propriété nommée raisonnement circulaire une règle pour prouver la dominance sans composer les contrats, et comment cette propriété peut être affaiblie en utilisant plusieurs relations de raffinement. Notre travail a été motivé par les langages de composants HRC L0 et L1 définis dans le projet SPEEDS. 2. IMPLÉMENTATION Synthétiser un contrôleur distribué imposant une contrainte globale sur un système est dans le cas général un problème indécidable. On peut obtenir la décidabilité en réduisant la concurrence: nous proposons une méthode qui synchronise les processus de façon temporaire. Dans les travaux de Basu et al., le contrôle distribué est obtenu en pré-calculant par model checking la connaissance de chaque processus, qui reflète dans un état local donné toutes les configurations possibles des autres processus. Ensuite, à l'exécution, le contrôleur local d'un processus décide si une action peut être exécutée sans violer la contrainte globale. Nous utilisons de même des techniques de model checking pour pré-calculer un ensemble minimal de points de synchronisation au niveau desquels plusieurs processus partagent leur connaissance au court de brèves périodes de coordination. Après chaque synchronisation, les processus impliqués peuvent de nouveau progresser indépendamment les uns des autres jusqu'à ce qu'une autre synchronisation ait lieu. Une des motivations pour ce travail est l'implémentation distribuée de systèmes BIP.

This thesis is an investigation into the unique rural banking system in Ghana and the role of information systems in fraud control. It presents a robust information security and internal control model to deal with fraud for the banking system. The rural banking industry has been noted for poor internal control leading to fraud. This has resulted in poor performance and even the collapse of some banks. The Focus of the study was on the processes used to deliver banking services. To design a protection system, a number of rural banks were visited. This was to understand the environment, regulatory regimes and the structure and banking processes of the industry and banks. Systemic vulnerabilities within the industry which could be exploited for fraud were found. The lack of structures like an address system and unreliable identification documents makes it difficult to use conventional identification processes. Also the lack of adequate controls, small staff numbers and the cross organisational nature of some transactions among other cultural issues reduces the ability to implement transaction controls. Twenty fraud scenarios were derived to illustrate the manifestation of these vulnerabilities. The rural banking integrity model was developed to deal with these observations. This protection model was developed using existing information security models and banking control mechanisms but incorporating the nature of the rural banking industry and culture of its environment. The fraud protection model was tested against the fraud scenarios and was shown to meet the needs of the rural banking industry in dealing with its systemic vulnerabilities. The proposed community-based identification scheme deals with identification weaknesses as an alternative to conventional identity verification mechanisms. The Transaction Authentication Code uses traditional adinkra symbols. Whilst other mechanisms like the Transaction Verification Code design v internal controls into the banking processes. This deals with various process control weaknesses and avoids human discretion in complying with controls. Object based separation of duties is also introduced as a means of controlling conflicting tasks which could lead to fraud.

Model-based development is one of the most significant areas in recent research and development activities in the field of automotive industry. As the field of software engineering is evolving, model based development is gaining more and more importance in academia and industry. Therefore, it is desirable to have techniques that are able to identify anomalies in system models during the analysis and design phase instead of identifying them in development phase where it is difficult to detect them and a lot of time, effort and resources are required to fix them. Model checking is a formal verification technique that facilitates the identification of defects in system models during early stages of system development. There are a lot of tools in academia and industry that provide the automated support for model checking.  In this master thesis a vehicle control system of Scania the Fuel Level Display System is modeled in two different model checking tools; Simulink Design Verifier and UPPAAL. The requirements that are to be satisfied by the system model are verified by both tools. After verifying the requirements against the system model and checking the model against general design errors, it is established that the model checking can be effectively used for detecting the design errors in early development phases and can help developing better systems. Both the tools are analyzed depending upon the features supported. Moreover, relevance of model checking is studied with respect to ISO 26262 standard.

This thesis is an investigation into the unique rural banking system in Ghana and the role of information systems in fraud control. It presents a robust information security and internal control model to deal with fraud for the banking system. The rural banking industry has been noted for poor internal control leading to fraud. This has resulted in poor performance and even the collapse of some banks. The Focus of the study was on the processes used to deliver banking services. To design a protection system, a number of rural banks were visited. This was to understand the environment, regulatory regimes and the structure and banking processes of the industry and banks. Systemic vulnerabilities within the industry which could be exploited for fraud were found. The lack of structures like an address system and unreliable identification documents makes it difficult to use conventional identification processes. Also the lack of adequate controls, small staff numbers and the cross organisational nature of some transactions among other cultural issues reduces the ability to implement transaction controls. Twenty fraud scenarios were derived to illustrate the manifestation of these vulnerabilities. The rural banking integrity model was developed to deal with these observations. This protection model was developed using existing information security models and banking control mechanisms but incorporating the nature of the rural banking industry and culture of its environment. The fraud protection model was tested against the fraud scenarios and was shown to meet the needs of the rural banking industry in dealing with its systemic vulnerabilities. The proposed community-based identification scheme deals with identification weaknesses as an alternative to conventional identity verification mechanisms. The Transaction Authentication Code uses traditional adinkra symbols. Whilst other mechanisms like the Transaction Verification Code design v internal controls into the banking processes. This deals with various process control weaknesses and avoids human discretion in complying with controls. Object based separation of duties is also introduced as a means of controlling conflicting tasks which could lead to fraud.

Web systems have become an integral part in daily life of billions of people. Social is a key characteristic today’s web projects need to feature in order to be successful in the social age. To benefit from an improved user experience, individual persons are continually invited to reveal more and more personal data to web systems. With a rising severity of attacks on web systems, it is evident that their security is inadequate for the amount of accumulated personal data. Numerous threat reports indicate that social media has become a top-ranking attack target, with climbing impacts, with ramifications beyond single individuals and with a booming black market to trade leaked personal data. To enhance information security in managing personal data by web systems for the mutual benefit of individual persons, companies and governments, this dissertation proposes a solution architecture and three research contributions. While the solution architecture establishes the foundation for a more secure management of personal data by web systems, the research contributions represent complementary components for protecting personal data against unwanted data disclosure, tampering and use without the actual data owner’s intent or knowledge. Not only do these components enable seamless integration and combination, but they also contribute to assure quality and maintainability. The dissertation concludes with discussing evaluation results and providing an outlook towards future work.

Web systems have become an integral part in daily life of billions of people. Social is a key characteristic today’s web projects need to feature in order to be successful in the social age. To benefit from an improved user experience, individual persons are continually invited to reveal more and more personal data to web systems. With a rising severity of attacks on web systems, it is evident that their security is inadequate for the amount of accumulated personal data. Numerous threat reports indicate that social media has become a top-ranking attack target, with climbing impacts, with ramifications beyond single individuals and with a booming black market to trade leaked personal data. To enhance information security in managing personal data by web systems for the mutual benefit of individual persons, companies and governments, this dissertation proposes a solution architecture and three research contributions. While the solution architecture establishes the foundation for a more secure management of personal data by web systems, the research contributions represent complementary components for protecting personal data against unwanted data disclosure, tampering and use without the actual data owner’s intent or knowledge. Not only do these components enable seamless integration and combination, but they also contribute to assure quality and maintainability. The dissertation concludes with discussing evaluation results and providing an outlook towards future work.

La robotique industrielle actuelle se trouve dans un etat peu developpe, les taches communement effectuees par les robots etant essentiellement liees a des processus de fabrication tres simples. Pourtant, les developpements technologiques lies a la robotique n'ont pas cesse de s'accroitre, et notamment ceux qui concernent les capacites sensorielles du robot. Les controleurs de robots actuellement commercialises sont generalement des machines fermees, ne permettant pas au concepteur d'acceder au niveau des algorithmes de commande pour realiser de nouvelles applications, telles que des commandes de robots referencees capteurs. La contribution de cette these tourne autour d'orccad (open robot controller computer-aided design) qui est un projet d'atelier de genie logiciel pour la robotique, devant rassembler un ensemble de techniques et d'outils informatiques pour la specification, la verification, la simulation et l'execution sur une architecture multiprocesseurs et multicapteurs d'actions robotiques. L'approche fonction de tache est utilisee pour la description d'actions robotiques. Un environnement de simulation d'actions robotiques a ete developpe, il permet le test et la mise au point de la loi de commande de ces actions. Il est base sur le systeme simparc (concu a l'origine pour la simulation d'architectures materielles multiprocesseurs des controleurs de robots). Le bon fonctionnement d'une action robotique a ete caracterise en termes d'un ensemble de proprietes que les actions robotiques doivent respecter. Les differentes techniques de modelisation et de verification de systemes temps-reel, auxquels les actions robotiques appartiennent, ont ete etudiees. Ce travail decrit aussi la conception et le developpement d'un outil informatique, base sur la theorie de reseaux de petri temporises, pour la verification automatique de ces proprietes. Finalement, une validation experimentale des principes et des outils developpes est presentee. Elle met en uvre trois taches-robot typiques de la robotique manufacturiere

Conception assistee par ordinateur dans le domaine des circuits electroniques a haut niveau d'integration en presentant une methode conception de ces circuits integres et la chaine d'outils logiciels adaptes a cette methode