Machines in dialogue
Cyber-physical systems are in strong demand for their ability to increase road traffic safety and optimize electricity consumption from renewable sources. They link vehicles to sensors that monitor traffic and order the car to brake if a dangerous situation arises, for example. Or they distribute electricity from multiple power plants to consumers as efficiently as possible. Rupak Majumdar, Director at the Max Planck Institute for Software Systems in Kaiserslautern, develops mathematical methods for ensuring the reliability of these networked systems.
Text: Gordon Bolduan
Everything is prepared in the conference hall of Saarland University. Staff members of the press department have arranged the tables on the light-colored wooden flooring into a U-shape and placed name plates on the seats. Positioned in the middle is an orange and blue microphone belonging to the German public broadcasting radio station Deutschlandfunk. Journalists from the public broadcasting service Saarländischer Rundfunk have meanwhile gathered at the open end of the large U and set up their cameras and tripods. They are there to capture the event on film for Tagesschau, a nationwide evening news program. For a short moment, the cameraman takes a close-up shot of the name plate reading "Rupak Majumdar". Then he zooms out. The camera now focuses on a man wearing a black sports coat over a light blue shirt and no tie. His hair is black, his eyes are hazel.
Rupak Majumdar comes from India, is 38 years old and Director at the Max Planck Institute for Software Systems in Kaiserslautern in the German federal state of Rhineland-Palatinate. The press conference was called because he and three computer science professors from Saarland University were awarded the European Research Council's largest research grant, valued at 9.3 million euros. Over the next six years, this money will serve to help them find a way to reconcile the conflict between safety and freedom on the World Wide Web. The Internet is one of the peripheral fields associated with Majumdar's research.
His primary focus is on the foundations of what are known as cyber-physical systems (CPS). These systems are promising not only in terms of fostering economic growth, but also for finding solutions to major societal challenges. Their advantage is that they are rooted both in the real and in the digital world. They link physical sensors and controls in devices, buildings, vehicles and medical equipment with communication networks such as the Internet. In this way, physical data can be gathered in a real environment and analyzed anywhere on the globe. The results can trigger further arithmetic instructions as needed, which in turn alter the real world via special actuators. Majumdar develops algorithms, or arithmetic instructions, that make it possible to increase the reliability of these kinds of complicated systems as early as in the design phase.
The press conference is over. Majumdar quickly swipes away the e-mails that appeared on his smartphone before rushing to his car. It's roughly a 70 kilometer drive from Saarbrücken to Kaiserslautern, where he has headed the Max Planck Institute since 2010. He also lives there, with his wife and two sons. Majumdar is in a rush. He promised to pick up his eldest son from school and take him to a friend's birthday party. That means he needs to be in Kaiserslautern in about an hour. In the future, cyber-physical systems could assist users with endeavors like this, as well. According to the agenda CPS study conducted by the National Academy of Science and Engineering (acatech), the resulting scenario could look something like this:
Majumdar enters his destination into his smartphone, in addition to the desired time of arrival, stopovers and costs. The smartphone, which is connected to various service providers via the Internet, contacts these providers and then lists the options. Majumdar decides to take the regional train. The ticket is inexpensive, and he can work during the commute. His smartphone then suggests renting a vehicle from a car-sharing provider located close to the train station in Kaiserslautern. He could use the car to pick up his son from school and drop him off at the birthday party.
Majumdar agrees. On the way to the central train station in Saarbrücken, his cell phone beeps. It displays a text message notifying him of the fact that his train will be running 20 minutes late because another train on the same track is experiencing technical difficulties, thus jeopardizing his time schedule. As an alternative, the system suggests renting a car here in Saarbrücken. Once again, Majumdar agrees, and the system now initiates two further operations in the background: it cancels the train ticket and rents a car from a service provider located directly in Saarbrücken. In order to be able to work during the trip, Majumdar selects the self-driving vehicle option. By the time he opens the car door just minutes later, the system has already sent his entire travel itinerary to the vehicle's on-board computer.
This is made possible by the fact that his smartphone is connected to a kind of virtual butler on the Internet. Online, this calculates Majumdar's agenda for today based on his selected settings. The assistant also constantly requests up-to-date information from service providers such as traffic management systems and public transport operators. It uses this data to calculate alternatives, which it then lists as options that can be selected. Once Majumdar picks an alternative, the virtual assistant regularly verifies the real conditions. In the event of disruptions, it displays the relevant notifications on the smartphone's display and also informs everyone else involved in the travel itinerary of the changes that are being made.
"In Los Angeles, something like that would have made my life a whole lot easier," Majumdar explains, as he sits behind the steering wheel of his car. He spent six years there, teaching and researching as a professor at the University of California.
And the scenarios painted by the CPS prophet don't end there. Cyber-physical systems are expected to make road traffic not only more comfortable and stress-free, but also safer. This would require equipping street lights, house facades, sidewalks and vehicles with sensors designed for early detection of the presence of dangerous objects or persons at risk.
If Majumdar were to approach his son's school with the car and pass a bus waiting at a stop, for instance, it's possible that the car would suddenly brake very hard. One reason may be that the sensors embedded in the asphalt might have detected a child standing behind the bus, out of view. The moment the child's position is transmitted in real time to the virtual assistant in Majumdar's car, the assistant immediately decides to play it safe. It initiates the braking process while at the same time using what is known as vehicle-to-vehicle communication to inform the cars driving behind Majumdar of the situation. These cars then brake as well in order to prevent a pile-up. Scientists hope that this kind of technology could help significantly reduce the number of traffic-related injuries and mortalities.
Helping the elderly in an emergency and with shopping
Cyber-physical systems could also help to more easily deal with two other common societal challenges. In order to ensure that elderly persons can stay in their familiar surroundings for as long as possible, their apartments or houses would need to be equipped with sensors and voice-activated electronic devices. These would link together to form a cyber-physical system that learns to recognize the inhabitant's behavioral pattern when he or she is in a good state of health, and alert a doctor if any deviations from this pattern occur. If the inhabitant suffers from dementia, the system could also write shopping lists based on the food items stocked in their pantry, and monitor whether the person is taking their medication as required. The system could even detect if an elderly person falls, and initiate emergency measures.
Cyber-physical systems also play an important role in the transition from fossil fuels to renewable energy sources, with wind and solar power increasingly covering energy demand. However, the amount of electricity contributed by these energy sources naturally fluctuates. Thus, in order to ensure that the supply still satisfies the demand, the electricity must be transmitted using a clever mechanism. This approach is based on a vast energy information network that combines the regulation of the power grid with consumers, electricity producers and energy storage devices. The important components of this gigantic system include sensors in the form of smart meters located in households, along with information and communication technology, as well as adaptive arithmetic techniques.
Unlike conventional electricity meters, these sensors take into account the current energy prices and grid loads to make consumers aware of any power-guzzling appliances and give them tips on saving energy.
"In recent years there have been two key developments without which such scenarios would be absolutely unthinkable," explains Manfred Broy, professor of computer science at Technische Universität München (TUM). "This is the triumph of the Internet, spurred on by increasingly powerful and more-affordable computers," says the professor. Not to mention the increased use of embedded systems. While these small computers have limited capability, they feature sensors and actuators that help them understand and control the physical world.
Researchers and engineers are already faced with a series of challenges when it comes to designing and developing embedded systems. Cyber-physical systems significantly compound these difficulties. "The complexity of the systems that we want to build is always greater than the complexity that we can still reasonably monitor," Majumdar explains. The development of brakes for cars is a prime example of this.
Greater complexity: a multi-vehicle network
In 1978, the anti-lock braking system (ABS) was considered a technological milestone because it ensured improved steering and directional stability when a car's brakes were engaged. Seventeen years later, the automotive supplier Bosch launched the "electronic stability program" (ESP) for the Mercedes S-Class. As a combination of ABS, traction control and electronic brake-force distribution, it was designed to specifically decelerate individual wheels in order to prevent the vehicle from breaking away. Then, in 2003, Japanese car manufacturer Honda introduced the Collision Mitigation Brake System on the market. This type of emergency brake assist automatically initiates the braking process via the onboard computer as soon as it deems a situation critical. Using radio waves and laser beams, the system determines the distance between the vehicle and the obstacle. If the distance is too small, the system even triggers full braking.
Greater functionality requires a greater number of sensors and actuators, whose correct interaction in turn increases the system's complexity. An ABS affects only the wheel speed and brake force, while the ESP monitors the steering angle and various acceleration forces, specifically controls individual wheels and throttles the engine. The emergency brake assistant detects the car's surroundings as well as potential obstacles. Current technology such as computer vision can even detect pedestrians in the vicinity. "All of this is taking place inside a vehicle, and now we want to access a network that is established between multiple driving vehicles. This takes us to a whole new level of complexity," explains Majumdar.
A cyber-physical system with responsibilities
Constantly mastering this growing complexity is just one of the numerous challenges faced by scientists in this field. But the public, too, must become involved. Not only must society ask itself whether it wants to relinquish the responsibility of full braking to sensors and program codes, it must also define rules and guidelines for other applications involving cyber-physical systems, such as those that care for the elderly and regulate power supply.
Yet before any of this can happen, the public must first learn to accept cyber-physical systems. This means that the systems must always work in a reliable manner. Not only must they meet the expectations of the consumers and the engineers alike, but they must also never malfunction and be available at all times. Even if individual components were to fail due to an accident or as a result of damage, the ramifications must be kept to a minimum. And all of this must already be ensured while the systems are still being designed. This is where Rupak Majumdar comes into play.
The stairs, a combination of light-colored wooden flooring, metal and concrete, creak as he heads up to his office on the third floor of the Max Planck Institute for Software Systems in Kaiserslautern. The building still smells new - after all, the researchers just moved in last July. Six floors composed of offices, conference rooms and lounges surround a square-shaped atrium. With its second site in Saarbrücken and in addition to the Max Planck Institute for Informatics, this institute is one of two within the Max Planck Society devoted exclusively to computer science. This is where scientists research all kinds of structures and linkages of software systems. Here, Majumdar and his group develop methods that can be used to automatically check the operational safety of CPS.
High demands regarding reliability
"Obviously, the system should never fail," he explains, as he walks from his office to a meeting with his group. Before, it was possible to reboot the software if need be. "But the requirements are much greater, of course, when you design a control system for an entire electrical grid," Majumdar says, and adds: "When certain functions don't deliver the correct result within a clearly defined period of time, this can result in high costs or even, at worst, in a catastrophe." It is already complicated to ensure the reliability of embedded systems. Yet in the case of cyber-physical systems, there is an added difficulty: their components operate in both the analog-real world and the digital one. This fact must be taken into account when developing the models for these systems.
In the digital world, reliability is defined as 'robustness', a term computer scientists use to express that the system continues working in a satisfactory manner despite malfunctions. In the real world, which is described by control systems and differential equations, on the other hand, reliability is defined as 'input-output stability'.
Take a coil spring with a weight attached to one end as an example: No matter how far the weight is pulled down, once let go, the range of the spring pendulum won't exceed the distance by which it was initially extended. Friction causes the swinging motion to gradually die off. The fact that in a spring pendulum system, the limited input signal, namely pulling the spring downward, also induces a limited output signal, namely the swinging motion of the spring pendulum, is described as input-output stability.
Human factors: a tough nut to crack
Robustness and input-output stability can be applied only in their respective fields, so it isn't possible to express and calculate them for 'hybrid' systems such as cyber-physical systems. However, checking the reliability of precisely these systems is extremely important, for example with regard to ensuring a steady supply of electricity generated from solar and wind power. Majumdar has made a major contribution to this.
He expanded the definition of input-output stability from the world of real controls in such a way that it can now also be applied in the realm of bits and bytes. This is an important piece of the puzzle to also help assess the reliability of cyber-physical systems.
Yet for Majumdar, it isn't just these different approaches to developing models based on control systems and software technology that prove to be a challenge; the human factors are also a tough nut to crack. He calls it the 'semantic gap': various experts are involved in developing a control system. However, each of them focuses only on their individual level of abstraction, which in turn can lead to errors in the overall system. That is why Majumdar's goal is to be able to check all of the properties of such a system using an integrated program analysis.
The members of Majumdar's group have gathered in the room, which offers a sweeping view of the campus of the TU Kaiserslautern. They are sitting on blue chairs pulled up to white tables, attentively watching a researcher who has already gone up to the whiteboard. Rayna Dimitrova completed her doctorate in Saarbrücken and now conducts research in Kaiserslautern. She is wearing blue jeans and a white fleece sweater. She quickly fills the two boards with arrows, Latin and Greek letters, round and wavy brackets. Whenever she explains something, her right hand repeatedly opens and closes the cap of the big marker she is holding.
Arriving at the best abstraction step by step
Dimitrova's research focuses on refining abstractions. "That's what this game is all about," explains Majumdar: "We throw away certain pieces of information, but we make sure that we have enough information left over to conduct the analysis."
This approach is also suitable for testing the system models. Previous methods have one major drawback: if you want to model everything with great precision, the sheer number of possible states that such a system could adopt becomes so large that many computers need too much time to complete the computations for the model - if they can complete them at all. Majumdar and other researchers have further developed this approach and established what is known as counterexample-guided abstraction refinement. When applying this method, you start out with a very rough abstraction. Instead of modeling everything, the modeling is kept as cursory as possible error, this error is then used as a point of origin to describe this particular segment of the model. This step is repeated until the analysis no longer detects any possible errors. The researchers use this method to arrive at the best abstraction step by step. This abstraction helps the researchers prove, in mathematical terms, that the system as a whole works exactly as it should.
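The refinement loop described above can be sketched on a finite toy model. This is an added example, not code from Majumdar's group: the braking model, the names `make_succ`, `abstract_path`, `cegar` and `check`, and the choice to split a block by which of its states can step into the next block are all assumptions made for illustration.

```python
from collections import deque

def make_succ(brake_at):
    """Constructed toy model: state = (gap to obstacle, speed); brake once gap <= brake_at."""
    def succ(state):
        gap, speed = state
        if gap <= brake_at:
            speed = max(speed - 1, 0)
        return {(max(gap - speed, 0), speed)}
    return succ

def abstract_path(blocks, init, bad, succ):
    """Shortest path of block indices from an initial block to a bad block, or None."""
    block_of = {s: i for i, blk in enumerate(blocks) for s in blk}
    parent = {i: None for i, blk in enumerate(blocks) if blk & init}
    queue = deque(parent)
    while queue:
        i = queue.popleft()
        if blocks[i] & bad:
            path = []
            while i is not None:
                path.append(i)
                i = parent[i]
            return path[::-1]
        # Abstract edge i -> j: at least one concrete state in block i steps into block j.
        for j in {block_of[t] for s in blocks[i] for t in succ(s)}:
            if j not in parent:
                parent[j] = i
                queue.append(j)
    return None

def cegar(states, init, bad, succ):
    """Return (verdict, blocks, refinements) for a finite transition system."""
    blocks = [frozenset(bad), frozenset(states - bad)]  # very rough first abstraction
    rounds = 0
    while True:
        path = abstract_path(blocks, init, bad, succ)
        if path is None:
            return "safe", blocks, rounds  # no abstract error path, so no concrete one
        reach = blocks[path[0]] & init  # replay the abstract path on concrete states
        for k, nxt in enumerate(path[1:]):
            step = {t for s in reach for t in succ(s)} & blocks[nxt]
            if not step:
                # Spurious error: separate the states that really step into the
                # next block from the ones the replay got stuck in.
                blk = blocks[path[k]]
                can_step = frozenset(s for s in blk if succ(s) & blocks[nxt])
                blocks[path[k]:path[k] + 1] = [can_step, blk - can_step]
                rounds += 1
                break
            reach = step
        else:
            return "unsafe", blocks, rounds  # the error path exists concretely

STATES = {(g, v) for g in range(7) for v in range(3)}  # constructed sample state space
INIT = {(6, 2)}                                         # far away, full speed
BAD = {s for s in STATES if s[0] == 0}                  # gap closed: collision

def check(brake_at):
    verdict, blocks, rounds = cegar(STATES, INIT, BAD, make_succ(brake_at))
    return verdict, len(blocks), rounds
```

With braking at a gap of 3, one refinement and three blocks are enough to prove the 21-state model safe; with braking at a gap of 1, the loop ends with a concrete path to a collision.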
After the presentation, Majumdar is back at his desk, reading his e-mails as his feet bob up and down to the tune of his keystrokes. A picture of a dinosaur, colored in using all sorts of colored pencils, is taped to the cabinet, where it forms a stark contrast to the whiteboard. The latter is covered in so many equations written in red, blue and black ink that the board itself has seemingly become a gray surface. The to-do list is visible in the top left-hand corner. The first ten tasks are written in large black letters, while the remaining items have been jotted down in small red letters. "We’re making progress, but many questions remain unanswered," Majumdar explains. How can you check and certify that the systems will work even in the case of malicious attacks? How can it be guaranteed that they will protect the users’ data? And how can you make sure that the systems are easy to use, even for non-experts?
Night has fallen long before he gets into his ten-year-old Mercedes-Benz and drives home. One thing is certain: if cyber-physical systems develop the way he hopes they will, he will no longer have to worry as much about road safety on the way home.
TO THE POINT:
● Cyber-physical systems can increase road traffic safety, make logistics more efficient or ensure a continuous power supply in a fluctuating power grid.
● In computer science, reliability is studied using models that aren’t compatible with the models of the physical world. Ensuring that a hybrid system – one that is rooted in both worlds – works reliably thus requires a comprehensive model.
● Max Planck researchers develop methods that ensure the reliability of cyber-physical systems. The scientists master the high level of complexity by searching for suitable abstractions. These abstractions help them ultimately ensure the reliability of the entire system.