Cyber-Physical Systems (CPS) encompass a large variety of systems including for example future energy systems (e.g. smart grid), homeland security and emergency response, smart medical technologies, smart cars and air transportation. One of the most important challenges in the design and deployment of Cyber-Physical Systems is how to formally guarantee that they are amenable to effective human control. This is a challenging problem not only because of the operational changes and increasing complexity of future CPS but also because of the nonlinear nature of the human-CPS system under realistic assumptions. Current state of the art has in general produced simplified models and has not fully considered realistic assumptions about system and environmental constraints or human cognitive abilities and limitations. To overcome current state of the art limitations, our overall research goal is to develop a theoretical framework for complex human-CPS that enables formal analysis and verification to ensure stability of the overall system operation as well as avoidance of unsafe operating states. To analyze a human-CPS involving a human operator(s) with bounded rationality three key questions are identified: (a) Are the inputs available to the operator sufficient to generate desirable behaviors for the CPS? (b) If so, how easy is it for the operator with her cognitive limitations to drive the system towards a desired behavior? (c) How can areas of poor system performance and determine appropriate mitigations be formally identified? The overall technical approach will be to (a) develop and appropriately leverage general cognitive models that incorporate human limitations and capabilities, (b) develop methods to abstract cognitive models to yield tractable analytical human models (c) develop innovative techniques to design the abstract interface between the human and underlying system to reflect mutual constraints, and (d) extend current state-of-the-art reachability and verification algorithms for analysis of abstract interfaces, iin which one of the systems in the feedback loop (i.e., the user) is mostly unknown, uncertain, highly variable or poorly modeled. The research will provide contributions with broad significance in the following areas: (1) fundamental principles and algorithms that would serve as a foundation for provably safe robust hybrid control systems for mixed human-CPS (2) methods for the development of analytical human models that incorporate cognitive abilities and limitations and their consequences in human control of CPS, (3) validated techniques for interface design that enables effective human situation awareness through an interface that ensures minimum information necessary for the human to safely control the CPS, (4) new reachability analysis techniques that are scalable and allow rapid determination of different levels of system safety. The research will help to identify problems (such as automation surprises, inadequate or excessive information contained in the user interface) in safety critical, high-risk, or expensive CPS before they are built, tested and deployed. The research will provide the formal foundations for understanding and developing human-CPS and will have a broad range of applications in the domains of healthcare, energy, air traffic control, transportation systems, homeland security and large-scale emergency response. The research will contribute to the advancement of under-represented students in STEM fields through educational innovation and outreach. The code, benchmarks and data will be released via the project website. Formal descriptions of models of human cognition are in general incompatible with formal models of the Cyber Physical System (CPS) the human operator(s) control. Therefore, it is difficult to determine in a rigorous way whether a CPS controlled by a human operator will be safe or stable and under which circumstances. The objective of this research is to develop an analytic framework of human-CPS systems that encompasses engineering compatible formal models of the human operator that preserve the basic architectural features of human cognition. In this project the team will develop methodologies for building such models as well as techniques for formal verification of the human-CPS system so that performance guarantees can be provided. They will validate models in a variety of domains ranging from air traffic control to large scale emergency response to the administration of anesthesia.

This project will result in fundamental physical and algorithmic building blocks of a novel cyber-physical for a two-way communication platform between handlers and working dogs designed to enable accurate training and control in open environments (eg, disaster response, emergency medical intervention). Miniaturized sensor packages will be developed to enable non- or minimally-invasive monitoring of dogs' positions and physiology. Activity recognition algorithms will be developed to blend data from multiple sensors. The algorithms will dynamically determine position and behavior from time series of inertial and physiological measurements. Using contextual information about task performance, the algorithms will provide duty-cycling information to reduce sensor power consumption while increasing sensing specificity. The resulting technologies will be a platform for implementation of communication. Strong interactions among computer science, electrical engineering, and veterinary science support this project. Work at the interface between electrical engineering and computer science will enable increased power efficiency and specificity of sensing in the detectors; work at the interface of electrical engineering and veterinary behavior will enable novel physiological sensing packages to be developed which measure behavioral signals in real time; Project outcomes will enable significant advances in how humans interact with both cyber and physical agents, including getting clearer pictures of behavior through real time physiological monitoring. Students are part of the project and multidisciplinary training will help to provide development of the Cyber-Physical Systems pipeline. Project outreach efforts will include working with middle school children, especially women and under-represented minorities, presentations in public museums that will promote public engagement and appreciation of the contribution of cyber-physical systems to daily lives. The goal of each outreach activity is to encourage both interest and excitement for STEM topics, demonstrating how computer science and engineering can lead to effective and engaging cyber-physical systems.

Processors in cyber-physical systems are increasingly being used in applications where they must operate in harsh ambient conditions and a computational workload which can lead to high chip temperatures. Examples include cars, robots, aircraft and spacecraft. High operating temperatures accelerate the aging of the chips, thus increasing transient and permanent failure rates. Current ways to deal with this mostly turn off the processor core or drastically slow it down when some part of it is seen to exceed a given temperature threshold. However, this pass/fail approach ignores the fact that (a) processors experience accelerated aging due to high temperatures, even if these are below the threshold, and (b) while deadlines are a constraint for real-time tasks to keep the controlled plant in the allowed state space, the actual controller response times that will increase if the voltage or frequency is lowered (to cool down the chip) are what determine the controlled plant performance. Existing approaches also fail to exploit the tradeoff between controller reliability (affected by its temperature history) and the performance of the plant. This project addresses these issues. Load-shaping algorithms are being devised to manage thermal stresses while ensuring appropriate levels of control quality. Such actions include task migration, changing execution speed, selecting an alternative algorithm or software implementation of control functions, and terminating prematurely optional portions of iterative tasks. Validation platforms for this project include automobiles and unmanned aerial vehicles. These platforms have been chosen based on both their importance to society and the significant technical challenges they pose. With CPS becoming ever more important in our lives and businesses, this project which will make CPS controllers more reliable and/or economical has broad potential social and economic impacts. Collaboration with General Motors promotes transition of the new technology to industry. The project includes activities to introduce students to thermal control in computing, in courses spanning high-school, undergraduate and graduate curricula.

Objective: How much a person should be allowed to interact with a controlled machine? If that machine is safety critical, and if the computer that oversees its operation is essential to its operation and safety, the answer may be that the person should not be allowed to interfere with its operation at all or very little. Moreover, whether the person is a novice or an expert matters. Intellectual Merit: This research algorithmically resolves the tension between the need for safety and the need for performance, something a person may be much more adept at improving than a machine. Using a combination of techniques from numerical methods, systems theory, machine learning, human-machine interfaces, optimal control, and formal verification, this research will develop a computable notion of trust that allows the embedded system to assess the safety of the instruction a person is providing. The interface for interacting with a machine matters as well; designing motions for safety-critical systems using a keyboard may be unintuitive and lead to unsafe commands because of its limitations, while other interfaces may be more intuitive but threaten the stability of a system because the person does not understand the needs of the system. Hence, the person needs to develop trust with the machine over a period of time, and the last part of the research will include evaluating a person's performance by verifying the safety of the instructions the person provides. As the person becomes better at safe operation, she will be given more authority to control the machine while never putting the system in danger. Broader Impacts: The activities will include outreach, development of public-domain software, experimental coursework including two massive online courses, and technology transfer to rehabilitation. Outreach will include exhibits at the Museum of Science and Industry and working with an inner-city high school. The algorithms to be developed will have immediate impact on projects with the Rehabilitation Institute of Chicago, including assistive devices, stroke assessment, and neuromuscular hand control. Providing a foundation for a science of trust has the potential to transform rehabilitation research.

The objective of this project is to research tools to manage uncertainty in the design and certification process of safety-critical aviation systems. The research focuses on three innovative ideas to support this objective. First, probabilistic techniques will be introduced to specify system-level requirements and bound the performance of dynamical components. These will reduce the design costs associated with complex aviation systems consisting of tightly integrated components produced by many independent engineering organizations. Second, a framework will be created for developing software components that use probabilistic execution to model and manage the risk of software failure. These techniques will make software more robust, lower the cost of validating code changes, and allow software quality to be integrated smoothly into overall system-level analysis. Third, techniques from Extreme Value Theory will be applied to develop adaptive verification and validation procedures. This will enable early introduction of new and advanced aviation systems. These systems will initially have restricted capabilities, but these restrictions will be gradually relaxed as justified by continual logging of data from in-service products. The three main research aims will lead to a significant reduction in the costs and time required for fielding new aviation systems. This will enable, for example, the safe and rapid implementation of next generation air traffic control systems that have the potential of tripling airspace capacity with no reduction in safety. The proposed methods are also applicable to other complex systems including smart power grids and automated highways. Integrated into the research is an education plan for developing a highly skilled workforce capable of designing safety critical systems. This plan centers around two main activities: (a) creation of undergraduate labs focusing on safety-critical systems, and (b) integration of safety-critical concepts into a national robotic snowplow competition. These activities will provide inspirational, real-world applications to motivate student learning.

This project develops the foundations of modeling, synthesis and development of verified medical device software and systems, from verified closed-loop models of the device and organ(s). The effort spans both implantable medical devices such as cardiac pacemakers and physiological control systems such as drug infusion pumps that have multiple networked medical systems. In both cases, the devices are physically connected to the body and exert direct control over the physiology and safety of the patient-in-the-loop. The goal is to ensure the device will never drive the patient into an unsafe state, while providing effective therapy. The contributions of are in three areas: closed-loop patient-device modeling; quantitative verification for optimized patient-specific devices; platforms for life-critical systems. Integrated modeling methodologies are developed to produce both the functional physiological signals, for clinically relevant testing with a medical device, and also generate the formal timing of device-patient interaction for formal verification. Starting with the problem of verifying the safety and correctness of medical device software, probabilistic patient models based on physiological data are then used to develop quantitative verification techniques to maintain the therapy?s efficacy on the patient and operational efficiency of the device. To facilitate participation of the CPS community, the Food and Drug Administration (FDA), physicians and manufacturers, open source libraries of device/patient models, software tools for verification and model translation and hardware platforms for testing with real medical devices are developed. The closed-loop design and verification techniques for medical device software and patients, developed here, have direct potential benefits on human health, and the quality and cost of medical care. Design of bug-free and safe medical device software is challenging, especially in complex implantable devices that control and actuate organs who's response is not fully understood. Safety recalls of pacemakers and implantable ?cardioverter? defibrillators between 1990 and 2000 affected over 600,000 devices. Of these, 200,000 or 41%, were due to firmware issues (i.e. software) that continue to increase in frequency. There is currently no formal methodology or open experimental platform to test and verify the correct operation of medical device software within the closed-loop context of the patient. If successful, this project has potential to not only increase the safety of such devices, but also to accelerate the development and certification process. The latter could reduce costs, and shorten the time to market for new devices. The project also has an extensive education and outreach component, including curriculum development in medical cyber-physical systems, involvement of undergraduate and graduate students in research, and cooperation with hospitals, makers of medical devices, and the FDA. The cross-cutting nature of the project brings together communities involving clinical physicians, electrical engineers, computer scientists and regulators of health care safety.

This project's objective is to enable assertion-driven development and debugging of cyber-physical systems (CPS), in which required conditions are formalized as part of the design. In contrast with traditional uses of assertions in software engineering, CPS demand a tight coupling of the cyber with the physical, including in system validation. This project uses mathematical models of key physical attributes to guide creation of assertions, to identify inconsistent or infeasible assertions, and to localize potential causes for CPS failures. The goal is to produce methods and tools that use physical models to guide assertion-based verification of cyber-physical systems. An assertion language is being developed that is founded in mathematical logic while providing the familiarity of commonly used programming languages. This foundation enables new automated debugging techniques for CPS. By leveraging models that encode laws of physics and an automated decision procedure, the techniques being developed help identify causes of CPS failures by distinguishing inconsistent or infeasible physical states from valid ones. This model-based approach incorporates means to assess these physical states using both probabilistic and non-probabilistic measures. Two safety-critical applications guide the research and demonstrate the impact on the development of CPS: coordinated control of autonomous vehicles and monitoring and control of left-ventricular assist devices (LVADs). The focus on these safety-critical applications are motivational for recruiting and educating engineering students who have high expectations for how their lives should be enabled by computing advances. Further, this research advances methods needed to validate safe and effective CPS, promoting the public's confidence in their application to safety-critical systems.

This project aims to achieve key technology, infrastructure, and regulatory science advances for next generation medical systems based on the concept of medical application platforms (MAPs). A MAP is a safety/security-critical real-time computing platform for: (a) integrating heterogeneous devices and medical IT systems, (b) hosting application programs ("apps") that provide medical utility through the ability to both acquire information and update/control integrated devices, IT systems, and displays. The project will develop formal architectural and behavioral specification languages for defining MAPs, with a focus on techniques that enable compositional reasoning about MAP component interoperability and safety. These formal languages will include an extensible property language to enable the specification of real-time, quality-of-service, and attributes specific to medical contexts that can be leveraged by code generation, testing, and verification tools. The project will work closely with a synergistic team of clinicians, device industry partners, regulators, and medical device interoperability and safety standard organizations to develop an open source MAP innovation platform to enable key stakeholders within the nation's health care ecosphere to identify, prototype, and evaluate solutions to key technology and regulatory challenges that must be overcome to develop a commodity market of regulated MAP components. Because MAPs provide pre-built certified infrastructure and building blocks for rapidly developing multi-device medical applications, this research has the potential to usher in a new paradigm of medical system that significantly increases the pace of innovation, lowers development costs, enables new functionality by aggregating multiple devices into a system of systems, and achieves greater system safety.

Effective engineering of complex devices often depends critically on the ability to encapsulate responsibility for tasks into modular agents and ensure those agents communicate with one another in well-defined and easily observable ways. When such conditions are followed, it becomes possible to detect where problems lie so they can be corrected. It also becomes possible to optimize the agents and their communications to improve performance. Cyber-physical systems (like robots, self-piloting aircraft, etc.) modify themselves to improve performance break those conditions in that some agent modules negotiate their own communications and decide their own actions, sometimes taking advantage of the physics of the world in ways we did not anticipate. This renders difficult application of standard engineering tools to accomplish critical fault diagnosis and design optimization. This project will produce analysis methods address the specific needs of cyber-physical systems that, by their natures, break the rules of convention. We will apply these new methods to the design and analysis of self-improving controllers for flapping-wing micro air vehicles. This work will provide advances in both model-checking related formal design methodologies and in module-based self-adaptive control in computationally resource constrained cyber-physical systems. The formal methods advances will significantly expand our ability to properly design and verify systems that tightly couple computation, sensors, and actuators. The specific test application addressed is significant to a number of nationally important security and defense efforts and will directly impact identified national priorities.

Large-scale critical infrastructure systems, including energy and transportation networks, comprise millions of individual elements (human, software and hardware) whose actions may be inconsequential in isolation but profoundly important in aggregate. The focus of this project is on the coordination of these elements via ubiquitous sensing, communications, computation, and control, with an emphasis on the electric grid. The project integrates ideas from economics and behavioral science into frameworks grounded in control theory and power systems. Our central construct is that of a ?resource cluster,? a collection of distributed resources (ex: solar PV, storage, deferrable loads) that can be coordinated to efficiently and reliably offer services (ex: power delivery) in the face of uncertainty (ex: PV output, consumer behavior). Three topic areas form the core of the project: (a) the theoretical foundations for the ?cluster manager? concept and complementary tools to characterize the capabilities of a resource cluster; (b) centralized resource coordination strategies that span multiple time scales via innovations in stochastic optimal control theory; and (c) decentralized coordination strategies based on cluster manager incentives and built upon foundations of non-cooperative dynamic game theory. These innovations will improve the operation of infrastructure systems via a cyber-physical-social approach to the problem of resource allocation in complex infrastructures. By transforming the role of humans from passive resource recipients to active participants in the electric power system, the project will facilitate energy security for the nation, and climate change mitigation. The project will also engage K-12 students through lab-visits and lectures; address the undergraduate demand for power systems training through curricular innovations at the intersection of cyber-systems engineering and physical power systems; and equip graduate students with the multi-disciplinary training in power systems, communications, control, optimization and economics to become leaders in innovation.