Model Checking for Hybrid Systems

Transcription

1 Model Checking for Hybrid Systems Bruce H. Krogh Carnegie Mellon University Hybrid Dynamic Systems Models Dynamic systems with both continuous & discrete state variables Continuous-State Systems differential equations, transfer functions, etc. Discrete-State Systems automata, Petri nets, statecharts, etc. Analytical Tools Software Tools Lyapunov functions, eigenvalue analysis, etc. MATLAB, Matrix X, VisSim, etc., Boolean algebra, formal logics, recursion, etc. Statemate, Design CPN, Slam II, SMV, etc. Carnegie Mellon: The Rare Glitch Project 2 Bruce H. Krogh Three Main Thrusts of Our Project l Verifying system integrity Synchronization constraints Resource constraints Real-time constraints l Modeling the environment Hybrid dynamics Stochastic models l Usability Extracting models Explaining tool feedback system environment Carnegie Mellon: The Rare Glitch Project 3 Bruce H. Krogh Embedded systems with significant hybrid dynamics Communications/ Telecommunications/ Networking Industrial Control Automotive/Transportation Systems & Equipment Computers/Peripherals Consumer Electronics/ Office Automation Entertainment/Multimedia Medical Electronic Equipment Government/Military Aerospace/ Electronics Space Electronics Electronic Instruments/ Other ATE/Design & Test Equipment Source: ESP, Dec, 1998 Carnegie Mellon: The Rare Glitch Project 4 Bruce H. Krogh Opportunity to Apply Formal Verification Techniques Example: Variable CAM Timing &RPSXWHU$LGHGÃ&RQWUROÃ6\VWHPÃ'HVLJQ feature specification code test on engine/ vehicle executable spec. simulation code generation model checking Objective: Verify feature behavior for the entire range of operating conditions. operating state look-up table cam angle 2-mode PID/ saturation controller production hardware in the loop actuator command Carnegie Mellon: The Rare Glitch Project 5 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 6 Bruce H. Krogh

2 Example: Variable CAM Timing Controller Continuous-Time Model Verification Problem: Determine whether the controller will switch only once from saturation to PID mode. Carnegie Mellon: The Rare Glitch Project 7 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 8 Bruce H. Krogh Switching Rule Finite-State Analysis Discrete-time rule Switch on magnitude of the error and the sign of this filter H 1 0.7(1 z ) ( z) = z Continuous-time rule Switch on magnitude of the error and the sign of this filter H ( s) 150.5s = s state of the filter l Assign discrete states to each switch boundary and the initial condition set l Determine reachability from each discrete state to the other discrete states l Analyze the resulting finite state system error Carnegie Mellon: The Rare Glitch Project 9 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 10 Bruce H. Krogh Reachability Analysis Finite-State Model Switching back to the saturation controller is certain from some initial states (i.e., specification is not satisfied) Carnegie Mellon: The Rare Glitch Project 11 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 12 Bruce H. Krogh

3 Applying Model Checking to Hybrid Systems: l interpret a hybrid system as a transition system (with an infinite state space) l find an equivalent finite-state transition systems (bisimulation) l perform verification using the bisimulation Can this approach be generalized to higher-order systems? Carnegie Mellon: The Rare Glitch Project 13 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 14 Bruce H. Krogh CheckMate Block Diagram SWITCHED CONTINUOUS DYNAMICS dx/dt = f u (x) T STATEFLOW FSMs Switched Continuous Dynamics 2 x1 Switched Continuous System 1 x2 Switched C*x <= d Continuous System 2 Polyhedral Threshold 2 x3 C*x <= d C*x <= d Polyhedral Threshold 1 th2 th3 th1 OR Logical Operator Switching Hyperplanes Switched Continuous System 3 Polyhedral Threshold 3 1 T/P POLYHEDRAL REGIONS Discrete-State Dynamics q2 q1 c1 q c2 Finite State Machine 2 c1 q c2 Finite State Machine 1 Carnegie Mellon: The Rare Glitch Project 15 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 16 Bruce H. Krogh Elements of CheckMate flow constraints F1 x(t) F2 F3 Hybrid Automaton m(t) (PIHA) mode select xdot(t) e(t) X 0 initial condition integrator T 1 x(t) cont. S state discrete event threshold-driven T/P x(t) discrete state discrete dynamics m(t) e(t) J e jump e(t) mapping Carnegie Mellon: The Rare Glitch Project 17 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 18 Bruce H. Krogh

4 Elements of CheckMate u u x INV u e i : g i (x) 0 x INV u dx/dt = F u (x) x u J i (x u ) x X dx/dt = F u (x) o Carnegie Mellon: The Rare Glitch Project 19 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 20 Bruce H. Krogh T T/P Carnegie Mellon: The Rare Glitch Project 21 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 22 Bruce H. Krogh Computing Transitions p p π (π,p,q) q q (π 1,p,q ) Carnegie Mellon: The Rare Glitch Project 23 Bruce H. Krogh π 1 π 2 (π 2,p,q ) Approximating reachable sets E.K. Kornoushenko. Finite-automaton approximation to the behavior of continuous plants, Automation and Remote Control, 1975 J. Reisch and S. O Young, A DES approach to control of hybrid dynamical systems, Hybrid Systems III, LNCS 1066, Springer, 1996 A. Puri, V. Borkar and P. Varaiya, ε-approximation of differential inclusions, Hybrid Systems III, LNCS 1066, Springer, 1996 M.R. Greenstreet, Verifying safety properties of differential equations, CAV 96 M.R. Greenstreet and I. Mitchell, Integrating projections, HSCC98 T. Dang and O. Maler, Reachability analysis via face lifting, HSCC98 A. Chutinan and B. H. Krogh, Verification of polyhedral-invariant hybrid systems using polygonal flow pipe approximations, HSCC99 Carnegie Mellon: The Rare Glitch Project 24 Bruce H. Krogh

5 Polyhedral flow pipe approximation Segment Approximation X 0 t 1 t 2 t 3 t 4 t 5 t 6 t 7 divide R [0,T] (X 0 ) into [t k,t k+1 ] segments enclose each segment with a convex polytope R M [0,T] (X 0 ) = union of polytopes A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998 t 8 t 9 Step 1. a. Simulate trajectories from each vertex of X 0. b. Take the convex hull and identify outward normal vectors. Vertices(X 0 ) at t k Vertices(X 0 ) at t k+1 Step 2. Solve optimization for d i flow pipe segment approximated by { x c it x d i, i } Carnegie Mellon: The Rare Glitch Project 25 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 26 Bruce H. Krogh Approximation for a Linear System A = Vertices for X , 1, 2, and Approximation l Applies to nonlinear dynamics l Applies in arbitrary dimensions l Approximation error doesn t grow with time l Estimation error (Hausdorff distance) can be made arbitrarily small with t < δ and size of X 0 < δ l Integrated into CheckMate Uniform time step t k = 0.1 Carnegie Mellon: The Rare Glitch Project 27 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 28 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 29 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 30 Bruce H. Krogh

6 Application Case Studies l F 16 auto-land system (Lockheed-DARPA) l Batch process shut down controller (ESPRIT VHS Project) l Automotive powertrain Engine shut-off mode (PARADES) Idle speed control (CADENCE) Transmission shift controller (Ford-DARPA) CheckMate - Current Work l Sampled-data systems clocked + unclocked events l Resets (jumps in the continuous state) l Efficient hybrid automata generation Carnegie Mellon: The Rare Glitch Project 31 Bruce H. Krogh Carnegie Mellon: The Rare Glitch Project 32 Bruce H. Krogh The Rare Glitch Project l Hybrid system abstractions composable with independent embedded software models l Generation of requirements from hybrid system models (timing and resource constraints) l Improved technology order-reduction focused refinement automatic model abstraction usability Carnegie Mellon: The Rare Glitch Project 33 Bruce H. Krogh