Verification of Behavior-Based Control Systems in their Physical Environment

Transcription

1 Verification of Behavior-Based Control Systems in their Physical Environment Thorsten Ropertz, Prof. Dr. Karsten Berns Robotics Research Lab Department of Computer Science University of Kaiserslautern, Germany Xian Li, Prof. Dr. Klaus Schneider Embedded System Group Department of Computer Science University of Kaiserslautern, Germany

2 Outline Behavior-Based Control Systems 2-Step Verification Approach Network Reduction Verification using Hybrid Quartz Application Example Conclusion and Future Work

3 Behavior-Based Control System Global system behavior emerges from rather simple interacting local behaviors (behavior network) Robust due to partially overlapping functionality Modular structure fosters reuse Distributed design, implementation, and testing Network size and complexity can lead to difficulties to locate errors Safety critical application scenarios require correct control

4 Integrated Behavior-Based Control (ib2c) Fundamental unit in ib2c More information: [Proetzsch10]

5 2-Step Verification Direct verification not feasible due to network size and complexity Network structure (fusion+stimulation+inhibition) allows high level reduction Formal verification of reduced control network using synchronous programming language Quartz with hybrid system extension

6 Reduction Behaviors which have no connection to the realizing behaviors can be discarded Competing behaviors can be reduced if they are suppressed by behaviors on signal path Requirements: Mapping of properties to behaviors from design phase available Activity functions designed such that behavior is active if it requires full control to keep the intended property valid

7 Reduction 1. Identification of property-realizing behaviors 2. Separation of network into connected subnets 3. Removing networks that do not contain emphasized behaviors 4. For each emphasized behavior check competing behaviors on signal path If behaviors cannot be active at the same time then remove corresponding branch

8 Reduction Based on requirements the control networks always maintain properties realized by behavior A direct suppression: indirect suppression:

9 Reduction Problem: check whether two behaviors can be active at the same time Modelling the network structure using finite state automata 5 synchronizing FSMs per behavior Limiting behavior signals to {0,1} Using Uppaal verifier to check for concurrent activity

10 Verification Reduced behavior network modeled using the Quartz language VCG procedure for Quartz programs based on induction proofs on the strongly connected components (SCCs) of the underlying state transition diagram Validity of VCs is proven by standard SMT solvers like CVC4, isat, or Z3

11 Averest Toolkit Model-based design of software and hardware Based on the synchronous programming language Quartz Allows simple analysis and verification

12 Application Example Collision avoidance system Safety behavior limits velocity High level behaviors process velocity given by Joystick Trajectory following Target point tracking Others Question: Does the robot always keep a minimum distance to obstacles in front of it?

13 Reduction Uppaal model contains 408 locations and 927 edges Signal path from SlowDown to sink examined Tested against HighLevel Forward Cannot be active at the same time -> reduction of HighLevel Forward branch two behaviors remaining

14 Hybrid System Verification Hybrid Quartz Program macro delta=?, max_velocity_v =?, protect_distance =?; module SlowDown(real? obstacle_x,? vehicle_xi) { real max_velocity_a, slow_down_a, distance_front, vehicle_v ; hybrid real vehicle_x; vehicle_x = vehicle_xi ; // the movement of the vehicle towards the obstacle loop { // detect the distance betwee the vehicle and the obstacle distance_front = obstacle_x - vehicle_x ; // decide the velocity for the movement if( distance_front < protect_distance ) slow_down_a = 1; else slow_down_a = 0; max_velocity_a = 1.0- slow_down_a; vehicle_v = max_velocity_v*max_velocity_a; // the vehicle moves forward for delta unit time w0,w1: flow{ drv(vehicle_x) <- vehicle_v ; }until(cont(time)-time>=delta); } } Properties satisfies{ assume ((protect_distance >= 0) and (delta > 0)) ; // for bounded initial distance assume (abs(vehicle_xi-obstacle_x) > protect_distance ) ; // for fixed initial distance assume ((vehicle_xi = 0.0 ) and (obstacle_x = 15.0) ) ; // the vehicle keeps a certain distance to the obstacle assume (abs(max_velocity_v * delta) < protect_distance ) ; assert A G (abs(obstacle_x-vehicle_x) > protect_distance - vehicle_v* delta ) ;}

15 EFSM Generation

16 Verification Condition Generation Experiment with fixed and bounded initial distance VCG procedure generates 7 VCs All ODEs solved by Mathematica Application of SMT solver Z3 and isat

17 Experimental Results Application of 2 different solvers due to different handling of non-linear equations In bounded initial distance case isat returned CANDIDATE SOLUTION due to Zeno behaviors

18 Conclusion and Future Work Direct hybrid verification of behavior-based control systems not feasible due to complexity/size Exploiting arbitration mechanism allows efficient high level control system reduction Modelling the resulting system using the Quartz language and applying the VCG procedure to decompose the verification goal allows for further verification effort reduction and makes the hybrid system verification feasible Reduction procedure shall be extended and the correctness formally shown VCG procedure shall be extended to allow induction over program loops