Symbolic Synthesis of Observability Requirements for Diagnosability

Transcription

1 Symbolic Synthesis of Observability Requirements for Diagnosability B. Bittner 1,2 M.Bozzano 2 A. Cimatti 2 X. Olive 3 1 University of Amsterdam, Science Park 904, 1098XH Amsterdam, The Netherlands bittner@science.uva.nl 2 FBK-irst, Trento, Italy bozzano,cimatti@fbk.eu 3 Thales Alenia Space, 100 Boulevard Midi, Cannes, France xavier.olive@thalesaleniaspace.com 11thh Symposium on Advanced Space Technologies in Robotics and Automation - ASTRA 2011 ESTEC (Netherlands)

2 Context Plant in closed loop with controller. Diagnosis Systems for Fault Detection, Identification and Recovery (FDIR). The diagnosis system tracks the hidden state of the plant over time. The diagnosis process has no direct control over the control loop. Sensed Information Diagnosis System Controller Plant Commands

3 The Problem of Diagnosability Sensors/observables may not be enough: even an ideal Diagnosis System may not have enough information. The Diagnosability problem: verify off-line that an ideal Diagnosis System can infer at run-time accurate and sufficient information on the behavior of the observed Plant. The system is diagnosable when there is no pair of indistinguishable traces, one good and one dangerous/bad. Previous work with NASA AMES A. Cimatti, C. Pecheur and R. Cavada, Formal Verification of Diagnosability via Symbolic Model Checking [IJCAI 03].

4 In this work: Synthesis for Diagnosability Assume we have enough sensors for diagnosability. Maybe they are (and they cost) more than needed. The synthesis for diagnosability problem: find sensor configurations that could be used... That are sufficient to guarantee diagnosability, and that are minimal, or have minimum cardinality, or minimize a given cost function.

5 Our contribution We propose practical methods for synthesis of diagnosable configurations. This work is based on symbolic model checking techniques, inspired by and built on top of framework applied in recent ESA projects: OMCARE COMPASS In particular, we provide formal modeling of the problem we generalize the diagnosability framework to synthesis, with the parameterized twin plant construction We propose two complementary algorithms FTA-based algorithm trace-based algorithm Experimental evaluation

6 Index of the Talk Diagnosability Synthesis for diagnosability Generalized twin plant Symbolic techniques FTA-based algorithm Trace-based algorithm Experiments Related work Conclusions and future work

7 Plant Partially Observable Plant X, U, Y, δ, λ : X is the state space; x, x 0, x 1,... are states; U is the input space; u, u 0, u 1,... are inputs; Y is the output space; y, y 0, y 1,... are outputs; To Controller Hidden State From Controller y Outputs λ x Delay x δ x u Inputs ToDiagnosis System ToDiagnosis System δ X U X is the transition relation. We write x 0 u 1 x1 if δ(x 0, u 1, x 1 ). λ X Y is the observation relation. We require that x. y.λ(x, y). We write x/y iff λ(x, y).

8 Execution, Trace An execution has the form x 0, y 0, u 1, x 1, y 1, u 2,..., u k, x k, y k, where u i+1 x i xi+1, and x i /y i. The observable trace of x 0, y 0, u 1, x 1, y 1, u 2,..., u k, x k, y k is y 0, u 1, y 1,..., u k, y k

9 Diagnosability A diagnosis condition for a plant P is a pair of nonempty sets of states c 1, c 2 X, with c 1 c 2 =, written c 1 c 2. A critical pair for diagnosis condition c 1 c 2 is a pair of executions π 1 and π 2, both of length t, with the same observable traces obs(π 1 ) = obs(π 2 ), and c 1 (x t π 1 ) c 2 (x t π 2 ). x^ c 1 w c 1 x 1 x 2 w x 1 x ^ 0 x 01 x 02 w ^x 0 x 01 x 02 x^ w x 2 c 2 c 2

10 Synthesis for Diagnosability Let P =< X, U, Y, δ, λ > be a plant. Assume outputs as Boolean vectors: Y = B N, with B = {0, 1}. The observation relation λ is presented by N observation relations [λ 1,..., λ N ], with λ i : X B. The induced observation relation λ : X B is defined as λ(x, b) iff for all i [1, N].λ i (x, b[i]). To Controller Hidden State From Controller y Outputs λ x Delay x δ x u Inputs ToDiagnosis Sys ToDiagnosis Sys. Definition (Sensor Configuration) A sensor configuration for P is a set of indices sc {1,..., N}. Definition (Plant Restriction) The restriction of P to a sensor configuration sc, denoted P sc, is the plant < X, U, Y, δ, [λ 1,..., λ N ] >, where λ i = λ i if i sc, and λ i = λ : X {0} otherwise.

11 Problem Definition Find all the sensor configurations sc {1,..., N} such that P sc is diagnosable, and sc is minimal, that is, for every sc sc, if P sc satisfies the problem then sc = sc, or sc is minimum w.r.t. cardinality, that is, for every sc {1,..., N}, if P sc satisfies the problem then sc sc, or sc is cost minimum, that is, for every sc {1,..., N}, if P sc satisfies the problem then cost(sc) cost(sc ). Additional remarks: Minimum sensor configurations are also minimal. The notion of minimum configurations can be generalized with respect to a cost function expressed as cost : 2 {1,...,N} N. We require that cost(sc 1 ) cost(sc 2 ) if sc 1 sc 2, and cost(sc 1 ) < cost(sc 2 ) if sc 1 sc 2.

12 Coupled Twin Plant The twin plant of P, denoted Twin(P), is the plant X X, U, Y, δ δ, λ λ, where X X X 2, where (x 1, x 2 ) X X iff there exists y Y such that λ(x 1, y) and λ(x 2, y); ((x 1, x 2 ), u, (x 1, x 2 )) δ δ iff (x 1, u, x 1 ) δ and (x 2, u, x 2 ) δ; ((x 1, x 2 ), y) λ λ iff λ(x 1, y) and λ(x 2, y). y Outputs λ x1 x2 Delay x1 Hidden State Hidden State x2 Delay δ δ x1 x2 u Inputs x ^ 0 x 01 x 02 w w c 1 x 1 x 2 x^ c 2

13 Find sensor configurations, reformulated Find all the sensor configurations sc {1,..., N} such that the twin plant Twin(P sc ) has no critical pair, and sc is a minimal [minimum, or minimum cost, resp.] configuration.

14 Symbolic Representation Vectors of variables ( x 1, x 2, u, y ), respectively ranging over X, X, U and Y. Any subset c of X X U Y (states, transitions) can be described with a formula c( x 1, x 2, y, u ). Set operations (union, intersection, complement) are represented by boolean connectives (or, and, not) Algorithms can manipulate sets of states, without explicitly enumerating them. Formulae are represented and manipulated as SAT, RBC, BDDs.

15 Symbolic Representation of Parameterized Twin Plant Vector of N activation variables a. A truth assignment to a represents a sensor configuration sc, i.e. a [i] is true if and only if i is in sc, and thus λ i is available. λ λ is characterized as a [i] (λ i ( x 1, y ) λ i ( x 2, y )). if a [i] is false, there is no constraint over the values of λ i if a [i] is true, (λ i ( x 1, y ) λ i ( x 2, y )) is enforced, hence less critical pairs exist δ δ is extended to constrain a not to change over time.

16 FTA-based algorithm function alldiagnosablesets (Twin(P), dc) 1 Reach := I(Twin(P)) 2 Front := I(Twin(P)) 3 BadSC := 4 while (Front ) do 5 BadSC := BadSC Proj( a, Front dc) 6 BadSC := BadSC allsubsets(badsc) 7 Front := Front \BadSC 8 temp := Reach 9 Reach := Reach FwdImage(Front, Twin(P)) 10 Front := Reach\temp 11 end while 12 GoodSC := BadSC 13 return GoodSC

17 Trace-based algorithm function allminimumsets (Twin(P), dc, costfn) 1 obsreq := 2 do 3 configs := getminconf (obsreq, costfn) 4 π := check(twin(p) = configs F dc) 5 if (π = ) do 6 return (, configs) 7 endif 8 obsreq := obsreq getobsreq(π) 9 while (obsreq ) 10 return (, )

18 Related Work Synthesis for diagnosability for continuous dynamics, based structural on analysis [L. Travé-Massuyes at al., 2001], [Yassine et al, 2008] Dynamic activation (beyond static observer): one approach based on safety 2-player games and weighted automata [Cassez et al., 2007]; another looks for minimal (not minimum) configurations [Wang et al., 2008]. An approximated approach is proposed in [Ru and Hadjicostis, 2010] in the setting of Petri nets. The twin plant construction is used in [Briones et al., 2008], the search of critical pairs is not addressed. A trace-based method is proposed in [Grastien, 2009]. No practical implementation is proposed. Large bodies of work on diagnosability: seminal work by [Sampath et al., 95, 96], automata-theoretic extensions to complex failures in temporal logics [Jiang and Kumar, 02], reformulation in process algebras [Console et al. 00]; practical approach based on symbolic model checking [Cimatti et al, 03]; generalization of zero-delay diagnosability, using SAT techniques [Rintanen and Grastien, 07]. Other work on active diagnosis [Sampath et al, 98], with controller designed to take into account diagnosability; planning under partial observability with information gathering actions [Bertoli et al, 02].

19 Implementation The approach has been implemented within the NuSMV3 platform. NuSMV3 is a substantial extension of NUSMV2 Requirements analysis, functional verification, safety assessment Boolean engines (BDD, SAT), integration with theory-specific reasoning (the MathSAT SMT solver) Wide set of verification algorithms: interpolation, CEGAR Backend in various functional verification flows: AADL/SLIM, ALTARICA, Mathlab/StateFlow/Simulink, SystemC, PLC, Interlocking. User specifies model of plant, list of observables, cost function. System generates twin plant, carries out search, and presents the results.

20 Experiments: benchmarks Orbiter, Rover are models of an orbiter and of a planetary rover, both develped in the OMCARE project. The models describe the functional level, with various relevant subsystems including failure modes. The diagnosis property used for the benchmarks is whether a working component has failed (fault detection). Cassini models is the propulsion system of the Cassini spacecraft: two engines fed by redundant propellant/gas circuit lines, which contain several valves and pyro-valves. Leakage failures are attached to all components. The diagnosis property of interest is a correct input pressure in at least one of the engines in presence of a correct output pressure from the gas and propellant tanks. Elevator is a newly created set of models of an elevator controller, parameterized by the number of floors. The modelled properties are cabin and door movement, request and reset operations at each floor, and the controller logic. The property of interest is whether the cabin is moving or not.

21 model orbiter rover cassini # state vars # input vars state space reachable states % reachable e-36 diameter model elevator 8 fl. 12 fl. 16 fl. 20 fl. # state vars # input vars state space reachable states % reachable e e e-6 diameter

22 Experiments model obs c1 s1 s1d c2 s2 s2t (tl) elev (4.91) elev (5.50) elev (4.91) elev (5.50) elev (4.75) elev (4.66) elev orbiter (2.00) rover (3.00) rover (2.90) rover (3.00) rover (3.00) rover 40 cassini (2.00) cassini

23 Conclusions and Future Work Conclusions: A practical approach to synthesis for diagnosability Two complementary algorithms Implemented in the NuSMV symbolic model checker Future activities: investigate more aggressive use of advanced verification techniques (e.g. incremental SAT, model simplification); experiment with different domains take into account fault tolerance generalize the approach to arbitrary diagnosability conditions expressed in LTL extend approach to continuous time systems

24 Questions?