Formal Methods in CPS

Transcription

1 Formal Methods in CPS A Computer Science Perspective Kim G. Larsen Aalborg University, DENMARK

2 From Timed Automata to Stochastic Hybrid Games Model Checking, Performance Evaluation and Synthesis Kim G. Larsen Aalborg University, DENMARK

3 Cyber-Physical Systems Complex systems that New tightly Foundation integrate multiple, networked computing Discrete Models elements (hardware (Boolean correctness) and software) with non-computing Quantitive Models physical (time, resources, elements such probabilistic, stochastic, as electrical continuous,..) or (Quantitative mechanical correctness) components. Discrete Real Time Resources Stochasticity Hybrid DICS PhD School Kim Larsen [3]

4 Models Discrete ALW( OFF) EVEN ON) Probabilistic ALW( OFF) EVEN s<3, p>0.90 ON) Timed Hybrid ALW( OFF) EVEN t<5, p>0.90 ON) ALW( T<3) EVEN t<20, p>0.90 T>20) DICS PhD School [4]

5 UPPAAL Tool Suit Verification Optimization Synthesis Component Testing Performance Analysis Optimal Synthesis CLASSIC CORA TIGA ECDAR TRON SMC STRATEGO DICS PhD School Kim Larsen [5]

6 Wang Yi Paul Pettersson John Håkansson Anders Hessel Pavel Krcal Leonid Mokrushin Shi Kim G Larsen Alexandre David Marius Mikucionis Gerd Behrman Arne Skou Brian Nielsen Jacob I. Rasmussen Thomas Emmanuel Fleury, Didier Lime, Johan Bengtsson, Fredrik Larsson, Kåre J Kristoffersen, Tobias Amnell, Thomas Hune, Oliver Möller, Elena Fersman, Carsten Weise, David Griffioen, Ansgar Fehnker, Frits Vandraager, Theo Ruys, Pedro D Argenio, J-P Katoen, Jan Tretmans, Judi Romijn, Ed Brinksma, Martijn Hendriks, Klaus Havelund, Franck Cassez, Magnus Lindahl, Francois Laroussinie, Patricia Bouyer, Augusto Burgueno, H. Bowmann, D. Latella, M. Massink, G. Faconti, Kristina Lundqvist, Lars Asplund, Justin Pearson... DICS PhD School Kim Larsen [6]

7 Overview Timed Automata / UPPAAL Verification Stochastic Priced Timed Automata / UPPAAL SMC Performance Evaluation SMC in a Nutshell Stochastic Hybrid Automata Energy-Aware Buildings Timed Games / UPPAAL TIGA Controller Syntesis HYDAC Case Stochastic Priced Timed Games / UPPAAL STRATEGO Optimal & Safe Synteses Adaptive Cruice Control Conclusion DICS PhD School Kim Larsen [7]

8 Timed Automata

9 A Dumb Light Controller DICS PhD School Kim Larsen [9]

10 Timed Automata [Alur & Dill 89] Reset Synchronizing action Clock Guard Conjunctions of x~n x: real-valued clock ADD a clock x DICS PhD School Kim Larsen [10]

11 A Timed Automata (Semantics) States: ( location, x=v) where v2r Transitions: ( Off, x=0 ) delay 4.32 ( Off, x=4.32 ) press? ( Light, x=0 ) delay 2.51 ( Light, x=2.51 ) press? ( Bright, x=2.51 ) DICS PhD School Kim Larsen [11]

12 Intelligent Light Controller Invariant (Henzinger) DICS PhD School Kim Larsen [12]

13 Intelligent Light Controller Transitions: ( Off, x=0 ) delay 4.32 ( Off, x=4.32 ) press? ( Light, x=0 ) delay 4.51 ( Light, x=4.51 ) press? ( Light, x=0 ) delay 100 ( Light, x=100) ( Off, x=0) Note: X ( Light, x=0 ) delay 103 Invariants ensures progress DICS PhD School Kim Larsen [13]

14 Train Crossing Safe Approaching Crossing Safe River tracks Bridge Time DICS PhD School [14]

15 Train Crossing Safe Approaching Crossing Safe Safe Approaching Crossing Safe River Bridge tracks Stop the train while it still stoppable! 3 5 DICS PhD School [15] Time

16 Train Crossing Safe Approaching Crossing Safe Safe Approaching Crossing Safe Stopped Restarted River Bridge tracks 7 15 Time DICS PhD School [16]

17 Train Crossing Safe Approaching Crossing Safe Add timing+ synchronization Stopped Restarted DICS PhD School [17]

18 Timed Automata [Train] = Finite State Control + Real Valued Clocks invariants Resets Guards SEMANTICS ( Appr, x=0 ) -5.2-> ( Appr, x=5.2 ) stop? -> ( Stop, x=5.2 ) Synchronizations DICS PhD School Kim Larsen [18]

19 DEMO

20 Logical Specifications Validation Properties Possibly: E<> P Safety Properties Invariant: A[] P Pos. Inv.: E[] P Liveness Properties Eventually: A<> P Leadsto: P Q Bounded Liveness Leads to within: P t Q The expressions P and Q must be type safe, side effect free, and evaluate to a boolean. Only references to integer variables, constants, clocks, and locations are allowed (and arrays of these). DICS PhD School Kim Larsen [20]

21 THE secret of UPPAAL DICS PhD School Kim Larsen [21]

22 Zones From Finite to Efficiency A zone Z: 1 x 2 Æ 0 y 2 Æ x - y 0 DICS PhD School Kim Larsen [22]

23 Zones - Operations y (n, 2 x 4 Æ 1 y 3 Æ y-x 0 ) y (n, 2 x Æ 1 y Æ -3 y-x 0 ) y (n, 2 x Æ 1 y 3 Æ y-x 0 ) y (n, x=0 Æ 1 y 3 ) x y Delay (n, 2 x 4Æ 1 y ) x y Delay (stopwatch) x 2 Reset x Extrapolation x Convex Hull x DICS PhD School Kim Larsen [23]

24 Datastructures for Zones Difference Bounded Matrices (DBMs) Minimal Constraint Form [RTSS97] -4 x1 x x0 1 x3 5 2 Clock Difference Diagrams [CAV99] DICS PhD School Kim Larsen [24]

25 Stochastic Timed Automata

26 Stochastic Semantics of TA Exponential Distribution Uniform Distribution Input enabled Composition = Repeated races between components for outputting DICS PhD School Kim Larsen [26]

27 Stochastic Semantics of Timed Automata g1 g2 Delay Density Function ¹ s : R! R Output Probability Function s : o! [0,1] s ¹ s uniform on [ d min, d max ] s uniform over enabled outputs DICS PhD School Kim Larsen [27]

28 Composition of STA Pr[time<=2](<> T.T3)? Z 1 t 1 =0 1 Z 2 Pr[time<=T](<> T.T3)? t 2 =t dt 2 dt1 = 3 4 Composition = Race between components for outputting DICS PhD School Kim Larsen [28]

29 Stochastic Semantics of TA Assumptions: Component TAs are: Input enabled Deterministic Disjoint set of output actions Delay Density Function ¹ s : R! R Output Probability Function s : o! [0,1] ¼ ( s, a 1 a 2. a n ) : the set of maximal runs from s with a prefix t 1 a 1 t 2 a 2 t n a k for some t 1,,t n 2 R. DICS PhD School Kim Larsen [29]

30 Beyond Uniform / Exponential Dist. Includes all Phase-Type Distributions. Can encode any distribution with arbitrary precision. DICS PhD School Kim Larsen [30]

31 Inconclusive Statistical Model Checking [FORMATS11, LPAR12, RV12] M Generate random run π } <T p Á Validate π φ? Hypothesis testing µ, ² p, Pr M (Á) p at significance level Core Statistical Algorithm Pr M (Á) 2 [a-²,a+²] with confidence µ Confidence Interval DICS PhD School Kim Larsen [31]

32 Queries in UPPAAL Syntax Evaluation Pr[<=100](<> expr) Hypothesis testing Pr[<=100](<> expr)>=0.1 c<=100 #<=50 [] expr <=0.5 Comparison Pr[<=20](<> e1)>=pr[<=10](<> e2) Expected value E[<=10;1000](min: expr) Explicit number of runs. Min or max. Simulations simulate 10 [<=100]{expr1,expr2} DICS PhD School Kim Larsen [32]

33 DEMO

34 Stochastic Hybrid Systems A Bouncing Ball Player 1 Player 2 DICS PhD School Kim Larsen [34]

35 Stochastic Hybrid Systems A Bouncing Ball Ball Player 1 Player 2 simulate 1 [<=20]{Ball1.p, Ball2.p} Pr[<=20](<>(time>=12 && Ball1.p>4)) Pr[<=20](<> (time>=12 && Ball1.p>4)) >= Pr[<=20](<> (time>=12 && Ball2.p>4)) DICS PhD School Kim Larsen [35]

36 Stochastic Hybrid Systems simulate 1 Room [<=100]{Temp(0).T, 1 Temp(1).T} simulate 10 [<=100]{Temp(0).T, Temp(1).T} Pr[<=100](<> Temp(1).T<=5 and time>30) >= 0.2 on/off Pr[<=100](<> Temp(0).T >= 10) Room 2 on/off Heater DICS PhD School Kim Larsen [36]

37 Hybrid Automata H=(L, l 0,, X,E,F,Inv) where L set of locations l 0 initial location = i [ o set of actions X set of continuous variables valuation º: X!R (=R X ) E set of edges (l,g,a,á,l ) with gµr X and ÁµR X R X and a2 For each l a delay function F(l): R >0 R X! R X For each l an invariant Inv(l)µR X Ball Player 1 Player 2 DICS PhD School Kim Larsen [37]

38 Hybrid Automata Ball (p = 10; v = 0) d! (p = 10 9:81=2d 2 ; v = 9:81d) bounce!! (p = 0; v = 14:02 0:83) at d = 1:43 d! (p = 6:92; v = 0) at d = 1:18 d! (p = 0; v = 11:51) at d = 1:18 bounce!! : : : Semantics States (l,º) where º2R X Transitions (l,º)! d (l,º ) where º =F(l)(d,º) provided º 2 Inv(l) (l,º)! a (l,º ) if there exists (l,g,a,á,l )2E with º2g and (º,º )2Á and º 2 Inv(l ) DICS PhD School Kim Larsen [38]

39 Stochastic Hybrid Automata Ball Stochastic Semantics For each state s=(l,º) Delay density function * ¹ s : R >0! R (p = 10; v = 0) d! (p = 10 9:81=2d 2 ; v = 9:81d) bounce!! (p = 0; v = 14:02 0:83) at d = 1:43 Output Probability Function s : o! [0,1] Player 1 Player 2 Next-state density function * a s : St! R where a2. t=1.43 Pr 1 hit! = 2.5 e 2.5t dt t=0 = e 2.5t = 0.97 t=1.43 Pr 2 hit! = 1 3 dt t=0 = 1 3 t = 0.48 * Dirac s delta functions for deterministic delays / next state DICS PhD School Kim Larsen [39]

40 Stochastic Semantics of NHAs Assumptions: Component SHAs are: Input enabled Deterministic Disjoint set of output actions ¼ ( s, a 1 a 2. a n ) : the set of maximal runs from s with a prefix t 1 a 1 t 2 a 2 t n a k for some t 1,,t n 2 R. DICS PhD School Kim Larsen [40]

41 Stochastic Hybrid Systems A Bouncing Ball UPPAAL SMC Player 1 Ball Uniform distributions (bounded delay) Exponential distributions (unbounded delay) Syntax for discrete probabilistic choice Player 2 Distribution on next state by use of random GUI for plot composing and exporting Hybrid flow by use of ODEs + usual stuff (structured variables, user-defined types user-defined functions, simulate.) 1 [<=20]{Ball1.p, Ball2.p} MITL Networks Pr[<=20](<>(time>=12 && Ball.p>4)) Repeated races between components for outputting DICS PhD School Kim Larsen [41]

42 Energy Aware Buildings Fehnker, Ivancic. Benchmarks for Hybrid Systems Verification. HSCC04 With Alexandre David, Dehui Du Marius Mikucionis Arne Skou

43 Rooms & Heaters MODELS DICS PhD School Kim Larsen [43]

44 Control Strategies MODELS Temperature Threshold Strategies DICS PhD School Kim Larsen [44]

45 Weather & User Profile MODELS DICS PhD School Kim Larsen [45]

46 Results Simulations simulate 1 [<=2*day] { T[1], T[2], T[3], T[4], T[5] } simulate 1 [<=2*day] { Heater(1).r, Heater(2).r, Heater(3).r } DICS PhD School Kim Larsen [46]

47 Results Comfort Pr[comfort<=2*day] (<> time>=2*day) DICS PhD School Kim Larsen [47]

48 Results Energy Pr[Monitor.energy<= ](<> time>=2*day) DICS PhD School Kim Larsen [48]

49 Other Case Studies FIREWIRE BLUETOOTH 10 node LMAC Schedulability Analysis for Mix Cr Sys Smart Grid Demand / Response Energy Aware Buildings Genetic Oscilator (HBS) Passenger Seating in Aircraft Battery Scheduling DICS PhD School Kim Larsen [49]

50 BREAK

51 Timed Games TIGA

52 Timed Automata & Model Checking State (L1, x=0.81) Transitions (L1, x=0.81) > (L1, x=2.91) -> (goal, x=2.91) Ehi goal? Ahi goal? A[ ] : L4? DICS PhD School Kim Larsen [52]

53 Timed Game Automata & Synthesis controllable uncontrollable Problems to be considered: - Does there exist a winning strategy? - If yes, compute one (as simple as possible) DICS PhD School Kim Larsen [53]

54 Computing Winning States DICS PhD School Kim Larsen [54]

55 Decidability of Timed Games DICS PhD School Kim Larsen [55]

56 Model Checking (ex Train Gate) Controller Environment : Never two trains at the crossing at the same time DICS PhD School Kim Larsen [56]

57 Synthesis (ex Train Gate)? Controller Environment : Never two trains at the crossing at the same time DICS PhD School Kim Larsen [57]

58 Timed Games Controllable Uncontrollable Controller Environment Find strategy for controllable actions st behaviour satisfies : Never two trains at the crossing at the same time DICS PhD School Kim Larsen [58]

59 Controller Synthesis Room Room Heater Room Room on/off?? const int Tenv=7; const int k=2; const int H=20; const int TB[4]= {12, 18, 25, 28}; critical high high normal low critical low DICS PhD School Kim Larsen [59]

60 Unfolding critical high high normal low critical low DICS PhD School Kim Larsen [60]

61 Timing critical high high normal low critical low DICS PhD School Kim Larsen [61]

62 TA Abstraction const int ul[3]={3,5,2}; const int uu[3]={4,6,3}; const int dl[3]={3,9,15}; const int du[3]={4,10,16} DICS PhD School Kim Larsen [62]

63 Validation by co-simulation DICS PhD School Kim Larsen [63]

64 Validation by co-simulation const int ul[3]={3,8,2}; const int uu[3]={4,9,3}; const int dl[3]={3,9,15}; const int du[3]={4,10,16} DICS PhD School Kim Larsen [64]

65 Synthesis using TIGA Uncontrollable Controllable DICS PhD School Kim Larsen [65]

66 Plastic Injection Molding Machine Quasiomodo Robust and optimal control [CJL+09] Tool Chain Synthesis: UPPAAL TIGA Verification: PHAVer Performance: SIMULINK 40% improvement of existing solutions.. DICS PhD School Kim Larsen [66]

67 Oil Pump Control Problem Quasiomodo R1: stay within safe interval [4.9,25.1] R2: minimize average/overall oil volume DICS PhD School Kim Larsen [67]

68 The Machine (consumption) Quasiomodo Infinite cyclic demand to be satisfied by our control strategy. P: latency 2 s between state change of pump F: noise 0.1 l/s DICS PhD School Kim Larsen [68]

69 Hybrid Game Model Undecidability Discretization DICS PhD School Kim Larsen [69]

70 Tool Chain Quasiomodo Strategy Synthesis TIGA Performance Evaluation SIMULINK Guaranteed Correctness Robustness Verification PHAVER with 40% Improvement DICS PhD School Kim Larsen [70]

71 Stochastic Priced Timed Games

72 Going to Sydney in 1 hour U[42,45] U[0,20] U[0,140] U[0,35] Can I get to Sidney? (1-player) Will I always come to Sidney? (1-player) What is the optimal WC strategy? (2-player) Is there a strategy guaranteeing WC <= 60? (2-player) 0.1 What is the optimal strategy? (1½-player) DICS PhD School Jakob H. Taankvist [72] What is the optimal strategy Guarenteeing WC <= 60? (1½-player)

73 Uppaal TIGA strategy NS = control: A<> goal strategy NS = control: A[] safe Uppaal E<> error under NS A[] safe under NS G Timed Game φ synthesis σ Strategy G σ Timed Automata abstraction P Stochastic Priced Timed Game P σ mine(cost) maxe(gain) σ optimized Strategy P σ Stochastic Priced Timed Automata Statistical Learning strategy DS = mine (cost) [<=10]: <> done under NS strategy DS = maxe (gain) [<=10]: <> done under NS Uppaal SMC simulate 5 [<=10]{e1, e2} under SS Pr[<=10](<> error) under SS E[<=10;100](max: cost) under SS

74 DEMO control: A<> Kim.Sidney && time<=60 DICS PhD School Kim Larsen [74]

75 Safe & Adaptive Cruice Control EGO FRONT Q1: Find a safety strategy for Ego such no crash will ever occur no matter what Front is doing. Q2: Find the most permissive strategy ensuring safety Q3: Find the optimal sub-strategy that will allow Ego to go as far as possible (without overtaking). DICS PhD School Kim Larsen [75]

76 Discretization Discrete Continuous DICS PhD School Kim Larsen [76]

77 Ego DICS PhD School Kim Larsen [77]

78 Front DICS PhD School Kim Larsen [78]

79 No Strategy DICS PhD School Kim Larsen [79]

80 Safety Strategy DICS PhD School Kim Larsen [80]

81 Safety Strategy DICS PhD School Kim Larsen [81]

82 Optimal and Safe Strategy DICS PhD School Kim Larsen [82]

83 References Frits Vaandrager: A first introduction to UPPAAL Alexandre David, Kim G Larsen: More features in UPPAAL Alexandre David, Kim G Larsen, Axel Legay, Marius Mikucionis, Danny Bøgsted Poulsen: UPPAAL SMC Tutorial. To appear in Software Tools for Technology Transfer. Alexandre David, Kim G. Larsen, Axel Legay, Marius Mikucionis, Zheng Wang: Time for Statistical Model Checking of Real-Time Systems. CAV Gerd Behrmann, Agnes Cougnard, Alexandre David, Emmanuel Fleury, Kim G. Larsen, and Didier Lime: UPPAAL-Tiga: Time for Playing Games! CAV Alexandre David, Peter Gjøl Jensen, Kim Guldstrand Larsen, Marius Mikucionis, Jakob Haahr Taankvist: Uppaal Stratego. TACAS 2015 For more see DICS PhD School Kim Larsen [83]

84 THANKS! DICS PhD School Kim Larsen [84]

85 Applications

86 Case Studies: Controllers Memory Arbiter Synthesis and Verification for a Radar Memory Interface Card, 2005 Analyzing a χ model of a turntable system using Spin, CADP and Uppaal, 2006 Designing, Modelling and Verifying a Container Terminal System Using UPPAAL, 2008 Model-based system analysis using Chi and Uppaal: An industrial case study, 2008 Climate Controller for Pig Stables, 2008 (synth) Optimal and Robust Controller for Hydralic Pump, 2009 (synth) DICS PhD School Kim Larsen [86/54]

87 Case Studies: Protocols Analysis of a protocol for dynamic configuration of IPv4 link local addresses using Uppaal, 2006 Formalizing SHIM6, a Proposed Internet Standard in UPPAAL, 2007 Verifying the distributed real-time network protocol RTnet using Uppaal, 2007 Analysis of the Zeroconf protocol using UPPAAL, 2009 Analysis of a Clock Synchronization Protocol for Wireless Sensor Networks, 2009 Model Checking the FlexRay Physical Layer Protocol, 2010 DICS PhD School Kim Larsen [87/54]

88 Using UPPAAL as Back-end Timed automata translator from Uppaal to PVS Component-Based Design and Analysis of Embedded Systems with UPPAAL PORT, 2008 METAMOC: Modular WCET Analysis Using UPPAAL, TetaSARTS: a tool for modular timing analysis of safety critical Java systems, 2013 DICS PhD School Kim Larsen [88/54]

89 DICS PhD School Kim Larsen [89]