Using Hybrid Automata for Early Spacecraft Design Evaluation

Transcription

1 Seminar Operating Systems: Winter Semester 18/19 Using Hybrid Automata for Early Spacecraft Design Evaluation Jafar Akhundov

2 Motivation Motivation: Spacecraft Modelling Gaia - mission to chart a 3d-map of the Milky Way System Model Repository Charge Downlink Power Rate = -20 [W] Data Send Rate = 40 [Mb] Experiment Power Rate = -40 [W] Data Rate = 10 [Mb] Power Rate = 80 [W] Design Phases 0, A Mission Start 2 time Mission Deadline [1] J. Akhundov, P. Tröger, and M. Werner. Superposition Principle in Composable Hybrid Automata. In CS&P 2016 Proceedings [2] J. Akhundov, V. Schaus, A. Gerndt, and M. Werner. Using timed automata to check space mission feasibility in the early design phases. In IEEE Aerospace 2016 Proceedings

3 Motivation Motivation: Spacecraft Modelling Source: DLR 3

4 Motivation Motivation: Spacecraft Modelling Source: DLR 4

5 Initial Problem Initial Problem Sequential Model Concurrent Model guard: mission constraints ok sync: input events occurred? reset: update mission params Module 1 Inactive guard: mission constraints ok sync: input events occurred? reset: update mission params guard: mission constraints violated Module 1 Active Idle guard: mission constraints ok sync: input events occurred? reset: update mission params Module N Inactive guard: mission constraints violated Active Module N 5

6 Idea Idea A new formalism for modeling spacecraft at early design stages was introduced: LTI- HA Support for certain needed properties (superposition) Hybrid formalism seems to be the most promising for the simulation model at hand Hybrid formalisms are a research area in both computer science and control systems engineering Important for computer science: composition, language theoretical investigation, reachability and liveness Important for control systems theory: reachability, stability, observability, liveness 6

7 Definition 1. LTI Hybrid Automata Set of discrete locations: Set of discrete transitions between them: Set of continuous variables: S I Set of labeled events, assigned to the discrete transitions: Set of guarding conditions for the discrete transitions: Set of linear time-invariant flow functions (linear ODE) describing continuous change of the variables in the locations: L =(L 1,...,L n ) S O X T L L G = {(,C(X ), E, A) 2 T, E 2 S I, A 2 S O } NX i=0 a i d i f L (t) dt i = MX j=0 b j d j x L (t) dt j f L (x, t) :X R 0 7! V (X ) 7

8 Definition 1. LTI Hybrid Automata Initial state is a pair: No resets No invariants I = (t 0 )=(L I,V I (X )) State of a hybrid system is a pair: (t) =(L, V (X )) 8

9 Example Example 9

10 Semantics 1. LTI Hybrid Automata Semantics Time: Time flow uniform (Newtonian time) Evaluation of flow functions based on durations only Transitions are timeless Events: Event semantics is still object of discussions Output events: one-to-all Input events: one-from-one Event occurrences have no duration and are not buffered 10

11 Progress Semantics 1. LTI Hybrid Automata Progress Semantics Two rules for discrete step (ds) and timed step (ts) semantics: A timed transition system is induced by applying these rules 11

12 Composition 1. LTI Hybrid Automata: Composition 12

13 Example Example 13

14 Verification 1. LTI Hybrid Automata Verification Once the model has been built, what do we do next? Verification of some model properties! Two important types of properties in hybrid automata theory: Reachability Liveness Other properties possible: stability, observability, etc 14

15 Verification: Reachability & Liveness 1. LTI Hybrid Automata Reachability & Liveness Reachability: given a formula Is there at least one execution leading to its satisfiability? Is this formula holding on all of the execution paths? Liveness: Any reachable state is reachable within a finite number of steps (eventually) Usually modal timed logics are used to express these properties: LTL, CTL, CTL*, TCTL etc. 15

16 Verification: Liveness Example 1. LTI Hybrid Automata Liveness (Progressiveness) Example Resets (in the classical HA) Jafar Akhundov, Peter Tröger, Matthias Werner - Superposition Principle in Composable Hybrid Automata, CS&P

17 Verification: Liveness Condition 1. LTI Hybrid Automata Liveness (Progressiveness) one of the conditions Definition (Enabled cycles): An enabled cycle in a finite LTI-HA is a directed cycle of finite length with at least one valuation of continuous variables which enables all of the guards along that cycle. 17

18 Topics Complex 1 Topic Complex 1: Tools for Hybrid Automata (Overview) Difficulty: Proseminar (1-2 tools), Hauptseminar (2-3 tools), Forschungsseminar (3-5 tools) Many tools exist for modeling and analysis of hybrid models: Ptolemy, SpaceEX, Flow*, d/dt, UPPAAL, PHAVER, HyTech etc. Research should provide an exhaustive list and a comparison of some of these tools (your choice!) with one another in terms of performance (run-times, scalability) Optional, but very useful result would also be a comparison in terms of expressive power (only for Forschungsseminar!) Two properties to check: reachability and liveness Systems-to-model will be provided for both (complex for reachability, simple for liveness) References: Luca P. Carloni, Maria Domenica DiBenedetto, et al...- Modeling Techniques, Programming Languages, and Design Toolsets for Hybrid Systems Tutorial: Software Tools for Hybrid Systems Verification, Transformation, and Synthesis: C2E2, HyST, and TuLiP Volker Schaus, Michael Tiede, et al... - A Continuous Verification Process in Concurrent Engineering 18

19 Topics Complex 2 Topic Complex 2: Application of Hybrid Automata in Aerospace Engineering (Overview) Difficulty: Proseminar (1 example), Hauptseminar (2+ examples), Forschungsseminar (2+ examples) Which hybrid systems tool/formalism was used in verification of an air-/spacecraft? At which design phase was it used? What properties were verified? How? What were the results? Any performance metrics? Was it ad-hoc or is it a standard practice? References: Agharazi - A Hybrid Approach to Fault Diagnosis in Teams of Autonomous Systems Najm-Tehrani - Formal Verification of Dynamic Properties in an Aerospace Application 19

20 Topics Complex 3 Topic Complex 3: Model transformation Difficulty: Forschungsseminar only Transform the LTI hybrid automata data structure to an input of a selected tool Tool selection is up to you: UPPAAL (extremely bounded expressiveness), HyTech, Flow*, SpaceEx, Ptolemy II A system-to-model will be provided to you for a use case References: Luca P. Carloni, Maria Domenica DiBenedetto, et al...- Modeling Techniques, Programming Languages, and Design Toolsets for Hybrid Systems Tutorial: Software Tools for Hybrid Systems Verification, Transformation, and Synthesis: C2E2, HyST, and TuLiP Volker Schaus, Michael Tiede, et al... - A Continuous Verification Process in Concurrent Engineering 20

21 Topics Complex 4 Topic 4: Verification in relativistic time Difficulty: Forschungsseminar only What formal methods exist to model relativistic effects? How are they expressed? Examples for modeling? Comparison with any existing timed modeling methods References: Jafar Akhundov - Relativistic Mobility Calculi for distributed Cyber-Physical Systems (Seminararbeit) 21

22 Reading Material Some preliminary reading for you Starting Point: Erika Abraham - Modeling and Analysis of Hybrid Systems (Hybrid Automata) More formal: Raskin - Introduction to Hybrid Automata (Hybrid Automata) Useful and Easy: Rajeev Alur - Introduction to Cyber-Physical Systems (real-time systems, hybrid/timed automata) Useful and Easy: Lee and Seshia - Introduction to Embedded Systems: A Cyber-Physical Systems Approach (Signal theory, real-time systems, hybrid/timed automata) Useful: Cassandras - Introduction to Discrete-Event Systems (Automata theory, languages, discrete control) Useful: Katoen - Introduction to Model Checking (Timed Automata, LTL, CTL) 22

23 Plan Plan Read the provided text and gather preliminary questions (2 weeks time) Do some preliminary research and select a topic for yourself (2 weeks time) Inform me about (at least) two selected topics, type of your seminar (proseminar/ hauptseminar/research seminar) and your student data (first/second name, id number, faculty and major) Start working (use our and recommended survival guides from our web page) Plan your consultations carefully My recommendation: at least once every 3-4 weeks Personal consultations are only possible until Starting : only per Presentations will be held before the exam period, probably on one day Gained feedback must be integrated into your papers Paper submission deadline: end of the semester 23