Distance Sampling – Part I Ecological MethodologyLEC-02 Althoff.
althoff (2013) Formal Verification of Cyberphysical Systems
-
Upload
danielbilar -
Category
Technology
-
view
563 -
download
2
Transcript of althoff (2013) Formal Verification of Cyberphysical Systems
Formal Verification of Cyber-Physical Systems
Matthias Althoff
Technische Universitat Munchen
November 15, 2013
M. Althoff CPS Verification November 15, 2013 1 / 29
Introduction
Examples of Cyber-Physical Systems
automated drivingsource: Carnegie Mellon University
automated farmingsource: Kesmac
human-robot collaborationsource: Rethink Robotics
surgical robotssource: daVinci
Smart gridssource: Siemens
Air traffic controlsource: NASA
Emerging technologies are increasingly safety- or operation-critical!
M. Althoff CPS Verification November 15, 2013 2 / 29
Introduction
Examples of Insufficiently Verified Systems
Intel Bug (1994)
Error in the floating point division.
costs: $ 500 Mio
Explosion of the Ariane 5 rocket (1996)
Variable overflow due to software reuse from Ariane 4.
costs: $ 500 Mio
Unintended acceleration in Toyota cars (2010)
Several investigations, no mistake found (NHTSA andNASA).
PR disaster
M. Althoff CPS Verification November 15, 2013 3 / 29
Introduction
Need for Formal Verification
Testing
Not much expert knowledgerequired
Applicable to large systems
No guarantee of correctness
Formal Verification
Expert knowledge required
Not (yet) applicable to largesystems
Guarantees correctness
Critical components: Proof of correctness outweighs advantages of testing.
Case study:Unmanned aerial vehicle (UAV) flight control verified by two teams of equal size.
Lockheed Martin Aero
Used testing
Found no bugs
Rockwell Collins
Used Model Checking
Found 12 bugs
”Model-checking was more cost effective than testing at finding design errors.”(Dr. Steven P. Miller, Rockwell Collins, CMACS Industry Workshop, 2011)
M. Althoff CPS Verification November 15, 2013 4 / 29
Introduction
Interaction of Discrete and Continuous Dynamics
Formal verification has first been developed for discrete systems. However:
Cyber-physical systems interact with the physical world.
Discrete Dynamics
z1 z2
z3
discrete-event control
communication protocols
discrete sensors/actuators
discrete signal processing
scheduling algorithms
Continuous Dynamics
x(t) =f (x(t), u(t))
y(t) =g(x(t), u(t))
x : state vector, u: input vector, y : output
vector
continuous control
physics
continuous sensors/actuators
continuous signal processing
M. Althoff CPS Verification November 15, 2013 5 / 29
Introduction
Outline
Modeling of Cyber-Physical Systems with Hybrid Automata
Definition of the Verification Problem
Reachability Analysis
Linear continuous systems
Nonlinear continuous systems
Hybrid systems
Applications (automated driving, phase-locked loops, smart grids)
Future Research Proposals
Scalable verification algorithms using compositional design
Model-based design using abstract models
Fault-tolerant systems
M. Althoff CPS Verification November 15, 2013 6 / 29
Hybrid Dynamics
Hybrid Automaton (HA)
HA = (Z, z0,X ,X 0,U , inv,T , guard, jump, f )
set of locations Z = {z1, . . . , zm} with initial location z0,
continuous state space X ⊂ Rn with initial continuous set X 0,
discrete transitions T ⊆ Z × Z ,
invariants inv : Z → 2X ,
guard sets guard : T → 2X ,
jump functions jump : T × X → X
flow functions f : X × U × Z → Rn (U : continuous input space)
initialcontinuous
set
reachable set
guards
invariant
x1
x2z1 z2
Continuous evolution
Start at z0 and x0 ∈ X 0
x(t) is the solution ofx(t) = f (x(t), u(t), z(t))
M. Althoff CPS Verification November 15, 2013 7 / 29
Hybrid Dynamics
Hybrid Automaton (HA)
HA = (Z, z0,X ,X 0,U , inv,T , guard, jump, f )
set of locations Z = {z1, . . . , zm} with initial location z0,
continuous state space X ⊂ Rn with initial continuous set X 0,
discrete transitions T ⊆ Z × Z ,
invariants inv : Z → 2X ,
guard sets guard : T → 2X ,
jump functions jump : T × X → X
flow functions f : X × U × Z → Rn (U : continuous input space)
initialcontinuous
set
reachable set
guards
invariant
x1
x2z1 z2
Activation of discrete transition
Transition (zj , zi ) is activatedwhen x(t) ∈ guard((zj , zi ))
Transition has to be taken whenx(t) at the border of inv(zi )
M. Althoff CPS Verification November 15, 2013 7 / 29
Hybrid Dynamics
Hybrid Automaton (HA)
HA = (Z, z0,X ,X 0,U , inv,T , guard, jump, f )
set of locations Z = {z1, . . . , zm} with initial location z0,
continuous state space X ⊂ Rn with initial continuous set X 0,
discrete transitions T ⊆ Z × Z ,
invariants inv : Z → 2X ,
guard sets guard : T → 2X ,
jump functions jump : T × X → X
flow functions f : X × U × Z → Rn (U : continuous input space)
initialcontinuous
set
reachable set
guards
jump
invariant
x1
x2z1 z2
Discrete transition and jump of
continuous state
Location changes from zi to zj
Continuous state may jump:x ′ = jump((zj , zi ), x)(x ′: cont. state after jump)
M. Althoff CPS Verification November 15, 2013 7 / 29
Hybrid Dynamics
Hybrid Automaton (HA)
HA = (Z, z0,X ,X 0,U , inv,T , guard, jump, f )
set of locations Z = {z1, . . . , zm} with initial location z0,
continuous state space X ⊂ Rn with initial continuous set X 0,
discrete transitions T ⊆ Z × Z ,
invariants inv : Z → 2X ,
guard sets guard : T → 2X ,
jump functions jump : T × X → X
flow functions f : X × U × Z → Rn (U : continuous input space)
initialcontinuous
set
reachable set
guards
jump
invariant
x1
x2z1 z2
... and so on ...
M. Althoff CPS Verification November 15, 2013 7 / 29
Problem Definition
Reachability Analysis
possibletrajectory
exactreachable set
jump
steady state
initial set
x1
x2
Informal Definition
A reachable set is the set of states that can be reached by a dynamicalsystem in finite or infinite time for a
set of initial states,
uncertain inputs,
and uncertain parameters.
M. Althoff CPS Verification November 15, 2013 8 / 29
Problem Definition
Verification Task
overapproximativereachable set exact
reachable setinvariant set
unsafe set
initial set
x1
x2
Verification Task
Check if a set of unsafe states is never reached.
Exact reachable set only for special classes computable→ overapproximation computed for consecutive time intervals.
Overapproximation might lead to spurious counterexamples.
Simulation cannot prove correctness.
M. Althoff CPS Verification November 15, 2013 9 / 29
Reachability Analysis Linear Systems
Linear Systems: Overview of Reachable Set Computation
x(t) = Ax(t) + u(t), A ∈ Rn×n, x(t) ∈ R
n, x(0) ∈ R(0), u(t) ∈ uc ⊕ U
1 Compute reachable set H(r) = eArR(0)⊕∫ r
t=0eA(r−t)dt uc at time r neglecting
the uncertain input (C ⊕ D := {c + d |c ∈ C, d ∈ D}).
2 Obtain convex hull of initial set R(0) and H(r).
3 Enlarge reachable set to account for (1) uncertain inputs, (2) curvature oftrajectories.
4 Continue with further time intervals [kr , (k + 1)r ], k ∈ N.
Known algorithm, similar to work of A. Girard at HSCC’05.
R(0)
H(r)convexhull of
R(0), H(r)R([0, r ])
➀ ➁ ➂
enlargement
M. Althoff CPS Verification November 15, 2013 10 / 29
Reachability Analysis Nonlinear Systems
Nonlinear Reachability Analysis: Overall Algorithm
initial set R(0), input set U , time step k = 1
linearize system
compute reachable set Rlin without linearization error
obtain set of linearization errors L based onRlin and L (L: set of admissible linearization errors)
L ⊆ L ? enlarge L
compute reachable set Rerr due to L
R = Rlin ⊕ Rerr
k:=
k+
1
yes
no
M. Althoff CPS Verification November 15, 2013 11 / 29
Reachability Analysis Nonlinear Systems
Overall Algorithm: Animation
R(0)
linearize system
M. Althoff CPS Verification November 15, 2013 12 / 29
Reachability Analysis Nonlinear Systems
Overall Algorithm: Animation
Rlin([0, r ])
compute reachable set Rlin
without linearization error
M. Althoff CPS Verification November 15, 2013 12 / 29
Reachability Analysis Nonlinear Systems
Overall Algorithm: Animation
Rlin([0, r ])⊕Rerr ([0, r ])
Rerr : reachable set due to L
obtain set of linearizationerrors L based on
Rlin([0, r ]) ⊕Rerr ([0, r ])
M. Althoff CPS Verification November 15, 2013 12 / 29
Reachability Analysis Nonlinear Systems
Overall Algorithm: Animation
R([0, r ]) =
Rlin([0, r ])⊕Rerr ([0, r ])
L ⊆ L ?
M. Althoff CPS Verification November 15, 2013 12 / 29
Reachability Analysis Nonlinear Systems
Overall Algorithm: Animation
R([r , 2r ])
reachable set ofnext time interval
M. Althoff CPS Verification November 15, 2013 12 / 29
Reachability Analysis Nonlinear Systems
Overall Algorithm: Animation
R([0, tf ])
reachable set ofthe complete time horizon tf
possibletrajectories
M. Althoff CPS Verification November 15, 2013 12 / 29
Reachability Analysis Nonlinear Systems
Linearization and Lagrange Remainder
x = f (z(t)), zT := [xT , uT ] and t ∈ [kr , (k + 1)r ]:
Taylor series
xi ∈ fi (z∗) +
∂fi (z)
∂z
∣∣∣z=z∗
(z − z∗)︸ ︷︷ ︸
1st order Taylor series: A∆x+B∆u+fi (z∗)
⊕
{1
2(z − z∗)T
∂2fi(z)
∂z2
∣∣∣z=ξ
(z − z∗)
∣∣∣∣ξ, z ∈ R([kr , (k + 1)r ]) × U
}
︸ ︷︷ ︸
Lagrange remainderLi
Possible computation of the Lagrange remainder:Enclose reachable set by a multidimensional interval and apply intervalarithmetic.
M. Althoff CPS Verification November 15, 2013 13 / 29
Reachability Analysis Nonlinear Systems
Scalability of the Linearization Approach
x1
xn−1
xn
u
... (more tanks)
Water tank system.
1 2 3 4
2
3
4
5
6
x1
x6
initial set
possibletrajectories
Projected reachable set(n = 6).
Complexity with respect to the number of continuous state variables n: O(n3).
Dimension n 5 10 20 50 100
CPU-time [sec] 1.19 1.73 3.11 11.59 35.78
M. Althoff CPS Verification November 15, 2013 14 / 29
Reachability Analysis Hybrid Systems
Reachability Analysis of Hybrid Systems
Hybrid systems additionally require intersections of guard sets:
x1
x2
R(0)
Rg
R([tk , tk+1])
guard
(a) Classical approach.
x1
x2
R(0)
Rg
R([tk , tk+1])
R(tη)
guard
(b) New approach.
tη: last point in time before intersecting the hyperplane.
Rg : Overapproximation of the guard set intersection.
M. Althoff CPS Verification November 15, 2013 15 / 29
Reachability Analysis Hybrid Systems
Scalability of the Mapping-Based Approach
Jm J1 J2 JθJl
ks k1 k2 kθ
Θm
Θ1 Θ2 Θθ
Θl
gear
enginedynamics
uTm
Θs
2α
Powertrain with backlash.
−0.1 0 0.1 0.2
0
20
40
60
80
Θs −Θ1
Θref
guard set
R(0)
sampletraj.
Projected reachable set(n = 101).
Complexity with respect to the number of continuous state variables n: O(n5).
Dimension n 11 21 31 41 51 101
CPU time [sec] 8.122 14.31 23.72 31.83 53.74 1550
M. Althoff CPS Verification November 15, 2013 16 / 29
Reachability Analysis Hybrid Systems
Comparison With SpaceEx
SpaceEx: state of the art tool for reachability analysis of hybrid systems.
Uses geometric guard intersection.
Example sensitive to overapproximation → comparison for initial set with5% of initial size and n = 7.
−0.05 0 0.05 0.1−20
0
20
40
60
80
Θs −Θ1
Tm
SpaceEx
mappingapproach
guard
R0.05(0)
−0.05 0 0.05 0.1
0
20
40
60
80
Θs −Θ1
Θref
SpaceEx
mappingapproach
guard
R0.05(0)
Computational times: 10023 s (new approach: 0.133 s).
M. Althoff CPS Verification November 15, 2013 17 / 29
Reachability Analysis Extensions
Further Work
Reachability Analysis
Hybrid systems with differential-algebraic equations
Consideration of uncertain parameters
Improved algorithms for nonlinear systems using non-convex sets
Stochastic Verification
Abstraction of stochastic hybrid systems to Markov chains
Probabilistic inevitable collision states
left car
right car
ego car
initialpositions
M. Althoff CPS Verification November 15, 2013 18 / 29
Applications
Online Verification Of Automated Driving
lane change
maneuver B
lane change
maneuver A
Test site Test vehicle
−20 0 20 40 60 80 100 120−5
0
5
reference trajectory
other vehicle
ego vehicle ego vehicle (braking part)
initial occupancy
final occupancyobstacle
x-position [m]
y-position[m
]
M. Althoff CPS Verification November 15, 2013 19 / 29
Applications
Test Drive Results
[
sxsy
]
Ψ
β
δ
x
y
v
sx , sy [m] x- and y-positionΨ [rad] orientationβ [rad] slip angle at center of massδ [rad] front wheel anglev [m/s] velocity
2.5 3−0.5
0
0.5
Ψ [rad]
Ψ[rad
/s]
lc B lc A−0.2 0 0.2
2.4
2.6
2.8
3
δ [rad]
Ψ[rad
]
−0.2 0 0.2−0.5
0
0.5
δ [rad]
Ψ[rad
/s]
lc A
lc B
computation time: ≈ 1.8 times faster than maneuver time (Intel i7, 1.6GHz)
M. Althoff CPS Verification November 15, 2013 20 / 29
Applications
Verification of a Phase-Locked Loop (PLL)
System properties:
Hybrid dynamics withmany switchings(≈ 3000 untilconvergence)
Slow convergence tolocking
Verification Task:Check if for any initialcondition, the phase is lockedto the reference signal.
(received IEEE/ACM WilliamJ. McCalla ICCAD BestPaper Award)
Ci
Cp1
CP
Rp2
Rp3
frequency
divider1/N
Cp3
vi
vp1 vpip
ii
Φref
Φv
phasefrequency
detector(PFD)
RefUP
VCO
DN
Computation time: Verification vs. simulationreachability avg. MATLAB
∆Φ(0) analysis [s]: simulation [s]:[−1,−0.8]π 55.0461 48.3297[−0.8,−0.6]π 54.4418 47.9096[−0.6,−0.4]π 53.4820 46.2673[−0.4,−0.2]π 47.8208 44.4596[−0.2, 0]π 42.9191 38.5102
M. Althoff CPS Verification November 15, 2013 21 / 29
Applications
Transient Stability in Smart Grids
System properties:
Differential-algebraicequations
Nonlinear dynamics
Large system size
Verification Task:Check if all states return tothe operating point after apower drop-out.
GG
G
G
G
1
2
3
76
4
12
13
14
1110
9
58
Values at bus 3:
−0.8 −0.6 −0.4
375.5
376
376.5
377
377.5
generator phase [rad]
freq
uen
cy[rad/s]
1.02 1.04 1.06 1.08−0.8
−0.7
−0.6
−0.5
−0.4
bus voltage [p.u.]busphase
[p.u.]
M. Althoff CPS Verification November 15, 2013 22 / 29
Applications
Conclusions
Scalability issues in formal verification of cyber-physical systems havebeen successfully addressed.
The presented approaches verified applications that were previouslyout of reach.
The online verification of automated vehicles is the first approachthat verifies a system with non-trivial dynamics on-the-fly.
Results of reachability analysis can be easily interpreted.
Unlike other approaches (e.g. barrier certificates, constraintpropagation, theorem proving), reachability analysis immediatelyshows where a specification is violated.
M. Althoff CPS Verification November 15, 2013 23 / 29
Future Research Proposals
Scalable Verification using Compositional Design
Simulation: complete system has to be consideredReachability analysis: set of behaviors can be computed compositionally.
Simplest scenario
subsystem A
subsystem B
UA YA
UBYB
Assume set of inputs UA and UB for A and B ,respectively. If YA ⊆ UB and YB ⊆ UA →assumptions and set of behaviors areoverapproximative.
Possible application tosmart grids:
M. Althoff CPS Verification November 15, 2013 24 / 29
Future Research Proposals
Verification of Programmable Logic Controllers (PLCs)
and Real-Time Constraints
z1 z2
z3
z4
a, c1 > 1, c1 := 0
b, c1 > 0,c2 > 1
c2 ≤ 1, c2 := 0
e, c1 ≤ 1,c1 := 0, c2 := 0
c, c1 > 1c1 := 0
d , c1 = 1, c2 > 1
Solar Panel Productionsource: KUKA
Timed automata or timed Petri nets are often sufficient for PLC verification.
Timed automata and timed Petri nets are a special class of hybrid automata.
Algorithms for hybrid automata can be specialized.
M. Althoff CPS Verification November 15, 2013 25 / 29
Future Research Proposals
Non-Formal Verification Approaches
Non-formal verification is often more effective for less critical components.Most approaches try to steer the system into a fault:
Sensitivity-based simulation
Rapidly-exploring random trees
Cross-entropy method
Ant-colony optimization
etc.
Method selection is more art than science.
0 5 10 15 20 2512
14
16
18
20
22
24 Falsification of the room heatingbenchmark problem using ant-colonyoptimizationY. Annapureddy, C. Liu, G. Fainekos and S.
Sankaranarayanan: S-TaLiRo: A Tool for Temporal Logic
Falsification for Hybrid Systems
M. Althoff CPS Verification November 15, 2013 26 / 29
Future Research Proposals
Model-Based Design using Abstract Models
Build abstract subsystems to which uncertainty is added.→ design changes within the abstraction require no design iteration.
Continuous abstraction
x ∈ {f (x , p) + u|p ∈ P, u ∈ U}Parametric (p ∈ P) and additiveuncertainties (u ∈ U)
Discrete abstraction
Add non-deterministic transitions
z1 z2
z3
Example: Vehicle dynamics for automated driving.
0 10 20 30 40 50 60 70 80
−1
0
1
2
3
4
5
6
7
8
referencetrajectory
x-position
y-position
source: bremarauto
M. Althoff CPS Verification November 15, 2013 27 / 29
Future Research Proposals
Fault-Tolerant Systems
Information redundancy:Check bits to detect data transfer errors.
Physical redundancy:
Voter switches subsystem in case of a fault.
Drawbacks: Faults need to be directlymeasurable, redundant components areexpensive.
subsystem A
subsystem B
subsystem C
voter
Analytical redundancy:
Controller re-design based on informationfrom model-based observers.
Drawbacks: Control performance isdegraded, challenging design.
controller plant
diagnosiscontrollerre-design
yref
u y
f
yref : reference, u: input, y : output, f : fault
Design of scalable and reliable observers and fault-tolerant controllers for hybriddynamics is an open research problem.
M. Althoff CPS Verification November 15, 2013 28 / 29
Future Research Proposals
Final Thoughts
How to build safe and reliable cyber-physical systems?
Good balance between formal and non-formal verification
Scalable formal verification techniques (rather provide techniques thatcan address a limited set of specifications, but for large systems)
Consideration of disturbances, parameter variations, and faults in theverification process
Model-based design supporting abstraction, modularity, and hierarchy
Built-in fault tolerance
Good tool support
M. Althoff CPS Verification November 15, 2013 29 / 29