Automatic Verification of Control System Implementations
Adolfo Anta (1,2), Rupak Majumdar (3,4), Indranil Saha (3) and Paulo Tabuada (3)
(1) Max Planck Institute for Dynamics of Complex Technical Systems
(2) TU Berlin
(3) University of California Los Angeles
(4) Max Planck Institute for Software Systems
EMSOFT 2010, October 25, 2010
EMSOFT 2010 Anta, Majumdar, Saha, Tabuada Automatic Verification of Control System Implementations 1/24
Applications of Control Systems
The systems are mostly life-critical or mission-critical.
Control Software Development Flow
[Figure: development-flow diagram with the blocks 'Closed-loop System Model in Simulink/Stateflow', 'Floating-point C Code', 'Control System', 'Mathematical Model of Physical System', 'Control Design', 'Code Generation', 'Integration', 'Floating-point to Fixed-point Code Converter' and 'Fixed-point C Code'.]
Control Software Development Flow
[Figure: the same development-flow diagram, now with the blocks 'Closed-loop System Model in Simulink/Stateflow', 'Floating-point C Code', 'Control System', 'Simulation For Performance', 'Mathematical Model of Physical System', 'Control Design', 'Code Generation', 'Integration', 'Floating-point to Fixed-point Code Converter', 'Fixed-point C Code' and 'Mathematical Analysis of Stability'.]
Semantic Gap between Mathematical Controller and Software Implementation
Automatic code generators are not certified
Sensor and actuator errors
Limited precision arithmetic
It is often unclear if the implemented system exhibits the same behavior as the mathematical model.
Control Software Development Flow
[Figure: the development-flow diagram again, with the blocks 'Closed-loop System Model in Simulink/Stateflow', 'Floating-point C Code', 'Control System', 'Simulation For Performance', 'Mathematical Model of Physical System', 'Control Design', 'Code Generation', 'Integration', 'Floating-point to Fixed-point Code Converter', 'Fixed-point C Code' and 'Mathematical Analysis of Stability', and the three verification activities 'Code-level Simulation', 'System-level Simulation' and 'Stability Analysis' marked on it.]
Limitations of Simulation
- Simulation can find bugs, but cannot guarantee correctness.
- It does not take into account any knowledge from the mathematical properties of the control system.
Proposed Control Software Development Flow
[Figure: proposed development-flow diagram with the blocks 'Closed-loop System Model in Simulink/Stateflow', 'Floating-point C Code', 'Control System', 'Simulation', 'Mathematical Model of Physical System', 'Control Design', 'Code Generation', 'Integration', 'Floating-point to Fixed-point Code Converter', 'Fixed-point C Code', 'Mathematical Analysis' and the new 'Formal Stability Analysis Tool'.]
Model of a Control System
[Figure: closed-loop block diagram with the blocks 'Plant', 'Controller' and 'Sensor/Actuator', and the label 'Desired Behavior'.]
Stability of a Control System
Stability: The physical plant converges to a desired behavior under the actions of the controller.
Different Sources of Implementation Error
Fact: When we implement the controller in software, we introduce error in the output of the controller due to
- Large sampling time
- Sensor and actuator error (noise, saturations, quantization, ...)
- Limited precision arithmetic

Question: What is the effect of the implementation error on the stability of a control system?
Effect of Implementation Error on Stability
Linear Control System: If $\gamma_C$ is the $L_2$ gain of a linear control system, and $b_e$ is the bound on the implementation error $e$, then the implementation guarantees that the output trajectories of the controlled system asymptotically converge to the set of outputs $y \in \mathbb{R}^n$ satisfying

$$\|y\| \le \gamma_C \times b_e$$

For linear control systems,

$$\xi = A\xi + B\upsilon, \qquad y = C\xi$$

where $\upsilon$ is the input to the plant, $\gamma_C$ can be calculated using classical control theory:

$$\gamma_C = \max_{\psi \in [0, 2\pi[} \left\| C \left( e^{i\psi} 1_{n \times n} - A \right)^{-1} B \right\| .$$
Effect of Implementation Error on Stability
Nonlinear Control Systems: For a nonlinear system

$$\frac{d}{dt}\xi = f(\xi, \upsilon)$$

with a feedback controller of the form

$$\upsilon = k(\xi)$$

the effect of the implementation error $e$ is computed using an ISS Lyapunov function $V$ and the following constraint from robust control theory:

$$\frac{\partial V}{\partial x} f(x, k(x) + e) \le -\lambda V(x) + \sigma \|e\|^2$$

The trajectories of the controlled system are guaranteed to converge to the set of states $x$ defined by $V(x) \le (\sigma/\lambda) \times b_e$.

The values of $\sigma$ and $\lambda$ can be found using the Sum of Squares (SoS) optimization technique.
Finding the Bound on Implementation Error
Fact: Typical embedded controller implementations use periods in the millisecond to microsecond range.
- Quantization error dominates the sampling error.
- Bounds on the errors arising from sensors and actuators are available from sensor and actuator specifications.

Question: How to calculate a bound on the implementation error due to quantization?
Effect of Quantization Error on Stability
Example: Vehicle Steering. The control objective is to make the vehicle stable parallel to the x-axis at a certain distance of d meters.

[Figure: Simulink block diagram with the blocks 'Reference Input', 'Double Precision Implementation of Controller', 'Plant', 'Fixed-point Implementation of Controller', 'Plant', 'Subtract' and 'Out', and an 'Error' label on the compared output.]
Example of Controller Program

Control Law: $u = 0.81 \times (x_1 - x_2) - 1.017 \times \mathit{ref}$

Real-valued program:

```c
typedef double real;   // `real` stands for the mathematical reals; double is the closest stand-in

// Input variables
real In1;
real In2;
real In3;

// Intermediate variables
real Subtract;
real Gain;
real Gain2;

// Output variables
real Out1;

static void output(void) {
    Subtract = In1 - In2;
    Gain = 0.81 * Subtract;
    Gain2 = 1.017 * In3;
    Out1 = Gain - Gain2;
}
```

Fixed-point implementation (16-bit); fixdt(1,16,N) denotes a signed 16-bit word with N fractional bits:

```c
// Input variables
short int In1;       // range: [0, 100],  fixdt(1,16,8)
short int In2;       // range: [50, 110], fixdt(1,16,8)
short int In3;       // range: [-10, 50], fixdt(1,16,9)

// Intermediate variables
short int Subtract;  // fixdt(1,16,8)
short int Gain;      // fixdt(1,16,8)
short int Gain2;     // fixdt(1,16,9)

// Output variables
short int Out1;      // fixdt(1,16,8)

static void output(void) {
    Subtract = (short int)(In1 - In2);                 // both operands have 8 fractional bits
    Gain = (short int)(26542 * Subtract >> 15);        // 0.81 scaled by 2^15; result keeps 8 fractional bits
    Gain2 = (short int)(16663 * In3 >> 14);            // 1.017 scaled by 2^14; result keeps 9 fractional bits
    Out1 = (short int)(((Gain << 1) - Gain2) >> 1);    // align Gain to 9 fractional bits, subtract, back to 8
}
```
Calculating the bound on Quantization Error
Inputs:
- A real-valued polynomial function $u = k(y)$.
- A program $K$ implementing $k$ using finite-precision arithmetic.
- Range $[y_{min}, y_{max}]$ for $y$.

Question: How far can the value $k(y)$ be from the output $K(\hat{y})$ when $y$ is chosen from the range $[y_{min}, y_{max}]$ and $\hat{y}$ is the closest representation of $y$ using the finite-precision implementation of real numbers?
Algorithm
1. Construct the strongest post-condition $SP(K)(\hat{y}, \hat{u})$ for the function $K$.
2. Set up a set of constraints that is the conjunction of: $y \in [y_{min}, y_{max}]$, $|y - \hat{y}| \le \delta$, $u = k(y)$, $SP(K)(\hat{y}, \hat{u})$.
3. Ask: what is the maximum difference between $u$ and $\hat{u}$ under the above constraints?

The problem can be solved by a bisection optimization method using off-the-shelf decision procedures.
Stability Analysis Tool: Costan
- A tool to compute the error bound in fixed-point implementations of control laws automatically.
- Reduces the error bound computation problem to a series of decision problems.
Stability Analysis Tool: Costan
- Costan supports both linear and nonlinear controllers; for nonlinear controllers it supports both polynomial implementations and lookup-table-based implementations.
- For linear controllers, Costan uses Yices [SRI]; for nonlinear controllers it uses the HySat [Fränzle et al.] solver.
- For large linear controllers and for nonlinear controllers implemented as large lookup tables, we adopt a compositional strategy.
Experimental Results
| Example | Error bound | Set size (ρ) | Run time |
|---|---|---|---|
| vehicle steering (16bit) | 0.0163 | 0.0375 | 1m14.313s |
| pendulum (16bit) | 0.0508 | 0.1806 | 2m36.409s |
| dc motor (16bit) | 0.0473 | 1.0889 | 2m15.110s |
| train car - 1 car (32bit) | 5e-7 | 2.6080e-5 | 3m25.478s |
| train car - 2 cars (32bit) | 1.5e-6 | 9.4000e-5 | 5m39.607s |
| train car - 3 cars (32bit) | 8.5e-6 | 0.0010 | 9m34.485s |
| train car - 4 cars (32bit) | 3.351e-5 | 0.0080 | 10m9.179s |
| train car - 5 cars (32bit) | 1.655e-4 | 0.0627 | 20m28.822s |
| jet engine[poly] (16bit) | 4e-3 | 0.0230 | 0m0.551s |
| jet engine[3×8] | 6.40 | 37.0431 | 0m34.636s |
| jet engine[5×10] | 4.48 | 25.9296 | 0m34.293s |
| jet engine[7×14] | 2.73 | 15.8009 | 1m6.981s |
| jet engine[21×21] | 1.25 | 7.2348 | 18m15.794s |
| jet engine[21×101] | 0.88 | 5.0933 | 50m23.127s |
| jet engine[100×100] | 0.33 | 1.9100 | 103m19.977s |
Interpretation of Result
Example: Vehicle Steering. The control objective is to make the vehicle stable parallel to the x-axis at a certain distance d.

If we find the set size for d to be r, then in the steady state the vehicle will be between d − r and d + r away from the x-axis.
Related Works
- YazarelPappasGirardAlur2005 and NghiemPappasGirardAlur2006 characterize the stability performance gap between the model of the control system and its implementation on a time-triggered architecture.
- AlurWeiss2008 models the dependency of control performance on schedules by an automaton that can be used for online scheduling.
- ZhangSzwaykowskaWolfMooney2008 co-designs the control law and the task scheduling algorithm for predictable stability performance.
Conclusion
- We bridge the gap between model-based design of control systems and finite-precision implementation of controllers.
- We show how the results of program analysis of controller code can be used to judge the performance of a control system.
- We have developed a tool that can find the implementation error in fixed-point implementations of linear and nonlinear controllers.