Verification of Discrete & Hybrid Powertrain Controllers Bruce H. Krogh Carnegie Mellon University.
Verification of Discrete & Hybrid Powertrain Controllers
Bruce H. Krogh
Carnegie Mellon University
Overview
• model checking
– SMV
• verification of state charts
– sf2smv
• verification of hybrid systems
– CheckMate
Verification via Model Checking
[Figure: block diagram. The system model and the system property (specification) are the inputs to the MODEL CHECKER, which either confirms the property is TRUE or generates a counterexample.]
Model Checking vs. Simulation
In one run, a model checker investigates every possible behavior of the system for the given set of initial conditions and input signals ... a simulator generates only one trajectory for a particular initial condition and input signal.
Where does Verification fit in the Powertrain Control Feature Design Cycle?
[Figure: design cycle with the stages feature specification, executable spec. (CACSD), code (code generation), test on engine/vehicle (simulation, hardware in the loop), and production; model checking of the executable spec. is shown as the potential role of formal verification.]
Objective: Verify feature behavior for the entire range of operating conditions.
Verification of Finite-State Systems
[Figure: the FINITE-STATE SYSTEM and the PROPERTY TO VERIFY feed the MODEL CHECKING PROGRAM, which returns PROPERTY IS TRUE OR A COUNTER EXAMPLE.]
The model checker propagates sets of states, not individual trajectories.
FSM Model Checkers
key strength: exhaustive search of reachable states
key theory: fixed-point operations for temporal logic assertions
key technology: OBBDs (ordered binary decision diagrams)
SMV (symbolic model verification)
• Textual programming language
– interacting state-transition systems
– Boolean, integer, symbolic variables
– modules with multiple instantiations
– temporal logic specifications
• Originally developed at Carnegie Mellon
– www.cs.cmu.edu/~modelcheck/smv.html
• Cadence Labs version
– www-cad.eecs.berkeley.edu/~kenmcmil/smv/
Cadence Labs SMV Graphical Interface
From “Getting started with SMV” by Ken L. McMillan
“Model checking by itself is limited to fairly small designs …
For large designs, the user must [use] compositional verification …
These techniques include refinement verification, symmetry reduction, temporal case splitting, data type reduction, and induction.”
Overview
• model checking
– SMV
• verification of state charts
– sf2smv
• verification of hybrid systems
– CheckMate
Mathworks Stateflow® Charts
States
• AND states (dashed lines)
• OR states (solid lines)
Transitions fire when
• source state is active,
• conditions (in brackets) are true
• labeling events occur
Actions
• transition actions (follow / in transition label)
• state actions: enter, during, exit
Junctions connect multiple input-output transition branches for "flowchart" logic
Example from Stateflow example: automotive\fuelsys
Statecharts = Hierarchical State Machines
Verification of Stateflow Charts
[Figure: the DESIGNER builds a STATEFLOW DIAGRAM (SIMULINK) from the FEATURE SPECIFICATIONS; sf2smv (new Matlab command) translates the diagram into SMV MODULES, the specifications to verify are given to SMV, and SMV produces the VERIFICATION RESULTS.]
M. Rausch and B. Krogh, “Symbolic Verification of Stateflow Logic,” WODES 98
Stateflow Charts → SMV Modules
OR state group → SMV module
– module name = parent state name
– module states = states in OR state group
– assign statements = state transitions
AND state group → SMV module
– same as OR, except states are set/reset with the parent
Transitions → SMV variables
– DEFINE block = state transition conditions
Stateflow Charts → SMV Modules (excerpt of the generated SMV)

MODULE main
  VAR state : {no_states, A3, A1, A2};
      A3_child : A3_c(…);
      A2_child : A2_c(…);
  ASSIGN init(state) := no_states;
         next(state) := case t42_f : A3; t39_f | t41_f : A1; t43_f : A2; 1 : state; esac;

MODULE A3_c(…)
  VAR state : {no_states, A3b, A3a};
  ASSIGN init(state) := no_states;
         next(state) := case t41_f : no_states; t42_f : A3b; t40_f : A3a; 1 : state; esac;

MODULE A2a_c(…)
  VAR state : {no_states, a1, a2, a3};
  ASSIGN init(state) := no_states;
         next(state) := case t42_f : no_states; t44_f | t46_f : a1; t48_f : a2; t50_f : a3; 1 : state; esac;

MODULE A2b_c(…)
  VAR state : {no_states, b1, b2, b3};
  ASSIGN init(state) := no_states;
         next(state) := case t42_f : no_states; t45_f | t47_f : b1; t49_f : b2; t51_f : b3; 1 : state; esac;

MODULE A2_c(…)
  VAR A2a : and_state(…);
      A2b : and_state(…);
      A2a_child : A2a_c(…);
      A2b_child : A2b_c(…);
  .
  .
  .
“Verification of Stateflow Diagrams Using SMV,” CMU Tech Report, Oct. 1998
Sensor-Filter Example
[Figure: Stateflow chart and simulation traces of the sensor-filter example, shown over several slides.]
Problem: the filter initializes with the default value (10.0) although sensor_flag = 0 at t = 1.0.
Sensor-Filter Example: Application of sf2smv
[Figure: the same sf2smv flow as above: FEATURE SPECIFICATIONS → DESIGNER → STATEFLOW DIAGRAM (SIMULINK) → sf2smv (new Matlab command) → SMV MODULES; specifications to verify → SMV → VERIFICATION RESULTS.]
Generation of SMV Model
Specification for Verification
AG(input_sel=1 -> init_sel=1)
If input_sel = 1 then init_sel should be 1 on the first pass (but it apparently isn’t, so I want a trace of what happens).
SMV Verification Result
When trig_init occurred, starting.state was not active!
Using the Trace for Debugging
Starting is activated after main, so it is not active when trig_init is generated on the first pass.
Sensor-Filter Example
Correct filter initialization from the good sensor measurement.
For code generation, the semantics matter!
Overview
• model checking
– SMV
• verification of state charts
– sf2smv
• verification of hybrid systems
– CheckMate
CAM Controller Example
Verification Problem: Determine whether the controller will switch only once from saturation to PID mode.
Continuous-Time Model
[Figure: block diagram of the CAM controller continuous-time model.]
Switching Rule
Discrete-time rule: switch on the magnitude of the error and the sign of the output of this filter:
  H(z) = 0.7 (1 − z⁻¹) / (1 − 0.3 z⁻¹)
Continuous-time rule: switch on the magnitude of the error and the sign of the output of this filter:
  H(s) = 150.5 s / (s + 150.5)
[Figure: phase plane with axes "state of the filter" and "error".]
Finite State Analysis
• Assign discrete states to each switch boundary and the initial condition set
• Determine reachability from each discrete state to the other discrete states
• Analyze the resulting finite state system
Reachability Analysis
Resulting Finite-State System
[Figure: finite-state system obtained from the reachability analysis; it contains a possible switch back to the saturation controller.]
Verification is inconclusive since it is a conservative approximation.
Precise Reachability Analysis
[Figure: the portion of A1 that doesn’t lead to switching and the portion of A1 that reaches A2 (leads to switching).]
“Exact” Finite-State System
Switch back to the saturation controller is certain from some initial states.
Applying Model Checking to Hybrid Systems:
• interpret a hybrid system as a transition system (with an infinite state space)
• find an equivalent finite-state transition system (bisimulation)
• perform verification using the bisimulation
Can this approach be generalized to higher-order systems?
Hybrid System Verification via Finite-State Bisimulation
[Figure: hybrid system model H → Bisimulation Procedure → finite-state transition system T_H; T_H and the PROPERTY TO VERIFY feed the MODEL CHECKING PROGRAM, which returns PROPERTY IS TRUE OR A COUNTER EXAMPLE.]
[Figure: Simulink block diagram of the general hybrid system dynamics. Continuous dynamics: mode select, flow constraints F1, F2, F3, integrator 1/s, initial condition X0, producing xdot(t) and the continuous state x(t). Jump dynamics: jump mapping Je. Discrete dynamics: a discrete-state system with guarded transitions, producing the discrete event e(t) and the discrete state m(t).]
Simulink Diagram of General Hybrid System Dynamics
[Figure: the hybrid system block diagram described above (continuous dynamics F1, F2, F3, integrator, X0, jump mapping Je, discrete-state system with guarded transitions; signals x(t), m(t), e(t)).]
Simulink Diagram of a Hybrid System
[Figure: the same hybrid system block diagram, instantiated for a particular hybrid system (mode select, integrator, flow constraints F1, F2, F3, jump mapping Je, initial condition X0, discrete-state system with guarded transitions; signals x(t), m(t), e(t)).]
Continuous-State Reachable Set Mapping
Objective: Compute mappings from initial state sets to next initial state sets at the discrete-state transitions.
X0(mk) → X0(mk+1)
Hybrid System Verification: Decidability Results
Hybrid Automata (flows, guards, jumps):
– Linear Hybrid Automata (P, P, P)
– Rectangular Automata (In, In, In)
– Multirate Automata (Zn, In, In)
– Timed Automata (1n, In, {reset, continue}n)
– Stopwatch Automata (2 slopes w/o reset)
[Figure annotations on the classes above: Initialized, PSPACE-c; Initialized; isomorphic (initialized); Bisim; (finite slope, triangular, state-dependent assignment or initialize); Uninitialized.]
¹ Courtesy of Enrique Ferreira, CMU, 1999
Piecewise-Trivial Hybrid Systems¹
[Figure: the hybrid system block diagram from above (mode select, integrator, flow constraints F1, F2, F3, jump mapping Je, initial condition X0, discrete-state system with guarded transitions; signals x(t), m(t), e(t)).]
Reach_t(X0, Fk) can be represented and computed.
¹ Dang & Maler, HS’98
Piecewise-Trivial Hybrid Systems (PTHS)
[Figure: the hybrid system block diagram with the continuous dynamics replaced by the reachable-set map X(t; X0, m) (jump mapping Je, initial condition X0, discrete-state system with guarded transitions; signals x(t), m(t), e(t)), shown next to the full block diagram with mode select, integrator, F1, F2, F3.]
Linear Hybrid Automata: HyTech (UC Berkeley)
• Fk (flow constraints), Je (jump mappings), and Gjk (guards) are convex polyhedra
• Fk are independent of x(t)
Verification of General Hybrid Systems
CheckMate Block Diagram
[Figure: Simulink Model built from CheckMate blocks: Switched Continuous System 1, 2, 3 (states x1, x2, x3), Polyhedral Threshold 1, 2, 3 (C*x <= d, outputs th1, th2, th3), Mux blocks, a Logical Operator (OR), and Finite State Machine 1 and 2 (inputs c1, c2; outputs q1, q2).]
Switched Continuous System
• Parameter: Switching function f
• Input: Discrete condition signal u
• Output: Continuous state vector x
• Description: Continuous dynamics selected by the discrete input signal: ẋ = f_u(x)
[Figure: Switched Continuous System block with input u and output x.]
Switched Continuous System Parameters
Polyhedral Threshold
• Parameters: C, d
• Input: Continuous state vector x
• Output: Boolean signal: 1 if Cx ≤ d, 0 otherwise
• Description: Outputs a Boolean signal indicating whether the continuous state vector x is in the polyhedron Cx ≤ d
[Figure: Polyhedral Threshold block (C*x <= d) with input x.]
Visualization Tool
Finite State Machine (Stateflow)
• Inputs:
– Data: Boolean condition signals which are functions of PTHB and FSMB outputs
– Event: Transition edges of Boolean condition signals which are functions of PTHB outputs
• Output: Discrete signal (integer) indicating active state of FSM
[Figure: Finite State Machine block with a vectorized event input, scalar data inputs data 1 … data N, and output q.]
[Figure: the hybrid system block diagram from above (mode select, integrator, flow constraints F1, F2, F3, jump mapping Je, initial condition X0, discrete-state system with guarded transitions; signals x(t), m(t), e(t)).]
Approximating the Continuous-State Reachable Set Mapping
Objective: Compute mappings from initial state sets to next initial state sets at the discrete-state transitions.
X0(mk) → X0(mk+1)
Approximating reachable sets
E. K. Kornoushenko, Finite-automaton approximation to the behavior of continuous plants, Automation and Remote Control, 1975
J. Raisch and S. O’Young, A DES approach to control of hybrid dynamical systems, Hybrid Systems III, LNCS 1066, Springer, 1996
A. Puri, V. Borkar and P. Varaiya, ε-Approximation of differential inclusions, Hybrid Systems III, LNCS 1066, Springer, 1996
M. R. Greenstreet, Verifying safety properties of differential equations, CAV’96
M. R. Greenstreet and I. Mitchell, Integrating projections, HS’98
T. Dang and O. Maler, Reachability analysis via face lifting, HS’98
A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998
A. Chutinan and B. H. Krogh, Verification of polyhedral-invariant hybrid systems using polygonal flow pipe approximations, HSCC99
Polyhedral Flow Pipe Approximations
A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998
[Figure: flow pipe emanating from X0, sampled at times t1, t2, …, t9, with each segment enclosed by a polytope.]
• divide R[0,T](X0) into [tk, tk+1] segments
• enclose each segment with a convex polytope
• RM[0,T](X0) = union of polytopes
Flow Pipe Segment Approximation
[Figure: Vertices(X0) at tk and their images at tk+1.]
Step 1.a. Simulate trajectories from each vertex of X0.
Step 1.b. Take the convex hull and identify the outward normal vectors ci.
Step 2. Solve an optimization for each di; the flow pipe segment is approximated by { x | ciᵀ x ≤ di, ∀i }.
Flow Pipe Approximation Example 1: Van der Pol Equation
[Equation and initial set garbled in extraction: the slide gives the Van der Pol equation in the states x1, x2 and the initial set X0.]
Van der Pol Equation
Uniform time step tk = 0.5
Initial Set
Flow Pipe Approximation Example 2: Linear System
A = [ 0 1 0 ; 0 0 1 ; 1 2 2 ] (minus signs, if present on the slide, did not survive extraction)
Vertices for X0 (read from the slide as columns): (1, 1, 1), (2, 1, 1), (2, 2, 1), and (1, 2, 1)
Uniform time step tk = 0.1
Flow Pipe Approximation
• Applies in arbitrary dimensions
• Approximation error doesn't grow with time
• Estimation error (Hausdorff distance) can be made arbitrarily small with a small enough time step and a small enough initial set X0
• Integrated into a complete verification tool (paper in next session)
Elements of CheckMate
[Figure: Simulink/Stateflow Front End (graphical editing, simulation); Threshold-event-driven Hybrid Systems (TEDHS); Polyhedral-Invariant Hybrid Automaton (PIHA) Conversion; Initial Partition; Flow Pipe Approximations; Quotient Transition System; ACTL Verification; Partition Refinement.]
Using Reachability Approximations for Verification
[Figure: Hybrid system model H → Simulation Iteration → Transition system TM/P; TM/P and the PROPERTY TO VERIFY feed the MODEL CHECKING PROGRAM, which returns PROPERTY IS TRUE OR A COUNTER EXAMPLE; "Conclusive for H?" No → iterate.]
For universal assertions (A - for all paths), TRUE for TM/P implies TRUE for TH.
Comparison to Bisimulation Approach
[Figure: two flowcharts. Bisimulation approach: construct initial partition → BP iterations → finite bisimulation → verification → yes: stop, specification is true / no: stop, specification is false. CheckMate approach: construct initial partition → refine partition → finite quotient system → verification → yes: stop, specification is true; no: test for bisimulation → yes: stop, specification is false / no: refine partition.]
Powertrain Control Application
“Hybrid control in automotive applications: the cut-off control,” A. Balluchi et al., Automatica Special Issue on Hybrid Systems, vol. 35, no. 3, March 99
Problem: Verify the event-driven implementation of a control law designed in continuous time.
Control law: Decide when to inject air/fuel for torque to decrease speed along a prescribed trajectory.
Cut-off Control
Plant
– four-stroke, four-cylinder engine
– discrete-event model of torque generation
• 4-state FSM model for each piston
– continuous-time powertrain model¹
• axle torsion angle
• crankshaft speed
• wheel speed
• crankshaft angle → FSM transition event
• input: engine torque from pistons
¹ Model from Magneti Marelli Engine Control Division
CheckMate Model
[Figure: CheckMate model of the cut-off control over three slides: power train dynamics, Piston FSM, and Predictive Control Logic.]
Verification for Powertrain Control Features
• Problems are hybrid
• Logic introduces combinatorial complexity
• Potential savings if control logic can be evaluated early in the design cycle
• Flowpipe reachability analysis applies to purely continuous problems
• Verification requires model “abstraction” (i.e., insight and effort)
BUT formal verification often reveals unanticipated behaviors