althoff (2013) Formal Verification of Cyberphysical Systems

1,320 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,320
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
40
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

althoff (2013) Formal Verification of Cyberphysical Systems

  1. 1. Formal Verification of Cyber-Physical Systems Matthias Althoff Technische Universit¨t M¨nchen a u November 15, 2013 M. Althoff CPS Verification November 15, 2013 1 / 29
  2. 2. Introduction Examples of Cyber-Physical Systems automated driving human-robot collaboration Smart grids source: Carnegie Mellon University source: Rethink Robotics source: Siemens automated farming surgical robots Air traffic control source: Kesmac source: daVinci source: NASA Emerging technologies are increasingly safety- or operation-critical! M. Althoff CPS Verification November 15, 2013 2 / 29
  3. 3. Introduction Examples of Insufficiently Verified Systems Intel Bug (1994) Error in the floating point division. costs: $ 500 Mio Explosion of the Ariane 5 rocket (1996) Variable overflow due to software reuse from Ariane 4. costs: $ 500 Mio Unintended acceleration in Toyota cars (2010) Several investigations, no mistake found (NHTSA and NASA). PR disaster M. Althoff CPS Verification November 15, 2013 3 / 29
  4. 4. Introduction Need for Formal Verification Testing Formal Verification Not much expert knowledge required Expert knowledge required Applicable to large systems Not (yet) applicable to large systems No guarantee of correctness Guarantees correctness Critical components: Proof of correctness outweighs advantages of testing. Case study: Unmanned aerial vehicle (UAV) flight control verified by two teams of equal size. Lockheed Martin Aero Rockwell Collins Used testing Used Model Checking Found no bugs Found 12 bugs ”Model-checking was more cost effective than testing at finding design errors.” (Dr. Steven P. Miller, Rockwell Collins, CMACS Industry Workshop, 2011) M. Althoff CPS Verification November 15, 2013 4 / 29
  5. 5. Introduction Interaction of Discrete and Continuous Dynamics Formal verification has first been developed for discrete systems. However: Cyber-physical systems interact with the physical world. Discrete Dynamics Continuous Dynamics z2 z1 x(t) =f (x(t), u(t)) ˙ y (t) =g (x(t), u(t)) z3 discrete-event control x: state vector, u: input vector, y : output vector continuous control communication protocols physics discrete sensors/actuators continuous sensors/actuators discrete signal processing continuous signal processing scheduling algorithms M. Althoff CPS Verification November 15, 2013 5 / 29
  6. 6. Introduction Outline Modeling of Cyber-Physical Systems with Hybrid Automata Definition of the Verification Problem Reachability Analysis Linear continuous systems Nonlinear continuous systems Hybrid systems Applications (automated driving, phase-locked loops, smart grids) Future Research Proposals Scalable verification algorithms using compositional design Model-based design using abstract models Fault-tolerant systems M. Althoff CPS Verification November 15, 2013 6 / 29
  7. 7. Hybrid Dynamics Hybrid Automaton (HA) HA = (Z, z 0 , X , X 0 , U, inv, T , guard, jump, f ) set of locations Z = {z1 , . . . , zm } with initial location z 0 , continuous state space X ⊂ Rn with initial continuous set X 0 , discrete transitions T ⊆ Z × Z , invariants inv : Z → 2X , guard sets guard : T → 2X , jump functions jump : T × X → X flow functions f : X × U × Z → Rn (U: continuous input space) reachable set invariant Continuous evolution initial continuous set Start at z 0 and x 0 ∈ X 0 x(t) is the solution of x(t) = f (x(t), u(t), z(t)) ˙ guards x1 x2 z1 M. Althoff z2 CPS Verification November 15, 2013 7 / 29
  8. 8. Hybrid Dynamics Hybrid Automaton (HA) HA = (Z, z 0 , X , X 0 , U, inv, T , guard, jump, f ) set of locations Z = {z1 , . . . , zm } with initial location z 0 , continuous state space X ⊂ Rn with initial continuous set X 0 , discrete transitions T ⊆ Z × Z , invariants inv : Z → 2X , guard sets guard : T → 2X , jump functions jump : T × X → X flow functions f : X × U × Z → Rn (U: continuous input space) reachable set Activation of discrete transition invariant Transition (zj , zi ) is activated when x(t) ∈ guard((zj , zi )) initial continuous set Transition has to be taken when x(t) at the border of inv(zi ) guards x1 x2 z1 M. Althoff z2 CPS Verification November 15, 2013 7 / 29
  9. 9. Hybrid Dynamics Hybrid Automaton (HA) HA = (Z, z 0 , X , X 0 , U, inv, T , guard, jump, f ) set of locations Z = {z1 , . . . , zm } with initial location z 0 , continuous state space X ⊂ Rn with initial continuous set X 0 , discrete transitions T ⊆ Z × Z , invariants inv : Z → 2X , guard sets guard : T → 2X , jump functions jump : T × X → X flow functions f : X × U × Z → Rn (U: continuous input space) reachable set Discrete transition and jump of continuous state jump invariant Location changes from zi to zj initial continuous set Continuous state may jump: x ′ = jump((zj , zi ), x) (x ′ : cont. state after jump) guards x1 x2 z1 M. Althoff z2 CPS Verification November 15, 2013 7 / 29
  10. 10. Hybrid Dynamics Hybrid Automaton (HA) HA = (Z, z 0 , X , X 0 , U, inv, T , guard, jump, f ) set of locations Z = {z1 , . . . , zm } with initial location z 0 , continuous state space X ⊂ Rn with initial continuous set X 0 , discrete transitions T ⊆ Z × Z , invariants inv : Z → 2X , guard sets guard : T → 2X , jump functions jump : T × X → X flow functions f : X × U × Z → Rn (U: continuous input space) reachable set jump invariant initial continuous set ... and so on ... guards x1 x2 z1 M. Althoff z2 CPS Verification November 15, 2013 7 / 29
  11. 11. Problem Definition Reachability Analysis jump exact reachable set initial set x1 possible trajectory x2 steady state Informal Definition A reachable set is the set of states that can be reached by a dynamical system in finite or infinite time for a set of initial states, uncertain inputs, and uncertain parameters. M. Althoff CPS Verification November 15, 2013 8 / 29
  12. 12. Problem Definition Verification Task overapproximative reachable set exact reachable set initial set invariant set x1 x2 unsafe set Verification Task Check if a set of unsafe states is never reached. Exact reachable set only for special classes computable → overapproximation computed for consecutive time intervals. Overapproximation might lead to spurious counterexamples. Simulation cannot prove correctness. M. Althoff CPS Verification November 15, 2013 9 / 29
  13. 13. Reachability Analysis Linear Systems Linear Systems: Overview of Reachable Set Computation x(t) = Ax(t) + u(t), ˙ A ∈ Rn×n , x(t) ∈ Rn , x(0) ∈ R(0), u(t) ∈ uc ⊕ U r 1 Compute reachable set H(r ) = e Ar R(0) ⊕ t=0 e A(r−t) dt uc at time r neglecting the uncertain input (C ⊕ D := {c + d|c ∈ C, d ∈ D}). 2 Obtain convex hull of initial set R(0) and H(r ). 3 Enlarge reachable set to account for (1) uncertain inputs, (2) curvature of trajectories. 4 Continue with further time intervals [kr , (k + 1)r ], k ∈ N. Known algorithm, similar to work of A. Girard at HSCC’05. H(r ) convex hull of R(0), H(r ) R([0, r ]) R(0) enlargement ➀ M. Althoff ➁ ➂ CPS Verification November 15, 2013 10 / 29
  14. 14. Reachability Analysis Nonlinear Systems Nonlinear Reachability Analysis: Overall Algorithm initial set R(0), input set U, time step k = 1 linearize system k := k + 1 compute reachable set Rlin without linearization error obtain set of linearization errors L based on Rlin and L (L: set of admissible linearization errors) no L⊆L? enlarge L yes compute reachable set Rerr due to L R = Rlin ⊕ Rerr M. Althoff CPS Verification November 15, 2013 11 / 29
  15. 15. Reachability Analysis Nonlinear Systems Overall Algorithm: Animation R(0) linearize system M. Althoff CPS Verification November 15, 2013 12 / 29
  16. 16. Reachability Analysis Nonlinear Systems Overall Algorithm: Animation Rlin ([0, r ]) compute reachable set Rlin without linearization error M. Althoff CPS Verification November 15, 2013 12 / 29
  17. 17. Reachability Analysis Nonlinear Systems Overall Algorithm: Animation Rlin ([0, r ]) ⊕ Rerr ([0, r ]) Rerr : reachable set due to L obtain set of linearization errors L based on Rlin ([0, r ]) ⊕ Rerr ([0, r ]) M. Althoff CPS Verification November 15, 2013 12 / 29
  18. 18. Reachability Analysis Nonlinear Systems Overall Algorithm: Animation R([0, r ]) = Rlin ([0, r ]) ⊕ Rerr ([0, r ]) L⊆L? M. Althoff CPS Verification November 15, 2013 12 / 29
  19. 19. Reachability Analysis Nonlinear Systems Overall Algorithm: Animation R([r , 2r ]) reachable set of next time interval M. Althoff CPS Verification November 15, 2013 12 / 29
  20. 20. Reachability Analysis Nonlinear Systems Overall Algorithm: Animation possible trajectories R([0, tf ]) reachable set of the complete time horizon tf M. Althoff CPS Verification November 15, 2013 12 / 29
  21. 21. Reachability Analysis Nonlinear Systems Linearization and Lagrange Remainder x = f (z(t)), z T := [x T , u T ] and t ∈ [kr , (k + 1)r ]: ˙ Taylor series xi ∈ ˙ fi (z ∗ ) + ∂fi (z) ∂z z=z ∗ (z − z ∗ ) ⊕ 1st order Taylor series: A∆x+B∆u+fi (z ∗ ) 1 ∂ 2 fi (z) (z − z ∗ )T 2 ∂z 2 z=ξ (z − z ∗ ) ξ, z ∈ R([kr , (k + 1)r ]) × U Lagrange remainderLi Possible computation of the Lagrange remainder: Enclose reachable set by a multidimensional interval and apply interval arithmetic. M. Althoff CPS Verification November 15, 2013 13 / 29
  22. 22. Reachability Analysis Nonlinear Systems Scalability of the Linearization Approach 6 x1 xn−1 u x6 5 . . (more tanks) . initial set 4 possible trajectories 3 2 xn 1 2 3 4 x1 Projected reachable set (n = 6). Water tank system. Complexity with respect to the number of continuous state variables n: O(n3 ). Dimension n CPU-time [sec] M. Althoff 5 1.19 10 1.73 CPS Verification 20 3.11 50 11.59 100 35.78 November 15, 2013 14 / 29
  23. 23. Reachability Analysis Hybrid Systems Reachability Analysis of Hybrid Systems Hybrid systems additionally require intersections of guard sets: guard guard Rg Rg R(tη ) R([tk , tk+1 ]) x2 R([tk , tk+1 ]) x2 R(0) x1 (b) New approach. R(0) x1 (a) Classical approach. tη : last point in time before intersecting the hyperplane. Rg : Overapproximation of the guard set intersection. M. Althoff CPS Verification November 15, 2013 15 / 29
  24. 24. Reachability Analysis Hybrid Systems Scalability of the Mapping-Based Approach engine dynamics u 60 ks 2α Jm k1 J1 k2 J2 kθ Jθ Θref Tm guard set sample traj. 80 Jl 40 20 gear 0 Θs Θ1 Θ2 −0.1 Θθ Θm Θl Powertrain with backlash. 0 R(0) 0.1 0.2 Θs − Θ1 Projected reachable set (n = 101). Complexity with respect to the number of continuous state variables n: O(n5 ). Dimension n CPU time [sec] M. Althoff 11 8.122 21 14.31 31 23.72 CPS Verification 41 31.83 51 53.74 101 1550 November 15, 2013 16 / 29
  25. 25. Reachability Analysis Hybrid Systems Comparison With SpaceEx SpaceEx: state of the art tool for reachability analysis of hybrid systems. Uses geometric guard intersection. Example sensitive to overapproximation → comparison for initial set with 5% of initial size and n = 7. 80 80 SpaceEx SpaceEx 60 mapping approach 0 −20 −0.05 0.05 mapping approach guard 0 guard 0 20 R0.05 (0) 40 Θref 20 R0.05 (0) Tm 40 60 0.1 −0.05 Θs − Θ1 0 0.05 0.1 Θs − Θ1 Computational times: 10023 s (new approach: 0.133 s). M. Althoff CPS Verification November 15, 2013 17 / 29
  26. 26. Reachability Analysis Extensions Further Work Reachability Analysis Hybrid systems with differential-algebraic equations Consideration of uncertain parameters Improved algorithms for nonlinear systems using non-convex sets Stochastic Verification Abstraction of stochastic hybrid systems to Markov chains Probabilistic inevitable collision states left car right car ego car initial positions M. Althoff CPS Verification November 15, 2013 18 / 29
  27. 27. Applications Online Verification Of Automated Driving lane change maneuver B lane change maneuver A Test vehicle Test site initial occupancy y-position [m] 5 0 −5 −20 final occupancy obstacle ego vehicle 0 reference trajectory 20 40 other vehicle ego vehicle (braking part) 60 80 100 120 x-position [m] M. Althoff CPS Verification November 15, 2013 19 / 29
  28. 28. Applications Test Drive Results sx , sy [m] Ψ [rad] β [rad] δ [rad] v [m/s] δ y v x β Ψ sx sy x- and y-position orientation slip angle at center of mass front wheel angle velocity 0.5 0.5 0 −0.5 lc B lc A 2.5 3 Ψ [rad] ˙ Ψ [rad/s] Ψ [rad] ˙ Ψ [rad/s] 3 2.8 2.6 2.4 −0.2 0 δ [rad] 0.2 lc B 0 lc A −0.5 −0.2 0 0.2 δ [rad] computation time: ≈ 1.8 times faster than maneuver time (Intel i7, 1.6GHz) M. Althoff CPS Verification November 15, 2013 20 / 29
  29. 29. Applications Verification of a Phase-Locked Loop (PLL) System properties: Hybrid dynamics with many switchings (≈ 3000 until convergence) Slow convergence to locking Verification Task: Check if for any initial condition, the phase is locked to the reference signal. (received IEEE/ACM William J. McCalla ICCAD Best Paper Award) M. Althoff CP ii v i Ref phase Φref UP frequency Φv detector DN (PFD) VCO Ci ip vp1 Rp3 vp Cp1 Rp2 Cp3 frequency divider 1/N Computation time: Verification vs. simulation reachability avg. MATLAB ∆Φ(0) analysis [s]: simulation [s]: [−1, −0.8]π 55.0461 48.3297 [−0.8, −0.6]π 54.4418 47.9096 [−0.6, −0.4]π 53.4820 46.2673 [−0.4, −0.2]π 47.8208 44.4596 [−0.2, 0]π 42.9191 38.5102 CPS Verification November 15, 2013 21 / 29
  30. 30. Applications Transient Stability in Smart Grids 13 14 12 11 System properties: G 1 G Differential-algebraic equations 10 9 4 5 8 7 6 2 Nonlinear dynamics G Large system size 3 Values at bus 3: G 377.5 −0.4 bus phase [p.u.] frequency [rad/s] Verification Task: Check if all states return to the operating point after a power drop-out. 377 376.5 376 375.5 −0.5 −0.6 −0.7 −0.8 −0.8 −0.6 −0.4 generator phase [rad] M. Althoff G CPS Verification 1.02 1.04 1.06 1.08 bus voltage [p.u.] November 15, 2013 22 / 29
  31. 31. Applications Conclusions Scalability issues in formal verification of cyber-physical systems have been successfully addressed. The presented approaches verified applications that were previously out of reach. The online verification of automated vehicles is the first approach that verifies a system with non-trivial dynamics on-the-fly. Results of reachability analysis can be easily interpreted. Unlike other approaches (e.g. barrier certificates, constraint propagation, theorem proving), reachability analysis immediately shows where a specification is violated. M. Althoff CPS Verification November 15, 2013 23 / 29
  32. 32. Future Research Proposals Scalable Verification using Compositional Design Simulation: complete system has to be considered Reachability analysis: set of behaviors can be computed compositionally. Simplest scenario YA UA subsystem A subsystem B YB Assume set of inputs UA and UB for A and B, respectively. If YA ⊆ UB and YB ⊆ UA → assumptions and set of behaviors are overapproximative. UB Possible application to smart grids: M. Althoff CPS Verification November 15, 2013 24 / 29
  33. 33. Future Research Proposals Verification of Programmable Logic Controllers (PLCs) and Real-Time Constraints z3 d, c1 = 1, c2 > 1 b, c1 > 0, c2 > 1 c2 ≤ 1, c2 := 0 z1 a, c1 > 1, c1 := 0 e, c1 ≤ 1, c1 := 0, c2 := 0 z2 c, c1 > 1 c1 := 0 z4 Solar Panel Production source: KUKA Timed automata or timed Petri nets are often sufficient for PLC verification. Timed automata and timed Petri nets are a special class of hybrid automata. Algorithms for hybrid automata can be specialized. M. Althoff CPS Verification November 15, 2013 25 / 29
  34. 34. Future Research Proposals Non-Formal Verification Approaches Non-formal verification is often more effective for less critical components. Most approaches try to steer the system into a fault: Sensitivity-based simulation Rapidly-exploring random trees Cross-entropy method Ant-colony optimization etc. Method selection is more art than science. Falsification of the room heating benchmark problem using ant-colony optimization 24 22 20 18 Y. Annapureddy, C. Liu, G. Fainekos and S. 16 Sankaranarayanan: S-TaLiRo: A Tool for Temporal Logic 14 Falsification for Hybrid Systems 12 0 5 M. Althoff 10 15 20 25 CPS Verification November 15, 2013 26 / 29
  35. 35. Future Research Proposals Model-Based Design using Abstract Models Build abstract subsystems to which uncertainty is added. → design changes within the abstraction require no design iteration. Continuous abstraction x ∈ {f (x, p) + u|p ∈ P, u ∈ U } ˙ Parametric (p ∈ P) and additive uncertainties (u ∈ U ) Discrete abstraction Add non-deterministic transitions z3 z2 z1 Example: Vehicle dynamics for automated driving. 8 y -position 7 6 5 4 3 reference trajectory 2 1 0 −1 source: bremarauto 0 10 20 M. Althoff 30 40 50 x-position 60 70 80 CPS Verification November 15, 2013 27 / 29
  36. 36. Future Research Proposals Fault-Tolerant Systems Information redundancy: Check bits to detect data transfer errors. subsystem A Physical redundancy: Voter switches subsystem in case of a fault. subsystem B Drawbacks: Faults need to be directly measurable, redundant components are expensive. subsystem C voter f Analytical redundancy: controller re-design Controller re-design based on information from model-based observers. Drawbacks: Control performance is degraded, challenging design. diagnosis yref controller u plant y yref : reference, u: input, y: output, f : fault Design of scalable and reliable observers and fault-tolerant controllers for hybrid dynamics is an open research problem. M. Althoff CPS Verification November 15, 2013 28 / 29
  37. 37. Future Research Proposals Final Thoughts How to build safe and reliable cyber-physical systems? Good balance between formal and non-formal verification Scalable formal verification techniques (rather provide techniques that can address a limited set of specifications, but for large systems) Consideration of disturbances, parameter variations, and faults in the verification process Model-based design supporting abstraction, modularity, and hierarchy Built-in fault tolerance Good tool support M. Althoff CPS Verification November 15, 2013 29 / 29

×