
Model Checking for Hybrid Systems




  1. Model Checking for Hybrid Systems. Bruce H. Krogh, Carnegie Mellon University.

  2. Discrete-State Systems vs. Continuous-State Systems
     Models: automata, Petri nets, statecharts, etc. (discrete) vs. differential equations, transfer functions, etc. (continuous)
     Analytical Tools: Boolean algebra, formal logics, recursion, etc. (discrete) vs. Lyapunov functions, eigenvalue analysis, etc. (continuous)
     Software Tools: Statemate, Design CPN, Slam II, SMV, etc. (discrete) vs. MATLAB, MatrixX, VisSim, etc. (continuous)
     Hybrid Dynamic Systems: dynamic systems with both continuous and discrete state variables

  3. Three Main Thrusts of Our Project
     • Verifying system integrity: synchronization constraints, resource constraints, real-time constraints
     • Modeling the environment: hybrid dynamics, stochastic models
     • Usability: extracting models, explaining tool feedback
     (figure: system and its environment)

  4. Embedded systems with significant hybrid dynamics Source: ESP, Dec, 1998

  5. Opportunity to Apply Formal Verification Techniques
     Computer-Aided Control System Design flow (figure): feature specification → executable spec. → simulation → code generation → code → hardware in the loop → test on engine/vehicle → production. Model checking enters at the executable specification stage.
     Objective: verify feature behavior for the entire range of operating conditions.

  6. Example: Variable CAM Timing
     (block diagram: operating state, look-up table, 2-mode PID/saturation controller, cam angle, actuator command)

  7. Example: Variable CAM Timing Controller. Verification problem: determine whether the controller will switch only once from saturation to PID mode.

  8. Continuous-Time Model

  9. Switching Rule
     Discrete-time rule: switch on the magnitude of the error and the sign of the state of a filter (filter shown in the original figure).
     Continuous-time rule: switch on the magnitude of the error and the sign of a filtered error.

  10. Finite-State Analysis
     • Assign discrete states to each switch boundary and to the initial condition set
     • Determine reachability from each discrete state to the other discrete states
     • Analyze the resulting finite-state system

  11. Reachability Analysis

  12. Finite-State Model. Switching back to the saturation controller is certain from some initial states (i.e., the specification is not satisfied).

  13. Applying Model Checking to Hybrid Systems
     • interpret the hybrid system as a transition system (with an infinite state space)
     • find an equivalent finite-state transition system (a bisimulation)
     • perform verification on the bisimulation
     Can this approach be generalized to higher-order systems?
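Once the finite-state model of slides 10–12 (or the bisimulation above) is in hand, the verification question becomes a graph search over abstract states labelled with the controller mode. The following is an added example, not CheckMate's code and not the actual Variable CAM Timing model: a constructed quotient transition system (names STATES, TRANSITIONS, INITIAL and check_switch_once are this example's own) and a check of the ACTL property AG(PID → AG ¬SAT), i.e. once PID mode is reached, saturation mode is never re-entered. The data is built so that, as on slide 12, the property holds from one initial state and fails from another, and the checker returns the violating path.

```python
"""Check 'switch only once from saturation to PID' on a finite quotient transition system.

Added example. The quotient below is constructed by hand; in CheckMate the
transition relation would come from flow-pipe reachability between polyhedral
regions. Abstract states carry the controller mode as their label.
"""
from collections import deque
from typing import Dict, List, Optional

# Constructed quotient: state name -> mode label ("SAT" = saturation, "PID").
STATES: Dict[str, str] = {"s0": "SAT", "s1": "SAT", "p0": "PID",
                          "p1": "PID", "s2": "SAT", "p2": "PID"}
# Constructed transition relation (successor lists).
TRANSITIONS: Dict[str, List[str]] = {
    "s0": ["p0"],        # saturation -> PID, then PID stays put: fine
    "s1": ["p1"],
    "p0": ["p0"],
    "p1": ["p1", "s2"],  # PID back to saturation: this violates the spec
    "s2": ["p2"],
    "p2": ["p2"],
}
INITIAL: List[str] = ["s0", "s1"]   # abstract states covering the initial condition set


def reachable(trans: Dict[str, List[str]], starts: List[str]) -> Dict[str, Optional[str]]:
    """Breadth-first reachability; returns a parent map used to rebuild paths."""
    parent: Dict[str, Optional[str]] = {s: None for s in starts}
    queue = deque(starts)
    while queue:
        s = queue.popleft()
        for t in trans.get(s, []):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return parent


def path_to(parent: Dict[str, Optional[str]], target: str) -> List[str]:
    """Path from a start state to target, read back through the parent map."""
    path, node = [], target
    while node is not None:
        path.append(node)
        node = parent[node]
    return list(reversed(path))


def check_switch_once(states: Dict[str, str], trans: Dict[str, List[str]],
                      initial: List[str]) -> Optional[List[str]]:
    """AG(PID -> AG(not SAT)): returns None if satisfied, else a counterexample path."""
    from_init = reachable(trans, initial)
    for s in from_init:
        if states[s] != "PID":
            continue
        from_s = reachable(trans, [s])
        for t in from_s:
            if states[t] == "SAT":
                return path_to(from_init, s) + path_to(from_s, t)[1:]
    return None


if __name__ == "__main__":
    print(check_switch_once(STATES, TRANSITIONS, INITIAL))
```

Because the abstraction over-approximates the continuous behaviour, a counterexample found here may be spurious; that is exactly why the tool chain on slide 14 refines the partition and re-checks rather than reporting the path as a confirmed failure.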

  14. Elements of CheckMate (tool-chain figure): Simulink/Stateflow Front End (graphical editing, simulation) → Threshold-event-driven Hybrid Systems (TEDHS) → Conversion → Polyhedral-Invariant Hybrid Automaton (PIHA) → Initial Partition → Quotient Transition System (computed with Flow Pipe Approximations, improved by Partition Refinement) → ACTL Verification.

  15. Threshold-event-driven Hybrid Systems (TEDHS), the first stage of the CheckMate tool chain (slide 14): switched continuous dynamics dx/dt = f_u(x), polyhedral threshold regions, and Stateflow FSMs.

  16. CheckMate Block Diagram (Simulink): switched continuous dynamics (Switched Continuous System blocks 1–3 with states x1, x2, x3), switching hyperplanes (Polyhedral Threshold blocks 1–3, each of the form C*x <= d, combined through a Logical Operator), and discrete-state dynamics (Finite State Machine blocks 1–2 with inputs c1, c2 and outputs q1, q2).

  17. Structure of a TEDHS (figure): flow constraints F1, F2, F3 selected by the mode m(t) (mode select) drive an integrator producing the continuous state x(t) from the initial condition X0; threshold-driven discrete dynamics generate discrete events e(t) from x(t) and the discrete state; a jump mapping J_e applies on events.

  18. Elements of CheckMate (tool-chain figure as on slide 14).

  19. Polyhedral-Invariant Hybrid Automaton (PIHA) fragment (figure): location u with invariant x ∈ INV_u, dynamics dx/dt = F_u(x) and initial condition x ∈ X0; threshold event e_i (g_i(x) crossing 0) with reset x_{u'} = J_i(x_u) leads to location u' with invariant x ∈ INV_{u'} and dynamics dx/dt = F_{u'}(x).

  20. Elements of CheckMate (tool-chain figure as on slide 14).

  21. (tool-chain figure as on slide 14)

  22. (tool-chain figure as on slide 14, with the polyhedral threshold blocks shown)

  23. Computing Transitions (figure): from a quotient state (·, p, q) to successor states (·'1, p', q') and (·'2, p', q'), where p → p' is the change of polyhedral region and q → q' the accompanying change of discrete state (the first component's symbol was lost in extraction).

  24. Approximating reachable sets
     • E. K. Kornoushenko, Finite-automaton approximation to the behavior of continuous plants, Automation and Remote Control, 1975
     • J. Raisch and S. O'Young, A DES approach to control of hybrid dynamical systems, Hybrid Systems III, LNCS 1066, Springer, 1996
     • A. Puri, V. Borkar and P. Varaiya, ε-Approximation of differential inclusions, Hybrid Systems III, LNCS 1066, Springer, 1996
     • M. R. Greenstreet, Verifying safety properties of differential equations, CAV'96
     • M. R. Greenstreet and I. Mitchell, Integrating projections, HSCC'98
     • T. Dang and O. Maler, Reachability analysis via face lifting, HSCC'98
     • A. Chutinan and B. H. Krogh, Verification of polyhedral-invariant hybrid systems using polygonal flow pipe approximations, HSCC'99

  25. Polyhedral flow pipe approximation (figure: the flow from X0 sampled at t1, …, t9)
     • divide R_[0,T](X0) into [t_k, t_{k+1}] segments
     • enclose each segment with a convex polytope
     • R̂_[0,T](X0) = union of the polytopes
     A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998

  26. Flow Pipe Segment Approximation
     Step 1. a. Simulate trajectories from each vertex of X0 (vertices of X0 at t_k and at t_{k+1}). b. Take the convex hull and identify the outward normal vectors.
     Step 2. Solve an optimization for each d_i.
     The flow pipe segment is approximated by { x | c_i^T x ≤ d_i, ∀i }.

  27. Flow Pipe Approximation for a Linear System (figure): vertices of X0, uniform time step Δt_k = 0.1.

  28. Flow Pipe Approximation
     • Applies to nonlinear dynamics
     • Applies in arbitrary dimensions
     • Approximation error doesn't grow with time
     • Estimation error (Hausdorff distance) can be made arbitrarily small with Δt < δ and size of X0 < δ
     • Integrated into CheckMate
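The two-step recipe of slides 25–26, carried out in working code for the two-dimensional case. This is an added example, not CheckMate's implementation: it simulates from the vertices of X0 over one segment [t_k, t_{k+1}], takes the convex hull of the vertex positions at both ends to obtain the face normals c_i, and then chooses each d_i. The one assumption to note is in step 2: instead of the optimization from the paper, d_i is taken as the maximum of c_i^T x over densely sampled vertex trajectories, which is exact only for linear dynamics (where the reachable set at every time is the convex hull of the vertex images) and is a heuristic for nonlinear ones. The oscillator, the box X0 and the function names (flow_pipe_segment, contains, demo) are constructed for the example.

```python
"""Polyhedral flow-pipe segment approximation in two dimensions (pure Python).

Added example, not CheckMate's code. Step 1: simulate from the vertices of X0,
hull the endpoints, read off outward normals c_i. Step 2 (assumption): d_i is
the maximum of c_i . x over densely sampled vertex trajectories, standing in
for the optimization in the paper; exact for linear dynamics only.
"""
from typing import Callable, List, Tuple

Vec = Tuple[float, float]
Field = Callable[[Vec], Vec]
HalfSpace = Tuple[Vec, float]          # (c_i, d_i) meaning c_i . x <= d_i


def rk4_step(f: Field, x: Vec, h: float) -> Vec:
    """One fixed-step RK4 step of dx/dt = f(x)."""
    k1 = f(x)
    k2 = f((x[0] + h / 2 * k1[0], x[1] + h / 2 * k1[1]))
    k3 = f((x[0] + h / 2 * k2[0], x[1] + h / 2 * k2[1]))
    k4 = f((x[0] + h * k3[0], x[1] + h * k3[1]))
    return (x[0] + h / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
            x[1] + h / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))


def simulate(f: Field, x0: Vec, t0: float, t1: float, n: int) -> List[Vec]:
    """Trajectory from x0 over [t0, t1] as n+1 equally spaced sample points."""
    h = (t1 - t0) / n
    pts, x = [x0], x0
    for _ in range(n):
        x = rk4_step(f, x, h)
        pts.append(x)
    return pts


def convex_hull(points: List[Vec]) -> List[Vec]:
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o: Vec, a: Vec, b: Vec) -> float:
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

    lower: List[Vec] = []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    upper: List[Vec] = []
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def outward_normals(hull: List[Vec]) -> List[Vec]:
    """Unit outward normal of every edge of a counter-clockwise hull."""
    normals = []
    for i, (x0, y0) in enumerate(hull):
        x1, y1 = hull[(i + 1) % len(hull)]
        ex, ey = x1 - x0, y1 - y0
        length = (ex * ex + ey * ey) ** 0.5
        normals.append((ey / length, -ex / length))   # edge rotated clockwise by 90 degrees
    return normals


def flow_pipe_segment(f: Field, vertices_x0: List[Vec],
                      tk: float, tk1: float, n_steps: int = 50) -> List[HalfSpace]:
    """Polytope {x | c_i . x <= d_i for all i} enclosing the flow of X0 over [tk, tk1]."""
    trajectories = [simulate(f, v, tk, tk1, n_steps) for v in vertices_x0]
    # Step 1: hull of the vertex positions at tk and at tk+1 gives the face normals.
    ends = [tr[0] for tr in trajectories] + [tr[-1] for tr in trajectories]
    normals = outward_normals(convex_hull(ends))
    # Step 2 (assumption): push each face out to cover every sampled point of the segment.
    return [(c, max(c[0] * p[0] + c[1] * p[1] for tr in trajectories for p in tr))
            for c in normals]


def contains(polytope: List[HalfSpace], x: Vec, tol: float = 1e-9) -> bool:
    """Membership test of a point against the half-space representation."""
    return all(c[0] * x[0] + c[1] * x[1] <= d + tol for c, d in polytope)


def oscillator(x: Vec) -> Vec:
    """Constructed linear test system: dx/dt = [[0, 1], [-1, 0]] x (a rotation)."""
    return (x[1], -x[0])


# Constructed initial set: an axis-aligned box given by its vertices.
X0_VERTICES: List[Vec] = [(1.0, -0.1), (1.2, -0.1), (1.2, 0.1), (1.0, 0.1)]


def demo() -> List[HalfSpace]:
    """One flow-pipe segment of the oscillator over [0, 0.5]."""
    return flow_pipe_segment(oscillator, X0_VERTICES, 0.0, 0.5)


if __name__ == "__main__":
    for c, d in demo():
        print(f"{c[0]:+.3f} x1 {c[1]:+.3f} x2 <= {d:.4f}")
```

To cover R_[0,T](X0) as on slide 25, call flow_pipe_segment once per [t_k, t_{k+1}] and take the union of the returned polytopes; the face normals are recomputed per segment, which is why the error does not accumulate from one segment to the next.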

  29. (tool-chain figure as on slide 14)

  30. (tool-chain figure as on slide 14)

  31. Application Case Studies
     • F-16 auto-land system (Lockheed-DARPA)
     • Batch process shut-down controller (ESPRIT VHS Project)
     • Automotive powertrain: engine shut-off mode (PARADES), idle speed control (CADENCE), transmission shift controller (Ford-DARPA)

  32. CheckMate - Current Work
     • Sampled-data systems: clocked + unclocked events
     • Resets (jumps in the continuous state)
     • Efficient hybrid automata generation

  33. The Rare Glitch Project
     • Hybrid system abstractions composable with independent embedded software models
     • Generation of requirements from hybrid system models (timing and resource constraints)
     • Improved technology: order reduction, focused refinement, automatic model abstraction, usability
