Practical reasoning about control
Ursula Martin
Queen Mary University of London / University of Cambridge
www.cl.cam.ac.uk/~um200
With Ruth Hardy, Richard Boulton
Thanks to Qinetiq
Outline of talk
• What is control and why do we want to reason about it?
• Control basics: the time domain. Example: feedback control in TetR/E. coli
• Control basics: the frequency domain. Example: aero-servoelasticity
• A very short history of computer science
• Progress to date 1: control in logical form. A Hoare logic for continuous SISO control
• Progress to date 2: reasoning about design requirements. Proving properties of Nichols plots
• Where next?
What is control?
• To control an object is to influence its behaviour to a desired outcome: steam engines, fighter aircraft, cars, smart devices, genomics, nanotech...
• Theory of control
  analogue - continuous - differential equations
  digital - discrete - difference equations
  dynamical systems, Lie algebras ... math toybox!
• Practical control
  design systems with required behaviour
  linear models + numeric simulation
  analyse stability, response, reachability, identification...
Computational logic for control
sponsored by QinetiQ, Intel and EPSRC, 2002 -
• Goal: symbolic reasoning about continuous and discrete dynamical systems
• Replace numerics for simulation and requirements verification
  - greater expressive power
  - greater automation
  - assured code generation
[Figure: Simulink block diagram of F14, with a discrete callout "if a > 0 then .. else .."]
Goal: symbolic reasoning about continuous and discrete block diagrams
• { I } M { G }: "if the inputs of M satisfy I then the outputs satisfy G"
• Step 1: symbolic reasoning about components (transfer functions)
• Step 2: compositionality: a Hoare logic for intermediate assertions
[Figure: Simulink block diagram of F14 annotated with {I} at the inputs, {G} at the outputs and {??} placeholders at intermediate signals, one of them filled in as {A}; labels: Hoare logic, Verification req't, QED]
Control basics
• Differential equation: M x'' + b x' + k x = u, where x' = dx/dt etc.
• Laplace transform: X(s) = U(s) / (M s^2 + b s + k), a rational function of a complex variable s
[Figure: block diagram of G(s) from U(s) to X(s), built from integrators x'' -> x' -> x with gains 1/M, b/M, k/M]
Control basics: time response analysis of linear systems
• Differential equation: M x'' + b x' + k x = u
• Laplace transform: X(s) = U(s) / (M s^2 + b s + k)
• The controller applies a constant force, the "feedback gain" A, to G(s)
• Laplace transform with feedback control: F(s) = A U(s) / (M s^2 + b s + (A + k))
• Analyse location of poles for stability
• If stable, analyse steady state behaviour under "typical" inputs, e.g. ramp
• Increasing A decreases rise time, increases overshoot and decreases variability (steady state error)
[Figure: feedback loop around G(s) with gain A; diagram labels U(s), F(s), G(s), A, (s(U(s)-F(s)))]
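The closed-loop formula and the "increasing A" claims above made computable, as an added example that is not from the talk: the plant values M = 1, b = 1, k = 1 used in the demo are assumed, and the overshoot and steady-state figures are read off the standard second-order form, which the slide itself does not do.

```python
import cmath
import math

def closed_loop(M, b, k, A):
    """F(s) = A / (M s^2 + b s + (A + k)) from the slide, as (numerator,
    denominator) coefficient lists with the highest power of s first."""
    return [A], [M, b, A + k]

def poles(den):
    """Roots of M s^2 + b s + c by the quadratic formula; cmath.sqrt keeps the
    complex-conjugate pair when the discriminant is negative."""
    M, b, c = den
    disc = cmath.sqrt(b * b - 4 * M * c)
    return [(-b + disc) / (2 * M), (-b - disc) / (2 * M)]

def is_stable(den):
    """Stable iff every pole lies strictly in the left half-plane."""
    return all(p.real < 0 for p in poles(den))

def step_summary(M, b, k, A):
    """Unit-step figures read off the standard second-order form
    wn^2 / (s^2 + 2 zeta wn s + wn^2). Returns None if the loop is unstable."""
    _, den = closed_loop(M, b, k, A)
    if not is_stable(den):
        return None
    wn = math.sqrt((A + k) / M)               # natural frequency: higher = faster rise
    zeta = b / (2 * math.sqrt(M * (A + k)))   # damping ratio: lower = more overshoot
    # final value theorem: the output settles at F(0) = A / (A + k)
    ss_error = 1 - A / (A + k)
    # peak overshoot of an underdamped (zeta < 1) second-order step response
    overshoot = math.exp(-zeta * math.pi / math.sqrt(1 - zeta ** 2)) if zeta < 1 else 0.0
    return {"wn": wn, "zeta": zeta, "overshoot": overshoot, "ss_error": ss_error}

def gain_sweep(M, b, k, gains):
    """Summaries for a list of feedback gains, to watch the slide's three
    trends appear as A increases."""
    return [step_summary(M, b, k, A) for A in gains]

if __name__ == "__main__":
    # constructed plant: M = 1, b = 1, k = 1 (values assumed, not from the talk)
    for A, s in zip((1, 4, 10), gain_sweep(1.0, 1.0, 1.0, (1, 4, 10))):
        print("A =", A, s)
```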
Control basics: an experiment
• Ultimately we validate our models by experiment
• The cellular environment is very "noisy", but large variations in certain chemicals such as transcription regulators may be lethal to the cell. It is known that in E. coli about 40% of transcription factors self-regulate.
• If this is controlled by a feedback mechanism we would expect that lowering the feedback gain would raise the variability in protein expression
• Experiment: to show that decreasing the feedback gain increases variability
• TetR (tetracycline repressor protein) defends E. coli against tetracycline and is a major source of antibiotic resistance. TetR regulates its own formation through a feedback loop. Becskei and Serrano (Nature, 2000) showed that decreasing feedback gain in TetR increases variability in protein expression.
• The protein level in E. coli was measured by splicing the GFP (green fluorescent protein) gene to the TetR gene so that both genes were expressed simultaneously, and the amount of protein was measured by measuring fluorescence. A mutant E. coli was created in which the feedback loop was partially disabled and protein levels were measured. Results were consistent with the hypothesis.
Control basics: frequency response of linear systems
• Fundamental theorem of linear systems: if a sinusoidal input with frequency ω is applied to a stable linear system G(s) then the response (output) approaches a sinusoidal motion with frequency ω
• The gain of G(s) is |G(iω)|, the ratio of the amplitudes of the sinusoidal response and the sinusoidal input at frequency ω
• The phase of G(s) is tan^-1(Im G(iω) / Re G(iω)), the difference between the phase angles of input and output at input frequency ω
• Example: aero-servoelasticity in flight control. Structural coupling in flexible aircraft introduces high-frequency resonances to the digital flight control system. These vary with payload. Add a filter to attenuate - this introduces low frequency phase lag - so add a phase advance filter - this increases structural coupling...
Design verification: frequency response
• Analyse properties of the model using Bode and Nichols plots
• Nichols plot: gain 20 log10 |G(iω)| against phase tan^-1(Im G(iω) / Re G(iω)). The system is stable if the plot avoids (-π, 0)
• For a balance between stability and performance, avoid the critical region to obtain good handling + aeroservoelasticity properties
• Current design verification is by numeric plotting + eyeballing
[Figure: Garteur reference model, 1100 plots]
A very short history of computational logic
• 1949 Turing: explain why a program is right using values at intermediate stages -- assertions
• 1965 Scott-Strachey: machine independent model of computation -- models and semantics
• 1967 Hoare: gave formal rules for tracking assertions through programs -- Hoare logic. {A} prog {B} denotes "if A is true and we run prog then B is true"
• To exploit this needed: theory, software, scalability, compelling benefits
• Aim: "correct by construction"
[Figure: flowchart of the 1949 Turing example (r' = 1, s' = 1, v' = u, u' = u + v, TEST r - n, s' = s + 1, u' = 1, TEST s - r, r' = r + 1, STOP), annotated with assertions {n > 0} at entry, {C} and {??} at intermediate points, {C and r = n} and {u = n!} at STOP]
A very short history of computational logic
Computational logic: the use of a computer to produce or check formal proofs within a computer representation of a system of formal logic
[Figure: Russell and Whitehead, Principia Mathematica, Vol II p79]
Computational logic for computer science
• PVS theorem prover: SRI International, Menlo Park, USA
• HOL theorem prover: Cambridge, UK
  formal proof + fast decision procedures + computation + highly automated + architecture for other techniques, e.g. model checking
• QinetiQ ClawZ: Eurofighter braking system certification
  compliance conditions derived from the annotated SPARK Ada implementation
  specification obtained by translating Fortran into Simulink into ClawZ
  reason in ProofPower, a HOL-like system from Lemma 1
• Ford: hybrid model checker + Matlab to reason about Stateflow
Computational logic to support computational mathematics
• PVS/SAL, HOL, Isabelle, COQ: formal proof + automation/high level strategies + computation + libraries + fast decision procedures/model checking/QE ...
• Intel: verification of floating point division for IA-64. HOL: analysis, numerical analysis, floating point
• Larch AXIOM (Martin, Dunstan, Kelsey + NAG Ltd): light formal methods, assertions and VC generator for the AXIOM computational math system
• Maple-PVS (Martin, Kelsey, Gottliebsen)
  Maple symbolic computation + numerics to experiment / solve / simulate / prototype / formulate proof obligations
  restricted invocation of PVS for highly automated verification support
  strategies for continuity, convergence, existence of limits...
  database of lemmas about elementary functions (cos, ln, exp...)
  "Prove that arctan(sin(x)) -1 is positive and continuous in [0, π]"
  PVS: analysis, trigonometry
• NASA Langley: verification of free flight air traffic control
• Numerical computation (MATLAB/Simulink, NAG library)
  Solve x^2 - 2x - 4 = 0. Soln: x = 3.236, -1.236 + error bound
  Integrate cos(x) between 0 and π/2. Soln: 1.0 + error bound
• Symbolic computation (Maple, Mathematica)
  Solve x^2 - 2x - 4a = 0. Soln: x = 1 + √(1 + 4a), 1 - √(1 + 4a)
  Differentiate sin(cos(x)). Soln: -sin(x) . cos(cos(x))
• Computational logic (HOL, Cambridge; PVS, SRI Menlo Park)
  Prove that x^2 - 2x - 4a = 0 has a real solution for a > -1/4
  Prove that x = 3.236 is a "solution" of x^2 - 2x - 4 = 0 with error ...
  Prove that arctan(sin(x)) -1 is always positive
  Prove that this implementation of Newton-Raphson is....
  Intel: verification of floating point division for IA-64
  NASA Langley: verification of free flight air traffic control
Part 1: Symbolic reasoning about transfer functions
• Design verification: frequency response
• Pilot implementation in Maple-PVS
• Key observation: requirements of the form g(x) > f(x) in an interval [a,b] in Nichols plots correspond to good handling + aeroservoelasticity properties
• Method of Lipschitz bounds: if f(b) < g(b) and f'(b) > g'(b), f monotone increasing (i.e. f' > 0) in [a,b], and f' monotone decreasing (i.e. f'' < 0) in [a,b], then g(x) > f(x) in the interval [a,b]
Part 1: Symbolic reasoning about transfer functions
• Design verification: frequency response
• Pilot implementation in Maple-PVS
• Sample calculations for G(t) = k.(-t^2 + 2ict + d)^-1
• Nichols plot: x := argument(k.(-t^2 + 2ict + d)^-1), y := (20 ln |k.(-t^2 + 2ict + d)^-1|) / ln(10)
  Calculate dy/dx (Maple) and show it is positive in [-π, -π/2] (PVS):
  dy/dx = 20*sin(x)*(-c*(c^2*cos(x)^2+d^2*sin(x)^2)^(1/2) + cos(x)*c^2+cos(x)*d^2)/(c^2*cos(x)^2+d^2*sin(x)^2)^(1/2)/(c*cos(x)+(c^2*cos(x)^2+d^2*sin(x)^2)^(1/2))/ln(10)
Part 2: A Hoare logic for assertions
• Key problem: compositionality
• Key observation: composition of blocks with sinusoidal input
  multiplies the gain (modulus): |G(iω) H(iω)| = |G(iω)| * |H(iω)|
  adds the phase (argument): arg(G(iω) H(iω)) = arg(G(iω)) + arg(H(iω))
  compositionality for frequency response!
• Define a Hoare logic in terms of phase and gain for sinusoidal input: {P} C <dr, dφ> {Q} denotes that component C causes a gain of dr and a phase shift of dφ, and if property P holds at the input then property Q holds at the output
[Figure: blocks H(s) and G(s) in series]
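The gain/phase composition rule and the <dr, dφ> of the Hoare triple carried through in code, as an added example that is not from the talk or its HOL development: blocks are (numerator, denominator) coefficient lists, the 1/(s + 1) test block is constructed, and the closing check is the Nichols critical-point condition from the design verification slide, applied to a composed chain.

```python
import cmath
import math

def poly_at(coeffs, s):
    """Evaluate a polynomial (highest power first) at complex s by Horner."""
    acc = 0j
    for c in coeffs:
        acc = acc * s + c
    return acc

def gain_phase(block, w):
    """The <dr, dphi> of one block: modulus and argument of G(i w)."""
    num, den = block
    g = poly_at(num, 1j * w) / poly_at(den, 1j * w)
    return abs(g), cmath.phase(g)

def compose(*responses):
    """Hoare-style composition of a series chain: gains multiply, phases add.
    The phase is deliberately not wrapped into (-pi, pi], so the total lag is
    kept even after it passes -pi, which the product's argument cannot show."""
    gain, phase = 1.0, 0.0
    for dr, dphi in responses:
        gain *= dr
        phase += dphi
    return gain, phase

def series(g, h):
    """Direct product G(s) H(s) by polynomial multiplication, for cross-checks."""
    def mul(a, b):
        out = [0.0] * (len(a) + len(b) - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                out[i + j] += x * y
        return out
    return mul(g[0], h[0]), mul(g[1], h[1])

def phases_equal(p, q, tol=1e-9):
    """Equal modulo 2 pi, which is all a wrapped argument can promise."""
    return abs((p - q + math.pi) % (2 * math.pi) - math.pi) < tol

def gain_at_phase_crossover_db(blocks, ws):
    """Walk the open-loop chain over the frequency grid ws and return the gain
    in dB where the composed phase first reaches -pi (linear interpolation
    between grid points). Negative means the Nichols curve passes below the
    critical point (-pi, 0 dB); None if -pi is never reached on the grid."""
    prev = None
    for w in ws:
        gain, phase = compose(*(gain_phase(b, w) for b in blocks))
        if prev is not None and prev[1] > -math.pi >= phase:
            t = (prev[1] + math.pi) / (prev[1] - phase)
            return 20 * math.log10(prev[0] + t * (gain - prev[0]))
        prev = (gain, phase)
    return None

LAG = ([1.0], [1.0, 1.0])   # constructed test block 1/(s + 1): -45 deg at w = 1
```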
Part 2: A Hoare logic for assertions - feedback loops
• Do phase and gain compose for feedback loops?
• G1, G2 have gain r1, r2 and phase φ1, φ2
Part 2: A Hoare logic for assertions - feedback loops
• Hoare logic in terms of phase and gain for SISO frequency domain
• Proved soundness in HOL, up to soundness of the underlying math
• Verification condition generator in HOL for "simple" block diagrams
• Discharge verification requirements in HOL/PVS
[Figure: Simulink block diagram of F14 annotated with {I}, {G}, {A} and {??} placeholders; the theorem prover's VCG works out the intermediate assertions, QED]
Further work
• Only just started and many opportunities for further research
• Goal: control in logical form and meaningful applications
• Extend current work to
  - state space models
  - discrete models
  - assertion language
  - traced monoidal categories
• Applications
  - control engineering
  - genomics, MEMS, nanotechnology...
Acknowledgements and further reading
• Joint work with Richard Boulton, Verilab, and Ruth Hardy, University of St Andrews
• With thanks to Yoge Patel, John Hall, Rob Arthan, Rick Hyde, Colin O'Halloran for their time and ideas; QinetiQ for the funding; SRI and the Royal Academy of Engineering for the sabbatical 1999-2000
• Richard Boulton, Ruth Hardy and Ursula Martin, paper in HSCC 2003
• Papers and talks at www.dcs.qmul.ac.uk/~uhmm
Light-FM for math software, funded by NAG Ltd
• Aldor: NAG/Maple internal development language; category/domain object model
• Aldor-FMlite project: annotate code with assertions; interface specifications as high level operational semantics for trusted components (uses/requires/modifies/ensures/assumes); tools for verification condition generation
• Applications: locate type system bugs; analysis of pre/side conditions, e.g. continuity; smart documentation; method selection; document and reason about assumptions
• Case study: bugs in the Aldor object model