1 / 25

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata. Sayan Mitra MIT Hybrid Systems: Computation and Control Prague, Czech Republic 2003 Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron. Verification Techniques. Algorithmic

mardi
Download Presentation

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control Prague, Czech Republic 2003 Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron MITLCS

  2. Verification Techniques • Algorithmic • Model checking e.g.[Alur, et al. 95] • Automatic: HyTech • Essentially for finite-state systems, subclass of linear hybrid systems • Over approximating set of unsafe states [Bayen, et al. 02] • Deductive • Invariant assertions, simulation relations e.g. [Manna, Sipma 98] • Can accommodate infinite-state systems: STeP • Requires human effort • User interaction MITLCS

  3. Talk Outline • Introduction٭ • Hybrid I/O Automata definitions • Specification of Quanser • Safety Verification • Conclusions MITLCS

  4. The HIOA Model[Lynch, Segala, Vaandrager 01, 03] • General, mathematical modeling framework. • States, discrete transitions • Trajectories: Maps left closed intervals of time to variable values • Support for decomposing hybrid system descriptions: • External behavior: Models interaction of component with environment. • Composition: Synchronizes external actions, external “flows”; respects external behavior. • Levels of abstraction: Implementation notion • Can incorporate analysis methods from: • CS: Invariants, simulation relations, compositional methods. • Control theory: Invariant sets, stability analysis, robust control. MITLCS

  5. Hybrid I/O Automaton • V = U  Y  X: Input, output, and internal (state) variables • Q: States, a set of valuations of X •   Q : Start states • A = I  O  H: Input, output, and internal actions • D  Q  A  Q: Discrete transitions • T: Trajectories for V. I O X U Y H MITLCS

  6. Trajectory Axioms and Executions • Set T of trajectories is closed under: • Prefix • Suffix • Countable concatenation • fstate, lstate • Execution fragment: 0a11a22…, where: • Each iis a trajectoryof the automaton and • Each (i.lstate, ai ,i+1.fstate) is a discrete step. • Execution: • Execution fragment beginning in a start state. MITLCS

  7. Model Helicopter System • Manufactured by Quanser • User controllers not necessarily safe, can crash the helicopter on the table. • Supervisory pitchcontroller needed to ensure safety. • Safe operating region • Saturated actuator outputs : Umin or Umax • Must contend with • Sensor errors • Actuator delay MITLCS

  8. Helicopter System Actuator Plant Sensor θ0,θ1 U buffer, u dequeue now, next θ0,θ1 Sample Sample Sample Sample Sample Command(S) Command(S) Command(S) Supervisor UserCntrl Useroutput(Xu) Useroutput(Xu) mode, Xs , S, rt Xu MITLCS

  9. Plant U θ0,θ1 Plant Variables: θ0 :Pitch angle θ1: Pitch velocity Trajectories: evolve:d(θ0) = θ1 d(θ1) = -Ω2cos θ0+ U Input bounds: Umin , Umax Safe Region: S = { s | θmin≤ s.θ0≤ θmax } θ0,θ1 MITLCS

  10. Sensor Discrete transition: Sample(θ0d , θ1d) precondition: now = next and θ0dє [θ0- є0 , θ0+ є0 ] and θ1dє [θ1- є1, θ1- є1] effect: next = next + Δ Trajectories: evolve: d(now) = 1 stopping condition:now = next θ0 ,θ1 Sensor now, next } Nondeterministic choice Sample(θ0d , θ1d) MITLCS

  11. User Controller • Arbitrarily bad user • On receiving Sample, • Useroutput(Xu) • Non deterministic choice, Xuє [Umin, Umax ] MITLCS

  12. Actuator • Actuator delay Ta • modeled as a FIFO queue of Supervisor(User) outputs • buffer: length [Ta / Δ] • Enqueue S received from supervisor • Dequeue u from bufferhead, • u changes discretely • Made into piece-wise continuous output U MITLCS

  13. Modeling Actuator Delay • Ta Currently modeled as a single discrete jump from Umin to Umax after time Ta. • Alternatively • Approximate exponential rise by adding k intermediate values in the buffer, for every command from the supervisor. • Output from buffer will change every Δ/k time. • Model as continuous function Ta MITLCS

  14. Safe Operating Region θ1 S C R U I θ0 θmin θmax Assumption: Cannot cross I in Δ time. MITLCS

  15. Supervisor Sample Supervisor Command(S) mode, Xs , S, rt Userout(Xu) • On receiving sample, computes Xs • If s is above I+then Xs = Umin • If s is below I-then Xs = Umax • On receiving useroutput(Xu), computes S • If mode = userthen • If s is inU then S = Xu • Else mode = supervisor ; S = Xs • If mode = supervisor then • If s is inI then S = Xu ; mode = user • Else S = Xs MITLCS

  16. Safety Verification • Assertional Proofs • Reasoning based on current state of the system • Finding the invariants is challenging • Strengthen statement • Proofs are easy, for proving I • Base case:   I • Discrete part: s a s’ є D, show I(s) implies I(s’) • Continuous part: closed τє T, show I(fstate(τ)) implies I(lstate(τ)) MITLCS

  17. Key Lemmas • All trajectories are closed • Any trajectory τє T, ltime(τ) - ftime(τ) ≤ Δ. MITLCS

  18. User mode θ1 S C A0 A1 A2 R AΔ U A0 = R For 0 ≤ t ≤ t’ ≤ Δ At’  At U AΔ I θ0 MITLCS

  19. User mode Safety • Any reachable state in the user mode is within R. • Proof: • Discrete part is easy • Any closed trajectory τє T, if fstate(τ)є At then lstate(τ)є At-ltime(τ). MITLCS

  20. buffer flushed, Supervisor mode kicks in. Cannot go outside R from U, in the user mode Returns to Iand mode switches back to user . mode switches to supervisor, but buffer contains stale user commands. Executions in User and Supervisor modes MITLCS

  21. Supervisor mode Correct input to plant • If s is above I+then last [rt/Δ] entries in buffer are Umin • rt: stopwatch for supervisor mode • Similarly, s is below I-then … Umax Settling phase rt ≤ Ta • Any reachable state is within C • All trajectories starting from within R remains within C • Proof similar to User mode Recovery phase rt > Ta • Any reachable state is within C • Proof: At any point on boundary of C, the vector field points inwards MITLCS

  22. Conclusions • Design of supervisory controller • Controller has been implemented [Ishutkina]. • Specification Language • Demonstration of HIOA framework • Specification • Compositional • Nondeterminism models uncertainties in devices or user inputs. • Purely assertional proofs • Discrete and continuous parts • CS and Control Theory techniques • Current/Future Work • Performance guarantees for mobile computing algorithms • Theorem prover support MITLCS

  23. Thank You.Questions ? MITLCS

  24. MITLCS

  25. Current/Future Work • Incorporate control theory methods: • Invariant sets, Stability analysis using Lyapunov functions, robust control methods. • More examples: • Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems. • Develop analysis tools for HIOA programs: • Theorem-provers, automated tools • As extension to IOA toolset MITLCS

More Related