Observability and Diagnosability of Hybrid Automata, and their application in Air Traffic Management
M.D. Di Benedetto, S. Di Gennaro and A. D’Innocenzo
University of L’Aquila, Center of Excellence DEWS, L’Aquila, Italy
Motivation
• ATM procedures define behaviours and interactions among the actors of a multi-agent system
• With the increase of air traffic, bottlenecks of current procedures are arising: decentralize decisions?
• It is extremely hard to convince people that a “new” procedure is more efficient than the “old” one, but equally safe
General framework for testing ATM procedures
In order to convince (formally prove) that an ATM procedure satisfies certain properties:
• Compositional mathematical framework for modeling ATM procedures
• Propositional logics to mathematically define properties of interest
• Tools to automatically verify properties
Automatically verify properties of ATM procedures
[Figure: ATM procedure + property of interest → Automatic Verification Tool → Yes / No + counterexample]
• Can the procedure terminate correctly?
• Does the procedure terminate in a time t within [min, max]?
• Is it possible to immediately detect if the procedure is not performed correctly?
• Is it possible to detect propagation of situation awareness incongruency due to interconnection of agents?
Automatically verify properties of ATM procedures
[Figure: hybrid model + formula → model checking → Yes / No + counterexample]
• Can the procedure terminate correctly? CTL PROPERTY
• Does the procedure terminate in a time t within [min, max]? TCTL PROPERTY
• Is it possible to immediately detect if the procedure is not performed correctly? OBSERVABILITY PROPERTY
• Is it possible to detect propagation of situation awareness incongruency due to interconnection of agents? DIAGNOSABILITY PROPERTY
Hybrid system definition
[Figure: discrete layer (states q1, q2, q3) with invariant sets, guard sets and reset maps, over a continuous layer]
Language of executions of discrete state
[Figure: example timed execution through q1, q2, q3, q4 with time stamps 1 s, 2 s, 3 s, 4 s]
• L: language of all discrete state executions
• L_Qb: executions that terminate in Qb, a subset of Q
• P: language of all discrete observations
• P_Qb: observations of the strings in L_Qb
Regular language of executions
• Consider observations without time delays: then L, P, L_Qb, P_Qb are regular languages
• Regular languages are closed w.r.t. union, intersection, concatenation
Discrete state observability: motivation [Di Benedetto et al. MED’05]
Qb = {unauth. crossing}
[Figure: discrete layer of a taxiing scenario with states Engines Running, Taxiing, Ask for crossing grant, Taxi on airport way, Waiting at stop-bar, Unauthorized crossing, Emergency Braking, Authorized crossing, Taxi to hangar, Crossing completed; several states, including Unauthorized crossing, are marked Unobs. (unobservable)]
Observability definition
Let Qb, a subset of the discrete state space Q, model a faulty behavior of the system.
Definition: Set Qb is observable for hybrid system H if an observer of Qb exists. [Di Benedetto et al. LNCIS’05, CDC’06]
[Figure: hybrid system → observer of Qb]
Classical observability definition
Proposition: Classical discrete state observability is a special case of observability of Qb.
[Figure: observer of H built from the observers of q1, …, qN]
Observability condition
Proposition: Set Qb is observable for hybrid system H if and only if Q0 Qb
Observability verification
Algorithm:
• Compute the regular languages P_Qb and P_(Q\Qb)
• Compute the intersection P_Qb ∩ P_(Q\Qb)
• Check if P_Qb ∩ P_(Q\Qb) is empty. [Di Benedetto et al. IJRNC’08]
The algorithm terminates in polynomial time w.r.t. the dimension of the discrete state space.
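As an added example (not the authors' code), the following Python carries out the emptiness check P_Qb ∩ P_(Q\Qb) = ∅ directly on the discrete layer, by exploring pairs of executions that have produced the same observation string and reporting a witness pair when one ends in Qb and the other outside it. The taxiing model, its state names and output symbols are constructed assumptions in the spirit of the earlier slide, with and without an observation of the crossing states.

```python
from collections import deque
START = "_start"  # virtual pre-initial state: entering an initial state is a move

def project(path, out):
    """Observation string of a discrete execution; unobservable states (None) vanish."""
    return tuple(out[q] for q in path if out[q] is not None)

def observable(succ, out, q_b):
    """P_Qb ∩ P_(Q\\Qb) = ∅ check: BFS over pairs of executions with equal observations
    so far (succ: state -> successors, succ[START] = initial states; out: state ->
    output symbol or None if unobservable). Returns None if observable, else a witness."""
    root = (START, START)
    parent = {root: None}
    queue = deque([root])
    while queue:
        p, q = queue.popleft()
        if START not in (p, q) and (p in q_b) != (q in q_b):
            return _witness(parent, (p, q))  # same observations, different Qb membership
        # one side passes through an unobservable state: observation unchanged
        moves = [((p2, q), "p") for p2 in succ[p] if out[p2] is None]
        moves += [((p, q2), "q") for q2 in succ[q] if out[q2] is None]
        # both sides emit the same observable symbol
        moves += [((p2, q2), "both") for p2 in succ[p] for q2 in succ[q]
                  if out[p2] is not None and out[p2] == out[q2]]
        for pair, who in moves:
            if pair not in parent:
                parent[pair] = ((p, q), who)
                queue.append(pair)
    return None

def _witness(parent, pair):  # rebuild both executions from the BFS parent links
    first, second = [], []
    while parent[pair] is not None:
        prev, who = parent[pair]
        if who != "q": first.append(pair[0])
        if who != "p": second.append(pair[1])
        pair = prev
    return first[::-1], second[::-1]

def taxi_model(stopbar_sensor):
    """Constructed discrete layer in the spirit of the taxiing slide; not the authors' model."""
    succ = {START: ["engines_running"], "engines_running": ["ask_grant"], "waiting": ["auth_crossing"],
            "ask_grant": ["waiting", "unauth_crossing"], "unauth_crossing": ["emergency_braking"],
            "auth_crossing": ["crossing_completed"], "emergency_braking": [], "crossing_completed": []}
    crossing = "cross" if stopbar_sensor else None  # None: crossing states unobservable
    out = {"engines_running": "taxi", "ask_grant": None, "waiting": "stop", "unauth_crossing": crossing,
           "auth_crossing": crossing, "emergency_braking": "brake", "crossing_completed": "hangar"}
    return succ, out
```

Without the stop-bar observation the unauthorized crossing is indistinguishable from still waiting for the grant (both executions observe only "taxi"); with it, Qb = {unauth_crossing} is observable.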
Diagnosability definition
Definition: Set Qb is δ-diagnosable for a hybrid system H if it is possible to detect within a delay δ that Qb has been visited, using the observable output.
Proposition: Set Qb is observable if and only if it is δ-diagnosable with δ = 0.
δ-diagnosability conditions
[Figure: two cases, each a pair of timed executions (q1 → q2 → q3 → q4 and q1 → q5 → q6 → q7) with time stamps; the first pair is not admitted, the second is admitted]
Faulty executions
Definition: A δ-faulty execution is a trajectory that enters the faulty set at a certain time instant, and then continues flowing for a time duration δ.
[Figure: timed execution through q1, q2, q3, q4 with time stamps 1 s, 2 s, 3 s, 4 s, which is 3-faulty]
Diagnosability conditions
Proposition: Qb is δ-diagnosable for H iff
Problem: Compute the minimum δ_m such that Qb is δ_m-diagnosable for H.
Diagnosability verification for HA
• It is extremely hard to automatically verify diagnosability conditions on a general hybrid model.
• It is probably undecidable.
• This problem has been solved for discrete event systems and timed automata.
Abstraction methods
[Figure: hybrid system H → discrete event system D: safety, untimed temporal properties; hybrid system H → durational graph G, timed automaton T: timed properties]
Timed abstraction: Pro: preserves time information! Con: more complex algorithms…
Diagnosability verification by abstraction [Di Benedetto et al., IEEE TAC]
• Construct an abstraction G that preserves the properties of interest
• Run the verification procedure on G
[Figure: hybrid system H → abstraction G; H is diagnosable ↔ G is diagnosable]
Find conditions to construct an abstraction G such that: a property is true for H if and only if it is true for G.
Diagnosability verification complexity
Complexity class:
• Discrete event systems: P [Lafortune]
• Durational graphs: P [Di Benedetto et al., IEEE TAC]
• Timed automata: PSPACE [Tripakis]
(expressive power increases from discrete event systems to durational graphs to timed automata)
In-Trail Procedures: ATSA and ASEP ITP
• The ATSA-ITP application is currently being standardized by the Requirements Focus Group as part of the Airborne Separation Assistance System (ASAS) Package 1 applications.
• Tested since spring 2008 in the North Atlantic airspace above Iceland (where radar coverage is available) with a small set of aircraft equipped with special ADS-B devices. ATSA-ITP is the near future of ITP oceanic airspace applications.
• The Airborne Separation In Trail Procedure (ASEP-ITP), studied inside the Advanced Safe Separation Technologies and Algorithms (ASSTAR) project, introduces an innovative transfer of separation management responsibilities from ATC to the flight crew throughout the ITP manoeuvre.
• The rationale behind this is that the flight crew, in contrast to ATC, has the appropriate surveillance equipment at its disposal (i.e. ADS-B and ASAS equipment), and is therefore instantly able to monitor separation and act if necessary.
ATSA and ASEP ITP
• ATSA-ITP: improvement in the situation awareness of the agents, but the procedure is the same as the traditional one and does not include any transfer of responsibility from the controller to the pilot.
• ASEP-ITP: for the first time in oceanic applications, the pilot has the responsibility for separation during execution. He can change the Mach number whenever the ASAS system suggests it. This reduces the separation minimum to 5 NM.
• ASEP-ITP is strongly based on ATSA-ITP: a step-by-step evolution of the application inside the ASAS concept, with gradual implementation of a new concept and of its safety assessment.
Separation minimum improvement
[Figure: three panels, each with the Reference Aircraft at FL360, FL350 in between and the ITP Aircraft at FL340: actual separation > 10 minutes (~80 NM); ATSA separation minimum 10 NM; ASEP separation minimum 5 NM]
Assumptions
• Agents:
  • ITP Aircraft modeled by a rectangular automaton
  • Oceanic Controller modeled by a discrete event system
• ASAS Technical System is working
• Aircraft dynamics are described by
  • longitudinal position
  • altitude
  • longitudinal absolute speed, measured in Mach
  • climb rate
• Operational hazards: [Requirements Focus Group (RFG). In-trail procedure in non-radar oceanic airspace (ATSA-ITP) - operational safety assessment (OSA), v2.3. November 2007.]
From ASEP-ITP specification to automatic verification
Most of the properties of interest for ATM procedure analysis are decidable for timed and rectangular automata [Alur et al., TAC’00].
[Figure: ASEP-ITP specification → hybrid system or rectangular automaton H → timed automaton T, with the property checked at each level (true on the ASEP-ITP specification, true on H, true on T)]
ASEP-ITP observability analysis
[Figure: discrete layer of the ASEP-ITP model with states Q1 Cruise, Q2 ITP Initiation, Q3 ITP Instruction, Q4 ITP Standard Execution, Q5 ITP Termination, Q6 ITP Aborted, Q7 ITP Denied, Q8 ITP Rejected, Q9 Abnormal Termination, Q10 Non-ITP Criteria compliant, Q11 Wrong Execution, Q12 ASAS alert, Q13 Wrong termination; transitions labelled σ1–σ9, ψ1–ψ7 and ε]
ASEP-ITP observer
[Figure: observer of the ASEP-ITP model with states {Q1, Q2, Q6}, {Q12}, {Q7}, {Q3}, {Q9}, {Q4, Q10, Q11}, {Q5, Q13}, {Q8} and transitions labelled ψ1–ψ7]
The operational hazards are not observable (e.g. Q11 Wrong Execution shares an observer state with Q4 ITP Standard Execution): even if the ASEP-ITP procedure satisfies the ED78a check, some operational hazards cannot be detected!
Conclusions
• Apply hybrid systems theory to the formal modeling of ATM procedures
• Propose a mathematical framework for the formal analysis of ATM procedures
• Develop tools for automatic verification of observability and diagnosability
• Analyze the observability of ASEP-ITP
Future work
• Stochastic definitions of observability and diagnosability
• Use abstraction tools for stochastic hybrid systems analysis
• Compositional analysis for complexity reduction