Modeling and Reachability Analysis of Hybrid Systems

Modeling and Reachability Analysis of Hybrid Systems Rajeev Alur Systems Design Research Lab University of Pennsylvania www.cis.upenn.edu/~alur/ MFPS, March 2002

Programming Interacting Autonomous Robots Low level Analysis of vision data Control laws for legs Wireless cards • Current programming • How to implement Go-to-ball • Real-time scheduling High level Modes: Attack, Defend How to switch? Strategies Communication to collaborate

Trends in Model-Based Design • Emerging notations: UML-RT,Stateflow • Visual, Hierarchical, Object oriented • Simulation, code generation • Formal models and Model checking tools • Programming languages (Esterel, FRP…) • Control engineer’s tools (Matlab…) • Design/Simulation environments • SHIFT, Ptolemy-II, Modelica ….

Guiding Themes for CHARON • Integrated modeling of control program and physical environment (hybrid) • Programming language technology in Control tools • Continuous modeling in Programming environments • Foundations for hybrid systems in presence of concurrency, hierarchy, exceptions … • Compositionality, refinement, …. • Models need to be analyzable • Model checking • Exploit modeling constructs for efficiency

Faculty Rajeev Alur (CIS) Vijay Kumar (MEAM) Insup Lee (CIS) George Pappas (EE) CHARON Team PhD Students Joel Esposito Yerang Hur Franjo Ivancic P K Mishra Usa Sammapun Research Associates Thao Dang Salvatore La Torre Oleg Sokolsky Collaborators Rafael Fierro (U Oklahoma) Radu Grosu (SUNY StonyBrook) Funding: DARPA Mobies, NSF ITR

Talk Outline • Motivation • CHARON Summary • Model Checking • Conclusions

State machines + Dynamical systems x>68 off on dx=-k’x x>60 dx=kx x<70 x<63 Hybrid Modeling

CHARON Language Features • Individual components described as agents • Composition, instantiation, and hiding • Individual behaviors described as modes • Encapsulation, instantiation, and Scoping • Support for concurrency • Shared variables as well as message passing • Support for discrete and continuous behavior • Differential as well as algebraic constraints • Discrete transitions can call Java routines

Example: Vehicle Model Agent Vehicle Agent InterVehicleCommunication_IN Agent InterVehicleCommunication_OUT Agent CarSensor Agent RegulationLayer Agent VehiclePlant

Agent VehiclePlant Agent VehiclePlant Agent DynamicController Agent DynamicSensor Agent Communication_IN Agent Communication_OUT mode Brake Controller mode Torque Controller xDot_lls xDDot_lls xDot u_isl p_man_lls p_wheel_lls w_wheel_lls xDDot throttle_lls gearRatio_lls we_lls Agent VehicleDynamics Agent PowerTrain Agent Brake Agent SI_Engine Agent GearShift steering p_mcc Agent Rigid Body throttle_des Agent Torque Converter Agent WheelSet Agent Moments

Agent RegulationLayer Agent RegulationLayer mode VehicleFollower mode VehicleLeader mode Collision_W_ON mode No_Warning mode Collision_W_Off mode Cruise mode Accelerate mode Cruise_Cntrl mode Join_ACC mode ACC mode Join_CACC mode CACC mode Decelerate mode Braking mode FCW mode CFCW mode Warning

CHARON Toolkit

What is Compositionality ? Which properties are preserved? Can we restrict reasoning to modified parts of design? Mode should have a precise interface spec that would permit composition of behaviors Charon supports formal trace-based semantics and compositional proof calculus for refinement

Talk Outline • Motivation • CHARON Summary • Model Checking • Overview • Linear Hybrid Automata • Polyhedral Approximations for Linear Systems • Predicate Abstraction • Conclusions

Quest for Better Debugging • Bugs are expensive! • Pentium floating point bug, Arian-V disaster • Testing is expensive! • More time than design and implementation • Safety critical applications • Certification mandated

Model Checker model yes temporal property error-trace Advantages Automated formal verification, Effective debugging tool Moderate industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Obstacles Scalability is still a problem (about 100 state vars) Effective use requires great expertise

Cache consistency: Gigamax Real design of a distributed multiprocessor Global bus UIC UIC UIC Cluster bus P M P M Read-shared/read-owned/write-invalid/write-shared/… Deadlock found using SMV Similar successes: IEEE Futurebus+ standard, network RFCs

Symbolic Model Checking Model variables: X = {x1, x2, … xn} Given initial set I, is target set T reachable? Data type: region to represent state-sets R:=I(X) Repeat If R intersects T report “yes” Else if R contains Post(R) report “no” Else R := R union Post(R) Post(R)= Set of states that can be reached from R in one “step” (discrete switch or continuous flow)

Symbolic Representations • Necessary operations on Regions • Union, Intersection, Negation • Projection, Renaming • Equality/containment test, Emptiness test • Different choices for different classes • BDDs for discrete boolean systems in hardware verification • Difference Bound Matrices (DBMs) for verification of timed automata

Model Checking for Hybrid Systems • Same algorithm works in principle • What’s a suitable representation of regions? • Region: subset of Rk • Main problem: handling continuous dynamics • Precise solutions available for restricted continuous dynamics • Timed automata • Linear hybrid automata • Even for linear systems, over-approximations of reachable set needed

Reach(X) X Reachability Analysis for Dynamical Systems • Goal: Given an initial region, compute whether a bad state can be reached • Key step is to compute Reach(X) for a given set X under dx/dt = f(x)

Linear Hybrid Automata • Invariants and guards: linear (Ax <= b) • Actions: linear transforms (x:= Ax) • Dynamics: time-invarint, state-independent specified by a convex polytope constraining rates E.g. 2 < x <= 3, x = y • Tools: HyTech • Symbolic representation: Polyhedra • Methodology: abstract dynamics by differential inclusions bounding rates

Example LHAGate for a railroad controller h = 90 Open h = 90 dh = 0 lower lowering h >= 0 -10<dh < 9 lower h = 90 h = 0 raise closed h = 0 dh = 0 raising h <= 90 8< dh <10 raise

Reachability Computation Basic element: (location l, polyhedron p) Set of visited states: a list of (l,p) pairs Key steps: • Compute “discrete” successors of (l,p) • Compute “continuous” successor of (l,p) • Check if p intersects with “bad” region • Check if newly found p is covered by already visited polyhedra p1,…, pk (expensive!)

Computing Discrete Successors g(x)-> x := a(x) Discrete successor of (l,p) • Intersect p with g (result r is a polyhedron) • Apply linear transformation a to r (result r’ is a polyhedron) • Successor is (l’,r’) l l’

y x Computing Time Successor y (1,4) (1,4) Reach(p) (3,2) p (3,2) x Rate Polytope • Thm: If initial set p, invariant I, and rate constraint r, are polyhedra, then set of reachable states is a polyhedron (and computable) • Basically, apply extremal rates to vertices of p

Summary: Linear Hybrid Automata • HyTech implements this strategy • Core computation: manipulation of polyhedra • Bottlenecks • proliferation of polyhedra (unions) • computing with higher dimensional polyhedra • Many case studies (active structure control, Philips audio control protocol, steam boiler…)

Beyond LHA • Exact computation with polyhedra is limiting. • If dynamics is dX=AX, and P is a polyhedron, Reach(P) is not a polyehdron • Solutions: • Approximate Reach(P) with an enclosing convex polyhedron: Checkmate (Krogh) • Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler) • Level sets method (Greenstreet, Tomlin) • Use ellipsoids for representation of sets (Kurzhanski)

t6 t5 t7 t4 t3 t8 t2 t9 t1 • divide R[0,T](X0) into [tk,tk+1] segments • enclose each segment with a convex polytope Polyhedral Flow Pipe Approximations X0 • RM[0,T](X0) = union of polytopes

Wrapping Hyperplanes Around a Set c2 Step 1: Choose normal vectors, c1,...,cm c1 S c3 c4

Wrapping Hyperplanes Around a Set Step 2: Compute optimal d in Cx  d, CT = [c1... cm]: c2 c1 di = max ciTx xS S c3 c4

Wrapping a Flow Pipe Segment Given normal vectors ci, we wrap R[tk,tk+1](X0) in a polytope by solving for each i di = max ciTx(t,x0) xo,t s.t. x0X0 t [tk,tk+1] Optimization problem is solved by embedding simulation into objective function computation

Improvements for Linear Systems • x = Ax x(t, x0) = eAtx0 • No longer need to embed simulation into optimization • Flow pipe segment computation depends only on time step t • A segment can be obtained by applying eAt to another segment of the same t

Example 1: Van der Pol Equation Van der Pol Equation Initial Set Uniform time step Dtk = 0.5

Example 2: Linear System Vertices for X0 Uniform time step Dtk = 0.1

Predicate Abstraction bx: x>0; by : y>0 Program Abstraction int x, y; if x>0 { ………… y:=x+1 ……….} else { ………… y:=x+1 ……….} bool bx, by; if bx { ………… by:=true ……….} else { ………… by:={true,false} ……….} Successful applications: Lucent: Pathstar switch NASA: Space shuttle control

x t Concrete Space: L x Rn Abstract Space: L x {0,1} k Predicate Abstraction • Input is a hybrid automaton and a set of k boolean predicates, e.g. x+y > 5-z. • The partitioning of the concrete state space is specified by the user-defined k predicates.

Overview of the Approach Hybrid system Boolean predicates additional predicates Search in abstract space Safety property No! Counter-example Property holds Analyze counter-example Real counter- example found

Why use this approach? • Reach(X) needs to be computed only for abstract states X and not intermediate regions of unpredictable shapes/complexity • No need to compute Reach (X). Goal is to find one new abstract state reachable from X, partial results are of great use • Simulate vertices • Consider time-slices at discrete times • Our focus is on search strategies to make progress in the abstract state-space • Initial implementation in C++ with promising results

What do we analyze? • Input hybrid automaton • Guards/updates/invariants are linear expressions • Dynamics: dx = A x + B u • u : uncertain input within a bounded range • Initial condition and bad region (both linear) • User provides set of linear predicates for abstraction • Builds on routines for manipulating polyhedra from d/dt

Search Algorithm • Starting with initial abstract states, depth-first search to discover bad state • On-the-fly search: abstract states analyzed for outgoing transitions only on demand • Given an abstract state s, first examine outgoing edges and check if they lead to new abstract states • When discrete transitions do not yield new states, compute continuous successors • For abstract state s, compute polyhedral slices at times r, 2r, 3r • Compute bounding polyhedra for reach sets from kr to (k+1)r • For every intermediate result, check intersection with new abstract states

Vehicle Controller PLATOON (i) DISTANCE VELOCITY CONTROLLER PLATOON (i-1) vel vel acc • The agent platoon-(i-1) generates a trace for its velocity using its acceleration which is treated as uncertain input to the system: • The agent controller of platoon-(i) tries to maintain the distance to the previous platoon-(i-1) to some safety distance which depends on its own acceleration and velocity. dist

Charon Modeling and Simulation • Variables: • distance • velLeader • velFollower • acceleration • (uncertain input)

Verification Results • The Predicate Abstraction tool found that the MoBIES Automotive OEP Vehicle-To-Vehicle longitudinal controller satisfies collision-free behavior, if the following initial region is assumed: • 20 ≤ distance ≤ 1000 • 15 ≤ velLead ≤ 18 • 20 ≤ velFollow ≤ 25 • The tool used 17 predicates, and found 16 reachable abstract states. • The computation took approximately 4 minutes on a Pentium II with negligible memory resource needs.

Talk Outline • Motivation • CHARON Summary • Model Checking • Conclusions

Refining the Verifier • How to efficiently check whether the abstract counter example is a real one? • Automatic discovery of new predicates • Finding a separating hyperplane for two sets of polyhedra • Greedy heuristic picks a subset of faces • Improved search strategy to guide the search • Techniques for eliminating abstract states early from consideration while computing continuous successors

Ongoing Activities • Research • Distributed simulation • Qualitative abstractions of hybrid systems • Model-based test generation • Accurate event detection for simulation • Exploiting hierarchy for efficient simulation • Applications/Case-studies • Multiple autonomous robots • MoBIES challenge problems • Animation • Biomolecular networks…

Wrap-Up • Modeling and Analysis in symbiosis • Common themes in many modeling proposals • Hierarchy • Concurrency and Communication • Component interfaces • Formal semantics and compositionality • Integration: Discrete + Continuous + Stochastic • Automating formal verification is hard, but there is a steady progress • Biological systems: emerging application for modeling with similarities to embedded software

Modeling and Reachability Analysis of Hybrid Systems

Modeling and Reachability Analysis of Hybrid Systems

Presentation Transcript

Hybrid Systems Modeling and Analysis of Regulatory Pathways

Modeling and Analysis of Manufacturing Systems

Hybrid Systems Modeling, Analysis, Control

Hybrid Systems: Modeling and Analysis

Reachability Analysis

Foundations of Reachability Analysis

Stochastic Hybrid Systems: Modeling, analysis, and applications to networks and biology

Reachability Analysis

Reachability analysis*

Efficient Reachability Analysis for Verification of Asynchronous Systems

Reachability Analysis

Hybrid Systems Modeling, Analysis, Control Review and Vistas of Research

Reachability Analysis

Reachability Analysis

MODELING AND ANALYSIS OF MANUFACTURING SYSTEMS

Reachability Analysis

Stochastic Hybrid Systems: Modeling, analysis, and applications to networks and biology

Reachability Analysis

Hybrid Systems Modeling, Analysis, Control

Hybrid Systems Modeling, Analysis, Control Review and Vistas of Research

Modeling and Analysis of Manufacturing Systems

Hybrid Systems Modeling of Communication Networks