
Two Worlds: Abstractions in the Continuous World

Explore the challenges of software control in cyber-physical systems and the importance of formal methods for verifying and synthesizing controllers. Topics covered include verification techniques, input-output robustness, and the application of formal methods in the continuous world.

pdoyle




Presentation Transcript


  1. Two Worlds: Abstractions in the Continuous World
     Rupak Majumdar, Max Planck Institute for Software Systems

  2. Cyber-Physical Systems
     1. Software-controlled interactions with the physical world
     2. Safety critical
     Software is a major component:
     • Boeing 747: ~50 ECUs, 4M LOC
     • ETCS Kernel: ~0.5M LOC
     • Lexus 2006: ~100 CPUs, ~7M LOC
     • BMW: ~70-100 CPUs, ~100M LOC!

  3. Cyber-Physical Systems
     1. Software-controlled interactions with the physical world
     2. Safety critical
     3. Software is the hard part
        - Expensive, brittle
        - Low productivity, high QA cost
        - Major part of development cost

  4. Control System Development (diagram)
     Virtual World: Plant Model (x' = Ax + Bu) = Environment spec, combined with Controller Model (u = Kx) = Control Software spec; validated against the system performance spec.
     Real World: Plant (Hardware) = Environment impl, combined with Controller (Software+Hardware) = Control impl; validated.

  5. Formal Methods Challenges
     • Verification: How can we ensure a system meets its specifications?
     • Synthesis: How can we automatically construct controllers for temporal requirements?
     • Abstraction and Robustness: When are two systems close? When is a system robust?

  6. This Talk: FM in the Control World
     • Proof techniques for verification
     • Epsilon-bisimulations and reactive synthesis
     • Input-output robustness
     • End-to-end arguments

  7. Disclaimer: Tutorial introduction to the field

  8. Continuous Dynamical Systems
     • f: dynamics
     • u: input from the controller
     • … assume f is "nice"
     • Trajectory: solution of the differential equation
     • Specification: Stability: "Under the action of the controller, the dynamics converges to the origin"

  9. Hybrid Dynamical Systems || Discrete constraint:
     - Control task can only run once every k cycles
     - The system must reach a sequence of setpoints while avoiding bad states
     - LTL specification

  10. Verification Question
     Given a controller that claims to
     • stabilize the system
     • satisfy additional discrete constraints
     check that the controller works correctly

  11. Synthesis Question
     Synthesize a controller that
     • stabilizes the system
     • satisfies additional discrete constraints

  12. Formal Methods Perspective
     • Verification:
       Safety → Inductive invariants
       Liveness → Ranking functions
     • Synthesis:
       Controller design → Reactive synthesis
     • Q: How do we apply these techniques to the continuous world?

  13. Verification

  14. Commonalities
     Formal Methods:
     • Safety: Show that program stays in safe states
     • Liveness: Show that program eventually terminates
     • Techniques: (Discrete) Logic
     Control Theory:
     • Safety: Show that system stays in safe states
     • Stability: Show that system eventually goes to setpoint
     • Techniques: Real Analysis

  15. Model Problem: Ensure no trajectory from Init reaches Bad

  16. [PrajnaJadbabaie04] Barriers: B(x) (figure: Init, Bad). The dynamics pushes the state back at the boundary of the barrier.

  17. Reachability (figure: Target)

  18. [LyapunovB.C.] Lyapunov functions: L(x). The dynamics pushes the state down along the level sets of L(x).

  19. Commonalities
     Formal Methods:
     • Safety: Show that program stays in safe states * Inductive invariants
     • Liveness: Show that program eventually terminates * Rank functions
     • Techniques: (Discrete) Logic * Horn clauses
     Control Theory:
     • Safety: Show that system stays in safe states * Barrier certificates
     • Stability: Show that system eventually goes to setpoint * Lyapunov functions
     • Techniques: Real Analysis * Constraints?

  20. Barriers/LF to Constraints

  21. Constraints: Polynomials
     • Assume f(x) is a polynomial
     • Fix polynomial template for B
     ⇒ Polynomial constraints

  22. Aside: Sum of Squares
     • Want to show: p(x) ≥ 0
     • Look for polynomials p1(x), …, pk(x) s.t. p(x) = p1(x)² + … + pk(x)²
     • Sufficient but not necessary
     ⇒ But the search for "sum of squares" polynomials reduces to convex optimization (semi-definite programming)

  23. Not just Safety/Reachability…
     • Horn clause formulations carry over: LTL, CTL*, ATL* [DimitrovaM]
     • Idea for LTL: Convert to parity conditions
     • Certificate = Sequence of functions V0, …, Vk
       - even i → barrier
       - odd i → Lyapunov function that exits this color

  24. Formal Methods Challenge
     • Design numerically stable and scalable decision procedures for polynomial arithmetic
     • Connect the search for barriers and Lyapunov functions to abstraction-refinement techniques

  25. Synthesis

  26. Controller Synthesis for LTL (diagram): Continuous system → Abstraction (?) → Reactive synthesis → Discrete controller → Refinement → Control input u

  27. [GirardPappas07, Tabuada] ε-Bisimulation: (x, y) ∈ R means that every trajectory starting from x is matched up to ε by a trajectory from y, and vice versa

  28. Controller Synthesis for LTL (diagram as on slide 26): Continuous system → Abstraction → Reactive synthesis → Discrete controller → Refinement → Control input u. When do finite bisimulations exist?

  29. [Angeli02] Incremental Stability
     • "Trajectories converge to each other as time progresses"
     • Incremental asymptotic stability (AS):
       || x(t, x0, u) − y(t, y0, u) || ≤ β(|| x0 − y0 ||, t) for all u
     • Incremental input-to-state stability (ISS):
       || x(t, x0, u) − y(t, y0, v) || ≤ β(|| x0 − y0 ||, t) + γ(|| u − v ||)
     • β is KL, γ is K∞

  30. Incremental Stability, in Pictures
     • Linear systems: Asymptotic stability (= all eigenvalues have negative real part) ⇒ incremental stability

  31. Transition Systems
     • Fix a sampling time τ
     • Transition system:
       States: R^n
       Labels: Piecewise constant control inputs
       Transitions:

  32. Intuition
     • Discretize state and input space
     • Errors accumulated due to discretization cancel out because of incremental stability (figure: x, y)

  33. Finite Bisimilarity
     • Fix an incremental ISS continuous system
     • Fix precision ε, sampling time τ
     • Theorem [PolaGirardTabuada]: Can choose discretization parameters a (state discretization), b (input discretization) s.t. there is a finite ε-bisimulation
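The [PolaGirardTabuada] construction for a scalar sampled system, as an added example that is not from the talk: the system x(k+1) = A·x(k) + u(k), its contraction A, the precision ε and the input step are all assumed here. It computes the largest state step η for which β(ε, τ) + η/2 ≤ ε and then checks the resulting ε-bisimulation relation exhaustively over the grid.

```python
# Added example (constructed toy system, not from the talk): a finite
# epsilon-bisimulation for the sampled scalar system x(k+1) = A*x(k) + u(k)
# with |A| < 1. One sampling step contracts distances by |A|, so the
# KL bound beta(r, tau) = A*r makes the system incrementally ISS.

A = 0.5          # one-step contraction of the sampled dynamics
EPS = 0.1        # bisimulation precision epsilon
U_STEP = 0.05    # input discretization ("b" on the slide)
X_RANGE = 1.0    # abstract states cover [-X_RANGE, X_RANGE]

def beta(r):
    return A * r     # distance of two trajectories after one step

def max_state_step(eps=EPS):
    """Largest state discretization eta ("a" on the slide) for which
    beta(eps) + eta/2 <= eps, the triangle-inequality step of the proof."""
    return 2 * (eps - beta(eps))

def quantize(x, step):
    """Nearest point of the lattice {k * step}."""
    return round(x / step) * step

def successor(x, u):
    """Exact sampled dynamics."""
    return A * x + u

def abstract_successor(q, u, eta):
    """Transition of the finite abstraction: the grid point nearest to
    the exact successor of the grid state q."""
    return quantize(successor(q, u), eta)

def relation_preserved(eta, eps=EPS, samples=20):
    """Check that R = {(x, q) : |x - q| <= eps} is an epsilon-bisimulation:
    for every grid state q, quantized input u and concrete x related to q,
    the concrete successor must stay within eps of the abstract successor.
    Returns True iff no violation is found."""
    n_q = int(X_RANGE / eta)
    n_u = int(X_RANGE / U_STEP)
    for i in range(-n_q, n_q + 1):
        q = i * eta
        for j in range(-n_u, n_u + 1):
            u = j * U_STEP
            q_next = abstract_successor(q, u, eta)
            for k in range(samples + 1):
                x = q - eps + 2 * eps * k / samples   # concrete x with |x - q| <= eps
                if abs(successor(x, u) - q_next) > eps + 1e-12:
                    return False
    return True
```

A coarser state grid than max_state_step() breaks the relation, which is the "exponential in the dimension" cost of slide 35 seen from the other side.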

  34. [ZamaniEsfahaniM.AbateLygeros] Extensions: Stochastic Dynamics
     • Extend notions of incremental ISS to stochastic ones
     • Finite epsilon-bisimulation (in the sense of expectations) exists for any compact set

  35. Good News/Bad News
     • Now discrete synthesis can be applied
     • Tool: Pessoa [RoyM.Tabuada] (coming up)
     • Expensive procedure: exponential in the dimension of the system

  36. Example 1: Motion Planning

  37. Example 1: Motion Planning

  38. Example 1: Motion Planning
     Abstraction: 91035 states (585 s); Control: 155 s

  39. Example 2: DC Motor Speed Control
     Spec:
     Abstraction: 1M states, 150 s; Controller found in 4 s

  40. Formal Methods Challenges
     1. Better abstractions for bisimulations? Using timed automata? (exponentially succinct representations)
     2. Abstraction and refinement for control?

  41. End-to-end Design

  42. Control System Development (same diagram as slide 4)
     Virtual World: Plant Model (x' = Ax + Bu) = Environment spec, combined with Controller Model (u = Kx) = Control Software spec; validated against the system performance spec.
     Real World: Plant (Hardware) = Environment impl, combined with Controller (Software+Hardware) = Control impl; validated.

  43. Controller Implementations
     • Physical world and software implementations may not match up: resource constraints, finite precision, distributed computation; uncertainties in measurements/actuations
     • How can we ensure that the implemented system correctly implements the controller?
     • What does "correctly" mean?

  44. Stability
     • "The physical plant converges to a desired behavior under the actions of the controller"
     Example: In the steady state, the angular velocity of a DC motor will be between 7.5 and 8.5 rad/s (figure: Mathematical Model vs. Software Implementation)

  45. Stability
     Example: In the steady state, the angular velocity of a DC motor will be between 7.5 and 8.5 rad/s (figure: Mathematical Model vs. Software Implementation)
     Question: What is the effect of implementation error on system stability?

  46. Effects of Implementation Error (figure: ρ between the Ideal, Mathematical Model and the Implementation)
     • The software implementation introduces errors due to: limited precision arithmetic, quantization of sensing and actuation, computation times, …
     • Can we bound the effect of error on the stability?

  47. Bound on Errors
     • Theorem [AntaM.SahaTabuada10]: If a is the L2 gain of a linear control system and b a bound on the implementation error, then ρ ≤ a · b
     • Separation of concerns:
       - Calculate the L2 gain from the mathematical model
       - Calculate the implementation error from the code

  48. Non-linear Systems
     • System x' = f(x, u), Controller u = k(x)
     • Use an ISS Lyapunov function V, and the additional constraint from robust control theory:
       ∂V/∂x · f(x, k(x) + e) ≤ −λ V(x) + σ || e ||

  49. Non-linear Systems: Error Bounds
     • Theorem [AntaM.SahaTabuada10]: If b is a bound on the implementation error, and σ, λ are as before for some Lyapunov function V, then ρ ≤ (σ/λ) · b
     • The values of σ and λ can be found using Sum of Squares (SoS) optimization techniques

  50. Error Sources
     • Sampling errors: Sampling a function at discrete points
     • Quantization errors: Finite precision arithmetic
     • Assume that sampling errors are negligible (by sampling fast enough)
     • Focus on quantization errors
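The bound ρ ≤ (σ/λ) · b from slides 48 and 49, applied to the quantization errors that slide 50 singles out, as an added example that is not from the talk: the plant x' = x³ + u, the controller k(x) = −x³ − x, the ISS Lyapunov function V(x) = |x| with λ = σ = 1 and the actuator step q are all constructed here. Since the ideal closed loop converges to 0, ρ is the steady-state |x| of the quantized loop, and the simulation checks it against the bound.

```python
# Added example (constructed plant, not from the talk): the separation-of-
# concerns bound rho <= (sigma/lambda) * b from the slides, checked against
# a simulation of a controller whose output is quantized.
import math

LAMBDA = 1.0   # decay rate in dV/dt <= -LAMBDA*V + SIGMA*|e| for V(x) = |x|
SIGMA = 1.0    # gain of the implementation error e in the same inequality

def plant(x, u):
    """Open-loop dynamics x' = f(x, u) = x^3 + u (constructed, unstable)."""
    return x ** 3 + u

def controller(x):
    """Ideal controller k(x) = -x^3 - x; the closed loop becomes x' = -x + e."""
    return -x ** 3 - x

def quantize(v, q):
    """Finite-precision actuator: round the command to a multiple of q,
    so the implementation error e = quantize(v) - v satisfies |e| <= q/2."""
    return round(v / q) * q

def lyapunov_inequality_holds(x, e):
    """The robust-control constraint from the slide for V(x) = |x|:
    dV/dx * f(x, k(x) + e) <= -LAMBDA*V(x) + SIGMA*|e|."""
    lhs = math.copysign(1.0, x) * plant(x, controller(x) + e)
    return lhs <= -LAMBDA * abs(x) + SIGMA * abs(e) + 1e-12

def error_bound(q):
    """Implementation error bound b = q/2 and the resulting bound on rho."""
    b = q / 2
    return b, (SIGMA / LAMBDA) * b

def simulate(q, x0=0.8, dt=1e-3, steps=20000):
    """Forward-Euler closed loop with the quantized controller; returns the
    largest |x| seen in the second half of the run (the steady state)."""
    x, worst = x0, 0.0
    for k in range(steps):
        u = quantize(controller(x), q)   # what the software actually outputs
        x += dt * plant(x, u)
        if k >= steps // 2:
            worst = max(worst, abs(x))
    return worst

def bound_holds(q):
    """True iff the simulated steady-state deviation respects rho <= (sigma/lambda)*b."""
    return simulate(q) <= error_bound(q)[1] + 1e-9
```

With q = 0.1 the loop settles just under the bound of 0.05: the quantized controller outputs 0 whenever |k(x)| < q/2, so the unstable plant drifts inside that dead band until the next non-zero command, which is why the bound is nearly attained rather than conservative.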
