This paper presents a method for verifying hybrid systems using discrete model approximations. It includes an outline of the contribution, an overview of the MATLAB verification tool, a verification example, and concluding remarks.
Hybrid System Verification Using Discrete Model Approximations
Alongkrit Chutinan
Department of Electrical and Computer Engineering, Carnegie Mellon University, Pittsburgh, PA, USA
Outline
• Hybrid Systems and Verification
• MATLAB Verification Tool
• Verification Example
• Conclusions
Hybrid Systems
• Continuous dynamics: differential equations/inclusions, stopwatch timers, etc.
• Discrete dynamics: finite state automata, Petri nets, etc.
Hybrid Systems
• Found virtually everywhere
• Result of switching logic in many computer-controlled applications
• Extremely difficult to analyze
• Small perturbations can lead to drastically different behavior
• No universally accepted framework for analysis and control
Focus: The Verification Problem
• Inputs: the system model and the system property (specification)
• Question: does the system satisfy the property? Answer: Yes/No
• Very important problem for safety-critical applications
• All behaviors must be taken into account
MATLAB Tool Overview
Simulink/Stateflow Front End (graphical editing, simulation) → Threshold-event-driven Hybrid Systems (TEDHS) → Conversion → Polyhedral-Invariant Hybrid Automaton (PIHA) → Initial Partition → Quotient Transition System (computed with Flow Pipe Approximations, refined by Partition Refinement) → ACTL Verification
Threshold-event-driven Hybrid Systems (TEDHS)
(figure) Block diagram with three components:
• Switched continuous dynamics F(·,·): discrete input u(t), continuous state x(t)
• Threshold event generator g(·) with zero detector: signal y(t) and threshold events v(t)
• Finite state machine (event driven): u(t) = h(u(t-), v(t)), u(0-) = u0
TEDHS Front End
• Built on top of Simulink in MATLAB
• Simulink's simulation capability can be exploited
• Special blocks customized through Simulink's masking mechanism
• Major supported block types:
  • Switched Continuous System Block (SCSB)
  • Polyhedral Threshold Block (PTHB)
  • Finite State Machine Block (FSMB)
  • Multiplexer and Logical Operators (And, Or, Not)
Switched Continuous System (block with input u and output x)
• Parameter: switching function f
• Input: discrete condition signal u
• Output: continuous state vector x
• Description: continuous dynamics selected by the discrete input signal
Polyhedral Threshold (block labeled C*x <= d, with input x)
• Parameters: C, d
• Input: continuous state vector x
• Output: Boolean signal, 1 if Cx ≤ d, 0 otherwise
• Description: outputs a Boolean signal indicating whether the continuous state x lies in the polyhedron Cx ≤ d
Finite State Machine (Stateflow; block with a vectorized event input, scalar data inputs data 1 … data N, and output q)
• Inputs:
  • Data: Boolean condition signals which are functions of PTHB and FSMB outputs
  • Event: transition edges of Boolean condition signals which are functions of PTHB outputs
• Output: discrete signal (integer) indicating the active state of the FSM
• Description: state transitions are driven by the input data and event signals
Sample Block Diagram (figure): three Switched Continuous System blocks (states x1, x2, x3), three Polyhedral Threshold blocks C*x <= d (outputs th1, th2, th3), multiplexers, an OR Logical Operator, and two Finite State Machine blocks (condition inputs c1, c2; state outputs q1, q2).
Hybrid Automaton (figure)
• Location (discrete state) u with continuous dynamics, an initial condition, and an invariant: the hybrid automaton may remain in u as long as x ∈ I(u)
• Edge from u to u' with a guard condition and a reset condition
Reset Condition (figure): exit states of the source location are mapped to entry states of the target location.
Polyhedral-Invariant Hybrid Automaton (PIHA)
• Continuous dynamics in each location u: an ordinary differential equation
• Guards: hyperplanes
• Resets: identity
• Invariant: the convex polytope defined from the complements of the guards
Hybrid System State Space
• Given by the cross product Xc × Xd
• Continuous state space Xc: cross product of the state spaces of all nscs SCSBs, Xc = Xc1 × … × Xc,nscs
• Discrete state space Xd: cross product of the state spaces of all nfsm FSMBs, Xd = Xd1 × … × Xd,nfsm
Continuous State Space Partition
• Restrict attention to a bounded subset of Xc called the analysis region (AR)
• Partition Xc into polyhedral cells by all hyperplanes c^T x = d from all PTHBs
• Output values of all PTHBs are constant across all xc in each cell
(figure: analysis region, cells, hyperplanes)
PIHA Construction
• Each location is a pair (p, q)
  • p: cell p
  • q: FSM states
• p is the invariant
• p determines the outputs of the PTHBs in the TEDHS
• q contains the outputs of the FSMBs in the TEDHS
• q directly determines the continuous dynamics
Location Transition
• Events occur when the continuous trajectory x crosses a hyperplane h on the boundary of cell p
• Determine the neighboring cell p' that is reached by crossing h
• Use p and p' to compute the PTHB outputs before and after the hyperplane crossing
• Determine the events that occur and make the FSM state transition from q to q'
• Transition to a special (empty) location when crossing a hyperplane on the analysis region boundary
(figure: location (p,q) → (p',q') by crossing h; crossing h' leads out of the AR)
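The cell partition and the location-transition event computation of the preceding slides, as an added example that is not part of the original slides; the helper names and the two-dimensional PTHB data are constructed for illustration:

```python
# Added example (not from the slides). Every row c^T x <= d of every PTHB is one
# hyperplane; a cell of the analysis region is identified by the vector of
# per-hyperplane signs, so all PTHB outputs are constant inside a cell. Crossing
# hyperplane h on the boundary of cell p flips sign h and yields the neighbouring
# cell p'; comparing PTHB outputs on p and p' gives the threshold events that
# drive the FSM transition q -> q'. Helper names and data are constructed.

def dot(c, x):
    return sum(ci * xi for ci, xi in zip(c, x))

def hyperplanes(pthbs):
    """Flatten the rows (c, d) of all PTHBs into one ordered list of hyperplanes."""
    return [(c, di) for C, d in pthbs for c, di in zip(C, d)]

def cell_of(pthbs, x):
    """Cell p containing x: tuple with 1 where c^T x <= d holds, 0 otherwise."""
    return tuple(int(dot(c, x) <= di) for c, di in hyperplanes(pthbs))

def pthb_outputs(pthbs, cell):
    """PTHB outputs on a cell: block i outputs 1 iff all of its rows hold there."""
    out, k = [], 0
    for C, _ in pthbs:
        out.append(int(all(cell[k:k + len(C)])))
        k += len(C)
    return tuple(out)

def cross(cell, h):
    """Neighbouring cell p' reached from p by crossing hyperplane index h.
    h must be a face of cell p, otherwise the sign vector may describe an empty cell."""
    p = list(cell)
    p[h] ^= 1
    return tuple(p)

def events(pthbs, p, p_next):
    """Threshold events fired by the crossing: (PTHB index, 'rise' or 'fall')."""
    before, after = pthb_outputs(pthbs, p), pthb_outputs(pthbs, p_next)
    return [(i, 'rise' if a else 'fall')
            for i, (b, a) in enumerate(zip(before, after)) if b != a]

# Constructed 2-D data: PTHB 0 is the strip 0 <= x1 <= 1 (two rows),
# PTHB 1 is the half-plane x2 <= 2. Three hyperplanes in total.
PTHBS = [
    ([[1, 0], [-1, 0]], [1, 0]),   # x1 <= 1 and -x1 <= 0
    ([[0, 1]], [2]),               # x2 <= 2
]
```

Starting from x = (0.5, 1.0) the cell is (1, 1, 1); crossing hyperplane 0 (x1 = 1) gives cell (0, 1, 1) and the single event (0, 'fall'), since PTHB 0 stops holding while PTHB 1 is unchanged.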
Transition Systems
• Unlabeled: T = (Q, →, Q0)
  • Q: set of states (possibly infinite/continuum)
  • → ⊆ Q × Q: transition relation
  • Q0: initial states
• Labeled: T = (Q, →, Q0, 2^AP, L)
  • AP: set of atomic propositions
  • L: Q → 2^AP: labeling function
PIHA Semantics: Discrete-Trace Transition Systems
• Given a hybrid system H, TH = (X0 ∪ Xentry ∪ {qu}, →H, X0)
• Discrete transitions: (x,u) →H (x',u') iff there is an edge e = (u,u') and a continuous trajectory from x to a state x'' ∈ G(e) such that x' ∈ R(e,x'')
• Null transitions: (x,u) →H qu iff there is a continuous trajectory from x that never leaves the location u
• TH completely masks the continuous-time behavior
TH Illustration (figure): exit states and entry states of the locations.
Simulation of Transition Systems
Given T1 = (Q1, →1, Q1o, 2^AP, L1) and T2 = (Q2, →2, Q2o, 2^AP, L2), T2 simulates T1 if there exists a binary relation ≈ ⊆ Q1 × Q2 such that
• ≈ is total (involves all of Q1)
• q1 ≈ q2 ⇒ (q1 ∈ Q1o ⇒ q2 ∈ Q2o, and L1(q1) = L2(q2))
• q1 ≈ q2 and q1 →1 q1' ⇒ there exists q2' such that q1' ≈ q2' and q2 →2 q2'
(figure: related states q1 ∈ Q1 and q2 ∈ Q2 with matching successors; T1 is simulated by T2)
Bisimulation
Given T1 = (Q1, →1, Q1o, 2^AP, L1) and T2 = (Q2, →2, Q2o, 2^AP, L2), a relation ≈ ⊆ Q1 × Q2 is a bisimulation if
• ≈ is a simulation relation of T1 by T2
• ≈^-1 is a simulation relation of T2 by T1
(figure: related states q1 ∈ Q1 and q2 ∈ Q2 with matching successors in both directions)
Simulation vs. Bisimulation
• Simulation
  • Conservative approximation of labeled behaviors
  • Can be used to verify universal specifications
• Bisimulation
  • Equivalent to the original system with respect to labeled behaviors
  • Obtained through iterative refinements of quotient transition systems
  • Can be used to verify all specifications
Quotient Transition Systems (QTS)
• Given a transition system T = (Q, →, Q0)
• Pre(P) = { q | ∃p ∈ P, q → p }
• Post(P) = { q | ∃p ∈ P, p → q }
• Quotient transition system T/P = (P, →P, Q0/P) where
  • P: a partition of Q
  • P1 →P P2 for P1, P2 ∈ P iff q1 → q2 for some q1 ∈ P1, q2 ∈ P2, i.e. iff Post(P1) ∩ P2 ≠ ∅, i.e. iff P1 ∩ Pre(P2) ≠ ∅
(figure: T and its quotient T/P)
Facts About QTS
1. T/P simulates T
2. T/P is a bisimulation if and only if P ∩ Pre(P') = ∅ or P ∩ Pre(P') = P for all P, P' ∈ P (stopping condition for the bisimulation procedure)
(figure: blocks P and P' with Pre(P') either disjoint from P or covering all of P)
Approximating QTS
• Computing the QTS requires computation of reachable sets in the Pre and Post operators
• Reachable sets cannot be computed exactly in general
• Reachability approximation (for continuous dynamics) → quotient transition system approximation
Approximate QTS
• Given a reachability approximation method M with
  • Pre(P) ⊆ PreM(P)
  • Post(P) ⊆ PostM(P)
• Approximate quotient transition system TM/P = (P, →PM, Q0/P) where
  • P1 →PM P2 for P1, P2 ∈ P iff PostM(P1) ∩ P2 ≠ ∅ (conservative)
Facts About Approximate QTS
1. T is simulated by T/P, which is simulated by TM/P (so TM/P can be used to verify universal specifications)
2. The usual bisimulation condition no longer holds for the approximation. TM/P is a bisimulation if (PostM(P) ∩ P' ≠ ∅ ⇒ ∀p ∈ P, ∃p' ∈ P' with p → p') and, for all P, P' ∈ P, PostM(P) ∩ P' = ∅ or PostM(P) ⊆ P' (stopping condition for bisimulation with approximation: P has at most one successor)
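The Pre/Post operators, the quotient T/P, the exact stopping condition (Fact 2 about QTS) and the approximate QTS with its weaker stopping condition, worked on a small finite transition system as an added example that is not part of the original slides; the transition system, the partition and the over-approximation post_m are constructed:

```python
# Added example, not code from the slides: Pre/Post operators on a finite
# transition system, the quotient transition system T/P induced by a partition
# P, the exact stopping condition for bisimulation (Fact 2 about QTS) and the
# conservative approximate QTS T_M/P built from an over-approximating Post_M
# together with its stopping condition. Transitions are a set of (p, q) pairs;
# the transition system, partition and over-approximation M are constructed.

def pre(trans, P):
    """Pre(P) = { q | there is p in P with q -> p }."""
    return frozenset(q for q, p in trans if p in P)

def post(trans, P):
    """Post(P) = { q | there is p in P with p -> q }."""
    return frozenset(q for p, q in trans if p in P)

def quotient(trans, partition, post_op=post):
    """Edges P1 -> P2 of T/P: Post(P1) meets P2. With post_op=Post_M this is T_M/P."""
    return frozenset((P1, P2) for P1 in partition for P2 in partition
                     if post_op(trans, P1) & P2)

def exact_bisimulation(trans, partition):
    """Fact 2: T/P is a bisimulation iff P ∩ Pre(P') is empty or all of P, for all P, P'."""
    return all(P & pre(trans, Pp) in (frozenset(), P)
               for P in partition for Pp in partition)

def approx_bisimulation(trans, partition, post_m):
    """Approximate condition: whenever Post_M(P) meets P', every p in P has a real
    successor in P', and Post_M(P) lies inside P' (so P has at most one successor)."""
    for P in partition:
        reach = post_m(trans, P)
        for Pp in partition:
            if not reach & Pp:
                continue
            if not reach <= Pp:
                return False
            if not all(post(trans, frozenset([p])) & Pp for p in P):
                return False
    return True

# Constructed T: states 0..5, deterministic transitions, two absorbing states.
TRANS = {(0, 2), (1, 3), (2, 4), (3, 5), (4, 4), (5, 5)}
PARTITION = [frozenset({0, 1}), frozenset({2, 3}), frozenset({4, 5})]

def post_m(trans, P):
    """Crude over-approximation of Post: also includes the successors' successors."""
    exact = post(trans, P)
    return exact | post(trans, exact)
```

With the exact Post, T/P has the three edges A→B, B→C, C→C and satisfies the stopping condition; with post_m the quotient gains the spurious edge A→C, still simulates T/P, but fails the approximate stopping condition because PostM(A) meets two blocks.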
Application to PIHA: TH/P Approximation
• Partition
  • Initial states
  • Entry states: faces of cell p for each location (p,q)
• Each state is a triple (polytope, p, q), where the polytope is
  • on the boundary of cell p; or
  • contained in the continuous initial set for some location (p,q)
• Use flow pipe approximations to compute PostM of each such state
Approximating Reachable Sets: Previous Work
• Model theory and quantifier elimination
  • R. Alur, T.A. Henzinger, and P.-H. Ho. Automatic symbolic verification of embedded systems, 1996. (linear hybrid automata)
  • G. Lafferriere, G.J. Pappas, and S. Yovine. Decidable hybrid systems, 1996. (special classes of linear hybrid systems)
• Rectangular discretizations
  • E.K. Kornoushenko. Finite-automaton approximation to the behavior of continuous plants, 1975.
  • O. Stursberg, S. Kowalewski, and S. Engell. On the generation of timed discrete approximations for continuous systems, 1997.
  • T. Dang and O. Maler. Reachability analysis via face lifting, 1998.
• Piecewise linear hybrid automaton approximation
  • A. Puri, P. Varaiya, and V. Borkar. ε-approximation of differential inclusion, 1996.
  • T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. Algorithmic analysis of nonlinear hybrid systems, 1998.
Quantifier Elimination: Linear Hybrid Automata
• Continuous dynamics of the form ẋ ∈ F, where F is a constant convex polytope
• Reachable set is a polyhedron
Rectangular Discretization
• Information about the vector field is used to iteratively include reachable cells
*Figure from T. Dang and O. Maler, Reachability Analysis via Face Lifting, HS'98
Flow Pipe Approximations: Problem Statement
• Given a continuous dynamic system and a set of initial states X0
• Conservatively approximate the set of reachable states R[0,T](X0) from time t = 0 to t = T
Polyhedral Flow Pipe Approximations
• Divide R[0,T](X0) into [tk, tk+1] segments (figure: segments from X0 at times t1, …, t9)
• Enclose each segment with a convex polytope
• R[0,T](X0) = union of polytopes
A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998
Wrapping Hyperplanes Around a Set (1)
Step 1:
• Choose normal vectors c1, ..., cm
(figure: set S with normal vectors c1, c2, c3, c4)