Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems

1. Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems ADPM’2000 Norbert Völker University of Essex, England

2. Two Tanks System V0 L V2 V1 Given a controller, verify that the tanks do not overflow and an equilibrium is reached.

3. The Idea verify properties and requirements Controllers PLC Languages Plants Differential Equations Control Loops Requirements model Isabelle/HOL Model checker ODE solver

4. HOL • Version of higher order predicate logic designed for mechanical hardware verification. • Polymorphic type system:   ,   ,  list, … • Very expressive due to abstraction and quantification over functions. • Widely studied and well understood logical systems. • Methodology of embedding other formalisms in HOL, for example subsets of VHDL and Java.

5. Isabelle/HOL • Popular, interactive HOL theorem proving assistant. • Stresses logical safety - avoidance of inconsistency. • Supports safe theory extension by definitions, data types, primitive recursive functions, ... • Comes with libraries: nat, int, real, set, .... • Open and extendible • Proof results from external tools can be imported via oracles.

6. Discrete Components in HOL a 0 a 1 a 2 a 3   f b 0 b 1 b 2 b 3  stream = (  ) f ::  stream   stream causal f =  g.  n x. take n (f x) = g (take n x) stream operators, LTL operators transition systems, automata

7. Real Time clock = (   ) constant T :: clock T 0 T 1 T 2 T 3 T 0 T 1 T 2 T 3 Clocks are strictly monotonous, unbounded and start at 0. Conceptual clocks - cycle duration can vary

8. Function Blocks in HOL • IEC 61131-3 PLC programming languages Structured Text (ST) and Sequential Function Charts (SFC) • Function blocks written in an idealised subset of ST/SFC are mapped to automata in HOL. • Mapping is similar to writing an interpreter in a functional programming language. • Automata are not executed - size is not important as long as there is a compact representation in HOL. • The HOL embedding defines a semantics.

9. A Verifiable Subset of ST • Restriction to function block level: no configurations, resources, tasks or scheduling • Omission of absolute, global, reference or retentive variables. • Reactive model: actions are atomic • Idealised data types: Int, Bool, String, records, arrays • Disregard of implementation limitations. • Function block invocation has no side effects!

10. Real Analysis in Isabelle/HOL • Axiomatic type class V of finite-dimensional, normed vector spaces over  • Limits, continuity, differentiation • Type  flow = (  ) • Differentiation operator D:: (:: V ) flow   flow • Lots of elementary lemmas and theorems. • Currently no integration, exp, sqrt, ln, sin, … • Currently 17 K theory files, 95 K proof code files.

11. Differential Systems in HOL • A differential system (f,x0) without input is a transition system  diffsys = ([,  ]  )   where f is continuous and :: V. • Behaviour is given by the solution of the associated differential equation bhvD ::  diffsys   flow bhvD (f, x0) = ( g. g 0 = x0  D g = f  g) where  is Hilbert’s choice operator. • This does not mean we have solved the ODE.

12. Plants in HOL   F g 0 g 1 g 2 g 3 g 4 F ::  stream   flow causal F Transition systems (f,y0) f :: [, ]  , y0 ::   a. continuous (f a) g 0 = bhvD (f (x 0), y0) g (n+1) = bhvD (f (x (n+1), g n (T (n+1)))

13. A Control Loop in HOL B B B         ttc ttp 4,4 tt = feedback (ttp  ttc) 4,4 0 ttc ::  stream  (B B B) stream ttp :: (B B B) stream  (      ) stream

14. Verification • Use standard Isabelle proof strategies and tools: • induction, case distinctions, algebraic manipulation • conditional term rewriting • proof search algorithms • Problems: • command line user interface • still relatively low level of proofs • real number library not well developed yet • algebraic manipulation often cumbersome • few decision procedures • analytically intractable systems remain intractable in HOL

15. HOL models of automata, stream operators, LTL operators, PLC language subsets, differential and hybrid systems. The beginnings of a HOL Real Analysis library. Small verification examples (standard function blocks, traffic light, container control) Strong points: Compositional model of hybrid systems as causal functions on stream and flows. Verification lemmas yield understanding Trustworthiness of Isabelle/HOL What’s There

16. Models of bigger/ more faithful PLC language subsets More automation of HOL modelling and proofs Connection to other tools A better theorem prover front-end. Comprehensive Real Analysis and Control theory libraries Bigger examples Verification of function block libraries An answer to: What contribution can HOL make? What’s Missing

17. Questions or Comments?

18. Transition Systems in HOL (,) trsys = ([, ]  )   bhvT :: [(,) trsys,  stream ]   stream bhvT (f,y0) x 0 = y0 bhvT (f,y0) x (n+1) = f (x n) (bhvT (f,y0) x n) Theorem: causal bhvT

19. Automata in HOL (,,) automaton = (, ) trsys  ([, ]  ) bhvA :: [(,, ) automaton,  stream ]   stream bhvA (S,w) x n = w (x n) (bhvT S x n) Theorem: causal bhvA

20. S0 SFC Controller Start S1 S V0 T1 S1.T S2 S V1 V0 bool level  T2 S2.T bool V1  time S3 S V2 bool V2 Level  L S4 R V2 L Level

21. Controller in HOL ttc_autom :: (  ,   , BBB) automaton ttc_autom = ((ttc_tf, (0,0)), ttc_outf ) ttc_tf :: [   ,    ]     ttc_tf (level, t) (step, t0) = if step = 0 then (1,t)else if step = 1  T1 t t0then (2,t)else if step = 2  T2 t t0 then (3,t)else if step = 3  Level  L then (4,t)else if step = 4  Level  L then (3,t)else (step, t0 )

22. Controller in HOL (continued) ttc_outf :: [   ,    ]  B  B  B ttc_outf (level, t) (step, t0) = if step = 0 then (False,False,False)else if step = 1 then (True, False, False)else if step = 2 then (True, True, False)else if step = 3 then (True, True, True)else (True, False, False)

23. General Hybrid Systems   g   g :: [  stream,  flow]  stream  flow causal g