Model Checking of Robotic Control Systems - PowerPoint PPT Presentation

Presentation Transcript
Presenting: Sebastian Scherer

Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke

Model Checking of Robotic Control Systems
Outline
  • Motivation
    • Why verification
    • Scope
    • Control software
  • Method
  • Case Study
  • Conclusions
Why verify robot software?
  • Failure is expensive:
    • Interplanetary exploration
    • Crash / Rollover
  • Autonomy increases responsibility:
    • Human interaction
    • Large forces and momenta
The scope of our approach

Diagram: typical mobile robot architecture. Labels: Software, Hardware, Goal, Specified, Accumulation, Planning, Preprocessing, Controller, Actuators, Sensors, Environment. Callout: "Start by verifying this part."
Control systems are implemented in software
  • Main loop is only a small fraction of the control software:
    • Initialization
    • Exception handling
    • Conversion
  • Fatal bugs can be in any line of the code.

Diagram: the typical mobile robot architecture from the previous slide.
Outline
  • Motivation
  • Method
    • Capabilities & Limitations
    • Method
    • Model Checking
  • Case Study
  • Conclusions
Capabilities of our method
  • Utilizes environment (plant) of the control system.
  • Simulates behaviour:
    • Determines stability.
    • Models influence of noise.
    • Checks performance specifications.
    • Computes ranges of trajectories.
  • Checks programming errors:
    • Null pointer exceptions.
    • Deadlock, concurrency bugs.
    • Errors affecting the behavior.
  • Code checked is identical to executed code.
Limitations of our method
  • Discrete method:
    • Makes assertions only about a particular initial condition.
    • Continuous states are approximated up to a fixed point precision.
    • Precision often determines the length of a simulation trace and the size of the state space to explore.
    • Noise is approximated by a discrete set of values.
  • Detailed model:
    • Requires model relating inputs and outputs.
    • Additional memory and computation time.
  • Assumptions:
    • Time elapses only while tasks sleep.
    • Unbounded variables like time and distance must be abstracted manually.
Model check software with a physical environment

Diagram: Abstract controller -> Source code of controller -> Source code including the environment (code of controller + environment (plant)). Verify the actual source code.

Source code fragment of the controller (Mobot.java) as shown on the slide, truncated there:

import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;

public class Mobot
{
    static final int PR_DURATION_MSEC = 80;
    static final int PR_BEAT_MSEC = 1;
    static PianoRoll Piano_Roll = new PianoRoll(PR_DURATION_MSEC, PR_BEAT_MSEC);

    public static void main(String[] args)
    {
        DecsionPoints.runSys = true;
        // Initialize threads
        PWM2 pwm = PWM2.getInstance();
        Gate gate = Gate.getInstance();
        SpeedOMeter encoder = SpeedOMeter.getInstance();
        LightArray lightsensor = LightArray.getInstance();
        TLC2543 tlc = TLC2543.getInstance();
        if (Environment.isMC)
        {
            lightsensor.initDefault();
            SpeedControl speedcontrol = SpeedControl.getInstance();
            SteeringControl steeringcontrol = SteeringControl.getInstance();
            Environment env = Environment.getInstance();
Method

Diagram: software executed on the robot (actual robot) and the environment model, linked by sensors and actuators.

  • Execute the source code.
  • After all tasks sleep execute the environment.
  • Equivalent states are not revisited.
Method

Diagram: software executed on the robot (actual robot) and the environment model.

  • Software executes until all tasks yield.
  • Commands are set. Sensors are read. Time elapses.
  • Software executes with new sensor values.
  • Commands are set. Sensors are read. Time elapses with new commands.
Model checking

Diagram: states and transitions over the executed source code.

  • Model consists of states and transitions.
  • Java byte code specifies a model.
  • Verify a model against a specification given as logic properties.
  • The algorithm visits all states of the model to verify that none of the specified properties are violated.
  • If the same state is reached twice backtrack.
Java PathFinder

Diagram: the robot source code runs inside the Java Virtual Machine of the model checker; the environment runs on the host JVM running Java PathFinder.
  • All states are explored to find a violation of the properties.
  • Executing the byte code generates successors.
  • If no new successors are generated the search backtracks.
  • Environment byte code is executed on host JVM. No intermediate states are generated from it.
  • Environment stores only necessary state variables.
Outline
  • Motivation
  • Method
  • Case Study
    • Architecture
    • Verification
    • Model
    • Results
  • Conclusions
Overview
  • Robot has to follow a line and maintain a constant speed.
  • Native Java microcontroller executes the code.
  • Check source code without change.
Architecture
  • Actuators
    • Steering
    • Motors
  • Sensors
    • Light sensors
    • Encoder
Software
  • 3 tasks running with a fixed frequency of 33Hz.
  • Task 1: Reads sensor values.
  • Task 2: Controls the steering.
  • Task 3: Controls the velocity.
  • A fixed rate scheduler determines the execution order and duration.
Verification
  • Need model of the environment.
  • Need definition of states.
  • Verify robot starting from initial condition offset from center of line and on a straight line.
Environment model

Diagram: two models. Sensed position model: inputs velocity command and steering command. Sensed velocity model: input velocity command, output encoder velocity.

  • Two models necessary.
  • Models relate commands to sensor information.
  • Sensed position over line depends on
    • Steering command
    • Velocity command
  • Sensed encoder velocity depends on the velocity command.
Determining the model
  • One way to obtain a model of the environment is system identification.
  • Performed experiments and obtained a second-order model for velocity and a fourth-order model for steering.
  • The sensor quality gave a better fit for the velocity model.
States

Diagram: the discrete state comes from the source code, the continuous state from the state space model.

  • Continuous state:
    • 6 state variables
    • 2 inputs
  • States are discretized up to a fixed precision to terminate on stability and disambiguate quasi-equal states.
  • Monotonic variables such as time or distance are (manually) abstracted.
Non-Determinism
  • Possible to explore non-determinism in the software and environment.
  • Model checking explores a wider spread of trajectories.
  • Non-determinism is discrete. Differential equations are deterministic.

Figure caption: the red trajectory shows an actual trace of the robot; the blue region is the spread of trajectories covered by the model checker.
Results
  • Added different kinds of non-determinism to model.
    • Encoder reading off by -10, 0, +10 ticks
    • Failure of one sensor in the array of light sensors
    • Commanded steering and velocity pulsewidth is not accurate.

Diagram labels: Wheel, Slip, Ground.
Results
  • We verified a set of properties of the control software.
  • No programming errors (e.g. Null pointer exceptions) were found.
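The method of the Method, Model checking and Non-Determinism slides (run the controller until its task yields, then run the environment model, discretize the continuous state to a fixed precision, backtrack when a state repeats, and explore the -10/0/+10 encoder offsets from the Results slide), as an added Python illustration that is neither the authors' code nor Java PathFinder. The PI controller, first-order plant, gains, tick scale, the V_MAX specification and the seeded signed-byte narrowing bug are all constructed for this example; a single simulation with zero offset never wraps the encoder count, the exhaustive search does.

```python
TARGET = 1.2                       # velocity set-point (constructed value)
DT, TAU, GAIN = 0.03, 0.3, 2.0     # 33 Hz period, first-order plant (constructed)
KP, KI, I_LIMIT = 2.0, 0.3, 10.0   # PI gains and integrator clamp (constructed)
TICKS_PER_UNIT = 80                # encoder ticks per velocity unit (constructed)
ENCODER_NOISE = (-10, 0, 10)       # nondeterministic encoder offsets, as on the slides
PRECISION = 0.01                   # fixed-point cell size for continuous variables
V_MAX = 1.9                        # performance specification checked in every state

def cell(x):
    """Discretize a continuous value to an integer fixed-point cell."""
    return round(x / PRECISION)

def decode_ticks(ticks, narrow_to_byte):
    """Encoder ticks to velocity; narrow_to_byte seeds a signed-8-bit conversion bug."""
    if narrow_to_byte:
        ticks = (ticks + 128) % 256 - 128   # count silently wraps above 127
    return ticks / TICKS_PER_UNIT

def controller(measured, integ):
    """PI velocity controller with integrator clamp and actuator saturation."""
    err = TARGET - measured
    integ = max(-I_LIMIT, min(I_LIMIT, integ + err))
    cmd = max(-1.0, min(1.0, KP * err + KI * integ))
    return cmd, integ

def plant(v, cmd):
    """Environment model, executed once the control task has yielded."""
    return v + DT * (GAIN * cmd - v) / TAU

def successors(state, narrow_to_byte):
    """One control period for every nondeterministic encoder offset."""
    v, integ = state[0] * PRECISION, state[1] * PRECISION
    for noise in ENCODER_NOISE:
        measured = decode_ticks(round(v * TICKS_PER_UNIT) + noise, narrow_to_byte)
        cmd, new_integ = controller(measured, integ)
        yield (cell(plant(v, cmd)), cell(new_integ)), noise

def model_check(narrow_to_byte=False):
    """Exhaustive DFS; returns (states visited, max velocity, counterexample or None)."""
    start = (cell(0.0), cell(0.0))
    seen, v_max_cell = {start}, 0
    stack = [(start, ())]                # state plus the noise choices leading to it
    while stack:
        state, trace = stack.pop()
        v_max_cell = max(v_max_cell, state[0])
        if state[0] > cell(V_MAX):       # specification violated: return the trace
            return len(seen), v_max_cell * PRECISION, trace
        for nxt, noise in successors(state, narrow_to_byte):
            if nxt not in seen:          # equivalent state seen before: backtrack
                seen.add(nxt)
                stack.append((nxt, trace + (noise,)))
    return len(seen), v_max_cell * PRECISION, None
```

`model_check()` explores every discretized state of the correct controller and reports the range of velocities reached; `model_check(narrow_to_byte=True)` returns the sequence of encoder offsets that drives the wrapped reading into a runaway past V_MAX.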
Conclusion
  • Model checker covers a sufficient range of trajectories to simulate all inputs to program.
  • Seeded type conversion bug was found.
  • Verifies software for robot controllers directly.
  • Discretization, abstraction and extraction of continuous states enable efficient verification.
  • Exhaustive exploration of non-determinism such as random sensor failure.
  • Aids the control system designer by direct verification of all reachable states of the model.
Future work
  • Prove correctness of model checking algorithm
  • Extend notion of discretization of state space to be an over-approximation.
  • Provide integrated support for modeling the environment
  • Integrate with higher level software interfaces
  • Check complex systems
  • Extend to languages other than Java
Contact Information:

Sebastian Scherer

basti@andrew.cmu.edu

http://www.cs.cmu.edu/~basti/

Questions? Comments?