Hybrid System Verification Using Discrete Model Approximations

Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University Pittsburgh, PA, USA.

Note:  contribution Outline • Hybrid Systems and Verification • MATLAB Verification Tool • Verification Example • Conclusions

Continuous Dynamics Differential Equations/Inclusions Stopwatch Timers etc. Discrete Dynamics Finite State Automata Petri Nets etc. Hybrid Systems

Hybrid Systems • Found virtually everywhere • Result of switching logic in many computer-controlled applications • Extremely difficult to analyze • Small perturbation can lead to drastically different behavior • No universally accepted framework for analysis and control

Focus: The Verification Problem system property (specification) • Very important problem for safety-critical applications • All behaviors must be taken into account Does the system satisfy the property? Yes/No system model

Outline • Hybrid Systems and Verification • MATLAB Verification Tool • Verification Example • Conclusions

Simulink/Stateflow Front End (graphical editing, simulation) MATLAB Tool Overview Threshold-event-driven Hybrid Systems (TEDHS) Flow Pipe Approximations Conversion Quotient Transition System Partition Refinement Polyhedral-Invariant Hybrid Automaton (PIHA) ACTL Verification Initial Partition

switched continuous dynamics threshold event generator threshold events u(t) x(t) y(t) v(t) F(.,.) g(.) zero detector u(t) = h(u(t-),v(t)) u(0-) = u0 finite state machine (event driven) Threshold-event-driven Hybrid Systems (TEDHS)

TEDHS Front End • Built on top of Simulink in MATLAB • Simulink’s simulation capability can be exploited • Special blocks customized through Simulink’s masking mechanism • Major supported block types • Switched Continuous System Block (SCSB) • Polyhedral Threshold Block (PTHB) • Finite State Machine Block (FSMB) • Multiplexer and Logical Operators (And, Or, Not)

x u Switched Continuous System Switched Continuous System • Parameter: Switching function f • Input: Discrete condition signal u • Output: Continuous state vector x • Description: Continuous dynamics selected by discrete input signal

x C*x <= d Polyhedral Threshold Polyhedral Threshold • Parameters:C,d • Input: Continuous state vector x • Output: Boolean signal 1 if Cx d 0 otherwise • Description: Outputs Boolean signal indicating whether continuous state variable x is in polyhedron Cx d

event input (vectorized) scalar data inputs data 1 . . q . data N Finite State Machine Finite State Machine (Stateflow) • Inputs: • Data: Boolean condition signals which are functions of PTHB and FSMB outputs • Event: Transition edges of Boolean condition signals which are functions of PTHB outputs • Output: Discrete signal (integer) indicating active state of FSM • Description: State transitions are driven by input data and event signals.

x1 Mux Mux2 Switched th1 Continuous System 1 Mux C*x <= d Mux Polyhedral Threshold 1 x2 th2 C*x <= d Switched Continuous System 2 Polyhedral OR Threshold 2 Logical x3 th3 Operator C*x <= d Mux Mux1 Switched Polyhedral Continuous System 3 Threshold 3 q1 c1 q c2 Finite State Machine 1 c1 q2 q c2 Finite State Machine 2 Sample Block Diagram

Hybrid Automaton guard condition location (discrete state) edge u’ u reset condition invariant: hybrid automaton may remain in u as long as xI(u) initial condition continuous dynamics

Reset Condition exit states entry states

Polyhedral-Invariant Hybrid Automaton (PIHA) identity reset u hyperplane guard invariant is the convex polytope defined from complements of the guards ordinary differential equation

Hybrid System State Space • Given by cross product XcXd • Continuous state space Xc given by cross product of nscs state spaces for all SCSBs. Xc = Xc1 … Xcnscs • Discrete state space Xd given by cross product of nfsm state spaces for all FSMBs. Xd = Xd1 … Xdnfsm

Continuous State Space Partition • Restrict our attention to bounded subset of Xc called analysis region (AR) • Partition Xc into polyhedral cells by all hyperplanes cTx= d from all PTHBs • Output values of all PTHBs are constant across all xc in each cell analysis region cell hyperplane

PIHA Construction • Each location is a pair (p,q) • p: cell p • q: FSM states • p is the invariant • p determines outputs of PTHBs in the TEDHS • q contains outputs of FSMBs in the TEDHS • q directly determines continuous dynamics

Location Transition h’ • Events occur when continuous trajectory x crosses hyperplane h on boundary of cell p • Determine neighboring cell p’ that is reached by crossing h • Use p and p’ to compute PTHB outputs before and after hyperplane crossing • Determine events that occur and make FSM state transition from q to q’ • Transition to a special (empty) location when crossing hyperplane on analysis boundary p h p’ (p,q) h h’ out of AR (p’,q’)

Transition Systems T = (Q,,Q0) • Q: set of states (possibly infinite/continuum) •  QQ: transition relation • Q0 : initial states T = (Q,,Q0,2AP,L) • AP: set of atomic propositions • L:Q  2AP: labeling function unlabeled labeled

PIHA Semantics:Discrete-Trace Transition Systems • Given a hybrid system H, TH = (X0Xentry{qu},H,X0) • Discrete Transitions: • (x,u) H (x',u')  u  u', e = (u,u'), and there is a continuous trajectory from x to a state x''  G(e) such that x'  R(e,x'') • Null Transitions: • (x,u) Hquthere is a continuous trajectory from x that never leaves the location u completely masks the continuous-time behavior

TH Illustration exit states entry states

Simulation of Transition Systems Given T1 = (Q1, 1, Q1o, 2AP,L1), T2 = (Q2, 2, Q2o,2AP,L2), T2simulatesT1if there exists a binary relationQ1 Q2such that • is total (involves all of Q1) • q1q2 (q1Q1oq2Q2o and L1(q1) = L2(q2)) • q1q2 and q1 1 q1 there exists q2 such that q1q2 and q2 2 q2 q1 q2 Q1 Q2 q1 q2 T1T2

Bisimulation Given T1 = (Q1, 1,Q1o,2AP,L1),T2 = (Q2, 2, Q2o,2AP,L2), a relation  Q1 Q2is a bisimulation if •  is a simulation relation of T1 by T2 • -1 is a simulation relation of T2 by T1 Q1 q1 q2 Q2 q1 q2 T1T2

Simulation vs. Bisimulation • Simulation • Conservative approximation of labeled behaviors • Can be used to verify universal specifications • Bisimulation • Equivalent to original system wrt labeled behaviors • Obtained through iterative refinements of quotient transition systems • Can be used to verify all specifications

Quotient Transition Systems (QTS) T • Given transition system T = (Q,,Q0) • Pre(P) = { q | pP, q  p } • Post(P) = { q | pP, p  q } • Quotient transition system T/P = (P,P , Q0/P) where • P : a partition of Q • P1 P P2 for P1,P2  P  q1 q2 for some q1P1, q2P2  Post(P1)  P2    P1 Pre(P2)   T/P

P P' P' P Facts About QTS 1. T  T/P 2. T/P is a bisimulation if and only if P  Pre(P') =  or P for all P, P'  P stopping condition for bisimulation procedure

Approximating QTS • Reachability approximation (for continuous dynamics)  Quotient transition system approximation • Computing QTS requires computation of reachable sets in Pre and Post operators • Reachable set cannot be computed exactly in general

Approximate QTS • Given reachability approximation method M • Pre(P) PreM(P) • Post(P) PostM(P) • Approximate quotient transition system TM/P = (P,PM , Q0/P) where • P1 PMP2 for P1,P2  P PostM(P1)  P2   conservative

Facts About Approximate QTS can use TM/P to verify universal specification 1. T  T/P  TM/P usual  bisimulation condition no longer holds for approximation 2. TM/P is a bisimulation if (PostM(P)  P') pP,p'P',pp’ and P,P'P, PostM(P)  P' =  or PostM(P) stopping condition for bisimulation with approximation P has at most one successor

Application to PIHA:TH/P Approximation • Partition • Initial States • Entry States: Faces of cell p for each location (p,q) • Each state is (,p,q) where  is a polytope • on boundary of cell p; or • contained in the continuous initial set for some location (p,q) • Use flow pipe approximations to computePost M((,p,q))

Approximating Reachable Sets: Previous Work • Model theory and quantifier elimination • R. Alur, T.A. Henzinger, and P.-H. Ho. Automatic symbolic verification of embedded systems, 1996. (linear hybrid automata) • G. Lafferriere, G.J. Pappas, and S. Yovine. Decidable hybrid systems, 1996. (special classes of linear hybrid systems) • Rectangular Discretizations • E.K. Kornoushenko. Finite-automaton approximation to the behavior of continuous plants, 1975. • O. Stursberg, S. Kowalewski, and S. Engell. On the generation of timed discrete approximations for continuous systems, 1997. • T. Dang and O. Maler, Reachability Analysis via Face Lifting, 1998. • Piecewise linear hybrid automaton approximation • A. Puri, P. Varaiya, and V. Borkar. -approximation of differential inclusion, 1996. • T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. Algorithmic analysis of nonlinear hybrid systems, 1998.

Quantifier Elimination:Linear Hybrid Automata • Continuous dynamics of the form where F is a constant convex polytope • Reachable set is a polyhedron

Rectangular Discretization • Information about vector field is used to iteratively include reachable cells *Figure from T. Dang and O. Maler, Reachability Analysis via Face Lifting, HS'98

Flow Pipe Approximations: Problem Statement • Given a continuous dynamic system, and a set of initial states, X0 • Conservatively approximate the set of reachable states R[0,T](X0) from time t = 0 to t = T

t6 t5 t7 t4 t3 t8 t2 t9 t1 • divide R[0,T](X0) into [tk,tk+1] segments • enclose each segment with a convex polytope Polyhedral Flow Pipe Approximations X0 • R[0,T](X0) = union of polytopes A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998

Wrapping Hyperplanes Around a Set (1) Step 1: • Choose normal vectors, c1,...,cm c2 c1 S c3 c4

Hybrid System Verification Using Discrete Model Approximations

Hybrid System Verification Using Discrete Model Approximations

Presentation Transcript

Using the Hybrid- p Model

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata

Unbounded Data Model Verification Using SMT Solvers

Discrete Choice Model

Discrete Abstractions of Hybrid Systems

Field quantization via discrete approximations: problems and perspectives.

Model Verification

Assembly Code Verification Using Model Checking

Succinct Approximations of Distributed Hybrid Behaviors

Using Discrete System Simulation to Model the Lane County Criminal Justice System

Verification of Hybrid Simulation

Model Formulation, Numerics and Approximations

Hybrid School Model

Verification Model

System verification

Verification of FT System Using Simulation

Probabilistic Verification of Discrete Event Systems using Acceptance Sampling

System Functionality Verification using FPGA

LEP Model Verification

Hybrid equivalent model

Speaker Verification System using SVM

Succinct Approximations of Distributed Hybrid Behaviors