Hybrid System Verification Using Discrete Model Approximations

Alongkrit Chutinan
Department of Electrical and Computer Engineering
Carnegie Mellon University, Pittsburgh, PA, USA.
Dec 21, 2015


Slide 2: Outline

- Hybrid Systems and Verification
- MATLAB Verification Tool
- Verification Example
- Conclusions

Slide 3: Hybrid Systems

- Continuous dynamics: differential equations/inclusions, stopwatch timers, etc.
- Discrete dynamics: finite state automata, Petri nets, etc.

Slide 4: Hybrid Systems

- Found virtually everywhere; the result of switching logic in many computer-controlled applications
- Extremely difficult to analyze: a small perturbation can lead to drastically different behavior
- No universally accepted framework for analysis and control

Slide 5: Focus: The Verification Problem

Inputs: a system model and a system property (specification). Output: Yes/No, does the system satisfy the property?

- Very important problem for safety-critical applications
- All behaviors must be taken into account

Slide 6: Outline

- Hybrid Systems and Verification
- MATLAB Verification Tool
- Verification Example
- Conclusions

Slide 7: MATLAB Tool Overview

Pipeline diagram:

1. Simulink/Stateflow front end (graphical editing, simulation)
2. Threshold-event-driven Hybrid Systems (TEDHS)
3. Conversion to a Polyhedral-Invariant Hybrid Automaton (PIHA)
4. Initial Partition
5. Flow Pipe Approximations
6. Quotient Transition System
7. ACTL Verification, with Partition Refinement feeding back into the quotient construction

Slide 8: Threshold-event-driven Hybrid Systems (TEDHS)

Block diagram with three components:

- Switched continuous dynamics $F(\cdot,\cdot)$ with continuous state $x(t)$, $x(0) \in X_0$, selected by the discrete input $u(t)$: $\dot{x} = F(u, x) = F_u(x)$
- Threshold event generator: a zero detector on $g(\cdot)$ turns the output $y(t)$ into threshold events $v(t)$
- Event-driven finite state machine: $u(t) = h(u(t^-), v(t))$, $u(0^-) = u_0$

Slide 9: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 10: TEDHS Front End

- Built on top of Simulink in MATLAB; Simulink's simulation capability can be exploited
- Special blocks customized through Simulink's masking mechanism
- Major supported block types: Switched Continuous System Block (SCSB), Polyhedral Threshold Block (PTHB), Finite State Machine Block (FSMB), Multiplexer and Logical Operators (And, Or, Not)

Slide 11: Switched Continuous System

- Parameter: switching function f
- Input: discrete condition signal u
- Output: continuous state vector x
- Description: continuous dynamics selected by the discrete input signal, $\dot{x} = f_u(x)$

Slide 12: Polyhedral Threshold

- Parameters: C, d
- Input: continuous state vector x
- Output: Boolean signal, 1 if $Cx \le d$, 0 otherwise
- Description: outputs a Boolean signal indicating whether the continuous state vector x is in the polyhedron $Cx \le d$ (block label: C*x <= d)

Slide 13: Finite State Machine (Stateflow)

Inputs:
- Data: Boolean condition signals which are functions of PTHB and FSMB outputs (scalar data inputs data 1, ..., data N)
- Event: transition edges of Boolean condition signals which are functions of PTHB outputs (vectorized event input)

Output: discrete signal q (integer) indicating the active state of the FSM.

Description: state transitions are driven by the input data and event signals.


Slide 17: Sample Block Diagram

(Simulink diagram: three Switched Continuous System blocks with state outputs x1, x2, x3; three Polyhedral Threshold blocks (C*x <= d) with outputs th1, th2, th3; Mux blocks; an OR Logical Operator; two Finite State Machine blocks with condition inputs c1, c2 and state outputs q1, q2.)

Slide 18: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 19: Hybrid Automaton

- Location (discrete state) u with continuous dynamics $\dot{x} \in F_u(x)$ and invariant $I(u)$: the hybrid automaton may remain in u as long as $x \in I(u)$
- Initial condition $x \in X_0$
- Edge e from u to u' with guard condition $x \in G(e)$ and reset condition $x' \in R(e, x)$ (the diagram shows edges $e_1, \dots, e_4$ with guards $G(e_i)$ and resets $R(e_i, x)$)

),( 2 xeRx

Slide 20: Reset Condition

(Figure: inside the invariant $I(u)$ a trajectory runs from an entry state $x(t_0)$ to an exit state $x(t_1) \in G(e)$; the reset relation $R(e, \cdot)$ on $\mathbb{R}^n$ maps exit states to entry states of the next location, $x(t_1^+) \in R(e, x(t_1))$.)

Slide 21: Polyhedral-Invariant Hybrid Automaton (PIHA)

- Location u with an ordinary differential equation $\dot{x} = f_u(x)$
- Hyperplane guards on the outgoing edges: $e_1: c_1^T x \ge d_1$, $e_2: c_2^T x \ge d_2$, $e_3: c_3^T x \ge d_3$
- The invariant $I(u)$ is the convex polytope defined from the complements of the guards: $c_1^T x \le d_1$, $c_2^T x \le d_2$, $c_3^T x \le d_3$
- Identity reset on every edge: $x' = x$

Slide 22: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 23: Hybrid System State Space

Given by the cross product $X_c \times X_d$.

- Continuous state space $X_c$: the cross product of the $n_{scs}$ state spaces of all SCSBs, $X_c = X_{c1} \times \dots \times X_{c\,n_{scs}}$
- Discrete state space $X_d$: the cross product of the $n_{fsm}$ state spaces of all FSMBs, $X_d = X_{d1} \times \dots \times X_{d\,n_{fsm}}$

Slide 24: Continuous State Space Partition

- Restrict attention to a bounded subset of $X_c$ called the analysis region (AR)
- Partition $X_c$ into polyhedral cells by all hyperplanes $c^T x = d$ from all PTHBs
- The output values of all PTHBs are constant across all $x_c$ in each cell

(Figure: analysis region cut into cells by the PTHB hyperplanes.)

Slide 25: PIHA Construction

Each location is a pair (p, q), where p is a cell and q is a tuple of FSM states.

- p is the invariant; p determines the outputs of the PTHBs in the TEDHS
- q contains the outputs of the FSMBs in the TEDHS; q directly determines the continuous dynamics

Slide 26: Location Transition

- Events occur when the continuous trajectory x crosses a hyperplane h on the boundary of cell p
- Determine the neighboring cell p' that is reached by crossing h
- Use p and p' to compute the PTHB outputs before and after the hyperplane crossing
- Determine the events that occur and make the FSM state transition from q to q'
- Transition to a special (empty) location when crossing a hyperplane h' on the analysis-region boundary

(Figure: location (p, q) goes to (p', q') across h; crossing h' leads out of the AR.)

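The cell partition of slide 24 and the location-transition procedure of slides 25 and 26, as an added worked example in Python; this is not the slides' MATLAB tool. The three thresholds, the two-state FSM with its event table, and the analysis region are constructed for illustration. The PTHB semantics (output 1 iff $c^T x \le d$) and the event rule (events are the rising and falling edges of PTHB outputs produced by a hyperplane crossing) follow the slides; a cell is represented by its PTHB output vector, which the slides note is constant inside a cell.

```python
# Added example (not from the slides): 2-D cell partition by PTHB hyperplanes,
# PTHB outputs per cell, and the PIHA location transition (p,q) -> (p',q').
from itertools import product

# Constructed PTHBs: (name, c, d) means output 1 iff c^T x <= d.
PTHBS = [
    ("th1", (1.0, 0.0), 1.0),   # x1 <= 1
    ("th2", (0.0, 1.0), 2.0),   # x2 <= 2
    ("th3", (1.0, 1.0), 2.5),   # x1 + x2 <= 2.5
]
AR = ((-1.0, 3.0), (-1.0, 4.0))  # constructed analysis region, a box in (x1, x2)
OUT_OF_AR = "out_of_AR"          # the special (empty) location of slide 26

def pthb_outputs(x):
    """PTHB output vector for the continuous state x (1 iff c^T x <= d)."""
    return tuple(int(c[0] * x[0] + c[1] * x[1] <= d) for _, c, d in PTHBS)

def cell_of(x):
    """Cell p containing x: the PTHB sign vector, constant across the cell; OUT_OF_AR outside the AR."""
    if not all(lo <= xi <= hi for xi, (lo, hi) in zip(x, AR)):
        return OUT_OF_AR
    return pthb_outputs(x)

def nonempty_cells(samples=40):
    """Cells that actually meet the AR, found by grid sampling (not every sign vector is realisable)."""
    (a0, a1), (b0, b1) = AR
    pts = ((a0 + (a1 - a0) * i / samples, b0 + (b1 - b0) * j / samples)
           for i, j in product(range(samples + 1), repeat=2))
    return sorted({cell_of(p) for p in pts} - {OUT_OF_AR})

# Constructed event-driven FSM (q in {0,1}): (q, event) -> q'. A falling edge of th1
# (x leaves x1 <= 1) moves 0 -> 1; a rising edge of th2 (x enters x2 <= 2) moves 1 -> 0.
FSM = {(0, "th1_fall"): 1, (1, "th2_rise"): 0}

def events(before, after):
    """Threshold events generated by a crossing: edges of the PTHB outputs from p to p'."""
    evs = []
    for (name, _, _), b, a in zip(PTHBS, before, after):
        if b == 1 and a == 0:
            evs.append(name + "_fall")
        if b == 0 and a == 1:
            evs.append(name + "_rise")
    return evs

def location_transition(p, q, x_cross, step=1e-6):
    """Slide 26: from location (p,q), a crossing at point x in direction v (pointing out of p)
    reaches the neighbouring cell p'; the PTHB outputs of p and p' give the events, which drive
    the FSM from q to q'. Crossing the AR boundary goes to the special empty location."""
    x, v = x_cross
    x_after = (x[0] + step * v[0], x[1] + step * v[1])
    p_next = cell_of(x_after)
    if p_next == OUT_OF_AR:
        return OUT_OF_AR, q
    q_next = q
    for ev in events(p, p_next):
        q_next = FSM.get((q_next, ev), q_next)  # events without a table entry are ignored
    return p_next, q_next
```

The neighbouring cell is found by stepping a small distance across the hyperplane, which is adequate when hyperplanes are in general position; the tool itself identifies p' combinatorially from the cell adjacency. Note that the FSM only reacts to events it has a table entry for, so a crossing can change p without changing q.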

Slide 31: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 32: Transition Systems

- Unlabeled: $T = (Q, \rightarrow, Q_0)$, where Q is the set of states (possibly infinite/continuum), $\rightarrow \subseteq Q \times Q$ is the transition relation, and $Q_0$ the set of initial states
- Labeled: $T = (Q, \rightarrow, Q_0, 2^{AP}, L)$, where AP is a set of atomic propositions and $L: Q \to 2^{AP}$ is the labeling function

Slide 33: PIHA Semantics: Discrete-Trace Transition Systems

Given a hybrid system H, $T_H = (X_0 \cup X_{entry} \cup \{q_u\}, \rightarrow_H, X_0)$.

- Discrete transitions: $(x,u) \rightarrow_H (x',u')$ iff $u \ne u'$, $e = (u,u')$, and there is a continuous trajectory from x to a state $x'' \in G(e)$ such that $x' \in R(e, x'')$
- Null transitions: $(x,u) \rightarrow_H q_u$ iff there is a continuous trajectory from x that never leaves location u

$T_H$ completely masks the continuous-time behavior.

Slide 34: $T_H$ Illustration

(Figure: inside $I(u)$, entry states flow to exit states $x \in G(e)$; the reset $R(e, x)$ maps them to entry states of the next location, giving the discrete transition $(x,u) \rightarrow_H (x',u')$; a trajectory that never exits gives $(x,u) \rightarrow_H q_u$.)

Slide 35: Simulation of Transition Systems

Given $T_1 = (Q_1, \rightarrow_1, Q_{1o}, 2^{AP}, L_1)$ and $T_2 = (Q_2, \rightarrow_2, Q_{2o}, 2^{AP}, L_2)$, $T_2$ simulates $T_1$ if there exists a binary relation $\preceq \subseteq Q_1 \times Q_2$ such that

- $\preceq$ is total (involves all of $Q_1$)
- $q_1 \preceq q_2$ implies ($q_1 \in Q_{1o} \Rightarrow q_2 \in Q_{2o}$) and $L_1(q_1) = L_2(q_2)$
- $q_1 \preceq q_2$ and $q_1 \rightarrow_1 q_1'$ implies there exists $q_2'$ such that $q_1' \preceq q_2'$ and $q_2 \rightarrow_2 q_2'$

(Figure: related pairs $(q_1, q_2)$ and $(q_1', q_2')$ in $T_1$ and $T_2$.)

Slide 36: Bisimulation

Given $T_1 = (Q_1, \rightarrow_1, Q_{1o}, 2^{AP}, L_1)$ and $T_2 = (Q_2, \rightarrow_2, Q_{2o}, 2^{AP}, L_2)$, a relation $\sim \subseteq Q_1 \times Q_2$ is a bisimulation if

- $\sim$ is a simulation relation of $T_1$ by $T_2$, and
- $\sim^{-1}$ is a simulation relation of $T_2$ by $T_1$.

Slide 37: Simulation vs. Bisimulation

- Simulation: a conservative approximation of the labeled behaviors; can be used to verify universal specifications
- Bisimulation: equivalent to the original system with respect to labeled behaviors; obtained through iterative refinement of quotient transition systems; can be used to verify all specifications

Slide 38: Quotient Transition Systems (QTS)

Given a transition system $T = (Q, \rightarrow, Q_0)$, define
$Pre(P) = \{ q \mid \exists p \in P,\ q \rightarrow p \}$ and $Post(P) = \{ q \mid \exists p \in P,\ p \rightarrow q \}$.

The quotient transition system is $T/\mathcal{P} = (\mathcal{P}, \rightarrow_{\mathcal{P}}, Q_0/\mathcal{P})$, where $\mathcal{P}$ is a partition of Q and, for $P_1, P_2 \in \mathcal{P}$,
$P_1 \rightarrow_{\mathcal{P}} P_2 \iff q_1 \rightarrow q_2$ for some $q_1 \in P_1,\ q_2 \in P_2 \iff Post(P_1) \cap P_2 \ne \emptyset \iff P_1 \cap Pre(P_2) \ne \emptyset$.

(Figure: T and its quotient $T/\mathcal{P}$.)

Slide 39: Facts About QTS

1. $T \preceq T/\mathcal{P}$ (the quotient simulates T)
2. $T/\mathcal{P}$ is a bisimulation if and only if, for all $P, P' \in \mathcal{P}$, $P \cap Pre(P') = \emptyset$ or $P \cap Pre(P') = P$ (the stopping condition for the bisimulation procedure)

Slide 40: Approximating QTS

- Reachability approximation (for the continuous dynamics)
- Quotient transition system approximation
- Computing the QTS requires computing reachable sets in the Pre and Post operators, and the reachable set cannot be computed exactly in general

Slide 41: Approximate QTS

Given a reachability approximation method M with $Pre(P) \subseteq Pre_M(P)$ and $Post(P) \subseteq Post_M(P)$, the approximate quotient transition system is
$T_M/\mathcal{P} = (\mathcal{P}, \rightarrow^M_{\mathcal{P}}, Q_0/\mathcal{P})$, where $P_1 \rightarrow^M_{\mathcal{P}} P_2 \iff Post_M(P_1) \cap P_2 \ne \emptyset$ for $P_1, P_2 \in \mathcal{P}$.
This is conservative: it may contain transitions that $T/\mathcal{P}$ does not, but never misses one.

Slide 42: Facts About Approximate QTS

1. $T \preceq T/\mathcal{P} \preceq T_M/\mathcal{P}$, so $T_M/\mathcal{P}$ can be used to verify universal specifications
2. $T_M/\mathcal{P}$ is a bisimulation if, for all $P, P' \in \mathcal{P}$,
   - $Post_M(P) \cap P' = \emptyset$ or $Post_M(P) \subseteq P'$ (P has at most one successor), and
   - $Post_M(P) \cap P' \ne \emptyset \Rightarrow \forall p \in P,\ \exists p' \in P',\ p \rightarrow p'$

The usual bisimulation condition no longer holds for the approximation; this is the stopping condition for bisimulation with approximation.

Slide 43: Application to PIHA: $T_H/\mathcal{P}$ Approximation

- Partition: the initial states and the entry states (faces of cell p for each location (p, q))
- Each state is $(\pi, p, q)$, where $\pi$ is a polytope on the boundary of cell p, or contained in the continuous initial set, for some location (p, q)
- Use flow pipe approximations to compute $Post_M((\pi, p, q))$

Slide 44: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 45: Approximating Reachable Sets: Previous Work

Model theory and quantifier elimination:
- R. Alur, T.A. Henzinger, and P.-H. Ho. Automatic symbolic verification of embedded systems, 1996. (linear hybrid automata)
- G. Lafferriere, G.J. Pappas, and S. Yovine. Decidable hybrid systems, 1996. (special classes of linear hybrid systems)

Rectangular discretizations:
- E.K. Kornoushenko. Finite-automaton approximation to the behavior of continuous plants, 1975.
- O. Stursberg, S. Kowalewski, and S. Engell. On the generation of timed discrete approximations for continuous systems, 1997.
- T. Dang and O. Maler. Reachability Analysis via Face Lifting, 1998.

Piecewise linear hybrid automaton approximation:
- A. Puri, P. Varaiya, and V. Borkar. $\epsilon$-approximation of differential inclusions, 1996.
- T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. Algorithmic analysis of nonlinear hybrid systems, 1998.

Slide 46: Quantifier Elimination: Linear Hybrid Automata

Continuous dynamics of the form $\dot{x} \in F$, where F is a constant convex polytope. The reachable set $Reach_{[0,T]}(X_0)$ is then a polyhedron.

(Figure: $X_0$, the polytope F, and $Reach_{[0,T]}(X_0)$ in the $(x_1, x_2)$ plane.)

Slide 47: Rectangular Discretization

Information about the vector field is used to iteratively include reachable cells.

(Figure from T. Dang and O. Maler, Reachability Analysis via Face Lifting, HS'98.)

Page 48: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

and a set of initial states, X0

Conservatively approximate the set of reachable states R[0,T](X0) from time t = 0 to t = T

),(xfx

Flow Pipe Approximations: Problem Statement Given a continuous dynamic system,

Slide 49: Polyhedral Flow Pipe Approximations

A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998.

- Divide $R_{[0,T]}(X_0)$ into segments $R_{[t_k, t_{k+1}]}(X_0)$
- Enclose each segment with a convex polytope
- Approximate $R_{[0,T]}(X_0)$ by the union of these polytopes

(Figure: flow pipe from $X_0$ with segment boundaries at $t_1, \dots, t_9$.)

Page 50: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

S

c4

c3

c2c1

Wrapping Hyperplanes Around a Set (1)

Step 1: Choose normal

vectors, c1,...,cm

Page 51: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

S

c4

c3

c2

c1

Wrapping Hyperplanes Around a Set (2)

Step 2: Adjust each

hyperplane so that it just touches S

By solving for each i optimization problem

xcd Ti

Sxi max

Page 52: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

],[

..

),(max

1

00

0,0

kk

Ti

txi

ttt

Xxts

xtxcd

The optimization problem is solved by embedding simulation into objective function computation routine

)( 0],[ 1XR

kk tt

Wrapping a Flow Pipe Segment

Given normal vectors ci, we shrink wrap in a polytope by solving for each i

Page 53: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

Choosing Normal Vectors We probably need a different set of normal

vectors ci to shrink wrap each segment Heuristics:

Compute vertices of X0 at times tk and tk+1 using ODE solver

Form convex hull from these points Use normal vectors from faces of convex hull

Slide 54: Flow Pipe Segment Approximation

- Step 1.a: simulate trajectories from each vertex of $X_0$ to obtain Vertices($X_0$) at $t_k$ and at $t_{k+1}$
- Step 1.b: take the convex hull and identify its outward normal vectors $c_i$
- Step 2: solve the optimization for each $d_i$; the flow pipe segment is approximated by $\{ x \mid c_i^T x \le d_i,\ \forall i \}$

Page 55: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

X x x0 1 20 8 1 0 { . , }

. ( )

x x

x x x x1 2

2 12

2 10 2 1

Van der Pol Equation

Uniform time steptk = 0.5

Initial Set

Example 1: Van der Pol Equation

Page 56: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

analytical solutionbAxx

t AAtt

Atttt bdeeXReXR

00],0[0],[ )(ˆ)(ˆ

t AAtAt bdeexextx

000 ),(

Improvements for Linear Systems

Flow pipe segment computation depends only on time step t

A segment can be obtained by applying affine transformation to another segment with the same t

No longer need to embed numerical integration into optimization when b = 0

Page 57: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

Transforming A Polytope

CT-1y d+CT-1v

Polytope TP + v

Cx d

Polytope P

y = Tx+v

PT v

t AAtt

Atttt bdeeXReXR

00],0[0],[ )(ˆ)(ˆ

Page 58: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

A

0 1 0

0 0 1

1 2 2

1

1

1

2

1

1

2

2

1

1

2

1

, , , and

Vertices for X0

Uniform time steptk = 0.1

Example 2: Linear System

Compute first segment Then transform it with eAt 49 times
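The segment construction of slides 49 to 54 and the $e^{At}$ transformation of slides 56 to 58, as one added worked example in Python; this is not the slides' MATLAB implementation. The system is a constructed 2-D linear system $\dot{x} = Ax$ with $A = [[0, 1], [-1, 0]]$ (a rotation, so $e^{At}$ has a closed form), $X_0$ is a constructed box and $\Delta t = 0.5$. The convex hull uses Andrew's monotone chain, and the slides' optimizer for $d_i$ is replaced by the maximum over the RK4 sub-steps of the vertex trajectories; for a linear system $c^T x(t, x_0)$ is linear in $x_0$, so restricting $x_0$ to the vertices loses nothing, but the maximum over t is sampled, so a sound implementation must add the slide-59 error bound to each $d_i$.

```python
# Added example (not the slides' tool): 2-D polyhedral flow pipe segment plus the
# e^{At} transformation for a constructed linear system x' = A x, A = rotation.
import math

A = ((0.0, 1.0), (-1.0, 0.0))                                   # constructed
X0_VERTICES = [(0.8, 0.8), (1.0, 0.8), (1.0, 1.0), (0.8, 1.0)]  # constructed box X0
DT = 0.5                                                        # constructed time step

def f(x):
    """Vector field x' = A x."""
    return (A[0][0] * x[0] + A[0][1] * x[1], A[1][0] * x[0] + A[1][1] * x[1])

def rk4(x, t0, t1, n=50):
    """Integrate x' = f(x) from t0 to t1 with n RK4 steps; returns all sub-step states."""
    h = (t1 - t0) / n
    pts = [x]
    for _ in range(n):
        k1 = f(x)
        k2 = f((x[0] + h / 2 * k1[0], x[1] + h / 2 * k1[1]))
        k3 = f((x[0] + h / 2 * k2[0], x[1] + h / 2 * k2[1]))
        k4 = f((x[0] + h * k3[0], x[1] + h * k3[1]))
        x = (x[0] + h / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
             x[1] + h / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))
        pts.append(x)
    return pts

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    def cross(o, a, b):
        return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]

def outward_normals(hull):
    """Step 1.b: unit outward normals of the edges of a CCW hull."""
    normals = []
    for i, p in enumerate(hull):
        q = hull[(i + 1) % len(hull)]
        dx, dy = q[0] - p[0], q[1] - p[1]
        n = math.hypot(dx, dy)
        normals.append((dy / n, -dx / n))
    return normals

def flow_pipe_segment(tk, tk1):
    """Slide 54: vertex trajectories -> hull of the end-time vertex sets -> normals c_i,
    then d_i = max c_i^T x(t, x0) over the sampled trajectories (stand-in for the optimiser)."""
    trajs = [rk4(v, tk, tk1) for v in X0_VERTICES]
    hull = convex_hull([tr[0] for tr in trajs] + [tr[-1] for tr in trajs])
    C = outward_normals(hull)
    d = [max(c[0] * x[0] + c[1] * x[1] for tr in trajs for x in tr) for c in C]
    return C, d

def contains(C, d, x, tol=1e-9):
    """Membership test for the polytope {x | C x <= d}."""
    return all(c[0] * x[0] + c[1] * x[1] <= di + tol for c, di in zip(C, d))

def transform_polytope(C, d, T, v=(0.0, 0.0)):
    """Slide 57: {x | Cx <= d} under y = T x + v becomes {y | C T^-1 y <= d + C T^-1 v}."""
    det = T[0][0] * T[1][1] - T[0][1] * T[1][0]
    Tinv = ((T[1][1] / det, -T[0][1] / det), (-T[1][0] / det, T[0][0] / det))
    C2 = [(c[0] * Tinv[0][0] + c[1] * Tinv[1][0], c[0] * Tinv[0][1] + c[1] * Tinv[1][1]) for c in C]
    d2 = [di + c2[0] * v[0] + c2[1] * v[1] for c2, di in zip(C2, d)]
    return C2, d2

def expA(t):
    """Closed-form e^{At} for the constructed rotation matrix A (solution x1 = x1 cos t + x2 sin t)."""
    return ((math.cos(t), math.sin(t)), (-math.sin(t), math.cos(t)))

def segment_by_transform(k):
    """Slide 56 with b = 0: segment k is the first segment mapped by e^{A t_k}, no re-integration."""
    C0, d0 = flow_pipe_segment(0.0, DT)
    return transform_polytope(C0, d0, expA(k * DT))
```

`segment_by_transform(k)` reproduces the slide-58 procedure (compute segment 0 once, transform it k times) for the constructed system; the transformed polytope encloses the directly integrated trajectories of the later segment up to integration error, which is the check a practitioner should run before trusting a transformed segment.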

Page 59: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

)(],[ PRttt

),( *0xtx

n/

))(),(ˆ( ],[],[ PRPRdisttt tttt

0

)(

*0

1)),((

xtLL tt ee

L

xtxfn

Approximation Error

Time step Size of X0

Lipschitz constant Vector field Dimension

Can be made arbitrarily small for each segment

)(ˆ],[ PR

ttt

Page 60: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

Flow Pipe Approximation

Applies in arbitrary dimensions Approximation error does not accumulate from

previous time step Approximation error can be made arbitrarily small by

bounds t - size of segment time step

independent of the starting time for the segment

x0 - size of initial set partition

depends on the starting time for the segment

Page 61: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

Approximating Transitions in TH/P

('1,p',q')

'1'2

('2,p',q')

(,p,q)

p p'

q q'

Slide 62: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 63: Selecting Initial Partition

- Start with the faces of the invariant cell for each location (p, q)
- Look at the vector field $f_q(x)$ on each face with normal vector c
- Split polytopes recursively to satisfy a vector field direction tolerance, a vector field variation tolerance, and a size tolerance
- This groups continuous states with similar qualitative behaviors

Page 64: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

Legendmax cTfq(x)

min cTfq(x)

Initial Partition Tolerances

Direction

1-1 0

1-1 0

1-1 0split

ok

ok

Variation2

2

split

ok

Sizesize 3

size 3

splitok

c

fq(x)

Page 65: Hybrid System Verification Using Discrete Model Approximations Alongkrit Chutinan Department of Electrical and Computer Engineering Carnegie Mellon University.

Splitting Polytopes for Initial Partitions (and Refinement)

cTx = dmax

P {cTx d}

cTx = d = (dmin+dmax)/2

P {cTx d}

cTx = dmin

c: split direction dmin,max = min,max cTx

xP

P

Slide 66: MATLAB Tool Overview (same pipeline diagram as slide 7)

Slide 67: Finite-State Transition System

(Figure: a state-transition graph over states u0, u1, u2, u3 labeled with atomic propositions (u0: a, c; u1: b, d; u2: d; u3: e), unfolded into its computation tree.)

Slide 68: Computation Tree Logic (CTL)

- Path quantifiers: A (for all computation paths), E (for some computation path)
- Linear-time operators: G (globally), F (in the future), X (next time), U (until)

CTL specifies evolutions along paths in the computation tree from a given state, and can specify safety, liveness, fairness, etc.

- AG safe: the system is safe along all paths
- AG(AF reset): the system is reset infinitely often along every computation path

Slide 69: Model Checking Program

- Implemented in MATLAB using graph search algorithms
- Complexity linear in the product of the system size and the length of the CTL formula
- Finds the set of states where the given CTL formula is true

Page 70: ACTL

If T_H^M/P satisfies an ACTL specification, then T_H satisfies that ACTL specification.

ACTL is the restricted class of CTL allowing only the universal path quantifier:

  f ::= ap | not ap | f and f | f or f | AX f | AF f | AG f | A[f U f]
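The labelling algorithm behind the model checking program on the previous slide, as an added Python example that is not the thesis's MATLAB tool; the transition system, its labels and the formulas below are constructed for illustration.

```python
# Added example (not the MATLAB tool from the thesis): a minimal explicit-state
# ACTL model checker.  Formulas follow the ACTL grammar from the slide,
#   f ::= ap | not ap | f and f | f or f | AX f | AF f | AG f | A[f U f],
# encoded as nested tuples, e.g. ('AG', ('AF', ('ap', 'reset'))).
# The transition relation is assumed total (every state has a successor),
# so every computation path is infinite, as in the slides' transition systems.

def check(states, succ, label, f):
    """Return the set of states where ACTL formula f holds."""
    op = f[0]
    sub = lambda g: check(states, succ, label, g)
    if op == 'ap':
        return {s for s in states if f[1] in label[s]}
    if op == 'not':                       # ACTL: negation only on atoms
        assert f[1][0] == 'ap', 'negation is allowed only on atomic propositions'
        return {s for s in states if f[1][1] not in label[s]}
    if op == 'and':
        return sub(f[1]) & sub(f[2])
    if op == 'or':
        return sub(f[1]) | sub(f[2])
    if op == 'AX':                        # every successor satisfies f
        sat = sub(f[1])
        return {s for s in states if succ[s] <= sat}
    if op == 'AG':                        # greatest fixpoint: drop states with an escaping successor
        res = sub(f[1])
        while True:
            nxt = {s for s in res if succ[s] <= res}
            if nxt == res:
                return res
            res = nxt
    if op in ('AF', 'AU'):                # least fixpoint: grow the target set backwards
        hold = set(states) if op == 'AF' else sub(f[1])
        res = sub(f[-1])                  # AF f: target is f; A[f U g]: target is g
        while True:
            nxt = res | {s for s in hold if succ[s] <= res}
            if nxt == res:
                return res
            res = nxt
    raise ValueError(f'unknown ACTL operator {op!r}')

# Constructed sample system (not from the thesis): s3 is an error sink,
# s4 can branch into it, and s0..s2 form a loop that keeps resetting.
STATES = ['s0', 's1', 's2', 's3', 's4']
SUCC = {'s0': {'s1'}, 's1': {'s0', 's2'}, 's2': {'s0'}, 's3': {'s3'}, 's4': {'s3', 's0'}}
LABEL = {'s0': {'safe', 'reset'}, 's1': {'safe'}, 's2': {'safe'}, 's3': {'error'}, 's4': {'safe'}}

if __name__ == '__main__':
    print(sorted(check(STATES, SUCC, LABEL, ('AG', ('ap', 'safe')))))          # ['s0', 's1', 's2']
    print(sorted(check(STATES, SUCC, LABEL, ('AG', ('AF', ('ap', 'reset'))))))  # ['s0', 's1', 's2']
```

Each operator is one pass over the states per fixpoint iteration, which is where the linear-in-system-size-times-formula-length cost quoted on the previous slide comes from.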

Page 71: Atomic Propositions in the Tool

Two types of atomic propositions (AP).

Polyhedral threshold atomic proposition: <PTHB>
  Identified by the name of each PTHB
  Specifies the output of each PTHB (true if the PTHB output is 1)
  Truth value determined directly from the cell p for each state (,p,q) in T_H^M/P

Page 72: Atomic Propositions (cont.)

Finite state machine atomic proposition: <FSMB == state>
  Specifies the active state of each FSMB
  Truth value determined directly from q for each state (,p,q) in T_H^M/P

Page 73: MATLAB Tool Overview

The tool pipeline diagram from Page 66 is repeated here to introduce the partition refinement step.

Page 74: Quotient Transition System Refinement

Bisimulation refinement
  Splits P into the part that can reach P' (P1) and the part that cannot (P2)
  Difficult to implement: set subtractions, non-convex sets

Figure: polytope P split into P1 (reaches P') and P2 (does not reach P').

Page 75: Alternative Refinement Procedure

Refine states with more than one successor state
  Motivated by the bisimulation condition for approximation
  Use bisection refinement instead of bisimulation refinement

Selective refinement w.r.t. the ACTL specification
  Refine only the initial states not satisfying the ACTL specification, and all their descendants
  Reduces computational cost; slows down state explosion

Page 76: Summary of Verification Procedure

  Approximate the initial quotient transition system T_H^M/P_0 for the PIHA converted from the TEDHS
  If all initial states in T_H^M/P_N satisfy the ACTL specification: stop, the system is verified
  Otherwise:
    For each initial state in T_H^M/P_N violating the ACTL specification, and all its descendants, split the associated polytope
    Recompute mappings and transitions for the new polytopes to approximate T_H^M/P_{N+1}
    N = N + 1 and repeat

Page 77: Outline

  Hybrid Systems and Verification
  MATLAB Verification Tool
  Verification Example
  Conclusions

Page 78: Simulink Model

Page 79: Switched Continuous System Parameters

Page 80: Approximation Parameters & Specification

Page 81: Visualization Tool

Page 82: Visualization Tool

Page 83: Visualization Tool

Page 84: Partition P0, specification unsatisfied

Page 85: Partition P1, specification unsatisfied

Page 86: Partition P2, specification unsatisfied

Page 87: Partition P3, specification unsatisfied

Page 88: Partition P4, specification unsatisfied

Page 89: Partition P5, specification unsatisfied

Page 90: Partition P6, specification satisfied

Page 91: Bound on Number of Switchings

Page 92: Outline

  Hybrid Systems and Verification
  MATLAB Verification Tool
  Verification Example
  Conclusions

Page 93: Contributions

Approximate quotient transition systems for verification of hybrid systems
  Discrete-trace transition system
  Bisimulation condition for approximate quotient transition systems
  Verification results in some cases where a finite bisimulation does not exist

Page 94: Contributions

Flow pipe approximations
  Handle general ODEs in arbitrary dimensions
  Efficient computations for affine systems
  Arbitrarily close approximations
  Error does not accumulate from previous time steps
  Realization of quotient transition system verification

Page 95: Contributions

MATLAB verification tool
  TEDHS modeling front end
  Conversion from TEDHS to PIHA
  Automatic generation and refinement of approximate quotient transition systems
  Polyhedral library (convex hull, etc.)
  ACTL parser and finite-state model checking library

Page 96: Research Directions

Flow pipe approximations
  More efficient nonlinear flow pipe approximations
  Extension to differential inclusions
  Numerical methods to guarantee a conservative approximation using floating point or integer arithmetic
    Global optimization technique

Null transition identification methods

Page 97: Research Directions

More restrictive refinement set
  Identify states along particular paths from the initial states that violate the ACTL specification
  As opposed to all states reachable from the initial states that violate the ACTL specification

More efficient PIHA conversion for the tool
  The tool introduces many cells between which no discrete transition actually occurs
  Consolidate adjacent cells with the same discrete state

Extension of the theory and tool to handle jumps in continuous dynamics