Overview of UnCoVerCPS Matthias Althoff, Technische Universität München UnCoVerCPS Workshop, Milan, 06 June 2018
Examples of Cyber-Physical Systems
• automated driving (source: Carnegie Mellon University)
• automated farming (source: Kesmac)
• human-robot collaboration (source: Rethink Robotics)
• surgical robots (source: daVinci)
• smart grids (source: Siemens)
• air traffic control (source: NASA)
Emerging technologies are increasingly safety- or operation-critical!
June 6, 2018 cps-vo.org/group/UnCoVerCPS 2
EU Project UnCoVerCPS: Partners
Unifying Control and Verification of Cyber-Physical Systems (UnCoVerCPS)
Funding: 4.9 million Euro

Participant organisation name                        | Country
-----------------------------------------------------|---------------
Technische Universität München (TUM)                 | Germany
Université Joseph Fourier Grenoble 1 (UJF)           | France
Universität Kassel (UKS)                             | Germany
Politecnico di Milano (PoliMi)                       | Italy
GE Global Research Europe (GE)                       | Germany
Robert Bosch GmbH (Bosch)                            | Germany
Esterel Technologies (ET)                            | France
Deutsches Zentrum für Luft- und Raumfahrt (DLR)      | Germany
Tecnalia (Tec)                                       | Spain
R.U.Robots Limited (RUR)                             | United Kingdom
Expect the Unexpected
How to ensure safety in uncertain environments?
Automated driving: classical testing [N. Kalra and S. M. Paddock (2016)]
• 440 million km to demonstrate better performance than humans (95% confidence).
• 12.5 years with 100 test vehicles continuously driving.
Possible Traffic Situations: A Rough Estimation
We assume that each variable of the verification problem has 20 values.
• 3 lane parameters, max. 5 lanes
• 8 own-vehicle parameters
• 4 other-vehicle parameters, max. 10 vehicles
(20^3)^5 · (20^4)^10 · 20^8 = 20^63 ≈ 9.2 · 10^81 scenarios
Main Idea
Paradigm shift in verification of CPS
Verification before deployment → continuous self-verification.
• Each momentary situation is considered;
• each action is only executed if it is formally verified;
• each verification is performed just-in-time.
Advantages:
• Current scenario is always considered.
• Only current scenario required (smaller problem).
Requirement: efficient and online-adaptable verification procedure.
Impact: Reduced costs, fewer liability claims, enabling safe autonomy.
EU Project UnCoVerCPS: Main objectives
• Novel on-the-fly control and verification concepts.
• Unifying control and verification to quickly react to changing environments.
• A unique tool chain that makes it possible to integrate modeling, control design, formal verification, and automatic code generation.
• Prototypical realizations for automated vehicles, human-robot collaborative manufacturing, wind turbines and smart grids.
• A new development process that reduces development time and costs for critical cyber-physical systems.
Beyond Online Verification
Unification of control and verification also has big potential for offline design:
[Figure: Front loading of verification. V-model of design & development (requirements, system architecture, specification models, implementation models, code) against verification & validation; verification is performed on an abstract model and transferred to the detailed model via conformance (front-loading). 30% reduction of development time through front loading.]
[Figure: Formal verification barrier. Along the same V-model, formal verification covers only the abstract levels; beyond the formal verification barrier, testing is used, e.g., 12.5 years of testing for autonomous vehicles.]
Problem Statement of Our Use Cases
Human-Robot Co-Existence [figure: robot, planned trajectory, goal region, table, unsafe region over time]
Automated Driving [figure: autonomous car, planned trajectory, goal region, obstacle, other vehicle, unsafe region over time]
Smart Grid (similar for wind turbine) [figure: planned trajectory of voltage/phase over time t; voltage/phase limits form the unsafe region]
Tool chain of UnCoVerCPS
[Figure: tool chain, split into an offline and an online part.
Offline: ConfTest (conformance testing of the physical system against plant + high-level control); SCADE (high-level control, auto-generated code); DMPC-HS, ScenarioMPC (predictive control); SpaceEx, CORA (offline verification against the formal specification).
Online: SpaceEx_onl, CORA_onl (online verification of the behaviour of the physical system against the formal specification).
Legend: tool extension / new tool / not a tool.]
Prediction-planning-verification-control loop
Use case: automated driving
➀ occupancy prediction
➁ trajectory planning
➂ collision checking
➃ trajectory tracking controller

Prediction-planning-verification-control loop
Use case: human-robot co-existence
➀ desired trajectory
➁ trajectory planning
➂ collision checking
➃ update of safe path
Interaction between Planning and Verification
[Figure: at time t_k, the host vehicle has an intended trajectory a (Ford) and a fail-safe trajectory b (TUM); for the other vehicle, its most-likely trajectory and its reachable set (TUM) are shown. At time t_{k+1}, the plan is updated to a new intended trajectory a' and a new fail-safe trajectory b'.]
Reachable Sets
[Figure: state space (x1, x2) showing the initial set, a possible trajectory, the exact reachable set, a jump, and a steady state.]
Informal Definition
A reachable set is the set of states that can be reached by a dynamical system in finite or infinite time for a
• set of initial states,
• uncertain inputs,
• and uncertain parameters.
Overapproximative Reachable Sets
[Figure: state space (x1, x2) showing the initial set, the exact reachable set, the overapproximative reachable set, an invariant set, and an unsafe set.]
• The exact reachable set is computable only for special system classes → an overapproximation is computed for consecutive time intervals.
• Overapproximation might lead to spurious counterexamples.
• Simulation cannot prove correctness.
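The reachable-set computation and the collision check of the prediction-planning-verification loop above, as an added example that is not code from the slides or from the project's tools (CORA, SpaceEx). It assumes a discrete-time linear model (a double integrator with constructed numbers) instead of the continuous-time reachability over consecutive time intervals the slides refer to. Zonotopes give the exact reachable set for this system class; their interval hull is a box overapproximation, and the unsafe set is constructed so that the hull reports a spurious counterexample while a support-function check on the zonotope proves the step safe. The model, the unsafe set and the helper names are all assumptions of this example.

```python
"""Added example (not from the slides or the UnCoVerCPS tool chain): reachable
sets for a discrete-time linear system with a set of initial states and
uncertain inputs, plus a collision check against an unsafe set. Zonotopes are
exact for this system class; their interval hull is an overapproximation that
here produces a spurious counterexample. All numbers are constructed."""
import random

def mat_vec(A, x):
    return tuple(sum(a * xi for a, xi in zip(row, x)) for row in A)

def add_vec(x, y):
    return tuple(a + b for a, b in zip(x, y))

def dot(x, y):
    return sum(a * b for a, b in zip(x, y))

class Zonotope:
    """Z = {c + sum_j b_j * g_j : b_j in [-1, 1]} with centre c and generators g_j."""
    def __init__(self, c, gens):
        self.c, self.gens = tuple(c), [tuple(g) for g in gens]

    @staticmethod
    def box(centre, radius):
        n = len(centre)
        return Zonotope(centre, [tuple(radius[i] if j == i else 0.0 for j in range(n))
                                 for i in range(n)])

    def linear_map(self, A):  # A Z is again a zonotope (exact)
        return Zonotope(mat_vec(A, self.c), [mat_vec(A, g) for g in self.gens])

    def __add__(self, other):  # Minkowski sum (exact)
        return Zonotope(add_vec(self.c, other.c), self.gens + other.gens)

    def support(self, d):
        """max_{x in Z} d.x = d.c + sum_j |d.g_j|"""
        return dot(d, self.c) + sum(abs(dot(d, g)) for g in self.gens)

    def interval_hull(self):
        """Tightest axis-aligned box containing Z: an overapproximation of Z."""
        radius = tuple(sum(abs(g[i]) for g in self.gens) for i in range(len(self.c)))
        return Zonotope.box(self.c, radius)

def reach(A, B, X0, U, steps):
    """R_0..R_steps for x_{k+1} = A x_k + B u_k with x_0 in X0, u_k in U.
    Exact for zonotopes; the generator count grows with k (real tools reduce it,
    which is where overapproximation enters)."""
    BU = U.linear_map(B)
    R = [X0]
    for _ in range(steps):
        R.append(R[-1].linear_map(A) + BU)
    return R

DIRECTIONS = [(1, 0), (0, 1), (1, 1), (1, -1)]

def separated(Z1, Z2, directions=DIRECTIONS):
    """Sound but incomplete disjointness test via support functions: if all of Z1
    lies strictly below all of Z2 in some direction d, the sets cannot intersect."""
    for d in directions:
        neg = tuple(-x for x in d)
        if Z1.support(d) < -Z2.support(neg) or Z2.support(d) < -Z1.support(neg):
            return True
    return False

def first_conflict(R, unsafe, hull=False):
    """First step k whose reachable set (or its interval hull) is not proven
    disjoint from `unsafe`; None means every step is verified safe."""
    for k, Z in enumerate(R):
        if not separated(Z.interval_hull() if hull else Z, unsafe):
            return k
    return None

def simulate(A, B, x0, inputs):
    x = tuple(x0)
    for u in inputs:
        x = add_vec(mat_vec(A, x), mat_vec(B, u))
    return x

# Constructed model: double integrator (position, velocity), time step 0.5 s.
A = ((1.0, 0.5), (0.0, 1.0))
B = ((0.125,), (0.5,))
X0 = Zonotope.box((0.0, 1.0), (0.1, 0.1))  # position 0 +- 0.1 m, speed 1 +- 0.1 m/s
U = Zonotope.box((0.0,), (0.2,))           # acceleration in [-0.2, 0.2] m/s^2
STEPS = 5
# Constructed unsafe set: far ahead *and* slow. Reaching it would need hard
# braking at the end, which the input bound rules out.
UNSAFE = Zonotope.box((3.4, 0.5), (0.1, 0.1))
R = reach(A, B, X0, U, STEPS)

def demo(samples=2000, seed=1):
    """Returns (box verdict, zonotope verdict, simulated hits, samples inside hull)."""
    box_verdict = first_conflict(R, UNSAFE, hull=True)    # box hull touches UNSAFE at k=5
    zono_verdict = first_conflict(R, UNSAFE, hull=False)  # zonotope proven disjoint: None
    rng = random.Random(seed)
    hits = inside = 0
    for _ in range(samples):
        x0 = (rng.uniform(-0.1, 0.1), rng.uniform(0.9, 1.1))
        us = [(rng.uniform(-0.2, 0.2),) for _ in range(STEPS)]
        point = Zonotope.box(simulate(A, B, x0, us), (0.0, 0.0))
        hits += int(not separated(point, UNSAFE))
        inside += int(not separated(point, R[STEPS].interval_hull()))
    return box_verdict, zono_verdict, hits, inside

if __name__ == "__main__":
    print(demo())  # (5, None, 0, 2000)
```

`demo()` returns `(5, None, 0, 2000)`: the box hull of R_5 intersects the unsafe set, so a verifier working with boxes would have to reject (or refine) the plan at step 5, while the zonotope proves the same step disjoint in direction (1, -1), exposing the box result as spurious. All 2000 random simulations stay inside the hull and none enters the unsafe set, which illustrates soundness of the overapproximation but, by itself, proves nothing about safety; only the set-based check does.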
• Safety-critical, autonomous cyber-physical systems require on-the-fly control and verification.
• Changing environments require unifying control and verification to meet formal specifications.
• Advances are also beneficial to offline control and verification.
• Our approach works across several application domains (de-verticalization).
• We combine our expertise to establish a unique tool chain for the future development of cyber-physical systems.