Overview of UnCoVerCPS - UnCoVerCPS Workshop · EU Project UnCoVerCPS: Main objectives • Novel on-the-fly control and verification concepts. • Unifying control and verification

Overview of UnCoVerCPS

Matthias Althoff, Technische Universität MünchenUnCoVerCPS Workshop, Milan, 06 June 2018

Examples of Cyber-Physical Systems

automated drivingsource: Carnegie Mellon University

automated farmingsource: Kesmac

human-robotcollaboration

source: Rethink Robotics

surgical robotssource: daVinci

smart gridssource: Siemens

air traffic controlsource: NASA

Emerging technologies are increasingly safety- oroperation-critical!

June 6, 2018 cps-vo.org/group/UnCoVerCPS 2

EU Project UnCoVerCPS: Partners

UnCoVer

Unifying Control and Verification of Cyber-PhysicalSystems(UnCoVerCPS)

Funding: 4.9 mio Euro

Participant organisation name CountryTechnische Universität München (TUM) GermanyUniversité Joseph Fourier Grenoble 1 (UJF) FranceUniversität Kassel (UKS) GermanyPolitecnico di Milano (PoliMi) ItalyGE Global Research Europe (GE) GermanyRobert Bosch GmbH (Bosch) GermanyEsterel Technologies (ET) FranceDeutsches Zentrum für Luft- und Raumfahrt (DLR) GermanyTecnalia (Tec) SpainR.U.Robots Limited (RUR) United Kingdom

June 6, 2018 cps-vo.org/group/UnCoVerCPS 3

Expect the Unexpected

How to ensure safety in uncertain environments?

Automated driving: classical testing [N. Kalra and S. M.Paddock (2016)]

• 440 million km to demonstrate better performance thanhumans (95% confidence).

• 12.5 years with 100 test vehicles continuously driving.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 4

Possible Traffic Situations: A RoughEstimation

We assume that each variable of the verification problem has 20values.

3 lane parameters8 own vehicle parameters max. 5 lanes

4 other vehicle parametersmax. 10 vehicles

(203)5· (204)10

· 208≈ 9.2 · 1081 scenarios

June 6, 2018 cps-vo.org/group/UnCoVerCPS 5

Main Idea

Paradigm shift in verification of CPS

Verification before deployment → continuous self-verification.

• Each momentary situation is considered;

• each action is only executed if it is formally verified;

• each verification is performed just-in-time.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 6

Main Idea

Paradigm shift in verification of CPS

Verification before deployment → continuous self-verification.

• Each momentary situation is considered;

• each action is only executed if it is formally verified;

• each verification is performed just-in-time.

Advantages:

• Current scenario is always considered.

• Only current scenario required (smaller problem).

June 6, 2018 cps-vo.org/group/UnCoVerCPS 7

Main Idea

Paradigm shift in verification of CPS

Verification before deployment → continuous self-verification.

• Each momentary situation is considered;

• each action is only executed if it is formally verified;

• each verification is performed just-in-time.

Advantages:

• Current scenario is always considered.

• Only current scenario required (smaller problem).

Requirement: efficient and online-adaptable verificationprocedure.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 8

Main Idea

Paradigm shift in verification of CPS

Verification before deployment → continuous self-verification.

• Each momentary situation is considered;

• each action is only executed if it is formally verified;

• each verification is performed just-in-time.

Advantages:

• Current scenario is always considered.

• Only current scenario required (smaller problem).

Requirement: efficient and online-adaptable verificationprocedure.

Impact: Reduced costs, fewer liability claims, enabling safeautonomy.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 9

EU Project UnCoVerCPS: Main objectives

• Novel on-the-fly control and verification concepts.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 10

EU Project UnCoVerCPS: Main objectives

• Novel on-the-fly control and verification concepts.

• Unifying control and verification to quickly react to changingenvironments.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 11

EU Project UnCoVerCPS: Main objectives

• Novel on-the-fly control and verification concepts.

• Unifying control and verification to quickly react to changingenvironments.

• A unique tool chain that makes it possible to integratemodeling, control design, formal verification, and automaticcode generation.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 12

EU Project UnCoVerCPS: Main objectives

• Novel on-the-fly control and verification concepts.

• Unifying control and verification to quickly react to changingenvironments.

• A unique tool chain that makes it possible to integratemodeling, control design, formal verification, and automaticcode generation.

• Prototypical realizations for automated vehicles, human-robotcollaborative manufacturing, wind turbines and smart grids.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 13

EU Project UnCoVerCPS: Main objectives

• Novel on-the-fly control and verification concepts.

• Unifying control and verification to quickly react to changingenvironments.

• A unique tool chain that makes it possible to integratemodeling, control design, formal verification, and automaticcode generation.

• Prototypical realizations for automated vehicles, human-robotcollaborative manufacturing, wind turbines and smart grids.

• A new development process that reduces development timeand costs for critical cyber-physical systems.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 14

Beyond Online Verification

Unification of control and verification has also big potential foroffline design:

Front loading of verification

verific

atio

n&

valid

atio

n

verific

atio

non

abst

ract

mod

eldesign&

development

require-

ments

system

architecture

specification

models

implementation

models

code

30% reduction of developmenttime through front loading

det

ailed

abstra

ct

front-loading

confor-mance

Formal verification barrier

verific

atio

n&

valid

atio

n

design&

development

E.g., 12.5 years of testingfor autonomous vehicles

formalverification

testing

form

al

veri

fica

tion

bar

rier

June 6, 2018 cps-vo.org/group/UnCoVerCPS 15

Problem Statement of Our Use Cases

Human-Robot Co-Existence

robot

planned trajectorygoal

region

table

unsafe regionover time

Automated Driving

replacements

autonomous car planned trajectory

goal region

unsafe region over time

obstacle

other vehicle

Smart Grid (similar for wind turbine)planned trajectory voltage/phase limits (unsafe region)

time t

voltage/phase

June 6, 2018 cps-vo.org/group/UnCoVerCPS 16

Tool chain of UnCoVerCPS

offline online

ConfTest

SCADEDMPC-HS,ScenarioMPC

SpaceEx,

CORA

auto-gene-

rated code

SpaceExonl ,

CORAonl

physicalsystem

conformancetesting

plant + high-

level control

predictive

control

offlineverification

high-level

control

onlineverification

behaviour

formalSpec

formalspecification

tool extension

new tool

not a tool

June 6, 2018 cps-vo.org/group/UnCoVerCPS 17

Prediction-planning-verification-control loop

Use case: automated driving

➀ occupancy prediction ➁ trajectory planning

➂ collision checking➃ trajectory tracking

controller

June 6, 2018 cps-vo.org/group/UnCoVerCPS 18

Prediction-planning-verification-control loop

Use case: human-robot co-existence

➀ desired trajectory ➁ trajectory planning

➂ collision checking➃ update of safe path

June 6, 2018 cps-vo.org/group/UnCoVerCPS 19

Interaction between Planning and Verification

time tk:

Host Other

a

Host: intendedtrajectory (Ford)

Other: most-likelytrajectory

June 6, 2018 cps-vo.org/group/UnCoVerCPS 20

Interaction between Planning and Verification

time tk:

Host Other

a

b

Host: intendedtrajectory (Ford)Host: fail-safetrajectory (TUM)Other: most-likelytrajectoryOther: reachableset (TUM)

June 6, 2018 cps-vo.org/group/UnCoVerCPS 21

Interaction between Planning and Verification

time tk:

Host Other

a

b

Host: intendedtrajectory (Ford)Host: fail-safetrajectory (TUM)Other: most-likelytrajectoryOther: reachableset (TUM)

time tk+1:

a

b

a′

b′

June 6, 2018 cps-vo.org/group/UnCoVerCPS 22

Reachable Sets

possibletrajectory

exactreachable set

jump

steady state

initial set

x1

x2

Informal Definition

A reachable set is the set of states that can be reached by adynamical system in finite or infinite time for a

• set of initial states,

• uncertain inputs,

• and uncertain parameters.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 23

Overapproximative Reachable Sets

overapproximativereachable set exact

reachable setinvariant set

unsafe set

initial set

x1

x2

• Exact reachable set only for special classes computable→ overapproximation computed for consecutive time intervals.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 24

Overapproximative Reachable Sets

overapproximativereachable set exact

reachable setinvariant set

unsafe set

initial set

x1

x2

• Exact reachable set only for special classes computable→ overapproximation computed for consecutive time intervals.

• Overapproximation might lead to spurious counterexamples.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 25

Overapproximative Reachable Sets

overapproximativereachable set exact

reachable setinvariant set

unsafe set

initial set

x1

x2

• Exact reachable set only for special classes computable→ overapproximation computed for consecutive time intervals.

• Overapproximation might lead to spurious counterexamples.

• Simulation cannot prove correctness.

June 6, 2018 cps-vo.org/group/UnCoVerCPS 26

• Safety-critical, autonomous cyber-physical systems requireon-the-fly control and verification.

• Safety-critical, autonomous cyber-physical systems requireon-the-fly control and verification.

• Changing environments require to unify control andverification to meet formal specifications.

• Safety-critical, autonomous cyber-physical systems requireon-the-fly control and verification.

• Changing environments require to unify control andverification to meet formal specifications.

• Advances are also beneficial to offline control and verification.

• Safety-critical, autonomous cyber-physical systems requireon-the-fly control and verification.

• Changing environments require to unify control andverification to meet formal specifications.

• Advances are also beneficial to offline control and verification.

• Our approach works across several application domains(de-verticalization).

• Safety-critical, autonomous cyber-physical systems requireon-the-fly control and verification.

• Changing environments require to unify control andverification to meet formal specifications.

• Advances are also beneficial to offline control and verification.

• Our approach works across several application domains(de-verticalization).

• We combine our expertise to establish a unique toolchain forfuture development of cyber-physical systems.