althoff (2013) Formal Verification of Cyberphysical Systems

Formal Verification of Cyber-Physical Systems

Matthias Althoff

Technische Universitat Munchen

November 15, 2013

M. Althoff CPS Verification November 15, 2013 1 / 29

Introduction

Examples of Cyber-Physical Systems

automated drivingsource: Carnegie Mellon University

automated farmingsource: Kesmac

human-robot collaborationsource: Rethink Robotics

surgical robotssource: daVinci

Smart gridssource: Siemens

Air traffic controlsource: NASA

Emerging technologies are increasingly safety- or operation-critical!


Introduction

Examples of Insufficiently Verified Systems

Intel Bug (1994)

Error in the floating point division.

costs: $ 500 Mio

Explosion of the Ariane 5 rocket (1996)

Variable overflow due to software reuse from Ariane 4.

costs: $ 500 Mio

Unintended acceleration in Toyota cars (2010)

Several investigations, no mistake found (NHTSA andNASA).

PR disaster


Introduction

Need for Formal Verification

Testing

Not much expert knowledgerequired

Applicable to large systems

No guarantee of correctness

Formal Verification

Expert knowledge required

Not (yet) applicable to largesystems

Guarantees correctness

Critical components: Proof of correctness outweighs advantages of testing.

Case study:Unmanned aerial vehicle (UAV) flight control verified by two teams of equal size.

Lockheed Martin Aero

Used testing

Found no bugs

Rockwell Collins

Used Model Checking

Found 12 bugs

”Model-checking was more cost effective than testing at finding design errors.”(Dr. Steven P. Miller, Rockwell Collins, CMACS Industry Workshop, 2011)


Introduction

Interaction of Discrete and Continuous Dynamics

Formal verification has first been developed for discrete systems. However:

Cyber-physical systems interact with the physical world.

Discrete Dynamics

z1 z2

z3

discrete-event control

communication protocols

discrete sensors/actuators

discrete signal processing

scheduling algorithms

Continuous Dynamics

x(t) =f (x(t), u(t))

y(t) =g(x(t), u(t))

x : state vector, u: input vector, y : output

vector

continuous control

physics

continuous sensors/actuators

continuous signal processing


Introduction

Outline

Modeling of Cyber-Physical Systems with Hybrid Automata

Definition of the Verification Problem

Reachability Analysis

Linear continuous systems

Nonlinear continuous systems

Hybrid systems

Applications (automated driving, phase-locked loops, smart grids)

Future Research Proposals

Scalable verification algorithms using compositional design

Model-based design using abstract models

Fault-tolerant systems


Hybrid Dynamics

Hybrid Automaton (HA)

HA = (Z, z0,X ,X 0,U , inv,T , guard, jump, f )

set of locations Z = {z1, . . . , zm} with initial location z0,

continuous state space X ⊂ Rn with initial continuous set X 0,

discrete transitions T ⊆ Z × Z ,

invariants inv : Z → 2X ,

guard sets guard : T → 2X ,

jump functions jump : T × X → X

flow functions f : X × U × Z → Rn (U : continuous input space)

initialcontinuous

set

reachable set

guards

invariant

x1

x2z1 z2

Continuous evolution

Start at z0 and x0 ∈ X 0

x(t) is the solution ofx(t) = f (x(t), u(t), z(t))


Hybrid Dynamics










initialcontinuous

set

reachable set

guards

invariant

x1

x2z1 z2

Activation of discrete transition

Transition (zj , zi ) is activatedwhen x(t) ∈ guard((zj , zi ))

Transition has to be taken whenx(t) at the border of inv(zi )


Hybrid Dynamics










initialcontinuous

set

reachable set

guards

jump

invariant

x1

x2z1 z2

Discrete transition and jump of

continuous state

Location changes from zi to zj

Continuous state may jump:x ′ = jump((zj , zi ), x)(x ′: cont. state after jump)


Hybrid Dynamics










initialcontinuous

set

reachable set

guards

jump

invariant

x1

x2z1 z2

... and so on ...


Problem Definition


possibletrajectory

exactreachable set

jump

steady state

initial set

x1

x2

Informal Definition

A reachable set is the set of states that can be reached by a dynamicalsystem in finite or infinite time for a

set of initial states,

uncertain inputs,

and uncertain parameters.


Problem Definition

Verification Task

overapproximativereachable set exact

reachable setinvariant set

unsafe set

initial set

x1

x2

Verification Task

Check if a set of unsafe states is never reached.

Exact reachable set only for special classes computable→ overapproximation computed for consecutive time intervals.

Overapproximation might lead to spurious counterexamples.

Simulation cannot prove correctness.


Reachability Analysis Linear Systems

Linear Systems: Overview of Reachable Set Computation

x(t) = Ax(t) + u(t), A ∈ Rn×n, x(t) ∈ R

n, x(0) ∈ R(0), u(t) ∈ uc ⊕ U

1 Compute reachable set H(r) = eArR(0)⊕∫ r

t=0eA(r−t)dt uc at time r neglecting

the uncertain input (C ⊕ D := {c + d |c ∈ C, d ∈ D}).

2 Obtain convex hull of initial set R(0) and H(r).

3 Enlarge reachable set to account for (1) uncertain inputs, (2) curvature oftrajectories.

4 Continue with further time intervals [kr , (k + 1)r ], k ∈ N.

Known algorithm, similar to work of A. Girard at HSCC’05.

R(0)

H(r)convexhull of

R(0), H(r)R([0, r ])

➀ ➁ ➂

enlargement


Reachability Analysis Nonlinear Systems

Nonlinear Reachability Analysis: Overall Algorithm

initial set R(0), input set U , time step k = 1

linearize system

compute reachable set Rlin without linearization error

obtain set of linearization errors L based onRlin and L (L: set of admissible linearization errors)

L ⊆ L ? enlarge L

compute reachable set Rerr due to L

R = Rlin ⊕ Rerr

k:=

k+

1

yes

no



Overall Algorithm: Animation

R(0)

linearize system




Rlin([0, r ])

compute reachable set Rlin

without linearization error




Rlin([0, r ])⊕Rerr ([0, r ])

Rerr : reachable set due to L

obtain set of linearizationerrors L based on

Rlin([0, r ]) ⊕Rerr ([0, r ])




R([0, r ]) =

Rlin([0, r ])⊕Rerr ([0, r ])

L ⊆ L ?




R([r , 2r ])

reachable set ofnext time interval




R([0, tf ])

reachable set ofthe complete time horizon tf

possibletrajectories



Linearization and Lagrange Remainder

x = f (z(t)), zT := [xT , uT ] and t ∈ [kr , (k + 1)r ]:

Taylor series

xi ∈ fi (z∗) +

∂fi (z)

∂z

∣∣∣z=z∗

(z − z∗)︸︷︷︸

1st order Taylor series: A∆x+B∆u+fi (z∗)

⊕

{1

2(z − z∗)T

∂2fi(z)

∂z2

∣∣∣z=ξ

(z − z∗)

∣∣∣∣ξ, z ∈ R([kr , (k + 1)r ]) × U

}

︸︷︷︸

Lagrange remainderLi

Possible computation of the Lagrange remainder:Enclose reachable set by a multidimensional interval and apply intervalarithmetic.



Scalability of the Linearization Approach

x1

xn−1

xn

u

... (more tanks)

Water tank system.

1 2 3 4

2

3

4

5

6

x1

x6

initial set

possibletrajectories

Projected reachable set(n = 6).

Complexity with respect to the number of continuous state variables n: O(n3).

Dimension n 5 10 20 50 100

CPU-time [sec] 1.19 1.73 3.11 11.59 35.78


Reachability Analysis Hybrid Systems

Reachability Analysis of Hybrid Systems

Hybrid systems additionally require intersections of guard sets:

x1

x2

R(0)

Rg

R([tk , tk+1])

guard

(a) Classical approach.

x1

x2

R(0)

Rg

R([tk , tk+1])

R(tη)

guard

(b) New approach.

tη: last point in time before intersecting the hyperplane.

Rg : Overapproximation of the guard set intersection.



Scalability of the Mapping-Based Approach

Jm J1 J2 JθJl

ks k1 k2 kθ

Θm

Θ1 Θ2 Θθ

Θl

gear

enginedynamics

uTm

Θs

2α

Powertrain with backlash.

−0.1 0 0.1 0.2

0

20

40

60

80

Θs −Θ1

Θref

guard set

R(0)

sampletraj.

Projected reachable set(n = 101).

Complexity with respect to the number of continuous state variables n: O(n5).

Dimension n 11 21 31 41 51 101

CPU time [sec] 8.122 14.31 23.72 31.83 53.74 1550



Comparison With SpaceEx

SpaceEx: state of the art tool for reachability analysis of hybrid systems.

Uses geometric guard intersection.

Example sensitive to overapproximation → comparison for initial set with5% of initial size and n = 7.

−0.05 0 0.05 0.1−20

0

20

40

60

80

Θs −Θ1

Tm

SpaceEx

mappingapproach

guard

R0.05(0)

−0.05 0 0.05 0.1

0

20

40

60

80

Θs −Θ1

Θref

SpaceEx

mappingapproach

guard

R0.05(0)

Computational times: 10023 s (new approach: 0.133 s).


Reachability Analysis Extensions

Further Work


Hybrid systems with differential-algebraic equations

Consideration of uncertain parameters

Improved algorithms for nonlinear systems using non-convex sets

Stochastic Verification

Abstraction of stochastic hybrid systems to Markov chains

Probabilistic inevitable collision states

left car

right car

ego car

initialpositions


Applications

Online Verification Of Automated Driving

lane change

maneuver B

lane change

maneuver A

Test site Test vehicle

−20 0 20 40 60 80 100 120−5

0

5

reference trajectory

other vehicle

ego vehicle ego vehicle (braking part)

initial occupancy

final occupancyobstacle

x-position [m]

y-position[m

]


Applications

Test Drive Results

[

sxsy

]

Ψ

β

δ

x

y

v

sx , sy [m] x- and y-positionΨ [rad] orientationβ [rad] slip angle at center of massδ [rad] front wheel anglev [m/s] velocity

2.5 3−0.5

0

0.5

Ψ [rad]

Ψ[rad

/s]

lc B lc A−0.2 0 0.2

2.4

2.6

2.8

3

δ [rad]

Ψ[rad

]

−0.2 0 0.2−0.5

0

0.5

δ [rad]

Ψ[rad

/s]

lc A

lc B

computation time: ≈ 1.8 times faster than maneuver time (Intel i7, 1.6GHz)


Applications

Verification of a Phase-Locked Loop (PLL)

System properties:

Hybrid dynamics withmany switchings(≈ 3000 untilconvergence)

Slow convergence tolocking

Verification Task:Check if for any initialcondition, the phase is lockedto the reference signal.

(received IEEE/ACM WilliamJ. McCalla ICCAD BestPaper Award)

Ci

Cp1

CP

Rp2

Rp3

frequency

divider1/N

Cp3

vi

vp1 vpip

ii

Φref

Φv

phasefrequency

detector(PFD)

RefUP

VCO

DN

Computation time: Verification vs. simulationreachability avg. MATLAB

∆Φ(0) analysis [s]: simulation [s]:[−1,−0.8]π 55.0461 48.3297[−0.8,−0.6]π 54.4418 47.9096[−0.6,−0.4]π 53.4820 46.2673[−0.4,−0.2]π 47.8208 44.4596[−0.2, 0]π 42.9191 38.5102


Applications

Transient Stability in Smart Grids

System properties:

Differential-algebraicequations

Nonlinear dynamics

Large system size

Verification Task:Check if all states return tothe operating point after apower drop-out.

GG

G

G

G

1

2

3

76

4

12

13

14

1110

9

58

Values at bus 3:

−0.8 −0.6 −0.4

375.5

376

376.5

377

377.5

generator phase [rad]

freq

uen

cy[rad/s]

1.02 1.04 1.06 1.08−0.8

−0.7

−0.6

−0.5

−0.4

bus voltage [p.u.]busphase

[p.u.]


Applications

Conclusions

Scalability issues in formal verification of cyber-physical systems havebeen successfully addressed.

The presented approaches verified applications that were previouslyout of reach.

The online verification of automated vehicles is the first approachthat verifies a system with non-trivial dynamics on-the-fly.

Results of reachability analysis can be easily interpreted.

Unlike other approaches (e.g. barrier certificates, constraintpropagation, theorem proving), reachability analysis immediatelyshows where a specification is violated.



Scalable Verification using Compositional Design

Simulation: complete system has to be consideredReachability analysis: set of behaviors can be computed compositionally.

Simplest scenario

subsystem A

subsystem B

UA YA

UBYB

Assume set of inputs UA and UB for A and B ,respectively. If YA ⊆ UB and YB ⊆ UA →assumptions and set of behaviors areoverapproximative.

Possible application tosmart grids:



Verification of Programmable Logic Controllers (PLCs)

and Real-Time Constraints

z1 z2

z3

z4

a, c1 > 1, c1 := 0

b, c1 > 0,c2 > 1

c2 ≤ 1, c2 := 0

e, c1 ≤ 1,c1 := 0, c2 := 0

c, c1 > 1c1 := 0

d , c1 = 1, c2 > 1

Solar Panel Productionsource: KUKA

Timed automata or timed Petri nets are often sufficient for PLC verification.

Timed automata and timed Petri nets are a special class of hybrid automata.

Algorithms for hybrid automata can be specialized.



Non-Formal Verification Approaches

Non-formal verification is often more effective for less critical components.Most approaches try to steer the system into a fault:

Sensitivity-based simulation

Rapidly-exploring random trees

Cross-entropy method

Ant-colony optimization

etc.

Method selection is more art than science.

0 5 10 15 20 2512

14

16

18

20

22

24 Falsification of the room heatingbenchmark problem using ant-colonyoptimizationY. Annapureddy, C. Liu, G. Fainekos and S.

Sankaranarayanan: S-TaLiRo: A Tool for Temporal Logic

Falsification for Hybrid Systems



Model-Based Design using Abstract Models

Build abstract subsystems to which uncertainty is added.→ design changes within the abstraction require no design iteration.

Continuous abstraction

x ∈ {f (x , p) + u|p ∈ P, u ∈ U}Parametric (p ∈ P) and additiveuncertainties (u ∈ U)

Discrete abstraction

Add non-deterministic transitions

z1 z2

z3

Example: Vehicle dynamics for automated driving.

0 10 20 30 40 50 60 70 80

−1

0

1

2

3

4

5

6

7

8

referencetrajectory

x-position

y-position

source: bremarauto



Fault-Tolerant Systems

Information redundancy:Check bits to detect data transfer errors.

Physical redundancy:

Voter switches subsystem in case of a fault.

Drawbacks: Faults need to be directlymeasurable, redundant components areexpensive.

subsystem A

subsystem B

subsystem C

voter

Analytical redundancy:

Controller re-design based on informationfrom model-based observers.

Drawbacks: Control performance isdegraded, challenging design.

controller plant

diagnosiscontrollerre-design

yref

u y

f

yref : reference, u: input, y : output, f : fault

Design of scalable and reliable observers and fault-tolerant controllers for hybriddynamics is an open research problem.



Final Thoughts

How to build safe and reliable cyber-physical systems?

Good balance between formal and non-formal verification

Scalable formal verification techniques (rather provide techniques thatcan address a limited set of specifications, but for large systems)

Consideration of disturbances, parameter variations, and faults in theverification process

Model-based design supporting abstraction, modularity, and hierarchy

Built-in fault tolerance

Good tool support


althoff (2013) Formal Verification of Cyberphysical Systems

Technology

Transcript of althoff (2013) Formal Verification of Cyberphysical Systems