Analytical Validation Tools for Safety Critical Systems
http://www.aem.umn.edu/~AerospaceControl
Gary J. Balas and Peter Seiler, Aerospace Engineering and Mechanics, University of Minnesota
Andrew Packard, Department of Mechanical Engineering, University of California, Berkeley
Safe & Secure Systems & Software Symposium – S5, 16–18 June 2010
IEEE CSS International Workshop on The Future of Control in Transportation Systems
May 27-29, 2010, Benevento – Sorrento, Italy
Workshop focused on transportation systems (railways, vehicle and road transportation, aircraft/infrastructure) to:
• Highlight future control challenges.
• Identify common control problems across the application areas.
• Identify control areas in need of support by academia, industries, private and government funding agencies.
30 attendees from 12 countries
IEEE International Workshop on The Future of Control in Transportation Systems: Aerospace Working Group
Aerospace Working Group Members
• Gary Balas, University of Minnesota
• Johann Bals, German Aerospace Center
• Richard Barhydt, NASA
• Federico Corraro, CIRA
• John Hansman, MIT
• Marco Lovera, Politecnico di Milano
• Andres Marcos, Deimos Space
• Roberto Palumbo, CIRA
• Peter Seiler, University of Minnesota
• Balint Vanek, Hungarian Academy of Sciences
• Shuguang Zhang, Beihang University
Aerospace Working Group: Aerospace Challenges and Open Issues
• High integrity control systems development (e.g., safety-critical systems)
• Certification challenges
• Design for Validation & Verification
• Life cycle management
• Process and tools (modeling, simulation, analysis, design, verification, validation)
• Theoretical understanding and validation of industrial practices
• Analytical redundancy (FDI, FTC, HM)
• Policy and legacy issues causing implementation issues
• Flexible operation design
• Multi-attribute optimization
• Adaptive systems
• Trajectory planning
• Environmental performance
• Complexity
  • Handling complexity (model abstraction level)
  • Boundary with related disciplines
  • Distributed/centralized control and coordination
  • Management of uncertainty
  • Multi-vehicle network control
• Human-centered automation and control
Aerospace Working Group: Aerospace Potential Actions
• Cross-discipline benchmark problems
  • Control, human factors, software, certification…
  • Formulated with industry
  • IEEE Control System Society sponsored workshop
• Broadening control education
  • Include the entire development process in education
  • Education in related disciplines (e.g., computer science, human factors, application domains)
  • Incorporate into existing curricula
• Encourage and support international collaboration
  • High-integrity certification processes will require international cooperation
• Capture common industrial practices
  • Encourage industry papers in special sessions and special issues
Embedded Redundancy Management for Low-Cost, Safety-Critical Systems
NSF Cyber-Physical Systems Program
Pete Seiler, Gary Balas, Mats Heimdahl, Jaideep Srivastava, and Antonia Zhai
Aerospace Engineering and Mechanics, Computer Science
University of Minnesota
June 14, 2010
Fault Detection for Safety Critical Systems
Issue: Current safety critical systems rely mainly on physical redundancy, but this increases system size, complexity and power consumption.
Objective: Develop algorithms and computing architectures which enable fault detection without relying on physical redundancy.
F/A-18 Hornet Aircraft
Embedded Fault Detection
Fault Detection Approach
1. Model-based monitors to detect faults in the physical domain
2. Monitors derived from software requirements to detect faults in the cyber (hardware/software) domain
3. Data-driven anomaly detection to detect faults in both the cyber and physical domains
Computing Architectures:
• Develop novel architectural enhancements to multi-core architectures in order to implement the proposed fault-detection approach.
Applications:
• UAVs, medical devices, road vehicles
[Figure: Simulink model spanning the abstract-to-concrete design and development space (axes labelled PHYSICAL and CYBER): a triplex_input_selector (inputs input_a, input_b, input_c, trigger, DST_index; output input_sel) feeding a triplex_input_monitor (parameters trip_level, persist_lim; counters persistence_cnt (pc) and totalizer_cnt (tc); outputs failreport, MS) and a Failure_Isolation block (status_a, status_b, status_c, prev_sel, mon_failure_report, failure_report).]
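The slide shows the triplex selector and monitor only as Simulink block and signal names. The following Python example is added here as one assumed reading of those blocks; it is not the project's model or code. It implements a mid-value select over the healthy channels, a per-channel persistence counter (pc) that isolates a channel after persist_lim consecutive miscompares larger than trip_level against the selected value, a totalizer (tc) of all trips, and a textual failure report. The thresholds, the selection rule for fewer than three channels, and the sensor sequence in run_scenario are all constructed for the example.

```python
import math
from dataclasses import dataclass, field
from typing import List


@dataclass
class TriplexMonitor:
    """Assumed reading of the slide's triplex_input_selector / triplex_input_monitor /
    Failure_Isolation blocks (illustrative code, not the project's model): mid-value
    selection over healthy channels plus a persistence-based miscompare monitor."""
    trip_level: float                 # miscompare threshold against the selected value
    persist_lim: int                  # consecutive miscompares before a channel is failed
    status: List[bool] = field(default_factory=lambda: [True, True, True])  # True = healthy
    pc: List[int] = field(default_factory=lambda: [0, 0, 0])                # persistence counters
    tc: List[int] = field(default_factory=lambda: [0, 0, 0])                # totalizer: trips per channel
    prev_sel: float = 0.0
    failure_report: List[str] = field(default_factory=list)

    def select(self, inputs):
        """Mid-value of three healthy channels, average of two, pass-through of one,
        and hold of the previous selection when no channel is healthy (assumed rule)."""
        good = [v for v, ok in zip(inputs, self.status) if ok]
        if len(good) == 3:
            return sorted(good)[1]
        if len(good) == 2:
            return 0.5 * (good[0] + good[1])
        if len(good) == 1:
            return good[0]
        return self.prev_sel

    def step(self, inputs, k):
        """Process one sample of the three redundant inputs; return the selected value."""
        sel = self.select(inputs)
        for i, v in enumerate(inputs):
            if not self.status[i]:
                continue                      # failed channels stay isolated (latched)
            if abs(v - sel) > self.trip_level:
                self.pc[i] += 1
                self.tc[i] += 1
                if self.pc[i] >= self.persist_lim:
                    self.status[i] = False
                    self.failure_report.append(
                        f"sample {k}: channel {'abc'[i]} failed after "
                        f"{self.pc[i]} consecutive miscompares")
            else:
                self.pc[i] = 0                # transient glitch: persistence count clears
        self.prev_sel = sel
        return sel


def run_scenario():
    """Constructed test sequence: channel b glitches for two samples (below the persistence
    limit, so it must not be failed); channel c carries a persistent +3 bias from sample 30."""
    mon = TriplexMonitor(trip_level=1.0, persist_lim=3)
    max_err = 0.0
    for k in range(60):
        truth = 10.0 * math.sin(0.1 * k)
        a = truth + 0.01
        b = truth - 0.02 + (5.0 if k in (10, 11) else 0.0)
        c = truth + (3.0 if k >= 30 else 0.0)
        sel = mon.step([a, b, c], k)
        max_err = max(max_err, abs(sel - truth))
    return mon, max_err


if __name__ == "__main__":
    mon, err = run_scenario()
    print("status a/b/c:", mon.status, " totalizer:", mon.tc,
          " worst selection error:", round(err, 4))
    print("\n".join(mon.failure_report))
```

The persistence counter is what separates a transient miscompare from a failed channel: the two-sample glitch on channel b increments the totalizer but never reaches persist_lim, while channel c is isolated on its third consecutive miscompare and the selection continues on the two remaining channels.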
Software V&V Research:
• Model-Based Formal Methods
• Structural Testing
• Run-time Monitoring
Software-Enabled Control
Aerospace Research:
• V&V of flight control system and vehicle health management;
• discrete and continuous-time dynamics
[Figure: Plant Description. Simulink model computing the Total Disturbance Force F_dist [N] as the sum of F_drag [N] (gain 1/2*rho*Cd*A_front applied to the squared, signed <Velocity [m/s]>), F_grav [N] (gain m*g applied to sin(theta)) and F_fric [N] (gain m*g times the constant c_r), with Environment inputs w and theta.]
NSF CPS Project
IGERT (Pending)
IGERT: Cyber Physical Systems—A Confluence of Human, Machine, and Physical Environment
Topics: Human Centered Automation, Human Factors, Cognitive Science, Control Theory, Software Engineering, Validation & Verification, Fluid and Aero Dynamics, Sensors
Collaboration:
• Computer Science
• Aerospace
• Mechanical
• Civil
• Electrical
• Biomedical
• Human Factors
Acknowledgments
• Dr. Ufuk Topcu, Control and Dynamical Systems, Caltech
• Berkeley Center for Control and Identification
  • Ryan Feeley, Evan Haas, George Hines, Zachary Jarvis-Wloszek, Erin Summers, Kunpeng Sun, Weehong Tan, and Timothy Wheeler
• University of Minnesota Aerospace Controls Group
  • Abhijit Chakraborty, Rohit Pandita and Qian Zheng
• AFOSR FA9550-05-1-0266, “Development of Analysis Tools for Certification of Flight Control Laws,” 05/01/05 – 04/30/08.
• NASA NRA NNX08AC80A, “Analytical Validation Tools for Safety Critical Systems,” Dr. Christine Belcastro Technical Monitor, 01/01/2008 – 12/31/2010.
• NSF CPS CNS-0931031, “Embedded Fault Detection for Low-Cost, Safety Critical Systems,” 10/01/2009 – 9/30/2012.
• Software, Course Notes: http://www.aem.umn.edu/~AerospaceControl
Motivation: Flight Controls
• Validation of flight controls mainly relies on linear analysis tools and nonlinear (Monte Carlo) simulations.
• This approach generally works well, but there are drawbacks:
  • It is time consuming and requires many well-trained engineers.
  • Linear analyses are valid over an infinitesimally small region of the state space.
  • Linear analyses are not sufficient to understand truly nonlinear phenomena, e.g. the falling leaf mode in the F/A-18 Hornet.
  • Linear analyses are not applicable for adaptive control laws or systems with hard nonlinearities.
• There is a need for nonlinear analysis tools which provide quantitative performance/stability assessments over a provable region of the state space.
Our Perspective
Linear analysis provides a quick answer to a related, but different question:
• Q: How much gain and time-delay variation can be accommodated without undue performance degradation?
• A (answers a different question): Here’s a scatter plot of margins at 1000 trim conditions throughout the envelope.
Why does linear analysis have impact in nonlinear problems?
• Domain-specific expertise exists to interpret linear analysis and assess relevance.
• Speed, scalable: fast, defensible answers on high-dimensional systems.
Extend validity of the linearized analysis:
• Infinitesimal → local (with certified estimates)
• Address uncertainty
Overview
Numerical tools to quantify/certify dynamic behavior
• Locally, near equilibrium points
Analysis considered
• Region-of-attraction, input/output gain, reachability, establishing local IQCs
Methodology
• Enforce Lyapunov/dissipation inequalities locally, on sublevel sets
• Set containments via S-procedure and SOS constraints
• Bilinear semi-definite programs
  • “Always” feasible
  • Simulation aids nonconvex proof/certificate search
• Address model uncertainty
  • Parametric uncertainty
    • Parameter-independent Lyapunov/storage functions
    • Branch-&-Bound
  • Dynamic uncertainty
    • Local small-gain theorems
Nonlinear Analysis
Autonomous dynamics: $\dot x = f(x)$, $f(x^*) = 0$
• Equilibrium point $x^*$
• Uncertain initial condition, $x(0) \in G$
• Question: Do all solutions converge to $x^*$?
Driven dynamics: $\dot x = f(x, w)$, $f(x^*, 0) = 0$
• Equilibrium point $x^*$
• Uncertain inputs, $\|w\|_2 \le R$, $\|w\|_\infty \le \sigma$
• Question: How large can $z = h(x)$ get?
Uncertain dynamics: $\dot x = f(x, \delta)$, or $\dot x = f(x, w, \delta)$
• Unknown, constant parameters, $\delta \in \Delta$
• Unmodeled dynamics
• Same questions ...
Region-of-Attraction and Reachability
Dynamics, equilibrium point: $\dot x = f(x)$, $f(x^*) = 0$
$p$: analyst-defined function whose (well-understood) sublevel sets are to be in the region of attraction: $\{x : p(x) \le \beta\} \subseteq \mathrm{ROA}$
By choice of positive-definite $V$, maximize $\beta$ so that
$\{x : p(x) \le \beta\} \subseteq \{x : V(x) \le 1\}$,
$\{x : V(x) \le 1\}$ is bounded,
$\{x : x \ne x^*,\ V(x) \le 1\} \subseteq \{x : \frac{dV}{dx} f(x) < 0\}$.
Reachability: given a differential equation $\dot x = f(x, w)$ and a positive definite function $p$, how large can $e(t)$ get, knowing $x(0) = 0$, $\|w\|_2 \le R$?
$\dot x = f(x, w)$, $e = p(x)$
Conditions on $\mathbb{R}^{n + n_w}$:
$\frac{dV}{dx} f(x, w) \le w^T w$ on $\{x : V(x) \le R^2\}$, for all $w$
$\{x : V(x) \le R^2\} \subseteq \{x : p(x) \le \beta\}$
Conclusion on the ODE: $x(0) = 0$, $\|w\|_2 \le R \Rightarrow$ for all $t$, the solution exists and $e(t) \le \beta$.
Solution Approach
1. Sum-of-squares to (conservatively) enforce nonnegativity: $f \in \Sigma$ if $f = \sum_i g_i^2$ for some $g_i$.
2. Easy (semi-definite program) to check if a given polynomial is SOS.
3. S-procedure to (conservatively) enforce set containment.
4. Apply the S-procedure to the analysis conditions. For (e.g.) reachability, minimize $\beta$ (by choice of $s_i$ and $V$) such that
$(\beta - p) - s_1 (R^2 - V) \in \Sigma_{x,w}$
$-\left( (R^2 - V) s_2 + \frac{dV}{dx} f(x, w) - w^T w \right) \in \Sigma_{x,w}$
5. Semi-definite program iteration: initialize $V$, then
  5.1 Optimize objective by changing S-procedure multipliers
  5.2 Optimize objective by changing $V$
  5.3 Iterate on (5.1) and (5.2)
6. Initialization of $V$ is important for the iteration to work
  6.1 Simulation of system dynamics yields convex constraints which contain all feasible Lyapunov function candidates. This set can be sampled to initialize $V$.
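Steps 1 to 4 above rest on two facts: a polynomial is SOS exactly when it can be written as $z^T Q z$ for a monomial vector $z$ and a positive semidefinite Gram matrix $Q$, and the S-procedure turns the set containment of slide 7 into an SOS condition. The following Python example is added here (it is not the authors' code and does not use their Multipoly/SOSOPT/SeDuMi tools): it checks an SOS certificate $(z, Q)$ by testing $Q$ for positive semidefiniteness and comparing $z^T Q z$ with the target polynomial coefficient by coefficient, which is what an independent check of a solver-produced certificate has to do. It then applies the check to the slide-7 region-of-attraction condition on a constructed scalar system $\dot x = -x + x^3$ with $V = x^2/c^2$, using a hand-chosen multiplier $s = 2x^2$; the quartic in textbook_example is a standard example from the SOS literature (Parrilo), not from the slides.

```python
# Polynomials are dicts mapping an exponent tuple (one entry per variable) to a float
# coefficient, e.g. {(2, 0): 1.0, (1, 1): -2.0} is x^2 - 2xy.  Pure Python, no SDP solver:
# the point is checking a certificate (z, Q), not searching for one.

def padd(p, q, s=1.0):
    """Return p + s*q, dropping numerically zero terms."""
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, 0.0) + s * c
    return {m: c for m, c in r.items() if abs(c) > 1e-12}


def pmul(p, q):
    """Polynomial product."""
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(a + b for a, b in zip(m1, m2))
            r[m] = r.get(m, 0.0) + c1 * c2
    return {m: c for m, c in r.items() if abs(c) > 1e-12}


def pderiv(p, i):
    """Partial derivative with respect to variable i."""
    r = {}
    for m, c in p.items():
        if m[i] > 0:
            mm = m[:i] + (m[i] - 1,) + m[i + 1:]
            r[mm] = r.get(mm, 0.0) + c * m[i]
    return r


def gram_to_poly(z, Q):
    """Expand z^T Q z for a list of monomials z and a symmetric Gram matrix Q."""
    r = {}
    for i in range(len(z)):
        for j in range(len(z)):
            r = padd(r, pmul(z[i], z[j]), Q[i][j])
    return r


def is_psd(Q, tol=1e-9):
    """Symmetric Q is positive semidefinite iff Gaussian elimination without pivoting meets
    no negative pivot and every (numerically) zero pivot has only zeros below it."""
    n = len(Q)
    A = [row[:] for row in Q]
    for k in range(n):
        d = A[k][k]
        if d < -tol:
            return False
        if abs(d) <= tol:
            if any(abs(A[i][k]) > tol for i in range(k + 1, n)):
                return False
            continue
        for i in range(k + 1, n):
            l = A[i][k] / d
            for j in range(k + 1, n):
                A[i][j] -= l * A[k][j]
    return True


def verify_sos(p, z, Q, tol=1e-9):
    """(z, Q) certifies p in Sigma iff Q is PSD and p == z^T Q z coefficient by coefficient:
    with Q = L^T L this gives p = sum_i (L_i z)^2, i.e. step 1 of the slide."""
    if not is_psd(Q, tol):
        return False
    return all(abs(c) <= tol for c in padd(p, gram_to_poly(z, Q), -1.0).values())


def textbook_example(q33=5.0):
    """Standard example (Parrilo): 2x^4 + 2x^3y - x^2y^2 + 5y^4 with z = [x^2, y^2, xy] and
    Q = [[2,-3,1],[-3,5,0],[1,0,q33]].  q33 = 5 is a valid certificate; q33 = 4 gives an
    indefinite Q (and the wrong x^2y^2 coefficient), so the certificate is rejected."""
    p = {(4, 0): 2.0, (3, 1): 2.0, (2, 2): -1.0, (0, 4): 5.0}
    z = [{(2, 0): 1.0}, {(0, 2): 1.0}, {(1, 1): 1.0}]
    Q = [[2.0, -3.0, 1.0], [-3.0, 5.0, 0.0], [1.0, 0.0, q33]]
    return verify_sos(p, z, Q)


def roa_certificate(c=0.9, eps=0.1):
    """Slide-7 ROA condition for the constructed scalar system xdot = -x + x^3 (true ROA is
    |x| < 1) with V = x^2/c^2: {x != 0, V <= 1} in {dV/dx f < 0} follows from the S-procedure
    certificate  -(dV/dx) f - s (1 - V) - eps x^2 in Sigma  with the SOS multiplier s = 2x^2.
    Algebra: the left side equals (2/c^2 - 2 - eps) x^2, so a Gram certificate with
    z = [x, x^2] exists iff 2/c^2 - 2 - eps >= 0, i.e. only for level sets inside |x| < 1."""
    x, x2 = {(1,): 1.0}, {(2,): 1.0}
    f = {(1,): -1.0, (3,): 1.0}
    V = {(2,): 1.0 / c ** 2}
    Vdot = pmul(pderiv(V, 0), f)                       # dV/dx * f
    s = {(2,): 2.0}
    cond = padd(padd(padd({}, Vdot, -1.0), pmul(s, padd({(0,): 1.0}, V, -1.0)), -1.0), x2, -eps)
    Q = [[2.0 / c ** 2 - 2.0 - eps, 0.0], [0.0, 0.0]]  # Gram matrix for z = [x, x^2]
    return verify_sos(cond, [x, x2], Q)


if __name__ == "__main__":
    print("textbook certificate accepted:", textbook_example())
    print("ROA certified for |x| <= 0.9:", roa_certificate(0.9))
    print("ROA certified for |x| <= 1.1:", roa_certificate(1.1))
```

The zero pivot in the textbook example is the case a naive Cholesky routine gets wrong: the Gram matrix there is singular but still positive semidefinite, so the check has to accept a zero pivot whose column is also zero while rejecting any negative pivot. Running roa_certificate with c above 1 fails for the right reason: the level set would reach past the unstable equilibria at $x = \pm 1$, and no multiplier can certify it.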
Applications
• Region of attraction for F/A-18 falling leaf mode
• Reachability for GTM aircraft longitudinal axis dynamics
F/A-18 Falling Leaf Motion
• The US Navy has lost many F/A-18 A/B/C/D Hornet aircraft due to an out-of-control flight departure described as the ‘falling leaf’ mode.
F/A-18: NASA Dryden Photo
• The falling leaf mode can require 4.5K-6K m to recover*.
• Administrative action by NAVAIR to prevent further losses.
Revised control law implemented and deployed in 2003-4 (F/A-18E/F)
• Uses ailerons to damp sideslip
Baseline/Revised Control Architecture (simplified)
Baseline vs Revised: Analysis
Is revised better?
• Yes, several years of service confirm it, but can this be ascertained with a model-based validation?
Recall that the Baseline underwent validation, yet had problems.
Linearized analysis: at equilibrium and several steady turn rates
• Classical loop-at-a-time margins
• Disk margin analysis (Nichols)
• Multivariable input disk-margin
• Diagonal input multiplicative uncertainty
• “Full”-block input multiplicative uncertainty
• Parametric stability margin (µ) using physically motivated uncertainty in 8 aero coefficients.
Conclusion:
• Both designs have excellent (and nearly identical) linearized robustness margins trimmed across the envelope.
Baseline vs Revised: Beyond Linearized Analysis
Perform region-of-attraction estimate as described.
• Unfortunately, closed-loop models are too complex (high dynamic order) for the direct approach, at this time.
Model approximation:
• Reduced state dimension (domain-specific simplifications): states $\alpha, \beta, p, q, r, \phi, x_c$
• Polynomial approximation of closed-loop dynamic models.
ROA Results
Ellipsoidal shape factor, aligned with states, appropriately scaled
• 5 hours for quartic Lyapunov function certificate
• 100 hours for divergent sims with “small” initial conditions
Chakraborty, Seiler and Balas, “Applications of Linear and Nonlinear Robustness Analysis Techniques to the F/A-18 Control Laws,” AIAA Guidance, Navigation and Control Conference, Chicago IL, August 2009.
NASA Generic Transport Model (GTM) Aircraft
NASA constructed the remote-controlled GTM aircraft for studying advanced safety technologies.
• The GTM is a 5.5 percent scale commercial aircraft.
• NASA created a high-fidelity 6DOF model of the GTM including look-up tables for the aerodynamic coefficients.
References:
Jordan, T., Foster, J.V., Bailey, R.M., and Belcastro, C.M., AirSTAR: A UAV platform for flight dynamics and control system testing. 25th AIAA Aerodynamic Measurement Technology and Ground Testing Conf., AIAA-2006-3307 (2006).
Cox, D., The GTM DesignSim v0905.
Reachable Sets
• For a nonlinear system $\dot x = f(x, u)$, the vector $x_f \in \mathbb{R}^n$ is unit energy reachable if there exists a final time $T$ and an input $u(t)$ defined on $[0, T]$ satisfying $\|u\|_2 \le 1$ that drives the state from $x(0) = 0$ to $x(T) = x_f$.
• The unit energy reachable set $R_{ue}$ is the set of points that are reachable from the origin with unit energy.
• For linear systems this set is an ellipsoid that can be computed from a semidefinite programming problem. The size of the ellipsoid scales with the magnitude of the input energy.
• For nonlinear systems this set can be difficult to compute, and its size does not, in general, scale linearly with the magnitude of the input energy.
• Our approach is to approximate nonlinear models with polynomials and then estimate the size of this set with polynomial optimization tools.
• Knowledge of the reachable set for an aircraft can be used for dynamic flight envelope assessment.
Aircraft Longitudinal Axis Dynamics
The aircraft longitudinal axis dynamics are described by:
$\dot V = -\frac{1}{m}\left(D + m g \sin(\theta - \alpha) - T \cos\alpha\right)$
$\dot \alpha = -\frac{1}{m V}\left(L - m g \cos(\theta - \alpha) + T \sin\alpha\right) + q$
$\dot q = \frac{M}{I_{yy}}$
$\dot \theta = q$
States: air speed $V$ (ft/sec), angle of attack $\alpha$ (deg), pitch rate $q$ (deg/sec) and pitch angle $\theta$ (deg).
Controls: elevator deflection $\delta_{elev}$ (deg) and engine thrust $T$ (lbs).
Forces/Moment: drag force $D$ (lbs), lift force $L$ (lbs), and pitching moment $M$ (lbs-ft).
GTM Polynomial Modeling
• Aerodynamic look-up table data, engine data, trigonometric functions, and $1/V$ were fit with low-order polynomials.
• The resulting model is a 7th order polynomial.
• Two facts for obtaining accurate models:
  • The raw aerodynamic data is provided in body axes, but better fits can be obtained in wind axes.
  • Matching the trim characteristics requires very accurate fits at low angles of attack.
[Figure: lift coefficient CL and drag coefficient CD versus alpha (deg), 0 to 80: look-up table versus polynomial fit.]
Trim Conditions
Computed the level-flight trim conditions for the nonlinear (look-up tables, etc.) and polynomial models.
[Figure: trim angle of attack (deg), pitch angle theta (deg), throttle (percent) and elevator (deg) versus TAS (ft/sec), 100 to 400: full nonlinear versus polynomial model.]
Computing Reachable Set Estimates
• We approximate the reachable set by an ellipsoid of the form $R_\beta := \{x : (x - x_{trim})^T N (x - x_{trim}) \le \beta\}$ where $N$ reflects a scaling of the coordinates.
  • $x := [\,V\ (\mathrm{ft/sec}),\ \alpha\ (\mathrm{rad}),\ q\ (\mathrm{rad/sec}),\ \theta\ (\mathrm{rad})\,]$
  • $x_{trim} := [\,150\ \mathrm{ft/sec},\ 0.047\ \mathrm{rad},\ 0\ \mathrm{rad/sec},\ 0.047\ \mathrm{rad}\,]$
  • $N := \mathrm{diag}([\,50\ \mathrm{ft/sec},\ 0.35\ \mathrm{rad},\ 0.87\ \mathrm{rad/sec},\ 0.35\ \mathrm{rad}\,])^{-2}$
• Upper bounds: $\beta(\gamma) := \min_{\|u\|_2 \le \gamma} \beta$ subject to $R_{ue} \subseteq R_\beta$
  • For polynomial systems this computation takes the form of an iteration involving polynomial (sum-of-squares) optimizations that are converted into semidefinite programs.
• Lower bounds: $\beta(\gamma) := \max_{\|u\|_2 \le \gamma} (x - x_{trim})^T N (x - x_{trim})$.
  • One method is a power-method iteration [Tierno, et al., 1997].
  • Another method is to simulate the nonlinear system with the exact (scaled) worst-case input for the linearized system.
    • The exact reachable set for the linearization can be computed, and this can be used to compute the maximal value of $(x - x_{trim})^T N (x - x_{trim})$.
Reachability Results
The size of the reachable set depends on the input energy. Upper bounds are shown in red, lower bounds in blue, and the linear approximation is in black.
[Figure: β (reachable set ellipsoid bound), 0 to 0.7, versus γ (input energy), 0 to 1.5: nonlinear (quadratic) and nonlinear (quartic) upper bounds, the linear approximation, and nonlinear lower bounds (power method, and worst-case input).]
Reachability Results
Tested the worst-case input signal for the polynomial model (β = 0.48) on the full, nonlinear GTM model (β = .35).
[Figure: time histories over 0 to 150 sec of TAS (knots), alpha (deg), q (deg/sec), theta (deg), throttle (percent) and elevator (deg) for the polynomial model and the full GTM model under the worst-case input.]
Wrapup/Perspective
Proofs of behavior ⟺ Extensive simulation with certificate and linearized analysis
Tools (Multipoly, SOSOPT, SeDuMi) that handle (cubic, in $x$, vector field):
• 15 states, 3 parameters, unmodeled dynamics, analyze with $\partial(V) = 2$
• 7 states, 3 parameters, unmodeled dynamics, analyze with $\partial(V) = 4$
• 4 states, 3 parameters, unmodeled dynamics, analyze with $\partial(V) = 6$–$8$
• Certified answers; however, it is not clear that these are appropriate for design choices.
S-procedure/SOS/DIE more quantitative than linearization
• Linearized analysis: quadratic storage functions, infinitesimal sublevel sets
• SOS/S-procedure always works