A CEGAR Approach for Stability Verification of Linear Hybrid Systems - - PowerPoint PPT Presentation



SLIDE 1

A CEGAR Approach for Stability Verification of Linear Hybrid Systems

Miriam García Soto

Co-authored work with Pavithra Prabhakar, DARS 2017

SLIDE 2

Cyber-Physical Systems (CPSs)

Systems in which software ("cyber") interacts with the "physical" world

Application domains: Medical Devices, Automotive, Robotics, Aeronautics, Process control

Software controlled physical systems
✤ Automotive systems: Cruise control, lane assistants
✤ Medical Devices: Pacemakers, infusion pumps

Critical aspects in CPS design
✤ Security
✤ Reliability
✤ Safety

Grand Challenge: How do we build and deploy robust CPS?

SLIDE 3

Formal Verification

✤ Models for Cyber-Physical Systems (automata based)
✤ Robustness Specifications (logic based)
✤ Verification Algorithms (model checker)

Verification flow: the Model and the Specifications are given to a Verification tool (a model checker or a theorem prover), which returns either a Certificate or a Counterexample.

SLIDE 4

CPS Model

SLIDE 5

Hybrid Control Systems

Physical System: ẋ = f(x, u), y = h(x)
Control: u = g(y)

The closed loop combines continuous dynamics and discrete dynamics.

Hybrid Systems capture one of the main features of CPS, the mixed continuous and discrete behaviour.

SLIDE 6

Cruise control & automatic gearbox

Block diagram: PI Control (inputs vd and v) drives the Gearbox (torque T, gear q), which drives the vehicle velocity v with v̇ = pr · q · T / M.

PI Control: T = (Kq/τ) ∫ (vd − v) dt + Kq (vd − v)

Discrete Control (gear shifts):
if v − vd = (1/pi) ωhigh then q → q + 1
if v − vd = (1/pi) ωlow then q → q − 1

Continuous Variables: Error E = (vd − v), Torque T

Continuous Dynamics: Ė = −(pr · q / M) T, Ṫ = (Kq/τ) E + Kq Ė

Discrete Variable: Gear Position q, with q = 1, 2, 3, 4

SLIDE 7

Hybrid Automata

Modes 1, 2, 3, 4 (gear positions) with continuous dynamics ẋ = A1 x, ẋ = A2 x, ẋ = A3 x, ẋ = A4 x, where x = (E, T).

Transitions and guards:
1 to 2: E = (1/p1) ωhigh
2 to 3: E = (1/p2) ωhigh
3 to 4: E = (1/p3) ωhigh
4 to 3: E = (1/p4) ωlow
3 to 2: E = (1/p3) ωlow
2 to 1: E = (1/p2) ωlow

[figure: Trajectories of E and T over time, and the corresponding Executions as the sequence of states x0, x1, x2, x3 across mode switches]

SLIDE 8

CPS Specifications

SLIDE 9

Specifications

Examples: Cruise control, Robotic arm, Bipedal robot walking
✤ Cruise control: stability with respect to the desired velocity
✤ Robotic arm: stability with respect to the set point
✤ Bipedal walking: stability with respect to the periodic orbit

Stability: small perturbations in the initial state or input to the system result in only small deviations from the nominal behavior.

SLIDE 10

Stability notions

A system is Lyapunov stable with respect to the equilibrium point 0 if for every ε > 0 there exists δ > 0 such that for every execution σ starting from Bδ(0), σ(t) ∈ Bε(0) for all time t.

A system is asymptotically stable with respect to the equilibrium point 0 if it is Lyapunov stable and there exists η > 0 such that every execution σ starting from Bη(0) converges to 0.

[figure: three phase portraits over the facets f1, f2, f3, f4, with the balls of radius δ and η and executions σ, illustrating Lyapunov Stable, Asymptotically Stable and Unstable behaviour]

SLIDE 11

Stability analysis challenges

Linear dynamical systems: stability can be determined by eigenvalue analysis. [figure: two stable phase portraits in the (x, y) plane]

Linear hybrid systems: eigenvalue analysis does not suffice for switched linear systems. [figure: two switched linear systems in the (x, y) plane, one stable and one unstable]
SLIDE 12

State of the art: Lyapunov's second method

Continuous dynamics ẋ = F(x): if there exists a Lyapunov function for the system, then the system is Lyapunov stable.

Lyapunov function V : Rⁿ → R+
✤ Continuously differentiable
✤ Positive definite: V(x) ≥ 0 ∀x, and V(x) = 0 iff x = 0
✤ Function value decreases along any trajectory: (∂V(x)/∂x) F(x) ≤ 0 ∀x

[figure: a Lyapunov function V plotted over the (x, y) plane]

Switched and hybrid systems:
✤ Common Lyapunov functions
✤ Multiple Lyapunov functions

SLIDE 13

Automated analysis

Template based automated search
✤ Choose a template
✤ Encode Lyapunov function conditions as constraints
✤ Solve using sum-of-squares programming tools

Shortcomings:
✤ Success depends crucially on the choice of the template
✤ The current methods provide no insight into the reason for the failure, when a template fails to prove stability
✤ No guidance regarding the choice of the next template

Alternate approach: CEGAR

SLIDE 14

Counterexample Guided Abstraction Refinement (CEGAR)

SLIDE 15

CEGAR for stability

CEGAR loop (Abstract → Model-Check → Validate → Refine): the Concrete System and an Abstraction Relation give an Abstract System; the Abstract System is model-checked against the Property. If the property holds, the analysis results in "Property satisfied"; otherwise an Abstract Counterexample is validated against the concrete system. If it is a real counterexample, the analysis results in "Property violated"; if not, the Abstraction Relation is refined and the loop repeats.

First CEGAR approach for stability verification of hybrid systems

CEGAR framework
✤ Systematically iterates over the abstract systems
✤ Returns a counterexample in the case that the abstraction fails
✤ The counterexample can be used to guide the choice of the next abstraction

Template based search
✤ Success depends crucially on the choice of the template
✤ The current methods provide no insight into the reason for the failure, when a template fails to prove stability
✤ No guidance regarding the choice of the next template

SLIDE 16

Quantitative Predicate Abstraction

SLIDE 17

Quantitative Predicate Abstraction

Concrete system with facets F = {f1, f2, f3, f4}. [figure: the state space divided by the facets f1, f2, f3, f4 into the regions u1, u2, u3, u4]

SLIDE 21

Quantitative Predicate Abstraction

Concrete system ⟹ Abstract system: a graph whose nodes are the facets f1, f2, f3, f4.

An edge between facets indicates the existence of an execution.

SLIDE 23

Quantitative Predicate Abstraction

An edge between facets indicates the existence of an execution.

Weights capture information about distance to the equilibrium point along the executions. [figure: the abstract graph with edge weights such as 1, 2 and 1/3]

SLIDE 25

Quantitative Predicate Abstraction

An edge between facets indicates the existence of an execution. Weights capture information about distance to the equilibrium point along the executions.

A cycle π through f1, f2, f3, f4 with edge weights 2, 1/3, 1/3, 1 has weight

W(π) = 2 · (1/3) · (1/3) · 1 = 2/9 < 1

SLIDE 26

Quantitative Predicate Abstraction - samples

Three abstract graphs, each a four-edge cycle through the facets f1, f2, f3, f4:
✤ Edge weights 1, 1, 1, 1: product of edge weights = 1, Lyapunov Stable
✤ Edge weights 1, 1, 1/2, 1/2: product of edge weights = 1/4, Asymptotically Stable
✤ Edge weights 1, 1, 2, 2: product of edge weights = 4, Unstable

SLIDE 27

Weight computation

Constant dynamics ẋ = c

2 dimensions: the flow carries facet f1 onto facet f2. For a point d1 ∈ f1 reaching d2 ∈ f2, the ratio is scale invariant, |d2|/|d1| = |αd2|/|αd1|, so the weight of the edge is this norm ratio. [figure: facets f1 and f2, the flow direction c, and the points d1, d2, αd1, αd2]

Weight (LP problems): sup |v2|/|v1| subject to t > 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ct

Higher dimensions: the ratio is no longer invariant under a translation by d⃗, |b⃗ + d⃗| / |a⃗ + d⃗| ≠ |b⃗| / |a⃗|. [figure: vectors a⃗, b⃗, c and d⃗ in (x, y, z) coordinates]

SLIDE 28

Weight computation

Polyhedral inclusion dynamics ẋ ∈ P, where P is a polyhedral set, P = {c : ⋀ ai · c ≤ bi}

Weight (LP problems): sup |v2|/|v1| subject to t > 0, v1 ∈ f1, v2 ∈ f2, v2 = v1 + ct, ⋀ ai · c ≤ bi; equivalently, ⋀ ai · (v2 − v1) ≤ bi t

SLIDE 29

Weight computation

Linear dynamics ẋ = Ax

Weight: sup |v2|/|v1| subject to t > 0, v1 ∈ f1, v2 ∈ f2, v2 = e^{At} v1

✤ Solution is an exponential function
✤ Need a representation on which optimization can be performed
✤ Approximation methods [Girard et al., Frehse et al.]

SLIDE 30

Hybridization

SLIDE 31

Hybridization and soundness

Linear hybrid system ẋ = Ax ⟹ Polyhedral hybrid system ẋ ∈ P, with P = {Ax : x ∈ R} for each region R of a partition of the state space (for example R given by x1 ≤ 0, x2 ≥ 0). [figure: the partition in the (x1, x2) plane]

Theorem - Hybridization: If the hybridized polyhedral hybrid system is Lyapunov (asymptotically) stable then the original linear hybrid system is Lyapunov (asymptotically) stable.

Hybridization for stability analysis of switched linear systems. HSCC'16

SLIDE 32

Soundness of Quantitative Predicate Abstraction

Theorem - Model-checking: A polyhedral hybrid system is Lyapunov stable if
✤ the abstract weighted graph has no edges with infinite weights, and
✤ no cycles with product of edge weights greater than 1

Every cycle has weight smaller than 1 => Concrete system is stable => Stop
There is a cycle, π, with weight greater than 1 => π is an abstract counterexample => Validation

[figure: two abstract systems with weighted edges; in the second one a cycle π has product of edge weights greater than 1]

Abstraction based model-checking of stability of hybrid systems. CAV'13
Foundations of Quantitative Predicate Abstraction for Stability Analysis of Hybrid Systems. VMCAI'15
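The model-checking step applied to an abstract weighted graph, as an added example that is not code from the talk or from AVERIST: the dictionary encoding of the graph, the cycle enumeration and the function names are assumptions of this illustration, and the sample graphs reuse the edge weights shown on slides 25 and 26.

```python
import math

# Abstract systems constructed for this example: facet -> {successor: weight}.
# The edge weights follow the talk's sample graphs; the dict encoding is ours.
LYAPUNOV = {"f1": {"f2": 1.0}, "f2": {"f3": 1.0}, "f3": {"f4": 1.0}, "f4": {"f1": 1.0}}
ASYMPTOTIC = {"f1": {"f2": 1.0}, "f2": {"f3": 1.0}, "f3": {"f4": 0.5}, "f4": {"f1": 0.5}}
UNSTABLE = {"f1": {"f2": 1.0}, "f2": {"f3": 1.0}, "f3": {"f4": 2.0}, "f4": {"f1": 2.0}}
# Slide 25's cycle pi: W(pi) = 2 * 1/3 * 1/3 * 1 = 2/9 < 1.
SLIDE25 = {"f1": {"f2": 2.0}, "f2": {"f3": 1 / 3}, "f3": {"f4": 1 / 3}, "f4": {"f1": 1.0}}

def simple_cycles(graph):
    """Simple cycles as facet lists, each reported once from its smallest name."""
    found = []
    def dfs(start, node, path):
        for nxt in graph.get(node, {}):
            if nxt == start:
                found.append(list(path))
            elif nxt > start and nxt not in path:   # stay above start: no duplicates
                path.append(nxt)
                dfs(start, nxt, path)
                path.pop()
    for s in sorted(graph):
        dfs(s, s, [s])
    return found

def cycle_weight(graph, cycle):
    """Product of the edge weights around the cycle, W(pi) in the talk."""
    prod = 1.0
    for i, node in enumerate(cycle):
        prod *= graph[node][cycle[(i + 1) % len(cycle)]]
    return prod

def model_check(graph):
    """Model-checking theorem: no infinite-weight edge and no cycle with weight
    product > 1 proves Lyapunov stability of the concrete system.  Returns
    (verdict, detail): detail is the bad edge or the heaviest cycle found."""
    for src, edges in graph.items():
        for dst, w in edges.items():
            if math.isinf(w):                   # abstraction too coarse to conclude
                return "inconclusive", (src, dst)
    worst = None
    for cyc in simple_cycles(graph):
        w = cycle_weight(graph, cyc)
        if worst is None or w > worst[1]:
            worst = (cyc, w)
    if worst is None or worst[1] == 1:          # no lap grows |x| (sample: product 1)
        return "Lyapunov stable", worst
    if worst[1] < 1:                            # every lap shrinks |x| (sample: 1/4)
        return "asymptotically stable", worst
    return "abstract counterexample", worst     # pi is handed to validation
```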

SLIDE 33

Counterexample

✤ Model-checking of the abstract system returns an abstract counterexample if the abstract system fails to establish stability.

Abstract Counterexample (ACE): a cycle with product of edge weights greater than 1. [figure: the cycle through f1, f2, f3, f4 with edge weights 1, 1, 2, 2]

✤ Spurious ACE: if there exists no infinite execution (concrete) of the system which follows the edges and weights of the cycle (and diverges)
✤ Validation: checking if the ACE is spurious.

Validation is not a bounded model-checking problem! It requires checking for an infinite execution instead of a finite execution.

SLIDE 34

Validation

SLIDE 35

Validation

Existence of an infinite concrete counterexample is equivalent to the existence of a finite execution along the cycle with certain properties, which can be encoded as an SMT formula.

Theorem - Validation: A counterexample f1 ⟶ f2 ⟶ f3 ⟶ … ⟶ fk ⟶ f1 is valid ⟺ ∃ α > 1, ∃ x1 ∈ f1, …, xk ∈ fk, xk+1 ∈ f1 such that x1 ⟶ x2 ⟶ x3 ⟶ … ⟶ xk ⟶ xk+1 and xk+1 = αx1

[figure: the facets f1, f2, f3, f4, …, fk of the ACE and the points x1, x2, x3, x4, …, xk, xk+1 of the finite execution]
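The validation theorem carried out on a constructed 2-D polyhedral hybrid system whose facets are rays from the origin and whose regions have constant dynamics, as an added example that is not the talk's or AVERIST's code: the facets, the dynamics and the function names are assumptions. In this setting one lap is scale invariant (the 2-D observation on slide 27), so following a single point of f1 around the cycle decides whether xk+1 = αx1 with α > 1; the spurious branch is exercised with a variant whose lap contracts.

```python
import math

# Constructed 2-D polyhedral hybrid system (not from the talk): facets are the
# four half-axes, given by their ray directions, and the region between two
# consecutive facets has constant dynamics x' = c.  One lap multiplies |x| by
# 1 * 1 * 1 * 2, so the abstract cycle f1 -> f2 -> f3 -> f4 -> f1 is an ACE.
FACETS = {"f1": (0.0, 1.0), "f2": (-1.0, 0.0), "f3": (0.0, -1.0), "f4": (1.0, 0.0)}
DYNAMICS = {("f1", "f2"): (-1.0, -1.0), ("f2", "f3"): (1.0, -1.0),
            ("f3", "f4"): (1.0, 1.0), ("f4", "f1"): (-1.0, 2.0)}

def step(point, c, ray):
    """Flow x' = c from point until it meets the facet spanned by ray: solve
    point + c*t = s*ray with t > 0, s > 0 (Cramer's rule on a 2x2 system).
    Returns the hitting point, or None when the facet is never reached."""
    (px, py), (cx, cy), (rx, ry) = point, c, ray
    det = -cx * ry + rx * cy
    if abs(det) < 1e-12:
        return None                            # flow parallel to the facet
    t = (px * ry - rx * py) / det
    s = (px * cy - cx * py) / det
    if t <= 0 or s <= 0:
        return None
    return (px + cx * t, py + cy * t)

def validate(cycle, facets=FACETS, dynamics=DYNAMICS):
    """Validation theorem: the ACE is a genuine counterexample iff some x1 in f1
    returns to f1 after one lap as x_{k+1} = alpha * x1 with alpha > 1.  With
    ray facets and constant dynamics the lap is scale invariant, so a single
    start point on f1 decides.  Returns (alpha, points); alpha is None when
    the cycle is not concretely executable or the lap does not diverge."""
    x1 = facets[cycle[0]]                      # unit point on the first facet
    points, x = [x1], x1
    for src, dst in zip(cycle, cycle[1:] + cycle[:1]):
        x = step(x, dynamics[(src, dst)], facets[dst])
        if x is None:                          # no concrete execution along pi
            return None, points
        points.append(x)
    alpha = math.hypot(*x) / math.hypot(*x1)   # both points lie on the ray f1
    return (alpha if alpha > 1 else None), points

# Variant whose last region points back with c = (-1, 0.5): the lap returns to
# f1 at 0.5 * x1, so no diverging execution follows the cycle (alpha = 0.5).
CONTRACTING = {**DYNAMICS, ("f4", "f1"): (-1.0, 0.5)}
```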

SLIDE 36

Refinement

SLIDE 37

Refinement

Counterexample guided abstraction refinement for stability analysis. CAV'16

SLIDE 38

Software tool

SLIDE 39

AVERIST flowchart and software dependencies

AVERIST (Stability Verifier) pipeline: LHS (linear hybrid system) ⟶ HYBRIDIZATION ⟶ PHS (polyhedral hybrid system) ⟶ ABSTRACTION ⟶ MODEL-CHECKING ⟶ VALIDATION ⟶ REFINEMENT ⟶ output: Stable / Unstable / Abstract counterexample

Software dependencies: PPL, GLPK, NetworkX, Z3

http://software.imdea.org/projects/averist/index.html

SLIDE 40

Conclusion

SLIDE 41

Summary

At the intersection of CPS design, Control theory and Formal methods:
✤ Development of a novel CEGAR approach, based on abstraction and model-checking techniques
✤ Automatic process for linear and polyhedral hybrid systems
✤ Framework extendable to more complex classes of hybrid systems
✤ Techniques implemented in AVERIST provide promising results
✤ Application to an automatic gearbox

SLIDE 42

Questions?