SLIDE 1 Automatically Robustifying Verified Hybrid Systems in KeYmaera X
Nathan Fulton, Carnegie Mellon University
September 13, 2016, Dagstuhl, Germany
SLIDE 4 Robustness
A system is robust if it operates correctly despite:
- Disturbances in actuation
- Uncertainty in sensing
- Deviation from typical dynamics
- Adversarial agents
- ...
Expressible by systematically modifying a hybrid system.
Can we automatically robustify hybrid systems?
SLIDE 8 Automatic Incremental Robustification
Typical verification approach: begin with a simplified model, then incrementally add complexity.
Advantages:
- Initial verification task exposes essential aspects of the safety argument.
- Successive verification tasks are tractable.
Disadvantages:
- Re-verification is expensive.
- Verification efforts are non-compositional.
Goal: Automatic Incremental Robustification
SLIDE 10 Specifying Hybrid Systems
Definition (Hybrid Programs)
- Assign: x := θ
- Sequence: α; β
- Test: ?ϕ
- Iteration: α*
- Choice: α ∪ β
- ODEs: {x₁′ = θ₁, ..., xₙ′ = θₙ & H}
Differential Dynamic Logic (dL) formulas describe reachability properties of hybrid programs using modalities: [α]ϕ and ⟨α⟩ϕ.
SLIDE 11 Specifying Hybrid Systems
(Figure: the box modality [ ]ϕ illustrated graphically; only the modality survives extraction.)
SLIDE 15 Example: A Hybrid Systems Specification in dL
A > 0∧B > 0∧T > 0∧v ≥ 0∧ v 2
2B +obs ≤ x ≤ obs
→ [{ {?(x ≥
( AT +v)2 2 B
+ obs); a := A ∪ a := −B }; c := 0; {x′ = v, v ′ = a, c′ = 1 ∧ v ≥ 0 ∧ c ≤ T } }∗]x ≤ obs
- Parametric controller design
- Non-determinism
- Symbolic constraints on parameters
5
SLIDE 16 Verifying a Simple Hybrid System in KeYmaera X
KeYmaera X is a trustworthy and scriptable hybrid systems theorem prover.
- Trustworthy: All prover automation passes through a small soundness-critical core (< 2 KLOC).
- Scriptable: KeYmaera X provides a DSL for writing proof search programs.
SLIDE 17 Example: Adding Actuation Error
A > 0 ∧ B > 0 ∧ T > 0 ∧ v ≥ 0 ∧ v²/(2B) + obs ≤ x ≤ obs →
  [{ {?(x ≥ ((A)T+v)²/(2(B)) + obs); a := A ∪ a := −B}; c := 0; {x′ = v, v′ = a, c′ = 1 ∧ v ≥ 0 ∧ c ≤ T} }*] x ≤ obs
SLIDE 18 Example: Adding Actuation Error
A > 0 ∧ B > 0 ∧ T > 0 ∧ v ≥ 0 ∧ 0 < ε < A ∧ ε < B ∧ v²/(2B±ε) + obs ≤ x ≤ obs →
  [{ {?(x ≥ ((A±ε)T+v)²/(2(B±ε)) + obs); a := A±ε ∪ a := −B±ε}; c := 0; {x′ = v, v′ = a, c′ = 1 ∧ v ≥ 0 ∧ c ≤ T} }*] x ≤ obs
SLIDE 19 Example: Adding Actuation Error
A > 0 ∧ B > 0 ∧ T > 0 ∧ v ≥ 0 ∧ 0 < ε < A ∧ ε < B ∧ v²/(2B−ε) + obs ≤ x ≤ obs →
  [{ {?(x ≥ ((A+ε)T+v)²/(2(B−ε)) + obs); a := A+ε ∪ a := −B−ε}; c := 0; {x′ = v, v′ = a, c′ = 1 ∧ v ≥ 0 ∧ c ≤ T} }*] x ≤ obs
SLIDE 20 Co-Transformation of Models and Tactics
Simple Model:
  ImplyR(1) & loop(p(x,v,a,A,B), 1) <(
    QE,
    QE,
    splitCases(1) <(
      chase(1) & ODE & QE,
      chase(1) & ODE & QE
    )
  )
Simple Model + Uncertainty:
  ImplyR(1) & loop(p(x,v,a,A+ε,B−ε), 1) <(
    QE,
    QE,
    splitCases(1) <(
      chase(1) & ODE & QE,
      chase(1) & ODE & QE
    )
  )
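As an added example (my own Python, not code from the talk or from KeYmaera X), the step from slide 18's ± to slide 19's worst case, and the single parameter substitution that slide 20 applies to both model and tactic: the sign pair is chosen by maximising the guard's stopping-distance bound, that choice is checked against sampled actuation realizations, and the same substitution A ↦ A+ε, B ↦ B−ε is applied to the guard text and to the loop invariant. Parameter values are constructed.

```python
import itertools
import random
import re

def stopping_bound(A, B, T, v):
    """The slide's guard bound (A·T + v)² / (2B)."""
    return (A * T + v) ** 2 / (2 * B)

def worst_case_signs(A, B, T, v, eps):
    """Resolve slide 18's ± into slide 19: try both signs for the acceleration and braking
    errors and keep the pair that makes the guard's stopping-distance bound largest."""
    bounds = {(sa, sb): stopping_bound(A + sa * eps, B + sb * eps, T, v)
              for sa, sb in itertools.product((+1, -1), repeat=2)}
    return max(bounds, key=bounds.get)    # (+1, -1): accelerate with A+ε, brake with B−ε

def robust_bound(A, B, T, v, eps):
    """Slide 19's guard bound ((A+ε)T + v)² / (2(B−ε))."""
    return stopping_bound(A + eps, B - eps, T, v)

def dominates_all_realizations(A, B, T, v, eps, samples=500, seed=0):
    """Why the worst case suffices: for every actual actuation (A', B') in
    [A−ε, A+ε] × [B−ε, B+ε] (four corners plus random samples) the realized bound is at most
    the robustified bound, so the robust guard implies the guard of every realization."""
    rng = random.Random(seed)
    bound = robust_bound(A, B, T, v, eps)
    pts = [(A + sa * eps, B + sb * eps) for sa, sb in itertools.product((1, -1), repeat=2)]
    pts += [(rng.uniform(A - eps, A + eps), rng.uniform(B - eps, B + eps)) for _ in range(samples)]
    return all(stopping_bound(a, b, T, v) <= bound + 1e-12 for a, b in pts)

def cotransform(guard, tactic, eps="ε"):
    """Slide 20's co-transformation: the one substitution A ↦ A+ε, B ↦ B−ε is applied both to
    the controller guard and to the loop invariant p(x,v,a,A,B) in the tactic script
    (whole-word matches only, so identifiers such as ODE or QE are untouched)."""
    subst = {"A": f"(A+{eps})", "B": f"(B-{eps})"}
    apply = lambda text: re.sub(r"\b([AB])\b", lambda m: subst[m.group(1)], text)
    return apply(guard), apply(tactic)
```

The dominance check is a sampled sanity check, not a proof; the actual proof obligation is what the co-transformed tactic discharges in KeYmaera X.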
SLIDE 21 Incremental Robustification via Model/Proof Co-Transformation
- Tractable initial verification
- Verification of robustified models re-uses ideas from the initial safety proof (?)
- Compositional robustification
- Re-verification is expensive (manual effort) ×
- Re-verification is expensive (computationally)
SLIDE 25 Incremental Robustification via Refinement
System α refines system β (α ≤ β) if every state reachable by α is also reachable by β.
- Many robustifications are refinements (after changing environment and controller).
- Refinement makes direct use of the initial safety property:
    [β]ϕ    α ≤ β
    ─────────────
        [α]ϕ
- ≤ has a well-understood algebraic structure.
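To make the refinement criterion concrete, an added example (my own Python, not the talk's or KeYmaera X's code): it gives the hybrid-program constructs of slide 10 a set-based reachability semantics, samples the slide's ODE on a grid of durations, and checks α ≤ β as reachable-set inclusion on constructed initial states. It keeps the slide's assignments a := A and a := −B unchanged and only strengthens the guard with the slide 19 worst case (A+ε, B−ε); the parameter values and initial states are made up.

```python
# Added illustration: set-based reachability for the discrete hybrid-program constructs plus
# the slide's ODE {x'=v, v'=a, c'=1 & v>=0 & c<=T}, with durations sampled on a finite grid.
# States are tuples (x, v, a, c); parameter values and initial states are constructed.

def reach(prog, s):
    """Set of states reachable from state s by one run of hybrid program prog."""
    kind = prog[0]
    if kind == "assign":                 # ('assign', slot, f): slot := f(s)
        t = list(s); t[prog[1]] = prog[2](s); return {tuple(t)}
    if kind == "test":                   # ('test', phi): ?phi keeps s iff phi(s)
        return {s} if prog[1](s) else set()
    if kind == "seq":                    # ('seq', a, b): a; b
        return set().union(*(reach(prog[2], t) for t in reach(prog[1], s)))
    if kind == "choice":                 # ('choice', a, b): a ∪ b
        return reach(prog[1], s) | reach(prog[2], s)
    if kind == "ode":                    # ('ode', T, n): closed-form flow at n+1 durations
        x, v, a, c = s
        out = set()
        for k in range(prog[2] + 1):
            t = prog[1] * k / prog[2]
            if v + a * t >= 0 and c + t <= prog[1]:   # evolution domain (v is linear in t)
                out.add((x + v * t + a * t * t / 2, v + a * t, a, c + t))
        return out
    raise ValueError(kind)

def refines(alpha, beta, inits):
    """alpha ≤ beta (slide 22): every state alpha reaches is also reachable by beta."""
    return all(reach(alpha, s) <= reach(beta, s) for s in inits)

def controller(A, B, T, obs, guard_A, guard_B):
    """The slide's loop body {?(x ≥ (A·T+v)²/(2B) + obs); a := A ∪ a := −B}; c := 0; ODE,
    with the guard's parameters separated so the guard can be robustified on its own."""
    bound = lambda s: (guard_A * T + s[1]) ** 2 / (2 * guard_B) + obs
    accel = ("seq", ("test", lambda s: s[0] >= bound(s)), ("assign", 2, lambda s: A))
    brake = ("assign", 2, lambda s: -B)
    body = ("seq", ("choice", accel, brake), ("assign", 3, lambda s: 0.0))
    return ("seq", body, ("ode", T, 4))

A, B, T, OBS, EPS = 2.0, 3.0, 1.0, 10.0, 0.5
INITS = [(x, v, 0.0, 0.0) for x in (10.0, 14.0, 20.0, 30.0) for v in (0.0, 2.0, 6.0)]

def robust_guard_refines():
    """Slide 19's worst case (A+ε, B−ε) strengthens the guard, so it refines the original."""
    return refines(controller(A, B, T, OBS, A + EPS, B - EPS), controller(A, B, T, OBS, A, B), INITS)

def best_case_guard_refines():
    """Resolving ± the other way (A−ε, B+ε) weakens the guard: not a refinement."""
    return refines(controller(A, B, T, OBS, A - EPS, B + EPS), controller(A, B, T, OBS, A, B), INITS)
```

Sampling ODE durations and initial states can only refute refinement, never establish it; the talk's point is that the refinement relation itself is proved once and the initial [β]ϕ proof is reused.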
SLIDE 28 Conclusions and Further Thoughts
Automatic incremental robustification automates common changes to CPS models.
Further Thoughts:
- It would be nice to have automatic robustification procedures for high-fidelity models of common sensors and actuators.
- Notions of robustness are describable in differential game logic (dGL); the automation story is unclear.
Thanks: KeYmaera X developers (Stefan Mitsch, André Platzer, Brandon Bohrer, Jan-David Quesel)
Advertisement: KeYmaera X Tutorial at FM this year!