Challenge Parasara Sridhar Duggirala, Chuchu Fan, Sayan Mitra, and - - PowerPoint PPT Presentation



SLIDE 1

Meeting A Powertrain Verification Challenge

Parasara Sridhar Duggirala, Chuchu Fan, Sayan Mitra, and Mahesh Viswanathan


SLIDE 4

Powertrain Control Systems

  • Fuel control and transmission subsystem
  • Software control: increasing complexity (100M LOC)
  • Constraints: emissions, efficiency, etc.
  • Strict performance requirements
  • Early bug detection using formal methods
  • Powertrain control benchmarks from Toyota, Jin et al. [HSCC’14]
    • Complexity “similar” to industrial systems
    • Benchmark tool/challenge problems for academic research

CAV 2015 4

This paper: verifying one of the models in the powertrain control benchmark

SLIDE 5

Verifying Powertrain Control System

(Challenges)

CAV 2015 5

Figure (verification flow): a Hybrid Systems Model (polynomial ODE plant + modes of operation) and the property $\mathrm{rise} \Rightarrow \Box_{[\eta,\zeta]}\,\lambda \in [0.98\,\lambda_{\mathrm{ref}},\ 1.02\,\lambda_{\mathrm{ref}}]$ are given to C2E2 (Hybrid Systems Verification Tool), which answers Yes / No.


SLIDE 8

Verifying Powertrain Control System

(Challenges)

  • Hybrid systems verification
    • Undecidable in general [simple continuous dynamics $\dot x = 1,\ \dot y = 2$]
  • Nonlinear Ordinary Diff. Eqns. – scalability problems

CAV 2015 8

Figure (verification flow): property $\mathrm{rise} \Rightarrow \Box_{[\eta,\zeta]}\,\lambda \in [0.98\,\lambda_{\mathrm{ref}},\ 1.02\,\lambda_{\mathrm{ref}}]$ given to C2E2 (Hybrid Systems Verification Tool), which answers Yes / No.

Plant dynamics (Model III):

$$\dot p = c_1\Big(2\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - c_{12}\,(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)\Big)$$
$$\dot\lambda = c_{26}\Big(c_{15} + c_{16}c_{25}F_c + c_{17}c_{25}^2F_c^2 + c_{18}\dot m_c + c_{19}\dot m_c c_{25}F_c - \lambda\Big)$$
$$\dot p_e = c_1\Big(2c_{23}\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - (c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)\Big)$$
$$\dot i = c_{14}(c_{24}\lambda - c_{11})$$

where

$$F_c = \frac{1}{c_{11}}\big(1 + i + c_{13}(c_{24}\lambda - c_{11})\big)(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2), \qquad \dot m_c = c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)$$

SLIDE 9

Outline

  • Motivation & Challenges
  • Powertrain Benchmark
  • Specification
  • Simulation Based Verification Technique
  • Engineering
  • Verification Results
  • Conclusions and Future Work

CAV 2015 9

SLIDE 10

Powertrain Systems Benchmark

(previous work)

  • Falsification techniques: S-Taliro, Annpureddy et al. [TACAS’11]; Breach, Donzé et al. [CAV’10]
  • Requirement mining (also found bugs), Jin et al. [HSCC’13]
  • Simulation guided Lyapunov analysis, Balkan et al. [ICC’15], and more

CAV 2015 10

Benchmark models:
  • Model I: Delay Differential Equations + Lookup Tables + Hierarchical Components
  • Model II: Nonlinear ODE Plant (non-polynomial) + Discrete update control software
  • Model III: Polynomial ODE Plant + Continuous controller + Modes of operation

SLIDE 11

Powertrain Systems Benchmark

(previous work)

  • Falsification techniques: S-Taliro, Annpureddy et al. [TACAS’11]; Breach, Donzé et al. [CAV’10]
  • Requirement mining (also found bugs), Jin et al. [HSCC’13]
  • Simulation guided Lyapunov analysis, Balkan et al. [ICC’15], and more

  • Our contribution:
    • Formal verification of Model III*
    • Bridging simulations and verification

CAV 2015 11

Model III: Polynomial ODE Plant + Continuous controller + Modes of operation


SLIDE 14

Powertrain Model

(Model III)

  • Hybrid System of 4 modes (with inputs)
  • Real valued variables – Ordinary Diff. Eqns.
    λ – air/fuel ratio, p – intake manifold pressure, p_e – estimate of p, i – PI control variable
  • Transitions – input signal θ_in

CAV 2015 14

Figure (mode automaton): modes startup ($\dot x = f_s(x)$), normal ($\dot x = f_n(x)$), sensor_fail ($\dot x = f_{sf}(x)$) and power ($\dot x = f_p(x)$); transition guards timer = T, θ_in ≤ 50°, θ_in ≥ 70°, sensorFail. Plots of θ_in against t and λ against t.

No feedback control: open-loop mode, feedforward estimator. Feedback control: closed-loop mode, feedback PI control + feedforward estimator.


SLIDE 18

Powertrain Model

(Challenges)

  • How to handle input signals?
  • Nonlinearity of ODE

CAV 2015 18

Consider a family of input signals θ_in and construct a closed hybrid system.

Figure (closed mode automaton): modes startup ($\dot x = f_s(x)$), normal ($\dot x = f_n(x)$), sensor_fail ($\dot x = f_{sf}(x)$) and power ($\dot x = f_p(x)$); the θ_in guards are replaced by timer guards timer = T, timer ∈ I_1, timer ∈ I_2, plus sensorFail. Plot of θ_in against t with the intervals I_1 and I_2 marked.

Closed loop dynamics:

$$\dot p = c_1\Big(2\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - c_{12}\,(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)\Big)$$
$$\dot\lambda = c_{26}\Big(c_{15} + c_{16}c_{25}F_c + c_{17}c_{25}^2F_c^2 + c_{18}\dot m_c + c_{19}\dot m_c c_{25}F_c - \lambda\Big)$$
$$\dot p_e = c_1\Big(2c_{23}\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - (c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)\Big)$$
$$\dot i = c_{14}(c_{24}\lambda - c_{11})$$

where

$$F_c = \frac{1}{c_{11}}\big(1 + i + c_{13}(c_{24}\lambda - c_{11})\big)(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2), \qquad \dot m_c = c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)$$


SLIDE 21

Powertrain Specification

  • Signal Temporal Logic: temporal specification for signals
  • Encoded as safety properties

CAV 2015 21

Example STL properties (figure: plots of x against t with the required band shaded):

$$\Box_{[60,100]}\ |x| < 0.1 \qquad\qquad \Box_{[0,100]}\ x \in [1,3]$$
$$\mathrm{rise} \Rightarrow \Box_{[\eta,\zeta]}\,\lambda \in [0.98\,\lambda_{\mathrm{ref}},\ 1.02\,\lambda_{\mathrm{ref}}]$$

(figure: λ against t for trajectories from the initial set, settling into the band around λ_ref between times η and ζ)

The same requirements as unsafe sets over the time-augmented state:

$$U \triangleq (x < -0.1 \lor x > 0.1) \land (t \ge 60 \land t \le 100)$$
$$U \triangleq (x < 1 \lor x > 3) \land (t \le 100)$$

Verification goal: given initial set Θ and switching signals σ, prove that the unsafe set U is not reached. Technique: reachability computation.
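The encoding on slides 19–21, as an added Python example (not code from the talk or from C2E2): a bounded "always" property is evaluated directly on a sampled signal and, equivalently, as avoidance of an unsafe set over the time-augmented state (t, x); the settling requirement rise ⇒ □[η,ζ] λ ∈ [0.98 λ_ref, 1.02 λ_ref] is checked relative to each rise instant. The two signals, the rise instants, λ_ref = 14.7 and the values of η and ζ are constructed for the demonstration and are not data from the benchmark.

```python
import math

# --- constructed sample signals (not data from the talk) -------------------
def sample(fn, t_end=100.0, step=0.1):
    """Sample fn on [0, t_end]; times are rounded so that 60.0 and 100.0 compare exactly."""
    n = int(round(t_end / step))
    times = [round(i * step, 9) for i in range(n + 1)]
    return [(t, fn(t)) for t in times]

# x(t): a decaying transient, used for the two properties of slide 19
X_SIGNAL = sample(lambda t: 0.5 * math.exp(-t / 15.0))

# lambda(t): air/fuel ratio that overshoots by 10% at each "rise" instant and then settles
LAM_REF = 14.7                 # assumed reference air/fuel ratio (constructed value)
RISE_TIMES = [10.0, 50.0]      # constructed rise instants

def lam_of_t(t):
    past_rises = [tr for tr in RISE_TIMES if tr <= t]
    if not past_rises:
        return LAM_REF
    return LAM_REF * (1.0 + 0.10 * math.exp(-(t - past_rises[-1]) / 3.0))

LAMBDA_SIGNAL = sample(lam_of_t)

# --- STL bounded "always", evaluated on the samples --------------------------
def always(signal, a, b, pred):
    """Box_[a,b] pred: pred holds at every sample whose time lies in [a, b]."""
    return all(pred(x) for t, x in signal if a <= t <= b)

# --- the same requirement as a safety property (slides 20/21) ----------------
def unsafe_set_of_always(a, b, pred):
    """U over the time-augmented state (t, x): a <= t <= b and not pred(x)."""
    return lambda t, x: a <= t <= b and not pred(x)

def avoids(signal, unsafe):
    """Safety: no sample of the signal lies in U."""
    return not any(unsafe(t, x) for t, x in signal)

# --- rise => Box_[eta, zeta] lambda in [(1 - tol) lam_ref, (1 + tol) lam_ref] ---
def settles_after_rise(signal, rise_times, eta, zeta, lam_ref, tol=0.02):
    band = lambda lam: (1.0 - tol) * lam_ref <= lam <= (1.0 + tol) * lam_ref
    # the window [eta, zeta] is relative to each rise instant t_r, as in the slide's figure
    return all(always(signal, tr + eta, tr + zeta, band) for tr in rise_times)

if __name__ == "__main__":
    small = lambda x: abs(x) < 0.1
    in_band = lambda x: 1.0 <= x <= 3.0
    print(always(X_SIGNAL, 60, 100, small), avoids(X_SIGNAL, unsafe_set_of_always(60, 100, small)))
    print(always(X_SIGNAL, 0, 100, in_band), avoids(X_SIGNAL, unsafe_set_of_always(0, 100, in_band)))
    print(settles_after_rise(LAMBDA_SIGNAL, RISE_TIMES, 6.0, 20.0, LAM_REF))
    print(settles_after_rise(LAMBDA_SIGNAL, RISE_TIMES, 3.0, 20.0, LAM_REF))
```

Both evaluations agree on every property by construction, which is the point of the encoding: once the requirement is a set U over (t, x), a reachability tool only has to show that the reach set of the time-augmented system misses U. On the constructed λ signal the settling property holds for η = 6 and fails for η = 3, because the 10% overshoot has not yet decayed into the 2% band three time units after a rise.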

SLIDE 22

Outline

  • Motivation & Challenges
  • Powertrain Benchmark
  • Specification
  • Simulation Based Verification Technique
  • Engineering
  • Verification Results
  • Conclusions and Future Work

CAV 2015 22


SLIDE 28

A Simple (Often The Only) Strategy

  • Given start set Θ and unsafe set U
  • Compute finite cover of initial set
  • Simulate from the center x_0 of each cover element
  • Bloat simulation so that bloated tube contains all trajectories from the cover
  • Union = over-approximation of reach set
  • Check intersection/containment with U
  • Refine

28

How much to bloat the sample simulation?

Figure: system $\dot x = f(x)$, initial set Θ with sample point x_0, unsafe set U, and the bloated tube $B_\epsilon(x(t))$ around the simulation x(t).


SLIDE 30

Discrepancy Function

Discrepancy function: capturing the continuity of ODE solutions, i.e. executions that start close stay close.

β is called a discrepancy function of the system if for any two states x_1 and x_2,
$$|x_1(t) - x_2(t)| \le \beta(x_1, x_2, t)$$

30

Figure: initial distance $|x_1 - x_2|$; at time t the distance between x_1(t) and x_2(t) is at most β(x_1, x_2, t).

Discrepancy functions are given as model annotations, i.e. β is given by the user

Use proof techniques in Control Theory to compute discrepancy function [EMSOFT’13]

SLIDE 31

Discrepancy Function

Discrepancy function: capturing the continuity of ODE solutions, i.e. executions that start close stay close.

β is called a discrepancy function of the system if for any two states x_1 and x_2,
$$|\xi(x_1, t) - \xi(x_2, t)| \le \beta(x_1, x_2, t)$$
(ξ(x, t) denotes the solution started at x, evaluated at time t)

31

Figure: initial distance $|x_1 - x_2|$; at time t the distance between ξ(x_1, t) and ξ(x_2, t) is at most β(x_1, x_2, t).

Discrepancy functions are given as model annotations, i.e. β is given by the user

Model III dynamics:

$$\dot p = c_1\Big(2\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - c_{12}\,(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)\Big)$$
$$\dot\lambda = c_{26}\Big(c_{15} + c_{16}c_{25}F_c + c_{17}c_{25}^2F_c^2 + c_{18}\dot m_c + c_{19}\dot m_c c_{25}F_c - \lambda\Big)$$
$$\dot p_e = c_1\Big(2c_{23}\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - (c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)\Big)$$
$$\dot i = c_{14}(c_{24}\lambda - c_{11})$$

where

$$F_c = \frac{1}{c_{11}}\big(1 + i + c_{13}(c_{24}\lambda - c_{11})\big)(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2), \qquad \dot m_c = c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega p^2)$$

All known tools failed to find any discrepancy functions


SLIDE 36

On-The-Fly Discrepancy

  • Computing discrepancy function from simulations and static analysis, Fan & Mitra [ATVA’15]
  • Key principle
    • $J = \partial f / \partial x$
    • If $\mathrm{eig}(J + J^T) < 0$ in R then trajectories converge in R
    • Compute $\max \mathrm{eig}(J + J^T)$ in R
    • Gives a local discrepancy function in region R

CAV 2015 36

Figure: region R of $\dot x = f(x)$ with two trajectories from x_1 and x_2 satisfying
$$|x_1(t) - x_2(t)| \le e^{-\lambda t}\,|x_1 - x_2|$$

We apply on-the-fly discrepancy function for verifying powertrain control system
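The strategy of slides 23–28 (cover the initial set, simulate from each centre, bloat with a discrepancy function, compare the tube with U, refine), the discrepancy function of slides 29–31 and the on-the-fly rate of slides 33–36, carried through as an added Python example. This is not code from the talk or from C2E2: the two-dimensional plant f, the initial box Θ, the unsafe half-plane U = {x : x_1 ≥ bound} and the thresholds are constructed for the demonstration. The discrepancy used is the standard contraction bound |ξ(x_1,t) − ξ(x_2,t)| ≤ e^{rate·t}|x_1 − x_2| with rate the largest eigenvalue of (J + Jᵀ)/2, which is exact here because the plant is linear (its Jacobian is constant); for a nonlinear plant the rate has to be bounded over the whole region R, which the example does not attempt.

```python
import math

# Constructed demonstration plant (NOT the powertrain model): a damped rotation
#   x1' = -x1 + 2*x2,   x2' = -2*x1 - x2
# J is constant, so the convergence rate computed below holds exactly on every
# region R. For a nonlinear f the rate must be bounded over all of R (the talk's
# C2E2 extension uses interval arithmetic for that); this example does not.
def f(x):
    x1, x2 = x
    return (-x1 + 2.0 * x2, -2.0 * x1 - x2)


def jacobian(g, x, h=1e-6):
    """J = dg/dx at x by central differences; J[i][j] = d g_i / d x_j."""
    n = len(x)
    J = [[0.0] * n for _ in range(n)]
    for j in range(n):
        xp, xm = list(x), list(x)
        xp[j] += h
        xm[j] -= h
        gp, gm = g(xp), g(xm)
        for i in range(n):
            J[i][j] = (gp[i] - gm[i]) / (2.0 * h)
    return J


def contraction_rate(g, x):
    """Largest eigenvalue of (J + J^T)/2 at x (closed form for the 2x2 case).
    A negative value means trajectories converge: |xi(x1,t) - xi(x2,t)| <= e^{rate t}|x1 - x2|.
    (The slides state the sign test on J + J^T; the factor 1/2 gives the rate in the exponent.)"""
    J = jacobian(g, x)
    a, d = J[0][0], J[1][1]
    b = 0.5 * (J[0][1] + J[1][0])
    return 0.5 * (a + d) + math.sqrt((0.5 * (a - d)) ** 2 + b * b)


def simulate(g, x0, T, dt):
    """Fixed-step RK4; returns the sampled trajectory [(t, x), ...]."""
    x = tuple(x0)
    samples = [(0.0, x)]
    for k in range(1, int(round(T / dt)) + 1):
        k1 = g(x)
        k2 = g(tuple(xi + 0.5 * dt * ki for xi, ki in zip(x, k1)))
        k3 = g(tuple(xi + 0.5 * dt * ki for xi, ki in zip(x, k2)))
        k4 = g(tuple(xi + dt * ki for xi, ki in zip(x, k3)))
        x = tuple(xi + dt / 6.0 * (a + 2 * b + 2 * c + d)
                  for xi, a, b, c, d in zip(x, k1, k2, k3, k4))
        samples.append((k * dt, x))
    return samples


def check_cell(g, cell, unsafe_x1, rate, T, dt, depth, max_depth, stats):
    """One cover element: simulate from its centre, bloat with the discrepancy
    function, compare the tube with U = {x : x1 >= unsafe_x1}, refine if needed.
    The tube is checked at the simulation samples only; a complete tool also
    bounds the drift of the trajectory between consecutive samples."""
    (lo1, hi1), (lo2, hi2) = cell
    c = (0.5 * (lo1 + hi1), 0.5 * (lo2 + hi2))
    delta = math.hypot(0.5 * (hi1 - lo1), 0.5 * (hi2 - lo2))  # ball B_delta(c) covers the cell
    stats["simulations"] += 1
    tube_touches_unsafe = False
    for t, x in simulate(g, c, T, dt):
        if x[0] >= unsafe_x1:
            return "unsafe"              # the sample trajectory itself reaches U
        # bloated tube: every trajectory from the cell stays within delta*e^{rate t} of x(t)
        if x[0] + delta * math.exp(rate * t) >= unsafe_x1:
            tube_touches_unsafe = True   # over-approximation touches U: inconclusive
    if not tube_touches_unsafe:
        return "safe"
    if depth >= max_depth:
        return "unknown"
    # refine: split the cell into four quadrants (finer cover, smaller delta)
    m1, m2 = c
    quadrants = [((lo1, m1), (lo2, m2)), ((m1, hi1), (lo2, m2)),
                 ((lo1, m1), (m2, hi2)), ((m1, hi1), (m2, hi2))]
    verdicts = set()
    for q in quadrants:
        v = check_cell(g, q, unsafe_x1, rate, T, dt, depth + 1, max_depth, stats)
        if v == "unsafe":
            return "unsafe"
        verdicts.add(v)
    return "unknown" if "unknown" in verdicts else "safe"


def verify(g, init_box, unsafe_x1, T=2.0, dt=0.005, max_depth=4):
    """Simulation-based safety check of x' = g(x) from the initial box Theta against
    U = {x : x1 >= unsafe_x1} over [0, T]. Returns (verdict, number of simulations)."""
    centre = tuple(0.5 * (lo + hi) for lo, hi in init_box)
    rate = contraction_rate(g, centre)   # exact for this plant because J is constant
    stats = {"simulations": 0}
    verdict = check_cell(g, init_box, unsafe_x1, rate, T, dt, 0, max_depth, stats)
    return verdict, stats["simulations"]


if __name__ == "__main__":
    THETA = ((0.8, 1.2), (0.8, 1.2))     # constructed initial set
    for bound in (1.31, 1.2):
        print(bound, verify(f, THETA, bound))
```

With the bound at 1.31 the coarse tube from the single centre simulation touches U, one round of refinement into four cells proves safety with five simulations in total; with the bound at 1.2 a refined centre simulation itself enters U, which is a concrete counterexample, so the answer is "unsafe" rather than merely "the over-approximation intersects U". Exhausting the refinement budget before either outcome yields "unknown", which is the honest third answer of this approach.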


SLIDE 38

Engineering

  • Domain Transformation:
    If eig(J + Jᵀ) returns values close to 0, the test fails to prove convergence of trajectories. A linear basis transformation is performed to obtain a useful discrepancy function. Involves multiplicative costs.
  • Model reduction:
    The differential equation was reduced to a simpler one in the power and start-up modes.
  • Performance Tuning:
    How often to perform the domain transformation.
  • Implementation in C2E2 [TACAS’15]:
    Extension of the C2E2 tool using the Eigen library and interval arithmetic for matrix norms.

CAV 2015 38

SLIDE 39

Powertrain Verification Results

Verified many key specifications for a given set of driver behaviors

CAV 2015 39

| Property | Mode | Sat | Sim. | Time | Type |
|---|---|---|---|---|---|
| $\Box\,\lambda \in [0.8\,\lambda_{\mathrm{ref}},\ 1.2\,\lambda_{\mathrm{ref}}]$ | all modes | Yes | 53 | 11m58s | Safety |
| $\Box\,\lambda \in [0.8\,\lambda_{\mathrm{ref}},\ 1.2\,\lambda_{\mathrm{ref}}]$ | startup | Yes | 50 | 10m21s | Safety |
| $\Box\,\lambda \in [0.8\,\lambda_{\mathrm{ref}},\ 1.2\,\lambda_{\mathrm{ref}}]$ | normal | Yes | 50 | 10m21s | Safety |
| $\Box\,\lambda \in [0.8\,\lambda_{\mathrm{ref}}^{\mathrm{pwr}},\ 1.2\,\lambda_{\mathrm{ref}}^{\mathrm{pwr}}]$ | power | Yes | 53 | 11m12s | Safety |
| $\Box\,\lambda \in [0.8\,\lambda'_{\mathrm{ref}},\ 1.2\,\lambda'_{\mathrm{ref}}]$ | power | No | 4 | 0m43s | Safety |
| $\mathrm{rise} \Rightarrow \Box_{(\eta,\zeta)}\,\lambda \in [0.98\,\lambda_{\mathrm{ref}},\ 1.02\,\lambda_{\mathrm{ref}}]$ | normal | Yes | 50 | 10m15s | Performance |
| $(\ell = \mathrm{pwr}) \Rightarrow \Box_{(\eta,\zeta)}\,\lambda \in [0.95\,\lambda_{\mathrm{ref}},\ 1.05\,\lambda_{\mathrm{ref}}]$ | power | Yes | 53 | 11m35s | Performance |
| $(\ell = \mathrm{pwr}) \Rightarrow \Box_{(\eta/2,\zeta)}\,\lambda \in [0.95\,\lambda_{\mathrm{ref}},\ 1.05\,\lambda_{\mathrm{ref}}]$ | power | No | 4 | 0m45s | Performance |

(Sim. = number of simulations used; Sat = whether the property was proved to hold.)

SLIDE 40

Reachable Set

CAV 2015 40

SLIDE 41

Conclusions and Future Work

  • Verified the polynomial hybrid system model in the Powertrain Control Benchmark
  • Scalability of the dynamic analysis tool C2E2 to handle systems of industrial complexity

Future Work:

  • Handling properties with path integrals
  • New algorithms for handling other models in the benchmark

CAV 2015 41

SLIDE 42

Thank You

  • Xiaoqing Jin
  • Jyotirmoy Deshmukh
  • Jim Kapinski
  • Koichi Ueda
  • Ken Butts

CAV 2015 42

Questions?