Correctness and Control for Human Cyber-Physical Systems Dorsa Sadigh Advisors: Sanjit A. Seshia, S. Shankar Sastry University of California, Berkeley Department of Electrical Engineering and Computer Sciences Non-Zero-Sum-Games and Control, Schloss Dagstuhl February 3, 2015
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Motivation: Safety Critical Human CPS Giving guarantees about the performance of control algorithms for safety critical Human CPS is a challenging problem. 2 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions The Human CPS Problem Interface Layer human autonomous control control Shared or Swtiched Control Setting Performing a task and satisfaction of properties. 3 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions The Human CPS Problem Interface Layer envrionment speci fj cation human system human autonomous control control Shared or Swtiched Control Setting Performing a task and satisfaction of properties. 3 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions The Human CPS Problem Interface Layer envrionment speci fj cation human system human autonomous One challenge is detecting why and control control when the robot is going to fail and Shared or Swtiched Control Setting transfer control to the human in such scenarios. Performing a task and satisfaction of properties. 3 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Contributions • Formalization of human-in-the-loop control systems. 1 4 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Contributions • Formalization of human-in-the-loop control systems. 1 • Proposing a new take on specification , algorithm and output of controller synthesis from Temporal Logic specifications for human-in-the-loop systems. 4 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Contributions • Formalization of human-in-the-loop control systems. 1 • Proposing a new take on specification , algorithm and output of controller synthesis from Temporal Logic specifications for human-in-the-loop systems. - Extracting specifications from high level guidelines . - Mining and Monitoring assumptions about the environment. - Advisory controller that decides whether the human or autonomous system should be in control. 4 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Contributions • Formalization of human-in-the-loop control systems. 1 • Proposing a new take on specification , algorithm and output of controller synthesis from Temporal Logic specifications for human-in-the-loop systems. - Extracting specifications from high level guidelines . - Mining and Monitoring assumptions about the environment. - Advisory controller that decides whether the human or autonomous system should be in control. system envrionment speci fj cation system envrionment speci fj cation human 1. Synthesis for Human-in-the-Loop Control Systems. W. Li, D. Sadigh, S. Sastry, S. Seshia. TACAS 2014. 4 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Unrealizable Left Turn Example Realizable Autonomous Temporal Spec Synthesis Tool Control Unrealizable :( Synthesizing a controller for a vehicle making an unprotected left turn at a traffic light is unrealizable. Human driver decides how to change the objective or violate the specification. 5 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions National Highway Transportation and Safety Administration Level 0 No Automation Driver is in complete control Level 1 Function Specific Automation precharged brakes Level 2 Combined Function Automation Cruise Control + Lane Keeping Level 3 Limited Self Driving Automation Level 4 Full Self Driving Automation 6 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions National Highway Transportation and Safety Administration Level 0 No Automation Driver is in complete control Level 1 Function Specific Automation precharged brakes Level 2 Combined Function Automation Cruise Control + Lane Keeping Level 3 Limited Self Driving Automation Level 4 Full Self Driving Automation 7 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Level 3: Limited Self Driving Automation “Vehicles at this level of automation enable the driver to cede full control of all safety-critical functions under certain traffic or environmental conditions and in those conditions to rely heavily on the vehicle to monitor for changes in those conditions requiring transition back to driver control. The driver is expected to be available for occasional control, but with sufficiently comfortable transition time. The Google car is an example of limited self-driving automation. ” 1 1. National Highway Traffic Safety Administration. Preliminary statement of policy concerning automated vehicles, May 2013. 8 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Criteria for Human in the Loop Controllers • Monitoring ⋆ Determine if the human intervention is needed based on past and current information. 9 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Criteria for Human in the Loop Controllers • Monitoring ⋆ Determine if the human intervention is needed based on past and current information. • Minimally Intervening ⋆ Invoke human operator only if necessary. 9 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Criteria for Human in the Loop Controllers • Monitoring ⋆ Determine if the human intervention is needed based on past and current information. • Minimally Intervening ⋆ Invoke human operator only if necessary. • Prescient ⋆ Allow sufficient response time for the human operator. 9 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Criteria for Human in the Loop Controllers • Monitoring ⋆ Determine if the human intervention is needed based on past and current information. • Minimally Intervening ⋆ Invoke human operator only if necessary. • Prescient ⋆ Allow sufficient response time for the human operator. • Conditionally Correct ⋆ Controller should operate correctly until the point of human intervention. 9 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Problem Formulation Given: • a high level specification, Temporal Spec • driver’s response time, • a cost function penalizing human’s intervention Autonomous Synthesize a fully autonomous ? Control controller satisfying the specification Or a Human in the Loop Controller Human Control (composition of auto-controller, human operator, advisory controller) that is: ⋆ Monitoring Intervention Response time Cost Function ⋆ Prescient ⋆ Minimally Intervening ⋆ Conditionally correct 10 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Synthesis from GR(1) y Specification: Environment System x ψ env = GF ¬ x Environment Fairness ψ sys = G ( ¬ x → ¬ y ) System Transition I = { x } set of inputs ∧ GF y System Fairness O = { y } set of outputs ψ := ψ env → ψ sys ψ { env , sys } = ψ i ∧ ψ t ∧ ψ f GR(1) Specifications: 11 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Game Graph: Satisfiable Run Specification: ψ env = GF ¬ x ψ sys = G ( ¬ x → ¬ y ) ∧ GF y Env. Sys. x = 0 y = 0 x = 1 y = 1 x = 0 y = 0 x = 1 y = 1 . . . . . . 12 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Game Graph: Satisfiable Run xy Specification: ψ env = GF ¬ x xy ψ sys = G ( ¬ x → ¬ y ) x ¯ ¯ y ∧ GF y xy Each state of the game graph G is x ¯ ¯ y x ¯ ¯ y marked by inputs and outputs. x ¯ ¯ y Env. Sys. x ¯ y x = 0 y = 0 x ¯ y x = 1 y = 1 x = 0 y = 0 x = 1 y = 1 x ¯ y . . . . . . 12 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Game Graph: Unsatisfiable Run Specification: ψ env = GF ¬ x ψ sys = G ( ¬ x → ¬ y ) ∧ GF y Env. Sys. System transition is x = 0 y = 0 satisfied, but system x = 0 y = 0 fairness is violated. x = 0 y = 0 The specification is x = 0 y = 0 unrealizable. . . . . . . 13 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Game Graph: Unsatisfiable Run xy Specification: xy ψ env = GF ¬ x x ¯ ¯ y ψ sys = G ( ¬ x → ¬ y ) ∧ GF y xy ¯ x ¯ y x ¯ ¯ y x ¯ ¯ y Env. Sys. System transition is x = 0 y = 0 x ¯ y satisfied, but system x = 0 y = 0 x ¯ y fairness is violated. x = 0 y = 0 The specification is x = 0 y = 0 unrealizable. . . . . x ¯ y . . 13 / 27
Motivation NHTSA Guideline Human-in-the-Loop Control Control Advisor Future Directions Generating Counterstrategy Graph Realizable Autonomous Temporal Spec Synthesis Tool Control Unrealizable Counterstrategy Graph 14 / 27
Recommend
More recommend
![Verified Cyber-Physical Systems [FM11] 2 Verified Cyber-Physical Systems x l x j](https://c.sambuz.com/1033063/verified-cyber-physical-systems-s.jpg)
