Formal Verification and Digital Filters Diane Gallois-Wong - - PowerPoint PPT Presentation

Formal Verification and Digital Filters

Diane Gallois-Wong

supervised by Sylvie Boldo and Thibault Hilaire

Universit´ e Paris-Sud, LRI (Orsay), Inria Saclay

CICM – Doctoral Program – August 13, 2018

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 1 / 11

Digital Filters

Signal processing: audio, video, various physical measurements ֒ → communication, control systems in robotics, automotive, aeronautics, etc.

ime ime

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 2 / 11

Digital Filters

Signal processing: audio, video, various physical measurements ֒ → communication, control systems in robotics, automotive, aeronautics, etc.

Time Time

Analog signal Digital signal continuous time t ∈ R discrete time k ∈ Z

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 2 / 11

Digital Filters

Signal processing: audio, video, various physical measurements ֒ → communication, control systems in robotics, automotive, aeronautics, etc.

Time Time

Analog signal Digital signal continuous time t ∈ R discrete time k ∈ Z

Digital filter H : H u(k)

input

y(k)

• utput

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 2 / 11

LTI Filters

Digital filter H : H u(k)

input

y(k)

• utput

Linear Time-Invariant (LTI) filter: compatible with addition H(u1 + u2) = H(u1) + H(u2) scalar multiplication H(λu) = λH(u) delay H(m → u(m − K))(k) = H(u)(k − K) Example: y(k) = u(k) − 3y(k − 1)

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 3 / 11

Theory and Practice: Finite Precision

Theory: mathematical definition ∀k ∈ Z. y(k) = u(k) − 3y(k − 1) infinite precision (real numbers R) ↓ Practice: implementation foreach k do y(k) ← u(k) − 3 ∗ y(k − 1) end finite precision

(floating- or fixed-point numbers)

֒ → rounding errors

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 4 / 11

Theory and Practice: Finite Precision

Theory: mathematical definition ∀k ∈ Z. y(k) = u(k) − 3y(k − 1) infinite precision (real numbers R) ↓ Practice: implementation foreach k do y(k) ← u(k) − 3 ∗ y(k − 1) end finite precision

(floating- or fixed-point numbers)

֒ → rounding errors which propagate and may accumulate: y ∗(k) ← u(k) ⊖ 3 ⊗ y ∗(k − 1)

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 4 / 11

Theory and Practice: Finite Precision

Theory: mathematical definition ∀k ∈ Z. y(k) = u(k) − 3y(k − 1) infinite precision (real numbers R) ↓ Practice: implementation foreach k do y(k) ← u(k) − 3 ∗ y(k − 1) end finite precision

(floating- or fixed-point numbers)

֒ → rounding errors which propagate and may accumulate: y ∗(k) ← u(k) ⊖ 3 ⊗ y ∗(k − 1) y ∗(k) ← ֓ y ∗(k − 1) ← ֓ y ∗(k − 2) ← ֓ ...

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 4 / 11

Using Fixed-Point Numbers

Fixed-point numbers: faster computations, less energy consumption than floating-point numbers ֒ → used for digital filters in embedded systems

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 5 / 11

Using Fixed-Point Numbers

Fixed-point numbers: faster computations, less energy consumption than floating-point numbers ֒ → used for digital filters in embedded systems They try to use as few significant digits as possible: bigger rounding errors than using floating-point numbers risk of overflow (exceeding the greatest representable value)

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 5 / 11

Controlling Rounding Errors in Digital Filters

But robotics, automotive, aeronautics etc. are critical domains How to ensure that rounding errors do not cause critical failures in digital filters?

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 6 / 11

Controlling Rounding Errors in Digital Filters

But robotics, automotive, aeronautics etc. are critical domains How to ensure that rounding errors do not cause critical failures in digital filters? Error analysis with pen-and-paper proofs [Hilaire, Lopez 2013] etc. Formal methods [Akbarpour, Tahar 2007] [Siddique, Mahmoud, Tahar 2018] etc.

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 6 / 11

Objective of my PhD and First Contributions

Objective: formal analysis of rounding errors in Coq Current formalization includes: Various algorithms for LTI filters and equivalences between them Theorem of the Error Filter to study propagation of errors Worst-Case Peak-Gain Theorem to bound the final error

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 7 / 11

One Realization to Represent them all

Filters can be defined under various forms, called realizations:

y(k) =

n

• i=0

biu(k − i) −

n

• i=1

aiy(k − i)        e(k) ← u(k) −

n

• i=1

aie(k − i) y(k) ←

n

• i=1

bie(k − i)

• x(k + 1)

= Ax(k) + Bu(k) y(k) = Cx(k) + Du(k)

Coq definitions and proofs : Three realizations: Direct Forms I and II, and State-Space Corresponding filters are LTI Transformation functions between them that preserve the filter

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 8 / 11

One Realization to Represent them all

Filters can be defined under various forms, called realizations:

y(k) =

n

• i=0

biu(k − i) −

n

• i=1

aiy(k − i)        e(k) ← u(k) −

n

• i=1

aie(k − i) y(k) ←

n

• i=1

bie(k − i)

• x(k + 1)

= Ax(k) + Bu(k) y(k) = Cx(k) + Du(k)

Coq definitions and proofs : Three realizations: Direct Forms I and II, and State-Space Corresponding filters are LTI Transformation functions between them that preserve the filter ֒ → we can choose one of them to do the error analysis

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 8 / 11

Error Propagation: the Error Filter

We can compute a filter Hε such that:

H Hε u(k) ε(k) + y(k) ∆y(k) y ∗(k)

where y(k) : output of infinite-precision model filter H y∗(k) : output of actual implemented filter ε(k) : vector of errors in individual computations at step k

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 9 / 11

Error Propagation: the Error Filter

We can compute a filter Hε such that:

H Hε u(k) ε(k) + y(k) ∆y(k) y ∗(k)

where y(k) : output of infinite-precision model filter H y∗(k) : output of actual implemented filter ε(k) : vector of errors in individual computations at step k

Fixed-point norms: individual computations are correctly rounded ֒ → bound on ε(k)

???

− → bound on ∆y(k)

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 9 / 11

The Worst-Case Peak-Gain Theorem

The Worst-Case Peak-Gain H = |D| + ∞

k=0

• CAkB
• f filter H

verifies: bound for the input

× H

• −

− − − − − − → bound for the output ∀k. |u(k)| ≤ M ∀k. |y(k)| ≤ H × M H The value of H is in R (it may be equal to +∞) and it is optimal

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 10 / 11

Conclusion and Future Work

Formalized1 in Coq: equivalence between forms of definition, theorem of the Error Filter, Worst-Case Peak-Gain theorem

1www.lri.fr/~gallois/code/coq-digital-filters-CICM18.tgz

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 11 / 11

Conclusion and Future Work

Formalized1 in Coq: equivalence between forms of definition, theorem of the Error Filter, Worst-Case Peak-Gain theorem To complete formal error analysis: Formalize two’s complement fixed-point arithmetic in Coq Prove that

H = |D| + ∞

k=0

• CAkB
• can be well approximated

Bound errors in correctly rounded individual computations

1www.lri.fr/~gallois/code/coq-digital-filters-CICM18.tgz

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 11 / 11

Conclusion and Future Work

Formalized1 in Coq: equivalence between forms of definition, theorem of the Error Filter, Worst-Case Peak-Gain theorem To complete formal error analysis: Formalize two’s complement fixed-point arithmetic in Coq Prove that

H = |D| + ∞

k=0

• CAkB
• can be well approximated

Bound errors in correctly rounded individual computations Longer-term goal: Automatically generate certified code together with formally proven error bound ...while reordering computations to minimize the rounding errors

1www.lri.fr/~gallois/code/coq-digital-filters-CICM18.tgz

Diane Gallois-Wong (U-PSud, LRI) Formal Verification and Digital Filters August 13, 2018 11 / 11