Invariant-Based Verification and Synthesis for Hybrid Systems - PowerPoint PPT Presentation

Invariant-Based Verification and Synthesis for Hybrid Systems Naijun Zhan Institute of Software, Chinese Academy of Sciences (Joint work with Hengjun Zhao, Jiang Liu, Deepak Kapur, Kim G. Larsen, Liang Zou, etc.) IFIP WG 2.2 Scientific Meeting, IMS, Singapore Sept. 12-16, 2016

Outline  Background  Invariant and Verification  Invariant-Based Synthesis  Case Studies  Conclusion 2

Outline  Background  Invariant and Verification  Invariant-Based Synthesis  Case Studies  Conclusion 3

Classification of Dynamical Systems  Discrete ON OFF  Continuous ( t ) x x  d x f ( x ) 0 d t 4

Hybrid System  Continuous + Discrete Universal Law of Gravitation by Heer Rami http://www.benettonplay.com/toys/flipbookdeluxe/player.php?id=294504 5

Hybrid Automata transition Initial guard x   x  ( )  f 1 x f 2 x ( ) domain 6

HSs in Engineering Electrical Circuits Chemical Process http://people.ee.ethz.ch/~mpt/2/docs/demos/twotanks.php 7

Embedded Control Systems actuator physical discipline logic/computation sensor 8

9 Safety Critical Systems

Motivation  Develop formal methods for enhancing the trustworthiness of safety critical embedded systems  Problems: Verification and Design  System Requirements: mainly safety  Techniques: symbolic/rigorous computation 10

Outline  Background  Invariant and Verification  Invariant-Based Synthesis  Case Studies  Conclusion 11

Deductive Verification  Continuous system  Program x  x:=1; d f ( x ) while (x<=1000000000) d t { x:=x+1; } x ≦ 0 Inductive  Inductive Invariant Invariant  x=1  x ≧ 1  x ≧ 1  x+1 ≧ 1  x ≧ 1  ﹁ ( x ≦ 0 ) 12

Inductiveness  Discrete  Continuous I I Δ t  Inductiveness  Inductiveness        x I x I x ( t ) I x ( t  ) t I  1 k k  Transition relation  Transition relation       x ( x ) ' x ( t  t ) x ( t ) x ( t )  t  k 1 k 13

Lie Derivatives and Invariant x  d f ( x ) d t d p ( x ( t )) p ( x ) = 0  0 d t p ( x ) > 0 d p ( x ( t ))  0 d t d p ( x ( t ))  0 d t 14

Higher-Order Lie Derivatives p ( x ) = 0 1 d p  0 1 d t p ( x ) > 0 1 2 d p d p     0 0 1 2 d t d t d p ( x ( t ))  0 1 2 3 d p d p d p       d t 0 0 0 1 2 3 d t d t d t 1 2 3 d p d p d p         0 0 0 1 2 3 d t d t d t 15

Criterion for Invariant  f ( x ) and p ( x ) are polynomials  Compute an upper bound N s.t. x  d  p ( x ) ≥ 0 is an inductive invariant of f ( x ) d t iff  1 d p   0   0  p  1 d t  1 2 d d p p     0 0 1 2 d t d t     1 2 N d p d p d p         0 0 0  1 2 N d t d t d t  16

Main Result  Semi-algebraic set ,  First-order theory of real numbers is decidable  Quantifier Elimination Checking whether a semi-algebraic set is an inductive invariant of a polynomial continuous dynamical systems is decidable 17

Parametric Case  Parametric polynomials p ( u,x ) x  d  p ( u,x ) ≥ 0 is an inductive invariant of f ( x ) d t iff u satisfies  1 d p  0    0  p ( u , x )  1 d t  Use parametric polynomials and quantifier elimination (or other compuation 1 2 d d p p     0 0 techniques) to automatically discovering 1 2 d t d t inductive invariants     1 2 N d d d p p p         0 0 0  1 2 N d t d t d t  18

Inductive Invariant of HSs Init  Inv Init G 1 12 Inv 1 Inv 2 1 , Inv Inv x  2 x    f 1 x ( ) f 2 x ( )   Inv G Inv 1 12 2 G   21 Inv G Inv 2 21 1 19

Safety Verification  Example  Try to generate an invariant that implies   y   the safety property    x    3   x           x y y   3 S Inv 20

Outline  Background  Invariant and Verification  Invariant-Based Synthesis  Case Studies  Conclusion 21

Problem Description  Given an initial specification of a hybrid system and a safety requirement, construct a refined hybrid system such that the safety requirement is satisfied  domains  guards 22

Nuclear Reactor http://commons.wikimedia.org/wiki/File:Control_rods_schematic.svg 23

Hybrid Automata Model  x : temperature of the reactor  p : fraction of the rod immersed into the reactor 24

Violation of Safety  510 x 550 550 x 510 p 0 1 25

Invariant for Refinement Guard 12 Domain 1 Domain 2 S Inv 26

Result 6575   x 547 . 92 Inv 12 27

Optimization  Further refine the hybrid system according to certain optimization criteria  polynomial objective function + semi-algebraic feasible region  Symbolic optimization 28

Outline  Background  Invariant and Verification  Invariant-Based Synthesis  Case Studies  Oil pump  Lunar lander  Conclusion 29

Oil Pump Switching  First studied in [Cassez et al. HSCC09, 45% improvement]  Provided by the German company HYDAC  Determine the time points to switch the pump on/off s.t.  Safety:  Optimality: minimize 30

Synthesized Switching Controller  v 0 is the initial volume of oil on off on off 31

Performance  Safety  Improve the optimal value of [HSCC09] by 7.5%  The synthesized controller is correct, also optimal 32

Soft Landing 15km Braking 3km Adjustment 2.4km Approach Hovering 100m Obstacle avoidance 30m Slow descent 0m Lunar surface 33

Slow Descent Phase  Trajectory control  Sampling period ： ∆ T = 0.128s  Control objective: v = -2m/s 34

Hybrid Automata Model  Dynamics  Replace the non-polynomial term by a new variable: a = Fc/m

Verification  Safety requirement: | v – (-2)| 0.05  Generated Invariant: Kong, H., He, F., Song, X., Hung,W., Gu, M.: Exponential-condition-based barrier certificate generation for safety verification of hybrid systems. In: CAV’13. pp. 242–257 (2013) 36

Conclusion  Hybrid systems attracts more and more interests with the development of safety critical embedded systems  Invariant plays an important role in the study (formal verification, controller synthesis) of hybrid systems  Semi-algebraic inductive invariant checking for polynomial continuous/hybrid systems is decidable 37

Conclusion  Use parametric polynomials and symbolic computation to automatically discover invariants, and to perform optimization  rigorous  high complexity (may be combined with numeric computation)  Non-polynomial systems transformed to polynomials ones  Case studies show good prospect of proposed methods 38

Related references Hengjun Zhao, Mengfei Yang, Naijun Zhan, Bin Gu, Liang Zou and Yao Chen (2014):  Formal verification of a descent guidance control program of a lunar lander , in Proc. of FM 2014, Lecture Notes in Computer Science 8442 , pp.733-748. Hengjun Zhao, Naijun Zhan and Deepak Kapur (2013): Synthesizing switching  controllers for hybrid systems by generating invariants , in Proc. of the Jifeng Festschrift, Lecture Notes in Computer Science 8051, pp.354-373. Hengjun Zhao, Naijun Zhan, Deepak Kapur, and Kim G. Larsen (2012): A “hybrid”  approach for synthesizing optimal controllers of hybrid systems: A Case study of the oil pump industrial example , in Proc. of FM 2012, Lecture Notes in Computer Science 7436, pp.471-485, 2012. Jiang Liu, Naijun Zhan and Hengjun Zhao (2011): Computing semi-algebraic  invariants for polynomial dynamical systems , in Proc. of EMSOFT 2011, pp.97-106, ACM Press. 39

Thanks! Questions? 40