presentation for 4th international workshop on formal
play

Presentation for 4th International Workshop on Formal Methods for - PowerPoint PPT Presentation

Oct 14, 2023 •20 likes •280 views

Presentation for 4th International Workshop on Formal Methods for Interactive Systems: FMIS 2011, Limerick, Ireland, 21 June 2011 Formal Modeling and Analysis For Interactive Hybrid Systems Ellen J. Bass Systems and Information Engineering,

  1. Presentation for 4th International Workshop on Formal Methods for Interactive Systems: FMIS 2011, Limerick, Ireland, 21 June 2011

  2. Formal Modeling and Analysis For Interactive Hybrid Systems Ellen J. Bass Systems and Information Engineering, University of Virginia Karen M. Feigh School of Aerospace Engineering, Georgia Institute of Technology Elsa Gunter Department of Computer Science, University of Illinois, Urbana-Champaign John Rushby Computer Science Laboratory, SRI International, Menlo Park, California Supported by NSF grant CNS-0720908 and NASA contract NNA10DE79C John Rushby et al Formal Analysis for Interactive Hybrid Systems 1

  3. Premise • Human interactions with automated systems are guided by mental models (Craik 1943) • Exact nature of the models is a topic of debate and research ◦ Behavioral representation that allows mental simulation ⋆ e.g., state machine ◦ Stimulus/response rules ◦ Both We’ll assume the first of these • An automation surprise can occur when the behavior of the real system and the mental model diverge • Can discover potential surprises by model checking ◦ Build state machines for the system and its model, explore all possible behaviors looking for significant divergences • This works! (Rushby 1997) John Rushby et al Formal Analysis for Interactive Hybrid Systems 2

  4. Mental Models • Aviation psychologists elicit pilot’s actual mental models • However, a well-designed system should induce an effective model, and the purpose of training is to develop this • So can construct plausible mental models by extracting state machines from training material, then applying known psychological simplification processes (Javaux 1998) ◦ Frequential simplification ◦ Inferential simplification • But there are some basic properties that should surely be true of any plausible mental model ◦ e.g., pilots can predict whether their actions will cause the plane to climb or descend • Yet many avionics systems are so poor that they provoke an automation surprise even against such core models • We will use models of this kind John Rushby et al Formal Analysis for Interactive Hybrid Systems 3

  5. System Models • The real system will have many parts, and possibly complex internal behavior • But there is usually some externally visible physical plant ◦ e.g., a car, airplane, vacuum cleaner, iPod • And what humans care about, and represent in their mental models, is the behavior of the plant • And divergence between a mental model and the real system should be in terms of this plant behavior ◦ e.g., does the car or plane go in the right direction, does the vacuum cleaner use the brush or the hose, does the iPod play the right song? • So our analysis should model the plant behavior • Did not do this previously, just the plant controller John Rushby et al Formal Analysis for Interactive Hybrid Systems 4

  6. Hybrid Systems • Many plants are modelled by differential equations ◦ e.g., 6 DOF models for airplanes • Compounded by different sets of equations in different discrete modes ◦ e.g., flap extension • These models are called hybrid systems ◦ Combine discrete (state machine) and continuous (differential equation) behavior • The full system model will be the composition of the hybrid plant model with its controller and its interface and. . . • Can do accurate simulations (e.g., Matlab) • But that’s just one run at a time, we need all runs • And formal analysis of hybrid systems is notoriously hard John Rushby et al Formal Analysis for Interactive Hybrid Systems 5

  7. Relational Abstractions • We need to find suitable abstractions (i.e., approximations) for hybrid systems that are sufficiently accurate for our purposes, and are easy to analyze • Several abstractions available for hybrid systems, we use a very recent kind called relational abstractions (Tiwari 2011) • For each discrete mode, instead of differential equations to specify evolution of continuous variables, give a relation between them that holds in all future states (in that mode) • Accurate relational abstractions for hybrid systems require specialized invariant generation and eigenvalue analysis • But for our purposes, something much cruder suffices ◦ e.g., if pitch angle is positive, then altitude in the future will be greater than it is now • Rather than derive these rel’ns, we assert them as our spec’n John Rushby et al Formal Analysis for Interactive Hybrid Systems 6

  8. Model Checking Infinite State Systems • Our relational abstractions get us from hybrid systems back to state machines • But these state machines are still defined over continuous quantities (i.e., mathematical real numbers) ◦ Altitude, roll rate, etc. • How do we model check these? ◦ i.e., do fully automatic analysis of all reachable states ◦ When there’s potentially an infinite number of these • We can do it by Bounded Model Checking (BMC) over the theories decided by a solver for Satisfiability Modulo Theories (SMT) ◦ This is infinite BMC John Rushby et al Formal Analysis for Interactive Hybrid Systems 7

  9. SMT Solvers: Disruptive Innovation in Theorem Proving • SMT solvers extend decision procedures with the ability to handle arbitrary propositional structure ◦ Previously, case analysis was handled heuristically or interactively in a front end theorem prover ⋆ Where must be careful to avoid case explosion ◦ SMT solvers use the brute force of modern SAT solving • Or, dually, they generalize SAT solving by adding the ability to handle arithmetic and other decidable theories • Typical theories: uninterpreted functions with equality, linear arithmetic over integers and reals, arrays of these, etc. • There is an annual competition for SMT solvers • Very rapid growth in performance • Biggest advance in formal methods in last 25 years John Rushby et al Formal Analysis for Interactive Hybrid Systems 8

  10. Bounded Model Checking (BMC) • Given system specified by initiality predicate I and transition relation T on states S • Is there a counterexample to property P in k steps or less? • i.e., can we find an assignment to states s 0 , . . . , s k satisfying I ( s 0 ) ∧ T ( s 0 , s 1 ) ∧ T ( s 1 , s 2 ) ∧ · · · ∧ T ( s k − 1 , s k ) ∧ ¬ ( P ( s 1 ) ∧ · · · ∧ P ( s k )) • Try for k = 1 , 2 , . . . • Given a Boolean encoding of I , T , and P (i.e., circuits), this is a propositional satisfiability (SAT) problem • If I , T , and P are over the theories decided by an SMT solver, then this is an SMT problem ◦ Then called Infinite Bounded Model Checking (inf-BMC) • Works for LTL (via B¨ uchi automata), not just invariants • Extends to verification via k -induction John Rushby et al Formal Analysis for Interactive Hybrid Systems 9

  11. Specifying Relations • Most model checking notations specify state variables of new state in terms of those in the old; may be nondeterministic • For example, guarded command in SAL ◦ pitch > 0 --> alt’ IN { x: REAL | x > alt } If pitch is positive, new value of alt is bigger than old one • But how do we say that x and y get updated such that ◦ x*x + y*y < 1 ? • Various possibilities, depending on the model checker, but one way that always works is to use a synchronous observer • Main module makes nondeterministic assignments to x and y • Observer module sets ok false if relation is violated ◦ NOT(x*x + y*y < 1) --> ok’ = FALSE • Model check for the property we care about only when ok is true: G(ok IMPLIES property) John Rushby et al Formal Analysis for Interactive Hybrid Systems 10

  12. Example: Airbus Speed Protection • Systems similar to that described below were used in A310, A320, A330, and A340 airplanes; this is the A320 version • Autothrottle modes ◦ SPD: try to maintain speed set in the FCU • Autopilot vertical modes and submodes ◦ VS/FPA: fly at the fight path angle specified in the FCU ◦ OP CLB: climb toward target altitude set in the FCU, using max thrust at the FPA that maintains set airspeed ◦ OP DES: ...if target altitude is lower than current • Speed protection ◦ On descent in SPD VS/FPA modes, allow overspeed ◦ But if it exceeds the MAX, change to OP mode ◦ Will be OP CLB if target altitude is above current ◦ MAX speed is lower when flaps are extended John Rushby et al Formal Analysis for Interactive Hybrid Systems 11

  13. Modeling Airbus Speed Protection • Composition of three main components ◦ Pilots: nondeterministically set vertical mode, dial values into FCU, deploy flaps ⋆ Organized by mental mode (descend, climb, level) ◦ Automation: determines actual mode and applies control laws to determine thrust and pitch ◦ Airplane: uses thrust and pitch values, and flap setting, to calculate airplane trajectory (altitude and airspeed) • Plus constraints, which is an observer that sets ok to enforce plausible relations among pitch, altitude, etc. • And observer, which sets alarm if airplane climbs while mental mode is descend • Model check for G(ok IMPLIES NOT alarm) John Rushby et al Formal Analysis for Interactive Hybrid Systems 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal

Formal Analysis of Correctness of a Strategy for the KRK Chess Endgame Fifth Workshop on Formal and Automated Theorem Proving and Applications. Belgrade, February 3-4, 2012. Marko Malikovi Mirko ubrilo Predrag Janii Faculty of Humanities

406 views • 27 slides
1 Fifth Workshop on Lambda Calculus and Formal Grammar 2 Fifth Workshop on Lambda Calculus and

1 Fifth Workshop on Lambda Calculus and Formal Grammar 2 Fifth Workshop on Lambda Calculus and

1 Fifth Workshop on Lambda Calculus and Formal Grammar 2 Fifth Workshop on Lambda Calculus and Formal Grammar A Type-Theoretic View of Dynamic Logic Philippe de Groote LORIA &amp; Inria-Lorraine 3 Fifth Workshop on Lambda Calculus and

1.12k views • 82 slides
Model Checking Infinite-state Systems in SAL Bruno Dutertre, SRI International Automated Formal

Model Checking Infinite-state Systems in SAL Bruno Dutertre, SRI International Automated Formal

Computer Science Laboratory, SRI International Model Checking Infinite-state Systems in SAL Bruno Dutertre, SRI International Automated Formal Methods FLoC Workshop Seattle, August 21st 2006. Computer Science Laboratory, SRI International

470 views • 10 slides
CAV Workshop Fun With Formal Methods, St Petersburg, Russia, 13 July 2013 based on Crazy

CAV Workshop Fun With Formal Methods, St Petersburg, Russia, 13 July 2013 based on Crazy

CAV Workshop Fun With Formal Methods, St Petersburg, Russia, 13 July 2013 based on Crazy Ideas talk, 9 Nov 2012 The Ontological Argument In PVS What Does This Really Prove? John Rushby Computer Science Laboratory SRI International

754 views • 44 slides
Formal Theory, Informally Jonathan Worthington German Perl Workshop 2007 Formal Theory,

Formal Theory, Informally Jonathan Worthington German Perl Workshop 2007 Formal Theory,

Formal Theory, Informally Jonathan Worthington German Perl Workshop 2007 Formal Theory, Informally RED TAPE HOLDS UP NEW BRIDGE Formal Theory, Informally INCLUDE YOUR CHILDREN WHEN BAKING COOKIES Formal Theory, Informally PORTABLE

860 views • 85 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Welcome and Introduction Peter D. Karp, Ph.D. Bioinformatics Research Group SRI International

Welcome and Introduction Peter D. Karp, Ph.D. Bioinformatics Research Group SRI International

Welcome and Introduction Peter D. Karp, Ph.D. Bioinformatics Research Group SRI International SRI International Bioinformatics 1 Pathway Tools Workshop Workshop format First three days formal presentations Last two days

349 views • 17 slides
Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on

Formal Models and Analysis for Self-Adaptive Cyber- Physical Systems International Conference on Formal Aspects of Component Software, Besanon, France, 19 th October 2016. Prof. Dr. Holger Giese Head of the System Analysis &amp; Modeling

704 views • 47 slides
BENIN: BENIN: EXPE EXPERIENCE RIENCES WITH TW S WITH TWO O FORMAL TRAINING FORMAL T

BENIN: BENIN: EXPE EXPERIENCE RIENCES WITH TW S WITH TWO O FORMAL TRAINING FORMAL T

5 th International Conference, 23-24 April 2013, Johannesburg BENIN: BENIN: EXPE EXPERIENCE RIENCES WITH TW S WITH TWO O FORMAL TRAINING FORMAL T RAINING CER CERTIFI TIFICA CATES TES Roger Adanhounzo, Expert on Informal

707 views • 8 slides
AGENDA 1. Formal meeting 2. Management presentation 3. Q&amp;A period 0 NPI.TO Formal Meeting

AGENDA 1. Formal meeting 2. Management presentation 3. Q&amp;A period 0 NPI.TO Formal Meeting

Annual General Meeting May 19, 2015 AGENDA 1. Formal meeting 2. Management presentation 3. Q&amp;A period 0 NPI.TO Formal Meeting Call to Order Notice of Meeting Quorum and Voting Procedure Presentation of Financial

847 views • 39 slides
ICFCA 2014 12 th International Conference on Formal Concept Analysis Cluj-Napoca, Transylvania,

ICFCA 2014 12 th International Conference on Formal Concept Analysis Cluj-Napoca, Transylvania,

ICFCA 2014 12 th International Conference on Formal Concept Analysis Cluj-Napoca, Transylvania, Romania June 10-13, 2014 Formal Concept Analysis is a fjeld of applied ma- The International Conference on Formal Concept Analysis thematics with

249 views • 3 slides
NARIC Study on Formal Recognition of Non-formal and Informal Learning RPL Bologna Seminar

NARIC Study on Formal Recognition of Non-formal and Informal Learning RPL Bologna Seminar

NARIC Study on Formal Recognition of Non-formal and Informal Learning RPL Bologna Seminar Jenneke Lokhoff Policy Officer 12 December 2008 Background (1) National and international Lifelong Learning strategies Increasing number of

348 views • 18 slides
Annex-4 Formal vs. Non-formal Debate ICT in Non-Formal Education ad hoc, not

Annex-4 Formal vs. Non-formal Debate ICT in Non-Formal Education ad hoc, not

Annex-4 Formal vs. Non-formal Debate ICT in Non-Formal Education ad hoc, not hierarchically structured, standardized chronologically graded, for the standardized Anir Chowdhury for the mainstream dropouts Policy Advisor

395 views • 5 slides
Program: Examples of Kandal and Prey Veng Province International Workshop International Workshop

Program: Examples of Kandal and Prey Veng Province International Workshop International Workshop

Experience of Integration DRR Into Commune Development and Investment Program: Examples of Kandal and Prey Veng Province International Workshop International Workshop People Centered Approach in Flood and Land Management in the Mekong Basin:

751 views • 16 slides
Agile Formal Methods Reiner H ahnle 6th International KeY Symposium Nomborn 15th June 2007

Agile Formal Methods Reiner H ahnle 6th International KeY Symposium Nomborn 15th June 2007

Agile Formal Methods Reiner H ahnle 6th International KeY Symposium Nomborn 15th June 2007 Agile FM KeY Workshop 2007 1 / 8 Agile Methods Agile software developmentis a conceptual framework for undertaking software engineering

377 views • 19 slides
International Workshop on Country Practices in Compilation of International Merchandise Trade

International Workshop on Country Practices in Compilation of International Merchandise Trade

International Workshop on Country Practices in Compilation of International Merchandise Trade Statistics Presentation of Sri Lanka Background The liberalized economic policies were introduced in 1978 in Sri Lanka. Under the environment of

137 views • 3 slides
Energetically Optimal Flapping Flight via a Fully Discrete Adjoint Method with Explicit Treatment

Energetically Optimal Flapping Flight via a Fully Discrete Adjoint Method with Explicit Treatment

Energetically Optimal Flapping Flight via a Fully Discrete Adjoint Method with Explicit Treatment of Flapping Frequency Jingyi Wang, Matthew J. Zahr , and Per-Olof Persson CFD-36, Optimization Techniques for CFD AIAA Aviation Sheraton

360 views • 34 slides
Orchestrator High Availability tutorial Shlomi Noach GitHub PerconaLive 2018 About me

Orchestrator High Availability tutorial Shlomi Noach GitHub PerconaLive 2018 About me

Orchestrator High Availability tutorial Shlomi Noach GitHub PerconaLive 2018 About me @github/database-infrastructure Author of orchestrator , gh-ost , freno , ccql and others. Blog at http://openark.org @ShlomiNoach Agenda

1.39k views • 106 slides
The$UX$Lifecycle$ Selected material from The UX Book , Hartson &amp; Pyla The UX Life Cycle

The$UX$Lifecycle$ Selected material from The UX Book , Hartson &amp; Pyla The UX Life Cycle

The$UX$Lifecycle$ Selected material from The UX Book , Hartson &amp; Pyla The UX Life Cycle Iterative, evaluation-centered, UX lifecycle template to evolve UX design Iteration: All or part repeated for purpose of exploring, fixing, or

326 views • 13 slides
Adaptive Textile Technology with Adaptive Cooling and Heating (ATTACH) Lead PI: Professor Joseph

Adaptive Textile Technology with Adaptive Cooling and Heating (ATTACH) Lead PI: Professor Joseph

Adaptive Textile Technology with Adaptive Cooling and Heating (ATTACH) Lead PI: Professor Joseph Wang Co-PIs: Prof. Renkun Chen, Prof. Sungho Jin, Prof. Shirley Meng, Prof. Sheng Xu, Dr. Chulmin Choi and Irena Ilcheva ARPA-E (DELTA) -

459 views • 7 slides
Learning From Data Lecture 20 Multilayer Perceptron Multiple layers Universal Approximation

Learning From Data Lecture 20 Multilayer Perceptron Multiple layers Universal Approximation

Learning From Data Lecture 20 Multilayer Perceptron Multiple layers Universal Approximation The Neural Network M. Magdon-Ismail CSCI 4100/6100 recap: Unsupervised Learning k -Means Clustering Gaussian Mixture Model P ( x ) x Hard

699 views • 18 slides
INSERT TITLE SLIDE HERE Practical planning And exporting options ASD iPad Masterclass Keeping

INSERT TITLE SLIDE HERE Practical planning And exporting options ASD iPad Masterclass Keeping

INSERT TITLE SLIDE HERE Practical planning And exporting options ASD iPad Masterclass Keeping up to date after today App Smackdown Write your favourite apps on Padlet We will share them soon! Our turn first...... Ready-made Target specific

644 views • 25 slides
Global Optimization of continuous MinMax problem Dominique Monnet, Jordan Ninin, Beno t Cl

Global Optimization of continuous MinMax problem Dominique Monnet, Jordan Ninin, Beno t Cl

Min Max problem in control Global optimization for Min max problems Benchmark Conclusion Global Optimization of continuous MinMax problem Dominique Monnet, Jordan Ninin, Beno t Cl ement LAB-STICC, UMR 6285 / ENSTA-Bretagne 1 / 23

971 views • 64 slides
Do we need a new Internet? Part 2: Motivations for Change Adrian Perrig Network Security Group,

Do we need a new Internet? Part 2: Motivations for Change Adrian Perrig Network Security Group,

Do we need a new Internet? Part 2: Motivations for Change Adrian Perrig Network Security Group, ETH Zrich Worst Internet Security Problems? Malware (worms, viruses, etc.) Spyware Ransomware APT HTTP-based attacks Spam,

424 views • 17 slides

More recommend