Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes



SLIDE 1

Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes

Samuel Breese Fotis Kopsaftopoulos Carlos Varela Rensselaer Polytechnic Institute Dynamic Data Driven Application Systems (DDDAS) Session International Workshop on Structural Health Monitoring (IWSHM) Stanford, September 12, 2019

SLIDE 2

Dynamic Data Driven Aerospace Systems

SLIDE 3

Overview

◮ Dynamic data-driven systems introduce complexity
◮ Often used in safety-critical domains (e.g. aerospace)
◮ Formal methods can yield stronger safety guarantees than testing

SLIDE 4

Formal Methods

◮ Computer-checked logical reasoning about a system
◮ Both automated and interactive approaches
◮ Requires a high level of rigor and detail, leading to high development costs
  ◮ Magnified in systems involving stochastic elements
◮ Novel methods and techniques can help offset these costs

SLIDE 5

Hierarchy of Theories

◮ Material set theory
◮ Algebraic theories
◮ Topology
◮ Linear algebra
◮ Real analysis
◮ Measure theory and integration, formal probability
◮ Higher-level statistical results

SLIDE 6

Approach: Safety Envelopes

◮ Analogous to a flight safety envelope in an aircraft
◮ Describes a safe subset of system states
◮ Associates that safe subset with some correctness guarantee
◮ Provable formally in the proof assistant
◮ Checkable in live system through runtime sentinel

SLIDE 7

Workflow

[Diagram with nodes "System model", "Safety envelopes (with proofs)", "Development of software control systems", "Runtime sentinels", "Live system" and "Operator", connected by edges labelled "informs", "inform", "generate", "runs on" and "run on".]

SLIDE 8

Runtime Sentinels

◮ Represent safe subsets as terms in some embedded domain-specific language
◮ Support evaluation to term in proof assistant
◮ Support generation of a program accessible from the runtime system
◮ Bring awareness of state-dependent formal properties to the system as it runs

SLIDE 9

Example: Introduction

◮ We study a model from Kopsaftopoulos and Chang associating a sensor reading from a wing with the likelihood that an aircraft is in a stall state
◮ Model is trained on experimental data from a wind tunnel (data-driven)
◮ We treat pairs of training data and runtime signal as system states
◮ Safe subset: intervals on runtime signal, (approximate) normality in training data

SLIDE 10

Example

SLIDE 11

Example: Model Formalization

We can view the model as a function $m : \mathbb{R}^n \to (\mathbb{R} \to \{\text{Stall}, \text{No Stall}\})$, or $m' : \mathbb{R}^n \times \mathbb{R} \to \{\text{Stall}, \text{No Stall}\}$, which allows us to treat pairs of training data and runtime signal energy as system states.

◮ We know that some intervals of runtime signal lead to “stall” classification
◮ Other intervals lead to “no stall” classification

SLIDE 12

Example: Correctness

We wish to prove that for all signal energies in a given interval, the model behaves in a predictable way.

◮ There is a set of signal energy means and variances $D(T)$ taken from the experimental data $T$ at various airspeeds and angles of attack.
◮ Let $S(T) \subseteq D(T)$ correspond to stall states.
◮ Model (partial) correctness can be expressed as:

$$\forall (x, T : \mathbb{R} \times \mathbb{R}^n).\ (x, T) \in \text{Safe} \rightarrow m'(x, T) = \text{No Stall}$$

where Safe, the safe subset, is all $(x, T)$ satisfying

$$(\forall d \in D(T).\ \text{Gaussian}(d)) \wedge (\forall d \in S(T).\ |x - \mu(d)| > 3\sigma(d)) \wedge (\exists d \in D(T) \setminus S(T).\ |x - \mu(d)| < 3\sigma(d))$$

SLIDE 13

Example: Sentinel

◮ C program testing membership in safe subset
◮ Floating-point arithmetic for safe intervals of runtime signal
◮ Using standard statistical tests for normality on training data
◮ Neither of these are “exact”: disconnect between formal assumption and validation process
◮ Important area for future development

SLIDE 14

Dynamic Data Driven Aerospace Systems

Partial support from: Air Force Office of Scientific Research DDDAS Program, Dr. E. Blasch (AFOSR Grant No. FA9550-19-1-0054.)

SLIDE 15

Extra Slides

SLIDE 16

Experimental Signal Energy to Train Model

[Figure: a plot of Normalized Signal (V) against Time (s) over 0.5 to 5 s, and a second panel whose axis labels are not recoverable from the extracted text.]

SLIDE 17

Pre-processed vs non-preprocessed data (normality visualization)

[Figure: two normality plots, one for the non-preprocessed data and one for the pre-processed data, each showing the Empirical CDF against the Standard Normal CDF with a 99% confidence interval.]

SLIDE 18

Example: Full Correctness

◮ Let $S(T) \subseteq D(T)$ correspond to stall states.
◮ Analogously, the corresponding proposition for the “Stall” classification is similar except for an inversion of the roles of $S(T)$ and $D(T) \setminus S(T)$:

$$\forall (x, T : \mathbb{R} \times \mathbb{R}^n).\ (x, T) \in \text{Safe}' \rightarrow m'(x, T) = \text{Stall}$$

where the new safe subset Safe′ is all $(x, T)$ satisfying

$$(\forall d \in D(T).\ \text{Gaussian}(d)) \wedge (\forall d \in D(T) \setminus S(T).\ |x - \mu(d)| > 3\sigma(d)) \wedge (\exists d \in S(T).\ |x - \mu(d)| < 3\sigma(d)).$$
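As an added example (not code from the presentation or its authors), the following C program shows one way a runtime sentinel of the kind slide 13 describes could test membership in the safe subsets Safe (slide 12) and Safe′ (slide 18). The slides do not name the normality test, so the Jarque-Bera statistic is used here as a stand-in; the per-state summary statistics, the training samples, and every identifier are constructed for illustration and are assumptions, not values from the original work.

```c
/* Added example: a runtime sentinel for the safe subsets Safe and Safe'.
 * Names, statistics and sample data are constructed for illustration and
 * are not from the original presentation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One element d of D(T): mean and standard deviation of the signal energy at
 * one airspeed / angle-of-attack setting, and whether it belongs to S(T). */
typedef struct {
    double mu;
    double sigma;
    bool stall;
} FlightState;

enum Verdict { UNSAFE = 0, SAFE_NO_STALL = 1, SAFE_STALL = 2 };

/* Jarque-Bera statistic as a stand-in for the unnamed "standard statistical
 * test for normality" (assumption). True when the statistic is below the
 * chi-square(2) 95% critical value 5.991. Computed without libm: skewness
 * squared is m3^2 / m2^3, so no square root is needed. */
#define JB_LIMIT_95 5.991

bool approx_gaussian(const double *s, size_t n)
{
    if (n < 4) return false;                     /* too few samples to judge */
    double mean = 0.0;
    for (size_t i = 0; i < n; i++) mean += s[i];
    mean /= (double)n;
    double m2 = 0.0, m3 = 0.0, m4 = 0.0;         /* central moments */
    for (size_t i = 0; i < n; i++) {
        double d = s[i] - mean;
        m2 += d * d; m3 += d * d * d; m4 += d * d * d * d;
    }
    m2 /= (double)n; m3 /= (double)n; m4 /= (double)n;
    if (m2 <= 0.0) return false;                 /* constant sample: not Gaussian */
    double skew_sq = (m3 * m3) / (m2 * m2 * m2);
    double kurt = m4 / (m2 * m2);
    double jb = ((double)n / 6.0) * (skew_sq + (kurt - 3.0) * (kurt - 3.0) / 4.0);
    return jb < JB_LIMIT_95;
}

/* Decide whether (x, T) lies in Safe (-> No Stall is guaranteed), in Safe'
 * (-> Stall is guaranteed) or in neither. training_gaussian stands for the
 * conjunct (forall d in D(T)). Gaussian(d), evaluated once on the training
 * data. The comparisons are strict, exactly as in the two predicates, so a
 * signal lying exactly 3 sigma from a mean is neither "far" nor "near". */
enum Verdict sentinel(double x, const FlightState *d, size_t n, bool training_gaussian)
{
    if (!training_gaussian) return UNSAFE;
    bool far_from_all_stall = true, near_some_no_stall = false;
    bool far_from_all_no_stall = true, near_some_stall = false;
    for (size_t i = 0; i < n; i++) {
        double dist = x - d[i].mu;
        if (dist < 0.0) dist = -dist;            /* |x - mu(d)| */
        double band = 3.0 * d[i].sigma;          /* 3 sigma(d) */
        if (d[i].stall) {
            if (!(dist > band)) far_from_all_stall = false;
            if (dist < band) near_some_stall = true;
        } else {
            if (!(dist > band)) far_from_all_no_stall = false;
            if (dist < band) near_some_no_stall = true;
        }
    }
    if (far_from_all_stall && near_some_no_stall) return SAFE_NO_STALL;
    if (far_from_all_no_stall && near_some_stall) return SAFE_STALL;
    return UNSAFE;
}

/* Constructed D(T): two no-stall settings and one stall setting. */
const FlightState kStates[] = {
    { 0.10, 0.01, false },
    { 0.14, 0.01, false },
    { 0.25, 0.02, true  },
};
const size_t kNumStates = sizeof kStates / sizeof kStates[0];

/* Constructed training samples: one symmetric, one heavily skewed. */
const double kSymmetric[] = { -2, -1, -1, 0, 0, 0, 1, 1, 2 };
const double kSkewed[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10 };

int main(void)
{
    bool ok = approx_gaussian(kSymmetric, 9);
    double probes[] = { 0.10, 0.18, 0.25 };
    for (size_t i = 0; i < 3; i++)
        printf("x = %.2f -> verdict %d\n", probes[i],
               sentinel(probes[i], kStates, kNumStates, ok));
    printf("skewed sample Gaussian? %s\n", approx_gaussian(kSkewed, 12) ? "yes" : "no");
    return 0;
}
```

The probe at 0.18 falls in the gap between the 3σ bands of the no-stall states and the stall state, so the sentinel reports UNSAFE: neither guarantee applies there, and the operator learns that the model's output at that point is outside the proved envelope. The normality check is the weak link slide 13 points at: a finite-sample statistic with a chosen threshold only approximates the formal assumption Gaussian(d), so a sentinel built this way can accept training data that the proof would not.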

SLIDE 19

Example: Proof of Cramér’s Decomposition Theorem

The proof is based on the observation that the characteristic function $\varphi$ of the sum of independent normally distributed random variables $X_1$ and $X_2$ is the product of the characteristic functions of those variables:

$$\varphi_{X_1+X_2}(t) = \varphi_{X_1}(t) \cdot \varphi_{X_2}(t)$$

$$\varphi_{X_1+X_2}(t) = e^{it\mu_1 - \frac{1}{2}\sigma_1^2 t^2} \, e^{it\mu_2 - \frac{1}{2}\sigma_2^2 t^2}$$

$$\varphi_{X_1+X_2}(t) = e^{it(\mu_1+\mu_2) - \frac{1}{2}(\sigma_1^2+\sigma_2^2)t^2}$$

which is the characteristic function of a normal random variable with mean $\mu_1 + \mu_2$ and variance $\sigma_1^2 + \sigma_2^2$.

SLIDE 20

Athena proof of Cramér’s Decomposition Theorem

SLIDE 21

Coq proof of Cramér’s Decomposition Theorem