 
1st HYCON PhD School on Hybrid Systems (www.ist-hycon.org, www.unisi.it)
Verification of Hybrid Systems
George Pappas, University of Pennsylvania, USA (pappasg@central.cis.upenn.edu)

Hybrid systems combine continuous dynamics (differential or difference equations) typical of physical plants and discrete dynamics (automata and logical conditions) typical of control logic. By combining disciplines of computer science and systems and control theory, research on hybrid systems provides a solid theory and computational tools for the analysis, simulation, verification, and control design of "embedded systems", and is used in a large variety of applications (automotive systems, air traffic management, biological systems, process industries, and many others).

HYSCOM: IEEE CSS Technical Committee on Hybrid Systems. Siena, July 19-22, 2005, Rectorate of the University of Siena.
Verification of hybrid systems
George J. Pappas, Departments of ESE and CIS, University of Pennsylvania (pappasg@ee.upenn.edu, http://www.seas.upenn.edu/~pappasg)
HYCON Summer School on Hybrid Systems, Siena, Italy, July 19-22, 2005
Thanks to the School Organizers, Alberto Bemporad and Maurice Heemels, and to HYCON.

Acknowledgments
Collaborators: Rajeev Alur, M. Babaali, Calin Belta, Antoine Girard, Volkan Isler, Ali Jadbabaie, John Koo, Vijay Kumar, Insup Lee, Stephen Prajna, Paulo Tabuada, Herbert Tanner.
Postdocs: Agung Julius.
Ph.D. students: Ali Ahmazadeh, George Fainekos, Hadas Kress Gazit, Truong Nghiem, Mahmut Serkar, Hakan Yazarel, Michael Zavlanos.
Support: NSF Career, PECASE, NSF ITR (2), NSF EHS (3), ARO MURI (2), DARPA HURT, Honeywell.

Lecture goals
Why hybrid systems? Emphasis on some engineering examples.
Modeling of hybrid systems. Emphasis on abstraction and refinement.
Analysis of hybrid systems. Emphasis on algorithmic verification.
Approximations of discrete and continuous systems. Emphasis on approximate (bi)-simulation.
Warning: all questions and answers are biased and incomplete!

Outline of lectures
Lecture 1: Examples of hybrid systems and hybrid automata. A crash course in formal methods. Why hybrid?
Lecture 2: Abstraction and refinement notions. Discrete abstractions for hybrid systems verification.
Lecture 3: Approximation metrics for discrete/continuous systems. Game theoretic interpretation of bisimulation.
Enabling technologies
Advances in sensor and actuator technology: GPS, control of quantum systems.
Invasion of powerful microprocessors in physical devices: sophisticated software/hardware on board.
Networking everywhere: interconnects subsystems. Latest BMW: 72 networked microprocessors. Boeing 777: 1280 networked microprocessors.
Emerging applications...

Networked embedded systems...
(Figure: several controllers, each with its own SW/HW, connected over a network; each controller drives an actuator and reads a sensor attached to its physical system.) The physical system is continuous, the software is discrete.

Discrete and Continuous: Exporting Science
Control Theory: continuous systems; stability, control; feedback, robustness.
Computer Science: transition systems; composition, abstraction; concurrency models.
Hybrid Systems take composition, abstraction and concurrency from computer science, and robustness, feedback and stability from control theory. Application areas: software controlled systems, multi-modal systems, embedded real-time systems, multi-agent systems.
Embedded System Architecture: Different views...
Computer science perspective: view the physics from the eyes of the software. Modeling result: hybrid automaton.
Control theory perspective: view the software from the eyes of the physics. Modeling result: switched control systems.

Hybrid behavior arises in
Hybrid dynamics: the hybrid model is a simplification of a larger nonlinear model.
Quantized control of continuous systems: input and observation sets are finite.
Logic based switching: software is designed to supervise various dynamics/controllers.
Partial synchronization of many continuous systems: resource allocation for competing multi-agent systems.
Hybrid specifications of continuous systems: the plant is continuous, but the specification is discrete or hybrid...

Nuclear reactor example: software model of nuclear reactor
Modes NoRod, Rod1, Rod2 and Shutdown; the temperature T evolves as
Without rods: $\dot{T} = 0.1T - 50$
With rod 1: $\dot{T} = 0.1T - 56$
With rod 2: $\dot{T} = 0.1T - 60$
Rod 1 and 2 cannot be used simultaneously. Once a rod is removed, you cannot use it for 10 minutes.
Specification: keep the temperature between 510 and 550 degrees. If T = 550 then either a rod is available or we shut down the plant.
Hybrid model of nuclear reactor
Initial condition: $T = 510 \wedge y_1 = 10 \wedge y_2 = 10$ in mode NoRod, where the clocks $y_1$, $y_2$ measure the time since each rod was last removed.
NoRod: $\dot{T} = 0.1T - 50$, $\dot{y}_1 = 1$, $\dot{y}_2 = 1$, invariant $T \le 550$.
Rod1: $\dot{T} = 0.1T - 56$, $\dot{y}_1 = 1$, $\dot{y}_2 = 1$, invariant $T \ge 510$.
Rod2: $\dot{T} = 0.1T - 60$, $\dot{y}_1 = 1$, $\dot{y}_2 = 1$, invariant $T \ge 510$.
Shutdown: $\dot{T} = 0.1T - 50$, $\dot{y}_1 = 1$, $\dot{y}_2 = 1$, invariant true.
Transitions: NoRod → Rod1 when $T = 550 \wedge y_1 \ge 10$; NoRod → Rod2 when $T = 550 \wedge y_2 \ge 10$; Rod1 → NoRod when $T = 510$, with reset $y_1 := 0$; Rod2 → NoRod when $T = 510$, with reset $y_2 := 0$; NoRod → Shutdown when $T = 550 \wedge y_1 < 10 \wedge y_2 < 10$.
Partial synchronization (concurrency).
Analysis: is Shutdown reachable? Algorithmic verification: NO.

The train gate
Train model: modes far, near, past, with position x (initially $x \ge 2000$).
far: $-50 \le \dot{x} \le -40$, invariant $x \ge 1000$; at $x = 1000$ the event approach moves to near.
near: $-50 \le \dot{x} \le -30$, invariant $x \ge 0$; at $x = 0$ the train moves to past.
past: $-50 \le \dot{x} \le -30$, invariant $x \ge -100$; at $x = -100$ the event exit returns to far with $x' \in [2000, \infty)$.
Gate model: modes open, lowering, closed, raising, with angle θ (initially θ = 90).
open: θ = 90, invariant true; event lower moves to lowering (raise is a self-loop).
lowering: $\dot{\theta} = -9$, invariant $\theta \ge 0$; at θ = 0 the gate moves to closed.
closed: θ = 0, invariant true; event raise moves to raising (lower is a self-loop).
raising: $\dot{\theta} = 9$, invariant $\theta \le 90$; at θ = 90 the gate moves to open.
Controller model: modes idle, going to lower, going to raise, with clock y.
idle: $\dot{y} = 1$, invariant true; approach resets y := 0 and moves to going to lower; exit resets y := 0 and moves to going to raise.
going to lower: $\dot{y} = 1$, invariant $y \le d$; emits lower and returns to idle (an exit resets y := 0 and switches to going to raise).
going to raise: $\dot{y} = 1$, invariant $y \le d$; emits raise and returns to idle (an approach resets y := 0 and switches to going to lower).
System = Train || Gate || Controller.
Safety specification: if the train is within 10 meters of the crossing, then the gate should be completely closed.
Liveness specification: keep the gate open as much as possible.
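As an added illustration (written for this page, not the slides' own analysis and not HyTech output): the reachability question for the reactor reduces to a finite search, because each mode's duration follows in closed form from $\dot{T} = 0.1T - c$ and a clock only matters up to the 10-minute lockout. The lockout and the initial clock values are exposed as parameters, which is an assumption beyond the slides, so the same search can be rerun for variants of the model.

```python
import math

# Mode dynamics from the slides: dT/dt = 0.1*T - c, one constant c per mode.
C_NOROD, C_ROD1, C_ROD2 = 50.0, 56.0, 60.0
T_LOW, T_HIGH = 510.0, 550.0   # temperature band from the specification
LOCKOUT = 10.0                 # minutes a removed rod stays unavailable

def time_to_reach(t0, t1, c):
    """Closed-form time for dT/dt = 0.1*T - c to drive T from t0 to t1, or None.
    T(t) - 10c = (t0 - 10c) * exp(0.1 t) moves away from the equilibrium 10c,
    so t1 is reached only on the same side of 10c and further from it."""
    a, b = t0 - 10.0 * c, t1 - 10.0 * c
    if a == 0.0 or a * b <= 0.0 or abs(b) < abs(a):
        return None
    return 10.0 * math.log(b / a)

def shutdown_reachable(lockout=LOCKOUT, init_clocks=(10.0, 10.0), eps=1e-9):
    """Explore every rod choice the automaton allows; return (reachable, trace).
    A state is the pair of rod clocks (y1, y2) at the instant T reaches 550 in
    NoRod.  Clocks are only compared with the lockout and only grow or reset to
    0, so capping them at the lockout changes no guard and keeps the space finite."""
    heat = time_to_reach(T_LOW, T_HIGH, C_NOROD)
    cool = (time_to_reach(T_HIGH, T_LOW, C_ROD1), time_to_reach(T_HIGH, T_LOW, C_ROD2))
    if heat is None or None in cool:
        raise ValueError("the modelled dynamics never cross the 510..550 band")
    def cap(y):
        return min(y, lockout)
    start = (cap(init_clocks[0] + heat), cap(init_clocks[1] + heat))
    stack, seen = [(start, [])], set()
    while stack:
        (y1, y2), trace = stack.pop()
        key = (round(y1, 6), round(y2, 6))
        if key in seen:
            continue
        seen.add(key)
        usable = [i for i, y in ((1, y1), (2, y2)) if y >= lockout - eps]
        if not usable:
            return True, trace      # T = 550 with no usable rod: Shutdown
        for rod in usable:
            # rod cools the core to 510, its clock resets on removal (y_i := 0),
            # then NoRod heats back to 550 while both clocks keep running
            dt = cool[rod - 1] + heat
            ny1 = heat if rod == 1 else y1 + dt
            ny2 = heat if rod == 2 else y2 + dt
            stack.append(((cap(ny1), cap(ny2)), trace + [rod]))
    return False, None

if __name__ == "__main__":
    print(shutdown_reachable())   # the slides' answer: Shutdown is not reachable
```

Heating from 510 to 550 takes about 16.1 minutes, longer than the lockout, so a removed rod is always available again by the time it is needed; the search confirms this by visiting a single capped clock state.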
Synchronized transitions: verifying the controller
The train, gate and controller synchronize on the shared events approach, exit, lower and raise: System = Train || Gate || Controller.
Safety specification: can we avoid the set $\theta > 0 \wedge (-10 \le x \le 10)$?
Parametric HyTech verification: YES if $d \le 49/5$.

Research issues
Modeling issues: well posedness, robustness, zenoness.
Analysis: stability issues, qualitative theory, parametric analysis.
Verification: algorithmic methods that verify system performance.
Controller synthesis: algorithmic methods that design hybrid controllers.
Simulation: mixed signal simulation, event detection, modularity.
Code generation: from hybrid models to embedded code.
Complexity: compositionality and hierarchies.
Tools: HyTech, Checkmate, d/dt, HYSDEL, Stateflow, Charon.

Outline of lectures (Lecture 1, continued: a crash course in formal methods)

Transition systems
A transition system $S = (Q, Q_0, \Sigma, \rightarrow, \Pi, \langle \cdot \rangle)$ consists of
a set of states Q;
a subset of initial states $Q_0 \subseteq Q$;
a set of events Σ;
the transition relation $q \xrightarrow{\sigma} q'$;
a set of observations Π;
the observation map $\langle q \rangle = \pi$.
We assume systems to be non-blocking, possibly nondeterministic. The sets Q, Σ and Π may be infinite.

A discrete example: the parking meter
States Q = {0, 1, 2, ..., 60}, events {tick, 5p}, observations {exp, act}. State 0 is observed as exp (expired) and states 1 to 60 as act (active). A tick moves state k to k − 1 (state 0 ticks to itself), and 5p moves state k to k + 5 (the figure shows 5p at 60 looping back to 60).
A possible string of observations: $\mathrm{exp} \xrightarrow{5p} \mathrm{act} \xrightarrow{tick} \mathrm{act} \xrightarrow{tick} \cdots$
The language L(S) is the set of all initialized sequences of observations, and $\mathrm{Reach}(S) = \{ \pi \in \Pi \mid \pi \text{ is reachable by } L(S) \}$.