Verification of Hybrid Systems Using Linear Hybrid Automata Bruce - - PowerPoint PPT Presentation

Verification of Hybrid Systems Using Linear Hybrid Automata

Bruce H. Krogh Department of Electrical and Computer Engineering Carnegie Mellon University Carnegie Mellon University Pittsburgh, Pennsylvania – USA krogh@ece.cmu.edu

1

g @

Standard Model: Hybrid Automata* Standard Model: Hybrid Automata

locations or modes

j

edge guard (discrete states)

i

x  INVj dx/dt  Fj (x) x  INVi ei j: gij(x)0 xjJij(x) jump transformation x  INVi dx/dt  Fi(x) x  Xo i d i initial di i invariant: hybrid automaton may remain in i as long as x  INVi

2

continuous dynamics condition

* Thomas A. Henzinger. The theory of hybrid automata. In Verification of Digital and Hybrid Systems (M.K. Inan, R.P. Kurshan, eds.), NATO ASI Series F: Computer and Systems Sciences, Vol. 170, Springer, 2000, pp. 265-292.

Linear Hybrid Automata Linear Hybrid Automata

All t i t li ffi j All constraints are linear or affine. i

x  INVj dx/dt  Fj x  INVi ei j: gij(x)0 xjJij(x) x  INVi dx/dt  Fi x  Xo

constant polyhedra constant polyhedra

3

Overview Overview

• LHA Reachability
• Approximating Richer Dynamics
• PHAVer
• Iterative Relaxation Abstractions
• Iterative Relaxation Abstractions

4

Reachability with LHA [Halbwachs, Henzinger, 93-97]

9

Reachability with LHA [Halbwachs, Henzinger, 93 97]

• 1. find bounds

d i i invariant

• n derivative
• 2. time elapse by

projection

• 3. compute

successors of successors transitions initial states derivatives in invariant projection cone

5

cone

Overview Overview

• LHA Reachability
• Approximating Richer Dynamics*
• PHAVer
• Iterative Relaxation Abstractions
• Iterative Relaxation Abstractions

6

* Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. Algorithmic analysis of nonlinear hybrid systems. IEEE Transactions on Automatic Control 43:540-554, 1998.

Linear Phase-Portrait Approximation Linear Phase-Portrait Approximation

d t

Goal: Approximate a hybrid automaton H with an LHA, A.

xdot dx/dt Fk(x) maxP e.g., single location, scalar x valid trajectory for H approximating “polydedron” Pk xo valid trajectory for A minP x location invariant minP

7

location invariant minX maxX

Linear Phase-Portrait Approximation: Time-Domain Implications

range of slopes slope maxP x(t) maxX range of slopes allowed by Fk(x(t1)) slope minP x(t1) xo minX t1 te in H

8

te in A

Improving Linear Phase-Portrait Approximations: Mode Splitting

d t xdot Fk(x) maxP2 valid trajectory for H Pk2 P maxP1 xo minP2 Pk1 minP1 x m m minP1

9

minX1 maxX2 X’ mk2 mk1

Linear Phase-Portrait Approximation: Improved Time-Domain Approximation

x(t) maxX X’ xo X t minX te in H

10

te in A

Linear Phase-Portrait Approximation: Higher Dimensions

Pk In general find Pk by xdot2 Fk(Xk)

k

n2 In general find Pk by solving the following

• ptimization problem

in a set of face- n1 n3 normal directions: max ni

T xdot

d t

3

n4 x, xdot s.t. xdot  Fk(x) x  Xk xdot1 Problem: How to choose the ni.

k

11

i

Linear Phase-Portrait Approximations Linear Phase Portrait Approximations

• guaranteed conservative approximations
• refinement introduces more discrete states
• for bounded hybrid automata, arbitrarily close

approximation can be attained using mode splitting approximation can be attained using mode splitting

• sufficient to use rectangular phase-portrait

approximations (ni

T = [0…1…0])

12

Overview Overview

• LHA Reachability
• Approximating Richer Dynamics
• PHAVer
• Iterative Relaxation Abstractions
• Iterative Relaxation Abstractions

13

Th f ll i lid The following slides are excerpts from the following presentation:

PHAVer: Reachability Analysis for Linear Hybrid Systems and Beyond

Goran Frehse Verimag – UJF/CNRS/INPG, Grenoble PHAVer available at http://www verimag imag fr/~frehse/phaver web/index html

14

http://www-verimag.imag.fr/~frehse/phaver_web/index.html

Yet Another Verification Tool?

• Existing not powerful enough

– in practice only 3 - 4 dimensions

• Non-conservative floating-point

tools give wrong results

not reachable according to HDV

g g

– exception: HSOLVER

• Why not use HyTech?

– numerical problems no easy fix

thanks to Zhi Han, CMU

according to HDV Floating Point:

– numerical problems, no easy fix (exact arithm. & 32 bit  overflow) – complexity explosion – limited class of automata (LHA)

Floating-Point: CheckMate (CMU ‘98) HYSDEL (ETH Zurich ‘99) d/dt (Verimag ‘00)

– limited class of automata (LHA)

Predicate Abstraction (UPenn ‘02) HDV (UPenn ‘04) HSOLVER (MPI ’05)

15

Exact Arithmetic: HyTech (Berkeley ‘95)

Polyhedral Hybrid Automaton Verifyer Polyhedral Hybrid Automaton Verifyer

• Reachability Analysis

Hybrid Automata

Model

b A M  

– exact arithmetic – guaranteed overapproximation – complexity management

M, A, b as intervals On-the-fly over-

Model

b Ax x M  

• limiting bits & constraints
• State-of-the-Art Libraries:

– Parma Polyhedra Library

Linear Hybrid Automata approximation

Analysis E i

y y – Gnu MultiPrecision (GMP)

• Compositional Reasoning

computing simulation relations

• Overapprox. with

limited complexity

Engine

– computing simulation relations

Reachable States as Polyhedra limited complexity

Output

16

y

Over-Approximation of Affine Dynamics pp y

• From

to LHA:

affine dynamics LHA dynamics invariant

17

Over-Approximation of Affine Dynamics pp y

• From

to LHA:

• Solutions:

a) project invariant  flow to b) each constraint separately (rectangular, octagonal, etc.)

 projection

• based

constraint-based

18

Limiting the Number of Bits

12

g

• 1. truncate bits of

coefficients

• 2. push plane to
• utside (solve LP)
• 3. snap to next

integer

1 y 109 x 121 y 100 1 y 1 y

coefficients

• utside (solve LP)

integer 7 bit

1 x 6 x 6 y

?

6 x 6 y

?

1 x 600 109 6 x 6 y 600 109 6 x 6 y 1 x 6 x 6 y 6 6 x 6 y 6

3 bit

1 x 1 x 1 x

• Good:

–large problems infeasible without

10000

• Max. # of Bits

li it d

3 bit large problems infeasible without –with limit of constraints  termination

• Bad:

–unbounded error

1000

• Max. Bits

unlimited limited

19

unbounded error

25 50 75 100 125 100 Iteration

Limiting the Number of Constraints g

• Reduce from m to z constraints
• Significance Measure f(m d)

45° 15° 135° A E F

• Significance Measure f(m,d)

– Volume: exp – Slack: LP

–

• max. angle:

m2d

30° 45° 90° B C D

g

 - minij ai

Taj

• Heuristics to choose constraints

– deconstruction:

30 90 C 45° 150° 2 4 F A

drop (m-z) least significant – reconstruction: add z most significant

• Experiments: angle & reconstr

30° 45° 1 3 5 D B C

• Experiments: angle & reconstr.

– 1000  50 in 4 dim: < 2 sec. (1000x faster than slack)

30 1 C

From 6 to 5 constraints

20

Reachability of Tunnel Diode Oscillator Reachability of Tunnel Diode Oscillator

• Efficiency through

IL [mA]

– Adaptation of partitions to dynamics – Overapproximation:

• complex polyhedra

 conservative, simplified polyhedra

G d f

• Good performance

– Reachability with high accuracy in 72s, 127MB

VC [V]

• Tunnel Diode Oscillator

well behaved…

vector field Partition depending

• n dynamics

21

y

Reachability of Voltage Controlled Oscillator Reachability of Voltage Controlled Oscillator

• 3-dim. system with

nonlinearity

• Goal:

Show invariance of Show invariance of cycle

• No success after

20 i 1GB RAM 20min, 1GB RAM

 64x accuracy needed  20h, 64GB? 64GB?

 We need advanced

22

methods

Forward/Backward-Refinement - Concept Forward/Backward-Refinement - Concept

• Task:

Final states

– Show that bad states are not reachable from initial states

• Observation:

– Small partitions in regions not leading to

Reachable states

bad states

• Solution:

– Alternate Alternate forward/backward reachability – Smaller partitions at each

Initial states Partitions

23

p step

Forward/Backward-Refinement - Example Forward/Backward-Refinement - Example

Step 1 ) F d Step 3 a) Restrict final Step 2 ) R t i t fi l a) Forward reachability with coarse partition R a) Restrict final states and invariants to R2 b) Backward a) Restrict final states and invariants to R R1 b) Backward reachability with finer partition R3 R1 b) Backward reachability with finer final states

3

with finer partition R2 not reachable

24

Forward/Backward-Refinement of VCO Forward/Backward-Refinement of VCO

• F/B-Refinement

initial states

VD2

15

steps

– states outside initial states = final (forbidden)

last iteration vanishes

1

– not reachable  any cycle passes through i iti l t t

• verapprox.

harmless

VD1

initial states

• Success

– after 11.5h, 1.7GB C D RAM

• Parallelizable:

– 5.7h, 1.2GB RAM A B

25

, each on two CPUs hybrid automaton

Forward/Backward-Refinement of VCO Forward/Backward-Refinement of VCO

• Computation of

Cyclic Invariant

• F/B-Refinement

– used to find efficient used to find efficient partition – predecessors of DA  = final (forbidden) – intersect reachable part of initial states C D p forward & backward

 Invariant of cycle

– 0 8h 0 7GB RAM A B

26

0.8h, 0.7GB RAM – smooth hybrid automaton

Navigation Benchmark Navigation Benchmark

• Fehnker, Ivancic.

Benchmarks for Hybrid

forbidden direction of equilibrium NAV02

Benchmarks for Hybrid Systems Verification. HSCC'04

initial states velocity initial velocities reachable

• “Balloon driven by wind”

– Moving object in plane 4 di i l i i ffi d i initial states target states reachable states – 4-dimensional piecewise affine dynamics (position, velocity) – equilibrium velocity depends on position

• Instances NAV01-NAV29 with increasing difficulty

sta ces 9 t c eas g d cu ty

• Verification Task: Reachability of forbidden states

www.cse.unsw.edu.au/~ansgar/benchmark/

27

g

Navigation Benchmark Navigation Benchmark

forbidden states NAV02 NAV04 NAV05 initial initial velocities

Tool d/dt Pred Abstr PHAVer TimePass PHAVer PHAVer

states

Tool Instance d/dt Verimag ‘00

• Pred. Abstr.

UPenn‘02 4x250MHz Sun PHAVer ‘05/’06 2.8GHz P4 TimePass

• Stanf. ’06

PIII(!) PHAVer F/B-Ref.’05 3GHz Xeon PHAVer F/B-Ref.’05 2.8GHz P4 NAV01 ~30s 34s 5s 27MB 5s 2MB 5s Doyen, 32s 59MB NAV02 ~150s 153s 68MB 6s 27MB 73s 5MB 10s Henzinger 34s 60MB NAV02 ~150s 153s 68MB 6s 27MB 73s 5MB 10s Henzinger, 34s 60MB NAV03 ? 152s 180MB 6s 27MB 78s 5MB 10s Raskin 33s 60MB NAV04 “

• ?-

8s 48MB 1191s 16MB 75s

• Sept. ‘05

81s 52MB NAV05 “ “    46000s 529MB

28

NAV06 “ “    48000s 575MB

PHAVer References PHAVer References

• Reachability Analysis

PHAVer: Algorithmic Verification of Hybrid Systems past HyTech – PHAVer: Algorithmic Verification of Hybrid Systems past HyTech

• Frehse. HSCC'05

– Time Domain Verification of Oscillator Circuit Properties Frehse, Krogh, Rutenbar, Maler. FAC’05 – Verifying Analog Oscillator Circuits Using Forward/Backward Abstraction Refinement Frehse, Krogh, Rutenbar. DATE’06

• Compositional Reasoning

Co pos t o a easo g

– On Timed Simulation and Compositionality Frehse, FORMATS’06 – Assume-Guarantee Reasoning for Hybrid I/O-Automata by Over- Approximation of Continuous Interaction Approximation of Continuous Interaction Frehse, Han, Krogh. CDC’04

htt // l/ f/

29

http://www.cs.ru.nl/~goranf/

Overview Overview

• LHA Reachability
• Approximating Richer Dynamics
• PHAVer
• Iterative Relaxation Abstraction
• Iterative Relaxation Abstraction
• S. K. Jha, B. H. Krogh, J. E. Weimer, E. M. Clarke, Reachability for linear hybrid automata

using iterative relaxation abstraction, Hybrid Systems: Computation and Control, April 2007.

30

CEGAR (CounterExample Guided Abstraction Refinement)

concrete system construct initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

31

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

complete detailed model

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

32

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

reduced, conservative model

initial abstraction abstraction infeasible t i t construct new b t ti

model

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

33

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

model check the abstraction (faster than for the

initial abstraction abstraction infeasible t i t construct new b t ti

( concrete system)

abstraction validate constraints abstraction specification model checking counterexample ifi ti validate counterexample ifi ti

34

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

no counterexample  specification satisfied for the concrete system

initial abstraction abstraction infeasible t i t construct new b t ti

for the concrete system

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

35

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

counterexample for the abstraction corresponds to a state-transition path in the concrete system

initial abstraction abstraction infeasible t i t construct new b t ti

in the concrete system

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

36

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

Can the constraints along the counterexample path be satisfied in the concrete system?

initial abstraction abstraction infeasible t i t construct new b t ti

the concrete system?

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

37

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

feasible constraints  there exists a feasible counterexample for the concrete system

initial abstraction abstraction infeasible t i t construct new b t ti

concrete system

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

38

specification satisfied specification not satisfied

CEGAR CEGAR

concrete system construct

create a new abstraction (refinement) that eliminates the spurious counterexample

initial abstraction abstraction infeasible t i t construct new b t ti

p p

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

39

specification satisfied specification not satisfied

CEGAR for Digital Systems CEGAR for Digital Systems

concrete

state transition system ith B l i bl

system construct

with Boolean variables

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

40

specification satisfied specification not satisfied

CEGAR for Digital Systems CEGAR for Digital Systems

concrete system construct

eliminate some variables

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

41

specification satisfied specification not satisfied

CEGAR for Digital Systems CEGAR for Digital Systems

concrete system construct

decision procedures/SAT solvers

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

42

specification satisfied specification not satisfied

CEGAR for Digital Systems CEGAR for Digital Systems

concrete system construct

add variables in the unsatisfiable core

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

43

specification satisfied specification not satisfied

CEGAR for Digital Systems CEGAR for Digital Systems

• Leverages

– Power of model checking on simpler models – Power of decision procedures / SAT solvers to validate counterexamples

• Empirically a very powerful approach
• Many success stories

SLAM : Verifying Device Drivers at Microsoft – SLAM : Verifying Device Drivers at Microsoft

• Actually ships as a commercial product Static Driver Verifier

(SDV)

– Many software model checkers developed Many software model checkers developed

• MAGIC, BLAST, CBMC

44

CEGAR for Hybrid Systems

(our previous work)

concrete

hybrid automaton

system construct

hybrid automaton

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

45

specification satisfied specification not satisfied

CEGAR for Hybrid Systems y y

concrete system construct

start with location transition graph

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

46

specification satisfied specification not satisfied

CEGAR for Hybrid Systems

concrete system construct

reachability specifications

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction forbidden locations model checking counterexample ifi ti validate counterexample ifi ti

47

specification satisfied specification not satisfied

CEGAR for Hybrid Systems y y

concrete system construct

HS reachability: apply increasingly precise approximations

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction forbidden locations model checking counterexample ifi ti validate counterexample ifi ti

48

specification satisfied specification not satisfied

CEGAR for Hybrid Systems y y

concrete system construct

compute reachable sets along the counterexample path

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

49

specification satisfied specification not satisfied

CEGAR for Hybrid Systems y y

concrete system construct

identify point where the reachable set becomes empty

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

50

specification satisfied specification not satisfied

CEGAR for Hybrid Systems y y

concrete system construct

introduce new locations (“splitting”) to eliminate the infeasible path

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

51

specification satisfied specification not satisfied

CEGAR for Hybrid Systems y y

concrete

Li it ti

system construct

Limitations:

• slow convergence: refinement

eliminates one path at a time

• HS reachability limited to low

initial abstraction abstraction infeasible t i t construct new b t ti

y dimensional systems

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

52

specification satisfied specification not satisfied

Iterative Relaxation Abstraction (IRA) for Linear Hybrid Automata (LHA)

concrete system construct initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

53

specification satisfied specification not satisfied

Linear Hybrid Automata (LHA) Linear Hybrid Automata (LHA)

qk

guard

qj

b A 

k k k k

f x F b x A   

jk jk jk jk

r x R g x G      

invariant

j j j j

f x F b x A   

jk jk

' x   

flow reset

54

All constraints convex polyhedra.

Reachability Problems in LHA Reachability Problems in LHA

q0 qB Guarantee no paths in the location graph from initial l ti ( ) t b d l ti ( ) f ibl

55

location(s) q0 to bad location(s) qB are feasible.

Feasible Counterexamples* Feasible Counterexamples

 = q0 e01 q1 e1j  emk qk ekj qB

q e01 q1 qm q0 qB emk e1j qk ekB

Path  is feasible if PathCon( is satisfiable, where PathCon() is the set of linear constraints over the variables:

56

xo

• , xo

f, δo, x1

• , x1

f, δ1, . . . , xk

• , xk

f, δko, x1 B

variables:

* X. Li, S.K. Jha, L. Bu, Towards an efficient path-oriented tool for bounded reachability analysis of linear hybrid systems using linear programming, BMC 2006.

IRA for LHA IRA for LHA

concrete

LHA (with several continuous variables)

system construct

(with several continuous variables)

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

57

specification satisfied specification not satisfied

IRA for LHA IRA for LHA

concrete system construct

relaxation abstraction: fewer continuous variables

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

58

specification satisfied specification not satisfied

IRA for LHA IRA for LHA

concrete system construct

start with the location graph (zero continuous variables)

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

59

specification satisfied specification not satisfied

IRA for LHA IRA for LHA

concrete system construct

LHA reachability

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction forbidden locations model checking counterexample ifi ti validate counterexample ifi ti

60

specification satisfied specification not satisfied

IRA for LHA IRA for LHA

concrete system construct

check feasibility of linear constraints using LP

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

61

specification satisfied specification not satisfied

IRA for LHA IRA for LHA

concrete system construct

use variables from an irreducible infeasible subset

initial abstraction abstraction infeasible t i t construct new b t ti

(IIS) of constraints

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

62

specification satisfied specification not satisfied

IRA for LHA IRA for LHA

concrete system construct

new relaxation abstraction each time: NOT a refinement

initial abstraction abstraction infeasible t i t construct new b t ti

NOT a refinement

abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

63

specification satisfied specification not satisfied

IRA for LHA – Leverages: IRA for LHA Leverages:

• Power of LHA reachability on low-order LHA models
• Power of LP to validate counterexamples involving

huge number of continuous variables huge number of continuous variables.

• Ability of a LP solver to identify an irreducible

infeasible subset for an infeasible LP

• Inspired by CEGAR for discrete systems but
• Inspired by CEGAR for discrete systems, but

variables are not added to refine abstractions

64

Relaxation Abstractions Relaxation Abstractions

• LHA

– discrete transition structure (locations/transitions) – linear constraints for invariants, guards, jumps

• Given a subset of continuous variables V

R l li t i t ith l d t i t

• Replace linear constraints with relaxed constraints

involving only variables in V

– x<100 /\ x>20 /\ y<30 /\ x<y can be relaxed to x<100 /\ x>20

• Not unique – various relaxations

– Drop constraints involving variables not in V (localization)

65

Drop constraints involving variables not in V (localization) – Quantifier Elimination (Fourier-Motzkin)

Relaxation Abstractions Relaxation Abstractions

LHA Relaxation Abstraction (localization on x1)

66

Counterexamples (CEs) Counterexamples (CEs)

• Paths in the discrete structure (sequence of locations

and transitions)

• Key observations [Xuandong Li Sumit Jha Lei Bu BMC06] :
• Key observations [Xuandong Li, Sumit Jha, Lei Bu BMC06] :

– Feasible runs along a path are defined by linear constraints CE exists in the concrete LHA if and only if the – CE exists in the concrete LHA if and only if the corresponding linear constraints are feasible

67

Irreducible Infeasible Subset (IIS) Irreducible Infeasible Subset (IIS)

• Given a set of infeasible linear constraints

(corresponding to a spurious CE).

• IIS: a subset of constraints such that

IIS: a subset of constraints such that

– the constraints are infeasible – removing one constraint makes them feasible

• Use variables in the IIS

Use variables in the IIS for the next next relaxation abstraction

68

The Language of Counterexamples The Language of Counterexamples

• LHA reachability gives a discrete CE automaton A for

the current relaxed LHA the current relaxed LHA

– A string s = {s0,s1 ……,sn} is in the language of the discrete CE automaton A only if

• nly if the reachability analysis engine

says that sn may be reachable from s0 using the path s0  s1 …… sn.

• Intersect with the previous CE automaton

– to remove CE s refuted earlier remove CE s refuted earlier by other abstractions l i CE i h bilit t – also, remove previous CE in case reachability was too conservative

69

• Key Idea: Generate relaxation abstractions with only
• nly

the most recent set of IIS variables. the most recent set of IIS variables.

IRA for LHA

selecting counterexamples

concrete system construct initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

70

specification satisfied specification not satisfied

IRA for LHA

selecting counterexamples

concrete abstraction CE automaton system construct CE automaton update CE automaton initial abstraction abstraction cumulative CE automaton infeasible t i t abstraction validate select counterexample constraints model checking counterexample ifi ti validate counterexample ifi ti

71

specification satisfied specification not satisfied

IRA for LHA

selecting counterexamples

concrete abstraction CE automaton

guarantees:

system construct CE automaton update CE automaton

• only previously

discovered CEs are explored

• no CE is used twice

initial abstraction abstraction cumulative CE automaton infeasible t i t

• no CE is used twice

abstraction validate select counterexample constraints model checking counterexample ifi ti validate counterexample ifi ti

72

specification satisfied specification not satisfied

IRA for LHA

constructing new relaxation abstractions

concrete system construct initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

73

specification satisfied specification not satisfied

IRA for LHA

constructing new relaxation abstractions

concrete system construct identify variables continuous initial abstraction abstraction infeasible t i t construct new b t ti in an IIS variables abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

74

specification satisfied specification not satisfied

IRA for LHA

constructing new relaxation abstractions

concrete

guarantees relaxation abstraction has a minimal t f i bl t li i t th i CE

system construct identify variables continuous

set of variables to eliminate the previous CE

initial abstraction abstraction infeasible t i t construct new b t ti in an IIS variables abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

75

specification satisfied specification not satisfied

IRA for LHA

implementation

concrete system construct

LHA reachability: PHAVer

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

76

specification satisfied specification not satisfied

IRA for LHA

implementation

concrete system construct

CE Automata : AT&T FSM Library

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

77

specification satisfied specification not satisfied

IRA for LHA

implementation

concrete system construct

LP & IIS Analysis : CPLEX LP & IIS Analysis : CPLEX

initial abstraction abstraction infeasible t i t construct new b t ti abstraction validate constraints abstraction model checking counterexample ifi ti validate counterexample ifi ti

78

specification satisfied specification not satisfied

IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)

N f IRA IRA

• No. of

Variables PHAVer IRA –

Localization

IRA

Fourier-Motzkin

6 0.26 1.34 61.05 8 0.96 5.11 170.11 10 8 21 17 76 402 15 10 8.21 17.76 402.15 12 147.11 50.04 933.47 14 7007 51 123 73 1521 95 14 7007.51 123.73 1521.95 15 70090.06 181.74 2503.59 did not

79

16 did not complete 267.46 3519.51

IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)

No of IRA IRA

• No. of

Variables PHAVer IRA –

Localization

IRA

Fourier-Motzkin

6 0.26 1.34 61.05

IRA becomes faster for  12 variables

8 0.96 5.11 170.11 10 8 21 17 76 402 15 10 8.21 17.76 402.15 12 147.11 50.04 933.47 14 7007 51 123 73 1521 95 14 7007.51 123.73 1521.95 15 70090.06 181.74 2503.59 did not

80

16 did not complete 267.46 3519.51

IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)

No of IRA IRA

• No. of

Variables PHAVer IRA –

Localization

IRA

Fourier-Motzkin

6 0.26 1.34 61.05

IRA-FM becomes faster

8 0.96 5.11 170.11 10 8 21 17 76 402 15

for  14 variables

10 8.21 17.76 402.15 12 147.11 50.04 933.47 14 7007 51 123 73 1521 95 14 7007.51 123.73 1521.95 15 70090.06 181.74 2503.59 did not

81

16 did not complete 267.46 3519.51

IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)

No of IRA IRA

• No. of

Variables PHAVer IRA –

Localization

IRA

Fourier-Motzkin

6 0.26 1.34 61.05 8 0.96 5.11 170.11 10 8 21 17 76 402 15 10 8.21 17.76 402.15 12 147.11 50.04 933.47 14 7007 51 123 73 1521 95

15 Vars: 19.5 hr. (PHAVer) vs. 3 min. (IRA-LOC)

14 7007.51 123.73 1521.95 15 70090.06 181.74 2503.59 did not

82

16 did not complete 267.46 3519.51

IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)

No of IRA IRA

• No. of

Variables PHAVer IRA –

Localization

IRA

Fourier-Motzkin

6 0.26 1.34 61.05 8 0.96 5.11 170.11 10 8 21 17 76 402 15

PHAVer fails to converge for

10 8.21 17.76 402.15 12 147.11 50.04 933.47 14 7007 51 123 73 1521 95

g 16 variables

14 7007.51 123.73 1521.95 15 70090.06 181.74 2503.59 did not

83

16 did not complete 267.46 3519.51

IRA-Loc vs. IRA-FM IRA Loc vs. IRA FM

IRA-FM IRA-Loc

84

Switched Buffer Network1 Switched Buffer Network

2 3 1

1Frehse & Maler, HSCC ‘07

7 5 6 Valve Operation Closed Mode: 0 Open Mode: 10

Controller Hybrid automaton

4 9 10

Hybrid automaton controlling the valves in the channels

11 8 Buffer Size: 100

• Buffers connected by pipes with valves.
• Valves have several modes

85

• Controller observes buffers and to switch valve modes
• Specification: No buffer overflow

Switched Buffer Network Switched Buffer Network

• Implemented a simple controller with three locations

and 11 continuous variables

• Design: sequence of actual counterexamples from

Design: sequence of actual counterexamples from IRA used to “tune” the control parameters

• One case led to a 101 location CE in 3 iterations of

the abstraction refinement loop Final design (verified):

• PHAVer took over 12 minutes

86

• IRA took 23.7 seconds

Nuclear Power Plant Control2 Nuclear Power Plant Control

Temperature control

• Temperature control

– rods immersed to cool the reactor, withdrawn to allow reaction – rods controlled temperature measurements and local timers. – each rod can stay inside only for a certain max time limit

• Temperature should not rise beyond a critical threshold.
• Model

Model

– 3 control rods – 11 continuous variables

87

2 Variation of the problem studied by Kapur and Shyamasundar (HART’97), R

Alur et al (TCS’95), P. H. Ho 95 PhD thesis and others.

Nuclear Power Plant Control Nuclear Power Plant Control

Iterative Design Procedure

– First attempt:

• simple counterexample of 3 locations
• abstraction 3 continuous variables
• all of variables related to control rod 1
• clear that the rod was being inserted too late
• changed the cutoff temperature

S C f 2 3 – Similar CEs for control rods 2 and 3

Final Design

– PHAVer verification: 16 hours – IRA verification: 6 iterations, 30.04 seconds

88

Hybrid System Reachability: Additi l T i Additional Topics

• systems with inputs

– control inputs – disturbances

• uncertain systems

y

– unknown parameters – stochastic systems

• other abstractions/representations
• other abstractions/representations

– predict abstraction – ellipsoids lit ti i – qualitative reasoning – level sets – methods leveraging numerical simulation

89

• theorem proving

Rockwell Collins Tool Chain* Rockwell Collins Tool Chain

SCADE NuSMV Si li k

Simulink Gateway

SCADE Lustre PVS Simulink Reactis ACL2 Design Verifier Safe State Machines StateFlow Prover

Simulink Gateway

Rockw ell Collins/U of Minnesota

SAL ICS Symbolic Model Checker

Esterel Technologies MathWorks SRI International

SAL Bounded Model Checker Infinite

90

Infinite Model Checker

Reactive Systems

* from S.P. Miller, “Proving the Shalls: Requirements, Proofs, and Model-Based Development” presentation at Carnegie Mellon University, August 31, 2007.