Verification of Robotic Code and Autonomous Systems
Kerstin Eder
University of Bristol and Bristol Robotics Laboratory
2
(Figure: design flow) Boxes: User Requirements; High-level Specification; Optimizer; Design and Analysis (Simulink); Controller (SW/HW), e.g. C, C++, RTL (VHDL/Verilog). Arrow labels: Translate, Implement.
3
Verification and testing of mobile robot navigation algorithms: A case study in SPARK. IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS).
http://dx.doi.org/10.1109/IROS.2014.6942753
4
§ Array and vector out-of-bounds accesses
§ Null pointer dereferencing
§ Accesses to uninitialized data
§ Integer and floating-point arithmetic errors
§ Mathematical functions domain errors
§ Dynamic memory allocation and blocking inter-thread communication (non real-time)
5
§ Model checking: infeasible
§ Static analysis of C++: not possible
§ Static analysis of C: requires verbose and difficult-to-maintain annotations
§ SPARK, a verifiable subset of Ada
§ No memory allocation, pointers, concurrency
§ Required code modifications:
  § Pre- and post-conditions, loop (in)variants
  § Numeric subtypes (e.g. Positive)
  § Formal data containers
6
§ Three open-source implementations of navigation algorithms translated from C/C++ (2.7 kSLOC) to SPARK (3.5 kSLOC)
§ Several bugs discovered by run-time checks injected by the Ada compiler … interpretation.
§ Up to 97% of the verification conditions discharged automatically by SMT solvers in less than 10 minutes
§ Performance of the SPARK and C/C++ code similar
7
Verification and testing of mobile robot navigation algorithms: A case study in SPARK. IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS).
http://dx.doi.org/10.1109/IROS.2014.6942753
8
(Figure: design flow with verification) Boxes: User Requirements; High-level Specification; Optimizer; Design and Analysis (Simulink); Controller (SW/HW), e.g. C, C++, RTL (VHDL/Verilog). Arrow labels: Translate, Implement. Verification at both levels: Verification (IL) and Verification (OL).
9
Formal Verification of Control Systems’ Properties with Theorem Proving. International Conference on Control (CONTROL), pp. 244 – 249. IEEE, Jul 2014. http://dx.doi.org/10.1109/CONTROL.2014.6915147
Verification of Control Systems Implemented in Simulink with Assertion Checks and Theorem Proving: A Case Study. European Control Conference (ECC), pp. tbc. Jul 2015. http://arxiv.org/abs/1505.05699
10
§ Simulating the control systems
§ Analysis techniques from control systems theory (e.g., stability)
§ Serve as requirements/specification
§ For (automatic) code generation
Control systems design level Implementation level
11
Stability requirements, added as assertions to capture control systems requirements and retained in the code implementation:
§ Matrix $P > 0$ (Lyapunov function)
§ Matrix $P - (A-BK)^T P (A-BK) > 0$ (Lyapunov function's difference)
§ Equivalence (Lyapunov's equation application): $V(k) - V(k-1) = x(k-1)^T \left[(A-BK)^T P (A-BK) - P\right] x(k-1)$
13
Stability requirements, tested in simulation:
§ Matrix $P > 0$ (Lyapunov function)
§ Matrix $P - (A-BK)^T P (A-BK) > 0$ (Lyapunov function's difference)
§ Equivalence (Lyapunov's equation application): $V(k) - V(k-1) = x(k-1)^T \left[(A-BK)^T P (A-BK) - P\right] x(k-1)$
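The stability conditions above, as an added example that is not the authors' Simulink model or theorem-prover script: the two positive-definiteness conditions are checked as design-level assertions, and the Lyapunov difference is then carried into a simulated closed-loop run as a run-time assertion, as the slide proposes. The plant A, B, the gain K and the matrix P are constructed for illustration.

```python
"""Added example: Lyapunov stability conditions as design-level and run-time assertions."""

def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def transpose(X):
    return [list(row) for row in zip(*X)]

def mat_sub(X, Y):
    return [[a - b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def is_positive_definite_2x2(M):
    # Sylvester's criterion for a symmetric 2x2 matrix: both leading minors > 0
    return M[0][0] > 0 and M[0][0] * M[1][1] - M[0][1] * M[1][0] > 0

def lyapunov_difference_matrix(A, B, K, P):
    # P - (A-BK)^T P (A-BK): the "Lyapunov function's difference" matrix of the slide
    Acl = mat_sub(A, mat_mul(B, K))
    return mat_sub(P, mat_mul(mat_mul(transpose(Acl), P), Acl))

def quad_form(x, M):
    # x^T M x for a state vector x given as a flat list
    return sum(x[i] * M[i][j] * x[j] for i in range(len(x)) for j in range(len(x)))

def simulate_with_assertions(A, B, K, P, x0, steps=6, tol=1e-9):
    # Simulate x(k) = (A-BK) x(k-1); at each step assert the equivalence
    # V(k) - V(k-1) == x(k-1)^T [(A-BK)^T P (A-BK) - P] x(k-1) and that V does not grow.
    Acl = mat_sub(A, mat_mul(B, K))
    D = mat_sub(mat_mul(mat_mul(transpose(Acl), P), Acl), P)
    x, V_prev = list(x0), quad_form(x0, P)
    history = [V_prev]
    for _ in range(steps):
        x_next = [sum(Acl[i][j] * x[j] for j in range(len(x))) for i in range(len(x))]
        V = quad_form(x_next, P)
        assert abs((V - V_prev) - quad_form(x, D)) <= tol, "equivalence violated"
        assert V - V_prev <= tol, "Lyapunov function increased"
        x, V_prev = x_next, V
        history.append(V)
    return history

# Constructed plant, gain and Lyapunov candidate (dyadic values, so floats stay exact)
A = [[1.0, 1.0], [0.0, 1.0]]   # discrete-time double integrator
B = [[0.0], [1.0]]
K = [[0.5, 1.0]]               # state feedback u = -K x, closed loop A - BK
P = [[2.0, 1.5], [1.5, 4.0]]   # candidate Lyapunov function V(x) = x^T P x

def design_level_checks():
    # The two stability requirements to retain as assertions in the implementation
    return (is_positive_definite_2x2(P),
            is_positive_definite_2x2(lyapunov_difference_matrix(A, B, K, P)))
```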
14
Automatic theorem proving
First order logic theory of the Simulink diagram
Axiom: Bu = B * u … Goal: vdiff == vdiff_an
Formal Verification of Control Systems’ Properties with Theorem Proving. International Conference on Control (CONTROL), pp. 244 – 249. IEEE, Jul 2014. http://dx.doi.org/10.1109/CONTROL.2014.6915147
Verification of Control Systems Implemented in Simulink with Assertion Checks and Theorem Proving: A Case Study. European Control Conference (ECC), pp. tbc. Jul 2015. http://arxiv.org/abs/1505.05699
15
Coverage-Driven Verification - An approach to verify code for robots that directly interact with humans. (In Proceedings of HVC 2015, November 2015)
Model-Based, Coverage-Driven Verification and Validation
(under review for publication at ICRA 2016)
17
(Figure: testbench) SUT
18
IEEE Robotics & Automation Magazine, vol. 17, no. 4, pp. 18–20, 2010.
19
(Figure: testbench) SUT, Test, Response
20
(Figure: testbench) SUT, Test Generator, Test, Response
21
25
(Figure: testbench) SUT, Test Generator, Test, Response, Checker
“If the robot decides the human is not ready, then the robot never releases an object”.
– High-level requirements
– Lower-level requirements depending on the simulation's detail (e.g., path planning, collision avoidance)
28
(Figure: testbench) SUT, Test Generator, Test, Response, Checker, Coverage Collector
38
(Figure: coverage comparison) Test generation strategies: Pseudorandom, Constrained, Model-based; a Coverage Hole is marked.
39
40
§ 100 pseudorandomly generated tests
§ 160 model-based tests
§ 180 model-based constrained tests
§ 440 tests in total
43
(Figure: testbench) SUT, Test Generator, Test, Response, Checker, Coverage Collector, Driver
44
(Figure: complete testbench) SUT, Test Generator, Test, Response, Checker, Coverage Collector, Driver, Stimulus
46
Code for Robots in Human-Robot Interactions. (under review for publication at ICRA 2016)
Coverage-Driven Verification - An approach to verify code for robots that directly interact with humans. (Proceedings of HVC 2015, November 2015)
Model-Based, Coverage-Driven Verification and Validation
(under review for publication at ICRA 2016)
48
– Combine verification techniques
49
Special thanks to Dejanira Araiza Illan, David Western, Arthur Richards, Jonathan Lawry, Trevor Martin, Piotr Trojanek, Yoav Hollander, Yaron Kashai, Mike Bartley, Tony Pipe and Chris Melhuish for their hard work, collaboration, inspiration and the many productive discussions we have had.