1. Applications of control to formal software semantics Eric Feron Aerospace Engineering Georgia Tech (with Fernando Alegre, Alwyn Goodloe, Romain Jobredeaux, Tim Wang + a growing number of guests of Alwyn’s at NIA) 3 Novembre 2010 N7 Toulouse

2. Take-Home Message We’ve got proofs for our control systems, so let’s use them beyond cool research papers, inside software (Probable static analysis interpretation: Yet another guy who’s discovered static analyzers and formal proofs)

3. Outline A simple control example Stability and performance analyses Why code-level analyses? Hoare logic and partial correctness Analysis of controller implementation Closed-loop system analysis

4. A simple control example d d t · x _ x ¸ = · 01 ¡ 10 ¸· x _ x ¸ + · 0 1 ¸ u ; x ( 0 ) = x 0 ; _ x ( 0 ) = _ x 0 y = [ 10 ] · x _ x ¸ :

5. A simple control example (Ct’d) ~ y ( t ) = SAT ( y ( t )) ; u ( s ) = 128 s + 1 s + 0 : 1 s = 5 + 1 s = 50 + 1 ~ y ( s ) ; Step response

6. Controller implementation ~ y ( t ) = SAT ( y ( t )) ; u ( s ) = 128 s + 1 s + 0 : 1 s = 5 + 1 s = 50 + 1 ~ y ( s ) ; d d t x c = · ¡ 50 : 1 ¡ 5 : 0 1 : 00 : 0 ¸ x c + · 100 0 ¸ SAT ( y ) u = ¡ [ 564 : 480 ] x c + 1280 SAT ( y ) : State-space realization x c ; k + 1 = · 0 : 499 ¡ 0 : 050 0 : 0101 : 000 ¸ x c ; k + · 1 0 ¸ SAT ( y k ) u k = ¡ [ 564 : 480 ] x c ; k + 1280 SAT ( y k ) Discrete time Implementation 100Hz

7. Controller Program 1 : A = [ 0. 4990, - 0. 0500 ; 0. 0100, 1. 0000 ] ; 2 : C = [ - 564. 48, 0 ] ; 3 : B = [ 1 ; 0 ] ; D = 1280 ; 4 :x = zeros ( 2, 1 ) ; 5 :w hil e 1 6 :y = f scan f ( s t di n, " % f" ) ; 7 :y = max ( m i n ( y, 1 ), - 1 ) ; 8 :u = C * x + D * y; 9 : f pr i n t f ( s t d ou t, " % f \ n ", u ) ; 10 :x = A * x + B * y; 11 :en d MATLAB

8. Controller Program 1 : i n t ma i n ( i n t ar g c, c h ar * ar g v []) 2 : { 3 : d ou bl e * x [ 2 ], * x b [ 2 ], y, u ; 4 :x [ 0 ] = 0 ; 5 :x [ 1 ] = 0 ; 6 :w hil e ( 1 ){ 7 : f scan f ( s t di n, " % f", & y ) ; 8 : if ( y > 1 ){ 9 : y = 1 10 : } 11 : if ( y < - 1 ){ 12 : y = - 1 13 : } 14 :u = - 564. 48 * x [ 0 ] + 1280 * y ; 15 : f p r i n t f ( s t d ou t, " % f \ n ", u ) ; 16 :x b [ 0 ] = x [ 0 ] ; 17 :x b [ 1 ] = x [ 1 ] ; 18 :x [ 0 ] : = 0. 4990 * x b [ 0 ] - 0. 0500 * x b [ 1 ] + y ; 19 :x [ 1 ] : = 0. 01 * x b [ 0 ] + x b [ 1 ] ; 20 : } 21 : } C

9. Control system as seen by control engineers System Identification/ Validation Controller design Control system analysis System data System model Controller Validated Controller Invalidated Controller NOT MY PROBLEM! Implementation Matlab/ Simulink/ Real-time Workshop MatrixX Picture 2 code (UTC) Manual coding Compiler Source code Executable Verification and Validation Good to go Not good to go

10. Code-level analyses of control software Significant contribution from Patrick Cousot’s group at Ecole Normale Superieure, Paris and NYU. Abstract interpretation supports capturing semantics of programs Most important application is ASTREE analyzer for Airbus A380 control code. From Feret, “Static Analysis of Digital Filters”, 2004 (also with ASTREE).

11. Making sense out of computer programs Consists of asking: “Where can the program go? Does it do what it’s supposed to do?” Well-known limits to what can be done. Several options are available: “Formal Methods” –Model checking –Abstract interpretation

12. Desirable attributes of “program proofs” Must be expressive enough to tell nontrivial statements about program Must be “elementary enough” so that each “proof element” can be verified using only local program elements. “Line-by-line verification”.

13. Hoare logic: While programs Assignments y:=t Composition S1; S2 If-then-else if e then S1 else S2 fi While e do S od Hoare logic consist of instrumenting each line with “what it does to the state-space” ass i g nmen t ) f s t a t e-spaces t a t emen t 1 g à precon d i t i on ass i g nmen t f s t a t e-spaces t a t emen t 2 g à pos t con d i t i on f pre 1 g l oc 1 f pos t 1 g ; f pre 2 g l oc 2 f pos t 2 g ^ (f pos t 1 g ! f pre 2 g) ) f pre 1 g l oc 1 ; l oc 2 f pos t 2 g Compositionality: See Peled, 2001, Monin, 2000

14. Example: Capturing controller behavior The control-systemic way x c ; k + 1 = · 0 : 499 ¡ 0 : 050 0 : 0101 : 000 ¸ x c ; k + · 1 0 ¸ SAT ( y k ) u k = ¡ [ 564 : 480 ] x c ; k + 1280 SAT ( y k ) A ssume t h econ t ro ll ers t a t e i s i n i t i a l i ze d a t x c ; 0 = 0 W h a t rangeo f va l uescou ldb ereac h e db y t h es t a t ex c ; k an d t h econ t ro l var i a bl eu k ? There is a variety of options, including computation of -1 norms. A Lyapunov-like proof (from Boyd et al., Poola): The ellipsoid E P = © x 2 R 2 j x T P x · 1 ª : is invariant. None of the entries of x exceeds 40 in size. How do you say the same thing about the program that implements the controller? P = 10 ¡ 3 · 0 : 67420 : 0428 0 : 04282 : 4651 ¸

15. f x 2 E P g 5 :w hil e 1 f x 2 E P g 11 :en d f f a l se g A Matlab program f x 2 E P g 7 :y = max ( m i n ( y, 1 ), - 1 ) ; © x 2 E P ; y 2 · 1 ª f x 2 E P g 6 :y = f scan f ( s t di n, " % f" ) f x 2 E P g f t rue g 4 :x = zeros ( 2, 1 ) f x 2 E P g. © x 2 E P ; y 2 · 1 ª 8 :u = C * x + D * y; © x 2 E P ; u 2 · 2 ( CP ¡1 C T + D 2 ) ; y 2 · 1 ª © A x + B y 2 E P ; y 2 · 1 ª 10 :x = A * x + B * y; f x 2 E P g © x 2 E P ; u 2 · 2 ( CP ¡1 C T + D 2 ) ; y 2 · 1 ª 9 : f pr i n t f ( s t d ou t, " % f n n ", u ) f x 2 E P ; y 2 · 1 g. © A x + B y 2 E P ; y 2 · 1 ; u 2 · 2 ( CP ¡1 C T + D 2 ) ª 9 : f pr i n t f ( s t d ou t, " % f n n ", u ) © A x + B y 2 E P ; y 2 · 1 ª. < ?

16. Critical step is true for the particular instances of A, B, P. (ellipsoid invariance condition)/ -Either leave it as is to check via automated checker that can handle systems of polynomial inequalities (eg Zumkeller, Thery 2008) -Or provide additional proof element: 8 ( x ; y )( A x + B y ) T P ( A x + B y ) ¡ 0 : 01 x T P x ¡ 0 : 99 y 2 · 0 : f x 2 E P ; y 2 · 1 ; ( A x + B y ) T P ( A x + B y ) ¡ 0 : 01 x T P x ¡ 0 : 99 y 2 · 0 g ) © A x + B y 2 E P ; y 2 · 1 ª ;

17. Commented code

18. Forward constraint propagation f t rue g 1 : A = [ 0. 4990, - 0. 0500 ; 0. 0100, 1. 0000 ] ; f t rue g 2 : C = [ - 564. 48, 0 ] ; f t rue g 3 : B = [ 1 ; 0 ] ; D = 1280 ; f t rue g f t rue g 4 :x = zeros ( 2, 1 ) ; f x 2 E P g f x 2 E P g 11 :en d f f a l se g f x 2 E P g 5 :w hil e 1 f x 2 E P g f x 2 E P g 6 :y = f scan f ( s t di n, " % f" ) ; f x 2 E P g f x 2 E P g 7 :y = max ( m i n ( y, 1 ), - 1 ) ; f x 2 E P ; y 2 · 1 g Q = · 0 : 01 P 0 00 : 99 ¸ f( xy ) 2 E Q g 8 :u = C * x + D * y; f( xy ) 2 E Q ; u 2 · [ CD ] Q ¡1 [ CD ] T g < f( xy ) 2 E Q ; u 2 · [ CD ] Q ¡ 1 [ CD ] T g 9 : f pr i n t f ( s t d ou t, " % f n n ", u ) ; f( xy ) 2 E Q g f( xy ) 2 E Q g 10 :x = A * x + B * y; f x 2 E ( 1 0 : 01 AP ¡ 1 A T + 1 0 : 99 BB T ) ¡ 1 g

19. C code analysis f x 2 E P g 8 : if ( y > 1 ) f f x 2 E P ; y > 1 g f x 2 E P ; y · 1 g 10 : g f x 2 E P ; y · 1 g f x 2 E P ; y > 1 g 9 :y = 1 f x 2 E P ; y · 1 g Q = · 0 : 01 P 0 00 : 99 ¸ 2 6 4 x [ 1 ] x [ 2 ] y x b [ 1 ] 3 7 5 = 2 6 4 100 010 001 100 3 7 5 " x [ 1 ] x [ 2 ] y # E R ¡ 1 = © x j x T R ¡ 1 x · 1 ª = G R = ½ x j · 1 x T x R ¸ ¸ 0 ¾ R = 2 6 6 4 100 010 001 100 3 7 7 5 Q ¡1 2 6 6 4 100 010 001 100 3 7 7 5 T ½· x y ¸ 2 E Q ¾ 16 :x b [ 0 ] = x [ 0 ] 8 < : 2 4 x y x b [ 1 ] 3 5 2 G R 9 = ;

20. Applications Credible autocoder (a la Rinard) Controller Specifications +proof Credible autocoder Documented (auto)-code Proof checker Go/no-go (third party) (user) (certification Authority) (auto) Code analyzer Controller Specifications (+proof) Autocoder (auto)-code Code analyzer (third party) (user) (certification Authority) Proof Go/no Go

21. Other important questions Verifying closed-loop system So far made assumption that analyzer could handle real numbers like you and me…. Many controllers are more complex than a simple lead-lag controller – nonlinear? Adaptive? Receding horizon???

22. More Complex Control Systems Adaptive systems a, b un k nown R e f erencemo d e l A d ap t i vecon t ro l arc h i t ec t ure N onqua d ra t i c i nvar i an t s t ruc t ure !

23. Plant Controller Closed-loop system representations Plant Controller Plant Controller

24. Concurrent Representations of System and Controller %Controller dynamics

25. Actual Computations Computations do not follow real arithmetic –Fixed/Floating-point computations are often neglected during specification phase, comes back as “thorn in foot” during implementation. –Neglect at specification level makes typical “leaky abstraction” –Justified because detailed computations are typically left aside when spec-ing system Computation model that’s agreeable/manageable by everybody

26. Additive/multiplicative uncertainty model IEEE 754: x, y floats x real (Discussions with Eric Goubault & Sylvie Putot) ( x + y ) ° oa t = ( x + y )( 1 + ¢ 1 ( x + y )) + ¢ 2 ( x + y ) x ° oa t = x ( 1 + ¢ 1 ( x )) + ¢ 2 ( x ) S ame f or ¡, £, = O n l yupper b oun d sare k nownon ¢ 1 ( : ) ; ¢ 2 ( : ) eg j ¢ 1 ( : )j · M 1 ; j ¢ 2 ( : )j · M 2

27. Consequence on invariance conditions E ll i pso i d a l i nvar i ancecon d i t i on b ecomes © x 2 E P ; y 2 · 1 ª ) © F ( x ; y ; ¢ 1 ; ¢ 2 ;:::; ¢ M ) 2 E P ; y 2 · 1 ª Back to proof checker / proof assistant that can handle systems of polynomial inequalities (eg Zumkeller, Thery 2008)

28. Conclusion Stability and performance proofs of control systems fundamentally compatible with formal static analysis and verification methods – must feed available information in “system assembly process”. Must write software development tools that run across layers of implementation and are compatible with verification preferences/levels of rigor favored by different communities.