Presentation is loading. Please wait.

Presentation is loading. Please wait.

Multiple Shooting, CEGAR-based Falsification for Hybrid Systems

Published byCaitlin Allyson Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "Multiple Shooting, CEGAR-based Falsification for Hybrid Systems"— Presentation transcript:

1 Multiple Shooting, CEGAR-based Falsification for Hybrid Systems
Aditya Zutshi Sriram Sankaranarayanan Jyotirmoy Deshmukh James Kapinski

2 Physical System (plant)
Hybrid Systems Physical System (plant) Discrete Controller Actuate Sense Safety Critical ! A quick recap about HS. These are systems which incorporate both continuous time and discrete time dynamics. Many examples of such systems can be found in the domain of Embedded systems, where we have digital processes controlling a physical plant. The controller is usually a piece of embedded software and the plant is a physical system commonly modeled as a set of differential equations. Specific examples of such systems are almost everywhere, like in the automotive industry, medical devices, aviation, railways and power plants…and as most of us are aware these systems are safety critical. Hence the need for rigorous testing and validation.

3 Falsification Error? System Description Error States Initial States t
We can talk about the safety of such systems by talking about reachability, which says… Given a set of initial states and the system definition, what all states can be reached. For finding errors, to falsification we can ask a slightly different question, is there an initial state from which the system can reach an error state? Lets look at the common approaches to solve such a problem…we look at the two ends of the spectrum… Is there a trajectory from an initial state to an error state?

4 System Description Mode 1 Mode 2 𝑑𝑥 𝑑𝑡 = 𝑓 1 (𝑥) 𝑑𝑥 𝑑𝑡 = 𝑓 2 (𝑥)
Most systems do not have Hybrid Automaton models! 𝐺 21 𝑥 =0 𝑥 ′ ≔ 𝑅 21 (𝑥) 𝐺 12 𝑥 =0 𝑥 ′ ≔ 𝑅 12 (𝑥) Mode 1 Mode 2 𝑑𝑥 𝑑𝑡 = 𝑓 2 (𝑥) 𝑑𝑥 𝑑𝑡 = 𝑓 1 (𝑥) Simulink/Stateflow X t X’ SIM(X,t) X, t Remove legacy Don’t go into details of HA… We have sim/state flow,…hjard to convert oto HA Hybrid Automaton Model [Alur, Henzinger, Lygeros, Sastry, Tomlin,…]

5 Single Shooting Inefficient in the presence of
SIM(X,t) System Description Inefficient in the presence of non-linearities and discrete updates Error States Naïve: needs guidance Curse of dimensionality: Scales poorly with increasing states Initial States S-Taliro: [Fainekos, et al.] BREACH: [Donze’] RRT: [Bhatia et al., …]

6 Multiple Shooting Explore trajectory space Narrow gaps iteratively
Proposed Solution CEGAR Gaps Delta t Error States Initial States

7 Multiple Shooting ↔ CEGAR (Counter Example Guided Refinement)
Contributions Multiple Shooting ↔ CEGAR (Counter Example Guided Refinement) 𝑥 2 𝑥 1 Abstract path Trajectory segment B Let us look at our main contributions… In this work We observed that multiple shooting is very closely related to CEGAR To illustrate, lets look at a grid based abstraction, where the state space has been partitioned into rectangular cells If a cell can be reached from another cell, then there exists a representative trajectory segment Infact, a sequence of trajectory segments gives a path in the abstraction! Moreover, the refinement of the abstraction effectively reduces the gap between these trajectory segments Moreover, if we refine the abstraction, then we make an additional observation, that the gaps between the trajectory segments have reduced Refinement Narrowing of gaps A Grid based Abstractions Verification of Hybrid Systems Based on Counterexample-Guided Abstraction Refinement [Clarke, Fehnker, et al.]

8 Explicit Abstractions
Scatter and Simulate Grid based Abstractions Induced by 𝐿 ∞ norm Fundamental question in abstractions: A  B ? 𝑥∈𝐴∧ 𝑥 ′ =𝑆𝐼𝑀(𝑥,𝑡)∧𝑥′∈𝐵 Scatter & Simulate 𝑥 2 𝑥 1 B Explicit Abstractions Black Box: No system dynamics Complex dynamics Curse of Dimensionality Δ𝑡 A

9 Multiple Shooting & CEGAR
Compute 𝐶 𝑖𝑛𝑖𝑡 / 𝐶 𝑒𝑟𝑟 Explore it using scatter & simulate Search Error Paths Trade soundness for efficiency. Find a subset of paths. Assume implicit abstraction Enumerate error paths Check for concrete paths Error Paths done Refine abstraction using CEGAR Assume a finer abstraction Compute 𝐶 𝑖𝑛𝑖𝑡

10 Multiple Shooting & CEGAR…
Compute 𝐶 𝑖𝑛𝑖𝑡 / 𝐶 𝑒𝑟𝑟 Explore it using scatter & simulate Refine by CEGAR Examine abstract error paths Entire path Initial cell Assume implicit abstraction Enumerate error paths Check for concrete paths Error Paths done CEGAR Assume a finer abstraction Finer grid size 𝐶 0 Compute 𝐶 𝑖𝑛𝑖𝑡

11 Identify reached cells
Scatter and Simulate Compute 𝐶 𝑖𝑛𝑖𝑡 / 𝐶 𝑒𝑟𝑟 Error States Get cell from Q Δ𝑡 Sample cell Δ𝑡 Cell Queue Δ𝑡 Simulate for Δ𝑇 Initial States 𝜖 Identify reached cells If new, add cell to Q 𝜖 Error Paths Enumerate error paths

12 Refinement CEGAR Refine Grid Error Paths Compute 𝐶 𝑖𝑛𝑖𝑡
Scatter & Simulate 𝜖 New Error Paths Enumerate error Paths 𝜖 2

13 Concretization Described procedure can run forever Solution
Only comes up with segmented trajectories No termination guarantee due to numerical errors Solution interleave Concretization: Use random testing on refined initial cells Scatter & Simulate Done!! Concretize CEGAR

14 Demo Van der Pol – iteration 1
Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖 Add a slide with concrete simulations….and equations…and random testing performance…

15 Demo Van der Pol – iteration 2
Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

16 Demo Van der Pol – iteration 3
Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

17 Demo Van der Pol – iteration 4
Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

18 Demo Van der Pol – iteration 5
Plot of Scatter & Simulate Intial Set with initial cells 𝐶 𝑖

19 Experiments Van Der Pol Lorenz Brusselator Bouncing Ball
14 Cont. States 625 Modes Experiments Academic Examples Van Der Pol Lorenz Brusselator Bouncing Ball Bouncing Ball + SHM Constrained Pendulum Navigation 30(mod.) Idle Speed Controller MPC Glucose Insulin Quadcopter(mod.) Cardiac Cont. States: 2-14 Modes: 0-625 Complex Benchmarks Radu grosu We run random simulations 100,000 times, all in parallel and S-Taliro ands SS 10 times to get consistent results… As SS is parallelized, and S-Taliro not, we try to compare the num of successful runs instead of just timings…

20 Comparison Van Der Pol Lorenz Brusselator Bouncing Ball
Random Testing Van Der Pol Lorenz Brusselator Bouncing Ball Bouncing Ball + SHM Constrained Pendulum Navigation 30(mod.) Idle Speed Controller MPC Glucose Insulin Quadcopter(mod.) Cardiac Light-weight S-Taliro Scatter and Simulate Add dReach Exhaustive S-Taliro: [Fainekos, et. Al.] dReach: [Gao, et. Al. ]

21 Experimental Setup Random Testing S-Taliro Scatter & Sim.
Times are hard to compare! Experimental Setup Random Testing S-Taliro Scatter & Sim. #𝑣𝑖𝑜. 100,000 #𝑣𝑖𝑜. 10 Random Testing Use random testing to synthesize safety properties when they don’t exist Run 100,000 simulations and find number of violations S-Taliro vs Scatter & Sim. Run 10 times Run terminates if Violation found Timeout: 1hr Tools can restart during a run Time taken is hard to compare S-Taliro has a single threaded impl.

22 Results - Van Der Pol Random Testing S-Taliro Scatter & Sim. Vs
Highly non-linear! 2 continuous States Random Testing S-Taliro Scatter & Sim. 10 10 0 100,000 Vs

23 Results - Bouncing Ball
Hybrid! 4 continuous States 1 mode Random Testing S-Taliro Scatter & Sim. 1 10 10 10 3 100,000 Vs

24 Results - Navigation30 Random Testing S-Taliro Scatter & Sim. Vs
625 Modes! 4 continuous States 625 modes Random Testing S-Taliro Scatter & Sim. 3 10 10 10 1 100,000 Vs Becnhmarks for Hybrid Systems Verification: [Fehnker and Ivancic]

25 Results - Idle Speed Controller
Inputs! 9 continuous States 4 modes 1 input Random Testing S-Taliro Scatter & Sim. 2 10 10 10 70 100,000 Vs A new algorithm for reachability analysis of hybrid automata : [A. Casagrande, et al.]

26 In Summary… Falsification technique for Hybrid Systems.
No explicit model required! Simulations are cheap and parallelizable! Generalizable in many direction. But… Can not find non-robust trajectories Convergence is not guaranteed Best effort search Can provide asymptotic guarantees Sampling based approach, and does not use a model of the system, we can never detect non robust behaviors

27 Extra Slides…

28 Falsification Approaches: Shooting
Single Shooting Random testing S-Taliro BREACH Systematic Sim. RRTs Multiple Shooting Proposed approach: Scatter & Simulate Reverse explanations… Search space…

29 Single Shooting: Random Testing
SIM(X,T) System Description Naïve: needs guidance Curse of dimensionality: Scales poorly with increasing states Error States The simplest kind of Single shooting is random testing. We sample a point, simulate for the given time and check if we find erroneous behavior. Though its very light weight, it can be very powerful when coupled with the insights of engineers. This approach however, is usually not very successful for complex systems for several reasons. Systems with non linear and hybrid dynamics can fail in complex ways and the search space explodes exponentially with increase in states. There have been a lot of improvements over random testing recently and tools like S-Taliro and BREACH which use guided testing, and have been used to falsify complex systems. Although better, these tools still use single shooting which is not very good in handling systems with highly non linear and discrete behaviors. Initial States

30 Single Shooting: Guided Testing
S-Taliro: [Fainekos, et. Al] BREACH: [Donze] Inefficient in the presence of non-linearities and discrete updates Error States 𝜌 Initial States

31 Multiple Shooting Solution…? Use mature NLP Solvers
Distribute non -linearity Solution…? Use mature NLP Solvers Translate the problem as an optimization problem with equality constraints Error States Initial conditons outside intial states Ignore NLP Proposed Solution Use Abstractions and CEGAR Initial States Undesirable Gaps A Trajectory Splicing Approach to Concretizing Counterexamples for Hybrid Systems: [Zutshi, et al.]

32 Abstractions and CEGAR
How to effectively use Multiple Shooting? Use Discrete Abstractions and a refinement procedure CEGAR: Counter Example Guided Refinement 𝑥 2 𝑥 1 Induced by 𝐿 ∞ norm Grid Based Implicit Abstraction Partitions the state space into rectangular Cells Discovers relations using simulation Modify to contributions… Verification of Hybrid Systems Based on Counterexample-Guided Abstraction Refinement [Clarke, Fehnker, et al.]

33 Grid Based Abstraction
Discretizes concrete states Relations induced by Dynamics 𝑥 1 = 𝑙 1 𝑥 1 = ℎ 1 𝑥 2 = ℎ 2 𝑥 2 = 𝑙 2 Abstract State: 𝐶𝑒𝑙𝑙 𝐶 𝑖 Concrete States: 𝑥 𝑖 ∈[ 𝑙 𝑖 , ℎ 𝑖 ) 𝐶 1 𝐶 0 HSolver: [Ratschan, et al.]

34 Explicit Abstractions
Curse of Dimensionality Explicit abstraction construction Used by verification approaches Sound procedure finds relations between adjacent cells Enumerate all abstract error paths 𝑥 2 𝑥 1 In essence, we sample the graph over relations instead of building it entirely. In other words, we never explicitly construct the abstraction, but use simulations to discover the relations Predicate Abstraction for reachability analysis of HS [Alur, Dang, Ivancic]

35 Exploring Implicit Abstractions
Mitigate curse of dimensionality! Implicit Abstractions Use simulations in a multiple shooting fashion Sample relations Efficiently discover a subset of abstract error paths 𝑥 2 𝑥 1 Δ𝑡 Δ𝑡 In essence, we sample the graph over relations instead of building it entirely. In other words, we never explicitly construct the abstraction, but use simulations to discover the relations Δ𝑡

Download ppt "Multiple Shooting, CEGAR-based Falsification for Hybrid Systems"

Similar presentations

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.

Principal Component Analysis Based on L1-Norm Maximization Nojun Kwak IEEE Transactions on Pattern Analysis and Machine Intelligence, 2008.
Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani

Bebop: A Symbolic Model Checker for Boolean Programs Thomas Ball Sriram K. Rajamani
Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.

Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Control Structure Selection for a Methanol Plant using Hysys/Unisim

Control Structure Selection for a Methanol Plant using Hysys/Unisim
Zonotopes Techniques for Reachability Analysis Antoine Girard Workshop “Topics in Computation and Control” March 27 th 2006, Santa Barbara, CA, USA

Zonotopes Techniques for Reachability Analysis Antoine Girard Workshop “Topics in Computation and Control” March 27 th 2006, Santa Barbara, CA, USA
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Aditya Zutshi Sriram Sankaranarayanan Ashish Tiwari TIMED RELATIONAL ABSTRACTIONS FOR SAMPLED DATA CONTROL SYSTEMS.

Aditya Zutshi Sriram Sankaranarayanan Ashish Tiwari TIMED RELATIONAL ABSTRACTIONS FOR SAMPLED DATA CONTROL SYSTEMS.
Guaranteeing Safety in Semi-autonomous Robotic Systems: A Formal Approach through Hybrid Systems with Hidden Modes Domitilla Del Vecchio University of.

Guaranteeing Safety in Semi-autonomous Robotic Systems: A Formal Approach through Hybrid Systems with Hidden Modes Domitilla Del Vecchio University of.
Anytime RRTs Dave Fergusson and Antony Stentz. RRT – Rapidly Exploring Random Trees Good at complex configuration spaces Efficient at providing “feasible”

Anytime RRTs Dave Fergusson and Antony Stentz. RRT – Rapidly Exploring Random Trees Good at complex configuration spaces Efficient at providing “feasible”
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.
Gizem ALAGÖZ. Simulation optimization has received considerable attention from both simulation researchers and practitioners. Both continuous and discrete.

Gizem ALAGÖZ. Simulation optimization has received considerable attention from both simulation researchers and practitioners. Both continuous and discrete.
1 Verification and Synthesis of Hybrid Systems Thao Dang October 10, 2000.

1 Verification and Synthesis of Hybrid Systems Thao Dang October 10, 2000.
1 Rare Event Simulation Estimation of rare event probabilities with the naive Monte Carlo techniques requires a prohibitively large number of trials in.

1 Rare Event Simulation Estimation of rare event probabilities with the naive Monte Carlo techniques requires a prohibitively large number of trials in.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.

Similar presentations

Ads by Google