HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control Prague, Czech Republic 2003 Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron

HSCC 03 MIT LCS Verification Techniques Algorithmic –Model checking e.g. [Alur, et al. 95] Automatic: HyTech Essentially for finite-state systems, subclass of linear hybrid systems –Over approximating set of unsafe states [Bayen, et al. 02] Deductive –Invariant assertions, simulation relations e.g. [Manna, Sipma 98] Can accommodate infinite-state systems: STeP Requires human effort –User interaction

HSCC 03 MIT LCS Talk Outline Introduction ٭ Hybrid I/O Automata definitions Specification of Quanser Safety Verification Conclusions

HSCC 03 MIT LCS The HIOA Model [Lynch, Segala, Vaandrager 01, 03] General, mathematical modeling framework. –States, discrete transitions –Trajectories: Maps left closed intervals of time to variable values Support for decomposing hybrid system descriptions: –External behavior: Models interaction of component with environment. –Composition: Synchronizes external actions, external “flows”; respects external behavior. –Levels of abstraction: Implementation notion Can incorporate analysis methods from: –CS: Invariants, simulation relations, compositional methods. –Control theory: Invariant sets, stability analysis, robust control.

HSCC 03 MIT LCS Hybrid I/O Automaton V = U  Y  X: Input, output, and internal (state) variables Q: States, a set of valuations of X   Q : Start states A = I  O  H: Input, output, and internal actions D  Q  A  Q: Discrete transitions T: Trajectories for V. X UY I O H

HSCC 03 MIT LCS Trajectory Axioms and Executions Set T of trajectories is closed under: –Prefix –Suffix –Countable concatenation fstate, lstate Execution fragment:  0 a 1  1 a 2  2 …, where: Each  i is a trajectory of the automaton and Each (  i.lstate, a i,  i+1.fstate) is a discrete step. Execution: –Execution fragment beginning in a start state.

HSCC 03 MIT LCS Model Helicopter System Manufactured by Quanser User controllers not necessarily safe, can crash the helicopter on the table. Supervisory pitch controller needed to ensure safety. –Safe operating region –Saturated actuator outputs : U min or U max Must contend with –Sensor errors –Actuator delay

HSCC 03 MIT LCS Helicopter System UserCntrl Useroutput(Xu) Sample Supervisor Actuator Sensor Plant θ0, θ1θ0, θ1 U Command(S) now, next buffer, u XuXu dequeue Sample θ0, θ1θ0, θ1 mode, X s, S, rt Command(S) Sample Useroutput(Xu) Sample

HSCC 03 MIT LCS Plant θ0,θ1θ0,θ1 U Variables: θ 0 : Pitch angle θ 1 : Pitch velocity Trajectories: evolve: d(θ 0 ) = θ 1 d(θ 1 ) = -Ω 2 cos θ 0 + U Input bounds: U min, U max Safe Region: S = { s | θ min ≤ s.θ 0 ≤ θ max } θ0, θ1θ0, θ1

HSCC 03 MIT LCS Sensor Discrete transition: Sample(θ 0 d, θ 1 d ) precondition: now = next and θ 0 d є [θ 0 - є 0, θ 0 + є 0 ] and θ 1 d є [θ 1 - є 1, θ 1 - є 1 ] effect: next = next + Δ Trajectories: evolve: d(now) = 1 stopping condition: now = next Sensor Sample(θ 0 d, θ 1 d ) θ 0,θ 1 now, next } Nondeterministic choice

HSCC 03 MIT LCS User Controller Arbitrarily bad user On receiving Sample, –Useroutput(X u ) –Non deterministic choice, X u є [U min, U max ]

HSCC 03 MIT LCS Actuator Actuator delay T a –modeled as a FIFO queue of Supervisor(User) outputs –buffer: length [T a / Δ] Enqueue S received from supervisor Dequeue u from buffer head, –u changes discretely –Made into piece-wise continuous output U

HSCC 03 MIT LCS Modeling Actuator Delay T a Currently modeled as a single discrete jump from U min to U max after time T a. Alternatively –Approximate exponential rise by adding k intermediate values in the buffer, for every command from the supervisor. Output from buffer will change every Δ/k time. –Model as continuous function Ta

HSCC 03 MIT LCS I S C R U θ max θ1θ1 Assumption: Cannot cross I in Δ time. θ min Safe Operating Region θ0θ0

HSCC 03 MIT LCS Supervisor On receiving sample, computes X s If s is above I + then X s = U min If s is below I - then X s = U max On receiving useroutput(X u ), computes S –If mode = user then If s is in U then S = X u Else mode = supervisor ; S = X s –If mode = supervisor then If s is in I then S = X u ; mode = user Else S = X s Supervisor mode, X s, S, rt Command(S) Userout(Xu) Sample

HSCC 03 MIT LCS Safety Verification Assertional Proofs –Reasoning based on current state of the system Finding the invariants is challenging –Strengthen statement Proofs are easy, for proving I –Base case:   I –Discrete part: s  a s’ є D, show I(s) implies I(s’) –Continuous part: closed τ є T, show I(fstate(τ)) implies I(lstate(τ))

HSCC 03 MIT LCS Key Lemmas All trajectories are closed Any trajectory τ є T, ltime(τ) - ftime(τ) ≤ Δ.

HSCC 03 MIT LCS I S C A0A0 θ0θ0 θ1θ1 A1A1 A2A2 AΔAΔ A 0 = R For 0 ≤ t ≤ t’ ≤ Δ A t’  A t U  A Δ R U User mode

HSCC 03 MIT LCS User mode Safety Any reachable state in the user mode is within R. Proof: –Discrete part is easy –Any closed trajectory τ є T, if fstate(τ) є A t then lstate(τ) є A t-ltime(τ).

HSCC 03 MIT LCS Executions in User and Supervisor modes Cannot go outside R from U, in the user mode buffer flushed, Supervisor mode kicks in. Returns to I and mode switches back to user. mode switches to supervisor, but buffer contains stale user commands.

HSCC 03 MIT LCS Supervisor mode Correct input to plant If s is above I + then last [rt/Δ] entries in buffer are U min –rt: stopwatch for supervisor mode Similarly, s is below I - then … U max Settling phase rt ≤ T a Any reachable state is within C –All trajectories starting from within R remains within C –Proof similar to User mode Recovery phase rt > T a Any reachable state is within C –Proof: At any point on boundary of C, the vector field points inwards

HSCC 03 MIT LCS Conclusions Design of supervisory controller –Controller has been implemented [Ishutkina]. Specification Language Demonstration of HIOA framework –Specification Compositional Nondeterminism models uncertainties in devices or user inputs. –Purely assertional proofs Discrete and continuous parts CS and Control Theory techniques Current/Future Work –Performance guarantees for mobile computing algorithms –Theorem prover support

HSCC 03 MIT LCS Thank You. Questions ?

HSCC 03 MIT LCS

HSCC 03 MIT LCS Current/Future Work Incorporate control theory methods: –Invariant sets, Stability analysis using Lyapunov functions, robust control methods. More examples: –Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems. Develop analysis tools for HIOA programs: –Theorem-provers, automated tools –As extension to IOA toolset

HSCC 03 MIT LCS Future Work : Case Studies Mobile Computing –Location and Routing algorithms, e.g. Grid [Li 2000] Objectives:  Performance guarantees under mobility  Specialize HIOA to model mobile systems Control problems –Quantized double integrator system Objective:  Develop and apply analysis methods from control theory

HSCC 03 MIT LCS Future Work : Tool Support Theorem prover interface –Automatic translation of HIOA specifications into the language of the prover –Prover tactics and strategies Extend IOA Toolset –Language frontend Interface with other tools –Model-checkers –Simulators

HSCC 03 MIT LCS sample control command dequeue    act 0 supervisor plant sensor usrCtrl Discrete Communication Among Components actuator

HSCC 03 MIT LCS Other Applications Automated transportation systems: –Simple vehicle maneuvers [Weinberg, Lynch 96] –PATH automated highway system [Branicky, Dolginova, Lynch 97] [Dolginova, Lynch 97][Lygeros, Lynch 98] Aircraft control: –TCAS [Livadas, Lygeros, Lynch 99] Spacecraft: –ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03] Robotics –Lego cars [Fehnker, Vaandrager, Zhang 02]

HSCC 03 MIT LCS Helicopter Model and Analysis We developed HIOA models for all system components: Plant, Sensor, Actuator, User Controller, Supervisor –Including realistic dynamics, delays, inaccuracies. –Used the models to help design a safe supervisory controller.

HSCC 03 MIT LCS Language Design Additional structure for specifying trajectories: –Variables are either discrete or continuous –Discrete variables remain constant over trajectories Describing trajectories: –State space is partitioned into modes –Continuous variables in each mode evolve according to differential/algebraic equations. –Each mode is specified by an activity