Presentation is loading. Please wait.

Presentation is loading. Please wait.

© Charles Pecheur 1 Dagstuhl 5-9 Nov 2001 Symbolic Model Checking of Domain Models for Autonomous Spacecrafts Charles Pecheur (RIACS / NASA Ames)

Published byNya Frisbie Modified over 9 years ago

Similar presentations

Presentation on theme: "© Charles Pecheur 1 Dagstuhl 5-9 Nov 2001 Symbolic Model Checking of Domain Models for Autonomous Spacecrafts Charles Pecheur (RIACS / NASA Ames)"— Presentation transcript:

1 © Charles Pecheur 1 Dagstuhl 5-9 Nov 2001 Symbolic Model Checking of Domain Models for Autonomous Spacecrafts Charles Pecheur (RIACS / NASA Ames)

2 © Charles Pecheur 2 Dagstuhl 5-9 Nov 2001 Model-Based Autonomy Goal: "intelligent" autonomous spacecrafts –cheaper (smaller ground control) –more capable (delays, blackouts) General reasoning engine + application-specific model Use model to respond to unanticipated situations For planning, diagnosis Huge state space, reliability is critical Reasoning Engine Model commandsstatus Spacecraft Autonomous controller model of

3 © Charles Pecheur 3 Dagstuhl 5-9 Nov 2001 MRMI Command Discretized Observations Mode updates Goals Model Reconfig Command current state Plan Execution System High level operational plan Livingstone Courtesy Autonomous Systems Group, NASA Ames Livingstone Remote Agent's model-based diagnosis sub-system

4 © Charles Pecheur 4 Dagstuhl 5-9 Nov 2001 Livingstone Models concurrent transition systems (components) synchronous product enumerated types => finite state Essentially ≈ SMV model +nominal/fault modes, commands/monitors (I/O), probabilities on faults,... Closed Valve Open Stuckopen Stuckclosed OpenClose inflow = outflow = zero Courtesy Autonomous Systems Group, NASA Ames p=0.001 p=0.01 Diagnosis = find the most likely assumptions (modes) that are consistent with the observations (commands/monitors) inflow = outflow inflow, outflow : {zero,low,high}

5 © Charles Pecheur 5 Dagstuhl 5-9 Nov 2001 Large State Space? Example: model of ISPP = 7.16·10 55 states This is only the Livingstone model – a complete verification model could be Exec driver (10-100 states) xSpacecraft simulator (10 55 states) xLivingstone system (keeps history – 10 n·55 states) Verify a system that analyzes a large state space! Approach: the model is the program –Verify it (using symbolic model checking) –Assume Livingstone correct (and complete)

6 © Charles Pecheur 6 Dagstuhl 5-9 Nov 2001 MPL2SMV Livingstone Model SMV Model Livingstone Requirement SMV Requirement Livingstone Trace SMV Trace Livingstone SMV MPL2SMVMPL2SMV Autonomy Verification

7 © Charles Pecheur 7 Dagstuhl 5-9 Nov 2001 Translator from Livingstone to SMV Co-developed with CMU (Reid Simmons) Similar semantics => translation is easy Properties in temporal logic + pre-defined patterns Initially for Livingstone 1 (Lisp), upgraded to Livingstone 2 (C++/Java)

8 © Charles Pecheur 8 Dagstuhl 5-9 Nov 2001 (load "mpl2smv.lisp") ;; load the translator ;; Livingstone not needed! (translate "ispp.lisp" "ispp.smv") ;; do the translation (smv "ispp.smv") ;; call SMV ;; (as a sub-process) Principle of Operations (defcomponent heater …) (defmodule valve-mod …) … (defverify :structure (ispp) :specification (all (globally …))) (defcomponent heater …) (defmodule valve-mod …) … (defverify :structure (ispp) :specification (all (globally …))) MODULE Mheater … MODULE Mvalve-mod … … MODULE main VAR Xispp:Mispp SPEC AG … MODULE Mheater … MODULE Mvalve-mod … … MODULE main VAR Xispp:Mispp SPEC AG … Specification AG … is false as shown … State 1.1: … State 1.2: … Specification AG … is false as shown … State 1.1: … State 1.2: … ispp.lisp ispp.smv SMV output Lisp shell

9 © Charles Pecheur 9 Dagstuhl 5-9 Nov 2001 Simple Properties Supported by the translator: –syntax sugar –iterate over model elements (e.g. all component modes) Examples –Reachability (no dead code) EF heater.mode = on –Path Reachability (scenario) AG (s1 –> EF (s2 & EF (s3 & EF s4)))

10 © Charles Pecheur 10 Dagstuhl 5-9 Nov 2001 Probabilistic Properties Use probabilities associated to failure transitions Use order of magnitude: -log(p), rounded to a small integer Combine additively, OK for BDD computations Approximate – but so are the proba. values heater.mode = overheat -> heater.proba = 2; (p = 0.01) proba = heater.proba + valve.proba + sensor.proba; SPEC AG (broken & proba EF working)

11 © Charles Pecheur 11 Dagstuhl 5-9 Nov 2001 Functional Dependency Check that y=f(x) for some unknown f Use universally quantified variables in CTL = undetermined constants in SMV VAR x0,y0 : {a,b,c}; TRANS next(x0) = x0 TRANS next(y0) = y0 SPEC (EF x=x0 & y=y0) –> (AG x=x0 –> y=y0) Limitation: counter-example needs two traces, SMV gives only one => instantiate second half by hand, re-run SMV ≈  x0, y0

12 © Charles Pecheur 12 Dagstuhl 5-9 Nov 2001 Temporal Queries Temporal Query = CTL formula with a hole: AG (? –> EF working) Search (canonical) condition for ? that satisfies the formula (computable for useful classes of queries) Recent research, interrupted (William Chan, †1999) Problem: visualize solutions (CNF, projections,...) Core algorithm implemented in NuSMV (Wolfgang Heinle) Deceptive initial results, to probe further

13 © Charles Pecheur 13 Dagstuhl 5-9 Nov 2001 SMV with Macro Expansion Custom version of SMV (Bwolen Yang, CAV 99) Eliminates variables by Macro Expansion: –analyzes static constraints of the model (invariants), –find dependent variables x=f(x1,...,xn), –substitute f(x1,...,xn) for x everywhere, –eliminate x from the set of BDD variables. For models with lots of invariants => useful for Livingstone models Full ISPP model in < 1 min, vs. SMV runs out of memory.

14 © Charles Pecheur 14 Dagstuhl 5-9 Nov 2001 ISPP Model Statistics In Situ Propellant Production (ISPP) = turn Mars atmosphere into rocket fuel (NASA KSC) Original model state = 530 bits (trans. = 1060 bits) Total BDD vars588 bits Macro expanded-209 bits Reduced BDD vars379 bits Reachable state space7.16·10 55 = 2 185.5 Total state space1.06·10 81 = 2 269.16 Reachability of all modes (163): 29.14" CPU time in 63.6 Mb RAM

15 © Charles Pecheur 15 Dagstuhl 5-9 Nov 2001 Diagnosis Properties Can fault F always be diagnosed? (assuming perfect diagnosis and accurate model) = is F unambiguously observable?  obs0. (EF F & obs=obs0) –> (AG F –> obs=obs0) Similar to functional dependency obs = observable variables (many of them) Static variant (ignore transitions): SAT on two states S, S' such that F & ! F' & obs=obs'

16 © Charles Pecheur 16 Dagstuhl 5-9 Nov 2001 Very recent (yesterday), with Alessandro Cimatti Can fault F be diagnosed knowing the last n steps? Apply SAT to: Variants are possible (e.g. fork at n-1 intead of 0) Diagnosis Properties Revisited... x0 x1 x1' x2 x2' xn xn' T T T T T T T T cmd obs F ! F...

17 © Charles Pecheur 17 Dagstuhl 5-9 Nov 2001 Diagnosis Properties (cont'd) Does it work? –Computational cost of extra variables Has it been done? –Similar work in hardware testability? Is it useful? –It is unrealistic to expect all faults to be immediately observable (e.g. valve closed vs. stuck-closed) –What weaker properties? Are they verifiable? To be explored

18 © Charles Pecheur 18 Dagstuhl 5-9 Nov 2001 Summary Verification of model-based diagnosis: –Space flight => safety critical. –Huge state space (w.r.t. fixed command sequence). Focus on models (the model is the program) Quite different from executable programs –Loose coupling, no threads of control, passive. –Huge but shallow state spaces. Symbolic model checking is very appropriate Verify well-formedness + validity w.r.t. hardware Verify suitability for diagnosis: to be explored

19 © Charles Pecheur 19 Dagstuhl 5-9 Nov 2001 Thank You

Download ppt "© Charles Pecheur 1 Dagstuhl 5-9 Nov 2001 Symbolic Model Checking of Domain Models for Autonomous Spacecrafts Charles Pecheur (RIACS / NASA Ames)"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
Chapter 1 An Overview of Computers and Programming Languages.

Chapter 1 An Overview of Computers and Programming Languages.
MBD in real-world system… Self-Configuring Systems Meir Kalech Partially based on slides of Brian Williams.

MBD in real-world system… Self-Configuring Systems Meir Kalech Partially based on slides of Brian Williams.

Similar presentations

Ads by Google