Presentation is loading. Please wait.

Presentation is loading. Please wait.

HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control.

Published bySophia Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control."— Presentation transcript:

1 HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control Prague, Czech Republic 2003 Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron

2 HSCC 03 MIT LCS Verification Techniques Algorithmic –Model checking e.g. [Alur, et al. 95] Automatic: HyTech Essentially for finite-state systems, subclass of linear hybrid systems –Over approximating set of unsafe states [Bayen, et al. 02] Deductive –Invariant assertions, simulation relations e.g. [Manna, Sipma 98] Can accommodate infinite-state systems: STeP Requires human effort –User interaction

3 HSCC 03 MIT LCS Talk Outline Introduction ٭ Hybrid I/O Automata definitions Specification of Quanser Safety Verification Conclusions

4 HSCC 03 MIT LCS The HIOA Model [Lynch, Segala, Vaandrager 01, 03] General, mathematical modeling framework. –States, discrete transitions –Trajectories: Maps left closed intervals of time to variable values Support for decomposing hybrid system descriptions: –External behavior: Models interaction of component with environment. –Composition: Synchronizes external actions, external “flows”; respects external behavior. –Levels of abstraction: Implementation notion Can incorporate analysis methods from: –CS: Invariants, simulation relations, compositional methods. –Control theory: Invariant sets, stability analysis, robust control.

5 HSCC 03 MIT LCS Hybrid I/O Automaton V = U  Y  X: Input, output, and internal (state) variables Q: States, a set of valuations of X   Q : Start states A = I  O  H: Input, output, and internal actions D  Q  A  Q: Discrete transitions T: Trajectories for V. X UY I O H

6 HSCC 03 MIT LCS Trajectory Axioms and Executions Set T of trajectories is closed under: –Prefix –Suffix –Countable concatenation fstate, lstate Execution fragment:  0 a 1  1 a 2  2 …, where: Each  i is a trajectory of the automaton and Each (  i.lstate, a i,  i+1.fstate) is a discrete step. Execution: –Execution fragment beginning in a start state.

7 HSCC 03 MIT LCS Model Helicopter System Manufactured by Quanser User controllers not necessarily safe, can crash the helicopter on the table. Supervisory pitch controller needed to ensure safety. –Safe operating region –Saturated actuator outputs : U min or U max Must contend with –Sensor errors –Actuator delay

8 HSCC 03 MIT LCS Helicopter System UserCntrl Useroutput(Xu) Sample Supervisor Actuator Sensor Plant θ0, θ1θ0, θ1 U Command(S) now, next buffer, u XuXu dequeue Sample θ0, θ1θ0, θ1 mode, X s, S, rt Command(S) Sample Useroutput(Xu) Sample

9 HSCC 03 MIT LCS Plant θ0,θ1θ0,θ1 U Variables: θ 0 : Pitch angle θ 1 : Pitch velocity Trajectories: evolve: d(θ 0 ) = θ 1 d(θ 1 ) = -Ω 2 cos θ 0 + U Input bounds: U min, U max Safe Region: S = { s | θ min ≤ s.θ 0 ≤ θ max } θ0, θ1θ0, θ1

10 HSCC 03 MIT LCS Sensor Discrete transition: Sample(θ 0 d, θ 1 d ) precondition: now = next and θ 0 d є [θ 0 - є 0, θ 0 + є 0 ] and θ 1 d є [θ 1 - є 1, θ 1 - є 1 ] effect: next = next + Δ Trajectories: evolve: d(now) = 1 stopping condition: now = next Sensor Sample(θ 0 d, θ 1 d ) θ 0,θ 1 now, next } Nondeterministic choice

11 HSCC 03 MIT LCS User Controller Arbitrarily bad user On receiving Sample, –Useroutput(X u ) –Non deterministic choice, X u є [U min, U max ]

12 HSCC 03 MIT LCS Actuator Actuator delay T a –modeled as a FIFO queue of Supervisor(User) outputs –buffer: length [T a / Δ] Enqueue S received from supervisor Dequeue u from buffer head, –u changes discretely –Made into piece-wise continuous output U

13 HSCC 03 MIT LCS Modeling Actuator Delay T a Currently modeled as a single discrete jump from U min to U max after time T a. Alternatively –Approximate exponential rise by adding k intermediate values in the buffer, for every command from the supervisor. Output from buffer will change every Δ/k time. –Model as continuous function Ta

14 HSCC 03 MIT LCS I S C R U θ max θ1θ1 Assumption: Cannot cross I in Δ time. θ min Safe Operating Region θ0θ0

15 HSCC 03 MIT LCS Supervisor On receiving sample, computes X s If s is above I + then X s = U min If s is below I - then X s = U max On receiving useroutput(X u ), computes S –If mode = user then If s is in U then S = X u Else mode = supervisor ; S = X s –If mode = supervisor then If s is in I then S = X u ; mode = user Else S = X s Supervisor mode, X s, S, rt Command(S) Userout(Xu) Sample

16 HSCC 03 MIT LCS Safety Verification Assertional Proofs –Reasoning based on current state of the system Finding the invariants is challenging –Strengthen statement Proofs are easy, for proving I –Base case:   I –Discrete part: s  a s’ є D, show I(s) implies I(s’) –Continuous part: closed τ є T, show I(fstate(τ)) implies I(lstate(τ))

17 HSCC 03 MIT LCS Key Lemmas All trajectories are closed Any trajectory τ є T, ltime(τ) - ftime(τ) ≤ Δ.

18 HSCC 03 MIT LCS I S C A0A0 θ0θ0 θ1θ1 A1A1 A2A2 AΔAΔ A 0 = R For 0 ≤ t ≤ t’ ≤ Δ A t’  A t U  A Δ R U User mode

19 HSCC 03 MIT LCS User mode Safety Any reachable state in the user mode is within R. Proof: –Discrete part is easy –Any closed trajectory τ є T, if fstate(τ) є A t then lstate(τ) є A t-ltime(τ).

20 HSCC 03 MIT LCS Executions in User and Supervisor modes Cannot go outside R from U, in the user mode buffer flushed, Supervisor mode kicks in. Returns to I and mode switches back to user. mode switches to supervisor, but buffer contains stale user commands.

21 HSCC 03 MIT LCS Supervisor mode Correct input to plant If s is above I + then last [rt/Δ] entries in buffer are U min –rt: stopwatch for supervisor mode Similarly, s is below I - then … U max Settling phase rt ≤ T a Any reachable state is within C –All trajectories starting from within R remains within C –Proof similar to User mode Recovery phase rt > T a Any reachable state is within C –Proof: At any point on boundary of C, the vector field points inwards

22 HSCC 03 MIT LCS Conclusions Design of supervisory controller –Controller has been implemented [Ishutkina]. Specification Language Demonstration of HIOA framework –Specification Compositional Nondeterminism models uncertainties in devices or user inputs. –Purely assertional proofs Discrete and continuous parts CS and Control Theory techniques Current/Future Work –Performance guarantees for mobile computing algorithms –Theorem prover support

23 HSCC 03 MIT LCS Thank You. Questions ?

24 HSCC 03 MIT LCS

25 HSCC 03 MIT LCS Current/Future Work Incorporate control theory methods: –Invariant sets, Stability analysis using Lyapunov functions, robust control methods. More examples: –Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems. Develop analysis tools for HIOA programs: –Theorem-provers, automated tools –As extension to IOA toolset

26 HSCC 03 MIT LCS Future Work : Case Studies Mobile Computing –Location and Routing algorithms, e.g. Grid [Li 2000] Objectives:  Performance guarantees under mobility  Specialize HIOA to model mobile systems Control problems –Quantized double integrator system Objective:  Develop and apply analysis methods from control theory

27 HSCC 03 MIT LCS Future Work : Tool Support Theorem prover interface –Automatic translation of HIOA specifications into the language of the prover –Prover tactics and strategies Extend IOA Toolset –Language frontend Interface with other tools –Model-checkers –Simulators

28 HSCC 03 MIT LCS sample control command dequeue    act 0 supervisor plant sensor usrCtrl Discrete Communication Among Components actuator

29 HSCC 03 MIT LCS Other Applications Automated transportation systems: –Simple vehicle maneuvers [Weinberg, Lynch 96] –PATH automated highway system [Branicky, Dolginova, Lynch 97] [Dolginova, Lynch 97][Lygeros, Lynch 98] Aircraft control: –TCAS [Livadas, Lygeros, Lynch 99] Spacecraft: –ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03] Robotics –Lego cars [Fehnker, Vaandrager, Zhang 02]

30 HSCC 03 MIT LCS Helicopter Model and Analysis We developed HIOA models for all system components: Plant, Sensor, Actuator, User Controller, Supervisor –Including realistic dynamics, delays, inaccuracies. –Used the models to help design a safe supervisory controller.

31 HSCC 03 MIT LCS Language Design Additional structure for specifying trajectories: –Variables are either discrete or continuous –Discrete variables remain constant over trajectories Describing trajectories: –State space is partitioned into modes –Continuous variables in each mode evolve according to differential/algebraic equations. –Each mode is specified by an activity

Download ppt "HSCC 03 MIT LCS Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata Sayan Mitra MIT Hybrid Systems: Computation and Control."

Similar presentations

Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.

Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.
Timed Automata.

Timed Automata.
Supervisory Control of Hybrid Systems Written by X. D. Koutsoukos et al. Presented by Wu, Jian 04/16/2002.

Supervisory Control of Hybrid Systems Written by X. D. Koutsoukos et al. Presented by Wu, Jian 04/16/2002.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Models for Control and Verification Ian Mitchell Department of Computer Science The University of British Columbia research supported by National Science.

Models for Control and Verification Ian Mitchell Department of Computer Science The University of British Columbia research supported by National Science.
Zonotopes Techniques for Reachability Analysis Antoine Girard Workshop “Topics in Computation and Control” March 27 th 2006, Santa Barbara, CA, USA

Zonotopes Techniques for Reachability Analysis Antoine Girard Workshop “Topics in Computation and Control” March 27 th 2006, Santa Barbara, CA, USA
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Trajectory-Directed Discrete State Space Modeling for Formal Verification of Nonlinear Analog Circuits Presented by Valeriy Balabanov.

Trajectory-Directed Discrete State Space Modeling for Formal Verification of Nonlinear Analog Circuits Presented by Valeriy Balabanov.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
Succinct Approximations of Distributed Hybrid Behaviors P.S. Thiagarajan School of Computing, National University of Singapore Joint Work with: Yang Shaofa.

Succinct Approximations of Distributed Hybrid Behaviors P.S. Thiagarajan School of Computing, National University of Singapore Joint Work with: Yang Shaofa.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.
1 Stability of Hybrid Automata with Average Dwell Time: An Invariant Approach Daniel Liberzon Coordinated Science Laboratory University of Illinois at.

1 Stability of Hybrid Automata with Average Dwell Time: An Invariant Approach Daniel Liberzon Coordinated Science Laboratory University of Illinois at.
EECE 396-1 Hybrid and Embedded Systems: Computation T. John Koo, Ph.D. Institute for Software Integrated Systems Department of Electrical Engineering and.

EECE Hybrid and Embedded Systems: Computation T. John Koo, Ph.D. Institute for Software Integrated Systems Department of Electrical Engineering and.
STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.

STARI: A Case Study in Compositional and Hierarchical Timing Verification Serdar Tasiran, Prof. Robert K. Brayton Department of Electrical Engineering.
An Introduction to Input/Output Automata Qihua Wang.

An Introduction to Input/Output Automata Qihua Wang.
EECE 396-1 Hybrid and Embedded Systems: Computation T. John Koo, Ph.D. Institute for Software Integrated Systems Department of Electrical Engineering and.

EECE Hybrid and Embedded Systems: Computation T. John Koo, Ph.D. Institute for Software Integrated Systems Department of Electrical Engineering and.

Similar presentations

Ads by Google