Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability and Diagnosability of Hybrid Automata, and their application in Air Traffic.

Published byLawrence Booth Modified over 8 years ago

Similar presentations

Presentation on theme: "Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability and Diagnosability of Hybrid Automata, and their application in Air Traffic."— Presentation transcript:

1 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability and Diagnosability of Hybrid Automata, and their application in Air Traffic Management M.D. Di Benedetto, S. Di Gennaro and A. D’Innocenzo University of L’Aquila Center of Excellence DEWS L’Aquila, Italy

2 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Motivation ATM procedures define behaviours and interactions among actors of a multi agent system With the increase of air traffic, bottlenecks of current procedures are arising: decentralize decisions? It is extremely hard to convince people that a “new” procedure is more efficient than the “old” one, but equally safe

3 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 General framework for testing ATM procedures In order to convince - formally prove - that an ATM procedure satisfies certain properties: Compositional mathematical framework for modeling ATM procedures Propositional logics to mathematically define properties of interest Tools to automatically verify properties

4 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Automatically verify properties of ATM procedures ATM procedure Automatic Verification Tool Property of interest Yes No + counterexample Can the procedure terminate correctly? Does the procedure terminate in time t  [min, max]? Is it possible to immediately detect if the procedure is not performed correctly? Is it possible to detect propagation of situation awareness incongruency due to interconnection of agents?

5 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Automatically verify properties of ATM procedures Hybrid model Model checking Formula Yes No + counterexample Can the procedure terminate correctly? CTL PROPERTY Does the procedure terminate in time t  [min, max]? TCTL PROPERTY Is it possible to immediately detect if the procedure is not performed correctly? OBSERVABILITY PROPERTY Is it possible to detect propagation of situation awareness incongruency due to interconnection of agents? DIAGNOSABILITY PROPERTY

6 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Hybrid system definition Continuous Layer q1q1 q2q2 q3q3 Discrete Layer Invariant Sets Guard Sets Reset Maps

7 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Hybrid execution

8 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Language of executions of discrete state q1q1 q2q2 q4q4 q3q3 3 s 4 s2 s1 s L language of all discrete state executions P language of all discrete observations L Q b executions that terminate in Q b  Q P Q b observations of string in L Q b

9 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Regular language of executions Consider observations without time delays: then L, P, L Q b, P Q b are regular languages Regular languages are closed w.r.t. union, intersection, concatenation.

10 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Discrete state observability: motivation Unauthorized crossing Waiting at stop-bar Emergency Braking Authorized crossing Taxi to hangar Taxiing Engines Running Taxi on airport way Ask for crossing grant Crossing Crossing completed Taxiing Unobs. [Di Benedetto et al. MED’05] Q b = {unauth. crossing}

11 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability definition Definition: Set Q b  Q is observable for hybrid system H if observer of Q b exists. Hybrid system Observer of Q b [Di Benedetto et al. LNCIS’05, CDC’06] Let Q b  Q be a subset of the discrete state space, that models a faulty behavior of the system.

12 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Classical observability definition Proposition: Classical discrete state observability is a special case of observability of Q b Observer of q 1 Observer of q N … Observer of H

13 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability condition Proposition: Set Q b is observable for hybrid system H if and only if Q0Q0 QbQb a b c d a b c d

14 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability verification Algorithm: 1.Compute regular languages P Q b and P Q\Q b 2.Compute intersection P Q b  P Q\Q b 3.Check if P Q b  P Q\Q b is empty. Algorithm terminates in polynomial time w.r.t. dimension of discrete state space [Di Benedetto et al. IJRNC’08]

15 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Diagnosability definition Definition: Set Q b is  -diagnosable for a hybrid system H if it is possible to detect within a delay  that Q b has been visited, using the observable output. Proposition: Set Q b is observable if and only if it is  -diagnosable with  =0.

16 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 6-diagnosability conditions q1q1 q2q2 q4q4 q3q3 3 s 4 s 2 s1 s q1q1 q5q5 q7q7 q6q6 3 s 4 s2 s1 s not admitted admitted q1q1 q2q2 q4q4 q3q3 3 s 2 s 1 s q1q1 q5q5 q7q7 q6q6 3 s 2 s 1 s

17 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Faulty executions q1q1 q2q2 q4q4 q3q3 3 s 4 s2 s1 s Definition: A δ- faulty execution is a trajectory that enters the faulty set at a certain time instant, and then continues flowing for a time duration δ. is 3-faulty

18 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Diagnosability conditions Proposition: Q b is  -diagnosable for H iff Problem: Compute the minimum  m such that Q b is  m -diagnosable for H.

19 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Diagnosability verification for HA It is extremely hard to automatically verify diagnosability conditions on a general hybrid model. It is probably undecidable. This problem has been solved for discrete event systems and timed automata

20 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Abstraction methods Hybrid system H Discrete event system D Hybrid system H Timed automaton T Timed abstraction: Pro: preserve time information! Con: more complex algorithms… safety temporal properties Durational graph G Untimed Timed

21 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Diagnosability Verification by abstraction [Di Benedetto et Al., IEEE TAC] Hybrid system H Abstraction G G is diagnosable Construct abstraction G to preserve properties of interest Verification procedure on G Find conditions to construct an abstraction G such that: property true for H if and only if true for G H is diagnosable

22 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Diagnosability verification complexity Timed automata Durational graphs Discrete event systems < < Complexity class: PSPACE [Tripakis] P [Lafortune] P [Di Benedetto et Al., IEEE TAC] Expressive power

23 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 In-Trail Procedures: ATSA and ASEP ITP ATSA-ITP application is currently being standardized by the Requirements Focus Group as part of Airborne Separation Assistance System (ASAS) Package 1 applications. Tested since spring 2008 in the North Atlantic Airspace above Iceland (where radar coverage is available) with a small set of aircraft equipped with special ADS-B devices. ATSA-ITP is the near-future of ITP oceanic airspace applications. Airborne Separation In Trail Procedure (ASEP-ITP) studied inside the Advanced Safe Separation Technologies and Algorithms (ASSTAR) project introduces an innovative transfer of separation management responsibilities from ATC to the flight crew throughout the ITP manoeuvre. The rationale behind this is that the flight crew, in contrast to ATC, disposes of the appropriate surveillance equipment (i.e. ADS-B and ASAS Equipment), and is therefore instantly able to monitor separation and act if necessary.

24 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 ATSA and ASEP ITP ATSA-ITP: improvement in the situation awareness of the agents, but the procedure is the same as the traditional, and does not include any transfer of responsibility from the controller to the pilot. ASEP-ITP: for the first time in oceanic applications, the pilot has the responsability of separation during execution. He can change the Mach number, whenever the ASAS systems suggests. Reduce the separation minimum to 5NM. ASEP-ITP is strongly based on ATSA-ITP: step-by-step evolution of the application inside the ASAS concept, gradual implementation of a new concept and of safety assessment.

25 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 >10 minutes Actual Separation ( ~80 NM) ‏ FL350 FL360 FL340 Reference Aircraft ITP Aircraft 10 NM ATSA Separation minimum FL350 FL360 FL340 ITP Aircraft 5 NM ASEP Separation minimum FL350 FL360 FL340 Reference Aircraft ITP Aircraft Separation minimum improvement

26 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Agents: ITP Aircraft modeled by Rectangular automaton Oceanic Controller modeled by Discrete Event System ASAS Technical System is working Assumptions Aircraft Dynamics are described by longitudinal position altitude longitudinal absolute speed, measured in Mach climb rate Operational hazards: [Requirements Focus Group (RFG). In-trail procedure in non-radar oceanic airspace (atsa-itp) - operational safety assessment (osa), v2.3. November 2007.]

27 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 From ASEP-ITP specification to automatic verification Hybrid System or Rectangular Aut. H Timed automaton T Property true on H Property true on T Most of the properties of our interest for ATM procedure analysis are decidable for timed and rectangular automata [Alur et Al., TAC’00] ASEP-ITP specification Property true on ASEP-ITP specification

28 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Q1 Cruise Q2 ITP Initatio n Q3 ITP Instruction Q4 ITP Standard Execution Q5 ITP Termination Q1 Cruise Q2 ITP Initiation Q6 ITP Aborted Q7 ITP Denied Q8 ITP Rejected Q9 Abnormal Termination ε σ1σ1 σ6σ6 ε σ4σ4 ψ2ψ2 ψ3ψ3 ψ5ψ5 σ2σ2 ε σ3σ3 ψ1ψ1 ψ6ψ6 σ5σ5 σ9σ9 ψ7ψ7 Q12 Asas alert Q10 Non-ITP Criteria compliant Q10 Non-ITP Criteria compliant Q11 Wrong Execution Q11 Wrong Execution Q13 Wrong termination Q13 Wrong termination σ8σ8 ε ε ε ε σ9σ9 ψ7ψ7 ψ4ψ4 ψ4ψ4 ψ4ψ4 σ7σ7 σ7σ7 σ7σ7 σ7σ7 ψ5ψ5 ψ5ψ5 ψ5ψ5 ψ4ψ4 ε ε ε ε ASEP-ITP observability analysis

29 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Q1 Cruise Q2 ITP Initatio n ITP Instruction ITP Standard Execution ITP Termination Cruise ITP Initiation ITP Aborted ITP Denied ITP Rejected Abnormal Termination Asas alert Non-ITP Criteria compliant NON-ITP Criteria Compliant Wrong Termination Wrong Execution

30 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 ASEP-ITP observer ψ1ψ1 ψ6ψ6 Q1,Q2,Q6 Q3 Q7 Q8 ψ2ψ2 Q4,Q10,Q11 Q9 ψ5ψ5 ψ4ψ4 Q12 ψ7ψ7 ψ3ψ3 ψ4ψ4 ψ5ψ5 Q5,Q13 The operational hazards are not observable even if the ASEP-ITP procedure satisfies the ED78a check, some operational hazards cannot be detected!

31 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Conclusions Apply hybrid systems theory for formal modeling of ATM procedures Propose a mathematical framework for formal analysis of ATM procedures Develop tools for automatic verification of observability and diagnosability Analyze observability of ASEP-ITP

32 Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Future work Stochastic definitions of observability and diagnosability Use abstraction tools for stochastic hybrid systems analysis Compositional analysis for complexity reduction

Download ppt "Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009 Observability and Diagnosability of Hybrid Automata, and their application in Air Traffic."

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
FAA/Eurocontrol TIM 9 on Performance Metrics – INTEGRA Rod Gingell 16 May 2002.

FAA/Eurocontrol TIM 9 on Performance Metrics – INTEGRA Rod Gingell 16 May 2002.
Page 1 CARE/ASAS Activity 3: ASM workshop Brétigny, 19 December 2001 Autonomous Aircraft OSED CARE-ASAS Activity 3: ASM Autonomous Aircraft OSED.

Page 1 CARE/ASAS Activity 3: ASM workshop Brétigny, 19 December 2001 Autonomous Aircraft OSED CARE-ASAS Activity 3: ASM Autonomous Aircraft OSED.
Air Traffic Management

Air Traffic Management
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.

Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Formal Development and Verification of Distibuted Railway Control System – Haxthausen&Peleska To allow for private companies to be key players in the railway.

Formal Development and Verification of Distibuted Railway Control System – Haxthausen&Peleska To allow for private companies to be key players in the railway.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.

The Big Picture Chapter 3. We want to examine a given computational problem and see how difficult it is. Then we need to compare problems Problems appear.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Advanced Safe Separation Technologies and Algorithms (ASSTAR) Project ASAS-TN2 Workshop #1 Malmö 26 th -28 th September 2005 ASSTAR is a Specific Targeted.

Advanced Safe Separation Technologies and Algorithms (ASSTAR) Project ASAS-TN2 Workshop #1 Malmö 26 th -28 th September 2005 ASSTAR is a Specific Targeted.
1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.

1 Formal Models for Stability Analysis : Verifying Average Dwell Time * Sayan Mitra MIT,CSAIL Research Qualifying Exam 20 th December.
1 Stability of Hybrid Automata with Average Dwell Time: An Invariant Approach Daniel Liberzon Coordinated Science Laboratory University of Illinois at.

1 Stability of Hybrid Automata with Average Dwell Time: An Invariant Approach Daniel Liberzon Coordinated Science Laboratory University of Illinois at.
Applications from packages I to III

Applications from packages I to III
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
Discrete Abstractions of Hybrid Systems Rajeev Alur, Thomas A. Henzinger, Gerardo Lafferriere and George J. Pappas.

Discrete Abstractions of Hybrid Systems Rajeev Alur, Thomas A. Henzinger, Gerardo Lafferriere and George J. Pappas.

Similar presentations

Ads by Google