TRANSCRIPT
Bridging the Gap between Research and Practice: Formal Methods for Powertrain Control Software
Jyotirmoy V. Deshmukh
What is a Powertrain?
(Images: http://www.greencarcongress.com/2014/11/20141118-mirai.html; Google Image search; MotorTrend, Tundra powertrain)
• Main components in delivering power
• Automotive context: engine and transmission
• This talk: engine, fuel cell stack, engine + electric motor, etc.
UC Berkeley, DREAM Seminar, Oct 15 (2/42)
What is Powertrain Control Software?
• Real-time Control Algorithms
  - Examples: Air/Fuel Ratio Control, Idle Speed Control, Exhaust-gas recirculation, boost control, Electronic throttle control, battery management systems, etc.
• On-board Diagnostic Algorithms
  - Fuel and air metering, emissions controls, misfire indication, telematics, fleet tracking, etc.
What do we mean by formally verified?
(Figure: a question mark surrounded by the targets Safety, Low exhaust gas emissions, Good Fuel Efficiency, Drivability, Comfort)
Complexity of powertrain software is increasing
• 70 to 100 ECUs in modern luxury cars, close to 100 MLOC
• Engine control: 1.7 MLOC
• F-22 Raptor: 1.7M, Boeing 787: 6.5M
• Frost & Sullivan: 200M to 300M LOC
• Electronics & Software: 35-40% of luxury car cost
(Chart: growth of automotive code size by year, with ticks at 1988, 1997, 2002, 2009)
Charette, R., "This Car Runs on Code", IEEE Spectrum, http://spectrum.ieee.org/transportation/systems/this-car-runs-on-code
• 1977: first GM car with embedded software
• 1981: GM: 50 KLOC for entire US fleet
Overview
• Model-based Development: Verification & Validation
• Promising Techniques
  - Some success stories
• Challenge Problems
Dev Target: Keep A/F ratio to 5% of 14.7
• Catalytic converters reduce HC, CO2, and NOx emissions
• Conversion efficiency optimal at stoichiometric value
[1] X. Jin, J. Kapinski, J. Deshmukh, K. Ueda, K. Butts, Powertrain Control Verification Benchmark, HSCC 2014
MBD process
(Figure: V-shaped model-based development process. Real World side: Prototype Design, Plant (Engine, Transmission etc.), Controller (Hardware, Software), HILS, Rapid Prototyping ECU, Legacy Code, Development target. Virtual World side: Model-Based Development, Control Software Specification, Engine Performance Specification, Plant Model, Controller Model, SILS / MILS. Stages: Prototype modeling and implementation, Combination, Validation, System evaluation.)
The plant model
$\dot\theta = 10\,(\theta_{in} - \theta)$
$\dot p = c_1\Big(2\theta\big(\sqrt{p/c_{10}} - (p/c_{10})^2\big) - c_{12}\big(c_2 + c_3\,\omega p + c_4\,\omega p^2 + c_1\,\omega^2 p\big)\Big)$
$\ddot\lambda_m = \frac{1}{0.002}\Big(-0.12\,\dot\lambda_m - \lambda_m(t) + \lambda_c\big(t - \Delta(m_c, n)\big)\Big)$
$m_\varphi = \big(1 - {?}(n, m_c)\big)\, m_{?} + m_f/\tau(n, m_c)$
$\dot m_f = {?}(n, m_c)\, m_{?} - m_f/\tau(n, m_c)$
(Two symbols in the last two equations are unreadable in the source and are written as ?.)
Delay Differential Equation
Controller Hybrid Automaton
(Figure: four modes with their transitions)
• startup: no feedback control, only feedforward estimator; startup time $\tau_I$; $\lambda_{ref} = 14.7$
• normal: feedback control + feedforward estimator; $\lambda_{ref} = 14.7$
• power: $\lambda^{power}_{ref} = 12.5$; entered from normal when $\theta \ge 70^{\circ}$, left back to normal when $\theta \le 50^{\circ}$
• sensor failure: $\lambda_{ref} = 14.7$
MBD process
(Figure: the same V-shaped process annotated with the development flow: Requirement, Feasibility study / requirement analysis, New design, Controller Specification Model, Auto-Code Generation, Integrated code, Legacy Code, Development target. Real World side: Prototype Design, Plant (Engine, Transmission etc.), Controller (Hardware, Software), HILS, Rapid Prototyping ECU. Virtual World side: Model-Based Development, Control Software Specification, Engine Performance Specification, Plant Model, Controller Model, SILS / MILS. Stages: Prototype modeling and implementation, Combination, Validation, System evaluation. Every stage is annotated "Testing", "More testing", "More Testing", and the final one "Lots and lots of testing, now by driving!")
Challenge: Verify these Temporal Logic Requirements
$\mu = \dfrac{\lambda - 14.7}{14.7}$ (normalized A/F ratio)
Normal Mode Requirements
• $\Box_{(\tau_s, T)}\, |\mu| < 0.05$: A/F ratio always within 5% after initial startup time
• $\Box_{(\tau_s, T)}\, \big(\mathrm{rise} \vee \mathrm{fall} \Rightarrow \Box_{(\eta, \zeta/2)}\, |\mu| < 0.02\big)$: After every rising or falling edge of the pulse input, the signal settles within $\eta$ seconds and remains settled till the next edge
• $\Diamond_{(T, T)}\, \sqrt{\dfrac{1}{t - \tau_I}\displaystyle\int_0^{t} (\lambda(\tau) - 14.7)^2\, u(\tau - \tau_I)\, d\tau} < 0.05$: RMS error is less than 0.05
• $\Box_{(\tau_s, T)}\, \mu < 0.05$: Maximum overshoot is 0.05
Existing formal verification techniques struggle
V&V in the industry: both tools and practice
• Mostly focused on "verifying" the controller
  - By that, I mean "verifying" the generated C code
  - By that, I mean testing the generated C code
• Code coverage metrics, test-case generation
• Some formal methods being marketed by tool vendors
  - Static analysis: dead code detection, divide by zero
  - Property proving
  - Do not scale to large open-loop or simple closed-loop models
• Dearth of tools for closed-loop testing/verification?
Scaling and Industrializing MBD V&V: A case for simulation-guided formal analysis
Spectrum of Analysis Techniques
(Figure: techniques placed on two axes, "Can apply to real designs? (scalability)" against "How formal/exhaustive?", grouped into Software Testing, Program Analysis, Control Theory Techniques and Formal Verification)
• Linear Analysis (symbolic)
• Test Vector Generation for Model Coverage
• Simulation
• Linear Analysis (numerical)
• Concolic Testing
• Theorem Proving
• (Bounded) Model Checking
• Stability Proofs
• Reachability Analysis
• The One Tool to Rule Them All
Why start from simulations?
• Visual feedback, bug-finding
• Can use existing design artifacts
• Does not require knowledge of: Temporal Logic, SAT modulo theories, Bounded Model Checking, Undecidability, Hybrid Automata, ...
• Rich heritage of dynamic analysis, runtime verification in the formal methods/verification community (SciDuction, Seshia et al.; Proofs from Tests, Gupta et al.; Concolic Testing, Sen et al.; Monitoring Temporal Logic (cf. Leucker et al.))
• Control designers already use them a lot
• What we learned: if we want production engineers to pay attention, we have to speak to them in a language they understand!
A Few Promising Techniques
• Requirement Falsification
• Mining Temporal Requirements
• Conformance Testing
• Simulation-guided dynamical analysis
• Simulation-guided reachability analysis
Requirement Falsification
• Given model $M$; property $\varphi$
• Find input $\mathbf{u}(t)$ and initial conditions $\mathbf{x}_0$ s.t. $M(\mathbf{x}_0, \mathbf{u})$ does not satisfy $\varphi$
• Not verification, but systematic bug-finding, aka "super testing"
• No guarantees of completeness (except asymptotic/probabilistic)
Signal/Metric Temporal Logic for Requirements
(Figure: a signal over time 0 to 100 with bounds at 1 and 3; annotation: "Always between time 0 and 100")
Signal/Metric Temporal Logic for Requirements
(Figure: a signal x over time 0 to 100 with a band of ±0.1 around 1; annotations: "Eventually at some time t between time 20 and 60" and "From that time t, always till the end of the signal trace")
Quantitative Semantics for Real-time Temporal Logics
• Robust satisfaction [1,2] of temporal logic property $\varphi$ by a given simulation trace $y(\cdot)$: a function mapping $\varphi$ and $y$ to $\mathbb{R}$
• Positive number = $y$ satisfies $\varphi$
• Negative number = $y$ does not satisfy $\varphi$
• Moving towards zero = moving towards violation
[1] G. Fainekos and G. J. Pappas, Robustness of temporal logic specifications for continuous-time signals, Theoretical Computer Science 2009.
[2] A. Donzé and O. Maler, Robust satisfaction of temporal logic over real-valued signals, FORMATS 2010.
Quantitative Semantics for Real-time Temporal Logics
(Figure, two steps: a signal x(t) sampled over t from 0 to 0.7, with $\mu = x - 1.5$ taking values such as 1, 0.5, -0.5, 0.5, -1. Step 1: take the supremum of $\mu$ over each interval of width 0.5. Step 2: take the infimum over the results from the previous step; the robust satisfaction value in the example is 0.5.)
Falsification by optimization
(Figure: input $\mathbf{u}(t)$ is fed to the model $M(\mathbf{u}(t), \mathbf{x}_0)$; the output trace is checked against $\varphi$; Optimizer: minimize the robust satisfaction value and feed a new input back to the model)
• Use powerful optimization heuristics to get close to the global optimum
Falsification with Parameterized Inputs
S-TaLiRo [Fainekos, Sankaranarayanan, et al., TACAS'11, HSCC'10, ACC'12]
• Metric Temporal Logic based robustness computation
• Supports: simulated annealing, cross-entropy, ant-colony, genetic algorithms
Breach [Donzé et al., CAV'10, NSV'13]
• Signal Temporal Logic based robustness computation
• Supports Nelder-Mead optimizer
(Figure: an input signal $u(t)$ defined by control points $u_1, \ldots$ over $t$, and the resulting output $y(t)$)
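As an added worked example for the quantitative-semantics slides and the falsification-by-optimization slides above (this is not code from the talk, nor from S-TaLiRo or Breach): a small Python evaluator for the robust satisfaction of STL formulas over sampled traces, built from the two steps the figures show (supremum over a window for "eventually", infimum for "always"), followed by a falsifier that minimises that robustness over control-point-parameterised inputs to the throttle equation $\dot\theta = 10(\theta_{in} - \theta)$ from the plant-model slide. The sample period, horizon, control-point layout, the requirement "whenever $\theta_{in} > 50^{\circ}$, $\theta$ exceeds $45^{\circ}$ within 0.3 s", the input box $[0, 90]$ and the search heuristic (random sampling plus stochastic coordinate descent, standing in for simulated annealing or Nelder-Mead) are all assumptions made for this example.

```python
"""STL robust satisfaction and optimization-based falsification.

Added example, not code from the talk, S-TaLiRo or Breach. The plant is the
throttle equation from the plant-model slide, theta' = 10*(theta_in - theta);
sample period, horizon, control-point layout, requirement and search budget
are constructed for this example.
"""
import random

# ---- STL robust satisfaction over a uniformly sampled, finite trace --------
# A formula is a function (trace, dt) -> list of robustness values, one per
# sample. Atoms give the signed margin f(x); Boolean connectives are min/max;
# "always over [a,b]" is the infimum and "eventually over [a,b]" the supremum
# of the sub-formula over the shifted window (the two steps on the slides).

def predicate(f):
    """Atom f(x) > 0 with robustness f(x)."""
    return lambda trace, dt: [f(x) for x in trace]

def neg(phi):
    return lambda trace, dt: [-r for r in phi(trace, dt)]

def conj(phi, psi):
    return lambda trace, dt: [min(a, b) for a, b in zip(phi(trace, dt), psi(trace, dt))]

def disj(phi, psi):
    return lambda trace, dt: [max(a, b) for a, b in zip(phi(trace, dt), psi(trace, dt))]

def implies(phi, psi):
    return disj(neg(phi), psi)

def _window(rho, dt, a, b, agg):
    """agg (min or max) of rho over the samples with time in [t_i+a, t_i+b];
    windows running past the end of the finite trace are truncated."""
    n = len(rho)
    lo, hi = int(round(a / dt)), int(round(b / dt))
    out = []
    for i in range(n):
        start, stop = min(i + lo, n - 1), min(i + hi, n - 1)
        out.append(agg(rho[start:stop + 1]))
    return out

def always(a, b, phi):
    return lambda trace, dt: _window(phi(trace, dt), dt, a, b, min)

def eventually(a, b, phi):
    return lambda trace, dt: _window(phi(trace, dt), dt, a, b, max)

def robustness(phi, trace, dt):
    """Robust satisfaction of phi at time 0: > 0 satisfied, < 0 violated."""
    return phi(trace, dt)[0]

# Constructed trace in the spirit of the slides' figure: x sampled every 0.1 s,
# mu = x - 1.5. DEMO_PHI: "eventually within [0, 0.6], x stays above 1.5 for 0.1 s".
DEMO_TRACE = [2.5, 2.0, 1.0, 2.0, 2.5, 0.5, 2.0, 2.5]
DEMO_PHI = eventually(0.0, 0.6, always(0.0, 0.1, predicate(lambda x: x - 1.5)))

# ---- Plant and parameterized input -----------------------------------------
DT, T = 0.02, 1.0   # sample period and horizon in seconds (constructed)
K, HOLD = 10, 5     # 10 control points, each held for 5 samples = 0.1 s

def simulate(control_points, theta0=0.0):
    """Forward-Euler simulation of theta' = 10*(theta_in - theta) with a
    piecewise-constant theta_in built from the control points.
    Returns the trace as (theta_in, theta) pairs."""
    n = int(round(T / DT))
    u = [control_points[min(j // HOLD, K - 1)] for j in range(n + 1)]
    theta = [theta0]
    for j in range(n):
        theta.append(theta[j] + DT * 10.0 * (u[j] - theta[j]))
    return list(zip(u, theta))

# Constructed requirement: whenever the commanded angle exceeds 50 deg, the
# actual angle must exceed 45 deg within 0.3 s; checked on [0, 0.7] so that
# every inner window lies inside the 1 s horizon.
REQ = always(0.0, 0.7, implies(predicate(lambda s: s[0] - 50.0),
                               eventually(0.0, 0.3, predicate(lambda s: s[1] - 45.0))))

def falsify(phi, samples=400, steps=600, seed=7):
    """Minimize robust satisfaction over the control-point box [0, 90]^K:
    random sampling followed by stochastic coordinate descent, a cheap
    stand-in for the annealing / Nelder-Mead heuristics of the tools above.
    Returns (control points, robustness); robustness < 0 is a falsifying input."""
    rng = random.Random(seed)
    cost = lambda cp: robustness(phi, simulate(cp), DT)
    best = [rng.uniform(0.0, 90.0) for _ in range(K)]
    best_cost = cost(best)
    for _ in range(samples):
        cand = [rng.uniform(0.0, 90.0) for _ in range(K)]
        c = cost(cand)
        if c < best_cost:
            best, best_cost = cand, c
    for _ in range(steps):
        cand = list(best)
        k = rng.randrange(K)
        cand[k] = min(90.0, max(0.0, cand[k] + rng.gauss(0.0, 10.0)))
        c = cost(cand)
        if c < best_cost:
            best, best_cost = cand, c
    return best, best_cost

if __name__ == "__main__":
    print("demo robustness:", robustness(DEMO_PHI, DEMO_TRACE, 0.1))
    print("constant 80 deg command:", robustness(REQ, simulate([80.0] * K), DT))
    cp, rob = falsify(REQ)
    print("falsifying control points:", [round(v, 1) for v in cp], "robustness:", rob)
```

Constant commands satisfy the requirement (a command held at 80° gives a robustness of about 32, the margin by which θ clears 45° at the end of the first 0.3 s window; a command held at 0° gives 50, the margin by which the antecedent stays false), so a test plan built from step inputs would pass. The search drives the robustness negative by shaping a pulse that briefly crosses 50° and is withdrawn before θ reaches 45°, which is the "systematic bug-finding" of the slides: a witness when one is found, and no completeness claim beyond the sampling budget.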
Falsification + State-space Coverage: RRT-REX [Dreossi, Donzé, Dang + Toyota MBD, NFM'15]
• RRT-based optimal search
(Figure: a tree of simulated trajectories in the $(x_1, x_2)$ state space growing toward a BAD region; the branches marked X are different choices for $u(\Delta t)$ and $u(2\Delta t)$)
• Choosing goal point: maximize space coverage; pick in a region of low robust satisfaction value
• Pick neighbor to grow from: pick the neighbor with the lowest robust satisfaction value
• Local choice for input: decrease the robust satisfaction value of the partial trace
Falsification + Input Space Refinement: SITAR [Toyota MBD + Oded Maler, ATVA'15]
• Discretize input signal space
(Figure: a grid over the input signal $u_1$ against $t$)
• Evaluate cost at neighbors
• Descend to the neighbor with the lowest cost
• Too many neighbors? Stochastically pick a subset
• Maintain a Tabu list to avoid revisiting neighbors
• Havoc when at a local optimum or on slow convergence
(Figure: two neighboring input signals on the grid, Neighbor 1 and Neighbor 2)
• Refine the input signal space from "promising inputs"
• Permit nonuniform gridding and refinement
(Figure: nonuniform refinement of the grid over $u_1$ against $t$)
In Practice?
• Found "hunting" behavior in an experimental Toyota air path control model
  - Over 4000 Simulink blocks
  - Advanced control scheme
• Found undesirable overshoot in an experimental version of control software in a powertrain application
  - Large model
  - Takes 5 to 10 seconds to simulate one second of real-time
  - Hours of falsification required
Requirements in an Industrial Setting
• Formal methods/verification engineers love them
• Control designers write them in Word documents (in Japanese and/or German)
• Control designers (and occasionally temporal logic pundits) have a hard time writing them
Mining Requirements
• How do control designers check correctness?
• What do you do when your chief engineer leaves?
• Formal techniques need machine-checkable requirements
• Key Idea: Identify Temporal Logic Patterns from Simulation Data!
(Figure: simulation traces with a red band; Req: settle in the red band)
Counterexample Guided Inductive Synthesis
(Figure: a loop between a synthesizer that finds the "tightest" answers to the template "Settling time is ??, Overshoot is ??, Bounds on x are ??" from traces 1..m, and a falsifier that asks "∃ trace ⊭ Property?" and returns counterexamples 1..n)
• Iteration 1: Settling time is 5 ms, Overshoot is 5 KPa, Upper bound on x is 3.6; the falsifier finds counterexamples
• Iteration 2: Settling time is 5.8 ms, Overshoot is 5.3 KPa, Upper bound on x is 4; the falsifier finds counterexamples 1..n
• Iteration 3: Settling time is 6 ms, Overshoot is 5.5 KPa, Upper bound on x is 5; the falsifier answers NO, so the result is: Settling time is 6 ms, Overshoot is 5.5 KPa, Upper bound on x is 5
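The three iterations above can be run as a loop. The following is an added example (not code from the talk) that mines the tightest parameters of a constructed two-parameter template, "θ never exceeds c1 and never rises by more than c2 within 0.1 s", from simulations of the throttle equation $\dot\theta = 10(\theta_{in} - \theta)$ on the plant-model slide; the template stands in for the slide's settling-time / overshoot / bound-on-x template. A random-search falsifier stands in for the optimization-based falsifier of the earlier slides; the sampling, input layout, search budgets and initial batch size are assumptions.

```python
"""Counterexample-guided mining of requirement parameters.

Added example, not code from the talk. The template "theta never exceeds c1
and never rises by more than c2 within 0.1 s" is constructed; the plant is
the throttle equation theta' = 10*(theta_in - theta) from the plant-model
slide; sampling, input layout, budgets and initial-batch size are constructed.
"""
import random

DT, T = 0.02, 1.0   # sample period and horizon (s), constructed
K, HOLD = 10, 5     # control points per input; samples per control point (0.1 s)

def simulate(control_points, theta0=0.0):
    """Forward-Euler trace of theta for a piecewise-constant theta_in."""
    n = int(round(T / DT))
    theta = [theta0]
    for j in range(n):
        u = control_points[min(j // HOLD, K - 1)]
        theta.append(theta[j] + DT * 10.0 * (u - theta[j]))
    return theta

def features(theta):
    """Tightest template parameters satisfied by ONE trace: its peak and its
    largest rise over any 0.1 s (= HOLD samples) window."""
    peak = max(theta)
    rise = max(theta[j + HOLD] - theta[j] for j in range(len(theta) - HOLD))
    return peak, rise

def mine(initial_runs=20, search_runs=400, max_iters=50, seed=3):
    """CEGIS loop: synthesize the tightest parameters consistent with the
    traces seen so far, then ask a (random-search) falsifier for a trace that
    violates them; each counterexample loosens the parameters. Stops when the
    falsifier's budget finds no counterexample, or after max_iters rounds.
    Returns (peak_bound, rise_bound, history of candidate pairs)."""
    rng = random.Random(seed)
    random_input = lambda: [rng.uniform(0.0, 90.0) for _ in range(K)]
    peak_bound, rise_bound = float("-inf"), float("-inf")
    for _ in range(initial_runs):                 # synthesis from an initial batch
        p, r = features(simulate(random_input()))
        peak_bound, rise_bound = max(peak_bound, p), max(rise_bound, r)
    history = [(peak_bound, rise_bound)]
    for _ in range(max_iters):
        counterexample = None
        for _ in range(search_runs):              # verification step = falsification
            p, r = features(simulate(random_input()))
            if p > peak_bound or r > rise_bound:
                counterexample = (p, r)
                break
        if counterexample is None:                # budget exhausted without a refutation
            break
        peak_bound = max(peak_bound, counterexample[0])
        rise_bound = max(rise_bound, counterexample[1])
        history.append((peak_bound, rise_bound))
    return peak_bound, rise_bound, history

if __name__ == "__main__":
    peak, rise, hist = mine()
    for i, (p, r) in enumerate(hist):
        print(f"iteration {i}: theta <= {p:.2f}, rise per 0.1 s <= {r:.2f}")
    print(f"mined: always (theta <= {peak:.2f}) and always (theta(t+0.1) - theta(t) <= {rise:.2f})")
```

Each round either terminates or strictly loosens one parameter, so the candidates grow monotonically, exactly as the three slide iterations do (5 ms to 5.8 ms to 6 ms). The stopping rule inherits the incompleteness of the falsifier: "no counterexample within the budget" is evidence, not proof, that the mined bounds hold, which is why the talk pairs mining with the formal techniques that consume machine-checkable requirements.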
Conformance Testing
• Is the behavior of models $M_1$ and $M_2$ "similar"?
• Multiple distance metrics in theory
  - Skorokhod metric
  - Kossentini-Caspi metric [C. Kossentini, P. Caspi, Approximation, Sampling and Voting in Hybrid Computing Systems]
  - Metric by R. Goebel, R. Sanfelice and A. Teel [R. Goebel, R. Sanfelice and A. Teel, Hybrid Dynamical Systems, Princeton University Press]
  - $(T, J, (\tau, \epsilon))$-closeness metric [H. Abbas, H. Mittelmann, G. Fainekos, Formal property verification in a conformance testing framework, MEMOCODE 2014]
  - $\delta$-approximate bisimulation relations [A. Girard, G. Pappas, Approximation metrics for discrete and continuous systems, IEEE Trans. on Automatic Control, 2007]
Key enablers
• Efficient algorithms to compute distance metrics
  - H. Abbas, H. Mittelmann, G. Fainekos, Formal Property Verification in a Conformance Testing Framework, MEMOCODE 2014
  - R. Majumdar, V. Prabhu, Computing the Skorokhod Distance between Polygonal Traces, HSCC 2015
• Simulation & optimization-guided conformance testing
  - J. Deshmukh, R. Majumdar, V. Prabhu, Quantifying System Conformance with the Skorokhod Metric, CAV 2015.
(Figure: Model 1 and Model 2 produce output traces; a distance estimator turns them into a cost function; the optimizer picks a new, optimizer-guided input for both models)
Grand Challenge I: Requirement Engineering
• Key challenge for Toyota, Bosch, and others
  - [H. Roehm, R. Gmehlich, T. Heinz, J. Oehlerking and M. Woehrle: Industrial Examples of Formal Specifications for Test Case Generation, ARCH 2015]
  - How do you present requirements to control designers?
  - How do they convey their intention without using formalisms?
  - Is Temporal Logic the right requirement language?
Example specifications shown on the slide (one temporal operator is unreadable in the source and is written as ?):
$\Box_{[1,3]}(x > 0) \Rightarrow {?}_{[1,3]}\big((y > 0) \wedge {?}_{[0,0.001]}(y < 0) \Rightarrow (x > 1) \vee (x < -1)\big)$
$\Box_{[1,3]}(x > 0) \wedge {?}_{[0,0.001]}(y < 0) \Rightarrow (x > 1) \vee (x < -1)$
Grand Challenge II: Impending invasion of concurrency
• Huge push for multi-core and many-core ECUs
• Immediate challenges: real-time +
  - Partitioning/parallelizing
  - Load balancing
  - Memory mapping
  - Cross-core reads, overhead?
  - Legacy software?
• Philosophical challenges
  - Concurrency is a known hard problem
  - Programming languages
  - Domain-specific determinism: semantic equivalence vs. predictable run-time
  - Control designers rarely know about memory models, parallelization, etc.
Credits
• Jim Kapinski, Xiaoqing Jin, Hisahiro "Isaac" Ito, Koichi Ueda, Ken Butts: Toyota
• Alexandre Donzé, Sanjit Seshia: UC Berkeley
• Oded Maler, Tommaso Dreossi, Thao Dang: Verimag
• Georgios Fainekos: Arizona State University
• Sriram Sankaranarayanan: Univ. of Colorado
• Thank You, Questions?