
HSCC 03 MIT LCS

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata

Sayan Mitra, MIT

Hybrid Systems: Computation and Control, Prague, Czech Republic, 2003

Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron

Verification Techniques

• Algorithmic
  – Model checking, e.g. [Alur, et al. 95]
    • Automatic: HyTech
    • Essentially for finite-state systems, subclass of linear hybrid systems
  – Over-approximating set of unsafe states [Bayen, et al. 02]
• Deductive
  – Invariant assertions, simulation relations, e.g. [Manna, Sipma 98]
    • Can accommodate infinite-state systems: STeP
    • Requires human effort
  – User interaction

Talk Outline

• Introduction
• Hybrid I/O Automata definitions
• Specification of Quanser
• Safety Verification
• Conclusions

The HIOA Model [Lynch, Segala, Vaandrager 01, 03]

• General, mathematical modeling framework.
  – States, discrete transitions
  – Trajectories: map left-closed intervals of time to variable values
• Support for decomposing hybrid system descriptions:
  – External behavior: models the interaction of a component with its environment.
  – Composition: synchronizes external actions and external "flows"; respects external behavior.
  – Levels of abstraction: implementation notion
• Can incorporate analysis methods from:
  – CS: invariants, simulation relations, compositional methods.
  – Control theory: invariant sets, stability analysis, robust control.

Hybrid I/O Automaton

• V = U ∪ Y ∪ X: input, output, and internal (state) variables
• Q: states, a set of valuations of X; the start states are a subset of Q
• A = I ∪ O ∪ H: input, output, and internal actions
• D ⊆ Q × A × Q: discrete transitions
• T: trajectories for V

Figure: an automaton box with internal variables X, input variables U and output variables Y, and input actions I, output actions O and internal actions H.

Trajectory Axioms and Executions

• Set T of trajectories is closed under:
  – Prefix
  – Suffix
  – Countable concatenation
• fstate, lstate
• Execution fragment: τ0 a1 τ1 a2 τ2 …, where:
  • Each τi is a trajectory of the automaton and
  • Each (τi.lstate, ai, τi+1.fstate) is a discrete step.
• Execution:
  – Execution fragment beginning in a start state.

Model Helicopter System

• Manufactured by Quanser
• User controllers not necessarily safe, can crash the helicopter on the table.
• Supervisory pitch controller needed to ensure safety.
  – Safe operating region
  – Saturated actuator outputs: Umin or Umax
• Must contend with
  – Sensor errors
  – Actuator delay

Helicopter System

Figure: component diagram. UserCntrl receives Sample and emits Useroutput(Xu); Supervisor (variables mode, Xs, S, rt) receives Sample and Useroutput(Xu) and emits Command(S); Actuator (variables now, next, buffer, u) receives Command(S), performs dequeue, and drives the Plant with U; Plant has state θ0, θ1; Sensor reads θ0, θ1 and emits Sample.

Plant

Variables:
  θ0: pitch angle
  θ1: pitch velocity
Trajectories:
  evolve: d(θ0) = θ1
          d(θ1) = −Ω² cos θ0 + U
Input bounds: Umin, Umax
Safe region: S = { s | θmin ≤ s.θ0 ≤ θmax }

Figure: Plant box with input U and outputs θ0, θ1.

Sensor

Discrete transition: Sample(θ0d, θ1d)
  precondition: now = next
    and θ0d ∈ [θ0 − ε0, θ0 + ε0]
    and θ1d ∈ [θ1 − ε1, θ1 + ε1]      } nondeterministic choice
  effect: next = next + Δ
Trajectories:
  evolve: d(now) = 1
  stopping condition: now = next

Figure: Sensor box with inputs θ0, θ1, internal variables now, next, and output action Sample(θ0d, θ1d).

User Controller

• Arbitrarily bad user
• On receiving Sample,
  – Useroutput(Xu)
  – Nondeterministic choice, Xu ∈ [Umin, Umax]

Actuator

• Actuator delay Ta
  – modeled as a FIFO queue of Supervisor (User) outputs
  – buffer: length [Ta / Δ]
• Enqueue S received from supervisor
• Dequeue u from buffer head
  – u changes discretely
  – Made into piece-wise continuous output U

Modeling Actuator Delay

• Currently modeled as a single discrete jump from Umin to Umax after time Ta.
• Alternatively
  – Approximate exponential rise by adding k intermediate values in the buffer for every command from the supervisor.
    • Output from buffer will change every Δ/k time.
  – Model as continuous function

Figure: actuator output rising from Umin to Umax over the delay Ta.

Safe Operating Region

Figure: nested regions I, S, C, R and U drawn in the (θ0, θ1) plane between θmin and θmax. Assumption: cannot cross I in Δ time.

Supervisor

• On receiving Sample, computes Xs
  • If s is above I+ then Xs = Umin
  • If s is below I− then Xs = Umax
• On receiving Useroutput(Xu), computes S
  – If mode = user then
    • If s is in U then S = Xu
    • Else mode = supervisor; S = Xs
  – If mode = supervisor then
    • If s is in I then S = Xu; mode = user
    • Else S = Xs

Figure: Supervisor box with variables mode, Xs, S, rt; input actions Sample and Userout(Xu); output action Command(S).

Safety Verification

• Assertional proofs
  – Reasoning based on the current state of the system
• Finding the invariants is challenging
  – Strengthen the statement
• Proofs are easy; for proving an invariant I:
  – Base case: I holds in the start states
  – Discrete part: for every step s a s' ∈ D, show I(s) implies I(s')
  – Continuous part: for every closed τ ∈ T, show I(fstate(τ)) implies I(lstate(τ))
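To make the component specifications on the preceding slides concrete, here is an added simulation (not the authors' HIOA specification or code) that wires the Sensor, Supervisor, Actuator and Plant automata together with an arbitrarily bad user and checks the safe-region property θmin ≤ θ0 ≤ θmax along sampled executions. The constants, the bang-bang user, and the regions I and U (defined through an assumed worst-case pitch bound that accounts for the command still in flight and the braking that follows) are all assumptions, not values from the slides.

```python
# Added example (not the authors' HIOA spec): plant, sensor error, actuator FIFO delay and
# mode switching follow the slides; every constant and the shape of I and U is assumed.
import math, random
from collections import deque

OMEGA2, U_MIN, U_MAX = 1.0, -4.0, 4.0             # plant: d(th1) = -OMEGA2*cos(th0) + U
THETA_MIN, THETA_MAX = -0.6, 0.6                  # safe region S on the pitch angle th0
DELTA, TA, EPS0, EPS1 = 0.01, 0.05, 0.01, 0.02    # sample period, actuator delay, sensor errors
A_PUSH, A_BRAKE = U_MAX + OMEGA2, U_MAX - OMEGA2  # worst push towards a bound, least braking
T_LAG = DELTA + TA                                # a bad command can stay in flight this long
M_U, M_I = 0.10, 0.20                             # margins defining U (outer) and I (inner)

def reach(th0, th1, up):
    """Worst pitch in direction `up`: the in-flight command pushes for T_LAG, then brakes."""
    s = 1.0 if up else -1.0
    v_end = s * th1 + A_PUSH * T_LAG
    drift = s * th1 * T_LAG + 0.5 * A_PUSH * T_LAG ** 2 + max(v_end, 0.0) ** 2 / (2 * A_BRAKE)
    return th0 + s * max(drift, 0.0)

def inside(th0, th1, margin):                     # U uses margin M_U, I the larger M_I
    return THETA_MIN + margin <= reach(th0, th1, False) and reach(th0, th1, True) <= THETA_MAX - margin

def compute_xs(th0d, th1d):
    """Xs as on the Supervisor slide: Umin above I+, Umax below I- (brake the motion if both)."""
    above = reach(th0d, th1d, True) > THETA_MAX - M_I
    below = reach(th0d, th1d, False) < THETA_MIN + M_I
    return U_MIN if above and (th1d > 0 or not below) else U_MAX

def supervisor(mode, th0d, th1d, xu):
    """One Sample/Useroutput round of the Supervisor automaton; returns (mode, S)."""
    region = M_U if mode == "user" else M_I       # user mode checks U, supervisor mode checks I
    if inside(th0d, th1d, region):
        return "user", xu
    return "supervisor", compute_xs(th0d, th1d)

def run(seed, horizon=20.0, substeps=10):
    """Execution against an arbitrarily bad bang-bang user: (max |th0|, supervisor samples)."""
    rng, buf = random.Random(seed), deque([0.0] * round(TA / DELTA))  # FIFO of length [Ta/DELTA]
    th0, th1, mode, xu, hold, worst, sup = 0.0, 0.0, "user", 0.0, 0, 0.0, 0
    for _ in range(round(horizon / DELTA)):
        if hold == 0:                                # user holds a saturated command a while
            xu, hold = rng.choice((U_MIN, U_MAX)), rng.randint(1, 200)
        hold -= 1
        th0d, th1d = th0 + rng.uniform(-EPS0, EPS0), th1 + rng.uniform(-EPS1, EPS1)  # Sample
        mode, cmd = supervisor(mode, th0d, th1d, xu)
        sup += mode == "supervisor"
        buf.append(cmd)                              # Command(S) enqueued; the entry issued
        u = buf.popleft()                            # Ta ago is dequeued and drives the plant
        for _ in range(substeps):                    # plant trajectory over one DELTA (Euler)
            th1 += (-OMEGA2 * math.cos(th0) + u) * (DELTA / substeps)
            th0 += th1 * (DELTA / substeps)
        worst = max(worst, abs(th0))
    return worst, sup
```

The simulation only samples executions; the slides' assertional proof is what establishes the property for all of them.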

Key Lemmas

• All trajectories are closed
• For any trajectory τ ∈ T, ltime(τ) − ftime(τ) ≤ Δ.

User mode

Figure: nested regions A1, A2, …, AΔ inside A0 = R in the (θ0, θ1) plane, with U inside AΔ and the regions I, S, C also drawn. For 0 ≤ t ≤ t' ≤ Δ, At' ⊆ At.

User mode: Safety

• Any reachable state in the user mode is within R.
• Proof:
  – Discrete part is easy
  – For any closed trajectory τ ∈ T, if fstate(τ) ∈ At then lstate(τ) ∈ At−ltime(τ).

Executions in User and Supervisor modes

Figure annotations:
  – Cannot go outside R from U in the user mode.
  – Mode switches to supervisor, but buffer contains stale user commands.
  – Buffer flushed, supervisor mode kicks in.
  – Returns to I and mode switches back to user.

Supervisor mode

Correct input to plant
• If s is above I+ then the last [rt/Δ] entries in buffer are Umin
  – rt: stopwatch for supervisor mode
• Similarly, if s is below I− then … Umax

Settling phase, rt ≤ Ta
• Any reachable state is within C
  – All trajectories starting from within R remain within C
  – Proof similar to user mode

Recovery phase, rt > Ta
• Any reachable state is within C
  – Proof: at any point on the boundary of C, the vector field points inwards

Conclusions

• Design of supervisory controller
  – Controller has been implemented [Ishutkina].
• Specification language
• Demonstration of HIOA framework
  – Specification
    • Compositional
    • Nondeterminism models uncertainties in devices or user inputs.
  – Purely assertional proofs
    • Discrete and continuous parts
    • CS and control theory techniques
• Current/Future work
  – Performance guarantees for mobile computing algorithms
  – Theorem prover support

Thank You. Questions?

Current/Future Work

• Incorporate control theory methods:
  – Invariant sets, stability analysis using Lyapunov functions, robust control methods.
• More examples:
  – Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems.
• Develop analysis tools for HIOA programs:
  – Theorem provers, automated tools
  – As extension to IOA toolset