7/29/2019 HSCC03
http://slidepdf.com/reader/full/hscc03 1/25
HSCC 03 MIT LCS
Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata
Sayan Mitra
MIT
Hybrid Systems: Computation and Control
Prague, Czech Republic
2003
Joint work with Yong Wang (U. Beijing),
Nancy Lynch, Eric Feron
Verification Techniques
• Algorithmic
  – Model checking, e.g. [Alur, et al. 95]
    • Automatic: HyTech
    • Essentially for finite-state systems, a subclass of linear hybrid systems
  – Over-approximating the set of unsafe states [Bayen, et al. 02]
• Deductive
  – Invariant assertions, simulation relations, e.g. [Manna, Sipma 98]
    • Can accommodate infinite-state systems: STeP
    • Requires human effort
      – User interaction
Talk Outline
• Introduction
• Hybrid I/O Automata definitions
• Specification of Quanser
• Safety Verification
• Conclusions
The HIOA Model [Lynch, Segala, Vaandrager 01, 03]
• General, mathematical modeling framework.
  – States, discrete transitions
  – Trajectories: maps from left-closed intervals of time to variable values
• Support for decomposing hybrid system descriptions:
  – External behavior: models the interaction of a component with its environment.
  – Composition: synchronizes external actions and external "flows"; respects external behavior.
  – Levels of abstraction: implementation notion
• Can incorporate analysis methods from:
  – CS: invariants, simulation relations, compositional methods.
  – Control theory: invariant sets, stability analysis, robust control.
Hybrid I/O Automaton
• V = U ∪ Y ∪ X: input, output, and internal (state) variables
• Q: states, a set of valuations of X
• Θ ⊆ Q: start states
• A = I ∪ O ∪ H: input, output, and internal actions
• D ⊆ Q × A × Q: discrete transitions
• T: trajectories for V
[Figure: an automaton drawn as a box with variables U, X, Y and actions I, H, O]
Trajectory Axioms and Executions
• Set T of trajectories is closed under:
  – Prefix
  – Suffix
  – Countable concatenation
• fstate, lstate: first and last state of a trajectory
• Execution fragment: τ0 a1 τ1 a2 τ2 …, where
  • each τi is a trajectory of the automaton, and
  • each (τi.lstate, ai, τi+1.fstate) is a discrete step in D
• Execution:
  – An execution fragment beginning in a start state.
Model Helicopter System
• Manufactured by Quanser
• User controllers are not necessarily safe; they can crash the helicopter on the table.
• Supervisory pitch controller needed to ensure safety.
  – Safe operating region
  – Saturated actuator outputs: Umin or Umax
• Must contend with
  – Sensor errors
  – Actuator delay
Helicopter System
[Figure: block diagram of the composed system. Components: UserCntrl, Supervisor, Actuator, Plant, Sensor. Plant outputs θ0, θ1 to the Sensor; the Sensor (state: now, next) emits Sample(θ0d, θ1d) to UserCntrl and Supervisor; UserCntrl emits Useroutput(Xu); the Supervisor (state: mode, Xs, S, rt) emits Command(S) to the Actuator; the Actuator (state: buffer, u; action dequeue) outputs U to the Plant.]
Plant
[Figure: Plant block with input U and outputs θ0, θ1]
Variables:
  θ0: pitch angle
  θ1: pitch velocity
Trajectories:
  evolve: d(θ0) = θ1
          d(θ1) = -Ω² cos θ0 + U
Input bounds: Umin ≤ U ≤ Umax
Safe region: S = { s | θmin ≤ s.θ0 ≤ θmax }
Sensor
Discrete transition:
  Sample(θ0d, θ1d)
    precondition: now = next
      and θ0d ∈ [θ0 - ε0, θ0 + ε0]   } nondeterministic choice
      and θ1d ∈ [θ1 - ε1, θ1 + ε1]   } (the sensed values may err by at most ε0, ε1)
    effect: next := next + Δ
Trajectories:
  evolve: d(now) = 1
  stopping condition: now = next
[Figure: Sensor block with inputs θ0, θ1, state now, next, and output action Sample(θ0d, θ1d)]
User Controller
• Arbitrarily bad user
• On receiving Sample,
  – Useroutput(Xu)
  – Nondeterministic choice, Xu ∈ [Umin, Umax]
Actuator
• Actuator delay Ta modeled as a FIFO queue of Supervisor (or User) outputs
  – buffer: length ⌈Ta / Δ⌉
• Enqueue S received from the Supervisor
• Dequeue u from the buffer head
  – u changes discretely
  – made into the piecewise-continuous output U
Modeling Actuator Delay
• Currently modeled as a single discrete jump from Umin to Umax after time Ta.
• Alternatively
  – Approximate the exponential rise by adding k intermediate values to the buffer for every command from the Supervisor.
    • Output from the buffer will then change every Δ/k time.
  – Model as a continuous function
[Figure: actuator response plotted against time, the modeled step at Ta beside the physical rise]
Safe Operating Region
[Figure: the (θ0, θ1) phase plane with the nested regions I, U, R, C inside the safe region S, which is bounded by θmin ≤ θ0 ≤ θmax]
Assumption: cannot cross I in Δ time.
Supervisor
• On receiving Sample, computes Xs
  – If s is above I+ then Xs = Umin
  – If s is below I- then Xs = Umax
• On receiving Useroutput(Xu), computes S
  – If mode = user then
    • If s is in U then S = Xu
    • Else mode := supervisor; S = Xs
  – If mode = supervisor then
    • If s is in I then S = Xu; mode := user
    • Else S = Xs
[Figure: Supervisor block with state mode, Xs, S, rt; input actions Sample and Userout(Xu); output action Command(S)]
Safety Verification
• Assertional proofs
  – Reasoning based on the current state of the system
• Finding the invariants is challenging
  – Strengthen the statement
• Proofs are easy: to prove an invariant I,
  – Base case: I holds in every start state
  – Discrete part: for every (s, a, s') ∈ D, show I(s) implies I(s')
  – Continuous part: for every closed τ ∈ T, show I(fstate(τ)) implies I(lstate(τ))
Key Lemmas
• All trajectories are closed
• For any trajectory τ ∈ T, ltime(τ) - ftime(τ) ≤ Δ.
User mode
[Figure: the family of regions A0, A1, A2, …, AΔ in the (θ0, θ1) plane, nested between R and U inside C and S, with I innermost]
A0 = R
For 0 ≤ t ≤ t' ≤ Δ: At' ⊆ At
U ⊆ AΔ
User mode: Safety
• Any reachable state in the user mode is within R.
• Proof:
  – Discrete part is easy
  – Continuous part: for any closed trajectory τ ∈ T, if fstate(τ) ∈ At then lstate(τ) ∈ At-ltime(τ).
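Carrying the user-mode argument through with the slides' own symbols (an added derivation, not from the talk). The claim is the invariant $\mathrm{Inv}(s) \equiv (s.\mathit{mode} = \mathit{user} \Rightarrow s \in R)$, discharged by the three-part scheme of the Safety Verification slide; the continuous part is where the key lemma $\mathrm{ltime}(\tau) - \mathrm{ftime}(\tau) \le \Delta$ and the family $A_t$ do the work:
$$
\begin{aligned}
&\text{(base)}\quad \Theta \subseteq U \subseteq A_\Delta \subseteq A_0 = R
 \quad\text{(assumed: the system starts inside } U\text{)},\\
&\text{(discrete)}\quad (s,a,s') \in D \wedge \mathrm{Inv}(s) \Rightarrow \mathrm{Inv}(s'),
 \quad\text{since in user mode the Supervisor passes } X_u \text{ only while } s \in U \subseteq A_\Delta,\\
&\text{(continuous)}\quad \mathrm{fstate}(\tau) \in A_\Delta \Rightarrow
 \mathrm{lstate}(\tau) \in A_{\Delta - \mathrm{ltime}(\tau)} \subseteq A_0 = R,
 \quad\text{because } 0 \le \Delta - \mathrm{ltime}(\tau) \le \Delta \text{ and } A_{t'} \subseteq A_t \text{ for } t \le t'.
\end{aligned}
$$
The nesting direction matters: $A_t$ shrinks as $t$ grows, so a trajectory that starts in the small set $A_\Delta$ and lasts at most $\Delta$ can only drift out as far as the large set $A_0 = R$, never beyond it.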
Executions in User and Supervisor modes
[Figure: sample executions in the (θ0, θ1) plane, annotated as follows]
– Cannot go outside R from U, in the user mode.
– Mode switches to supervisor, but the buffer still contains stale user commands.
– Buffer flushed, supervisor mode kicks in. Returns to I and mode switches back to user.
Supervisor mode
Correct input to plant
• If s is above I+ then the last ⌈rt/Δ⌉ entries in the buffer are Umin
  – rt: stopwatch for supervisor mode
• Similarly, if s is below I- then … Umax
Settling phase (rt ≤ Ta)
• Any reachable state is within C
  – All trajectories starting from within R remain within C
  – Proof similar to user mode
Recovery phase (rt > Ta)
• Any reachable state is within C
  – Proof: at any point on the boundary of C, the vector field points inwards
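The composed system of the Actuator, Supervisor, Executions and Supervisor-mode slides above as an executable model, added here as an example; it is not code from the talk or from the Quanser implementation. The automaton structure (Sensor sampling every Δ with bounded error, Actuator as a FIFO of length ⌈Ta/Δ⌉, Supervisor mode switching on U and I, saturated Xs) follows the slides. Everything numeric is assumed: the values of Ω, Umin, Umax, θmin, θmax, Δ, Ta, ε0, ε1, the box shapes chosen for U and I, the switching line used to decide "above I+" versus "below I-", the hover command preloaded into the buffer, and the adversarial user strategy. It runs one execution with the Supervisor and one with it bypassed, so the stale-buffer problem shows up as a violation of S; a simulation is evidence about one execution, not the assertional proof over all executions that the talk gives.

```python
"""Executable model of the supervised helicopter pitch controller from the
slides: Plant, Sensor, Actuator (FIFO delay), arbitrarily bad User, and
Supervisor.  Added example, not code from the talk or paper.  The automaton
structure follows the slides; all numbers and region shapes are assumptions."""
from collections import deque
from dataclasses import dataclass
import math
import random

# --- assumed parameters (the slides name the symbols, not the values) ---
OMEGA = 1.0                        # plant: d(theta1) = -OMEGA^2 cos(theta0) + U
U_MIN, U_MAX = -1.0, 3.0           # saturated actuator outputs
THETA_MIN, THETA_MAX = -0.5, 0.5   # safe region S on the pitch angle theta0
DELTA = 0.01                       # Sensor sampling period
BUFFER_LEN = 5                     # ceil(T_a / DELTA) for an assumed T_a = 0.05
EPS0, EPS1 = 0.01, 0.02            # Sensor error bounds on theta0, theta1
# Region shapes (assumed): boxes in the (theta0, theta1) plane, I inside U.
U_POS, U_VEL = 0.25, 0.40          # U: user commands pass while |theta0|, |theta1| small
I_POS, I_VEL = 0.10, 0.10          # I: control is handed back to the user here
K_LINE = 0.5                       # I+/I-: above or below the line theta0 + K_LINE*theta1 = 0


def in_region(theta0, theta1, pos, vel):
    return abs(theta0) <= pos and abs(theta1) <= vel


def supervisor_command(theta0d, theta1d):
    """X_s: U_MIN when the sampled state is above I+, U_MAX when below I-.
    Both saturate, and both push the state back toward the line and so toward I."""
    return U_MIN if theta0d + K_LINE * theta1d > 0.0 else U_MAX


def adversarial_user(theta0d, theta1d):
    """Arbitrarily bad user (assumed strategy): saturate in the direction of motion."""
    return U_MAX if theta1d >= 0.0 else U_MIN


def plant_step(theta0, theta1, u, dt):
    """One RK4 step of d(theta0) = theta1, d(theta1) = -OMEGA^2 cos(theta0) + u,
    with the actuator output u held constant over the step (piecewise-continuous U)."""
    def f(x0, x1):
        return x1, -OMEGA ** 2 * math.cos(x0) + u
    k1 = f(theta0, theta1)
    k2 = f(theta0 + dt / 2 * k1[0], theta1 + dt / 2 * k1[1])
    k3 = f(theta0 + dt / 2 * k2[0], theta1 + dt / 2 * k2[1])
    k4 = f(theta0 + dt * k3[0], theta1 + dt * k3[1])
    return (theta0 + dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
            theta1 + dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))


@dataclass
class RunResult:
    safe: bool              # theta0 stayed inside [THETA_MIN, THETA_MAX] throughout
    max_abs_theta0: float
    mode_switches: int      # user <-> supervisor transitions observed


def run(supervise=True, horizon=10.0, seed=1):
    """Simulate one execution: every DELTA the Sensor samples, User and Supervisor
    react, the Actuator enqueues S and dequeues the command issued BUFFER_LEN
    samples ago, and the Plant evolves for DELTA under that dequeued command."""
    rng = random.Random(seed)                     # resolves the nondeterministic choices
    theta0, theta1 = 0.0, 0.0
    hover = OMEGA ** 2                            # assumed initial buffer contents
    buffer = deque([hover] * BUFFER_LEN)
    mode, switches, max_abs = "user", 0, 0.0
    for _ in range(round(horizon / DELTA)):
        # Sensor: Sample(theta0d, theta1d) with errors chosen within [-eps, +eps]
        theta0d = theta0 + rng.uniform(-EPS0, EPS0)
        theta1d = theta1 + rng.uniform(-EPS1, EPS1)
        x_u = adversarial_user(theta0d, theta1d)   # Useroutput(X_u)
        x_s = supervisor_command(theta0d, theta1d)
        # Supervisor: compute S exactly as on the "Supervisor" slide
        if not supervise:                          # bypass: only the user's commands reach the buffer
            s_cmd = x_u
        elif mode == "user":
            if in_region(theta0d, theta1d, U_POS, U_VEL):
                s_cmd = x_u
            else:
                mode, s_cmd, switches = "supervisor", x_s, switches + 1
        elif in_region(theta0d, theta1d, I_POS, I_VEL):
            mode, s_cmd, switches = "user", x_u, switches + 1
        else:
            s_cmd = x_s
        # Actuator: enqueue Command(S); dequeue u, which the Plant sees until the next sample
        buffer.append(s_cmd)
        u = buffer.popleft()
        theta0, theta1 = plant_step(theta0, theta1, u, DELTA)
        max_abs = max(max_abs, abs(theta0))
        if not THETA_MIN <= theta0 <= THETA_MAX:   # left the safe region S
            return RunResult(False, max_abs, switches)
    return RunResult(True, max_abs, switches)


if __name__ == "__main__":
    print("supervised:  ", run(supervise=True))
    print("unsupervised:", run(supervise=False))
```

With the Supervisor in the loop the user is pulled back every time the sampled state leaves U, even though the buffer keeps feeding the plant stale saturated user commands for another Ta after the switch; with it bypassed the same user drives θ0 out of S within the first second. The region sizes were picked so that the worst-case excursion (U boundary, plus Δ + Ta of stale commands, plus braking distance, plus sensor error) stays below θmax, which is exactly the margin the A_t family and the settling-phase argument on the slides account for.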
Conclusions
• Design of supervisory controller
  – Controller has been implemented [Ishutkina].
• Specification language
• Demonstration of the HIOA framework
  – Specification
    • Compositional
    • Nondeterminism models uncertainties in devices or user inputs.
  – Purely assertional proofs
    • Discrete and continuous parts
    • CS and control theory techniques
• Current/Future work
  – Performance guarantees for mobile computing algorithms
  – Theorem prover support
Thank You. Questions?
Current/Future Work
• Incorporate control theory methods:
  – Invariant sets, stability analysis using Lyapunov functions, robust control methods.
• More examples:
  – Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems.
• Develop analysis tools for HIOA programs:
  – Theorem provers, automated tools
  – As an extension to the IOA toolset