Post on 21-Dec-2015
Hybrid System Verification Using Discrete Model Approximations
Alongkrit Chutinan
Department of Electrical and Computer Engineering
Carnegie Mellon University
Pittsburgh, PA, USA.
Outline
• Hybrid Systems and Verification
• MATLAB Verification Tool
• Verification Example
• Conclusions
Hybrid Systems
• Continuous dynamics: differential equations/inclusions, stopwatch timers, etc.
• Discrete dynamics: finite state automata, Petri nets, etc.
Hybrid Systems
• Found virtually everywhere: the result of switching logic in many computer-controlled applications
• Extremely difficult to analyze: a small perturbation can lead to drastically different behavior
• No universally accepted framework for analysis and control

Focus: The Verification Problem
• Very important problem for safety-critical applications
• All behaviors must be taken into account
• (Slide figure) Inputs: the system model and the system property (specification); output: Yes/No. Does the system satisfy the property?
MATLAB Tool Overview
Tool pipeline (block diagram on the slide):
• Simulink/Stateflow front end (graphical editing, simulation)
• Threshold-event-driven Hybrid Systems (TEDHS)
• Conversion to a Polyhedral-Invariant Hybrid Automaton (PIHA)
• Initial partition
• Flow pipe approximations
• Quotient transition system
• ACTL verification
• Partition refinement
Threshold-event-driven Hybrid Systems (TEDHS)
Block diagram on the slide, three interconnected components:
• Switched continuous dynamics F(·,·): ẋ ∈ F(u, x) = F_u(x), x(0) ∈ X0, with continuous state x(t) and discrete input u(t)
• Threshold event generator: a zero detector on g(·) turns the continuous output y(t) into threshold events v(t)
• Event-driven finite state machine: u(t) = h(u(t⁻), v(t)), u(0⁻) = u0
TEDHS Front End
• Built on top of Simulink in MATLAB; Simulink’s simulation capability can be exploited
• Special blocks customized through Simulink’s masking mechanism
• Major supported block types: Switched Continuous System Block (SCSB), Polyhedral Threshold Block (PTHB), Finite State Machine Block (FSMB), Multiplexer and Logical Operators (And, Or, Not)
Switched Continuous System
• Parameter: switching function f
• Input: discrete condition signal u
• Output: continuous state vector x
• Description: continuous dynamics ẋ = f_u(x), selected by the discrete input signal u (block icon "Switched Continuous System": input u, output x)

Polyhedral Threshold
• Parameters: C, d
• Input: continuous state vector x
• Output: Boolean signal, 1 if Cx ≤ d and 0 otherwise
• Description: outputs a Boolean signal indicating whether the continuous state x is in the polyhedron Cx ≤ d (block icon "Polyhedral Threshold": C*x <= d, input x)
Finite State Machine (Stateflow)
• Inputs:
  Data: Boolean condition signals which are functions of PTHB and FSMB outputs (scalar data inputs data 1, …, data N)
  Event: transition edges of Boolean condition signals which are functions of PTHB outputs (vectorized event input)
• Output: discrete signal q (integer) indicating the active state of the FSM
• Description: state transitions are driven by the input data and event signals.
Sample Block Diagram
(Slide figure: a Simulink diagram with three Switched Continuous System blocks (outputs x1, x2, x3), three Polyhedral Threshold blocks (C*x <= d; outputs th1, th2, th3), Mux blocks, an OR Logical Operator, and two Finite State Machine blocks (inputs c1, c2; outputs q1, q2).)
Hybrid Automaton
• Location (discrete state) u with continuous dynamics ẋ ∈ F_u(x) and invariant x ∈ I(u): the hybrid automaton may remain in u as long as x ∈ I(u)
• Initial condition: x ∈ X0
• Edge e from location u to u’ with guard condition x ∈ G(e) and reset condition x’ ∈ R(e, x)
• (Slide figure) Two locations u and u’ joined by edges e1, …, e4, each labelled with its guard e_i: x ∈ G(e_i) and its reset x’ ∈ R(e_i, x)

Reset Condition
(Slide figure) A trajectory runs from x(t0) to x(t1) inside the invariant I(u). Entry states are the states in which the location is entered; exit states are those satisfying the guard x ∈ G(e) ⊆ I(u). On the edge the state is reset to x’ ∈ R(e, x) ⊆ Rⁿ, so the state after the jump at t1 lies in R(e1, x(t1)).
Polyhedral-Invariant Hybrid Automaton (PIHA)
• Location u with an ordinary differential equation ẋ = f(x)
• Hyperplane guards: e1: c1ᵀx = d1, e2: c2ᵀx = d2, e3: c3ᵀx = d3
• The invariant I(u) is the convex polytope defined from the complements of the guards, i.e. the region bounded by the guard hyperplanes c1ᵀx = d1, c2ᵀx = d2, c3ᵀx = d3
• Identity reset: x’ = x
Hybrid System State Space
• Given by the cross product Xc × Xd
• Continuous state space Xc given by the cross product of the n_scs state spaces of all SCSBs: Xc = Xc1 × … × Xc_{n_scs}
• Discrete state space Xd given by the cross product of the n_fsm state spaces of all FSMBs: Xd = Xd1 × … × Xd_{n_fsm}
Continuous State Space Partition
• Restrict our attention to a bounded subset of Xc called the analysis region (AR)
• Partition Xc into polyhedral cells by all hyperplanes cᵀx = d from all PTHBs
• The output values of all PTHBs are constant across all xc in each cell
(Slide figure: the analysis region cut into cells by hyperplanes.)

PIHA Construction
• Each location is a pair (p, q), p: cell, q: FSM states
• p is the invariant; p determines the outputs of the PTHBs in the TEDHS
• q contains the outputs of the FSMBs in the TEDHS; q directly determines the continuous dynamics
Location Transition
• Events occur when the continuous trajectory x crosses a hyperplane h on the boundary of cell p
• Determine the neighboring cell p’ that is reached by crossing h
• Use p and p’ to compute the PTHB outputs before and after the hyperplane crossing
• Determine the events that occur and make the FSM state transition from q to q’
• Transition to a special (empty) location when crossing a hyperplane on the analysis boundary
(Slide figure: cells p and p’ separated by hyperplane h, locations (p, q) → (p’, q’); crossing h’ on the analysis boundary leads out of the AR.)
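The location-transition rule above, as an added Python example (not code from the talk or its MATLAB tool): a cell is encoded as the vector of PTHB outputs, crossing hyperplane h flips one entry, the outputs before and after the crossing yield rising/falling threshold events, and a small FSM table maps (q, event) to q’. The two PTHBs, the analysis region and the FSM table are constructed for this example.

```python
# Added example, not the talk's tool. Two PTHBs on a 2-D continuous state
# (th1: x1 <= 1, th2: x2 <= 0.5); analysis region 0 <= x1 <= 2, 0 <= x2 <= 1.
PTHB = [("th1", (1.0, 0.0), 1.0),   # (name, c, d): block output is 1 iff c.x <= d
        ("th2", (0.0, 1.0), 0.5)]
AR_BOUNDARY = [((-1.0, 0.0), 0.0), ((1.0, 0.0), 2.0),   # (c, d) of the analysis
               ((0.0, -1.0), 0.0), ((0.0, 1.0), 1.0)]   # region boundary planes
OUT_OF_AR = "out-of-AR"   # the special (empty) location of the PIHA
# FSM transition table (constructed): (q, threshold event) -> q'
FSM = {("off", "th1_fall"): "on", ("on", "th2_fall"): "off"}

def dot(c, x):
    return c[0] * x[0] + c[1] * x[1]

def in_analysis_region(x):
    return all(dot(c, x) <= d for c, d in AR_BOUNDARY)

def cell_of(x):
    """Cell p as the tuple of PTHB outputs, which are constant across a cell.
    Not every 0/1 tuple is a non-empty cell, but every cell has a unique tuple."""
    if not in_analysis_region(x):
        return OUT_OF_AR
    return tuple(int(dot(c, x) <= d) for _, c, d in PTHB)

def pthb_outputs(p):
    return {name: p[i] for i, (name, _, _) in enumerate(PTHB)}

def neighbor_cell(p, h):
    """Cell p' reached by crossing the hyperplane of PTHB index h: that output flips."""
    q = list(p)
    q[h] ^= 1
    return tuple(q)

def threshold_events(p, p_next):
    """Rising/falling edges of the PTHB outputs between the cells before and after the crossing."""
    before, after = pthb_outputs(p), pthb_outputs(p_next)
    return {n + ("_rise" if after[n] else "_fall") for n in before if before[n] != after[n]}

def fsm_step(q, events):
    """Fire the first enabled FSM transition (events are tried in sorted order)."""
    for ev in sorted(events):
        if (q, ev) in FSM:
            return FSM[(q, ev)]
    return q

def location_transition(p, q, h):
    """PIHA edge taken from location (p, q) when x crosses hyperplane h.
    h is an index into PTHB, or the string 'AR' for an analysis-boundary plane."""
    if h == "AR":
        return OUT_OF_AR
    p_next = neighbor_cell(p, h)
    return (p_next, fsm_step(q, threshold_events(p, p_next)))
```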
Transition Systems
• Unlabeled: T = (Q, →, Q0), where Q is the set of states (possibly infinite/continuum), → ⊆ Q × Q is the transition relation and Q0 is the set of initial states
• Labeled: T = (Q, →, Q0, 2^AP, L), where AP is a set of atomic propositions and L: Q → 2^AP is the labeling function
PIHA Semantics: Discrete-Trace Transition Systems
Given a hybrid system H, T_H = (X0 ∪ X_entry ∪ {q_u}, →_H, X0)
• Discrete transitions: (x, u) →_H (x’, u’) iff there is an edge e = (u, u’) and a continuous trajectory from x to a state x’’ ∈ G(e) such that x’ ∈ R(e, x’’)
• Null transitions: (x, u) →_H q_u iff there is a continuous trajectory from x that never leaves the location u
• T_H completely masks the continuous-time behavior
T_H illustration (slide figure): inside I(u) a trajectory runs from an entry state x to an exit state x’’ ∈ G(e) and is reset to x’ ∈ R(e, x’’) ⊆ Rⁿ, giving (x, u) →_H (x’, u’); a trajectory that never leaves u gives (x, u) →_H q_u.
Simulation of Transition Systems
Given T1 = (Q1, →1, Q1o, 2^AP, L1) and T2 = (Q2, →2, Q2o, 2^AP, L2), T2 simulates T1 if there exists a binary relation ~ ⊆ Q1 × Q2 such that
• ~ is total (involves all of Q1)
• q1 ~ q2 implies (q1 ∈ Q1o ⇒ q2 ∈ Q2o) and L1(q1) = L2(q2)
• q1 ~ q2 and q1 →1 q1’ implies there exists q2’ such that q1’ ~ q2’ and q2 →2 q2’
(Slide figure: the commuting square q1 →1 q1’ in T1, q2 →2 q2’ in T2, with q1 ~ q2 and q1’ ~ q2’.)
Bisimulation
Given T1 = (Q1, →1, Q1o, 2^AP, L1) and T2 = (Q2, →2, Q2o, 2^AP, L2), a relation ~ ⊆ Q1 × Q2 is a bisimulation if
• ~ is a simulation relation of T1 by T2, and
• ~⁻¹ is a simulation relation of T2 by T1

Simulation vs. Bisimulation
• Simulation: conservative approximation of the labeled behaviors; can be used to verify universal specifications
• Bisimulation: equivalent to the original system w.r.t. labeled behaviors; obtained through iterative refinements of quotient transition systems; can be used to verify all specifications
Quotient Transition Systems (QTS)
Given a transition system T = (Q, →, Q0):
• Pre(P) = { q | ∃p ∈ P, q → p }
• Post(P) = { q | ∃p ∈ P, p → q }
Quotient transition system T/𝒫 = (𝒫, →𝒫, Q0/𝒫), where 𝒫 is a partition of Q and, for P1, P2 ∈ 𝒫,
P1 →𝒫 P2 iff q1 → q2 for some q1 ∈ P1, q2 ∈ P2 iff Post(P1) ∩ P2 ≠ ∅ iff P1 ∩ Pre(P2) ≠ ∅
(Slide figure: T and its quotient T/𝒫.)

Facts About QTS
1. T/𝒫 simulates T
2. T/𝒫 is a bisimulation if and only if P ∩ Pre(P’) = ∅ or P ∩ Pre(P’) = P for all P, P’ ∈ 𝒫 (stopping condition for the bisimulation procedure)
Approximating QTS
• Reachability approximation (for continuous dynamics)
• Quotient transition system approximation: computing a QTS requires the computation of reachable sets in the Pre and Post operators, and the reachable set cannot be computed exactly in general

Approximate QTS
Given a reachability approximation method M with Pre(P) ⊆ Pre_M(P) and Post(P) ⊆ Post_M(P) (conservative), the approximate quotient transition system is T^M/𝒫 = (𝒫, →𝒫^M, Q0/𝒫), where for P1, P2 ∈ 𝒫
P1 →𝒫^M P2 iff Post_M(P1) ∩ P2 ≠ ∅

Facts About Approximate QTS
1. T/𝒫 simulates T and T^M/𝒫 simulates T/𝒫, so T^M/𝒫 can be used to verify universal specifications
2. The usual bisimulation condition no longer holds for the approximation. T^M/𝒫 is a bisimulation if, for all P, P’ ∈ 𝒫, Post_M(P) ∩ P’ = ∅ or Post_M(P) ⊆ P’ (P has at most one successor), and Post_M(P) ∩ P’ ≠ ∅ implies ∀p ∈ P, ∃p’ ∈ P’, p → p’ (stopping condition for bisimulation with approximation)

Application to PIHA: T_H/𝒫 Approximation
• Partition: initial states and entry states (the faces of cell p for each location (p, q))
• Each state is (π, p, q) where π is a polytope on the boundary of cell p, or π is contained in the continuous initial set, for some location (p, q)
• Use flow pipe approximations to compute Post_M((π, p, q))
Approximating Reachable Sets: Previous Work
• Model theory and quantifier elimination
  R. Alur, T.A. Henzinger, and P.-H. Ho. Automatic symbolic verification of embedded systems, 1996. (linear hybrid automata)
  G. Lafferriere, G.J. Pappas, and S. Yovine. Decidable hybrid systems, 1996. (special classes of linear hybrid systems)
• Rectangular discretizations
  E.K. Kornoushenko. Finite-automaton approximation to the behavior of continuous plants, 1975.
  O. Stursberg, S. Kowalewski, and S. Engell. On the generation of timed discrete approximations for continuous systems, 1997.
  T. Dang and O. Maler. Reachability Analysis via Face Lifting, 1998.
• Piecewise linear hybrid automaton approximation
  A. Puri, P. Varaiya, and V. Borkar. ε-approximation of differential inclusion, 1996.
  T.A. Henzinger, P.-H. Ho, and H. Wong-Toi. Algorithmic analysis of nonlinear hybrid systems, 1998.
Quantifier Elimination: Linear Hybrid Automata
• Continuous dynamics of the form ẋ ∈ F, where F is a constant convex polytope
• The reachable set is a polyhedron (slide figure: Reach_[0,T](X0) drawn from X0 and F in the (x1, x2) plane)

Rectangular Discretization
*Figure from T. Dang and O. Maler, Reachability Analysis via Face Lifting, HS'98
• Information about the vector field is used to iteratively include reachable cells

Flow Pipe Approximations: Problem Statement
Given a continuous dynamic system ẋ = f(x) and a set of initial states X0, conservatively approximate the set of reachable states R_[0,T](X0) from time t = 0 to t = T.
Polyhedral Flow Pipe Approximations
A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998
(Slide figure: X0 carried forward through t1, …, t9.)
• divide R_[0,T](X0) into [tk, tk+1] segments
• enclose each segment with a convex polytope
• R̂_[0,T](X0) = union of the polytopes
Wrapping Hyperplanes Around a Set
(Slide figure: a set S with hyperplane normals c1, …, c4.)
Step 2: adjust each hyperplane so that it just touches S by solving, for each i, the optimization problem
d_i = max_{x ∈ S} c_iᵀx

Wrapping a Flow Pipe Segment
Given normal vectors c_i, we shrink-wrap R_[tk, tk+1](X0) in a polytope by solving, for each i,
d_i = max c_iᵀ x(t, x0) s.t. x0 ∈ X0, t ∈ [tk, tk+1]
The optimization problem is solved by embedding simulation into the objective function computation routine.
Choosing Normal Vectors
• We probably need a different set of normal vectors c_i to shrink-wrap each segment
• Heuristics: compute the vertices of X0 at times tk and tk+1 using an ODE solver; form the convex hull from these points; use the normal vectors from the faces of the convex hull

Flow Pipe Segment Approximation
• Step 1.a. Simulate trajectories from each vertex of X0 (Vertices(X0) at tk and at tk+1).
• Step 1.b. Take the convex hull and identify the outward normal vectors.
• Step 2. Solve the optimization for d_i; the flow pipe segment is approximated by { x | c_iᵀx ≤ d_i, ∀i }
Example 1: Van der Pol Equation
• Van der Pol equation in the state (x1, x2) (in its standard form with unit parameter: ẋ1 = x2, ẋ2 = (1 − x1²)x2 − x1)
• Initial set X0 (small polytope shown on the slide)
• Uniform time step of 0.5
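One flow-pipe segment of the Van der Pol oscillator wrapped by the three-step recipe above, as an added Python example (not code from the talk). It assumes the standard Van der Pol form with unit parameter and a constructed initial box X0; the maximisation in step 2 is done over a dense sampling of the vertex trajectories, a stand-in for the optimisation with simulation embedded in the objective, so the enclosure is heuristic rather than certified.

```python
# Added example, not the talk's code. Step 1a: simulate from the vertices of X0;
# step 1b: convex hull of the vertex positions at tk and tk+1 gives the normals c_i;
# step 2: d_i = max c_i^T x over (sampled) trajectory points of the segment.
def van_der_pol(x, mu=1.0):          # standard form, mu = 1 (assumption)
    return (x[1], mu * (1.0 - x[0] ** 2) * x[1] - x[0])

def rk4_path(f, x0, t0, t1, n=50):
    """n+1 RK4 sample points of the trajectory x(t, x0) for t in [t0, t1]."""
    h = (t1 - t0) / n
    x, pts = tuple(x0), [tuple(x0)]
    for _ in range(n):
        k1 = f(x)
        k2 = f(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k1)))
        k3 = f(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k2)))
        k4 = f(tuple(xi + h * ki for xi, ki in zip(x, k3)))
        x = tuple(xi + h / 6 * (a + 2 * b + 2 * c + d)
                  for xi, a, b, c, d in zip(x, k1, k2, k3, k4))
        pts.append(x)
    return pts

def convex_hull(points):
    """Andrew's monotone chain; hull vertices in counter-clockwise order."""
    pts = sorted(set(points))
    if len(pts) < 3:
        return pts
    cross = lambda o, a, b: (a[0]-o[0])*(b[1]-o[1]) - (a[1]-o[1])*(b[0]-o[0])
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]

def outward_normals(hull):
    """For a CCW edge a -> b the outward unit normal is (dy, -dx) / |edge|."""
    normals = []
    for a, b in zip(hull, hull[1:] + hull[:1]):
        dx, dy = b[0] - a[0], b[1] - a[1]
        length = (dx * dx + dy * dy) ** 0.5
        normals.append((dy / length, -dx / length))
    return normals

def wrap_segment(f, vertices, tk, tk1):
    """(normals c_i, offsets d_i) of the polytope {x | c_i^T x <= d_i} around the segment."""
    paths = [rk4_path(f, v, tk, tk1) for v in vertices]                 # step 1a
    hull = convex_hull([p[0] for p in paths] + [p[-1] for p in paths])  # step 1b
    normals = outward_normals(hull)
    d = [max(c[0] * x[0] + c[1] * x[1] for p in paths for x in p)       # step 2
         for c in normals]
    return normals, d

def contains(normals, d, x, tol=1e-9):
    return all(c[0] * x[0] + c[1] * x[1] <= di + tol for c, di in zip(normals, d))

X0_VERTICES = [(0.8, 0.0), (1.0, 0.0), (1.0, 0.2), (0.8, 0.2)]   # constructed box X0
```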
Improvements for Linear Systems
For ẋ = Ax + b the analytical solution is x(t, x0) = e^{At} x0 + ∫_0^t e^{A(t−τ)} b dτ, so
R̂_[t, t+Δt](X0) = e^{At} R̂_[0, Δt](X0) + ∫_0^t e^{Aτ} b dτ
• The flow pipe segment computation depends only on the time step Δt
• A segment can be obtained by applying an affine transformation to another segment with the same Δt
• No longer any need to embed numerical integration into the optimization when b = 0
Transforming A Polytope
The polytope P = { x | Cx ≤ d } under the affine map y = Tx + v becomes the polytope TP + v = { y | C T⁻¹ y ≤ d + C T⁻¹ v }
(Slide figure: P mapped by T and shifted by v.)
For the flow pipe, R̂_[t, t+Δt](X0) = e^{At} R̂_[0, Δt](X0) + ∫_0^t e^{Aτ} b dτ, so one segment is obtained from the first by this transformation with T = e^{At}.
Example 2: Linear System
• A = [0 1 0; 0 0 1; 1 2 2] (the signs of the last row are lost in the transcript)
• Vertices for X0: the four 3-vectors on the slide, read from the scattered digits as (1, 1, 1), (2, 1, 1), (2, 2, 1) and (1, 2, 1) (a reconstruction)
• Uniform time step of 0.1
• Compute the first segment, then transform it with e^{At} 49 times
Approximation Error
(Slide figure: the exact segment R_[t, t+Δt](P) and its approximation R̂_[t, t+Δt](P), with a trajectory x(t, x0*) marked.)
• The distance dist(R̂_[t, t+Δt](P), R_[t, t+Δt](P)) is bounded by an expression in the time step Δt, the size of X0, the Lipschitz constant L of the vector field f, and the dimension n (the slide’s bound involves e^{LΔt})
• Can be made arbitrarily small for each segment

Flow Pipe Approximation
• Applies in arbitrary dimensions
• The approximation error does not accumulate from the previous time step
• The approximation error can be made arbitrarily small by bounding
  Δt, the size of the segment time step (independent of the starting time for the segment), and
  Δx0, the size of the initial set partition (depends on the starting time for the segment)
Selecting Initial Partition
• Start with the faces of the invariant cell for each location (p, q)
• Look at the vector field f_q(x) on each face with normal vector c
• Split polytopes recursively to satisfy a vector field direction tolerance, a vector field variation tolerance and a size tolerance
• Group continuous states with similar qualitative behaviors
(Slide figure: a face with normal c and vector field f_q(x); legend: max cᵀf_q(x), min cᵀf_q(x).)

Initial Partition Tolerances
(Slide figure, three criteria evaluated on a face with normal c and field f_q(x):)
• Direction: the sign of cᵀf_q(x) over the face (−1, 0, +1); ok when uniform, split when it changes sign
• Variation: ok when the spread between max cᵀf_q(x) and min cᵀf_q(x) is within tolerance, split otherwise
• Size: ok when the face is within the size tolerance, split otherwise

Splitting Polytopes for Initial Partitions (and Refinement)
• c: split direction; d_min, d_max = min, max of cᵀx over x ∈ P
• Split at the hyperplane cᵀx = d = (d_min + d_max)/2, giving P ∩ {cᵀx ≤ d} and P ∩ {cᵀx ≥ d}
(Slide figure: P between the hyperplanes cᵀx = d_min and cᵀx = d_max.)
Finite-State Transition System
(Slide figure: a state-transition graph with states u0 (labels a, c), u1 (b, d), u2 (d), u3 (e), unfolded into its computation tree.)

Computation Tree Logic (CTL)
• Path quantifiers: A (for all computation paths), E (for some computation path)
• Linear-time operators: G (globally), F (in the future), X (next time), U (until)
• Specify evolutions along paths in the computation tree from a given state
• Can specify safety, liveness, fairness, etc.
• AG safe: the system is safe along all paths; AG(AF reset): the system is reset infinitely often along every computation path
Model Checking Program
• Implemented in MATLAB using graph search algorithms
• Complexity linear in the product of the system size and the length of the CTL formula
• Finds the set of states where the given CTL formula is true
• T_H^M/𝒫 satisfies the ACTL spec ⇒ T_H satisfies the ACTL spec

ACTL
Restricted class of CTL allowing only the universal path quantifier:
f ::= ap | ¬ap | f ∧ f | f ∨ f | AX f | AF f | AG f | A[f U f]

Atomic Propositions in the Tool
Two types of atomic propositions (AP):
• Polyhedral threshold atomic proposition <PTHB>: identified by the name of each PTHB; specifies the output of the PTHB (true if the PTHB output is 1); truth value determined directly from cell p for each state (π, p, q) in T_H^M/𝒫
• Finite state machine atomic proposition <FSMB == state>: specifies the active state of each FSMB; truth value determined directly from q for each state (π, p, q) in T_H^M/𝒫
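A fixpoint model checker for the ACTL grammar above, as an added Python example (not the talk's MATLAB program): check() returns the set of states where a formula holds, and verified() asks whether every initial state satisfies it, which is the question the verification procedure puts to T_H^M/𝒫. The transition system TOY is constructed, and a total transition relation (every state has a successor) is assumed.

```python
# Added example, not the talk's tool. Formulas are nested tuples:
# ("ap", p), ("not", p), ("and", f, g), ("or", f, g), ("AX", f), ("AF", f),
# ("AG", f), ("AU", f, g) for A[f U g]. Negation is allowed only on atoms.
TOY = {   # constructed labelled transition system with a total relation
    "Q": {"u0", "u1", "u2", "u3"},
    "Q0": {"u0"},
    "succ": {"u0": {"u1", "u3"}, "u1": {"u2"}, "u2": {"u3"}, "u3": {"u0"}},
    "label": {"u0": {"a", "c"}, "u1": {"b", "d"}, "u2": {"d"}, "u3": {"e"}},
}

def check(ts, f):
    """Set of states of ts satisfying the ACTL formula f."""
    Q, succ, label = ts["Q"], ts["succ"], ts["label"]

    def ax(S):  # states all of whose successors lie in S
        return {q for q in Q if succ[q] <= S}

    def fixpoint(step, Z):  # iterate step from Z until it stabilises
        while True:
            Z2 = step(Z)
            if Z2 == Z:
                return Z
            Z = Z2

    op = f[0]
    if op == "ap":
        return {q for q in Q if f[1] in label[q]}
    if op == "not":
        return Q - check(ts, ("ap", f[1]))
    if op == "and":
        return check(ts, f[1]) & check(ts, f[2])
    if op == "or":
        return check(ts, f[1]) | check(ts, f[2])
    if op == "AX":
        return ax(check(ts, f[1]))
    if op == "AF":                          # least fixpoint  Z = f | AX Z
        S = check(ts, f[1])
        return fixpoint(lambda Z: S | ax(Z), set())
    if op == "AG":                          # greatest fixpoint  Z = f & AX Z
        S = check(ts, f[1])
        return fixpoint(lambda Z: S & ax(Z), set(Q))
    if op == "AU":                          # least fixpoint  Z = g | (f & AX Z)
        F, G = check(ts, f[1]), check(ts, f[2])
        return fixpoint(lambda Z: G | (F & ax(Z)), set())
    raise ValueError("unknown operator %r" % (op,))

def verified(ts, f):
    """The verification question: do all initial states satisfy f?"""
    return ts["Q0"] <= check(ts, f)
```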
Quotient Transition System Refinement
• Bisimulation refinement splits P into the part that can reach P’ (P1 = P ∩ Pre(P’)) and the part that cannot (P2)
• Difficult to implement: set subtractions, non-convex sets
(Slide figure: P split into P1 and P2 relative to P’.)
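The quotient construction, the bisimulation stopping condition (Facts About QTS), the approximate-QTS condition and the bisimulation refinement step just described, worked on a finite transition system as an added Python example (not the talk's tool). TRANS, Q0 and the initial partition are a constructed toy, and Post_M is passed in as a function so that any over-approximation can be checked.

```python
# Added example, not the talk's tool: quotient transition systems of a finite
# T = (Q, ->, Q0), the stopping condition, bisimulation refinement and the
# "at most one successor" condition for approximate quotients.
TRANS = {(1, 2), (1, 3), (2, 4), (3, 5), (4, 4), (5, 5), (6, 6)}   # constructed
Q0 = {1}
INITIAL_BLOCKS = [{1, 2, 3}, {4, 5, 6}]   # e.g. grouped by atomic-proposition labels

def pre(trans, P):
    """Pre(P) = { q | exists p in P with q -> p }."""
    return {q for q, p in trans if p in P}

def post(trans, P):
    """Post(P) = { q | exists p in P with p -> q }."""
    return {q for p, q in trans if p in P}

def quotient(trans, q0, blocks):
    """T/P = (P, ->_P, Q0/P): block i -> block j iff Post(P_i) meets P_j."""
    edges = {(i, j) for i, Pi in enumerate(blocks) for j, Pj in enumerate(blocks)
             if post(trans, Pi) & Pj}
    init = {i for i, Pi in enumerate(blocks) if Pi & q0}
    return edges, init

def is_bisimulation(trans, blocks):
    """Fact 2: T/P is a bisimulation iff P ∩ Pre(P') is empty or all of P, for all P, P'."""
    return all(not (P & pre(trans, P2)) or P <= pre(trans, P2)
               for P in blocks for P2 in blocks)

def refine(trans, blocks):
    """One bisimulation-refinement pass: split every block P on every splitter P'
    into P ∩ Pre(P') (can reach P') and P minus Pre(P') (cannot)."""
    out = []
    for P in blocks:
        pieces = [P]
        for P2 in blocks:
            reach = pre(trans, P2)
            pieces = [s for X in pieces for s in (X & reach, X - reach) if s]
        out.extend(pieces)
    return out

def coarsest_bisimulation(trans, blocks):
    """Iterate until the stopping condition holds; every pass strictly refines, so it terminates."""
    while not is_bisimulation(trans, blocks):
        blocks = refine(trans, blocks)
    return blocks

def approx_is_bisimulation(trans, blocks, post_m):
    """Approximate-QTS condition: under the over-approximation Post_M each block has at
    most one successor block, and an overlap means every p in P really reaches P'."""
    for P in blocks:
        pm = post_m(P)
        for P2 in blocks:
            if pm & P2 and (not pm <= P2 or not all(post(trans, {p}) & P2 for p in P)):
                return False
    return True
```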
Alternative Refinement Procedure
• Refine states with more than one successor state, motivated by the bisimulation condition for the approximation
• Use bisection refinement instead of bisimulation refinement
• Selective refinement w.r.t. the ACTL specification: refine only the initial states not satisfying the ACTL specification and all their descendants; this reduces the computational cost and slows down state explosion
Summary of Verification Procedure
• Approximate the initial quotient transition system T_H^M/𝒫0 for the PIHA converted from the TEDHS
• If all initial states in T_H^M/𝒫N satisfy the ACTL specification: stop, the system is verified
• Otherwise, for each initial state in T_H^M/𝒫N violating the ACTL specification and all its descendants, split the associated polytope; recompute the mappings and transitions for the new polytopes to approximate T_H^M/𝒫N+1; set N = N + 1 and repeat
Contributions
• Approximate quotient transition systems for verification of hybrid systems: discrete-trace transition system; bisimulation condition for approximate quotient transition systems; verification results in some cases where a finite bisimulation does not exist
• Flow pipe approximations: handles general ODEs in arbitrary dimensions; efficient computations for affine systems; arbitrarily close approximations; error does not accumulate from previous time steps; realization of quotient transition system verification
• MATLAB verification tool: TEDHS modeling front end; conversion from TEDHS to PIHA; automatic generation and refinement of approximate quotient transition systems; polyhedral library (convex hull, etc.); ACTL parser and finite-state model checking library
Research Directions
• Flow pipe approximations: more efficient nonlinear flow pipe approximations; extension to differential inclusions; numerical methods to guarantee a conservative approximation using floating point or integer arithmetic; global optimization techniques; null transition identification methods
• More restrictive refinement set: identify states along particular paths from the initial states that violate the ACTL specification, as opposed to all reachable states from the initial states that violate it
• More efficient PIHA conversion for the tool: the tool introduces many cells between which no discrete transition actually occurs; consolidate adjacent cells with the same discrete state
• Extension of the theory/tool to handle jumps in continuous dynamics