

  1. A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION
  Andreas Müller – andreas.mueller@jku.at
  Stefan Mitsch – smitsch@cs.cmu.edu
  Werner Retschitzegger – werner.retschitzegger@jku.at
  André Platzer – aplatzer@cs.cmu.edu
  Wieland Schwinger – wieland.schwinger@jku.at
  Johannes Kepler University, Linz, Department of Cooperative Information Systems, http://cis.jku.at/
  Carnegie Mellon University, Pittsburgh, Computer Science Department, http://www.ls.cs.cmu.edu

  2. OVERVIEW
   Background
     Cyber-Physical Systems
     Hybrid System Models
     Component-based Modeling
   Component-based Modeling and Verification Approach
     Components
     Interfaces
     Contracts
     Composition Retains Contract
   Conclusion and Future Work


  4. BACKGROUND
   Cyber-physical systems (CPS)
     Combine cyber and physical capabilities
     Continuous physical part: vehicle movement, …
     Discrete cyber part: vehicle steering, …
     Often safety-critical!
   Hybrid system models: model and analyze CPS
     Hybrid programs: program notation for hybrid system modeling
     Safety analysis: Φ → [α] Ψ … starting in Φ, each run of α leads to a safe state Ψ
     Verified using the theorem prover KeYmaera
     Challenging for large monolithic models
   Component-based hybrid system modeling and verification
     Component verification results do not always transfer to the composite
     ⟹ Component-based approach to hybrid system safety verification


  6. RUNNING EXAMPLE – VEHICLE CRUISE CONTROL
   Vehicle cruise control system
     Overall safety property: keep the vehicle's velocity within bounds
     Split into two components
   Actuator component
     Receives target velocity
     Chooses target acceleration such that the target velocity can be reached
     Outputs actual velocity
   Cruise controller component
     Receives actual velocity
     Chooses target velocity
     Outputs target velocity

  7. DEFINITION 2: COMPONENT
   Component C = (ctrl, plant)
     ctrl … discrete control part
     plant ≡ x₁' = θ₁, …, xₙ' = θₙ & H … continuous part
       Ordinary differential equations
       Evolution domain H
   Actuator: C_ac = (ctrl_ac, plant_ac)
     ctrl_ac ≡ a_ac := (v_tr − v_ac)/ε; t⁰_ac := t … choose a such that v_tr is reached within ε
     plant_ac ≡ v_ac' = a_ac, t' = 1 & t − t⁰_ac ≤ ε … evolve v with rate a for at most ε
   Cruise control component
     ctrl_cc: choose target velocity
     plant_cc: NO continuous part

  8. DEFINITION 3: INTERFACE
   Interface I = (V_in, π_in, V_out, π_out)
     V_in … variables for input ports
     π_in … input assumptions
     V_out … variables for output ports
     π_out … output guarantees
   Actuator: I_ac
     V_in = {v_tr} … target velocity
     π_in(v_tr) ≡ 0 ≤ v_tr ≤ V … target velocity v_tr in velocity interval
     V_out = {v} … current velocity
     π_out(v) ≡ 0 ≤ v ≤ V … current velocity v in velocity interval
   Cruise control component
     Reads current velocity
     Provides calculated target velocity

  9. DEFINITION 4: CONTRACT
   Contract
     Initial state φ
     Target state ψ ≡ ψ_safe ∧ Π_out
     Cont(C, I) ≡ (t = 0 ∧ φ) → [(in; ctrl; {t' = 1, plant})*] ψ
       in … read valid inputs
       ctrl … run ctrl
       {t' = 1, plant} … run plant
       * … repeat 0…n times
       ψ … must hold after all runs
   Actuator (1)
     φ ≡ v = 0 ∧ V ≥ 0 ∧ ⋯ … vehicle initially stopped and …
     ψ ≡ 0 ≤ v ≤ V … vehicle velocity always in interval
   Cruise controller component
     Target velocity always in interval
   Verified using KeYmaera
  (1) Properties coincide due to the simple example. Not necessarily the case!
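Why the actuator contract holds, written out as the inductive argument a KeYmaera proof of Cont(C_ac, I_ac) discharges. This sketch is added here and is not part of the slides; it assumes the reconstructed control step a_ac := (v_tr − v)/ε from slide 7, and it writes v for the actuator's velocity as slides 8 and 9 do.

  Loop invariant: J ≡ 0 ≤ v ≤ V
  Base case: t = 0 ∧ φ_ac gives v = 0 and V ≥ 0, so J holds before the first iteration.
  Induction step, assuming J before one run of (in; ctrl_ac; {t' = 1, plant_ac}):
    in:    0 ≤ v_tr ≤ V                                  (π_in of I_ac)
    ctrl:  a_ac = (v_tr − v)/ε,  t⁰_ac = t
    plant: while t − t⁰_ac ≤ ε, the ODE v' = a_ac has the solution
           v(t) = v + a_ac · (t − t⁰_ac) = (1 − λ) · v + λ · v_tr,  λ = (t − t⁰_ac)/ε ∈ [0, 1]
           so v(t) is a convex combination of v and v_tr, both in [0, V], hence 0 ≤ v(t) ≤ V.
  Hence J is preserved by every iteration, and J → ψ_safe ≡ 0 ≤ v ≤ V.
  Because π_out(v) is the same formula as ψ_safe here (footnote (1)), J also discharges Π_out, so Cont(C_ac, I_ac) is valid.

The step that does the work is the evolution domain t − t⁰_ac ≤ ε: without it λ is unbounded and v(t) can leave [0, V], which is exactly the kind of assumption a component's plant must state explicitly for its contract to be composable.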

  10. THEOREM 1: COMPOSITION RETAINS CONTRACTS
   Let …
     (C₁, I₁) and (C₂, I₂) be components with interfaces
     Cont(C₁, I₁) and Cont(C₂, I₂) be verified
     (C₁, I₁) and (C₂, I₂) be compatible (Def. 6)
     (C₃, I₃) = (C₁, I₁) ∥ (C₂, I₂) (Def. 5)
   Then Cont(C₃, I₃) is also valid, with …
     φ₃ ≡ φ₁ ∧ φ₂ … both initial states hold
     ψ₃ ≡ ψ₁ ∧ ψ₂ … both safety properties and all output properties hold
   Example: actuator and cruise controller
     Actuator contract verified: ψ_ac ≡ vehicle velocity always in interval
     Cruise controller contract verified: ψ_cc ≡ target velocity always in interval
     Compatible composite: (C_sys, I_sys) = (C_ac, I_ac) ∥ (C_cc, I_cc)
     φ_sys ≡ φ_ac ∧ φ_cc
     ψ_sys ≡ ψ_ac ∧ ψ_cc ⟹ vehicle velocity always in interval: overall system property!
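The contract of Definition 4 and the composition of Theorem 1 in executable, test-only form, as an added example that is not the authors' code (their verification is a KeYmaera proof; sampled runs can only find a counterexample, never establish a contract). It assumes details the slides leave open: a_ac := (v_tr − v)/ε as reconstructed on slide 7, a plant duration sampled from [0, ε], V = 30, and a composite that runs ctrl_cc before ctrl_ac with v and v_tr wired between the two components. The cruise controller's ramp policy and its deliberately unclamped variant are constructed for illustration.

```python
"""Randomized bounded check of the slides' cruise-control contracts (added example,
not the authors' KeYmaera models).  Runs of (in; ctrl; {t' = 1, plant})* are
sampled and psi = psi_safe /\ Pi_out is tested after every iteration; this finds
counterexamples but never proves a contract, which is what KeYmaera is for.
Assumed and not on the slides: a := (v_tr - v)/eps in ctrl_ac, a sampled plant
duration in [0, eps], V = 30, and a composite that runs ctrl_cc before ctrl_ac.
Exact rationals avoid false violations of 0 <= v <= V from floating-point rounding."""
from dataclasses import dataclass
from fractions import Fraction as F
from random import Random
from typing import Callable, Dict, Optional, Sequence

State = Dict[str, F]
Pred = Callable[[State], bool]
V_MAX = F(30)   # V on the slides: velocity bound shared by both interfaces
EPS = F(1)      # epsilon: maximum evolution time of the plant per iteration

@dataclass(frozen=True)
class Interface:                        # Def. 3: I = (V_in, pi_in, V_out, pi_out)
    v_in: Sequence[str]
    pi_in: Pred
    v_out: Sequence[str]
    pi_out: Pred

@dataclass(frozen=True)
class Component:                        # Def. 2: C = (ctrl, plant)
    ctrl: Callable[[State], None]
    plant: Callable[[State, F], None]   # evolve the state for a duration d <= eps

@dataclass(frozen=True)
class Contract:                         # Def. 4: initial state phi, safety target psi_safe
    phi: Pred
    psi_safe: Pred

def sample_inputs(s: State, iface: Interface, rng: Random) -> None:
    """The 'in' step: port values drawn from a range wider than [0, V] and rejected
    until pi_in holds, so every admissible input (boundaries included) is exercised."""
    while True:
        for name in iface.v_in:
            s[name] = F(rng.randint(-50, 350), 10)
        if iface.pi_in(s):
            return

def step_plant(plants, s: State, rng: Random) -> None:
    """{t' = 1, plant}: all plants evolve in parallel for one sampled duration."""
    d = F(rng.randint(0, 10), 10) * EPS
    for plant in plants:
        plant(s, d)
    s["t"] += d

def check(comps, cons, s0: State, iface: Optional[Interface] = None,
          seed: int = 1, iters: int = 2000) -> Optional[State]:
    """Cont(C, I) in test form: loop from t = 0 /\ phi, return the first state violating
    psi_safe /\ Pi_out, else None.  Several components form the composite of Theorem 1
    (phi_3 = phi_1 /\ phi_2, psi_3 = psi_1 /\ psi_2); iface=None means every port is
    wired internally, so the composite has no 'in' step and no external Pi_out."""
    rng, s = Random(seed), dict(s0, t=F(0))
    assert all(c.phi(s) for c in cons), "phi must hold in the initial state"
    for _ in range(iters):
        if iface is not None:
            sample_inputs(s, iface, rng)
        for comp in comps:                  # assumed order: as listed (ctrl_cc, ctrl_ac)
            comp.ctrl(s)
        step_plant([c.plant for c in comps], s, rng)
        if not all(c.psi_safe(s) for c in cons) or (iface is not None and not iface.pi_out(s)):
            return dict(s)
    return None

# Actuator (slides 7-9): choose a so that v_tr is reached after eps, then v' = a.
def ctrl_ac(s: State) -> None:
    s["a"], s["t0"] = (s["v_tr"] - s["v"]) / EPS, s["t"]

def plant_ac(s: State, d: F) -> None:   # exact solution of v' = a over duration d
    s["v"] += s["a"] * d

ACTUATOR = Component(ctrl_ac, plant_ac)
I_AC = Interface(("v_tr",), lambda s: 0 <= s["v_tr"] <= V_MAX,
                 ("v",), lambda s: 0 <= s["v"] <= V_MAX)
CONT_AC = Contract(lambda s: s["v"] == 0 and V_MAX >= 0,   # vehicle initially stopped
                   lambda s: 0 <= s["v"] <= V_MAX)        # velocity always in interval

# Cruise controller: discrete only (NO continuous part).  Constructed policy: ramp the
# target up by 5 per iteration, clamped to [0, V]; the "bad" variant drops the clamp.
def ctrl_cc(s: State) -> None:
    s["v_tr"] = min(V_MAX, s["v"] + 5)

def ctrl_cc_bad(s: State) -> None:      # breaks Pi_out as soon as its input v > V - 5
    s["v_tr"] = s["v"] + 5

CRUISE = Component(ctrl_cc, lambda s, d: None)
CRUISE_BAD = Component(ctrl_cc_bad, lambda s, d: None)
I_CC = Interface(("v",), lambda s: 0 <= s["v"] <= V_MAX,
                 ("v_tr",), lambda s: 0 <= s["v_tr"] <= V_MAX)
CONT_CC = Contract(lambda s: 0 <= s["v_tr"] <= V_MAX and V_MAX >= 0,
                   lambda s: 0 <= s["v_tr"] <= V_MAX)     # target velocity always in interval
S0: State = {"v": F(0), "v_tr": F(0)}

if __name__ == "__main__":
    print("bad cruise alone:", check([CRUISE_BAD], [CONT_CC], S0, I_CC))
    print("good composite  :", check([CRUISE, ACTUATOR], [CONT_CC, CONT_AC], S0))
    print("bad composite   :", check([CRUISE_BAD, ACTUATOR], [CONT_CC, CONT_AC], S0))
```

The unclamped controller is caught twice over: alone, because a valid input v > 25 makes it emit v_tr > V and break its own Π_out, and in the composite, where the same fault surfaces as a violation of ψ_sys although the actuator on its own never leaves [0, V]. That is the situation Theorem 1 rules out by demanding individually verified and compatible components, and it is why an output guarantee a component does not actually uphold cannot be patched over by the component on the other side of the port.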


  12. CONCLUSION AND FUTURE WORK
   We presented a technique to model and verify component-based CPS
     Split the system into components
     Verify the components
     Rebuild the system from the components ⟹ transfer verification results!
   Future work
     Extend interface and port capabilities
     Implement the framework as a tool
     Add further composition operations
       Delayed transmission
       Erroneous transmission

