Challenge Parasara Sridhar Duggirala, Chuchu Fan, Sayan Mitra, and - PowerPoint PPT Presentation

Meeting A Powertrain Verification Challenge Parasara Sridhar Duggirala, Chuchu Fan, Sayan Mitra, and Mahesh Viswanathan

Powertrain Control Systems  Fuel control and transmission subsystem • Software control: increasing complexity (100M LOC) • Constraints: Emissions, Efficiency, etc. • Strict performance requirements • Early bug detection using formal methods CAV 2015 2

Powertrain Control Systems  Fuel control and transmission subsystem • Software control: increasing complexity (100M LOC) • Constraints: Emissions, Efficiency, etc. • Strict performance requirements • Early bug detection using formal methods  Powertrain control benchmarks from Toyota Jin et.al . [HSCC’14]  Complexity “ similar ” to industrial systems  Benchmark tool/challenge problems for academic research CAV 2015 3

Powertrain Control Systems  Fuel control and transmission subsystem • Software control: increasing complexity (100M LOC) • Constraints: Emissions, Efficiency, etc. • Strict performance requirements • Early bug detection using formal methods  Powertrain control benchmarks from Toyota Jin et.al . [HSCC’14]  Complexity “ similar ” to industrial systems  Benchmark tool/challenge problems for academic research This paper: Verifying one of the models in the powertrain control benchmark CAV 2015 4

Verifying Powertrain Control System (Challenges) Hybrid id Systems Model Polynomial ODE Plant Yes + Modes of operation C2E2 (Hybrid Systems Verification Tool) No Pr Property rise ⇒ □ [𝜃,𝜂] [0.98 𝜇 𝑠𝑓𝑔 , 1.02𝜇 𝑠𝑓𝑔 ] CAV 2015 5

Verifying Powertrain Control System (Challenges) Yes C2E2 (Hybrid Systems Verification Tool) No Pr Property rise ⇒ □ [𝜃,𝜂] [0.98 𝜇 𝑠𝑓𝑔 , 1.02𝜇 𝑠𝑓𝑔 ]  Hybrid systems verification • Undecidable in general [simple continuous dynamics ሶ 𝑧 = 2 ] 𝑦 = 1, ሶ CAV 2015 6

Verifying Powertrain Control System (Challenges) Yes C2E2 (Hybrid Systems Verification Tool) No Pr Property rise ⇒ □ [𝜃,𝜂] [0.98 𝜇 𝑠𝑓𝑔 , 1.02𝜇 𝑠𝑓𝑔 ]  Hybrid systems verification • Undecidable in general [simple continuous dynamics ሶ 𝑧 = 2 ] 𝑦 = 1, ሶ • Nonlinear Ordinary Diff. Eqns. – scalability problems CAV 2015 7

ሶ ሶ ሶ ሶ ሶ ሶ ሶ Verifying Powertrain Control System (Challenges) Yes C2E2 (Hybrid Systems p = c 1 2θ c 20 p 2 + c 21 p + c 22 − c 12 c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 Verification Tool) 2 F c 2 + c 18 λ = c 26 (c 15 + c 16 c 25 F c + c 17 c 25 m c + c 19 m c c 25 F c − λ) No p e = c 1 2c 23 θ c 20 p 2 + c 21 p + c 22 − c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 Property Pr i = c 14 (c 24 λ − c 11 ) rise ⇒ □ [𝜃,𝜂] [0.98 𝜇 𝑠𝑓𝑔 , 1.02𝜇 𝑠𝑓𝑔 ] where c 11 (1 + i + c 13 (c 24 λ − c 11 ))(c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 ) 1 F c = m c = c 12 (c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 )  Hybrid systems verification • Undecidable in general [simple continuous dynamics ሶ 𝑧 = 2 ] 𝑦 = 1, ሶ • Nonlinear Ordinary Diff. Eqns. – scalability problems CAV 2015 8

Outline  Motivation & Challenges  Powertrain Benchmark  Specification  Simulation Based Verification Technique  Engineering  Verification Results  Conclusions and Future Work CAV 2015 9

Powertrain Systems Benchmark (previous work)  Falsification techniques S-Taliro Annpureddy et.al.[TACAS’11 ], Breach Donze et.al .[CAV’10] .  Requirement mining (also found bugs) Jin et.al.[HSCC’13].  Simulation guided Lyapunov analysis Balkan et.al.[ICC’15] , and more … Model I Model II Model III Delay Differential Nonlinear ODE Polynomial ODE Equations Plant Plant + ( Non – polynomial ) + Lookup Tables + Continuous + Discrete update controller Hierarchical control software + Components Modes of operation CAV 2015 10

Powertrain Systems Benchmark (previous work)  Falsification techniques S-Taliro Annpureddy et.al.[TACAS’11] , Breach Donze et.al.[CAV’10] .  Requirement mining (also found bugs) Jin et.al.[HSCC’13].  Simulation guided Lyapunov analysis Balkan et.al.[ICC’15] , and more … Model III  Our contribution: Polynomial ODE Plant • Formal verification of Model III* + • Bridging simulations and verification Continuous controller + Modes of operation CAV 2015 11

ሶ ሶ ሶ ሶ Powertrain Model (Model III)  Hybrid System of 4 modes (with inputs) startup 𝒚 = 𝒈 𝒕 𝒚 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 normal 𝜄 𝑗𝑜 ≤ 50 𝑝 𝒚 = 𝒈 𝒐 𝒚 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚 𝜄 𝑗𝑜 ≥ 70 𝑝 sensor_fail power 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚  No Feedback Control  Feedback Control  Closed-loop mode,  Open Loop mode, feedback PI control + feedforward estimator feedforward estimator CAV 2015 12

ሶ ሶ ሶ ሶ Powertrain Model (Model III)  Hybrid System of 4 modes (with inputs) startup 𝒚 = 𝒈 𝒕 𝒚  Real valued variables – Ordinary Diff. Eqns. 𝜇 – Air/fuel ratio 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 𝑞 – Intake manifold pressure normal 𝜄 𝑗𝑜 ≤ 50 𝑝 𝑞 𝑓 – Estimate of 𝑞 𝒚 = 𝒈 𝒐 𝒚 𝑗 – PI control variable 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚 𝜄 𝑗𝑜 ≥ 70 𝑝 sensor_fail power 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚  No Feedback Control  Feedback Control  Closed-loop mode,  Open Loop mode, feedback PI control + feedforward estimator feedforward estimator CAV 2015 13

ሶ ሶ ሶ ሶ Powertrain Model (Model III)  Hybrid System of 4 modes (with inputs) startup 𝒚 = 𝒈 𝒕 𝒚  Real valued variables – Ordinary Diff. Eqns. 𝜇 – Air/fuel ratio 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 𝑞 – Intake manifold pressure normal 𝜄 𝑗𝑜 ≤ 50 𝑝 𝑞 𝑓 – Estimate of 𝑞 𝒚 = 𝒈 𝒐 𝒚 𝑗 – PI control variable 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚  Transitions – input signal 𝜄 𝑗𝑜 𝜄 𝑗𝑜 ≥ 70 𝑝 sensor_fail power 𝜄 𝑗𝑜 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚 𝑢  No Feedback Control  Feedback Control  Closed-loop mode,  Open Loop mode, 𝜇 feedback PI control + feedforward estimator feedforward estimator 𝑢 CAV 2015 14

ሶ ሶ ሶ ሶ Powertrain Model (Challenges)  How to handle input signals? startup 𝒚 = 𝒈 𝒕 𝒚 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 normal 𝜄 𝑗𝑜 ≤ 50 𝑝 𝒚 = 𝒈 𝒐 𝒚 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚 𝜄 𝑗𝑜 ≥ 70 𝑝 sensor_fail power 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚 CAV 2015 15

ሶ ሶ ሶ ሶ Powertrain Model (Challenges)  How to handle input signals? startup 𝒚 = 𝒈 𝒕 𝒚 Consider family of input signals 𝜄 𝑗𝑜 and construct closed hybrid system 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 normal 𝑢𝑗𝑛𝑓𝑠 ∈ 𝐽 1 𝜄 𝑗𝑜 𝒚 = 𝒈 𝒐 𝒚 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚 𝑢 𝐽 1 𝐽 2 𝑢𝑗𝑛𝑓𝑠 ∈ 𝐽 2 sensor_fail power 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚 CAV 2015 16

ሶ ሶ ሶ ሶ Powertrain Model (Challenges)  How to handle input signals? startup 𝒚 = 𝒈 𝒕 𝒚 Consider family of input signals 𝜄 𝑗𝑜 and construct closed hybrid system 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 normal 𝑢𝑗𝑛𝑓𝑠 ∈ 𝐽 1 𝜄 𝑗𝑜 𝒚 = 𝒈 𝒐 𝒚 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚 𝑢 𝐽 1 𝐽 2 𝑢𝑗𝑛𝑓𝑠 ∈ 𝐽 2 sensor_fail power  Nonlinearity of ODE 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚 CAV 2015 17

ሶ ሶ ሶ ሶ ሶ ሶ ሶ ሶ ሶ ሶ ሶ Powertrain Model (Challenges)  How to handle input signals? startup 𝒚 = 𝒈 𝒕 𝒚 Consider family of input signals 𝜄 𝑗𝑜 and construct closed hybrid system 𝑢𝑗𝑛𝑓𝑠 = 𝑈 𝑡 normal 𝑢𝑗𝑛𝑓𝑠 ∈ 𝐽 1 𝜄 𝑗𝑜 𝒚 = 𝒈 𝒐 𝒚 𝑡𝑓𝑜𝑡𝑝𝑠𝐺𝑏𝑗𝑚 𝑢 Closed loop 𝐽 1 𝐽 2 𝑢𝑗𝑛𝑓𝑠 ∈ 𝐽 2 Dynamics sensor_fail power  Nonlinearity of ODE p = c 1 2θ c 20 p 2 + c 21 p + c 22 − c 12 c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 𝒚 = 𝒈 𝒕𝒈 𝒚 𝒚 = 𝒈 𝒒 𝒚 2 F c 2 + c 18 λ = c 26 (c 15 + c 16 c 25 F c + c 17 c 25 m c + c 19 m c c 25 F c − λ) p e = c 1 2c 23 θ c 20 p 2 + c 21 p + c 22 − c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 i = c 14 (c 24 λ − c 11 ) where c 11 (1 + i + c 13 (c 24 λ − c 11 ))(c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 ) 1 F c = m c = c 12 (c 2 + c 3 ωp + c 4 ωp 2 + c 5 ωp 2 ) CAV 2015 18

Powertrain Specification  Signal Temporal Logic: temporal specification for signals 𝑦 𝑦 1 3 +0.1 -0.1 1 0 t 0 60 50 100 t 100 □ [0,100] 𝑦 ∈ [1,3] □ [60,100] 𝑦 < 0.1 CAV 2015 19

Powertrain Specification  Signal Temporal Logic: temporal specification for signals 𝑦 𝑦 1 3 +0.1 -0.1 1 0 t 0 60 50 100 t 100 □ [0,100] 𝑦 ∈ [1,3] □ [60,100] 𝑦 < 0.1 𝐕 ≜ (𝒚 < 𝟐 ∨ 𝒚 > 𝟒) ∧ (𝒖 ≤ 𝟐𝟏𝟏) 𝐕 ≜ (𝒚 < −𝟏. 𝟐 ∨ 𝒚 > 𝟏. 𝟐) ∧ (𝒖 ≥ 𝟕𝟏 ∧ 𝒖 ≤ 𝟐𝟏𝟏)  Encoded as safety properties CAV 2015 20