Hybrid System Falsification and Reinforcement Learning


  1. Hybrid System Falsification and Reinforcement Learning. Formal Method for Cyber-Physical Systems. Clovis Eberhart, David Sprunger. National Institute of Technology, Japan. SOKENDAI lesson, July 1, 8, and 22.

  2. Lecture structure
     Lectures:
     1st: falsification (problem, framework, logics...), by me
     2nd: deep learning for falsification (learning, reinforcement learning, application to falsification...), by David
     3rd: advanced techniques in falsification and reinforcement learning, by David and me
     Evaluation: easy practical assignment (in Python).
     Questions? Ask them during the lesson. Find me at my desk (Palaceside building). clovis.eberhart@gmail.com

  3. First lecture overview
     1 Formal methods landscape
     2 Framework
     3 Hybrid systems
     4 Formulas
     5 Optimisation

  4. Table of Contents (section divider, current section: 1 Formal methods landscape). Outline: 1 Formal methods landscape, 2 Framework, 3 Hybrid systems, 4 Formulas, 5 Optimisation.

  5. Formal method landscape (figure only). Figure from Kapinski, Deshmukh, Jin, Ito, Butts, Simulation-Based Approaches for Verification of Embedded Control Systems, IEEE Control Systems Magazine, 2016.

  6–7. Testing
     Given: a system S, a property ϕ. Goal: generate a test suite {t_i}_{i ∈ I}.
     Characteristics: simple (run tests); black-box (unknown systems); versatile (guarantees, explainable failures...); no formal guarantee; too general.

  8–10. Verification
     Given: a model M, a property ϕ. Goal: automatically prove that M ⊨ ϕ.
     Characteristics: complex (design model, use specific techniques, so typically not used by engineers); white-box (known systems only); formal proof (strong guarantee); ill-suited to CPS (continuous systems).
     Theorem proving. Given: a model M, a property ϕ. Goal: prove that M ⊨ ϕ (as verification, but without the word "automatically").

  11–12. Falsification
     Given: a system S, a property ϕ. Goal: generate a counterexample to S ⊨ ϕ.
     Characteristics: particular case of testing; black-box (unknown systems); relatively simple; no proof (no formal guarantee).

  13–15. Verification versus falsification
     Verification: finds a proof: the system satisfies the property; finds nothing: nothing can be said.
     Falsification: finds a counterexample: the system violates the property; finds nothing: nothing can be said.
     Interaction: verification for falsification: constrain the state space by reachability analysis; falsification for verification: coverage-based falsification techniques.

  16. Table of Contents (section divider, current section: 2 Framework). Outline: 1 Formal methods landscape, 2 Framework, 3 Hybrid systems, 4 Formulas, 5 Optimisation.

  17–24. General framework
     Reminder. Given: a system S, a property ϕ. Goal: generate a counterexample to S ⊨ ϕ.
     Questions:
     What is a system? → a hybrid system
     What is a property? → a logical formula
     What is a counterexample? → an input (and output) signal to the system that violates the property
     Challenges: infinite (and high-dimensional) search space; non-linear dynamics.

  25–26. The falsification loop (figure). A generator produces an input signal σ_in, which is fed to the system S to produce σ_out; a checker tests σ_out against ϕ. If σ_out ⊨ ϕ, control goes back to the generator for a new σ_in; if σ_out ⊭ ϕ, the loop exits and returns σ_in (or the pair (σ_in, σ_out)) as the counterexample.

  27. The falsification algorithm
     Input: a system S, a formula ϕ, a satisfaction predicate ⊨, and a timeout t_max
     Output: a signal σ_in such that S(σ_in) ⊭ ϕ
       found = false;
       while not(found) and t < t_max do
         σ_in = generate();
         σ_out = S(σ_in);
         found = σ_out ⊭ ϕ;
       end
       if found then return σ_in else return "timeout" end

  28–29. Optimisation-based falsification (figure). Same loop as before, but the checker now computes a robustness value ρ(σ_out, ϕ) instead of a yes/no verdict: if ρ(σ_out, ϕ) ≥ 0, the value is handed back to the generator, which uses it to choose the next σ_in; if ρ(σ_out, ϕ) < 0, the loop exits and returns σ_in (or (σ_in, σ_out)).

  30. The optimisation-based falsification algorithm
     Input: a system S, a formula ϕ, a robustness function ρ, and a timeout t_max
     Output: a signal σ_in such that S(σ_in) ⊭ ϕ
       found = false;
       while not(found) and t < t_max do
         σ_in = search_minimum(ρ);
         σ_out = S(σ_in);
         found = ρ(σ_out, ϕ) < 0;
       end
       if found then return σ_in else return "timeout" end
     Required: ρ(σ, ϕ) ≥ 0 ⟺ σ ⊨ ϕ
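Both loops, the Boolean one of slide 27 and the robustness-guided one of slide 30, run below on one small constructed system, as an added example that is not part of the lecture material. The system S (a speed driven by a piecewise-constant throttle signal), the property ϕ = G(x ≤ v_max), the robustness ρ(σ, ϕ) = min_k (v_max − x_k), the parameter values, and the single-coordinate hill climb standing in for search_minimum(ρ) are all assumptions made for this example; the block also checks the requirement ρ(σ, ϕ) ≥ 0 ⟺ σ ⊨ ϕ on random signals.

```python
"""The two falsification loops of slides 27 and 30 on a toy system.

Added example, not from the slides: the system S, the property phi, the
parameter values and the hill-climbing stand-in for search_minimum(rho)
are all constructed for illustration.
"""
import random
from typing import List, Optional

Signal = List[float]

# Constructed toy system S: speed x driven by a throttle u in [-1, 1], piecewise
# constant over SEGMENTS segments of STEPS_PER_SEGMENT steps each:
#   x_{k+1} = x_k + DT * (A_MAX * u_k - DRAG * x_k),  x_0 = 0
DT, A_MAX, DRAG = 0.5, 2.0, 0.2
SEGMENTS, STEPS_PER_SEGMENT = 4, 5
V_MAX = 8.5  # property phi: globally x <= V_MAX (full throttle reaches about 8.78)


def system(u_in: Signal) -> Signal:
    """S: input signal (one throttle value per segment) -> output signal (speed per step)."""
    x, out = 0.0, []
    for u in u_in:
        for _ in range(STEPS_PER_SEGMENT):
            x = x + DT * (A_MAX * u - DRAG * x)
            out.append(x)
    return out


def satisfies(x_out: Signal) -> bool:
    """Boolean checker of slide 27: sigma_out |= phi, with phi = G(x <= V_MAX)."""
    return all(x <= V_MAX for x in x_out)


def robustness(x_out: Signal) -> float:
    """rho(sigma_out, phi) of slide 30: the worst margin to violation over the
    trace. It is >= 0 exactly when satisfies() holds."""
    return min(V_MAX - x for x in x_out)


def random_input(rng: random.Random) -> Signal:
    return [rng.uniform(-1.0, 1.0) for _ in range(SEGMENTS)]


def robustness_consistent(samples: int = 500, seed: int = 1) -> bool:
    """Check the requirement rho(sigma, phi) >= 0 <=> sigma |= phi on random signals."""
    rng = random.Random(seed)
    for _ in range(samples):
        x_out = system(random_input(rng))
        if (robustness(x_out) >= 0.0) != satisfies(x_out):
            return False
    return True


def falsify_boolean(budget: int, seed: int = 0) -> Optional[Signal]:
    """Slide 27: generate(), run S, stop when the checker says sigma_out |/= phi.
    A yes/no verdict gives the generator no guidance, so it samples blindly."""
    rng = random.Random(seed)
    for _ in range(budget):  # the budget plays the role of t_max
        u_in = random_input(rng)
        if not satisfies(system(u_in)):
            return u_in
    return None  # "timeout": nothing can be said about S |= phi


def falsify_optimisation(budget: int, seed: int = 0, sigma: float = 0.3) -> Optional[Signal]:
    """Slide 30: drive rho(S(u), phi) below 0. search_minimum(rho) is a stochastic
    hill climb here: perturb one throttle value, keep the candidate when rho does
    not increase (ties are kept so that plateaus of the max can be crossed)."""
    rng = random.Random(seed)
    best = random_input(rng)
    best_rho = robustness(system(best))
    for _ in range(budget):
        if best_rho < 0.0:
            return best  # counterexample: S(best) |/= phi
        cand = list(best)
        k = rng.randrange(SEGMENTS)
        cand[k] = min(1.0, max(-1.0, cand[k] + rng.gauss(0.0, sigma)))
        cand_rho = robustness(system(cand))
        if cand_rho <= best_rho:
            best, best_rho = cand, cand_rho
    return best if best_rho < 0.0 else None


if __name__ == "__main__":
    print("Boolean search     :", falsify_boolean(2000))
    u_in = falsify_optimisation(5000)
    print("optimisation-based :", u_in,
          "rho =", None if u_in is None else robustness(system(u_in)))
```

With a yes/no checker the generator learns nothing from a near miss, so uniform sampling of the four throttle values practically never pushes the speed over v_max within the budget, while the robustness value tells the optimiser which way to move and the hill climb reaches a violating input. Note that the same budget bounds both loops and that a run which exhausts it says nothing about S ⊨ ϕ, exactly as on slides 13–15.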

  31. Table of Contents (section divider, current section: 3 Hybrid systems). Outline: 1 Formal methods landscape, 2 Framework, 3 Hybrid systems, 4 Formulas, 5 Optimisation.

  32. Hybrid systems
     Definition: A hybrid system is a dynamical system that exhibits both continuous and discrete dynamic behavior – a system that can both flow (described by a differential equation) and jump (described by a state machine or automaton). (Wikipedia)
     Reference: Fehnker, Ivančić, Benchmarks for Hybrid Systems Verification, Hybrid Systems: Computation and Control (HSCC), 2004, pp. 326–341.

  33. Hybrid system: definition
     A hybrid system is a tuple H = (Q, X, GUARD, JUMP, U, FLOW) of:
     a finite set of modes Q;
     a family of continuous state spaces X = {X_q ⊆ R^{n_q} | q ∈ Q};
     GUARD_{q,q'} ⊆ X_q, the set of states in X_q that can transition to mode q';
     JUMP_{q,q'} : X_q → X_{q'}, describing the transition from q to q';
     U, the input space;
     FLOW_q, a set of differential equations in X_q and U, seen as a function X_q × U × R_{≥0} → X_q.

  34–39. Example of hybrid system: thermostat
     (Figure: automaton with two modes. Mode q0: dT/dt = −KT, invariant T ≥ T0. Mode q1: dT/dt = K(h − T), invariant T ≤ T1. Edge q0 → q1 labelled "T = T0 | ·", edge q1 → q0 labelled "T = T1 | ·", read as "guard | reset" with "·" standing for no reset.)
     Q = {q0, q1},
     X_q0 = {T ∈ R | T ≥ T0},
     X_q1 = {T ∈ R | T ≤ T1},
     GUARD_{q0,q1} = {m},
     GUARD_{q1,q0} = {M} (m and M are the switching temperatures, labelled T0 and T1 on the edges of the figure).
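The thermostat above, encoded as the tuple (Q, X, GUARD, JUMP, U, FLOW) of slide 33 and simulated, as an added example that is not part of the slides. Assumptions: the switching temperatures m and M are taken to be T0 and T1 as on the figure's edges; each FLOW_q is the closed-form solution of the mode's ODE; U is ignored because this thermostat has no input; the numeric parameter values are made up. A guard is written as a real-valued function g whose zero set is GUARD_{q,q'}, approached from g > 0; when a fixed-step simulation would step past the guard, the simulator bisects inside that step so the jump is taken on the guard, which is what keeps every state of the trace inside its mode's invariant X_q.

```python
"""Thermostat hybrid automaton as the tuple (Q, X, GUARD, JUMP, U, FLOW).

Added example; the parameter values, the guard encoding and the closed-form
flows are assumptions made here, not taken from the slides.
"""
from dataclasses import dataclass
from math import exp
from typing import Callable, Dict, List, Tuple

State = float   # X_q is one-dimensional here: a temperature T
Input = float   # U: the thermostat has no input, so the value is ignored
Mode = str
Trace = List[Tuple[float, Mode, State]]


@dataclass
class HybridSystem:
    modes: List[Mode]                                          # Q
    flow: Dict[Mode, Callable[[State, Input, float], State]]   # FLOW_q(x, u, t)
    guard: Dict[Tuple[Mode, Mode], Callable[[State], float]]   # GUARD_{q,q'} = {x | g(x) = 0}
    jump: Dict[Tuple[Mode, Mode], Callable[[State], State]]    # JUMP_{q,q'}

    def crossing_time(self, q: Mode, x: State, u: Input, dt: float,
                      g: Callable[[State], float], tol: float = 1e-9) -> float:
        """Bisect for the earliest t in (0, dt] with g(FLOW_q(x, u, t)) <= 0.
        Assumes the flow crosses the guard once within the step, which holds
        for the monotone thermostat flows."""
        lo, hi = 0.0, dt
        while hi - lo > tol:
            mid = 0.5 * (lo + hi)
            if g(self.flow[q](x, u, mid)) <= 0.0:
                hi = mid
            else:
                lo = mid
        return hi

    def simulate(self, q: Mode, x: State, inputs: Callable[[float], Input],
                 dt: float, horizon: float) -> Trace:
        """Flow in steps of dt; when a step would cross a guard, flow only up to
        the crossing, apply the jump and switch mode."""
        t = 0.0
        trace: Trace = [(t, q, x)]
        while t < horizon:
            u = inputs(t)
            x_next = self.flow[q](x, u, dt)
            for (src, dst), g in self.guard.items():
                if src == q and g(x_next) <= 0.0:
                    tau = self.crossing_time(q, x, u, dt, g)
                    x_on_guard = self.flow[q](x, u, tau)
                    x = self.jump[(src, dst)](x_on_guard)
                    q, t = dst, t + tau
                    break
            else:
                x, t = x_next, t + dt
            trace.append((t, q, x))
        return trace


def thermostat(T0: float, T1: float, h: float, K: float) -> HybridSystem:
    """The slides' thermostat: cool in q0 until T = T0, heat in q1 until T = T1."""
    return HybridSystem(
        modes=["q0", "q1"],
        flow={
            # q0: dT/dt = -K T, solution T(t) = T e^{-Kt}
            "q0": lambda T, u, t: T * exp(-K * t),
            # q1: dT/dt = K (h - T), solution T(t) = h + (T - h) e^{-Kt}
            "q1": lambda T, u, t: h + (T - h) * exp(-K * t),
        },
        guard={
            ("q0", "q1"): lambda T: T - T0,  # {T0}: crossed when T falls to T0
            ("q1", "q0"): lambda T: T1 - T,  # {T1}: crossed when T rises to T1
        },
        jump={("q0", "q1"): lambda T: T, ("q1", "q0"): lambda T: T},  # "·": no reset
    )


def count_switches(trace: Trace) -> int:
    return sum(1 for (_, qa, _), (_, qb, _) in zip(trace, trace[1:]) if qa != qb)


def respects_invariants(trace: Trace, T0: float, T1: float, eps: float = 1e-6) -> bool:
    """Every state lies in the X_q of its mode: T >= T0 in q0, T <= T1 in q1."""
    return all((T >= T0 - eps) if q == "q0" else (T <= T1 + eps) for _, q, T in trace)


if __name__ == "__main__":
    H = thermostat(T0=18.0, T1=22.0, h=30.0, K=0.1)
    tr = H.simulate("q0", 20.0, lambda t: 0.0, dt=0.05, horizon=200.0)
    print("switches:", count_switches(tr), "invariants ok:", respects_invariants(tr, 18.0, 22.0))
```

Without the bisection the discrete step would land below T0 (or above T1) before the guard is noticed, the jump would be taken from a state outside X_q, and a falsification run against a property such as "T stays within [T0, T1]" would report a spurious violation caused by the simulator rather than the system.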
