Model Checking of Hybrid Systems, Goran Frehse, AVACS Autumn School (PowerPoint presentation)



  1. Model Checking of Hybrid Systems Goran Frehse AVACS Autumn School, October 1, 2015 Univ. Grenoble Alpes – Verimag, 2 avenue de Vignate, Centre Equation, 38610 Gières, France, frehse@imag.fr

  2. Overview
  • Hybrid Automata
  • Set-Based Reachability
  • Abstraction-Based Model Checking
  • Verification by Numerical Simulation
  • Conclusions

  3. Overview
  • Hybrid Automata
    – Example
    – Definition and Semantics
  • Set-Based Reachability
  • Abstraction-Based Model Checking
  • Verification by Numerical Simulation
  • Conclusions

  4. Example: Ball on String
  [Figure: a ball of mass $m$ on a string; positions $x$, $x_r$ and $x_r + L$ are marked. (a) extension, with the forces $F_g$ and $F_s$ acting on the ball; (b) freefall, with only $F_g$.]

  5. Equations of Motion
  • dynamics in freefall when $x \ge x_r$, with mass $m$: $m\ddot{x} = F_g = -mg$.
  • dynamics in extension when $x \le x_r$, with spring constant $k$ and damping factor $d$: $m\ddot{x} = F_g + F_s = -mg + kx_r - kx - d\dot{x}$.
  • transition when $x = x_r + L$, with collision factor $c \in [0, 1]$: $\dot{x}' = -c\,\dot{x}$.

  6. Hybrid Automaton Model
  auxiliary variable $v = \dot{x}$, so $\dot{v} = \ddot{x}$.
  [Figure: clip from the SpaceEx Model Editor¹]
  ¹ G. Frehse, C. Le Guernic, A. Donzé, R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang, and O. Maler, "SpaceEx: Scalable verification of hybrid systems," in CAV'11, ser. LNCS, Springer, 2011.

  7. Behavior
  [Figure: position $x$ and velocity $v$ plotted against time $t \in [0, 2.5]$, with the sample states $x_0, \dots, x_5$ and $v_0, \dots, v_5$ marked; $x$ ranges over about $[-1, 2]$ and $v$ over about $[-5, 5]$.]

  8. Overview
  • Hybrid Automata
    – Example
    – Definition and Semantics
  • Set-Based Reachability
  • Abstraction-Based Model Checking
  • Verification by Numerical Simulation
  • Conclusions

  9. Hybrid Automata (Alur, Henzinger, '95) [2][3]
  • locations $\mathrm{Loc} = \{\ell_1, \dots, \ell_m\}$ and variables $X = \{x_1, \dots, x_n\}$ define the state space $\mathrm{Loc} \times \mathbb{R}^X$,
  • transitions $\mathrm{Edg} \subseteq \mathrm{Loc} \times \mathrm{Lab} \times \mathrm{Loc}$ define location changes with synchronization labels $\mathrm{Lab}$,
  • invariant or staying condition $\mathrm{Inv} \subseteq \mathrm{Loc} \times \mathbb{R}^X$,
  • flow relation $\mathrm{Flow}$, where $\mathrm{Flow}(\ell) \subseteq \mathbb{R}^X \times \mathbb{R}^X$, e.g., $\dot{x} = f(x)$,
  • jump relation $\mathrm{Jump}$, where $\mathrm{Jump}(e) \subseteq \mathbb{R}^X \times \mathbb{R}^{X'}$, e.g., $\mathrm{Jump}(e) = \{(x, x') \mid x \in G \wedge x' = r(x)\}$,
  • initial states $\mathrm{Init} \subseteq \mathrm{Inv}$.

  10. Run Semantics
  $$(\ell_0, x_0) \xrightarrow{\delta_0,\, \xi_0} (\ell_0, \xi_0(\delta_0)) \xrightarrow{\alpha_0} (\ell_1, x_1) \xrightarrow{\delta_1,\, \xi_1} (\ell_1, \xi_1(\delta_1)) \ \dots$$
  with $(\ell_0, x_0) \in \mathrm{Init}$, $\alpha_i \in \mathrm{Lab} \cup \{\tau\}$, and for $i = 0, 1, \dots$:
  1. Trajectories: $(\dot{\xi}_i(t), \xi_i(t)) \in \mathrm{Flow}(\ell_i)$ and $\xi_i(t) \in \mathrm{Inv}(\ell_i)$ for all $t \in [0, \delta_i]$.
  2. Jumps: $(\xi_i(\delta_i), x_{i+1}) \in \mathrm{Jump}(e_i)$, $e_i = (\ell_i, \alpha_i, \ell_{i+1}) \in \mathrm{Edg}$, and $x_{i+1} \in \mathrm{Inv}(\ell_{i+1})$.
  A state $(\ell, x)$ is reachable if there exists a run with $(\ell_i, x_i) = (\ell, x)$ for some $i$.

  11. Example: Ball on String
  [Figure: phase plot of velocity $v$ (about $[-5, 5]$) against position $x \in [-1, 1]$, showing the run through the states $x_0$, $\xi_0(\delta_0) = x_1$, $\xi_1(\delta_1)$ and $x_2$, $\xi_2(\delta_2) = x_3$, $\xi_3(\delta_3) = x_4$, and $\xi_4(\delta_4) = x_5$.]

  12. Overview
  • Hybrid Automata
  • Set-Based Reachability
    – Piecewise Constant Dynamics
    – Piecewise Affine Dynamics
    – Set Representations
  • Abstraction-Based Model Checking
  • Verification by Numerical Simulation
  • Conclusions

  13. Set-Based Reachability
  Extending numerical simulation from numbers to sets:
  • accounts for nondeterminism
  • exhaustive
  • infinite time horizon
  Downsides:
  • only approximate for complex dynamics
  • generally not scalable in the number of variables
  • trade-off between runtime and accuracy

  14. Reachability Algorithm
  One-step successors by time elapse from a set of states $S$:
  $$\mathrm{Post}_C(S) = \bigl\{ (\ell, \xi(\delta)) \ \big|\ \exists (\ell, x) \in S : (\ell, x) \xrightarrow{\delta,\, \xi} (\ell, \xi(\delta)) \bigr\}.$$
  One-step successors by jump from a set of states $S$:
  $$\mathrm{Post}_D(S) = \bigl\{ (\ell', x') \ \big|\ \exists (\ell, x) \in S,\ \exists \alpha \in \mathrm{Lab} \cup \{\tau\} : (\ell, x) \xrightarrow{\alpha} (\ell', x') \bigr\}.$$

  15. Reachability Algorithm
  Compute the sequence
  $$R_0 = \mathrm{Post}_C(\mathrm{Init}), \qquad R_{i+1} = R_i \cup \mathrm{Post}_C(\mathrm{Post}_D(R_i)).$$
  If $R_{i+1} = R_i$, then $R_i$ = reachable states.
  • may not terminate if states are unbounded (counter)
  • problem undecidable in general²
  ² T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, "What's decidable about hybrid automata?" Journal of Computer and System Sciences, vol. 57, pp. 94–124, 1998.
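As an added illustration of this fixpoint iteration (example code, not from the slides), the following Python runs $R_0 = \mathrm{Post}_C(\mathrm{Init})$, $R_{i+1} = R_i \cup \mathrm{Post}_C(\mathrm{Post}_D(R_i))$ on a constructed one-variable PCDA, a thermostat whose heating and cooling rates are intervals, representing the states of each location by one interval; the thermostat model and all its constants are assumptions made for the example.

```python
INF = float("inf")

def meet(a, b):
    """Intersection of two intervals (None stands for the empty set)."""
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def join(a, b):
    """Interval hull of a union: exact when the intervals overlap, an over-approximation otherwise."""
    if a is None or b is None:
        return a or b
    return (min(a[0], b[0]), max(a[1], b[1]))

def elapse(iv, rate, inv):
    """Post_C for one location of a 1-D PCDA: let time pass from interval iv with the
    derivative anywhere in the interval rate, while staying inside the invariant inv."""
    lo, hi = iv
    if rate[1] > 0:
        hi = INF          # a positive derivative is allowed, so x may grow without bound
    if rate[0] < 0:
        lo = -INF         # a negative derivative is allowed, so x may shrink without bound
    return meet((lo, hi), inv)

def reach(locs, edges, init, max_iter=100):
    """Iterate R_0 = Post_C(Init), R_{i+1} = R_i U Post_C(Post_D(R_i)) until R_{i+1} = R_i.
    locs: loc -> (rate, inv); edges: (src, dst, guard) with identity reset; init: loc -> interval.
    Returns the reachable interval per location and the number of iterations used."""
    R = {l: elapse(iv, *locs[l]) for l, iv in init.items()}
    for i in range(1, max_iter + 1):
        post_d = {}
        for src, dst, guard in edges:                  # Post_D: guard, then target invariant
            s = meet(meet(R.get(src), guard), locs[dst][1])
            if s:
                post_d[dst] = join(post_d.get(dst), s)
        new = dict(R)
        for l, iv in post_d.items():                   # Post_C of the jump successors
            new[l] = join(new.get(l), elapse(iv, *locs[l]))
        if new == R:
            return R, i
        R = new
    raise RuntimeError("no fixpoint within max_iter iterations (the slide warns this can happen)")

# Constructed thermostat (an assumption, not a model from the slides): heating raises x at a
# rate in [1, 2] while x <= 22, cooling lowers it at a rate in [-3, -1] while x >= 18;
# it switches to cooling once x >= 21 and back to heating once x <= 19.
THERMOSTAT = {"heat": ((1, 2), (-INF, 22)), "cool": ((-3, -1), (18, INF))}
EDGES = [("heat", "cool", (21, INF)), ("cool", "heat", (-INF, 19))]
INIT = {"heat": (19, 20)}

if __name__ == "__main__":
    print(reach(THERMOSTAT, EDGES, INIT))   # ({'heat': (18, 22), 'cool': (18, 22)}, 3)
```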

  16. Ball on String: Reachable States
  [Figure: clip from SpaceEx output]

  17. HA with Piecewise Constant Dynamics (PCDA, LHA)
  • initial states and invariants given by conjunctions of linear constraints,
  • flows given by conjunctions of linear constraints over the derivatives $\dot{X}$, and
  • jumps given by linear constraints over $X \cup X'$, where $X'$ denotes the variables after the jump.
  One-step successors of PCDA can be computed exactly.

  18. Polyhedra in Constraint Form
  $\mathcal{H}$-polyhedron (constraint form):
  $$P = \Bigl\{ x \ \Big|\ \bigwedge_{i=1}^{m} a_i^T x \le b_i \Bigr\},$$
  with facet normals $a_i \in \mathbb{R}^n$ and inhomogeneous coefficients $b_i \in \mathbb{R}$.
  Vector-matrix notation:
  $$P = \{ x \mid A x \le b \}, \quad \text{with } A = \begin{pmatrix} a_1^T \\ \vdots \\ a_m^T \end{pmatrix}, \ b = \begin{pmatrix} b_1 \\ \vdots \\ b_m \end{pmatrix}.$$

  19. Geometric Operations
  [Figure: two panels in the $(x_1, x_2)$ plane, showing the cone $\mathrm{pos}(Q)$ of a set $Q$ and the Minkowski sum $P \oplus Q$.]
  The convex hull of $Q$ is $\mathrm{chull}(Q) = \bigl\{ \sum_{q_i \in Q} \lambda_i \cdot q_i \ \big|\ \lambda_i \ge 0,\ \sum_i \lambda_i = 1 \bigr\}$.
  The cone of $Q$ is $\mathrm{pos}(Q) = \{ q \cdot t \mid q \in Q,\ t \ge 0 \}$.
  The Minkowski sum is $P \oplus Q = \{ p + q \mid p \in P,\ q \in Q \}$.

  20. Polyhedra in Generator Form
  $\mathcal{V}$-polyhedron (generator form):
  $$P = (V, R) = \mathrm{chull}(V) \oplus \mathrm{pos}(\mathrm{chull}(R)),$$
  with vertices $V \subseteq \mathbb{R}^n$ and rays $R \subseteq \mathbb{R}^n$.
  Conversion between $\mathcal{H}$- and $\mathcal{V}$-polyhedra is expensive:
  • cube: $2n$ constraints, $2^n$ vertices
  • cross-polytope (diamond): $2n$ vertices, $2^n$ constraints

  21. Time Elapse with Polyhedra
  For PCDA, it suffices to consider straight-line trajectories:
  Lemma (Constant Derivatives³). There is a trajectory $\xi(t)$ from $x = \xi(0)$ to $x' = \xi(\delta)$, $\delta > 0$, iff $\eta(t) = x + q\,t$ with $q = (x' - x)/\delta$ is a trajectory from $x$ to $x'$.
  ³ P.-H. Ho, "Automatic analysis of hybrid systems," Technical Report CSD-TR95-1536, PhD thesis, Cornell University, Aug. 1995.

  22. Time Elapse with Polyhedra
  Given polyhedra $P = \{ x \mid A x \le b \}$ and $Q = \{ q \mid \bar{A} q \le \bar{b} \}$.
  Time successors (without invariant):
  $$P \nearrow Q = \{ x' \mid x \in P,\ q \in Q,\ t \in \mathbb{R}_{\ge 0},\ x' = x + q\,t \}.$$
  Eliminating $q = (x' - x)/t$ for $t > 0$ and multiplying with $t$:
  $$P \nearrow Q = \{ x' \mid A x \le b \ \wedge\ \bar{A}(x' - x) \le \bar{b} \cdot t \ \wedge\ t \ge 0 \}.$$
  Quantifier elimination of $t$ squares the number of constraints.

  23. Time Elapse with Polyhedra – Geometric Version
  [Figure: in the $(x_1, x_2)$ plane, (a) the cone $\mathrm{pos}(Q)$ and (b) $P \nearrow Q = P \oplus \mathrm{pos}(Q)$.]
  Intersect with invariant:
  $$\mathrm{post}_C(\ell \times P) = \ell \times \bigl( P \nearrow \mathrm{Flow}(\ell) \cap \mathrm{Inv}(\ell) \bigr).$$
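As an added example (not code from the slides or from SpaceEx/PHAVer), the following Python computes $P \nearrow Q$ in the constraint form of slide 22 for a constructed two-variable PCDA location: it sets up the constraints over $(x', x, t)$ and projects onto $x'$ by Fourier-Motzkin elimination in exact rational arithmetic. The sample sets, $P$ the unit box and $Q$ the derivatives $\dot{x}_1 = 1$, $\dot{x}_2 \in [1, 2]$, are my choice for the example.

```python
from fractions import Fraction as Fr

def fm_eliminate(rows, j):
    """One Fourier-Motzkin step: project rows (a, b), meaning a . y <= b, onto all
    variables except index j. Every (positive, negative) pair in column j gives one new row."""
    pos = [r for r in rows if r[0][j] > 0]
    neg = [r for r in rows if r[0][j] < 0]
    out = [r for r in rows if r[0][j] == 0]
    for ap, bp in pos:
        for an, bn in neg:
            cp, cn = ap[j], -an[j]        # scale factors so that the j-coefficients cancel
            out.append(([cn * p + cp * n for p, n in zip(ap, an)], cn * bp + cp * bn))
    # drop rows that collapsed to the trivial "0 <= b" with b >= 0
    return [(a, b) for a, b in out if any(a) or b < 0]

def time_elapse(A, b, Abar, bbar):
    """P = {x | A x <= b}, Q = {q | Abar q <= bbar}. Returns constraint rows on x' describing
    P /> Q = {x' | exists x in P, t >= 0 : Abar (x' - x) <= bbar t}.
    Intermediate variable layout: [x'_1 .. x'_n, x_1 .. x_n, t]."""
    n = len(A[0])
    z = [Fr(0)] * n
    rows = []
    for a, bi in zip(A, b):                              # x in P
        rows.append((z + [Fr(v) for v in a] + [Fr(0)], Fr(bi)))
    for a, bi in zip(Abar, bbar):                        # Abar (x' - x) - bbar t <= 0
        a = [Fr(v) for v in a]
        rows.append((a + [-v for v in a] + [-Fr(bi)], Fr(0)))
    rows.append((z + z + [Fr(-1)], Fr(0)))               # t >= 0
    for j in range(2 * n, n - 1, -1):                    # eliminate t, then x_n .. x_1
        rows = fm_eliminate(rows, j)
    return [(a[:n], bi) for a, bi in rows]               # only x' columns remain

def contains(rows, point):
    """Membership test of a point against all constraint rows."""
    return all(sum(ai * Fr(p) for ai, p in zip(a, point)) <= bi for a, bi in rows)

# Constructed example: P is the unit box, Q fixes dx1/dt = 1 and allows dx2/dt in [1, 2].
A = [[1, 0], [-1, 0], [0, 1], [0, -1]]
b = [1, 0, 1, 0]
Abar = [[1, 0], [-1, 0], [0, 1], [0, -1]]
bbar = [1, -1, 2, -1]
REACH = time_elapse(A, b, Abar, bbar)

if __name__ == "__main__":
    for a, bi in REACH:
        print([str(v) for v in a], "<=", bi)
    print(contains(REACH, (3, 5)), contains(REACH, (3, 8)))   # True False
```

Each elimination step pairs every positive-coefficient row with every negative one, which is the blow-up the slide refers to; the projected rows may still contain redundant constraints, so membership is tested against all of them.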

  24. Discrete Successors
  Edge $e = (\ell, \alpha, \ell')$ with guard $x \in G$ and nondeterministic assignment $x' = C x + w$, $w \in W$:
  $$\mathrm{post}_D(\ell \times P) = \ell' \times \bigl( (C(P \cap G) \oplus W) \cap \mathrm{Inv}(\ell') \bigr).$$
  If the linear map $C$ is singular, the constraints require quantifier elimination; otherwise $C P = \{ x \mid A C^{-1} x \le b \}$.

  25. Computational Cost
  polyhedra operation    m constraints    k generators
  cone                   m²               k
  Minkowski sum          exp              k²
  linear map             m / exp          k
  intersection           2m               exp

  26. Complex Behavior in PCDA
  Linear Hybrid Automata
  • chaos
    – even with 1 variable, 1 location, 1 transition (tent map)
    – observed in actual production systems [Schmitz, 2002]
  [Figure: states of the tent map (source: Wikipedia); brewery and chaotic throughput [Schmitz, 2002].]
  Schmitz, J. P. M., D. A. van Beek, and J. E. Rooda, "Chaos in discrete production systems?", Journal of Manufacturing Systems 21.3.

  27. Example: Multi-Product Batch Plant

  28. Example: Multi-Product Batch Plant
  • Cascade mixing process
    – 3 educts via 3 reactors → 2 products
  • Verification Goals
    – Invariants: overflow; product tanks never empty
    – Filling sequence
  • Design of verified controller
  [Figure: plant schematic with level sensors LIS11, LIS12, LIS13, LIS21, LIS22, LIS23, LIS31, LIS32, quality sensors QIS21, QIS22, QIS23, and three mixers M.]

  29. Verification with PHAVer
  • Controller + Plant
    – 266 locations, 823 transitions (~150 reachable)
    – 8 continuous variables
  • Reachability over infinite time
    – 120s–1243s, 260–600MB
    – computation cost increases with nondeterminism (intervals for throughputs, initial states)
  [Figure: Controller and Controlled Plant.]

  30. Verification with PHAVer

  31. Overview
  • Hybrid Automata
  • Set-Based Reachability
    – Piecewise Constant Dynamics
    – Piecewise Affine Dynamics
    – Set Representations
  • Abstraction-Based Model Checking
  • Verification by Numerical Simulation
  • Conclusions

  32. Piecewise Affine Dynamics
  Hybrid automata with piecewise affine dynamics (PWA):
  • initial states and invariants are polyhedra,
  • flows are affine ODEs $\dot{x} = A x + B u$, $u \in U$,
  • jumps have a guard set and assignments $x' = C x + w$, $w \in W$.

  33. Continuous Successors
  $\dot{x} = A x + B u$, $u \in U$; trajectory $\xi(t)$ from $\xi(0) = x_0$ for a given input signal $\zeta(t) \in U$:
  $$\xi_{x_0, \zeta}(t) = e^{At} x_0 + \int_0^t e^{A(t-s)} B\, \zeta(s)\, ds.$$
  Reachable states from a set $X_0$ for any input signal:
  $$X_t = e^{At} X_0 \oplus Y_t = e^{At} X_0 \oplus \lim_{\delta \to 0} \bigoplus_{k=0}^{\lfloor t/\delta \rfloor} e^{A \delta k}\, \delta\, U, \qquad Y_t = \int_0^t e^{As} U\, ds.$$
