Towards Proving Runtime Properties of Data-Driven Systems Using Safety Envelopes Samuel Breese Fotis Kopsaftopoulos Carlos Varela Rensselaer Polytechnic Institute Dynamic Data Driven Application Systems (DDDAS) Session International Workshop on Structural Health Monitoring (IWSHM) Stanford, September 12, 2019
Dynamic Data Driven Aerospace Systems
Overview
◮ Dynamic data-driven systems introduce complexity
◮ Often used in safety-critical domains (e.g. aerospace)
◮ Formal methods can yield stronger safety guarantees than testing
Formal Methods
◮ Computer-checked logical reasoning about a system
◮ Both automated and interactive approaches
◮ Requires a high level of rigor and detail, leading to high development costs
◮ Magnified in systems involving stochastic elements
◮ Novel methods and techniques can help offset these costs
Hierarchy of Theories (diagram; layers recovered from the slide text, foundational to applied): material set theory; algebraic theories; linear algebra, topology, real analysis; measure theory and integration, formal probability; higher-level statistical results
Approach: Safety Envelopes
◮ Analogous to a flight safety envelope in an aircraft
◮ Describes a safe subset of system states
◮ Associates that safe subset with some correctness guarantee
◮ Provable formally in the proof assistant
◮ Checkable in live system through runtime sentinel
Workflow (diagram; nodes recovered from the slide text: Operator, System model, Development of software (with proofs), Safety envelopes, Runtime sentinels, Live system; edges labelled informs, inform, generate, runs on, run on, control)
Runtime Sentinels
◮ Represent safe subsets as terms in some embedded domain-specific language
◮ Support evaluation to term in proof assistant
◮ Support generation of a program accessible from the runtime system
◮ Bring awareness of state-dependent formal properties to the system as it runs
Example: Introduction
◮ We study a model from Kopsaftopoulos and Chang associating a sensor reading from a wing with the likelihood that an aircraft is in a stall state
◮ Model is trained on experimental data from a wind tunnel, i.e. it is data driven
◮ We treat pairs of training data and runtime signal as system states
◮ Safe subset: intervals on runtime signal, (approximate) normality in training data
Example
Example: Model Formalization
We can view the model as a function $m : \mathbb{R}^n \to (\mathbb{R} \to \{\text{Stall}, \text{No Stall}\})$ or, equivalently, $m' : \mathbb{R}^n \times \mathbb{R} \to \{\text{Stall}, \text{No Stall}\}$, which allows us to treat pairs of training data and runtime signal energy as system states.
◮ We know that some intervals of runtime signal lead to “stall” classification
◮ Other intervals lead to “no stall” classification
Example: Correctness
We wish to prove that for all signal energies in a given interval, the model behaves in a predictable way.
◮ There is a set of signal energy means and variances $D(T)$ taken from the experimental data $T$ at various airspeeds and angles of attack.
◮ Let $S(T) \subseteq D(T)$ correspond to stall states.
◮ Model (partial) correctness can be expressed as:
$$\forall (\langle x, T \rangle : \mathbb{R} \times \mathbb{R}^n).\ \langle x, T \rangle \in \mathit{Safe} \to m'(\langle x, T \rangle) = \text{No Stall}$$
where $\mathit{Safe}$, the safe subset, is all $\langle x, T \rangle$ satisfying
$$(\forall (d \in D(T)).\ \mathrm{Gaussian}(d)) \wedge (\forall (d \in S(T)).\ |x - \mu(d)| > 3\sigma(d)) \wedge (\exists (d \in D(T) \setminus S(T)).\ |x - \mu(d)| < 3\sigma(d))$$
Example: Sentinel
◮ C program testing membership in safe subset
◮ Floating-point arithmetic for safe intervals of runtime signal
◮ Using standard statistical tests for normality on training data
◮ Neither of these is “exact”: disconnect between formal assumption and validation process
◮ Important area for future development
Partial support from: Air Force Office of Scientific Research DDDAS Program, Dr. E. Blasch (AFOSR Grant No. FA9550-19-1-0054).
Extra Slides
Experimental Signal Energy to Train Model (figure: top panel plots Normalized Signal (V) against Time (s) over 0 to 5 s; second panel spans -0.2 to 0.3 on its x-axis)
Pre-processed vs non-preprocessed data (normality visualization; figure: two panels, each plotting the Empirical CDF against the Standard Normal CDF with a 99% Conf. Int.)
Example: Full Correctness
◮ Let $S(T) \subseteq D(T)$ correspond to stall states.
◮ Analogously, the corresponding proposition for the “Stall” classification is similar except for an inversion of the roles of $S(T)$ and $D(T) \setminus S(T)$:
$$\forall (\langle x, T \rangle : \mathbb{R} \times \mathbb{R}^n).\ \langle x, T \rangle \in \mathit{Safe}' \to m'(\langle x, T \rangle) = \text{Stall}$$
where the new safe subset $\mathit{Safe}'$ is all $\langle x, T \rangle$ satisfying
$$(\forall (d \in D(T)).\ \mathrm{Gaussian}(d)) \wedge (\forall (d \in D(T) \setminus S(T)).\ |x - \mu(d)| > 3\sigma(d)) \wedge (\exists (d \in S(T)).\ |x - \mu(d)| < 3\sigma(d)).$$
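The sentinel sketched on the "Example: Sentinel" slide, written out for both envelopes above (Safe for No Stall, Safe′ for Stall). This is an added illustration, not the authors' C program: the `Condition` struct, the `gaussian` flag standing in for the normality test, and the `DEMO` statistics are all constructed here.

```c
#include <math.h>
#include <stddef.h>

/* One element d of D(T): signal-energy statistics for one training condition
 * (airspeed, angle of attack). `gaussian` stands in for the normality test the
 * slides mention; here it is a constructed flag, not a real statistical test. */
typedef struct {
    double mu;     /* mean signal energy, mu(d) */
    double sigma;  /* standard deviation, sigma(d) */
    int stall;     /* nonzero if d is in S(T) */
    int gaussian;  /* nonzero if the normality test accepted d */
} Condition;

typedef enum { VERDICT_UNSAFE = 0, VERDICT_NO_STALL = 1, VERDICT_STALL = 2 } Verdict;

/* Test membership of <x, T> in Safe (guarantee: No Stall) or Safe' (guarantee:
 * Stall). Both require every d in D(T) to be Gaussian; they differ only in which
 * of S(T) and D(T) \ S(T) must lie entirely beyond 3 sigma and which must have a
 * member within 3 sigma. Distances are floating point, so a point sitting exactly
 * on a 3 sigma boundary is reported unsafe rather than resolved either way. */
Verdict sentinel(double x, const Condition *d, size_t n)
{
    int all_stall_far = 1, all_nostall_far = 1;
    int some_stall_near = 0, some_nostall_near = 0;
    for (size_t i = 0; i < n; i++) {
        if (!d[i].gaussian)
            return VERDICT_UNSAFE;              /* formal assumption violated */
        double dist = fabs(x - d[i].mu), bound = 3.0 * d[i].sigma;
        if (d[i].stall) {
            if (dist <= bound) all_stall_far = 0;
            if (dist <  bound) some_stall_near = 1;
        } else {
            if (dist <= bound) all_nostall_far = 0;
            if (dist <  bound) some_nostall_near = 1;
        }
    }
    if (all_stall_far && some_nostall_near) return VERDICT_NO_STALL;
    if (all_nostall_far && some_stall_near) return VERDICT_STALL;
    return VERDICT_UNSAFE;  /* in neither envelope: no proven guarantee applies */
}

/* Constructed training statistics, not the wind-tunnel data from the talk. */
static const Condition DEMO[] = {
    { 0.10, 0.02, 0, 1 },  /* attached flow, low airspeed */
    { 0.30, 0.03, 0, 1 },  /* attached flow, higher airspeed */
    { 1.20, 0.05, 1, 1 },  /* stall */
};
#define DEMO_N (sizeof DEMO / sizeof DEMO[0])
```

A signal energy between the no-stall and stall clusters (for example 0.70 with the constructed data) falls in neither envelope, which is the case a runtime operator needs surfaced: the proved property says nothing about it.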
Example: Proof of Cramér’s Decomposition Theorem
The proof is based on the observation that the characteristic function $\varphi$ of the sum of independent normally distributed random variables $X_1$ and $X_2$ is the product of the characteristic functions of those variables:
$$\varphi_{X_1 + X_2}(t) = \varphi_{X_1}(t) \cdot \varphi_{X_2}(t)$$
$$\varphi_{X_1 + X_2}(t) = \left(e^{it\mu_1 - \frac{1}{2}\sigma_1^2 t^2}\right)\left(e^{it\mu_2 - \frac{1}{2}\sigma_2^2 t^2}\right)$$
$$\varphi_{X_1 + X_2}(t) = e^{it(\mu_1 + \mu_2) - \frac{1}{2}(\sigma_1^2 + \sigma_2^2) t^2}$$
which is the characteristic function of a normal random variable with mean $\mu_1 + \mu_2$ and variance $\sigma_1^2 + \sigma_2^2$.
Athena proof of Cramér’s Decomposition Theorem
Coq proof of Cramér’s Decomposition Theorem