Verified Runtime Validation of Verified Cyber-Physical System Models

Stefan Mitsch, André Platzer
Computer Science Department, Carnegie Mellon University
CPS V&V I&F Workshop, Dec. 12, 2014
For details, see the ModelPlex paper at RV'14.

Stefan Mitsch, André Platzer—Verified Runtime Validation of Verified Cyber-Physical System Models 1 of 9
Formal Verification in CPS Development

[Diagram] Real CPS --abstract--> Model α*, a control/plant loop:
  Control α_ctrl (e.g. v := v + 1) --act--> Plant α_plant (e.g. x' = v) --sense--> Control ...
  Model α* --Proof, Reachability Analysis, ...--> Verification Results: safe

Challenge: Verification results about models only apply if the CPS fits the model.
⇒ Verifiably correct runtime model validation
Runtime Model Validation

Ensures that verification results about models apply to CPS implementations.

[Diagram] Observed states i−1, i, i+1, ... of the real CPS next to Model α (control α_ctrl, plant; predict, turn).
  Questions per cycle: model adequate? control safe? until next cycle?

Insights
- Verification results transfer to the CPS when model compliance is validated at runtime
- Compliance with the model is characterizable in logic
- The compliance formula is transformed by proof into an executable monitor
Model Validation at Runtime: "Simplex for Models"

[Diagram] Sensors → Controller → ModelPlex compliance monitor → Actuators; a Fallback is switched in when the monitor is not satisfied.

Compliance Monitor: checks the CPS for compliance with the model at runtime
Fallback: safe action, executed when the monitor is not satisfied

Challenge: What conditions do the monitors need to check to be safe?

Challenge: Monitorability
- Our current monitors compare two consecutive states (but: which conditions can we actually observe?)
- Monitoring a history of states becomes necessary when temporal operators are used in the safety condition

Challenge: Monitor assumptions (if not modeled otherwise)
- Intercepts all communication: sensors - controller - actuators
- Untampered, time-consistent and unit-consistent values (the monitor trusts its inputs; integrity of the sensor and actuator path has to be established elsewhere or modeled explicitly)
- No execution overhead, no clock drift
- No communication delays (sensor - controller - monitor - actuator)

Challenge: Fallback and enforceability
- Cannot just disallow unsafe actions, need a (redundant) fallback
- Which properties are enforceable with a specific fallback action?
- What is an appropriate fallback to enforce a specific property?
- Enforceability of temporal properties is tricky

Challenge: Fallback assumptions (if not modeled otherwise)
- Executable unconditionally
- Immediate reaction

Challenge: Platform assumptions
- Reals vs. floats (currently: interval arithmetic)
- Correct compiler and processor
Monitor Characterization

When are two states linked through a run of model α?

[Diagram] prior state i−1, characterized by x−, and posterior state i, characterized by x+, linked through a run of Model α

Semantical: (x−, x+) ∈ ρ(α), the reachability relation of α:
  starting at x = x−, there exists a run of α to a state where x = x+

Logic (dL): (x = x−) → ⟨α(x)⟩(x = x+)
  Theorem: the logical characterization coincides with the semantical one.

Offline: a dL proof of this formula yields F(x−, x+), a formula of real arithmetic, such that
  F(x−, x+) → ((x = x−) → ⟨α(x)⟩(x = x+))
  i.e. whenever F holds for the observed states, they are linked through a run of α.
Runtime: check F(x−, x+) on the observed states (efficient real-arithmetic evaluation)
Challenges

What is missing to ensure that proofs apply to real CPS?
- Monitorability, fallback and enforceability, implementation
- Synthesis
- Model quality, model adaptation

[Diagram] Observed states i−1, i, i+1, ... against Model α (control α_ctrl, plant), with three monitors per cycle:
  Model Monitor: model adequate?   Controller Monitor: control safe?   Prediction Monitor: until next cycle?
Synthesis Challenges

The proof calculus of dL executes models symbolically.

[Diagram] prior state x− (state i−1) → Model α = climb ∪ descend → posterior state x+ (state i)

Proof attempt: (x = x−) → ⟨climb ∪ descend⟩(x = x+)

Axiom ⟨∪⟩:  ⟨climb ∪ descend⟩φ ↔ ⟨climb⟩φ ∨ ⟨descend⟩φ

The axiom splits the proof into the two branches
  ⟨climb⟩(x = x+) ∨ ⟨descend⟩(x = x+)
and continuing symbolically on each branch yields the monitor
  F1(x−, x+) ∨ F2(x−, x+)
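The following Python program is an added example, not code from the slides or from the ModelPlex tool. It spells out, for the toy model of slide 2 combined with the choice of slide 7, the two-state monitor F(x−, x+) of slide 5, the disjunction F1 ∨ F2 that the ⟨∪⟩ axiom produces on slide 7, and the Simplex-style fallback of slide 4. The branch definitions climb: v := v + 1 and descend: v := v − 1, the choice of the descend branch as fallback, the hand quantifier elimination of the plant condition, and the sample trace are assumptions of this example. Arithmetic is exact (Fraction) to stand in for the reals of dL, so the float/interval question of slide 4 is deliberately not addressed here.

```python
from fractions import Fraction
from typing import Callable, List, NamedTuple, Tuple

Num = Fraction  # exact arithmetic stands in for the reals of dL


class State(NamedTuple):
    """Observed CPS state: position x and velocity v (the model variables of slide 2)."""
    x: Num
    v: Num


def plant_monitor(pre: State, post: State) -> bool:
    """Compliance with the plant x' = v over one cycle (v is constant during the plant).

    Quantifier elimination done by hand (an assumption of this example, not shown on
    the slides): exists t >= 0 with x+ = x- + v+ * t
    is equivalent to x+ = x- or v+ * (x+ - x-) > 0.
    """
    dx = post.x - pre.x
    return dx == 0 or post.v * dx > 0


def climb_monitor(pre: State, post: State) -> bool:
    """F1(x-, x+): the climb branch, assumed here to be v := v + 1, followed by the plant."""
    return post.v == pre.v + 1 and plant_monitor(pre, post)


def descend_monitor(pre: State, post: State) -> bool:
    """F2(x-, x+): the descend branch, assumed here to be v := v - 1, followed by the plant."""
    return post.v == pre.v - 1 and plant_monitor(pre, post)


def model_monitor(pre: State, post: State) -> bool:
    """F(x-, x+) = F1 or F2: the disjunction the <climb ++ descend> axiom yields."""
    return climb_monitor(pre, post) or descend_monitor(pre, post)


def controller_monitor(pre: State, proposed_v: Num) -> bool:
    """Discrete part only: checks a controller decision before it is actuated."""
    return proposed_v == pre.v + 1 or proposed_v == pre.v - 1


def simplex_step(pre: State,
                 controller: Callable[[State], Num],
                 fallback: Callable[[State], Num]) -> Tuple[Num, str]:
    """'Simplex for models': actuate the controller's choice only if the controller
    monitor accepts it, otherwise actuate the fallback (and report which one ran)."""
    proposed = controller(pre)
    if controller_monitor(pre, proposed):
        return proposed, "controller"
    return fallback(pre), "fallback"


def check_trace(trace: List[State]) -> List[bool]:
    """Model monitor verdict for every pair of consecutive observed states."""
    return [model_monitor(a, b) for a, b in zip(trace, trace[1:])]


# Constructed sample trace (not measured data): two compliant climb cycles, then a
# plant deviation where x decreases although v+ > 0 (e.g. a stuck actuator).
SAMPLE_TRACE = [
    State(Num(0), Num(0)),
    State(Num(1, 2), Num(1)),   # climb: v 0 -> 1, x advanced 1/2 with v = 1 (t = 1/2)
    State(Num(3, 2), Num(2)),   # climb: v 1 -> 2, x advanced 1 with v = 2 (t = 1/2)
    State(Num(1), Num(3)),      # climb: v 2 -> 3, but x went backwards: not a run of alpha
]


def buggy_controller(s: State) -> Num:
    """Unverified controller that accelerates by 2, which the model does not allow."""
    return s.v + 2


def descend_fallback(s: State) -> Num:
    """Fallback = the descend branch (assumption), so its effect is itself a run of alpha."""
    return s.v - 1


if __name__ == "__main__":
    print(check_trace(SAMPLE_TRACE))  # [True, True, False]
    print(simplex_step(SAMPLE_TRACE[0], buggy_controller, descend_fallback))  # (Fraction(-1, 1), 'fallback')
```

The model monitor only ever looks at two consecutive states, exactly the monitorability limit named on slide 4; a violation such as the third cycle above tells the monitor that the real system left the model, not why. Choosing the fallback as a branch of the verified model keeps every actuated action inside the behaviour the proof covers; a fallback outside the model would need its own safety argument, which the slides list as an open challenge.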