Towards a HOL Framework
for the Deductive Analysis
of Hybrid Control Systems
ADPM’2000
Norbert Völker
University of Essex, England
Two Tanks System
[Figure: two tanks connected by valves V0, V1 and V2, with level mark L]
Given a controller, verify that the tanks do not overflow
and an equilibrium is reached.
The Idea
[Diagram: controllers, written in PLC languages, and plants, given by differential equations, are modelled in Isabelle/HOL as control loops; properties and requirements are verified against this model, with a model checker and an ODE solver as auxiliary tools]
• Version of higher order predicate logic designed for
mechanical hardware verification.
• Polymorphic type system with type variables and type constructors such as list.
• Very expressive due to abstraction and quantification
over functions.
• Widely studied and well understood logical system.
• Methodology of embedding other formalisms in HOL,
for example subsets of VHDL and Java.
Isabelle/HOL
• Popular, interactive HOL theorem proving
assistant.
• Stresses logical safety - avoidance of inconsistency.
• Supports safe theory extension by definitions, data
types, primitive recursive functions, ...
• Comes with libraries: nat, int, real, set, ....
• Open and extensible
• Proof results from external tools can be imported
via oracles.
Discrete Components in HOL


[Figure: stream function f mapping the input stream a0 a1 a2 a3 … to the output stream b0 b1 b2 b3 …]
 stream = (  )
f ::  stream   stream
causal f = (∃g. ∀n x. take n (f x) = g (take n x))
(the first n outputs of f are determined by the first n inputs alone)
stream operators, LTL operators
transition systems, automata
Real Time
clock = (   )
constant T :: clock
[Figure: clock ticks T0 T1 T2 T3 on the time axis, at unequal intervals]
Clocks are strictly monotonic, unbounded and start at 0.
Conceptual clocks: the cycle duration can vary.
Function Blocks in HOL
• IEC 61131-3 PLC programming languages
Structured Text (ST) and Sequential Function
Charts (SFC)
• Function blocks written in an idealised subset of
ST/SFC are mapped to automata in HOL.
• Mapping is similar to writing an interpreter in a
functional programming language.
• Automata are not executed - size is not important as
long as there is a compact representation in HOL.
• The HOL embedding defines a semantics.
A Verifiable Subset of ST
• Restriction to function block level: no
configurations, resources, tasks or scheduling
• Omission of absolute, global, reference or retentive
variables.
• Reactive model: actions are atomic
• Idealised data types: Int, Bool, String, records,
arrays
• Disregard of implementation limitations.
• Function block invocation has no side effects!
Real Analysis in Isabelle/HOL
• Axiomatic type class V of finite-dimensional, normed
vector spaces over 
• Limits, continuity, differentiation
• Type  flow = (  )
• Differentiation operator D:: (:: V ) flow   flow
• Lots of elementary lemmas and theorems.
• Currently no integration, exp, sqrt, ln, sin, …
• Currently 17 K theory files, 95 K proof code files.
Differential Systems in HOL
• A differential system (f,x0) without input is a
transition system
 diffsys = ([,  ]  )  
where f is continuous and :: V.
• Behaviour is given by the solution of the associated
differential equation
bhvD ::  diffsys   flow
bhvD (f, x0) = (ε g. g 0 = x0 ∧ D g = f ∘ g)
where ε is Hilbert's choice operator.
• Naming the solution by choice does not mean we have solved the ODE.
Plants in HOL

[Figure: plant F mapping an input stream to a sequence of flows g0 g1 g2 g3 g4, one per control cycle]
F ::  stream   flow
causal F
Plants are transition systems (f, y0) whose state is a flow: f maps the input of a cycle to a continuous vector field (∀a. continuous (f a)) and y0 is the initial state. The flow of cycle n is
g 0 = bhvD (f (x 0), y0)
g (n+1) = bhvD (f (x (n+1)), g n (T (n+1)))
so each cycle's flow starts where the previous one was at the clock tick.
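The hand-off of state between cycles is easiest to see executed. The following Python model is an added example, not the Isabelle/HOL theory from the talk. It assumes the vector field y' = a − y (so that bhvD has a closed-form solution and no ODE solver is needed), a conceptual clock with alternating cycle lengths 1 and 0.5, and it reads each cycle's flow from the start of that cycle, so the slide's hand-off g n (T (n+1)) becomes g n evaluated at the cycle length T (n+1) − T n; all three are assumptions the slide does not fix.

```python
"""Plant as a stream of flows, one per control cycle (added example).

Assumptions, none of which the slide fixes:
  * the vector field is  f a y = a - y  (state relaxes towards the input a),
    chosen so that bhvD has a closed form and needs no ODE solver;
  * the conceptual clock T alternates cycle lengths 1.0 and 0.5;
  * each flow g n is parametrised by time since the start of cycle n, so the
    hand-off value g n (T (n+1)) of the slide is read as g n evaluated at
    the cycle length T (n+1) - T n.
"""
import math
from typing import Callable, List

Flow = Callable[[float], float]   # the slide's flow type: real -> real


def T(n: int) -> float:
    """Conceptual clock: strictly monotonic, unbounded, T 0 = 0.
    Cycle k lasts 1.0 if k is even, 0.5 if k is odd (assumption)."""
    return sum(1.0 if k % 2 == 0 else 0.5 for k in range(n))


def f(a: float) -> Callable[[float], float]:
    """Assumed continuous vector field for input a: y' = a - y."""
    return lambda y: a - y


def bhvD(a: float, x0: float) -> Flow:
    """bhvD (f a, x0): the g with g 0 = x0 and D g = f a o g.
    The slide only *names* this g with the choice operator; for the assumed
    field it is the explicit solution a + (x0 - a) e^{-t}."""
    return lambda t: a + (x0 - a) * math.exp(-t)


def plant_flows(x: List[float], y0: float) -> List[Flow]:
    """The slide's transition system on flows:
         g 0     = bhvD (f (x 0), y0)
         g (n+1) = bhvD (f (x (n+1)), g n (T (n+1)))
    with the hand-off evaluated at the length of cycle n."""
    g: List[Flow] = []
    for n, a in enumerate(x):
        start = y0 if n == 0 else g[n - 1](T(n) - T(n - 1))
        g.append(bhvD(a, start))
    return g


def trajectory(x: List[float], y0: float, t: float) -> float:
    """Glue the per-cycle flows into one function of absolute time: for
    T n <= t < T (n+1) return g n (t - T n); the last cycle extends rightwards."""
    g = plant_flows(x, y0)
    n = 0
    while n + 1 < len(g) and T(n + 1) <= t:
        n += 1
    return g[n](t - T(n))


def is_continuous_at_ticks(x: List[float], y0: float, tol: float = 1e-12) -> bool:
    """The hand-off makes the trajectory continuous: the value at the end of
    cycle n equals the start value of cycle n+1."""
    g = plant_flows(x, y0)
    return all(abs(g[n](T(n + 1) - T(n)) - g[n + 1](0.0)) <= tol
               for n in range(len(g) - 1))


def prefix_causal(x: List[float], y0: float, k: int, t: float) -> bool:
    """Causality of the plant (the slide's `causal F`): the first k flows
    depend only on the first k inputs, so perturbing inputs from index k on
    leaves the trajectory unchanged for t < T k (and changes it afterwards)."""
    altered = x[:k] + [a + 10.0 for a in x[k:]]
    return trajectory(x, y0, t) == trajectory(altered, y0, t)
```

With inputs [1.0, 1.0, 0.0] and y0 = 0 the first two cycles drive the state towards 1 and the third lets it decay; `prefix_causal` returns True for a time inside the second cycle and False once the altered third input is in effect.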
A Control Loop in HOL

[Figure: feedback loop of controller ttc and plant ttp; ttc emits the valve triple (B × B × B) to ttp, whose output is fed back to ttc]
tt = feedback (ttp ∘ ttc) 4,4 0
ttc maps the plant-output stream to a stream of valve triples (B × B × B); ttp maps the valve-triple stream back to the plant-output stream.
Verification
• Use standard Isabelle proof strategies and tools:
– induction, case distinctions, algebraic manipulation
– conditional term rewriting
– proof search algorithms
• Problems:
– command line user interface
– still relatively low level of proofs
– real number library not well developed yet
– algebraic manipulation often cumbersome
– few decision procedures
– analytically intractable systems remain intractable in HOL
What’s There
• HOL models of automata, stream operators, LTL
operators, PLC language subsets, differential and
hybrid systems.
• The beginnings of a HOL Real Analysis library.
• Small verification examples (standard function
blocks, traffic light, container control)
• Strong points:
– Compositional model of hybrid systems as
causal functions on stream and flows.
– Verification lemmas yield understanding
– Trustworthiness of Isabelle/HOL
What’s Missing
• Models of bigger or more faithful PLC language
subsets
• More automation of HOL modelling and proofs
• Connection to other tools
• A better theorem prover front-end.
• Comprehensive Real Analysis and Control theory
libraries
• Bigger examples
• Verification of function block libraries
• An answer to: What contribution can HOL make?
Questions
or
Comments?
Transition Systems in HOL
(,) trsys
= ([, ]  )  
bhvT :: [(,) trsys,  stream ]   stream
bhvT (f,y0) x 0 = y0
bhvT (f,y0) x (n+1) = f (x n) (bhvT (f,y0) x n)
Theorem: causal bhvT
Automata in HOL
(,,) automaton = (, ) trsys  ([, ]  )
bhvA :: [(,, ) automaton,  stream ]   stream
bhvA (S,w) x n = w (x n) (bhvT S x n)
Theorem: causal bhvA
SFC Controller
[SFC: steps S0 (Start) → S1 (S V0) → S2 (S V1) → S3 (S V2) ⇄ S4 (R V2). The transitions out of S1 and S2 are timed, comparing T1 and T2 with the step times S1.T and S2.T; the transitions between S3 and S4 compare Level with L. Inputs: level, time; outputs: V0, V1, V2 (bool).]
Controller in HOL
ttc_autom :: (  ,   , BBB) automaton
ttc_autom = ((ttc_tf, (0,0)), ttc_outf )
ttc_tf :: [   ,    ]    
ttc_tf (level, t) (step, t0) =
  if step = 0                      then (1, t)
  else if step = 1 ∧ T1 ≤ t − t0   then (2, t)
  else if step = 2 ∧ T2 ≤ t − t0   then (3, t)
  else if step = 3 ∧ Level  L      then (4, t)
  else if step = 4 ∧ Level  L      then (3, t)
  else (step, t0)
Controller in HOL (continued)
ttc_outf :: [   ,    ]  B  B  B
ttc_outf (level, t) (step, t0) =
  if step = 0      then (False, False, False)
  else if step = 1 then (True, False, False)
  else if step = 2 then (True, True, False)
  else if step = 3 then (True, True, True)
  else                  (True, False, False)
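The slide's remark that the HOL mapping resembles writing an interpreter in a functional language can be taken literally. The following Python is an added example, not the talk's Isabelle/HOL theories: it implements bhvT and bhvA from the "Transition Systems in HOL" and "Automata in HOL" slides, the controller ttc_autom from the two slides above, and two of the properties the framework is meant to establish, causality and a valve-ordering requirement, here as bounded tests over a constructed input prefix rather than proofs. The constants T1, T2 and L, the comparison operators in the guards (T1 ≤ t − t0, level ≥ L to leave step 3, level ≤ L to return) and the sample input are assumptions; streams are finite prefixes, so take n is list slicing.

```python
"""Transition systems, automata and the ttc controller as a Python interpreter
(added example).  Isabelle types [a, b] => c become two-argument functions and
streams become finite prefixes, so `take n` is a slice.

Assumptions not fixed by the slides: the constants T1, T2, L, the comparison
operators in the guards, and the sample input."""
from typing import Callable, List, Tuple, TypeVar

A = TypeVar("A")
B = TypeVar("B")
C = TypeVar("C")

TrSys = Tuple[Callable[[A, B], B], B]                 # (f, y0)
Automaton = Tuple[TrSys, Callable[[A, B], C]]         # ((f, y0), w)


def bhvT(trsys: TrSys, x: List[A]) -> List[B]:
    """bhvT (f,y0) x 0 = y0;  bhvT (f,y0) x (n+1) = f (x n) (bhvT (f,y0) x n).
    For a prefix x 0 .. x (n-1) returns the states y 0 .. y n."""
    f, y0 = trsys
    ys = [y0]
    for xn in x:
        ys.append(f(xn, ys[-1]))
    return ys


def bhvA(aut: Automaton, x: List[A]) -> List[C]:
    """bhvA (S,w) x n = w (x n) (bhvT S x n): output n from input n and state n."""
    S, w = aut
    ys = bhvT(S, x)
    return [w(xn, ys[n]) for n, xn in enumerate(x)]


# --- the ttc controller of the slides --------------------------------------
T1, T2, L = 2.0, 3.0, 5.0         # assumed values of the SFC constants

State = Tuple[int, float]         # (step, t0): current SFC step and its entry time
Inp = Tuple[float, float]         # (level, t)
Out = Tuple[bool, bool, bool]     # (V0, V1, V2)


def ttc_tf(inp: Inp, st: State) -> State:
    level, t = inp
    step, t0 = st
    if step == 0:
        return (1, t)
    if step == 1 and T1 <= t - t0:       # timer guard, read as T1 <= S1.T
        return (2, t)
    if step == 2 and T2 <= t - t0:
        return (3, t)
    if step == 3 and level >= L:         # assumed comparison direction
        return (4, t)
    if step == 4 and level <= L:         # assumed comparison direction
        return (3, t)
    return (step, t0)


def ttc_outf(inp: Inp, st: State) -> Out:
    step = st[0]
    if step == 0:
        return (False, False, False)
    if step == 1:
        return (True, False, False)
    if step == 2:
        return (True, True, False)
    if step == 3:
        return (True, True, True)
    return (True, False, False)          # step 4, as on the slide


ttc_autom: Automaton = ((ttc_tf, (0, 0.0)), ttc_outf)

# Constructed input prefix: one sample per second, tank level rising past L
# and then dipping back under it.
SAMPLE_INPUT: List[Inp] = [(lvl, float(n)) for n, lvl in
                           enumerate([0.0, 0.0, 0.0, 1.0, 2.0, 3.0, 4.0, 5.0, 4.5])]


def run_controller(x: List[Inp]) -> Tuple[List[State], List[Out]]:
    """State stream and output stream of ttc_autom on a finite input prefix."""
    return bhvT(ttc_autom[0], x), bhvA(ttc_autom, x)


def prefix_causal(aut: Automaton, x: List[A], x_alt: List[A], n: int) -> bool:
    """The slide's `causal`: if take n x = take n x', then take n of the
    outputs agree.  Checked for one pair of inputs (a test, not the HOL proof)."""
    if x[:n] != x_alt[:n]:
        raise ValueError("inputs must agree on the first n elements")
    return bhvA(aut, x)[:n] == bhvA(aut, x_alt)[:n]


def valves_opened_in_order(outs: List[Out]) -> bool:
    """Requirement over the output prefix: V1 is only set while V0 is, and V2
    only while V1 is (bounded check, the HOL version would be by induction)."""
    return all((not v1 or v0) and (not v2 or v1) for v0, v1, v2 in outs)
```

Running `run_controller(SAMPLE_INPUT)` walks the SFC through steps 0, 1, 2, 3, 4 and back to 3; the output stream has one element per input, the state stream one more, exactly as the bhvT/bhvA equations prescribe.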
General Hybrid Systems


[Figure: general hybrid component g with a stream and a flow as inputs and a stream and a flow as outputs]
g :: [  stream,  flow]  stream   flow
causal g