Transcript Slide 1

Two Worlds:
Abstractions in the Continuous World
Rupak Majumdar
Max Planck Institute for Software Systems
Cyber-Physical Systems
1. Software Controlled interactions
with the physical world
2. Safety Critical
Software a major component:
Boeing 747: ~50ECUs, 4M LOC
ETCS Kernel: ~0.5MLOC
Lexus 2006: ~100 CPUs, ~7M LOC
BMW: ~70-100CPUs, ~100M LOC!
Cyber-Physical Systems
1. Software Controlled interactions
with the physical world
2. Safety Critical
3. Software is the hard part
- Expensive, brittle
- Low productivity, High QA cost
- Major part of development cost
Control System Development
Validate
against system
performance spec
Combine
Environment =
spec
Plant Model
x’= Ax + Bu
Controller Model
u= Kx
= Control
Software spec
Virtual World
Real World
Environment =
impl
Plant
(Hardware)
=
Controller
(Software+Hardware)
Combine
Validate
Control
impl
Formal Methods Challenges
•
Verification
How can we ensure a system meets its specifications?
•
Synthesis
How can we automatically construct controllers for
temporal requirements?
•
Abstraction and Robustness
When are two systems close? When is a system robust?
This Talk: FM in the Control World
- Proof techniques for verification
- Epsilon-bisimulations and reactive synthesis
- Input-output robustness
- End-to-end arguments
Disclaimer
Tutorial introduction to the field
Continuous Dynamical Systems
Specification:
f : Dynamics
u : Input from the controller
… assume f is “nice”
Trajectory: Solution of the
differential equation
Stability: “Under the action
of the controller, the
dynamics converges to the
origin”
Hybrid Dynamical Systems
||
Discrete constraint:
- Control task can only run once every k cycles
- The system must reach a sequence of setpoints
while avoiding bad states
- LTL specification
Verification Question
||
Given a controller that claims to
- Stabilize the system
- Satisfy additional discrete constraints
Check the controller works correctly
Synthesis Question
||
Synthesize a controller that
- Stabilizes the system
- Satisfies additional discrete constraints
Formal Methods Perspective
Verification:
Safety

Liveness 
Inductive invariants
Ranking functions
Synthesis:
Controller design  Reactive synthesis
Q: How do we apply these techniques to the
continuous world?
Verification
Commonalities
Control Theory
Formal Methods
-Safety: Show that system stays
in safe states
-Safety: Show that program
stays in safe states
-Stability: Show that system
eventually goes to setpoint
-Liveness: Show that program
eventually terminates
-Techniques: Real Analysis
-Techniques: (Discrete) Logic
Model
Problem: Ensure no trajectory from
Init reaches Bad
[PrajnaJadbabaie04]
Barriers: B(x)
Init
Bad
The dynamics pushes the state
back at the boundary of the barrier
Reachability
Target
[LyapunovB.C.]
Lyapunov functions: L(x)
The dynamics pushes the state
down along the level sets of L(x)
Commonalities
Control Theory
Formal Methods
-Safety: Show that system stays -Safety: Show that program
in safe states
stays in safe states
* Barrier certificates
* Inductive invariants
-Stability: Show that system
eventually goes to setpoint
* Lyapunov functions
-Techniques: Real Analysis
* Constraints?
-Liveness: Show that program
eventually terminates
* Rank functions
-Techniques: (Discrete) Logic
* Horn clauses
Barriers/LF to Constraints
Constraints: Polynomials
Assume f(x) is a polynomial
Fix polynomial template for B
 Polynomial constraints
Aside: Sum of Squares
Want to show:
p(x) ≥ 0
Look for polynomials p1(x), …, pk(x) s.t.
p(x) = p1(x)2 + … + pk(x)2
Sufficient but not necessary
 But search for “sum of squares” polynomials reduces to
convex optimization (semi-definite programming)
Not just Safety/Reachability…
Horn clause formulations carry over:
- LTL, CTL*, ATL*
[DimitrovaM]
Idea for LTL:
1.Convert to parity conditions
2.Certificate = Sequence of functions V0,…,Vk
- even i  barrier
- odd i  Lyapunov function that exits this color
Formal Methods Challenge
1.Design numerically stable and scalable decision
procedures for polynomial arithmetic
2.Connect the search for barriers and Lyapunov
functions to abstraction-refinement techniques
Synthesis
Controller Synthesis for LTL
Continuous system
Abstraction
?
Control
input u
Reactive synthesis
Refinement
Discrete
controller
GirardPappas07,Tabuada
ε-Bisimulation
(x,y)∈R means that every trajectory starting from x
is matched up to ε by a trajectory from y
and vice versa
Controller Synthesis for LTL
Continuous system
Abstraction
Control
input u
Reactive synthesis
Refinement
Discrete
controller
When do finite bisimulations exist?
Angeli02
Incremental Stability
“Trajectories converge to each other as time progresses”
Incremental asymptotic stability (AS):
|| x(t, x0, u) - y(t, y0, u) || ≤ β (|| x0 – y0 ||, t)
for all u
Incremental input-to-state stability (ISS):
|| x(t, x0, u) - y(t, y0, v) || ≤ β (|| x0 – y0 ||, t) +
γ( || u – v || )
β is KL, γ is K
Incremental Stability, in Pictures
Linear systems:
Asymptotic stability
(= all eigenvalues have
negative real part)

incremental stability
Transition Systems
Fix a sampling time τ
Transition system:
States: Rn
Labels: Piecewise constant control inputs
Transitions:
Intuition
- Discretize state and input space
- Error accumulated due to discretization cancel
out because of incremental stability
x
y
Finite Bisimilarity
Fix an incremental ISS continuous system
Fix precision ε, sampling time τ
Theorem: [PolaGirardTabuada] Can choose
discretization parameters
a (state discretization), b (input discretization)
s.t. there is a finite ε bisimulation
ZamaniEfsahaniM.AbateLygeros
Extensions: Stochastic Dynamics
- Extend notions of incremental ISS to stochastic
ones
- Finite epsilon-bisimulation (in the sense of
expectations) exists for any compact set
Good News/Bad News
- Now discrete synthesis can be applied
- Tool: Pessoa [RoyM.Tabuada]
- (coming up)
- Expensive procedure: exponential in the
dimension of the system
Example 1: Motion Planning
Example 1: Motion Planning
Example 1: Motion Planning
Abstraction: 91035 states (585s)
Control: 155s
Example 2: DC Motor Speed Control
Spec:
Abstraction: 1M states, 150s, Controller found in 4s
Formal Methods Challenges
1. Better abstractions for bisimulations?
- Using timed automata?
(exponentially succinct representations)
2. Abstraction and refinement for control?
End-to-end Design
Control System Development
Validate
against system
performance spec
Combine
Environment =
spec
Plant Model
x’= Ax + Bu
Controller Model
u= Kx
= Control
Software spec
Virtual World
Real World
Environment =
impl
Plant
(Hardware)
=
Controller
(Software+Hardware)
Combine
Validate
Control
impl
Controller Implementations
Physical world and software implementations
may not match up
•
Resource constraints, finite precision, distributed
computation
•
Uncertainties in measurements/actuations
How can we ensure that the implemented system
correctly implements the controller?
What does correctly mean?
Stability
“The physical plant converges to a desired behavior
under the actions of the controller”
Example: In the steady state, the angular velocity of a DC motor
will be between 7.5 and 8.5 rad/s
Mathematical Model
Software Implementation
Stability
Example: In the steady state, the angular velocity of a DC motor
will be between 7.5 and 8.5 rad/s
Mathematical Model
Software Implementation
Question: What is the effect of implementation error
on system stability?
Effects of Implementation Error
ρ
Ideal, Mathematical Model
Implementation
The software implementation introduces errors due to:
- Limited precision arithmetic
- Quantization of sensing and actuation
- Computation times
-…
Can we bound the effect of error on the stability?
Bound on Errors
Theorem [AntaM.SahaTabuada10] If a is the L2 gain of a
linear control system and b a bound on the
implementation error, then
ρ≤a.b
Separation of concerns:
1. Calculate L2 gain from the mathematical model
2. Calculate implementation error from the code
Non-linear Systems
System
x’ = f(x,u)
Controller u = k(x)
Use an ISS Lyapunov function V, and the
additional constraint from robust control theory:
∂V/∂x . f(x,k(x)+e) ≤ - λV(x) + σ || e ||
Non-linear Systems: Error Bounds
Theorem [AntaM.SahaTabuada10]: If b is a bound on
the implementation error, and σ, λ as before for
some Lyapunov function V, then ρ ≤ σ/λ . b
The value of σ and λ can be found using Sum of
Squares (SoS) optimization techniques
Error Sources
- Sampling errors: Sampling a function at discrete
points
- Quantization errors: Finite precision arithmetic
Assume that sampling errors are negligible (by
sampling fast enough)
Focus on quantization errors
Bounding the Error: Finite Precision
• Only consider error due to finite precision
• Target fixed-point implementations
• Each real variable is implemented using n bits,
with k bits for the fractional part
k
n
Fixed Point Arithmetic
Can perform arithmetic operations on this
representation (using bitshifts and arithmetic)
k1
k1
n
n
+
n
k2
+
k1
n
k1
n
Algorithm
Given: function y = f(x), implementation y = F(x)
Set up optimization problem:
Max
| y – y|
the difference in outputs
Subject to:
x ∈ [l,u],
|x – x| ≤ e,
y = f(x)
SP(F)(x,y)
the range of inputs
the precision of the representation
the “actual” controller output
the “computed” controller output
SP(F)(x,y) is a logical formula relating
inputs x and outputs y of function F
Computing SP: Symbolic Execution
•
Run the program with symbolic inputs
•
Each execution maintains
•
-
A symbolic store: map program variables to symbolic
expressions
-
A path constraint that specifies constraints on inputs for the
current path to be executed
SP(F) =
Disjunction of path constraints along all paths
Implementation
Simulink Model
Real-Time
Workshop
C code
-Implementation of concolic
execution with support for
numerical operations
CIL
Instrumented C code
Concolic Execution
Yices+HySat
Symbolic constraints
-Collect symbolic
constraints and relate to
control system parameters
-Model fixed-point
arithmetic precisely
From Verification to Synthesis
Verification Problem: Given a
controller, compute the bound ρ
ρ
Synthesis Problem: Find a
controller implementation for which
the bound is minimized
Search over:
- all implementations of a given
controller
- all stabilizing controllers for a
fixed budget
Conclusion
Abstraction + Verification techniques
from computer science
can help
build better systems that
interact with the physical world
Thank You
http://www.mpi-sws.org/~rupak/