A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION

Transcription

1 A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION Andreas Müller Werner Retschitzegger Wieland Schwinger Johannes Kepler University, Linz Department of Cooperative Information Systems Stefan Mitsch André Platzer - aplatzer@cs.cmu.edu Carnegie Mellon University, Pittsburgh Computer Science Department

2 OVERVIEW Background Cyber-Physical System Hybrid System Models Component-based Modeling Component-based Modeling and Verification Approach Components Interfaces Contracts Composition Retains Contract Conclusion and Future Work 2

3 OVERVIEW Background Cyber-Physical System Hybrid System Models Component-based Modeling Component-based Modeling and Verification Approach Components Interfaces Contracts Composition Retains Contract Conclusion and Future Work 3

4 BACKGROUND Cyber-physical systems (CPS) Cyber and physical capabilities Continuous physical-part: vehicle movement, Discrete cyber-part: vehicle steering, Often safety-critical! Hybrid system models Model and analyze CPS Hybrid programs: program notation for hybrid system modeling Safety Analysis: Φ α Ψ starting in Φ, each run of α leads to a safe state Ψ Verified using Theorem Prover KeYmaera Challenging for large monolithic models Component-based hybrid system modeling and verification Component verification results do not always transfer to composite Component-based approach to hybrid system safety verification 4

5 OVERVIEW Background Cyber-Physical System Hybrid System Models Component-based Modeling Component-based Modeling and Verification Approach Components Interfaces Contracts Composition Retains Contract Conclusion and Future Work 5

6 RUNNING EXAMPLE - VEHICLE CRUISE CONTROL Vehicle Cruise Control System Overall Safety Property: Keep vehicle s velocity within bounds Split into two components Actuator Component Receives target velocity Chooses target acceleration, such that target velocity can be reached Outputs actual velocity Cruise Controller Component Receives actual velocity Chooses target velocity Outputs target velocity 6

7 DEFINITION 2: COMPONENT Component C = (ctrl, plant) ctrl Discrete control part NO continuous parts plant Continuous part x 1 = θ 1,, x n = θ n & H Ordinary differential equations Evolution domain H Actuator: C ac = (ctrl ac, plant ac ) ctrl ac a ac v ac tr v ac choose a, such that v tr is reached until ε ε t ac 0 t plant ac v evolve ac = av ac with, t rate = 1& a for t at t 0 ac most ε Cruise Control Component Choose target velocity ; 7

8 DEFINITION 3: INTERFACE Interface I = (V in, π in, V out, π out ) V in variables for input ports π in input assumptions Actuator: I ac V in = v tr target velocity π in v tr 0 v tr V V out = v current velocity π out v 0 v V target velocity v tr in velocity interval current velocity v in velocity interval V out variables for output ports π out output guarantees Cruise Control Component Reads current velocity Provides calculated target velocity 8

9 DEFINITION 4: CONTRACT Contract Initial state φ Target state ψ Cont C, I t = 0 φ in; ctrl; t = 1, plant ψ valid initial state read inputs ψ ψ safe Π out run ctrl run plant repeat 0 n times must hold after all runs Actuator: (1) Vehicle initially stopped and vehicle velocity always in interval φ v = 0 V 0 ψ 0 v V Cruise Controller Component: Target velocity always in interval Verified using KeYmaera 9 (1) Properties coincide due to simple example. Not necessarily the case!

10 THEOREM 1: COMPOSITION RETAINS CONTRACTS Let C 1, I 1 and C 2, I 2 be Components with Interfaces Cont C 1, I 1 and Cont C 2, I 2 verified Compatible (Def. 6) C 3, I 3 = C 1, I 1 C 2, I 2 (Def. 5) Then Cont C 3, I 3 is also valid, with φ 3 φ 1 φ 2 both initial states hold ψ 3 ψ 1 ψ 2 both safety properties and all output properties hold Two Components Actuator and Cruise Controller Actuator Contract verified ψ ac vehicle velocity always in interval Cruise Controller Contract verified ψ cc target velocity always in interval Compatible Composite C sys, I sys = C ac, I ac C cc, I cc φ sys φ ac φ cc ψ sys ψ ac ψ cc vehicle velocity always in interval Overall System Property! 10

11 OVERVIEW Background Cyber-Physical System Hybrid System Models Component-based Modeling Component-based Modeling and Verification Approach Components Interfaces Contracts Composition Retains Contract Conclusion and Future Work 11

12 CONCLUSION AND FUTURE WORK We presented a technique to model and verify component-based CPS Split system into components Verify Components Rebuild system from components Transfer Verification Results! Future Work Extend interface and port capabilities Implement framework as tool Add further composition operations Delayed transmission Erroneous transmission 12

13 A COMPONENT-BASED APPROACH TO HYBRID SYSTEMS SAFETY VERIFICATION Andreas Müller Werner Retschitzegger Wieland Schwinger Johannes Kepler University, Linz Department of Cooperative Information Systems Stefan Mitsch André Platzer - aplatzer@cs.cmu.edu Carnegie Mellon University, Pittsburgh Computer Science Department