Verification of quantitative properties of logic systems using model checker for hybrid automata

Transcription

1 Verification of quantitative properties of logic systems using model checker for hybrid automata Z. Juarez, B. Denis, J.-J. Lesage LURPA, ENS de Cachan

2 Outlines Motivation Why use a hybrid models for the formal verification of logic systems? Modular modeling of hybrid systems Network of Hybrid Input Output Automata with Typed Synchronizations Verification of quantitative properties case study 1: displacement axis of the test station case study 2: production of batch (cooling process)

3 Motivation: Dependable Control of Discrete Event Systems Targets: critical automated systems Power plant Transport Strategy of development Off line approaches (during design and realization): - Fault Prevention (Synthesis, ) - Fault Forecasting (FT Analysis, ) - Fault Tolerance (Redundant solutions, ) - Fault Removal (Verification, Test, ) On line approaches (during operation): - FDI, Diagnosis, Prognostics, - Dynamic reconfiguration, Today talk Requirements Analysis Specification & Design of the DES Specif. & Design of the Controller Specification, Design Spéc. & Design Soft. Spec., Design & Coding Realization Realization Integ. Valid. & Test Soft. Integration Valid. & Test Of the Controller Of the Hardware Of the Plant Off line approaches On line approaches Optimization, Operation, Maintenance Integration, Valid. & test of the DES

4 Motivation: structure of target systems Logic signals Timed subsystem Inputs Controller Program Monitor Outputs Plant Hybrid subsystem For economic reasons logic interfaces between plant and controller are often preferred Then the controller deal with a discrete event abstraction of the plant Is the program correct? (in accordance with the awaited system behavior)

5 Motivation: quantitative properties Example: displacement axis of a test station To perform successfully the test, stop precision must be 1.5 mm Test station Logical control orders: - Go_to_test - Go_to_load Logical sensors information: - Load_pos - Test_pos 0 Conveyor X M Motor Load_pos Test_pos Unload_pos click on picture to play video

6 Motivation: Formal verification Model-checking formal method with exhaustive state space exploration Inputs - S: model of system behavior (automaton) - φ: model of properties (temporal formula) Question - Does the system model S satisfy the set of properties φ? Outputs - Yes or no (+ counterexample) Polyhedral model checker Outputs can also include the reachable region System to be verified Formal model of system: S (automaton) model-checker? S φ Expected properties Formal model of properties: φ (temporal formula) Yes / No (+ diagnosis)

7 Motivation: Existing approaches of verification Program alone Model without time [Moon 92] Controller alone (program+monitor) Model without time [Moon 94], [Mertke 01], [Rossi 03] Timed model [Kowalewski 99], [Gourcuff 05] Program Controller Plant in the loop Model without time [Raush 98], [Machado 06] Timed model [Krogh 00], [Stursberg 97] Hybrid model [Engell, 2005] Controller Plant This presentation focus on qualitative properties

8 Verification of quantitative properties of logic systems Problem definition How to guarantee quantitative properties on the plant when a logic controller has been selected? Principle of the solution Because of the logic abstraction, controller can t guarantee on-line the quantitative properties on the plant The designer verifies off-line the quantitative properties using a hybrid plant model in closed-loop with a controller model Selected model checker: PHAVer [Frehse 06] Formal model of system: S Controller timed model Plant hybrid model model-checker? S φ Formal model of properties: φ (temporal formula) Yes / No (+ diagnosis)

9 Modular modeling of hybrid systems Requirements Modular formalism to take into account large systems Expressive formalism to easily coordinate different kind for modules (program + monitor + plant) Formalism close to PHAVer input formalism

10 Modular modeling of hybrid systems Condition initiale x 1 =0 Invariant source location x x& 1 1 q 5 = 2 label flows Guard Affectation l 1, x 1 3, x 1 : = 5 l 2, x 1 =1, -1 x 1 0 Definition of Hybrid Input Output Automata HIOA = <,,,,,,,Init > destination location q x x& 1 2 a set of locations = I U O U L a set of input, output and local variables = I U O U L a set of input, output and local variables = x x x a set of transition with a set of guard a function which associates affectations to transition (q,l,g,q ) a function which associates flows to location q a function which associates invariant to location q Init a initial state l 1 x 1 x 2 x 3 Synchronization A x 4 Data exchange l 2 l 3 x 5 x 6 A=<,,,,,,,Init> 3 l 1 I (x 1, x 2, x 3 ) I 2 (l 2, l 3 ) O x 4 L 2 (x 5, x 6 ) O

11 Modular modeling of hybrid systems Hybrid Input Output Automata with Typed Synchronization HIOA TS = <HIOA, > where HIOA is a Hybrid Input Output Automata and is a function which associates a role to each label : {!,?, }! stand for synchronization sender? stand for blocking receiver stand for non blocking receiver

12 Modular modeling of hybrid systems Chart of typed synchronizations Implications of type on label role Blocking Rendezvous e HIOA_A e HIOA_B e HIOA_C HIOA_A P1 P2!e g1 HIOA_B Q1 Q2?e g2 HIOA_C R1 R2?e g3 Typed synchronizations Non blocking Rendezvous Mixed Rendezvous e HIOA_A e HIOA_A e HIOA_B e HIOA_C e HIOA_B e HIOA_C HIOA_A P1 P2 HIOA_A P1 P2!e g1!e g1 HIOA_B Q1 Q2 e g2 HIOA_B Q1 Q2?e g2 HIOA_C R1 R2 HIOA_C R1 R2 e g3 e g3

13 Modular modeling of hybrid systems Example of system 2 roads with a crossing 2 cars less (or equal) than 1 car on crossroad area Véhicule X x = -1 Finish y =10 y 0 Finish x = 10 x Modular model start_x stop_x Feu X tx Véhicule X Start -10 x -7 Feu X Feu Y y = -1 stop_y start_y Feu Y Véhicule Y Start -10 y -7 Véhicule Y ty

14 Modular modeling of hybrid systems Model HIOA TS!stop_x tx 2 tx := 0 Feu X FXR1 tx = 0 FXR2 tx 2?stop_y tx = 1!start_x tx 2 tx := 0 FXV tx 2 tx = 1 0 tx 2!stop_y ty 2 ty : = 0 Feu Y FYR1 ty = 0 FYR2 ty 2 ty = 1!start_y ty 2 ty := 0 FYV ty 2 ty = 1?stop_x ty:= 0-10 x -7 VXC x 10 x& = 1-10 y -7 VYC y 10 y& = 1 start_x x <-1 stop_x -7 x -1 start_y y <-1 stop_y -7 y -1 Véhicule X VXR x -1 x & = 0.5 Véhicule Y VYR y -1 y & = 0.5 start_x x < 10!vx x -1!vx x 10 start_y y < 10!vy y -1!vy y 10 VXA x& = 0 VYA y& = 0

15 Modular modeling of hybrid systems Hybrid Input Output Automata with Typed Synchronizations A parallel composition of HIOA TS was formally defined to express the operational semantic of a network of HIOA TS - parallel composition transform a network HIOA TS of into a single HA A algorithm to translate a network of HIOA TS to a network of HIOA was constructed to import a network of HIOA TS into PHAVer

16 Modular modeling of hybrid systems Example of translation HIOA TS to HIOA q 1 l 1 g 1 q l 1 g 2!l 2 g 3 q 3 HIOA TS q 2 q 1 l 1 g 1 q l 1 g2 l 1 ( g 1 g 2 ) l 2 g 3 q 3 PHAVer Automaton q 2 Presentation of HIOA TS toolbox

17 Verification of quantitative properties Case study 1 Displacement axis of the test station - To have successfully test, precision of the stop position must be 1.5 mm Case study 2 Batch production (cooling process) - Determination of the production time depending of the cooling strategy

18 Conclusions Hybrid model allows the checking of quantitative properties for logic system An extension for HIOA has been introduced HIOA with typed synchronization (send/receiver, blocking/non-blocking) Parallel composition allows translation from a network of HIOA TS to one HA An algorithm allows to translate a network of HIOA TS to a network of HIOA

19 Thank you!

20 Annexes Developed toolbox Case study 1

21 Modular modeling of hybrid systems: toolbox A software toolbox was developed: to validated algorithms (parallel composition, translation), to provide a chart of automata and their analyses Toolbox input neutral textual format for HIOA TS networks and theirs analyses Toolbox contents HA_grapher: generate picture of automata (based on Graphviz tool) HIOAts2HA: generate parallel composition of a HIOA TS networks HIOAts2HIOA: translate HIOA TS networks to HIOA network HIOA2PHAVer: generate a model according PHAVer input syntax HA_analyser: perform analysis using PHAVer and generate picture of 2D region (based on plotutils tools) HTMLreport: generate full analysis report according WEB page format

22 analysis report Modular modeling of hybrid systems: toolbox

23 analysis report Modular modeling of hybrid systems: toolbox

24 Modular modeling of hybrid systems: toolbox analysis report

25 analysis report Modular modeling of hybrid systems: toolbox

26 Displacement axis of the test station SFC 1 S0 Spécification du contrôle Moniteur du contrôle tc = [tc min,tc max ] (t1) S1 (t2) S2 (t3) SFC2.X10 N go_forward test_pos SFC3.X20 Logical control orders: - Go_forward - Go_backward x min AV Conveyor Logical sensors information: - Load_pos - Test_pos - Unload_pos Δx x max X Conveyer position S3 N go_forward M (t4) S4 (t5) unload_pos SFC4.X30 x = V Motor AR Load_pos x_test x_unload Test_pos Unload_pos S5 N go_backward (t6) load_pos Position (mm) Speed (mm/s) Monitor cycle time (ms) S5 x_load = 0 Nominal Dispersion % Nominal Jitter % x_test = 30 ± % % x_unload = 120

27 Logic controller S1 Mow t1, t2,t3,t4,t5,t6 Plant S1 t1, t2,t3,t4,t5,t6 SFC1 load_pos test_pos unload_pos Monitor TD swatchm ρ tc t1,t2,t3,t4 Output1 go_forwards t5, t6 Mow Axe go_forwards x go_backwards Sensor_load x load_pos Sensor_test x test_pos Output2 go_backwards Sensor_unload x unload_pos

28 EDC1-PLC-HIOATS Monitor TD SFC1 Output1 Local variable: swatchm Output label: syncmow Input labels: syncs1, syncs1t1, syncs1t2, syncs1t3, syncs1t4, syncs1t5, syncs1t6 tc -tc*ptc swatchm tc+tc*ptc!syncmow swatchm tc-tc*ptc swatchm := 0 Start of cycle swatchm 0 swatchm = 1 Traitement swatchm tc+tc*ptc swatchm?syncs1,?syncs1t1,?syncs1t2,?syncs1t3,?syncs1t4,?syncs1t5,?syncs1t6 swatchm 0 swatchm := 0 ptc*= demi étendue de la gigue du temps de cycle (%) = 0.5% de la valeur de tc = 1 Input variables: load_pos, test_pos, unload_pos Constants: SFC2_step10=1, SFC3_step20=0, SFC4_step30=0 Output labels: syncs1, syncs1t1, syncs1t2, syncs1t3, syncs1t4, syncs1t5, syncs1t6!syncs1t6 load_pos = 1!syncS1 SFC2_step10 = 0 Step0!syncS1t1 SFC2_step10 = 1!syncS1 Step1 test_pos = 0!syncS1t2 test_pos = 1!syncS1 Step2 SFC3_step20 = 0!syncS1t3 SFC3_step20 = 1!syncS1 unload_pos = 0 Step3!syncS1t4 unload_pos = 1!syncS1 Step4 SFC4_step30 = 0!syncS1t5 SFC4_step30 = 1!syncS1 Step5 load_pos = 0 Output label: go_forwards Input labels: syncs1t1, syncs1t2, syncs1t3, syncs2t4 output forwards go _ forwards = 0 Output label: go_forwards go_forwards = 0 Output2 Input labels: syncs1t5, syncs1t6 output backwards go _ backwards = 0 go_backwards = 0?:syncS1t1, syncs1t3 go_forwards : = 1?:syncS1t2, syncs1t4 go_forwards : = 0?syncS1t5 go_backwards : = 1?syncS1t6 go_backwards : = 0

29 EDC1-PLANT-HIOATS Plant_axe Plant_sensor_ load Plant_sensor_test Plant_sensor_ unload Output variable: x Local label: syncpaxe Input label: syncmow Output variable: load_pos Local label: syncpsl Output variable: test_pos Local label: syncpst test_pos = 0 Output variable: unload_pos Local label: syncpsu unload_pos = 0!syncPaxe x x_max syncmow go_forwards = 0 go_bacwards = 0!syncPaxe x x_min forward x < x_max x = V syncmow syncmow!syncpsl!syncpsl go_forwards = 1 go_forwards = 0 x x_load e x x_load e go_bacwards = 0 go_bacwards = 0 load_pos : = 1 load_pos : = 0 load stop x = 0 load_pos = 1 x x_load e x x_load + e x = 0 backward x x_min x = V syncmow go_forwards = 0 go_bacwards = 1!syncPsl x x_load + e load_pos : = 0 behind_load x x_load - e load _ pos = 0 load _ pos = 0 ahead_load x x_load + e load _ pos = 0!syncPsl x x_load + e load_pos : = 1 behind_test x x_test - e test _ pos = 0!syncPst!syncPst x x_test e x x_test e test_pos : = 1 test_pos : = 0 test x x_test e x x_test + e test _ pos = 0!syncPst!syncPst x x_test + e x x_test + e test_pos : = 0 test_pos : = 1 ahead_load x x_load + e test _ pos = 0!syncPsu x x_unload e unload_pos : = 1!syncPsu x x_unload + e unload_pos : = 0 behind_unload x x_unload - e unload _ pos = 0 unload x x_unload e x x_unload + e unload _ pos = 0 ahead_unload x x_unload + e unload _ pos = 0!syncPsu x x_unload e unload_pos : = 0!syncPsu x x_unload + e unload_pos : = 1

30