Step Simulation Based Verification of Nonlinear Deterministic Hybrid System

Size: px

Start display at page:

Download "Step Simulation Based Verification of Nonlinear Deterministic Hybrid System"

Darrell Neal
5 years ago
Views:

1 Step Simulation Based Verification of Nonlinear Deterministic Hybrid System Ratnesh Kumar, Professor, IEEE Fellow PhD Student: Hao Ren Electrical and Computer Engineering Iowa State University

2 Verification of Hybrid Systems Hybrid system verification required for safety-critical cyber-physical applications

3 Verification of Hybrid Systems Hybrid system verification required for safety-critical cyber-physical applications One approach: Successive Abstraction + Refinement

4 Verification of Hybrid Systems Hybrid system verification required for safety-critical cyber-physical applications One approach: Successive Abstraction + Refinement Another approach: Simulation-based verification (for finite-horizon safety) Execute finite number of representative simulations, and bloat to cover all initial states Useful for runtime assurance

5 Model-based Automated Test Generation Simulink/Stateflow Model I/O-EFA Model Model Translation Set of all Computation Paths Computation Extraction Feasible Paths Feasibility Analysis Test Report Test Generation Reachable paths & their test cases Test Validation & Error Localization

6 Runtime Assurance: Simplex Architecture Control Switch at current state x if: [X A (x,t) X B ] Finite-time reachability required Baseline control Switching/ Steering System Plant B : Safety region for baseline control (states from where system can be safely steered to target states and maintained there) Advance control

7 Runtime Assurance: Simplex Architecture X B: Safety region for baseline control (states from where system can be safely steered to target states and maintained there) Control Switch at current state x if: [X A (x,t) X B ] Finite-time reachability required Baseline control Switching/ Steering System Plant Advance control Some notation: X A (x,t): Active safety margin (states reachable under advanced control from current state x, within system s reaction time T) Unsafe x X B X A (x,t) target

8 Runtime Assurance: Simplex Architecture Finite-time reachability required X B] Control Switch at current state x if: Finite-time reachability required [X A (x,t) X B ] Finite-time reachability required Baseline control Switching/ Steering System Plant Advance control Some notation: X A (x,t): Active safety margin (states reachable under advanced control from current state x, within system s reaction time T) Unsafe x X B X A (x,t) target

9 Introduction to Simulation-based Verification Nonlinear system: X 0 state set at t 0 x 1

10 Introduction to Simulation-based Verification Nonlinear system: state set at t X 0 state set at t 0 x 1

11 Introduction to Simulation-based Verification Nonlinear system: state set at t X 0 p 1 p 2 state set at t 0 x 1

12 Introduction to Simulation-based Verification Nonlinear system: state set at t p 1 p 2 For Lipschitz-cont flows: (dx/dt=f(x) f(x)-f(y) L x-y ) d(trace 1,trace 2 ) h(d(p 1,p 2 ), (t -t 0 ), L) X 0 p 1 p 2 state set at t 0 x 1

13 Introduction to Simulation-based Verification Nonlinear system: X 0 p 1 γ state set at t p 1 For Lipschitz-cont flows: (dx/dt=f(x) f(x)-f(y) L x-y ) d(trace 1,trace 2 ) h(d(p 1,p 2 ), (t -t 0 ), L) Can bloat tube around an execution trace to bound all traces in γ-neighborhood of initial state state set at t 0 x 1

14 Introduction to Simulation-based Verification Nonlinear system: X 0 p 1 state set at t 0 state set at t For Lipschitz-cont flows: (dx/dt=f(x) f(x)-f(y) L x-y ) d(trace 1,trace 2 ) h(d(p 1,p 2 ), (t -t 0 ), L) Can bloat tube around an execution trace to bound all traces in γ-neighborhood of initial state So create representative cover/state for initial set X 0 x 1

15 Introduction to Simulation-based Verification Nonlinear system: X 0 p 1 state set at t For Lipschitz-cont flows: (dx/dt=f(x) f(x)-f(y) L x-y ) d(trace 1,trace 2 ) h(d(p 1,p 2 ), (t -t 0 ), L) Can bloat tube around an execution trace to bound all traces in γ-neighborhood of initial state So create representative cover/state for initial set X 0 state set at t 0 x 1 Bloat tube around execution trace of each representative state to bound reachability

16 Introduction to Simulation-based Verification Nonlinear system: X 0 p 1 state set at t For Lipschitz-cont flows: (dx/dt=f(x) f(x)-f(y) L x-y ) d(trace 1,trace 2 ) h(d(p 1,p 2 ), (t -t 0 ), L) Can bloat tube around an execution trace to bound all traces in γ-neighborhood of initial state So create representative cover/state for initial set X 0 state set at t 0 x 1 Bloat tube around execution trace of each representative state to bound reachability Hybrid system: p 1 p 2 A neighboring execution may witness different discrete evolution, causing bloating to not work t 2 p 2 p 1 p2 t 0 t 1

17 Introduction to Simulation-based Verification Nonlinear system: X 0 p 1 state set at t For Lipschitz-cont flows: (dx/dt=f(x) f(x)-f(y) L x-y ) d(trace 1,trace 2 ) h(d(p 1,p 2 ), (t -t 0 ), L) Can bloat tube around an execution trace to bound all traces in γ-neighborhood of initial state So create representative cover/state for initial set X 0 state set at t 0 x 1 Bloat tube around execution trace of each representative state to bound reachability Hybrid system: p 1 p 2 A neighboring execution may witness different discrete evolution, causing bloating to not work p 1 p2 t 0 t 1 t 2 p 2 Existing literature: Computation of representative cover not provided (and so only works under stringent requirements, eg, no jumps, time-triggered switching, simulation and execution traces witness same discrete evolution)

18 Error Propagation (for bloating ) γ i err i ε δ γ i+1 reference execution trace execution trace from representative neighbor simulation trace from representative neighbor simulation values t i t i+1

19 Error Propagation (for bloating ) γ i err i ε δ t i t i+1 γ i+1 reference execution trace execution trace from representative neighbor simulation trace from representative neighbor simulation values when no mode change in (t i t i+1 ): γ i+1 γ i e Liδ + ε

20 Error Propagation (for bloating ) γ i err i ε δ t i t i+1 γ i+1 reference execution trace execution trace from representative neighbor simulation trace from representative neighbor simulation values when no mode change in (t i t i+1 ): γ i+1 γ i e Liδ + ε when a single mode change from location i to j (owing to minimum dwell time): γ i+1 (γ i +M/L j )e Lδ -M/L j + ε, where L=max{L i, L j }, M=sup x Inv(i) Inv(j) f i (x)-f j (x) (assumes Lipschitz continuity, minimum dwell-time, hybrid system without jumps, ie, switched systems, and identical discrete evolution for the reference and representative execution traces)

21 γ i Error Propagation (for bloating ) err i ε δ t i t i+1 γ i+1 reference execution trace execution trace from representative neighbor simulation trace from representative neighbor simulation values when no mode change in (t i t i+1 ): γ i+1 γ i e Liδ + ε when a single mode change from location i to j (owing to minimum dwell time): γ i+1 (γ i +M/L j )e Lδ -M/L j + ε, where L=max{L i, L j }, M=sup x Inv(i) Inv(j) f i (x)-f j (x) (assumes Lipschitz continuity, minimum dwell-time, hybrid system without jumps, ie, switched systems, and identical discrete evolution for the reference and representative execution traces) inv(l ) Without said assumptions, above error bounds don t hold, as shown in figure to right: γ i?? guard(l, l ) inv(l) γ i-1 t i-1 t i t i+1

22 Our idea: Successive Cover Refinement Case I (no discrete mode change in current step): γ i t i x1

23 Our idea: Successive Cover Refinement Case I (no discrete mode change in current step): 1. do step simulation γ i t i x1

24 Our idea: Successive Cover Refinement γ i+1 Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 γ i t i t i+1 x 1

25 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions x 1

26 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1

27 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1 Case II (discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build tube γ i+1 γ i t i t i+1 x 1

28 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1 Case II (discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build tube 4. check guard conditions guard(l,l ) γ i+1 l l γ i t i t i+1 x 1

29 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1 guard(l,l ) jump(l,l ) γ i+1 l l Case II (discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build tube 4. check guard conditions 5. if a discrete transition witnessed: 5.1 intersect reach and guard sets to get entry face, and apply jump condition γ i t i t i+1 x 1

30 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1 jump(l,l ) guard(l,l ) γ i γ i+1 t i t i+1 l l Case II (discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build tube 4. check guard conditions 5. if a discrete transition witnessed: 5.1 intersect reach and guard sets to get entry face, and apply jump condition 5.2 Equi-partition the new face x 1

31 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1 jump(l,l ) guard(l,l ) γ i γ i+1 t i t i+1 l l Case II (discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build tube 4. check guard conditions 5. if a discrete transition witnessed: 5.1 intersect reach and guard sets to get entry face, and apply jump condition 5.2 Equi-partition the new face 5.3 simulate/build tubes to get the reachable state set at t i+1 in the new discrete state x 1

32 Our idea: Successive Cover Refinement guard(l,l ) γ i γ i+1 t i t i+1 l l Case I (no discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build the tube 4. check guard conditions 5. if no discrete transition witnessed: advance time, go to first step and repeat x 1 jump(l,l ) guard(l,l ) γ i γ i+1 t i t i+1 l l x 1 Case II (discrete mode change in current step): 1. do step simulation 2. compute error bound γ i+1 at t i+1 3. bloat to build tube 4. check guard conditions 5. if a discrete transition witnessed: 5.1 intersect reach and guard sets to get entry face, and apply jump condition 5.2 Equi-partition the new face 5.3 simulate/build tubes to get the reachable state set at t i+1 in the new discrete state 6. Advance time, go to first step and repeat

Engine Reset initial/ Refine parameter Check guards/safety Results & plots Partition

33 HS 3 V: Tool for Simulation-based Verification Prototype tool, Hybrid System Step Simulation Verifier (HS 3 V) implemented using C# Input file Create/Refine model HS 3 V Engine Reset initial/ Refine parameter Check guards/safety Results & plots Partition initial states Build Tube Simulator ALGLIB2.0 Polygon operation Clipper libraries: Visualizer Gnuplot

34 Example 1: Brussellator System Nonlinear dynamics (single mode) A model for a type of chemical reaction System Dynamics: ẋ = 1+ y - 2.5x ẏ = 1.5x - y

35 Example 1: Brussellator System Nonlinear dynamics (single mode) A model for a type of chemical reaction System Dynamics: ẋ = 1+ y - 2.5x ẏ = 1.5x - y Experimental result: unsafe zone the reachable state set tube grows by steps reachable state set tube initial zone

36 Example 1: Brussellator System Nonlinear dynamics (single mode) A model for a type of chemical reaction System Dynamics: ẋ = 1+ y - 2.5x ẏ = 1.5x - y Experimental result: unsafe zone the reachable state set tube grows by steps reachable state set tube initial zone since unsafe zone is reached, we refine the neighborhood parameter: γ γ/2, then rerun verification.

37 Example 1: Brussellator System Nonlinear dynamics (single mode) A model for a type of chemical reaction System Dynamics: ẋ = 1+ y - 2.5x ẏ = 1.5x - y Experimental result: unsafe zone the reachable state set tube grows by steps reachable state set tube initial zone since unsafe zone is reached, we refine the neighborhood parameter: γ γ/2, then rerun verification. safety property is verified with the refined parameter.

38 Example 1: Brussellator System unsafe zone initial zone

39 Example 1: Brussellator System unsafe zone initial zone the initial simulation seeds partition of the initial state set along the boarder

40 Example 1: Brussellator System unsafe zone tube segment [t i-1, t i ] initial zone the initial simulation seeds partition of the initial state set along the boarder the tube segment between [t i-1, t i ] (the reachable state set between [t i-1, t i ])

41 Example 1: Brussellator System unsafe zone tube segment [t i-1, t i ] initial zone the initial simulation seeds partition of the initial state set along the boarder v i v i-1 the tube segment between [t i-1, t i ] (the reachable state set between [t i-1, t i ]) each unit is built around simulation trace (v i-1, v i )

42 Example 2: Bouncing ball System A linear hybrid dynamical system Mode switch at collision of ball with the ground. System Dynamics: ẋ = -g ḣ = x Guard condition: h=0 Jump/Reset condition: x + = -0.8 x -

43 Example 2: Bouncing ball System A linear hybrid dynamical system Mode switch at collision of ball with the ground. System Dynamics: ẋ = -g ḣ = x Guard condition: h=0 Jump/Reset condition: x + = -0.8 x - Experimental result: unsafe zone reachable state set tubes initial zone

44 Example 2: Bouncing ball System unsafe zone reachable state set tubes initial zone

45 Example 2: Bouncing ball System An intermediate reachability plot, showing reachable states prior to executing jump guard: x 1 = 0 (height = 0) initial zone unsafe zone reachable state set tubes initial zone

46 Example 2: Bouncing ball System An intermediate reachability plot, showing reachable states prior to executing jump guard: x 1 = 0 (height = 0) initial zone unsafe zone reachable state set tubes initial zone entry face jump mapping Intersect with guard condition to get the entry face

47 Example 2: Bouncing ball System An intermediate reachability plot, showing reachable states prior to executing jump guard: x 1 = 0 (height = 0) initial zone unsafe zone reachable state set tubes initial zone entry face jump mapping the group of simulation seeds generated at step: When the tube crosses the guard condition, it usually takes multiple steps. Each step generates an entry face. Therefore we get multiple sets of simulation samples in the new discrete state. Intersect with guard condition to get the entry face

48 Conclusion and Future works Contribution: Simulation-based Verification: A promising approach to boundedtime safety analysis of Hybrid Systems Future Directions: Tighter error propagation HS 3 V tool enhancement Open systems (one with inputs) Integration with application, such as Runtime assurance

49 Conclusion and Future works Contribution: Simulation-based Verification: A promising approach to boundedtime safety analysis of Hybrid Systems Future Directions: Tighter error propagation HS 3 V tool enhancement Open systems (one with inputs) Integration with application, such as Runtime assurance

An Introduction to Hybrid Systems Modeling

CS620, IIT BOMBAY An Introduction to Hybrid Systems Modeling Ashutosh Trivedi Department of Computer Science and Engineering, IIT Bombay CS620: New Trends in IT: Modeling and Verification of Cyber-Physical