Resilient Formal Synthesis

Transcription

1 Resilient Formal Synthesis Calin Belta Boston University CDC 2017 Workshop: 30 years of the Ramadge-Wonham Theory of Supervisory Control: A Retrospective and Future Perspectives

2 Outline Formal Synthesis Resilient Formal Synthesis Probabilistic Formal Synthesis Quantitative Formal Synthesis Quantitative Distributed Formal Synthesis

3 Outline Formal Synthesis Resilient Formal Synthesis Probabilistic Formal Synthesis Quantitative Formal Synthesis Quantitative Distributed Formal Synthesis

4 Formal Synthesis Design or control a system from a temporal logic specification Messenger robot (black disk) moves in an environment with a base B, data gather region G, recharge regions R, dangerous region D, intersections I Inputs: West, East, South, North. Unreliable actuators and sensors: the transition to a next intersection is not guaranteed (probabilities not known) Specification: Keep on collecting messages from data gather region G and bring them back to the base B. Collect a message and recharge between any two visits to the base. Always avoid the dangerous region D.

5 Formal Synthesis Specification: Keep on collecting messaged from data gather region G and bring them back to the base B. Collect a message and recharge between any two visits to the base. Always avoid the dangerous region D.

6 Formal Synthesis Product automaton Rabin game Nondeterministic transition system Rabin / Buchi automaton

7 Formal Synthesis Product automaton Rabin game Nondeterministic transition system abstraction Rabin / Buchi automaton ẋ = f(x, u)

8 Formal Synthesis Spec: Keep taking photos and upload current photo before taking another photo. Unsafe regions should always be avoided. If fires are detected, then they should be extinguished. If survivors are detected, then they should be provided medical assistance. If both fires and survivors are detected locally, priority should be given to the survivors. z y x photo unsafe upload extinguish upload assist Ulusoy and Belta, IJRR 2014

9 Formal Synthesis Complete but expensive solutions for the finite case Very conservative (incomplete) solutions for the infinite case Not robust (not resilient) Produces Yes / No answers: no information on how close the solution it to a Yes or No How to exploit statistical data if available? If the problem is infeasible, can we get a solution that is ``close to satisfaction?

10 Outline Formal Synthesis Resilient Formal Synthesis Probabilistic Formal Synthesis Quantitative Formal Synthesis Quantitative Distributed Formal Synthesis

11 Probabilistic Formal Synthesis Find a control policy that maximizes the probability of satisfying: Eventually reach Destination by driving through either only Safe regions or through Relatively safe regions only if MedicalSupply is available at such regions

12 Probabilistic Formal Synthesis Maximize the probability of satisfying: Eventually reach Destination by driving through either only Safe regions or through Relatively safe regions only if Medical Supply is available at such regions [(S (R M)) U D] Rabin, Buchi, FS Automaton Experiment1_movie.wmv MDP Product probabilistic automaton MRPP Control policy Ding et.al. IEEE TAC 2014

13 Probabilistic Formal Synthesis Works for stochastic linear systems with additive Gaussian noise Abate et.al., IEEE TAC 2011 Lahijanian et.al., IEEE TAC 2015

14 Outline Formal Synthesis Resilient Formal Synthesis Probabilistic Formal Synthesis Quantitative Formal Synthesis Quantitative Distributed Formal Synthesis

15 Signal Temporal Logic: Boolean and Quantitative Semantics Temporal operators are timed Semantics defined over signals Has qualitative semantics: real-valued function (s, ) [t1,t 2 ](s apple 2.5) [t3,t 4 ](s >3.5) Boolean: True Quantitative: 0.01 Boolean: False Quantitative: -0.2 [t1,t 2 ](s apple 2.5) ^ [t3,t 4 ](s >3.5) Boolean: False Quantitative: -0.2 Boolean satisfaction of STL formulae over linear predicates can be mapped to feasibility of mixed integer linear equalities / inequalities (MILP feasibility) Robustness is piecewise affine in the integer and continuous variables Donze & Maler 2004, Fainekos et.al Raman et. al, 2014 Sadraddini & Belta, 2015 Bemporad and Morari, 1999

16 Optimization-based STL Control min u H J(x H,u H ) (any linear cost, robustness of STL formula) Subject to x + = f(x, u) (any MLD system, e.g., piecewise affine) x H,u H satisfy STL formula over linear predicates Reduces to solving a MILP!

17 Planar Robot Example x + = x + u ' = [40,50] A ^ [0,40] [0,10] B ^ [0,30] C H = 50 Maximum robustness + Minimum fuel Minimum Fuel Only HX 1 HX 1 J = u[ ] J = u[ ] =0 =0

18 STL Model Predictive Control (MPC) Repetitive tasks in infinite time: global STL formulas: [0,1] ' u H [t] = argmin J = J c J = J(x H [t],u H [t]) subject to x + = f(x, u) x H [t] = [t H,t] ' J = M( k k)+j c M is a large number. When < 0, effectively maximize 2M Raman et. al, 2015, Sadraddini and Belta 2015

19 x + = Double Integrator Example x w Spec: [0,1] [0,4] ((x 1 apple 4) ^ (x 1 2)) ^ [0,4] ((x 1 4) ^ (x 1 apple 2)) Minimize fuel. If the spec becomes infeasible, maximize robustness. J = c t+h X 1 =t u[ ] Sadraddini and Belta 2015

20 Optimal Control with Temporal Logic Correctness What we learned so far Boolean satisfaction of STL formulas over linear predicates in state can be mapped to mixed integer linear equalities and inequalities Control of MLD systems to optimize linear costs with correctness as above maps to MILP. Terminal constraints can also be guaranteed To make the above robust to uncertainties in the model, add robustness of the formula in the cost

21 Outline Formal Synthesis Resilient Formal Synthesis Probabilistic Formal Synthesis Quantitative Formal Synthesis Quantitative Distributed Formal Synthesis

22 Multi-agent Systems: coupled dynamics and specification Dynamically coupled agents Network-level (STL) specification system states ' over Network-level cost function J(x, u) A i : x + i 2 F (x i,u i, {x j } j2ni ) S = {A i } i2i Find (optimal) distributed controls policy: minimize J(x, u) s.t. u i = u i (x i, {x j } j2ni ) x = '

23 Contract Based Design Assumption: distributable specifications and costs ^ (A i = ' i ) ) S = ' ' i over x i i A contract is a protocol between agents j!i J(x, u) = X i is a specification over those states of j that appear in the dynamics of i (a promise of j to i) In general, agent i has to solve a robust optimal control problem: Tradeoff: Contract restrictiveness / optimality u i = argmin ui J(x i,u i ) x i ' i ^i2nj i!j x j j!i, 8j 2 N i x + i 2 F (x i,u i, {x j } j2ni ) j i Assume-Guarantee Protocols Henzinger et al, CAV 1998 J(x i, u i )

24 How to find contracts? Challenges: Circular reasoning in networks with many two-way connections Contracts should not block the satisfaction of the original specs. Approach I based on contract mining (compositional synthesis) Parameterize contracts Search until original spec becomes feasible Kim, Arcak, Seshia, CDC 15, HSCC 16, 17 Search can be efficient for some system classes (e.g. monotone systems) Approach II based on control invariant sets for timeglobal specifications Satisfaction can be mapped to invariance in an augmented space If the invariant set is decomposable for individual agents Extract contracts from the sets Nilsson and Ozay, ACC 16 Sadraddini, et.al. ICCPS 17 Sets synthesized using a feasibility problem (LMI/MILP) Straightforward extension: In both approaches, if satisfying contracts are not found, minimally violating ones can be generated

25 Example: Distributed Traffic Management ' = [0,1) ((x, u) 2 ) ^ [0,1) [0,120s] (u 12 = u 46 = u 54 =red)^ [0,1) (x 59 + x 60 + x 65 + x 66 apple 100) Issue: No congestion Pedestrian liveness at all directions every at most 120 seconds Optimal correct control is computationally difficult for online implementation. Solution: Low volume on eastern bridge Divide the network to distinct neighborhoods. Each neighborhood is an agent interacting with other agents

26 Distributed Optimal Traffic Control Network and Specification Partitioning to neighborhoods (agents) Contract Synthesis Control Synthesis Sadraddini, Rudan, Belta, ICCPS 17 Example: contract between agent 3 and agent 4: Agent 3 Promises to agent 4 about flow of links 12 and 83: 3!4 = V 2N {6 } ((y 12 = 0) ^ {6 +1} (y 12 apple 12) ^ {6 +2} (y 12 apple 1.5) ^ {6 +3} (y 12 apple 9.6) ^ {6 +4} (y 12 = 0) ^ {6 +5} (y 12 apple 3.95) ^ {6 } ((y 83 = 0) ^ {6 +1} (y 83 apple 3) ^ {6 +2} (y 83 apple 0.36) ^ {6 +3} (y 83 apple 2.4) ^ {6 +4} (y 83 = 0) ^ {6 +5} (y 83 apple 0.99) Agent 4 promises to agent 3 about flow of link 6 4!3 = V 2N {6 } ((y 6 apple 2.4) ^ {6 +1} (y 6 apple 3.1) ^ {6 +2} (y 6 apple 4.5) ^ {6 +3} (y 6 apple 2.4) ^ {6 +4} (y 12 apple 3.4) ^ {6 +5} (y 6 apple 8.95) Results: Spec is satisfied for all allowable exogenous demands Network-level delay minimized Computational times on PC: Contract synthesis: ~ 5 seconds MPC optimization one instance: Centralized: ~ 30 mins Distributed : ~ 1 second Total Vehicular Delay in 15 mins simulation: Fixed lights: ~ 27 hours Centralized: ~ 16 hours Distributed: ~ 18 hours

27 Acknowledgements Sadra Sadradini Jana Tumova (now at KTH) Alphan Ulusoy (now at Mathworks) Morteza Lahijanian (now at U. of Oxford)