Verification of Nonlinear Hybrid Systems with Ariadne

Similar documents
Verification of Hybrid Systems with Ariadne

CEGAR:Counterexample-Guided Abstraction Refinement

Hybrid Control and Switched Systems. Lecture #1 Hybrid systems are everywhere: Examples

AUTOMATIC CONTROL. Andrea M. Zanchettin, PhD Spring Semester, Introduction to Automatic Control & Linear systems (time domain)

FMCAD 2013 Parameter Synthesis with IC3

Analysis of a Boost Converter Circuit Using Linear Hybrid Automata

Approximation Metrics for Discrete and Continuous Systems

APPROXIMATE SIMULATION RELATIONS FOR HYBRID SYSTEMS 1. Antoine Girard A. Agung Julius George J. Pappas

Models for Control and Verification

Using Theorem Provers to Guarantee Closed-Loop Properties

The algorithmic analysis of hybrid system

Active Fault Diagnosis for Uncertain Systems

Safety and Liveness Properties

Hybrid systems and computer science a short tutorial

Hybrid Automata. Lecturer: Tiziano Villa 1. Università di Verona

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Discrete abstractions of hybrid systems for verification

CM 3310 Process Control, Spring Lecture 21

Flat counter automata almost everywhere!

Simplification of finite automata

Controlling probabilistic systems under partial observation an automata and verification perspective

Lecture 6: Reachability Analysis of Timed and Hybrid Automata

ONR MURI AIRFOILS: Animal Inspired Robust Flight with Outer and Inner Loop Strategies. Calin Belta

Hierarchical Control of Piecewise Linear Hybrid Dynamical Systems Based on Discrete Abstractions Λ

Hybrid Automata and ɛ-analysis on a Neural Oscillator

Work in Progress: Reachability Analysis for Time-triggered Hybrid Systems, The Platoon Benchmark

Chapter 2 Review of Linear and Nonlinear Controller Designs

Static Program Analysis using Abstract Interpretation

A Gentle Introduction to Reinforcement Learning

Scalable Static Hybridization Methods for Analysis of Nonlinear Systems

Classes and conversions

Modeling and Analysis of Hybrid Systems

ProbReach: Probabilistic Bounded Reachability for Uncertain Hybrid Systems

A Decidable Class of Planar Linear Hybrid Systems

QUANTIZED SYSTEMS AND CONTROL. Daniel Liberzon. DISC HS, June Dept. of Electrical & Computer Eng., Univ. of Illinois at Urbana-Champaign

Prashant Mhaskar, Nael H. El-Farra & Panagiotis D. Christofides. Department of Chemical Engineering University of California, Los Angeles

Process Control Hardware Fundamentals

Symbolic Verification of Hybrid Systems: An Algebraic Approach

Automatic determination of numerical properties of software and systems

Tuning PI controllers in non-linear uncertain closed-loop systems with interval analysis

Reachability Analysis for Hybrid Dynamic Systems*

Timed Automata with Observers under Energy Constraints

Ellipsoidal Toolbox. TCC Workshop. Alex A. Kurzhanskiy and Pravin Varaiya (UC Berkeley)

Introduction to Process Control

Proving Safety Properties of the Steam Boiler Controller. Abstract

CHAPTER 5 ROBUSTNESS ANALYSIS OF THE CONTROLLER

FAULT-TOLERANT CONTROL OF CHEMICAL PROCESS SYSTEMS USING COMMUNICATION NETWORKS. Nael H. El-Farra, Adiwinata Gani & Panagiotis D.

An Introduction to Hybrid Systems Modeling

Reachability Analysis of Nonlinear and Hybrid Systems using Zonotopes May 7, / 56

Stability Analysis and Synthesis for Scalar Linear Systems With a Quantized Feedback

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

Reachability Analysis: State of the Art for Various System Classes

Semi-decidable Synthesis for Triangular Hybrid Systems

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

for System Modeling, Analysis, and Optimization

Linear Time Logic Control of Discrete-Time Linear Systems

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata. Susmit Jha, Bryan Brady and Sanjit A. Seshia

Static-Dynamic Analysis of Security Metrics

c 2011 Kyoung-Dae Kim

Numerical Methods. Root Finding

APPROXIMATING SWITCHED CONTINUOUS SYSTEMS BY RECTANGULAR AUTOMATA

Step Simulation Based Verification of Nonlinear Deterministic Hybrid System

Automata-theoretic analysis of hybrid systems

models, languages, dynamics Eugene Asarin PIMS/EQINOCS Workshop on Automata Theory and Symbolic Dynamics LIAFA - University Paris Diderot and CNRS

Set-valued Observer-based Active Fault-tolerant Model Predictive Control

Project #1 Internal flow with thermal convection

Verifying Safety Properties of Hybrid Systems.

Euler s Method applied to the control of switched systems

Modeling and Analysis of Dynamic Systems

Modeling of Hydraulic Control Valves

Modeling and Verifying a Temperature Control System using Continuous Action Systems

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Synthesizing Switching Logic using Constraint Solving

Decentralized Control of Discrete Event Systems with Bounded or Unbounded Delay Communication

Course on Hybrid Systems

Deductive Verification of Continuous Dynamical Systems

Verification of analog and mixed-signal circuits using hybrid systems techniques

Lecture 9 Nonlinear Control Design

Parameter iden+fica+on with hybrid systems in a bounded- error framework

Georg Frey ANALYSIS OF PETRI NET BASED CONTROL ALGORITHMS

Process Control J.P. CORRIOU. Reaction and Process Engineering Laboratory University of Lorraine-CNRS, Nancy (France) Zhejiang University 2016

Modeling & Control of Hybrid Systems. Chapter 7 Model Checking and Timed Automata

Overview of Control System Design

Uncertainty modeling for robust verifiable design. Arnold Neumaier University of Vienna Vienna, Austria

Petri nets. s 1 s 2. s 3 s 4. directed arcs.

Simulated Annealing for Constrained Global Optimization

Safety analysis and standards Analyse de sécurité et normes Sicherheitsanalyse und Normen

An Algorithm Inspired by Constraint Solvers to Infer Inductive Invariants in Numeric Programs

Robust and Gain-Scheduled PID Controller Design for Condensing Boilers by Linear Programming

Formally Analyzing Adaptive Flight Control

Heat Exchangers for Condensation and Evaporation Applications Operating in a Low Pressure Atmosphere

Development of an organometallic flow chemistry. reaction at pilot plant scale for the manufacture of

Modeling and Model Predictive Control of Nonlinear Hydraulic System

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Lecture 8. Root finding II

Linear Temporal Logic and Büchi Automata

7 RC Simulates RA. Lemma: For every RA expression E(A 1... A k ) there exists a DRC formula F with F V (F ) = {A 1,..., A k } and

Set- membership es-ma-on of hybrid dynamical systems.

Synthesising Certificates in Networks of Timed Automata

Design of Decentralised PI Controller using Model Reference Adaptive Control for Quadruple Tank Process

Transcription:

Verification of Nonlinear Hybrid Systems with Ariadne Luca Geretti and Tiziano Villa June 2, 2016 June 2, 2016 Verona, Italy 1 / 1

Outline June 2, 2016 Verona, Italy 2 / 1

Outline June 2, 2016 Verona, Italy 3 / 1

The issue with nonlinearity Reachable sets cannot be represented in an effective and efficient way Most set operations on accurate representations are undecidable. Coarse approximations are ultimately needed to recover decidability. Set representations play a particularly important role, as a tradeoff between effectiveness and efficiency. June 2, 2016 Verona, Italy 4 / 1

Representing regions of space Subsets of R n are approximated by finite unions of basic sets: intervals, simplices, cuboids, parallelotopes, zonotopes, polytopes, spheres and ellipsoids, Taylor sets. Finite unions of basic sets of a given type are called denotable sets. June 2, 2016 Verona, Italy 5 / 1

Approximating regions Approximating Re with A 1 Inner approximation: Re strictlay contains A. 2 Outer approximation: Re is strictly contained in A. 3 ε-lower approximation: every point of A is at distance less than ε from a point of Re. Inner approximation is used for specification of system s properties (System Property inner Property), but it is not computable in general. Outer and ε-lower approximations can be used to verify property satisfaction. June 2, 2016 Verona, Italy 6 / 1

Property satisfaction in terms of sets Re O S 1 S 2 Re L ϵ Re S 1 ϵ Re S 2 Re is the (exact) reachable set. O is the outer approximation. L ε is the ε-lower approximation. S 1, S 2 are sets within which a property is satisfied. June 2, 2016 Verona, Italy 7 / 1

Hybrid regions and Hybrid grid sets Definition (Hybrid sets) Hybrid sets are subsets of the space V R n. We start from hybrid basic sets that pair a location of the automaton with a single basic set: hybrid intervals, hybrid simplices, hybrid cuboids, hybrid parallelotopes, hybrid zonotopes, hybrid polytopes, hybrid spheres and hybrid ellipsoids, hybrid Taylor sets. Finite unions of hybrid basic sets are called hybrid denotable sets. Hybrid sets are approximated by hybrid denotable sets. June 2, 2016 Verona, Italy 8 / 1

Hybrid regions and Hybrid grid sets Definition (Hybrid grids) A grid for every location of the automaton. Hybrid sets are approximated by marking the cells on the grids. Hybrid grid sets are practical but coarse: Union, intersection, difference and inclusion can be performed efficiently. They introduce large over-approximations. They do not scale well when more precision is required. June 2, 2016 Verona, Italy 9 / 1

Outline June 2, 2016 Verona, Italy 10 / 1

Introduction to Ariadne Developed by a joint team including the University of Verona, CWI/University of Maastricht, the University of Udine and the company PARADES/ALES (Rome). Based on a rigorous mathematical semantics for the numerical analysis of continuous and hybrid systems. Exploits reachability analysis to prove properties of nonlinear systems, especially for safety verification. Released as an open source distribution. June 2, 2016 Verona, Italy 11 / 1

Approximate Reachability Analysis Given a hybrid automaton H, an initial set I, Ariadne can compute: an outer approximation of the states reached by H starting from I. for a given ε > 0, an ε-lower approximation of the states reached by H starting from I. June 2, 2016 Verona, Italy 12 / 1

The reachability algorithm of Ariadne for O 1 Start from the initial Taylor set and compute the continuous evolution of the automaton within the bounding set, until no new states are reached. Mark the cells of the projection of the reach set on the grid, until no more cells can be marked. 2 When no more cells can be marked, compute a single discrete evolution step from the reached Taylor set. Mark the new cells of the grid that are reached by the discrete step. 3 If new cells are reached, go to (1). Otherwise, stop. The grid and the bounding set are essential for termination! June 2, 2016 Verona, Italy 13 / 1

Computing the continuous evolution (1) 1 Convert the cells to basic sets (Taylor sets + error term). 2 Integrate the continuous dynamics with integration step h for a user-given number of steps. 3 If a set becomes too large, split it. 4 Project back to the grid. June 2, 2016 Verona, Italy 14 / 1

Computing the continuous evolution (1) 1 Convert the cells to basic sets (Taylor sets + error term). 2 Integrate the continuous dynamics with integration step h for a user-given number of steps. 3 If a set becomes too large, split it. 4 Project back to the grid. June 2, 2016 Verona, Italy 14 / 1

Computing the continuous evolution (1) 1 Convert the cells to basic sets (Taylor sets + error term). 2 Integrate the continuous dynamics with integration step h for a user-given number of steps. 3 If a set becomes too large, split it. 4 Project back to the grid. June 2, 2016 Verona, Italy 14 / 1

Computing the continuous evolution (1) 1 Convert the cells to basic sets (Taylor sets + error term). 2 Integrate the continuous dynamics with integration step h for a user-given number of steps. 3 If a set becomes too large, split it. 4 Project back to the grid. June 2, 2016 Verona, Italy 14 / 1

Computing the continuous evolution (2) 5 Check if new grid cells have been reached. 6 If so, go back to (1). 7 The snapshot is discretised and added to the set of cells. When a new snapshot does not provide additional contribution, the current set of cells is returned as the reachability result. June 2, 2016 Verona, Italy 15 / 1

Computing the continuous evolution (2) 5 Check if new grid cells have been reached. 6 If so, go back to (1). 7 The snapshot is discretised and added to the set of cells. When a new snapshot does not provide additional contribution, the current set of cells is returned as the reachability result. June 2, 2016 Verona, Italy 15 / 1

Computing the continuous evolution (2) 5 Check if new grid cells have been reached. 6 If so, go back to (1). 7 The snapshot is discretised and added to the set of cells. When a new snapshot does not provide additional contribution, the current set of cells is returned as the reachability result. June 2, 2016 Verona, Italy 15 / 1

Computing the discrete evolution Computing the discrete evolution is simpler: 1 For every control switch e E, determine the set of cells that intersect with Act(e). 2 If such set is not empty, apply the reset function Reset(e) to obtain the set of cells reached by the transition. Upper Semantics: When there are multiple enabled transitions, or when the system exhibits grazing (tangential contact between a reached region and an activation set), all possible transitions are taken. June 2, 2016 Verona, Italy 16 / 1

Computing ε-lower evolution The computation of the ε-lower approximation uses a different algorithm: 1 Start from the initial set and compute the continuous evolution for a time-step t. Do not discretize the result. 2 Compute a single discrete evolution step. 3 If the width of the flow tube is smaller than a given ε, go to (1). Otherwise, discretize the computed set and stop. June 2, 2016 Verona, Italy 17 / 1

Outline June 2, 2016 Verona, Italy 18 / 1

The watertank example der a simple control problem consisting of controlling the water level in a k equipped with an inlet pipe at the top and an outlet pipe at the bottom (see The outlet flow depends on the water level while the inlet flow is controlled hose position is regulated by a controller receiving the measurement of the y an appropriate sensor. Figure 2.1: Water tank system. Outlet flow F out depends on the water level (F out (t) = λ x(t)). Inlet flow F in is controlled by the valve position (F in (t) = u(t)). The controller senses the water level and sends the appropriate commands to the valve. apter, two different systems equipped with the same cylindric tank will be e first system is characterized by a hysteresis controller and by a on off ed by a 4-locations hybrid model (see Section 2.1). The second system June 2, 2016 Verona, Italy 19 / 1 zed by a proportional controller with gain scheduling and by a first order

The watertank control loop p(t) Controller command Actuator: valve u(t) Plant: tank x s (t) Sensor x(t) δ June 2, 2016 Verona, Italy 20 / 1

Modeling the water tank Tank automaton Sensor automaton ẋ(t) = λ x(t)+u(t) x = H u λ H ẋ(t) =0 xs(t) =x(t)+δ(t) 0 x H x = H u λ H x(t) =H u(t) λ H q1 q2 r1 Controller automaton c1 l xs(t) h Valve automaton α(t) =0 u(t) =0 open α(t) =1/T u(t) =α(t)f(p(t)) α =0 0 α 1 xs l open xs h close v1 open α = 0 α = 1 v2 xs h close xs(t) h close xs(t) l α(t) = 1/T u(t) =α(t)f(p(t)) close α(t) =0 u(t) =f(p(t)) c2 xs l open c3 0 α 1 α =1 v4 v3 June 2, 2016 Verona, Italy 21 / 1

The water tank automaton ẋ(t) = λ x(t)+u(t) x = H u λ H ẋ(t) =0 x = H u λ x(t) =H 0 x H H u(t) λ H q 1 q 2 x(t) it the water level, u(t) is the inlet flow. q 1 represents the situation when there is no water overflow. q 2 represents the situation when there is water overflow. June 2, 2016 Verona, Italy 22 / 1

The water tank automaton λ H is the largest outflow λ x when x = H. x = H u > λ H is the case when the water is at the top level H and the inflow u is larger than the largest outflow λ H. when in q 2, if (by the action of the controller) the valve angle decreases, then u decreases to the point that the invariant x = H u > λ H is not true anymore, and so the transition to q 1 is taken under the guard x = H u λ H. June 2, 2016 Verona, Italy 23 / 1

The sensor automaton x s (t) =x(t)+δ(t) r 1 The input is the real water level x(t) provided by the tank. The output is the measured water level x s (t) = x(t) + δ for the controller (where δ is an interval ( δ 1, δ 1 )). June 2, 2016 Verona, Italy 24 / 1

A simple hysteresis controller c 1 l x s(t) h x s l open x s h close x s h close x s(t) h x s(t) l c 2 x s l open c 3 The input is the measured water level x s (t) provided by the sensor. The output is the command signal open or close for the valve. The controller produces the open command when x s (t) l, and it produces the close command when x s (t) h. l and h are lower and upper water levels. June 2, 2016 Verona, Italy 25 / 1

The valve automaton α(t) =0 u(t) =0 open α(t) =1/T u(t) =α(t)f(p(t)) α =0 0 α 1 v 1 open v 2 α = 0 α = 1 close α(t) = 1/T u(t) =α(t)f(p(t)) 0 α 1 close α(t) =0 u(t) =f(p(t)) α =1 v 4 v 3 In response to a command, the valve aperture changes linearly in time with rate 1/T. June 2, 2016 Verona, Italy 26 / 1

The valve automaton The pressure p(t) is assumed to be any constant value in an interval [p 1, p 2 ], where p 1 and p 2 are respectively the minimum and the maximum of p(t) over a time interval of interest. One may assume f (p(t)) = k p, where p is a constant value from an interval (see above) and so it can be used also in a linear model. June 2, 2016 Verona, Italy 27 / 1

The complete watertank automaton ẋ(t) = λ x(t)+α(t)f(p(t)) α(t) =1/T 0 x(t) h δ(t) 0 α(t) 1 x l δ(t) α =1 x = H ẋ(t) = λ x(t)+f(p(t)) α(t) =0 0 x(t) h δ(t) α(t) =1 l u λ H 0 l 1 x l δ(t) x h δ(t) x h δ(t) ẋ(t) = λ x(t) α(t) =0 l δ(t) x(t) H α(t) =0 α =0 ẋ(t) = λ x(t)+α(t)f(p(t)) α(t) = 1/T l δ(t) x(t) H 0 α(t) 1 x = H u λ H x = H u λ H ẋ(t) =0 α(t) = 1/T x(t) =H u λ H 0 α(t) 1 l 2 l 3 l 4 June 2, 2016 Verona, Italy 28 / 1

The complete watertank automaton The automaton is obtained by the composition and reduction of all the automata of the system. The locations l 0 and l 3 model respectively when the valve is opening and when the valve is closing. The locations l 1 and l 2 model respectively when the valve is open and when the valve is closed. The location l 4 models when there is overflow; the transitions between l 4 and l 3 handle the passage between overflow and decrease of water below the top level. June 2, 2016 Verona, Italy 29 / 1

Evolution of the watertank Horizontal axis: time t; vertical axis: water level x(t). The water level in the tank oscillates widely periodically between the lower level l and the upper level h. June 2, 2016 Verona, Italy 30 / 1

Outline June 2, 2016 Verona, Italy 31 / 1

Assume-guarantee system specification The system is specified as a set of components. Every component is annotated with a pair (A i, G i ) of assumptions and guarantees. The requirements (A, G) of the whole system are decomposed into a set of simpler requirements (A i, G i ) that, if satisfied, guarantee that the overall requirements (A, G) are satisfied. June 2, 2016 Verona, Italy 32 / 1

Safety checking Let C be a component of the system, annotated with assumptions A and guarantees G. With Ariadne we can verify whether the component C respects the safety guarantees G or not given the assumptions A. Represent the component C by a hybrid automaton H with inputs and outputs. Assumptions A are represented by a hybrid automaton H A that specifies the possible inputs U for H. Guarantees G specify the possible outputs Y of automaton H. This is a reachability analysis problem: Reach(H H A ) Sat(G). June 2, 2016 Verona, Italy 33 / 1

Safety checking by grid refinement 1 Compute an outer-approximation O of Reach(H H A ) using a grid of a given size. 2 If O Sat(G), the system is verified to be safe. Exit with success. 3 Otherwise, compute an ε-lower approximation L ε of Reach(H H A ). The value of ε depends on the size of the grid (typically, ε is a small multiple of the size of a grid cell). 4 If there exists at least a point in L ε that is outside Sat(G) by more than ε, the system is verified to be unsafe. Exit with failure. 5 Otherwise, set the grid to a finer size and restart from point 1. June 2, 2016 Verona, Italy 34 / 1

Verifying the water tank Safety property: the water level between 5.25 and 8.25 meters. First iteration: grid 1/8 1/80 (x-axis: x(t), y-axis: α(t)). Outer reach is not safe, try lower reach. Green: safe set Orange: ε-tolerance Red: computed set June 2, 2016 Verona, Italy 35 / 1

Verifying the water tank Safety property: the water level between 5.25 and 8.25 meters. First iteration: grid 1/8 1/80 (x-axis: x(t), y-axis: α(t)). Lower reach is not unsafe, refine grid. Green: safe set Orange: ε-tolerance Red: computed set June 2, 2016 Verona, Italy 35 / 1

Verifying the water tank Safety property: the water level between 5.25 and 8.25 meters. Second iteration: grid 1/16 1/160 (x-axis: x(t), y-axis: α(t)). Outer reach is not safe, try lower reach. Green: safe set Orange: ε-tolerance Red: computed set June 2, 2016 Verona, Italy 35 / 1

Verifying the water tank Safety property: the water level between 5.25 and 8.25 meters. Second iteration: grid 1/16 1/160 (x-axis: x(t), y-axis: α(t)). Lower reach is not unsafe, refine grid. Green: safe set Orange: ε-tolerance Red: computed set June 2, 2016 Verona, Italy 35 / 1

Verifying the water tank Safety property: the water level between 5.25 and 8.25 meters. Third iteration: grid 1/32 1/320 (x-axis: x(t), y-axis: α(t)). Outer reach is safe, system is proved safe. Green: safe set Orange: ε-tolerance Red: computed set June 2, 2016 Verona, Italy 35 / 1

Verifying the water tank 1 In this example, we could prove safety by outer reach. 2 Variations of the parameters could yield systems where lower reach would prove unsafety or where no conclusions could be drawn (smallest precision of the parameters reached without proving safety or unsafety). June 2, 2016 Verona, Italy 36 / 1

Dominance checking Definition Given two components C 1 and C 2, with assumptions and guarantees (A 1, G 1 ) and (A 2, G 2 ), we say that C 1 dominates C 2 if and only if under weaker assumptions (A 2 A 1 ), stronger promises are guaranteed (G 1 G 2 ). If this is the case, the component C 2 can be replaced with C 1 in the system without affecting the whole system behaviour. Intuitively, the component C 1 dominates C 2 if it issues sharper outputs (G 1 G 2 ) with looser inputs (A 2 A 1 ), e.g., a dominating controller can issue a subset of the control commands to cope with an environment which is allowed more freedom. June 2, 2016 Verona, Italy 37 / 1

Dominance checking by reachability analysis 1 Represent the two components by two hybrid automata H 1 and H 2 with inputs and outputs. 2 Assumptions A 1 and A 2 are represented by hybrid automata H A1 and H A2 that specify the possible inputs U 1, U 2 for the components. 3 Guarantees G 1 and G 2 specify the possible outputs Y 1, Y 2 of the automata H 1 and H 2. 4 H 1 dominates H 2 if and only if G 1 G 2 and A 2 A 1. This is a reachability analysis problem: Reach(H A1 H 1 ) Y1 Reach(H A2 H 2 ) Y2. June 2, 2016 Verona, Italy 38 / 1

Dominance checking in Ariadne The approximate reachability routines of Ariadne can be used to test dominance of components: 1 Compute an ε-lower approximation L ε 2 of Reach(H A 2 H 2 ) Y2. 2 Remove a border of size ε from L ε 2. 3 Compute an outer approximation O 1 of Reach(H A1 H 1 ) Y1. 4 If O 1 L ε 2 ε then Reach(H A 1 H 1 ) Y1 Reach(H A2 H 2 ) Y2 and thus H 1 dominates H 2. 5 If not, we cannot say anything about H 1 and H 2, and we retry with a finer approximation. June 2, 2016 Verona, Italy 39 / 1

Dominance checking in Ariadne The proof of correctness of the procedure relies on the following steps: 1 Reach(H A1 H 1 ) Y1 O 1 by definition. 2 O 1 L ε 2 ε to be verified. 3 L ε 2 ε Inner 2 under suitable hypotheses. 4 Inner 2 Reach(H A2 H 2 ) Y2 by definition. Therefore Reach(H A1 H 1 ) Y1 Reach(H A2 H 2 ) Y2 and thus H 1 dominates H 2. A sufficient hypothesis to guarantee that L ε 2 ε Inner 2 is that Reach(H A2 H 2 ) Y2 is a ε-regular set, i.e., there are no holes smaller than ε in the set. June 2, 2016 Verona, Italy 40 / 1

The water tank again We want to replace the controller and the valve. p(t) Controller w(t) Actuator: valve u(t) Plant: tank xs(t) Sensor x(t) δ The valve is slower than the previous one The controller is smarter and can fix the valve aperture to any value w(t) [0, 1] Does the system still operate correctly? June 2, 2016 Verona, Italy 41 / 1

The water tank again Application of dominance relation in this example: 1 The automaton H 1 represents the whole system with new components (proportional controller, slower valve, sensor, plant). 2 The automaton H 2 represents the whole system with old components (hysteresis controller, original faster valve, sensor, plant). 3 A 1 and A 2 specify the same external input U 1 = U 2 = p(t), i.e. the pressure on the valve, so it is A 2 = A 1. 4 G 1 and G 2 specify the same output Y 1 = Y 2 = x(t), i.e., the water level of the tank, for which it is requested G 1 G 2. June 2, 2016 Verona, Italy 42 / 1

A proportional controller c 0 c 1 xs(t) R 1 w(t) =1 KP w(t) =K P (R x s(t)) x s(t) R 1 R 1 xs(t) R K P KP x s(t) R 1 K P xs(t) R xs(t) R c 2 w(t) =0 xs(t) R The input is the measured water level x s (t) provided by the sensor. The output is a command signal w(t) [0, 1] for the valve position regulation. The controller computes the output w(t) from the measured level x s (t) and the water level reference R. In response to a command w(t) the valve aperture a(t) varies with the first-order linear dynamics ȧ(t) = 1 τ (w(t) a(t)). June 2, 2016 Verona, Italy 43 / 1

A proportional controller 1 Location c 0 models when the controller saturates the opening valve command to w(t) = 1. 2 Location c 1 models when the controller tracks the water reference level R. 3 Location c 2 models when the controller saturates the closing valve command to w(t) = 0. June 2, 2016 Verona, Italy 44 / 1

Results ε-lower approximation of the reachable set of the hysteresis controller: Assumptions: Inlet pressure p between 50 and 60 KPa (KiloPascal) Sensor s error between 0.05 and 0.05 m The proportional controller dominates the hysteresis controller. June 2, 2016 Verona, Italy 45 / 1

Results Outer approximation of the reachable set of the proportional controller: Assumptions: Inlet pressure p between 50 and 60 KPa (KiloPascal) Sensor s error between 0.05 and 0.05 m The proportional controller dominates the hysteresis controller. June 2, 2016 Verona, Italy 45 / 1

Parametric verification A system can be partially specified environmental parameters outside the control of the designer and for which there may be imperfect knowledge design parameters that can be fixed by the designer, but whose admissible values are not necessarily known a priori Ariadne allows parametric verification exhaustively check all possible values of the parameters determine the value for the design parameters for which the component respects the guarantees, for all possible values of the environmental parameters June 2, 2016 Verona, Italy 46 / 1

Parametric dominance results Obtained for different values of two parameters: the gain K P and the reference height R of the proportional controller. Green: proportional dominates hysteretic for all points; Red: proportional does not dominate hysteretic in at least one point; Yellow: insufficient accuracy to obtain a result. June 2, 2016 Verona, Italy 47 / 1

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback