Reactive Protocol Synthesis for for Embedded Control Software

Similar documents
Lecture 8 Receding Horizon Temporal Logic Planning & Finite-State Abstraction

Lecture 9 Synthesis of Reactive Control Protocols

Lecture 7 Synthesis of Reactive Control Protocols

Receding Horizon Control for Temporal Logic Specifications

Formal Methods for Design and Verification of Embedded Control Systems: Application to an Autonomous Vehicle

Specification, Design and Verification of Distributed Embedded Systems

Receding Horizon Temporal Logic Planning

Feedback Control Theory: Architectures and Tools for Real-Time Decision Making

CDS 101/110a: Lecture 10-2 Control Systems Implementation

Formal Synthesis of Embedded Control Software: Application to Vehicle Management Systems

Synthesis of Control Protocols for Autonomous Systems

Op#mal Control of Nonlinear Systems with Temporal Logic Specifica#ons

Synthesis of Reactive Switching Protocols from Temporal Logic Specifications

THE objective of this paper is to synthesize switching. Synthesis of Reactive Switching Protocols from Temporal Logic Specifications

Synthesis of Provably Correct Controllers for Autonomous Vehicles in Urban Environments

Route-Planning for Real-Time Safety-Assured Autonomous Aircraft (RTS3A)

Synthesis of Reactive Switching Protocols From Temporal Logic Specifications

Automatic Synthesis of Robust Embedded Control Software

Lecture 6 Verification of Hybrid Systems

Synthesis of Switching Protocols from Temporal Logic Specifications

NCS Lecture 11 Distributed Computation for Cooperative Control. Richard M. Murray (Caltech) and Erik Klavins (U. Washington) 17 March 2008

Algorithmic Verification of Stability of Hybrid Systems

Switching Protocol Synthesis for Temporal Logic Specifications

Lecture 4: Introduction to Graph Theory and Consensus. Cooperative Control Applications

ONR MURI AIRFOILS: Animal Inspired Robust Flight with Outer and Inner Loop Strategies. Calin Belta

Provably Correct Persistent Surveillance for Unmanned Aerial Vehicles Subject to Charging Constraints

EE C128 / ME C134 Feedback Control Systems

Abstraction-based synthesis: Challenges and victories

Lecture 2 Automata Theory

Formal Verification of an Autonomous Vehicle System

Resilient Formal Synthesis

Lecture 2 Automata Theory

Synthesis of Reactive Control Protocols for Differentially Flat Systems

Scaling up controller synthesis for linear systems and safety specifications

Dynamic and Adversarial Reachavoid Symbolic Planning

16.410/413 Principles of Autonomy and Decision Making

FAULT-TOLERANT CONTROL OF CHEMICAL PROCESS SYSTEMS USING COMMUNICATION NETWORKS. Nael H. El-Farra, Adiwinata Gani & Panagiotis D.

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

ENES 489p. Verification and Validation: Logic and Control Synthesis

Consensus Algorithms are Input-to-State Stable

Linear Time Logic Control of Discrete-Time Linear Systems

A Decentralized Approach to Multi-agent Planning in the Presence of Constraints and Uncertainty

SENSE: Abstraction-Based Synthesis of Networked Control Systems

A Probability-Based Model of Traffic Flow

Receding Horizon Temporal Logic Planning for Dynamical Systems

NCS Lecture 8 A Primer on Graph Theory. Cooperative Control Applications

Symbolic Control of Incrementally Stable Systems

Complexity Metrics. ICRAT Tutorial on Airborne self separation in air transportation Budapest, Hungary June 1, 2010.

FAULT DETECTION AND FAULT TOLERANT APPROACHES WITH AIRCRAFT APPLICATION. Andrés Marcos

Online Horizon Selection in Receding Horizon Temporal Logic Planning

Ranking Verification Counterexamples: An Invariant guided approach

Time-Constrained Temporal Logic Control of Multi-Affine Systems

Efficient control synthesis for augmented finite transition systems with an application to switching protocols

ANALYSIS OF CONSENSUS AND COLLISION AVOIDANCE USING THE COLLISION CONE APPROACH IN THE PRESENCE OF TIME DELAYS. A Thesis by. Dipendra Khatiwada

Feedback Control CONTROL THEORY FUNDAMENTALS. Feedback Control: A History. Feedback Control: A History (contd.) Anuradha Annaswamy

arxiv: v1 [cs.sy] 26 Mar 2012

A Quantum Computing Approach to the Verification and Validation of Complex Cyber-Physical Systems

Compositional Synthesis with Parametric Reactive Controllers

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

APPROXIMATE SIMULATION RELATIONS FOR HYBRID SYSTEMS 1. Antoine Girard A. Agung Julius George J. Pappas

Abstractions and Decision Procedures for Effective Software Model Checking

We provide two sections from the book (in preparation) Intelligent and Autonomous Road Vehicles, by Ozguner, Acarman and Redmill.

Data-Driven Optimization under Distributional Uncertainty

Receding Horizon Control in Dynamic Environments from Temporal Logic Specifications

Verification of Hybrid Systems with Ariadne

Safety Verification of Fault Tolerant Goal-based Control Programs with Estimation Uncertainty

Research on Consistency Problem of Network Multi-agent Car System with State Predictor

Multi-Modal Control of Systems with Constraints

Temporal Logic Control of Switched Affine Systems with an Application in Fuel Balancing

ELEC4631 s Lecture 2: Dynamic Control Systems 7 March Overview of dynamic control systems

Today s Lecture. Mars Climate Orbiter. Lecture 21: Software Disasters. Mars Climate Orbiter, continued

Decomposition of planning for multi-agent systems under LTL specifications

Stéphane Lafortune. August 2006

Controlo Switched Systems: Mixing Logic with Differential Equations. João P. Hespanha. University of California at Santa Barbara.

Semi-decidable Synthesis for Triangular Hybrid Systems

Distributed Multi-Agent Persistent Surveillance Under Temporal Logic Constraints

Distributed Receding Horizon Control of Cost Coupled Systems

Counterexamples for Robotic Planning Explained in Structured Language

Lecture 4 Model Checking and Logic Synthesis

Reach Sets and the Hamilton-Jacobi Equation

Temporal Logic Control of Switched Affine Systems with an Application in Fuel Balancing

Switched Systems: Mixing Logic with Differential Equations

CDS 101: Lecture 2.1 System Modeling. Lecture 1.1: Introduction Review from to last Feedback week and Control

V&V MURI Overview Caltech, October 2008

Work in Progress: Reachability Analysis for Time-triggered Hybrid Systems, The Platoon Benchmark

A Learning Based Approach to Control Synthesis of Markov Decision Processes for Linear Temporal Logic Specifications

Hierarchical Synthesis of Hybrid Controllers from Temporal Logic Specifications

Safe Autonomy Under Perception Uncertainty Using Chance-Constrained Temporal Logic

Failure Diagnosis of Discrete-Time Stochastic Systems subject to Temporal Logic Correctness Requirements

Integrating Induction and Deduction for Verification and Synthesis

Bridging the Gap between Reactive Synthesis and Supervisory Control

An Efficient Motion Planning Algorithm for Stochastic Dynamic Systems with Constraints on Probability of Failure

Average-Consensus of Multi-Agent Systems with Direct Topology Based on Event-Triggered Control

Control Theory: Design and Analysis of Feedback Systems

Fault Tolerance of a Reconfigurable Autonomous Goal-Based Robotic Control System

Binary Decision Diagrams and Symbolic Model Checking

Recap. CS514: Intermediate Course in Operating Systems. What time is it? This week. Reminder: Lamport s approach. But what does time mean?

Trajectory Planning, Setpoint Generation and Feedforward for Motion Systems

Automata-theoretic analysis of hybrid systems

Reachability Analysis for Hybrid Dynamic Systems*

Transcription:

Reactive Protocol Synthesis for for Embedded Control Software Richard M. Murray Control & Dynamical Systems California Institute of Technology Necmiye Ozay (Michigan) Ufuk Topcu (Penn) Nok Wongpiromsarn Scott Livingston Stephanie Tsuei Eric Wolff Mumu Xu EXCAPE Summer School 13 June 2013 Research support by AFOSR, Boeing, DARPA (FCRP), IBM and United Technologies Corp.

Long Term Research Objectives and Goals Design of networked control systems Interconnected subsystems/agents working to achieve a common goal How do we describe complex temporal tasks in a manner that allows rigorous proof of correctness? Correct-by-construction synthesis Given a specification, how do we synthesize a control protocol that satisfies the specs Application areas Mission management & flight controls Unmanned, autonomous systems Safety critical, networked embedded systems (cars, planes, factories) - Internet of things Electrical power distribution networks (Cyber-security for embedded systems) MuSyC, 16 Oct 2012 2

Hybrid, Multi-Component System Description Subsystem/agent dynamics - continuous ẋ i = f i (x i, i,y i,u i ) y i = h i (x i, i ) x i 2 R n,u i 2 R m y i 2 R q Agent mode (or role ) - discrete A encodes internal state, relationship to current task, environment state Discrete transition = r(x, ) Environment: discrete transition system with temporal logic specs (eg, LTL) Communications graph G Encodes the system information flow Neighbor set N i (x, ) Communications channel Communicated information can be lost, delayed, reordered; rate constraints yj[k] i = y i (t k j ) t k+1 t k >T r γ = binary random process (packet loss) Task Encode task as finite horizon optimal control + temporal logic (LTL/GR(1)) J = 0 (' init ^ ' e ) =) ( ' s ^ applet ' g ) Assume/guarantee contract structure Strategy = control law + control protocol Control action for individual agents u i = (x, ) {gj(x, i ): rj(x, i )} Decentralized strategy u i (x, )=u i (x i, T L(x,, u) dt + V (x(t ), (T )), c i 0 (r i = j (x, ) gi j (x, ) =true unchanged otherwise. i,y i, y i = {y j 1,...,y j m i } j k N i m i = N i Similar structure for role update i ) EXCAPE, 13 Jun 2013 3

Motivating Example: Alice (DGC07) Alice 300+ miles of fully autonomous driving 8 cameras, 8 LADAR, 2 RADAR 12 Core 2 Duo CPUs + Quad Core ~75 person team over 18 months Software 25 programs with ~200 exec threads 237,467 lines of executable code Team Caltech, Jan 08 4

Stack Mission performs high level decision-making Graph search for best routes; replan if routes are blocked Traffic handles rules of the road Control execution of path following & planning (multi-point turns) Encode traffic rules - when can we change lanes, proceed thru intersection, etc Path /Path Follower generate trajectories and track them Optimized trajectory generation + PID control (w/ anti-windup) Substantial control logic to handle failures, command interface, etc Burdick et al, 2007 Mission Traffic Path Path Follower Actuation Interface Vehicle Team Caltech, Jan 08 5

Design of Reactive Decision-Making Protocols passing finished or obstacle disappeared ROAD REGION passing finished or obstacle disappeared Alice has been stopped for long DR,NP,S STO,NP,S enough and there is an obstacle DR,P,S collision-free path is found collision-free path is found in the vicinity of Alice collision-free path is found collision-free path is found and the number of times Alice has switched to the DR,P,R state near the current STO,P,S DR,P,S position is less than some threshold STO,PR,S backup finished collision-free path is found or failed and the no collision-free path exists and no collision-free number of times Alice no collision-free there is only path exists and has switched to BACKUP path exists one lane there is more is less than some threshold than one lane STO,P,S and the number of times Alice has switched to the DR,P,R state near the current position is less than some threshold DR,PR,S DR,A collision-free path is found collision-free path with DR,A is found and the number backup finished or failed and the of times Alice has switched to the DR,P,R number of times Alice has switched state near the current position exceeds some BACKUP to BACKUP exceeds some threshold threshold and there is more than one lane STO,A and the number of times Alice has switched to the DR,P,R state near the current position exceeds some threshold and there is only one lane DR,B collision-free path is found STO,B and there is only one lane and there is more than one lane OFF-ROAD mode FAILED PAUSED collision-free path with DR,P,R is found How do we design control protocols that manage behavior Mixture of discrete and continuous decision making Insure proper response external events, with unknown timing Design input = specification + model (system + environment) Design output = finite state machine implementing logic Approach: rapidly explore all trajectories satisfying specs Search through all possible actions and events, discarding executions that violate a set of (LTL) specifications Issue: state space explosion (especially due to environment) Good news: recent results in model checking for class of specs Mission Traffic Path Path Follower Actuation Interface Vehicle EXCAPE, 13 Jun 2013 6

Receding Horizon Control Murray, Hauser et al SEC chapter (IEEE, 2002) state Actual state ΔT Computed state T time Solve finite time optimization over T seconds and implement first ΔT seconds Finite horizon optimization Terminal cost Requires that computation time be small relative to time horizons Initial implementation in process control, where time scales are fairly slow Real-time trajectory generation enables implementation on faster systems EXCAPE, 13 Jun 2013 7

Receding Horizon Control for Linear Temporal Logic Find planner (logic + path) to solve general control problem ( init e) = ( s g φinit = init conditions φs = safety property ) φe = envt description φg = planning goal For discrete system, can find automaton to satisfy this formula in O((nm Σ 3 ) time (!) Basic idea Discretize state space into regions { V i } + interconnection graph Organize regions into a partially ordered set { W i }; W j W g i if state starts in W i, must transition through W j on way to goal Find a finite state automaton A i satisfying i = ((v W i ) e) = ( s (v W gi ) ) Wongpiromsarn, Topcu and M CDC09, HSCC10, IEEE TAC (s) W 4 W 3 EXCAPE, 13 Jun 2013 - Φ describes receding horizon invariants (eg, no collisions) - Automaton states describe sequence of regions we transition through; W gi g W i is intermediate (fixed horizon) goal - generates trajectory for each discrete transition - Partial order condition guarantees that we move closer to goal Properties Provably correct behavior according to spec W 2 W 1 8

Constructing Finite State Abstraction Find discretization of state space and represent connectivity using a graph Look for regions such that we can move from one region to another w/out leaving the union of two regions If we can start from any point in first region and get to some point in second, the regions are connected Approach: guess at initial regions, then refine based on solving for reachability sets Can solve for feasible regions via finite-time trajectory generation problem Fix the horizon length N. Given i j, compute a sequence of control signals u[0],..., u[n-1] such that for any s[0] i i j s[t + 1] = As[t]+Bu[t]+Ed[t] s[t] i,s[n] j,u[t] U t {0,...,N 1},d[0],...,d[N 1] D Assume L EXCAPE, 13 Jun 2013 U, D, i, j s[0] u[0]. u[n 1] are polyhedral sets. The above equation can be written as M G d[0]. d[n 1] Set S0 of all s[0] satisfying this gives refinement of initial guess Multi-Parametric Toolbox (MPT) solves this problem and returns the set S0 as polyhedron (!) 9

Example: Autonomous Navigation in Urban Environment Traffic rules No collisions with other vehicles Stay in the travel lane unless there is an obstacle blocking the lane Only proceed through an intersection when it is clear Assumptions Obstacle may not block a road Obstacle is detected before the vehicle gets too close to it Limited sensing range Obstacle does not disappear when the vehicle is in its vicinity Obstacles may not span more than a certain number of consecutive cells in the middle of the road Each intersection is clear infinitely often Each of the cells marked by star and its adjacent cells are not occupied by an obstacle infinitely often EXCAPE, 13 Jun 2013 10

Example: Autonomous Navigation in Urban Environment Mission Traffic Path Path Follower JTLV returns 900 state FSA in about 1.5 seconds Φ = start in proper lane if no obstacle present ^ no collision Actuation Interface Vehicle Use response mechanism to replan if no feasible solution exists Trajectory planner sees blockage and fails to find strategy satisfying specification Trajectory planner reports failure to goal generator Goal generator re-computes a (high level) path to the goal state EXCAPE, 13 Jun 2013 11

Temporal Logic Planning (TuLiP) toolbox http://tulip-control.sourceforge.net Python Toolbox GR(1), LTL specs Nonlin dynamics Supports discretization via MPT Control protocol designed using JTLV Receding horizon compatible Applications of TuLiP in the last year Autonomous vehicles - traffic planner (intersections and roads, with other vehicles) Distributed camera networks - cooperating cameras to track people in region Electric power transfer - fault-tolerant control of generator + switches + loads AFOSR, 15 June 2011 Caltech/MIT/UW V&V MURI 12

Example: Electrical Power Management for Aircraft Power management of three VMS subsystems Flight control (actuation) - highest priority Active de-icing - elevation dependent demand Environmental control - slower timescale Specifications Constraint on maximum total power Prioritization: actuation, de-icing, environment Safety: ice accumulation, altitude change Performance: desired altitude and environmental conditions External environment: wind gusts, outside temperature, generator health De-icer model Boeing,15 Sep 2011 Cabin pressure level model 13

Open (Research) Issues Optimality: language-constrained, optimal trajectory generation ( init e) = ( s g ) J = 0 T L(x,, u) dt + V (x(t ), (T )), Partial order computation and hierarchical structure How do we determine the partial order for RHTLP and link to supervisory levels? Verification and synthesis with (hard) real-time constraints How do we incorporate time in our specifications, verification and synthesis tools? Note: time automata and timed temporal logic formulas available... Contract-based design: automate search interfaces for distributed synthesis How do we decompose a larger problem into smaller pieces? Especially important for large scale projects with multiple teams/companies Uncertainty and robustness How to specify uncertainty for transition systems, robustness for controllers, specs New methods for describing robustness by Tabuada et al: look at how much the specifications must be enlarged to capture new behaviors based on uncertainty Many other directions: incremental, probabilistic, performance metrics,... Identify problems where knowledge of dynamics, uncertainty and feedback matter EECI, Mar 2011 14

Aircraft Vehicle Management Systems Electrical Power System Landing Gear Fuel System Propulsion and Power How do we design software-controlled systems of systems to insure safe operation across all operating conditions (including failures)? Environmental Control System Power Transmission Thermal, Electrical, Lubrication Systems Hydraulic System Servo System MuSyC workshop, Apr 2011 15

Summary and Future Work Specification, Design, Verification for Autonomous Vehicles Most of the actual design was ad hoc; with lots of testing Starting to develop tools for systematic design, verification Synthesis techniques for LTL specifications using receding horizon planning Convert the specification into a design criterion Use fast solvers to find trajectories that satisfy constraints (including temporal logic specifications) Manage complexity using receding horizon approach Python toolbox: http://tulip-control.sf.net Current work More systematic design of regions, lattices, invariants Better integration of trajectory planning and logic planning Application to (aircraft) vehicle management systems: - Many heterogeneous systems w/ coupled function, physics - Mixed criticality operations, depending on flight mode - Distributed resource allocation and decision-making, coupled by (loosely) asynch communications network Mission Traffic Path Path Follower Actuation Interface Vehicle EXCAPE, 13 Jun 2013 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback