Formally Analyzing Adaptive Flight Control

Similar documents
Verification and Synthesis. Using Real Quantifier Elimination. Ashish Tiwari, SRI Intl. Verif. and Synth. Using Real QE: 1

Deductive Verification of Continuous Dynamical Systems

Synthesizing from Components: Building from Blocks

Synthesizing Switching Logic using Constraint Solving

HybridSAL Relational Abstracter

Non-linear Interpolant Generation and Its Application to Program Verification

Stability and Stabilization of polynomial dynamical systems. Hadi Ravanbakhsh Sriram Sankaranarayanan University of Colorado, Boulder

Constraint-based Approach for Analysis of Hybrid Systems

Abstractions for Hybrid Systems

Synthesizing Switching Logic using Constraint Solving

Compositionally Analyzing a Proportional-Integral Controller Family

Using Theorem Provers to Guarantee Closed-Loop Properties

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Analysis and synthesis: a complexity perspective

Formal Verification and Automated Generation of Invariant Sets

Formal Verification of Cyber-Physical Systems

Constraint Solving for Program Verification: Theory and Practice by Example

Compositionally Analyzing a Proportional-Integral Controller Family

Symbolic Reachability Analysis of Lazy Linear Hybrid Automata. Susmit Jha, Bryan Brady and Sanjit A. Seshia

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

Termination Analysis of Loops

Automatic Generation of Polynomial Invariants for System Verification

Hoare Logic I. Introduction to Deductive Program Verification. Simple Imperative Programming Language. Hoare Logic. Meaning of Hoare Triples

Proving Unsatisfiability in Non-linear Arithmetic by Duality

EE C128 / ME C134 Feedback Control Systems

Mech 6091 Flight Control System Course Project. Team Member: Bai, Jing Cui, Yi Wang, Xiaoli

From Electrical Switched Networks to Hybrid Automata. Alessandro Cimatti 1, Sergio Mover 2, Mirko Sessa 1,3

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Tuning PI controllers in non-linear uncertain closed-loop systems with interval analysis

CDS 101/110a: Lecture 8-1 Frequency Domain Design

Chapter 2 Review of Linear and Nonlinear Controller Designs

LOGIC PROPOSITIONAL REASONING

Autonomous Mobile Robot Design

Discrete abstractions of hybrid systems for verification

The Polyranking Principle

Verification Constraint Problems with Strengthening

Verifying Safety Properties of Hybrid Systems.

CHAPTER 5 ROBUSTNESS ANALYSIS OF THE CONTROLLER

Estimating the Region of Attraction of Ordinary Differential Equations by Quantified Constraint Solving

Pitch Rate CAS Design Project

Overview of the Seminar Topic

FAULT DETECTION AND FAULT TOLERANT APPROACHES WITH AIRCRAFT APPLICATION. Andrés Marcos

ANALYSIS OF MULTIPLE FLIGHT CONTROL ARCHITECTURES ON A SIX DEGREE OF FREEDOM GENERAL AVIATION AIRCRAFT. A Thesis by. John Taylor Oxford, Jr.

DERIVATIVE FREE OUTPUT FEEDBACK ADAPTIVE CONTROL

Propositional Logic: Evaluating the Formulas

Floyd-Hoare Style Program Verification

AERO-ENGINE ADAPTIVE FUZZY DECOUPLING CONTROL

Department of Aerospace Engineering and Mechanics University of Minnesota Written Preliminary Examination: Control Systems Friday, April 9, 2010

CHAPTER 1. Introduction

Multivariable MRAC with State Feedback for Output Tracking

Nonlinear Control as Program Synthesis (A Starter)

Hover Control for Helicopter Using Neural Network-Based Model Reference Adaptive Controller

Adaptive Output Feedback Based on Closed-Loop. Reference Models for Hypersonic Vehicles

Assertions and Measurements for Mixed-Signal Simulation

Algorithmic Verification of Stability of Hybrid Systems

Time Delay Margin Analysis Applied to Model Reference Adaptive Control

Specification Mining of Industrial-scale Control Systems

Gödel s Incompleteness Theorem. Overview. Computability and Logic

Analytical Validation Tools for Safety Critical Systems

ADAPTIVE NEURAL NETWORK CONTROLLER DESIGN FOR BLENDED-WING UAV WITH COMPLEX DAMAGE

Gödel s Incompleteness Theorem. Overview. Computability and Logic

Adaptive Dynamic Inversion Control of a Linear Scalar Plant with Constrained Control Inputs

Nonlinear Landing Control for Quadrotor UAVs

Lecture 6 Verification of Hybrid Systems

Optimization over Nonnegative Polynomials: Algorithms and Applications. Amir Ali Ahmadi Princeton, ORFE

Constructing Invariants for Hybrid Systems

DESIGN PROJECT REPORT: Longitudinal and lateral-directional stability augmentation of Boeing 747 for cruise flight condition.

Aim. Unit abstract. Learning outcomes. QCF level: 6 Credit value: 15

an information-theoretic model for adaptive side-channel attacks

Integrating Induction, Deduction and Structure for Synthesis

(Refer Slide Time: 00:01:30 min)

NEURAL NETWORK ADAPTIVE SEMI-EMPIRICAL MODELS FOR AIRCRAFT CONTROLLED MOTION

Constraint Solving for Program Verification: Theory and Practice by Example

Pitch Control of Flight System using Dynamic Inversion and PID Controller

Aircraft Stability & Control

CALIFORNIA INSTITUTE OF TECHNOLOGY

Lecture 2: Symbolic Model Checking With SAT

Robustness Study for Longitudinal and Lateral Dynamics of RLV with Adaptive Backstepping Controller

Lyapunov Function Synthesis using Handelman Representations.

Learning Model Predictive Control for Iterative Tasks: A Computationally Efficient Approach for Linear System

Linear Matrix Inequalities in Robust Control. Venkataramanan (Ragu) Balakrishnan School of ECE, Purdue University MTNS 2002

Time Delay Margin Analysis for an Adaptive Controller

ANALYZING REAL TIME LINEAR CONTROL SYSTEMS USING SOFTWARE VERIFICATION. Parasara Sridhar Duggirala UConn Mahesh Viswanathan UIUC

Vector Barrier Certificates and Comparison Systems

Mechanizing Elliptic Curve Associativity

Formal methods in analysis

CDS 270-2: Lecture 6-1 Towards a Packet-based Control Theory

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

FUZZY CONTROL CONVENTIONAL CONTROL CONVENTIONAL CONTROL CONVENTIONAL CONTROL CONVENTIONAL CONTROL CONVENTIONAL CONTROL

Approximation Metrics for Discrete and Continuous Systems

IC3, PDR, and Friends

Simulation of Non-Linear Flight Control Using Backstepping Method

Nonlinear Real Arithmetic and δ-satisfiability. Paolo Zuliani

Aerodynamics and Flight Mechanics

FMCAD 2013 Parameter Synthesis with IC3

SRV02-Series Rotary Experiment # 7. Rotary Inverted Pendulum. Student Handout

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems

AFRL MACCCS Review. Adaptive Control of the Generic Hypersonic Vehicle

Generation of Basic Semi-algebraic Invariants Using Convex Polyhedra

Ivy: Safety Verification by Interactive Generalization

Transcription:

Formally Analyzing Adaptive Flight Control Ashish Tiwari SRI International 333 Ravenswood Ave Menlo Park, CA 94025 Supported in part by NASA IRAC NRA grant number: NNX08AB95A Ashish Tiwari Symbolic Verification of Adaptive Systems: 1

System Development Design Verify Implementation Verify Focus here is on verification at the design phase of Adaptive flight control systems Ashish Tiwari Symbolic Verification of Adaptive Systems: 2

Adaptive Control Systems Learning Module Plant Plant Actuators Sensors Actuators Sensors Controller Inputs Controller Inputs Simple Control System Adaptive Control System Ashish Tiwari Symbolic Verification of Adaptive Systems: 3

Direct NN Adaptive Flight Control. x m r Reference Model +. x m x e x PI Controller d Dynamic Inversion u Aircraft x u ad Direct NN x u Adaptive: Additional red loop To compensate for the unknown dynamics arising from aircraft damage Ashish Tiwari Symbolic Verification of Adaptive Systems: 4

Verifying Adaptive System Challenges: Unknown plant (aircraft) model Nonlinear functions (kernel functions) Unknown initial weights of the neural net Unknown assumptions Complexity of model: mixed discrete and continuous, dimension Ashish Tiwari Symbolic Verification of Adaptive Systems: 5

Formal Verification Formal verification gives correctness guarantees for all possible behaviors 1. Build a model of the system (a) Model each component controller, aircraft, NN (b) Model disturbances nondeterminism, symbolic parameters (c) Specify the property 2. Formally verify the system You verify what you model Ashish Tiwari Symbolic Verification of Adaptive Systems: 6

Why Formal Verification? Why use formal verification? 1. Alternative to doing simulation and testing 2. Equivalent to doing an analytic proof 3. Do a new proof, or machine check/validate a hand proof 4. Verify different safety and stability properties 5. Redo proofs if design is changed 6. Applies to both design and implementation 7. Helps in certification Ashish Tiwari Symbolic Verification of Adaptive Systems: 7

Bounded Verification Typical verification approaches iterative over-approximation of the reachable set abstraction smart simulations Bounded Verification is a different technique for Safety and Stability verification of Continuous and Hybrid dynamical systems Reduce verification problem to constraint solving Use modern constraint solvers to solve the constraint Ashish Tiwari Symbolic Verification of Adaptive Systems: 8

Outline/Summary 1. Bounded Verification: Verification solving 2. Solving formulas 3. Analyzing adaptive flight control 3.1 Modeling Neural Network Direct MRAC 3.2 Verifying stability and invariance properties of the model using the bounded verification technique Sources for the Model: N. Nguyen and K. Krishnakumar, An optimal control modification to model-reference adaptive control for fast adaptation, AIAA GNC 2008. Matlab scripts for simulating direct, indirect, and hybrid adaptive flight control (source: Stephen A. Jacklin, NASA Ames) Ashish Tiwari Symbolic Verification of Adaptive Systems: 9

Part I: Bounded Verification Ashish Tiwari Part I: Bounded Verification: 10

Bounded Verification A generic approach for analysis of continuous and hybrid dynamical systems based on symbolic constraint solving Key Observation: Verification = searching for right witness Property Stability Safety Liveness Controllability Witness Lyapunov function Inductive Invariant Ranking function Controlled Invariant How to find the right witness? Ashish Tiwari Part I: Bounded Verification: 11

Finding the Witness Key idea: Bounded search for witnesses of a specific form High-level outline of the procedure: 1. Fix a form ( template) for the witness function Quadratic template: ax 2 + by 2 2. Existence of a witness (of the chosen form) is encoded as a constraint a, b : x, y : ax 2 + by 2 c d dt (ax2 + by 2 ) < 0 3. Solve the constraint Ashish Tiwari Part I: Bounded Verification: 12

Quick Introduction to Logic Let V (a, b, x, y) := ax 2 + by 2 There exist values for a, b, c such that for all values of x, y, if V (a, b, x, y) c, then V < 0 a, b, c : x, y : V (a, b, x, y) c dv dt < 0 Add requirement that a, b, c are positive a, b, c : a > 0 b > 0 c > 0 ( x, y : V (a, b, x, y) c dv dt < 0) Tarski s Result: These formulas can be solved Ashish Tiwari Part I: Bounded Verification: 13

Safety Verification using Inductive Invariants A discrete-time system always remains inside the set Safe( x) of good states if there is an inductive invariant Inv( x) such that Init : x : Init( x) Inv( x) Ind : x, x : Inv( x) t( x, x ) Inv( x ) Safe : x : Inv( x) Safe( x) Template: Inv( a, x) Generated Constraint: a : x, x : (Init( x) Inv( a, x)) (Inv( a, x) t( x, x ) Inv( a, x )) (Inv( a, x) Safe( x)) Ashish Tiwari Part I: Bounded Verification: 14

Safety Verification: Continuous-Time A continuous-time system x = f( x) always remains inside the set Safe( x) of good states if there is an inductive invariant Inv( a, x) such that a : x : (Init( x) Inv( a, x)) ( x Inv( a, x) f( x) TInv( a, x)) (Inv( a, x) Safe( x)) The middle condition can be formulated for polynomial systems as: p 0 is inductive if ( x) : p( x) = 0 p( x) f( x) 0 Ashish Tiwari Part I: Bounded Verification: 15

Digression Unsound, but sound variant and even relatively complete variants exist (A1) Init p 0 (A2) p = 0 L f (p) 0 (A3) p 0 Safe (A4) p = 0 p 0 Reach(CDS) Safe Figure 1: Sound, but incomplete, rule for safety verification of polynomial CDS CDS := (X, Init, f) and safety property Safe X. Relatively complete Ashish Tiwari Part I: Bounded Verification: 16

Bounded Stability Verification (S1) : Init V 0 (S2) : V > 0 dv dt < 0 (S3) : V 0 φ Init F(φ) (T 1) : φ V > 0 (T 2) : φ dv dt < 0 true G(F(φ)) Figure 2: On the left, an inference rule for verifying that a continuous system CDS := (X, f) eventually reaches φ starting from any state in Init. On the right, an inference rule for verifying that a continuous system CDS := (X, f) always eventually reaches φ. Ashish Tiwari Part I: Bounded Verification: 17

Proving Bounded Stability Constraints can also encode that some function is a Lyapunov function. Some systems may not be globally stable We can also generate assumptions on the inputs (subset of the global state space) that will guarantee stability or safety Idea: Use a template for the assumption Ashish Tiwari Part I: Bounded Verification: 18

xd Controller u Aircraft x A NN G T Pick Template for G: V(x) = x x k Pick Template for A: xd < a x T Exist(a,k): Forall(x): x x k > 0 and xd < ax implies d/dt(x x k) < 0 Eliminate Forall(x) Exist(a,k): Exist( λ): (...) Solve for all variables k = 60, a = 5,... (This proves bounded stability of the system) Ashish Tiwari Part I: Bounded Verification: 19

Controllability Verification Our approach can be used to synthesize controllers that preserve safety and/or stability A continuous-time system x = f( x, u) can be made to remain inside the set Safe( x) of good states if there is an controlled inductive invariant CInv( a, x) such that a : x : (Init( x) CInv( a, x)) ( x CInv( a, x) u : f( x, u) TCInv( a, x)) (CInv( a, x) Safe( x)) Similarly for controlled Lyapunov function Ashish Tiwari Part I: Bounded Verification: 20

Overview of Bounded Verification Given continuous dynamical system, and optionally property Safe: Guess a template Inv( a, x) For stability, this will be a Lyapunov function For safety, this will be an inductive invariant Guess a template for the assumption A( b, x) ( if any) Generate the verification condition: a, b : x : A( b, x) φ Formula φ states that Inv is a Lyapunov fn/inductive invariant Solve the formula to get values for a and b Ashish Tiwari Part I: Bounded Verification: 21

Related Work The bounded verification approach encompasses Template-based invariant generation (Sankaranarayanan et al., Kapur) Barrier certificates (Prajna et al.) Constraint-based approach for verification (Gulwani et al.) Bounded verification is the dual of bounded falsification (aka bounded model checking) The real problem is deciding formulas over the reals Ashish Tiwari Part I: Bounded Verification: 22

Part II: Solving formulas Ashish Tiwari Part II: Solving formulas: 23

Solving formulas Bounded verification: verification of hybrid systems checking validity of u : x : φ When φ is over polynomials, this is decidable (e.g. QEPCAD) More practically, use heuristics to decide u : x : φ 1. Eliminate : u : x : φ u : λ : φ 2. Search for u and λ over a finite domain using SMT (bit vector) solver Ashish Tiwari Part II: Solving formulas: 24

Step 1: to For linear arithmetic, Farkas Lemma eliminates x : p 1 0 p 2 0 p 3 0, iff λ : p 3 = λ 1 p 1 + λ 2 p 2 λ 1 0 λ 2 0 For nonlinear, we can still use this and be sound, but incomplete We can partially regain completeness by using Positivstellensatz Ashish Tiwari Part II: Solving formulas: 25

Step 2: to Bit-Vectors Farkas Lemma/Posit. : Solving the formula One approach: Search for solutions in a finite range using bit-vector decision procedures u R : (u 2 2u = 3 u > 0) u Z : (u 2 2u = 3 u > 0) u Z : ( 32 u < 32 u 2 2u = 3 u > 0) b B 6 : (u u 2 u = 3 u > 0) We use Yices to search for finite bit length solutions for the original nonlinear constraint b = 000011 Ashish Tiwari Part II: Solving formulas: 26

Overall Approach Given hybrid system HS and optionally property Safe: Guess a template for witness Inv( u, x) Generate the verification condition: u : x : φ Solve using either QEPCAD or Eliminate using Farkas Lemma: u : λ : ψ Guess sizes for u, λ: bv u : bv λ : ψ Ask Yices to search for solutions If a satisfying assignment is found, system proved safe Ashish Tiwari Part II: Solving formulas: 27

Part III.I Modeling NN Direct Model Reference Adaptive Control Ashish Tiwari Part III.I: Modeling Direct MRAC: 28

NN Direct Model Reference Adaptive Control. x m r Reference Model +. x m x e x PI Controller d Dynamic Inversion u Aircraft x u ad Direct NN x u Sources: N. Nguyen and K. Krishnakumar, An optimal control modification to model-reference adaptive control for fast adaptation, AIAA GNC 2008. Matlab scripts for simulating direct, indirect, and hybrid adaptive flight control (source: Stephen A. Jacklin, NASA Ames) Ashish Tiwari Part III.I: Modeling Direct MRAC: 29

Step 1: Modeling Direct MRAC x: 3 1 vector of roll, pitch, and yaw rates of the aircraft. u: 3 1 vector of aileron, elevator, and rudder inputs. z: 3 1 trim state vector of angle of attack, angle of sideslip, and engine throttle. The dynamics of the aircraft are given by x = A x + B u + G z + f( x, u, z) (1) where A, B, G are known matrices in R 3 3 and f represent the unknown term (caused by uncertainty or damage to the aircraft). Ashish Tiwari Part III.I: Modeling Direct MRAC: 30

Step 1: Modeling Direct MRAC We tried to build a continuous dynamical system model State space: x m, intx e, x, L, β, f x m = A m (x m r) intx e = x m x ẋ = A m (x m r) + K p (x m x) + K i intx e L β + f L = Γβ(intx T e K 1 i β =... f =... + (x m x) T Kp 1 (I + K 1 i )) Constants : Γ, K p, K i, A m, Unknown/Symbolic Parameters : r, f, f Ashish Tiwari Part III.I: Modeling Direct MRAC: 31

Step 1: Modeling Direct MRAC r x m x x e intx e L β f u e x d L commanded value for x desired value for x, calculated using reference model actual value for x, determined by the damaged aircraft error, x m x integral of the error, x e weights of the NN fixed functions, L β = adaptive control term Damaged dynamics, f = ẋ ẋ u K p x e + K i intx e x m + u e uad weight update / neural net learning Ashish Tiwari Part III.I: Modeling Direct MRAC: 32

Step 1: Modeling Direct MRAC: Issues Dynamics for β: β =... There are two options here: Option 1. Use β from the NASA Matlab scripts Option 2. Leave β as unknown symbolic parameters If we use Option 1 There is an algebraic loop on u: u(t) depends on u(t) Leads to complications not pursued further. If we use Option 2 Analysis independent of β Need assumption on β (to capture damaged dynamics f) Used in [NguyenKrishnakumar08] Ashish Tiwari Part III.I: Modeling Direct MRAC: 33

Step 1: Modeling Direct MRAC: Issues Dynamics of f: f =... Dynamics of damaged aircraft: f is unknown f is also unknown ẋ = A u x + B u σ + F u u + f( x, σ, u) We leave f and f as unknown symbolic parameters We wish to prove properties of the system for any f, f Which is not possible, hence need assumptions We will verify... assuming that... Ashish Tiwari Part III.I: Modeling Direct MRAC: 34

Step 1: Final Model x e = K p x e K i intx e + L β f intx e = x e L = Γβ(intx T e K 1 i + (x m x) T Kp 1 (I + K 1 i )) β = f 1 f = f 2 state variables x e, intx e, L, β, f unknown parameters f 1, f 2 fixed parameters Γ, K p, K i Ashish Tiwari Part III.I: Modeling Direct MRAC: 35

Step 1: Simulating the Original Model Standard PI Controller without adaptation: 0.15 0.05 0.01 0.1 0.04 0.03 0.008 0.006 0.05 0.02 0.004 0 0.05 0.01 0 0.01 0.002 0 0.002 0.1 0.02 0.004 0.15 0.03 0.04 0.006 0.008 0.2 0 5 10 15 20 25 30 35 40 0.05 0 5 10 15 20 25 30 35 40 0.01 0 5 10 15 20 25 30 35 40 Roll rate Pitch rate Yaw rate Pitch command : Roll and Yaw respond bcos of aymmetric damage Response unacceptable due to excessive roll and yaw rates Ashish Tiwari Part III.I: Modeling Direct MRAC: 36

Step 1: Simulating the Model with MRAC Standard MRAC Controller using learning rate Γ = 10 4 : 0.015 0.04 8 x 10 4 0.01 0.03 6 0.005 0.02 4 0 0.005 0.01 0.015 0.01 0 0.01 2 0 2 4 0.02 0.02 6 0.025 0.03 8 0.03 0 5 10 15 20 25 30 35 40 0.04 0 5 10 15 20 25 30 35 40 10 0 5 10 15 20 25 30 35 40 Roll rate Pitch rate Yaw rate Pitch command : Roll and Yaw respond bcos of aymmetric damage Tracking performance improves drastically High-frequency oscillations in yaw, lesser in pitch, roll channel Ashish Tiwari Part III.I: Modeling Direct MRAC: 37

Step 1.5: Simulating the Original Model Adaptation based on estimating f: 8 x 10 4 0.04 1.5 x 10 5 6 0.03 1 4 0.02 2 0.01 0.5 0 0 0 2 0.01 0.5 4 0.02 6 0.03 1 8 0 5 10 15 20 25 30 35 40 0.04 0 5 10 15 20 25 30 35 40 1.5 0 5 10 15 20 25 30 35 40 Roll rate Pitch rate Yaw rate Pitch command : Roll and Yaw respond bcos of aymmetric damage Tracking performance improves drastically Any High-frequency oscillations? Ashish Tiwari Part III.I: Modeling Direct MRAC: 38

Part III.I Verifying NN Direct Model Reference Adaptive Control Ashish Tiwari Part III.2: Verifying Direct MRAC: 39

Step 2: Verifying the Model We first verify that error remains bounded assuming that the NN works properly Assumption (u ad f) is bounded Template: L β f 2 a Assumption x e exceeds bound Template: x e 2 > c Guarantee Exists a Lyapunov function Template: x e 2 + b intx e 2 Generated formula: a, b, c : x e, intx e, L, β, f :... Values computed by the constraint solver: b = 10, 25c > a > 0 Assuming L β f is bounded, the error x e eventually remains bounded irrespective of β, f, L, f,... Ashish Tiwari Part III.2: Verifying Direct MRAC: 40

Step 2: Verifying the Model The above property holds even under a different assumption. Assumption x e u ad f exceeds bound x e 2 > c u ad f 2 Guarantee Exists a Lyapunov function x e 2 + b intx e 2 Generated formula: b, c : x e, intx e, L, β, f :... Values computed by the constraint solver: b = 10, 25c > 1 The error x e always eventually drops below a constant factor of the NN approximation error irrespective of β, f, L, f,... Ashish Tiwari Part III.2: Verifying Direct MRAC: 41

Step 2: Verifying the Model Can we show that the weights L also eventually remain bounded? Assume f = L β Assume β is bounded β 2 e Assume x e exceeds bound x e 2 > a Prove Exists an invariant x e 2 + b intx e 2 + c L L 2 d Generated formula: a, b, c, d, e : x e, intx e, L, β, f :... Values computed by the constraint solver: b = 10, c = 1 2200, 20(d a)2 e < 11a 2 When x e 2 > a, then the set x e 2 + b intx e 2 + c L L 2 < d is an invariant assuming β 2 is bounded by e. Ashish Tiwari Part III.2: Verifying Direct MRAC: 42

Step 2: Verifying the Model Can we show that the weights L also eventually remain bounded? Assume f = L β Assume (u ad f) is bounded L β f 2 e Assume x e exceeds bound x e 2 > a Prove Exists an invariant x e 2 + b intx e 2 + c L L 2 d Generated formula: a, b, c, d, e : x e, intx e, L, β, f :... Values computed by the constraint solver: b = 10, c = 1 2200, (d a)e < 1210a2 When x e > a, then the set x e 2 + b intx e 2 + c L L 2 < d is an invariant assuming (L L ) β is bounded. Ashish Tiwari Part III.2: Verifying Direct MRAC: 43

Step 2: Verifying the Model: Issues Constraint solver: formulas over the reals Our implementation: fast, but incomplete Poor in handling squares Can not solve all the constraints QEPCAD: slow and unreliable, but complete Automation of template generation difficult in general possible for NN adaptive flight control systems Automating model extraction Ashish Tiwari Part III.2: Verifying Direct MRAC: 44

Other Case Studies The same approach used to verify bounded stability of a flight controller from: T. Lee and Y. Kim, Nonlinear adaptive flight control using backstepping and neural networks controller, J. of Guidance, Control, and Dynamics:24(4), 2001. The method has also been used to verify traditional control systems and other hybrid dynamical systems adaptive cruise control in automobiles models from systems biology human blood glucose metabolism model Ashish Tiwari Part III.2: Verifying Direct MRAC: 45

Recap: Overall Approach xd Controller u Aircraft x A NN G T Pick Template for G: V(x) = x x k Pick Template for A: xd < a x T Exist(a,k): Forall(x): x x k > 0 and xd < ax implies d/dt(x x k) < 0 Eliminate Forall(x) Exist(a,k): Exist( λ): (...) Solve for all variables k = 60, a = 5,... (This proves bounded stability of the system) Ashish Tiwari Part III.2: Verifying Direct MRAC: 46

Part IV Discussion and Conclusion Ashish Tiwari Part IV: Discussion and Conclusion: 47

What is novel in the technique? Computer Science The template+constraint-solving approach is different from the usual verification approaches reachability abstraction Bounded Falsification (BMC) vs. Bounded Verification Control The approach is standard, but the novelty is in generating more precise constraints and using symbolic solvers for testing their feasibility Ashish Tiwari Part IV: Discussion and Conclusion: 48

Why is the technique so effective? This is the classical approach only slightly modified to generate more precise constraints that can be non-convex solved using modern solvers such as fast constraint solvers called SMT solvers complete symbolic solver like QEPCAD replacing optimization by feasibility or satisfiability Systems have several invariants/lyapunov functions that can be searched using few templates Correct systems have simple witnesses Robust technique does not require any careful tuning or a smart user Handles unknown parameters Ashish Tiwari Part IV: Discussion and Conclusion: 49

Future Work Modeling and Analysis Complete analysis of NN direct MRAC Analyze other variants of direct MRAC Analyze indirect and hybrid NN adaptive flight control Add automation for template generation for this specific domain Improve automation for constraint solving Ashish Tiwari Part IV: Discussion and Conclusion: 50

Tool We have generic prototype implementations for: Generating constraint from continuous dynamical model: Given a CDS and templates, generates an constraint Eliminating quantifier: Given an constraint, eliminates the and return an formula Solver for formulas Off-the-shelf tool QEPCAD Ashish Tiwari Part IV: Discussion and Conclusion: 51

Tool Development: Issues Constraint generation only for safety verification Need constraint generation for stability verification May need a careful study of the underlying proof rule Extracting CDS model from a more intuitive front-end description? Solver for constraints Need to balance completeness and efficiency Domain-specific heuristics Ashish Tiwari Part IV: Discussion and Conclusion: 52

Conclusion We are verifying designs of NN adaptive flight control systems The bounded verification approach reduces verification to constraint solving Ashish Tiwari Part IV: Discussion and Conclusion: 53

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback