Automatic Verification of a Turbogas Control System with the Murphi Verifier
Enrico Tronci
Computer Science Department, University of Rome "La Sapienza", Via Salaria 113, 00198 Roma, Italy, [email protected], http://www.dsi.uniroma1.it/~tronci
Joint work with: G. D. Penna, B. Intrigila, I. Melatti, M. Minichino, E. Ciancamerla, A. Parisse, M. Venturini Zilli
HSCC03: Hybrid Systems: Computation and Control, Prague, The Czech Republic, April 3-5, 2003
2
Automatic Verification Game
Given: a Hybrid System S and an undesired state BAD (e.g. an error state).
We want to know: under which conditions, if any, our system S can reach BAD during its evolution.
3
HOW
[Figure: the Model Checker takes System Model + Param. Ranges + Disturbances + Init States, together with the Requirements (undesired/desired states), and answers one of:]
Yes, i.e. no sequence of events (states) can possibly lead to an undesired state; or
Counterexample, i.e. a sequence of events (states) leading to an undesired state.
4
Example (Simulation 1)
x(t + 1) = if x(t) <= 3 then x(t) + u(t) else x(t) – u(t); u(t) = 1, 2; x(0) = 0
[Figure: transition graph over states 0..4, edges labelled u = 1, 2, showing the states visited by this run]
Spec: x(t) < 5. I.e. no state with x(t) >= 5 is reachable.
Sim length: 10. Stimuli: 1, 2, 1, 2, 1, 1, 2, 2, 2, 1
Spec does not fail on this run
5
Example (Simulation 2)
x(t + 1) = if x(t) <= 3 then x(t) + u(t) else x(t) – u(t); u(t) = 1, 2; x(0) = 0
[Figure: transition graph over states 0..5, edges labelled u = 1, 2, showing the states visited by this run, ending in state 5]
Spec: x(t) < 5. I.e. no state with x(t) >= 5 is reachable.
Sim length: 6. Stimuli: 1, 2, 1, 2, 1, 2
Spec FAIL
6
Example (Model Checking)
x(t + 1) = if x(t) <= 3 then x(t) + u(t) else x(t) – u(t); u(t) = 1, 2; x(0) = 0
[Figure: the complete transition graph over states 0..5, every edge labelled u = 1 or u = 2]
Spec: x(t) < 5. I.e. no state with x(t) >= 5 is reachable.
Spec FAIL. Spec ok if u(t) = 0, 1.
7
A Larger System
x(t + 1) = case
  x(t) – 2 + u(t) when x(t) + y(t) > 4
  x(t) – 1 + u(t) when x(t) + y(t) = 4
  x(t) + u(t)     when x(t) + y(t) = 3
  x(t) + 1 + u(t) when x(t) + y(t) = 2
  x(t) + 2 + u(t) when x(t) + y(t) < 2
esac
y(t + 1) = u(t); u(t) = -1, 0, 1
[Figure: transition graph over (x, y) states (0,0), (1,-1), (2,0), (3,1), (2,-1), (3,0), (4,1), (3,-1), (4,0), (5,1); edges labelled u = -1, 0, 1]
8
Remark
• MC and Simulation have different, complementary goals.
• MC, from the system model AND a state X, produces a sequence of stimuli (events), if any, leading to state X. (Obstruction: State Explosion)
• Simulation, from the system model AND a sequence of stimuli (events), shows where that sequence leads (in as many steps as the sequence has stimuli). (Obstruction: False Negatives)
9
Model Checking as State Space Exploration
Given a Finite State System S = (S, I, Next), where:
S: finite set of states;
I: set of initial states;
Next: function mapping a state to the set of its successors;
Visit all states that S can reach from I.
For safety properties (no bad state is reachable) the model checking problem becomes the reachability problem on the transition graph of the system to be analyzed.
10
Model Checking Flavors
Explicit: the set Reach of visited states is stored in a hash table. The explicit approach typically works well for protocols, hybrid systems and software-like systems (i.e. asynchronous systems). Famous MC: SPIN (Bell Labs), Murphi (Stanford).
Symbolic: the set Reach of visited states is represented by its characteristic function f, that is f(s) = if (s is in Reach) then 1 else 0. States are bit vectors, thus f is a Boolean function. Ordered Binary Decision Diagrams (OBDDs) are used to efficiently represent and manipulate f. The symbolic approach typically works well for hardware-like systems (i.e. synchronous systems). Famous MC: SMV (CMU), VIS (CU + Berkeley), CUDD (CU).
11
Overview
Symbolic model checkers are typically used for automatic verification of Hybrid Systems.
We present a nontrivial case study on automatic verification of a Hybrid System using an explicit model checker: namely, automatic verification with the Murphi verifier of the Turbogas Control System of a 2MW Co-generative Power Plant (ICARO).
Our experimental results show that explicit model checkers (Murphi in our case) can outperform symbolic model checkers for verification of Hybrid Control Systems.
12
History
• Murphi is an explicit state model checker for low level analysis of Protocols and Software-like Systems.
• Murphi has been realized by Alan Hu, David Dill, Ulrich Stern, and many others from Stanford University, USA.
• Murphi: http://sprout.stanford.edu/dill/murphi.html
• Cached Murphi has been obtained from Murphi by changing the Murphi engine so as to use a cache based BFS and by adding finite precision real numbers. Cmurphi 4.2 uses a disk based BFS.
• Cached Murphi is a joint effort of the University of L'Aquila and the University of Rome "La Sapienza".
• Cached Murphi: http://www.dsi.uniroma1.it/~tronci
13
PLAN
• Add finite precision real numbers to Murphi. This allows easy modeling of (discrete time) Hybrid Systems.
• Build model of ICARO Turbogas Control System.
• Code model with Murphi verifier.
• Run verification experiments.
14
A Simple System (a glimpse of the Murphi input language)
x(t + 1) = x(t) + d(t) when x(t) <= 3
           x(t) – d(t) when x(t) > 3
d(t) = 0, 1, 2. x(0) = 0
[Figure: complete transition graph over states 0..5, edges labelled d = 0, 1, 2; the d = 0 edges are self-loops]
15
Murphi Code

```
CONST -- constant declarations
MAX_STATE_VALUE : 5;

TYPE -- type declarations
state_type : 0 .. 10;       -- integers from 0 to 10
disturbance_type : 0 .. 2;

VAR -- (global) variable declarations
x : state_type;             -- variable of type state_type

-- next state function
function next(x: state_type; d : disturbance_type): state_type;
begin
  if (x <= 3) then return (x + d); else return (x - d); endif
end;

startstate "startstate"     -- define initial state
  x := 0;
end;

-- nondeterministic disturbances -- trigger system transitions
ruleset d : disturbance_type do  -- define transition rule
  rule "time step" true ==>
  begin
    x := next(x, d);
  end;
end;

-- define property to be verified
invariant "x less than 5" (x < MAX_STATE_VALUE);
```

x(t + 1) = if x(t) <= 3 then x(t) + d(t) else x(t) – d(t); d(t) = 0, 1, 2; x(0) = 0;
Spec: x(t) < 5 (FAIL). Spec: x(t) <= 5 (PASS).
16
Murphi Error Trace

```
Startstate startstate fired.
x:0
----------
Rule time step, d:1 fired.
x:1
----------
Rule time step, d:2 fired.
x:3
----------
Rule time step, d:2 fired.
The last state of the trace (in full) is:
x:5
----------
```
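The simulation runs of slides 4 and 5, the exhaustive search of slides 6 and 7, and the Murphi model and error trace above can all be reproduced with a small explicit-state explorer. The following Python is an added example, not code from the talk or from Murphi itself: `simulate` follows one stimulus sequence, `model_check` performs the Murphi-style breadth-first search with a visited set (the role of Murphi's hash table) and returns a shortest counterexample, and `simple_step` / `larger_step` encode the two toy systems from the slides. All function names are my own.

```python
"""Explicit-state model checking of the toy systems on these slides (added example)."""
from collections import deque


def simulate(init, step, stimuli, invariant):
    """Simulation: apply ONE fixed stimulus sequence, checking the invariant on the way.
    Returns (spec_holds, trajectory). A passing run says nothing about the other
    stimulus sequences, which is the 'false negative' obstruction of slide 8."""
    x = init
    trajectory = [x]
    if not invariant(x):
        return False, trajectory
    for d in stimuli:
        x = step(x, d)
        trajectory.append(x)
        if not invariant(x):
            return False, trajectory
    return True, trajectory


def model_check(inits, step, stimuli, invariant):
    """Model checking: BFS over the whole transition graph (Murphi's default search).
    Returns (spec_holds, trace, visited): trace is a list of (stimulus, state) pairs
    from an initial state (stimulus None) to the first violating state, or None when
    the invariant holds in every reachable state; visited counts distinct states."""
    parent = {}                    # state -> (predecessor, stimulus); the visited set
    queue = deque()
    for s in inits:
        if s in parent:
            continue
        parent[s] = None
        if not invariant(s):
            return False, _trace(parent, s), len(parent)
        queue.append(s)
    while queue:
        s = queue.popleft()
        for d in stimuli:          # every rule of the ruleset fires from every state
            t = step(s, d)
            if t in parent:        # already visited: never re-expanded
                continue
            parent[t] = (s, d)
            if not invariant(t):
                return False, _trace(parent, t), len(parent)
            queue.append(t)
    return True, None, len(parent)


def _trace(parent, bad):
    """Walk predecessor links back to an initial state; BFS makes this a shortest path."""
    steps = []
    s = bad
    while parent[s] is not None:
        pred, d = parent[s]
        steps.append((d, s))
        s = pred
    steps.append((None, s))
    steps.reverse()
    return steps


def format_trace(trace):
    """Render a counterexample in the style of the Murphi error trace above."""
    lines = []
    for d, s in trace:
        lines.append("Startstate fired." if d is None else f"Rule time step, d:{d} fired.")
        lines.append(f"x:{s}")
    return "\n".join(lines)


def simple_step(x, d):
    """System of slides 4-6 and 14-16: x(t+1) = x + d if x <= 3 else x - d."""
    return x + d if x <= 3 else x - d


def larger_step(state, u):
    """'A Larger System' of slide 7; a state is the pair (x, y), y(t+1) = u(t)."""
    x, y = state
    s = x + y
    if s > 4:
        nx = x - 2 + u
    elif s == 4:
        nx = x - 1 + u
    elif s == 3:
        nx = x + u
    elif s == 2:
        nx = x + 1 + u
    else:
        nx = x + 2 + u
    return (nx, u)


if __name__ == "__main__":
    below_5 = lambda x: x < 5
    print(simulate(0, simple_step, [1, 2, 1, 2, 1, 1, 2, 2, 2, 1], below_5))  # slide 4: passes
    print(simulate(0, simple_step, [1, 2, 1, 2, 1, 2], below_5))              # slide 5: reaches 5
    ok, trace, n = model_check([0], simple_step, (0, 1, 2), below_5)
    print(ok, n)
    print(format_trace(trace))                                                 # d:1, d:2, d:2 as in Murphi
    print(model_check([0], simple_step, (0, 1, 2), lambda x: x <= 5))         # PASS, 6 states
    print(model_check([0], simple_step, (0, 1), below_5))                     # PASS with d in {0, 1}
    print(model_check([(0, 0)], larger_step, (-1, 0, 1), lambda s: s[0] <= 5)) # slide 7: 10 states
```

Run as a script, the x < 5 check prints the same counterexample Murphi reports (d:1, d:2, d:2 from x:0 to x:5), the x <= 5 and d in {0, 1} variants pass as stated on slides 6 and 15, and the larger system of slide 7 turns out to have exactly the ten (x, y) pairs drawn on that slide. The contrast with `simulate` is the point of slide 8: the ten-step run of slide 4 passes but proves nothing, since it follows one of the 2^10 possible stimulus sequences.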
17
Gas Turbine System
[Figure: block diagram with two blocks, Controller and Gas Turbine (Turbogas). The Controller receives Settings and the measurements Vrot, Texh, Pel, Pmc and outputs the Fuel Valve Opening FG102 to the Gas Turbine; the Gas Turbine is also subject to Disturbances: electric users, param. var, etc.]
Vrot: Turbine Rotation speed; Texh: Exhaust smokes Temperature; Pel: Generated Electric Power; Pmc: Compressor Pressure
18
Controller
[Figure: controller block diagram. The measurements Vrot, Pel, Pmc, Texh feed three control cells, N1Gov, PowLim and ExTLim; a MIN block (with ADJ) selects among their outputs and records the Winner; Offset, a Limiter and the 12MW bound appear on the path to the output, the Valve FG102 Opening Command.]
19
Cell i
[Figure: block diagram of control cell i, the template shared by N1Gov, PowLim and ExTLim. Inputs S and P are compared (+/-), the error goes through a proportional gain Kp and an integral gain Ki with integrator 1/s, the sum is saturated (SAT) between A and B (and between -10MW and 10MW), giving CellOutput. The integrator is reset when Winner != i (Winner name) and the >0? test holds: Reset at u + 4kW, where u = min(output N1Gov, output PowLim, output ExTLim).]
20
Power Limiter (PowLim): Electric Power Controller
[Figure: the cell of the previous slide instantiated with S = Pel Setpoint (+2MW), P = Pel; Cell i = "Power Limiter", A = 3000kW, B = 10MW; output: Output PowLim; Winner.]
21
N1 Governor (N1Gov): Turbine Rotation Speed Controller
[Figure: the cell template instantiated with P = Vrot. The setpoint S is produced by an Acceleration/Deceleration ramp (integrator 1/s) towards 105% in network mode or 6% in isle mode, combined with a multiplier X of Kdr and Pel; Cell i = "N1 Governor", A = 0, B = 10MW; output: Output N1 Governor; Winner.]
22
Exhaust Temperature Limiter (ExTLim): Exhaust Smoke Temperature Controller
[Figure: the cell template instantiated with P = Texh and S formed from Pmc plus an Offset; Cell i = "Exhaust Temperature Limiter", A = 0, B = 10MW; output: Output Exhaust Temperature Limiter; Winner.]
23
Gas Turbine
[Figure: the Gas Turbine block: input FG102; outputs Texh, Vrot, Pel; Disturbances: el. users, par. var, etc.]
24
Modeling
All subsystems are modeled as Finite State Automata (FSA). This implies:
• Time is discrete.
• State values range on finite precision real numbers (namely real(4, 2): 4 digit mantissa, 2 digit exponent).
Going to discrete time brings in a sampling frequency F = 1/T:
dx(t)/dt = f(x(t), u(t))
(x(t + 1) – x(t))/T = f(x(t), u(t))
x(t + 1) = x(t) + T*f(x(t), u(t))
25
Gas Turbine (as seen from Controller)
Generated Electric Power: P(t + 1) = P(t) + (a1*(P(t) – P0) + a2*FG102(t) – a3*u(t))*T
Smokes Temperature: Tf(t + 1) = Tf(t) + (b1*(P(t) – P0) + b2*FG102(t) – b3*u(t))*T
Turbine Rotation Speed: V(t + 1) = V(t) + (c1*(P(t) – P0) + c2*FG102(t) – c3*u(t))*T
User demand: u(t + 1) = u(t) + MAX_D_U*ud(t)*T
MAX_D_U = Max variation speed (time derivative) of user el. demand; ud(t) = -1, 0, 1 (uncontrolled load disturbance)
Coefficients a, b, c computed by fitting with plant log data.
26
A Glimpse of the PI Model
PI: dx/dt = K*u(t)
Discrete Time PI: x(t + 1) = x(t) + K*u(t)*T
27
Murphi Code for GTS: const

```
CONST
SAMPLING_FREQ : 100.0;        -- sampling frequency in Hz.
-- Max Electric Power generated (kW)
MAX_ELECT_POW_GEN_ALT: 3200.0;
-- Max turbine rotation speed (percentage of max = 22500 rpm)
MAX_ROT_SPEED: 130.0;
MAX_COMPR_PRES: 14.0;         -- Max compressor pressure (bar)
MAX_SMOKE_TEMP: 600.0;        -- Max exhaust smokes temperature (C)
-- Max variation speed (time derivative) of user demand
MAX_D_U: 10.0;
FREQ_1 : 100;                 -- frequency injection disturbances
kdr : 0.0019;                 -- multiplier
```
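As an added illustration of slides 24-27 (not the talk's Murphi model), the Python below rounds values to Murphi's real(4,2), applies the Euler discretization x(t+1) = x(t) + T*f(x(t), u(t)) to the generated-power equation of slide 25, to the discrete-time PI of slide 26 and to the user-demand ramp, with SAMPLING_FREQ = 100 Hz and MAX_D_U = 10 kW/s taken from the CONST section. The plant coefficients A1, A2, A3, P0 and the PI gain K_PI are constructed placeholders; the fitted ICARO values are not on the slides, and the function names are my own.

```python
"""Discrete-time, finite-precision plant modelling as on slides 24-27 (added example)."""
import math

# Murphi real(4, 2): value = +/-0.mmmm * 10^(+/-nn), 4 mantissa digits, 2 exponent digits.
MANTISSA_DIGITS = 4
EXPONENT_DIGITS = 2


def to_real(x, m=MANTISSA_DIGITS, e=EXPONENT_DIGITS):
    """Round x to the nearest real(m, e) value; raise if the exponent does not fit."""
    if x == 0:
        return 0.0
    exp = math.floor(math.log10(abs(x))) + 1        # x = 0.mmmm * 10**exp
    if abs(exp) >= 10 ** e:
        raise OverflowError(f"{x} does not fit real({m},{e})")
    if exp <= m:
        scale = 10 ** (m - exp)                      # keep m significant digits
        return round(x * scale) / scale
    unit = 10 ** (exp - m)                           # integer part wider than m digits
    return float(round(x / unit) * unit)


T = 1.0 / 100.0      # SAMPLING_FREQ : 100.0 (Hz) from the CONST section
MAX_D_U = 10.0       # MAX_D_U: 10.0 (kW/s) from the CONST section

# Constructed coefficients (NOT the fitted ICARO values): power P relaxes towards P0,
# rises with valve opening FG102 and falls with user demand u.
P0, A1, A2, A3 = 2000.0, -0.5, 400.0, 1.0
K_PI = 0.01          # constructed PI gain for the power controller


def euler_step(x, dxdt):
    """x(t+1) = x(t) + T*f(x(t), u(t)), stored with real(4,2) precision like a Murphi variable."""
    return to_real(x + T * dxdt)


def plant_step(P, fg102, u):
    """Slide 25: P(t+1) = P(t) + (a1*(P(t) - P0) + a2*FG102(t) - a3*u(t))*T."""
    return euler_step(P, A1 * (P - P0) + A2 * fg102 - A3 * u)


def pi_step(x, err):
    """Slide 26: discrete-time PI integrator state, x(t+1) = x(t) + K*u(t)*T."""
    return euler_step(x, K_PI * err)


def demand_step(u, ud):
    """Slide 25: u(t+1) = u(t) + MAX_D_U*ud(t)*T, with ud(t) in {-1, 0, 1}."""
    assert ud in (-1, 0, 1)
    return euler_step(u, MAX_D_U * ud)


def closed_loop(P, fg102, u, uds, setpoint=P0):
    """Run one load-disturbance sequence through plant + PI controller.
    Returns the trajectory of (P, FG102, u) states; the first entry is the initial state."""
    states = [(P, fg102, u)]
    for ud in uds:
        fg102 = pi_step(fg102, setpoint - P)   # controller integrates the power error
        u = demand_step(u, ud)                 # uncontrolled load moves by at most MAX_D_U*T
        P = plant_step(P, fg102, u)
        states.append((P, fg102, u))
    return states


if __name__ == "__main__":
    for s in closed_loop(2000.0, 0.0, 0.0, [1] * 5 + [0] * 5):
        print(s)
    # The quantization caveat: a 10 kW load changes P by 0.1 kW per step, below the
    # 1 kW resolution real(4,2) gives a value near 2000, so the step is rounded away.
    print(plant_step(2000.0, 0.0, 10.0), plant_step(2000.0, 0.0, 100.0))
```

One check worth running before a verification campaign: with a 4-digit mantissa a variable near 2000 kW has a resolution of 1 kW, so any T*f smaller than 0.5 kW is rounded away and the automaton acquires fixed points the continuous model does not have (`plant_step(2000.0, 0.0, 10.0)` returns 2000.0 in the block above). Units, sampling period and mantissa width have to be chosen together for the discrete model to stay faithful to the plant.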
28
Murphi Code for GTS: type

```
TYPE
-- define our real type:
-- 4 digit mantissa, 2 digit exponents, ±0.mmmm*10±nn
real_type : real(4,2);
Pow_Gen_type: real_type;      -- power generator type
Rot_Speed_type: real_type;    -- rot speed type
Mode_type: 1 .. 2;            -- 1 isle, 2 net
-- exhaust smokes temperature type
Smoke_Temp_type: real_type;
```
29
Murphi Code for GTS: var

```
VAR
-- Generated Electric Power (kW)
Power : Pow_Gen_type;
-- Turbine rotation speed (percentage of max = 22500 rpm)
v_rot : Rot_Speed_type;
-- Exhaust smokes temperature (C)
smokes : Smoke_Temp_type;
modality_value : Mode_type;   -- 1 isle, 2 net
```
30
Murphi Invariants

```
-- invariants
invariant "power ok" (Power>=1300) & (Power<=2500);
invariant "fumi ok" (smokes>=200) & (smokes<=580);
invariant "rot speed ok" (v_rot>=40) & (v_rot<=120);
```
31
Murphi Output OK (MAX_D_U = 10.0)

```
Cached Murphi Release 3.1
Finite-state Concurrent System Verifier.
...
Progress Report:
---- begin bfs level 0.
...
---- begin bfs level 12903.
---- begin bfs level 12904.
==========================================================================
Status:
No error found.
State Space Explored:
2246328 states, 6738984 rules fired in 16988.18s.
Collision Rate: 1.9587522e-05.
Levels Explored: 12904.
Omission Probabilities (caused by Hash Compaction):
Pr[even one omitted state] <= 4.8779e-08
Pr[even one undetected error] <= 2.62273e-10
Diameter of reachability graph: 12904
```
32
Murphi Output FAIL (MAX_D_U = 25)

```
---- begin bfs level 0.
...
---- begin bfs level 1533.
The following is the error trace for the error:
Invariant "rot speed ok, morsetto:2" failed.
Startstate initstate fired.
Power:+2.000e+03 v_rot:+7.500e+01
FUMI:+5.520e+02 N1_gov:+1.000e+03
Pow_lim:+1.000e+03 Temp_lim:+1.000e+03
valve_fg102:+1.000e-01 v:+7.500e+02
N1_state:+1.000e+03 Powlim_state:+1.000e+03
templim_state:+1.000e+03 minall:+1.000e+03
winner:2 step_counter:0
pressione:+1.200e+01 utenza:+0.000e+00
modality_value:1
```
33
Murphi Fail (2)

```
Rule time step, morsetto:2, modalita:2, d_pressione:0, N1_d1:0, N1_d2:0, Powlim_d:0, templim_d:0, utenza_d:-1 fired.
v_rot:+7.507e+01 N1_gov:+1.100e+04
Temp_lim:+6.180e+03 v:+1.050e+02
N1_state:+1.004e+03 templim_state:+1.004e+03
step_counter:1
----------
....
Rule time step, morsetto:2, modalita:2, d_pressione:0, N1_d1:0, N1_d2:0, Powlim_d:0, templim_d:0, utenza_d:-1 fired.
The last state of the trace (in full) is:
Power:+1.627e+03 v_rot:+3.994e+01
FUMI:+5.520e+02 N1_gov:+1.120e+04
Pow_lim:+1.199e+03 Temp_lim:+6.380e+03
valve_fg102:+1.198e-01 v:+1.050e+02
N1_state:+1.202e+03 Powlim_state:+8.283e+02
templim_state:+1.202e+03 minall:+1.199e+03
winner:2 step_counter:34
pressione:+1.200e+01 utenza:+1.250e+02
modality_value:2
```
34
Murphi Fail (3)

```
End of the error trace.
=====================================================
Result:
Invariant "rot speed ok, morsetto:2" failed.
State Space Explored:
1739719 states, 5186047 rules fired in 12548.25s.
Collision Rate: 0.
Levels Explored: 1533.
```
35
Experimental Results

| MAX_D_U | Reachable States | Rules Fired | Diameter | CPU (sec) | Result |
|---|---|---|---|---|---|
| 10.0 | 2,246,328 | 6,738,984 | 12904 | 16988.18 | PASS |
| 17.5 | 7,492,389 | 22,477,167 | 7423 | 54012.18 | PASS |
| 25 | 1,739,719 | 5,186,047 | 1533 | 12548.25 | FAIL |
| 50 | 36,801 | 109,015 | 804 | 271.77 | FAIL |

Results on an Intel Pentium 4, 2GHz Linux PC with 512 MB RAM. Murphi options: -b, -c, --cache, -m350
36
Why does it work?
Here we are interested in automatic verification of a control system in a neighborhood of its setpoint.
A well designed controller keeps the whole system in a (small) neighborhood of the setpoint, thus the set of states that are reachable from the setpoint is small.
An explicit model checker, like Murphi, can exploit this fact: it only ever stores the states actually reached.
Taking advantage of this fact with a symbolic model checker may be hard. The representation of the system transition relation, which covers the whole state space and not just the reachable part, can be so large that we may run out of memory even before starting the reachability analysis.
Indeed this was our experience when we tried to use HyTech and SMV on our hybrid system verification problem.
37
Conclusions
• Finite Precision Real Numbers can be easily added to the Murphi verifier. This allows easy modeling of hybrid systems with Murphi.
• Nontrivial case study presented: Automatic Verification of the Turbogas Control System of a Co-generative Electric Power Plant (ICARO).
• Our experimental results suggest that Murphi can be effectively used for automatic verification of Hybrid Control Systems.