Model Checker In-The-Loop
Flavio Lerda, Edmund M. Clarke Computer Science Department
Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering
MURI Review Meeting
Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems
Berkeley, CA
September 6, 2007
Motivation
Designing control software is difficult:
  • Designing software is difficult
  • Interaction between software and the plant
Simulation is not always sufficient:
  • Difficult to model software accurately: concurrent tasks, user inputs
  • Only some specific cases
Accomplishments
A tool that combines a software model checker with continuous-time plant models:
  • The model checker uses simulation traces produced by MATLAB/Simulink
  • The control code reacts to the plant at fixed sample times
  • Simulation is used to determine the behavior of the plant between sampling instants
Accomplishments
More than simple simulation:
  • Using a model checker to efficiently search for counterexamples
  • Non-deterministic model
  • Able to handle concurrency
  • Model the software in detail
Able to evaluate concurrency issues more efficiently than simulation
Accomplishments
Analyzed the Simulink model of the STARMAC quadrotor from the Stanford group:
  • Designed a concurrent supervisory controller
  • Detected a bug in our controller, due to the interleaving of concurrent tasks
System Model
The controller: discrete time, Stateflow diagrams, interleaving semantics
The plant: continuous time, Simulink model
Systematic Simulation
Simulation traces are not independent: they share common prefixes
Explore a tree of simulations:
  • The model checker generates the traces
  • Exploration can be done efficiently
(Figure: Standard Simulation vs. Systematic Simulation)
Trace Generation
Finite set of initial states
States are composed of both the controller state and the plant state
Discrete transitions: corresponding to the controller
Continuous transitions: corresponding to the plant; the duration is determined by the period of the tasks
Generate traces by alternating discrete and continuous transitions
(Figure: Initial State, followed by alternating Discrete Transitions and Continuous Transitions)
Approximate Equivalence
Some simulation traces are similar:
  • Reach a state near a previous simulation state
  • We expect the evolution to be similar to the previous trace
The same controller state and proximity of the plant state
Approximate Equivalence
Some simulation traces are similar:
  • Reach a state near a previous simulation state
  • We expect the evolution to be similar to the previous trace
Heuristic approach: ignore traces that lead close to a previously visited point
Approximate Equivalence
Non-conservative: the ignored trace may lead to new behavior
Useful heuristic for efficiently searching for counterexamples [1]
Dynamically choose a subset of simulations to perform, based on proximity
[1] J. Kapinski, O. Maler, O. Stursberg, and B. H. Krogh. On Systematic Simulation of Open Continuous Systems.
STARMAC Example
Supervisory controller constructed for the STARMAC
Flies the vehicle through a given sequence of waypoints
Safety property: the altitude is never lower than the minimum safe altitude (1 meter) unless the vehicle is taking off or landing
Modeled in Stateflow, but we assume the implementation uses interleaving semantics
Controller Tasks
Waypoint Tracking task:
  • Checks the proximity to a waypoint
  • Picks the next waypoint from a list
  • Generates the next command
Waypoint Monitoring task:
  • Checks if the altitude value of the next waypoint is less than 1.1 meters
  • If so, it fixes the altitude command to be equal to 1.1 meters, unless it is the first or last waypoint
ADC task:
  • Samples the state of the environment
Command Latch task:
  • Maintains the command until the next waypoint is issued
STARMAC Example
(Figure: the four controller tasks: Waypoint Tracking Task, Waypoint Monitoring Task, ADC Task, Command Latch Task)
Systematic Simulation
The controller is given a list of waypoints (given by the table on the right)
One waypoint is below the minimum safe altitude
The model checker generates a large number of traces:
  • They represent different possible executions
  • They correspond to the different interleavings of tasks
Waypoints:
  WP1: z = 0
  WP2: z = 1.2
  WP3: z = 1.5
  WP4: z = 0.5
  WP5: z = 1.5
  WP6: z = 0
Systematic Simulation
I will show only two traces:
The first trace satisfies the property
  • The STARMAC takes off, goes through the waypoints, and lands safely
In the second one, the vehicle goes below the minimum safe altitude
  • The error is due to the particular interleaving of tasks
(Figure: altitude plot, Time (sec.) from 0 to 15 on the horizontal axis, Altitude (m) from 0 to 1.6 on the vertical axis, showing z, z_cmd and z_min; waypoints WP1: z = 0, WP2: z = 1.2, WP3: z = 1.5, WP4: z = 0.5, WP5: z = 1.5, WP6: z = 0)
Successful trace
The fourth waypoint is below 1.1 meters
The Waypoint Tracking task generates the invalid command
The Waypoint Monitor task corrects the value
The UAV remains above the minimum altitude and lands safely
(Figure: altitude plot, Time (sec.) from 0 to 15 on the horizontal axis, Altitude (m) from 0 to 1.6 on the vertical axis, showing z, z_cmd and z_min; waypoints WP1: z = 0, WP2: z = 1.2, WP3: z = 1.5, WP4: z = 0.5, WP5: z = 1.5, WP6: z = 0)
Counterexample
A different interleaving is possible at time t = 7.5
The Waypoint Monitor task executes first and sees a valid waypoint
The Waypoint Tracking task generates the invalid value
The UAV receives the lower waypoint and flies below the minimum altitude
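As an added, constructed example (not the authors' tool or their Stateflow/Simulink model) tying together the trace generation of the Trace Generation slide, the approximate-equivalence heuristic and the STARMAC counterexample: the first-order altitude plant, the task period, gain and proximity tolerance are assumed values, and the Waypoint Monitoring task is assumed to act only on a freshly issued waypoint, which the Command Latch task consumes.

```python
import itertools
import math
# Constructed stand-in (not the authors' Stateflow/Simulink model): three periodic
# tasks sharing a command variable, and a first-order plant z' = K*(z_latched - z).
PERIOD, HORIZON, K, TOL = 0.5, 15.0, 1.0, 0.05       # assumed values
Z_MIN, Z_FIX = 1.0, 1.1                               # from the slides (m)
WAYPOINTS = [0.0, 1.2, 1.5, 0.5, 1.5, 0.0]            # z of WP1..WP6 (slides)
LAST = len(WAYPOINTS) - 1
TASKS = ("tracking", "monitoring", "latch")           # ADC task = the read of z
INITIAL = {"wp": 0, "cmd": 0.0, "latched": 0.0, "new": False}
def run_task(name, c, z):
    """Discrete transition of one task on the controller state c."""
    if name == "tracking" and c["wp"] < LAST and abs(z - c["cmd"]) < TOL:
        c["wp"] += 1                                   # pick the next waypoint
        c["cmd"], c["new"] = WAYPOINTS[c["wp"]], True
    elif name == "monitoring" and c["new"] and 0 < c["wp"] < LAST:
        c["cmd"] = max(c["cmd"], Z_FIX)                # fix a too-low command
    elif name == "latch" and c["new"]:
        c["latched"], c["new"] = c["cmd"], False       # hold until next waypoint

def step(c, z, order):
    """Discrete transition (tasks in `order`), then the plant over one PERIOD."""
    for name in order:
        run_task(name, c, z)
    return c, c["latched"] + (z - c["latched"]) * math.exp(-K * PERIOD)

def safe(c, z0, z1):
    """z >= Z_MIN unless taking off or landing; z is monotone per period."""
    return c["wp"] in (0, 1, LAST) or min(z0, z1) >= Z_MIN

def explore(fixed_order=None, eps=0.02):
    """DFS over the tree of interleavings (plain simulation if one ordering is
    fixed).  A state equal in controller part and within eps in plant part to a
    visited one is skipped (approximate equivalence).  Returns (trace, t) or None."""
    orders = [fixed_order] if fixed_order else [*itertools.permutations(TASKS)][::-1]
    visited, stack = [], [(dict(INITIAL), 0.0, 0.0, [])]
    while stack:
        c, z, t, trace = stack.pop()
        if t >= HORIZON:
            continue
        for order in orders:
            c2, z2 = step(dict(c), z, order)
            key = tuple(sorted(c2.items()))
            if any(k == key and abs(z2 - zv) < eps for k, zv in visited):
                continue                               # approximately equivalent
            visited.append((key, z2))
            if not safe(c2, z, z2):
                return trace + [order], t + PERIOD     # counterexample found
            stack.append((c2, z2, t + PERIOD, trace + [order]))
    return None
```

With a fixed ordering `explore` is plain simulation, and the tracking-monitoring-latch order never shows the race; the unconstrained search explores the interleaving tree and returns the trace in which the Monitoring task runs before the Tracking task at the hand-off to WP4, after which the latched 0.5 m command takes the vehicle below 1 m.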
Conservative Approach
Approximate equivalence is a heuristic: proximity of states at the current time, not of the future evolutions originating from these states
Determine a set around each simulation state which is guaranteed to be safe
Special case: affine dynamics, bounded time
Safe Ellipsoidal Set
For stable affine systems, we can determine a Lyapunov function, and its level sets are ellipsoids
Given a trajectory from x0 to x1, consider a point y0 within a level set of the Lyapunov function centered around x0
The trajectory starting at y0 ends at a point y1 within the corresponding level set centered around x1
We can use the Lyapunov function to determine safe sets of states
Efficient operations on ellipsoids
(Figure: trajectories from x0 to x1 and from y0 to y1, with the level-set ellipsoids around x0 and x1)
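An added derivation (not on the slides) of why the level set is carried along the trajectory, in the slide's notation; the matrices $A$, $b$, $P$, $Q$ and the altitude row vector $w$ are assumed names.

Take the affine plant $\dot x = A x + b$ with $A$ Hurwitz and $b$ constant during one continuous transition (both trajectories run under the same controller state, hence the same command). Pick $Q \succ 0$, solve the Lyapunov equation $A^{\top} P + P A = -Q$ for $P \succ 0$, and let $V(e) = e^{\top} P e$. With $x(t)$ the trajectory from $x_0$ and $y(t)$ the trajectory from $y_0$, the difference $e(t) = y(t) - x(t)$ satisfies

$$\dot e = A e, \qquad \dot V(e) = e^{\top}(A^{\top} P + P A)\, e = -\, e^{\top} Q e \;\le\; -\frac{\lambda_{\min}(Q)}{\lambda_{\max}(P)}\, V(e).$$

Hence $V(e(t)) \le e^{-\alpha t}\, V(e(0))$ with $\alpha = \lambda_{\min}(Q)/\lambda_{\max}(P)$: if $y_0 \in E(x_0, c) = \{\, y : (y - x_0)^{\top} P\, (y - x_0) \le c \,\}$, then $y_1 = y(t_1)$ lies in $E(x_1, c)$ for $x_1 = x(t_1)$, and in fact in the smaller ellipsoid $E(x_1, e^{-\alpha t_1} c)$, for every $t_1 \ge 0$. For a half-space safety constraint such as $w^{\top} x \ge z_{\min}$ (altitude above the minimum), the whole ellipsoid $E(x(t), c)$ is safe exactly when

$$w^{\top} x(t) - \sqrt{c\, w^{\top} P^{-1} w} \;\ge\; z_{\min},$$

because $\min_{y \in E(x, c)} w^{\top} y = w^{\top} x - \sqrt{c\, w^{\top} P^{-1} w}$. Checking this inequality at every point of one simulated trajectory therefore certifies, for the bounded time that trajectory covers, every trajectory that starts in $E(x_0, c)$, which is the conservative replacement for the proximity heuristic.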
Conclusion
How to use a software model checker for systematic simulation:
  • Using Matlab/Simulink for the plant
  • A model checker for the automatically generated code from Stateflow
  • Heuristic for ignoring traces that are similar
  • Currently working on a conservative approach for affine systems
Future Work
Develop the conservative approach
Integrate with Vanderbilt’s code generator
Extend results to unbounded time
Use Lyapunov functions for non-linear systems
Questions?