Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata
Sayan Mitra
MIT
Hybrid Systems: Computation and Control
Prague, Czech Republic
2003
Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron
HSCC 03
MIT LCS
Verification Techniques
• Algorithmic
– Model checking, e.g. [Alur, et al. 95]
• Automatic: HyTech
• Essentially for finite-state systems, subclass of linear hybrid systems
– Over-approximating set of unsafe states [Bayen, et al. 02]
• Deductive
– Invariant assertions, simulation relations, e.g. [Manna, Sipma 98]
• Can accommodate infinite-state systems: STeP
• Requires human effort
– User interaction
Talk Outline
• Introduction
• Hybrid I/O Automata definitions
• Specification of Quanser
• Safety Verification
• Conclusions
The HIOA Model
[Lynch, Segala, Vaandrager 01, 03]
• General, mathematical modeling framework.
– States, discrete transitions
– Trajectories: Maps left closed intervals of time to variable values
• Support for decomposing hybrid system descriptions:
– External behavior: Models interaction of component with environment.
– Composition: Synchronizes external actions, external “flows”; respects external behavior.
– Levels of abstraction: Implementation notion
• Can incorporate analysis methods from:
– CS: Invariants, simulation relations, compositional methods.
– Control theory: Invariant sets, stability analysis, robust control.
Hybrid I/O Automaton
• V = U ∪ Y ∪ X: Input, output, and internal (state) variables
• Q: States, a set of valuations of X
• Θ ⊆ Q: Start states
• A = I ∪ O ∪ H: Input, output, and internal actions
• D ⊆ Q × A × Q: Discrete transitions
• T: Trajectories for V.
[Figure: block diagram of an automaton with input actions I and input variables U entering, output actions O and output variables Y leaving, and internal variables X and internal actions H inside.]
Trajectory Axioms and Executions
• Set T of trajectories is closed under:
– Prefix
– Suffix
– Countable concatenation
• fstate, lstate (first and last state of a trajectory)
• Execution fragment: τ0 a1 τ1 a2 τ2 …, where:
– Each τi is a trajectory of the automaton and
– Each (τi.lstate, ai, τi+1.fstate) is a discrete step.
• Execution:
– Execution fragment beginning in a start state.
Model Helicopter System
• Manufactured by Quanser
• User controllers not necessarily safe, can crash the helicopter on the table.
• Supervisory pitch controller needed to ensure safety.
– Safe operating region
– Saturated actuator outputs : Umin or Umax
• Must contend with
– Sensor errors
– Actuator delay
Helicopter System
[Figure: block diagram of the composed system. The Plant (variables θ0, θ1) takes input U; the Sensor (variables now, next) samples θ0, θ1; UserCntrl produces Xu; the Supervisor (variables mode, Xs, S, rt) receives Sample and Useroutput(Xu) and issues S; the Actuator (buffer, u) dequeues u to produce the input U of the Plant.]
Plant
Variables:
θ0: Pitch angle
θ1: Pitch velocity
Trajectories:
evolve: d(θ0) = θ1
d(θ1) = −Ω² cos θ0 + U
Input bounds: Umin, Umax
Safe Region: S = { s | θmin ≤ s.θ0 ≤ θmax }
[Figure: Plant block with input U and outputs θ0, θ1.]
Sensor
Variables: now, next
Discrete transition: Sample(θ0d, θ1d)
precondition: now = next
and θ0d ∈ [θ0 − ε0, θ0 + ε0]
and θ1d ∈ [θ1 − ε1, θ1 + ε1]
effect: next = next + Δ
(Nondeterministic choice of the sampled values within the error bounds)
Trajectories:
evolve: d(now) = 1
stopping condition: now = next
User Controller
• Arbitrarily bad user
• On receiving Sample,
– Useroutput(Xu)
– Nondeterministic choice, Xu ∈ [Umin, Umax]
Actuator
• Actuator delay Ta
– modeled as a FIFO queue of Supervisor (User) outputs
– buffer: length [Ta / Δ]
• Enqueue S received from supervisor
• Dequeue u from buffer head
– u changes discretely
– Made into piecewise-continuous output U
Modeling Actuator Delay
• Ta currently modeled as a single discrete jump from Umin to Umax after time Ta.
• Alternatively
– Approximate exponential rise by adding k intermediate values in the buffer, for every command from the supervisor.
• Output from buffer will change every Δ/k time.
– Model as continuous function
[Figure: actuator response rising from Umin to Umax over the delay Ta.]
Safe Operating Region
[Figure: phase plane with θ0 on the horizontal axis (θmin and θmax marked) and θ1 on the vertical axis, showing the nested regions S, C, U, R and I.]
Assumption: Cannot cross I in Δ time.
Supervisor
[Figure: Supervisor block with variables mode, Xs, S, rt; inputs Sample and Useroutput(Xu); output Command(S).]
• On receiving Sample, computes Xs
– If s is above I+ then Xs = Umin
– If s is below I- then Xs = Umax
• On receiving Useroutput(Xu), computes S
– If mode = user then
• If s is in U then S = Xu
• Else mode = supervisor; S = Xs
– If mode = supervisor then
• If s is in I then S = Xu; mode = user
• Else S = Xs
Safety Verification
• Assertional Proofs
– Reasoning based on current state of the system
• Finding the invariants is challenging
– Strengthen statement
• Proofs are easy, for proving I:
– Base case: Θ ⊆ I
– Discrete part: for (s, a, s') ∈ D, show I(s) implies I(s')
– Continuous part: for closed τ ∈ T, show I(fstate(τ)) implies I(lstate(τ))
Key Lemmas
• All trajectories are closed
• For any trajectory τ ∈ T, ltime(τ) − ftime(τ) ≤ Δ.
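As an added example (not code from the talk or from the HIOA/IOA toolset), the proof obligations of the Safety Verification slide and the Key Lemma above, instantiated on the Sensor automaton of the specification. The candidate invariant now ≤ next ≤ now + Δ, the start state (now = 0, next = Δ), the value of Δ and the grid of sample states are assumptions made here. The checker evaluates the base, discrete and continuous obligations exactly (rational arithmetic) on those states: a failure refutes a candidate with a concrete counterexample, a pass does not replace the proof. A second, non-inductive candidate shows why the statement has to be strengthened.

```python
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Callable, Dict, List

# Sampling period Δ of the Sensor automaton (value assumed for this example).
DELTA = F(1, 100)


@dataclass(frozen=True)
class SensorState:
    """A valuation of the Sensor's variables: the clock `now` and the next sample time `next`."""
    now: F
    next: F


# Θ: the sensor starts at time 0 with its first sample due at Δ (assumed start state).
START_STATES = [SensorState(F(0), DELTA)]


def sample_enabled(s: SensorState) -> bool:
    """Precondition of the Sample action: now = next."""
    return s.now == s.next


def sample_effect(s: SensorState) -> SensorState:
    """Effect of Sample: next := next + Δ (now is unchanged by the discrete step)."""
    return SensorState(s.now, s.next + DELTA)


def closed_trajectories(s: SensorState, durations: List[F]) -> List[SensorState]:
    """Last states of closed trajectories from s: `now` evolves at rate 1 (d(now) = 1),
    `next` is constant, and the stopping condition now = next caps the duration."""
    return [SensorState(s.now + d, s.next) for d in durations if 0 <= d <= s.next - s.now]


def inductive_invariant(s: SensorState) -> bool:
    """Candidate I: now <= next <= now + Δ."""
    return s.now <= s.next <= s.now + DELTA


def non_inductive_candidate(s: SensorState) -> bool:
    """Holds in the start state but is not preserved along trajectories."""
    return s.next == s.now + DELTA


def sample_states() -> List[SensorState]:
    """Constructed grid of states around the interesting boundaries (not exhaustive)."""
    offsets = [-DELTA, F(0), DELTA / 2, DELTA, 2 * DELTA]
    return [SensorState(n, n + o) for n in [F(0), DELTA / 2, DELTA, 3 * DELTA] for o in offsets]


def check_inductive(inv: Callable[[SensorState], bool]) -> Dict[str, bool]:
    """The three obligations of an assertional proof, evaluated on the sample states."""
    durations = [F(0), DELTA / 4, DELTA / 2, DELTA]
    states = [s for s in sample_states() if inv(s)]          # induction hypothesis I(s)
    return {
        "base": all(inv(s) for s in START_STATES),                                     # Θ ⊆ I
        "discrete": all(inv(sample_effect(s)) for s in states if sample_enabled(s)),   # I(s) ⇒ I(s')
        "continuous": all(inv(t) for s in states for t in closed_trajectories(s, durations)),
    }


def max_trajectory_duration(inv: Callable[[SensorState], bool]) -> F:
    """Key Lemma on the sample states: under I, a closed trajectory lasts at most
    next - now, which I bounds by Δ."""
    return max(s.next - s.now for s in sample_states() if inv(s))


if __name__ == "__main__":
    print("I := now <= next <= now + Δ:", check_inductive(inductive_invariant))
    print("I := next = now + Δ:", check_inductive(non_inductive_candidate))
    print("longest trajectory under I:", max_trajectory_duration(inductive_invariant))
```

The strengthened candidate is the one that yields the Key Lemma: the stopping condition alone bounds a trajectory by next − now, and the upper half of the invariant bounds that difference by Δ. The equality candidate is true initially but fails the continuous obligation as soon as `now` advances, which is the "strengthen statement" step the slides refer to.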
User mode
[Figure: phase plane (θ0 horizontal, θ1 vertical) with the nested regions S, C, U, R, I and the family of sets A0 = R, A1, A2, …, AΔ.]
For 0 ≤ t ≤ t' ≤ Δ: At' ⊆ At
U ⊆ AΔ
A0 = R
User mode: Safety
• Any reachable state in the user mode is within R.
• Proof:
– Discrete part is easy
– For any closed trajectory τ ∈ T, if fstate(τ) ∈ At then lstate(τ) ∈ At−ltime(τ).
Executions in User and Supervisor modes
[Figure: timeline of an execution alternating between user mode and supervisor mode. Annotations: cannot go outside U in the user mode; supervisor kicks in, but the buffer contains stale user commands; buffer flushed; returns to I and mode switches back to user.]
Supervisor mode
Correct input to plant
• If s is above I+ then the last [rt/Δ] entries in the buffer are Umin
– rt: stopwatch for supervisor mode
• Similarly, if s is below I- then … Umax
Settling phase (rt ≤ Ta)
• Any reachable state is within C
– All trajectories starting from within R remain within C
– Proof similar to User mode
Recovery phase (rt > Ta)
• Any reachable state is within C
– Proof: At any point on the boundary of C, the vector field points inwards
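The following simulation is an added example, not code from the talk, from the HIOA toolset or from Quanser. It composes the Plant, Sensor, User Controller, Actuator and Supervisor of the preceding slides as an execution of Δ-long closed trajectories interleaved with the Sample, Useroutput(Xu), Command(S) and dequeue actions, and it monitors the two assertions the proof rests on: the plant state stays in the safe region S, and in supervisor mode the last ⌈rt/Δ⌉ buffer entries are Umin when s is above I+ (Umax below I-). Every numeric parameter (Δ, Ta, Umin/Umax, Ω, ε0/ε1, θmin/θmax) is assumed, and the phase-plane regions I and U are replaced by bands of a predicted pitch θ0 + τ·θ1; that replacement is a simplification made here, not the regions of the slides. The user controller is driven by the two saturated worst cases and by a seeded random choice in [Umin, Umax].

```python
import math
import random
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, List, Tuple

# All parameters below are assumed for this example (not the Quanser values).
DELTA = 0.01                       # sampling period Δ [s]
T_A = 0.05                         # actuator delay Ta [s]; buffer length = Ta/Δ
U_MIN, U_MAX = -1.0, 1.0           # saturated actuator outputs
OMEGA_SQ = 0.25                    # Ω² in d(θ1) = -Ω² cos θ0 + U
EPS0, EPS1 = 0.005, 0.02           # sensor error bounds ε0, ε1
THETA_MIN, THETA_MAX = -0.5, 0.5   # safe region S: θmin ≤ θ0 ≤ θmax
LOOKAHEAD = 0.2                    # τ in the predicted pitch p = θ0 + τ·θ1 (assumed stand-in for the regions)
I_BOUND, U_BOUND = 0.05, 0.10      # region I: |p| ≤ I_BOUND, region U: |p| ≤ U_BOUND


def predicted_pitch(th0: float, th1: float) -> float:
    """Simplified phase-plane coordinate: 'above I+' is p > I_BOUND, 'below I-' is p < -I_BOUND."""
    return th0 + LOOKAHEAD * th1


@dataclass
class System:
    th0: float = 0.0          # Plant: pitch angle θ0
    th1: float = 0.0          # Plant: pitch velocity θ1
    u: float = 0.0            # Actuator output U currently applied to the plant
    buffer: Deque[float] = field(default_factory=lambda: deque([0.0] * round(T_A / DELTA)))
    mode: str = "user"        # Supervisor: mode ∈ {user, supervisor}
    xs: float = 0.0           # Supervisor: its own command Xs
    rt_steps: int = 0         # Supervisor: stopwatch rt, counted in Δ steps
    switches: int = 0         # number of times the supervisor took over
    violations: List[str] = field(default_factory=list)

    def evolve(self) -> None:
        """One closed trajectory of length Δ (Key Lemma): u is constant, the plant integrates."""
        steps, dt = 20, DELTA / 20
        for _ in range(steps):
            self.th1 += dt * (-OMEGA_SQ * math.cos(self.th0) + self.u)   # d(θ1) = -Ω² cos θ0 + U
            self.th0 += dt * self.th1                                    # d(θ0) = θ1
        if self.mode == "supervisor":
            self.rt_steps += 1

    def sample(self, rng: random.Random) -> Tuple[float, float]:
        """Sample(θ0d, θ1d): nondeterministic reading within the sensor error bounds."""
        return self.th0 + rng.uniform(-EPS0, EPS0), self.th1 + rng.uniform(-EPS1, EPS1)

    def command(self, th0d: float, th1d: float, xu: float) -> float:
        """Supervisor: Xs from the sample, then S from the mode and the user's Xu."""
        p = predicted_pitch(th0d, th1d)
        if p > I_BOUND:
            self.xs = U_MIN
        elif p < -I_BOUND:
            self.xs = U_MAX
        in_I, in_U = abs(p) <= I_BOUND, abs(p) <= U_BOUND
        if self.mode == "user":
            if in_U:
                return xu
            self.mode, self.rt_steps, self.switches = "supervisor", 0, self.switches + 1
            return self.xs
        if in_I:
            self.mode = "user"
            return xu
        return self.xs

    def actuate(self, s: float) -> None:
        """Actuator: enqueue S, dequeue the command issued Ta ago as the new output u."""
        self.buffer.append(s)
        self.u = self.buffer.popleft()

    def monitor(self, th0d: float, th1d: float) -> None:
        """Runtime checks of the assertions used in the proof."""
        if not THETA_MIN <= self.th0 <= THETA_MAX:
            self.violations.append("left safe region S")
        if self.mode == "supervisor":   # last ⌈rt/Δ⌉ entries are Umin above I+, Umax below I-
            k = min(self.rt_steps, len(self.buffer))
            recent = list(self.buffer)[len(self.buffer) - k:]
            p = predicted_pitch(th0d, th1d)
            if p > I_BOUND and any(v != U_MIN for v in recent):
                self.violations.append("non-Umin command in buffer above I+")
            if p < -I_BOUND and any(v != U_MAX for v in recent):
                self.violations.append("non-Umax command in buffer below I-")


def run(user: Callable[[random.Random], float], seconds: float, seed: int = 1,
        supervised: bool = True) -> System:
    """Execution: trajectory, Sample, Useroutput(Xu), Command(S), enqueue/dequeue, repeated."""
    rng, system = random.Random(seed), System()
    for _ in range(round(seconds / DELTA)):
        system.evolve()
        th0d, th1d = system.sample(rng)
        xu = user(rng)                                   # arbitrarily bad user, Xu ∈ [Umin, Umax]
        system.actuate(system.command(th0d, th1d, xu) if supervised else xu)
        system.monitor(th0d, th1d)
    return system


if __name__ == "__main__":
    for name, user in [("always Umax", lambda rng: U_MAX), ("always Umin", lambda rng: U_MIN),
                       ("random", lambda rng: rng.uniform(U_MIN, U_MAX))]:
        out = run(user, 3.0)
        print(f"{name}: switches={out.switches} violations={sorted(set(out.violations))}")
    print("unsupervised always Umax:", sorted(set(run(lambda rng: U_MAX, 3.0, supervised=False).violations)))
```

The unsupervised run with a user that saturates at Umax leaves S within the 3 s horizon, while the supervised runs stay inside it and the buffer monitor never fires: after a switch the stale user commands still in the FIFO are applied for Ta, which is exactly the settling phase the slides separate from the recovery phase. The bounded rate of change of the sampled state per Δ is what makes the monitor sound here, matching the assumption that the state cannot cross I in Δ time.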
Conclusions
• Design of supervisory controller
– Controller has been implemented [Ishutkina].
• Specification Language
• Demonstration of HIOA framework
– Specification
• Compositional
• Nondeterminism models uncertainties in devices or user inputs.
– Purely assertional proofs
• Discrete and continuous parts
• CS and Control Theory techniques
• Current/Future Work
– Performance guarantees for mobile computing algorithms
– Theorem prover support
Thank You. Questions?
Current/Future Work
• Incorporate control theory methods:
– Invariant sets, stability analysis using Lyapunov functions, robust control methods.
• More examples:
– Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems.
• Develop analysis tools for HIOA programs:
– Theorem-provers, automated tools
– As extension to IOA toolset