HSCC 03, MIT LCS

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata
Sayan Mitra, MIT
Hybrid Systems: Computation and Control, Prague, Czech Republic, 2003
Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron
Verification Techniques
• Algorithmic
  – Model checking, e.g. [Alur, et al. 95]
    • Automatic: HyTech
    • Essentially for finite-state systems, a subclass of linear hybrid systems
  – Over-approximating the set of unsafe states [Bayen, et al. 02]
• Deductive
  – Invariant assertions, simulation relations, e.g. [Manna, Sipma 98]
    • Can accommodate infinite-state systems: STeP
    • Requires human effort
  – User interaction
Talk Outline
• Introduction
• Hybrid I/O Automata definitions
• Specification of Quanser
• Safety Verification
• Conclusions
The HIOA Model [Lynch, Segala, Vaandrager 01, 03]
• General, mathematical modeling framework.
  – States, discrete transitions
  – Trajectories: maps from left-closed intervals of time to variable values
• Support for decomposing hybrid system descriptions:
  – External behavior: models interaction of a component with its environment.
  – Composition: synchronizes external actions and external "flows"; respects external behavior.
  – Levels of abstraction: implementation notion
• Can incorporate analysis methods from:
  – CS: invariants, simulation relations, compositional methods.
  – Control theory: invariant sets, stability analysis, robust control.
Hybrid I/O Automaton
• V = U ∪ Y ∪ X: input, output, and internal (state) variables
• Q: states, a set of valuations of X
• Start states: a subset of Q
• A = I ∪ O ∪ H: input, output, and internal actions
• D ⊆ Q × A × Q: discrete transitions
• T: trajectories for V.
(Figure: variable classes X, U, Y and action classes I, O, H)
Trajectory Axioms and Executions
• The set T of trajectories is closed under:
  – Prefix
  – Suffix
  – Countable concatenation
• fstate, lstate
• Execution fragment: τ0 a1 τ1 a2 τ2 …, where:
  • each τi is a trajectory of the automaton, and
  • each (τi.lstate, ai, τi+1.fstate) is a discrete step.
• Execution:
  – An execution fragment beginning in a start state.
Model Helicopter System
• Manufactured by Quanser
• User controllers are not necessarily safe; they can crash the helicopter on the table.
• A supervisory pitch controller is needed to ensure safety.
  – Safe operating region
  – Saturated actuator outputs: Umin or Umax
• Must contend with
  – Sensor errors
  – Actuator delay
Helicopter System
(Figure: component diagram. UserCntrl (Xu) sends Useroutput(Xu) to Supervisor (mode, Xs, S, rt); Supervisor sends commands to Actuator (buffer, u), which drives Plant (θ0, θ1, U); Sensor (now, next) samples θ0, θ1 from the Plant and feeds UserCntrl and Supervisor; dequeue is the Actuator's internal action.)
Plant
Variables:
  θ0: pitch angle
  θ1: pitch velocity
Trajectories:
  evolve: d(θ0) = θ1
          d(θ1) = −Ω² cos θ0 + U
Input bounds: Umin, Umax
Safe Region: S = { s | θmin ≤ s.θ0 ≤ θmax }
(Figure: Plant component with input U and outputs θ0, θ1)
Sensor
Discrete transition: Sample(θ0d, θ1d)
  precondition: now = next
    and θ0d ∈ [θ0 − ε0, θ0 + ε0]      } nondeterministic choice
    and θ1d ∈ [θ1 − ε1, θ1 + ε1]      }
  effect: next = next + Δ
Trajectories:
  evolve: d(now) = 1
  stopping condition: now = next
(Figure: Sensor component with inputs θ0, θ1, variables now, next, and output action Sample(θ0d, θ1d))
User Controller
• Arbitrarily bad user
• On receiving Sample,
  – Useroutput(Xu)
  – Nondeterministic choice, Xu ∈ [Umin, Umax]
Actuator
• Actuator delay Ta
  – modeled as a FIFO queue of Supervisor (User) outputs
  – buffer: length [Ta/Δ]
• Enqueue S received from supervisor
• Dequeue u from buffer head,
  – u changes discretely
  – made into piecewise-continuous output U
Modeling Actuator Delay
• Currently modeled as a single discrete jump from Umin to Umax after time Ta.
• Alternatively
  – Approximate the exponential rise by adding k intermediate values in the buffer, for every command from the supervisor.
    • Output from the buffer will then change every Δ/k time.
  – Model as a continuous function
(Figure: actuator response over time, step from Umin to Umax after Ta)
Safe Operating Region
(Figure: regions I, S, C, R, U in the θ0–θ1 plane, bounded by θmin and θmax)
Assumption: cannot cross I in Δ time.
Supervisor
• On receiving sample, computes Xs
  • If s is above I+ then Xs = Umin
  • If s is below I− then Xs = Umax
• On receiving useroutput(Xu), computes S
  – If mode = user then
    • If s is in U then S = Xu
    • Else mode = supervisor; S = Xs
  – If mode = supervisor then
    • If s is in I then S = Xu; mode = user
    • Else S = Xs
(Figure: Supervisor component with variables mode, Xs, S, rt; input actions Sample and Userout(Xu); output action Command(S))
Safety Verification
• Assertional proofs
  – Reasoning based on the current state of the system
• Finding the invariants is challenging
  – Strengthen the statement
• Proofs are easy: to prove an invariant I,
  – Base case: I holds in the start states
  – Discrete part: for each (s, a, s') ∈ D, show I(s) implies I(s')
  – Continuous part: for each closed τ ∈ T, show I(fstate(τ)) implies I(lstate(τ))
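The following is an added example, not code from the talk or from the Quanser controller: a bounded simulation of the composed automaton Plant ‖ Sensor ‖ UserCntrl ‖ Supervisor ‖ Actuator described on the preceding slides, with the supervisor's mode logic transcribed from the Supervisor slide, and a check of the safety property θmin ≤ θ0 ≤ θmax over adversarial user controllers. Everything numeric is constructed (Δ, Ta, Ω², Umin/Umax, sensor error bounds, θmax). Two things are assumptions of this example rather than the talk's construction: the regions I and U are defined on the stopping position p = θ0 + sign(θ1)·θ1²/(2·A_BRAKE), where A_BRAKE is the smallest braking deceleration the saturated actuator can guarantee, so that "above I+" / "below I−" are phase-space tests; and nondeterministic choices (sensor error, user output) are resolved by a seeded random generator. A simulation of this kind only explores sampled executions; it is a sanity check on the design, not the assertional proof the slides describe.

```python
"""Bounded simulation of the supervised model-helicopter HIOA (added example;
constants and region definitions are constructed, not the talk's values)."""
import math
import random
from collections import deque
from dataclasses import dataclass

DELTA = 0.005             # sensor sampling period
T_A = 0.010               # actuator delay -> FIFO buffer length T_A / DELTA = 2
OMEGA2 = 0.2              # Omega^2 in d(theta1) = -Omega^2 cos(theta0) + U
U_MIN, U_MAX = -3.0, 3.0  # saturated actuator outputs
EPS0, EPS1 = 0.005, 0.01  # sensor error bounds on theta0 / theta1
THETA_MAX = 0.6           # safe region S: |theta0| <= THETA_MAX (theta_min = -THETA_MAX)
A_BRAKE = U_MAX - OMEGA2  # smallest deceleration the actuator can guarantee
I_BOUND, U_BOUND = 0.2, 0.4  # assumption: region I is |p| <= I_BOUND, region U is |p| <= U_BOUND


def stop_position(th0, th1):
    """Where the pitch would come to rest if braking at A_BRAKE started now."""
    return th0 + math.copysign(th1 * th1 / (2 * A_BRAKE), th1)


@dataclass
class Plant:
    theta0: float = 0.0
    theta1: float = 0.0

    def evolve(self, u, duration, substeps=5):
        """Trajectory of length `duration` under constant input u (forward Euler)."""
        dt = duration / substeps
        for _ in range(substeps):
            self.theta0 += self.theta1 * dt
            self.theta1 += (-OMEGA2 * math.cos(self.theta0) + u) * dt


class Sensor:
    def __init__(self, rng):
        self.rng = rng

    def sample(self, plant):
        # nondeterministic choice within the error bounds, resolved randomly here
        return (plant.theta0 + self.rng.uniform(-EPS0, EPS0),
                plant.theta1 + self.rng.uniform(-EPS1, EPS1))


class Actuator:
    """FIFO buffer of length T_A / DELTA: a command takes effect T_A later."""
    def __init__(self):
        self.buffer = deque([0.0] * round(T_A / DELTA))

    def step(self, s):
        self.buffer.append(s)          # enqueue S received from the supervisor
        return self.buffer.popleft()   # dequeue u from the buffer head


class Supervisor:
    def __init__(self):
        self.mode, self.xs, self.p, self.interventions = "user", 0.0, 0.0, 0

    def on_sample(self, th0d, th1d):
        self.p = stop_position(th0d, th1d)
        if self.p > I_BOUND:        # above I+
            self.xs = U_MIN
        elif self.p < -I_BOUND:     # below I-
            self.xs = U_MAX

    def on_useroutput(self, xu):
        if self.mode == "user":
            if abs(self.p) <= U_BOUND:     # s in U: pass the user's command
                return xu
            self.mode = "supervisor"       # else take over
            self.interventions += 1
            return self.xs
        if abs(self.p) <= I_BOUND:         # back in I: hand control to the user
            self.mode = "user"
            return xu
        return self.xs


def run(user, horizon=4.0, supervised=True, seed=1):
    """Simulate from rest; return (max |theta0| seen, number of supervisor take-overs)."""
    rng = random.Random(seed)
    plant, sensor, act, sup = Plant(), Sensor(rng), Actuator(), Supervisor()
    worst = 0.0
    for _ in range(round(horizon / DELTA)):
        th0d, th1d = sensor.sample(plant)          # Sample(theta0d, theta1d)
        sup.on_sample(th0d, th1d)                  # supervisor computes Xs
        xu = user(th0d, th1d, rng)                 # Useroutput(Xu)
        s = sup.on_useroutput(xu) if supervised else xu
        plant.evolve(act.step(s), DELTA)           # delayed command drives the plant
        worst = max(worst, abs(plant.theta0))
    return worst, sup.interventions


def is_safe(worst_theta0):
    return worst_theta0 <= THETA_MAX


# adversarial user controllers (constructed)
push_down = lambda th0, th1, rng: U_MIN                        # always full down
pump = lambda th0, th1, rng: U_MAX if th1 >= 0 else U_MIN      # push along the motion
noisy = lambda th0, th1, rng: rng.uniform(U_MIN, U_MAX)        # arbitrary choice

if __name__ == "__main__":
    for name, u in [("push_down", push_down), ("pump", pump), ("noisy", noisy)]:
        print(name, run(u), run(u, supervised=False))
```

Two details matter for the safety margin and are worth reading off the code: a command issued after a sample takes effect only after the next two dequeues, so a region crossing just after a sample is acted on up to Δ + Ta = 3Δ later (the "stale user commands" in the buffer), and the supervisor sees the sampled values, not the true state, so the region tests are off by up to ε0 + |θ1|·ε1/A_BRAKE. The gap between U_BOUND and THETA_MAX absorbs both effects; shrinking it, or raising Ta, is a quick way to see the bounded check start failing while the unsupervised run fails for any of the three users.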
Key Lemmas
• All trajectories are closed
• For any trajectory τ ∈ T, ltime(τ) − ftime(τ) ≤ Δ.
User mode
(Figure: θ0–θ1 plane with regions I, S, C and nested sets A0, A1, A2, …, AΔ; labels R, U)
A0 = R
For 0 ≤ t ≤ t' ≤ Δ, A_t' ⊆ A_t
User mode: Safety
• Any reachable state in the user mode is within R.
• Proof:
  – Discrete part is easy
  – For any closed trajectory τ ∈ T, if fstate(τ) ∈ A_t then lstate(τ) ∈ A_(t − ltime(τ)).
Executions in User and Supervisor modes
(Figure: a sample execution through the regions, with annotations:)
– Cannot go outside R from U, in the user mode.
– Buffer flushed, Supervisor mode kicks in. Returns to I and mode switches back to user.
– Mode switches to supervisor, but the buffer contains stale user commands.
Supervisor mode
Correct input to plant
• If s is above I+ then the last [rt/Δ] entries in the buffer are Umin
  – rt: stopwatch for supervisor mode
• Similarly, if s is below I− then … Umax
Settling phase (rt ≤ Ta)
• Any reachable state is within C
  – All trajectories starting from within R remain within C
  – Proof similar to User mode
Recovery phase (rt > Ta)
• Any reachable state is within C
  – Proof: at any point on the boundary of C, the vector field points inwards
Conclusions
• Design of supervisory controller
  – Controller has been implemented [Ishutkina].
• Specification language
• Demonstration of the HIOA framework
  – Specification
    • Compositional
    • Nondeterminism models uncertainties in devices or user inputs.
  – Purely assertional proofs
    • Discrete and continuous parts
    • CS and control theory techniques
• Current/Future Work
  – Performance guarantees for mobile computing algorithms
  – Theorem prover support
Thank You.
Questions?
Current/Future Work
• Incorporate control theory methods:
  – Invariant sets, stability analysis using Lyapunov functions, robust control methods.
• More examples:
  – Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems.
• Develop analysis tools for HIOA programs:
  – Theorem provers, automated tools
  – As an extension to the IOA toolset