Slide deck uploaded by bouncerarchery (AI and Robotics), Nov 14, 2013.
HSCC 03 | MIT LCS

Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata

Sayan Mitra, MIT

Hybrid Systems: Computation and Control, Prague, Czech Republic, 2003

Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron


Verification Techniques

- Algorithmic
  - Model checking, e.g. [Alur, et al. 95]
    - Automatic: HyTech
    - Essentially for finite-state systems, a subclass of linear hybrid systems
  - Over-approximating the set of unsafe states [Bayen, et al. 02]
- Deductive
  - Invariant assertions, simulation relations, e.g. [Manna, Sipma 98]
    - Can accommodate infinite-state systems: STeP
    - Requires human effort
    - User interaction


Talk Outline

- Introduction
- Hybrid I/O Automata definitions
- Specification of Quanser
- Safety Verification
- Conclusions


The HIOA Model [Lynch, Segala, Vaandrager 01, 03]

- General, mathematical modeling framework.
  - States, discrete transitions
  - Trajectories: maps from left-closed intervals of time to variable values
- Support for decomposing hybrid system descriptions:
  - External behavior: models the interaction of a component with its environment.
  - Composition: synchronizes external actions and external "flows"; respects external behavior.
  - Levels of abstraction: implementation notion
- Can incorporate analysis methods from:
  - CS: invariants, simulation relations, compositional methods.
  - Control theory: invariant sets, stability analysis, robust control.


Hybrid I/O Automaton

- V = U ∪ Y ∪ X: input, output, and internal (state) variables
- Q: states, a set of valuations of X
- Start states, a subset of Q
- A = I ∪ O ∪ H: input, output, and internal actions
- D ⊆ Q × A × Q: discrete transitions
- T: trajectories for V.

(Figure: one component with internal variables X, input variables U, output variables Y, input actions I, output actions O and internal actions H.)


Trajectory Axioms and Executions

- The set T of trajectories is closed under:
  - Prefix
  - Suffix
  - Countable concatenation
- fstate, lstate
- Execution fragment: τ₀ a₁ τ₁ a₂ τ₂ …, where:
  - each τᵢ is a trajectory of the automaton, and
  - each (τᵢ.lstate, aᵢ, τᵢ₊₁.fstate) is a discrete step.
- Execution: an execution fragment beginning in a start state.


Model Helicopter System

- Manufactured by Quanser
- User controllers are not necessarily safe; they can crash the helicopter on the table.
- A supervisory pitch controller is needed to ensure safety.
  - Safe operating region
  - Saturated actuator outputs: Umin or Umax
- Must contend with
  - Sensor errors
  - Actuator delay


Helicopter System

(Figure: block diagram of the composed automata. UserCntrl, with variable Xu, sends Useroutput(Xu) to the Supervisor. The Supervisor, with variables mode, Xs, S and rt, commands the Actuator. The Actuator, with variables now, next, buffer and u, dequeues commands and drives the Plant with input U. The Plant has variables θ₀, θ₁, which the Sensor samples for the controllers.)


Plant

Variables:
- θ₀: pitch angle
- θ₁: pitch velocity

Trajectories:
- evolve: d(θ₀) = θ₁
          d(θ₁) = −Ω² cos θ₀ + U

Input bounds: Umin, Umax

Safe region: S = { s | θmin ≤ s.θ₀ ≤ θmax }

(Figure: Plant component with input U and output variables θ₀, θ₁.)


Sensor

Discrete transition: Sample(θ₀d, θ₁d)
- precondition: now = next
    and θ₀d ∈ [θ₀ − ε₀, θ₀ + ε₀]
    and θ₁d ∈ [θ₁ − ε₁, θ₁ + ε₁]
- effect: next = next + Δ

Trajectories:
- evolve: d(now) = 1
- stopping condition: now = next

(Figure: Sensor component with input variables θ₀, θ₁, internal variables now, next and output action Sample(θ₀d, θ₁d); the sampled values are a nondeterministic choice within the error bounds.)


User Controller

- Arbitrarily bad user
- On receiving Sample, outputs Useroutput(Xu)
- Nondeterministic choice, Xu ∈ [Umin, Umax]


Actuator

- Actuator delay Ta modeled as a FIFO queue of Supervisor (User) outputs
  - buffer: length [Ta/Δ]
  - Enqueue S received from the supervisor
  - Dequeue u from the buffer head; u changes discretely
- Made into a piecewise-continuous output U


Modeling Actuator Delay

- Currently modeled as a single discrete jump from Umin to Umax after time Ta.
- Alternatively:
  - Approximate the exponential rise by adding k intermediate values in the buffer for every command from the supervisor. The output from the buffer then changes every Δ/k time.
  - Model it as a continuous function.

(Figure: actuator output over time, rising from Umin to Umax after the delay Ta.)


Safe Operating Region

(Figure: the regions I, U, R, C and the safe region S drawn in the (θ₀, θ₁) plane between θmin and θmax.)

Assumption: cannot cross I in Δ time.


Supervisor

- On receiving Sample, computes Xs:
  - If s is above I⁺ then Xs = Umin
  - If s is below I⁻ then Xs = Umax
- On receiving Useroutput(Xu), computes S:
  - If mode = user then
    - If s is in U then S = Xu
    - Else mode = supervisor; S = Xs
  - If mode = supervisor then
    - If s is in I then S = Xu; mode = user
    - Else S = Xs

(Figure: Supervisor component with variables mode, Xs, S, rt; input actions Sample and Userout(Xu); output action Command(S).)


Safety Verification

- Assertional proofs
  - Reasoning based on the current state of the system
  - Finding the invariants is challenging
  - Strengthen the statement
- Proofs are easy; to prove an invariant I:
  - Base case: the start states satisfy I
  - Discrete part: for each (s, a, s′) ∈ D, show I(s) implies I(s′)
  - Continuous part: for each closed τ ∈ T, show I(fstate(τ)) implies I(lstate(τ))


Key Lemmas

- All trajectories are closed.
- For any trajectory τ ∈ T, ltime(τ) − ftime(τ) ≤ Δ.



User mode

(Figure: the regions I, S, C with the nested sets A₀ = R, A₁, A₂, …, A_Δ and U drawn in the (θ₀, θ₁) plane.)

A₀ = R. For 0 ≤ t ≤ t′ ≤ Δ, A_t′ ⊆ A_t.


User mode

Safety: any reachable state in the user mode is within R.

Proof:
- The discrete part is easy.
- For any closed trajectory τ ∈ T, if fstate(τ) ∈ A_t then lstate(τ) ∈ A_{t − ltime(τ)}.
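Added example, not from the talk: a Python version of the continuous part of the user-mode argument above, with A_t built as the set of states that cannot leave R within time t under the worst-case acceleration bound of the plant equations d(θ₀) = θ₁, d(θ₁) = −Ω² cos θ₀ + U. The values of Ω, the saturation bound, Δ and the box shape of R are assumptions, and the trajectory is integrated numerically rather than derived.

```python
import math

# Constructed parameters (not from the talk): plant constant Ω, saturation |U| ≤ U_SAT,
# sampling period Δ, and a box-shaped R = {|θ₀| ≤ R0, |θ₁| ≤ R1} in the (θ₀, θ₁) plane.
OMEGA, U_SAT, DELTA = 2.0, 1.0, 0.01
R0, R1 = 0.40, 1.00
ACC = OMEGA ** 2 + U_SAT      # |d(θ₁)| = |-Ω² cos θ₀ + U| ≤ ACC for any admissible U

def in_R(theta0, theta1):
    return abs(theta0) <= R0 and abs(theta1) <= R1

def in_A(theta0, theta1, t):
    # A_t: states that cannot leave R within time t under any admissible input, from
    # the worst-case bounds |θ₁(t)| ≤ |θ₁| + ACC·t and |θ₀(t)| ≤ |θ₀| + |θ₁|·t + ACC·t²/2.
    # By construction A_0 = R and A_t' ⊆ A_t for t ≤ t'.
    return (abs(theta0) + abs(theta1) * t + ACC * t * t / 2 <= R0
            and abs(theta1) + ACC * t <= R1)

def trajectory(theta0, theta1, duration, u_of_state, h=1e-4):
    # Closed trajectory of the plant (Euler steps of size h) with input U chosen by
    # u_of_state and saturated to ±U_SAT; returns lstate(τ).
    for _ in range(round(duration / h)):
        u = max(-U_SAT, min(U_SAT, u_of_state(theta0, theta1)))
        theta0, theta1 = theta0 + h * theta1, theta1 + h * (-OMEGA ** 2 * math.cos(theta0) + u)
    return theta0, theta1

def adversarial_u(theta0, theta1):
    # Input that keeps pushing the pitch velocity in its current direction.
    return U_SAT if theta1 >= 0 else -U_SAT

def continuous_step_holds(theta0, theta1, t, u_of_state=adversarial_u):
    # Continuous part of the inductive proof for one trajectory of length t ≤ Δ:
    # fstate(τ) ∈ A_t must give lstate(τ) ∈ A_{t − t} = A_0 = R. Returns None when the
    # hypothesis fstate(τ) ∈ A_t fails (nothing to show), else whether lstate(τ) ∈ R.
    if not in_A(theta0, theta1, t):
        return None
    return in_R(*trajectory(theta0, theta1, t, u_of_state))
```

A state such as (0.40, 0.94) lies in R but outside A_Δ, and the adversarial input does drive it out of R within one period, which is why the user region U must sit inside A_Δ for the "cannot go outside R from U" claim.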


Executions in User and Supervisor modes

(Figure: sketches of executions in the (θ₀, θ₁) plane, labelled as follows.)
- Cannot go outside R from U in the user mode.
- Buffer flushed, Supervisor mode kicks in. Returns to I and mode switches back to user.
- Mode switches to supervisor, but the buffer contains stale user commands.


Supervisor mode

Correct input to plant
- If s is above I⁺ then the last [rt/Δ] entries in the buffer are Umin
  - rt: stopwatch for supervisor mode
- Similarly, if s is below I⁻ then … Umax

Settling phase (rt ≤ Ta)
- Any reachable state is within C
- All trajectories starting from within R remain within C
- Proof similar to user mode

Recovery phase (rt > Ta)
- Any reachable state is within C
- Proof: at any point on the boundary of C, the vector field points inwards
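Added example (not the talk's code or the controller implementation): a Python sketch of the Supervisor's Sample and Useroutput transitions together with the Actuator's FIFO delay buffer from the preceding slides, driven by a constructed sequence of sampled pitch angles and a user who always commands Umax. The region bounds, Δ, Ta and the treatment of I and U as symmetric bands on θ₀ alone are assumed for illustration; the trace shows the stale user commands still reaching the plant after the mode switch and checks the buffer lemma above.

```python
from collections import deque

# Constructed parameters (not from the talk): regions I ⊂ U taken as symmetric bands on
# the sampled pitch angle only, saturated outputs Umin/Umax, period Δ and delay Ta.
I_BOUND, U_BOUND = 0.20, 0.30          # I = [-0.20, 0.20], U = [-0.30, 0.30]
U_MIN, U_MAX = -1.0, 1.0
DELTA, T_A = 0.01, 0.05                # buffer length Ta/Δ = 5 commands

class Supervisor:
    # Discrete transitions of the Supervisor automaton: Sample and Useroutput.
    def __init__(self):
        self.mode, self.x_s, self.s, self.rt, self.theta0_d = "user", 0.0, 0.0, 0.0, 0.0
    def sample(self, theta0_d):
        # On Sample: remember the reading and compute Xs from it.
        self.theta0_d = theta0_d
        if theta0_d > I_BOUND:    self.x_s = U_MIN   # s above I+
        elif theta0_d < -I_BOUND: self.x_s = U_MAX   # s below I-
    def useroutput(self, x_u):
        # On Useroutput(Xu): choose S, switch mode, and run the stopwatch rt.
        if self.mode == "user":
            if abs(self.theta0_d) <= U_BOUND: self.s = x_u          # s in U
            else: self.mode, self.rt, self.s = "supervisor", 0.0, self.x_s
        elif abs(self.theta0_d) <= I_BOUND: self.mode, self.s = "user", x_u   # s in I
        else: self.s = self.x_s
        if self.mode == "supervisor": self.rt += DELTA
        return self.s

class Actuator:
    # Delay Ta as a FIFO buffer of Ta/Δ commands; the dequeued head is the plant input U.
    def __init__(self, initial=0.0):
        n = round(T_A / DELTA)
        self.buffer = deque([initial] * n, maxlen=n)
    def command(self, s):
        u = self.buffer[0]         # dequeue u ...
        self.buffer.append(s)      # ... and enqueue S (maxlen drops the head)
        return u

def run(samples, user_cmds):
    # One Sample / Useroutput / Command round per period; returns (mode, S, U, lemma).
    sup, act, trace = Supervisor(), Actuator(), []
    for theta0_d, x_u in zip(samples, user_cmds):
        sup.sample(theta0_d)
        s = sup.useroutput(x_u)
        u = act.command(s)
        # Lemma from the talk: in supervisor mode the last rt/Δ buffer entries are Umin
        # (above I+) or Umax (below I-); the older entries may be stale user commands.
        k = min(round(sup.rt / DELTA), len(act.buffer)) if sup.mode == "supervisor" else 0
        want = U_MIN if theta0_d > I_BOUND else U_MAX
        trace.append((sup.mode, s, u, all(v == want for v in list(act.buffer)[-k:]) if k else True))
    return trace
```

With the constructed samples 0.0, 0.1, 0.25, 0.32, 0.28, 0.22, 0.15, 0.10 the supervisor takes over at the fourth sample and hands back at the seventh, while the plant keeps receiving the user's Umax for five more periods.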


Conclusions

- Design of a supervisory controller
  - The controller has been implemented [Ishutkina].
- Specification language
  - Demonstration of the HIOA framework
  - Specification
    - Compositional
    - Nondeterminism models uncertainties in devices or user inputs.
  - Purely assertional proofs
    - Discrete and continuous parts
    - CS and control theory techniques
- Current/Future Work
  - Performance guarantees for mobile computing algorithms
  - Theorem prover support



Thank You.

Questions?


Current/Future Work

- Incorporate control theory methods:
  - Invariant sets, stability analysis using Lyapunov functions, robust control methods.
- More examples:
  - Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems.
- Develop analysis tools for HIOA programs:
  - Theorem provers, automated tools
  - As an extension to the IOA toolset