Slide 1: Model Checker In-The-Loop
Flavio Lerda, Edmund M. Clarke (Computer Science Department); Jim Kapinski, Bruce H. Krogh (Electrical & Computer Engineering)
MURI Review Meeting: Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems
Berkeley, CA, September 6, 2007
Slide 2: Motivation
- Designing control software is difficult:
  - Designing software is difficult
  - Interaction between the software and the plant
- Simulation is not always sufficient:
  - It is difficult to model the software accurately (concurrent tasks, user inputs)
  - It covers only some specific cases
Slide 3: Accomplishments
- A tool that combines a software model checker with continuous-time plant models:
  - The model checker uses simulation traces produced by MATLAB/Simulink
  - The control code reacts to the plant at fixed sample times
  - Simulation is used to determine the behavior of the plant between sampling instants
Slide 4: Accomplishments
- More than simple simulation:
  - Uses a model checker to search efficiently for counterexamples
  - Non-deterministic model, able to handle concurrency
  - Models the software in detail
  - Able to evaluate concurrency issues more efficiently than simulation
Slide 5: Accomplishments
- Analyzed the Simulink model of the STARMAC quadrotor from the Stanford group:
  - Designed a concurrent supervisory controller
  - Detected a bug in our controller, due to the interleaving of concurrent tasks
Slide 6: System Model
- The controller: discrete time, Stateflow diagrams, interleaving semantics
- The plant: continuous time, Simulink model
Slide 7: Systematic Simulation
- Simulation traces are not independent: they share common prefixes
- Explore a tree of simulations
- The model checker generates the traces
- The exploration can be done efficiently
[Figure: standard simulation (independent traces) versus systematic simulation (a tree of traces)]
Slide 8: Trace Generation
- Finite set of initial states
- States are composed of both the controller state and the plant state
- Discrete transitions correspond to the controller
- Continuous transitions correspond to the plant; their duration is determined by the period of the tasks
- Traces are generated by alternating the two kinds of transitions
[Figure: initial state followed by alternating discrete and continuous transitions]
Slide 9: Approximate Equivalence
- Some simulation traces are similar: they reach a state near a previous simulation state
- We expect the evolution to be similar to the previous trace
- Similarity means the same controller state and proximity of the plant state
Slide 10: Approximate Equivalence
- Some simulation traces are similar: they reach a state near a previous simulation state
- We expect the evolution to be similar to the previous trace
- Heuristic approach: ignore traces that lead close to a previously visited point
Slide 11: Approximate Equivalence
- Non-conservative: the ignored trace may lead to new behavior
- A useful heuristic for efficiently searching for counterexamples [1]
- Dynamically choose a subset of simulations to perform, based on proximity
[1] J. Kapinski, O. Maler, O. Stursberg, and B. H. Krogh. On Systematic Simulation of Open Continuous Systems.
Slide 12: STARMAC Example
- Supervisory controller constructed for the STARMAC: it flies the vehicle through a given sequence of waypoints
- Safety property: the altitude is never lower than the minimum safe altitude (1 meter) unless the vehicle is taking off or landing
- Modeled in Stateflow, but we assume the implementation uses interleaving semantics
Slide 13: Controller Tasks
- Waypoint Tracking task: checks the proximity to a waypoint, picks the next waypoint from a list, and generates the next command
- Waypoint Monitoring task: checks whether the altitude of the next waypoint is less than 1.1 meters; if so, it fixes the altitude command to 1.1 meters, unless it is the first or last waypoint
- ADC task: samples the state of the environment
- Command Latch task: maintains the command until the next waypoint is issued
Slide 14: STARMAC Example
[Figure: the four controller tasks: Waypoint Tracking, Waypoint Monitoring, ADC, Command Latch]
Slide 15: Systematic Simulation
- The controller is given the list of waypoints in the table below; one waypoint is below the minimum safe altitude
- The model checker generates a large number of traces: they represent different possible executions and correspond to the different interleavings of the tasks
Waypoints:
  WP1: z = 0
  WP2: z = 1.2
  WP3: z = 1.5
  WP4: z = 0.5
  WP5: z = 1.5
  WP6: z = 0
Slide 16: Systematic Simulation
- I will show only two traces:
  - The first trace satisfies the property: the STARMAC takes off, goes through the waypoints, and lands safely
  - In the second one, the vehicle goes below the minimum safe altitude; the error is due to the particular interleaving of tasks
Slide 17: Successful trace (waypoints as on slide 15: WP1 z = 0, WP2 z = 1.2, WP3 z = 1.5, WP4 z = 0.5, WP5 z = 1.5, WP6 z = 0)
- The fourth waypoint is below 1.1 meters
- The Waypoint Tracking task generates the invalid command
- The Waypoint Monitor task corrects the value
- The UAV remains above the minimum altitude and lands safely
Slide 18: Counterexample (same waypoints as on slide 15)
- A different interleaving is possible at time t = 7.5
- The Waypoint Monitor task executes first and sees a valid waypoint
- The Waypoint Tracking task then generates the invalid value
- The UAV receives the lower waypoint and flies below the minimum altitude
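The task race of slides 13 to 18 and the approximate-equivalence pruning of slides 9 to 11, as an added example in Python (not the authors' tool or the Stateflow model). It assumes a one-dimensional altitude plant that moves at most VMAX per sample period, a proximity tolerance TOL, and that the Tracking task compares the sampled altitude with the current command; the waypoints and the 1 m and 1.1 m thresholds are the ones on the slides. With every interleaving explored, the search returns the Monitor-before-Tracking trace of slide 18; with a single fixed order it is plain simulation and finds nothing.

```python
import itertools
from collections import deque

WAYPOINTS = [0.0, 1.2, 1.5, 0.5, 1.5, 0.0]  # z of WP1..WP6 (m) from slide 15
MIN_SAFE = 1.0  # property: altitude >= 1 m except while taking off or landing
MIN_CMD = 1.1   # Waypoint Monitoring raises altitude commands below this
VMAX = 0.6      # assumed: max vertical travel of the plant per sample period
TOL = 0.05      # assumed: proximity tolerance for "waypoint reached"
LAST = len(WAYPOINTS) - 1

def tracking(idx, cmd, alt):
    """Waypoint Tracking task: once near the commanded altitude, issue next WP."""
    if idx < LAST and abs(alt - cmd) <= TOL:
        idx, cmd = idx + 1, WAYPOINTS[idx + 1]  # may be unsafe (WP4: z = 0.5)
    return idx, cmd

def monitor(idx, cmd, alt):
    """Waypoint Monitoring task: raise low commands, except first/last WP."""
    return idx, (MIN_CMD if 0 < idx < LAST and cmd < MIN_CMD else cmd)

def plant(cmd, alt):
    """Continuous transition over one period: move toward the latched command."""
    return alt + max(-VMAX, min(VMAX, cmd - alt))

def exempt(idx):
    return idx <= 1 or idx == LAST  # taking off (to WP2) or landing (to WP6)

def explore(orders=None, horizon=30, prune_eps=None):
    """Search the tree of simulations; returns (trace, state) of the first
    violation, or None. orders = task interleavings tried at each period
    (default: all; a single order is plain simulation). prune_eps > 0 enables
    the approximate-equivalence heuristic (non-conservative, see slide 11)."""
    orders = orders or list(itertools.permutations((tracking, monitor)))
    queue, visited = deque([((0, WAYPOINTS[0], 0.0), [])]), set()
    while queue:
        (idx, cmd, alt), trace = queue.popleft()
        if not exempt(idx) and alt < MIN_SAFE:
            return trace, (idx, cmd, alt)
        if len(trace) == horizon:
            continue
        for order in orders:
            i, c = idx, cmd
            for task in order:           # discrete transitions; alt is the ADC sample
                i, c = task(i, c, alt)
            nxt = (i, c, plant(c, alt))  # continuous transition on the latched command
            key = (i, c, round(nxt[2] / prune_eps) if prune_eps else nxt[2])
            if key not in visited:       # same controller state, (near-)same plant state
                visited.add(key)
                queue.append((nxt, trace + [tuple(t.__name__ for t in order)]))
    return None
```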
Slide 19: Conservative Approach
- Approximate equivalence is a heuristic: it compares the proximity of states at the current time, not of the future evolutions originating from those states
- Instead, determine a set around each simulation state that is guaranteed to be safe
- Special case: affine dynamics, bounded time
Slide 20: Safe Ellipsoidal Set
- For stable affine systems we can determine a Lyapunov function, whose level sets are ellipsoids
- Given a trajectory from x_0 to x_1, consider a point y_0 within a level set of the Lyapunov function centered at x_0
- The trajectory starting at y_0 ends at a point y_1 within the corresponding level set centered at x_1
- We can use the Lyapunov function to determine safe sets of states
- Operations on ellipsoids are efficient
[Figure: trajectories x_0 -> x_1 and y_0 -> y_1 with the level-set ellipsoids around x_0 and x_1]
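Why the level set around x_0 carries over to x_1, as an added derivation that is not on the slides. It assumes the affine plant $\dot{x} = Ax + b$ with $A$ Hurwitz, and $P$ the solution of the Lyapunov equation for some $Q \succ 0$:

$$A^{\top}P + PA = -Q, \qquad V(e) = e^{\top}Pe .$$

Let $x(t)$ and $y(t)$ be two trajectories of the same system under the same input, and $e(t) = y(t) - x(t)$. The affine term $b$ cancels in the difference, so $e$ obeys the linear dynamics $\dot{e} = Ae$ and

$$\frac{d}{dt}V(e) = e^{\top}\left(A^{\top}P + PA\right)e = -\,e^{\top}Qe \le 0 .$$

Hence $V(y_0 - x_0) \le c$ implies $V(y_1 - x_1) \le c$: every point of the ellipsoid $\{y : (y - x_0)^{\top}P(y - x_0) \le c\}$ around $x_0$ is carried into the ellipsoid of the same level $c$ around $x_1$, which is the invariance the slide relies on, and it holds for any bounded horizon. The cancellation needs both trajectories to see the same input, so a switch such as the two vertical-velocity values of slide 21 must be handled per input value.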
Slide 21: Illustrative Example
- Consider a UAV flying from an initial location to a waypoint
- The flight path must avoid an unsafe region given by a minimum altitude
- There is an external input to the system, the maximum vertical velocity, with two possible values V_1 and V_2
Slide 22
[Figure: altitude versus negative vertical velocity; trajectories for V_1 and V_2 from the initial state to the waypoint, with the minimum altitude marked]
Slide 23: Conclusion
- How to use a software model checker for systematic simulation
- Matlab/Simulink for the plant, a model checker for the code automatically generated from Stateflow
- A heuristic for ignoring traces that are similar
- Currently working on a conservative approach for affine systems
Slide 24: Future Work
- Develop the conservative approach
- Integrate with Vanderbilt's code generator
- Extend the results to unbounded time
- Use Lyapunov functions for non-linear systems
Slide 25: Questions?