Verification of Discrete & Hybrid Powertrain Controllers

1 Verification of Discrete & Hybrid Powertrain Controllers
Bruce H. Krogh Carnegie Mellon University

2 Overview
- model checking: SMV
- verification of state charts: sf2smv
- verification of hybrid systems: CheckMate

3 Overview: model checking with SMV

4 Verification via Model Checking
Inputs: the system model and the property (specification). The MODEL CHECKER either confirms that the property is TRUE or generates a counterexample.

5 Model Checking vs. Simulation
In one run, a model checker investigates every possible behavior of the system for the given set of initial conditions and input signals ... a simulator generates only one trajectory for a particular initial condition and input signal.

6 Where does Verification fit in the Powertrain Control Feature Design Cycle?
Design cycle stages: feature specification, executable spec. (CACSD), simulation, code generation, code, hardware in the loop, test on engine/vehicle, production.
Potential role of formal verification: model checking.
Objective: Verify feature behavior for the entire range of operating conditions.

7 Verification of Finite-State Systems
Inputs: the finite-state model and the PROPERTY TO VERIFY. The MODEL CHECKING PROGRAM reports PROPERTY IS TRUE or A COUNTEREXAMPLE.
Key point: the model checker propagates sets of states, not individual trajectories.

8 FSM Model Checkers
- key strength: exhaustive search of reachable states
- key theory: fixed-point operations for temporal logic assertions
- key technology: OBDDs (ordered binary decision diagrams)

9 SMV (symbolic model verification)
- Textual programming language
- interacting state-transition systems
- Boolean, integer, symbolic variables
- modules with multiple instantiations
- temporal logic specifications
Originally developed at Carnegie Mellon; Cadence Labs version: www-cad.eecs.berkeley.edu/~kenmcmil/smv/

10 Cadence Labs SMV Graphical Interface

11 From “Getting started with SMV” by Ken L. McMillan
“Model checking by itself is limited to fairly small designs … For large designs, the user must [use] compositional verification … These techniques include refinement verification, symmetry reduction, temporal case splitting, data type reduction, and induction.”

12 Overview: verification of state charts with sf2smv

13 Mathworks Stateflow® Charts
Statecharts = Hierarchical State Machines
- States: AND states (dashed lines), OR states (solid lines)
- Transitions: fire when the source state is active, the conditions (in brackets) are true, and the labeling events occur
- Actions: transition actions (follow / in the transition label); state actions: enter, during, exit
- Junctions: connect multiple input-output transition branches for "flowchart" logic
Example from Stateflow example: automotive\fuelsys

14 Verification of Stateflow Charts
Flow: FEATURE SPECIFICATIONS -> DESIGNER -> STATEFLOW DIAGRAM (SIMULINK) -> sf2smv (new Matlab command) -> SMV MODULES; together with the specifications to verify, SMV produces the VERIFICATION RESULTS.
M. Rausch and B. Krogh, "Symbolic Verification of Stateflow Logic," WODES 98

15 Stateflow Charts -> SMV Modules
- OR state group -> SMV module: module name = parent state name; module states = states in the OR state group; assign statements = state transitions
- AND state group -> SMV module: same as OR, except states are set/reset with the parent
- Transitions -> SMV variables: DEFINE block = state transition conditions

16 Stateflow Charts -> SMV Modules
“Verification of Stateflow Diagrams Using SMV,” CMU Tech Report, Oct. 1998

17 Sensor-Filter Example

18 Sensor-Filter Example

19 Sensor-Filter Example

20 Sensor-Filter Example

21 Sensor-Filter Example
problem: initializes with default value (10.0) although sensor_flag = 0 at t = 1.0

22 Sensor-Filter Example: Application of sf2smv
Flow: FEATURE SPECIFICATIONS -> DESIGNER -> STATEFLOW DIAGRAM (SIMULINK) -> sf2smv (new Matlab command) -> SMV MODULES; together with the specifications to verify, SMV produces the VERIFICATION RESULTS.

23 Generation of SMV Model

24 Specification for Verification
AG(input_sel=1 -> init_sel=1) if input_sel = 1 then init_sel should be 1 on the first pass (but it apparently isn’t -- so I want a trace of what happens)

25 SMV Verification Result
when trig_init occurred starting.state was not active!

26 Using the Trace for Debugging
Starting is activated after main, so it is not active when trig_init is generated on the first pass.
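The set-propagation and counterexample ideas of slides 4 to 7, applied to a toy version of the sensor-filter defect traced on slides 21 to 26, as an added example (not code from the presentation or from SMV). State names, the activation order of the top-level states and the encoding of the property as a check at the end of the first pass are assumptions of this example; the two activation orders stand for the observed behavior (starting activated after main) and an assumed fix.

```python
"""Explicit-state model checking of an AG (invariance) property.

Added example (not code from the presentation or from SMV): a minimal
model checker that propagates sets of states with a breadth-first
fixed-point over the transition relation instead of following single
trajectories, and returns a counterexample trace when the property fails.
The model is a constructed toy version of the sensor-filter chart: on the
first pass the chart activates its top-level states in a fixed order,
`main` generates trig_init when input_sel = 1, and `starting` reacts to
trig_init only if it is already active.  State names, the activation
order and the property encoding are assumptions.
"""
from collections import deque

# State tuple: (k, input_sel, starting_active, init_sel)
#   k               index of the next top-level state to activate on the first pass
#   input_sel       chart input, chosen nondeterministically at the initial state
#   starting_active whether the `starting` state has been entered yet
#   init_sel        output that should become 1 when trig_init is handled
ORDER_BUGGY = ("main", "starting")   # slide 26: starting is activated after main
ORDER_FIXED = ("starting", "main")   # assumed fix: activate starting first
FIRST_PASS_LEN = 2
INITIAL = [(0, input_sel, False, 0) for input_sel in (0, 1)]


def make_successors(order):
    """Transition relation of the toy chart for a given activation order."""
    def successors(state):
        k, input_sel, starting_active, init_sel = state
        if k >= len(order):
            return [state]                  # first pass complete: idle (self-loop)
        if order[k] == "starting":
            starting_active = True
        elif order[k] == "main" and input_sel == 1:
            # main raises trig_init; starting handles it only if already active
            if starting_active:
                init_sel = 1
        return [(k + 1, input_sel, starting_active, init_sel)]
    return successors


def reachable(initial, successors):
    """Least fixed point of the reachable state set.  Maps each state to its
    parent (None for initial states) so a counterexample path can be rebuilt."""
    parents = {s: None for s in initial}
    frontier = deque(initial)
    while frontier:
        s = frontier.popleft()
        for t in successors(s):
            if t not in parents:            # set membership test, not a new trajectory
                parents[t] = s
                frontier.append(t)
    return parents


def check_ag(initial, successors, prop):
    """AG prop: (True, None) if prop holds in every reachable state, otherwise
    (False, trace) with a shortest path from an initial state to a violation."""
    parents = reachable(initial, successors)
    for s in parents:
        if not prop(s):
            trace = []
            while s is not None:
                trace.append(s)
                s = parents[s]
            return False, trace[::-1]
    return True, None


def first_pass_ok(state):
    """AG(input_sel=1 -> init_sel=1), evaluated once the first pass is complete."""
    k, input_sel, _, init_sel = state
    return k < FIRST_PASS_LEN or input_sel != 1 or init_sel == 1


if __name__ == "__main__":
    for name, order in (("buggy", ORDER_BUGGY), ("fixed", ORDER_FIXED)):
        holds, trace = check_ag(INITIAL, make_successors(order), first_pass_ok)
        print(name, "property holds" if holds else f"counterexample: {trace}")
```

The counterexample returned for the buggy order is the trace on slide 26 in miniature: the initial state with input_sel = 1, the state after `main` has raised trig_init while `starting` is still inactive, and the end of the pass with init_sel still 0. Because the search is over sets (the `parents` dictionary), both values of input_sel are covered in one run, which is the contrast with simulation drawn on slide 5.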

27 Sensor-Filter Example
Correct filter initialization from the good sensor measurement.
For code generation, the semantics matter!

28 Overview: verification of hybrid systems with CheckMate

29 CAM Controller Example
Verification Problem: Determine whether the controller will switch only once from saturation to PID mode.

30 Continuous-Time Model

31 Switching Rule
Discrete-time rule: switch on the magnitude of the error and the sign of the filter shown on the slide.
Continuous-time rule: switch on the magnitude of the error and the sign of the filter shown on the slide (signals: state of the filter, error).

32 Finite State Analysis
1. Assign discrete states to each switch boundary and the initial condition set.
2. Determine reachability from each discrete state to the other discrete states.
3. Analyze the resulting finite state system.

33 Reachability Analysis

34 Resulting Finite-State System
Possible switch back to the saturation controller.
Verification is inconclusive since it is a conservative approximation.

35 Precise Reachability Analysis
Portion of A1 that doesn't lead to switching; portion of A1 that reaches A2 (leads to switching).

36 “Exact” Finite-State System
Switch back to the saturation controller is certain from some initial states

37 Applying Model Checking to Hybrid Systems
- interpret a hybrid system as a transition system (with an infinite state space)
- find an equivalent finite-state transition system (bisimulation)
- perform verification using the bisimulation
Can this approach be generalized to higher-order systems?

38 Hybrid System Verification via Finite-State Bisimulation
Flow: hybrid system model H -> Bisimulation Procedure -> finite-state transition system TH; together with the PROPERTY TO VERIFY, the MODEL CHECKING PROGRAM reports PROPERTY IS TRUE or A COUNTEREXAMPLE.

39 Simulink Diagram of General Hybrid System Dynamics
Diagram blocks: continuous dynamics (flow constraints F1, F2, F3 chosen by mode select, integrator 1/S with initial condition X0, producing x(t) from xdot(t)); discrete dynamics (discrete-state system with guarded transitions, discrete state m(t), discrete event e(t)); jump dynamics (jump mapping Je). Signals: cont. state, discrete state, discrete event.

40 Simulink Diagram of a Hybrid System
(Simulink diagram: mode select over flow constraints F1, F2, F3; integrator 1/S with initial condition X0 giving x(t) from xdot(t); jump mapping Je; discrete-state system with guarded transitions producing m(t) and e(t); signals cont. state, discrete state, discrete event.)

41 Continuous-State Reachable Set Mapping
Objective: Compute mappings from initial state sets to next initial state sets at the discrete-state transitions: X0(mk) -> X0(mk+1).
(Same Simulink diagram as slide 40.)

42 Hybrid System Verification Decidability Results
Hybrid Automata, classified by (flows, guards, jumps): finite slope, triangular, state-dependent assignment or initialize.
- Linear Hybrid Automata (P, P, P)
- Rectangular Automata (I^n, I^n, I^n): uninitialized; initialized is PSPACE-complete
- Multirate Automata (Z^n, I^n, I^n)
- Stopwatch Automata (2-slopes w/o reset)
- Bisim isomorphic (initialized)
- Initialized Timed Automata (1^n, I^n, {reset, continue}^n)
Courtesy of Enrique Ferreira, CMU, 1999

43 Piecewise-Trivial Hybrid Systems [1]
(Same Simulink diagram as slide 40.)
Reach_t(X0, Fk) can be represented and computed.
[1] Dang & Maler, HS'98

44 Piecewise-Trivial Hybrid Systems (PTHS)
(Diagram: discrete-state system with guarded transitions producing m(t) and e(t); continuous state X(t; X0, m) with initial condition X0; jump mapping Je; signals cont. state, discrete state, discrete event.)

45 Linear Hybrid Automata HyTech (UCBerkeley)
Fk (flow constraints), Je (jump mappings), and Gjk (guards) are convex polyhedra.
Fk are independent of x(t).
(Same Simulink diagram as slide 40.)

46 Verification of General Hybrid Systems

47 CheckMate Block Diagram
Blocks: Switched Continuous System (outputs x1, x2, x3); Polyhedral Threshold 1, 2, 3 (C*x <= d, outputs th1, th2, th3); Mux, Mux1, Mux2; Logical Operator (OR); Finite State Machine 1 and 2 (inputs c1, c2, outputs q1, q2); Continuous System 1, 2, 3.

48 Simulink Model

49 Switched Continuous System
Parameter: Switching function f
Input: Discrete condition signal u
Output: Continuous state vector x
Description: Continuous dynamics selected by discrete input signal u

50 Switched Continuous System Parameters

51 Polyhedral Threshold
Parameters: C, d
Input: Continuous state vector x
Output: Boolean signal: 1 if Cx <= d, 0 otherwise
Description: Outputs a Boolean signal indicating whether the continuous state vector x is in the polyhedron Cx <= d

52 Visualization Tool

53 Finite State Machine (Stateflow)
Inputs:
- Data: Boolean condition signals which are functions of PTHB and FSMB outputs (scalar data inputs data 1 ... data N)
- Event: transition edges of Boolean condition signals which are functions of PTHB outputs (vectorized event input)
Output: Discrete signal (integer) q indicating the active state of the FSM

54 Approximating the Continuous-State Reachable Set Mapping
Objective: Compute mappings from initial state sets to next initial state sets at the discrete-state transitions: X0(mk) -> X0(mk+1).
(Same Simulink diagram as slide 40.)

55 Approximating reachable sets
- E.K. Kornoushenko, Finite-automaton approximation to the behavior of continuous plants, Automation and Remote Control, 1975
- J. Raisch and S. O'Young, A DES approach to control of hybrid dynamical systems, Hybrid Systems III, LNCS 1066, Springer, 1996
- A. Puri, V. Borkar and P. Varaiya, ε-Approximation of differential inclusions, Hybrid Systems III, LNCS 1066, Springer, 1996
- M.R. Greenstreet, Verifying safety properties of differential equations, CAV'96
- M.R. Greenstreet and I. Mitchell, Integrating projections, HS'98
- T. Dang and O. Maler, Reachability analysis via face lifting, HS'98
- A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998
- A. Chutinan and B. H. Krogh, Verification of polyhedral-invariant hybrid systems using polygonal flow pipe approximations, HSCC99

56 Polyhedral Flow Pipe Approximations
- divide R_[0,T](X0) into [t_k, t_k+1] segments
- enclose each segment with a convex polytope
- R^M_[0,T](X0) = union of the polytopes
A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998

57 Flow Pipe Segment Approximation
Step 1. a. Simulate trajectories from each vertex of X0 (Vertices(X0) at t_k and at t_k+1). b. Take the convex hull and identify the outward normal vectors c_i.
Step 2. Solve an optimization for each d_i; the flow pipe segment is approximated by { x | c_i^T x <= d_i for all i }.

58 Flow Pipe Approximation Example 1: Van der Pol Equation
Initial set; uniform time step Δt_k = 0.5

59 Flow Pipe Approximation Example 2: Linear System
Vertices for X0; uniform time step Δt_k = 0.1

60 Flow Pipe Approximation
- Applies in arbitrary dimensions
- Approximation error doesn't grow with time
- Estimation error (Hausdorff distance) can be made arbitrarily small with Δt < δ and size of X0 < δ
- Integrated into a complete verification tool (paper in next session)
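Slides 56 and 57 describe the two steps of the polyhedral flow pipe segment approximation. The following is an added example that re-implements them in plain Python for a constructed 2-D linear system; it is not CheckMate code. The system matrix A, the box X0, the RK4 integrator and the replacement of the d_i optimization of Step 2 by taking the maximum of c_i^T x over the simulated vertex trajectories are assumptions of this example (the result encloses every simulated sample, not provably the continuous-time segment). The `in_polytope` function is the same Cx <= d test that the Polyhedral Threshold block on slide 51 performs.

```python
"""Polyhedral flow pipe segment approximation in 2-D (added example, not CheckMate).

Step 1: simulate the trajectories from the vertices of X0 over one segment
[t_k, t_k+1], take the convex hull of the vertex positions at t_k and t_k+1,
and read off the outward normals c_i of its edges.
Step 2: choose d_i so that { x | c_i^T x <= d_i } encloses the segment.  The
slides solve an optimization; here (an assumption of this example) d_i is
the maximum of c_i^T x over the simulated vertex trajectories sampled at
intermediate times.  R^M_[0,T](X0) is the union of the segment polytopes.
"""
import math

A = ((0.0, 1.0), (-1.0, -0.5))                                   # constructed damped oscillator
X0_VERTICES = [(0.9, -0.1), (1.1, -0.1), (1.1, 0.1), (0.9, 0.1)]  # constructed box X0


def rk4_step(x, dt, a=A):
    """One classical Runge-Kutta step of xdot = A x (a linear map, since A is constant)."""
    def f(v):
        return (a[0][0] * v[0] + a[0][1] * v[1], a[1][0] * v[0] + a[1][1] * v[1])
    k1 = f(x)
    k2 = f((x[0] + dt / 2 * k1[0], x[1] + dt / 2 * k1[1]))
    k3 = f((x[0] + dt / 2 * k2[0], x[1] + dt / 2 * k2[1]))
    k4 = f((x[0] + dt * k3[0], x[1] + dt * k3[1]))
    return (x[0] + dt / 6 * (k1[0] + 2 * k2[0] + 2 * k3[0] + k4[0]),
            x[1] + dt / 6 * (k1[1] + 2 * k2[1] + 2 * k3[1] + k4[1]))


def simulate(x0, t_end, n_steps):
    """Sampled trajectory [x(0), x(h), ..., x(t_end)] with h = t_end / n_steps."""
    h = t_end / n_steps
    traj = [x0]
    for _ in range(n_steps):
        traj.append(rk4_step(traj[-1], h))
    return traj


def convex_hull(points):
    """Andrew's monotone chain: counter-clockwise hull vertices without repeats."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts

    def cross(o, p, q):
        return (p[0] - o[0]) * (q[1] - o[1]) - (p[1] - o[1]) * (q[0] - o[0])

    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def outward_normals(hull):
    """Unit outward normals of a counter-clockwise polygon: rotate each edge by -90 degrees."""
    normals = []
    for i in range(len(hull)):
        (x1, y1), (x2, y2) = hull[i], hull[(i + 1) % len(hull)]
        nx, ny = y2 - y1, -(x2 - x1)
        length = math.hypot(nx, ny)
        normals.append((nx / length, ny / length))
    return normals


def flow_pipe_segment(x0_vertices, k, dt, n_sub=10):
    """Polytope [(c_i, d_i), ...] enclosing the sampled flow pipe segment on [t_k, t_k+1], t_k = k*dt."""
    # Step 1a: simulate every vertex of X0 from t = 0 through t_k+1 and keep the segment samples.
    segment_samples = []
    for v in x0_vertices:
        traj = simulate(v, (k + 1) * dt, (k + 1) * n_sub)
        segment_samples.append(traj[k * n_sub:])
    # Step 1b: the convex hull of the vertex positions at t_k and t_k+1 supplies the normals c_i.
    endpoints = [s[0] for s in segment_samples] + [s[-1] for s in segment_samples]
    normals = outward_normals(convex_hull(endpoints))
    # Step 2 (sampling in place of the slides' optimization): d_i = max c_i^T x over the samples.
    return [(c, max(c[0] * x[0] + c[1] * x[1] for s in segment_samples for x in s)) for c in normals]


def in_polytope(poly, x, tol=1e-9):
    """Polyhedral threshold test: 1 (True) if C x <= d for every row (c_i, d_i), else 0 (False)."""
    return all(c[0] * x[0] + c[1] * x[1] <= d + tol for c, d in poly)


def flow_pipe(x0_vertices, t_final, dt, n_sub=10):
    """R^M_[0,T](X0): list of segment polytopes whose union encloses the sampled flow pipe."""
    return [flow_pipe_segment(x0_vertices, k, dt, n_sub) for k in range(int(round(t_final / dt)))]


if __name__ == "__main__":
    for k, poly in enumerate(flow_pipe(X0_VERTICES, 2.0, 0.5)):
        print(f"segment {k}: {len(poly)} faces, origin inside: {in_polytope(poly, (0.0, 0.0))}")
```

Because RK4 on a linear system is itself a linear map, the trajectory of the centre of X0 is the average of the vertex trajectories at every sample time, so it must fall inside each segment polytope; that is the sanity check a practitioner would run before trusting the enclosure. The origin, which the damped oscillator never reaches from X0 in the time horizon used, is correctly excluded because some face normal has d_i < 0.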

61 Elements of CheckMate
- Simulink/Stateflow front end (graphical editing, simulation)
- Threshold-event-driven Hybrid Systems (TEDHS)
- Conversion to a Polyhedral-Invariant Hybrid Automaton (PIHA)
- Initial Partition
- Flow Pipe Approximations
- Quotient Transition System
- ACTL Verification
- Partition Refinement

62 Using Reachability Approximations for Verification
Flow: hybrid system model H -> Simulation -> transition system TM/P; together with the PROPERTY TO VERIFY, the MODEL CHECKING PROGRAM reports PROPERTY IS TRUE or A COUNTEREXAMPLE. Conclusive for H? If no, iterate.
For universal assertions (A - for all paths), TRUE for TM/P implies TRUE for TH.

63 Comparison to Bisimulation Approach
Bisimulation approach: construct initial partition -> test for bisimulation; if no, refine partition and repeat (BP iterations); if yes, finite bisimulation -> verification -> stop: specification is true / stop: specification is false.
CheckMate approach: construct initial partition -> finite quotient system -> verification; if yes, stop: specification is true; if no, refine partition and repeat, or stop: specification is false.

64 Powertrain Control Application
"Hybrid control in automotive applications: the cut-off control," A. Balluchi et al., Automatica Special Issue on Hybrid Systems, vol. 35, no. 3, March 1999
Problem: Verify the event-driven implementation of a control law designed in continuous time.
Control law: Decide when to inject air/fuel for torque to decrease speed along a prescribed trajectory.

65 Cut-off Control Plant: four-stroke, four-cylinder engine
- discrete-event model of torque generation: 4-state FSM model for each piston
- continuous-time powertrain model [1]: axle torsion angle, crankshaft speed, wheel speed, crankshaft angle (----> FSM transition event)
- input: engine torque from pistons
[1] Model from Magneti Marelli Engine Control Division

66 CheckMate Model

67 CheckMate Model power train dynamics

68 Piston FSM

69 CheckMate Model

70 Predictive Control Logic

71 Verification for Powertrain Control Features
- Problems are hybrid
- Logic introduces combinatorial complexity
- Potential savings if control logic can be evaluated early in the design cycle
- Flowpipe reachability analysis applies to purely continuous problems
- Verification requires model "abstraction" (i.e., insight and effort)
- BUT formal verification often reveals unanticipated behaviors

