Safety Verification of Model Helicopter Controller Using Hybrid Input/Output Automata

Sayan Mitra MIT Hybrid Systems: Computation and Control Prague, Czech Republic 2003
Joint work with Yong Wang (U. Beijing), Nancy Lynch, Eric Feron
HSCC 03 MIT LCS

Verification Techniques
Algorithmic
Model checking e.g. [Alur, et al. 95]
Automatic: HyTech Essentially for finite-state systems, subclass of linear hybrid systems

Over approximating set of unsafe states [Bayen, et al. 02]

Deductive
Invariant assertions, simulation relations e.g. [Manna, Sipma 98]
Can accommodate infinite-state systems: STeP Requires human effort
User interaction

HSCC 03

MIT LCS

Talk Outline
Introduction Hybrid I/O Automata definitions Specification of Quanser Safety Verification Conclusions

HSCC 03

MIT LCS

The HIOA Model

[Lynch, Segala, Vaandrager 01, 03]
General, mathematical modeling framework.
States, discrete transitions Trajectories: Maps left closed intervals of time to variable values

Support for decomposing hybrid system descriptions:

External behavior: Models interaction of component with environment. Composition: Synchronizes external actions, external flows; respects external behavior. Levels of abstraction: Implementation notion

Can incorporate analysis methods from:

CS: Invariants, simulation relations, compositional methods. Control theory: Invariant sets, stability analysis, robust control.

HSCC 03

MIT LCS

Hybrid I/O Automaton

V = U Y X: Input, output, and internal (state) variables Q: States, a set of valuations of X Q : Start states A = I O H: Input, output, and internal actions D Q A Q: Discrete transitions T: Trajectories for V.
I U O X H
HSCC 03 MIT LCS

Trajectory Axioms and Executions

Set T of trajectories is closed under:
Prefix Suffix Countable concatenation

fstate, lstate Execution fragment: 0 a1 1 a2 2 , where:

Each i is a trajectory of the automaton and Each ( i.lstate, ai , i+1.fstate) is a discrete step.

Execution:

Execution fragment beginning in a start state.

MIT LCS

HSCC 03

Model Helicopter System

Manufactured by Quanser User controllers not necessarily safe, can crash the helicopter on the table. Supervisory pitch controller needed to ensure safety.
Safe operating region Saturated actuator outputs : Umin or Umax

Must contend with

Sensor errors Actuator delay

HSCC 03

MIT LCS

Helicopter System
Actuator buffer, u
dequeue

Plant 0 , 1

0 , 1

Sensor now, next

Supervisor mode, Xs , S, rt
HSCC 03

Useroutput(Xu)

UserCntrl

Xu
MIT LCS

Plant
Variables:
0 : Pitch angle 1: Pitch velocity

Trajectories:
evolve: d(0) = 1 d(1) = -2cos 0 + U

Plant

0 , 1

0 ,1

Input bounds: Umin , Umax Safe Region: S = { s | min s.0 max }

HSCC 03 MIT LCS

Sensor
Discrete transition:
Sample(0d , 1
d

0 ,1

Sensor now, next Sample(0d , 1d )

precondition: now = next and 0d [0- 0 , 0+ 0 ] and 1d [1 - 1, 1 - 1] effect: next = next +

Nondeterministic choice

Trajectories:
evolve: d(now) = 1 stopping condition: now = next

HSCC 03

MIT LCS

User Controller
Arbitrarily bad user On receiving Sample,
Useroutput(Xu) Non deterministic choice, Xu [Umin, Umax ]

HSCC 03

MIT LCS

Actuator
Actuator delay Ta
modeled as a FIFO queue of Supervisor(User) outputs buffer: length [Ta / ]

Enqueue S received from supervisor Dequeue u from buffer head,

u changes discretely Made into piece-wise continuous output U
HSCC 03 MIT LCS

Modeling Actuator Delay

Ta Currently modeled as a single discrete jump from Umin to Umax after time Ta. Alternatively
Approximate exponential rise by adding k intermediate values in the buffer, for every command from the supervisor.
Output from buffer will change every /k time.

Ta

Model as continuous function

HSCC 03

MIT LCS

Safe Operating Region

1
S C U I R

min

0
Assumption: Cannot cross I in time.

max

HSCC 03

MIT LCS

Supervisor
Supervisor
Command(S)

Sample
Userout(Xu)

mode, Xs , S, rt

On receiving sample, computes Xs

If s is above I+ then Xs = Umin If s is below I- then Xs = Umax

On receiving useroutput(Xu), computes S

If mode = user then
If s is in U then S = Xu Else mode = supervisor ; S = Xs

If mode = supervisor then

If s is in I then S = Xu ; mode = user Else S = Xs

HSCC 03

MIT LCS

Safety Verification
Assertional Proofs
Reasoning based on current state of the system

Finding the invariants is challenging

Strengthen statement

Proofs are easy, for proving I

Base case: I Discrete part: s a s D, show I(s) implies I(s) Continuous part: closed T, show I(fstate()) implies I(lstate())
MIT LCS

HSCC 03

Key Lemmas
All trajectories are closed Any trajectory T, ltime() - ftime() .

HSCC 03

MIT LCS

User mode
1
A2 A1 A A0

R U

A0 = R For 0 t t

At At

U A

HSCC 03

MIT LCS

User mode
Safety Any reachable state in the user mode is within R. Proof:
Discrete part is easy Any closed trajectory T, if fstate() At then lstate() At-ltime().

HSCC 03

MIT LCS

Executions in User and Supervisor modes

buffer flushed, mode go outside Supervisor mode Cannot switches to R supervisor, but kicks in. from U, in the user buffer contains I and Returns to stale mode user commands. back mode switches to user .

HSCC 03

MIT LCS

Supervisor mode
Correct input to plant
If s is above I+ then last [rt/] entries in buffer are Umin
rt: stopwatch for supervisor mode

Similarly, s is below I- then Umax Settling phase rt Ta Any reachable state is within C
All trajectories starting from within R remains within C Proof similar to User mode

Recovery phase rt > Ta

Any reachable state is within C

Proof: At any point on boundary of C, the vector field points inwards

HSCC 03

MIT LCS

Conclusions
Design of supervisory controller
Controller has been implemented [Ishutkina].

Specification Language Demonstration of HIOA framework

Specification
Compositional Nondeterminism models uncertainties in devices or user inputs.

Purely assertional proofs

Discrete and continuous parts CS and Control Theory techniques

Current/Future Work
Performance guarantees for mobile computing algorithms Theorem prover support
HSCC 03 MIT LCS

Thank You.

Questions

?
HSCC 03 MIT LCS

HSCC 03

MIT LCS

Current/Future Work
Incorporate control theory methods:
Invariant sets, Stability analysis using Lyapunov functions, robust control methods.

More examples:
Systems with more complicated discrete behavior and dynamics, e.g. mobile computing, embedded systems.

Develop analysis tools for HIOA programs:

Theorem-provers, automated tools As extension to IOA toolset

HSCC 03

MIT LCS