Model Checking of Robotic Control Systems

1
Model Checking of Robotic Control Systems

• Presenting
• Sebastian Scherer
• Authors
• Sebastian Scherer, Flavio Lerda,
• and Edmund M. Clarke

2
Outline

• Motivation
• Why verification
• Scope
• Control software
• Method
• Case Study
• Conclusions

3
Why verify robot software?

• Failure is expensive
• Interplanetary exploration
• Crash / Rollover
• Autonomy increases responsibility
• Human interaction
• Large forces and momenta

4
The scope of our approach
Software
Goal
Typical mobile robot architecture
Hardware
Specified
Accumulation
Planning
Preprocessing
Controller
Actuators
Sensors
Environment
5
Control systems are implemented in software

• Main loop is only a small fraction of the control
  software
• Initialization
• Exception handling
• Conversion
• Fatal bugs can be in any line of the code.

Software
Goal
Typical mobile robot architecture
Hardware
Specified
Accumulation
Planning
Preprocessing
Controller
Actuators
Sensors
Environment
6
Outline

• Motivation
• Method
• Capabilities Limitations
• Method
• Model Checking
• Case Study
• Conclusions

7
Capabilities of our method

• Utilizes environment (plant) of the control
  system.
• Simulates behaviour
• Determines stability.
• Models influence of noise.
• Checks performance specifications.
• Computes ranges of trajectories.
• Checks programming errors
• Null pointer exceptions.
• Dead lock, concurrency bugs.
• Errors affecting the behavior.
• Code checked is identical to executed code.

8
Limitations of our method

• Discrete method
• Makes assertions only about a particular initial
  condition.
• Continuous states are approximated up to a fixed
  point precision.
• Precision often determines the length of a
  simulation trace and the size of the state space
  to explore.
• Noise is approximated by a discrete set of
  values.
• Detailed model
• Requires model relating inputs and outputs.
• Additional memory and computation time.
• Assumptions
• Time elapses only while tasks sleep.
• Unbounded variables like time and distance must
  be abstracted manually.

9
Model check software with a physical environment
10
Method
Software executed on robot
Actual Robot
Environment model
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate
Gate.getInstance() SpeedOMeter
encoder SpeedOMeter.getInstance()
LightArray lightsensor
LightArray.getInstance() TLC2543
tlc TLC2543.getInstance()
if(Environment.isMC)
lightsensor.initDefault() SpeedControl
speedcontrol SpeedControl.getInstance()
SteeringControl steeringcontrol
SteeringControl.getInstance()
Environment env
Environment.getInstance()
Sensors
Actuators

• Execute the source code.
• After all tasks sleep execute the environment.
• Equivalent states are not revisited.

11
Method
Software executed on robot
Actual Robot
Environment model
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate
Gate.getInstance() SpeedOMeter
encoder SpeedOMeter.getInstance()
LightArray lightsensor
LightArray.getInstance() TLC2543
tlc TLC2543.getInstance()
if(Environment.isMC)
lightsensor.initDefault() SpeedControl
speedcontrol SpeedControl.getInstance()
SteeringControl steeringcontrol
SteeringControl.getInstance()
Environment env
Environment.getInstance()

• Software executes until all tasks yield.

12
Method
Software executed on robot
Actual Robot
Environment model
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate
Gate.getInstance() SpeedOMeter
encoder SpeedOMeter.getInstance()
LightArray lightsensor
LightArray.getInstance() TLC2543
tlc TLC2543.getInstance()
if(Environment.isMC)
lightsensor.initDefault() SpeedControl
speedcontrol SpeedControl.getInstance()
SteeringControl steeringcontrol
SteeringControl.getInstance()
Environment env
Environment.getInstance()

• Software executes until all tasks yield.
• Commands are set. Sensors are read. Time elapses

13
Method
Software executed on robot
Actual Robot
Environment model
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate
Gate.getInstance() SpeedOMeter
encoder SpeedOMeter.getInstance()
LightArray lightsensor
LightArray.getInstance() TLC2543
tlc TLC2543.getInstance()
if(Environment.isMC)
lightsensor.initDefault() SpeedControl
speedcontrol SpeedControl.getInstance()
SteeringControl steeringcontrol
SteeringControl.getInstance()
Environment env
Environment.getInstance()

• Software executes until all tasks yield.
• Commands are set. Sensors are read. Time elapses
• Software executes with new sensor values.

14
Method
Software executed on robot
Actual Robot
Environment model
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate
Gate.getInstance() SpeedOMeter
encoder SpeedOMeter.getInstance()
LightArray lightsensor
LightArray.getInstance() TLC2543
tlc TLC2543.getInstance()
if(Environment.isMC)
lightsensor.initDefault() SpeedControl
speedcontrol SpeedControl.getInstance()
SteeringControl steeringcontrol
SteeringControl.getInstance()
Environment env
Environment.getInstance()

• Software executes until all tasks yield.
• Commands are set. Sensors are read. Time elapses.
• Software executes with new sensor values.
• Commands are set. Sensors are read. Time elapses
  with new commands.

15
Model checking
Transitions
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate
Gate.getInstance() SpeedOMeter
encoder SpeedOMeter.getInstance()
LightArray lightsensor
LightArray.getInstance() TLC2543
tlc TLC2543.getInstance()
if(Environment.isMC)
lightsensor.initDefault() SpeedControl
speedcontrol SpeedControl.getInstance()
SteeringControl steeringcontrol
SteeringControl.getInstance()
Environment env
Environment.getInstance()
States

• Model consists of states and transitions.
• Java byte code specifies a model.
• Verify a model against a specification given as
  logic properties.
• The algorithm visits all states of the model to
  verify that none of the specified properties are
  violated.
• If the same state is reached twice backtrack.

16
Java PathFinder

• All states are explored to find a violation of
  the properties.
• Executing the byte code generates successors.
• If no new successors are generated the search
  backtracks.
• Environment byte code is executed on host JVM. No
  intermediate states are generated from it.
• Environment stores only necessary state variables.

17
Outline

• Motivation
• Method
• Case Study
• Architecture
• Verification
• Model
• Results
• Conclusions

18
Overview

• Robot has to follow a line and maintain a
  constant speed.
• Native Java microcontroller executes the code.
• Check source code without change.

19
Architecture

• Actuators
• Steering
• Motors
• Sensors
• Light sensors
• Encoder

20
Software

• 3 tasks running with a fixed frequency of 33Hz.
• Task 1 Reads sensor values.
• Task 2 Controls the steering.
• Task 3 Controls the velocity.
• A fixed rate scheduler determines the execution
  order and duration.

Task 1
Task 2
Task 3
21
Verification

• Need model of the environment.
• Need definition of states.
• Verify robot starting from initial condition
  offset from center of line and on a straight line.

22
Environment model

• Two models necessary
• Model relate commands to sensor information
• Sensed position over line depends on
• Steering command
• Velocity command
• Sensed encoder velocity depends on the velocity
  command.

Inputs Velocity command Steering command
Sensed position model
Output Encoder velocity
Input Velocity command
Sensed velocity model
Output Encoder velocity
23
Determining the model

• One way to obtain a model of the environment is
  system identification.
• Performed experiments and obtained a second-order
  model for velocity and a fourth-order model for
  steering
• Quality of sensor gave a better fit for the
  velocity

24
States

• Continuous state
• 6 state variables
• 2 inputs
• States are discretized up to a fixed precision to
  terminate on stability and disambiguate
  quasi-equal states.
• Monotonic variables such as time or distance are
  (manually) abstracted.
• DESCRIBE PICTURE

Discrete State
Continuous State
import gov.nasa.jpf.jvm.Verify import
com.ajile.jem.PeriodicThread import
com.ajile.jem.PianoRoll import
com.ajile.drivers.gptc. import
intermediate. import drivers. import
controller. import model. public class
Mobot static final int PR_DURATION_MSEC
80 static final int PR_BEAT_MSEC 1
static PianoRoll Piano_Roll new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC) public
static void main(String args)
DecsionPoints.runSystrue //Initialize
threads PWM2 pwm
PWM2.getInstance() Gate gate


State space model
25
Non-Determinism

• Possible to explore non-determinism in the
  software and environment.
• Model checking explores a wider spread of
  trajectories.
• Non-determinism is discrete. Differential
  equations are deterministic.

Red trajectory shows an actual trace of the robot.
Blue region is the spread of trajectories
covered by the model checker.
26
Results

• Added different kinds of non-determinism to
  model.
• Encoder reading off by -10, 0, 10 ticks
• Failure of one sensor in the array of light
  sensors
• Commanded steering and velocity pulsewidth is not
  accurate.

Wheel
Slip
Ground
27
Results

• We verified a set of properties of the control
  software.
• No programming errors (e.g. Null pointer
  exceptions) were found.

28
Outline

• Motivation
• Method
• Case Study
• Conclusions

29
Conclusion

• Model checker covers a sufficient range of
  trajectories to simulate all inputs to program.
• Seeded type conversion bug was found.
• Verifies software for robot controllers directly.
• Discretization, abstraction and extraction of
  continuous states enable efficient verification.
• Exhaustive exploration of non-determinism such as
  random sensor failure.
• Aids the control system designer by direct
  verification of all reachable states of the model.

30
Future work

• Prove correctness of model checking algorithm
• Extend notion of discretization of state space to
  be an over-approximation.
• Provide integrated support for modeling the
  environment
• Integrate with higher level software interfaces
• Check complex systems
• Extend to languages other than Java

31
Questions? Comments?

• Contact Information
• Sebastian Scherer
• basti_at_andrew.cmu.edu
• http//www.cs.cmu.edu/basti/