Robust testing of hybrid systems - PowerPoint PPT Presentation

1
Robust testing of hybrid systems
  • A. Agung Julius
  • Dept. Electrical and Systems Engineering
  • University of Pennsylvania

http://www.seas.upenn.edu/agung
Hybrid Systems Seminar, Drexel Univ., 7 Dec 2006.
2
Collaborators
  • George J. Pappas (ESE, UPenn)
  • NSF Presidential Early CAREER Award, Grant 0132716
  • Georgios Fainekos (CIS, UPenn)
  • Alessandro D'Innocenzo (L'Aquila, Italy)
  • Insup Lee (CIS, UPenn)
  • Madhukar Anand (CIS, UPenn)
  • Antoine Girard (Grenoble, France)

3
Hybrid systems
  • Hybrid systems: systems that have both continuous
    and discrete aspects in the dynamics.
  • Continuous: continuous time, differential
    equations, smooth evolution, infinite/uncountable
    states.
  • Discrete: discontinuities, finite/countable
    states, discrete time.

4
Discrete and Continuous
  • Control Theory: continuous systems; stability,
    control; feedback, robustness.
  • Computer Science: transition systems; composition,
    abstraction; concurrency models.
  • Hybrid Systems: software controlled systems,
    multi-modal systems, embedded real-time systems,
    multi-agent systems.
5
Emerging applications
Latest BMW: 72 networked microprocessors. Boeing
777: 1280 networked microprocessors.
6
Networked embedded systems
[Diagram: a network connecting two controllers (SW/HW),
each attached through a sensor and an actuator to a
physical system]
7
Networked embedded systems
[Diagram: the same networked controller/sensor/actuator/
physical-system layout]
Physical system is continuous, software is
discrete.
8
Hybrid behavior arises in
  • Hybrid dynamics
      • Hybrid model is a simplification of a larger
        nonlinear model
  • Quantized control of continuous systems
      • Input and observation sets are finite
  • Logic based switching
      • Software is designed to supervise various
        dynamics/controllers
  • Partial synchronization of many continuous
    systems
      • Resource allocation for competing multi-agent
        systems
  • Hybrid specifications of continuous systems
      • Plant is continuous, but specification is
        discrete or hybrid...

9
Nuclear reactor example
  • Without rods
  • With rod 1
  • With rod 2
  • Rod 1 and 2 cannot be used simultaneously
  • Once a rod is removed, you cannot use it for 10
    minutes
  • Specification: keep temperature between 510 and
    550 degrees.
  • If T = 550 then either a rod is available or we
    shut down the plant.

10
Software model of nuclear reactor
11
Hybrid model of nuclear reactor
Analysis: Is shutdown reachable?
Algorithmic verification: NO
12
Lesson from Ariane 5
  • Ariane 5, an unmanned rocket, was launched on
    4th June 1996. The rocket exploded 37 s after
    launch, due to a software error.
  • The program had been running for 10 years,
    costing $7 billion. The rocket and its cargo
    themselves cost $500 million.
  • Post-explosion analysis singled out a software
    program as the cause of the accident.
  • Interestingly, the same program functioned
    perfectly on Ariane 4, and was copied to Ariane 5
    for that reason. What had changed was the
    physical system around the software.

13
Abstract safety verification

14
Abstract safety verification
[Figure: state space with an Init region and an Unsafe region]
15
Existing tools
  • Existing tools for verification:
  • UPPAAL (Larsen et al.)
  • PHAVer (Frehse)
  • d/dt (Dang, Maler)
  • HyTech (Henzinger et al.)
  • Matisse (Girard, Pappas, Julius)
  • Ellipsoidal toolbox (Kurzhanski, Varaiya)
  • SOSTOOLS (Parrilo, Prajna, et al.)
  • CheckMate (Krogh et al.), etc.

16
Testing vs verification
  • Verification gives a 100% guarantee, but it is
    hard!
  • Infinite time horizon is probably too much to ask
    for.
  • Testing: run the system to be verified under as
    many scenarios as possible for a finite time
    horizon.
  • Each run is called a test, parametrized by test
    parameters.

17
Testing vs verification
  • Based on the test results, provide a (partial)
    guarantee on the properties of the system.
  • Testing is a common practice in software engineering.
  • Problems:
      • How to generate the tests?
      • What can we learn after finitely many tests?

18
Overview
  • Intro: what is testing?
  • Why is testing for hybrid systems interesting?
  • Theoretical foundation
  • Testing algorithms
  • Navigation benchmark
  • Further extensions

19
Why is testing for hybrid systems interesting?
20
Ice cream analogue
  • Imagine going to an ice cream parlor
    for a bowl of ice cream.
21
Ice cream analogue
You want to try out the flavors, say, one flavor
a day.
Even though performing each single test is
easy, when you have infinitely many tests, it's
a problem.
22
Covering of the parameter space
  • It is impossible to cover an uncountable testing
    parameter space with points.

[Figure: parameter space]
23
Covering with robust tests
  • Each test represents a (nonzero measure)
    neighborhood of testing parameters.
  • Parameters that lead to tests with the same
    qualitative properties are grouped together.

Finite covering is possible!
[Figure: parameter space]
24
Theoretical foundation
25
Bisimulation function

A. Girard and G.J. Pappas
26
Bisimulation function
27
Invariance property
The level sets of f are invariant.
28
Invariance property

29
Construction of bisimulation functions

30
Properties of the bisimulation functions

31
Systems with affine dynamics

32
Lyapunov equation
The Lyapunov equation always has a solution for
stable A.
33
Metric induced by bisimulation function

34
Metric induced by bisimulation function

35
Invariance property

36
Computational aspects of the construction

37
Polynomial systems

38
Testing algorithms
39
Hybrid executions

40
Hybrid executions

41
One step of the algorithm

42
One step of the algorithm
43
One step of the algorithm

44
One step of the algorithm
45
One step of the algorithm
Thus, a guarantee on the qualitative behavior and
timing.
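The following is an added example, not code from the slides, showing how one step of the algorithm works for a system with affine dynamics: the bisimulation function is built from the Lyapunov equation A^T P + P A = -I, its level sets are checked to be invariant (they never grow along two trajectories), and one simulated run then certifies a whole P-ball of initial states around the tested point. The system matrix, the unsafe set (a ball in the P-metric), the time horizon and the step size are constructed for this example.

```python
import math
def solve_lyapunov_2x2(A):
    """Solve A^T P + P A = -I for symmetric P = [[p1, p2], [p2, p3]] (2x2 Hurwitz A only)."""
    (a, b), (c, d) = A
    rows = [[2 * a, 2 * c, 0.0, -1.0],    # (1,1) entry of A^T P + P A, linear in (p1, p2, p3)
            [b, a + d, c, 0.0],           # (1,2) entry; last column is the right-hand side
            [0.0, 2 * b, 2 * d, -1.0]]    # (2,2) entry
    for i in range(3):                    # Gauss-Jordan elimination with partial pivoting
        piv = max(range(i, 3), key=lambda r: abs(rows[r][i]))
        rows[i], rows[piv] = rows[piv], rows[i]
        for r in range(3):
            if r != i:
                f = rows[r][i] / rows[i][i]
                rows[r] = [u - f * v for u, v in zip(rows[r], rows[i])]
    p1, p2, p3 = (rows[i][3] / rows[i][i] for i in range(3))
    return [[p1, p2], [p2, p3]]

def bisim(P, x, y):
    """Bisimulation function V(x, y) = sqrt((x-y)^T P (x-y)), the metric induced by P."""
    e0, e1 = x[0] - y[0], x[1] - y[1]
    return math.sqrt(max(P[0][0]*e0*e0 + 2*P[0][1]*e0*e1 + P[1][1]*e1*e1, 0.0))

def simulate(A, x0, T, dt):
    """RK4 integration of dx/dt = A x over [0, T]; returns the list of sampled states."""
    f = lambda x: [A[0][0]*x[0] + A[0][1]*x[1], A[1][0]*x[0] + A[1][1]*x[1]]
    traj, x = [list(x0)], list(x0)
    for _ in range(int(round(T / dt))):
        k1 = f(x)
        k2 = f([x[i] + dt/2*k1[i] for i in range(2)])
        k3 = f([x[i] + dt/2*k2[i] for i in range(2)])
        k4 = f([x[i] + dt*k3[i] for i in range(2)])
        x = [x[i] + dt/6*(k1[i] + 2*k2[i] + 2*k3[i] + k4[i]) for i in range(2)]
        traj.append(x)
    return traj

def level_sets_nonincreasing(A, P, x0, y0, T=3.0, dt=0.01):
    """Invariance property: V between two runs never grows, so level sets trap trajectories."""
    vals = [bisim(P, x, y) for x, y in zip(simulate(A, x0, T, dt), simulate(A, y0, T, dt))]
    return all(b <= a + 1e-12 for a, b in zip(vals, vals[1:]))

def robust_test(A, P, x0, unsafe_center, unsafe_radius, T=3.0, dt=0.01):
    """One test from x0: returns the radius r of the P-ball of initial states it certifies safe
    over [0, T] (the nominal run's smallest P-distance to the unsafe P-ball), 0.0 if it fails."""
    margin = min(bisim(P, x, unsafe_center) - unsafe_radius for x in simulate(A, x0, T, dt))
    return max(margin, 0.0)

if __name__ == "__main__":
    A = [[-1.0, 1.0], [0.0, -2.0]]        # constructed stable (Hurwitz) system matrix
    P = solve_lyapunov_2x2(A)             # P = [[1/2, 1/6], [1/6, 1/3]] for this A
    print(P, level_sets_nonincreasing(A, P, (1, 1), (0.5, -0.5)), robust_test(A, P, (1, 1), (2, 2), 0.3))
```

Every initial state within the returned radius of the tested point, measured in the P-metric, shares the nominal run's safety verdict over the horizon; a radius of 0.0 means the tested point itself is a counterexample.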
46
Finite test with multiple transitions

47
Finite test with multiple transitions
Notice that the level sets can have different
shapes.
48
Navigation Benchmark
- G. Fainekos
49
Navigation benchmark

50
Navigation benchmark

51
Navigation benchmark 1
52
Navigation benchmark 1
With 25 runs, we cover >48% of the initial set.
Notice that there is a clear divide in the
initial set, due to different transitions.
53
Benchmark problem 2
Verified to be safe with CHARON
54
Benchmark problem 2
Safety verified after 9 tests!
55
Navigation benchmark 3
Goal
Unsafe
56
Navigation benchmark 3
Unsafety verified by PHAVer. We verified unsafety
with 10 tests.
57
Further extensions
58
Coverage computation

59
Coverage strategies
  • Randomized strategy: easy to implement, almost
    impossible to get 100% coverage.
  • Gridding based strategy: easy to implement,
    suffers from the curse of dimensionality.
  • Maximal dispersal based strategy: based on
    partitioning the parameter space with weighted
    Voronoi partitions.
  • Greedy algorithm: underapproximate the
    ellipsoids with polygons, partition the rest with
    Voronoi.

Alessandro D'Innocenzo
60
Handling instability

Unstable, small level sets, higher complexity
Stable, big level sets, less complexity
Trading off complexity with stability
61
Adding bounded input

62
Adding bounded input

63
Probabilistic testing

64
Probabilistic testing
The size of the level set will depend on the
confidence level of the test. Trade-off: more
confidence requires more tests.
65
Translating hybrid automata to timed automata

66
Translating hybrid automata to timed automata

Alessandro D'Innocenzo
67
Translating hybrid automata to timed automata
Alessandro D'Innocenzo
68
Translating hybrid automata to timed automata
Alessandro D'Innocenzo
69
Related publications
70
and finally
  • Thank you for your attention!
  • Slides and related publications can be found at
  • http://www.seas.upenn.edu/agung

No ice cream was harmed during the making of
this presentation