Temporal Logic Testing for Hybrid Systemsgfaineko/pres/fainekos_shonan2012.pdf · 2. the engine...
Transcript of Temporal Logic Testing for Hybrid Systemsgfaineko/pres/fainekos_shonan2012.pdf · 2. the engine...
1
LabCPS
School of Computing, Informatics and Decision System Engineering
Arizona State University
fainekos at asu edu
http://www.public.asu.edu/~gfaineko
Georgios Fainekos
Temporal Logic Testing for Hybrid Systems
2
LabCPS
“A design without specifications cannot be right or wrong, it can only be surprising!”*
*Lee & Seshia, Introduction to Embedded Systems: A Cyber-Physical Systems Approach, 2011 paraphrased from Boebert & Kain: Proving a computer system secure. Scientific Honeyweller, 6(2), 18–27, 1985
3
LabCPS
Motivating Example: Automatic Transmission Simulink Demo
Specification: The following 3 conditions should not occur during the first 60 sec of system operation:1. the vehicle speed v exceeds 120km/h, and 2. the engine speed ω exceeds 4500RPM, and3. all states are reached in the switching logic
[Zhao, Krogh, Hubbard, IEEE CSM Aug. 2003]
5
LabCPS
Why is this problem challenging?
Switching guards that depend in inputs
In other models some guards may also depend on initial conditions
7
LabCPS
In summary• Nonlinear ODEs with 2 state variables• 3 look-up tables and 3 look-up 2D tables • A Stateflow chart: two concurrent FSM with 4 and 3 states
If you would like to get real, in simplified models you will expect ~100 state variables (both continuous & discrete time)
8
LabCPS
Properties?Specification: The following 3 conditions should not occur during the
first 60 sec of system operation:1. the vehicle speed v exceeds 120km/h, and 2. the engine speed ω exceeds 4500RPM, and3. all states are reached in the switching logic
What if you would like to verify some more complicated property?For example:• “when the road grade and the throttle remain constant, then the
system should not change from gear 1 to gear 2 and then back to gear 1”
• “whenever the system enters the first gear, then it should not enter the second gear within 2.5 sec”
• “whenever the system is in transition from gear 2 to gear 1, then the derivative of the torque is less than 450”
9
LabCPS
Linear Temporal Logic Intuition
a – a now
G a - always a
F a – eventually a
X a – next state a
a U b – a until b
a B b – a before b
a a a a aa
* * a * **
a * * * **
a a b * *a
* a * b **
a * * * **
11
LabCPS
Automatic Transmission ExampleNot:1. the vehicle speed v
exceeds 120km/h and2. the engine speed !
exceeds 4500RPM and3. all states are reached in
the switching logic
φ = (i={1,…,9}Fpi)
O(p1) = Q × [120,+∞) × R
O(p2) = Q × R × [4500,+∞)O(p3) = {first} × R2
ª
12
LabCPS
More Complex Specifications1. Find values for the initial parameters such that starting from 0
speed, the gear transitions from second to first to second.
2. A more “useful” property is to find constrain the gear change from second to first to second not happen within 2.5 sec.
3. Verify that the jitter is within acceptable limits
φ1 = F(gear2 F(gear1 Fgear2))
φ2 = G((gear1 X gear1) G[0,2.5] gear2)
φ3 = G(gear21 b)
13
LabCPS
Verifying Temporal Logic Properties
LTL / MTLΦ = G p1 ⁄ F[0,Τ]G p2
System Σx0X0u U
Yes
Verifier
σ=Δ(x0,u)
No
Counterexample for debugging?
14
LabCPS
Back to the Automatic Transmission Example
0 5 10 15 20 25 300
50
100Throttle
0 5 10 15 20 25 300
5000RPM
0 5 10 15 20 25 300
100
200Speed
Stateflow state coverage was verified with Matlab diagnostics tool
15
LabCPS
This talk ...
What can be done?
• Previous approaches to the problem:
identifying decidable classes
barrier certificates / invariants
reachability algorithms
robust testing
systematic simulations / model based testing
statistical techniques
System com
plexity
Complet
enes
s of
ana
lysis
16
LabCPS
What test methods are out there?
0 0.2 0.4 0.6 0.8 1
-0.6
-0.5
-0.4
-0.3
-0.2
-0.1
0
0.1
0.2
0.3
y(1)
y(2)
Robust testingRandom Rapidly exploring Trees
Not easy to test real time specifications using these methods.
17
LabCPS
What test methods are out there?
0 5 10 15 20 25 300
50
100Throttle
0 5 10 15 20 25 300
5000RPM
0 5 10 15 20 25 300
100
200Speed
t
uAssume constant inputs
Systematic testing
0 5 10 15 20 25 300
50
100Throttle
0 5 10 15 20 25 300
5000RPM
0 5 10 15 20 25 300
100
200Speed
Monte Carlo testing
Spec: (F(v120km/h) F(ω4500RPM))
18
LabCPS
Both approaches manage to falsify the specification
0 10 20 30 40 50 60 70 80 90 1000
0.5
1
u
y |=
Monte Carlo testing
0 10 20 30 40 50 60 70 80 90 1000
0.5
1
u
y |=
Systematic testing
What if either method cannot find a bad trajectory?We can only provide probabilistic guarantees, but no other insight.
19
LabCPS
0 2 4 6 8 10-15
-10
-5
0
5
10
15s1
s2 MTL Spec:
G(p1F2 p2)
p2
p1
Two signals that satisfy the same spec, but …
20
LabCPS
Robustness of Temporal Logics
LTL / MTLΦ = G(p1F2 p2)
Monitor/Tester
Robustness parameterε R»{±¶}
|ε|
|ε|
Fainekos and Pappas, Robustness of temporal logic specifications for continuous-time signals, TCS, 2009
21
LabCPS
Discrete-time Robust Semantics for MTL
Algorithm I• Based on formula re-writing• Suitable for runtime monitoring algorithms • Details TCS 2009
timed traceμ = (σ,τ)
Algorithm II• Based on dynamic programming• Suitable for offline testing• Details ACC 2012
22
LabCPS
XSpec : FpO (p)
Temporal Logic falsification as robustness minimization
ε
Bρ(s,ε) Œ L(Φ)s
X0
23
LabCPS
Testing Temporal Logic Robustness
LTL / MTLΦ = G p1 ⁄ F[0,Τ]G p2
System Σx0X0u U
δ = infy Distρ(y, L(Φ)) = ?if δ<0, then system can be falsified
Optimizer
Nghiem, Sankaranarayanan, Fainekos, Ivancic, Gupta, Pappas, Monte-Carlo Techniques for Falsification of Temporal Properties of Non-Linear Hybrid Systems, HSCC 2010
y=Δ(x0,u)
24
LabCPS
Minimizing Temporal Logic Robustness
• We need to solve an optimization problem:
min Distρ(y, L(Φ)) yY is the set of all observable trajectories of the hybrid system
• Challenges:• Non-linear system dynamics• Unknown input signals • Unknown system parameters• Non-differentiable cost function
• not known in closed form• needs to computed
25
LabCPS
How does our cost function look like?
020
4060
80100
020
4060
80100
-1000
0
1000
2000
3000
4000
u1u2
Rob
uste
nss
Throttle % parameterization with 2 variables
tu1
0 20 40 60 80 100-500
0
500
1000
1500
2000
2500
3000
3500
u
Rob
uste
nss
Throttle % parameterization with 1 variable
t
u
Spec: (F(v120km/h) F(ω4500RPM))
u2
26
LabCPS
S-TaLiRo
S-TaLiRo: Systems TemporAl LogIc RObustness
Simulink/StateflowSimulation Engine
(or hybrid automata simulator)
TaLiRo
ConvexOptimization
Stochastic Optimization
MTLspec
Model
MinimumRobustness
FalsifyingTrajectory
https://sites.google.com/a/asu.edu/s-taliro/
observationtrajectory y
robustness ε
y(i), O(p) distance
next x0, u(t), w
27
LabCPS
Goal: Falsify the system or find non-robust behaviors or the worst possible behavior
Minimizing Temporal Logic Robustness• Classical solution to difficult engineering problems:
Stochastic optimization algorithms
• S-TaLiRoø supports:• Monte-Carlo (Simulated Annealing)• Extended Ant Colony Optimization• Genetic Algorithms• Cross-Entropy methods
Negative robustness Small positive robustnessø Annapureddy, Liu, Fainekos, Sankaranarayanan, S-TaLiRo: A Tool for Temporal Logic Falsification for Hybrid Systems, TACAS ‘11
28
LabCPS
Why Cross-Entropy?
• Main point: Sound underlying theory• Important properties, e.g., convergence, can be studied
• Way fewer parameters than other stochastic optimization heuristics
• Very important: It is not be possible to tune parameters on industrial size models
• Industrial size models can take several seconds to simulate• We need stochastic optimization algorithms that can be readily
parallelized and actually achieve better performance
• Get for free optimization of expected value of noisy cost functions• Handle stochastic hybrid systems
29
LabCPS
Cross Entropy (CE) Method
Consider the optimization problem:
min {Distρ(y, L(Φ)) | y = Δ(x0,u), x0X0, u U}remark: U is the set of all possible input signals
and its associated stochastic problem:
P{Distρ(Δ(X,V), L(Φ))ε} = EΙ{Distρ(Δ(X,V), L(Φ))ε}
where X, V are random vectors with pdf f(.;θ).
*For falsification, we need to estimate p = P{Distρ(Δ(X,V), L(Φ))0}
R. Y. Rubinstein and D. P. Kroese. The Cross-EntropyMethod, Springer, 2004.
30
LabCPS
Cross Entropy MethodChallenge: Distρ(Δ(X,V), L(Φ)) ε is a rare event
Solution: Generate a sequence of pdfsf .,θ0 ,f .,θ1 ,f .,θ2 ,…
using the Kullback-Leibler divergence
Ω, . , log,
Ω
between the distribution Ω defined asΩ(x0,u) 1/Wexp ‐KDistρ(Δ(x0,u), L(Φ)))
and f .,θi .
31
LabCPS
Cross Entropy Method
ε*xε
xE.g. Assume normal distribution
Parameters: μ and σ
Use nb best samples to update μ and σ
xε* ε
x
33
LabCPS
Cross Entropy Algorithm
Example: update rules for Normal distribution
1. Choose some θ0 and set i=0 E.g. θ0 = (μ0,σ0) for N(μ0,σ0)
2. While stopping criterion is not met E.g. while ||σi||>δ
1. i = i+12. Generate samples X1, …, Xn according to pdf f(.,θi-1)
E.g., Assume independent components in X and N(μi-1,(σi-1)2)3. Use nbn best samples to update θi
E.g. μij = ΣkXkj/nb and σij = (Σk(Xkj- μij)/nb)1/2
4. Smooth E.g. μi = aμi+(1-a)μi and σi = aσi+(1-a)σi
R. Y. Rubinstein and D. P. Kroese. The Cross-EntropyMethod, Springer, 2004.
34
LabCPS
Update rules for Piecewise Uniform Distributions
• Important in the case of constraint optimization• Well suited for search spaces that are hyper-rectangles• Well suited for correlated variables
• Split each search interval Cj into a number of cells m• Associate a probability Pjk with each cell Cjk
• Then, the update rule becomes
∑ ∈
∑
where
,
36
LabCPS
Experimental Results
[9] A. Chutinan and K. R. Butts. Dynamic analysis of hybrid system models for design validation. Technical report, Ford Motor Company, 2002.[12] T. Dang, A. Donzé, and O. Maler. Verification of analog and mixed-signal circuits using hybrid system techniques. In ICFEM, volume 3142 of LNCS, pages 97–109. Springer, 2004.[26] J. Lygeros. On reachability and minimum cost optimal control. Automatica, 40:917–927, 2004.[37] Q. Zhao, B. H. Krogh, and P. Hubbard. Generating test inputs for embedded control systems. IEEE Control Systems Magazine, pages 49–57, August 2003.
38
LabCPS
Powertrain benchmark*
* A. Chutinan and K. R. Butts, “Dynamic analysis of hybrid system models for design validation,” Ford Motor Company, Tech. Rep., 2002
shift_speed21
C*x <= d
shift_speed12
C*x <= d
shift_scheduler
schedule
STaliro_StateVar
inert21_c1slip_dz
C*x <= d
inert12_c2slip_neg
C*x <= d
first_c2slip_pos
C*x <= d
first_c2slip_dz
C*x <= d
dynamic mode selection
mode
gear
reset
abs_Tc2_gt_abs_RTc2updn_2nd_tg1
C*x <= d
To Workspace1
events
To Workspace
states
Tc2_lt1_tq21_tg1_c2slip_pos
C*x <= d
Tc2_lt1_tq21_tg1_c2slip_neg
C*x <= d
Tc2_lt1_tq21_tg1_c2slip_dz
C*x <= d
Tc2_gt1_1st_tg2_c2slip_pos
C*x <= d
Tc2_gt1_1st_tg2_c2slip_neg
C*x <= d
Tc2_gt1_1st_tg2_c2slip_dz
C*x <= d
Switched ContinuousSystem
RTsp1_lt0_tq12_tg2_c2slip_pos
C*x <= d
RTsp1_lt0_tq12_tg2_c2slip_neg
C*x <= d
RTsp1_lt0_tq12_tg2_c2slip_dz
C*x <= d
LogicalOperator9
AND
LogicalOperator8
AND
LogicalOperator7
AND
LogicalOperator6
AND
LogicalOperator5
AND
LogicalOperator4
AND
LogicalOperator3
NOT
LogicalOperator2
AND
LogicalOperator17
AND
LogicalOperator16
OR
LogicalOperator15
OR
LogicalOperator14
OR
LogicalOperator13
AND
LogicalOperator12
AND
LogicalOperator11
AND
LogicalOperator10
AND
LogicalOperator1
NOT
LogicalOperator
NOT
shift_speed21
shift_speed12
to_first
to_torque12
to_inertia12
to_second
to_inertia21
to_torque21
first_gearentry: schedule =1;STaliro_StateVar = 1;
transition12_shiftingentry : schedule = 2;STaliro_StateVar = 2;
transition21_shiftingentry:schedule = 4;STaliro_StateVar = 4;
second_gearentry: schedule =3;STaliro_StateVar = 3;
to_first
1
shift_speed12
shift_speed21
2
shift_speed12
2
to_second
1
shift_speed21
39
LabCPS
Powertrain Example: Specifications1. Find values for the initial parameters such that starting from 0
speed, the gear transitions from second to first to second.
2. A more “useful” property is to find constrain the gear change from second to first to second not happen within 2.5 sec.
3. Verify that the jitter is within acceptable limits
φ1 = F(gear2 F(gear1 Fgear2))
φ2 = G((gear1 X gear1) G[0,2.5] gear2)
φ3 = G(gear21 b)
40
LabCPS
Powertrain Example: Specifications
0 10 20 30 40 50 601
2
3
4
0 10 20 30 40 50 601
2
3
4
0 10 20 30 40 50 600
1000
2000
3000Torque
0 10 20 30 40 50 601
2
3
4Shift Schedule
Falsifying φ1
Falsifying φ2
Falsifying φ3
Throttle 93.9, Grade 0.2453
41
LabCPS
Robustness cost functionφ2 = G((gear1 X gear1) G[0,2.5] gear2)
0
20
40
60
80
100 00.1
0.20.3
0.40.5
1
1.5
2
2.5
3
gradethrottle
Rob
uste
nss
92
93
94
95
0.230.235
0.240.245
0.250.255
-1
0
1
2
throttlegrade
Rob
uste
nss
42
LabCPS
Satisfying φ2Throttle 93.9, Grade 0.24
0 20 40 600
500
1000
1500
2000
2500
3000Ts
0 20 40 60-5
0
5
10
15
20veh speed
0 20 40 600
50
100
150
200
250pc2,filter
0 20 40 60-100
0
100
200
300
400
500t
0 20 40 60-50
0
50
100
150cr
0 20 40 601
1.5
2
2.5
3
3.5
4location
43
LabCPS
Falsifying φ2Throttle 93.9, Grade 0.2453
0 20 40 600
500
1000
1500
2000
2500
3000Ts
0 20 40 60-5
0
5
10
15
20veh speed
0 20 40 600
50
100
150
200
250pc2,filter
0 20 40 60-100
0
100
200
300
400
500t
0 20 40 60-50
0
50
100
150cr
0 20 40 601
1.5
2
2.5
3
3.5
4location
44
LabCPS
Satisfying φ2Throttle 93.9, Grade 0.25
0 20 40 60-1000
0
1000
2000
3000Ts
0 20 40 60-40
-20
0
20veh speed
0 20 40 600
50
100
150
200
250pc2,filter
0 20 40 60-2
0
2
4
6
8x 104 t
0 20 40 60-400
-200
0
200cr
0 20 40 601
1.2
1.4
1.6
1.8
2location
45
LabCPS
Conclusions• Functional verification of arbitrary hybrid systems
remains a challenging problem
• Robustness minimization for functional falsification offers a practical alternative
• Future work:• Study convergence properties• Demonstrate applicability over stochastic hybrid systems
46
LabCPS
AcknowledgementsStudents• Houssam Abbas - PhD (ECEE)• Bardh Hoxha – PhD (CIDSE)• Hengyi Yang – MS (CIDSE)Former Students• Y. Annapureddy - MS (CIDSE) • Che Liu – MS (CIDSE)
Recent collaborators• Aarti Gupta (NEC Labs)• Franjo Ivancic (NEC Labs)• Truong Nghiem (UPenn)• George Pappas (UPenn)• Sriram Sankaranarayanan
(U of Colorado)• Koichi Ueda (Toyota)• Hakan Yazarel (Toyota)
Tools at: https://sites.google.com/a/asu.edu/s-taliro/
Sponsors