Verified Runtime Validation for Partially Observable Hybrid Systems

Formal verification provides strong safety guarantees, but only for models of cyber-physical systems. Hybrid system models describe the required interplay of computation and physical dynamics, which is crucial to guarantee which computations lead to safe physical behavior (e.g., cars should not collide). Control computations that affect physical dynamics must act in advance to avoid possibly unsafe future circumstances. Formal verification then ensures that the controllers correctly identify and provably avoid unsafe future situations under a certain model of physics. But any model of physics necessarily deviates from reality and, moreover, any observation with real sensors and manipulation with real actuators is subject to uncertainty. This makes runtime validation a crucial step to monitor whether the model assumptions hold for the real system implementation. The key question is what property needs to be runtime-monitored and what a satisfied runtime monitor entails about the safety of the system: the observations of a runtime monitor only relate back to the safety of the system if they are themselves accompanied by a proof of correctness! For an unbroken chain of correctness guarantees, we thus synthesize runtime monitors in a provably correct way from provably safe hybrid system models. This paper addresses the inevitable challenge of making the synthesized monitoring conditions robust to partial observability due to sensor uncertainty and partial controllability due to actuator disturbance. We show that the monitoring conditions result in provable safety guarantees with fallback controllers that react to monitor violation at runtime.
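To make the abstract's central idea concrete, here is an added Python illustration (not the paper's ModelPlex synthesis and not code from its authors) of a monitor condition derived from a model's safety invariant and made robust to bounded sensor error and actuator disturbance, with a braking fallback that takes over when the monitor rejects the controller's proposal. Everything in it is a constructed assumption: a one-dimensional vehicle that must stop before an obstacle at position m, the stopping-distance invariant x + v²/(2(B−d)) ≤ m, the parameter values, the seeded uniform noise, and the names control_monitor, plant_monitor and simulate.

```python
"""Runtime monitor for a 1-D vehicle that must stop before an obstacle at
position m, made robust to bounded sensor error and actuator disturbance.
Added illustration with constructed parameters; not the paper's synthesis."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    A: float        # largest acceleration the controller may command
    B: float        # largest braking (deceleration) the controller may command
    eps: float      # length of one control cycle in seconds
    delta_x: float  # sensor error bound: |x_hat - x| <= delta_x
    delta_v: float  # sensor error bound: |v_hat - v| <= delta_v
    d: float        # actuator disturbance bound: |a_actual - a_cmd| <= d
    m: float        # obstacle position; the safety property is x <= m


def advance(x, v, a, t):
    """Constant-acceleration kinematics with velocity clipped at zero,
    i.e. the model's evolution domain v >= 0."""
    if v + a * t < 0:                       # comes to rest inside the interval
        stop = v / (-a)
        return x + v * stop + 0.5 * a * stop * stop, 0.0
    return x + v * t + 0.5 * a * t * t, v + a * t


def control_monitor(p, x_hat, v_hat, a_cmd):
    """Accept a proposed command only if, from the largest state consistent
    with the measurement and under the least favourable actual acceleration
    a_cmd + d, the vehicle can still be stopped before m using the weakest
    braking B - d the actuator guarantees (invariant x + v^2/(2(B-d)) <= m)."""
    if not (-p.B <= a_cmd <= p.A):
        return False
    b_eff = p.B - p.d
    x_n, v_n = advance(x_hat + p.delta_x, v_hat + p.delta_v, a_cmd + p.d, p.eps)
    return x_n + v_n * v_n / (2 * b_eff) <= p.m


def plant_monitor(p, v_hat_prev, a_cmd, v_hat):
    """Model-compliance check after a cycle: the observed velocity change must
    be explainable by the command plus bounded disturbance and sensor noise."""
    predicted = max(0.0, v_hat_prev + a_cmd * p.eps)
    slack = 2 * p.delta_v + p.d * p.eps
    return abs(v_hat - predicted) <= slack


def simulate(p, steps, seed=0, rogue_step=None):
    """Closed loop: the controller always proposes full acceleration and the
    monitor vetoes it into the braking fallback when unsafe. Sensor noise and
    actuator disturbance are constructed, seeded uniform draws; at rogue_step
    the disturbance exceeds its bound to show the plant monitor firing."""
    rng = random.Random(seed)
    x = v = 0.0
    v_hat_prev = a_prev = None
    max_x = fallbacks = violations = 0
    for k in range(steps):
        x_hat = x + rng.uniform(-p.delta_x, p.delta_x)
        v_hat = max(0.0, v + rng.uniform(-p.delta_v, p.delta_v))
        if a_prev is not None and not plant_monitor(p, v_hat_prev, a_prev, v_hat):
            violations += 1                 # a model assumption was broken
        a_cmd = p.A
        if not control_monitor(p, x_hat, v_hat, a_cmd):
            a_cmd, fallbacks = -p.B, fallbacks + 1
        dist = rng.uniform(-p.d, p.d) if k != rogue_step else 10 * p.d
        x, v = advance(x, v, a_cmd + dist, p.eps)
        max_x = max(max_x, x)
        v_hat_prev, a_prev = v_hat, a_cmd
    return {"max_x": max_x, "final_v": v, "fallbacks": fallbacks,
            "violations": violations}


# Constructed parameter set used by the usage below.
P = Params(A=2.0, B=4.0, eps=0.1, delta_x=0.05, delta_v=0.05, d=0.5, m=50.0)

if __name__ == "__main__":
    print(simulate(P, 200))
    print(simulate(P, 200, rogue_step=5))
```

Two design points carry the abstract's argument. First, the control monitor never evaluates the model's condition on the raw measurement: it inflates the measured state by the sensor bounds and assumes the actuator errs in the unfavourable direction, so a positive verdict on the measurement implies the condition for the true state. Second, the fallback's safety rests on the invariant, not on re-running the monitor: once a cycle has been accepted, braking with any deceleration of at least B−d keeps x + v²/(2(B−d)) from growing, so the robust monitor may well reject the fallback command itself even though it is safe. The plant monitor is what detects a violated model assumption at runtime; when it fires, as in the rogue run, the safety argument for the remaining cycles no longer holds and the fallback is best effort.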
