Formal Methods for Design and Verification of Embedded Control Systems: Application to an Autonomous Vehicle

The design of reliable embedded control systems inherits the difficulties of designing both control systems and distributed (concurrent) computing systems. Design bugs in these systems may arise from unforeseen interactions among the computing, communication and control subsystems. Motivated by the difficulty of finding this type of design bug, this thesis develops mathematical frameworks, based on formal methods, to facilitate the design and analysis of such embedded systems. Linear temporal logic (LTL), an expressive specification language, is used to specify the desired system properties. The practicality of the proposed frameworks is demonstrated through autonomous vehicle case studies and autonomous urban driving problems. Our approach incorporates methodology from computer science and control, including model checking, theorem proving, synthesis of digital designs, reachability analysis, Lyapunov-type methods and receding horizon control. This thesis consists of two complementary parts, namely verification and design. First, we introduce Periodically Controlled Hybrid Automata (PCHA), a subclass of hybrid automata that abstractly captures a common design pattern in embedded control systems. New sufficient conditions that exploit the structure of PCHAs in order to simplify their invariant verification are presented. Although this technique simplifies the invariant verification of PCHAs, finding a proper invariant remains a challenging problem. To complement the verification efforts, in the second part of the thesis we present a methodology for automatic synthesis of embedded control software that provides a formal guarantee of system correctness with respect to its desired properties expressed in linear temporal logic. The correctness of the system is guaranteed even in the presence of an adversary (typically arising from changes in the environment), disturbances and modeling errors. A receding horizon framework is proposed to alleviate the computational complexity associated with LTL synthesis. The effectiveness of this framework is demonstrated through the autonomous urban driving problems.