ModelPlex: verified runtime validation of verified cyber-physical system models

Formal verification and validation play a crucial role in making cyber-physical systems (CPS) safe. Formal methods make strong guarantees about the system behavior if accurate models of the system can be obtained, including models of the controller and of the physical dynamics. In CPS, models are essential; but any model we could possibly build necessarily deviates from the real world. If the real system fits the model, its behavior is guaranteed to satisfy the correctness properties verified w.r.t. the model. Otherwise, all bets are off. This paper introduces ModelPlex, a method ensuring that verification results about models apply to CPS implementations. ModelPlex provides correctness guarantees for CPS executions at runtime: it combines offline verification of CPS models with runtime validation of system executions for compliance with the model. ModelPlex ensures that the verification results obtained for the model apply to the actual system runs by monitoring the behavior of the world for compliance with the model, assuming the system dynamics deviation is bounded. If, at some point, the observed behavior no longer complies with the model so that offline verification results no longer apply, ModelPlex initiates provably safe fallback actions. This paper, furthermore, develops a systematic technique to synthesize provably correct monitors automatically from CPS proofs in differential dynamic logic.
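The following is an added illustration of the monitoring scheme the abstract describes; it is not code from the paper or from the KeYmaera X / ModelPlex tools. It assumes a constructed one-dimensional vehicle model (controller picks an acceleration in [-B, A]; plant follows x' = v, v' = a for at most EPS seconds; the safety property is that position never passes STOP) with made-up parameter values. A model monitor checks, in closed form, whether some run of that model explains the observed pre-state to post-state transition up to a deviation tolerance; a controller monitor checks that a proposed decision is one the model permits; and a Simplex-style wrapper switches to the fallback (full braking) the moment either monitor fails.

```python
from dataclasses import dataclass

# Constructed model parameters (assumed for this example, not from the paper).
A = 2.0       # maximum acceleration the model allows
B = 4.0       # maximum braking deceleration the model allows
EPS = 0.5     # upper bound on the time between two controller runs
STOP = 100.0  # position the vehicle must never pass (the verified safety property)
TOL = 1e-3    # tolerance for the assumed bounded deviation between model and measurements


@dataclass(frozen=True)
class State:
    x: float  # measured position
    v: float  # measured velocity, modelled as non-negative


def safe_to_accelerate(s: State) -> bool:
    """Controller guard of the kind proven safe offline for such models (assumed here):
    accelerating for up to EPS seconds still leaves room to brake to a stop before STOP."""
    return s.x + s.v ** 2 / (2 * B) + (A / B + 1) * (A / 2 * EPS ** 2 + EPS * s.v) <= STOP


def controller_monitor(s: State, a: float) -> bool:
    """Controller monitor: is the proposed acceleration a choice the verified model makes
    from state s? The model only ever accelerates at A (when the guard holds) or brakes at -B."""
    if abs(a - A) <= TOL:
        return safe_to_accelerate(s)
    return abs(a + B) <= TOL


def model_monitor(pre: State, post: State) -> bool:
    """Model monitor: does some model run (constant a in [-B, A] for a duration t in (0, EPS])
    explain the observed transition pre -> post?  For x' = v, v' = a the solution is
    x_post = x + v*t + a*t^2/2 and v_post = v + a*t, which gives t = 2(x_post - x)/(v + v_post)
    and a = (v_post - v)/t; both are then checked against the model's bounds."""
    if post.v < -TOL:
        return False                      # negative velocity is outside the model's domain
    if pre.v + post.v <= TOL:
        # Vehicle stood still for the whole interval: the model says nothing may change.
        return abs(post.x - pre.x) <= TOL and abs(post.v - pre.v) <= TOL
    t = 2 * (post.x - pre.x) / (pre.v + post.v)
    if not (TOL < t <= EPS + TOL):
        return False                      # no duration within the sampling bound fits
    a = (post.v - pre.v) / t
    return -B - TOL <= a <= A + TOL       # the implied acceleration must be admissible


def supervised_step(pre: State, post: State, proposed_a: float) -> float:
    """Simplex-style wiring: let the proposed acceleration through only while the last
    transition complied with the model and the new decision is one the model allows;
    otherwise fall back to full braking, the model's provably safe action."""
    if model_monitor(pre, post) and controller_monitor(post, proposed_a):
        return proposed_a
    return -B


if __name__ == "__main__":
    # Constructed sample transitions: one consistent with the model, one not.
    ok = supervised_step(State(0.0, 10.0), State(4.75, 9.0), A)        # model run with a=-2, t=0.5
    bad = supervised_step(State(0.0, 10.0), State(5.0, 20.0), A)       # would need a=30 > A
    print("compliant transition -> acceleration", ok)
    print("non-compliant transition -> fallback", bad)
```

Because the monitor is derived from the model's own solution, each check is a single arithmetic test per sampling period; the tolerance `TOL` is where the abstract's bounded-deviation assumption enters, and tightening it trades false alarms for sensitivity to an implementation drifting away from the verified model.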
