Controller Verification and Design with Logical Analysis Support

Modern computer-controlled systems deployed for safety-critical applications are growing increasingly large and complex. Industry professionals submit their designs to rigorous testing procedures to detect possible errors and re-design the system as necessary. Nonetheless, design errors can go undetected and appear in the final product. In safety-critical systems, these errors may cause severe financial and even human losses. As a result, the modern engineering development process needs to address safety specifications as well as performance specifications.

This dissertation proposes the use of control envelopes, which are abstractions of the input-output relation of a controller. Control envelopes can be used to verify the safety of proposed controllers. Since a control envelope does not depend on any specific controller implementation, it can be reused throughout the system development cycle. First, safety specifications can be checked against the control envelope by a static check on the input-output relation of the controller. Second, control envelopes constitute a reusable specification: initial effort devoted to computing a good control envelope pays for itself throughout the rest of the development process in terms of flexibility and reusability.

We describe a tool called Perseus that automatically checks whether a controller satisfies a control envelope. We illustrate our approach on control design case studies for autonomous driving scenarios intended to reduce accidents at traffic intersections. Our case studies make use of the theorem prover KeYmaera to verify plants controlled by control envelopes. KeYmaera uses a powerful representation language called differential dynamic logic, which supports symbolic parameters and can handle nonlinear dynamics without resorting to approximation techniques that incur errors. However, KeYmaera (and theorem-proving approaches in general) suffers from a lack of automation and often requires specialized knowledge to operate.

We propose the addition of a forward invariant cut proof rule to KeYmaera's reasoning calculus, which allows one to leverage designer insights in proofs of safety of a closed-loop system. We describe the tool Manticore, which aids the search for forward invariants. We illustrate our approach on a case study of a benchmark fuel control system.
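To make the idea of a control envelope concrete, here is an added example (not Perseus, and not code from the dissertation) that treats a control envelope as a state-dependent set of admitted control actions and performs the static input-output check the abstract describes: every sampled safe state must be mapped by the controller to an admitted action. The stop-line scenario, the kinematic model, the parameter values and both candidate controllers are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

State = Tuple[float, float]  # (d, v): distance to the stop line (m), speed (m/s)
Controller = Callable[[float, float], float]  # (d, v) -> acceleration a (m/s^2)

@dataclass(frozen=True)
class Envelope:
    """Constructed control envelope for a car approaching a stop line: action a is
    admitted at (d, v) iff, after one control period T under a, the car can still
    stop before the line by braking at -b, i.e. d >= v^2/(2b) is preserved."""
    A: float = 2.0   # maximum acceleration (m/s^2), constructed value
    b: float = 6.0   # maximum braking deceleration as a positive number (m/s^2)
    T: float = 0.5   # control period (s)

    def safe(self, d: float, v: float) -> bool:
        return v >= 0.0 and d + 1e-9 >= v * v / (2.0 * self.b)  # 1e-9: float tolerance

    def step(self, d: float, v: float, a: float) -> State:
        """Kinematic update over one period; the car stays at rest once v reaches 0."""
        if a < 0.0 and v + a * self.T < 0.0:
            t = -v / a                                  # time until standstill
            return d - (v * t + 0.5 * a * t * t), 0.0
        return d - (v * self.T + 0.5 * a * self.T ** 2), v + a * self.T

    def admits(self, d: float, v: float, a: float) -> bool:
        return -self.b <= a <= self.A and self.safe(*self.step(d, v, a))

def check_controller(ctrl: Controller, env: Envelope, states: List[State]):
    """Static check of the controller's input-output map against the envelope.
    Returns the list of (d, v, a) violations over the sampled safe states."""
    bad = []
    for d, v in states:
        a = ctrl(d, v)
        if env.safe(d, v) and not env.admits(d, v, a):
            bad.append((d, v, a))
    return bad

def sample_grid(d_max: int = 60, v_max: int = 15) -> List[State]:
    return [(float(d), float(v)) for d in range(0, d_max + 1, 2) for v in range(v_max + 1)]

def naive_controller(d: float, v: float) -> float:
    """Hypothetical design: accelerate until 15 m from the line, then brake hard."""
    return 2.0 if d > 15.0 else -6.0

def envelope_guided(env: Envelope) -> Controller:
    """Hypothetical design that consults the envelope: accelerate if admitted, else brake."""
    return lambda d, v: env.A if env.admits(d, v, env.A) else -env.b
```

Because braking at -b from any safe state preserves d >= v^2/(2b), the envelope-guided controller passes the check, while the naive one is caught at states such as (d, v) = (18, 14) where accelerating for one more period leaves no room to stop.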
