Dynamic Analysis of Cyber-Physical Systems
Parasara Sridhar Duggirala
Trends in Air Traffic
Air traffic is going to double in the next 20-25 years
Improving throughput of airports
Cost of adding runways ~ $15B+
Packing more planes on runways
Physical limits to packing, e.g. wake vortices
Human in the loop
Solution: Software
Safe Parallel Landing From NASA: Ensuring Safe Separation
[Figure: Ownship at $(x_o, y_o)$ with velocity $\langle v_{xo}, v_{yo}\rangle$ and Intruder at $(x_i, y_i)$ with velocity $\langle v_{xi}, v_{yi}\rangle$ approaching parallel runways; the safe-separation box around the ownship has sides $s_x$, $s_y$]
Ensure safety among ownship and intruder
Fail-safe alarming system ALAS by NASA (similar to TCAS)
◦ Issues an alarm 4 seconds before aircraft violate safe separation
Did they get it right?

ALAS: New Alerting Mechanism, A Typical Cyber-Physical System
Motion described by ODEs: $\frac{d}{dt} x_i = v_{xi};\ \frac{d}{dt} y_i = v_{yi};\ \dots$
Software changes the type of motion
[Figure: the intruder flies in an approach mode $\dot{x} = f_a(x)$ and switches to a turn mode $\dot{x} = f_b(x)$ at $t = 3$]
Continuous behavior + software control = CPS
CPS Everywhere!
Problems in CPS
Toyota recalled 1.9 million Prius cars (total cars recalled in 2013 ~20M)
FDA report: software failure is responsible for 24% of recalls of medical devices (of 2M)
Northeast blackout of 2003 was caused by a race condition
My Research: Develop Tools, Techniques, and Algorithms for Design, Analysis, and Verification of CPS
Outline
Introduction
◦ Need for Verification of Cyber-Physical Systems and its Challenges
◦ Overview of My Research
Overview of Abstraction-Refinement
Dynamic Analysis
◦ Algorithm for Dynamic Analysis
◦ Verifying the Alerting Protocol in Parallel Landing
◦ Verifying Powertrain Control System
Future Work
Simulation/Testing Based Design Methodology
Modeling
• Build a model, e.g. Simulink/Stateflow
Analysis
• Simulate/Test the model with several configurations, e.g. with different initial positions and velocities of aircraft
Deployment
• Prototype deployment
• Industrial production

Simulation/Testing Does Not Find All Bugs
Simulations do not give coverage guarantees
Manifestation of bugs in the deployment stage is catastrophic
Are there any alternative techniques to provide guarantees in safety-critical CPS?
Formal Verification Can Give Guarantees
Formal Verification: Prove that the system does not have any bugs
Checking all possible behaviors of the system
Model Checking – industrial practice in Hardware
Reachable Set: Set of all possible states that can be reached
[Figure: reachable positions of the Intruder and Ownship under approach $\dot{x} = f_a(x)$ and turn $\dot{x} = f_b(x)$, switching at $t = 3$]
Represent the reachable set in a symbolic format. Ex: $x_i \ge 4 \wedge x_i \le 10 \wedge y_i \ge 20 \wedge y_i \le 25$
Undecidability Barrier for CPS Verification
Reachable set computation is undecidable for simple CPS
◦ Two variables $\dot{x} = 1$, $\dot{y} = 2$ with different modes [Alur, Henzinger '96]

Scalability Barrier for CPS Verification
For linear systems $\dot{v} = Av$, the analytical solution is $v(t) = e^{At} v(0)$
Matrix exponentials $e^{At}$ cannot be computed exactly
Symbolic and numerical techniques suffer the curse of dimensionality [Frehse '12]
Toyota Powertrain Control System
$\dot{p} = c_1\left(2\theta\,(c_{20} p^2 + c_{21} p + c_{22}) - c_{12}(c_2 + c_3 \omega p + c_4 \omega p^2 + c_5 \omega^2 p)\right)$
$\dot{\lambda} = c_{26}\left(c_{15} + c_{16} c_{25} F_c + c_{17} c_{25}^2 F_c^2 + c_{18}\,\dot{m}_c + c_{19}\,\dot{m}_c c_{25} F_c - \lambda\right)$
$\dot{p}_e = c_1\left(2 c_{23}\theta\,(c_{20} p^2 + c_{21} p + c_{22}) - (c_2 + c_3 \omega p + c_4 \omega p^2 + c_5 \omega^2 p)\right)$
$\dot{i} = c_{14}(c_{24}\lambda - c_{11})$
where
$F_c = \frac{1}{c_{11}}\left(1 + i + c_{13}(c_{24}\lambda - c_{11})\right)(c_2 + c_3 \omega p + c_4 \omega p^2 + c_5 \omega^2 p)$
$\dot{m}_c = c_{12}(c_2 + c_3 \omega p + c_4 \omega p^2 + c_5 \omega^2 p)$
No closed-form solution for nonlinear systems
My Research: Developing scalable verification techniques to handle industrial CPS
Research Overview: Verification of CPS
[Figure: research map. Horizontal axis: Simple Continuous Dynamics → Complex Nonlinear Dynamics; vertical axis: Simple computation → Distributed computation. Abstraction-Refinement: [ICCPS'11], [HSCC'12], [VMCAI'13], [EMSOFT'13]* (*best paper award at EMSOFT 2013). Dynamic Analysis: [EMSOFT'13], [TACAS'15], [RTSS'12], [FM'14], [CAV'15]. Verification Tools: UPPAAL, HyTech, SpaceEx, …]
Abstraction Refinement - Overview
[Figure: Abstract → Verify → Refine → Validate loop. Abstract: Concrete System → Abstract System. Verify: Certificate, or Abstract Counterexample. Validate: Concrete Counterexample, or Spurious Counterexample → New Abstraction]
$\mathit{behaviors}(\text{Concrete System}) \subseteq \mathit{behaviors}(\text{Abstract System})$
Region Stability [ICCPS'11, HSCC'12]
◦ New techniques for proving stability of systems with unstable modes
Safety [VMCAI'13, EMSOFT'13*]
◦ Discovered new decidable class of linear systems. Proved systems with 28 dimensions
*won the best paper award at EMSOFT 2013
Dynamic Analysis
NASA's ALAS Protocol
Fail-safe alarming system ALAS by NASA
◦ Issues an alarm 4 seconds before aircraft violate safe separation
Ownship and Intruder landing on nearby parallel runways
Unexpected trajectory of Intruder
[Figure: Intruder switches from approach $\dot{x} = f_a(x)$ to turn $\dot{x} = f_b(x)$ at $t = 3$, heading toward the Ownship]
Validation of ALAS by performing several simulations – no proof
Proving that ALAS works
1. Compute all trajectories that violate safe separation (unsafe)
2. For unsafe trajectories, prove that alarm is issued 4 seconds before safe separation is violated
Computing Unsafe Trajectories
Let us consider a simple motion of intruder and compute all trajectories that are unsafe
Compute unsafe trajectories (overapproximation) from samples

Exploiting Continuity for Dynamic Analysis
Continuity property
◦ Trajectories starting close stay close
◦ In the limit, the distance between trajectories goes to zero
[Figure: trajectories $x_1(t)$, $x_2(t)$, $x_3(t)$ from nearby initial states $x_1$, $x_2$, $x_3$]

Discrepancy Function
Discrepancy function $\beta$ that captures continuity
◦ $|x_1(t) - x_2(t)| \le \beta(|x_1 - x_2|, t)$
◦ $\beta(|x_1 - x_2|, t) \to 0$ as $|x_1 - x_2| \to 0$
Safety Verification Algorithm
Given a discrepancy function $\beta$, how to obtain unsafe trajectories from sample simulations:
Partition the initial set into $\delta$-neighborhoods
Simulate from the center of each neighborhood
Bloat the simulation by $\epsilon = \beta(\delta, t)$
Check if all trajectories are safe
If all neighborhoods are safe, return safe
If any neighborhood violates safety, return violated
Else, refine the partitioning (better overapproximation)
Algorithm can be applied to any nonlinear system with a given discrepancy function
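The partition / simulate / bloat / check / refine loop above, written out as an added example; this is not code from the talk or from C2E2. The plant (a stable 2-D linear spiral), the initial box, the unsafe half-spaces and the horizon are constructed. The discrepancy function $\beta(\delta, t) = \delta e^{-t}$ is exact for this plant because its matrix is normal with eigenvalues $-1 \pm 2i$; a plain RK4 integrator stands in for the validated simulation engine the sound version needs. A cell is reported unsafe only when its centre simulation itself enters the unsafe set (a concrete counterexample); if merely the bloated tube touches the unsafe set the cell is refined.

```python
"""Simulation-based safety verification with a discrepancy function.

Added example, not code from the talk or from C2E2. The plant, the
initial set, the unsafe sets and the horizon are constructed.
"""
import itertools
import math


def spiral(v):
    """Constructed plant: v' = A v with A = [[-1, 2], [-2, -1]]."""
    x, y = v
    return (-x + 2.0 * y, -2.0 * x - y)


def beta(dist, t):
    """Discrepancy function for `spiral`: A is normal with eigenvalues
    -1 +/- 2i, so ||e^{At}||_2 = e^{-t} and |x1(t) - x2(t)| = |x1 - x2| e^{-t}
    holds exactly (a Lipschitz bound would give e^{+L t} instead)."""
    return dist * math.exp(-t)


def simulate(f, v0, horizon, dt):
    """Fixed-step RK4; returns [(t, state), ...] at t = 0, dt, 2dt, ...
    A validated simulator (interval enclosures) is what a sound tool needs;
    plain RK4 is used here for illustration."""
    n = len(v0)
    v = tuple(v0)
    out = [(0.0, v)]
    for k in range(1, int(round(horizon / dt)) + 1):
        k1 = f(v)
        k2 = f(tuple(v[i] + 0.5 * dt * k1[i] for i in range(n)))
        k3 = f(tuple(v[i] + 0.5 * dt * k2[i] for i in range(n)))
        k4 = f(tuple(v[i] + dt * k3[i] for i in range(n)))
        v = tuple(v[i] + dt / 6.0 * (k1[i] + 2.0 * k2[i] + 2.0 * k3[i] + k4[i])
                  for i in range(n))
        out.append((k * dt, v))
    return out


def partition(box, delta):
    """Cover the initial box with cells of side <= delta.
    Yields (center, radius): the 2-norm ball of that radius around the
    center contains the whole cell, so it is a delta-neighbourhood."""
    axes = []
    for lo, hi in box:
        cells = max(1, int(math.ceil((hi - lo) / delta - 1e-9)))
        side = (hi - lo) / cells
        axes.append([(lo + (j + 0.5) * side, side / 2.0) for j in range(cells)])
    for cell in itertools.product(*axes):
        center = tuple(c for c, _ in cell)
        radius = math.sqrt(sum(h * h for _, h in cell))
        yield center, radius


def halfspace_distance(a, c):
    """Unsafe set {v : a . v <= c}. Returns dist(v) = Euclidean distance
    from v to the set, 0 when v is already inside it."""
    norm = math.sqrt(sum(ai * ai for ai in a))

    def dist(v):
        return max(0.0, (sum(ai * vi for ai, vi in zip(a, v)) - c) / norm)
    return dist


def check_cell(traj, radius, disc, dist):
    """Classify one delta-neighbourhood from its centre simulation.
    'unsafe' : the simulated trajectory itself enters the unsafe set
               (a concrete counterexample);
    'refine' : only the bloated tube touches the unsafe set;
    'safe'   : the whole tube stays clear of it."""
    status = "safe"
    for t, v in traj:
        d = dist(v)
        if d == 0.0:
            return "unsafe"
        if d <= disc(radius, t):
            status = "refine"
    return status


def verify(f, disc, init_box, dist, horizon, delta, dt=0.01, min_delta=1e-3):
    """Partition, simulate, bloat, check, refine. Returns (verdict, delta)."""
    while delta >= min_delta:
        refine = False
        for center, radius in partition(init_box, delta):
            status = check_cell(simulate(f, center, horizon, dt), radius, disc, dist)
            if status == "unsafe":
                return "unsafe", delta
            if status == "refine":
                refine = True
        if not refine:
            return "safe", delta
        delta /= 2.0
    return "unknown", delta


INIT_BOX = [(0.9, 1.1), (-0.1, 0.1)]   # constructed initial set
HORIZON = 3.0

if __name__ == "__main__":
    for c in (-0.5, -0.15, -0.245):
        unsafe = halfspace_distance((1.0, 0.0), c)   # x <= c is unsafe
        print(f"x <= {c:+.3f}:", verify(spiral, beta, INIT_BOX, unsafe, HORIZON, delta=0.2))
```

With the unsafe set $x \le -0.5$ the single initial cell is certified safe; with $x \le -0.15$ the centre simulation itself crosses into the unsafe set and is returned as the counterexample; with $x \le -0.245$ the first tube only touches the unsafe set, the partition is halved, and the centre of one of the four sub-cells then reaches $x \approx -0.252$, which is the violation.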
Soundness and Completeness Results
Theorem [Soundness]: Given any HA $A$, with an initial set $\Theta$ and unsafe set $U$, if the algorithm terminates and returns safe (unsafe) then the system is indeed safe (unsafe)
◦ Always performing a sound analysis: $|x_1(t) - x_2(t)| \le \beta(|x_1 - x_2|, t)$
Theorem [Relative Completeness]: Given any HA $A$, with an initial set $\Theta$ and unsafe set $U$, if the system is robustly safe (unsafe) then the algorithm terminates and returns the correct answer
◦ Improving the partitioning improves the approximation: $\beta(|x_1 - x_2|, t) \to 0$ as $|x_1 - x_2| \to 0$
C2E2: A Tool For Verifying Stateflow Models
Comparison with Existing Approaches on Academic Benchmarks
Benchmark                  Variables  Sims.  C2E2 (time)  Flow* (time)  Ariadne (time)
Moore-Greitzer Jet Engine      2        36       1.56        10.54          56.57
Brusselator System             2       115       5.26        16.77          72.75
Van der Pol Oscillator         2        17       0.75         8.93          98.36
Coupled Van der Pol            4        62       1.43        90.96         270.61
Sinusoidal Tracking            6        84       3.68        48.63         763.32
Linear Adaptive                3        16       0.47        NA             NA
Nonlinear Adaptive             2        32       1.23        NA             NA
Nonlinear Disturbance          3        48       1.52        NA             NA
Back To Parallel Landing
Fail-safe alarming system ALAS by NASA
◦ Issues an alarm 4 seconds before aircraft violate safe separation
Proving that ALAS works
1. Compute all trajectories that violate safe separation (unsafe)
2. For unsafe trajectories, prove that alarm is issued 4 seconds before safe separation is violated
How to analyze the $\mathit{Alarm}$ predicate?
Alarm Predicate
$\mathit{Alarm}_i = \{x \mid \exists t \in [0, T],\ \mathit{proj}_i(x, t) \in \mathit{Unsafe}\}$, where $\mathit{proj}_i$ are different worst-case scenarios of the intruder
If any of the projected behaviors can violate the safety envelope of the ownship, then raise $\mathit{Alarm}$
[Figure: Ownship track and two intruder projections $\mathit{proj}_1$, $\mathit{proj}_2$ with their points of intersection]
A common design principle in MPC: estimate the worst possible behavior and correct your trajectory

Alarm Predicate Closed Form
Implicit solution of the differential equation (intruder turning at rate $\omega$ on a circle of radius $r$ centred at $(c_x, c_y)$):
$\mathit{dir} = \mathrm{sign}\big((x_o - x_i)\, v_{yi} - (y_o - y_i)\, v_{xi}\big)$
$r = \frac{\sqrt{v_{xi}^2 + v_{yi}^2}}{\omega};\quad c_x = x_i + \mathit{dir} \times \frac{v_{yi}}{\omega};\quad c_y = y_i + \mathit{dir} \times \frac{v_{xi}}{\omega}$
$\text{if } r^2 (v_{xo}^2 + v_{yo}^2) - \big((x_o - c_x)\, v_{yo} - (y_o - c_y)\, v_{xo}\big)^2 < 0;\ \mathit{Alarm} = 0$
Time of intersection of the trajectories:
$M = (x_o - c_x)\, v_{xo} + (y_o - c_y)\, v_{yo};\quad N = \frac{1}{r^2}\big((x_o - c_x)(x_i - c_x) + (y_o - c_y)(y_i - c_y)\big)$
$t_o = \frac{1}{v_{xo}^2 + v_{yo}^2}\Big[-M + \sqrt{M^2 - (v_{xo}^2 + v_{yo}^2)\big((x_o - c_x)^2 + (y_o - c_y)^2 - r^2\big)}\Big]$
$t_i = \mathrm{abs}\Big(\frac{r}{\mathit{dir} \times \sqrt{v_{xo}^2 + v_{yo}^2}} \times \arccos(N)\Big)$
Condition for issuing $\mathit{Alarm}$:
$\text{if } \big(t_o > t_i \wedge (t_o - t_i)^2 (v_{xo}^2 + v_{yo}^2) < \mathit{Front}^2\big);\ \mathit{Alarm} = 1$
$\text{if } \big(t_i > t_o \wedge (t_o - t_i)^2 (v_{xo}^2 + v_{yo}^2) < \mathit{Back}^2\big);\ \mathit{Alarm} = 1$
Current state-of-the-art solvers cannot handle this predicate
Analyzing Predictive Predicate Alarm
Implicit solutions → numerical solutions
Expressions for $t_o$, $t_i$ → sound numerical approximations $T_o$, $T_i$
Condition of issuing Alarm → Overapproximation $\mathit{Alarm}'$
$\mathit{Alarm}_i(x) \equiv \text{if } t_i > t_o \text{ then } \Delta t^2 (v_{xi}^2 + v_{yi}^2) < \mathit{Back}^2 \text{ else } \Delta t^2 (v_{xi}^2 + v_{yi}^2) < \mathit{Front}^2$
$\mathit{Alarm}'_i(x) \equiv \text{if } T_i > T_o \text{ then } \Delta T^2 (v_{xi}^2 + v_{yi}^2) < \mathit{Back}^2 \text{ else } \Delta T^2 (v_{xi}^2 + v_{yi}^2) < \mathit{Front}^2$
[Figure: Ownship, Intruder, projections $\mathit{proj}_1$, $\mathit{proj}_2$ and their points of intersection]
Verifying ALAS System
Verified the property that Alarm is raised at least 4 time units before safety violation for different configurations in the order of minutes
Identified False Alarm configurations and Missed Alarm configurations
Alarm ≼4 Unsafe: Alarm is raised at least 4 time units before Unsafe; Alarm ≼? Unsafe: the lead time found when the property fails
Scenario   Alarm ≼4 Unsafe   Running time (mins:sec)   Alarm ≼? Unsafe
6          False             3:27                      2.16
7          True              1:13                      –
8          True              2:21                      –
6.1        False             7:18                      1.54
7.1        True              2:34                      –
8.1        True              4:55                      –
9          False             2:18                      1.8
10         False             3:04                      2.4
9.1        False             4:30                      1.8
10.1       False             6:11                      2.4
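The two-step check (find the unsafe trajectories, then show the alarm precedes them by at least 4 s) run on a single constructed configuration rather than on a reach tube, as an added example; this is neither NASA's ALAS code nor the closed-form predicate shown earlier. The alarm is implemented directly as the worst-case projection of the Alarm predicate: from the current state the intruder is projected for the look-ahead horizon as either continuing straight or turning toward either side at an assumed rate, and the alarm fires if any projection loses separation. Speeds, runway spacing, turn rates, the look-ahead horizon and the threshold are constructed, and only lateral separation is used as the unsafe criterion. Two configurations are compared: one where the intruder turns at the rate the alarm assumes, and one where it turns faster than assumed; the second yields a lead time below 4 s, the missed-alarm kind of configuration the table above reports.

```python
"""Alarm predicate as a worst-case projection, with a lead-time check.

Added example: not NASA's ALAS code and not the closed-form predicate on
the slides. Kinematics, speeds, runway spacing, turn rates and the
separation threshold are constructed. Only lateral (cross-runway)
separation is used as the unsafe criterion.
"""
import math

V = 70.0             # constructed: both aircraft fly at 70 m/s
S_X = 300.0          # constructed: lateral separation below this is unsafe
OMEGA_MODEL = 0.05   # constructed: turn rate (rad/s) the alarm assumes as worst case
REQUIRED_LEAD = 4.0  # the protocol's requirement: alarm >= 4 s before violation


def advance(state, omega, tau):
    """Closed-form constant-turn-rate motion for time tau.
    state = (x, y, heading); heading is measured from the runway axis (+y)
    toward -x, i.e. toward the ownship's runway; omega > 0 turns that way."""
    x, y, a = state
    if abs(omega) < 1e-12:                       # straight flight
        return (x - V * tau * math.sin(a), y + V * tau * math.cos(a), a)
    r = V / omega                                # signed turn radius
    a1 = a + omega * tau
    return (x - r * (math.cos(a) - math.cos(a1)),
            y + r * (math.sin(a1) - math.sin(a)),
            a1)


def lateral_unsafe(own_x, intruder_x):
    return abs(own_x - intruder_x) < S_X


def alarm(own_x, intruder, horizon, dt=0.1):
    """Alarm_i = exists t in [0, horizon] with proj_i(x, t) in Unsafe, for the
    worst-case projections: intruder keeps straight, or turns toward either
    side at OMEGA_MODEL; the ownship continues straight down its runway."""
    steps = int(round(horizon / dt))
    for omega in (0.0, OMEGA_MODEL, -OMEGA_MODEL):
        for j in range(steps + 1):
            px, _, _ = advance(intruder, omega, j * dt)
            if lateral_unsafe(own_x, px):
                return True
    return False


def lead_time(actual_omega, turn_start, horizon, end=60.0, dt=0.1):
    """Constructed scenario: the intruder approaches on a runway 1000 m to the
    side, then from turn_start turns toward the ownship at actual_omega
    (the ownship never deviates). Returns (alarm_time, unsafe_time, lead),
    each None if the event does not occur before `end`."""
    own_x = 0.0
    start = (1000.0, V * turn_start, 0.0)
    alarm_t = unsafe_t = None
    for k in range(int(round(end / dt)) + 1):
        t = k * dt
        if t <= turn_start:
            intruder = (1000.0, V * t, 0.0)
        else:
            intruder = advance(start, actual_omega, t - turn_start)
        if alarm_t is None and alarm(own_x, intruder, horizon, dt):
            alarm_t = t
        if lateral_unsafe(own_x, intruder[0]):
            unsafe_t = t
            break
    lead = None if alarm_t is None or unsafe_t is None else unsafe_t - alarm_t
    return alarm_t, unsafe_t, lead


def classify(alarm_t, unsafe_t, required=REQUIRED_LEAD):
    """Outcome of one configuration, in the terms of the ALAS results table."""
    if unsafe_t is None:
        return "false alarm" if alarm_t is not None else "safe"
    if alarm_t is None or unsafe_t - alarm_t < required:
        return "missed alarm"
    return "ok"


if __name__ == "__main__":
    for actual in (OMEGA_MODEL, 0.07):
        a_t, u_t, lead = lead_time(actual, turn_start=3.0, horizon=4.0)
        print(f"intruder turns at {actual} rad/s: alarm {a_t}, unsafe {u_t}, "
              f"lead {lead}: {classify(a_t, u_t)}")
```

With a 4 s look-ahead and an intruder that behaves exactly as modelled, the alarm fires at t = 20.0 and separation is lost at t = 24.0, a lead of 4.0 s. When the intruder turns at 0.07 rad/s instead of the modelled 0.05 rad/s the projection underestimates its progress, the alarm fires at t = 17.2 and separation is lost at t = 21.1, a lead of 3.9 s; the same check on a reach tube instead of one trajectory is what turns this into a proof or a certified counterexample.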
How do we get discrepancy functions?
Finding Discrepancy Functions
Sufficient conditions for finding discrepancy functions (borrowed from Control Theory)
◦ Lipschitz continuity: if $\dot{x} = f(x)$ has Lipschitz constant $L$, then $|x_1(t) - x_2(t)| \le |x_1 - x_2|\, e^{Lt}$
◦ Contraction metric: if $J^T M + M J + b_M M \preceq 0$, then $\exists k, \delta > 0$ with $|x_1(t) - x_2(t)|^2 \le k\, |x_1 - x_2|^2\, e^{-\delta t}$
◦ Incremental Lyapunov function: with function $V$, $|x_1(t) - x_2(t)| \le k\, |x_1 - x_2|$ where $k = F(V)$
Finding such discrepancy functions automatically
◦ Nonlinear optimization for Lipschitz continuity
◦ For $\dot{v} = Av$ that are exponentially stable, compute a Lyapunov function
◦ Solving LMIs using Sum-Of-Squares tools to compute a contraction metric
For the benchmark nonlinear systems, automatic techniques could find discrepancy functions
Toyota Powertrain Control System (dynamics as given earlier)
Is it possible to find discrepancy functions automatically for this system?
SOS Tools failed to find any discrepancy functions

On-The-Fly Discrepancy
Computing discrepancy function from simulations and static analysis [Fan et al. '15]
Sketch:
◦ Simulate from a given neighborhood
◦ Compute overestimate of behaviors – Lipschitz constant
◦ Compute better bounds by analyzing eigenvalues of Jacobian
We apply the on-the-fly discrepancy function for verifying the Powertrain control system
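The last two steps of the sketch, carried out for the Van der Pol oscillator from the benchmark table, as an added example that is not the Fan et al. '15 code or C2E2's implementation. Over a box of states it derives two exponential rates from the Jacobian by interval reasoning rather than sampling, so both are sound for every state in the box: a Lipschitz constant (via the Frobenius norm, which bounds the spectral norm) giving $|x_1(t) - x_2(t)| \le |x_1 - x_2| e^{Lt}$, and the tighter rate from the largest eigenvalue of the symmetric part of the Jacobian, giving $|x_1(t) - x_2(t)| \le |x_1 - x_2| e^{\lambda t}$. The box, $\mu$ and the time used in the comparison are assumptions; both bounds hold only while the two trajectories remain inside the box, which the on-the-fly procedure has to check.

```python
"""On-the-fly discrepancy rates for the Van der Pol oscillator.

Added example, not code from the talk, from C2E2 or from Fan et al. '15.
Computes two exponential discrepancy rates over a box of states from
the Jacobian: a Lipschitz-constant rate and the tighter rate from the
eigenvalues of the symmetric part of the Jacobian. Box and mu assumed.
"""
import math


def vdp(v, mu=1.0):
    """Van der Pol: x' = y, y' = mu (1 - x^2) y - x  (assumes mu > 0)."""
    x, y = v
    return (y, mu * (1.0 - x * x) * y - x)

# Jacobian of vdp:  J = [[0, 1], [-2 mu x y - 1, mu (1 - x^2)]]


def _range_product(xi, yi):
    """Range of x*y over a box; a bilinear form attains its extremes at corners."""
    corners = [a * b for a in xi for b in yi]
    return min(corners), max(corners)


def _range_square(xi):
    """Range of x^2 over an interval (0 is the minimum if the interval contains 0)."""
    lo, hi = xi
    hi2 = max(lo * lo, hi * hi)
    lo2 = 0.0 if lo <= 0.0 <= hi else min(lo * lo, hi * hi)
    return lo2, hi2


def discrepancy_rates(xi, yi, mu=1.0):
    """Return (L, lam), both valid for every state in the box xi x yi.

    L   : Lipschitz constant bound, max ||J||_2 <= max ||J||_F, which gives
          |x1(t) - x2(t)| <= |x1 - x2| e^{L t}.
    lam : bound on the largest eigenvalue of (J + J^T)/2 over the box, which
          gives |x1(t) - x2(t)| <= |x1 - x2| e^{lam t}.
    Both hold as long as the two trajectories stay inside the box."""
    plo, phi = _range_product(xi, yi)
    # c = -2 mu x y - 1 ranges over -2 mu [plo, phi] - 1
    c_lo, c_hi = -2.0 * mu * phi - 1.0, -2.0 * mu * plo - 1.0
    c_abs = max(abs(c_lo), abs(c_hi))
    s_lo, s_hi = _range_square(xi)
    # d = mu (1 - x^2)
    d_lo, d_hi = mu * (1.0 - s_hi), mu * (1.0 - s_lo)
    d_abs = max(abs(d_lo), abs(d_hi))
    lipschitz = math.sqrt(1.0 + c_abs * c_abs + d_abs * d_abs)
    # symmetric part of J is [[0, b], [b, d]] with b = (1 + c)/2 = -mu x y;
    # its largest eigenvalue d/2 + sqrt(d^2/4 + b^2) is increasing in d and
    # in |b|, so evaluating it at d_hi and max|b| bounds it over the box
    b_abs = mu * max(abs(plo), abs(phi))
    lam = d_hi / 2.0 + math.sqrt(d_hi * d_hi / 4.0 + b_abs * b_abs)
    return lipschitz, lam


def bloat(delta, t, rate):
    """beta(delta, t) = delta e^{rate t}: radius to bloat a simulation by."""
    return delta * math.exp(rate * t)


if __name__ == "__main__":
    box_x, box_y = (1.5, 2.0), (-0.2, 0.2)     # assumed neighbourhood
    L, lam = discrepancy_rates(box_x, box_y)
    print(f"Lipschitz rate {L:.4f}, Jacobian-eigenvalue rate {lam:.4f}")
    print(f"bloat of a 0.1 ball after 1 s: {bloat(0.1, 1.0, L):.3f} "
          f"vs {bloat(0.1, 1.0, lam):.4f}")
```

On the box $x \in [1.5, 2]$, $y \in [-0.2, 0.2]$ the Lipschitz rate is about 3.64 while the Jacobian-eigenvalue rate is about 0.12, so after one second a 0.1 ball bloats to 3.8 under the first bound and to 0.11 under the second; the refinement loop needs far fewer, and far smaller, cells with the second.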
Powertrain Verification Results
Verified many key specifications for a given set of driver behaviors (first to do so!)
Safety properties
Property                                                                    Mode        Sat   Sim.   Time
$\Box\, \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                   all modes   Yes   53     11m58s
$\Box\, \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                   startup     Yes   50     10m21s
$\Box\, \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                   normal      Yes   50     10m21s
$\Box\, \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                   power       Yes   53     11m12s
$\Box\, \lambda \in [0.8\lambda_{ref}, 1.2\lambda_{ref}]$                   power       No    4      0m43s
Performance properties
$\mathit{rise} \Rightarrow \Box_{(\eta,\xi)}\, \lambda \in [0.98\lambda_{ref}, 1.02\lambda_{ref}]$          normal   Yes   50   10m15s
$(l = \mathit{pwr}) \Rightarrow \Box_{(\eta,\xi)}\, \lambda \in [0.95\lambda_{ref}, 1.05\lambda_{ref}]$     power    Yes   53   11m35s
$(l = \mathit{pwr}) \Rightarrow \Box_{(\eta/2,\xi)}\, \lambda \in [0.95\lambda_{ref}, 1.05\lambda_{ref}]$   power    No    4    0m45s
Future Work
Doomsday in 10 Years!
With great software comes great risk!
Avoiding The Doomsday
Building Certified CPS
Software Verification + Dynamic Analysis = Certified CPS
Dynamic Analysis – taming complex dynamics
Software Verification + Dynamic Analysis of Continuous Systems
Challenges in Bridging Software Verification and Dynamic Analysis
SOFTWARE VERIFICATION
Time abstract notion of execution
Assertions/Invariants hold at discrete places in program
Exact computations
DYNAMIC ANALYSIS
Continuous time notion of execution
Invariants/Lyapunov functions should be satisfied globally
Noisy environments
98
Solution: Software Verification Techniques + Control Theory (Dynamic Analysis) + Proof Composition Techniques
Collaborators
Mahesh Viswanathan (UIUC)
Sayan Mitra (UIUC)
Ashish Tiwari (SRI)
Pavithra Prabhakar (IMDEA)
Cesar Munoz (NASA Langley)
Taylor Johnson (UT Arlington)
Le Wang (UIUC)
Matthew Potok (UIUC)
Aarti Gupta (Princeton)
Vineet Kahlon (Google)
Khalil Ghorbal (CMU)
Franjo Ivancic (Google)
100
Dynamic Analysis
Abstraction-Refinement
Thank You
101
[Figure: research summary grid. Rows: Simple computation / Distributed computation; columns: Simple Continuous Dynamics / Complex Nonlinear Dynamics. Papers placed in the grid: [EMSOFT'13], [TACAS'15], [RTSS'12], [FM'14], [EMSOFT'13]*, [ICCPS'11], [HSCC'12], [VMCAI'13], [CAV'15]; verification tools [UPPAAL, HyTech, SpaceEx, …].]
*best paper award at EMSOFT 2013
Backup Slides
102
Verification of Annotated Models From Executions [DMV'13]
Annotations – a conservative upper bound on the distance between trajectories
An annotation for the ODE $\dot{x} = f(x)$ is a pair $(V, \beta)$ such that
$\forall t > 0,\; V(\xi(x_1, t), \xi(x_2, t)) \le \beta(x_1, x_2, t)$
Utility of annotation:
$\xi(y, t) \in Bloat_{\epsilon}(\xi(x, t))$ where $\epsilon = \sup_{y \in B_\delta(x)} \{\beta(x, y, t)\}$
[Figure: Computing ReachTubes – trajectories $\xi(x_1, t)$ and $\xi(x_2, t)$ from initial states $x_1$, $x_2$, separated by at most $\beta(x_1, x_2, t)$.]
104
Verification of Annotated Models From Executions [DMV'13]
ReachTubes From Simulations And Annotations
$\xi(x_0, t)$ – a general analytical solution does not exist
Validated simulation engines generate regions for time intervals:
$\rho = (R_1, [t_0, t_1]), \ldots, (R_l, [t_{l-1}, t_l])$ with $\forall t \in [t_{i-1}, t_i],\; \xi(t) \in R_i$
ReachTube $\psi = B_\epsilon(\rho)$ where $\epsilon = \sup_{y \in B_\delta(x)} \{\beta(x, y, t)\}$
The overapproximation can be made arbitrarily small
How to infer temporal properties from such ReachTubes?
[Figure: trajectories $\xi(x_1, t)$ and $\xi(x_2, t)$ with discrepancy $\beta(x_1, x_2, t)$, and the ReachTube around the simulation from $x_1$.]
106
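The construction above carried out for the 1-D ODE dx/dt = a·x, as an added example that is not the DMV'13 tool's code. It assumes the annotation V = |x1 − x2|, β(x1, x2, t) = |x1 − x2|·e^{at} (exact for this ODE), a constructed validated simulation ρ from x0 = 1 whose regions are the exact enclosures of the monotone solution, and takes the supremum of β over both the initial ball B_δ(x0) and the time interval so that every trajectory from B_δ(x0) stays inside ψ.

```python
# Constructed example of building a ReachTube psi = B_eps(rho) from a validated
# simulation rho and an annotation (V, beta) for dx/dt = a*x (not DMV'13 code).
import math

A = 1.0  # growth rate a of dx/dt = a*x (constructed)

def beta(x1, x2, t):
    """Annotation: bound on |xi(x1,t) - xi(x2,t)| for dx/dt = a*x (exact here)."""
    return abs(x1 - x2) * math.exp(A * t)

def validated_simulation(x0, dt, steps):
    """rho = [(R_i, (t_{i-1}, t_i))]: for a >= 0 the solution x0*e^{at} is
    monotone, so [x(t_{i-1}), x(t_i)] encloses it on each step."""
    rho = []
    for i in range(steps):
        t0, t1 = i * dt, (i + 1) * dt
        lo, hi = sorted((x0 * math.exp(A * t0), x0 * math.exp(A * t1)))
        rho.append(((lo, hi), (t0, t1)))
    return rho

def reach_tube(rho, x0, delta):
    """Bloat each R_i by eps_i = sup over y in B_delta(x0) and t in [t_{i-1}, t_i]
    of beta(x0, y, t); beta is increasing in t, so the sup sits at t_i."""
    psi = []
    for (lo, hi), (t0, t1) in rho:
        eps = beta(x0, x0 + delta, t1)
        psi.append(((lo - eps, hi + eps), (t0, t1)))
    return psi

def covered(psi, y, samples=20):
    """Soundness check: does the trajectory from y stay inside the tube?"""
    for (lo, hi), (t0, t1) in psi:
        for k in range(samples + 1):
            t = t0 + (t1 - t0) * k / samples
            if not lo <= y * math.exp(A * t) <= hi:
                return False
    return True

# Constructed run: simulate from x0 = 1 for four steps of 0.5 s, delta = 0.1.
RHO = validated_simulation(1.0, 0.5, 4)
PSI = reach_tube(RHO, 1.0, 0.1)
```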
Must, Not, and May Intervals
For a predicate $P$ and ReachTube $\psi = (O_1, [t_0, t_1]), \ldots, (O_l, [t_{l-1}, t_l])$, the interval $[t_{i-1}, t_i]$ is
◦ in $Must(P)$ if $O_i \subseteq P$
◦ in $Not(P)$ if $O_i \cap P = \emptyset$
◦ in $May(P)$ otherwise
[Figure: the ReachTube from $x_1$ labelled with Must/May/Not intervals for $P_1 \equiv F_1 > 0$ and for $P_2 \equiv F_2 > 0$.]
107
Checking Temporal Precedence
Temporal precedence $P_1 \prec_b P_2$ is satisfied by ReachTube $\psi$ if
$\forall I_2 \in Must(P_2) \cup May(P_2),\; \exists I_1 \in Must(P_1),\; I_1 < I_2 - b$
Temporal precedence $P_1 \prec_b P_2$ is violated by ReachTube $\psi$ if
$\exists I_2 \in Must(P_2),\; \forall I_1 \in Must(P_1) \cup May(P_1),\; I_1 > I_2 - b$
[Figure: the same Must/May/Not labelling for $P_1 \equiv F_1 > 0$ and $P_2 \equiv F_2 > 0$; here the property $P_1 \prec_0 P_2$ is satisfied.]
108
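The Must/Not/May classification of the previous slide and the precedence check above, as an added example rather than the DMV'13 implementation. It assumes ReachTube regions are axis-aligned boxes and predicates have the form a·x + c > 0, so $O_i \subseteq P$ and $O_i \cap P = \emptyset$ are decided exactly from the range of the affine function over the box; it reads $I_1 < I_2 - b$ as "every point of $I_1$ lies at or before every point of $I_2$ shifted back by $b$" (and $I_1 > I_2 - b$ symmetrically); the tube and predicates are constructed.

```python
# Constructed example of the Must/Not/May classification and the temporal
# precedence check P1 <_b P2 from the slides; not the DMV'13 tool's code.
# A ReachTube is a list of (box, (t_{i-1}, t_i)); a box is a list of per-
# dimension (lo, hi); a predicate P = {x : a.x + c > 0} is the pair (a, c).

def affine_range(a, c, box):
    """Exact (min, max) of F(x) = a.x + c over an axis-aligned box."""
    lo = c + sum(ai * (l if ai > 0 else h) for ai, (l, h) in zip(a, box))
    hi = c + sum(ai * (h if ai > 0 else l) for ai, (l, h) in zip(a, box))
    return lo, hi

def classify(tube, p):
    """Split the tube's time intervals into Must(P), Not(P), May(P)."""
    a, c = p
    must, not_, may = [], [], []
    for box, iv in tube:
        fmin, fmax = affine_range(a, c, box)
        if fmin > 0:        # O_i subset of P: F > 0 everywhere in the box
            must.append(iv)
        elif fmax <= 0:     # O_i disjoint from P: F <= 0 everywhere in the box
            not_.append(iv)
        else:               # box straddles F = 0: cannot decide
            may.append(iv)
    return must, not_, may

def precedes(p1, p2, b, tube):
    """P1 <_b P2 on the tube: 'satisfied', 'violated' or 'inconclusive'.
    Assumed reading: I1 < I2 - b iff every point of I1 is at or before
    every point of I2 shifted back by b; I1 > I2 - b symmetrically."""
    must1, _, may1 = classify(tube, p1)
    must2, _, may2 = classify(tube, p2)
    before = lambda i1, i2: i1[1] <= i2[0] - b
    after = lambda i1, i2: i1[0] >= i2[1] - b
    # satisfied: every interval where P2 may hold has a Must(P1) interval b earlier
    if all(any(before(i1, i2) for i1 in must1) for i2 in must2 + may2):
        return "satisfied"
    # violated: some interval where P2 surely holds has no P1 interval early enough
    if any(all(after(i1, i2) for i1 in must1 + may1) for i2 in must2):
        return "violated"
    return "inconclusive"

# Constructed 1-D tube: x rises from about -1 to about 2 over t in [0, 5].
TUBE = [([(-1.0, -0.5)], (0.0, 1.0)), ([(-0.6, 0.1)], (1.0, 2.0)),
        ([(0.2, 0.9)], (2.0, 3.0)), ([(0.5, 1.2)], (3.0, 4.0)),
        ([(1.1, 2.0)], (4.0, 5.0))]
P1 = ([1.0], 0.0)    # x > 0
P2 = ([1.0], -1.0)   # x > 1

for b in (0.0, 1.0, 4.0):
    print(f"P1 <_{b} P2 is {precedes(P1, P2, b, TUBE)}")
```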
Simulation Guided Synthesis
109
[Figure: synthesis loop – an incomplete model of the CPS plus a specification enter the Synthesizer; a Model Generator proposes candidate models that the Verifier checks, yielding either a satisfying model or "infeasible".]
Intuition for the system designer comes from simulations
Learning linear and nonlinear control theory
◦ Learned the basic principles about controls
◦ Design iterations guided by simulations
110
Simulation Guided Synthesis: Classroom Experiment
111
[Figure: autonomous car track with segments labelled "slow down", "turn", "speed up", "turn".]
Homework Problem: Generate parameters for the autonomous car controller and verify using C2E2 that all the specifications are satisfied
Parameter Synthesis: Classroom Experiment
112
Goals of the course included
◦ Familiarize students with different tools in CPS verification (interactive demos)
◦ Push new research directions – handling a nontrivial verification problem
Results
◦ 90% of students solved it without a single office hour
◦ Students researched the literature and provided new techniques we did not anticipate
Inspiration for future research directions: Simulation Guided Synthesis