Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven, November 3, 2009
Observability and Diagnosability of Hybrid Automata, and their application
in Air Traffic Management
M.D. Di Benedetto, S. Di Gennaro and A. D’Innocenzo
University of L’Aquila, Center of Excellence DEWS
L’Aquila, Italy
Motivation
• ATM procedures define behaviours and interactions among actors of a multi-agent system
• With the increase of air traffic, bottlenecks of current procedures are arising: decentralize decisions?
• It is extremely hard to convince people that a “new” procedure is more efficient than the “old” one, but equally safe
General framework for testing ATM procedures
In order to convince - formally prove - that an ATM procedure satisfies certain properties:
• Compositional mathematical framework for modeling ATM procedures
• Propositional logics to mathematically define properties of interest
• Tools to automatically verify properties
Automatically verify properties of ATM procedures
[Figure: an ATM procedure and a property of interest are fed to an automatic verification tool, which answers Yes, or No together with a counterexample]
• Can the procedure terminate correctly?
• Does the procedure terminate in time t ∈ [min, max]?
• Is it possible to immediately detect if the procedure is not performed correctly?
• Is it possible to detect propagation of situation awareness incongruency due to interconnection of agents?
Automatically verify properties of ATM procedures
[Figure: the hybrid model and a formula are fed to a model checker, which answers Yes, or No together with a counterexample]
• Can the procedure terminate correctly? CTL PROPERTY
• Does the procedure terminate in time t ∈ [min, max]? TCTL PROPERTY
• Is it possible to immediately detect if the procedure is not performed correctly? OBSERVABILITY PROPERTY
• Is it possible to detect propagation of situation awareness incongruency due to interconnection of agents? DIAGNOSABILITY PROPERTY
Hybrid system definition
[Figure: a hybrid automaton with three discrete states q1, q2, q3]
Continuous layer: in each discrete state qi the continuous state evolves as ẋ = Ai x + Bi u (i = 1, 2, 3).
Discrete layer: the states q1, q2, q3 and the transitions between them, each labelled with an event and the output it produces.
Invariant sets, guard sets and reset maps are attached to the discrete states and to the transitions.
Hybrid execution
[Figure: an execution between q1 and q2: initial set X0, invariants Inv(q1) and Inv(q2), guards G(e1), G(e2), G(e3), reset maps x′ = R(e1, x) and x′ = R(e3, x), events e1, e2, e3]
Language of executions of discrete state
[Figure: a discrete execution through q1, q2, q3, q4 with dwell times in seconds, χ = (q1, 3), (q2, 4), (q3, 1), (q4, 2); only the outputs ψ1 and ψ2 are observed, so the timed observation P(χ) records ψ1 and ψ2 together with their timing]
L: language of all discrete state executions
P: language of all discrete observations
L_Qb: executions that terminate in Qb ⊆ Q
P_Qb: observations of strings in L_Qb
e.g. if q4 ∈ Qb then χ ∈ L_Qb and P(χ) ∈ P_Qb
Regular language of executions
• Consider observations without time delays: then L, P, L_Qb, P_Qb are regular languages.
• Regular languages are closed w.r.t. union, intersection, concatenation.
Untimed example: χ = q1, q2, q3, q4 and P(χ) = ψ1, ψ2.
Discrete state observability: motivation
[Figure: a taxiway-crossing procedure modelled as a discrete-state system. States: Taxiing (Engines Running), Taxi on airport way, Taxi to hangar, Ask for crossing grant, Waiting at stop-bar, Authorized crossing, Unauthorized crossing, Emergency Braking, Crossing, Crossing completed, Taxiing; several states are marked “Unobs.” (unobservable)]
[Di Benedetto et al. MED’05]
Qb = {unauthorized crossing}
Observability definition
Let Qb ⊆ Q be a subset of the discrete state space that models a faulty behaviour of the system.
Definition: The set Qb ⊆ Q is observable for the hybrid system H if an observer of Qb exists.
[Figure: the hybrid system produces the observation P(χ); the observer of Qb reads P(χ) and answers “q ∈ Qb” or “q ∉ Qb”]
[Di Benedetto et al. LNCIS’05, CDC’06]
Classical observability definition
Proposition: Classical discrete state observability is a special case of observability of Qb.
[Figure: the observer of H, which returns the state estimate q̂, is obtained from the observers of the singletons q1, …, qN]
Observability condition
Proposition: The set Qb is observable for the hybrid system H if and only if
  Q0 ∩ Qb = ∅ and P_Qb ∩ P_{Q\Qb} = ∅
[Figure: two executions with observation labels a, b, c, d illustrating the condition]
Observability verification
Algorithm:
1. Compute the regular languages P_Qb and P_{Q\Qb}.
2. Compute the intersection P_Qb ∩ P_{Q\Qb}.
3. Check whether P_Qb ∩ P_{Q\Qb} is empty.
The algorithm terminates in polynomial time w.r.t. the dimension of the discrete state space.
[Di Benedetto et al. IJRNC’08]
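The observer of Qb and the emptiness check above, worked as an added example on the untimed (regular-language) case. This is my code, not the authors' tool: the observer is built by a subset construction over the observable labels, so each observer state is the set of discrete states consistent with the observation seen so far, and Qb is observable exactly when Q0 ∩ Qb = ∅ and no reachable observer state mixes Qb with Q\Qb, which is the same as P_Qb ∩ P_{Q\Qb} = ∅. The model is a constructed toy loosely following the taxiway-crossing motivation; its state names, labels and the convention that outputs sit on transitions (None = unobservable move) are assumptions rather than the authors' model. The second model adds a stop-bar sensor, showing that one extra observable output turns the non-observable faulty set into an observable one.

```python
from collections import deque

# Constructed toy model loosely following the taxiway-crossing motivation.
# Assumptions (not the authors' model): transitions are (source, output, target),
# output None means the move is unobservable; continuous dynamics are abstracted away.
TAXI_MODEL = {
    "initial": {"taxiing"},                      # Q0
    "faulty": {"unauthorized_crossing"},         # Qb
    "transitions": [
        ("taxiing", "ask_grant", "asked"),
        ("asked", None, "waiting_at_stopbar"),          # pilot holds, nothing observed
        ("asked", "grant", "authorized_crossing"),
        ("asked", None, "unauthorized_crossing"),       # pilot crosses without grant, silently
        ("waiting_at_stopbar", "grant", "authorized_crossing"),
        ("authorized_crossing", "crossing_completed", "taxiing"),
        ("unauthorized_crossing", "crossing_completed", "taxiing"),
    ],
}


def unobservable_closure(states, transitions):
    """States reachable from `states` using unobservable (None) moves only."""
    closure = set(states)
    stack = list(states)
    while stack:
        state = stack.pop()
        for src, label, dst in transitions:
            if src == state and label is None and dst not in closure:
                closure.add(dst)
                stack.append(dst)
    return closure


def build_observer(model):
    """Subset construction over the observable labels (untimed, regular-language case).
    Each observer state is the set of discrete states consistent with the
    observation seen so far. Returns (initial_state, {(state, label): next_state})."""
    transitions = model["transitions"]
    initial = frozenset(unobservable_closure(model["initial"], transitions))
    observer = {}
    queue, seen = deque([initial]), {initial}
    while queue:
        current = queue.popleft()
        labels = {lbl for src, lbl, _ in transitions if src in current and lbl is not None}
        for lbl in sorted(labels):
            step = {dst for src, l, dst in transitions if src in current and l == lbl}
            nxt = frozenset(unobservable_closure(step, transitions))
            observer[(current, lbl)] = nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return initial, observer


def is_observable(model):
    """Qb is observable iff Q0 ∩ Qb is empty and no reachable observer state
    contains both a Qb state and a Q\\Qb state (i.e. P_Qb ∩ P_{Q\\Qb} = ∅).
    Returns (verdict, witness); the witness is the confusable state set, if any."""
    faulty = model["faulty"]
    if model["initial"] & faulty:
        return False, frozenset(model["initial"] & faulty)
    initial, observer = build_observer(model)
    for state in [initial] + list(observer.values()):
        if state & faulty and state - faulty:
            return False, state          # same observation, cannot tell Qb from Q\Qb
    return True, None


def with_stopbar_sensor(model):
    """Constructed hardened variant: a stop-bar sensor makes the unauthorized
    crossing produce an observable output instead of a silent move."""
    hardened = dict(model)
    hardened["transitions"] = [
        ("asked", "stopbar_violation", "unauthorized_crossing")
        if (src, dst) == ("asked", "unauthorized_crossing") else (src, lbl, dst)
        for src, lbl, dst in model["transitions"]
    ]
    return hardened


if __name__ == "__main__":
    for name, model in (("original", TAXI_MODEL),
                        ("with stop-bar sensor", with_stopbar_sensor(TAXI_MODEL))):
        verdict, witness = is_observable(model)
        detail = "" if witness is None else f", confusable states={sorted(witness)}"
        print(f"{name}: observable={verdict}{detail}")
```

In the original toy the observer state reached after the output ask_grant contains asked, waiting_at_stopbar and unauthorized_crossing at once, so the observer cannot answer “q ∈ Qb” or “q ∉ Qb” immediately and Qb is not observable; with the sensor the unauthorized crossing lands in an observer state of its own. The same subset construction, run over the σ/ψ-labelled ASEP-ITP model, is what produces observer states such as {Q4, Q10, Q11} on the ASEP-ITP observer slide.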
Diagnosability definition
Definition: The set Qb is δ-diagnosable for a hybrid system H if it is possible to detect, within a delay δ, that Qb has been visited, using the observable output.
Proposition: The set Qb is observable if and only if it is δ-diagnosable with δ = 0.
δ-diagnosability conditions
[Figure: two pairs of executions through q1 q2 q3 q4 and q1 q5 q6 q7, outputs ψ1 and ψ2. With dwell times 3 s, 4 s, 2 s, 1 s the pair is marked “not admitted”; with dwell times 3 s, 2 s, 2 s, 1 s it is marked “admitted”]
Faulty executions
[Figure: the execution χ = (q1, 3), (q2, 4), (q3, 1), (q4, 2) with outputs ψ1, ψ2]
Definition: A δ-faulty execution is a trajectory that enters the faulty set at a certain time instant, and then continues flowing for a time duration δ.
The execution χ = (q1, 3), (q2, 4), (q3, 1), (q4, 2) is 3-faulty.
Diagnosability conditions
Proposition: Qb is δ-diagnosable for H iff
  ∀ χ ∈ F*_δ, ∀ χ′ ∈ L* \ F*_δ : P(χ) ≠ P(χ′)
where L* is the set of all executions and F*_δ is the set of all δ-faulty executions.
Problem: Compute the minimum m such that Qb is m-diagnosable for H.
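The minimum-delay problem just stated, worked as an added example on the untimed discrete abstraction (my code, not the authors' tool). Here the δ of the slides becomes the number of discrete transitions taken after entering Qb, and the check is a twin-plant reachability search: a faulty copy and a fault-free copy of the automaton are forced to produce the same observation, while unobservable moves are taken by one copy at a time. The faulty copy carries a counter k of steps since it first entered Qb; every reachable pair with counter k shows that a k-faulty execution is confused with a fault-free one, so the minimum m is one more than the largest such k, and m = 0 means Qb is observable. Two points are my assumptions: δ-faulty executions are compared against executions that never visit Qb (the usual discrete-event-system reading of the condition), and the counter is capped by a pigeonhole bound on the number of twin-plant pairs so that a pumpable cycle, i.e. no finite delay at all, is reported as None. The two toy automata and their labels are constructed.

```python
from collections import deque

# Constructed toy abstraction (assumptions, not the authors' model): the discrete
# layer of a hybrid automaton with transitions (source, output, target); output
# None is an unobservable move. The fault state q3 is entered silently and the
# faulty and nominal branches only differ in the output emitted two steps later.
MODEL = {
    "initial": {"q1"},
    "faulty": {"q3"},                       # Qb
    "transitions": [
        ("q1", "a", "q2"),
        ("q2", None, "q3"),                 # silent entry into Qb
        ("q2", None, "q4"),                 # silent nominal continuation
        ("q3", "b", "q5"),
        ("q4", "b", "q6"),
        ("q5", "c", "q7"),                  # faulty branch reveals itself here ...
        ("q6", "d", "q7"),                  # ... nominal branch emits d instead
    ],
}

# Constructed variant in which both branches emit d and then loop forever on e:
# the fault is never revealed, so no finite delay suffices.
NEVER_REVEALED = {
    "initial": {"q1"},
    "faulty": {"q3"},
    "transitions": [t for t in MODEL["transitions"] if t[0] != "q5"]
    + [("q5", "d", "q7"), ("q7", "e", "q7")],
}


def minimal_diagnosability_delay(model):
    """Twin-plant search for the minimum m such that Qb is m-diagnosable.
    Copy 1 carries k = number of discrete steps since it first entered Qb
    (None = never faulty); copy 2 is restricted to states outside Qb. Both
    copies must agree on every observable output; unobservable moves are taken
    by one copy at a time. A reachable pair with counter k means a k-faulty
    execution is confused with a fault-free one, so m = max(k) + 1 (m = 0 means
    observable). Returns None when k is unbounded, i.e. Qb is not diagnosable."""
    trans, faulty = model["transitions"], model["faulty"]
    states = {s for src, _, dst in trans for s in (src, dst)} | set(model["initial"])
    cap = len(states) ** 2 + 1   # more steps than twin-plant pairs => a cycle is pumpable

    def advance(k, dst):
        # update copy 1's counter when it moves to dst
        if k is not None:
            return min(k + 1, cap)
        return 0 if dst in faulty else None

    start = [((x, 0 if x in faulty else None), y)
             for x in model["initial"] for y in model["initial"] if y not in faulty]
    seen, queue, worst = set(start), deque(start), -1
    while queue:
        (x, k), y = queue.popleft()
        if k is not None:
            if k >= cap:
                return None
            worst = max(worst, k)
        successors = []
        for src, lbl, dst in trans:
            if lbl is None and src == x:                        # copy 1 moves silently
                successors.append(((dst, advance(k, dst)), y))
            if lbl is None and src == y and dst not in faulty:  # copy 2 moves silently
                successors.append(((x, k), dst))
            if lbl is not None and src == x:                    # synchronised observable move
                for src2, lbl2, dst2 in trans:
                    if src2 == y and lbl2 == lbl and dst2 not in faulty:
                        successors.append(((dst, advance(k, dst)), dst2))
        for nxt in successors:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return worst + 1


if __name__ == "__main__":
    print("MODEL: minimum m =", minimal_diagnosability_delay(MODEL))                   # 2
    print("NEVER_REVEALED: minimum m =", minimal_diagnosability_delay(NEVER_REVEALED))  # None
```

The search is polynomial in the number of discrete states, as the slides claim for the discrete-event case: the twin plant has at most |Q|² pairs times the capped counter, and each pair is expanded once. Replacing the step counter by accumulated dwell time would give the durational-graph version, at the cost of also matching the timing of the observations.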
Diagnosability verification for HA
• It is extremely hard to automatically verify diagnosability conditions on a general hybrid model.
• It is probably undecidable.
• This problem has been solved for discrete event systems and timed automata.
Abstraction methods
[Figure: two abstraction routes. Untimed: hybrid system H → discrete event system D (safety). Timed: hybrid system H → timed automaton T or durational graph G (temporal properties)]
Timed abstraction:
Pro: preserves time information!
Con: more complex algorithms…
Diagnosability verification by abstraction
[Di Benedetto et al., IEEE TAC]
• Construct an abstraction G of the hybrid system H that preserves the properties of interest
• Run the verification procedure on G
Find conditions to construct an abstraction G such that a property is true for H if and only if it is true for G; in particular, H is diagnosable if and only if G is diagnosable.
Diagnosability verification complexity
Expressive power: discrete event systems << durational graphs << timed automata
Complexity class of the diagnosability check:
  Discrete event systems: P [Lafortune]
  Durational graphs: P [Di Benedetto et al., IEEE TAC]
  Timed automata: PSPACE [Tripakis]
In-Trail Procedures: ATSA and ASEP ITP
• ATSA-ITP application is currently being standardized by the Requirements Focus Group as part of Airborne Separation Assistance System (ASAS) Package 1 applications.
• Tested since spring 2008 in the North Atlantic Airspace above Iceland (where radar coverage is available) with a small set of aircraft equipped with special ADS-B devices. ATSA-ITP is the near future of ITP oceanic airspace applications.
• Airborne Separation In Trail Procedure (ASEP-ITP), studied inside the Advanced Safe Separation Technologies and Algorithms (ASSTAR) project, introduces an innovative transfer of separation management responsibilities from ATC to the flight crew throughout the ITP manoeuvre.
• The rationale behind this is that the flight crew, in contrast to ATC, has the appropriate surveillance equipment at its disposal (i.e. ADS-B and ASAS equipment), and is therefore instantly able to monitor separation and act if necessary.
ATSA and ASEP ITP
• ATSA-ITP: improvement in the situation awareness of the agents, but the procedure is the same as the traditional one, and does not include any transfer of responsibility from the controller to the pilot.
• ASEP-ITP: for the first time in oceanic applications, the pilot has the responsibility for separation during execution. He can change the Mach number whenever the ASAS system suggests it. The separation minimum is reduced to 5 NM.
• ASEP-ITP is strongly based on ATSA-ITP: step-by-step evolution of the application inside the ASAS concept, gradual implementation of a new concept and of its safety assessment.
Separation minimum improvement
[Figure: three flight-level diagrams (FL340, FL350, FL360) showing the reference aircraft and the ITP aircraft. Today: more than 10 minutes, i.e. an actual separation of about 80 NM. ATSA-ITP: 10 NM separation minimum. ASEP-ITP: 5 NM separation minimum]
Assumptions
• Agents: the ITP aircraft is modeled by a rectangular automaton; the oceanic controller is modeled by a discrete event system; the ASAS technical system is working.
• Aircraft dynamics are described by longitudinal position, altitude, longitudinal absolute speed (measured in Mach) and climb rate.
• Operational hazards: [Requirements Focus Group (RFG). In-trail procedure in non-radar oceanic airspace (ATSA-ITP) - operational safety assessment (OSA), v2.3. November 2007.]
From ASEP-ITP specification to automatic verification
[Figure: ASEP-ITP specification → hybrid system or rectangular automaton H → timed automaton T; a property true on T is true on H, and hence true on the ASEP-ITP specification]
Most of the properties of our interest for ATM procedure analysis are decidable for timed and rectangular automata [Alur et al., TAC’00].
[Figure: discrete-state model of ASEP-ITP. States: Q1 Cruise, Q2 ITP Initiation, Q3 ITP Instruction, Q4 ITP Standard Execution, Q5 ITP Termination, Q6 ITP Aborted, Q7 ITP Denied, Q8 ITP Rejected, Q9 Abnormal Termination, Q10 Non-ITP Criteria compliant, Q11 Wrong Execution, Q12 ASAS alert, Q13 Wrong termination. Transitions are labelled with events σ1, …, σ9, outputs ψ1, …, ψ7, and ε for unobservable moves]
ASEP-ITP observability analysis
[Figure: the ASEP-ITP discrete-state model repeated: Cruise, ITP Initiation, ITP Instruction, ITP Standard Execution, ITP Termination, ITP Aborted, ITP Denied, ITP Rejected, Abnormal Termination, ASAS alert, Non-ITP Criteria compliant, Wrong Execution, Wrong Termination]
ASEP-ITP observer
[Figure: observer of the ASEP-ITP model. Observer states are sets of discrete states: {Q1, Q2, Q6}, {Q3}, {Q7}, {Q8}, {Q4, Q10, Q11}, {Q9}, {Q12}, {Q5, Q13}; transitions are labelled with the observable outputs ψ1, …, ψ7]
The operational hazards are not observable: even if the ASEP-ITP procedure satisfies the ED78a check, some operational hazards cannot be detected!
Conclusions
• Apply hybrid systems theory for formal modeling of ATM procedures
• Propose a mathematical framework for formal analysis of ATM procedures
• Develop tools for automatic verification of observability and diagnosability
• Analyze observability of ASEP-ITP