Samad/confs/Artist02/
High-Confidence Control
Ensuring Reliability in High-Performance Real-Time Systems
Tariq Samad
Honeywell Automation and Control Solutions
Minneapolis, U.S.A.
Collaborators: Pam Binns, Mike Elgersma, Vu Ha
Research supported by DARPA/AFRL contract F33615-01-C-1848
Increasing Autonomy in UAVs (USAF Perspective)
Limitations of “Automation”
• Human operators are not needed for nominal conditions today
– straight-and-level cruise flight in good weather
– steady-state operation of process plants
– urban roadways under light traffic flows
• Invariably, abnormal conditions require human intervention
• Autonomy implies appropriate responses to unforeseen situations
– all control behaviors cannot be pre-compiled
• Much research in systems and control is focused on enabling autonomy
– but there’s a theory/practice gap
The Theory/Practice Gap in Control
• Several new theoretical and analytical developments in systems and control over the last decade or two
– nonlinear control
– intelligent control
– adaptive control
• Notable successes in practical applications, but the full potential of these and other techniques hasn’t been realized
• The problem isn’t incomplete theory, or a lack of simulation results
• The problem is the lack of “confidence” for real-time, life- and mission-critical applications
• Human operators are not primarily employed for performance, but for confidence
Difficulties with Determinism
• Current verification and validation (V&V) approaches are infeasible for future systems
– focus on deterministic guarantees of safety
– complex algorithms are analytically intractable
– exhaustive analyses are impossible
• Promising alternative: probabilistic methods
– algorithmic performance measures (inc. control stability)
– Reliability and dependability analyses
– Probabilistic online admission control
– Statistical verification of execution properties: focus of our work
The Verification Problem for Advanced Control
• For safety- and mission-critical systems, verification practices today focus on exhaustive, worst-case analyses
– e.g., ensure, under all conceivable conditions, that the calculation will complete within the deadline
• Computationally sophisticated algorithms are either avoided entirely, or only used in restricted, provably safe situations
– nondeterministic execution times
– computations performed depend on state and inputs
• Real-time control applications impose hard deadlines on computation
– difficult to guarantee that calculation will be completed by deadline
Performance with Confidence
The conservative, deterministically verified region of acceptance: xmin < x < xmax
The new, statistically verified region of acceptance
[Figure: two characterizations of computational assurance, each marking Unacceptable and Acceptable regions over continuous dimension x1 and discrete dimension x2]
0)(0)(0)()( 321 xdxdxdxh
Example problem: computation of trim solution
Iterative computation for x may or may not converge within deadline
Convergence a function of state and inputs
),(const uxfxtrim
Asymmetric Penalties
• In most cases of interest, some degree of conservatism will likely be desirable
[Figure: hypotheses h1, h2 and h3 over X]
Hypothesis h1 tolerates false positives in the interests of high performance
Hypothesis h2 is “minimally safe” for the given data set
Hypothesis h3 results in conservative decisions
Some Basic SLT Results
• For any probability distribution D on X {-1,0}, any hypothesis h in H that makes k errors on a training set of m random examples will have a generalization error probability bounded as follows (the result applies with probability 1- and assumes that d m):
4
ln2
ln42
d
emd
mm
kR
• Assume we observe an empirical error (more generally, risk) of classification, Remp, based on a “training set” of m examples for classifiers from a hypothesis space H. The statistical learning theory model formulates how Remp differs from R:
1)()(supPr hRhR emp
Hh
• The result above is assured under fairly general conditions provided that (where d is the VC dimension of the hypothesis space H of classifiers we are considering):
13
log82
log41
22 dm ~Independent of problem dimension!
Assumes “consistency” of H
Specialized for classification problems; consistency not assumed
A distribution-free formulation!
VC Dimension
• Intuitively, a measure of the flexibility or richness of a hypothesis space
• Examples:
– lines in R2 have VC-dimension of 3
– half-planes in Rn have VC-dimension n+1
– axis-aligned hyperrectangles in Rn have VC-dimension 2n
– n-sided polygons in R2: 2n+1
– k-sided convex polyhedra in Rn: 2k log2(ek)(n+1)
A Methodology for Statistical Verification
• Given a data set of m samples {(x1, y1), (x2, y2), …, (xm, ym)}
• Find hypothesis in hypothesis space H of VC dimension d with
– zero false positives (i.e., wrong prediction of computing feasibility)
– low false negatives (i.e., wrong prediction of computing infeasibility)
• Calculate ub as
ub is an upper bound (with confidence 1-) of the true probability
for a false positive
• Given H and confidence level , we can estimate safety as a function of m and vice versa
• Allows explicit tradeoff between safety and performance
m
dmdub
4/ln1/2ln
OAV Features and Functions
Navigation performance:
• GPS has 20 ft. error: landing area must be 40 ft. in diameter and flat.
• Station location keeping is within 5 to 10 ft.
• Altitude is known within 5 ft.
Flight
• AV2 endurance: 95 minutes
• Speed: 100 kts
• Auto start, take-off/landing
• Waypoint designation at any resolution (direction, distance, speed).
• Blind descent: 1 ft/sec. descent with weight-on-wheel sensors; terrain data not required.
• Flight control allows for hover and translation maneuvers.
OAV Application
• OAV has lift surfaces in propulsion airflow
– causes significant nonlinear interactions between thrust and surface variables
• Requires the online calculation of equilibrium angle of attack
• Initial dependency explored: net lift force and flight path angle
– net lift force = 2S/2mg (: air density, : speed, S: effective wing area)
– flight path angle () is zero for upright flight
• Currently working on 4-D problem
– includes body-axis unit vector
Application in Progress
Upper bound on probability of unsafe condition is 0.045, with 95% confidence
Can increase safety with more samples or lower VC dimension
m = 700000
VC dimension = 137
= 0.05 (95% confidence)
ub = 0.045
• Iterative equilibrium angle of attack computation for new small-scale UAV
• 2-d slice of computational complexity shown, as a function of two inputs to the computation
• Characterize region of performance where 2 iterations suffice (red region in graphs)
• Hypothesis space: logical combination of four quadratics
• Realistic 4-d application in progress
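The statistical verification methodology and the figures on this slide, worked through as an added Python example that is not code from the original slides. It assumes the standard Vapnik form of the VC bound, which reproduces the slide's ub = 0.045 for m = 700000, VC dimension 137 and 0.05 (95% confidence). The Newton solver, the interval hypothesis (VC dimension 2), the iteration budget and the sampling range are constructed stand-ins for the trim computation.

```python
import math
import random

def vc_upper_bound(m, d, delta):
    """Bound ub on the true false-positive probability (confidence 1 - delta)
    for a zero-false-positive hypothesis; assumed standard Vapnik VC form."""
    if not (0 < delta < 1 and 1 <= d <= m):
        raise ValueError("need 0 < delta < 1 and 1 <= d <= m")
    return math.sqrt((d * (math.log(2 * m / d) + 1) + math.log(4 / delta)) / m)

def samples_needed(target_ub, d, delta):
    """Smallest m with vc_upper_bound(m, d, delta) <= target_ub."""
    if not 0 < target_ub < 1:
        raise ValueError("target_ub must lie in (0, 1)")
    lo, hi = d, 2 * d  # the bound exceeds 1 at m = d, so lo never qualifies
    while vc_upper_bound(hi, d, delta) > target_ub:
        lo, hi = hi, 2 * hi
    while hi - lo > 1:  # the bound decreases in m, so bisect
        mid = (lo + hi) // 2
        if vc_upper_bound(mid, d, delta) <= target_ub:
            hi = mid
        else:
            lo = mid
    return hi

def newton_iterations(x, tol=1e-9, cap=50):
    """Constructed stand-in for the iterative solver: Newton steps for t*t = x."""
    t = 1.0
    for n in range(1, cap + 1):
        prev, t = t, 0.5 * (t + x / t)
        if abs(t - prev) < tol:
            return n
    return cap + 1

def fit_safe_interval(samples, centre=1.0):
    """Widest open interval around centre holding no infeasible sample."""
    lo = max((x for x, ok in samples if not ok and x < centre), default=-math.inf)
    hi = min((x for x, ok in samples if not ok and x > centre), default=math.inf)
    return lo, hi

def certify(m=20000, budget=5, delta=0.05, seed=1):
    """Sample inputs, fit h: lo < x < hi, count errors, bound false positives."""
    rng = random.Random(seed)
    xs = [rng.uniform(0.1, 10.0) for _ in range(m)]
    samples = [(x, newton_iterations(x) <= budget) for x in xs]
    lo, hi = fit_safe_interval(samples)
    false_pos = sum(1 for x, ok in samples if lo < x < hi and not ok)
    false_neg = sum(1 for x, ok in samples if not (lo < x < hi) and ok)
    return lo, hi, false_pos, false_neg, vc_upper_bound(m, 2, delta)
```

Calling `samples_needed(0.02, 137, 0.05)` shows how many more samples a tighter safety target costs at the same VC dimension.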
Conclusions
• Automation is pervasive, autonomy is not
• High-performance algorithms aren’t sufficient; higher confidence implementations are needed
• One problem/solution: Statistical verification of advanced control software
• Many other possibilities to close the theory/practice gap
• Exciting opportunities for both research and impact!
• Multidisciplinary efforts essential