Verification of Discrete & HybridPowertrain Controllers

Bruce H. Krogh

Carnegie Mellon University

Overview

• model checking

– SMV

• verification of state charts

– sf2smv

• verification of hybrid systems

– CheckMate

Overview

• model checking

– SMV• verification of state charts

– sf2smv

• verification of hybrid systems

– CheckMate

Verification via Model Checking

systemmodel

systemproperty

(specification)

MODELCHECKER

confirm property is TRUE OR generate a counterexample

Model Checking vs. Simulation

In one run, a model checker investigates every possible behavior of the system for the given set of initial conditions and input signals ... a simulator generates only one trajectory for a particular initial condition and input signal.

Where does Verification fit in the Powertrain Control Feature Design Cycle?

test on engine/vehicle

feature specification

code

production

executable spec.

code generation

simulation

hardware in the loop

executable spec.

CACSD

model checking

Objective: Verify feature behavior for the entire range of operating conditions.

Potential role of formal verification

Verification of Finite-State Systems

FINITE-STATE SYSTEM

PROPERTYTO VERIFY

MODEL CHECKINGPROGRAM

PROPERTY IS TRUE OR A COUNTER EXAMPLE

propagates sets of states, not individual trajectories

FSM Model Checkers

key strength: exhaustive search of reachable states

key theory: fixed-point operations for temporal logic assertions

key technology: OBBDs (ordered binary decision diagrams)

SMV (symbolic model verification)

• Textual programming language– interacting state-transition systems– Boolean, integer, symbolic variables– modules with multiple instantiations– temporal logic specifications

• Originally developed at Carnegie Mellon– www.cs.cmu.edu/~modelcheck/smv.html

• Cadence Labs version– www-cad.eecs.berkeley.edu/~kenmcmil/smv/

Cadence Labs SMV Graphical Interface

From “Getting started with SMV”by Ken L. McMillan

“Model checking by itself is limited to fairly small designs …

For large designs, the user must [use] compositional verification …

These techniques include refinement verification, symmetry reduction, temporal case splitting, data type reduction, and induction.”

Overview

• model checking

– SMV

• verification of state charts

–sf2smv• verification of hybrid systems

– CheckMate

Mathworks Stateflow® Charts

States•AND states (dashed lines)•OR states (solid lines)

Transitions fire when •source state is active,•conditions (in brackets) are true•labeling events occur

Actions•transition actions (follow / in transition label)•state actions: enter, during, exit

Junctionsconnect multiple input-output transition branches for "flowchart" logic

Example from Stateflow example: automotive\fuelsys

Statecharts = Hierarchical State Machines

Verification of Stateflow Charts

FEATURESPECIFICATIONS

DESIGNER

STATEFLOWDIAGRAM

(SIMULINK)

VERIFICATIONRESULTS

specificationsto verify

SMV

M. Rausch and B. Krogh, “Symbolic Verification of Stateflow Logic,” WODES 98

sf2smv SMVMODULES

(new Matlab command)

Stateflow Charts SMV Modules

OR state group SMV module

module name = parent state namemodule states = states in OR state groupassign statements = state transitions

AND state group SMV module

same as OR, except states are set/reset with the parent

Transitions SMV variables

DEFINE block = state transition conditions

Stateflow Charts SMV Modules

MODULE main

VARstate : {no_states,A3,A1,A2};A3_child : A3_c(…);A2_child : A2_c(…);

ASSIGNinit(state):=no_states;next(state):=case t42_f : A3; t39_f | t41_f : A1; t43_f : A2; 1 :state; esac;

MODULE A3_c(…)

VARstate : {no_states,A3b,A3a};

ASSIGNinit(state):=no_states;next(state):=case t41_f : no_states; t42_f : A3b; t40_f : A3a; 1 : state; esac;

MODULE A2a_c(…)

VARstate : {no_states,a1,a2,a3};

ASSIGNinit(state):=no_states;next(state):=case t42_f : no_states; t44_f | t46_f : a1; t48_f : a2; t50_f : a3; 1 : state; esac;

MODULE A2b_c(…)

VARstate : {no_states,b1,b2,b3};

ASSIGNinit(state):=no_states;next(state):=case t42_f : no_states; t45_f | t47_f : b1; t49_f : b2; t51_f : b3; 1 : state; esac;

MODULE A2_c(…)

VARA2a : and_state(…);A2b : and_state(…);A2a_child : A2a_c(…);A2b_child : A2b_c(…);

.

.

.

“Verification of Stateflow Diagrams Using SMV,” CMU Tech Report, Oct. 1998

Sensor-Filter Example

Sensor-Filter Example

Sensor-Filter Example

Sensor-Filter Example

Sensor-Filter Example

problem: initializes with default value (10.0) although

sensor_flag = 0 at t = 1.0

Sensor-Filter Example:Application of sf2smv

FEATURESPECIFICATIONS

DESIGNER

STATEFLOWDIAGRAM

(SIMULINK)

VERIFICATIONRESULTS

specificationsto verify

SMV

sf2smv SMVMODULES

(new Matlab command)

Generation of SMV Model

Specification for Verification

AG(input_sel=1 -> init_sel=1)

if input_sel = 1theninit_sel should be 1on the first pass(but it apparently isn’t -- so I want atrace of what happens)

SMV Verification Result

when trig_init occurred

starting.state was not active!

Using the Trace for Debugging

Starting is activated after main,so it is not active when trig_initis generated on the first pass.

Sensor-Filter Example

correct filter initialization from the

good sensor measurement

For code generation, the semantics matter!

Overview

• model checking

– SMV

• verification of state charts

– sf2smv

• verification of hybrid systems

–CheckMate

CAM Controller Example

Verification Problem: Determine whether the controller will switch only once from saturation to PID mode.

Continuous-Time Model

Switching Rule

1

1

3.01

)1(7.0)(

z

zzH

Discrete-time ruleSwitch on magnitude of the error and the sign of this filter

Continuous-time ruleSwitch on magnitude of the error and the sign of this filter

5.150

5.150)(

s

ssH

s tat

e of

th e

fil t

e r

error

Finite State Analysis

• Assign discrete states to each switch boundary and the initial condition set

• Determine reachability from each discrete state to the other discrete states

• Analyze the resulting finite state system

Reachability Analysis

Resulting Finite-State System

Verification is inconclusive since it is a conservative

approximation

Possible switch back to thesaturation controller

Precise Reachability Analysis

Portion of A1 that doesn’tlead to switching

Portion of A1 that reaches A2

(leads to switching)

“Exact” Finite-State System

Switch back to thesaturation controlleris certain from some

initial states

Applying Model Checking to Hybrid Systems:

• interpret a hybrid system as a transition system (with an infinite state space)

• find an equivalent finite-state transition systems (bisimulation)

• perform verification using the bisimulation

Can this approach be generalized to higher-order systems?

Hybrid System Verification via Finite-State Bisimulation

hybrid system model: H

BisimulationProcedure

finite-statetransition system T

H

PROPERTYTO VERIFY

MODEL CHECKINGPROGRAM

PROPERTY IS TRUE OR A COUNTER EXAMPLE

modeselect

integrator

m(t)

xdot(t)

flow constraints

x(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F31S

X0

Je

e(t)

Je

jump dynamics

cont. state

discrete state

discrete event

discrete dynamics

Simulink Diagram of General Hybrid System Dynamics

F1

F2

F3

1S

continuous dynamics

modeselect

integrator

m(t)

xdot(t)

flow constraints

x(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F3

1S

X0

Je

e(t)

Simulink Diagram of a Hybrid System

modeselect

integrator

m(t)

xdot(t)

flow constraints

x(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F3

1S

X0

Je

e(t)

Continuous-StateReachable Set Mapping

Objective:Compute mappings from initial state sets to next initial state sets at the discrete-state transitions.

X0(mk) X0(mk+1)

Hybrid System VerificationDecidability Results

Hybrid Automata (flows,guards,jumps)

Linear Hybrid Automata (P,P,P)

Rectangular Automata (In,In,In)

Multirate Automata (Zn,In,In)

Timed Automata (1n, In,{reset,continue}n )

Stopwatch Automata(2-slopes w/o reset)

InitializedPSPACE-c

Initialized

isomorphic(initialized)

Bisim

(finite slope, triangular, state-dependent assignment or initialize)

Uninitialized

1 Courtesy of Enrique Ferreira, CMU, 1999

Piecewise-Trivial Hybrid Systems1

modeselect

integrator

m(t)

xdot(t)

flow constraints

x(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F31S

X0

Je

e(t)

1Dang & Maler, HS’98

Reacht(Xo,Fk) can berepresented and

computed

Piecewise-Trivial Hybrid Systems (PTHS)

m(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)

e(t)

m(t)

cont. state

discrete state

discrete event

X0

Je

e(t)

X(t; Xo,m)

modeselect

integrator

m(t)

xdot(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F3

1S

X0

Je

e(t)

Linear Hybrid AutomataHyTech (UCBerkeley)

• Fk (flow constraints), Je (jump mappings), and Gjk (guards) are convex polyhedra

• Fk are independent of x(t)

Verification of General Hybrid Systems

CheckMate Block Diagram

x1

x2

x3

th1

th2

q1

q2

th3

SwitchedContinuous System 3

SwitchedContinuous System 2

SwitchedContinuous System 1

C*x <= d

PolyhedralThreshold 3

C*x <= d

PolyhedralThreshold 2

C*x <= d

PolyhedralThreshold 1

Mux

Mux2

MuxMux1

Mux

Mux

OR

LogicalOperator

c1

c2q

FiniteState Machine 2

c1

c2q

FiniteState Machine 1

Simulink Model

Switched Continuous System

• Parameter: Switching function f• Input: Discrete condition signal u• Output: Continuous state vector

x• Description: Continuous

dynamics selected by discrete input signal

)(xfx u

u x

SwitchedContinuous System

Switched Continuous System Parameters

Polyhedral Threshold

• Parameters: C,d• Input: Continuous state vector x• Output: Boolean signal

1 if Cx d

0 otherwise• Description: Outputs Boolean

signal indicating whether continuous state variable x is in polyhedron Cx d

x

C*x <= d

PolyhedralThreshold

Visualization Tool

Finite State Machine (Stateflow)

• Inputs:

– Data: Boolean condition signals which are functions of PTHB and FSMB outputs

– Event: Transition edges of Boolean condition signals which are functions of PTHB outputs

• Output: Discrete signal (integer) indicating active state of FSM

event input(vectorized)

scalardata inputs

.

.

.

data 1

data N

q

Finite State Machine

modeselect

integrator

m(t)

xdot(t)

flow constraints

x(t)

x(t)

jump mapping

initial condition

e(t)

discrete-state system with guarded transitions

x(t)e(t)

m(t)

cont. state

discrete state

discrete event

F1

F2

F3

1S

X0

Je

e(t)

Approximating the Continuous-StateReachable Set Mapping

Objective:Compute mappings from initial state sets to next initial state sets at the discrete-state transitions.

X0(mk) X0(mk+1)

Approximating reachable sets

E.K. Kornoushenko. Finite-automaton approximation to the behavior of continuous plants, Automation and Remote Control, 1975

J. Reisch and S. O’Young, A DES approach to control of hybrid dynamical systems, Hybrid Systems III, LNCS 1066, Springer, 1996

A. Puri, V. Borkar and P. Varaiya, -Approximation of differential inclusions, Hybrid Systems III, LNCS 1066, Springer, 1996

M.R. Greenstreet, Verifying safety properties of differential equations, CAV’96

M.R. Greenstreet and I. Mitchell, Integrating projections, HS'98

T. Dang and O. Maler, Reachability analysis via face lifting, HS'98

A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998

A. Chutinan and B. H. Krogh, Verification of polyhedral-invariant hybrid systems using polygonal flow pipe approximations, HSCC99

Polyhedral Flow Pipe Approximations

A. Chutinan and B. H. Krogh, Computing polyhedral approximations to dynamic flow pipes, IEEE CDC, 1998

X0

t1

t2

t3

t4

t5t6 t7

t8

t9

• divide R[0,T](X0) into [tk,tk+1] segments

• enclose each segment with a convex polytope

• RM[0,T](X0) = union of polytopes

Flow Pipe Segment Approximation

Vertices(X0) at tk

Vertices(X0) at tk+1

Step 1.a. Simulate trajectories from each vertex of X0.

Step 2.Solve optimization for di

flow pipe segment approximated by { x | ci

Tx di, i }

b. Take the convex hulland identify outwardnormal vectors.

Flow Pipe ApproximationExample 1: Van der Pol Equation

X x x0 1 20 8 1 0 { . , }

. ( )

x x

x x x x1 2

2 12

2 10 2 1

Van der Pol Equation

Uniform time steptk = 0.5

Initial Set

Flow Pipe ApproximationExample 2: Linear System

A

0 1 0

0 0 1

1 2 2

1

1

1

2

1

1

2

2

1

1

2

1

, , , and

Vertices for X0

Uniform time steptk = 0.1

Flow Pipe Approximation

• Applies in arbitrary dimensions• Approximation error doesn't grow with time• Estimation error (Hausdorff distance) can be

made arbitrarily small with t < and size of X0 <

• Integrated into a complete verification tool (paper in next session)

Polyhedral-Invariant Hybrid Automaton (PIHA)

Conversion

Simulink/Stateflow Front End(graphical editing, simulation)

Threshold-event-driven Hybrid Systems (TEDHS)

Flow PipeApproximations

Quotient Transition System

ACTL Verification

PartitionRefinement

Initial Partition

Elements of CheckMate

Using Reachability Approximationsfor Verification

Hybrid system model: H

SimulationIteration

Transition system TM/P

PROPERTYTO VERIFY

MODEL CHECKINGPROGRAM

PROPERTY IS TRUE OR A COUNTER EXAMPLE

Conclusive for H?

No

For universal assertions (A - for all paths), TRUE for TM/P implies TRUE for TH

Comparison to Bisimulation Approach

constructinitial partition

BPiterations

finite bisimulation

verification

stop: specification

is true

stop: specification

is false

yes

no

constructinitial partition

refinepartition

finite quotient system

verification

test for bisimulation

no

yes

no

stop:specification

is true

stop:specification

is false

yes

Powertrain Control Application

“Hybrid control in automotive applications: the cut-off control” A. Balluchi et. al, Automatica Special Issue on Hybrid Systems, vol. 35, no. 3, March 99

Problem: Verify the event-driven implementation of a control law designed in continuous time.

Control law: Decide when to inject air/fuel for torque to decrease speed along a prescribed trajectory.

Cut-off Control

Plant– four-stroke, four-cylinder engine– discrete-event model of torque generation

• 4-state FSM model for each piston

– continuous-time powertrain model1

• axle torsion angle• crankshaft speed• wheel speed• crankshaft angle ----> FSM transition event• input: engine torque from pistons

1Model from Magneti Marlli Engine Control Division

CheckMate Model

CheckMate Model

power traindynamics

Piston FSM

CheckMate Model

Predictive Control Logic

Verification for Powertrain Control Features

• Problems are hybrid• Logic introduces combinatorial complexity• Potential savings if control logic can be

evaluated early in the design cycle• Flowpipe reachability analysis applies to

purely continuous problems• Verification requires model “abstraction” (i.e.,

insight and effort)

BUT formal verification often reveals unanticipated behaviors