7/30/2019 Nal 2013 Deepak
http://slidepdf.com/reader/full/nal-2013-deepak 1/26
Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory
Conflict-Tolerant Safety Specifications
Deepak D’Souza
Department of Computer Science and Automation, Indian Institute of Science, Bangalore.
Joint work with Madhu Gopinathan, Raj Mohan M., Sumesh Divakaran, S. Ramesh, Prahlad Sampath.
NAL, 08 April 2013
Outline
1 Motivation
2 Example: Insulin Controller
3 Example: Water-Level Controller
4 Conflict-tolerant specifications
5 Results in the theory
Overview
We consider systems which are composed of a base system + multiple controllers + a supervisor.
Supervisor chooses when to provide the control input of a controller to the base system (e.g. based on priority).
[Figure: a car engine as base system, with a basic-operation controller, a cruise-control controller and a stability-control controller feeding a supervisory controller.]
We propose a way of specifying the behaviour of individual controllers.
Classical model-checking framework
[Figure: a System is abstracted into a System Model; the question is whether the Model satisfies the Spec G(¬Bad). The outcome is either a proof that the Model satisfies the Spec, or a counter-example.]
Control mechanism
[Figure: Controller and Base System in a loop; the controller sends control inputs to the base system and reads back the plant behaviour.]
Controller reads plant behaviour and gives advice in the form of control inputs to the plant.
Example model:
[Figure: a two-state controller automaton whose transitions are labelled no-rel, rel, rel-double and timer, beside the Controller / Base System loop of the previous slide.]
Classical safety specification
Specifies a safety “cone” (prefix-closed set of behaviours) within which the behaviour of the controlled system must lie.
[Figure: the safety cone drawn as system state against time.]
What about systems with multiple controllers?
[Figure: the car-engine system with basic-operation, cruise-control and stability-control controllers under a supervisory controller, as on the Overview slide.]
Composed system is large
Specification is complex.
Would like to reason about each controller separately.
Why a classical safety specification is inadequate
What happens if the controller’s input is disregarded by the supervisor (due to a conflict)?
The resumed controller has no specification to adhere to.
[Figure: system state against time, with a period in which the advice is taken followed by a period in which the advice is not taken; the classical cone says nothing about the controller once it resumes.]
Conflict-tolerant specification
[Figure: system state against time; after the empty behaviour the cone f(ε) applies, and after a plant behaviour σ a fresh cone f(σ) applies.]
An advice function f which specifies a safety cone f (σ) after each behaviour σ of the base system.
A controller satisfies a CT-spec f (wrt a plant B) if after each plant behaviour σ, the controlled plant’s behaviour lies in f (σ).
Conflict-tolerant Specification: Guarantee
Suppose a controller C satisfies its tolerant specification S wrt a base system B.
[Figure: system state against time, alternating between periods in which the advice is taken, not taken, and taken again; in each “taken” period a fresh cone applies.]
Then in every period in which it is in control, C does “the right thing” (according to S).
This guarantee is regardless of other controllers/supervisors it is composed with.
Insulin Control
[Figure: the insulin base system and its controller, drawn as automata whose transitions are labelled no-rel, rel, rel-double and timer.]
Conflict-Tolerant Specifications for Insulin Controller
[Figure: three candidate conflict-tolerant specifications (a), (b) and (c) for the insulin controller, each an automaton over the events timer, rel, rel-double and no-rel.]
Example hybrid system: Water tank with pump
System variables:
w : level of water in tank.
p : On/Off status of pump (1 = “on”).
[Figure: hybrid automaton of the tank with two modes. Mode b1 (pump on): p = 1, ẇ = 1, invariant w < 6. Mode b2 (pump off): p = 0, ẇ = −1, invariant w > 0. Initially w := 2.]
[Figure: a sample run of the base system, plotting w and p against time on the range 0 to 4.]
Controller for water tank
System variables: X = {w}. Control variables: U = {p}.
[Figure, Water Tank: the same two-mode automaton as before; b1 with p = 1, ẇ = 1, invariant w < 6; b2 with p = 0, ẇ = −1, invariant w > 0; initially w := 2.]
[Figure, Controller: two modes q1 and q2 with ṗ = 0 and invariant 2 <= w <= 4 in both. q1 has p = 1 and switches to q2 on w = 4 with p := 0; q2 has p = 0 and switches to q1 on w = 2 with p := 1. Initially p := 1.]
[Figure: a run of the controlled tank, plotting w and p against time on the range 0 to 4; w oscillates between 2 and 4.]
A classical specification for water-level controller
Classical safety specification = prefix-closed set of signals.
Conflict-tolerant specification
An advice function over a set of variables W is a function f : Signals → 2^Signals such that each f (σ) is prefix-closed.
Mechanism to specify such advice functions: S = (Acc, Adv, E) where
Acc and Adv are hybrid automata over W
E is a set of edges between Acc and Adv called an advice relation.
[Figure: the automaton Acc on the left, Adv on the right, with the edges of E running from Acc to Adv.]
Example tolerant specification for water-level controller I
Example tolerant specification for water-level controller II
Note: Both tolerant specs induce the same classical spec but are quite different as tolerant specs.
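As an added illustration (not from the slides), here is a constructed discrete-time abstraction of the water tank with two controllers: the one drawn on the Controller slide, which switches only on the edges w = 4 and w = 2, and one designed against an advice function that steers back toward the band [2, 4] from any level. A supervisor disregards the advice for two ticks (a conflict); both controllers then violate the classical cone during the conflict, but only the tolerant controller stays within the advice cone in every period in which it is in control, which is the Guarantee slide's point. The stepwise cone in `in_cone` and the supervisor's override policy are assumptions of this example, not definitions from the talk.

```python
# Constructed discrete-time abstraction of the slide's water tank: each tick the
# level w rises by 1 while the pump is on (p=1) and falls by 1 while it is off
# (p=0), clamped to the plant's own invariants (0 <= w <= 6). A supervisor may
# disregard the controller's advice at some ticks (the "advice not taken" period).

def slide_controller(w, p):
    """Controller as drawn on the slide: p:=0 on the edge w=4, p:=1 on w=2,
    otherwise it keeps the current pump state."""
    if w == 4:
        return 0
    if w == 2:
        return 1
    return p

def tolerant_controller(w, p):
    """Controller designed against the advice function: steer toward [2,4]
    from any level, then hold the band."""
    if w <= 2:
        return 1
    if w >= 4:
        return 0
    return p

def simulate(advice, w0, p0, steps, overrides):
    """Run the controlled plant. overrides maps tick -> pump value forced by the
    (hypothetical) supervisor. Returns a list of (tick, w, p_applied, advice_taken)."""
    trace, w, p = [], w0, p0
    for t in range(steps):
        p = overrides.get(t, advice(w, p))
        trace.append((t, w, p, t not in overrides))
        w = min(w + 1, 6) if p == 1 else max(w - 1, 0)
    return trace

def classical_violations(trace):
    """Classical safety cone: 2 <= w <= 4 at every tick, whoever is in control."""
    return [t for t, w, _, _ in trace if not 2 <= w <= 4]

def in_cone(w_before, w_after):
    """One step of an assumed advice cone f(sigma) for a behaviour sigma ending
    at w_before: hold the band if inside it, else move strictly toward it."""
    if 2 <= w_before <= 4:
        return 2 <= w_after <= 4
    return abs(w_after - 3) < abs(w_before - 3)

def ct_violations(trace):
    """Ticks at which the advice was taken but the resulting step leaves the
    advice cone, i.e. the controller breaks the CT-spec while in control."""
    return [t for (t, w, _, taken), (_, w_next, _, _) in zip(trace, trace[1:])
            if taken and not in_cone(w, w_next)]
```

With the override at ticks 3 and 4 draining the tank to 0, the slide controller resumes in mode q2 with w outside the band and keeps the pump off forever, while the tolerant controller refills it.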
Components of the theory
Transition system based mechanism for specifying conflict-tolerant specs, for discrete [CAV 2008], timed [QEST 2008], and hybrid systems [manuscript].
Temporal logics for CT-specs (discrete and timed) [ISEC 2010, TIME 2010].
Algorithms for verifying whether a given controller satisfies a given CT-spec with respect to a given base system.
Algorithms for automatic synthesis of CT controllers.
Construction of a priority-based supervisor that maximally utilizes controllers.
Some “toy” case-studies: elevator features (discrete), car door-motor control (timed), cruise-control vs stability control (hybrid).
Conclusion
[Figure: the car-engine system with basic-operation, cruise-control and stability-control controllers under a supervisory controller, as on the Overview slide.]
Consider setting of multiple intermittent control.
Conflict-tolerant specifications more richly capture a controller’s specification.
A modular or “compositional” way of developing and reasoning about systems with multiple controllers.
Thanks for your attention.
Verification for rectangular hybrid automata
We can solve the verification problem for such specs. Given
a base system B modelled as an initialized rectangular automaton over (X, Y),
a controller C modelled as an initialized rectangular automaton over (X, Y),
a tolerant spec S = (Acc, Adv, E) whose components are IRHA (initialized rectangular hybrid automata),
we can check whether C satisfies S wrt B.