formal methods in cps a control perspectivedisc-cps15.imtlucca.it/pdf/tabuada_1.pdf · paulo...

Formal Methods in CPSA Control Perspective

Paulo Tabuada

Cyber-Physical Systems LaboratoryDepartment of Electrical Engineering

University of California at Los Angeles

Paulo Tabuada (CyPhyLab - UCLA) Formal Methods in CPS DISC Summer School 2015 1 / 55

Introduction to Cyber-Physical SystemsWhat are Cyber-Physical Systems?

Different people interpret the expression Cyber-Physical Systems (CPSs)differently;

In my lectures, CPSs satisfy the following 2 properties:

1 The cyber components receive information fromthe physical world, process it, and feed it backso as to influence the physical components;

2 The interaction between the cyber and physicalcomponents is so tight that these componentscannot be studied in isolation.

Physical

Cyber components have traditionally been studied in Computer Science whilephysical components have traditionally been studied in Control Theory.

In these lectures we will use results and techniques from both these areas.

Different people interpret the expression Cyber-Physical Systems (CPSs)differently;In my lectures, CPSs satisfy the following 2 properties:

Physical

Different people interpret the expression Cyber-Physical Systems (CPSs)differently;In my lectures, CPSs satisfy the following 2 properties:

Physical

Introduction to Cyber-Physical SystemsExamples of Cyber-Physical Systems

The timing of the decisions made by the software is critical to the success of themission.

The “dynamics” of the software needs to analyzed in conjunction with thedynamics of the physical components.

Introduction to Cyber-Physical SystemsExamples of Cyber-Physical Systems

A combination of time-driven and event-driven precise control decisions isrequired to avoid paper jams and maintain high throughput.

Introduction to Cyber-Physical SystemsSome challenges

Control theory provides analysis and design techniques for simple objectives.

But current applications require sophisticated functionalities, e.g., adaptivecruise control (International Standard ISO 15622).

Unfortunately, it is well known that switching between correct control softwaremay lead to incorrect behavior.

How to synthesize code enforcing high-level specifications on CPSs?

Synthesis for Cyber-Physical SystemsKey ingredients

Our approach will be based on finite-state abstractions of the physical world soas to leverage discrete verification and synthesis techniques (Prof. Kim Larsen’slecture).

Lecture plan

Models for CPS

Relating systems and properties

A preview of PESSOA

Approximate finite-state abstractions

Application to ACC

Controller refinement

Lecture plan

Models for CPS

A preview of PESSOA

Application to ACC

Models for the physical worldDifferential and difference equations

Differential equations is the most common model for the physical world. In theselectures we will consider only linear differential equations:

ddtξ = Aξ + Bν. (1)

We can bring (1) closer to the models used in computer science by moving fromcontinuous time to discrete time.

1 Choose a sampling period τ ∈ R+;

2 Keep the input constant during the intervals[kτ, (k + 1)τ [, k ∈ N0.

0 1τ 2τ 3τ 4τ 5τ

3 Compute new matrices A′ = eAτ andB′ =

∫ τ0 eA(t−s)B ds so that the solution

ξ′x,ν′ : N0 → Rn of the difference equation:

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

satisfies ξ′x,ν′(k) = ξx,ν′(kτ).0 1τ 2τ 3τ 4τ 5τ

There are 2 concepts that we need in order to make sense of (1):States x ∈ Rn and state trajectories ξ : R+

0 → Rn;Inputs u ∈ Rm and input trajectories ν : R+

0 → Rm;

0 1τ 2τ 3τ 4τ 5τ

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

There are 2 concepts that we need in order to make sense of (1):States x ∈ Rn and state trajectories ξ : R+

0 → Rn;Inputs u ∈ Rm and input trajectories ν : R+

0 → Rm;For each initial state x ∈ Rn and input trajectory ν : R+

0 → Rm there exists aunique state trajectory (solution, execution, run, trace, ...) ξx,ν : R+

0 → Rn

satisfying:ξx,ν(0) = x ;the time derivative of ξx,ν at time t ∈ R+

0 is equal to Aξx,ν(t) + Bν(t).

0 1τ 2τ 3τ 4τ 5τ

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

0 1τ 2τ 3τ 4τ 5τ

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

0 1τ 2τ 3τ 4τ 5τ

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

0 1τ 2τ 3τ 4τ 5τ

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

0 1τ 2τ 3τ 4τ 5τ

ξ′(k + 1) = A′ξ′(k) + B′ν′(k)

Models for the cyber and the physical worldSystems

Difference equations as well as finite-state automata can be modeled assystems:

Definition (System)

A system S is a sextuple (X ,X0,U, - ,Y ,H) consisting of:

a set of states X ;

a set of initial states X0 ⊆ X ;

a set of inputs U;

a transition relation - ⊆ X × U × X ;

a set of outputs Y ;

an output map H : X → Y .

Definition (Metric system)

A system S is said to be a metric system if the set of outputs Y is equipped with ametric d : Y × Y → R+

Models for the cyber and the physical worldSystems

Difference equations as well as finite-state automata can be modeled assystems:

Definition (System)

A system S is a sextuple (X ,X0,U, - ,Y ,H) consisting of:

a set of states X ;

a set of initial states X0 ⊆ X ;

a set of inputs U;

a transition relation - ⊆ X × U × X ;

a set of outputs Y ;

an output map H : X → Y .

Definition (Metric system)

A system S is said to be a metric system if the set of outputs Y is equipped with ametric d : Y × Y → R+

Models for the cyber and the physical worldA useful graphical description

X = {x0, x1, x2, x3}

X0 = {x0, x2}U = {u0, u1}

- = {(x0, u0, x1), (x0, u1, x2), (x1, u0, x1),

(x1, u0, x3), (x2, u1, x3), (x3, u1, x1)}Y = {y0, y1, y2}

H(x0) = y0, H(x1) = y0, H(x2) = y1

H(x3) = y2.

X = {x0, x1, x2, x3}X0 = {x0, x2}

U = {u0, u1}- = {(x0, u0, x1), (x0, u1, x2), (x1, u0, x1),

(x1, u0, x3), (x2, u1, x3), (x3, u1, x1)}Y = {y0, y1, y2}

H(x0) = y0, H(x1) = y0, H(x2) = y1

H(x3) = y2.

X = {x0, x1, x2, x3}X0 = {x0, x2}U = {u0, u1}

- = {(x0, u0, x1), (x0, u1, x2), (x1, u0, x1),

(x1, u0, x3), (x2, u1, x3), (x3, u1, x1)}Y = {y0, y1, y2}

H(x0) = y0, H(x1) = y0, H(x2) = y1

H(x3) = y2.

X = {x0, x1, x2, x3}X0 = {x0, x2}U = {u0, u1}

- = {(x0, u0, x1), (x0, u1, x2), (x1, u0, x1),

(x1, u0, x3), (x2, u1, x3), (x3, u1, x1)}

Y = {y0, y1, y2}H(x0) = y0, H(x1) = y0, H(x2) = y1

H(x3) = y2.

X = {x0, x1, x2, x3}X0 = {x0, x2}U = {u0, u1}

- = {(x0, u0, x1), (x0, u1, x2), (x1, u0, x1),

(x1, u0, x3), (x2, u1, x3), (x3, u1, x1)}Y = {y0, y1, y2}

H(x0) = y0, H(x1) = y0, H(x2) = y1

H(x3) = y2.

X = {x0, x1, x2, x3}X0 = {x0, x2}U = {u0, u1}

- = {(x0, u0, x1), (x0, u1, x2), (x1, u0, x1),

(x1, u0, x3), (x2, u1, x3), (x3, u1, x1)}Y = {y0, y1, y2}

H(x0) = y0, H(x1) = y0, H(x2) = y1

H(x3) = y2.

Models for the cyber and the physical worldA software example

Suppose that we want to compute the average of a stream of numbers but we donot know a priori the length of the stream.

x := 0;

n := 0;

While(true){y := read(input);

x := xn

n + 1+ y

n + 1;

n := n + 1; }

The variable y contains the latest received number and the variable x containsthe average of the numbers that have been received so far.

Assume now that we are interested in knowing if x is smaller, equal, or greaterthan 1 when y is restricted to assume values in the set {1, 2}.

x := 0;

n := 0;

x := xn

n + 1+ y

n + 1;

n := n + 1; }

x := 0;

n := 0;

x := xn

n + 1+ y

n + 1;

n := n + 1; }

x := 0;

n := 0;

x := xn

n + 1+ y

n + 1;

n := n + 1; }

Models for the cyber and the physical worldAn economy example

Consider the controlled model for the national income inspired by PaulSamuelson’s 1939 model1:

c(k + 1) = α(c(k) + i(k) + g(k)

)i(k + 1) = βα

(c(k) + i(k) + g(k)

)− βc(k) (2)

g(k + 1) = d(k).

where the national income is the sum c + i + g of three kinds of expenditures:consumption (c), investment (i), and government expenditures (g). Theparameters α, β ∈ R are identified from data.

We can describe this model by the following system:

X = R3, X0 = X , U = R+0 ;

(c(k), i(k), g(k))d(k)- (c(k + 1), i(k + 1), g(k + 1)) if equations (2) are

satisfied;Y = R, H = c + i + g.

1Interactions between the multiplier analysis and the principle of acceleration.

The Review of Economic Statistics, 21(2):75-78, 1939.

Models for the cyber and the physical worldAn economy example

Consider the controlled model for the national income inspired by PaulSamuelson’s 1939 model1:

c(k + 1) = α(c(k) + i(k) + g(k)

)i(k + 1) = βα

(c(k) + i(k) + g(k)

)− βc(k) (2)

g(k + 1) = d(k).

where the national income is the sum c + i + g of three kinds of expenditures:consumption (c), investment (i), and government expenditures (g). Theparameters α, β ∈ R are identified from data.

We can describe this model by the following system:

X = R3, X0 = X , U = R+0 ;

(c(k), i(k), g(k))d(k)- (c(k + 1), i(k + 1), g(k + 1)) if equations (2) are

satisfied;Y = R, H = c + i + g.

1Interactions between the multiplier analysis and the principle of acceleration.

The Review of Economic Statistics, 21(2):75-78, 1939.

Lecture plan

Models for CPS

A preview of PESSOA

Application to ACC

Relating systems and their propertiesSimulation relations

We now have a class of models (systems) that can describe both physicalsystems as well as its finite-state abstractions.

But what is the relation between the properties enforced by the controller and thehybrid controller?

We now have a class of models (systems) that can describe both physicalsystems as well as its finite-state abstractions.

But what is the relation between the properties enforced by the controller and thehybrid controller?

Properties expressed in temporal logic can be transferred between systemsrelated by simulation relations.

Definition (Simulation Relation)

Let Sa = (Xa,Xa0,Ua, a- ,Ya,Ha) and Sb = (Xb,Xb0,Ub, b

- ,Yb,Hb) be systemswith Ya = Yb. A relation R ⊆ Xa × Xb is a simulation relation from Sa to Sb if thefollowing three conditions are satisfied:

1 for every xa0 ∈ Xa0, there exists xb0 ∈ Xb0 with (xa0, xb0) ∈ R;

2 for every (xa, xb) ∈ R we have Ha(xa) = Hb(xb);

3 for every (xa, xb) ∈ R we have that:

a- x ′a in Sa implies the existence of xb

b- x ′b in Sb satisfying (x ′a, x ′b) ∈ R.

We say that Sa is simulated by Sb or that Sb simulates Sa, denoted by Sa �S Sb, ifthere exists a simulation relation from Sa to Sb.

Relating systems and their propertiesSimulation relations: Example

Consider the following two systems and the relation:

R = {(xa0, xb0), (xa0, xb2), (xa1, xb1), (xa2, xb1)}.

1 for every xa0 ∈ Xa0, there exists xb0 ∈ Xb0 with (xa0, xb0) ∈ R;2 for every (xa, xb) ∈ R we have Ha(xa) = Hb(xb);

3 xaua

b- x ′b in Sb

satisfying (x ′a, x ′b) ∈ R.

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

3 xaua

b- x ′b in Sb

Relating systems and their propertiesApproximate simulation relations

It will be more convenient to work with an approximate version of simulation relation.

Definition (Approximate Simulation Relation)

Consider two metric systems Sa and Sb with Ya = Yb, and let ε ∈ R+0 . A relation

R ⊆ Xa × Xb is an ε-approximate simulation relation from Sa to Sb if the following threeconditions are satisfied:

2 for every (xa, xb) ∈ R we have d(Ha(xa),Hb(xb)) ≤ ε;3 for every (xa, xb) ∈ R we have that:

We say that Sa is ε-approximately simulated by Sb or that Sb ε-approximatelysimulates Sa, denoted by Sa �εS Sb, if there exists an ε-approximate simulationrelation from Sa to Sb.

Relating systems and their propertiesApproximate simulation relations

It will be more convenient to work with an approximate version of simulation relation.

Definition (Approximate Simulation Relation)

Consider two metric systems Sa and Sb with Ya = Yb, and let ε ∈ R+0 . A relation

R ⊆ Xa × Xb is an ε-approximate simulation relation from Sa to Sb if the following threeconditions are satisfied:

2 for every (xa, xb) ∈ R we have d(Ha(xa),Hb(xb)) ≤ ε;3 for every (xa, xb) ∈ R we have that:

We say that Sa is ε-approximately simulated by Sb or that Sb ε-approximatelysimulates Sa, denoted by Sa �εS Sb, if there exists an ε-approximate simulationrelation from Sa to Sb.

Existence of a simulation relation from Sa to Sb can be used to transfer LinearTemporal Logic (LTL) properties from Sb to Sa.

PropositionFor any LTL formula ϕ we have:

Sa �S Sb =⇒ (Sb |= ϕ =⇒ Sa |= ϕ)

Sa �εS Sb =⇒ (Sb |= ϕ =⇒ Sa |=ε ϕ) .

But we really want to transfer properties enforced by controllers. In other words,we want to transfer, not properties, but the ability to enforce properties.

Enforcing properties, i.e., controlling, requires a battle against nondeterminism.

Sa �S Sb =⇒ (Sb |= ϕ =⇒ Sa |= ϕ)

Sa �εS Sb =⇒ (Sb |= ϕ =⇒ Sa |=ε ϕ) .

Sa �S Sb =⇒ (Sb |= ϕ =⇒ Sa |= ϕ)

Sa �εS Sb =⇒ (Sb |= ϕ =⇒ Sa |=ε ϕ) .

Relating systems and their propertiesNondeterminism

A system is deterministic if given a state x ∈ X and an input u ∈ U there existsat most one state x ′ ∈ X for which x

u- x ′.

In general, we have to work with nondeterministic systems since models are notaccurate:

The differential equation models for physical systems are always anapproximate description of reality.Sensors and actuators are never perfect and are subject to noise.Models for software only describe a partial view of what happens inside acomputer.

Given a state x ∈ X and an input u ∈ U we denote by Postu(x) the set of all thestates that can be reached from x under input u, formally:

Postu(x) = {x ′ ∈ X | xu- x ′}.

u- x ′.

Postu(x) = {x ′ ∈ X | xu- x ′}.

u- x ′.

Postu(x) = {x ′ ∈ X | xu- x ′}.

Relating systems and their propertiesAlternating simulation relations

The enforcement of properties expressed in LTL can be transferred betweensystems related by alternating simulations.

Definition (Alternating simulation relation)

Let Sa = (Xa,Xa0,Ua, a- ,Ya) and Sb = (Xb,Xb0,Ub, b

- ,Yb) be systems withYa = Yb. A relation R ⊆ Xa × Xb is an alternating simulation relation from Sa to Sb ifthe following three conditions are satisfied:

1 for every xa0 ∈ Xa0 there exists xb0 ∈ Xb0 with (xa0, xb0) ∈ R;

3 for every (xa, xb) ∈ R and for every ua ∈ Ua there exists ub ∈ Ub such that forevery x ′b ∈ Postub (xb) there exists x ′a ∈ Postua (xa) satisfying (x ′a, x ′b) ∈ R.

We say that Sa is alternatingly simulated by Sb or that Sb alternatingly simulates Sa,denoted by Sa �AS Sb, if there exists an alternating simulation relation from Sa to Sb.

How is simulation related to alternating simulation?

The relation R = {(xa0, xb0), (xa1, xb1), (xa2, xb2)} is a simulation relation from Sa

to Sb but not an alternating simulation. Although xb3 ∈ Posta(xb0) in Sb no statein Sa is related to xb3.

The relation R = {(xa0, xb0), (xa1, xb1), (xa2, xb2)} is a simulation relation from Sa

to Sb but not an alternating simulation. Although xb3 ∈ Posta(xb0) in Sb no statein Sa is related to xb3.

Conversely, the relation R′ = {(xa0, xb0), (xa1, xb1), (xa1, xb2), (xa1, xb3)} is analternating simulation relation from Sa to Sb but not a simulation relation from Sa

to Sb. The transition xa0a

a- xa2 in Sa cannot be matched by Sb.

Alternating simulation degenerates into simulation in the very special case ofdeterministic systems.

Determinism implies |Postub (xb)| ≤ 1 and |Postua (xa)| ≤ 1.

Hence:

∀ua ∈ Ua ∃ub ∈ Ub ∀x ′b ∈ Postub (xb) ∃x ′a ∈ Postua (xa) satisfying (x ′a, x ′b) ∈ R.

becomes:

∀ua ∈ Ua ∃ub ∈ Ub such that (x ′a, x ′b) ∈ R.

Equivalently:

Can we use alternating simulations to relate properties enforced by controllers?

Determinism implies |Postub (xb)| ≤ 1 and |Postua (xa)| ≤ 1. Hence:

becomes:

Equivalently:

becomes:

Equivalently:

becomes:

Equivalently:

PropositionAssume that Sa �AS Sb. If there exists a controller enforcing a LTL formula on Sa thenthere exists a controller enforcing the same formula on Sb.

PropositionAssume that Sa �εAS Sb. If there exists a controller enforcing a LTL formula on Sa thenthere exists a controller enforcing the same formula on Sb with an error of at most ε.

This result ensures correctness of the approach. Any controller synthesized forthe abstraction will lead to a controller for the original model.

How about completeness?

PropositionAssume that Sa �AS Sb. If there exists a controller enforcing a LTL formula on Sa thenthere exists a controller enforcing the same formula on Sb.

PropositionAssume that Sa �εAS Sb. If there exists a controller enforcing a LTL formula on Sa thenthere exists a controller enforcing the same formula on Sb with an error of at most ε.

This result ensures correctness of the approach. Any controller synthesized forthe abstraction will lead to a controller for the original model.

How about completeness?

Definition ((alternating) Bisimulation)

Let Sa and Sb be systems with Ya = Yb. We say that Sa is (alternatingly) bisimilar toSb, denoted by Sa ∼=S Sb (Sa ∼=AS Sb), if there exists a (alternating) simulation relationR from Sa to Sb such that R−1 is a (alternating) simulation relation from Sb to Sa.

Sa �AS Sb: every controller designed for Sa leads to a controller for Sb.

Sb �AS Sa: if there is a controller for Sb then it can be synthesized as acontroller for Sa.

Given a linear differential equation, can we construct a finite-state abstractionrelated by an (alternating) (bi)simulation?

Lecture plan

Models for CPS

A preview of PESSOA

Application to ACC

A preview of PESSOA

Consider a DC motor:

x1 = −BJ

x1 +kJ

x2 = −kL

x1 −RL

x2 +1L

where x1 represents angular velocity and x2 represents current.

The input voltage u is controlled by an H-bridge and thus ranges in the set{−10, 0, 10}.

A preview of PESSOA

The specification is:

reach and stay at an angular velocity of 20 rad/s.

equivalently, 3�(x1 = 20).

Maximal current too high!

Large current ripple when velocity is close to 20 rad/s.

A preview of PESSOA

Change specification to:

reach and stay at an angular velocity of 20 rad/s AND never exceed ±3A beforereaching 20 rad/s AND never exceed ±0.7A after.

equivalently, (−3 ≤ x2 ≤ 3) U�(x1 = 20 ∧ −0.7 ≤ x2 ≤ 0.7).

A preview of PESSOA

Lecture plan

Models for CPS

A preview of PESSOA

Application to ACC

Approximate finite-state abstractionsKey idea

All the results in this lecture are generalizations of the following simple idea.

Consider the dynamical system Σ described by the linear differential equation:

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

with trajectory ξx (t) = e−tx .

Claim: the relation Rε ⊆ R× R defined by (x , x ′) ∈ Rε iff ‖x − x ′‖ ≤ ε is anε-approximate simulation relation from S(Σ) to S(Σ).

Why: consider a pair (x , x ′) ∈ Rε and a transition x - x ′′ in S(Σ).

By definition of - we have x ′′ = ξx (τ) = e−τx .

Does there exist a point x ′′′ satisfying x ′ - x ′′′ and (x ′′, x ′′′) ∈ Rε?x ′′′ = ξx′(τ):

‖x ′′−x ′′′‖ = ‖ξx (τ)−ξx′(τ)‖ = ‖e−τx−e−τx ′‖ = ‖e−τ‖‖x−x ′‖ ≤ ‖x−x ′‖ ≤ ε.

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

Does there exist a point x ′′′ satisfying x ′ - x ′′′ and (x ′′, x ′′′) ∈ Rε?

x ′′′ = ξx′(τ):

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

‖x ′′−x ′′′‖

= ‖ξx (τ)−ξx′(τ)‖ = ‖e−τx−e−τx ′‖ = ‖e−τ‖‖x−x ′‖ ≤ ‖x−x ′‖ ≤ ε.

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

‖x ′′−x ′′′‖ = ‖ξx (τ)−ξx′(τ)‖

= ‖e−τx−e−τx ′‖ = ‖e−τ‖‖x−x ′‖ ≤ ‖x−x ′‖ ≤ ε.

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

‖x ′′−x ′′′‖ = ‖ξx (τ)−ξx′(τ)‖ = ‖e−τx−e−τx ′‖

= ‖e−τ‖‖x−x ′‖ ≤ ‖x−x ′‖ ≤ ε.

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

‖x ′′−x ′′′‖ = ‖ξx (τ)−ξx′(τ)‖ = ‖e−τx−e−τx ′‖ = ‖e−τ‖‖x−x ′‖

≤ ‖x−x ′‖ ≤ ε.

ddtξ = −ξ, ξ(t) ∈ R, t ∈ R+

Approximate finite-state abstractionsStability of control systems

Although we work with control systems in discrete-time we will use the samplingtime τ as a design parameter. Therefore, we need to recall continuous-timecontrol systems and the corresponding stability properties.

ddtξ = Aξ + Bν (4)

with ξ(t) ∈ Rn, ν(t) ∈ Rm, A ∈ Rn×n, B ∈ Rn×m, and t ∈ R+0 .

Definition (Input-to-state stability)

A linear control system (Rn,Rm,A,B) is said to be input-to-state stable (ISS) whenthere exist constants κ, λ, ρ ∈ R+ such that for any x ∈ Rn, any ν ∈ U , and any t ∈ R+

0 ,the following inequality is satisfied:

‖ξx,ν(t)‖ ≤ κe−λt‖x‖+ ρ‖ν‖.

Although we work with control systems in discrete-time we will use the samplingtime τ as a design parameter. Therefore, we need to recall continuous-timecontrol systems and the corresponding stability properties.

ddtξ = Aξ + Bν (4)

with ξ(t) ∈ Rn, ν(t) ∈ Rm, A ∈ Rn×n, B ∈ Rn×m, and t ∈ R+0 .

A linear control system (Rn,Rm,A,B) is said to be input-to-state stable (ISS) whenthere exist constants κ, λ, ρ ∈ R+ such that for any x ∈ Rn, any ν ∈ U , and any t ∈ R+

0 ,the following inequality is satisfied:

A linear control system (Rn,Rm,A,B) is said to be input-to-state stable (ISS) whenthere exist constants κ, λ, ρ ∈ R+ such that for any x ∈ Rn, any ν ∈ U , and any t ∈ R+,the following inequality is satisfied:

For linear control systems, ISS provides “self-similarity” among trajectories:

A linear control system (Rn,Rm,A,B) is said to be input-to-state stable (ISS) whenthere exist constants κ, λ, ρ ∈ R+ such that for any x ∈ Rn, any ν ∈ U , and any t ∈ R+,the following inequality is satisfied:

For linear control systems, ISS provides “self-similarity” among trajectories:

3.5 4.0 4.5 5.0 5.5

Approximate finite-state abstractionsA simple construction of abstractions

If trajectories are “self-similar”, why don’t we keep a single trajectory asrepresentative of the infinitely many trajectories starting inside a ball?

2√nη

Approximate finite-state abstractionsFormalizing the simple construction of abstractions

We quantize:

time using the parameter τ ;states using the parameter η;and inputs using the parameter ω.

DefinitionThe system Sτηω(Σ) = (X ,X0,U, - ,Y ,H) associated with a linear controlsystem Σ = (Rn,Rm,A,B) and with quantization parameters τ, η, ω ∈ R+ consists of:

x ∈ Rn | xi = `i2√nη for some `i ∈ Z and i = 1, 2, . . . , n

u ∈ Rm | xi = `i2√nω for some `i ∈ Z and i = 1, 2, . . . ,m

xu- x ′ if ξx,ν : [0, τ ]→ Rn, with ν(t) = u ∈ U for t ∈ [0, τ ], satisfies

‖ξx,ν(τ)− x ′‖ ≤ η;

Y = Rn;

H = ı : X ↪→ Rn.

Approximate finite-state abstractionsFormalizing the simple construction of abstractions

We quantize:

time using the parameter τ ;states using the parameter η;and inputs using the parameter ω.

DefinitionThe system Sτηω(Σ) = (X ,X0,U, - ,Y ,H) associated with a linear controlsystem Σ = (Rn,Rm,A,B) and with quantization parameters τ, η, ω ∈ R+ consists of:

x ∈ Rn | xi = `i2√nη for some `i ∈ Z and i = 1, 2, . . . , n

u ∈ Rm | xi = `i2√nω for some `i ∈ Z and i = 1, 2, . . . ,m

xu- x ′ if ξx,ν : [0, τ ]→ Rn, with ν(t) = u ∈ U for t ∈ [0, τ ], satisfies

‖ξx,ν(τ)− x ′‖ ≤ η;

Y = Rn;

H = ı : X ↪→ Rn.

Approximate finite-state abstractionsISS Lyapunov functions

When is S(Σ) approximately bisimilar to Sτηω(Σ)?

Definition (ISS Lyapunov function)

Let (Rn,Rm,A,B) be a linear control system and consider a function V : Rn → Rsatisfying the following three properties:

1 V is continuous on Rn and smooth on Rn\{0};2 V (x) ≥ 0 for all x ∈ Rn;

3 V (x) = 0 implies x = 0.

The function V is an ISS-Lyapunov function for Σ if there exist constants λ, σ ∈ R+

such that for all x ∈ Rn\{0}, u ∈ Rm, the following inequality holds:

∂V∂x

(Ax + Bu) ≤ −λV (x) + σ‖u‖.

TheoremA linear control system Σ is input-to-state stable iff Σ admits an ISS-Lyapunovfunction.

3 V (x) = 0 implies x = 0.

∂V∂x

(Ax + Bu) ≤ −λV (x) + σ‖u‖.

TheoremA linear control system Σ is input-to-state stable iff Σ admits an ISS-Lyapunovfunction.

3 V (x) = 0 implies x = 0.

∂V∂x

(Ax + Bu) ≤ −λV (x) + σ‖u‖.

TheoremA linear control system Σ is input-to-state stable iff Σ admits an ISS-Lyapunovfunction.Paulo Tabuada (CyPhyLab - UCLA) Formal Methods in CPS DISC Summer School 2015 39 / 55

For linear systems, existence of an ISS-Lyapunov function also implies theexistence of an ISS-Lyapunov function of the form V (x) =

√xT Px for some

P ∈ Rn×n that is:symmetric (PT = P);positive-definite (xT Px > 0 for all x 6= 0).

Moreover, Lyapunov functions of this form satisfy several useful inequalities.

Proposition

Let V : Rn → R+0 be a function of the form V (x) =

√xT Px for some symmetric and

positive-definite P ∈ Rn×n. There exist constants α, α, γ ∈ R+ such that for allx , x ′, x ′′ ∈ Rn, the following inequalities are satisfied:

α‖x‖ ≤ V (x) ≤ α‖x‖,V (x − x ′)− V (x − x ′′) ≤ γ‖x ′ − x ′′‖.

α =√λm(P), α =

√λM (P), γ =

λM (P)√λm(P)

For linear systems, existence of an ISS-Lyapunov function also implies theexistence of an ISS-Lyapunov function of the form V (x) =

√xT Px for some

P ∈ Rn×n that is:symmetric (PT = P);positive-definite (xT Px > 0 for all x 6= 0).

Moreover, Lyapunov functions of this form satisfy several useful inequalities.

Proposition

Let V : Rn → R+0 be a function of the form V (x) =

√xT Px for some symmetric and

positive-definite P ∈ Rn×n. There exist constants α, α, γ ∈ R+ such that for allx , x ′, x ′′ ∈ Rn, the following inequalities are satisfied:

α‖x‖ ≤ V (x) ≤ α‖x‖,V (x − x ′)− V (x − x ′′) ≤ γ‖x ′ − x ′′‖.

α =√λm(P), α =

√λM (P), γ =

λM (P)√λm(P)

Approximate finite-state abstractionsExistence

Theorem

Let Σ = (Rn,Rm,A,B) be a linear control system admiting aa ISS-Lyapunov functionV of the form V (x) =

√xT Px with P ∈ SP(n). For any desired precision ε ∈ R+, for

any desired time quantization τ ∈ R+, for any desired input quantization ω ∈ R+, andfor any space quantization η ∈ R+ satisfying:

η ≤ min{γ−1αε

(1− e−λτ

)− γ−1λ−1σ ω, α−1αε

}, (5)

the relation Rε ⊆ Xτηω × Xτ defined by:

Rε = {(xτηω, xτ ) ∈ Xτηω × Xτ | V (xτ − xτηω) ≤ αε}

is an ε-approximate bisimulation relation between S(Σ) and Sτηω(Σ).

α =√λm(P), α =

√λM (P), γ =

λM (P)√λm(P)

∂V∂x

(Ax + Bu) ≤ −λV (x) + σ‖u‖.

Theorem

(1− e−λτ

)− γ−1λ−1σ ω, α−1αε

}, (5)

If we restrict the computation of Sτηω(Σ) to bounded subsets of Rn and Rm,X and U become finite.

Theorem

(1− e−λτ

)− γ−1λ−1σ ω, α−1αε

}, (5)

What if Σ is not ISS?

We design a preliminary controller rendering Σ ISS.This is a simple task for linear control systems.

Theorem

(1− e−λτ

)− γ−1λ−1σ ω, α−1αε

}, (5)

What if Σ is not ISS? We design a preliminary controller rendering Σ ISS.This is a simple task for linear control systems.

Approximate finite-state abstractionsExample

Consider the linear control system defined by:

[−1 1−8 5

], B =

Since this system is not ISS, we first design the feedback control law:

u = Kx + u′ = 7x1 − 6x2 + u′

rendering the controlled system (Rn,Rm,A + BK ,B) ISS where:

A + BK =

[−1 1−1 −1

Using the function V (x) =√

xT Px with:

16116 1

]as a Lyapunov function we obtain:

γ =17

15, λ =

16−√

, α =1516, α =

Consider the linear control system defined by:

[−1 1−8 5

], B =

Since this system is not ISS, we first design the feedback control law:

u = Kx + u′ = 7x1 − 6x2 + u′

rendering the controlled system (Rn,Rm,A + BK ,B) ISS where:

A + BK =

[−1 1−1 −1

Using the function V (x) =√

xT Px with:

]as a Lyapunov function we obtain:

γ =17

15, λ =

16−√

, α =1516, α =

For simplicity, we assume the only available inputs to be {0,±0.25,±0.5};

If we choose a sampling time τ = 0.25 and a precision ε = 0.1 we concludefrom (5) that η needs to be smaller than 0.017. We choose η =

100 ≈ 0.014 andrestrict Σ to the set [−1, 1]× [−1, 1].We now consider a safety game with specification set:

W = [−0.3,−0.1]× [−0.1, 0.1]

and compute the maximal controlled invariant subset.

-0.30 -0.25 -0.20 -0.15 -0.10

For simplicity, we assume the only available inputs to be {0,±0.25,±0.5};If we choose a sampling time τ = 0.25 and a precision ε = 0.1 we concludefrom (5) that η needs to be smaller than 0.017. We choose η =

100 ≈ 0.014 andrestrict Σ to the set [−1, 1]× [−1, 1].

We now consider a safety game with specification set:

W = [−0.3,−0.1]× [−0.1, 0.1]

-0.30 -0.25 -0.20 -0.15 -0.10

W = [−0.3,−0.1]× [−0.1, 0.1]

-0.30 -0.25 -0.20 -0.15 -0.10

W = [−0.3,−0.1]× [−0.1, 0.1]

-0.30 -0.25 -0.20 -0.15 -0.10

Consider now the specification requiring a periodic orbit visiting the points(−0.2, 0) and (0.2, 0).

-0.3 -0.2 -0.1 0.1 0.2 0.3

Consider now the specification requiring a periodic orbit visiting the points(−0.2, 0) and (0.2, 0).

-0.3 -0.2 -0.1 0.1 0.2 0.3

Approximate finite-state abstractionsExtensions of the main result

How about more general classes of systems?

The main result also holds for switched linear systems with a common ISSLyapunov function.When a common ISS Lyapunov function does not exist, we can imposedwell time requirements as part of the specification.The main result also holds for nonlinear systems but one has to useincremental ISS instead of ISS. For linear systems:incremental ISS=ISS=asymptotic stability.The main result also holds for switched nonlinear systems with theprevious provisos.The main result also holds for all the above classes in the presence ofdisturbances in the differential equation, e.g., ξ = f (ξ, ν, δ). In this case weobtain an approximate alternating bisimulation.

What if we cannot or do not want to design a preliminary controller enforcingISS?

Under a suitably modified construction, we can still compute a finite-stateabstraction Sτηω(Σ) satisfying Sτηω(Σ) �εAS S(Σ) �εS Sτηω(Σ).

The main result also holds for switched linear systems with a common ISSLyapunov function.

When a common ISS Lyapunov function does not exist, we can imposedwell time requirements as part of the specification.The main result also holds for nonlinear systems but one has to useincremental ISS instead of ISS. For linear systems:incremental ISS=ISS=asymptotic stability.The main result also holds for switched nonlinear systems with theprevious provisos.The main result also holds for all the above classes in the presence ofdisturbances in the differential equation, e.g., ξ = f (ξ, ν, δ). In this case weobtain an approximate alternating bisimulation.

The main result also holds for switched linear systems with a common ISSLyapunov function.When a common ISS Lyapunov function does not exist, we can imposedwell time requirements as part of the specification.

The main result also holds for nonlinear systems but one has to useincremental ISS instead of ISS. For linear systems:incremental ISS=ISS=asymptotic stability.The main result also holds for switched nonlinear systems with theprevious provisos.The main result also holds for all the above classes in the presence ofdisturbances in the differential equation, e.g., ξ = f (ξ, ν, δ). In this case weobtain an approximate alternating bisimulation.

The main result also holds for switched linear systems with a common ISSLyapunov function.When a common ISS Lyapunov function does not exist, we can imposedwell time requirements as part of the specification.The main result also holds for nonlinear systems but one has to useincremental ISS instead of ISS. For linear systems:incremental ISS=ISS=asymptotic stability.

The main result also holds for switched nonlinear systems with theprevious provisos.The main result also holds for all the above classes in the presence ofdisturbances in the differential equation, e.g., ξ = f (ξ, ν, δ). In this case weobtain an approximate alternating bisimulation.

The main result also holds for switched linear systems with a common ISSLyapunov function.When a common ISS Lyapunov function does not exist, we can imposedwell time requirements as part of the specification.The main result also holds for nonlinear systems but one has to useincremental ISS instead of ISS. For linear systems:incremental ISS=ISS=asymptotic stability.The main result also holds for switched nonlinear systems with theprevious provisos.

The main result also holds for all the above classes in the presence ofdisturbances in the differential equation, e.g., ξ = f (ξ, ν, δ). In this case weobtain an approximate alternating bisimulation.

Lecture plan

Models for CPS

A preview of PESSOA

Application to ACC

Adaptive Cruise ControlWhat is Adaptive Cruise Control?

Two distinct modes of operation:

1 regulate velocity in the absence of a lead car;2 otherwise regulate headway (distance) to the lead car.

Two sources of requirements:

1 International Standard ISO 15622;2 European New Car Assessment Program (Euro NCAP).

Adaptive Cruise ControlQuick review of Linear Temporal Logic

Linear Temporal Logic (LTL) is becoming the standard formalism to specifyformal properties in academia and industry2;

We will work in discrete-time, i.e., we view the temporal evolution of physicalquantities as a map x : N→ Rn.

For ACC the physical quantities of interest are headway, denoted by h, and velocity,denoted by v . Hence, x(t) = (h(t), v(t)) ∈ R2.

An atomic proposition p is a subset of Rn. We say that a state x(t) at time tsatisfies p if x(t) ∈ p.

In ACC we need to maintain the time headway h/v above or equal to 1 at all time.Hence, a relevant atomic proposition is p = {(h, v) ∈ R2 | h/v ≥ 1}.

We can use the usual propositional connectives (∧, ∨, ¬,⇒) to build formulasfrom atomic propositions, e.g., p ∧ q or p ⇒ q;

We can also use the temporal operators 2 and 3. Intuitively, 2 means alwaysand 3 means eventually.

Maintaining the constraint h/v ≥ 1 all the time can be expressed by the LTL formula2p where p = {(h, v) ∈ R2 | h/v ≥ 1}.

2Property Specification Language (PSL) is used in the hardware industry and has been standardized by IEEE.

Adaptive Cruise ControlLTL specification for ISO 15622

The ISO 15622 standard requires:

h/v shall be greater than or equal to 1s in the presence of a lead car.“When the ACC is active, the vehicle speed shall be controlledautomatically either to maintain a time gap to a forward vehicle, or tomaintain the set speed, whichever speed is lower. The change betweenthese two control modes is made automatically by the ACC system.”

We introduce 2 atomic propositions, M1 (no lead car) and M2 (lead car),describing the mode of operation.

We introduce the atomic proposition S1 = {(h, v) ∈ R2 | h/v ≥ 1} and capturethe first requirement with the formula3 2(S1 ∨M1).

The goal for mode 1 is to track a desired velocity. This can be captured by theformula 2(2M1 ⇒ 32G1) with G1 = {(h, v) ∈ R2 | v ∈ [v−, v+]}.The goal for mode 2 is to enforce a desired time headway τdes and not to exceedthe maximum velocity v+. This can be captured by the formula2(2M2 ⇒ 32G2) with G2 = {(h, v) ∈ R2 | h/v ≥ τdes ∧ v ≤ v+}.

3Since M1 = ¬M2 this formula is equivalent to 2(M2 ⇒ S1).

The goal for mode 1 is to track a desired velocity. This can be captured by theformula 2(2M1 ⇒ 32G1) with G1 = {(h, v) ∈ R2 | v ∈ [v−, v+]}.

The goal for mode 2 is to enforce a desired time headway τdes and not to exceedthe maximum velocity v+. This can be captured by the formula2(2M2 ⇒ 32G2) with G2 = {(h, v) ∈ R2 | h/v ≥ τdes ∧ v ≤ v+}.

Summarizing:

2(S1 ∨M1) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)).

For comfort reasons we constrain the car’s acceleration to the range[−0.3g, 0.2g]. This leads to a new atomic proposition S2 and a revisedspecification:

2((S1 ∨M1) ∧ S2) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)).

Summarizing:

2(S1 ∨M1) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)).

For comfort reasons we constrain the car’s acceleration to the range[−0.3g, 0.2g]. This leads to a new atomic proposition S2 and a revisedspecification:

2((S1 ∨M1) ∧ S2) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)).

Adaptive Cruise ControlDynamics

Recall the specification:

2((S1 ∨M1) ∧ S2) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)) .

In mode M1 (no lead car) the physical dynamics is given by:

mv = Fw − f0 − f1v − f2v2.

In mode M2 (lead car) we have one additional equation governing the evolutionof the headway:

mv = Fw − f0 − f1v − f2v2

h = vL − v

This results in a hybrid system with two modes:

mv = Fw − f0 − f1v − f2v2mv = Fw − f0 − f1v − f2v2

h = vL − vvL = d .

Car cuts in

Car leaves

New lead car

M1: M2:

2((S1 ∨M1) ∧ S2) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)) .

mv = Fw − f0 − f1v − f2v2.

mv = Fw − f0 − f1v − f2v2

h = vL − v

h = vL − vvL = d .

Car cuts in

Car leaves

New lead car

M1: M2:

2((S1 ∨M1) ∧ S2) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)) .

mv = Fw − f0 − f1v − f2v2.

mv = Fw − f0 − f1v − f2v2

h = vL − v

h = vL − vvL = d .

Car cuts in

Car leaves

New lead car

M1: M2:

2((S1 ∨M1) ∧ S2) ∧ 2 ((2M1 ⇒ 32G1) ∧ (2M2 ⇒ 32G2)) .

mv = Fw − f0 − f1v − f2v2.

mv = Fw − f0 − f1v − f2v2

h = vL − v

h = vL − vvL = d .

Car cuts in

Car leaves

New lead car

M1: M2:

Adaptive Cruise ControlExample

Following a car whose velocity is 13m/s. After 15s the lead car changes lane.

Specification requires a time headway ≥ 2.7s and a desired velocity in the range[28, 34]m/s.

In PESSOA we used a discretization of 0.5 for time, 0.5 a state spacediscretization of 0.5, an input space discretization of 0.1, resulting in a precisionof ε = 1.

0 5 10 15 20 25 30 35 40 45 505

Time s

0 5 10 15 20 25 30 35 40 45 500

Time s

Lecture plan

Models for CPS

A preview of PESSOA

Application to ACC

Controller refinementA pictorial description

The refinement process consists in implementing the supervisory commandsissued by the finite-state controller on the physical system.

Current time: tkCurrent physical state: x

Current time: tkCurrent physical state: xCurrent cyber state: q satisfying (x , q) ∈ R

Current time: tkCurrent physical state: xCurrent cyber state: q satisfying (x , q) ∈ RCommand from finite-state controller: u

Current time: tkCurrent physical state: xCurrent cyber state: q satisfying (x , q) ∈ RCommand from finite-state controller: uPhysical input: υ(t) = k(ξx (t), u), t ∈ [tk , tk + τ [

Current time: tk+1 = tk + τCurrent physical state: ξxυ(τ)Current cyber state: q satisfying (x , q) ∈ RCommand from finite-state controller: uPhysical input: υ(t) = k(ξx (t), u), t ∈ [tk , tk + τ [

Current time: tk+1 = tk + τCurrent physical state: ξxυ(τ)Current cyber state: q′ satisfying (ξxυ(τ), q′) ∈ RCommand from finite-state controller: uPhysical input: υ(t) = k(ξx (t), u), t ∈ [tk , tk + τ [

Since the hybrid controller is a formal model for the control software, it is conceptuallysimple to refine it into actual code for a target platform.

∼=ε

References and more details

All the missing details and references can be found in:

Verification and Control of Hybrid Systems: A Symbolic ApproachSpringer, 2009.

For the latest results:http://www.cyphylab.ee.ucla.edu/

The tool PESSOA supports the computation of abstractions, synthesis andrefinement of controllers, and simulation via Simulink.

Acknowledgements:

Students and collaborators;National Science Foundation and DARPA;Alberto Bemporad and Maurice Heemels for inviting me.

Acknowledgements:

formal methods in cps a control perspectivedisc-cps15.imtlucca.it/pdf/tabuada_1.pdf · paulo...

Documents