Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems

ADPM’2000

Norbert Völker

University of Essex, England

Two Tanks System

V0

V2V1

L

Given a controller, verify that the tanks do not overflow and an equilibrium is reached.

Controllers

PLC Languages

Plants

Differential Equations

Control Loops

Requirements

Isabelle/HOL model

verify propertiesand requirements

The Idea

ODE solverModel checker

HOL

• Version of higher order predicate logic designed for

mechanical hardware verification.

• Polymorphic type system: , , list, …

• Very expressive due to abstraction and quantification

over functions.

• Widely studied and well understood logical systems.

• Methodology of embedding other formalisms in HOL,

for example subsets of VHDL and Java.

Isabelle/HOL

• Popular, interactive HOL theorem proving assistant.

• Stresses logical safety - avoidance of inconsistency.

• Supports safe theory extension by definitions, data types, primitive recursive functions, ...

• Comes with libraries: nat, int, real, set, .... • Open and extendible• Proof results from external tools can be imported

via oracles.

Discrete Components in HOL

f

stream = ( )

f :: stream stream

causal f = g. n x. take n (f x) = g (take n x)

stream operators, LTL operators

transition systems, automata

a a a a

b b b b

Real Time

clock = ( )

constant T :: clock

T T 1 T 2 T 3

Clocks are strictly monotonous, unbounded and start at 0.Conceptual clocks - cycle duration can vary

Function Blocks in HOL

• IEC 61131-3 PLC programming languages Structured Text (ST) and Sequential Function Charts (SFC)

• Function blocks written in an idealised subset of ST/SFC are mapped to automata in HOL.

• Mapping is similar to writing an interpreter in a functional programming language.

• Automata are not executed - size is not important as long as there is a compact representation in HOL.

• The HOL embedding defines a semantics.

A Verifiable Subset of ST

• Restriction to function block level: no configurations, resources, tasks or scheduling

• Omission of absolute, global, reference or retentive variables.

• Reactive model: actions are atomic• Idealised data types: Int, Bool, String, records,

arrays• Disregard of implementation limitations.• Function block invocation has no side effects!

Real Analysis in Isabelle/HOL

• Axiomatic type class V of finite-dimensional, normed vector spaces over

• Limits, continuity, differentiation• Type flow = ( )

• Differentiation operator D:: (:: V ) flow flow

• Lots of elementary lemmas and theorems.• Currently no integration, exp, sqrt, ln, sin, …• Currently 17 K theory files, 95 K proof code files.

Differential Systems in HOL

• A differential system (f,x0) without input is a transition system

diffsys = ([, ] ) where f is continuous and :: V.

• Behaviour is given by the solution of the associated differential equation

bhvD :: diffsys flow bhvD (f, x0) = ( g. g 0 = x0 D g = f g)

where is Hilbert’s choice operator. • This does not mean we have solved the ODE.

Plants in HOL

F

F :: stream flow

causal F

Transition systems (f,y0)

f :: [, ] , y0 ::

a. continuous (f a)

g 0 = bhvD (f (x 0), y0)

g (n+1) = bhvD (f (x (n+1),

g n (T (n+1)))

g 0 g 1 g 2 g 3 g 4

A Control Loop in HOL

ttc ttpB B B

4,4

tt = feedback (ttp ttc) 4,4 0

ttc :: stream (B B B) stream

ttp :: (B B B) stream ( )

stream

Verification

• Use standard Isabelle proof strategies and tools:– induction, case distinctions, algebraic manipulation

– conditional term rewriting

– proof search algorithms

• Problems:– command line user interface

– still relatively low level of proofs

– real number library not well developed yet

– algebraic manipulation often cumbersome

– few decision procedures

– analytically intractable systems remain intractable in HOL

What’s There

• HOL models of automata, stream operators, LTL operators, PLC language subsets, differential and hybrid systems.

• The beginnings of a HOL Real Analysis library. • Small verification examples (standard function

blocks, traffic light, container control) • Strong points:

– Compositional model of hybrid systems as causal functions on stream and flows.

– Verification lemmas yield understanding – Trustworthiness of Isabelle/HOL

What’s Missing

• Models of bigger/ more faithful PLC language subsets

• More automation of HOL modelling and proofs• Connection to other tools• A better theorem prover front-end.• Comprehensive Real Analysis and Control theory

libraries• Bigger examples • Verification of function block libraries• An answer to: What contribution can HOL make?

Questions or

Comments?

Transition Systems in HOL

(,) trsys = ([, ] ) bhvT :: [(,) trsys, stream ] stream

bhvT (f,y0) x 0 = y0

bhvT (f,y0) x (n+1) = f (x n) (bhvT (f,y0) x n)

Theorem: causal bhvT

Automata in HOL

(,,) automaton = (, ) trsys ([, ] )

bhvA :: [(,, ) automaton, stream ] stream

bhvA (S,w) x n = w (x n) (bhvT S x n)

Theorem: causal bhvA

SFC ControllerS0

S1

S2

S3

S4 R

S

S

S

Start

T1 S1.T

T2 S2.T

Level L

L Level

V0

V2

V2

V1

bool

bool

bool level

time

V0

V1

V2

Controller in HOL

ttc_autom :: ( , , BBB) automaton

ttc_autom = ((ttc_tf, (0,0)), ttc_outf )

ttc_tf :: [ , ] ttc_tf (level, t) (step, t0) =

if step = 0 then (1,t)else if step = 1 T1 t t0 then (2,t)else if step = 2 T2 t t0 then (3,t)else if step = 3 Level L then (4,t)else if step = 4 Level L then (3,t)else (step, t0 )

Controller in HOL (continued)

ttc_outf :: [ , ] B B B

ttc_outf (level, t) (step, t0) =

if step = 0 then (False,False,False)else if step = 1 then (True, False, False)else if step = 2 then (True, True, False)else if step = 3 then (True, True, True)else (True, False, False)

General Hybrid Systems

g :: [ stream, flow] stream flow

causal g

g