Post on 21-Dec-2015
Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems
ADPM’2000
Norbert Völker
University of Essex, England
Two Tanks System
[Diagram: two tanks with valves V0, V1, V2 and a level mark L]
Given a controller, verify that the tanks do not overflow and an equilibrium is reached.
The Idea
[Diagram: controllers (PLC languages), plants (differential equations), control loops and requirements are all brought into one Isabelle/HOL model, in which properties and requirements are verified; an ODE solver and a model checker are shown alongside as external tools.]
HOL
• Version of higher order predicate logic designed for mechanical hardware verification.
• Polymorphic type system: , , list, …
• Very expressive due to abstraction and quantification over functions.
• Widely studied and well understood logical system.
• Methodology of embedding other formalisms in HOL, for example subsets of VHDL and Java.
Isabelle/HOL
• Popular, interactive HOL theorem proving assistant.
• Stresses logical safety - avoidance of inconsistency.
• Supports safe theory extension by definitions, data types, primitive recursive functions, ...
• Comes with libraries: nat, int, real, set, ...
• Open and extendible.
• Proof results from external tools can be imported via oracles.
Discrete Components in HOL
[Diagram: a stream function f turning an input stream a a a a ... into an output stream b b b b ...]
stream = ( )
f :: stream stream
causal f = g. n x. take n (f x) = g (take n x)
Examples: stream operators, LTL operators; transition systems, automata
Real Time
clock = ( )
constant T :: clock
[Timeline: the clock values T 1, T 2, T 3, ... marked on the real line]
Clocks are strictly monotonic, unbounded and start at 0.
Conceptual clocks: the cycle duration can vary.
Function Blocks in HOL
• IEC 61131-3 PLC programming languages Structured Text (ST) and Sequential Function Charts (SFC)
• Function blocks written in an idealised subset of ST/SFC are mapped to automata in HOL.
• Mapping is similar to writing an interpreter in a functional programming language.
• Automata are not executed - size is not important as long as there is a compact representation in HOL.
• The HOL embedding defines a semantics.
A Verifiable Subset of ST
• Restriction to function block level: no configurations, resources, tasks or scheduling
• Omission of absolute, global, reference or retentive variables.
• Reactive model: actions are atomic
• Idealised data types: Int, Bool, String, records, arrays
• Disregard of implementation limitations.
• Function block invocation has no side effects!
Real Analysis in Isabelle/HOL
• Axiomatic type class V of finite-dimensional, normed vector spaces over
• Limits, continuity, differentiation
• Type flow = ( )
• Differentiation operator D:: (:: V ) flow flow
• Lots of elementary lemmas and theorems.
• Currently no integration, exp, sqrt, ln, sin, …
• Currently 17 K theory files, 95 K proof code files.
Differential Systems in HOL
• A differential system (f,x0) without input is a transition system diffsys = ([, ] ) where f is continuous and :: V.
• Behaviour is given by the solution of the associated differential equation
bhvD :: diffsys flow
bhvD (f, x0) = ( g. g 0 = x0 D g = f g)
where the binder in front of g is Hilbert's choice operator.
• This does not mean we have solved the ODE.
Plants in HOL
[Diagram: plant F mapping an input stream to an output flow]
F :: stream flow
causal F
Transition systems (f,y0)
f :: [, ] , y0 ::
a. continuous (f a)
g 0 = bhvD (f (x 0), y0)
g (n+1) = bhvD (f (x (n+1)), g n (T (n+1)))
[Diagram: the flow segments g 0, g 1, g 2, g 3, g 4, one per clock cycle]
A Control Loop in HOL
[Diagram: feedback loop closing the controller ttc and the plant ttp; ttc emits the three boolean valve commands B B B and ttp returns the measured stream]
tt = feedback (ttp ttc) 4,4 0
ttc :: stream (B B B) stream
ttp :: (B B B) stream ( ) stream
Verification
• Use standard Isabelle proof strategies and tools:
– induction, case distinctions, algebraic manipulation
– conditional term rewriting
– proof search algorithms
• Problems:
– command line user interface
– still relatively low level of proofs
– real number library not well developed yet
– algebraic manipulation often cumbersome
– few decision procedures
– analytically intractable systems remain intractable in HOL
What’s There
• HOL models of automata, stream operators, LTL operators, PLC language subsets, differential and hybrid systems.
• The beginnings of a HOL Real Analysis library.
• Small verification examples (standard function blocks, traffic light, container control)
• Strong points:
– Compositional model of hybrid systems as causal functions on streams and flows.
– Verification lemmas yield understanding
– Trustworthiness of Isabelle/HOL
What’s Missing
• Models of bigger / more faithful PLC language subsets
• More automation of HOL modelling and proofs
• Connection to other tools
• A better theorem prover front-end.
• Comprehensive Real Analysis and Control theory libraries
• Bigger examples
• Verification of function block libraries
• An answer to: What contribution can HOL make?
Questions or Comments?
Transition Systems in HOL
(,) trsys = ([, ] )
bhvT :: [(,) trsys, stream ] stream
bhvT (f,y0) x 0 = y0
bhvT (f,y0) x (n+1) = f (x n) (bhvT (f,y0) x n)
Theorem: causal bhvT
Automata in HOL
(,,) automaton = (, ) trsys ([, ] )
bhvA :: [(,, ) automaton, stream ] stream
bhvA (S,w) x n = w (x n) (bhvT S x n)
Theorem: causal bhvA
SFC Controller
[SFC diagram: steps S0 (Start) to S4; transitions guarded by T1 S1.T, T2 S2.T, Level L and L Level; step actions set (S) or reset (R) the valves V0, V1, V2; block inputs level and time, block outputs V0, V1, V2 of type bool]
Controller in HOL
ttc_autom :: ( , , BBB) automaton
ttc_autom = ((ttc_tf, (0,0)), ttc_outf )
ttc_tf :: [ , ]
ttc_tf (level, t) (step, t0) =
  if step = 0 then (1, t)
  else if step = 1 T1 t t0 then (2, t)
  else if step = 2 T2 t t0 then (3, t)
  else if step = 3 Level L then (4, t)
  else if step = 4 Level L then (3, t)
  else (step, t0)
Controller in HOL (continued)
ttc_outf :: [ , ] B B B
ttc_outf (level, t) (step, t0) =
  if step = 0 then (False, False, False)
  else if step = 1 then (True, False, False)
  else if step = 2 then (True, True, False)
  else if step = 3 then (True, True, True)
  else (True, False, False)
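As an added example (not code from the slides or from the author's Isabelle theories), the following Python model makes the transition-system and automaton definitions (bhvT, bhvA, causal) and the two-tanks controller ttc_autom executable on finite stream prefixes, which is exactly what `take n` looks at. The values of T1, T2 and L, the comparison operators of ttc_tf (lost in the transcript) and the input prefix are assumptions.

```python
# Constants the slides leave symbolic; the values here are constructed.
T1, T2, L = 2.0, 3.0, 10.0

def bhvT(S, xs):
    """Transition system (f, y0): y 0 = y0 and y (n+1) = f (x n) (y n)."""
    f, y0 = S
    ys, y = [], y0
    for xn in xs:
        ys.append(y)
        y = f(xn, y)
    return ys

def bhvA(A, xs):
    """Automaton (S, w): output n = w (x n) (bhvT S x n)."""
    S, w = A
    return [w(xn, yn) for xn, yn in zip(xs, bhvT(S, xs))]

def causal_on(F, xs):
    """take n (F x) must be fixed by take n x, for every prefix length n of xs."""
    full = F(xs)
    return all(full[:n] == F(xs[:n])[:n] for n in range(len(xs) + 1))

# ttc_tf from the slide; input (level, t), state (step, t0).  The comparison
# operators were lost in the transcript and are assumed here: timers elapse
# when T1/T2 <= t - t0, step 3 -> 4 when level >= L, step 4 -> 3 when level < L.
def ttc_tf(inp, st):
    level, t = inp
    step, t0 = st
    if step == 0:
        return (1, t)
    if step == 1 and T1 <= t - t0:
        return (2, t)
    if step == 2 and T2 <= t - t0:
        return (3, t)
    if step == 3 and level >= L:
        return (4, t)
    if step == 4 and level < L:
        return (3, t)
    return (step, t0)

def ttc_outf(inp, st):
    """Valve commands (V0, V1, V2) for the active step, as on the slide."""
    table = {0: (False, False, False), 1: (True, False, False),
             2: (True, True, False), 3: (True, True, True)}
    return table.get(st[0], (True, False, False))

ttc_autom = ((ttc_tf, (0, 0.0)), ttc_outf)

# Constructed input prefix: conceptual clock t = n, level samples as listed.
SAMPLE = [(lv, float(n)) for n, lv in enumerate([0, 0, 0, 0, 0, 4, 8, 12, 11, 9, 12])]
```

`bhvA(ttc_autom, SAMPLE)` yields the valve commands cycle by cycle, and `causal_on` confirms that the first n outputs never depend on inputs beyond the first n, which is the causality theorem the slides state for bhvT and bhvA.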
General Hybrid Systems
g :: [ stream, flow] stream flow
causal g
[Diagram: general hybrid system g taking a stream and a flow as inputs and producing a stream and a flow as outputs]