
Automatic Verification of Control System Implementations

Adolfo Anta1,2, Rupak Majumdar3,4, Indranil Saha3 and Paulo Tabuada3

1Max Planck Institute for Dynamics of Complex Technical Systems

2TU Berlin

3University of California Los Angeles

4Max Planck Institute for Software Systems

EMSOFT 2010, October 25, 2010

EMSOFT 2010 Anta, Majumdar, Saha, Tabuada Automatic Verification of Control System Implementations 1/24

Applications of Control Systems

(Slide of application pictures.) These systems are mostly life-critical or mission-critical.

Control Software Development Flow

Block diagram of the current flow: Mathematical Model of Physical System → (Control Design) → Closed-loop System Model in Simulink/Stateflow → (Code Generation) → Floating-point C Code → (Floating-point to Fixed-point Code Converter) → Fixed-point C Code → (Integration) → Control System.

Control Software Development Flow

The same diagram (Mathematical Model of Physical System → Control Design → Closed-loop System Model in Simulink/Stateflow → Code Generation → Floating-point C Code → Floating-point to Fixed-point Code Converter → Fixed-point C Code → Integration → Control System), now with two checks marked: Simulation for Performance and Mathematical Analysis of Stability.

Semantic Gap between Mathematical Controller and Software Implementation

Automatic code generators are not certified.

Sensor and actuator errors.

Limited-precision arithmetic.

It is often unclear whether the implemented system exhibits the same behavior as the mathematical model.

Control Software Development Flow

The same diagram again, with the checks used in current practice marked: Code-level Simulation, System-level Simulation, and Stability Analysis.

Limitations of Simulation

Simulation can find bugs, but it cannot guarantee correctness.

It does not take into account any knowledge of the mathematical properties of the control system.

Proposed Control Software Development Flow

The same chain (Mathematical Model of Physical System → Control Design → Closed-loop System Model in Simulink/Stateflow → Code Generation → Floating-point C Code → Floating-point to Fixed-point Code Converter → Fixed-point C Code → Integration → Control System), with the checks now being Simulation, Mathematical Analysis, and a Formal Stability Analysis Tool applied to the fixed-point C code (the contribution of this talk).

Model of a Control System

Block diagram of the feedback loop: Plant, Controller, and Sensor/Actuator blocks, with the Desired Behavior as the reference input to the loop.

Stability of a Control System

(Same block diagram: Plant, Controller, Sensor/Actuator, Desired Behavior.)

Stability: the physical plant converges to the desired behavior under the actions of the controller.

Different Sources of Implementation Error

Fact: when we implement the controller in software, we introduce error in the output of the controller due to

large sampling time,

sensor and actuator error (noise, saturation, quantization, ...),

limited-precision arithmetic.

Question: what is the effect of the implementation error on the stability of a control system?

Effect of Implementation Error on Stability

Linear control system. If $\gamma_C$ is the $L_2$ gain of a linear control system and $b_e$ is a bound on the implementation error $e$, then the implementation guarantees that the output trajectories of the controlled system asymptotically converge to the set of outputs $y \in \mathbb{R}^n$ satisfying

$$\|y\| \le \gamma_C \, b_e .$$

For a linear control system

$$\dot{\xi} = A\xi + B\upsilon, \qquad y = C\xi,$$

where $\upsilon$ is the input to the plant, $\gamma_C$ can be calculated using classical control theory:

$$\gamma_C = \max_{\psi \in [0, 2\pi[} \left\| C \left( e^{i\psi} 1_{n \times n} - A \right)^{-1} B \right\| .$$

Here $\|\cdot\|$ is the induced 2-norm (largest singular value). The expression above, with $e^{i\psi}$ on the unit circle, is the $H_\infty$ norm of the discrete-time (sampled) model; for the continuous-time model one takes the supremum over $\omega \in \mathbb{R}$ of $\| C (i\omega\, 1_{n \times n} - A)^{-1} B \|$.
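The $\gamma_C$ formula above, worked through as an added example in Python (this is not code from the paper or from Costan). The plant matrices are a constructed two-state toy, `b_e = 0.01` is a hypothetical error bound, and the system is single-input single-output so the induced norm reduces to the modulus of the scalar frequency response:

```python
"""Added example for slide 12 (not from the paper or Costan): evaluate
    gamma_C = max_{psi in [0, 2pi)} || C (e^{i psi} I - A)^{-1} B ||
on a grid of psi for a discrete-time SISO system, where the induced norm is just the
modulus of the scalar frequency response, and turn an error bound b_e into the radius
gamma_C * b_e of the output set. The plant below is a constructed two-state toy."""
import cmath
import math


def solve_complex(M, rhs):
    """Solve M x = rhs for a square complex matrix M (Gauss-Jordan, partial pivoting)."""
    n = len(M)
    aug = [list(row) + [rhs[i]] for i, row in enumerate(M)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def frequency_response(A, B, C, psi):
    """G(e^{i psi}) = C (e^{i psi} I - A)^{-1} B for a column B and a row C."""
    n = len(A)
    z = cmath.exp(1j * psi)
    M = [[(z if i == j else 0.0) - A[i][j] for j in range(n)] for i in range(n)]
    x = solve_complex(M, [b[0] for b in B])        # x = (zI - A)^{-1} B
    return sum(c * xi for c, xi in zip(C[0], x))


def l2_gain(A, B, C, steps=4096):
    """gamma_C over a uniform grid of psi in [0, 2pi). A grid can only under-estimate
    the true maximum: a lightly damped mode gives a narrow resonance peak that a coarse
    grid straddles, so increase `steps` until the value stops changing (or use a
    proper H-infinity norm routine)."""
    return max(abs(frequency_response(A, B, C, 2 * math.pi * k / steps))
               for k in range(steps))


def output_set_radius(gamma_c, b_e):
    """Radius of the set the outputs converge to: ||y|| <= gamma_C * b_e (slide 12)."""
    return gamma_c * b_e


# Constructed toy plant: two stable real poles, G(z) = 1/(z - 0.5) + 1/(z - 0.8).
# Both terms peak at z = 1 (psi = 0) with the same phase, so gamma_C = 2 + 5 = 7 exactly.
A_TOY = [[0.5, 0.0], [0.0, 0.8]]
B_TOY = [[1.0], [1.0]]
C_TOY = [[1.0, 1.0]]

if __name__ == "__main__":
    gamma = l2_gain(A_TOY, B_TOY, C_TOY)
    b_e = 0.01   # hypothetical implementation-error bound, e.g. from slide 18's algorithm
    print("gamma_C =", round(gamma, 6))
    print("outputs converge to ||y|| <=", round(output_set_radius(gamma, b_e), 6))
```

For the continuous-time model $\dot{\xi} = A\xi + B\upsilon$ the same code applies with $z = i\omega$ over a grid of real $\omega$ (wide enough to cover every resonance) instead of $e^{i\psi}$; for multi-input or multi-output systems the norm is the largest singular value of the response matrix, not the modulus.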

Effect of Implementation Error on Stability

Nonlinear control systems. For a nonlinear system

$$\frac{d}{dt}\xi = f(\xi, \upsilon)$$

with a feedback controller of the form

$$\upsilon = k(\xi),$$

the effect of the implementation error $e$ is computed using an ISS Lyapunov function $V$ and the following constraint from robust control theory:

$$\frac{\partial V}{\partial x}\, f\big(x, k(x) + e\big) \le -\lambda V(x) + \sigma \|e\|^2 .$$

The trajectories of the controlled system are guaranteed to converge to the set of states $x$ defined by $V(x) \le (\sigma/\lambda)\, b_e$: whenever $V(x)$ exceeds this level the right-hand side of the inequality is negative, so $V$ decreases along the trajectory until the set is entered. For this, $b_e$ must bound $\|e\|^2$; if $b_e$ bounds $\|e\|$ instead, the set is $V(x) \le (\sigma/\lambda)\, b_e^2$.

The values of $\sigma$ and $\lambda$ can be found using Sum of Squares (SoS) optimization.

Finding the Bound on Implementation Error

Fact: typical embedded controller implementations use sampling periods in the millisecond to microsecond range, so quantization error dominates the sampling error. Bounds on the errors arising from sensors and actuators are available from the sensor and actuator specifications.

Question: how do we calculate a bound on the implementation error due to quantization?

Effect of Quantization Error on Stability

Example: vehicle steering. The control objective is to make the vehicle stable parallel to the x-axis at a distance of d meters from it.

Block diagram on the slide: a Reference Input feeds two copies of the loop, one with a Double Precision Implementation of Controller and one with a Fixed-point Implementation of Controller, each driving a Plant; a Subtract block takes the difference of the two plant outputs (Out) and the result is shown as the Error.

Example of Controller Program

Control law: u = 0.81 × (x1 − x2) − 1.017 × ref

Real-valued program:

    // Input variables
    real In1;
    real In2;
    real In3;

    // Intermediate variables
    real Subtract;
    real Gain;
    real Gain2;

    // Output variables
    real Out1;

    static void output(void) {
        Subtract = In1 - In2;
        Gain = 0.81 * Subtract;
        Gain2 = 1.017 * In3;
        Out1 = Gain - Gain2;
    }

Fixed-point implementation (16-bit); fixdt(1,16,f) denotes a signed 16-bit word with f fractional bits:

    // Input variables
    short int In1;   // range: [0, 100],  fixdt(1,16,8)
    short int In2;   // range: [50, 110], fixdt(1,16,8)
    short int In3;   // range: [-10, 50], fixdt(1,16,9)

    // Intermediate variables
    short int Subtract;  // fixdt(1,16,8)
    short int Gain;      // fixdt(1,16,8)
    short int Gain2;     // fixdt(1,16,9)

    // Output variables
    short int Out1;      // fixdt(1,16,8)

    static void output(void) {
        Subtract = (short int)(In1 - In2);
        Gain = (short int)((26542 * Subtract) >> 15);    // 0.81 ~ 26542 / 2^15, result in Q8
        Gain2 = (short int)((16663 * In3) >> 14);        // 1.017 ~ 16663 / 2^14, result in Q9
        Out1 = (short int)(((Gain << 1) - Gain2) >> 1);  // align Gain to Q9, subtract, back to Q8
    }

Calculating the Bound on Quantization Error

Inputs:

A real-valued polynomial function $u = k(y)$.

A program $K$ implementing $k$ using finite-precision arithmetic.

A range $[y_{min}, y_{max}]$ for $y$.

Question: how far can the value $k(y)$ be from the output $K(\hat{y})$ when $y$ is chosen from the range $[y_{min}, y_{max}]$ and $\hat{y}$ is the closest representation of $y$ in the finite-precision implementation of real numbers?

Algorithm

Construct the strongest postcondition $SP(K)(\hat{y}, \hat{u})$ of the function $K$, i.e. the relation between its input $\hat{y}$ and its output $\hat{u}$.

Set up the conjunction of constraints
$y \in [y_{min}, y_{max}]$, $\quad |y - \hat{y}| \le \delta$, $\quad u = k(y)$, $\quad SP(K)(\hat{y}, \hat{u})$.

Ask: what is the maximum of $|u - \hat{u}|$ under these constraints?

The problem can be solved by a bisection optimization method using off-the-shelf decision procedures: each query "is there an assignment satisfying the constraints with $|u - \hat{u}| > b$?" is a decision problem, and bisection on $b$ converges to the bound.
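The controller of slide 16 and the error-bound question of slides 17-18, worked as an added example in Python (this is not the authors' Costan code and does not use an SMT solver). It transcribes the 16-bit program into exact integer arithmetic, compares it with the real-valued law, and derives a sound bound on $|k(y) - K(\hat{y})|$ over the declared input ranges by per-operation error propagation; it also checks whether the declared Out1 format can hold the real output at the corners of the declared ranges. The input ranges, formats and coefficients are the slide's; the check functions and their names are this example's own:

```python
"""Added example for slides 16-18 (not the authors' Costan code): the 16-bit
vehicle-steering controller of slide 16 in exact integer arithmetic, compared with
the real-valued control law, plus a sound bound on |k(y) - K(y_hat)| over the declared
input ranges obtained by per-operation error propagation rather than by the
decision-procedure bisection the slides describe."""
import math
import random

# Declared input ranges and formats from slide 16; fixdt(1,16,f) = signed, 16 bits,
# f fractional bits.
RANGES = {"In1": (0.0, 100.0), "In2": (50.0, 110.0), "In3": (-10.0, 50.0)}
FRAC = {"In1": 8, "In2": 8, "In3": 9, "Out1": 8}
K_GAIN, K_GAIN2 = 0.81, 1.017  # coefficients of u = 0.81 (x1 - x2) - 1.017 ref


def to_int16(v):
    """The C (short int) cast: wrap modulo 2^16 into [-32768, 32767]."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v


def quantize(x, frac):
    """Nearest representable code of real x with `frac` fractional bits."""
    return math.floor(x * (1 << frac) + 0.5)


def controller_real(x1, x2, ref):
    """k(y): the real-valued control law."""
    return K_GAIN * (x1 - x2) - K_GAIN2 * ref


def controller_fixed(in1, in2, in3):
    """K(y_hat): slide 16's fixed-point program on integer codes. Python's >> floors
    negative ints (arithmetic shift), which is what mainstream C compilers do for
    signed operands; the C standard leaves it implementation-defined."""
    subtract = to_int16(in1 - in2)                # Q8 - Q8 -> Q8, exact
    gain = to_int16((26542 * subtract) >> 15)     # 0.81 ~ 26542/2^15; Q23 -> Q8
    gain2 = to_int16((16663 * in3) >> 14)         # 1.017 ~ 16663/2^14; Q23 -> Q9
    return to_int16(((gain << 1) - gain2) >> 1)   # Q8 -> Q9, subtract, -> Q8


def stage_errors():
    """Exact worst-case error, in real units, of the two multiply-and-shift stages,
    enumerated over every code their operand can take within the declared ranges."""
    lo = quantize(RANGES["In1"][0] - RANGES["In2"][1], FRAC["In1"])
    hi = quantize(RANGES["In1"][1] - RANGES["In2"][0], FRAC["In1"])
    gain_err = max(abs(((26542 * s) >> 15) / 256 - K_GAIN * s / 256)
                   for s in range(lo, hi + 1))
    lo3, hi3 = (quantize(v, FRAC["In3"]) for v in RANGES["In3"])
    gain2_err = max(abs(((16663 * r) >> 14) / 512 - K_GAIN2 * r / 512)
                    for r in range(lo3, hi3 + 1))
    return gain_err, gain2_err


def sound_error_bound():
    """Upper bound on |k(y) - K(y_hat)|: input rounding (half an LSB per input) pushed
    through the real law, plus both stage errors, plus the final >>1 (half a Q8 LSB)."""
    input_term = (K_GAIN * (2.0 ** -(FRAC["In1"] + 1) + 2.0 ** -(FRAC["In2"] + 1))
                  + K_GAIN2 * 2.0 ** -(FRAC["In3"] + 1))
    gain_err, gain2_err = stage_errors()
    return input_term + gain_err + gain2_err + 2.0 ** -(FRAC["Out1"] + 1)


def output_range():
    """Min and max of the real-valued u over the declared box (affine law: corners)."""
    corners = [controller_real(a, b, c)
               for a in RANGES["In1"] for b in RANGES["In2"] for c in RANGES["In3"]]
    return min(corners), max(corners)


def output_fits_format():
    """Can Out1's declared fixdt(1,16,8), i.e. [-128, 128 - 2^-8], hold every real
    output? If not, the (short int) cast wraps there and no quantization bound applies."""
    lo, hi = output_range()
    return lo >= -128.0 and hi <= 128.0 - 2.0 ** -FRAC["Out1"]


def sampled_max_error(n=20000, seed=1):
    """What simulation alone sees: the largest error over n random inputs whose real
    output lies inside the Out1 format with a 0.1 margin. This is only a lower bound
    on the worst case; sound_error_bound() is an upper bound on it."""
    rng = random.Random(seed)
    worst = 0.0
    while n > 0:
        x1, x2, ref = (rng.uniform(*RANGES[k]) for k in ("In1", "In2", "In3"))
        u = controller_real(x1, x2, ref)
        if not -127.9 <= u <= 127.9:
            continue
        n -= 1
        codes = (quantize(x1, 8), quantize(x2, 8), quantize(ref, 9))
        worst = max(worst, abs(u - controller_fixed(*codes) / 2 ** FRAC["Out1"]))
    return worst


if __name__ == "__main__":
    print("real output range:", output_range(), "fits Out1 format:", output_fits_format())
    print("sound error bound:", sound_error_bound())
    print("largest error in 20000 random simulations:", sampled_max_error())
```

Two things the run shows. First, random simulation always reports a smaller error than the propagated bound, which is the point of slide 7: a test campaign gives no guarantee about the worst case. Second, with the ranges exactly as printed on slide 16, the corner In1 = 0, In2 = 110, In3 = 50 gives u ≈ −139.95, which is outside the [−128, 128) range of fixdt(1,16,8), so the final (short int) cast would wrap there; whether that corner is reachable for the actual vehicle is not something the slide states, but it is the kind of range check a verification tool must perform before any quantization bound means anything. The bound computed here is a different calculation from Costan's and is not meant to reproduce the 0.0163 reported on slide 21.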

Stability Analysis Tool: Costan

A tool that automatically computes the error bound of a fixed-point implementation of a control law.

It reduces the error-bound computation problem to a series of decision problems.

Stability Analysis Tool: Costan

Costan supports both linear and nonlinear controllers; for nonlinear controllers, both polynomial implementations and lookup-table-based implementations.

For linear controllers Costan uses the Yices solver [SRI]; for nonlinear controllers it uses the HySAT solver [Fränzle et al.].

For large linear controllers, and for nonlinear controllers implemented as large lookup tables, we adopt a compositional strategy.

Experimental Results

Example                      Error bound   Set size (ρ)   Run time
vehicle steering (16bit)     0.0163        0.0375         1m14.313s
pendulum (16bit)             0.0508        0.1806         2m36.409s
dc motor (16bit)             0.0473        1.0889         2m15.110s
train car - 1 car (32bit)    5e-7          2.6080e-5      3m25.478s
train car - 2 cars (32bit)   1.5e-6        9.4000e-5      5m39.607s
train car - 3 cars (32bit)   8.5e-6        0.0010         9m34.485s
train car - 4 cars (32bit)   3.351e-5      0.0080         10m9.179s
train car - 5 cars (32bit)   1.655e-4      0.0627         20m28.822s
jet engine [poly] (16bit)    4e-3          0.0230         0m0.551s
jet engine [3×8]             6.40          37.0431        0m34.636s
jet engine [5×10]            4.48          25.9296        0m34.293s
jet engine [7×14]            2.73          15.8009        1m6.981s
jet engine [21×21]           1.25          7.2348         18m15.794s
jet engine [21×101]          0.88          5.0933         50m23.127s
jet engine [100×100]         0.33          1.9100         103m19.977s

"[poly]" is the polynomial implementation of the jet-engine controller and "[n×m]" its lookup-table implementation with an n×m table. The set size ρ is the size of the set the trajectories are guaranteed to converge to (slides 12-13); the steady-state deviation is read directly from this column (slide 22).

Interpretation of Results

Example: vehicle steering. The control objective is to make the vehicle stable parallel to the x-axis at a distance d.

If the computed set size for d is r, then in the steady state the vehicle stays between d − r and d + r from the x-axis. For the 16-bit vehicle-steering controller in the table above, r = 0.0375 in the same units as d.

Related Work

Yazarel, Pappas, Girard, Alur (2005) and Nghiem, Pappas, Girard, Alur (2006) characterize the stability/performance gap between the model of a control system and its implementation on a time-triggered architecture.

Alur, Weiss (2008) model the dependency of control performance on schedules by an automaton that can be used for online scheduling.

Zhang, Szwaykowska, Wolf, Mooney (2008) co-design the control law and the task scheduling algorithm for predictable stability performance.

Conclusion

We bridge the gap between model-based design of control systems and finite-precision implementation of controllers.

We show how the results of program analysis of controller code can be used to judge the performance of a control system.

We have developed a tool that computes the implementation error of fixed-point implementations of linear and nonlinear controllers.