Automatic Verification of Control System Implementations fileApplications of Control Systems The systems are mostly life-criticalormission-critical EMSOFT 2010 Anta, Majumdar, Saha,

Automatic Verification of Control SystemImplementations

Adolfo Anta1,2, Rupak Majumdar3,4, Indranil Saha3 and Paulo Tabuada3

1Max Planck Institute for Dynamics of Complex Technical Systems

2TU Berlin

3University of California Los Angeles

4Max Planck Institute for Software Systems

EMSOFT 2010October 25, 2010

EMSOFT 2010 Anta, Majumdar, Saha, Tabuada Automatic Verification of Control System Implementations 1/24

Applications of Control Systems


Applications of Control Systems

The systems are mostlylife-critical or mission-critical


Control Software Development Flow

Closed-loop SystemModel in

Simulink/Stateflow

Floating-pointC Code

Control System

MathematicalModel of

Physical System

Control Design

Code Generation

Integration

Floating-point to Fixed-point Code

Converter

Fixed-pointC Code



!"#$%&'"##()*+$,%-.#&%")/0

*/-1"/023*,4,%5"#6

7"#4,/08'(#/0,!)!#&%

!#0,9#")*+$,%-

*/-1"4,/#07#9

:%95#9-40;%

.4,<%-4,/;4".#&%")#5

:<+$/;4")*+$,%-

!#0,9#")=%$/80

!#&%)>%0%94,/#0

?0,%894,/#0

7"#4,/08'(#/0,),#)7/@%&'(#/0,)!#&%

!#0A%9,%9

7/@%&'(#/0,!)!#&%

.4,<%-4,/;4"B04"+$/$)#5*,4C/"/,+


Semantic Gap between Mathematical Controller andSoftware Implementation

Automatic code generators are not certified

Sensor and actuator errors

Limited precision arithmetic

It is often unclear if the implemented system exhibits the samebehavior as the mathematical model


Semantic Gap between Mathematical Controller andSoftware Implementation

Automatic code generators are not certified

Sensor and actuator errors

Limited precision arithmetic

It is often unclear if the implemented system exhibits the samebehavior as the mathematical model



!"#$%&'"##()*+$,%-.#&%")/0

*/-1"/023*,4,%5"#6

7"#4,/08'(#/0,!)!#&%

!#0,9#")*+$,%-

*/-1"4,/#07#9)

:%95#9-40;%

.4,<%-4,/;4".#&%")#5

:<+$/;4")*+$,%-

!#0,9#")=%$/80

!#&%)>%0%94,/#0

?0,%894,/#0

7"#4,/08'(#/0,),#)7/@%&'(#/0,)!#&%

!#0A%9,%9

7/@%&'(#/0,!)!#&%

.4,<%-4,/;4"B04"+$/$)#5*,4C/"/,+

!#&%'"%A%")*/-1"4,/#0

*+$,%-'"%A%"*/-1"4,/#0

*,4C/"/,+)B04"+$/$


Limitations of Simulation

Simulation can find out bugs, but cannot guaranteecorrectness

Does not take into account any knowledge frommathematical properties of the control systems


Proposed Control Software Development Flow

!"#$%&'"##()*+$,%-.#&%")/0

*/-1"/023*,4,%5"#6

7"#4,/08'(#/0,!)!#&%

!#0,9#")*+$,%-

*/-1"4,/#0

.4,:%-4,/;4".#&%")#5

<:+$/;4")*+$,%-

!#0,9#")=%$/80

!#&%)>%0%94,/#0

?0,%894,/#0

7"#4,/08'(#/0,),#)7/@%&'(#/0,)!#&%

!#0A%9,%9

7/@%&'(#/0,!)!#&%

.4,:%-4,/;4"B04"+$/$

7#9-4")*,4C/"/,+)B04"+$/$)D##"


Model of a Control System

!"#$%

&'$%('"")(

*)$+'(,-%.#%'(

/)+0()1

2)3#40'(


Stability of a Control System

!"#$%

&'$%('"")(

*)$+'(,-%.#%'(

/)+0()1

2)3#40'(

StabilityThe physical plant converges to a desired behavior under theactions of the controller.


Different Sources of Implementation Error

FactWhen we implement the controller in software, we introduceerror in the output of the controller due to

Large sampling timeSensor and actuator error (noise, saturations,quantization...)Limited precision arithmetic

QuestionWhat is the effect of the implementation error on the stability ofa control system?


Effect of Implementation Error on Stability

Linear Control SystemIf γC is the L2 gain of a linear control system, and be is the bound onthe implementation error e, then the implementation guarantees thatthe output trajectories of the controlled system asymptoticallyconverge to the set of outputs y ∈ Rn satisfying

‖y‖ ≤ γC × be

For linear control systems,ξ = Aξ + Bυ

y = Cξ

where υ is the input to the plant

γC can be calculated using classical control theory

γC = maxψ∈[0,2π[

∥∥∥C(eiψ1n×n − A)−1B∥∥∥ .


Effect of Implementation Error on Stability

Nonlinear Control SystemsFor a nonlinear system

ddtξ = f (ξ, υ)

with a feedback controller of the form

υ = k(ξ)

the effect of implementation error e is computed using an ISSLyapunov function, and the following constraint from robust controltheory

∂V∂x

f (x , k(x) + e) ≤ −λV (x) + σ‖e‖2

The trajectories of the controlled system are guaranteed to convergeto the set of states x defined by V (x) ≤ (σ/λ)× be.

The value of σ and λ can be found using Sum of Squares (SoS)optimization technique.


Finding the Bound on Implementation Error

FactTypical embedded controller implementations use periodsin the millisecond to microsecond range.- Quantization error dominates the sampling error.

Bounds on the errors arising from sensors and actuatorsare available from sensor and actuator specifications.

QuestionHow to calculate a bound on the implementation error due toquantization?


Finding the Bound on Implementation Error

FactTypical embedded controller implementations use periodsin the millisecond to microsecond range.- Quantization error dominates the sampling error.

Bounds on the errors arising from sensors and actuatorsare available from sensor and actuator specifications.

QuestionHow to calculate a bound on the implementation error due toquantization?


Effect of Quantization Error on Stability

Example: Vehicle SteeringThe control objective is to make the vehicle stable parallelto the x-axis at a certain distance of d meter.

Plant

DoublePrecision

Implementation of Controller

ReferenceInput

Fixed-pointImplementation

of Controller

Subtract

Plant

Out

!"#$

%&&'&


Example of Controller ProgramControl Lawu = 0.81× (x1 − x2)− 1.017× ref

Real-valued program// Input variablesreal In1;real In2;real In3;

// Intermediate variablesreal Subtract;real Gain;real Gain2;

// Output variablesreal Out1;

static void output(void) {Subtract = In1 - In2;Gain = 0.81 * Subtract;Gain2 = 1.017 * In3;Out1 = Gain - Gain2;

}

Fixed-point implementation (16-bit)// Input variablesshort int In1; // range: [0, 100], fixdt(1,16,8)short int In2; // range: [50, 110], fixdt(1,16,8)short int In3; // range: [-10, 50], fixdt(1,16,9)

// Intermediate variablesshort int Subtract; // fixdt(1,16,8)short int Gain; // fixdt(1,16,8)short int Gain2; // fixdt(1,16,9)

// Output variablesshort int Out1; // fixdt(1,16,8)

static void output(void) {Subtract = (short int)(In1 - In2);Gain = (short int)(26542 * Subtract� 15);Gain2 = (short int)(16663 * In3� 14);Out1 = (short int)(((Gain� 1) - Gain2)� 1);

}


Calculating the bound on Quantization Error

Inputs

A real-valued polynomial function u = k(y).A program K implementing k using finite precisionarithmetic.Range [ymin, ymax ] for y .

QuestionHow far the value k(y) can be from the output of K (y) when yis chosen from the range [ymin, ymax ] and y is the closestrepresentation of y using the finite precision implementation ofreal numbers?


Algorithm

Construct the strongest post-condition SP(K )(y , u) for thefunction K .

Set up a set of constraints that is the conjunction of:y ∈ [ymin, ymax ],|y − y | ≤ δ,u = k(y),SP(K )(y , u)

Ask: What is the maximum difference between u and uunder the above constraints?

The problem can be solved by bisection optimizationmethod using off-the-shelf decision procedures.


Stability Analysis Tool: Costan

A tool to compute the error bound in fixed-pointimplementation of control law automatically.

Reduces the error bound computation problem to a seriesof decision problems.



Costan Supports both linear and nonlinear controllers, fornonlinear controllers both polynomial implementation andlookup table based implementation.

For linear controllers, Costan uses Yices [SRI] and fornonlinear controllers Costan uses HySat [Franzle et al]solver.

For large linear controllers and nonlinear controllersimplemented as large lookup table, we adoptcompositional strategy.












Experimental Results

Example Error bound Set size (ρ) Run timevehicle steering (16bit) 0.0163 0.0375 1m14.313spendulum (16bit) 0.0508 0.1806 2m36.409sdc motor (16bit) 0.0473 1.0889 2m15.110strain car - 1 car (32bit) 5e-7 2.6080e-5 3m25.478strain car - 2 cars (32bit) 1.5e-6 9.4000e-5 5m39.607strain car - 3 cars (32bit) 8.5e-6 0.0010 9m34.485strain car - 4 cars (32bit) 3.351e-5 0.0080 10m9.179strain car - 5 cars (32bit) 1.655e-4 0.0627 20m28.822sjet engine[poly] (16bit) 4e-3 0.0230 0m0.551sjet engine[3× 8] 6.40 37.0431 0m34.636sjet engine[5× 10] 4.48 25.9296 0m34.293sjet engine[7× 14] 2.73 15.8009 1m6.981sjet engine[21× 21] 1.25 7.2348 18m15.794sjet engine[21× 101] 0.88 5.0933 50m23.127sjet engine[100× 100] 0.33 1.9100 103m19.977s


Interpretation of Result

Example: Vehicle SteeringThe control objective is to make the vehicle stable parallelto the x-axis at a certain distance d .

If we find the set size for d to be r , then in the steady statethe vehicle will be between d − r and d + r distance awayfrom the x-axis.


Related Works

YazarelPappasGirardAlur2005 , NghiemPappasGirardAlur2006characterizes the stability performance gap of the model of thecontrol system and its implementation on a time-triggeredarchitecture.

AlurWeiss2008 models dependency of control performance onschedules by an automaton that can be used for onlinescheduling.

ZhangSzwaykowskaWolfMooney2008 codesigns the control lawand the task scheduling algorithm for predictable stabilityperformance.


Conclusion

We bridge the gap of model-based design of controlsystems and finite-precision implementation of controllers.

We show how the result of program analysis of controllercode can be utilized in judging the performance of a controlsystem.

We have developed a tool that can find out theimplementation error in the fixed-point implementation oflinear and nonlinear controllers.


Documents

Automatic Verification of Control System Implementations fileApplications of Control Systems The systems are mostly life-criticalormission-critical EMSOFT 2010 Anta, Majumdar, Saha,