Towards a HOL Framework for the Deductive Analysis of Hybrid Control Systems
ADPM’2000
Norbert Völker
University of Essex, England
Two Tanks System
[Figure: two tanks with valves V0, V1, V2 and level mark L]
Given a controller, verify that the tanks do not overflow and an equilibrium is reached.
The Idea
[Diagram: Controllers (PLC languages), Plants (differential equations), Control loops and Requirements are all embedded in one Isabelle/HOL model, in which properties and requirements are verified; an ODE solver and a model checker appear alongside the HOL model]
• Version of higher order predicate logic designed for mechanical hardware verification.
• Polymorphic type system: , , list, …
• Very expressive due to abstraction and quantification over functions.
• Widely studied and well understood logical system.
• Methodology of embedding other formalisms in HOL, for example subsets of VHDL and Java.
Isabelle/HOL
• Popular, interactive HOL theorem proving assistant.
• Stresses logical safety - avoidance of inconsistency.
• Supports safe theory extension by definitions, data types, primitive recursive functions, ...
• Comes with libraries: nat, int, real, set, ....
• Open and extendible.
• Proof results from external tools can be imported via oracles.
Discrete Components in HOL
[Figure: a stream function f mapping an input stream to an output stream]
stream = ( )
f :: stream stream
causal f = g. n x. take n (f x) = g (take n x)
stream operators, LTL operators
transition systems, automata
[Figure: input stream a a a a … and output stream b b b b …]
Real Time
clock = ( )
constant T :: clock
[Figure: time axis with clock ticks T 1, T 2, T 3, …]
Clocks are strictly monotonic, unbounded and start at 0.
Conceptual clocks - cycle duration can vary.
Function Blocks in HOL
• IEC 61131-3 PLC programming languages Structured Text (ST) and Sequential Function Charts (SFC)
• Function blocks written in an idealised subset of ST/SFC are mapped to automata in HOL.
• Mapping is similar to writing an interpreter in a functional programming language.
• Automata are not executed - size is not important as long as there is a compact representation in HOL.
• The HOL embedding defines a semantics.
A Verifiable Subset of ST
• Restriction to function block level: no configurations, resources, tasks or scheduling.
• Omission of absolute, global, reference or retentive variables.
• Reactive model: actions are atomic.
• Idealised data types: Int, Bool, String, records, arrays.
• Disregard of implementation limitations.
• Function block invocation has no side effects!
Real Analysis in Isabelle/HOL
• Axiomatic type class V of finite-dimensional, normed vector spaces over
• Limits, continuity, differentiation
• Type flow = ( )
• Differentiation operator D:: (:: V ) flow flow
• Lots of elementary lemmas and theorems.
• Currently no integration, exp, sqrt, ln, sin, …
• Currently 17 K theory files, 95 K proof code files.
Differential Systems in HOL
• A differential system (f, x0) without input is a transition system
diffsys = ([, ] )
where f is continuous and :: V.
• Behaviour is given by the solution of the associated differential equation
bhvD :: diffsys flow
bhvD (f, x0) = ( g. g 0 = x0 D g = f g)
where is Hilbert’s choice operator.
• This does not mean we have solved the ODE.
Plants in HOL
[Figure: plant F mapping an input stream to an output flow]
F :: stream flow
causal F
Transition systems (f, y0)
f :: [, ] , y0 ::
a. continuous (f a)
g 0 = bhvD (f (x 0), y0)
g (n+1) = bhvD (f (x (n+1)), g n (T (n+1)))
[Figure: flow segments g 0, g 1, g 2, g 3, g 4 over successive clock cycles]
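The plant construction above glues one flow segment per clock cycle: each segment is the solution of the differential system selected by that cycle's input, started from the value the previous segment had at the clock tick. The following Python is an added illustration written for this page, not the talk's Isabelle/HOL code. Because Hilbert's choice operator is not computable, it restricts itself to a constructed family of affine one-dimensional vector fields dh/dt = a*h + b (a single tank with a switchable inflow and level-proportional outflow, constants Q_IN and K chosen here), whose solution is known in closed form; the absolute-time start parameter t0 of bhvD and the clock values are assumptions of the example.

```python
"""Piecewise flows of a plant driven by a sampled input stream.
Added example for the bhvD / plant construction; not the talk's HOL code."""
import math
from typing import Callable, List, Tuple

Flow = Callable[[float], float]


def bhvD(field: Tuple[float, float], x0: float, t0: float = 0.0) -> Flow:
    """Closed-form solution g of D g = a*g + b with g t0 = x0.
    Segments live in absolute time, so the start t0 is an added parameter
    (the talk's bhvD starts every solution at time 0)."""
    a, b = field
    def g(t: float) -> float:
        dt = t - t0
        if a == 0.0:
            return x0 + b * dt
        return (x0 + b / a) * math.exp(a * dt) - b / a
    return g


# Constructed tank model: inflow Q_IN while the valve is open, outflow K*h.
Q_IN, K = 2.0, 0.5


def tank_field(valve_open: bool) -> Tuple[float, float]:
    """f (x n): the vector field selected by the input of cycle n."""
    return (-K, Q_IN if valve_open else 0.0)


def plant(clock: List[float], inputs: List[bool], y0: float) -> List[Flow]:
    """g 0 = bhvD (f (x 0), y0); g (n+1) = bhvD (f (x (n+1)), g n (T (n+1)))."""
    segs: List[Flow] = [bhvD(tank_field(inputs[0]), y0, clock[0])]
    for n in range(len(inputs) - 1):
        start = clock[n + 1]
        segs.append(bhvD(tank_field(inputs[n + 1]), segs[n](start), start))
    return segs


def plant_output(clock: List[float], inputs: List[bool], y0: float) -> Flow:
    """F x: one flow obtained by reading segment n on [T n, T (n+1))."""
    segs = plant(clock, inputs, y0)
    def F(t: float) -> float:
        n = max(i for i, tick in enumerate(clock) if tick <= t)
        return segs[n](t)
    return F


def continuity_gaps(clock: List[float], inputs: List[bool], y0: float) -> List[float]:
    """|g n (T (n+1)) - g (n+1) (T (n+1))| at every tick; zero by construction,
    which is what makes the glued F a continuous flow."""
    segs = plant(clock, inputs, y0)
    return [abs(segs[n](clock[n + 1]) - segs[n + 1](clock[n + 1]))
            for n in range(len(segs) - 1)]


# Constructed conceptual clock (cycle durations vary) and valve commands.
CLOCK = [0.0, 1.0, 2.5, 3.0, 5.0]
INPUTS = [True, True, False, True, True]

if __name__ == "__main__":
    F = plant_output(CLOCK, INPUTS, 0.0)
    for t in (0.0, 1.0, 2.5, 3.0, 5.0):
        print(f"t={t:4.1f}  level={F(t):.4f}")
    print("max gap at ticks:", max(continuity_gaps(CLOCK, INPUTS, 0.0)))
```

With the valve held open, the closed-form segment converges to Q_IN/K, which is the kind of equilibrium statement the two-tanks requirement asks for; in HOL the same fact would be a lemma about bhvD rather than a numerical observation.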
A Control Loop in HOL
[Figure: feedback loop of controller ttc and plant ttp exchanging the valve signals B B B]
tt = feedback (ttp ttc) 4,4 0
ttc :: stream (B B B) stream
ttp :: (B B B) stream ( ) stream
Verification
• Use standard Isabelle proof strategies and tools:
– induction, case distinctions, algebraic manipulation
– conditional term rewriting
– proof search algorithms
• Problems:
– command line user interface
– still relatively low level of proofs
– real number library not well developed yet
– algebraic manipulation often cumbersome
– few decision procedures
– analytically intractable systems remain intractable in HOL
What’s There
• HOL models of automata, stream operators, LTL operators, PLC language subsets, differential and hybrid systems.
• The beginnings of a HOL Real Analysis library.
• Small verification examples (standard function blocks, traffic light, container control)
• Strong points:
– Compositional model of hybrid systems as causal functions on streams and flows.
– Verification lemmas yield understanding
– Trustworthiness of Isabelle/HOL
What’s Missing
• Models of bigger / more faithful PLC language subsets
• More automation of HOL modelling and proofs
• Connection to other tools
• A better theorem prover front-end.
• Comprehensive Real Analysis and Control theory libraries
• Bigger examples
• Verification of function block libraries
• An answer to: What contribution can HOL make?
Questions or Comments?
Transition Systems in HOL
(,) trsys = ([, ] )
bhvT :: [(,) trsys, stream ] stream
bhvT (f,y0) x 0 = y0
bhvT (f,y0) x (n+1) = f (x n) (bhvT (f,y0) x n)
Theorem: causal bhvT
Automata in HOL
(,,) automaton = (, ) trsys ([, ] )
bhvA :: [(,, ) automaton, stream ] stream
bhvA (S,w) x n = w (x n) (bhvT S x n)
Theorem: causal bhvA
SFC Controller
[Figure: sequential function chart with steps S0 to S4, initial transition Start, transition conditions T1 S1.T, T2 S2.T, Level L and L Level, and S (set) / R (reset) actions on the valves; inputs Level :: level and a time input, outputs V0, V1, V2 :: bool]
Controller in HOL
ttc_autom :: ( , , BBB) automaton
ttc_autom = ((ttc_tf, (0,0)), ttc_outf )
ttc_tf :: [ , ]
ttc_tf (level, t) (step, t0) =
if step = 0 then (1, t)
else if step = 1 T1 t t0 then (2, t)
else if step = 2 T2 t t0 then (3, t)
else if step = 3 Level L then (4, t)
else if step = 4 Level L then (3, t)
else (step, t0)
Controller in HOL (continued)
ttc_outf :: [ , ] B B B
ttc_outf (level, t) (step, t0) =
if step = 0 then (False, False, False)
else if step = 1 then (True, False, False)
else if step = 2 then (True, True, False)
else if step = 3 then (True, True, True)
else (True, False, False)
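The talk's point that mapping a function block to an automaton is "similar to writing an interpreter in a functional programming language" can be made concrete. The Python below is an added example for this page, not the talk's Isabelle/HOL theory: it renders streams as functions from cycle numbers to values, implements bhvT and bhvA as on the "Transition Systems in HOL" and "Automata in HOL" slides, and then instantiates them with ttc_tf and ttc_outf. The comparison operators of ttc_tf were lost in extraction, so the example assumes "T1 <= t - t0" and "T2 <= t - t0" for the timers, "level >= L" to leave step 3 and "level < L" to leave step 4; the constants T1, T2, L and the sampled levels are constructed. It also shows causality in the constructive form of the slide's definition: the output prefix is computed from an input prefix alone, with a stream that refuses any access beyond that prefix.

```python
"""Interpreter for HOL-style transition systems and automata, instantiated
with the two-tanks SFC controller. Added example; not the talk's HOL code."""
from functools import lru_cache
from typing import Any, Callable, Tuple

Stream = Callable[[int], Any]          # reading of  stream = (nat => 'a)


def take(n: int, s: Stream) -> tuple:
    """Finite prefix of length n of a stream."""
    return tuple(s(i) for i in range(n))


def bhvT(f: Callable, y0: Any) -> Callable[[Stream], Stream]:
    """bhvT (f, y0) x 0 = y0;  bhvT (f, y0) x (n+1) = f (x n) (bhvT (f, y0) x n)."""
    def run(x: Stream) -> Stream:
        @lru_cache(maxsize=None)
        def state(n: int):
            return y0 if n == 0 else f(x(n - 1), state(n - 1))
        return state
    return run


def bhvA(S: Tuple[Callable, Any], w: Callable) -> Callable[[Stream], Stream]:
    """bhvA (S, w) x n = w (x n) (bhvT S x n)."""
    f, y0 = S
    def run(x: Stream) -> Stream:
        st = bhvT(f, y0)(x)
        return lambda n: w(x(n), st(n))
    return run


def prefix_stream(prefix: tuple) -> Stream:
    """A stream known only on a finite prefix; any later access raises,
    so a run that completes used nothing beyond the prefix."""
    def s(n: int):
        if n >= len(prefix):
            raise IndexError(f"non-causal access to index {n}")
        return prefix[n]
    return s


def causal_witness(run: Callable[[Stream], Stream], prefix: tuple) -> tuple:
    """The g of  causal f = (exists g. forall n x. take n (f x) = g (take n x))."""
    return take(len(prefix), run(prefix_stream(prefix)))


# Constructed constants: timer bounds and level limit (not given in the talk).
T1, T2, L = 3.0, 2.0, 10.0


def ttc_tf(inp: Tuple[float, float], state: Tuple[int, float]) -> Tuple[int, float]:
    """ttc_tf (level, t) (step, t0); assumed operators, see lead-in."""
    level, t = inp
    step, t0 = state
    if step == 0:
        return (1, t)
    if step == 1 and T1 <= t - t0:
        return (2, t)
    if step == 2 and T2 <= t - t0:
        return (3, t)
    if step == 3 and level >= L:
        return (4, t)
    if step == 4 and level < L:
        return (3, t)
    return (step, t0)


def ttc_outf(inp: Tuple[float, float], state: Tuple[int, float]) -> Tuple[bool, bool, bool]:
    """ttc_outf (level, t) (step, t0): valve commands (V0, V1, V2)."""
    step, _ = state
    outs = {0: (False, False, False), 1: (True, False, False),
            2: (True, True, False), 3: (True, True, True)}
    return outs.get(step, (True, False, False))


ttc_autom = ((ttc_tf, (0, 0.0)), ttc_outf)   # ((transition fn, initial state), output fn)


def simulate(levels: tuple) -> list:
    """Run the controller on constructed level samples, one per cycle at
    time t = n; returns (step, (V0, V1, V2)) for each cycle."""
    x = lambda n: (levels[n], float(n))
    st = bhvT(*ttc_autom[0])(x)
    y = bhvA(*ttc_autom)(x)
    return [(st(n)[0], y(n)) for n in range(len(levels))]


LEVELS = (0, 0, 0, 0, 2, 4, 6, 8, 10, 12, 9, 8)   # constructed sensor readings

if __name__ == "__main__":
    for n, (step, valves) in enumerate(simulate(LEVELS)):
        print(f"cycle {n:2d}  step {step}  V0,V1,V2 = {valves}")
```

Nothing here is proved, of course: the interpreter exercises one input stream, whereas the HOL embedding turns ttc_autom into a term about which "causal bhvA" and the overflow and equilibrium requirements can be stated for all streams.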
General Hybrid Systems
g :: [ stream, flow] stream flow
causal g
[Figure: hybrid component g with stream and flow inputs and outputs]