Ayca Balkan

Preliminary results on correct-by-construction control software synthesis for adaptive cruise control

A plethora of driver convenience and safety automation systems are being introduced into production vehicles, such as electronic stability control, adaptive cruise control, lane keeping, and obstacle avoidance. Assuring the seamless and safe integration of each new automation function with existing control functions is a major challenge for vehicle manufacturers. This challenge is compounded by having different suppliers providing software modules for different control functionalities. In this paper, we report on our preliminary steps to address this problem through a fresh perspective combining formal methods, control theory, and correct-by-construction software synthesis. In particular, we begin the process of synthesizing the control software module for adaptive cruise control from formal specifications given in Linear Temporal Logic. In the longer run, we will endow each interacting software module with an assume-guarantee specification stating under which environment assumptions the module is guaranteed to meet its specifications. These assume-guarantee specifications will then be used to formally prove correctness of the cyber-physical system obtained when the integrated modules interact with the physical dynamics.

Input-output robustness for discrete systems

Robustness is the property that a system only exhibits small deviations from the nominal behavior upon the occurrence of small disturbances. While the importance of robustness in engineering design is well accepted, it is less clear how to verify and design discrete systems for robustness. We present a theory of input-output robustness for discrete systems inspired by existing notions of input-output stability (IO-stability) in continuous control theory. We show that IO-stability captures two intuitive goals of robustness: bounded disturbances lead to bounded deviations from nominal behavior, and the effect of a sporadic disturbance disappears in finitely many steps. We show that existing notions of robustness for discrete systems do not have these two properties. For systems modeled as finite-state transducers, we show that IO-stability can be verified and the synthesis problem can be solved in polynomial time. We illustrate our theory using a reference broadcast synchronization protocol for wireless networks.

Correct-by-Construction Adaptive Cruise Control: Two Approaches

Motivated by the challenge of developing control software provably meeting specifications for real-world problems, this paper applies formal methods to adaptive cruise control (ACC). Starting from a linear temporal logic specification for ACC, obtained by interpreting relevant ACC standards, we discuss in this paper two different control software synthesis methods. Each method produces a controller that is correct-by-construction, meaning that trajectories of the closed-loop systems provably meet the specification. Both methods rely on fixed-point computations of certain set-valued mappings. However, one of the methods performs these computations on the continuous state space whereas the other method operates on a finite-state abstraction. While controller synthesis is based on a low-dimensional model, each controller is tested on CarSim, an industry-standard vehicle simulator. Our results demonstrate several advantages over classical control design techniques. First, a formal approach to control design removes potential ambiguity in textual specifications by translating them into precise mathematical requirements. Second, because the resulting closed-loop system is known a priori to satisfy the specification, testing can then focus on the validity of the models used in control design and whether the specification captures the intended requirements. Finally, the set from where the specification (e.g., safety) can be enforced is explicitly computed and thus conditions for passing control to an emergency controller are clearly defined.

Underminer: a framework for automatically identifying non-converging behaviors in black box system models

Evaluation of industrial embedded control system designs is a time-consuming and imperfect process. While an ideal process would apply a formal verification technique such as model checking or theorem proving, these techniques do not scale to industrial design problems, and it is often difficult to use these techniques to verify performance aspects of control system designs, such as stability or convergence. For industrial designs, engineers rely on testing processes to identify critical or unexpected behaviors. We propose a novel framework called Underminer to improve the testing process; this is an automated technique to identify non-converging behaviors in embedded control system designs. Underminer treats the system as a black box, and lets the designer indicate the model parameters, inputs and outputs that are of interest. It supports a multiplicity of convergence-like notions, such as those based on Lyapunov analysis and those based on temporal logic formulae. Underminer can be applied in the context of testing models created in the controller-design phase, and can also be applied in a scenario such as hardware-in-the-loop testing. We demonstrate the efficacy of Underminer by evaluating its performance on several examples.

Controller Synthesis for Mode-Target Games

Cyber-Physical Systems (CPS) are notoriously difficult to verify due to the intricate interactions between the cyber and the physical components. To address this difficulty, several researchers have argued that the synthesis paradigm is better suited to ensure the correct operation of CPS than the verification paradigm. The key insight of synthesis is that design should be constrained so that resulting systems are easily verified and, ideally, synthesis algorithms should directly provide a proof of correctness. In this paper we present a Linear Temporal Logic fragment inspired by specifications that frequently occur in control applications where we have a set of modes and corresponding targets to be reached for each mode. The synthesis problem for this fragment is formulated as a mode-target game and we show that these games can be solved in polynomial time by providing two embeddings of mode-target games into Generalized Reactivity(1) (GR(1)) games. While solving GR(1) games requires

Automated generation of dynamics-based runtime certificates for high-level control

O(mnN^2)

Underminer: A Framework for Automatically Identifying Nonconverging Behaviors in Black-Box System Models

symbolic steps when we have m assumptions, n guarantees, and a game graph with N states, mode-target games can be solved in

Dynamics-Based Reactive Synthesis and Automated Revisions for High-Level Robot Control.

O(nN^2)

A Behavioral Algorithm for State of Charge Estimation

symbolic steps when we have n modes and a game graph with N states. These embeddings, however, do not make full use of the specificity of mode-target games. For this reason we investigate in this paper a solution to mode-target games that does not rely on GR(1) embeddings. The resulting algorithm has the same worst case time complexity and we illustrate through experimental results the extent to which it improves upon the algorithms obtained via GR(1) embeddings. In doing so, we highlight the commonalities between mode-target games and GR(1) games while providing additional insight into the solution of GR(1) games.

Data Driven Stability Analysis of Black-box Switched Linear Systems

This paper addresses the problem of synthesizing controllers for reactive missions carried out by dynamical systems operating in environments of known physical geometry but consisting of uncontrolled elements that the system must react to at execution time. Such problems have value in semi-structured industrial automation settings, especially those in which robots must behave collaboratively yet safely with their human counterparts. The proposed synthesis framework addresses cases where there exists no satisfying controller for the mission, given the dynamical system and the environment’s assumed behaviors. We introduce an approach that leverages information about an abstraction of the dynamical system to automatically generate a concise set of revisions to such specifications. We provide a graphical visualization tool as a design aid, allowing the revisions to be conveyed to the user interactively and added to the specification at the user’s discretion. Any accepted statements become certificates that, if satisfied at runtime, provide guarantees for the current mission on the given dynamics. Our approach is cast into a general framework that works with various discrete representations (i.e. abstractions) of the system dynamics. We present case studies that illustrate application of our approach to controller synthesis for two example robotic missions employing different abstractions of the system.