Static and Dynamic Analysis of Cyber-Physical Systems
Parasara Sridhar Duggirala
Trends in Air Traffic
Air traffic is going to double in the next 20-25 years
Improving throughput of airports
Cost of adding runways ~ $15B+
Packing more planes on runways
Physical limits to packing, e.g. wake vortices
Human in the loop
Solution: Software
Safe Parallel Landing From NASA: Ensuring Safe Separation
Ensure safety among ownship and intruder
[Figure: ownship at $(x_o, y_o)$ with velocity $\langle v_{x_o}, v_{y_o}\rangle$ and intruder at $(x_i, y_i)$ with velocity $\langle v_{x_i}, v_{y_i}\rangle$, landing on parallel runways]
ALAS: New Alerting Mechanism
A Typical Cyber-Physical System
Ensure safety among ownship and intruder
Fail-safe alarming system ALAS by NASA (similar to TCAS)
◦ Issues an alarm 4 seconds before aircraft violate safe separation
Did they get it right?
Motion described by ODEs: $\frac{d}{dt}x_i = v_{x_i};\ \frac{d}{dt}y_i = v_{y_i};\ \dots$
Software changes the type of motion
◦ approach mode: $\dot{x} = f_a(x)$
◦ turn mode: $\dot{x} = f_b(x)$, with the transition from approach to turn at $t = 3$
Continuous behavior + software control = CPS
[Figure: ownship at $(x_o, y_o)$ with velocity $\langle v_{x_o}, v_{y_o}\rangle$, intruder at $(x_i, y_i)$ with velocity $\langle v_{x_i}, v_{y_i}\rangle$, and safe-separation distances $s_x$, $s_y$]
CPS Everywhere!
Problems in CPS
Toyota recalled 1.9 million Prius cars (total cars recalled in 2013 ~20M)
FDA report: software failure is responsible for 24% of recalls in medical devices (of 2M)
Northeast blackout of 2003 was caused by a race condition
My Research: Develop Tools, Techniques, and Algorithms for Design, Analysis, and Verification of CPS
Outline
Introduction
◦ Need for Verification of Cyber-Physical Systems and its Challenges
◦ Overview of My Research
Overview of Abstraction-Refinement
Dynamic Analysis
◦ Algorithm for Dynamic Analysis
◦ Verifying the Alerting Protocol in Parallel Landing
◦ Verifying Powertrain Control System
Future Work
Simulation/Testing Based Design Methodology
Modeling
• Build a model, e.g. Simulink/Stateflow
Analysis
• Simulate/Test the model with several configurations, e.g. with different initial positions and velocities of aircraft
Deployment
• Prototype deployment
• Industrial production
Simulation/Testing Does Not Find All Bugs
Simulations do not give coverage guarantees
Manifestation of bugs in the deployment stage is catastrophic
Are there any alternative techniques to provide guarantees in safety critical CPS?
Formal Verification Can Give Guarantees
Formal Verification: Prove that the system does not have any bugs
Checking all possible behaviors of the system
Model Checking – industrial practice in Hardware
Reachable Set: Set of all possible states that can be reached
[Figure: reachable sets of the intruder and the ownship under the approach mode $\dot{x} = f_a(x)$ and the turn mode $\dot{x} = f_b(x)$, with the transition at $t = 3$]
Represent the reachable set in a symbolic format. Ex: $x_i \ge 4 \wedge x_i \le 10 \wedge y_i \ge 20 \wedge y_i \le 25$
Undecidability Barrier for CPS Verification
Reachable set computation is undecidable for simple CPS
◦ Two variables $\dot{x} = 1$, $\dot{y} = 2$ with different modes [Alur, Henzinger ’96]
Scalability Barrier for CPS Verification
For linear systems $\dot{v} = Av$, the analytical solution is given by $v(t) = e^{At} v(0)$
Matrix exponentials $e^{At}$ cannot be computed exactly
Symbolic and numerical techniques suffer the curse of dimensionality [Frehse ’12]
Toyota Powertrain Control System
$$\dot{p} = c_1\bigl(2\theta(c_{20}p^2 + c_{21}p + c_{22}) - c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)\bigr)$$
$$\dot{\lambda} = c_{26}\bigl(c_{15} + c_{16}c_{25}F_c + c_{17}c_{25}^2F_c^2 + c_{18}\dot{m}_c + c_{19}\dot{m}_c c_{25}F_c - \lambda\bigr)$$
$$\dot{p}_e = c_1\bigl(2c_{23}\theta(c_{20}p^2 + c_{21}p + c_{22}) - (c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)\bigr)$$
$$\dot{i} = c_{14}(c_{24}\lambda - c_{11})$$
where
$$F_c = \frac{1}{c_{11}}\bigl(1 + i + c_{13}(c_{24}\lambda - c_{11})\bigr)(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)$$
$$\dot{m}_c = c_{12}(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)$$
No closed form solution for nonlinear systems
My Research: Developing scalable verification techniques to handle industrial CPS
Research Overview: Verification of CPS
[Figure: map of the research area with a horizontal axis from Simple Continuous Dynamics to Complex Nonlinear Dynamics and a vertical axis from Simple computation to Distributed computation; regions labelled Dynamic Analysis, Abstraction-Refinement, and Verification Tools [UPPAAL, HyTech, SpaceEx, …]; publications placed on the map: [ICCPS’11], [HSCC’12], [VMCAI’13], [EMSOFT’13]*, [EMSOFT’13], [RTSS’12], [FM’14], [TACAS’15], [CAV’15]]
*best paper award at EMSOFT 2013
Abstraction Refinement - Overview
[Figure: the abstraction-refinement loop. Abstract: Concrete System → Abstract System. Verify: Abstract System → Certificate, or Abstract Counterexample. Validate: Abstract Counterexample → Concrete Counterexample, or Spurious Counterexample. Refine: Spurious Counterexample → New Abstraction]
$$\mathit{behaviors}(\mathit{Concrete\ System}) \subseteq \mathit{behaviors}(\mathit{Abstract\ System})$$
Abstraction Refinement - Overview
[Figure: the abstraction-refinement loop (Abstract, Verify, Validate, Refine) applied to the Concrete System, ending in a Certificate or a Concrete Counterexample]
$$\mathit{behaviors}(\mathit{Concrete\ System}) \subseteq \mathit{behaviors}(\mathit{Abstract\ System})$$
Region Stability [ICCPS’11, HSCC’12]
◦ New techniques for proving stability of systems with unstable modes
Safety [VMCAI’13, EMSOFT’13*]
◦ Discovered new decidable class of linear systems. Proved systems with 28 dimensions
*won the best paper award at EMSOFT 2013
Dynamic Analysis
NASA’s ALAS Protocol
Fail-safe alarming system ALAS by NASA
◦ Issues an alarm 4 seconds before aircraft violate safe separation
Ownship and Intruder landing on nearby parallel runways
Unexpected trajectory of Intruder
Validation of ALAS by performing several simulations – no proof
Proving that ALAS works
1. Compute all trajectories that violate safe separation (unsafe)
2. For unsafe trajectories, prove that alarm is issued 4 seconds before safe separation is violated
[Figure: intruder trajectory in the approach mode $\dot{x} = f_a(x)$ switching to the turn mode $\dot{x} = f_b(x)$ at $t = 3$, alongside the ownship]
Discrepancy Function
Let us consider a simple motion of intruder and compute all trajectories that are unsafe
Compute unsafe trajectories (overapproximation) from samples
Continuity property
◦ Trajectories starting close stay close
◦ In the limit, the distance between trajectories goes to zero
Discrepancy function $\beta$ that captures continuity
◦ $|x_1(t) - x_2(t)| \le \beta(|x_1 - x_2|, t)$
◦ $\beta(|x_1 - x_2|, t) \to 0$ as $|x_1 - x_2| \to 0$
[Figure: trajectories of the intruder from nearby initial states $x_1$, $x_2$, $x_3$, with $|x_1(t) - x_2(t)|$ bounded by $\beta(|x_1 - x_2|, t)$, alongside the ownship]
![Page 56: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/56.jpg)
Computing Unsafe TrajectoriesGiven a discrepancy function 𝛽, how to obtain unsafe trajectories from
sample simulations
Partition the initial set into 𝛿-neighborhoods
Simulate from the center of each neighborhood
Bloat the simulation by 𝜖 = 𝛽(𝛿, 𝑡)
Check if all trajectories are safe
If all neighborhoods are safe, return safe
If any neighborhood violates safety, return violated
Else, refine the partitioning.
56
Intruder
Ownship
![Page 57: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/57.jpg)
Computing Unsafe TrajectoriesGiven a discrepancy function 𝛽, how to obtain unsafe trajectories from
sample simulations
Partition the initial set into 𝛿-neighborhoods
Simulate from the center of each neighborhood
Bloat the simulation by 𝜖 = 𝛽(𝛿, 𝑡)
Check if all trajectories are safe
If all neighborhoods are safe, return safe
If any neighborhood violates safety, return violated
Else, refine the partitioning.
57
Intruder
Ownship
![Page 58: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/58.jpg)
Computing Unsafe TrajectoriesGiven a discrepancy function 𝛽, how to obtain unsafe trajectories from
sample simulations
Partition the initial set into 𝛿-neighborhoods
Simulate from the center of each neighborhood
Bloat the simulation by 𝜖 = 𝛽(𝛿, 𝑡)
Check if all trajectories are safe
If all neighborhoods are safe, return safe
If any neighborhood violates safety, return violated
Else, refine the partitioning (better overapproximation)
58
Intruder
Ownship
Safety Verification Algorithm
Given a discrepancy function 𝛽, how to obtain unsafe trajectories from sample simulations:
Partition the initial set into 𝛿-neighborhoods
Simulate from the center of each neighborhood
Bloat the simulation by 𝜖 = 𝛽(𝛿, 𝑡)
Check if all trajectories are safe
If all neighborhoods are safe, return safe
If any neighborhood violates safety, return violated
Else, refine the partitioning (better overapproximation)
59
The algorithm can be applied to any nonlinear system with a given discrepancy function
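The partition / simulate / bloat / check / refine loop above, as an added Python example (not code from the slides or from C2E2). It uses a constructed nonlinear spring-damper, a constructed domain bound, initial set and unsafe sets, and the Lipschitz discrepancy function 𝛽(𝛿, 𝑡) = 𝛿·e^{𝐿𝑡} from the "Finding Discrepancy Functions" slide; RK4 integration error is assumed negligible (a validated simulator would add it to the bloat).

```python
"""Simulation-driven safety verification with a discrepancy function.

Added example, not code from the slides or from C2E2.  Constructed plant:
    x1' = x2,  x2' = -x1 - x2 - 0.2 * x1**3   (nonlinear spring-damper)
Discrepancy function (Lipschitz form):  beta(delta, t) = delta * e^{L t},
with L a Lipschitz constant of f on the domain D = [-X_MAX, X_MAX]^2.
"""
import math
from itertools import product

X_MAX = 2.0                      # constructed domain bound for D
# Jacobian of f: [[0, 1], [-1 - 0.6*x1^2, -1]].  Its largest absolute row sum
# over D is the Lipschitz constant in the infinity norm (matches box geometry).
L = 2.0 + 0.6 * X_MAX ** 2       # = 4.4
INF = math.inf


def f(x):
    x1, x2 = x
    return (x2, -x1 - x2 - 0.2 * x1 ** 3)


def beta(delta, t):
    """|x1(t) - x2(t)| <= beta(|x1 - x2|, t), and beta -> 0 as delta -> 0."""
    return delta * math.exp(L * t)


def simulate(x0, T, h=0.01):
    """Fixed-step RK4 trace [(t, x), ...].  Numerical error is assumed
    negligible here; a validated simulator would add it to the bloat."""
    trace, x, t = [(0.0, x0)], x0, 0.0
    for _ in range(round(T / h)):
        k1 = f(x)
        k2 = f(tuple(a + 0.5 * h * b for a, b in zip(x, k1)))
        k3 = f(tuple(a + 0.5 * h * b for a, b in zip(x, k2)))
        k4 = f(tuple(a + h * b for a, b in zip(x, k3)))
        x = tuple(a + h / 6 * (p + 2 * q + 2 * r + s)
                  for a, p, q, r, s in zip(x, k1, k2, k3, k4))
        t += h
        trace.append((t, x))
    return trace


def point_in_box(x, lo, hi):
    return all(l <= xi <= u for xi, l, u in zip(x, lo, hi))


def boxes_intersect(lo1, hi1, lo2, hi2):
    return all(l1 <= u2 and u1 >= l2 for l1, u1, l2, u2 in zip(lo1, hi1, lo2, hi2))


def classify(center, delta, T, unsafe_lo, unsafe_hi):
    """Simulate from the centre of one delta-neighbourhood, bloat by
    beta(delta, t) and compare with Unsafe: 'safe', 'unsafe' or 'unknown'."""
    inconclusive = False
    for t, x in simulate(center, T):
        if point_in_box(x, unsafe_lo, unsafe_hi):
            return "unsafe"           # the simulation itself is a counterexample
        eps = beta(delta, t)
        lo = tuple(xi - eps for xi in x)
        hi = tuple(xi + eps for xi in x)
        if any(l < -X_MAX or u > X_MAX for l, u in zip(lo, hi)):
            inconclusive = True       # L is only valid while the tube stays in D
        elif boxes_intersect(lo, hi, unsafe_lo, unsafe_hi):
            inconclusive = True       # the over-approximation touches Unsafe
    return "unknown" if inconclusive else "safe"


def verify(init_lo, init_hi, T, unsafe_lo, unsafe_hi, max_depth=6):
    """Partition Theta into delta-neighbourhoods; refine only the inconclusive
    ones.  Returns (verdict, number_of_simulations)."""
    sims, work = 0, [(init_lo, init_hi, 0)]
    while work:
        lo, hi, depth = work.pop()
        center = tuple((l + u) / 2 for l, u in zip(lo, hi))
        delta = max((u - l) / 2 for l, u in zip(lo, hi))    # inf-norm radius
        sims += 1
        verdict = classify(center, delta, T, unsafe_lo, unsafe_hi)
        if verdict == "unsafe":
            return "unsafe", sims
        if verdict == "unknown":
            if depth >= max_depth:
                return "unknown", sims
            # refine: split the box in half along every dimension
            for corner in product((0, 1), repeat=len(lo)):
                c_lo = tuple(l if c == 0 else m for l, m, c in zip(lo, center, corner))
                c_hi = tuple(m if c == 0 else u for m, u, c in zip(center, hi, corner))
                work.append((c_lo, c_hi, depth + 1))
    return "safe", sims


THETA = ((0.9, -0.1), (1.1, 0.1))    # constructed initial set


def demo():
    """Two constructed queries: Unsafe = {x1 >= 1.3} over 0.5 s is proved
    safe after refinement; Unsafe = {x1 <= 0.7} over 1.0 s is violated by
    the very first simulation."""
    safe = verify(*THETA, 0.5, (1.3, -INF), (INF, INF))
    unsafe = verify(*THETA, 1.0, (-INF, -INF), (0.7, INF))
    return safe, unsafe


if __name__ == "__main__":
    print(demo())
```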
Soundness and Completeness Results
Theorem [Soundness]: Given any HA 𝐴, with an initial set Θ and unsafe set 𝑈, if the algorithm terminates and returns safe (unsafe), then the system is indeed safe (unsafe).
Theorem [Relative Completeness]: Given any HA 𝐴, with an initial set Θ and unsafe set 𝑈, if the system is robustly safe (unsafe), then the algorithm terminates and returns the correct answer.
Always performing a sound analysis: |𝒙𝟏(𝒕) − 𝒙𝟐(𝒕)| ≤ 𝜷(|𝒙𝟏 − 𝒙𝟐|, 𝒕)
Improving the partitioning improves the approximation: 𝜷(|𝒙𝟏 − 𝒙𝟐|, 𝒕) → 𝟎 as |𝒙𝟏 − 𝒙𝟐| → 𝟎
The algorithm can be applied to any nonlinear system with a given discrepancy function
65
C2E2: A Tool For Verifying Stateflow Models
66
Comparison with Existing Approaches on Academic Benchmarks
67

| Benchmark | Variables | Sims. | C2E2 (time) | Flow* (time) | Ariadne (time) |
|---|---|---|---|---|---|
| Moore-G. Jet Engine | 2 | 36 | 1.56 | 10.54 | 56.57 |
| Brusselator System | 2 | 115 | 5.26 | 16.77 | 72.75 |
| Van der Pol Oscillator | 2 | 17 | 0.75 | 8.93 | 98.36 |
| Coupled Van der Pol | 4 | 62 | 1.43 | 90.96 | 270.61 |
| Sinusoidal Tracking | 6 | 84 | 3.68 | 48.63 | 763.32 |
| Linear Adaptive | 3 | 16 | 0.47 | NA | NA |
| Nonlinear Adaptive | 2 | 32 | 1.23 | NA | NA |
| Nonlinear Disturbance | 3 | 48 | 1.52 | NA | NA |
Overview
Introduction
◦ Need for Verification of Cyber-Physical Systems and its Challenges
◦ Overview of My Research
Overview of Abstraction-Refinement
Dynamic Analysis
◦ Algorithm for Dynamic Analysis
◦ Verifying the Alerting Protocol in Parallel Landing
◦ Verifying Powertrain Control System
Future Work
68
Back To Parallel Landing
Fail-safe alarming system ALAS by NASA
◦ Issues an alarm 4 seconds before aircraft violate safe separation
Proving that ALAS works:
1. Compute all trajectories that violate safe separation (unsafe)
2. For unsafe trajectories, prove that the alarm is issued 4 seconds before safe separation is violated
How to analyze the 𝐴𝑙𝑎𝑟𝑚 predicate?
69
Alarm Predicate Closed Form
$$
\begin{aligned}
dir &= \operatorname{sign}\big((x_o - x_i)\, v_{y_i} - (y_o - y_i)\, v_{x_i}\big) \\
r &= \frac{\sqrt{v_{x_i}^2 + v_{y_i}^2}}{\omega};\qquad
c_x = x_i + dir \times \frac{v_{y_i}}{\omega};\qquad
c_y = y_i + dir \times \frac{v_{x_i}}{\omega} \\
&\text{if } r^2 \big(v_{x_o}^2 + v_{y_o}^2\big) - \big((x_o - c_x)\, v_{y_o} - (y_o - c_y)\, v_{x_o}\big)^2 < 0 \text{ then } Alarm = 0 \\
M &= (x_o - c_x)\, v_{x_o} + (y_o - c_y)\, v_{y_o};\qquad
N = \frac{1}{r^2}\big((x_o - c_x)(x_i - c_x) + (y_o - c_y)(y_i - c_y)\big) \\
t_o &= \frac{1}{v_{x_o}^2 + v_{y_o}^2}\Big[-M + \sqrt{M^2 - \big(v_{x_o}^2 + v_{y_o}^2\big)\big((x_o - c_x)^2 + (y_o - c_y)^2 - r^2\big)}\Big] \\
t_i &= \operatorname{abs}\Big(\frac{r}{dir \times \sqrt{v_{x_o}^2 + v_{y_o}^2}} \times \arccos(N)\Big) \\
&\text{if } t_o > t_i \wedge (t_o - t_i)^2 \big(v_{x_o}^2 + v_{y_o}^2\big) < Front^2 \text{ then } Alarm = 1 \\
&\text{if } t_i > t_o \wedge (t_o - t_i)^2 \big(v_{x_o}^2 + v_{y_o}^2\big) < Back^2 \text{ then } Alarm = 1
\end{aligned}
$$
71
Current state-of-the-art solvers cannot handle this predicate
Alarm Predicate
$Alarm_i = \{x \mid \exists t \in [0, T],\ proj_i(x, t) \in Unsafe\}$, where the $proj_i$ are different worst-case scenarios of the intruder
If any of the projected behaviors can violate the safety envelope of the ownship, then raise $Alarm$
73
[Figure: Ownship and Intruder trajectories, projections $proj_1$, $proj_2$, points of intersection]
A common design principle in MPC: estimate the worst possible behavior and correct your trajectory
Alarm Predicate Closed Form (annotated)
Implicit solution of the differential equation: $dir$, $r$, $c_x$, $c_y$
Time of intersection of trajectories: $t_o$, $t_i$ (via $M$, $N$)
Condition for issuing $Alarm$: the two final tests against $Front^2$ and $Back^2$
76
Analyzing Predictive Predicate Alarm
Implicit solutions → numerical solutions
Expressions for $t_o, t_i$ → sound numerical approximations $T_o, T_i$
Condition of issuing Alarm → overapproximation $Alarm'$
$$
Alarm_i(x) \equiv \text{if } t_i > t_o \text{ then } \Delta t^2 \big(v_{x_i}^2 + v_{y_i}^2\big) < Back^2 \text{ else } \Delta t^2 \big(v_{x_i}^2 + v_{y_i}^2\big) < Front^2
$$
$$
Alarm'_i(x) \equiv \text{if } T_i > T_o \text{ then } \Delta T^2 \big(v_{x_i}^2 + v_{y_i}^2\big) < Back^2 \text{ else } \Delta T^2 \big(v_{x_i}^2 + v_{y_i}^2\big) < Front^2
$$
80
[Figure: Ownship and Intruder trajectories, projections $proj_1$, $proj_2$, points of intersection]
Verifying ALAS System
Verified the property that Alarm is raised at least 4 time units before safety violation, for different configurations, in the order of minutes
Identified False Alarm configurations and Missed Alarm configurations
82

| Scenario | Alarm ≼4 Unsafe (alarm at least 4 time units before Unsafe) | Running time (min:sec) | Alarm ≼? Unsafe (observed lead time) |
|---|---|---|---|
| 6 | False | 3:27 | 2.16 |
| 7 | True | 1:13 | – |
| 8 | True | 2:21 | – |
| 6.1 | False | 7:18 | 1.54 |
| 7.1 | True | 2:34 | – |
| 8.1 | True | 4:55 | – |
| 9 | False | 2:18 | 1.8 |
| 10 | False | 3:04 | 2.4 |
| 9.1 | False | 4:30 | 1.8 |
| 10.1 | False | 6:11 | 2.4 |

How do we get discrepancy functions?
Finding Discrepancy Functions
Sufficient conditions for finding discrepancy functions (borrowed from Control Theory):
◦ Lipschitz continuity: if $\dot x = f(x)$ has Lipschitz constant $L$, then $|x_1(t) - x_2(t)| \le |x_1 - x_2|\, e^{Lt}$
◦ Contraction Metric: if $J^T M + M J + b_M M \preceq 0$, then $\exists k, \delta > 0$ such that $\|x_1(t) - x_2(t)\|_2 \le k\, \|x_1 - x_2\|_2\, e^{-\delta t}$
◦ Incremental Lyapunov Function: with function $V$, $|x_1(t) - x_2(t)| \le k\, |x_1 - x_2|$; $k = F(V)$
Finding such discrepancy functions automatically:
◦ Nonlinear optimization for Lipschitz continuity
◦ For $\dot v = Av$ that is exponentially stable, compute a Lyapunov function
◦ Solving LMIs using Sum-Of-Squares tools to compute a contraction metric
84
For the benchmark nonlinear systems, automatic techniques could find discrepancy functions
87
Toyota Powertrain Control System
$$
\begin{aligned}
\dot p &= c_1\big(2\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - c_{12}\,(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)\big) \\
\dot\lambda &= c_{26}\big(c_{15} + c_{16}c_{25}F_c + c_{17}c_{25}^2F_c^2 + c_{18}\dot m_c + c_{19}\dot m_c c_{25}F_c - \lambda\big) \\
\dot p_e &= c_1\big(2c_{23}\theta\,(c_{20}p^2 + c_{21}p + c_{22}) - (c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)\big) \\
\dot i &= c_{14}\,(c_{24}\lambda - c_{11})
\end{aligned}
$$
where
$$
F_c = \frac{1}{c_{11}}\big(1 + i + c_{13}(c_{24}\lambda - c_{11})\big)(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p),\qquad
\dot m_c = c_{12}\,(c_2 + c_3\omega p + c_4\omega p^2 + c_5\omega^2 p)
$$
Is it possible to find discrepancy functions automatically for this system?
SOS tools failed to find any discrepancy function
On-The-Fly Discrepancy
Computing the discrepancy function from simulations and static analysis [Fan et al. '15]
Sketch:
◦ Simulate from a given neighborhood
◦ Compute an overestimate of the behaviors using the Lipschitz constant
◦ Compute better bounds by analyzing the eigenvalues of the Jacobian
88
We apply the on-the-fly discrepancy function to verify the powertrain control system
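One way to realise the three-step sketch above, as an added Python example (not the slides' or [Fan et al. '15]'s own code, and simplified relative to that paper): a constructed nonlinear spring-damper is simulated step by step, a coarse Lipschitz overestimate bounds where the whole neighbourhood can be during each step, and the largest eigenvalue of the Jacobian's symmetric part over that overestimate gives a much tighter per-step growth rate. The plant, domain bound, initial neighbourhood and horizon are constructed; RK4 error is assumed negligible.

```python
"""On-the-fly discrepancy: simulation + Lipschitz overestimate + Jacobian eigenvalue.

Added example, not code from the slides or from [Fan et al. '15], and simplified
relative to that paper.  Constructed plant (nonlinear spring-damper):
    x1' = x2,  x2' = -x1 - x2 - 0.2 * x1**3
Distances are Euclidean; the neighbourhood is a ball of radius delta.
"""
import math

X_MAX = 2.0      # constructed domain bound: Lipschitz constant valid for |x1| <= X_MAX


def f(x):
    x1, x2 = x
    return (x2, -x1 - x2 - 0.2 * x1 ** 3)


def rk4_step(x, h):
    k1 = f(x)
    k2 = f(tuple(a + 0.5 * h * b for a, b in zip(x, k1)))
    k3 = f(tuple(a + 0.5 * h * b for a, b in zip(x, k2)))
    k4 = f(tuple(a + h * b for a, b in zip(x, k3)))
    return tuple(a + h / 6 * (p + 2 * q + 2 * r + s)
                 for a, p, q, r, s in zip(x, k1, k2, k3, k4))


def lipschitz_const(x1_max):
    """Coarse Lipschitz constant in the 2-norm: the Frobenius norm of the
    Jacobian [[0, 1], [-1 - 0.6*x1^2, -1]] maximised over |x1| <= x1_max."""
    a = 1.0 + 0.6 * x1_max ** 2
    return math.sqrt(1.0 + a * a + 1.0)


def jacobian_measure(x1_max):
    """Largest eigenvalue of the symmetric part (J + J^T)/2 =
    [[0, -0.3*x1^2], [-0.3*x1^2, -1]] over |x1| <= x1_max, i.e.
    (-1 + sqrt(1 + 0.36*x1^4)) / 2, which increases with |x1|.  While all
    trajectories stay in a convex set where this is <= mu, the distance
    between any two of them grows at most like e^{mu t}."""
    return (-1.0 + math.sqrt(1.0 + 0.36 * x1_max ** 4)) / 2.0


def on_the_fly_tube(x0, delta0, T, h=0.01):
    """Return [(t, centre, delta_lipschitz, delta_jacobian), ...]: the radius
    of the neighbourhood after t seconds under the plain Lipschitz bound and
    under the on-the-fly Jacobian bound."""
    L = lipschitz_const(X_MAX)
    x, t, d_lip, d_jac = x0, 0.0, delta0, delta0
    tube = [(t, x, d_lip, d_jac)]
    for _ in range(round(T / h)):
        x_next = rk4_step(x, h)                       # (1) simulate the centre
        # (2) coarse overestimate of where the whole neighbourhood can be during
        # this step, from the Lipschitz constant on D; the centre's own x2
        # excursion inside one step is neglected (assumption, small for h=0.01)
        grow = d_jac * math.exp(L * h)
        x2_max = max(abs(x[1]), abs(x_next[1])) + grow
        x1_max = max(abs(x[0]), abs(x_next[0])) + grow + h * x2_max
        if x1_max > X_MAX:
            raise ValueError("coarse overestimate left D; enlarge X_MAX")
        # (3) tighter growth rate from the Jacobian eigenvalue on that box
        d_jac *= math.exp(jacobian_measure(x1_max) * h)
        d_lip *= math.exp(L * h)
        x, t = x_next, t + h
        tube.append((t, x, d_lip, d_jac))
    return tube


def final_radii(x0=(1.0, 0.0), delta0=0.05, T=1.0):
    """Constructed query: (Lipschitz radius, Jacobian radius) at time T."""
    _, _, d_lip, d_jac = on_the_fly_tube(x0, delta0, T)[-1]
    return d_lip, d_jac


if __name__ == "__main__":
    print(final_radii())
```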
Powertrain Verification Results
Verified many key specifications for a given set of driver behaviors (first to do so!)
89

| Property | Mode | Sat | Sim. | Time | Class |
|---|---|---|---|---|---|
| □ 𝜆 ∈ [0.8𝜆𝑟𝑒𝑓, 1.2𝜆𝑟𝑒𝑓] | all modes | Yes | 53 | 11m58s | Safety |
| □ 𝜆 ∈ [0.8𝜆𝑟𝑒𝑓, 1.2𝜆𝑟𝑒𝑓] | startup | Yes | 50 | 10m21s | Safety |
| □ 𝜆 ∈ [0.8𝜆𝑟𝑒𝑓, 1.2𝜆𝑟𝑒𝑓] | normal | Yes | 50 | 10m21s | Safety |
| □ 𝜆 ∈ [0.8𝜆𝑟𝑒𝑓, 1.2𝜆𝑟𝑒𝑓] | power | Yes | 53 | 11m12s | Safety |
| □ 𝜆 ∈ [0.8𝜆𝑟𝑒𝑓, 1.2𝜆𝑟𝑒𝑓] | power | No | 4 | 0m43s | Safety |
| 𝑟𝑖𝑠𝑒 ⇒ □(𝜂,𝜉) 𝜆 ∈ [0.98𝜆𝑟𝑒𝑓, 1.02𝜆𝑟𝑒𝑓] | normal | Yes | 50 | 10m15s | Performance |
| (𝑙 = 𝑝𝑤𝑟) ⇒ □(𝜂,𝜉) 𝜆 ∈ [0.95𝜆𝑟𝑒𝑓, 1.05𝜆𝑟𝑒𝑓] | power | Yes | 53 | 11m35s | Performance |
| (𝑙 = 𝑝𝑤𝑟) ⇒ □(𝜂/2,𝜉) 𝜆 ∈ [0.95𝜆𝑟𝑒𝑓, 1.05𝜆𝑟𝑒𝑓] | power | No | 4 | 0m45s | Performance |
Outline
Introduction
◦ Need for Verification of Cyber-Physical Systems and its Challenges
◦ Overview of My Research
Overview of Abstraction-Refinement
Dynamic Analysis
◦ Algorithm for Dynamic Analysis
◦ Verifying the Alerting Protocol in Parallel Landing
◦ Verifying Powertrain Control System
Future Work
90
Future Work
91
92
Doomsday in 10 Years!
93
With great software, comes great risks!
Avoiding The Doomsday
95
Building Certified CPS
Software Verification + Dynamic Analysis = Certified CPS
Dynamic Analysis – taming complex dynamics
Software Verification + Dynamic Analysis of Continuous Systems
97
Challenges in Bridging Software Verification and Dynamic Analysis

| Software Verification | Dynamic Analysis |
|---|---|
| Time-abstract notion of execution | Continuous-time notion of execution |
| Assertions/invariants hold at discrete places in the program | Invariants/Lyapunov functions should be satisfied globally |
| Exact computations | Noisy environments |

99
Solution: Software Verification Techniques + Control Theory (Dynamic Analysis) + Proof Composition Techniques
Collaborators Mahesh Viswanathan (UIUC)
Sayan Mitra (UIUC)
Ashish Tiwari (SRI)
Pavithra Prabhakar (IMDEA)
Cesar Munoz (NASA Langley)
Taylor Johnson (UT Arlington)
Le Wang (UIUC)
Matthew Potok (UIUC)
Aarti Gupta (Princeton)
Vineet Kahlon (Google)
Khalil Ghorbal (CMU)
Franjo Ivancic (Google)
100
Thank You
101
[Figure: research map over Simple Continuous Dynamics / Complex Nonlinear Dynamics and Simple computation / Distributed computation, covering Abstraction-Refinement and Dynamic Analysis; cited work: [EMSOFT'13], [TACAS'15], [RTSS'12], [FM'14], [EMSOFT'13]*, [ICCPS'11], [HSCC'12], [VMCAI'13], [CAV'15]; Verification Tools [UPPAAL, HyTech, SpaceEx, …]]
*best paper award at EMSOFT 2013
Backup Slides
102
Annotations – conservative upper bound among distance between trajectories
Annotations for ODE 𝑥 = 𝑓(𝑥) is 𝑉, 𝛽 such that
∀𝑡 > 0, 𝑉 𝜉 𝑥1, 𝑡 , 𝜉 𝑥2, 𝑡 ≤ 𝛽(𝑥1, 𝑥2, 𝑡)
Utility of annotation:
𝝃 𝒚, 𝒕 ∈ 𝑩𝒍𝒐𝒂𝒕𝝐(𝝃(𝒙, 𝒕)) where 𝝐 = 𝒔𝒖𝒑𝒚∈𝑩𝜹(𝒙)
{𝜷 𝒙, 𝒚, 𝒕 }
Computing ReachTubes
𝑥1
𝑥2𝜉 𝑥2, 𝑡
𝜉 𝑥1, 𝑡
𝛽 𝑥1, 𝑥2, 𝑡
104
Verification of Annotated Models From Executions [DMV’13]
![Page 105: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/105.jpg)
ReachTubes From Simulations And Annotations
$\xi(x_0, t)$: in general no analytical solution exists
Validated simulation engines generate regions for time intervals:
$\rho = (R_1, [t_0, t_1]), \ldots, (R_l, [t_{l-1}, t_l])$ with $\forall t \in [t_{i-1}, t_i],\; \xi(t) \in R_i$
ReachTube $\psi = B_{\epsilon}(\rho)$ where $\epsilon = \sup_{y \in B_{\delta}(x)} \{\beta(x, y, t)\}$
The overapproximation can be made arbitrarily small
How to infer temporal properties from such ReachTubes?
(Figure: a single validated simulation from $x_1$, the neighbouring trajectory $\xi(x_2, t)$, and the tube obtained by bloating the simulation by $\beta(x_1, x_2, t)$)
105-106
![Page 107: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/107.jpg)
Must, Not, and May Intervals
For a predicate $P$ and a ReachTube $\psi = (O_1, [t_0, t_1]), \ldots, (O_l, [t_{l-1}, t_l])$, the interval $[t_{i-1}, t_i]$ is
in $\mathit{Must}(P)$ if $O_i \subseteq P$
in $\mathit{Not}(P)$ if $O_i \cap P = \emptyset$
in $\mathit{May}(P)$ otherwise
(Figure: the tube from $x_1$ against $P_1 \equiv F_1 > 0$, labelled Must, May, Not along time; the same tube against $P_2 \equiv F_2 > 0$, labelled Not, May, Must)
107
![Page 108: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/108.jpg)
Checking Temporal Precedence
Temporal precedence $P_1 \prec_b P_2$ is satisfied by ReachTube $\psi$ if
$\forall I_2 \in \mathit{Must}(P_2) \cup \mathit{May}(P_2),\; \exists I_1 \in \mathit{Must}(P_1),\; I_1 < I_2 - b$
Temporal precedence $P_1 \prec_b P_2$ is violated by ReachTube $\psi$ if
$\exists I_2 \in \mathit{Must}(P_2),\; \forall I_1 \in \mathit{Must}(P_1) \cup \mathit{May}(P_1),\; I_1 > I_2 - b$
(Figure: the tube from $x_1$ against $P_1 \equiv F_1 > 0$ (Must, May, Not) and against $P_2 \equiv F_2 > 0$ (Not, May, Must); the property $P_1 \prec_0 P_2$ is satisfied)
108
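The pipeline on the last four slides, a ReachTube built from a validated simulation plus an annotation, then the Must/Not/May split and the precedence check, as an added worked example in Python. This is not code from the slides, the [DMV'13] paper or C2E2. It assumes a constructed system, the harmonic oscillator, whose flow is a rotation so that $V = \|\cdot\|_2$, $\beta(x, y, t) = \|x - y\|$ is a valid annotation; the "validated simulation" is a hand-built box enclosure derived from the closed-form solution and a speed bound, standing in for a real validated engine; predicates are half-spaces $a \cdot x + c > 0$; and the interval order $I_1 < I_2 - b$ is read as "$I_1$ ends before $I_2$, shifted earlier by $b$, starts" (an assumption about the slide's notation).

```python
import math

# Constructed example (not the paper's or C2E2's code): the harmonic oscillator
# x1' = x2, x2' = -x1. Its flow is a rotation, so ||xi(x,t) - xi(y,t)|| = ||x - y||,
# and the pair V = ||.||_2, beta(x, y, t) = ||x - y|| is a valid annotation.

def exact_flow(x0, t):
    """xi(x0, t) for the oscillator (closed form; used only to build enclosures)."""
    c, s = math.cos(t), math.sin(t)
    return (c * x0[0] + s * x0[1], -s * x0[0] + c * x0[1])

def beta(x, y, t):
    """Annotation beta(x, y, t): upper bound on ||xi(x,t) - xi(y,t)|| (exact here)."""
    return math.hypot(x[0] - y[0], x[1] - y[1])

def validated_simulation(x0, T, h):
    """Stand-in for a validated simulation engine.
    Returns rho = [(R_i, (t_{i-1}, t_i)), ...] with xi(x0, t) in R_i on each interval.
    The speed ||f(x)|| = ||x|| = ||x0|| is constant, so within one step each
    coordinate moves at most ||x0||*h away from xi(x0, t_{i-1}); R_i is that box."""
    r = math.hypot(*x0)
    rho = []
    for i in range(int(round(T / h))):
        t0, t1 = i * h, (i + 1) * h
        c = exact_flow(x0, t0)
        box = ((c[0] - r * h, c[0] + r * h), (c[1] - r * h, c[1] + r * h))
        rho.append((box, (t0, t1)))
    return rho

def reach_tube(x0, delta, T, h):
    """psi = Bloat_eps(rho) with eps = sup_{y in B_delta(x0)} beta(x0, y, t).
    For this beta the sup is attained on the ball's boundary and equals delta for
    every t. Bloating each box side by eps contains the eps-ball bloat of the box,
    so the tube remains an over-approximation."""
    eps = beta(x0, (x0[0] + delta, x0[1]), 0.0)  # == delta
    return [(tuple((lo - eps, hi + eps) for lo, hi in box), iv)
            for box, iv in validated_simulation(x0, T, h)]

def tube_contains(psi, y, samples=3):
    """Soundness check: does xi(y, t) stay inside the tube on every interval?"""
    for box, (t0, t1) in psi:
        for k in range(samples + 1):
            p = exact_flow(y, t0 + (t1 - t0) * k / samples)
            if not all(lo <= v <= hi for v, (lo, hi) in zip(p, box)):
                return False
    return True

def classify(psi, P):
    """Must/Not/May intervals of the tube for P = {x : a.x + c > 0}, given as (a, c)."""
    a, c = P
    must, not_, may = [], [], []
    for box, iv in psi:
        lo = c + sum(ai * (l if ai > 0 else u) for ai, (l, u) in zip(a, box))
        hi = c + sum(ai * (u if ai > 0 else l) for ai, (l, u) in zip(a, box))
        if lo > 0:
            must.append(iv)       # O_i is a subset of P
        elif hi <= 0:
            not_.append(iv)       # O_i is disjoint from P
        else:
            may.append(iv)
    return must, not_, may

def check_precedence(psi, P1, P2, b=0.0):
    """P1 <_b P2 on the tube: 'satisfied', 'violated' or 'unknown'.
    Intervals are compared as I < J iff I ends before J starts (assumed reading of
    the slide's I1 < I2 - b, with I2 - b shifting I2 earlier by b)."""
    must1, _, may1 = classify(psi, P1)
    must2, _, may2 = classify(psi, P2)
    if all(any(I1[1] < I2[0] - b for I1 in must1) for I2 in must2 + may2):
        return "satisfied"
    if any(all(I1[0] > I2[1] - b for I1 in must1 + may1) for I2 in must2):
        return "violated"
    return "unknown"

if __name__ == "__main__":
    x0, delta = (0.8, -0.6), 0.1          # constructed initial state and ball radius
    psi = reach_tube(x0, delta, T=2 * math.pi, h=0.05)
    P1 = ((-1.0, 0.0), 0.0)               # P1: -x1 > 0, i.e. x1 < 0
    P2 = ((0.0, 1.0), 0.0)                # P2: x2 > 0
    print("tube sound for a perturbed start:", tube_contains(psi, (0.854, -0.528)))
    print("P1 <_0 P2:", check_precedence(psi, P1, P2))
    print("P2 <_0 P1:", check_precedence(psi, P2, P1))
```

The trajectory starts at $x_1 > 0$, enters $x_1 < 0$ and only later enters $x_2 > 0$, so $P_1 \prec_0 P_2$ comes out satisfied while the reversed order is violated. Because the check only consults Must/May interval lists, it also returns "unknown" when the tube is too coarse to decide either way; that is the case where a real tool would refine $\delta$ or the step size rather than report a result.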
![Page 109: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/109.jpg)
Simulation Guided Synthesis
Intuition for the system designer comes from simulations
Learning linear and nonlinear control theory:
◦ Learned the basic principles of control
◦ Design iterations guided by simulations
(Figure: an incomplete model of the CPS plus a specification enter the Synthesizer, in which a Model Generator and a Verifier iterate; the output is a Satisfying Model or Infeasible)
109-110
![Page 111: Static and Dynamic Analysis of Cyber-Physical Systems · Analysis •Simulate/Test the model with several configurations, ... Guarantees Formal Verification: Prove that the system](https://reader035.vdocuments.site/reader035/viewer/2022071212/60265ef35cdfe134414c7169/html5/thumbnails/111.jpg)
Parameter Synthesis: Classroom Experiment
(Figure: the autonomous-car scenario with the phases slow down, turn, speed up, turn)
Homework problem: generate parameters for an autonomous car controller and verify with C2E2 that the whole specification is satisfied
Goals of the course included
◦ Familiarize students with different tools in CPS verification (interactive demos)
◦ Push new research directions: handling a nontrivial verification problem
Results
◦ 90% of students solved it without a single office hour
◦ Students researched the literature and provided new techniques we did not anticipate
Inspiration for future research directions: Simulation Guided Synthesis
111-113