university of l’aquila center of excellence dews l’aquila, italy

Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven,November 3, 2009

Observability and Diagnosability of Hybrid Automata, and their application

in Air Traffic Management

M.D. Di Benedetto, S. Di Gennaro and A. D’Innocenzo

University of L’AquilaCenter of Excellence DEWS

L’Aquila, Italy


Motivation• ATM procedures define behaviours and

interactions among actors of a multi agent system

• With the increase of air traffic, bottlenecks of current procedures are arising: decentralize decisions?

• It is extremely hard to convince people that a “new” procedure is more efficient than the “old” one, but equally safe


General framework for testingATM procedures

In order to convince - formally prove - that an ATM procedure satisfies certain properties:

• Compositional mathematical framework for modeling ATM procedures

• Propositional logics to mathematically define properties of interest

• Tools to automatically verify properties


Automatically verify properties

of ATM procedures

ATM procedureAutomatic

Verification Tool

Property of interest

Yes

No +counterexample

• Can the procedure terminate correctly?• Does the procedure terminate in time t [min, max]?• Is it possible to immediately detect if the procedure is not

performed correctly?• Is it possible to detect propagation of situation awareness

incongruency due to interconnection of agents?


Automatically verify properties

of ATM procedures

Hybrid model Model checking

Formula

Yes

No +counterexample

• Can the procedure terminate correctly? CTL PROPERTY• Does the procedure terminate in time t [min, max]? TCTL PROPERTY • Is it possible to immediately detect if the procedure is not performed

correctly? OBSERVABILITY PROPERTY• Is it possible to detect propagation of situation awareness incongruency

due to interconnection of agents? DIAGNOSABILITY PROPERTY


Hybrid system definition

Continuous Layer

q1q2

q3

Discrete LayerInvariant Sets

Guard SetsReset Maps

uBxAx 11 uBxAx 22 uBxAx 33

/1

13 /

21 /


Hybrid execution

)( 1qInv

)( 2qInv

),( 1 xeRx

1e

3e),( 3 xeRx

0X

1q

2q

)( 1eG

)( 3eG

)( 2eG2e


Language of executions of discrete state

q1 q2 q4q3

2,,1,,4,,3, 4321 qqqq3 s 4 s 2 s1 s

2,,14,,3)( 21 P

1 2

L language of all discrete state executions

P language of all discrete observations

LQb executions that terminate in Qb Q

PQb observations of string in LQb

then bQife.g.bb QQ , PL )(4 Pq


Regular language of executions

• Consider observations without time delays:

then L, P, LQb, PQb

are regular languages

• Regular languages are closed w.r.t. union, intersection, concatenation.

214321 ,)(,,,, Pqqqq


Discrete state observability: motivation

Unauthorized crossing

Waiting at stop-bar

Emergency Braking

Authorized crossing Taxi to

hangar

TaxiingEngines Running

Taxi on airport wayAsk for

crossing grant

Crossing

Crossing completed

Taxiing

Unobs.

Unobs.Unobs.

Unobs.

[Di Benedetto et al. MED’05]

Qb = {unauth. crossing}


Observability definition

Definition: Set Qb Q is observable for hybrid system H if observer of Qb exists.

Hybrid system Observer of QbbQq

bQq or)(P

[Di Benedetto et al. LNCIS’05, CDC’06]

Let Qb Q be a subset of the discrete state space, that models a faulty behavior of the

system.


Classical observability definition

Proposition: Classical discrete state observability is a special case of observability of Qb

Observer of q1

Observer of qN

…Observer of H q̂


Observability condition

Proposition: Set Qb is observable for hybrid system H if and only if

Q0 Qb

bb QQQ \PP

ab c d

a b c d


Observability verification

Algorithm:1. Compute regular languages PQb

and PQ\Qb

2. Compute intersection PQb PQ\Qb

3. Check if PQb

PQ\Qb is empty.

Algorithm terminates in polynomial time w.r.t. dimension of discrete state

space

[Di Benedetto et al. IJRNC’08]


Diagnosability definition

Definition: Set Qb is -diagnosable for a hybrid system H if it is possible to detect within a delay that Qb has been visited, using the observable output.Proposition: Set Qb is observable if and only if it is-diagnosable with =0.


6-diagnosability conditions

q1 q2 q4q3

3 s 4 s 2 s1 s

1 2

q1 q5 q7q6

3 s 4 s 2 s1 s

1 2not

admitted

admittedq1 q2 q4q3

3 s 2 s 2 s1 s

1 2

q1 q5 q7q6

3 s 2 s 2 s1 s

1 2


Faulty executions

q1 q2 q4q3

3 s 4 s 2 s1 s

1 2

Definition: A δ-faulty execution is a trajectory that enters the faulty set at a certain time instant, and then continues flowing for a time duration δ.

2,,1,,4,,3, 4321 qqqq is 3-faulty


Diagnosability conditions

)()(,,*

**

*

PP FLF \Proposition: Qb is -diagnosable for H iff

executions all of set the is Lexecutions faulty- all of set the is *

*

F

Problem: Compute the minimum m such that Qb is m-diagnosable for H.


Diagnosability verification for HA

•It is extremely hard to automatically verify diagnosability conditions on a general hybrid model.•It is probably undecidable.•This problem has been solved for discrete event systems and timed automata


Abstraction methods

Hybrid system H Discrete event system D

Hybrid system H Timedautomaton T

Timed abstraction:Pro: preserve time information!Con: more complex algorithms…

safety

temporalproperties

Durationalgraph G

Untimed

Timed


Diagnosability Verification by abstraction

[Di Benedetto et Al., IEEE TAC]

Hybrid system H Abstraction G

G is diagnosable

• Construct abstraction G to preserve properties of interest

• Verification procedure on G

Find conditions to construct an abstraction G such that:

property true for Hif and only if true for G

H is diagnosable


Diagnosability verification complexity

Timed automata

Durational graphs

Discrete event systems

<<

Complexity class:PSPACE

[Tripakis]

P[Lafortune]

P[Di Benedetto et Al., IEEE TAC]

Expr

essiv

e po

wer


In-Trail Procedures:ATSA and ASEP ITP

• ATSA-ITP application is currently being standardized by the Requirements Focus Group as part of Airborne Separation Assistance System (ASAS) Package 1 applications.

• Tested since spring 2008 in the North Atlantic Airspace above Iceland (where radar coverage is available) with a small set of aircraft equipped with special ADS-B devices. ATSA-ITP is the near-future of ITP oceanic airspace applications.

• Airborne Separation In Trail Procedure (ASEP-ITP) studied inside the Advanced Safe Separation Technologies and Algorithms (ASSTAR) project introduces an innovative transfer of separation management responsibilities from ATC to the flight crew throughout the ITP manoeuvre.

• The rationale behind this is that the flight crew, in contrast to ATC, disposes of the appropriate surveillance equipment (i.e. ADS-B and ASAS Equipment), and is therefore instantly able to monitor separation and act if necessary.


ATSA and ASEP ITP• ATSA-ITP: improvement in the situation awareness of

the agents, but the procedure is the same as the traditional, and does not include any transfer of responsibility from the controller to the pilot.

• ASEP-ITP: for the first time in oceanic applications, the pilot has the responsability of separation during execution. He can change the Mach number, whenever the ASAS systems suggests. Reduce the separation minimum to 5NM.

• ASEP-ITP is strongly based on ATSA-ITP: step-by-step evolution of the application inside the ASAS concept, gradual implementation of a new concept and of safety assessment.


>10 minutes Actual Separation ( ~80 NM)

FL350

FL360

FL340

Reference Aircraft

ITP Aircraft

10 NM ATSA Separation minimumFL350

FL360

FL340

ITP Aircraft

5 NM ASEP Separation minimumFL350

FL360

FL340

Reference Aircraft

Reference Aircraft

ITP Aircraft

Separation minimum improvement


• Agents: • ITP Aircraft modeled by Rectangular automaton• Oceanic Controller modeled by Discrete Event System• ASAS Technical System is working

Assumptions

• Aircraft Dynamics are described by• longitudinal position• altitude• longitudinal absolute speed, measured in Mach • climb rate

• Operational hazards: [Requirements Focus Group (RFG). In-trail procedure in non-radar oceanic airspace (atsa-itp) - operational safety assessment (osa), v2.3. November 2007.]


From ASEP-ITP specificationto automatic verification

Hybrid System or Rectangular Aut.

HTimed

automaton T

Propertytrue on H

Propertytrue on T

Most of the properties of our interest for ATM procedure analysis are decidable for timed and rectangular automata [Alur et Al., TAC’00]

ASEP-ITPspecification

Property true on ASEP-ITP

specification


Q1

Cruise Q2 ITP

Initation

Q3 ITP

Instruction

Q4 ITP

StandardExecutio

n

Q5 ITP

Termination

Q1

Cruise Q2 ITP

Initiation

Q6 ITP

Aborted

Q7 ITP

Denied

Q8 ITP

Rejected

Q9Abnormal Terminatio

n

ε

σ1

σ6

ε

σ4 ψ2

ψ3

ψ5

σ2ε

σ3

ψ1

ψ6σ5

σ9ψ7

Q12Asas alertQ10

Non-ITP Criteria

compliant

Q11Wrong

Execution

Q13 Wrong

termination

σ8

εε

εε

σ9ψ7

ψ4

ψ4

ψ4σ7

σ7

σ7

σ7

ψ5

ψ5

ψ5

ψ4

ε

ε

ε

ε

ASEP-ITP observability analysis


Q1

Cruise Q2 ITP

Initation

ITPInstruction

ITP StandardExecutio

n

ITP Terminatio

n

Cruise

ITP Initiation

ITP Aborted

ITP Denied

ITP Rejecte

d

Abnormal Terminatio

n

Asas alert

Non-ITP Criteria compliant

NON-ITP Criteria Complia

nt

Wrong Termination

Wrong Execution


ASEP-ITP observer

ψ1

ψ6

Q1,Q2,Q6

Q3

Q7

Q8

ψ2

Q4,Q10,Q11

Q9

ψ5

ψ4

Q12

ψ7

ψ3

ψ4

ψ5

Q5,Q13

The operational hazards are not observable even if the ASEP-ITP procedure satisfies the ED78a check, some operational hazards cannot be

detected!


Conclusions

• Apply hybrid systems theory for formal modeling of ATM procedures

• Propose a mathematical framework for formal analysis of ATM procedures

• Develop tools for automatic verification of observability and diagnosability

• Analyze observability of ASEP-ITP


Future work

• Stochastic definitions of observability and diagnosability

• Use abstraction tools for stochastic hybrid systems analysis

• Compositional analysis for complexity reduction

university of l’aquila center of excellence dews l’aquila, italy

Documents