Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conflict-Tolerant Safety Specifications
Deepak D’Souza
Department of Computer Science and Automation Indian Institute of Science, Bangalore. Joint work with Madhu Gopinathan, Raj Mohan M., Sumesh Divakaran, S. Ramesh, Prahlad Sampath.
NAL, 08 April 2013

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Outline

1

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

2

3

4

5

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Overview
We consider systems which are composed of a base system + multiple controllers + a supervisor. Supervisor chooses when to provide the control input of a controller to the base system (e.g. based on priority).
Basic operation Controller

Car Engine

Supervisory Controller

Cruise Control Controller

Stability Control Controller

We propose a way of specifying the behaviour of individual controllers.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Classical model-checking framework

?
System Model Satisfies Spec

G (¬Bad )

Abstraction

AMC

40602

602 U.S. AIR FORCE

System

Distribution of this artwork as part of the xfig package, where xfig is part of a commercially sold software package is permitted. © 2001, Carlo Kopp

Proof that Model satisfies Spec. Counter-example.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Control mechanism

Control inputs Controller Plant behaviour Base System

Controller reads plant behaviour and gives advice in the form of control inputs to the plant.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Control mechanism
Example model:
timer

rel, timer no−rel, rel−double no−rel, rel, rel−double

Control inputs Controller Plant behaviour Base System

Controller reads plant behaviour and gives advice in the form of control inputs to the plant.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Classical safety specification
Specifies a safety “cone” (prefix-closed set of behaviours) within which the behaviour of the controlled system must lie.

System state

Time

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

What about systems with multiple controllers?
Basic operation Controller

Car Engine

Supervisory Controller

Cruise Control Controller

Stability Control Controller

Composed system is large Specification is complex. Would like to reason about each controller separately.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Why a classical safety specification is inadaquate
What happens if the controller’s input is disregarded by the supervisor (due to a conflict)? The resumed controller has no specification to adhere to.

Time

advice taken

advice not taken

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conflict-tolerant specification

f (ε) f (σ )

σ

Time

An advice function f which specifies a safety cone f (σ ) after each behaviour σ of the base system.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conflict-tolerant specification

f (ε) f (σ )

σ

Time

An advice function f which specifies a safety cone f (σ ) after each behaviour σ of the base system. A controller satisfies a CT-spec f (wrt a plant B ) if after each plant behaviour σ , the controlled plant’s behaviour lies in f (σ ).

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conflict-tolerant Specification: Guarantee
Suppose a controller C satisfies its tolerant specification S wrt a base system B .

Time

advice taken

advice not taken

advice taken

Then in every period in which it is in control, C does “the right thing” (according to S ). This guarantee is regardless of other controllers/supervisors it is composed with.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Insulin Control

timer

rel, timer no−rel, rel−double no−rel, rel, rel−double

Controller

Base System

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conflict-Tolerant Specifications for Insulin Controller
timer
rel

(a) timer
rel-double rel no-rel rel-double rel-double, no-rel

timer
rel no-rel

timer
rel

(c)
rel rel-double

timer
no-rel

(b)

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Example hybrid system: Water tank with pump

System variables: w : level of water in tank. p : On/Off status of pump (1=“on”).

w := 2

. 1 w=1 w<6 p=1

b

. 2 w = -1 w>0 p=0

b

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Example hybrid system: Water tank with pump

System variables: w : level of water in tank. p : On/Off status of pump (1=“on”).
4

3

w := 2

. 1 w=1 w<6 p=1

b

. 2 w = -1 w>0 p=0

b

2

w p

1

0 0 1 2 3 4

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Controller for water tank
System variables: X = {w } Control variables: U = {p }.

w := 2

. 1 w=1 w<6 p=1

b

. 2 w = -1 w>0 p=0

b

4

3

Water Tank
2

w p

1

p := 1

p=0 2 <= w <= 4 p=1

q . 1

w=4 p := 0 w=2 p := 1

. p=0 2 <= w <= 4 p=0

q2

0 0 1 2 3 4

Controller

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

A classical specification for water-level controller

Classical safety specification = prefix-closed set of signals.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conflict-tolerant specification
An advice function over a set of variables W is function f : Signals → 2Signals such that each f (σ ) is prefix-closed. Mechanism to specify such advice functions: S = (Acc , Adv , E ) where Acc and Adv are hybrid automata over W E is a set of edges between Acc and Adv called an advice relation.

Acc E

Adv

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Example tolerant specification for water-level controller I

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Example tolerant specification for water-level controller II

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Example tolerant specification for water-level controller II

Note: Both tolerant specs induce the same classical spec but are quite different as tolerant specs.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Components of the theory
Transition system based mechanism for specifying conflict-tolerant specs, for discrete [CAV 2008], timed [QEST 2008], and hybrid systems [manuscript]. Temporal logics for CT-specs (discrete and timed) [ISEC 2010, TIME 2010]. Algorithms for verifying whether a given controller satisfies a given CT-spec with respect to a given base system. Algorithms for automatic synthesis of CT controllers. Construction of a priority-based superviser that maximally utilizes controllers. Some “toy” case-studies: elevator features (discrete), car door-motor control (timed), cruise-control vs stability control (hybrid).

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Conclusion
Basic operation Controller

Car Engine

Supervisory Controller

Cruise Control Controller

Stability Control Controller

Consider setting of multiple intermittent control. Conflict-tolerant specifications more richly capture a controller’s specification. A modular or “compositional” way of developing and reasoning about systems with multiple controllers.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Thanks for your attention.

Motivation Example: Insulin Controller Example: Water-Level Controller Conflict-tolerant specifications Results in the theory

Verification for rectangular hybrid automata

We can solve the verification problem for such specs: Given a base system B modelled as an initialized rectangular automaton over (X , Y ), a controller C modelled as an initialized rectangular automaton over (X , Y ), a tolerant spec S = (Acc , Adv , E ) whose components are IRHA: we can check whether C satisfies S wrt B .

Sign up to vote on this title
UsefulNot useful