Compositional Verification of Hybrid Systems
Using Simulation Relations
Doctorate Defense
Goran Frehse
Radboud Universiteit, Nijmegen, Oct. 10, 2005
Example 1: Überlingen, July 1, 2002
• Boeing B757-200 & Tupolew TU154M crossing
• 21:33:03
  – Alarm from Collision Avoidance System (TCAS)
• 21:34:49
  – Human controller command
• 21:34:56
  – TCAS recommendation
• 21:35:32
  – Collision
Official Recommendation:
“pilots are to obey and follow TCAS advisories, regardless of whether contrary instruction is given”
Trust a computer!?
Formal Verification
[Diagram: Hybrid System (Model of Environment + Model of Software) and Precise Specification → Proof (algorithmic) → Guaranteed Correctness; annotation: TCAS verified in part, Livadas, Lygeros, Lynch, ’00]
• Characteristics
  – mathematical rigour
  – sound proofs & algorithms
• Hybrid System
  – continuous environment
  – discrete software
• Problems
  – only computable for certain types of models
  – must check all possibilities → computational complexity
• Solution
  – abstraction
  – compositionality
Example 2: Join Manoeuvre [Tomlin et al.]
• Traffic Coordination Problem
  – join paths at different speed
• Goals
  – avoid collision
  – join with sufficient separation
• Models
  – Environment: Planes
  – Software: Controller
    • switches fast/slow
• Specification
  – keep min. distance
Abstraction and Simulation Relations
[Figure: disturbances on direction and the resulting bounds on direction; original trajectory inside the bounds on trajectories of the abstraction]
• Goal
  – check all possibilities
• Abstraction
  → simplified model
  – here: linear bounds on direction
  – bounds on trajectories
• Simulation Relation
  → formal relationship between original and abstraction
  – everything possible in implementation is also possible in abstraction
  – specification = abstraction
Compositionality
• From Components to Systems
  – Simulation relations must hold after composition
  Original Controller:
    while active do
      if altitude > 13000
        check distance
      else if speed >= 10
        check heading
        check distance
      else
        warning
    end while
  Abstract Controller (Original Controller satisfies Abstract Controller):
    while active do
      check distance
    end while
  Original Plane satisfies Abstract Plane
  Composed system (Original Plane with Original Controller) satisfies composed abstraction (Abstract Plane with Abstract Controller)
• Benefits
  – modular verification
  – advanced deduction techniques possible
• Difficulty
  – formalisms must fit together
    • hybrid system
    • simulation relation
    • composition
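The simulation relation of the previous slide and the component-wise argument of this one, as an added example that is not from Frehse's slides or from PHAVer: it works on finite labelled transition systems rather than hybrid automata, computes the greatest simulation relation as a fixpoint, composes components by synchronising on shared labels, and then shows that a safety property proved on the composed abstraction carries over to the composed original. The controller, plane and reading labels ("high", "low_fast", "low_slow") are constructed stand-ins for the pseudocode above and are assumptions, not the thesis's models.

```python
# Added example, not code from the slides or from PHAVer. Finite labelled
# transition systems (LTSs) stand in for hybrid automata; all models below are
# constructed toy versions of the controller/plane pseudocode (assumptions).
from itertools import product


class LTS:
    """Finite LTS: initial state, transitions (src, label, dst), optional alphabet."""

    def __init__(self, init, trans, labels=None):
        self.init = init
        self.trans = frozenset(trans)
        self.states = {init} | {s for (x, _, d) in self.trans for s in (x, d)}
        # An explicit alphabet lets a component block a shared label it never emits.
        self.labels = set(labels) if labels else {l for (_, l, _) in self.trans}

    def out(self, s):
        return [(l, d) for (x, l, d) in self.trans if x == s]

    def succ(self, s, a):
        return {d for (x, l, d) in self.trans if x == s and l == a}


def simulation(impl, spec):
    """Greatest relation R such that (p,q) in R and p -a-> p' imply some
    q -a-> q' with (p',q') in R: start from the full product, prune failing pairs."""
    R = set(product(impl.states, spec.states))
    changed = True
    while changed:
        changed = False
        for (p, q) in list(R):
            for (a, p2) in impl.out(p):
                if not any((p2, q2) in R for q2 in spec.succ(q, a)):
                    R.discard((p, q)); changed = True
                    break
    return R


def simulates(impl, spec):
    """True iff the abstraction `spec` simulates the implementation `impl`."""
    return (impl.init, spec.init) in simulation(impl, spec)


def compose(a, b):
    """Parallel composition: shared labels synchronise, the rest interleave."""
    shared = a.labels & b.labels
    init, seen, trans, todo = (a.init, b.init), set(), set(), [(a.init, b.init)]
    while todo:
        p, q = s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for (l, p2) in a.out(p):
            for q2 in (b.succ(q, l) if l in shared else {q}):
                trans.add((s, l, (p2, q2))); todo.append((p2, q2))
        for (l, q2) in b.out(q):
            if l not in shared:
                trans.add((s, l, (p, q2))); todo.append((p, q2))
    return LTS(init, trans, a.labels | b.labels)


def reachable_labels(lts):
    """Labels that can occur on some run from the initial state (safety check)."""
    seen, todo, labs = set(), [lts.init], set()
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        for (l, d) in lts.out(s):
            labs.add(l); todo.append(d)
    return labs


READINGS = {"high", "low_fast", "low_slow"}   # constructed sensor readings
# Original controller: one mode per branch of the pseudocode on the slide.
CTRL = LTS("idle", [
    ("idle", "high", "hi"),      ("hi", "check_distance", "idle"),
    ("idle", "low_fast", "lf"),  ("lf", "check_heading", "lf2"),
    ("lf2", "check_distance", "idle"),
    ("idle", "low_slow", "ls"),  ("ls", "warning", "idle"),
])
# Abstract controller: the speed guard is dropped, so the two branches that end
# in "check distance" collapse into one nondeterministic mode.
CTRL_ABS = LTS("idle", [
    ("idle", "high", "rd"), ("idle", "low_fast", "rd"),
    ("rd", "check_distance", "idle"),
    ("rd", "check_heading", "rd2"), ("rd2", "check_distance", "idle"),
    ("idle", "low_slow", "ls"), ("ls", "warning", "idle"),
])
# Original plane: cycles through altitude levels and is fast whenever low.
PLANE = LTS(0, [(0, "high", 1), (1, "high", 2), (2, "low_fast", 3),
                (3, "low_fast", 0)], READINGS)
# Abstract plane: altitude dynamics dropped, only the possible readings kept.
PLANE_ABS = LTS("p", [("p", "high", "p"), ("p", "low_fast", "p")], READINGS)


def compositional_check():
    """Component-wise simulations, the composed systems, and the property
    'no warning is ever issued' established on the abstraction."""
    sys_orig, sys_abs = compose(PLANE, CTRL), compose(PLANE_ABS, CTRL_ABS)
    return {
        "components_simulated": simulates(CTRL, CTRL_ABS) and simulates(PLANE, PLANE_ABS),
        "system_simulated": simulates(sys_orig, sys_abs),
        "abstraction_warning_free": "warning" not in reachable_labels(sys_abs),
        "original_warning_free": "warning" not in reachable_labels(sys_orig),
    }


if __name__ == "__main__":
    print(compositional_check())
```

The last two entries of the result are the point of the slide: the composed abstraction (two states for the plane and five for the controller) never reaches "warning", and because the composed original is simulated by it, the original composite cannot either; the check on the original is only there to confirm the inference. Reversing the arguments of simulates shows the abstraction is strictly coarser, as an abstraction should be.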
Contribution of this Thesis
[Figure: time axis with safety margin; region labelled “collision possible!”]
• Formal Framework for Compositional Verification
  – simulation relations for hybrid systems
  – semi-computable for linear bounds
• Verification Tool: PHAVer (Polyhedral Hybrid Automaton Verifier)
  – compute simulation relations and reachable states
  – most powerful verification tool for hybrid systems
• Future Work
  – compositional overapproximations (submitted)
  – efficiency & applications