Observability and Diagnosability of Hybrid Automata, and their application in Air Traffic Management
M.D. Di Benedetto, S. Di Gennaro and A. D'Innocenzo
University of L'Aquila, Center of Excellence DEWS, L'Aquila, Italy
Workshop on FORMAL METHODS IN AEROSPACE, Eindhoven, November 3, 2009
Motivation
• ATM procedures define behaviours and interactions among the actors of a multi-agent system
• With the increase of air traffic, bottlenecks of the current procedures are arising: decentralize decisions?
• It is extremely hard to convince people that a "new" procedure is more efficient than the "old" one, but equally safe
General framework for testing ATM procedures
In order to convince (i.e. to formally prove) that an ATM procedure satisfies certain properties, we need:
• A compositional mathematical framework for modeling ATM procedures
• Propositional logics to mathematically define the properties of interest
• Tools to automatically verify the properties
Automatically verify properties of ATM procedures
[Figure: the ATM procedure and the property of interest are fed to an automatic verification tool, which answers Yes, or No together with a counterexample.]
• Can the procedure terminate correctly?
• Does the procedure terminate in time $t \in [\min, \max]$?
• Is it possible to immediately detect if the procedure is not performed correctly?
• Is it possible to detect the propagation of situation awareness incongruency due to the interconnection of agents?
Automatically verify properties of ATM procedures
[Figure: the hybrid model and the formula are fed to a model checker, which answers Yes, or No together with a counterexample.]
• Can the procedure terminate correctly? CTL PROPERTY
• Does the procedure terminate in time $t \in [\min, \max]$? TCTL PROPERTY
• Is it possible to immediately detect if the procedure is not performed correctly? OBSERVABILITY PROPERTY
• Is it possible to detect the propagation of situation awareness incongruency due to the interconnection of agents? DIAGNOSABILITY PROPERTY
Hybrid system definition
[Figure: two layers. Discrete layer: discrete states q1, q2, q3 with edges labelled by an event/output pair (σ1 / ε, σ3 / ψ1, σ1 / ψ2 in the figure), together with invariant sets, guard sets and reset maps. Continuous layer: in discrete state q_i the continuous state evolves as $\dot x = A_i x + B_i u$, $i = 1, 2, 3$.]
Hybrid execution
[Figure: an execution starts in $X_0 \subseteq \mathrm{Inv}(q_1)$, flows inside $\mathrm{Inv}(q_1)$ until the guard $G(e_1)$ is reached, jumps to q2 with $x' = R(e_1, x)$, flows inside $\mathrm{Inv}(q_2)$, and continues through the guards $G(e_2)$ and $G(e_3)$, the latter with reset $x' = R(e_3, x)$.]
Language of executions of the discrete state
[Figure: the execution stays in q1 for 3 s, emits ψ1, stays in q2 for 4 s, takes an unobservable (ε) transition, stays in q3 for 1 s, emits ψ2, and stays in q4 for 2 s.]
$\sigma = (q_1, 3), (q_2, 4), (q_3, 1), (q_4, 2)$
$P(\sigma) = 3, \psi_1, 4 + 1, \psi_2, 2$
• $L$: language of all discrete state executions
• $L_{Q_b}$: executions that terminate in $Q_b \subseteq Q$
• $P$: language of all observations
• $P_{Q_b}$: observations of strings in $L_{Q_b}$
e.g. if $q_4 \in Q_b$ then $\sigma \in L_{Q_b}$ and $P(\sigma) \in P_{Q_b}$
Regular language of executions
• Consider observations without time delays: $\sigma = q_1, q_2, q_3, q_4$, $P(\sigma) = \psi_1, \psi_2$; then $L$, $P$, $L_{Q_b}$, $P_{Q_b}$ are regular languages
• Regular languages are closed w.r.t. union, intersection and concatenation.
Discrete state observability: motivation
[Di Benedetto et al. MED'05]
[Figure: runway-crossing automaton with $Q_b$ = {unauthorized crossing}. Discrete states: Taxiing, Ask for crossing grant, Taxi on airport way, Waiting at stop-bar, Crossing (Authorized crossing / Unauthorized crossing), Engines running, Emergency braking, Crossing completed, Taxi to hangar. Several transitions, among them the one into Unauthorized crossing, are unobservable ("Unobs.").]
Observability definition
[Di Benedetto et al. LNCIS'05, CDC'06]
Let $Q_b \subseteq Q$ be a subset of the discrete state space that models a faulty behavior of the system.
Definition: the set $Q_b \subseteq Q$ is observable for the hybrid system H if an observer of $Q_b$ exists.
[Figure: the hybrid system H produces the observation $P(\sigma)$; the observer of $Q_b$ reads it and outputs whether $q \in Q_b$ or $q \notin Q_b$.]
Classical observability definition
Proposition: classical discrete state observability is a special case of observability of $Q_b$.
[Figure: an observer of H, producing the estimate $\hat q$, is obtained by running an observer of $\{q_1\}$, …, an observer of $\{q_N\}$ in parallel.]
Observability condition
Proposition: the set $Q_b$ is observable for the hybrid system H if and only if
$P_{Q_b} \cap P_{Q \setminus Q_b} = \emptyset$
[Figure: automaton with initial states $Q_0$, observable outputs a, b, c, d and faulty set $Q_b$: the same output sequence must not lead both into $Q_b$ and outside it.]
Observability verification
[Di Benedetto et al. IJRNC'08]
Algorithm:
1. Compute the regular languages $P_{Q_b}$ and $P_{Q \setminus Q_b}$
2. Compute the intersection $P_{Q_b} \cap P_{Q \setminus Q_b}$
3. Check whether $P_{Q_b} \cap P_{Q \setminus Q_b}$ is empty.
The algorithm terminates in polynomial time w.r.t. the dimension of the discrete state space.
Diagnosability definition
Definition: the set $Q_b$ is δ-diagnosable for a hybrid system H if it is possible to detect, within a delay δ, that $Q_b$ has been visited, using the observable output.
Proposition: the set $Q_b$ is observable if and only if it is δ-diagnosable with δ = 0.
δ-diagnosability conditions
[Figure: pairs of timed executions drawn side by side, one visiting q1, q2, q3, q4 and the other q1, q5, q6, q7, with dwell times of 3 s, 4 s, 2 s, 1 s, 2 s and outputs ψ1, ψ2 or ε on the transitions. A pair with identical observations, of which only one execution has entered the faulty set, is marked "not admitted"; a pair whose observations differ is marked "admitted".]
Faulty executions
Definition: a δ-faulty execution is a trajectory that enters the faulty set at a certain time instant, and then continues flowing for a time duration δ.
[Figure: the execution $\sigma = (q_1,3),(q_2,4),(q_3,1),(q_4,2)$ with output ψ1 between q1 and q2, ε between q2 and q3, and ψ2 between q3 and q4.]
$\sigma = (q_1, 3), (q_2, 4), (q_3, 1), (q_4, 2)$ is 3-faulty (it enters the faulty set at q3 and then keeps flowing for 1 s + 2 s = 3 s).
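The timed projection $P(\sigma)$ of the "Language of executions" slide and the delay δ of a δ-faulty execution, as an added Python example (not code from the slides). It uses the four-state chain of the slide; the extra branch q2 → q5 emitting ψ2 and the choice $Q_b = \{q_3\}$ are assumptions added here to show that the δ-faulty execution is confusable with a non-faulty one.

```python
"""Timed observation P(sigma) and fault delay of a discrete-state execution.

Added example, not code from the slides. An execution is a list of
(state, dwell time) pairs; each transition between consecutive states emits an
output psi_i or the empty output EPS. The projection keeps outputs and dwell
times, but dwell times separated only by an unobservable transition are
summed (the 4 + 1 of the slide).
"""
EPS = None  # unobservable transition

# Outputs of the slide's four-state chain, plus an assumed branch q2 -> q5
# (constructed for this example) that emits the same output as q3 -> q4.
OUTPUT = {
    ("q1", "q2"): "psi1",
    ("q2", "q3"): EPS,
    ("q3", "q4"): "psi2",
    ("q2", "q5"): "psi2",  # assumption, not on the slide
}

SIGMA = [("q1", 3), ("q2", 4), ("q3", 1), ("q4", 2)]   # from the slide
SIGMA_ALT = [("q1", 3), ("q2", 5), ("q5", 2)]          # constructed, never visits q3


def project(sigma, output):
    """P(sigma): observable outputs interleaved with dwell times, merging the
    dwell times on both sides of every unobservable transition."""
    obs, dwell = [], 0
    for i, (state, dt) in enumerate(sigma):
        dwell += dt
        if i + 1 < len(sigma):
            out = output[(state, sigma[i + 1][0])]
            if out is not EPS:
                obs += [dwell, out]
                dwell = 0
    obs.append(dwell)  # time spent in the last state is observed as well
    return obs


def fault_delay(sigma, qb):
    """Time sigma keeps flowing after first entering Q_b, i.e. the delta for
    which sigma is delta-faulty; None if Q_b is never visited."""
    for i, (state, _) in enumerate(sigma):
        if state in qb:
            return sum(dt for _, dt in sigma[i:])
    return None


def confusable(sigma1, sigma2, output):
    """True iff both executions yield the same observation, P(sigma1) == P(sigma2)."""
    return project(sigma1, output) == project(sigma2, output)


if __name__ == "__main__":
    print(project(SIGMA, OUTPUT))                  # [3, 'psi1', 5, 'psi2', 2]
    print(fault_delay(SIGMA, {"q3"}))              # 3
    print(confusable(SIGMA, SIGMA_ALT, OUTPUT))    # True
```

With $Q_b = \{q_3\}$ the execution σ is 3-faulty, yet the constructed non-faulty execution through q5 produces exactly the same observation, so this pair is the "not admitted" case of the previous slide: $Q_b$ would not be 3-diagnosable.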
Diagnosability conditions
$L^*$ is the set of all executions; $F^*_\delta$ is the set of all δ-faulty executions ($F^*_0$ is therefore the set of all executions that visit $Q_b$).
Proposition: $Q_b$ is δ-diagnosable for H iff
$\forall \sigma \in F^*_\delta,\ \forall \sigma' \in L^* \setminus F^*_0:\ P(\sigma) \neq P(\sigma')$
Problem: compute the minimum $\delta_m$ such that $Q_b$ is $\delta_m$-diagnosable for H.
Diagnosability verification for HA
• It is extremely hard to automatically verify the diagnosability conditions on a general hybrid model.
• It is probably undecidable.
• This problem has been solved for discrete event systems and timed automata.
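The observability algorithm above and the discrete-event form of the minimum-delay diagnosability problem (delay counted in observable events instead of time, which is the case the slides say has been solved), as an added Python example that is not code from the slides. The discrete layer is read as a finite automaton whose transitions carry an output ψ or the empty output ε, as on the "Regular language of executions" slide. The runway-crossing model, its state names and its output names are constructed for the example and only loosely mirror the taxiing automaton: $Q_b$ = {unauth} is not observable (the observer cannot tell "waiting at stop-bar" from "unauthorized crossing") but is diagnosable after one observable event, while $Q_b$ = {brake} is observable.

```python
"""Observability and k-diagnosability of the untimed discrete layer.

Added example, not code from the slides. is_observable builds the observer
(subset construction, the form shown on the ASEP-ITP observer slide): Q_b is
observable iff no observer state mixes Q_b with Q \\ Q_b, which is the test
P_Qb ∩ P_{Q\\Qb} = ∅. is_k_diagnosable explores pairs of runs with the same
observation (the product of step 2 of the algorithm); with k = 0 it is the
emptiness test of step 3, polynomial in the number of discrete states, whereas
the observer is exponential in the worst case.
"""
from collections import deque

EPS = None  # unobservable transition: contributes nothing to P(sigma)

# Constructed model (not the slide's automaton): (source, output, target)
CROSSING = [
    ("taxi",   "psi_req",   "wait"),    # ask for crossing grant
    ("wait",   "psi_clr",   "auth"),    # grant received: authorized crossing
    ("wait",   EPS,         "unauth"),  # crossing without grant: unobservable
    ("auth",   "psi_cross", "done"),    # crossing completed
    ("unauth", "psi_cross", "done"),    # crossing completed, same output as above
    ("unauth", "psi_stop",  "brake"),   # emergency braking
    ("done",   EPS,         "taxi"),    # taxi to hangar / next leg
]


def succ(trans, state, out):
    """Targets of transitions leaving `state` with output `out` (EPS allowed)."""
    return {dst for src, o, dst in trans if src == state and o == out}


def eps_closure(trans, states):
    """States reachable from `states` through unobservable transitions only."""
    seen, todo = set(states), list(states)
    while todo:
        for dst in succ(trans, todo.pop(), EPS):
            if dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return frozenset(seen)


def observer(trans, q0):
    """Subset construction: observer states are the sets of discrete states
    consistent with the observation so far; edges are labelled by outputs."""
    outputs = {o for _, o, _ in trans if o is not EPS}
    start = eps_closure(trans, {q0})
    states, edges, todo = {start}, {}, deque([start])
    while todo:
        cur = todo.popleft()
        for o in outputs:
            nxt = eps_closure(trans, {d for s in cur for d in succ(trans, s, o)})
            if nxt:
                edges[(cur, o)] = nxt
                if nxt not in states:
                    states.add(nxt)
                    todo.append(nxt)
    return states, edges


def is_observable(trans, q0, qb):
    """(verdict, mixed observer states); a mixed state is an observation in
    P_Qb ∩ P_{Q\\Qb}, i.e. the counterexample of the algorithm."""
    qb = set(qb)
    states, _ = observer(trans, q0)
    mixed = [s for s in states if (s & qb) and (s - qb)]
    return not mixed, mixed


def is_k_diagnosable(trans, q0, qb, k):
    """Pairs (p, f, n, q): run 1 is at p, has visited Q_b iff f, and has emitted
    n observable outputs since entering Q_b; run 2 is at q and never visited
    Q_b; both runs share the observation. Not k-diagnosable iff f and n >= k."""
    qb = set(qb)
    outputs = {o for _, o, _ in trans if o is not EPS}

    def close(s, f):  # eps-closure of one run, carrying the 'visited Q_b' flag
        seen = {(s, f or s in qb)}
        todo = list(seen)
        while todo:
            x, fx = todo.pop()
            for y in succ(trans, x, EPS):
                if (y, fx or y in qb) not in seen:
                    seen.add((y, fx or y in qb))
                    todo.append((y, fx or y in qb))
        return seen

    init = close(q0, False)
    start = {(p, f, 0, q) for p, f in init for q, g in init if not g}
    seen, todo = set(start), deque(start)
    while todo:
        p, f, n, q = todo.popleft()
        if f and n >= k:
            return False  # faulty and non-faulty runs still confusable after k events
        for o in outputs:
            for p2 in succ(trans, p, o):
                for q2 in succ(trans, q, o):
                    for pp, ff in close(p2, f):
                        for qq, gg in close(q2, False):
                            if gg:
                                continue
                            n2 = min(n + 1, k) if f else 0  # o precedes the fault when not f
                            if (pp, ff, n2, qq) not in seen:
                                seen.add((pp, ff, n2, qq))
                                todo.append((pp, ff, n2, qq))
    return True


def min_diagnosis_delay(trans, q0, qb, k_max=10):
    """Smallest k for which Q_b is k-diagnosable, or None if none up to k_max."""
    return next((k for k in range(k_max + 1) if is_k_diagnosable(trans, q0, qb, k)), None)


if __name__ == "__main__":
    print(is_observable(CROSSING, "taxi", {"unauth"}))      # (False, [{'wait', 'unauth'}])
    print(min_diagnosis_delay(CROSSING, "taxi", {"unauth"}))  # 1
    print(is_observable(CROSSING, "taxi", {"brake"}))       # (True, [])
```

The twin-plant search treats $Q_b$ as "has been visited", as in the δ-faulty definition, whereas the observer asks whether the current state lies in $Q_b$; in this model the two coincide because every state of $Q_b$ is left only through an observable transition or never. `min_diagnosis_delay` returns `None` when no bound works, which happens when a faulty run and a non-faulty run can cycle forever with the same observation.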
Abstraction methods
[Figure: two abstraction routes. Untimed: the hybrid system H is abstracted to a discrete event system D, on which safety properties are checked. Timed: the hybrid system H is abstracted to a durational graph G or a timed automaton T, on which timed temporal properties are checked.]
Timed abstraction:
Pro: preserves the time information!
Con: more complex algorithms…
Diagnosability verification by abstraction
[Di Benedetto et al., IEEE TAC]
[Figure: the hybrid system H is mapped to an abstraction G such that H is diagnosable if and only if G is diagnosable.]
• Find conditions to construct an abstraction G of H that preserves the properties of interest, i.e. a property is true for H if and only if it is true for G
• Run the verification procedure on G
Diagnosability verification complexity
Complexity class of diagnosability verification, ordered by increasing expressive power of the model:
• Discrete event systems: P [Lafortune]
• Durational graphs: P [Di Benedetto et al., IEEE TAC]
• Timed automata: PSPACE [Tripakis]
In-Trail Procedures: ATSA and ASEP ITP
• The ATSA-ITP application is currently being standardized by the Requirements Focus Group as part of the Airborne Separation Assistance System (ASAS) Package 1 applications.
• Tested since spring 2008 in the North Atlantic airspace above Iceland (where radar coverage is available) with a small set of aircraft equipped with special ADS-B devices. ATSA-ITP is the near future of ITP oceanic airspace applications.
• The Airborne Separation In-Trail Procedure (ASEP-ITP), studied inside the Advanced Safe Separation Technologies and Algorithms (ASSTAR) project, introduces an innovative transfer of separation management responsibilities from ATC to the flight crew throughout the ITP manoeuvre.
• The rationale behind this is that the flight crew, in contrast to ATC, has the appropriate surveillance equipment (i.e. ADS-B and ASAS equipment) and is therefore instantly able to monitor separation and act if necessary.
ATSA and ASEP ITP
• ATSA-ITP: improves the situation awareness of the agents, but the procedure is the same as the traditional one and does not include any transfer of responsibility from the controller to the pilot.
• ASEP-ITP: for the first time in oceanic applications, the pilot has the responsibility for separation during execution. He can change the Mach number whenever the ASAS system suggests it. The separation minimum is reduced to 5 NM.
• ASEP-ITP is strongly based on ATSA-ITP: a step-by-step evolution of the application inside the ASAS concept, with gradual implementation of the new concept and of its safety assessment.
Separation minimum improvement
[Figure: three panels, each showing the Reference Aircraft at FL360 and the ITP Aircraft at FL340, with FL350 in between. Current procedure: actual separation of more than 10 minutes (~80 NM). ATSA-ITP: separation minimum of 10 NM. ASEP-ITP: separation minimum of 5 NM.]
Assumptions
• Agents:
  • ITP Aircraft modeled by a rectangular automaton
  • Oceanic Controller modeled by a discrete event system
  • ASAS technical system is working
• Aircraft dynamics are described by
  • longitudinal position
  • altitude
  • longitudinal absolute speed, measured in Mach
  • climb rate
• Operational hazards taken from [Requirements Focus Group (RFG). In-trail procedure in non-radar oceanic airspace (ATSA-ITP), operational safety assessment (OSA), v2.3, November 2007.]
From ASEP-ITP specification to automatic verification
[Figure: the timed ASEP-ITP specification is modeled as a hybrid system or rectangular automaton H, which is abstracted to a timed automaton T; a property is true on the ASEP-ITP specification iff it is true on H iff it is true on T.]
Most of the properties of interest for ATM procedure analysis are decidable for timed and rectangular automata [Alur et al., TAC'00].
ASEP-ITP observability analysis
[Figure: discrete layer of the ASEP-ITP model. Discrete states: Q1 Cruise, Q2 ITP Initiation, Q3 ITP, Q4 ITP Standard Execution, Q5 ITP Termination, Q6 ITP Aborted, Q7 ITP Denied, Q8 ITP Rejected, Q9 Abnormal Termination Instruction, Q10 Non-ITP Criteria Compliant, Q11 Wrong Execution, Q12 ASAS Alert, Q13 Wrong Termination. Transitions are labelled with the events σ1–σ9 and the outputs ψ1–ψ7, or ε when unobservable.]
ASEP-ITP observer
[Figure: observer of the ASEP-ITP discrete layer. Its states are the sets of discrete states consistent with the observation: {Q1, Q2, Q6}, {Q7}, {Q12}, {Q3}, {Q9}, {Q8}, {Q4, Q10, Q11}, {Q5, Q13}; its transitions are labelled with the outputs ψ1–ψ7.]
The operational hazards are not observable: even though the ASEP-ITP procedure passes the ED78a check, some operational hazards cannot be detected. The observer cannot distinguish Q4 ITP Standard Execution from Q10 Non-ITP Criteria Compliant and Q11 Wrong Execution, nor Q5 ITP Termination from Q13 Wrong Termination.
Conclusions
• Apply hybrid systems theory to the formal modeling of ATM procedures
• Propose a mathematical framework for the formal analysis of ATM procedures
• Develop tools for the automatic verification of observability and diagnosability
• Analyze the observability of ASEP-ITP
Future work
• Stochastic definitions of observability and diagnosability
• Use abstraction tools for the analysis of stochastic hybrid systems
• Compositional analysis for complexity reduction