On-Line Monitoring for Temporal Logic Robustness · 2016. 2. 1. · 4 CPSLab Why is the problem...
1
LabCPS
School of Computing, Informatics and Decision System Engineering
Arizona State University
fainekos at asu edu
http://www.public.asu.edu/~gfaineko
Adel Dokhanchi, Bardh Hoxha and Georgios Fainekos
On-Line Monitoring for Temporal Logic Robustness
Safe & Secure Systems & Software Symposium 2015
Modern Vehicles
[Figure: control systems of a modern vehicle, labelled Engine/Transmission Control, Hybrid Powertrain Control, Electronic Stability Control and Active Collision Avoidance]
Already demonstrated:
• Lane following
• Fully autonomous driving
• "A software error may prevent the transmission from downshifting, such as shifting from 5th to 4th gear when coasting," said NHTSA in its recalls summary of the problem. "This may result in decreased engine RPMs and possible engine stall, increasing the risk of a crash."
• … the software that “allows the ECU to establish a ‘handshake’ with the engine is in error. The ECU monitors certain driving conditions, and when the engine is found to be out of tolerance, the software picks up an anomaly. When this happens, the ECU triggers a fault code. As the ECU tries to find an optimal driving condition outside its prescribed tolerances, a rough idle or stalling situation ensues.”
• … to update the software that controls the hybrid electric motor. Under certain circumstances, it is possible, according to the company, "...for the electric motor to rotate in the direction opposite to that selected by the transmission."
• If the fault occurs, cruise control can only be disabled by turning off the ignition while driving, which would mean a loss of some control and in many cars also disables power steering. Braking or pressing the cancel button will not work.
• …
No downshifting from 5th to 4th
Rough idling or stalling due to complicated adaptive ECU
Electric motor to rotate in the direction opposite to that selected by the transmission
Cruise control does not disengage unless turning off the ignition
Many more …
Focus: Sampling of automotive recalls (~2011-12) due to software errors …
Why is the problem challenging?
[Figure: engine dynamics, vehicle dynamics & environment, and a gear-shift automaton with discrete states gear1, gear2, gear3 and transitions SwitchTo1, SwitchTo2, SwitchTo3; in each gear the controller applies u = f_i(x, v, p)]
Challenges:
1. High-dimensional nonlinear dynamics
2. Discrete + continuous (hybrid) dynamics
3. Real-time requirements, e.g. ~10 ms
In practice: Testing
[Image: SimuQuest®]
Requirement: “If the A/F ratio output exceeds the allowed bounds, then within one second it should settle inside the bounds and stay there for a second”
However, testing may miss bad behaviors!
Solution: Monitoring
[Image: SimuQuest®]
Requirement: “If the A/F ratio output exceeds the allowed bounds, then within one second it should settle inside the bounds and stay there for a second”
Check requirement while the system operates:
1. Issue a warning if a requirement failed
2. Issue a warning if the requirement might fail in the future
3. Quantify how robustly the requirement is currently satisfied.
Overview
• Motivation
• Specification Language
• On-line monitoring
• Examples & Experiments
• Conclusions & Future Research
Metric Temporal Logic (MTL) with unbounded past and bounded future (MTL+pt<+∞)
Syntax:
I is a bounded interval of ℕ and I' is a (possibly) unbounded interval of ℕ, e.g. I = [5, 8]; I' = [0, +∞) or I' = [2, 9]
Φ ::= T | p | ¬Φ1 | Φ1 ∧ Φ2 | Φ1 U_I Φ2 | Φ1 S_I' Φ2
(U_I: until, S_I': since)
Koymans '90, Specifying real-time properties with metric temporal logic
Requirement: “If the A/F ratio output exceeds the allowed bounds, then within one second it should settle inside the bounds and stay there for a second”
LTL+pt intuition
a – a now
□ a (i.e. □[0,∞) a) – always a; the past-time counterpart ⊡[0,∞) a – always in the past a
◇[1,3] a – eventually a, between 1 and 3 time units from now
a U b – a until b
a S[1,∞) b – a since b
[Figure: timelines centred on “now”, one per operator]
Monitoring A/F Ratio
We can formally write system invariants for monitoring:
“If the A/F ratio exceeds the allowed bounds, then the ratio should have been settled for at least one second within the last two seconds” *
* For those who are familiar with linear temporal logics: think of this as wanting to verify, or prevent, the past-time formula φpt evaluating to false.
Monitoring A/F Ratio
“If the A/F ratio output exceeds the allowed bounds, then within one second it should settle inside the bounds and stay there for a second”
“In the last two seconds, when λ is out of bounds then within the next second, λ will not be out of bounds and stay there for one second”
Temporal Logic Monitoring
[Figure: signal → A/D (Boolean abstraction) → monitoring algorithm for the MTL formula Φ = ⟐ p1 □[0,T] p2 → truth value in {⊥, T}]
[Maler and Nickovic ’04]
[Thati and Rosu ’04]
[Rosu and Havelund ’05]
[Geilen ’01]
others …
[Plot: two signals s1 and s2 over time 0–10 (values in [-15, 15]) with the atomic propositions p1 and p2 marked]
MTL Spec: □(p1 ◇[0,2] p2)
Two signals that satisfy the same spec, but …
Robustness of Temporal Logics
[Figure: an LTL / MTL formula Φ = □(p1 ◇[0,2] p2) and a signal enter a monitor/tester, which returns a robustness parameter ε ∈ ℝ ∪ {±∞}; the bands of width |ε| drawn around the signal show the tube within which the verdict does not change]
Abbas et al, Probabilistic Temporal Logic Falsification of Cyber-Physical Systems, ACM TECS 2013
Fainekos and Pappas, Robustness of temporal logic specifications for continuous-time signals, TCS 2009
Discrete-time Robust Semantics for MTL
(Signed) Distance
[Figure: a point x in a space X and a set S ⊆ X; dist_d(x,S) is the distance from a point outside S to the set, depth_d(x,S) the distance from a point inside S to its boundary, and B_d(x,ε) a ball of radius ε around x]
Let $x \in X$ be a point, $S \subseteq X$ a set and $d$ a generalized quasi-metric. Then we define
$$\mathrm{dist}_d(x,S) = \inf\{\, d(x,y) \mid y \in S \,\}$$
$$\mathrm{depth}_d(x,S) = \inf\{\, d(x,y) \mid y \in X \setminus S \,\}$$
$$\mathbf{Dist}_d(x,S) = \begin{cases} -\mathrm{dist}_d(x,S) & \text{if } x \notin S \\ \phantom{-}\mathrm{depth}_d(x,S) & \text{if } x \in S \end{cases}$$
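The discrete-time robust semantics that the slide “Discrete-time Robust Semantics for MTL” refers to, written out here as an added reference (restated from the cited Fainekos and Pappas work for the MTL+pt fragment above; this text is not from the original slides). Let $s = s_0 s_1 \dots s_m$ be the sampled trace, $\mathcal{O}(p)$ the set of signal values where the predicate $p$ holds, and $[\![\varphi]\!](s,i)$ the robustness of $\varphi$ at sample $i$:

$$[\![p]\!](s,i) = \mathbf{Dist}_d\big(s_i, \mathcal{O}(p)\big)$$
$$[\![\neg\varphi]\!](s,i) = -[\![\varphi]\!](s,i)$$
$$[\![\varphi_1 \wedge \varphi_2]\!](s,i) = \min\big([\![\varphi_1]\!](s,i),\ [\![\varphi_2]\!](s,i)\big)$$
$$[\![\varphi_1\, U_I\, \varphi_2]\!](s,i) = \max_{j \in (i+I)\cap[0,m]} \min\Big([\![\varphi_2]\!](s,j),\ \min_{i \le k < j} [\![\varphi_1]\!](s,k)\Big)$$
$$[\![\varphi_1\, S_{I'}\, \varphi_2]\!](s,i) = \max_{j \in (i-I')\cap[0,m]} \min\Big([\![\varphi_2]\!](s,j),\ \min_{j < k \le i} [\![\varphi_1]\!](s,k)\Big)$$

The derived operators are ◇_I φ = T U_I φ, □_I φ = ¬◇_I ¬φ and, for the past, ⟐_I' φ = T S_I' φ, ⊡_I' φ = ¬⟐_I' ¬φ, so ◇ and ⟐ take the max and □ and ⊡ the min of the sub-formula's robustness over their window; an empty window gives max ∅ = −∞ and min ∅ = +∞. A positive value means the requirement holds and states how far (in $d$) the samples can be perturbed without changing the verdict; a negative value is a violation. The until clause looks at most max I samples ahead of i, which is what makes the finite horizon hrz(φ) of the following slides finite.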
On-Line Monitoring problem
Input:
  MTL+pt<+∞ specification φ
  sampling instance i
  execution trace s' = s0 s1 … sm (m = i + Hrz)
Output:
  Robustness estimate of φ at i
Finite Horizon
Number of steps (in the future) that the current robustness value depends on.
Example: φ = ◇[0,2]□[0,3] p, hrz(φ) = 5
[Figure: robustness of φ at time i computed bottom-up from the predicate values D(i), D(i+1), …, D(i+5): each □[0,3] p value is the Min over a four-sample window, and ◇[0,2]□[0,3] p at i is the Max over the three windows starting at i, i+1 and i+2]
Finite History
Number of steps (in the past) that the robustness value at the present time depends on.
Example: φ = ⊡[0,3]⟐[0,2] p, hst(φ) = 5
[Figure: robustness of φ at time i computed from D(i-5), …, D(i): each ⟐[0,2] p value is the Max over a three-sample window, and ⊡[0,3]⟐[0,2] p at i is the Min over the four windows ending at i-3, i-2, i-1 and i]
Robustness Table
Matrix of size |φ| × (Hrz + 1 + Hst)
|φ| is the size of formula φ
Hrz = hrz(φ)
Hst = Hrz + hst(φ)
Example:
φ = ⊡[0,+∞) p ∧ □[1,2] q
|φ| = 5, Hrz = 2, Hst = 2; the robustness table is 5×5
Time index of the columns: i-3 (stored in Pre) | i-2 | i-1 | i (current time) | i+1 | i+2
Robustness Table Pre-Computation
Rows are the sub-formulas of φ; columns are Pre, -2, -1, 0, 1, 2 (time index relative to i):
φ1 = ⊡[0,+∞) p ∧ □[1,2] q
φ2 = □[1,2] q
φ3 = ⊡[0,+∞) p
φ4 = p : D(-1,p), D(0,p), D(1,p), D(2,p)
φ5 = q : D(-1,q), D(0,q), D(1,q), D(2,q)
where D(k,q) ≡ Dist_d(s_{i+k}, 𝒪(q))
Robustness Computation (Predicates)
Same rows and columns (Pre, -2, -1, 0, 1, 2):
φ1 = ⊡[0,+∞) p ∧ □[1,2] q
φ2 = □[1,2] q
φ3 = ⊡[0,+∞) p
φ4 = p : D(-2,p), D(-1,p), D(0,p), D(1,p), D(2,p)
φ5 = q : D(-2,q), D(-1,q), D(0,q), D(1,q), D(2,q)
The predicate rows are filled first; D(2,p) and D(2,q) are the entries for the newest sample. D(k,q) ≡ Dist_d(s_{i+k}, 𝒪(q))
Robustness Computation (Past MTL)
Same table; this step fills the row φ3 = ⊡[0,+∞) p from the p row, with the Pre entry summarizing the unbounded past.
Robustness Computation (Future MTL)
Same table; this step fills the row φ2 = □[1,2] q from the q row entries at time indices 1 and 2.
Robustness Computation (Conjunction)
Same table; the final step fills the row φ1 = ⊡[0,+∞) p ∧ □[1,2] q from the rows φ2 and φ3, which yields the robustness of φ at the current time i.
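An added example, not code from the slides or from the authors' Simulink blockset, that implements the pieces above in Python: the signed distance Dist_d for interval predicates, hrz and hst, the discrete-time robust semantics of MTL+pt over a sampled trace, and a monitor that emits the robustness at i as soon as samples up to i+hrz(φ) have arrived. The tuple encoding of formulas, the function names and the two λ traces are constructed for this example; the monitor keeps the whole trace prefix instead of the |φ|×(Hrz+1+Hst) table with its Pre column, so it is not the authors' incremental algorithm. The demo evaluates the alternative A/F specification at a coarse Δt = 0.5 s (the slides use 0.01 s) on one trace that recovers and one that stays out of bounds:

```python
"""Discrete-time MTL+pt robustness and a sliding-window on-line monitor.

Formulas are nested tuples (a hypothetical encoding chosen for this example):
  ("pred", name)                          atomic predicate, name -> interval [lo, hi]
  ("not", f) | ("and", f, g) | ("or", f, g)
  ("always", lo, hi, f)   box_[lo,hi] f       ("eventually", lo, hi, f)  diamond_[lo,hi] f
  ("hist", lo, hi, f)     past box            ("once", lo, hi, f)        past diamond
  ("until", lo, hi, f, g) f U_[lo,hi] g       ("since", lo, hi, f, g)    f S_[lo,hi] g
Interval bounds are sample counts; hi may be math.inf for past operators only.
"""
import math

INF = math.inf
FUTURE = {"always", "eventually", "until"}
PAST = {"hist", "once", "since"}


def signed_dist(x, lo, hi):
    """Dist_d(x, [lo, hi]) on the real line: depth (>= 0) inside, -dist (< 0) outside."""
    if lo <= x <= hi:
        return min(x - lo, hi - x)             # depth_d: distance to the boundary
    return -(lo - x) if x < lo else -(x - hi)  # -dist_d: distance to the set


def hrz(f):
    """Finite horizon: number of future samples the robustness at i depends on."""
    if f[0] == "pred":
        return 0
    if f[0] in ("not", "and", "or"):
        return max(hrz(g) for g in f[1:])
    inner = max(hrz(g) for g in f[3:])
    return f[2] + inner if f[0] in FUTURE else inner


def hst(f):
    """Finite history: number of past samples the robustness at i depends on."""
    if f[0] == "pred":
        return 0
    if f[0] in ("not", "and", "or"):
        return max(hst(g) for g in f[1:])
    inner = max(hst(g) for g in f[3:])
    return f[2] + inner if f[0] in PAST else inner


def rob(f, trace, i, preds):
    """Robustness [[f]](trace, i); windows are clipped to the available samples."""
    op = f[0]
    if op == "pred":
        lo, hi = preds[f[1]]
        return signed_dist(trace[i], lo, hi)
    if op == "not":
        return -rob(f[1], trace, i, preds)
    if op == "and":
        return min(rob(f[1], trace, i, preds), rob(f[2], trace, i, preds))
    if op == "or":
        return max(rob(f[1], trace, i, preds), rob(f[2], trace, i, preds))
    lo, hi = f[1], f[2]
    if op in FUTURE:   # j in i + I, clipped at the last available sample
        js = range(i + lo, int(min(i + hi, len(trace) - 1)) + 1)
    else:              # j in i - I, clipped at sample 0
        js = range(int(max(i - hi, 0)), i - lo + 1)
    sub = f[3]
    if op in ("always", "hist"):
        return min((rob(sub, trace, j, preds) for j in js), default=INF)
    if op in ("eventually", "once"):
        return max((rob(sub, trace, j, preds) for j in js), default=-INF)
    # until / since: max over j of min(g at j, f on every sample strictly between i and j)
    best = -INF
    for j in js:
        between = range(i, j) if op == "until" else range(j + 1, i + 1)
        held = min((rob(sub, trace, k, preds) for k in between), default=INF)
        best = max(best, min(rob(f[4], trace, j, preds), held))
    return best


def online_monitor(f, samples, preds):
    """Feed samples one at a time and emit (i, robustness at i) as soon as samples
    0..i+hrz(f) have arrived, i.e. the verdict for time i is delayed by Hrz samples.
    The whole prefix is kept instead of the |phi| x (Hrz+1+Hst) robustness table."""
    h, trace, out = hrz(f), [], []
    for s in samples:
        trace.append(s)
        i = len(trace) - 1 - h
        if i >= 0:
            out.append((i, rob(f, trace, i, preds)))
    return out


# --- A/F ratio demo on constructed data (Δt = 0.5 s, so 1 s = 2 samples) ---
AF_PREDS = {"in": (0.9, 1.1)}   # λ within ±10 % of the ideal value 1
IN = ("pred", "in")
# "In the last two seconds, when λ is out of bounds then within the next second,
#  λ will not be out of bounds and stay there for one second"
AF_SPEC = ("hist", 0, 4, ("or", IN, ("eventually", 0, 2, ("always", 0, 2, IN))))
LAMBDA_RECOVERS = [1.0, 1.0, 1.25, 1.2, 1.05, 1.0, 1.0, 1.0, 1.0, 0.95]  # constructed
LAMBDA_STUCK = [1.0, 1.0, 1.25, 1.2, 1.15, 1.0, 1.0, 1.0, 1.0, 1.0]     # constructed


def af_demo():
    """Monitor both constructed λ traces; a negative value flags a violation."""
    return (online_monitor(AF_SPEC, LAMBDA_RECOVERS, AF_PREDS),
            online_monitor(AF_SPEC, LAMBDA_STUCK, AF_PREDS))


if __name__ == "__main__":
    for name, verdicts in zip(("recovers", "stuck"), af_demo()):
        print(name, [(i, round(r, 3)) for i, r in verdicts])
```

The verdict for sample i only becomes available Hrz = 4 samples (2 s at this Δt) later, which is exactly the delay a predictor would remove. On the recovering trace the robustness drops to 0.05 at i = 2 without going negative, the slide's “might fail in the future” warning: the ratio comes back only to 1.05, 0.05 inside the bound. On the stuck trace it turns negative (−0.05) at i = 2, the “requirement failed” warning, because λ = 1.15 is still out of bounds one second after the excursion began.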
Runtime Overhead Test
Automatic Transmission model
30 MTL+pt<+∞ formulas
100 tests for each formula
Runtime Overhead
Generate formulas using nested Eventually/Until operators
n = number of MTL operators, H = Finite Horizon
E:
U:
WCET ≃ O(n²), with n = Horizon + History; times in msec
Case Study
SimuQuest Enginuity Simulink Model
λ = Normalized Air to Fuel Ratio
Ideal λ = 1 with ±10% fluctuation
http://www.simuquest.com/products/enginuity
Monitoring A/F Ratio
“If the A/F ratio exceeds the allowed bounds, then the ratio should have been settled for at least one second within the last two seconds”
“If the A/F ratio output exceeds the allowed bounds, then within one second it should settle inside the bounds and stay there for a second”
Without a predictor, the future-time formula reduces to the propositional formula.
Alternative Specification
“In the last two seconds, when λ is out of bounds then within the next second, λ will not be out of bounds and stay there for one second”
Benefits from information about the past as well as the future (via a predictor)
Alternative Specification
Δt = 0.01 s
runtime overhead < 1%
Robustness Monitoring of A/F ratio
Conclusions
• We developed a temporal logic robustness monitor for unbounded past and bounded future time operators
• Many requirements are better expressed using past & future operators
• We incorporated the possibility for a predictive horizon
• We implemented the method as a Simulink™ blockset
• Can be readily used in various applications with small overhead
Vision: a complete theory for MBD for CPS
[Figure: V-process with the stages Informal Requirements, Formal Specifications, Model Design, Autocode Generation (with multi-core in mind), Processor In the Loop (PIL), Hardware In the Loop (HIL), System Calibration and System Deployment]
Transparent from the user perspective:
1. Automated synthesis
2. Testing and verification support with guarantees
Awards: 1017074, 1116136, 1319560, 1350420
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
S-Taliro support in the V-process
[Figure: the same V-process (Informal Requirements, Formal Specifications, Model Design, Autocode Generation with multi-core in mind, PIL, HIL, System Calibration, System Deployment) annotated with the points 1–5 where S-Taliro provides support:]
1. Testing formal specifications and specification mining [TECS 2013, ICTSS 2012, …]
2. Conformance testing: models, HIL/PIL or tuned/calibrated model [MEMOCODE 2014]
3. Testing formal specifications on the HIL/PIL calibrated system [TECS 2013, …]
4. Runtime monitoring of formal requirements [RV 2014]
5. Specification visualization [DIFTS 2014]
Future Possible Directions
• Run experiments with predictive horizon
• Expand multi-valued logic lattice to distinguish between likely, unlikely and certain robustness values
• We will close the loop by using the robustness monitor as feedback
• There are still improvements to be made (e.g. allowing arbitrary timestamps)
“After a takeoff command is received, then reach altitude of 600ft within 5 minutes”
from Reinbacher, T., Rozier, K.Y., Schumann, J. TACAS 14
Acknowledgements
Awards: 1116136, 1319560
Koichi Ueda at SimuQuest®
Thank you!