Proofs from Simulations and Modular Annotationsβ¬Β¦Β Β· discrepancy of the system if for any two...
Transcript of Proofs from Simulations and Modular Annotationsβ¬Β¦Β Β· discrepancy of the system if for any two...
Proofs from Simulations and Modular Annotations
Zhenqi Huang and Sayan Mitra
Department of Electrical and Computer Engineering
University of Illinois at Urbana-Champaign
Background
β’ Invariant verification for dynamical systems. β’ Through computing the set of state the system can reach (reach set)
β’ Exact Reach set computation is in general undecidable β Over-approximation
β’ Static analysis and symbolic approaches β’ E.g. SpaceEx, PHAVer, CheckMate, d/dt
β’ Dynamic+Static analysis using numerical simulations β’ E.g. S-TaLiRo, Breach, C2E2
2 HSCC 2014, Berlin
Simulation-based Reachability
β’ π₯ = π π₯ , Ξ β π π
β’ Denote π(π, π‘) as a trajectory from π β Ξ
β’ Simulation-based Verification β’ Finite cover of Ξ ( ).
β’ Simulate from the center of each cover.
β’ Bloat the simulation with some factor, such that the bloated tube contains all trajectories starting from the cover.
β’ Union of all such tubes gives an over-approximation of reach set
β’ In [1], we expect the bloating factor to be given by the user as an annotation to the model
3 HSCC 2014, Berlin [1] Duggirala, Mitra, Viswannathan. EMSOFT2013
Annotation: Discrepancy Function
Definition. Functions V: π Γ π β ββ₯0 and π½: ββ₯0 Γ π β ββ₯0 define a
discrepancy of the system if for any two states π1 and π2 β Ξ, For any π‘,
V π π, π‘ , π πβ², π‘ β€ π½ |π β πβ²|, π‘
where, π½ β 0 as π β πβ²
β’ Stability not required
β’ Discrepancy can be found automatically for
linear systems
β’ For nonlinear systems, several template-based
heuristics were proposed
π(π(π, π‘), π(πβ², π‘))
πβ²
π(πβ², π‘) π
π(π, π‘)
4
HSCC 2014, Berlin
Key challenge: Finding Discrepancy
Functions for Large Models
HSCC 2014, Berlin 5
Models of Cardiac Cell Networks β’ Find quadratic contraction metric [2]:
β’ π½(π£,π€) = 0.5 β 3π£2 β11 β1
β’ Search for π½ β β and the coefficients of
π π£,π€ = πππ π£
ππ€π πππ π£ππ€π
πππ π£ππ€π πππ π£
ππ€π,
s.t. 0 β€ π + π β€ 2, π β» 0, and π½ππ + π π½ + π βΊ βπ½π
Cardiac Cell
π£ = 0.5 π£ β π£3 β π€ + π’π€ = π£ β π€ + 0.7
β’ FitzHughβNagumo (FHN) model [1] β’ Invariant property
β’ Threshold of voltage β’ Periodicity of behavior
6 HSCC 2014, Berlin
π π½
Pacemaker
[1] FitzHugh. Biophysical J. 1961 [2] Aylward,Parrilo, Slotine. Automatica. 2008
ππ (π π, π‘ , π πβ², π‘ ) β€ πβπ½π‘ππ (π, πβ²)
π’
Scalability of Finding Annotation
Pace Maker
Pace Maker Cardiac
Cell
Cardiac Cell
Cardiac Cell
Cardiac Cell
Cardiac Cell
7 HSCC 2014, Berlin
?
πΏ = πΏ1 Γ |πΏ2|
[1] Grosu, et al. CAV2011 [1]
Input-to-State (IS) Discrepancy
8
Definition. Functions π: π1 Γ π1 β ββ₯0, π½: ββ₯0 Γ ββ₯0 β ββ₯0and πΎ:ββ₯0 β ββ₯0 define a IS discrepancy of the system:
π1 π1 π1, π’1, π‘ , π π1β², π’1β², π‘ β€ π½1 |π1 β π1β²|, π‘ + πΎ1 |π’1 π β π’1β² π | ππ
π
0
and πΎ1 β β 0 as π’1 β π’1β² (π1, π2) and (π1
β² , π2β²) are a pair of trajectories of the overall ring:
π1 π1 π‘ , π1β² π‘ β€ π½1 π1 β π1
β² , π‘ + 0π‘πΎ1(|π2(π ) β π2
β² (π )|)ππ
π2 π2 π‘ , π2β² π‘ β€ π½2 π2 β π2β² , π‘ + 0
π‘πΎ2(|π1(π ) β π1
β²(π )|)ππ
π΄1 π₯ 1 = π1(π₯1, π’1)
π΄2 π₯ 2 = π2(π₯2, π’2)
π’2 = π1 π’1 = π2
π’1 π1 π΄1 π₯ 1 = π1(π₯1, π’1)
HSCC 2014, Berlin
More on IS Discrepancy
β’ IS Discrepancy:
π π π, π’, π‘ , π πβ², π’β², π‘ β€ π½ π β πβ² , π‘ + πΎ( π’ π β π’β² π )ππ π‘
0
β’ Incremental integral input-to-state stability [1], except no stability property is required.
β’ Most methods of finding discrepancy of π₯ = π(π₯) can be modified to find IS discrepancy systems with linear input π₯ = π π₯ + π΅π’.
9 HSCC 2014, Berlin [1] Angeli D. TAC. 2009
IS Discrepancy βΉ Reachability
β’ We will build a reduced model π(πΏ) with a unique trajectory π(π‘) using the IS Discrepancy.
β’ Theorem: π πππβ(π΅πΏπ π , π) β π΅π π‘
π (π(π, π‘))π‘β[0,π]
β’ Theorem: for small enough πΏ and precise enough simulation, the over-approximation can be computed arbitrarily precise.
π
π(π, π‘) π(π‘)
πΏ
10 HSCC 2014, Berlin
Construction of the Reduced Model
β’ Reduced model π πΏ
β’ π₯ = ππ(π₯) with π₯ = β¨π1, π2, πππβ©
β’
π1π2
πππ
=
π½1 πΏ,πππ +πΎ1 (π2)
π½2 πΏ,πππ +πΎ2 (π1)
1
β’ ππ 0 = π½π πΏ, 0 , πππ 0 = 0
β’ π(πΏ) has a unique trajectory π(π‘).
π1, π’2
π2, π’1
11 HSCC 2014, Berlin
Reduced Model βΉ Bloating Factor
β’ Lemma: |π1 β π1β² | β€ πΏ, and |π2 β π2
β² | β€ πΏ βΉ π1 π1 π‘ , π1
β² π‘ β€ π1(π‘), and π2 π2 π‘ , π2β² π‘ β€ π2(π‘).
12
The IS Discrepancy functions:
π1 π1 π‘ , π1β² π‘ β€ π½1 π1 β π1
β² , π‘ + 0π‘πΎ1(|π2(π ) β π2
β² (π )|)ππ
π2 π2 π‘ , π2β² π‘ β€ π½2 π2 β π2β² , π‘ + 0
π‘πΎ2(|π1(π ) β π1
β²(π )|)ππ
The ODE of the reduced model π(πΏ) :
π1
π2
πππ
=π½1 πΏ, πππ + πΎ1 (π2)
π½2 πΏ, πππ + πΎ2 (π1)1
π
π(π, π‘) π(π‘)
πΏ
β’ Thus, bloating π(π, π‘) by π(π‘) gives an over-approximation of reach set from a ball.
HSCC 2014, Berlin
Simulation & Modular Annotation βΉ Proof
13
Simulation Engine
Reach set over-
approximation
Reduced Model
Pace Maker
Trajectory
Bloating factor
IS Discrepancy
HSCC 2014, Berlin
Sat Inv?
Proof
Counter Example
Refinement
Soundness and Relative Complete
β’ Robustness Assumption: β’ Invariant is closed.
β’ If an initial set Ξ satisfies the invariant, βπ > 0, such that all trajectories are at least π distance from the boundary of the invariant.
β’ Theorem: the Algorithm is sound and relatively complete
β’ We verify systems with upto 30 dimensions in minutes.
14 HSCC 2014, Berlin
System # Variables # Module # Init. cover Run Time
Lin. Sync 24 6 128 135.1
Nonli. WT 30 6 128 140.0
Nonli. Robot 6 2 216 166.8
Conclusion
β’ A scalable technique to verify nonlinear dynamical systems using modular annotations
β’ Modular annotations are used to construct a reduced model of the overall system whose trajectory gives the discrepancy of trajectories
β’ Sound and relatively complete β’ Ongoing: extension to hybrid, cardiac cell network with 5 cells each has 4
continuous var. and 29 locations β’ Thank you for your attention!
15 HSCC 2014, Berlin