Automatic Verification of Control System Implementations

Adolfo Anta (1,2), Rupak Majumdar (3,4), Indranil Saha (3) and Paulo Tabuada (3)

1 Max Planck Institute for Dynamics of Complex Technical Systems
2 TU Berlin
3 University of California Los Angeles
4 Max Planck Institute for Software Systems

EMSOFT 2010, October 25, 2010

EMSOFT 2010

Anta, Majumdar, Saha, Tabuada

Automatic Verification of Control System Implementations 1/24


Applications of Control Systems

The systems are mostly life-critical or mission-critical.


Control Software Development Flow

Mathematical Model of Physical System
  -> Control Design
  -> Closed-loop System Model in Simulink/Stateflow
  -> Code Generation
  -> Floating-point C Code
  -> Floating-point to Fixed-point Code Converter
  -> Fixed-point C Code
  -> Integration
  -> Control System

Control Software Development Flow

[Figure: the same flow (Code Generation -> Floating-point C Code -> Fixed-point C Code -> Integration -> Control System), annotated with two analysis activities: "Simulation for Performance" and "Formal Stability Analysis Tool".]

Model of a Control System

[Figure: closed-loop block diagram with blocks labelled Plant, Sensor, Controller and Actuator, and the Desired Behavior as the reference.]

Stability of a Control System

[Figure: the same closed-loop block diagram as on the previous slide.]

Stability: the physical plant converges to a desired behavior under the actions of the controller.


Different Sources of Implementation Error

Fact: when we implement the controller in software, we introduce error in the output of the controller due to
- large sampling time,
- sensor and actuator error (noise, saturations, quantization, ...),
- limited-precision arithmetic.

Question: what is the effect of the implementation error on the stability of a control system?


Effect of Implementation Error on Stability: Linear Control Systems

If $\gamma_C$ is the $\mathcal{L}_2$ gain of a linear control system and $b_e$ is the bound on the implementation error $e$, then the implementation guarantees that the output trajectories of the controlled system asymptotically converge to the set of outputs $y \in \mathbb{R}^n$ satisfying
$$\|y\| \le \gamma_C \, b_e .$$

For linear control systems
$$\dot{\xi} = A\xi + B\upsilon, \qquad y = C\xi,$$
where $\upsilon$ is the input to the plant, $\gamma_C$ can be calculated using classical control theory as the peak gain over the unit circle (the hats denote the discrete-time matrices of the sampled closed loop, which is why $\psi$ ranges over $[0, 2\pi[$):
$$\gamma_C = \max_{\psi \in [0, 2\pi[} \left\| \hat{C}\,\bigl(e^{i\psi}\,\mathbf{1}_{n\times n} - \hat{A}\bigr)^{-1}\hat{B} \right\| .$$
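As an added worked example (not from the paper), the following Python computes $\gamma_C$ for a constructed closed loop by sampling the formula above on a grid over the unit circle. The plant (a double integrator sampled at T = 0.1 s), the feedback gain K and the output map are all assumptions made for the illustration, and the implementation error e is taken to enter the loop alongside the control input. Only two-state systems are handled so that no numerical library is needed.

```python
"""
gamma_C of a discrete-time linear closed loop, by sampling the formula from
the slide on the unit circle (added example; not from the paper).

The plant is a constructed double integrator sampled with T = 0.1 s under
state feedback u = K x, with the implementation error e entering alongside
u; (A_HAT, B_HAT, C_HAT) are the closed-loop matrices from e to y = x1.
Only two-state systems are handled so that no numerical library is needed.
"""
import cmath

T = 0.1
A = [[1.0, T], [0.0, 1.0]]        # double integrator, exact ZOH discretisation
B = [0.5 * T * T, T]
K = [-1.0, -0.5]                  # constructed, lightly damped stabilising gain
C = [1.0, 0.0]                    # output y = position

# x+ = (A + B K) x + B e,  y = C x
A_HAT = [[A[i][j] + B[i] * K[j] for j in range(2)] for i in range(2)]
B_HAT = B
C_HAT = C


def transfer_gain(psi):
    """|C_hat (e^{i psi} I - A_hat)^{-1} B_hat| for the two-state closed loop."""
    z = cmath.exp(1j * psi)
    m00, m01 = z - A_HAT[0][0], -A_HAT[0][1]
    m10, m11 = -A_HAT[1][0], z - A_HAT[1][1]
    det = m00 * m11 - m01 * m10              # nonzero on the unit circle: A_hat has no eigenvalue there
    v0 = (m11 * B_HAT[0] - m01 * B_HAT[1]) / det   # 2x2 inverse via the adjugate
    v1 = (m00 * B_HAT[1] - m10 * B_HAT[0]) / det
    return abs(C_HAT[0] * v0 + C_HAT[1] * v1)


def is_schur_stable():
    """Both eigenvalues of A_hat inside the unit circle (stable closed loop)."""
    tr = A_HAT[0][0] + A_HAT[1][1]
    det = A_HAT[0][0] * A_HAT[1][1] - A_HAT[0][1] * A_HAT[1][0]
    disc = cmath.sqrt(tr * tr - 4 * det)
    return all(abs((tr + sgn * disc) / 2) < 1 for sgn in (1, -1))


def gamma_c(samples=20000):
    """max over psi in [0, 2 pi) of the transfer gain, on a uniform grid."""
    return max(transfer_gain(2 * cmath.pi * k / samples) for k in range(samples))


def steady_state_output_bound(b_e, samples=20000):
    """Radius gamma_C * b_e of the set ||y|| <= gamma_C b_e that y converges to."""
    return gamma_c(samples) * b_e


if __name__ == "__main__":
    print("stable:", is_schur_stable())
    print("gamma_C =", round(gamma_c(), 4))
    print("|y| bound for b_e = 0.0163:", round(steady_state_output_bound(0.0163), 5))
```

transfer_gain(0) is the DC gain, which is 1 for this loop, and the peak sits near the lightly damped resonance at a little above 2; steady_state_output_bound multiplies it with a $b_e$ such as the 0.0163 reported for the vehicle-steering example on the results slide to give the radius of the set the output converges to. A grid can only underestimate the true maximum, so in practice the maximising $\psi$ is refined locally or a bisection-based H-infinity norm routine is used instead.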


Effect of Implementation Error on Stability: Nonlinear Control Systems

For a nonlinear system
$$\frac{d}{dt}\xi = f(\xi, \upsilon)$$
with a feedback controller of the form $\upsilon = k(\xi)$, the effect of the implementation error $e$ is computed using an ISS Lyapunov function $V$ and the following constraint from robust control theory:
$$\frac{\partial V}{\partial x}\, f\bigl(x, k(x) + e\bigr) \le -\lambda V(x) + \sigma \|e\|^2 .$$
The trajectories of the controlled system are guaranteed to converge to the set of states $x$ defined by $V(x) \le (\sigma/\lambda) \times b_e$. The values of $\sigma$ and $\lambda$ can be found using the Sum of Squares (SoS) optimization technique.


Finding the Bound on Implementation Error

Fact: typical embedded controller implementations use periods in the millisecond to microsecond range, so the quantization error dominates the sampling error. Bounds on the errors arising from sensors and actuators are available from the sensor and actuator specifications.

Question: how to calculate a bound on the implementation error due to quantization?


Effect of Quantization Error on Stability

Example: Vehicle Steering. The control objective is to make the vehicle stable parallel to the x-axis at a certain distance d (in meters).

[Figure: Simulink model in which the Reference Input drives both a Fixed-point Implementation of Controller and a Double Precision Implementation of Controller, each connected to a Plant; a Subtract block computes the Error between the two outputs (Out).]

Example of Controller Program

Control Law: u = 0.81 × (x1 − x2) − 1.017 × ref

Real-valued program (the type `real` stands for an idealized real number, not a C type):

    // Input variables
    real In1;
    real In2;
    real In3;

    // Intermediate variables
    real Subtract;
    real Gain;
    real Gain2;

    // Output variables
    real Out1;

    static void output(void) {
        Subtract = In1 - In2;
        Gain = 0.81 * Subtract;
        Gain2 = 1.017 * In3;
        Out1 = Gain - Gain2;
    }

Fixed-point implementation (16-bit; fixdt(1,16,f) denotes a signed 16-bit word with f fractional bits):

    // Input variables
    short int In1;       // range: [0, 100],  fixdt(1,16,8)
    short int In2;       // range: [50, 110], fixdt(1,16,8)
    short int In3;       // range: [-10, 50], fixdt(1,16,9)

    // Intermediate variables
    short int Subtract;  // fixdt(1,16,8)
    short int Gain;      // fixdt(1,16,8)
    short int Gain2;     // fixdt(1,16,9)

    // Output variables
    short int Out1;      // fixdt(1,16,8)

    static void output(void) {
        Subtract = (short int)(In1 - In2);
        Gain = (short int)(26542 * Subtract >> 15);     // 0.81 * 2^15 = 26542; Q8 * Q15 >> 15 = Q8
        Gain2 = (short int)(16663 * In3 >> 14);         // 1.017 * 2^14 = 16663; Q9 * Q14 >> 14 = Q9
        Out1 = (short int)(((Gain << 1) - Gain2) >> 1); // align Gain to Q9, subtract, back to Q8
    }


Calculating the bound on Quantization Error

Inputs:
- A real-valued polynomial function $u = k(y)$.
- A program $K$ implementing $k$ using finite-precision arithmetic.
- A range $[y_{\min}, y_{\max}]$ for $y$.

Question: how far can the value $k(y)$ be from the output $K(\hat y)$ when $y$ is chosen from the range $[y_{\min}, y_{\max}]$ and $\hat y$ is the closest representation of $y$ in the finite-precision implementation of real numbers?


Algorithm

Construct the strongest post-condition $SP(K)(\hat y, \hat u)$ for the function $K$.

Set up a set of constraints that is the conjunction of:
- $y \in [y_{\min}, y_{\max}]$,
- $|y - \hat y| \le \delta$,
- $u = k(y)$,
- $SP(K)(\hat y, \hat u)$.

Ask: what is the maximum difference between $u$ and $\hat u$ under the above constraints? The problem can be solved by a bisection optimization method using off-the-shelf decision procedures.
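As an added worked example (not Costan and not code from the paper), the following Python mirrors the 16-bit program from the previous slide bit for bit and computes the bound the algorithm asks for on the vehicle-steering controller, with exhaustive enumeration standing in for the decision procedure. Assumptions: right shifts of negative values are arithmetic (what gcc and clang emit for signed int, although C leaves it implementation-defined), the program receives the nearest representable value of each input (so |y − ŷ| is at most half an LSB), and SAFE_BOX is a sub-box of the slide's input ranges chosen here so that no (short int) cast wraps. Enumeration suffices because the final ((Gain << 1) - Gain2) >> 1 equals Gain − ceil(Gain2/2), so the output error splits into one term in Subtract and one in In3, and the worst case over the product box follows from the two one-dimensional enumerations.

```python
"""
Worst-case quantization error of the slide's 16-bit vehicle-steering
controller (added example; not Costan and not code from the paper).

The fixed-point output() is mirrored bit for bit, the real-valued law
u = 0.81*(x1 - x2) - 1.017*ref is evaluated in exact rationals, and
max |k(y_hat) - K(y_hat)| over the quantized input box is found exactly by
enumeration, which stands in for the SMT decision procedure of the talk.
Assumptions: signed right shift is arithmetic (gcc/clang behaviour for
signed int), the program sees the nearest representable value of each
input, and SAFE_BOX is a sub-box of the slide's ranges on which no
(short int) cast wraps.
"""
import random
from fractions import Fraction

INT16_MIN, INT16_MAX = -32768, 32767
DEN = 512000  # common denominator of the scaled error terms (256 * 2000)

# Boxes in real units: (In1_min, In1_max, In2_min, In2_max, In3_min, In3_max).
SLIDE_BOX = (0, 100, 50, 110, -10, 50)   # the range comments on the slide
SAFE_BOX = (0, 100, 50, 90, -10, 50)     # assumed sub-box on which nothing wraps


class Overflow(Exception):
    """Raised where the C program's (short int) cast would silently wrap."""


def to_short(v):
    if v < INT16_MIN or v > INT16_MAX:
        raise Overflow(v)
    return v


def fixed_controller(in1, in2, in3):
    """Bit-exact mirror of output(): In1, In2, Out1 are Q8; In3 is Q9."""
    subtract = to_short(in1 - in2)               # fixdt(1,16,8)
    gain = to_short((26542 * subtract) >> 15)    # 0.81 ~ 26542/2^15; Q8*Q15 >> 15 = Q8
    gain2 = to_short((16663 * in3) >> 14)        # 1.017 ~ 16663/2^14; Q9*Q14 >> 14 = Q9
    return to_short(((gain << 1) - gain2) >> 1)  # Q9 - Q9, then back to Q8


def real_controller(x1, x2, ref):
    """The control law k(y) in exact arithmetic."""
    return Fraction(81, 100) * (x1 - x2) - Fraction(1017, 1000) * ref


def _error_profiles(box):
    """E1(Subtract) and E2(In3), both scaled by DEN, plus an overflow check.

    ((gain << 1) - gain2) >> 1 == gain - ceil(gain2 / 2) because gain is an
    integer, so Out1/256 - k(y_hat) == E1(subtract) - E2(in3) exactly.
    """
    in1_lo, in1_hi, in2_lo, in2_hi, in3_lo, in3_hi = box
    e1, gains = [], []
    for s in range((in1_lo - in2_hi) * 256, (in1_hi - in2_lo) * 256 + 1):
        gain = to_short((26542 * to_short(s)) >> 15)
        gains.append(gain)
        e1.append(2000 * gain - 1620 * s)        # (gain/256 - 0.81 * s/256) * DEN
    e2, halves = [], []
    for r in range(in3_lo * 512, in3_hi * 512 + 1):
        gain2 = to_short((16663 * r) >> 14)
        half = -((-gain2) // 2)                  # ceil(gain2 / 2)
        halves.append(half)
        e2.append(2000 * half - 1017 * r)        # (half/256 - 1.017 * r/512) * DEN
    # Out1 == gain - half: both extremes must fit the 16-bit output word.
    to_short(min(gains) - max(halves))
    to_short(max(gains) - min(halves))
    return e1, e2


def overflows(box):
    """True if some input in the box makes a (short int) cast wrap."""
    try:
        _error_profiles(box)
    except Overflow:
        return True
    return False


def max_error_quantized_domain(box):
    """Exact max |k(y_hat) - K(y_hat)| over the fixed-point inputs in the box."""
    e1, e2 = _error_profiles(box)
    return Fraction(max(max(e1) - min(e2), max(e2) - min(e1)), DEN)


def input_quantization_term():
    """Lipschitz bound on |k(y) - k(y_hat)| when |y - y_hat| <= half an LSB."""
    return Fraction(81, 100) * 2 * Fraction(1, 512) + Fraction(1017, 1000) * Fraction(1, 1024)


def implementation_error_bound(box):
    """b_e: |k(y) - K(y_hat)| <= |k(y) - k(y_hat)| + |k(y_hat) - K(y_hat)|."""
    return max_error_quantized_domain(box) + input_quantization_term()


def spot_check(n, seed, box=SAFE_BOX):
    """Largest error observed on n random real inputs rounded to fixed point."""
    rng = random.Random(seed)
    in1_lo, in1_hi, in2_lo, in2_hi, in3_lo, in3_hi = box
    worst = Fraction(0)
    for _ in range(n):
        x1 = in1_lo + Fraction(rng.random()) * (in1_hi - in1_lo)
        x2 = in2_lo + Fraction(rng.random()) * (in2_hi - in2_lo)
        ref = in3_lo + Fraction(rng.random()) * (in3_hi - in3_lo)
        out = fixed_controller(round(x1 * 256), round(x2 * 256), round(ref * 512))
        worst = max(worst, abs(real_controller(x1, x2, ref) - Fraction(out, 256)))
    return worst


if __name__ == "__main__":
    print("slide box overflows:", overflows(SLIDE_BOX))
    print("b_e on SAFE_BOX:", float(implementation_error_bound(SAFE_BOX)))
```

overflows(SLIDE_BOX) reports True: with the ranges quoted in the slide's comments, In1 = 0, In2 = 110, In3 = 50 gives u = −139.95, outside the [−128, 128) that a 16-bit Q8 word can hold, and the (short int) cast in the last line of output() would wrap it. An error-bound analysis is only sound once such overflows are excluded (or saturation is added), which is why the bound here is computed on SAFE_BOX; it comes out near 0.01, the same order as the 0.0163 on the results slide, the exact figure depending on how the constraint |y − ŷ| ≤ δ is set.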


Stability Analysis Tool: Costan

A tool to compute the error bound of a fixed-point implementation of a control law automatically. It reduces the error-bound computation problem to a series of decision problems.

Costan supports both linear and nonlinear controllers; for nonlinear controllers, both polynomial implementations and lookup-table-based implementations. For linear controllers Costan uses the Yices solver [SRI]; for nonlinear controllers it uses the HySat solver [Fränzle et al]. For large linear controllers and for nonlinear controllers implemented as large lookup tables, a compositional strategy is adopted.


Experimental Results

Bracketed m × n entries are lookup-table sizes; [poly] is the polynomial implementation.

Example                       Error bound   Set size (ρ)   Run time
vehicle steering (16bit)      0.0163        0.0375         1m14.313s
pendulum (16bit)              0.0508        0.1806         2m36.409s
dc motor (16bit)              0.0473        1.0889         2m15.110s
train car - 1 car (32bit)     5e-7          2.6080e-5      3m25.478s
train car - 2 cars (32bit)    1.5e-6        9.4000e-5      5m39.607s
train car - 3 cars (32bit)    8.5e-6        0.0010         9m34.485s
train car - 4 cars (32bit)    3.351e-5      0.0080         10m9.179s
train car - 5 cars (32bit)    1.655e-4      0.0627         20m28.822s
jet engine [poly] (16bit)     4e-3          0.0230         0m0.551s
jet engine [3 × 8]            6.40          37.0431        0m34.636s
jet engine [5 × 10]           4.48          25.9296        0m34.293s
jet engine [7 × 14]           2.73          15.8009        1m6.981s
jet engine [21 × 21]          1.25          7.2348         18m15.794s
jet engine [21 × 101]         0.88          5.0933         50m23.127s
jet engine [100 × 100]        0.33          1.9100         103m19.977s

Interpretation of Result

Example: Vehicle Steering. The control objective is to make the vehicle stable parallel to the x-axis at a certain distance d. If the set size computed for d is r, then in the steady state the vehicle will stay between d − r and d + r from the x-axis.


Related Works

Yazarel, Pappas, Girard and Alur (2005) and Nghiem, Pappas, Girard and Alur (2006) characterize the stability-performance gap between the model of a control system and its implementation on a time-triggered architecture.

Alur and Weiss (2008) model the dependency of control performance on schedules by an automaton that can be used for online scheduling.

Zhang, Szwaykowska, Wolf and Mooney (2008) co-design the control law and the task-scheduling algorithm for predictable stability performance.


Conclusion

We bridge the gap between model-based design of control systems and finite-precision implementation of controllers. We show how the result of program analysis of controller code can be used to judge the performance of a control system. We have developed a tool that finds the implementation error in fixed-point implementations of linear and nonlinear controllers.
