Verification of annotated models from executions

Duggirala, Parasara Sridhar; Mitra, Sayan; Viswanathan, Mahesh

doi:10.1109/emsoft.2013.6658604

Cited by 68 publications

(108 citation statements)

References 20 publications

(33 reference statements)

Supporting

Mentioning

104

Contrasting

Order By: Relevance

“…In other words, the model satisfies the stricter requirement that the normalized air-fuel ratio error is less than 1%. The results on transference presented in this paper guarantee that as long as the largest Skorokhod distance between the two models is less than 4% of 14.7, i.e., 0.588, the model with the nonpolynomial dynamics satisfies Requirement (18).…”

Section: Skorokhod Distance Between Systems: Case Studiesmentioning

confidence: 70%

“…We call this polynomial dynamical system A 2 . The rationale for these system versions is as follows: existing formal methods tools cannot reason about highly nonlinear dynamical systems, but tools such as Flow* [12], C2E2 [18], and CORA [3] demonstrate good capabilities for polynomial dynamical systems. Thus, the hope is to analyze the simpler systems instead.…”

Section: Skorokhod Distance Between Systems: Case Studiesmentioning

confidence: 99%

See 1 more Smart Citation

Quantifying conformance using the Skorokhod metric

Deshmukh¹,

Majumdar

Prabhu

2017

Form Methods Syst Des

View full text Add to dashboard Cite

The conformance testing problem for dynamical systems asks, given two dynamical models (e.g., as Simulink diagrams), whether their behaviors are "close" to each other. In the semi-formal approach to conformance testing, the two systems are simulated on a large set of tests, and a metric, defined on pairs of real-valued, real-timed trajectories, is used to determine a lower bound on the distance. We show how the Skorokhod metric on continuous dynamical systems can be used as the foundation for conformance testing of complex dynamical models. The Skorokhod metric allows for both state value mismatches and timing distortions, and is thus well suited for checking conformance between idealized models of dynamical systems and their implementations. We demonstrate the robustness of the metric by proving a transference theorem: trajectories close under the Skorokhod metric satisfy "close" logical properties in the timed linear time logic FLTL (Freeze LTL) containing a rich class of temporal and spatial constraint predicates involving time and value freeze variables. We provide efficient window-based streaming algorithms to compute the Skorokhod metric for both piecewise affine and piecewise constant traces, and use these as a basis for a conformance testing tool for Simulink. We experimentally demonstrate the effectiveness of our tool in finding discrepant behaviors on a set of control system benchmarks, including an industrial challenge problem.

show abstract

Section: Skorokhod Distance Between Systems: Case Studiesmentioning

confidence: 70%

Section: Skorokhod Distance Between Systems: Case Studiesmentioning

confidence: 99%

Quantifying conformance using the Skorokhod metric

Deshmukh¹,

Majumdar

Prabhu

2017

Form Methods Syst Des

View full text Add to dashboard Cite

show abstract

“…For deterministic models, control theoretic properties of the models, such as stability, contractiveness, and continuity, can be used to compute these tubes. [18][19][20] For example, if the right-hand side of the differential equations are Lipchitz continuous or if the system executions are asymptotically stable, then the tube containing all executions starting from a ball around x 0 can be computed in a straightforward manner. Checking a dynamical system's asymptotic stability isn't generally an easy problem; however, it's reasonable to expect that the simulation models are annotated with certificates that ensure these control theoretic properties (for example, Lyapunov functions, Lipchitz constants, and contraction metrics) hold.…”

Section: Safety-critical Systemsmentioning

confidence: 99%

Verifying Cyber-Physical Interactions in Safety-Critical Systems

Mitra

Wongpiromsarn

Murray

2013

IEEE Secur. Privacy

Self Cite

View full text Add to dashboard Cite

Safety-compromising bugs in software-controlled systems are often hard to detect. In a 2007 DARPA Urban Challenge vehicle, such a defect remained hidden during more than 300 miles of test-driving, manifesting for the first time during the competition. With this incident as an example, the authors discuss formalisms and techniques available for safety analysis of cyber-physical systems.T urning left during the third round of the 2007 DARPA Urban Challenge, Alice-an autonomous Ford Econoline van-dangerously deviated from the computer-generated path and started stuttering in the middle of a busy intersection. Earlier in the competition, Alice had completed two rounds of missions involving on-and off-road driving, parking, merging, and U-turns while obeying traffic rules-all with style and with no human driver. This was a testament to 15 months of programming, debugging, and test-driving by a team of 50 students and researchers from Caltech, Jet Propulsion Laboratory, and Northrop Grumman.Alice's onboard hardware included 10 cameras; eight laser radars (LADARs); two ordinary radars; an inertial navigation system; two pan-tilt units; 25 CPUs; and actuators for the steering, throttle, brake, transmission, and ignition (see Figure 1). The software included the sensing and the control systems, with 48 individual programs and more than 100 concurrent threads. The control system had modules for making actuation decisions at different spatial and temporal scales on the basis of the processed data streams (see Figure 2a). For instance, the mission planner computed routes for completing high-level missions using a road map, the traffic planner ensured traffic rule conformance on the basis of finite state machines (FSMs), the path planner generated waypoints on the basis of inputs from the upper levels and obstacles, and the controller computed acceleration and steering signals for the vehicle to follow the waypoints. For safety, we "unit tested" each component against reasonable-sounding but informal assumptions about the other components and its own physical environment.An unforeseen interaction among the control modules and the physical environment, not witnessed during more than 300 miles of autonomous test-driving and hours of extensive simulations, led to this safety violation and Alice's unfortunate disqualification. What happened? We implemented a reactive obstacle avoidance (ROA) subsystem to rapidly decelerate Alice for collision avoidance. Under normal operation, ROA would send a brake command to the controller when Alice got too close to an obstacle or when it deviated too much from the planned path. The controller would then rapidly stop Alice, and the path planner would generate

show abstract

“…Request permissions from permissions@acm.org. Several recent papers [1][2][3][4] present techniques for proving or disproving properties of such models. The details vary to some extent, but the common strategy relies on the following simulate-and-bloat step: For a particular initial state x and a time bound T , compute a (possibly inaccurate) simulation of the system ξx starting from x upto time T .…”

Section: Introductionmentioning

confidence: 99%

Proofs from simulations and modular annotations

Huang

Mitra

2014

Proceedings of the 17th International Conference on Hybrid Systems: Computation and Control

Self Cite

View full text Add to dashboard Cite

We present a modular technique for simulation-based bounded verification for nonlinear dynamical systems. We introduce the notion of input-to-state discrepancy of each subsystem Ai in a larger nonlinear dynamical system A which bounds the distance between two (possibly diverging) trajectories of Ai in terms of their initial states and inputs. Using the IS discrepancy functions, we construct a low dimensional deterministic dynamical system M (δ). For any two trajectories of A starting δ distance apart, we show that one of them bloated by a factor determined by the trajectory of M contains the other. Further, by choosing appropriately small δ's the overapproximations computed by the above method can be made arbitrarily precise. Using the above results we develop a sound and relatively complete algorithm for bounded safety verification of nonlinear ODEs. Our preliminary experiments with a prototype implementation of the algorithm show that the approach can be effective for verification of nonlinear models.

show abstract

Verification of annotated models from executions

Cited by 68 publications

References 20 publications

Quantifying conformance using the Skorokhod metric

Quantifying conformance using the Skorokhod metric

Verifying Cyber-Physical Interactions in Safety-Critical Systems

Proofs from simulations and modular annotations

Contact Info

Product

Resources

About