Safety Verification Proofs for Physical Systems
1998
Abstract
While much progress has been made on verification of discrete systems such as computer programs, work on formal verification of continuous, physical systems has been limited. We present a technique for verification of safety properties of such systems. Our algorithm treats safety as a reachability problem, and attempts to prove that a system cannot evolve from an abstract initial state into a state in which the safety condition does not hold. This approach is inspired by qualitative simulation techniques and makes use of trajectories comprised of a sequence of qualitative states and state transitions. The applicability of the technique, however, is not limited to qualitative problems, as we can use any amount of quantitative mathematics in the system description. This paper describes the technique, presents example problems, and discusses its limitations as well as potential for use in device engineering.
Related papers
2017
The standard method used for verifying the behaviour of a dynamical system is simulation. But simulation can check only a finite number of operating conditions and system parameters, leading to a potentially incomplete verification result. This dissertation presents several automated theorem proving based methods that can, in contrast to simulation, completely guarantee the safety of a dynamical system model. To completely verify a purely continuous dynamical system requires proving a universally quantified first order conjecture, which represents all possible trajectories of the system. Such a closed form solution may contain transcendental functions, rendering the problem undecidable in the general case. The automated theorem prover MetiTarski can be used to solve such a problem by reducing it to one over the real closed fields. The main issue is the doubly exponential complexity of the back-end decision procedures that it depends on. This dissertation proposes several techniques ...
Tools and Algorithms for the Construction and Analysis of Systems, 2015
Mathworks' Stateflow is a predominant environment for modeling embedded and cyber-physical systems where control software interacts with physical processes. We present Compare-Execute-Check-Engine (C2E2), a verification tool for continuous and hybrid Stateflow models. It checks bounded time invariant properties of models with nonlinear dynamics, and discrete transitions with guards and resets. C2E2 transforms the model, generates simulations using a validated numerical solver, and then computes reachtube over-approximations with increasing precision. For this last step it uses annotations that have to be added to the model. These annotations are extensions of proof certificates studied in Control Theory and can be automatically obtained for linear dynamics. The C2E2 algorithm is sound and it is guaranteed to terminate if the system is robustly safe (or unsafe) with respect to perturbations of guards and invariants of the model. We present the architecture of C2E2, its workflow, and examples illustrating its potential role in model-based design, verification, and validation.
1 Introduction
Cyber-physical systems (CPS) are systems that involve the close interaction between a software controller and a physical plant. The state of the physical plant evolves continuously with time and is often modeled using ordinary differential equations (ODE). The software controller, on the other hand, evolves through discrete steps and these steps influence the evolution of the physical process. This results in a "hybrid" behavior of discrete and continuous steps that makes the formal analysis of these models particularly challenging, so much so that even models that are mathematically extremely simple are computationally intractable. In addition, many physical plants have complicated continuous dynamics that are described by nonlinear differential equations. Such plants, even without any interaction with a controlling software, are often unamenable to automated analysis.
On the other hand, the widespread deployment of CPS in safety critical scenarios like automotives, avionics, and medical devices, have made formal, automated analysis of such systems necessary. This is evident from the extensive activity in the research community [20,19,7]. Given the challenges of formally verifying CPS, the sole analysis technique that is commonly used to analyze nonlinear systems is numerical simulation. However, given the large, uncountable space of behaviors, using numerical simulations
Artificial Intelligence, 1997
We demonstrate an automated method for proving temporal logic statements about solutions to ordinary differential equations (ODEs), even in the face of an incomplete specification of the ODE. The method combines an implemented, on-the-fly, model-checking algorithm for statements in the temporal logic CTL* [3, 7, 8] with the output of the qualitative simulation algorithm QSIM [13, 16]. Based on the QSIM Guaranteed Coverage Theorem, we prove that for certain CTL* statements, , if is true for the temporal structure produced by QSIM, then a corresponding temporal statement, 0 , holds for the solution of any ODE consistent with the qualitative differential equation (QDE) that QSIM used to generate the temporal structure.
Safe Comp 96, 1997
Safety verification of hybrid dynamical systems relies crucially on the ability to reason about reachable sets of continuous systems whose evolution is governed by a system of ordinary differential equations (ODEs). Verification tools are often restricted to handling a particular class of continuous systems, such as differential equations with constant right-hand sides, or systems of affine ODEs. More recently, verification tools capable of working with non-linear differential equations have been developed. The behavior of non-linear systems is known to be in general extremely difficult to analyze because solutions are rarely available in closed form. In order to assess the practical utility of the various verification tools working with non-linear ODEs it is very useful to maintain a set of verification problems. Similar efforts have been successful in other communities, such as automated theorem proving, SAT solving and numerical analysis, and have accelerated improvements in the tools and their underlying algorithms. We present a set of 65 safety verification problems featuring non-linear polynomial ODEs and for which we have proofs of safety. We discuss the various issues associated with benchmarking the currently available verification tools using these problems.
Lecture Notes in Computer Science, 2013
The formal verification of cyber-physical systems is a challenging task mainly because of the involvement of various factors of continuous nature, such as the analog components or the surrounding environment. Traditional verification methods, such as model checking or automated theorem proving, usually deal with these continuous aspects by using abstracted discrete models. This fact makes cyber-physical system designs error prone, which may lead to disastrous consequences given the safety and financial critical nature of their applications. Leveraging upon the high expressiveness of higher-order logic, we propose to use higher-order-logic theorem proving to analyze continuous models of cyber-physical systems. To facilitate this process, this paper presents the formalization of the solutions of second-order homogeneous linear differential equations. To illustrate the usefulness of our foundational cyber-physical system analysis formalization, we present the formal analysis of a damped harmonic oscillator and a second-order op-amp circuit using the HOL4 theorem prover.
Annual Reviews in Control, 2009
Safety verification and reachability analysis for hybrid systems is a very active research domain. Many approaches that seem quite different have been proposed to solve this complex problem. This paper presents an overview of various approaches for autonomous, continuous-time hybrid systems and presents them with respect to basic problems related to verification.
1995
In this paper, we propose a new approach to validating formal specifications of observable behavior of discrete dynamic systems. By observable behavior we mean system behavior as observed by users or other systems in the environment of the system. Validation of a formal specification of an informal domain tries to answer the question whether the specification actually describes the intended domain. This differs from the verification problem, which deals with the correspondence between formal objects, e.g. between a formal specification of a system and an implementation of it. We consider formal specifications of object-oriented dynamic systems that are subject to static and dynamic integrity constraints. To validate that such a specification expresses the intended behavior, we propose to use a tool that can answer reachability queries. In a reachability query we ask whether the system can evolve from one state into another without violating the integrity constraints. If the query is answered positively, the system should exhibit an example path between the states; if the answer is negative, the system should explain why this is so. An example path produced by the tool can be used to produce scenarios for presentations of system behavior, but can also be used as a basis for acceptance testing. In this paper, we discuss the use of planning and theorem-proving techniques to answer such queries, and illustrate the use of reachability queries in the context of information system development.
2000
The incorporation of timing makes circuit verification computationally expensive. This paper proposes a new approach for the verification of timed circuits. Rather than calculating the exact timed state space, a conservative overestimation that fulfills the property under verification is derived. Timing analysis with absolute delays is efficiently performed at the level of event structures and transformed into a set of relative timing constraints. With this approach, conventional symbolic techniques for reachability analysis can be efficiently combined with timing analysis. Moreover, the set of timing constraints used to prove the correctness of the circuit can also be reported for back-annotation purposes. Some preliminary results obtained by a naive implementation of the approach show that systems with more than 10^6 untimed states can be verified.
2016
We address the problem of verifying safety properties of infinite state reactive systems that use unbounded integer variables. We consider systems specified by using linear constraints over the integers and we assume that, for verifying safety properties of these systems, one uses reachability analysis techniques. Our method improves the effectiveness of forward and backward reachability analyses by preprocessing the system specification. For forward reachability our method consists in: (i) transforming the system specification into an equivalent one (with respect to the safety property of interest) by a constraint propagation technique that works backward from the constraints representing the unsafe states, and then (ii) applying to the transformed system specification a reachability analysis that works forward from the constraints representing the initial states. For backward reachability our method works as for forward reachability, by interchanging the roles of the initial sta...