Jas-95 Lite: Modelling and Formal Analysis of Dynamic Properties
Abstract
In this report we present the multi-disciplinary work performed in the first phase of the COHSY project concerning generation of models and analysis of hybrid systems, i.e. mathematical models including both continuous and discrete elements. The participants of the project were SAAB Military Aircraft, Volvo Aerospace, and VOAC Hydraulics, as well as three departments from Linköping University: Computer Science, Electrical Engineering and Mechanical Engineering. The report addresses modelling and formal verification of a fictitious system, the landing gear of an aircraft referred to as JAS-95 Lite, which involves hydro-mechanical and electro-mechanical sensors and actuators as well as electronic and software modules performing diagnosis and control. The technical system is moreover in dynamic interaction with a human operator (the pilot). The main aim of this work has been to mathematically prove that specified requirements are satisfied by given design specifications for the controller and alternative models for the physical environment. An architectural model is used to facilitate the combination of alternative configurations. The report provides a summary of several tracks of activity, a major one being the application and illustration of state-of-the-art techniques in physical modelling of the hardware, and mathematical modelling and verification of the closed loop system. The languages used for modelling range from engineering schematic diagrams to Bond Graphs, hybrid transition systems, hybrid automata, and the temporal logic Extended Duration Calculus. It also provides some insights into modelling in synchronous languages for high level specification of real-time programs, the interest being the investigation of the applicability of tools available for analysis and subsequent code generation from high level designs.
Two languages from this family are examined in the context of the case study: discrete models in Esterel and timed models in statecharts as implemented in the tool Statemate. Parts of this work have been presented at a number of international conferences [20, 21, 30, 34, 29].

Contents

1 Introduction 3
1.1 Scope of the report 3
1.2 Selected example 4
1.3 Summary of the report 6
2 From engineering documents to mathematical models 9
2.1 Apparatus modelling of hardware 9
2.2 Physical modelling 12
2.2.1 Classical Bond Graphs 13
2.2.2 Switched Bond Graphs 14
2.2.3 The Landing Gear Models 15
2.3 The architectural model 17
2.3.1 A generic decomposition 17
2.3.2 Framework for iterative modelling 17
3 Hybrid mathematical models 19
3.1 Models of the controller 19
3.2 Closed loop models 21
3.3 Hybrid Transition Systems 23
3.3.1 Operational semantics 25
3.3.2 Parallel composition 26
3.3.3 HTS representation of the landing gear 26
4 Automatic verification 27
4.1 Requirements Specifications 27
4.2 State space search in Statemate 28
4.3 Symbolic model checking with HyTech 29
4.4 Verification of safety properties in Esterel 31
4.5 Discussion 35
4.5.1 Comparison of tools 35
4.5.2 Modelling and language issues 36
5 Verifying non-linear hybrid models 38
5.1 A brief introduction to EDC 38
5.2 EDC model of the landing gear 42
5.3 Requirement specifications in EDC 44
5.4 Verification of R1 44
5.5 Verification of R2 46
5.6 Verification of the non-linear hybrid model 57
5.7 Discussion 59
6 Concluding remarks 61

Chapter 1 Introduction

1.1 Scope of the report

In this report we present the multi-disciplinary work performed in the first two years of the COHSY project concerning generation of models and analysis of hybrid systems, i.e. mathematical models including both continuous and discrete elements. An earlier report [6] can be consulted for a general description of the project. This report addresses modelling and formal verification of a fictitious system, referred to as JAS-95 Lite, involving hydro-mechanical and electro-mechanical sensors and actuators as well as electronic and software modules performing diagnosis and control. The technical system, hereafter referred to as "the system", is moreover in dynamic interaction with a human operator (the pilot). The aim of this work is to prove that specified requirements are satisfied by a given design specification for the controller(s) and the physical hardware and environment configuration. The work reported here has been partially presented in international conferences in the form of shorter articles. This report can primarily be seen as the full version of [20, 21, 30]. It also provides the context to the work reported in [34]. Some extensions to the work reported here will further appear in [29].
In order to formally verify the properties of a given system, we first need a mathematical model of it. However, models suitable for formal verification are not generated in the development of computer-based systems as a matter of routine. Thus, a significant part of a verification effort concerns methods for deriving modular mathematical models from the existing informal engineering documents. In this modelling process we give as much weight to the physical environment as to the controlling software. The models of the hardware and the software are typically fundamentally different in their character. Hence, different competences are required in the development and documentation of these models. However, it is the composition of the models for these two parts, also referred to as the closed loop model, which is needed for proving the properties we are interested in. Deriving mathematical models from engineering documents is an inherently difficult task. Even if international document standards are commonly adopted today, the mathematical interpretation of such documents is still rather ambiguous. We have approached this problem by adopting an iterative process in which models are successively refined as a result of earlier analysis. The pragmatic reason for this is the following. The level of detail in the model depends on factors such as the requirement specification, the assumptions made about the physical components, and the choice of verification technique. Hence, in real-world applications, the modelling and the analysis processes must go hand in hand. For this kind of iterative process to be realistic in a multi-disciplinary setting, the formal models derived and the assumptions made must be easy to convey to the domain specialists. Also, new assumptions derived from results made available by earlier analysis must be easy to incorporate into the model at any time.
The above process necessitates the employment of a range of formalisms and methodologies in our application. To mention a few, we have, at the physical level of abstraction, ideal physical model diagrams and switched bond graphs [31]. At the mathematical level of abstraction, we have employed hybrid transition systems (HTS), and an architecture for the top-level decomposition of hybrid systems [19, 18]. This modular framework allows us to plug in a refined version of an arbitrary module without having to consider (or redo) the rest of the model. In connection with the verification technique, we have experimented with several other mathematical modelling languages: Linear Hybrid Automata (LHA) [2] and the Extended Duration Calculus (EDC) [4] from the hybrid family of languages, and Esterel (I/O automata) and statecharts from the synchronous family of languages.

1.2 Selected example

The issues above are illustrated in the context of one of the selected examples in [6]; that is, the subsystem in JAS-95 Lite in which the response to the landing command by a pilot is analyzed (see Figure 1.1).

Figure 1.1: The mechanical view of the system studied (diagram; labels: cut A-A, gear actuator with x1 = 1 / x1 = 0, door actuator with x2 = 0 / x2 = 1).

When deriving the mathematical models we note that some major elements of the physical configuration have already been fixed due to other demands on the aircraft as a whole (weight etc.). Also, some back-up mechanisms have already been envisaged. That is, under abnormal situations it should always be possible to initiate landing using a reserve power supply. Thus we have started the modelling activity at an architectural level. A basic problem at this level is that the segregation of the landing gear subsystem from the rest of the aircraft is not a straightforward task. This is due to the fact that achieving the goals of the landing gear is not solely dependent on the functional correctness of a single controller.
Rather, the proper operation of the landing gear is possible under certain conditions in the rest of the aircraft. For example, the physical operation of the mechanical door and gear components depends on hydraulic power at certain locations in the hydraulic power supply system and at certain times. Thus, in order to identify the mode of operation in the gear control system there should be another module for monitoring and diagnosis of the hydraulic power supply. Based on the above observations we have identified a sub-system consisting of four blocks for modelling and analysis. Figure 1.2 shows the topology of the system under study, where the full arrows denote directions of information exchange and half arrows directions of (positive) energy exchange.

Figure 1.2: An abstraction of the landing gear system (block diagram; blocks: power source, pumps and valves, distribution network, hydraulic power supply system, valves & actuators, mechanical system, mechanical linkage, gear control system, hydraulic diagnosis system; signals u, y, d1, ..., d5).

The inputs denoted by di are abstractions of other activities in the aircraft treated as disturbances, u denotes pilot commands, and y denotes system state information delivered to the pilot.

1.3 Summary of the report

The work in the project has led to the derivation of physical and mathematical abstractions for all four components of the system. At the first stage, models for the hydro-mechanical subsystems (in terms of schematic engineering diagrams) have been developed. These models have been transformed to the energy-based graphical language of switched bond graphs. The latter step significantly aids the derivation of mathematical models for mode-switching physical systems. These are physical systems which cannot be described by one set of differential and algebraic equations (DAEs); rather, different sets of DAEs are needed depending on the discrete mode in the system.
Next, models for diagnosis and controller modules (to be implemented in hardware or software) have been developed. The model for the diagnosis unit necessarily includes a mapping from continuous variables to discrete indications of leakage. This model and the various impacts of the leakage model on the closed loop system have not been integrated in the verification models presented in the current report. As for dynamic properties, the modelling phase was followed by proofs of the following three properties for several models of the landing gear system.

- The door and the gear do not collide under movement.
- Whenever the pilot issues the landing (airborne) command, the gear will be out (in) and the door closed within T seconds.

The above modelling activity has made it possible to investigate different verification techniques on the same example. First, we have tried composition of the coarsest model of the door and gear with a timed dynamic controller, and applied the symbolic model checking techniques implemented in the HyTech verification tool. The physical models could be used to justify that under certain hydraulic power modes the operation of the door and the gear could be approximated by time-linear evolutions. Hence, the safety and timeliness of the controller under these conditions can be tested using automatic methods. The same underlying models were also used to experiment with other, more familiar modelling and verification techniques: the Statemate environment for the language of statecharts, and the development environment for Esterel programs (translated into Input/Output machines by Mauto). Second, for the same (time-linear) model of the physical system we have analyzed its composition with a different controller (consisting of a static mapping). This composition was then subjected to a manual proof within Extended Duration Calculus leading to a proof of the same 3 properties.
The point of this hand proof is that it provides the necessary structure on which the same proofs for a non-linear model of the hydro-mechanical system can be based. This corresponds to a mathematical model for a more refined version of the hydraulic supply system in which the hydraulic pressure is not assumed to be constant; it is rather assumed to be regulated by a hydro-mechanic pump. The structure of the report is as follows. Chapter 2 presents the steps for translating engineering schematic diagrams (or apparatus models) of the physical environment to physically based models in Switched Bond Graphs. This work leads to the mathematical models on which the formal verification is based. The chapter also provides an abstract architectural breakdown of the closed loop system. Chapter 4 refines the architectural model by filling in alternative models for the constituents. It also introduces the notion of hybrid transition systems used for mathematical modelling of the closed loop system. Chapter 5 is devoted to the automatic verification techniques applied to this example, and chapter 6 deals with the deductive proofs in EDC which are extended to the nonlinear environment model. In the final chapter we comment on observations and the insights gained during these studies.

Acknowledgements

This research was partially funded by the Swedish National Board for Industrial and Technical Development (NUTEK). Also, the authors wish to thank Göran Backlund and his associates at Saab Military Aircraft, Linköping, and Arne Jansson at the division of Fluid Power, Dept. of Mechanical Engineering, Linköping University, for many valuable contributions and comments on the hydraulic and mechanical models, of which only a fraction are presented here.
Chapter 2 From engineering documents to mathematical models

The chapter illustrates the multi-paradigm modelling approach leading from the documents currently produced by domain experts to the mathematical models suitable for formal verification in the following chapters.

2.1 Apparatus modelling of hardware

We let the term 'apparatus' refer to anything that is controlled by a discrete controller and whose behaviour is described by physical laws. Note that this excludes software components. Apparatus models cover electromechanical or electrohydraulic actuators, the systems governed by these actuators and the sensors used to measure the effect of the actuation. As an example, Figure 2.1 depicts an apparatus model of a system involving three different physical domains: electric, hydraulic and mechanic. This particular diagram is a model of the landing gear subsystem of an aircraft. Industrial documentation of the components constituting an apparatus, whether they are electric, hydraulic or mechanic, is typically informal. The icons used in Figure 2.1 are fairly well standardized in as far as they refer to functions within the system, implemented by specific devices. However, they are ambiguous with respect to the underlying physics: it is not clear which physical effects must be taken into account. The industrial description for such devices typically consists of a well defined 'item' or 'order code' number associated with each device. As a matter of fact, it is not even possible to precisely define the underlying physics of a device component.

Figure 2.1: The landing gear system as documented by a mechanical engineer (schematic; components: landing gear controller, valves, door, sensors, hydraulic actuators, electric wires, pump, landing gear, hydraulic pipes, power supply, pilot command switch, aircraft engine, tank).

Figure 2.2: The structure of 'object oriented' modelling languages such as Omola/Dymola (layers: objects, mathematical relations, computational models; steps: abstraction, mathematical characterization, automatic composition).

The reason for this is that the behaviour of a component depends on the circumstances in which the device is used and its characteristics with respect to accuracy, timing, dynamic range etc. Hence, the type of 'models' typically used in industry are in themselves not informative enough for determining a unique mathematical behaviour model suitable for e.g. formal verification. Nevertheless, it is possible to link, in an organized way, mathematical models to each of the icons (objects) used in schematic diagrams, provided we know the context in which the objects are being used. This is the approach adopted in so called 'object oriented modelling languages' such as Omola [15, 3] and Dymola [5]; see Figure 2.2. Links between objects and mathematical relations describing the behaviour of each object are here made explicit. Once the behaviour of the individual objects has been specified, the composed overall model can be automatically generated. This compositional approach is of course necessary in order to allow for the modelling of real-sized systems. Although the object oriented approach solves some problems, there are still some unresolved ones. For example, a major problem is how to describe the assumptions underlying the mathematical device models in a standardized way. Also, we have the more fundamental problem of having to link behaviour models to unique objects. This is not always possible, since behaviour ever so often emerges from the interaction between two or more devices or objects. In 'object oriented' languages such as Omola/Dymola, this problem is typically circumvented by introducing abstract 'interaction objects'.
Figure 2.3: The structure of the energy oriented bond graph language (layers: objects, mechanisms, mathematical relations, computational models; steps: reticulation, abstraction, mathematical characterization, automatic composition; bond graph elements TF, E, C, R).

A clarifying example of an interaction effect is friction. Friction is the effect of two bodies moving relative to each other. In languages like Omola or Dymola a 'friction object' is to be inserted in between the objects representing the two moving bodies. Hence, in that case the clear relationship between the objects in the original schematic diagram and the Omola/Dymola type of representation cannot be maintained. Thus we get an intermingling of models for concrete devices with models of abstract interactions. To summarize, in these models the links between objects and mathematical relations are made explicit, but the assumptions made in the mathematical characterization are not. Also, abstract 'interaction objects' typically have to be introduced.

2.2 Physical modelling

Bond graphs [24, 13] provide a neater solution to the fundamental modelling problems mentioned in the previous chapter. This is done by introducing an additional modelling formalism 'in between' the concrete device oriented technical level and the more abstract mathematical level; see Figure 2.3. In this chapter we first give a brief introduction to classical Bond graphs and their switched extension, followed by a BG model of the landing gear of JAS-95 Lite.

Figure 2.4: The bond graph representation of three different storage mechanisms (C-element; electric: u = e [V], i = f [A]; hydraulic: p = e [Pa], q = f [m^3/s]; mechanic: F = e [N], v = f [m/s]).

2.2.1 Classical Bond Graphs

As opposed to the Dymola/Omola type of language, the bond graph language is not a programming language. Bond graphs represent the energetic interaction structure of an apparatus and nothing else.
This also implies that bond graphs are restricted to systems which can be naturally represented using energy as the basic concept. The advantage of adopting energy concepts is that they are well understood and have a common meaning to almost all classical engineers, no matter the particular engineering domain. The original bond graph language consists of only nine basic elements. These nine elements form the nodes of a graph connected by half-arrow shaped bonds representing exchange of energy. The elements represent energy processes. With each bond a pair of power variables, effort and flow, is associated, with $e \cdot f = \text{power}$. Effort and flow are generalisations of force and velocity, voltage and current, temperature and entropy flow in different domains. The nine energy processes defined by the language fall into one of the following five categories: (1) sources (Se, Sf), (2) storages (C, I), (3) dissipations (R), (4) distributions (E, F) and (5) conversions (TF, GY). Each of these processes corresponds to a well defined ideal physical mechanism. For example, a bond graph C-element represents an idealized model of a hydraulic accumulator, an electric capacitor or a mechanic mass-less spring (see Figure 2.4). By selecting and combining these ideal elements, the modeller is forced to express every assumption in a standard and formal way. The first phase in the bond graph modelling procedure is referred to as reticulation [24]. As a matter of fact, this inherently difficult modelling phase is always present no matter the modelling approach employed. Based on the purpose of the model and the context in which the devices are used, it is here decided which physical effects to consider. Bond graphs are unique in that they force the modeller to represent this phase and the decisions made explicitly. Moreover, bond graphs provide the modeller with the smallest possible set of primitive concepts sufficient for a wide class of apparatus.
Of course bond graphs provide little or no support when systems outside this class are considered. Once the system has been reticulated successfully, i.e. the bond graph has been drawn, the mathematical characterization of the nodes in the graph is in most cases straightforward. This is due to the fact that each node is associated with a well defined mathematical structure: the constitutive relation. Note that a constitutive relation is a relation in the original mathematical sense, not a computation. Therefore, a bond graph is acausal, i.e. a declarative description of a computational model. The composition of the individual relations into a complete computational whole is completely algorithmic. The result of automatic composition is a system of differential and algebraic equations (DAE). This provides a well-defined mathematical semantics for bond graphs [31].

2.2.2 Switched Bond Graphs

Classical bond graphs allow for finite flows of energy only and are thus restricted to modelling continuous changes. However, many practical devices undergo abrupt changes in their behaviour, mostly due to external or internal discrete control. Such devices will be referred to as mode-switching systems. In order to carry over the bond graph methodology to mode-switching systems, an extension referred to as the switched bond graph was introduced in 1993 [32, 33, 31, 28]. The idea is to allow for reticulation of hybrid systems without losing any of the conceptual clarity of the traditional bond graph language. The main ingredient in the extension is a new ideal element, viz. the ideal generalized switch (Sw) [32, 28]. As opposed to the other bond graph elements, the Sw-element is not associated with a constitutive mathematical relation over effort and flow. Instead, it is associated with a discrete mathematical structure determining the discrete state of the switch.
Once all elements of a switched bond graph have been mathematically characterized, including the Sw-elements, it can be automatically converted into a computational hybrid system: two sets of DAEs and boolean transition conditions. Further details on how to characterize individual Sw-elements and how to compose a switched bond graph into a computational whole are provided in [31, 28].

Figure 2.5: The physical environment models. Left: the coarsest model of the hydraulic supply (Se:supply; elements C:spring, F:spool, R). Right: the model including a hydro-mechanically regulated pump (E:supply, C:accum, R:leak, TF:pump, TF:spool; engine velocity ω). Blocks: pilot (r), engine (ω), hydraulic supply (p, q), hydraulic actuation (ud, ug), mechanical linkage (xd, xg).

2.2.3 The Landing Gear Models

The landing gear system has been chosen as one of the test cases in an ongoing multi-disciplinary research effort in cooperation with aerospace industries in Sweden. The project concerns evaluation and development of tools and methods for the modelling and formal analysis of complex hybrid systems. The system involves hydro-mechanic, electro-hydraulic and electro-mechanic hardware components interacting with hardwired as well as software based modules performing diagnostic and controlling tasks. The system contains continuous control loops, implemented in hydro-mechanic hardware, and discrete control loops, implemented in hardware and software. Finally, the system interacts with a human operator, namely the pilot, who in turn critically depends on its proper operation. The hardware components in the landing gear system consist of the landing gear itself, i.e. the wheel-and-suspension system, a pair of doors protecting the gear during flight and landing, and a pair of hydraulic actuators for the manoeuvring of the gear and the doors; see also Figure 2.1.
As part of the landing gear system, the hydraulic power supply system provides the hydro-mechanic energy needed to manoeuvre the gear and the doors under all operating conditions. The software components implement a discrete controller for the door and gear actuators, as well as a diagnosis module which detects malfunctions in the hydraulic power supply system. For the purpose of illustration, we present two different bond graph models of the hydraulic power supply subsystem and a single model of the door-and-gear subsystem. These models differ in the assumptions made about the subsystems, and therefore illustrate the capability of bond graphs to make such assumptions clear. In the coarsest model of the hydraulic power supply we represent the assumption that the hydraulic power supply system behaves as an ideal constant pressure source; see the lowest left-most box in Figure 2.5, where p and q stand for hydraulic supply pressure and flow respectively. Combining it with the model of the door-and-gear subsystem, the overall plant model converts to a simple time-linear dynamic system

$$\dot{x}_d = {}_d\, u_d, \quad x_d \in [0, 1] \qquad (2.1)$$
$$\dot{x}_g = {}_g\, u_g, \quad x_g \in [0, 1] \qquad (2.2)$$

where ${}_d, {}_g > 0$ are constants (time-invariants), $x_d$ ($x_g$) is the normalized door (gear) position and $u_d$ ($u_g$) $\in \{-1, 0, +1\}$ is the three-valued door (gear) control signal. In the more detailed model of the power supply system (lowest right-most box in Figure 2.5), we no longer assume that the hydraulic pressure is ideal. Instead we make an explicit model of the hydro-mechanic regulator which in fact attempts to make the pressure 'as constant as possible' given a particular engine velocity $\omega$. In this case the overall bond graph converts to a non-linear dynamic system

$$\dot{x}_d = {}'_d\, p\, u_d, \quad x_d \in [0, 1] \qquad (2.3)$$
$$\dot{x}_g = {}'_g\, p\, u_g, \quad x_g \in [0, 1] \qquad (2.4)$$
$$\dot{p} = ({} + {}_d\,|u_d| + {}_g\,|u_g|)\, p + {} \qquad (2.5)$$

where ${}'_d, {}'_g, {}_d, {}_g > 0$ are constants and $p$ is the hydraulic supply pressure. The quotient ${}/{}$ is a monotonic function of the aircraft engine velocity $\omega$.
These models are only a small selection of the models we have derived. Other models consisting of some fifty bond graph elements have been efficiently developed in cooperation with hardware experts from Saab Military Aircraft and the Dept. of Fluid Power at Linköping University. The efficiency of this iterative modelling process has gained significantly from the use of bond graphs. By means of the bond graphs we were able to communicate our models to all engineers from the industrial partners and were able to sort out misunderstandings and misconceptions at an early stage of the modelling process. The DAE models derived can now be plugged into the model of the closed loop system as required. To do this we use a hybrid modelling architecture [17] described in the next section.

2.3 The architectural model

This section advocates a framework for putting together the environment models derived earlier with mathematical models for the other parts of the system. It can be used for refining the overall architecture in Figure 1.2 by making the interface between the controller/diagnoser and the physical world more explicit.

2.3.1 A generic decomposition

The generic architecture as depicted in Figure 2.6 accommodates both the mathematical models for the physical environment and the mathematical models for the discrete controllers and supervisory systems. It has been adopted from the multi-layer architecture for hierarchical control suggested earlier [17]. This architectural decomposition is used as a framework for verification and makes the interfaces (as dictated by the choice of sensors and actuators) explicit. The discrete controller consists of a selector asynchronously reacting on discrete events e detected by the characterizer. The characterizer generates these events using a classification function over the real valued environment variables z. The output of the selector is the discrete choices c of control algorithms implemented by the effector.
The environment is driven by the real valued control variables u. The unpredictability of the environment is made explicit by the disturbance variable v. This variable is typically used for allowing uncertainties in sensor measurements. In addition, it may be used to model major elements of the environment not under control.

2.3.2 Framework for iterative modelling

This architecture has been used in a number of different applications and aids the process of modelling the closed loop system for the purpose of verification. In the landing gear study we have used the architecture as a framework for iterative modelling of the closed loop system.

Figure 2.6: A generic architecture for decomposition of hybrid systems (discrete part: selector, characterizer, effector; continuous part: environment; signals e, c, z, u, v).

It was thus used to plug in different models of the environment while keeping the same selector, characterizer and effector, or different selectors while keeping the same environment model. Thus, we have been able to study and illustrate different verification techniques depending on the complexity (granularity) of the closed loop model and the property to be verified. In the following chapter we will show the details of the alternative landing gear models by filling in the boxes in the above architecture.

Chapter 3 Hybrid mathematical models

In this chapter we describe how the models for the closed loop system can be derived using the alternative mathematical models for the hardware derived earlier. We recall that the alternative hardware models were based on alternative assumptions during physical modelling. Similarly, alternative mathematical models of the designed controller can be established and plugged into the decomposition architecture presented earlier.

3.1 Models of the controller

In what follows we give two alternative design models for the landing gear controller. These different models reflect assumptions made about the alternative implementations.
The first one is a dynamic selector and models a software implementation of the controller incorporating delays. The model includes discrete state transitions where the label $[l, u]$ on each transition may be used to represent the lower and upper bound on the delay associated with that transition. These delays may be used to model communication and computation delays within the computer system to the extent that they are relevant. The second model is a static selector which corresponds to an implementation of the controller in hardwired electronics, and hence does not incorporate any delays. The first controller may be considered as the one used under normal operation, whereas the second is a backup system taking over in emergency situations. The two different controller models are outlined in Figure 3.1. Note that in this simple version we have associated deterministic unit delays with every transition.

Figure 3.1: Alternative mathematical models for the plant and the controller, giving rise to 4 different closed loop models. [Figure: four boxes. Static selector (top left): a network of AND and OR gates from the inputs open, closed, in, out and cmd to the outputs $u_{11}$, $u_{12}$, $u_{21}$, $u_{22}$. Dynamic selector (top right): the modes idle, opening, closing, extending and retracting, connected by transitions labelled with the guards $g_1, \ldots, g_8$ and the delay $[1,1]$. Time-linear plant (bottom left): $\dot x_d = \delta_d u_d$, $\dot x_g = \delta_g u_g$ with $\delta_d, \delta_g > 0$ and $x_d, x_g \in [0,1]$. Non-linear plant (bottom right): the position equations scaled by an additional continuous state $p$, i.e. $\dot x_d = \delta'_d\, p\, u_d$ and $\dot x_g = \delta'_g\, p\, u_g$ with $x_d, x_g \in [0,1]$, and an equation for $\dot p$ in terms of $p$, $|u_d|$ and $|u_g|$ whose coefficients are not legible in this extraction; Engine and Pilot appear as external inputs. The rate constants, whose symbols were lost in extraction, are written $\delta$ here.]

As can be seen in the figure, the inputs to the static selector are the discrete states open, closed, in, out and cmd. These events are determined by the characterizer based on the sensed values of the door and gear position and the current pilot command. The same inputs are also used to determine the somewhat more complex conditions (guards) $g_i$ used in the dynamic selector.
The following formulas describe the condition for each change of state in the dynamic selector:

$g_1 = \mathit{open} \lor [7] \lor [1]$
$g_2 = (\lnot\mathit{cmd} \land ([8] \lor [2])) \lor (\mathit{cmd} \land ([9] \lor [3]))$
$g_3 = \mathit{closed} \lor [7] \lor [4]$
$g_4 = (\mathit{cmd} \land ([8] \lor [5])) \lor (\lnot\mathit{cmd} \land ([9] \lor [6]))$
$g_5 = \mathit{out} \lor [9] \lor [7]$
$g_6 = (\mathit{cmd} \land ([4] \lor [6])) \lor [1]$
$g_7 = \mathit{in} \lor [1] \lor [7]$
$g_8 = \lnot\mathit{cmd} \land ([4] \lor [5])$

where the conditions $[k]$ are given by

$[1] = \lnot\mathit{open} \land \mathit{closed} \land \lnot\mathit{in} \land \lnot\mathit{out}$
$[2] = \lnot\mathit{open} \land \mathit{closed} \land \lnot\mathit{in} \land \mathit{out}$
$[3] = \lnot\mathit{open} \land \mathit{closed} \land \mathit{in} \land \lnot\mathit{out}$
$[4] = \mathit{open} \land \lnot\mathit{closed} \land \lnot\mathit{in} \land \lnot\mathit{out}$
$[5] = \mathit{open} \land \lnot\mathit{closed} \land \lnot\mathit{in} \land \mathit{out}$
$[6] = \mathit{open} \land \lnot\mathit{closed} \land \mathit{in} \land \lnot\mathit{out}$
$[7] = \lnot\mathit{open} \land \lnot\mathit{closed} \land \lnot\mathit{in} \land \lnot\mathit{out}$
$[8] = \lnot\mathit{open} \land \lnot\mathit{closed} \land \lnot\mathit{in} \land \mathit{out}$
$[9] = \lnot\mathit{open} \land \lnot\mathit{closed} \land \mathit{in} \land \lnot\mathit{out}$

3.2 Closed loop models

Figure 3.1 combines the alternative models presented earlier in a uniform framework. In what follows we show the mathematical closed loop models for 3 of the 4 resulting models obtained by composing different selector and environment models. To begin with we take the coarsest model of the environment, which gives a time-linear evolution for the door and gear positions. This corresponds to choosing either of the selector models in Figure 3.1 and composing it with the differential equation model in the bottom left corner of the figure. To achieve this we further make the mappings in the interface between the controller and its environment (i.e. the characterizer and the effector) explicit.

Figure 3.2: The system built up from the time-linear environment model and the static selector. [Figure: the Selector, Characterizer, Effector and Environment boxes, with the pilot command $r$ as input.
Static selector:
$((\mathit{cmd} \land \lnot\mathit{out}) \lor (\lnot\mathit{cmd} \land \lnot\mathit{in})) \land \lnot\mathit{open} \land \lnot u_{12} \Leftrightarrow u_{11}$
$((\mathit{cmd} \land \mathit{out}) \lor (\lnot\mathit{cmd} \land \mathit{in})) \land \lnot\mathit{closed} \land \lnot u_{11} \Leftrightarrow u_{12}$
$\mathit{cmd} \land \mathit{open} \land \lnot\mathit{out} \land \lnot u_{22} \Leftrightarrow u_{21}$
$\lnot\mathit{cmd} \land \mathit{open} \land \lnot\mathit{in} \land \lnot u_{21} \Leftrightarrow u_{22}$
Characterizer: $\mathit{open} \Leftrightarrow x_d = 1$, $\mathit{closed} \Leftrightarrow x_d = 0$, $\mathit{in} \Leftrightarrow x_g = 0$, $\mathit{out} \Leftrightarrow x_g = 1$, $\mathit{cmd} \Leftrightarrow r > 0$.
Effector: $u_{11} \land \lnot u_{12} \Leftrightarrow u_d = 1$; $(\lnot u_{11} \land \lnot u_{12}) \lor (u_{11} \land u_{12}) \Leftrightarrow u_d = 0$; $\lnot u_{11} \land u_{12} \Leftrightarrow u_d = -1$; $u_{21} \land \lnot u_{22} \Leftrightarrow u_g = 1$; $(\lnot u_{21} \land \lnot u_{22}) \lor (u_{21} \land u_{22}) \Leftrightarrow u_g = 0$; $\lnot u_{21} \land u_{22} \Leftrightarrow u_g = -1$.
Environment: $\dot x_d = \delta_d u_d$, $\dot x_g = \delta_g u_g$, $\delta_d, \delta_g > 0$, $x_d, x_g \in [0,1]$.]
First we obtain a model of the system consisting of the static selector and the coarse environment model, as depicted in Figure 3.2. This model is clear enough from a representational point of view. However, the concrete mathematical models are presented in chapter 5. There, in order to prove the desired properties of the model, we embed the different system components in an interval-based temporal logic, Extended Duration Calculus. The proof system of EDC is then used for carrying out the logical reasoning about the intended properties. Note also that keeping the same selector and changing the environment model to a more realistic one is simply achieved by plugging in the bottom right model of the environment in Figure 3.1. Chapter 5 also includes the EDC model based on this architectural decomposition.

Next we consider the combination of the dynamic selector (top right box in Figure 3.1) with the time-linear environment model. In this case the somewhat simpler effector mapping from the discrete states of the selector to the parameters of the environment model is shown in Figure 3.3. This closed loop combination gives rise to a compact model of the system expressed in hybrid transition systems. Here we give an informal introduction to this formalism, followed by the actual model resulting from the above composition.

3.3 Hybrid Transition Systems

In [18] we formally define hybrid transition systems (HTS) as a modular extension of timed transition systems [11]. Here we give an informal account of the HTS formalism. In HTS, the system variables are partitioned into disjoint sets of input and state variables. Both input and state variables may be either continuous or discrete. The behaviour of the system is modelled by phases of continuous activity interleaved with discrete mode changes. In each mode, the change of the continuous state variables is defined by differential or algebraic equations, and the value of the discrete variables remains constant.
The change in each state variable is defined in terms of the other state and/or input variables, given as DAEs in state space form. Discrete mode changes take place only if the guard of some outgoing transition becomes true. A guard is a boolean condition over the input and state variables and elements from their value domains. We use hybrid transition graphs for representing HTS. Each mode $m$ of the system is represented by a node in the graph. With each node we associate one set of differential and algebraic equations, e.g. $x = G_m(x, u)$ and $\dot x = F_{m'}(x, u)$ in Figure 3.4. Each discrete transition in the system is represented by an arc in the graph labelled with a guard $g$ and a pair of timing constraints $[l, u]$. Transitions are taken instantaneously, whereas the delays $l$ and $u$ are non-negative real numbers. These timing constraints are essentially used to model delays in controllers. Hence, for plant models $l = u = 0$, except where explicit actuator delays are modelled.

Figure 3.3: The system built up from the dynamic selector and the time-linear environment. [Figure: the pilot command $r$ enters the Characterizer, which uses the mappings $\mathit{open} \Leftrightarrow x_d = 1$, $\mathit{closed} \Leftrightarrow x_d = 0$, $\mathit{in} \Leftrightarrow x_g = 0$, $\mathit{out} \Leftrightarrow x_g = 1$, $\mathit{cmd} \Leftrightarrow r > 0$. The Selector is the dynamic selector with modes idle, opening, closing, extending and retracting, guards $g_1, \ldots, g_8$ and delays $[1,1]$. The Effector maps modes to actuator values: $\mathit{opening} \Leftrightarrow u_d = 1 \land u_g = 0$, $\mathit{closing} \Leftrightarrow u_d = -1 \land u_g = 0$, $\mathit{extending} \Leftrightarrow u_d = 0 \land u_g = 1$, $\mathit{retracting} \Leftrightarrow u_d = 0 \land u_g = -1$, $\mathit{idle} \Leftrightarrow u_d = 0 \land u_g = 0$. The Environment is $\dot x_d = \delta_d u_d$, $\dot x_g = \delta_g u_g$, $\delta_d, \delta_g > 0$, $x_d, x_g \in [0,1]$.]

Figure 3.4: An example hybrid transition graph. [Figure: two nodes $m$ and $m'$ carrying the equations $x = G_m(x, u)$ and $\dot x = F_{m'}(x, u)$, connected by an arc labelled $g$ $[l, u]$.]

Figure 3.5: A HTS model of the closed loop system incorporating the timed selector and the time-linear hardware model. [Figure: five modes with their equations (signs following the effector mapping of Figure 3.3): idle $\dot x_d = 0$, $\dot x_g = 0$; extending $\dot x_d = 0$, $\dot x_g = \delta_g$; retracting $\dot x_d = 0$, $\dot x_g = -\delta_g$; opening $\dot x_d = \delta_d$, $\dot x_g = 0$; closing $\dot x_d = -\delta_d$, $\dot x_g = 0$. The arcs carry the guards $g_1, \ldots, g_8$, each with delay $[1, 1]$.]
3.3.1 Operational semantics

The operational semantics can be informally described as follows (see [18] for a formal definition). The system remains in its current mode $m$ while the guard $g$ is not true. If $g$ remains true over an interval of length $l$, then the system may move to the next mode $m'$. If $g$ remains true over an interval of length $u$, then the system must change its mode to $m'$. In other words, the system changes its mode from $m$ to $m'$ within $l$ and $u$ time units. If $l = u = 0$, then the mode change takes place instantaneously, as in the case of models for physical systems. On the other hand, $l = u \neq 0$ can be used to model deterministic delays in (cyclic) computational processes. When a continuous variable is defined by a differential equation in a mode, then the initial value of that variable is the same as its final value in the previous mode. Otherwise, if a continuous variable is defined by an algebraic equation, the value of the variable may change discontinuously in the transition. The new value will then be defined in terms of the other variables in accordance with the algebraic equation.

3.3.2 Parallel composition

Parallel composition is defined as a binary operator which produces a new HTS from two existing HTSs. The constituent subsystems are required to have no common state variables, but otherwise communicate through shared variables. The composition operator resembles the product operation in automata theory in the sense that the set of modes of the new HTS is the Cartesian product of the modes of the two original subsystems. The new set of state variables is the union of the subsystems' state variables, and the set of input variables is the union of the respective input variables reduced by the shared variables (used for internal communication).
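The timing semantics of 3.3.1 and the product construction of 3.3.2, as an added example in sampled time (not the report's own implementation). The sampling step DT, the door plant HTS and the one-arc controller HTS are constructed here; the door rate 2 is the one quoted in section 4.3.

```python
"""An executable reading of hybrid transition systems (HTS): modes carrying
rate equations, arcs labelled with a guard and timing bounds [l, u], the
timing semantics of 3.3.1 in sampled time, and parallel composition (3.3.2).

Added example, not code from the report. Constructed here: the sampling step
DT, a door plant HTS with rate 2 and zero-delay arcs, and a controller HTS
that commands the door with a unit delay [1, 1] on each arc."""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Tuple

DT = 0.5                     # sampling step (assumed)
Vars = Dict[str, float]      # valuation of state and input variables


@dataclass
class Arc:
    name: str
    src: str
    dst: str
    guard: Callable[[Vars], bool]  # condition over state and input variables
    l: float = 0.0                 # may leave once the guard has held l time units
    u: float = 0.0                 # must leave once it has held u time units


@dataclass
class HTS:
    state_vars: List[str]
    rates: Dict[str, Dict[str, Callable[[Vars], float]]]  # mode -> {x: dx/dt}
    arcs: List[Arc]
    outputs: Dict[str, Vars] = field(default_factory=dict)  # algebraic values per mode


def parallel(a: HTS, b: HTS) -> HTS:
    """Product of modes; every arc of one component is copied once per mode of
    the other component, which keeps its mode. State variables must be disjoint."""
    assert not set(a.state_vars) & set(b.state_vars), "shared state variables"
    rates, outputs, arcs = {}, {}, []
    for ma, mb in product(a.rates, b.rates):
        rates[f"{ma}|{mb}"] = {**a.rates[ma], **b.rates[mb]}
        outputs[f"{ma}|{mb}"] = {**a.outputs.get(ma, {}), **b.outputs.get(mb, {})}
    for t in a.arcs:
        arcs += [Arc(t.name, f"{t.src}|{mb}", f"{t.dst}|{mb}", t.guard, t.l, t.u)
                 for mb in b.rates]
    for t in b.arcs:
        arcs += [Arc(t.name, f"{ma}|{t.src}", f"{ma}|{t.dst}", t.guard, t.l, t.u)
                 for ma in a.rates]
    return HTS(a.state_vars + b.state_vars, rates, arcs, outputs)


def run(h: HTS, mode: str, v: Vars, steps: int) -> List[Tuple[float, str, Vars]]:
    """Sampled operational semantics: an arc is taken as soon as its guard has
    held for l time units (so the upper bound u is never exceeded); at most one
    discrete move per sample. Continuous variables carry their value across a
    move; the algebraic outputs of the new mode are applied at once."""
    held: Dict[str, float] = {}   # arc name -> time its guard has held so far
    trace = []
    t = 0.0
    for _ in range(steps):
        v = {**v, **h.outputs.get(mode, {})}
        for arc in h.arcs:
            if arc.src != mode:
                continue
            if arc.guard(v):
                held[arc.name] = held.get(arc.name, -DT) + DT   # 0 on first true sample
            else:
                held.pop(arc.name, None)
        for arc in h.arcs:
            if arc.src == mode and held.get(arc.name, -1.0) >= arc.l:
                mode = arc.dst
                held.pop(arc.name, None)
                v = {**v, **h.outputs.get(mode, {})}
                break
        trace.append((t, mode, dict(v)))
        for x, f in h.rates[mode].items():       # Euler step of the mode's equations
            v[x] = v[x] + f(v) * DT
        t += DT
    return trace


# Door plant (constructed): rate 2 while opening, zero otherwise; l = u = 0.
DOOR = HTS(
    state_vars=["xd"],
    rates={"closed": {"xd": lambda v: 0.0}, "opening": {"xd": lambda v: 2.0},
           "open": {"xd": lambda v: 0.0}},
    arcs=[Arc("start", "closed", "opening", lambda v: v["ud"] > 0),
          Arc("stop", "opening", "open", lambda v: v["xd"] >= 1.0)],
)

# Controller (constructed): sets ud = 1 one time unit after cmd, drops it one
# time unit after the door is open; the delay is the [1, 1] label of the arcs.
CTRL = HTS(
    state_vars=[],
    rates={"idle": {}, "act": {}},
    arcs=[Arc("go", "idle", "act", lambda v: v["cmd"] > 0, 1.0, 1.0),
          Arc("done", "act", "idle", lambda v: v["xd"] >= 1.0, 1.0, 1.0)],
    outputs={"idle": {"ud": 0.0}, "act": {"ud": 1.0}},
)


def demo(steps: int = 8) -> List[Tuple[float, str, Vars]]:
    """Closed loop from 'idle|closed' with the pilot command already given."""
    return run(parallel(CTRL, DOOR), "idle|closed", {"xd": 0.0, "cmd": 1.0}, steps)
```

The trace returned by demo() shows the controller leaving idle at t = 1.0, the plant starting at the next sample, the door reaching 1.0 at t = 2.0, and the command being withdrawn one time unit later.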
Since the state variables in the subsystems are disjoint, the set of di erential and algebraic equations in each new mode is the union of equations existing in the original subsystems restricted to the state variables of the composed system. Each transition in each subsystem gives rise to several transitions in the composed system, modelling the case where one subsystem changes its mode and the other remains in its current mode. 3.3.3 HTS representation of the landing gear The generic architecture and the modular character of hybrid transition systems can be used to obtain a compact mathematical representation of the closed loop system as depicted in Figure 3.5 where the guards gi are de ned in terms of xg, xd and r by translating the formulas over the events in, out, open, closed, cmd provided earlier using the characterizer mappings in Figure 3.3. In the chapters which follow we use the above models to analyze the safety and timeliness properties of the closed loop system. In particular, the above HTS model will be analysed using automatic veri cation techniques. 26 Chapter 4 Automatic veri cation In this chapter we give a brief survey of a number of automatic veri cation techniques applied to the landing gear models developed earlier. The tools employed in this study include both research prototypes and commercial modelling tools. Sections 4.3 to 4.4 provide more detail on this work and section 4.5 includes some comparative remarks. 4.1 Requirements Speci cations In order to analyse the models derived by means of formal veri cation techniques we need to state the essential requirements about the system in a formal language. According to our experience, in complex engineering applications there are great di culties in capturing these requirements (even when stated informally) in a systemmatic manner. 
However, despite the importance of the topic, here we leave out the issues connected with requirements engineering: the systematic decomposition of higher level requirements into lower level requirements, traceability, and so on. For the purpose of studying the verification techniques, we simply assume that certain safety and timeliness requirements can be identified and stated. Using a mathematical model of the closed loop system, our main concern has been to study two safety and timeliness properties of the system, that is:

Safety: the closed loop model guarantees that the door and the gear will not collide in movement;

Timeliness: given that the pilot command is not changed more frequently than every $t$ seconds, the composed system has the property that a pilot command leads to the desirable state ("closed and extended" or "closed and retracted") within $d$ seconds ($t$ $d$).

In what follows, and also in the next chapter, we show variations of the methods applied to verify these properties formally.

4.2 State space search in Statemate

A primitive technique for detecting violations of safety properties uses systematic and exhaustive search of the state space. This method is obviously not optimal for large systems, but it is unfortunately the only verification technique available in commercial environments for high level design descriptions of complex systems [footnote 1]. One such specification tool is Statemate, which supports the development of high level hierarchical specifications and code generation from statecharts. The "dynamic check" facility in Statemate falls into the above category and should be seen as an organized simulation of a particular design description until a proof of violation of a certain property is obtained. The exploration of the state space follows all possible execution branches according to the version of statecharts semantics implemented in Statemate [10].
Note that we consider Statemate a semi-formal software engineering tool because a formal semantics exists only for a fragment of the features supported by the tool. For example, the different model views, i.e. the dataflow-like language of activity charts and the architectural view provided by module charts, have not been mathematically connected to the statecharts language. Also, a formal semantics has only been provided for the pure event-based fragment of statecharts, although state variables with value domains ranging over the reals or integers are also supported by the tool [footnote 2]. The latter feature was exploited in representing the closed loop model for the landing gear, in order to stay as close to the hybrid mathematical model as possible. We found that modelling controllers with complex control structures is not a problem, but continuous plant models have to be represented as discrete time (difference) equations. The landing gear model at the top-most level can be presented in Statemate according to Figure 6.1 in the Appendix. It includes a test environment by parallel composition with a pilot model and a clock which can be reset for verifying timeliness properties (a timer). The door and gear are represented as state machines with one state, where the event of entering the state at every system time step coincides with incrementing the value of the door (respectively gear) position by a constant value. The model for the door is depicted as the statechart in Figure 6.2.

Footnote 1: We classify system specifications in propositional logic, as supported by NP Tools (Logikkonsult AB) for example, as low level descriptions into which higher level system specifications may well be transformed eventually.

Footnote 2: A full formal semantics for the Statemate languages is, though, a topic of active research. So is the translation of statechart-like languages to boolean equations or BDDs.
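The discrete-time closed loop of this section, built from the static selector and the characterizer and effector mappings of Figure 3.2 and searched exhaustively for a watchdog alarm, as an added example (not code from the report or from Statemate). It assumes a 0.1 s sampling interval, the rates 2 and 1 quoted in section 4.3, positions held as integers in tenths, and a pilot free to change the command at every step; the selector outputs of the previous step serve as the latches that the mutual $\lnot u$ references in Figure 3.2 require.

```python
"""Discrete-time closed loop of the landing gear (static selector, time-linear
plant) with an exhaustive state-space search for a safety watchdog.

Added example, not code from the COHSY report. Constructed assumptions: a
sampling interval of 0.1 s, door rate 2 and gear rate 1 (section 4.3),
positions kept as integers in tenths (0..10), and a pilot who may change the
command at every step."""
from collections import deque
from typing import NamedTuple, Optional, Tuple

FULL = 10       # position 1.0 in tenths
DOOR_STEP = 2   # rate 2 over a 0.1 s step, in tenths
GEAR_STEP = 1   # rate 1 over a 0.1 s step, in tenths


class State(NamedTuple):
    xd: int    # door position: 0 = closed, FULL = open
    xg: int    # gear position: 0 = in, FULL = out
    u11: bool  # selector outputs of the previous step (the latches)
    u12: bool
    u21: bool
    u22: bool


def characterizer(s: State, r: int) -> dict:
    """Events of Figure 3.2 from the positions and the pilot input r."""
    return {"open": s.xd >= FULL, "closed": s.xd <= 0,
            "in": s.xg <= 0, "out": s.xg >= FULL, "cmd": r > 0}


def static_selector(e: dict, s: State) -> Tuple[bool, bool, bool, bool]:
    """Boolean mappings of Figure 3.2; the cross references to the other u
    are read from the previous step, so they act as latches."""
    cmd, opn, clo, inn, out = e["cmd"], e["open"], e["closed"], e["in"], e["out"]
    u11 = ((cmd and not out) or (not cmd and not inn)) and not opn and not s.u12
    u12 = ((cmd and out) or (not cmd and inn)) and not clo and not s.u11
    u21 = cmd and opn and not out and not s.u22
    u22 = (not cmd) and opn and not inn and not s.u21
    return u11, u12, u21, u22


def effector(u11: bool, u12: bool, u21: bool, u22: bool) -> Tuple[int, int]:
    """u_d, u_g in {-1, 0, 1}; both inputs true give 0, as in Figure 3.2."""
    ud = 1 if (u11 and not u12) else -1 if (u12 and not u11) else 0
    ug = 1 if (u21 and not u22) else -1 if (u22 and not u21) else 0
    return ud, ug


def step(s: State, r: int) -> Tuple[State, Tuple[int, int]]:
    """One sampling period: the successor state and the (u_d, u_g) applied."""
    u = static_selector(characterizer(s, r), s)
    ud, ug = effector(*u)
    xd = min(FULL, max(0, s.xd + DOOR_STEP * ud))
    xg = min(FULL, max(0, s.xg + GEAR_STEP * ug))
    return State(xd, xg, *u), (ud, ug)


def watchdog_violated(s: State, ud: int, ug: int) -> bool:
    """Alarm: the gear moves while the door is not fully open, or while the
    door itself moves (the stronger property used in section 4.4)."""
    return ug != 0 and (s.xd < FULL or ud != 0)


INITIAL = State(0, 0, False, False, False, False)


def search(initial: State = INITIAL) -> Tuple[int, Optional[list]]:
    """Exhaustive breadth-first search over both pilot choices at every step.
    Returns (number of reachable states, counterexample trace or None)."""
    seen = {initial}
    queue = deque([(initial, [initial])])
    while queue:
        s, trace = queue.popleft()
        for r in (0, 1):
            nxt, (ud, ug) = step(s, r)
            if watchdog_violated(s, ud, ug):
                return len(seen), trace + [nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [nxt]))
    return len(seen), None


def steps_to_goal(r: int, initial: State = INITIAL, limit: int = 200) -> Optional[int]:
    """Timeliness: steps until the door is closed and the gear is at the
    commanded position under a constant command r, or None within limit."""
    s = initial
    goal_xg = FULL if r else 0
    for k in range(1, limit + 1):
        s, _ = step(s, r)
        if s.xd == 0 and s.xg == goal_xg:
            return k
    return None


if __name__ == "__main__":
    count, bad = search()
    print("reachable states:", count, "counterexample:", bad)
    print("steps to 'closed and extended' after a landing command:", steps_to_goal(1))
```

With these parameters the landing sequence (open the door, extend the gear, close the door) takes 20 samples, i.e. 2.0 s, and the search finds no alarm state however the pilot toggles the command.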
Note that the continuous mathematical model is thus transformed to a discrete time model using a specific sampling interval. The model of the controller corresponds in a natural way to the dynamic model at the top right of Figure 3.1, where an intermediate state is introduced to model the waiting of the system for the duration of the transition delay. This is depicted in Figure 6.3. Next we show how the requirements specifications are modelled. To check each requirement we devise a watchdog which observes the variables of all the system components and takes the transition from a safe to an alarm state whenever the required property is violated. The watchdog for the timeliness property is shown in Figure 6.4. The search for reachable unsafe states (or overdue responses) is then taken care of by the dynamic check analysis function in Statemate over the landing gear test system together with the watchdog.

4.3 Symbolic model checking with HyTech

Within the algorithmic techniques for hybrid models a specific subclass of models dominates the scene. These are hybrid systems in which the continuous variables change at a linear rate with time (e.g. our coarsest model of the hydro-mechanics). One of the suggested methods is symbolic model checking, originally developed for purely discrete models using representations in binary decision diagrams (BDD) [16]. Nicollin et al. and Alur et al. extend this method to proving properties of timed and hybrid systems [22, 2]. Linear hybrid automata (LHA) is an example formalism [1] in which symbolic model checking can be used as a verification technique. This method works on partitions of the infinite state space of the system. Symbolic manipulation is performed on finite descriptions (polyhedra) of infinite sets of points in the n-dimensional state space.

Figure 4.1: A possible model for the pilot in LHA: changing commands every 5 seconds. [Figure: two locations, not-landing ($\lnot\mathit{cmd}$, $\dot t = 1$) and landing ($\mathit{cmd}$, $\dot t = 1$), entered initially with $t := 0$; each has a transition to the other guarded by $t = 5$ that resets $t := 0$.]
More precisely, the set of reachable states is computed symbolically by iterative computation of the fixed point of a function, whereby the unreachability of unsafe states can be proved if the fixed point computation terminates. The problem is in general undecidable for hybrid systems (even with the restriction to LHA), but there are suggestions that the computations terminate for most practical cases. This is a proposition which we have tested in this practical example.

The symbolic model checking tool that we have tested is the HyTech prototype implemented by Henzinger et al. The tool accepts a model of the hybrid system and its surrounding environment (the pilot) in a restricted form of LHA. It also requires a set of "bad" states characterized as a boolean expression over the continuous state variables. In our example the bad states are those in which the door is not open and the gear is moving. The hybrid model of the landing gear was therefore transformed to a form suitable for this software tool: Figure 3.5 was transformed into the (textual) syntax accepted by HyTech (later versions of HyTech have a graphical interface, but this work used the 1994 version). This involved several straightforward but tedious transformations, mainly because non-convex guards and invariances are not accepted. The model for alternative pilots can be provided as different LHA; for example, Figure 4.1 presents a pilot who changes the landing command every 5 seconds.

Our experiments show the viability of the technique for applications with subcomponents which can be assumed to have time-linear evolutions. At the same time they point out the need for a higher level representation of the design than that accepted by HyTech. After splitting the transitions and locations, and when several local clocks are added to a system, the representation in HyTech is far from the simple compact model presented in Figure 3.5.
The results of the experiments with the above example can be summarized as follows:

All experiments with the tool terminated within seconds.

The hybrid model of the landing gear was verified to have the safety property "the door is always open when the gear is in movement". This was proved with many different pilot models, starting from an initial configuration in which the controller was idle, the door closed and the gear in.

For a door which is opened (closed) at a rate of 2 (-2) and a gear which is extended (retracted) at a rate of 1 (-1), and for different pilots who change the landing command at different rates, several experiments were performed to check the timeliness requirements; for example, whether it is always the case that the door is closed and the gear extended within 7 seconds of issuing the landing command (and similarly for the not-landing command), if the pilot changes the command every 5 seconds.

4.4 Verification of safety properties in Esterel

A common approach to modelling and verification of discrete control systems is the discrete event approach, whereby the system is represented as a parallel composition of a set of finite automata. The requirements may be represented according to different preferences (e.g. as formulas in a temporal logic or as finite automata). Although the theory for synthesis of discrete controllers has existed for a while [25], its application to verification requires obtaining natural discrete models of the plant, and practical automatic verification tools. In this section we report on an application of these ideas within the development environment of Esterel, a language falling in the framework of synchronous languages [8]. This family of languages has the benefit of a formal semantics (as synchronous I/O machines or Mealy automata) and an intuitive appeal within the engineering community.
One may ask why formal verification in such a setting deserves attention when the recent advances in verification techniques lie in the timed and hybrid domains. One argument is the attractiveness of the code generation capabilities in the development environments for this class of languages. Once the model of a controller in interaction with a plant has been formally verified for certain properties, the high level controller representation can be automatically translated to C, Ada or a circuit design language. Furthermore, models in Esterel and statecharts with the above underlying semantics can be bridged to models in the dataflow languages Lustre and Signal (with the associated commercial tools, e.g. SAO+).

Our application of these techniques to the landing gear example rests on two basic ideas. First, that realistic discrete models of the mechanics and hydraulics can be developed once the physically driven models are available and well understood. Second, that the safety requirements can easily be encoded as synchronous observers [9] of the plant and the controller. An observer is a reactive state machine which "watches" the emitted signals of another machine. If a particular safety property is violated, the observer emits an alarm (the $\alpha$ signal). Formal verification amounts to checking that a parallel composition of the observer and the system does not emit alarms. This approach suits verifying safety properties (i.e. "something bad will not happen"). For bounded response properties (i.e. "something good will happen within $x$ steps") formulas of temporal logic are easier to specify. There exists, however, a system which gives an automatic translation of such a property in temporal logic to a synchronous observer [12].

In [34] we report on whether a property of the system should be proved on a model of the composition of its subsystems, or whether it should be split into different properties of the subsystems and proved separately for each subsystem.
The study of compositional versus decompositional proof techniques in the case of tightly interacting systems is exemplified by providing the numbers of states and transitions (and hence the size of the proofs and intermediate proof steps) in both the compositional and the decompositional method. In what follows we include a number of models developed for the purpose of the study in [34]. For example, Figure 4.2 depicts the door model as an I/O machine automatically obtained from the Esterel compilation process and drawn by the autograph package. Transitions on the graphs are signal-operator pairs concatenated by full stops. The '!' operator represents that a signal is being output, a '?' operator represents signal input, and '#' is an operator representing the absence of a signal from the input of a reaction. The machine in figure 4.2 has four states, the double-ringed one representing the initial state. The two states shown on the left and right of the diagram represent the fact that the door is stationary, and open or closed respectively. The top and bottom states represent the movement of the door.

Figure 4.2: A model of the door as an I/O machine showing input and output signals. [Figure: states OPEN, OPENING, CLOSING and CLOSED. Inputs: od (open door), cd (close door), dq (door query). Outputs: dro (door open), dc (door closed), d (door in motion).]

Figure 4.3: An observer of the safety property that the door and gear do not collide. The actual observer is the parallel composition of these two machines. [Figure: two machines over the inputs d (door in motion), g (gear in motion), dro (door open) and dc (door closed), with the output $\alpha$ (alarm).]

The door can receive three inputs: od and cd are requests from the controller for the door to be opened and closed respectively, and dq is a request from the controller for the door to report its state. As we can see from the transitions, if the door is stationary (in state OPEN or CLOSED) and it receives a dq, it reports its current state with the output dro or dc (door open and door closed). If the door is in motion, the dq signal is ignored. On the transition from OPENING to the OPEN state the door emits a dro without prompting (and of course a dc for the corresponding CLOSING case). The signal d indicates the movement of the door. It is emitted spontaneously on an empty input whenever the position of the door is updated, i.e. when the door moves. The model for the gear is very similar in structure; only the opening and closing actions are replaced by extending and retracting.

The property that we are interested in verifying is that the landing gear and the door will not collide. This property we prove by proving the stronger property that the door should always be open and stationary when the landing gear is in motion. This second property can be seen as two properties: that the door and gear are never moving at the same time, and that the door is always open when the gear is in motion. Notice that both properties are properties of the composed system, and cannot hold over just the plant or the controller. These two properties can be checked by a pair of observer machines combined in parallel. Figure 4.3 shows these machines.
The first simply emits an alarm ($\alpha$ signal) and halts whenever an event occurs containing the signals g and d at the same time, indicating that the door and gear have moved at the same time. The second machine watches the signals dro and dc, which are sensor states from the plant emitted when the door is open and closed respectively. This second machine emits an alarm if g ever occurs when the sensors have indicated that the door is not open. In order to check that the system satisfies the safety property, the complete observer was combined in parallel with the system, and the resulting state machine was checked for the emission of alarm ($\alpha$) signals. This verification exercise is fully described in [34].

4.5 Discussion

Each of the approaches described above has positive and negative characteristics.

4.5.1 Comparison of tools

Our Statemate and Esterel verifications were based on standard search in the state space, whereas HyTech uses a more advanced representation of the search space. This is useful for larger systems or systems with infinite state spaces. Later versions of the Esterel environment, however, provide translations to BDDs and thus facilitate symbolic model checking. Note that HyTech is a representative of a family of symbolic model checkers (including SMC, Uppaal, Kronos, Spin) all developed in recent years based on similar techniques but with differing levels of expressivity in the languages used. Such symbolic model checking packages can be incorporated in future commercial verification tools to make their application to realistic examples more practical. As far as the user interface is concerned, Statemate is a stable commercial tool with a reasonable (but far from perfect) user interface, whereas the other two tools are advanced research prototypes with less user support. The Esterel and Statemate environments support automatic translation to code (C, Ada or circuits), whereas HyTech is essentially an analysis tool.
Another practical aspect of the verification activity is the need for some indication of the reason for failure to comply with a requirement. As models get more complex, the compliance of the design of a dynamic system with its requirement specifications becomes more of an exception than a rule. Hence, trace facilities for finding the cause of reachability of the "bad" states are an essential ingredient. None of the tool versions examined could give diagnostic information to trace the cause of the reachability of bad states. They simply report that a bad state was reachable, and return the set of reachable bad states.

4.5.2 Modelling and language issues

Obviously none of the languages support the development of the natural (hybrid) model provided earlier as an HTS in Figure 3.5. However, statecharts could be used in this particular case to get models with timers and integrators, preserving much of the structure in the HTS. This was dependent on a translation of the differential equations into difference equations. The translation from the HTS to LHA, which was needed by HyTech, necessitates the addition of invariances at the different locations of the LHA. The motivation for invariances in the LHA formalism is the need to force progress, which in turn allows the representation of upper bounds on the enabling of the guards. The operational semantics of HTS ensures progress if the guard of some outgoing transition from a mode is satisfied. The motivation there is the intrinsic (causal) determinism in physical plants and the need for reactive and deterministic behaviour in real-time controllers (i.e. every input in every state has a well-defined and unique reaction). Hence, for the deterministic example we have here, the invariance at an LHA location simply becomes the "inverse" of the guard(s) of the outgoing transition(s). Having time-determinism (the same lower and upper bound on each transition) also makes the translation to an LHA straightforward.
A clock has to be reset on entry to each location and advanced until the deterministic bound is reached. However, if there are many transitions with nondeterministic timing constraints (different lower and upper bounds), then the LHA model becomes much more cluttered than the HTS model.

The above discussion can be summarized as follows. The form and content of the model subject to analysis is determined by several factors. In particular, the property we have to prove about the model, the analysis technique adopted and the available tool have a major impact. It is therefore of utmost importance that the translations between different modelling levels (languages) preserve all the necessary properties of the model. Thus modelling continues to be an important step within the formal verification process.

Chapter 5 Verifying non-linear hybrid models

In this chapter we adopt a deductive approach to the verification of hybrid models. The approach builds on the representation of the closed loop model and the required properties in a variant of interval temporal logic called Extended Duration Calculus (EDC). Verifying that the requirements are met by the given model is then achieved by proving theorems in the proof system of the logic. In this chapter we show the details of the proofs for two of the four closed loop models presented earlier in the report. First we show how proofs in EDC can be used to verify the design consisting of the static controller and the coarse environment model. Next, we show that the proof for the closed loop system consisting of the static controller and the non-linear environment model can be carried out by just adding two extra lemmas and preserving the proof structure for the simpler plant model.

5.1 A brief introduction to EDC

We use the version of EDC in accordance with [26], in which a mathematical theory about state functions is assumed as given.
The syntactic constituents of the language are state names ($f, g, \dot f, \dot g$, etc.) denoting real-valued functions on time, boolean state names denoting boolean-valued functions on time, operators and relations on real numbers, and propositional logic operators, resulting in state expressions and state assertions. For example, here the state names $x_d, x_g, \dot x_d, \dot x_g$, the boolean state names open and closed, as well as the other boolean state names are constituents of the mathematical theory over which assertions can be made.

Furthermore, EDC uses the notions of "length of an interval" and "duration". The length of an interval is equal to the duration of the constant boolean state true (which has the value 1 at any time), expressed as $\ell = \int \mathit{true}$. For $Q$ an assertion, the notion of $Q$ holding over an interval (written $\lceil Q \rceil$) is related to durations by the following definition:

$$\lceil Q \rceil \;\hat{=}\; (\textstyle\int Q = \ell) \wedge (\ell > 0)$$

Informally speaking, state assertions evaluate to 0 or 1, whereby their durations can be reasoned about. In particular, true and false as state assertions evaluate to 1 and 0 respectively. Atomic duration formulas have the form $\lceil Q \rceil$ or $\rho(dt_1, \ldots, dt_n)$ where $\rho$ is an $n$-ary relation on reals and the $dt_i$ are duration terms. Duration terms have essentially the form $\int se$ (for a state expression $se$), $\mathbf{b}.se$ and $\mathbf{e}.se$, denoting the value of the state expression $se$ at the beginning and end of an interval respectively, and terms built with operators on reals. Compound duration formulas are built from atomic formulas using the usual logical connectives as well as the chop connective of interval temporal logic (denoted by $;$), which chops an interval into two parts.

Formulas are interpreted over an interval $[b, e]$ in an interpretation $\mathcal{I}$. An interpretation $\mathcal{I}$ assigns values to the state names, types and operator symbols of the language. In particular, $\mathcal{I}(\ell)[b, e] = e - b$. The semantics of the chop operator is defined as follows. The meaning of the formula $D_1 ; D_2$ in an interpretation $\mathcal{I}$ over an interval $[b, e]$ is:

$$\mathcal{V}_{\mathcal{I}}, [b, e] \models D_1 ; D_2 \quad\text{iff}\quad \mathcal{V}_{\mathcal{I}}, [b, m] \models D_1 \text{ and } \mathcal{V}_{\mathcal{I}}, [m, e] \models D_2 \text{ for some } m \in [b, e].$$

A formula $D$ is satisfiable in an interpretation $\mathcal{I}$ (written $\mathcal{V}_{\mathcal{I}} \models D$) iff $\mathcal{V}_{\mathcal{I}}, [0, t] \models D$ for all $t \in \mathit{TIME}$. The set of time points $\mathit{TIME}$ is usually chosen to be $\mathbb{R}_{\ge 0}$. A formula $D$ is valid (written $\models D$) iff $\mathcal{V}_{\mathcal{I}} \models D$ for every interpretation $\mathcal{I}$.

The following abbreviations are introduced at the formula level:

$\lceil\,\rceil \;\hat{=}\; \ell = 0$ (the empty interval)
$\Diamond D \;\hat{=}\; \mathit{true} ; D ; \mathit{true}$ ($D$ holds in some sub-interval)
$\Box D \;\hat{=}\; \neg\Diamond\neg D$ ($D$ holds in every sub-interval)

Next we present a number of proof rules (laws) from the proof system of EDC [26] which will be used in the proofs later on in the chapter.

P-And: $\lceil P \wedge Q \rceil \Leftrightarrow \lceil P \rceil \wedge \lceil Q \rceil$
P-Always: $\lceil P \rceil \Rightarrow \Box(\lceil P \rceil \vee \lceil\,\rceil)$
Somewhere-Neg: $\neg\Diamond D \Leftrightarrow \Box\neg D$ and $\Diamond\neg D \Leftrightarrow \neg\Box D$
Always-intro: $\Box D \wedge (D_1 ; D_2) \Rightarrow (\Box D \wedge D_1) ; (\Box D \wedge D_2)$
Always-Once-Somewhere: $\Box D \Rightarrow D$ and $D \Rightarrow \Diamond D$
Zero: $\int \mathit{false} = 0$
Chop-false: $D ; \mathit{false} \Rightarrow \mathit{false}$ and $\mathit{false} ; D \Rightarrow \mathit{false}$
Chop-P-Or: $\lceil P_1 \vee P_2 \rceil ; \mathit{true} \Leftrightarrow \lceil P_1 \rceil ; \mathit{true} \vee \lceil P_2 \rceil ; \mathit{true}$
Dur-Chop: $(\int P = r_1) ; (\int P = r_2) \Leftrightarrow \int P = r_1 + r_2$
Chop-Exists: $D_1 ; (\exists v : T \cdot D_2) \Leftrightarrow \exists v : T \cdot (D_1 ; D_2)$, provided $v$ does not occur free in $D_1$
Continuity: $\mathbf{e}.se = v_1 ; \mathbf{b}.se = v_2 \Rightarrow v_1 = v_2$

Note that the last law applies only to continuous state expressions. In the proofs which follow we sometimes use the motivation "analysis", meaning that the current line follows from the immediately preceding line by real arithmetic. We also use the motivation PL whenever the preceding line in the proof leads to the current line according to the rules of predicate logic. We further include two general EDC results which will also be used in later proofs.

Lemma 1 For duration formulas $D_1$, $D_2$ and $D_3$:
$$\Box D_1 \wedge (D_2 ; D_3) \Rightarrow (D_1 \wedge D_2) ; (D_1 \wedge D_3)$$

Proof:
$\Box D_1 \wedge (D_2 ; D_3)$
⇒ {Always-intro} $(\Box D_1 \wedge D_2) ; (\Box D_1 \wedge D_3)$
⇒ {Always-Once-Somewhere} $(D_1 \wedge D_2) ; (D_1 \wedge D_3)$ □

Lemma 2 For state assertions $P_1$, $P_2$ and $P_3$:
$$\lceil P_1 \rceil \wedge (\lceil P_2 \rceil ; \lceil P_3 \rceil) \Rightarrow (\lceil P_1 \rceil \wedge \lceil P_2 \rceil) ; (\lceil P_1 \rceil \wedge \lceil P_3 \rceil)$$

Proof:
$\lceil P_1 \rceil \wedge (\lceil P_2 \rceil ; \lceil P_3 \rceil)$
⇒ {P-Always} $\Box(\lceil P_1 \rceil \vee \lceil\,\rceil) \wedge (\lceil P_2 \rceil ; \lceil P_3 \rceil)$
⇒ {Always-intro} $(\Box(\lceil P_1 \rceil \vee \lceil\,\rceil) \wedge \lceil P_2 \rceil) ; (\Box(\lceil P_1 \rceil \vee \lceil\,\rceil) \wedge \lceil P_3 \rceil)$
⇒ {Always-Once-Somewhere} $((\lceil P_1 \rceil \vee \lceil\,\rceil) \wedge \lceil P_2 \rceil) ; ((\lceil P_1 \rceil \vee \lceil\,\rceil) \wedge \lceil P_3 \rceil)$
⇒ {PL} $((\lceil P_1 \rceil \wedge \lceil P_2 \rceil) \vee (\lceil\,\rceil \wedge \lceil P_2 \rceil)) ; ((\lceil P_1 \rceil \wedge \lceil P_3 \rceil) \vee (\lceil\,\rceil \wedge \lceil P_3 \rceil))$
⇒ {Defn, analysis} $((\lceil P_1 \rceil \wedge \lceil P_2 \rceil) \vee \mathit{false}) ; ((\lceil P_1 \rceil \wedge \lceil P_3 \rceil) \vee \mathit{false})$
⇒ {PL} $(\lceil P_1 \rceil \wedge \lceil P_2 \rceil) ; (\lceil P_1 \rceil \wedge \lceil P_3 \rceil)$ □

(The step marked Defn, analysis uses that $\lceil\,\rceil$ requires $\ell = 0$ whereas $\lceil P_2 \rceil$ and $\lceil P_3 \rceil$ require $\ell > 0$.)

Table 5.1: Declaration of states and global variables.

Name : Type  Description
$x_d : \mathbb{R} \to \mathbb{R}$  Plant state: door position (closed: 0, opened: 1)
$x_g : \mathbb{R} \to \mathbb{R}$  Plant state: gear position (retracted: 0, extended: 1)
$\alpha_d : \mathbb{R}$  Plant parameter: door speed
$\alpha_g : \mathbb{R}$  Plant parameter: gear speed
$u_{11} : \mathbb{R} \to \{0, 1\}$  Controller command: open door (hold: 0, open: 1)
$u_{12} : \mathbb{R} \to \{0, 1\}$  Controller command: close door (hold: 0, close: 1)
$u_{21} : \mathbb{R} \to \{0, 1\}$  Controller command: extend gear (hold: 0, extend: 1)
$u_{22} : \mathbb{R} \to \{0, 1\}$  Controller command: retract gear (hold: 0, retract: 1)
$r : \mathbb{R} \to \{0, 1\}$  Pilot command: extend gear (retract: 0, extend: 1)

5.2 EDC model of the landing gear

Table 5.1 gives the declaration of the constituents of the coarse plant model of the landing gear. Using the above notation and the architectural breakdown in Figure 3.2, the closed loop system for the landing gear is represented by
$$S \;\hat{=}\; P \wedge C$$
where the plant model is $P \;\hat{=}\; \mathit{Env} \wedge E$ and the controller model is $C \;\hat{=}\; \mathit{Char} \wedge \mathit{Sel}$. Here $\mathit{Env}$, $\mathit{Char}$, $\mathit{Sel}$ and $E$ are assertions within the underlying mathematical theory, defined in accordance with the formulas provided in the corresponding boxes of Figure 3.2. The behaviour of the system over an interval of time can then be represented by lifted duration formulas over these assertions.
Note that the composition of the environment and effector models leads to the following two sets of constraints on the door and gear parts of the model respectively, that is, $\lceil P \rceil \Rightarrow \lceil P_1 \rceil \wedge \lceil P_2 \rceil$.

$$P_1 \;\hat{=}\; \left\{\begin{array}{l} (u_{11} \wedge \neg u_{12} \Rightarrow \dot x_d = \alpha_d) \wedge ((\neg u_{11} \wedge \neg u_{12}) \vee (u_{11} \wedge u_{12}) \Rightarrow \dot x_d = 0) \wedge (\neg u_{11} \wedge u_{12} \Rightarrow \dot x_d = -\alpha_d) \\ 0 \le x_d \le 1 \\ 0 < \alpha_d \le 1 \end{array}\right. \quad (5.1)$$

$$P_2 \;\hat{=}\; \left\{\begin{array}{l} (u_{21} \wedge \neg u_{22} \Rightarrow \dot x_g = \alpha_g) \wedge ((\neg u_{21} \wedge \neg u_{22}) \vee (u_{21} \wedge u_{22}) \Rightarrow \dot x_g = 0) \wedge (\neg u_{21} \wedge u_{22} \Rightarrow \dot x_g = -\alpha_g) \\ 0 \le x_g \le 1 \\ 0 < \alpha_g \le 1 \end{array}\right. \quad (5.2)$$

Likewise, the selector and characterizer models can be combined to give the following EDC formulation:

$$C \;\hat{=}\; \left\{\begin{array}{l} ((r > 0 \wedge \neg(x_g \ge 1)) \vee (r \le 0 \wedge \neg(x_g \le 0))) \wedge \neg(x_d \ge 1) \wedge \neg u_{12} \Leftrightarrow u_{11} \\ ((r > 0 \wedge (x_g \ge 1)) \vee (r \le 0 \wedge (x_g \le 0))) \wedge \neg(x_d \le 0) \wedge \neg u_{11} \Leftrightarrow u_{12} \\ r > 0 \wedge (x_d \ge 1) \wedge \neg(x_g \ge 1) \wedge \neg u_{22} \Leftrightarrow u_{21} \\ r \le 0 \wedge (x_d \ge 1) \wedge \neg(x_g \le 0) \wedge \neg u_{21} \Leftrightarrow u_{22} \end{array}\right. \quad (5.3)$$

Given the static controller model, for example, it is possible to verify
$$\lceil C \rceil \Rightarrow \lceil \neg(u_{11} \wedge u_{12}) \rceil \quad (5.4)$$
$$\lceil C \rceil \Rightarrow \lceil \neg(u_{21} \wedge u_{22}) \rceil \quad (5.5)$$
i.e. open and close (extend and retract) commands can never be issued simultaneously. Also, the overall system model can be summarized by the following invariant:
$$\Box(\neg\lceil \neg S \rceil \wedge \mathit{continuous}(x_d) \wedge \mathit{continuous}(x_g)).$$
Note that different mathematical models for the closed loop system are simply obtained by replacing some assertion with a new one. This will be illustrated in more detail in Section 5.6.

5.3 Requirement specifications in EDC

We now present the EDC formulations of the two closed loop system properties which were presented in the last chapter. First we consider the safety property, i.e. the fundamental requirement that the gear must never move when the door is not fully open. This requirement $R_1$ may be formalized as
$$R_1 \;\hat{=}\; \Box\neg\lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil \quad (5.6)$$
The second, performance (or timeliness) property requires that the extension (or retraction) be completed within $T$ time units. It is formalized by the two formulae $R_2$ and $R_3$:
$$R_2 \;\hat{=}\; \Box\neg((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil) \quad (5.7)$$
$$R_3 \;\hat{=}\; \Box\neg((\lceil r \le 0 \rceil \wedge \ell = T) ; \lceil \neg(x_g \le 0 \wedge x_d \le 0) \rceil) \quad (5.8)$$
In other words, it is never the case that the landing (no landing) command is in operation for an interval of length $T$ and the desired effect has not been achieved immediately after the interval. In order to verify these properties we thus have to prove
$$\lceil S \rceil \Rightarrow R_1 \wedge R_2 \wedge R_3.$$
In the following two sections we give the proofs for requirements $R_1$ and $R_2$. The proof for $R_3$ is analogous to the one for $R_2$ and is therefore omitted.

5.4 Verification of R1

In order to verify the first requirement we employ proof by contradiction within the proof system of EDC [26]. Before that we need the following lemma, which gives a property of the application model as presented in Section 5.2.

Lemma 3 $\lceil P \wedge C \rceil \wedge \lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil \Rightarrow \mathit{false}$ □

Proof:
$\lceil P \wedge C \rceil \wedge \lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil$
⇒ {P-And} $\lceil P \wedge C \wedge \dot x_g \ne 0 \wedge x_d < 1 \rceil$
⇒ {5.2, PL} $\lceil C \wedge \neg((\neg u_{21} \wedge \neg u_{22}) \vee (u_{21} \wedge u_{22})) \wedge x_d < 1 \rceil$
⇒ {PL} $\lceil C \wedge ((u_{21} \wedge \neg u_{22}) \vee (\neg u_{21} \wedge u_{22})) \wedge x_d < 1 \rceil$
⇒ {5.3, PL} $\lceil ((x_d \ge 1) \vee (x_d \ge 1)) \wedge x_d < 1 \rceil$
⇒ {PL} $\lceil \mathit{false} \rceil$
⇒ {Defn} $\int \mathit{false} = \ell > 0$
⇒ {Zero} $0 = \ell > 0$
⇒ {analysis} $\mathit{false}$ □

Next we present the proof of the safety property.

Theorem 1 $\lceil S \rceil \wedge \neg R_1 \Rightarrow \mathit{false}$ □

Proof:
$\lceil P \wedge C \rceil \wedge \neg\Box\neg\lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil$
⇒ {Somewhere-Neg, PL} $\lceil P \wedge C \rceil \wedge \Diamond\lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil$
⇒ {Defn} $\lceil P \wedge C \rceil \wedge (\mathit{true} ; \lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil ; \mathit{true})$
⇒ {P-Always} $\Box(\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge (\mathit{true} ; \lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil ; \mathit{true})$
⇒ {Lemma 1} $((\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge \mathit{true}) ; ((\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge \lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil) ; ((\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge \mathit{true})$
⇒ {Lemma 3, PL} $(\lceil\,\rceil \vee \lceil P \wedge C \rceil) ; (\lceil\,\rceil \wedge \lceil \dot x_g \ne 0 \wedge x_d < 1 \rceil) ; (\lceil\,\rceil \vee \lceil P \wedge C \rceil)$
⇒ {Defn} $(\lceil\,\rceil \vee \lceil P \wedge C \rceil) ; \mathit{false} ; (\lceil\,\rceil \vee \lceil P \wedge C \rceil)$
⇒ {Chop-false} $\mathit{false}$ □

5.5 Verification of R2

To prove the timeliness property we first need to make the structure of the application more explicit. This conceptualization then provides the necessary structure over which a case-based proof can be carried out.
First, going back to our closed loop model as depicted in Figure 3.2 and the mathematical formulation of the controller in equation (5.3), we note that the controller represents the combination of a static selector and a static characterizer, whereas the plant equations (5.1) and (5.2) can be seen as a combination of the static effector and the dynamic environment model. Let us consider what the HTS closed loop model for this configuration would look like (footnote 1). With no knowledge about the controller, the model of the environment could be represented by a hybrid transition system with two differential equations in each mode. The derivatives of the door and gear positions ($\dot x_i$) could then take any of the values $-\alpha_i, 0, \alpha_i$ for $i \in \{d, g\}$ in different modes. The system would then have 9 modes and would change its mode depending on the various choices of effector output. There would therefore be 8 transitions into each mode from all the other 8 modes, and 8 transitions out of each mode, each going to one of the other 8 modes.

The model of the closed loop system, however, contains more structure. First, not all 9 combinations of effector output are allowed by the combination of the effector and the selector. In other words, the composition of the characterizer, selector and effector mappings is not surjective. To see this, note that if the effector is seen as a function
$$E : \mathbb{B}^4 \to \{\langle u_d, u_g \rangle \mid u_d \in \{-\alpha_d, 0, \alpha_d\} \text{ and } u_g \in \{-\alpha_g, 0, \alpha_g\}\}$$
then it is surjective. However, the selector mapping $S : \mathbb{B}^5 \to \mathbb{B}^4$ is not surjective. More specifically, some combinations of $\langle u_{11}, u_{12}, u_{21}, u_{22} \rangle$ are not in the range of the selector function. For example, $u_{11}$ and $u_{12}$ are not allowed to be true at the same time (see equation 5.4). Also, if the landing command is active then, based on the selector equations, it is possible to eliminate some other combinations of $u_{ij}$. The following lemma formalizes this property of the selector-effector composition. Note that the state regions $S_i$ provide a covering of the state space in the presence of the landing command.

(Footnote 1: The analysis which follows here performs a kind of application-based simplification (minimization) of the HTS model which could have been formally obtained. In general, we need formal rewrite rules and tools to obtain the simplest form for each application.)

Lemma 4 Let $S_i$ be defined according to the following combinations of state variables and pilot command:
$$S_1 \;\hat{=}\; (((0 < x_d < 1) \wedge (0 < x_g < 1)) \vee ((x_d \le 0) \wedge (0 < x_g < 1)) \vee ((x_d \le 0) \wedge (x_g \le 0)) \vee ((0 < x_d < 1) \wedge (x_g \le 0))) \wedge r > 0$$
$$S_2 \;\hat{=}\; (((x_d \ge 1) \wedge (0 < x_g < 1)) \vee ((x_d \ge 1) \wedge (x_g \le 0))) \wedge r > 0$$
$$S_3 \;\hat{=}\; (((0 < x_d < 1) \wedge (x_g \ge 1)) \vee ((x_d \ge 1) \wedge (x_g \ge 1))) \wedge r > 0$$
$$S_4 \;\hat{=}\; (x_d \le 0) \wedge (x_g \ge 1) \wedge r > 0$$
Then we have
$$\lceil P \rceil \wedge \lceil r > 0 \rceil \Rightarrow \lceil S_1 \vee S_2 \vee S_3 \vee S_4 \rceil. \;\square$$

Lemma 5 Let $S_i$ be defined according to Lemma 4. Then the following statements can be derived using propositional logic:
$\lceil S_1 \wedge C \rceil \Rightarrow \lceil u_{11} \wedge \neg u_{12} \wedge \neg u_{21} \wedge \neg u_{22} \rceil$
$\lceil S_2 \wedge C \rceil \Rightarrow \lceil \neg u_{11} \wedge \neg u_{12} \wedge u_{21} \wedge \neg u_{22} \rceil$
$\lceil S_3 \wedge C \rceil \Rightarrow \lceil \neg u_{11} \wedge u_{12} \wedge \neg u_{21} \wedge \neg u_{22} \rceil$
$\lceil S_4 \wedge C \rceil \Rightarrow \lceil \neg u_{11} \wedge \neg u_{12} \wedge \neg u_{21} \wedge \neg u_{22} \rceil$ □

(In $S_3$ the gear is already extended, $x_g \ge 1$, so by (5.3) neither $u_{21}$ nor $u_{22}$ can hold; only the door-closing command $u_{12}$ is active.)

Note that the above result implies that while the landing command is in operation, no combinations of $u_{ij}$ other than those listed above are possible. This is a direct corollary of Lemma 4. It rests on the fact that the domain of the function composed from the characterizer and selector functions has been completely covered by the conditions on the left hand side of $\Rightarrow$ in the above formulas. Based on this result and the effector mapping described in $P_1$ and $P_2$, we can now state the following lemma, again proved using propositional logic and Lemma 5.

Lemma 6 Let $S_i$ be defined according to Lemma 4. Then we have
$\lceil S_1 \rceil \wedge \lceil P \wedge C \rceil \Rightarrow \lceil \dot x_d = \alpha_d \wedge \dot x_g = 0 \rceil$
$\lceil S_2 \rceil \wedge \lceil P \wedge C \rceil \Rightarrow \lceil \dot x_d = 0 \wedge \dot x_g = \alpha_g \rceil$
$\lceil S_3 \rceil \wedge \lceil P \wedge C \rceil \Rightarrow \lceil \dot x_d = -\alpha_d \wedge \dot x_g = 0 \rceil$
$\lceil S_4 \rceil \wedge \lceil P \wedge C \rceil \Rightarrow \lceil \dot x_d = 0 \wedge \dot x_g = 0 \rceil$ □

This lemma provides the necessary structure over which the proof of the timeliness property $R_2$ can be carried out. To make the structure of the proof for the main theorem more visible we present a fragment of a hybrid transition system which can be derived for the closed loop system. Each mode in this system corresponds to a region in the continuous state space, given that the pilot command is in operation (footnote 2).

(Footnote 2: A similar but slightly different fragment can also be derived for the case when $r \le 0$ holds, in order to prove the property $R_3$.)

Figure 5.1: State space regions of the closed loop system with landing command in operation. [Graph with four modes: $S_1$ with $\dot x_d = \alpha_d$, $\dot x_g = 0$; $S_2$ with $\dot x_d = 0$, $\dot x_g = \alpha_g$; $S_3$ with $\dot x_d = -\alpha_d$, $\dot x_g = 0$; $S_4$ with $\dot x_d = 0$, $\dot x_g = 0$. Arcs $S_1 \to S_2$ guarded by $x_d \ge 1$, $S_2 \to S_3$ by $x_g \ge 1$, $S_3 \to S_4$ by $x_d \le 0$, plus reflexive arcs on each mode.]

Figure 5.1 associates one mode with each of the state space regions $S_i$ of Lemma 4 above. Each mode in the graph is annotated with the corresponding door and gear equations derived in Lemma 6. Note that the reflexive transitions have an implicit "otherwise" condition. They have been drawn to aid visualization: if the guard of the outgoing transition is not true, the system remains in the current $S_i$ region. In particular, the system will remain in the $S_4$ region unless the landing command is altered, which is the transition condition for moving out to the other half of the model (not depicted). Based on this pictorial representation and using the definition of the regions $S_i$ we can justify the choice of arcs in the graph together with their respective labels. This analysis is formalized in the following E-D-C formulation.

Lemma 7 For $S_i$ as defined in Lemma 4 we have:
(1) $(\lceil S_1 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \Rightarrow (\lceil S_1 \rceil \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \mathit{true}))$
(2) $(\lceil S_2 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \Rightarrow (\lceil S_2 \rceil \vee (\lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true}))$
(3) $(\lceil S_3 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \Rightarrow (\lceil S_3 \rceil \vee (\lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true}))$
(4) $(\lceil S_4 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \Rightarrow \lceil S_4 \rceil$ and $\lceil S_4 \rceil \Rightarrow (\mathit{true} ; \lceil S_4 \rceil)$ □

The first formula, for example, states that if $S_1$ holds during a sub-interval which starts an interval, then it will either continue to hold during the rest of the interval, or the sub-interval will be followed by an adjacent sub-interval in which $S_2$ holds.
Proof: By straightforward mathematical analysis we can motivate the transition from $S_1$ to $S_2$ as follows. Based on Lemma 6 the value of $x_g$ in the region $S_1$ is constant. Therefore, during every interval in which the landing command remains constant ($r > 0$), if the state of the system moves out of this region, it must do so due to the value of $x_d$. That is, $x_d$ must increase beyond the bounds set by the region. This takes the system to state $S_2$, with $x_d \ge 1$ as a condition. Similar reasoning can be performed for the other transitions. □

To give the proof of $R_2$ we need to make the following assumption on the constants $\alpha_d$ and $\alpha_g$. Alternatively stated, we obtain this additional constraint as a by-product of the main proof. We assume that
$$2/\alpha_d + 1/\alpha_g < T.$$
Now we proceed with two more results before the main proof is presented. First, we show that none of $S_1$, $S_2$, $S_3$ can last for as long as $T$ time units.

Lemma 8 Let $S_i$ be defined as in Lemma 4. Then we have:
(1) $\lceil S_1 \rceil \wedge \ell = T \Rightarrow \mathit{false}$
(2) $\lceil S_2 \rceil \wedge \ell = T \Rightarrow \mathit{false}$
(3) $\lceil S_3 \rceil \wedge \ell = T \Rightarrow \mathit{false}$ □

Proof: Below we show the proof for (1); (2) and (3) are proved analogously.
$\lceil S_1 \rceil \wedge \ell = T$
⇒ {Lemma 6} $\lceil \dot x_d = \alpha_d \wedge \dot x_g = 0 \rceil \wedge \ell = T$
⇒ {analysis} $\ell \le 1/\alpha_d \wedge \ell = T$
⇒ {analysis} $\mathit{false}$ □

Next, we show that reaching region $S_4$ contradicts violation of $R_2$.

Lemma 9 Let $S_4$ be defined as in Lemma 4. Then we have:
$$(\lceil P \wedge C \rceil \wedge (\mathit{true} ; \lceil S_4 \rceil)) ; \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil \Rightarrow \mathit{false} \;\square$$

Proof:
$(\lceil P \wedge C \rceil \wedge (\mathit{true} ; \lceil S_4 \rceil)) ; \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil$
⇒ {Lemma 2, Lemma 6} $(\lceil P \wedge C \rceil \wedge \mathit{true}) ; (\lceil P \wedge C \rceil \wedge \lceil S_4 \rceil \wedge \lceil \dot x_d = 0 \wedge \dot x_g = 0 \rceil) ; \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil$
⇒ {analysis, PL} $\lceil P \wedge C \rceil ; (\lceil P \wedge C \rceil \wedge \lceil S_4 \rceil \wedge (\exists v_1, v_2 : \mathbb{R} \cdot \mathbf{b}.x_g = \mathbf{e}.x_g = v_1 \wedge \mathbf{b}.x_d = \mathbf{e}.x_d = v_2)) ; \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil$
⇒ {Chop-Exists} $\exists v_1, v_2 : \mathbb{R} \cdot \lceil P \wedge C \rceil ; (\lceil P \wedge C \rceil \wedge \lceil S_4 \rceil \wedge \mathbf{b}.x_g = \mathbf{e}.x_g = v_1 \wedge \mathbf{b}.x_d = \mathbf{e}.x_d = v_2) ; \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil$
⇒ {Continuity} $\exists v_1, v_2 : \mathbb{R} \cdot \lceil P \wedge C \rceil ; (\lceil P \wedge C \rceil \wedge \lceil S_4 \rceil \wedge \mathbf{b}.x_g = \mathbf{e}.x_g = v_1 \wedge \mathbf{b}.x_d = \mathbf{e}.x_d = v_2) ; (\mathbf{b}.x_g = v_1 \wedge \mathbf{b}.x_d = v_2 \wedge \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil)$
⇒ {Defn $S_4$} $\exists v_1, v_2 : \mathbb{R} \cdot \lceil P \wedge C \rceil ; (v_1 \ge 1 \wedge v_2 \le 0) ; (\mathbf{b}.x_g = v_1 \wedge \mathbf{b}.x_d = v_2 \wedge \lceil \neg(x_g \ge 1 \wedge x_d \le 0) \rceil)$
⇒ {analysis} $\exists v_1, v_2 : \mathbb{R} \cdot \lceil P \wedge C \rceil ; (v_1 \ge 1 \wedge v_2 \le 0) ; \mathit{false}$
⇒ {Chop-Exists} $(\exists v_1, v_2 : \mathbb{R} \cdot \lceil P \wedge C \rceil ; (v_1 \ge 1 \wedge v_2 \le 0)) ; \mathit{false}$
⇒ {Chop-false} $\mathit{false}$ □

We are now in a position to carry out a complete proof of property $R_2$.

Theorem 2 Let $2/\alpha_d + 1/\alpha_g < T$. Then $\lceil S \rceil \wedge \neg R_2 \Rightarrow \mathit{false}$. □

Proof: For brevity we write $N$ for the state assertion $\neg(x_g \ge 1 \wedge x_d \le 0)$ throughout this proof.
$\lceil P \wedge C \rceil \wedge \neg\Box\neg((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil)$
⇒ {Somewhere-Neg, PL} $\lceil P \wedge C \rceil \wedge \Diamond((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil)$
⇒ {Defn} $\lceil P \wedge C \rceil \wedge (\mathit{true} ; (\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil ; \mathit{true})$
⇒ {P-Always} $\Box(\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge (\mathit{true} ; (\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil ; \mathit{true})$
⇒ {Lemma 1, PL} $(\lceil\,\rceil \vee \lceil P \wedge C \rceil) ; ((\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge ((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil)) ; (\lceil\,\rceil \vee \lceil P \wedge C \rceil)$

Considering the middle interval:
$(\lceil\,\rceil \vee \lceil P \wedge C \rceil) \wedge ((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil)$
⇒ {PL} $(\lceil\,\rceil \wedge ((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil)) \vee (\lceil P \wedge C \rceil \wedge ((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil))$
⇒ {Defn} $\mathit{false} \vee (\lceil P \wedge C \rceil \wedge ((\lceil r > 0 \rceil \wedge \ell = T) ; \lceil N \rceil))$
⇒ {Lemma 2, PL} $(\lceil P \wedge C \rceil \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {P-And, Lemma 4} $(\lceil P \wedge C \rceil \wedge \lceil S_1 \vee S_2 \vee S_3 \vee S_4 \rceil \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Chop-P-Or, PL} $(\lceil P \wedge C \rceil \wedge (\lceil S_1 \rceil ; \mathit{true} \vee \lceil S_2 \rceil ; \mathit{true} \vee \lceil S_3 \rceil ; \mathit{true} \vee \lceil S_4 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$

We prove each case separately, starting from the case where $S_4$ holds at the beginning of the first sub-interval.

Case 1:
$(\lceil P \wedge C \rceil \wedge (\lceil S_4 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge (\mathit{true} ; \lceil S_4 \rceil) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 9} $\mathit{false}$

The next three cases cover the possibilities that the first sub-interval is started by $S_3$, $S_2$ and $S_1$ respectively.

Case 2:
$(\lceil P \wedge C \rceil \wedge (\lceil S_3 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge (\lceil S_3 \rceil \vee (\lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 8, PL} $(\lceil P \wedge C \rceil \wedge (\lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge (\lceil S_3 \rceil ; \mathit{true} ; \lceil S_4 \rceil) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 9, Chop-false} $\mathit{false}$

Case 3:
$(\lceil P \wedge C \rceil \wedge (\lceil S_2 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge (\lceil S_2 \rceil \vee (\lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 8, PL} $(\lceil P \wedge C \rceil \wedge (\lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge ((\lceil S_2 \rceil ; \lceil S_3 \rceil) \vee (\lceil S_2 \rceil ; \lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge ((\lceil S_2 \rceil ; \lceil S_3 \rceil) \vee (\lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true} ; \lceil S_4 \rceil)) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 9, Chop-false} $(\lceil P \wedge C \rceil \wedge ((\lceil S_2 \rceil ; \lceil S_3 \rceil) \vee \mathit{false}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 6, analysis, PL} $((\ell \le 1/\alpha_g ; \ell \le 1/\alpha_d) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Dur-Chop, analysis} $\mathit{false} ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Chop-false} $\mathit{false}$

Case 4:
$(\lceil P \wedge C \rceil \wedge (\lceil S_1 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge (\lceil S_1 \rceil \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 8, PL} $(\lceil P \wedge C \rceil \wedge (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \mathit{true}) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7} $(\lceil P \wedge C \rceil \wedge ((\lceil S_1 \rceil ; \lceil S_2 \rceil) \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 6, analysis, PL} $(\lceil P \wedge C \rceil \wedge ((\ell \le 1/\alpha_d ; \ell \le 1/\alpha_g) \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Dur-Chop, analysis} $(\lceil P \wedge C \rceil \wedge (\mathit{false} \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7, PL} $(\lceil P \wedge C \rceil \wedge ((\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil) \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 6, analysis} $(\lceil P \wedge C \rceil \wedge ((\ell \le 1/\alpha_d ; \ell \le 1/\alpha_g ; \ell \le 1/\alpha_d) \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Dur-Chop, analysis} $(\lceil P \wedge C \rceil \wedge (\mathit{false} \vee (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \lceil S_4 \rceil ; \mathit{true})) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 7, PL} $(\lceil P \wedge C \rceil \wedge (\lceil S_1 \rceil ; \lceil S_2 \rceil ; \lceil S_3 \rceil ; \mathit{true} ; \lceil S_4 \rceil) \wedge \lceil r > 0 \rceil \wedge \ell = T) ; (\lceil P \wedge C \rceil \wedge \lceil N \rceil)$
⇒ {Lemma 9, Chop-false} $\mathit{false}$

(The Dur-Chop steps use the assumption $2/\alpha_d + 1/\alpha_g < T$: the chopped sub-intervals have total length at most $2/\alpha_d + 1/\alpha_g$, which contradicts $\ell = T$.)

Based on the last four cases and through two further applications of Chop-false we can conclude the proof of $\lceil S \rceil \wedge \neg R_2 \Rightarrow \mathit{false}$. □

5.6 Verification of the non-linear hybrid model

We now present the additional proof steps necessary to show that the same properties hold in the presence of the non-linear environment model. Let the environment model $\mathit{Env}$ be replaced by $\mathit{Env}'$ to give the mathematical model $S'$. With this refined physical model of the hydraulic supply system (corresponding to the bond graph to the right in Figure 2.5) we have:
$$\dot x_d = \alpha'_d\, p\, u_d, \qquad \dot x_g = \alpha'_g\, p\, u_g, \qquad \dot p = -(\alpha + \kappa_d |u_d| + \kappa_g |u_g|)\, p + \beta$$
where $\alpha'_d, \alpha'_g, \alpha, \beta, \kappa_d, \kappa_g > 0$ are constants, $x_d, x_g \in [0, 1]$ are the positions of the door and gear actuators as before, $u_d, u_g \in \{-1, 0, 1\}$ are the effector outputs (cf. Lemma 10 below), and $p$ is the hydraulic supply pressure.

First we note that the proofs of Lemma 3 and Theorem 1 are not affected by the new plant model. Hence, the safety property continues to hold. Next, we study the proof of the timeliness property $R_2$. The coarse model $S$ was shown to have this property under the assumption that $2/\alpha_d + 1/\alpha_g < T$. We need similar assumptions in the case of $S'$; the only difference is that, due to the higher complexity of the model, more insights from the physical world are needed to formulate and validate the assumptions.
More specifically, the new proof requires that the values of the constants $\alpha$, $\kappa_d$, $\kappa_g$, $\beta$ and the pressure level $p$ are made explicit. But before that we review the impact of the new plant model on the existing lemmas. We note that Lemma 5 still holds since it is based on the combination of the characterizer and the selector, which remain unchanged. Lemma 6 is restated as the following lemma, taking account of the $\mathit{Env}'$ equations.

Lemma 10 Let $S_i$ be defined according to Lemma 4. Let $P' \;\hat{=}\; \mathit{Env}' \wedge E$. Then we have
$\lceil S_1 \rceil \wedge \lceil P' \wedge C \rceil \Rightarrow \lceil \dot x_d = \alpha'_d p \wedge \dot x_g = 0 \rceil \wedge \lceil \dot p = -(\alpha + \kappa_d) p + \beta \rceil$
$\lceil S_2 \rceil \wedge \lceil P' \wedge C \rceil \Rightarrow \lceil \dot x_d = 0 \wedge \dot x_g = \alpha'_g p \rceil \wedge \lceil \dot p = -(\alpha + \kappa_g) p + \beta \rceil$
$\lceil S_3 \rceil \wedge \lceil P' \wedge C \rceil \Rightarrow \lceil \dot x_d = -\alpha'_d p \wedge \dot x_g = 0 \rceil \wedge \lceil \dot p = -(\alpha + \kappa_d) p + \beta \rceil$
$\lceil S_4 \rceil \wedge \lceil P' \wedge C \rceil \Rightarrow \lceil \dot x_d = 0 \wedge \dot x_g = 0 \rceil \wedge \lceil \dot p = -\alpha p + \beta \rceil$ □

The above lemma can then be used to redraw Figure 5.1 to get a similar figure which covers the state space of $S'$ in the presence of $r > 0$. This is done by simply replacing the differential equations in Figure 5.1 with the equations on the right hand sides of the implications in Lemma 10. Based on the above lemma, Lemma 9 continues to hold for $S'$. The new structure and the following lemma can then be used to show that the earlier result about $S$ stated in Lemma 7 continues to hold for $S'$.

Lemma 11 Let $S' \;\hat{=}\; P' \wedge C$. Let $\hat\alpha = \max(\alpha + \kappa_d, \alpha + \kappa_g)$. Let $p(0) \ge \hat p = \beta / \hat\alpha$. Then $p(t) \ge \hat p > 0$ for all $t \ge 0$. □

Proof: Note that $u_d$ and $u_g$ are never both non-zero at the same time (Lemma 10), so in every region $\dot p = -\alpha_i p + \beta$ for some coefficient $\alpha_i \in \{\alpha, \alpha + \kappa_d, \alpha + \kappa_g\}$, and hence $\alpha_i \le \hat\alpha$. Based on physical knowledge we know that $\beta$ is a positive constant depending on the engine velocity $\omega$ (for a particular $\omega$ we get a particular $\beta$); also that $\kappa_d$ and $\kappa_g$ are positive. We show that if $p$ is at least $\hat p$ to begin with, it remains so under all circumstances. We consider two cases.

Case 1: $p(0) = \hat p$. Then $\dot p = \beta - \alpha_i \hat p \ge \beta - \hat\alpha \hat p = 0$ in every region, so $p$ cannot decrease below $\hat p$; in a region whose coefficient equals $\hat\alpha$ we have $\dot p = 0$ and $p = \hat p$ for as long as that region persists. Since $p \ge \hat p$ bounds the actuator speeds from below by $\alpha'_d \hat p$ and $\alpha'_g \hat p$, the timing argument reduces to the coarse model analysed earlier.

Case 2: $p(0) > \hat p$. Then $p$ may decrease, but it cannot pass below $\hat p$ without first reaching $\hat p$, at which point the argument under case 1 applies. □

Thus, $\hat p$ is the minimum value that $p$ can take if the system is initialized with adequate pressure. Next we note that the positions of the door and gear increase (decrease) monotonically in every $S_i$ region, since $\dot x_d$ and $\dot x_g$ have the signs of $u_d$ and $u_g$ and $p > 0$.

Lemma 12 For any interval in which $u_d$ and $u_g$ have fixed values, $p$ is monotonic in $t$. □

Therefore, the earlier transition relations between the regions hold also in the new system $S'$. That is, Lemma 7 holds also for $S'$. The last two results can be used to derive the upper bound on the duration of staying in each region in terms of the minimal pressure value $\hat p$.

Theorem 3 Let $\dfrac{2}{\hat p\, \alpha'_d} + \dfrac{1}{\hat p\, \alpha'_g} < T$. Then $\lceil S' \rceil \wedge \neg R_2 \Rightarrow \mathit{false}$. □

Proof: We follow the same proof structure as in Theorem 2, only with the initial assumption that $2/(\hat p\, \alpha'_d) + 1/(\hat p\, \alpha'_g) < T$. In addition, we systematically replace the references to Lemma 6 and the associated right hand side differential equations with references to Lemma 10 and the new equations from $\mathit{Env}'$ as given in Lemma 10. □

5.7 Discussion

Going back to our generic hybrid architecture, the work reported in this chapter illustrates a possible technique when the complexity and the dynamics of the closed loop system lie in the lower half (the environment model). Typical for these cases is that a fair amount of the formal verification is mathematical analysis over the real-valued variables. This can be contrasted with the methods illustrated in Chapter 4, which were more suited to cases where the complexity arises due to the size or non-deterministic timing characteristics of the upper half of the architecture (discrete controllers). This study is to our knowledge the first application of formal deductive proofs to hybrid systems with non-linear DAEs. It should be obvious from the illustration of the method that the EDC formulation of the closed loop model, using the architectural decomposition and the mathematical models for each component, was easy to obtain.
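The closed loop models of Sections 5.2 to 5.3 and their refinement in Section 5.6 can also be exercised numerically, as a sanity check alongside the proofs. The following Python harness is an added example and is not code from the report: it discretises the coarse plant (5.1), (5.2) and the non-linear hydraulic plant of Section 5.6 by Euler steps under the static controller (5.3), and checks $R_1$ and $R_2$ on the sampled trace. The numeric values of $\alpha_d$, $\alpha_g$, $\alpha'_d$, $\alpha'_g$, $\alpha$, $\kappa_d$, $\kappa_g$, $\beta$, the step size and the initial pressure are assumed, and the "unguarded" controller is a constructed counterexample used only to show that the $R_1$ check is not vacuous. With $\alpha_d = 0.5$ and $\alpha_g = 0.25$ the Theorem 2 bound is $T = 2/\alpha_d + 1/\alpha_g = 8$; with $\hat p = 1$ the Theorem 3 bound for the hydraulic model is the same. A simulation only refutes a requirement on the trajectories it samples; establishing the requirements for all behaviours is what the EDC theorems above do.

```python
"""Numerical check of the landing-gear closed loop verified in Chapter 5.

Added example, not code from the report.  The coarse plant (5.1)-(5.2) and the
non-linear hydraulic plant of Section 5.6 are discretised by Euler steps under
the static controller C of (5.3); R1 and R2 are then checked on the trace.
Every numeric constant, the step size dt and the initial pressure are assumed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Commands = Tuple[bool, bool, bool, bool]


def controller(xd: float, xg: float, r: int) -> Commands:
    """Static controller C of (5.3), solved for (u11, u12, u21, u22).

    r > 0 is the pilot's extend command, r <= 0 retract.  Open/close and
    extend/retract are mutually exclusive by construction ((5.4), (5.5)).
    """
    extend = r > 0
    gear_at_target = xg >= 1 if extend else xg <= 0
    u11 = (not gear_at_target) and not xd >= 1      # open door
    u12 = gear_at_target and not xd <= 0            # close door
    u21 = extend and xd >= 1 and not xg >= 1        # extend gear
    u22 = (not extend) and xd >= 1 and not xg <= 0  # retract gear
    return u11, u12, u21, u22


def unguarded_controller(xd: float, xg: float, r: int) -> Commands:
    """Constructed counterexample (not a design from the report): it drives
    door and gear at once, so r1_holds() must reject its trace."""
    extend = r > 0
    return (extend and xd < 1, (not extend) and xd > 0,
            extend and xg < 1, (not extend) and xg > 0)


def effector(cmd: Commands) -> Tuple[int, int]:
    """Effector E: command pair -> direction in {-1, 0, 1}; both or neither -> 0."""
    u11, u12, u21, u22 = cmd
    return int(u11) - int(u12), int(u21) - int(u22)


@dataclass
class CoarsePlant:
    """Env of Section 5.2: constant actuator speeds alpha_d, alpha_g."""
    alpha_d: float
    alpha_g: float

    def bound_T(self) -> float:  # assumption of Theorem 2
        return 2 / self.alpha_d + 1 / self.alpha_g

    def rates(self, ud: int, ug: int, p: float) -> Tuple[float, float, float]:
        return self.alpha_d * ud, self.alpha_g * ug, 0.0


@dataclass
class HydraulicPlant:
    """Env' of Section 5.6: actuator speed scales with supply pressure p."""
    alpha_d: float  # alpha'_d
    alpha_g: float  # alpha'_g
    alpha: float
    kappa_d: float
    kappa_g: float
    beta: float

    def p_hat(self) -> float:  # Lemma 11: lower bound on p
        return self.beta / max(self.alpha + self.kappa_d, self.alpha + self.kappa_g)

    def bound_T(self) -> float:  # assumption of Theorem 3
        return 2 / (self.p_hat() * self.alpha_d) + 1 / (self.p_hat() * self.alpha_g)

    def rates(self, ud: int, ug: int, p: float) -> Tuple[float, float, float]:
        p_dot = -(self.alpha + self.kappa_d * abs(ud) + self.kappa_g * abs(ug)) * p + self.beta
        return self.alpha_d * p * ud, self.alpha_g * p * ug, p_dot


@dataclass
class Sample:
    t: float
    xd: float
    xg: float
    p: float
    ud: int
    ug: int


def simulate(plant, ctrl: Callable = controller, r: int = 1, xd: float = 0.0,
             xg: float = 0.0, p: float = 1.0, dt: float = 0.01, t_max: float = 50.0) -> List[Sample]:
    """Euler simulation; positions are saturated to [0, 1] as in (5.1)-(5.2)."""
    trace: List[Sample] = []
    for k in range(int(round(t_max / dt)) + 1):
        ud, ug = effector(ctrl(xd, xg, r))
        trace.append(Sample(k * dt, xd, xg, p, ud, ug))
        xd_dot, xg_dot, p_dot = plant.rates(ud, ug, p)
        xd = min(1.0, max(0.0, xd + xd_dot * dt))
        xg = min(1.0, max(0.0, xg + xg_dot * dt))
        p += p_dot * dt
    return trace


def r1_holds(trace: List[Sample]) -> bool:
    """R1 (5.6): the gear never moves while the door is not fully open."""
    return all(not (s.ug != 0 and s.xd < 1) for s in trace)


def completion_time(trace: List[Sample], r: int = 1) -> Optional[float]:
    """First sample time at which the commanded end state is reached, or None."""
    for s in trace:
        if (s.xg >= 1 if r > 0 else s.xg <= 0) and s.xd <= 0:
            return s.t
    return None


def r2_holds(trace: List[Sample], T: float, r: int = 1) -> bool:
    """R2 (5.7) on a trace with r constant: the end state is reached within T."""
    tc = completion_time(trace, r)
    return tc is not None and tc <= T


def min_pressure(trace: List[Sample]) -> float:
    return min(s.p for s in trace)


if __name__ == "__main__":
    coarse = CoarsePlant(alpha_d=0.5, alpha_g=0.25)
    tr = simulate(coarse)
    print("coarse: R1", r1_holds(tr), "done at", completion_time(tr), "bound", coarse.bound_T())
    hyd = HydraulicPlant(alpha_d=0.5, alpha_g=0.25, alpha=0.1, kappa_d=0.1, kappa_g=0.3, beta=0.4)
    tr = simulate(hyd, p=2.0)
    print("hydraulic: done at", completion_time(tr), "bound", hyd.bound_T(), "min p", min_pressure(tr))
```

The coarse run completes within a few Euler steps of the exact bound $T = 8$ (the discretisation can overshoot by up to one step per region), the hydraulic run with $p(0) = 2 > \hat p$ completes well inside its bound, and the pressure never drops below $\hat p$, as Lemma 11 states. Running the same harness with `unguarded_controller` produces a trace that `r1_holds` rejects at $t = 0$, because the gear starts moving while $x_d < 1$.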
The EDC proofs of course require a general familiarity with constructing logical proofs. Given this familiarity, however, the use of the EDC proof system was not particularly difficult. Nevertheless, since similar proof tactics (contradiction, case analysis, etc.) tend to appear in different applications, the use of mechanized proof assistants is recommendable. Thus, the next step for making this type of analysis worthwhile in a larger example is the use of theorem provers. A mechanical prover for Duration Calculus implemented on top of PVS [23] exists and will be the subject of study in future work [27].

Another reflection on the work performed is the close connection between the region-based transition system (Figure 5.1) and the structure of the proof. Much of the literature on formal verification assumes that the model (axiomatization) of the system to be analyzed exists a priori. This formalization is additionally assumed to be in a form suitable for application of the given proof technique. HyTech could for example analyze the transition system based on the coarse model automatically, thereby eliminating the need for the hand proof in the time-linear model. However, the exercise illustrates that the very derivation of this model may be non-trivial; or rather, once a satisfactory model is found the proof work is more or less routine. Moreover, the insights gained while modelling can be reused for verifying later refinements of the model (e.g. for the non-linear case). Thus modelling remains a cornerstone of the verification activities even in this class of models.

Chapter 6 Concluding remarks

In this report we have studied the application of a range of modelling and verification techniques to a fictitious aircraft landing gear system consisting of mechanical, hydraulic, electronic and software components. We initiated the study with the informal engineering documents describing the physical components, derived bond graph and mathematical models for the environment systematically, and then combined them with the mathematical model of the discrete controller(s). We used a generic architecture to derive alternative closed loop models based on alternative plant and controller models. The plant models ranged from simple time-linear models to non-linear models allowing variable hydraulic pressure. We also illustrated different formal verification techniques, ranging from state space search in Statemate to hand proofs in Extended Duration Calculus, to arrive at proofs of safety and timeliness properties of the different closed loop models. While symbolic model checking techniques could be used for verifying complex timed dynamic controllers with a simple model of the environment, the proof with the next (refined) model of the environment necessitated deductive reasoning in a real-time temporal logic (EDC). The experience with the different modelling and verification techniques confirms that a principled derivation of the models remains a cornerstone of the verification activities. For smaller systems it is possible to manually translate between model types while preserving their essential properties; but applications in an industrial setting require more support tools for derivation and management of models.

Appendix

In this appendix we provide a series of plots obtained from a specification of the landing gear example in the tool Statemate. These statecharts are commented upon in Section 4.2 of Chapter 4.

Figure 6.1: The top level model of the landing gear system in Statemate. [Statechart LG_TEST_SYSTEM containing LG_SYSTEM with the sub-charts @LG_CONTROL_SYSTEM, @LG_ACTUATION_SYSTEM, @CLOCK and @PILOT_SYSTEM.]

Figure 6.2: Modelling of the door in Statemate. [Statechart DOOR with state DOOR_POS_UPDATE and the timed self-transition tm(en(DOOR_POS_UPDATE),1)/XD:=XD+UD.]

[Statechart LG_CONTROL_SYSTEM, state OPENING.]
Publication date: 1996