Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

acc06-auv-verify by hedongchenchen


									                                  CONFIDENTIAL. Limited circulation. For review only.

         A Bottom-Up Approach to Verification of Hybrid Model-Based
        Hierarchical Controllers with application to Underwater Vehicles
                 M. O’Connor, S. Tangirala, R. Kumar, S. Bhattacharyya, M. Sznaier and L.E. Holloway

   Abstract — We present a systematic method of verification                  often more abstract and includes additional requirements
for a hierarchical hybrid system. The method of verification is               such as re-configurability, learning, safety, failure tolerance,
developed using a bottom-up approach, in which the bottom                     the ability to manage dynamically changing mission goals,
level of the hybrid system hierarchy is verified first, and each              and increased autonomy. In order to cope with such
higher-level is subsequently verified with the assumption that
                                                                              complexity, mission control is often hierarchically
all lower levels are correct. At each step in the verification
process, lower and higher levels than the one currently being                 decomposed, and thus a hierarchical method of hybrid
verified may be abstracted, thus reducing the complexity of                   system design, in which each layer of the hierarchy is
verification. This method is algorithmically developed and                    responsible for either executing or coordinating a set of
integrated into the design of a hierarchical hybrid mission-level             tasks, may be used [1]. In order to deal with the complexity
controller for an autonomous underwater.                                      of verifying a hierarchical hybrid system, we present a
                                                                              bottom-up approach to verification, where subsystems on all
                          I. INTRODUCTION                                     levels, other than the level currently being verified, may be

H     ybrid systems, those containing both continuous
      dynamics and discrete transitions, have become the
focus of much research in the areas of control and computer
                                                                              abstracted by removing all irrelevant details. Our approach
                                                                              to hierarchical modeling and verification is systematic and
                                                                              can easily be applied to a wide range of hybrid systems.
science because of their wide range of practical use, which                      In Section II, we present a rigorous definition of hybrid
includes automated highway systems, high-level embedded                       system modeling that is used to formalize a hierarchical
controllers, manufacturing process control, robotics, air                     hybrid system. Section III describes our approach to hybrid
traffic management systems, and communication network                         system verification, specifically describing a bottom-up
synthesis. In each of these areas, much emphasis must be                      approach and a high-level verification algorithm. Section IV
placed on safe, reliable and correct operation. Informally,                   discusses a hybrid mission control architecture for a generic
safe, reliable and correct operation requires that the system,                survey AUV. Following our method of verification, in
during all times of operation, will never perform any unsafe                  Section V, we provide examples of verification of an AUV
tasks and will eventually complete a desired task. For the                    hybrid mission controller using the Uppaal model checking
case of an Autonomous Underwater Vehicle (AUV), a                             tool [5].
simple example of safe and correct operation requires that
the vehicle never exceeds a certain depth and eventually                                        II. HYBRID SYSTEM MODEL
completes the mission tasks. An AUV, like many                                A     controlled       hybrid          automaton    is    a    tuple
autonomous systems, contains multiple levels of control that                  H = (Q,Σ,U , Y , F , H , I , E , G, R ) consisting of the following
must each satisfy a set of requirements in order to guarantee
correctness of the overall system. In this paper, we present a
                                                                              State space: Q = L × X is the state space of H, where L is a
methodology for the verification of hierarchical hybrid
systems that is integrated with the design process and,                       finite set of locations and X = ℜ n is the continuous state
specifically, verification of a hierarchical AUV mission                      space. Each state Q can be described by (l , x) ∈ Q , where
controller, where the verification specifications (at this                    l ∈ L and x ∈ ℜ n .
level) are derived from high-level specifications.                            Events: Σ is the finite alphabet or event set of H..
   High-level control of AUV’s, such as mission control, is
                                                                              Continuous Controls and Parameters: U = ℜ m is the
                                                                              continuous control space consisting of control and
     Manuscript received March 7, 2005. This work was supported in part       exogenous continuous-time parameters.           u : [0, ∞ ) → U
by an Exploratory and Foundational Research Grant from ARL.
     M. O’Connor (phone: 814-863-8418; email: and S.
                                                                              denotes a vector comprised of these controls and parameters.
Tangirala (phone: 814-863-7594; email: are with the           Outputs: Y is the output space of H, which may consist of
Applied Research Laboratory at Penn State University.                         both continuous and discrete elements.
      R. Kumar is with Iowa State University, Dept. of Electrical and         Continuous Dynamics: F is a function on L × U assigning a
Computer Engineering.
   S. Bhattacharyya is with the University of Kentucky, Dept. of Electrical   vector field or differential inclusion to each location and
and Computer Engineering.                                                     continuous control vector. The notation F (l , u ) = f l (⋅, u ) is
   M. Sznaier is with Penn State University, Dept. of Electrical
                                                                              also used.

                                      Preprint submitted to 2006 American Control Conference.
                                                  Received September 23, 2005.
                                   CONFIDENTIAL. Limited circulation. For review only.

Output Functions: H is a set of output functions, one for                      Invariant Conditions: For each l ∈ L j , I j (l ) ⊆ X j × Π Y k ,
each location l ∈ L . The notation H (l ) = hl is used, where                                                                                          k

                                                                               where k=1…j-1, j+1…n.
 hl : X × U → Y is the output function associated with
                                                                               Guard            Conditions:                For          each      e∈ E j,
location l ∈ L .
Invariant conditions: I ⊂ 2 X is a set of invariant                            G j (e) = g e j ⊆ X j × Π Y k , where k=1…j-1, j+1…n.
conditions on the continuous states, one for each location                     All other components of the tuple are analogous to those of
 l ∈ L . The notation I (l ) = il ⊆ X may also be used. If no                  the single hybrid automaton defined above.
il is specified for some l ∈ L , then the default value is                     Event Synchronization: For an event σ ∈ Σ = U j Σ j , let
taken to be il = X .
Edges: E ⊂ L × Σ × L is a set of directed edges.
                                                                                          {             }
                                                                                In(σ ) = j | σ ∈ Σ j be the set of indices of the event sets
                                                                               that contain the event σ . Then each σ-step must be taken
 e = (l , σ , l ′) ∈ E is a directed edge between a source location
                                                                               synchronously by each of the hybrid automata H j if
 l ∈ L and a target location l ′ ∈ L with event label σ ∈ Σ .
                                                                                j ∈ In(σ ) , the corresponding guard condition g e j is
Guard conditions: G ⊂ 2 X is the set of guard conditions
on the continuous states, one for each edge e ∈ E . The                        satisfied, and the invariant condition I j (l ) of the accepting
notation Ge = g e ⊆ X may also be used. If no g e is                           state is satisfied. In other words, for each j ∈ In(σ ) ,
explicitly specified for some edge e ∈ E , then the default                               σ
                                                                               (l1j , x1j ) →(l 2j , x2j ) if and only if (a) e j = (l1j ,σ , l 2j ) ∈ E j (b)
value is taken to be g e = X .
Reset conditions: R is the set of reset conditions, one for                    x1j ∈ g e j ∩ il j and (c) x2j ∈ r j e j ( x1j ) ∩ i j l2j .
each edge e ∈ E . The notation R(e) = re is used, where
                                                                                                III. HYBRID SYSTEM VERIFICATION
 re : X → 2 X is a set-valued map. If no re is explicitly
specified for some edge e ∈ E , then the default value is                        A. Verification Techniques
taken to be the identity function.                                                Since hybrid systems are prevalent in a variety of real-
Definition: σ-step: For σ ∈ Σ , a σ-step is a binary relation                  world applications, verification techniques for such systems
 σ                                              σ
→ ⊂ Q × Q and it is true that (l , x) →(l ′, x′) if and only if (a)            have been extensively researched and developed. In general,
                                                                               three methods of hybrid system verification are available:
e = (l , σ , l ′) ∈ E , (b) x ∈ g e ∩ il and (c) x′ ∈ re ( x) ∩ il ′ . A σ-    simulation, model checking, and theorem proving. No single
step is a transition between discrete states and is also know                  method is perfect, as simulation can never exhaustively test
as a discrete jump. A σ-step need not be taken even if                         every possible path in the system, model checking may not
 x ∈ g e , but some σ-step must be taken before it holds that                  be decidable for certain classes of hybrid systems, and
 x ∉ il .                                                                      theorem proving is often too complex for reasonably sized
                                                                               systems [4]. When verifying real-time systems, simulation
Definition: t-step: Let ϕ tl ( x, u ) be a trajectory of f l (⋅, u )           and model checking are used more prominently, as both
with initial state x and evolving for time t. For t ∈ ℜ + , a t-               methods are made available through computational tools. In
                                        t                                      this paper, we present a methodology for the verification of
step is a binary relation → ⊂ Q × Q and it is true that                        hierarchical hybrid systems that is tightly coupled with the
                                                                               design process and uses the automated model checking tool
(l , x) →(l ′, x′) if and only if (a) l = l ′ , (b) x′ = x for t = 0
                                                                               Uppaal [5]. Uppaal was chosen due to its compatibility with
and (c)      x′ = ϕ tl ( x, u )   for       t>0     where for τ ∈ [0, t ] ,    the modeling formalism, graphical front end, ease of use,
ϕτl ( x, u ) ∈ f l (ϕτl ( x, u )) and (d) for all τ ∈ [0, t ] , x(τ ) ∈ il .
&                                                                              and portability.
Accordingly, a t-step is a time trajectory of the system that is                 B. Bottom-up Approach
valid for τ ∈ [0, t ] .                                                          In order to deal with the complexity of verifying multiple
                                                                               levels in a hierarchical hybrid system, we propose a bottom-
Interacting Controlled Hybrid Automata                                         up method of hybrid verification, in which the bottom-most
In order to cope with complexity of real-life applications, it                 subsystems are verified first, the subsequent higher level is
is often convenient to model a hybrid system in a modular                      verified next, assuming the bottom level has been correctly
fashion as a set of interacting hybrid automata, {H j}. Each                   verified, and this process is continued until all levels have
hybrid automaton in the set is a tuple as before:                              been properly verified. Using this approach, the verification
       {                                                  }
 H j = Q j , Σ j ,U j , Y j , F j , H j , I j , E j , G j , R j (1)
                                                                               process is simplified in the following ways: (1) subsystems
                                                                               on lower levels, once verified, may be abstracted by
The interaction among various hybrid autonomous modules                        removing all irrelevant details; (2) subsystems on higher
takes place through event synchronization and sharing of                       levels, before being verified, may be abstracted by removing
variables in invariant and guard conditions, as follows.                       all intrinsic details, as well as, all states not relevant to the
                                                                               subsystem currently being verified; (3) changes to

                                            Preprint submitted to 2006 American Control Conference.
                                                        Received September 23, 2005.
                                         CONFIDENTIAL. Limited circulation. For review only.

subsystems arising from their verification do not necessitate                            - Compose the system as H = H ij ||H’ lk for k,l as found
re-verification of other subsystems.
   In a hierarchical hybrid system, subsystems may
                                                                                         - Formulate queries using temporal logic formulas
synchronize with other subsystems on either higher, lower,
                                                                                            based on the requirements of the system and check
or the same level (lateral subsystems). During verification of
                                                                                            queries on the composed system H’
a particular subsystem, a conservatively abstracted
subsystem, called a driver subsystem, may be created to                                  - Correct any problems with subsystem H ij
emulate only the relevant commands issued by either a                                  Next j
higher level or lateral subsystem. Similarly, a conservatively                       Next i
abstracted subsystem, called a stub subsystem, may be
created to emulate relevant responses issued by either lower                               IV. HIERARCHICAL HYBRID MISSION CONTROLLER
level or lateral subsystems. Driver and stub subsystems
serve the purpose of simplifying the complexity of                                     A. Mission Controller Design and Implementation
verification by reducing the number of discrete states and                              A mission control architecture for AUVs that has been
clocks in a composed system. Subsystems whose internal                               designed to include verification of a set of requirements in
states, guard conditions, or update laws affect the subsystem                        every design phase is presented in [1]. A specific application
being verified should not be abstracted.                                             of this architecture to a generic survey AUV is shown in
  C. Hierarchical Verification Algorithm                                             Figure 1. The primary mission of a survey AUV is to transit
   The first step of the verification process involves                               to a user specified location and conduct a survey following a
determining a set of requirements that the system must                               specific pattern in 3D, at a specified speed and
satisfy, which may be safety and/or progress-based. This                             depth/altitude. The survey AUV control architecture of
step can often prove to be very difficult and time-consuming                         Figure 1 is organized hierarchically and is composed of
and is currently the subject of further research. Examples of                        various modules, where each module is a hybrid system, and
high-level requirements for a specific hierarchical hybrid                           the entire architecture is modeled as a set of interacting
system are provided in Section V.                                                    hybrid systems. At the lowest level of the hierarchy is the
   Once the high-level requirements have been identified,                            underwater vehicle (plant) and the vehicle controllers (VCs),
the verification process for a hierarchical interacting hybrid                       which have a hybrid state space and, together, serve as the
system                                                                               plant for the higher level mission controller (MC). The VC
       {                                                        }
H ji = Qi j , Σ ij , U i j , Yi j , Fi j , H i j , I i j , E i j , Gi j , Ri j (2)   and MC communicate through the interface layer shown in
                                                                                     Figure 1.
which synchronize as H = H || H … H … H mn , where
                                          1      n
i=1…n (number of levels) and j=1…mi (number of                                        Coordinators
interacting hybrid automata on level i), may be performed
using the following algorithm, which has been derived from

                                                                                                                                                                                                Vehicle Commands
the bottom-up approach.                                                               Operation

                                                                                                                                                                                                                   Vehicle State
                                                                                                                              WPNav            GPSFix                  Launch
                                                                                      Controllers                                                                                  Commander

Initially, model each subsystem as an interacting hybrid
system as given by eq. (2), where i=1 corresponds to the                              Controllers
                                                                                                                              Steering           Loiter           Surface/Dive       Pause

lowest level and j=1 corresponds to the first subsystem on
each level. Order the subsystems on each level according to                             Interface
                                                                                                                                      Conflict      MC2VC                  VC2MC

their lateral dependence: if H ij2 commands H ij1 , then

 j2 > j1 .
                                                                                       Vehicle                                                              VBS                     Device
For i = 1 to n                                                                        Controllers                                                         Controller               Controller

  For j = 1 to mi                                                                                                                          Autonomous Underwater Vehicle

     - Select subsystem H           i    for verification                                            Figure 1: Hybrid Survey AUV Control Architecture
      - Find all subsystems H , k=1 to n, l=1 to mk,
                                                                                        The mission controller consists of a collection of high-
           (k , l ) ≠ (i, j ) that interact with subsystem H        i
                                                                                     level hybrid automata that communicate via shared data and
                                                   l                                 synchronization events. As shown in Figure 1, the MC,
      - Abstract all subsystems H k , for k,l as found above,
         whose internal states are not relevant to verification,                     formally {H ij }, is comprised of a number of subsystems that
         as drivers or stubs, and replace the original                               operate at various levels, where i denotes the level and j
         subsystems with the abstracted subsystems. Denote                           denotes the subsystem on level i. Each subsystem consists of
         the abstracted subsystems by H’ lk                                          a hybrid automaton that is responsible for completing a
                                                                                     predetermined set of tasks. The MC is hierarchically

                                              Preprint submitted to 2006 American Control Conference.
                                                          Received September 23, 2005.
                              CONFIDENTIAL. Limited circulation. For review only.

decomposed into Behavior Controllers, Operation                      for executing a mission consisting of a sequence of
Controllers, and at the highest level, the Mission                   operations; the interrupt-driven coordinator is responsible
Coordinators. A mission is defined as a coordinated                  for executing a time or state-based interrupt driven sequence
sequence of operations, each of which is a sequence of               of operations; and the safety coordinator ensures safe
behaviors, which are in turn, sequences of vehicle                   operation of the vehicle. Interrupt-driven operations have
commands. Command events propagate down the mission                  priority over sequential ones according to the following rule.
controller hierarchy and response events propagate up the            When an interrupt-driven operation is due, if necessary and
mission controller hierarchy via event synchronization,              allowed, the current sequential operation is suspended until
creating a high-level dependency on low-level operation. An          the interrupt-driven operation has been executed. Sequential
event is initiated by a particular module and its recipients are     operation is then resumed until the next (if any) interrupt-
controlled by an event dependency table which may be static          driven order is due. The safety coordinator has priority over
or dynamic. An event may also initialize parameters within           all other coordinators. When an unsafe condition is detected,
modules in the hierarchy. Command events take the general            the commands from the safety coordinator supersede all
form dom (command , params ) , where m is the requesting
          n                                                          other commands and seek to move the vehicle into a safe
                                                                     region or abort the mission if necessary. These priorities are
controller module, n is the receiving controller module,
                                                                     implemented by a Command Conflict Manager located in
command is the task to be performed and may take on
                                                                     the MC/VC interface and by event synchronization.
values such as initialize, abort, etc., and params are
parameters and initial states for the receiving module.                B. Development Tool vs. Verification Tool
Similarly, response events are of the general form                      The survey AUV hybrid mission controller has been
 donem (response, results ) , where response is an indication of
                                                                     designed and implemented in Teja NP. Teja NP [3] is a
the completion of the commanded task and may take on                 graphical hybrid system design tool that contains built-in
values such as normal, abnormal, etc., and results are               support for automatic code generation. Following a hybrid
parameters returned to the requesting module on task                 system description, Teja facilitates communication between
completion.                                                          hybrid subsystems via shared data and event
   Referring again to Figure 1, the lowest level of the              synchronization. Each Teja system must contain a user-
mission controller is comprised of four behavior controllers:        defined event dependency table that specifies which
Steering which is responsible for steering the vehicle to a          subsystems may receive events that are sent from another
specified location in space; Loiter which controls the vehicle       subsystem. When a Teja subsystem initiates an event, it is
to loiter at a specific location in space for a specified            passed to all subsystems listed within the event dependency
duration; Surface/Dive which commands the vehicle to go to           table, causing synchronization.
or come off of the surface; and Pause which is used under              Teja, however, does not contain functionality for formal
certain situations to let the vehicle remain at it’s current state   verification; thus an external tool such as Uppaal must be
for a specified duration. These behavior controllers issue           used for verification. In order to facilitate rapid (re)design
appropriate commands to the vehicle controllers and monitor          and verification, a converter was created that converts a
their responses, via the vehicle state vector, to achieve their      hybrid (timed) autonomous system description in Teja to an
                                                                     Uppaal system description. The details of this converter are
control objectives.
                                                                     omitted here due to space restrictions.
   The behavior controllers are, in turn, commanded by the
                                                                       Although Teja and Uppaal both support timed autonomous
operation controllers which correspond directly to mission
                                                                     systems, there are several differences in the tools that must
orders that are specified by the user. The Launch operation          not be overlooked. As previously mentioned, event
controller is responsible for bringing the vehicle off of the        synchronization in Teja occurs according to an event
surface and running at depth with enough forward speed to            dependency table; thus, events can only be sent to
achieve controllability. The GPSFix operation controller             subsystems listed in the event dependency table, and any
sequentially commands the AUV to shut off propulsion, rise           number of subsystems, if enabled, can synchronize on any
to the surface, raise the GPS mast, obtain a GPS-aided               given event. Uppaal, however, does not contain an event
position fix, retract the GPS mast, and re-launch the AUV.           dependency table. Two, and only two, Uppaal subsystems
The WaypointNavigator operation controller controls the              may synchronize on two enabled edges over a normal
AUV to transit to waypoints specified by the mission orders.         channel if one edge is commanding and one edge is
The Device Commander is used to control sensors and                  accepting. Any one Uppaal subsystem with an enabled edge
devices on the AUV in response to mission orders.                    may synchronize with the commanding subsystem, and if no
   Finally, at the highest level of the AUV mission                  synchronizing edge is available, no transition will take
controller are the mission coordinators of which there are           place; whereas in Teja, the transition will take place in the
two types: Progress and Safety, where the progress                   commanding subsystem regardless of how many systems,
coordinator is divided into two parts: Sequential and                including zero, are synchronizing on the event.
Interrupt-driven. The sequential coordinator is responsible             To overcome this problem, all channels in Uppaal must be
                                                                     declared as broadcast channels. Zero, one, or multiple

                                 Preprint submitted to 2006 American Control Conference.
                                             Received September 23, 2005.
                                     CONFIDENTIAL. Limited circulation. For review only.

Uppaal subsystems may synchronize on a single event over                             process involves identifying a set of system requirements.
a broadcast channel. We are however restricted in that a                             For the case of the AUV mission controller presented in
certain subsystem, not listed to receive an event in the Teja                        Section IV, a set of requirements based on high-level
event dependency table, may still synchronize on that event                          specifications has been derived for each level within the
in Uppaal. This restriction must be overcome by examining                            hierarchy. The behavior and operation controllers, which are
the Teja event dependency table during Uppaal verification.                          responsible for executing tasks, share the same requirements
                                                                                     that are listed below.
                                                                                     (1-b)   The composed system must never be deadlocked
  A. Hybrid System Abstractions                                                      (2-b)   The subsystem, when in any state, must properly
   A hybrid system may be abstracted in two ways [2]: the                                    respond to an abort command
discrete behavior of the system may be abstracted or the                             (3-b)   The subsystem must not improperly abort
continuous behavior of the system may be abstracted. In the                                  commanding subsystems
context of logical verification, the survey AUV mission                              (4-b)   The subsystem must properly respond to a
controller does not depend on the continuous dynamics of                                     command from a higher level or lateral subsystem
the underwater vehicle. At this level of verification, the                           (5-b)   The subsystem must properly issue commands to
continuous dynamics are ignored, except in the case of real-                                 other subsystems, if necessary
valued clocks. A similar approach is taken in [6].                                   (6-b)   States in which outgoing transitions rely on the
                                                                                             navigational or functional state of the vehicle must
                                                                                             contain timeout conditions
                           NewVCData?      Idle            Start
                                                                                     An example of verifying requirement (2-b), which may be
                                                                                     used for every behavior or operation subsystem, is
                                   Safeties_VoltageAbort||Safeties_WaterDepthAbort   illustrated using the Uppaal query shown below.
       MinimumAltitude                            Abort!      SafetyAbort
                                                                                     E<> SafetyDriver.Aborting and not Subsystem.Idle
                                                   LowAltitudeTimer>LowAltitudeTO       a. Does a path exist where the safety driver has issued
                                                                                           an abort command but the subsystem has not
                                                                                           correctly responded by transitioning to the Idle
                      Figure 2 - Safeties subsystem
                                                                                        b. If the query is satisfied, the subsystem contains a
                                                                                           path that does not correctly respond to an abort
   A hybrid system may also be discretely abstracted. An
                                                                                           command; otherwise, the subsystem correctly
example of discretely abstracting a hybrid automaton is now
                                                                                           responds to an abort command throughout all paths
presented. The Safeties mission coordinator, shown in
                                                                                           in the system.
Figure 2, resides at the top level of the AUV mission control
architecture and maintains safe operation of the vehicle at all
                                                                                     As with requirement (2-b), generic Uppaal queries have
times. If an unsafe condition is detected, Safeties may abort
                                                                                     been formulated to check requirements (1-b), (3-b), and (4-
the mission by aborting operation of all subsystems. Thus, if
                                                                                     b) on every behavior and operation subsystem; however,
a safety abort occurs, all subsystems must properly respond
and abort operation. An abstracted version of the safeties                           requirements (5-b) and (6-b) necessitate a more rigorous
subsystem, called the safeties driver, was created for                               inspection of each individual subsystem. Several cases are
verification and is shown in Figure 3(a). The safeties driver                        examined in Example 1 below.
must be included in the verification of every subsystem in                              The mission coordinators are responsible for coordinating
the mission controller.                                                              tasks (rather than executing tasks), and thus share a different
                                                                                     set of requirements, which are listed below.
      Start                     Aborting
                  Abort!                      Idle                     Run
                                                                                     (1-c)   The composed system must never be deadlocked
                                                                                     (2-c)   Each coordinator must always properly respond to
                                                            Done?                            an abort command.
   Figure 3: (a) Safeties driver              (b) Generic driver susbsystem          (3-c)   Each coordinator must properly respond to a done
                                                                                             event from a lower-level subsystem.
  All other drivers generally take the form shown in Figure                          (4-c)   Each coordinator must properly issue commands to
3(b), where the ! denotes a commanding transition and the ?                                  lower-level subsystems.
denotes an accepting transition.                                                     (5-c)   Interaction among coordinators must always occur
                                                                                             correctly. (e.g.) The Interrupt coordinator must
 B. Mission Controller Subsystem Requirements
                                                                                             properly suspend the Sequential coordinator when
As previously mentioned, the first step in the verification                                  necessary.

                                          Preprint submitted to 2006 American Control Conference.
                                                      Received September 23, 2005.
                                                           CONFIDENTIAL. Limited circulation. For review only.

(6-c)        Coordinators only issue commands when                                                                      The Launcher subsystem (not shown) is an operation
             appropriate. (e.g.) The Interrupt coordinator must                                                         controller that is commanded by the GPSFixer. Since the
             not start a timed order before the order is scheduled                                                      GPSFixer (laterally) depends on the Launcher, the Launcher
             to occur.                                                                                                  was verified first and replaced by an abstracted stub
                                                                                                                        subsystem and included in the verification of the GPSFix
The requirements listed above must be examined with all                                                                 subsystem. Also included in the integrated system is the
coordinators in the composed system. An example of                                                                      abstracted Safeties driver shown in Figure 3(a).
checking requirement (2-c) is illustrated using the Uppaal                                                                 The GPSFix subsystem, GPSFix driver subsystem,
query shown below.                                                                                                      Steering stub subsystem, Launcher stub subsystem, and
                                                                                                                        Safeties driver subsystem, which interact according to (2),
E<> Coordinator1.End and not Coordinator2.End                                                                           are synchronously composed in Uppaal, and a set of
   a. Does a path exist where Coordinator1 is in the End                                                                temporal logic queries are formulated based on requirements
      state but Coordinator2 is not?                                                                                    (1-b) through (6-b), a few of which are listed below. Note
   b. If the query is satisfied, Coordinator2 may not                                                                   that the subsystem requirements are transformed into
      properly end execution when Coordinator1 ends                                                                     temporal logic queries that specify an erroneous set of states,
      execution; otherwise, Coordinator2 properly                                                                       and Uppaal is used to check whether this set is reachable. If
      transitions to the End state when Coordinator1                                                                    the set is reachable, Uppaal generates a diagnostic trace that
      transitions to the End state.                                                                                     is used to identify and correct the problem.
   c. This query must also be verified in the reverse case.
                                                                                                                        A[] not deadlock
   C. Example 1: Operation level verification
                                                                                                                          - Requirement (1-b)
   Applying the algorithm listed in Section III.C to the survey                                                           - For all paths, is the system not deadlocked?
AUV, verification begins at the behavior level, proceeds to                                                               - The query is satisfied signifying no immediate
the operation level, then finally to the coordinator level. In                                                                deadlocks.
the following verification example, the GPSFix subsystem,
shown in Figure 4 and denoted by H 2 , is verified using
                                          2                                                                             E<> SafetyDriver.Aborting and not GPSFixer.Idle
Uppaal.                                                                                                                   - Requirement (2-b)
   Following the algorithm for verifying a hierarchical hybrid                                                            - Does a path exist where a safety abort has occurred
system, the behavior controllers, which, in this case, have                                                                  but the GPSFix subsystem does not properly abort?
already been verified, are replaced by stub subsystems, as is                                                             - The query is satisfied suggesting that the GPSFixer
illustrated for the Steering subsystem in Figure 5a. Likewise,                                                               may not properly abort under certain conditions.
a driver subsystem has been created to imitate the                                                                        - The ReportTO state is missing an abort response
synchronization that normally occurs between the GPSFix                                                                      transition to the Idle state, which must be added.
subsystem and a coordinator level subsystem, as shown in
Figure 5b.                                                                                                              E<> GPSdriver.Idle and not GPSFixer.Idle
                                                          GoToSurface_ds                                                  - Requirement (3-b)
                                                                                                                         -   Does a path exist where the GPSFix driver is in the
                                               TimeInState:=0, t:=0
                                                                                                                             Idle state but GPSFix is not?
                                                                                                                          - The query is satisfied indicating that the GPSFixer
                                 Idle_ds            Abort?
                                                                                                                             may improperly abort the GPSFix driver.
                                                                                                                          - The abort output event on the transition from
                                                    Abort?            ReportTO_ds
                                                                                                                             ReturnToStart to Decide should be changed to a
                                                                                                                             SteeringDone output event.
                           Abort?                                                             DevState__MastState==UP
                         TimeInState:=0                      TimeInState:=0,                    TimeInState:=0
                            !GPSOrd__ReturnToStart           NumFailed:=NumFailed+1

                                                                                                                        E<> GPSdriver.TakingFix and GPSFixer.Idle
               Steer!      Abort!
      TimeInState:=0        Helm__DistanceToPoint<=WPThresholdDistance
                                                                                                                          - Requirement (4-b)
                                GPSOrd__ReturnToStart:=0                                                                  - Does a path exist where the GPSFixer does not
                                                                                Launch!                                      properly respond to a TakeGPSFix command?
                                                                                                                          - The query is not satisfied, signifying proper GPSFix
                                      TimeInState:=0      DevState__GPSFixState==DONE
                         Decide_ds                                       TimeInState:=0      TakeFix_ds
                                                                                                                             subsystem response.
                                      Figure 4: GPSFix subsystem

                                                                                                                           Once verification of the GPSFix subsystem is complete, it
                                                                                 TakeGPSFix!                            can be replaced with a stub system, as shown in Figure 6,
    Idle                                   Steering
                                                                                                      TakingFix         when subsequently verifying the top level of the mission
                                                                                                                        controller hierarchy. Notice that, in Figure 6, the GPSFix
                Abort?                                                           GPSFixDone?
                                                                                                                        stub subsystem contains more than two states. Since the
                                                                                                                        GPSFix subsystem commands other subsystems (in this case
    Figure 5: (a) Steering stub subsystem (b) GPSFix driver subsystem
                                                                                                                        the Launcher subsystem and Steering subsystem), do/done

                                                                 Preprint submitted to 2006 American Control Conference.
                                                                             Received September 23, 2005.
                                                                CONFIDENTIAL. Limited circulation. For review only.

transitions that command/respond to the other subsystems                                                                                                                Start_ds
                                                                                                                                                                                              NonSeqController__Idle              !NonSeqController__Idle&&MissionTime>=CurrTimedOrd__Time
must be included in the abstracted subsystem.                                                                                                                         t:=0, MissionTime:=0,
                                                          Abort?                                                                             &&MissionTime<CurrTimedOrd__Time
                                                                                                                                                                       Resume!                                                          t:=0 Suspend!
                                                                                                                                           SeqController__Suspended           Resume!
                                                                                                                                                                              MissionTime>=CurrTimedOrd__Time        Suspend!
                                 TakeGPSFix?                                 LaunchDone?                                                                                      &&TimedActions_CheckSuspend_FCN                           Wait4Suspend_ds
                                                                                                                                                                            !SeqController__Suspended                  t:=0, Time2Suspend:=0
                                          t:=0                                                                                                                Check4Resume_ds                  &&(!TimedActions_CheckSuspend_FCN||SeqController__Idle||SeqController__Suspended)
                                         Abort?                                  Launch!                                                                                            Wait!

           Idle_ds                                       TakingFix_ds                                    Launching_ds                                                                                          Abort!

                                                                                   SteeringDone?                                                                        LaunchDone?                                                            Device_ds
                                   GPSFixDone!                        Steer!                                                                                                          Launch!                             TakeGPSFix!
                                                                                                                                                              Wait_ds                                      Abort?

                                                                                                                                                                                        Abort?                       Abort?
                                           Abort?                                 Steering_ds                                                                              Launch_ds     Abort?                                    GPSFix_ds

                                       Figure 6: GPSFix stub subsystem                                                                                                                                    End_ds

                                                                                                                                                                                      Figure 8: Interrupt coordinator

   D. Example 2: Coordinator level verification                                                                                            A[] not deadlock
   Following the verification algorithm, once all behavior and                                                                               - Requirement (1-c)
operation subsystems (levels i = 1,2 ) have been verified and                                                                                - For all paths, is the system not deadlocked?
abstracted, we can begin verification of the coordinator level                                                                               - The query is only satisfied when the mission has been
( i = 3 ). The Uppaal models of the two mission coordinators,                                                                                    terminated (both coordinators in the End state), which
known as the Sequential coordinator and the Interrupt                                                                                            is not a requirement violation.
coordinator, are shown in Figure 7 and Figure 8,
respectively.                                                                                                                              E<>SafetyDriver.Aborting                 and           not
   Both the Sequential and Interrupt coordinator may                                                                                          InterruptCoordinator.End
concurrently or consecutively issue commands, depending                                                                                      - Requirement (2-c)
on the mission orders. Thus, the coordinators must be                                                                                        - Does a path exist where a safety abort has occurred
verified simultaneously, with all lower-level abstracted                                                                                         but the Interrupt coordinator has not responded?
subsystems resident in the composed system. At the                                                                                           - The query is satisfied implying that the Interrupt
coordinator level, requirements (1-c) through (6-c) must be                                                                                      coordinator may not properly respond to a safety
verified, and, as in the previous example, queries are                                                                                           abort.
formulated based on each requirement and checked in                                                                                          - The Interrupt coordinator is missing an abort
Uppaal, and the diagnostic trace is used to identify and                                                                                         response transition from the CheckOrders state to
correct any problems. A few of the queries are listed below.                                                                                     the End state, which must be added.

                                                                                                                                           E<>SafetyDriver.Aborting               and             not

                                   t:=0                           t:=0, Suspendable:=0
                                                                                                                                             - Requirement (2-c)
                                                   t:=0, Suspendable:=0,
                                                                              Suspendable:=0, t:=0
                                                                                                                Suspend?                     - Does a path exist where a safety abort has occurred
                                                                                                                                                but the Sequential coordinator has not responded?
                                                                                                                  t:=0, Suspendable:=0
                 t:=0, MissionTime:=0, Suspendable:=0                     t>=1
                                                                                              t:=0, Suspendable:=0
                        t:=0, Suspendable:=0
                                                                                                t:=0, Suspendable:=0
                                                                                                                                             - The query is satisfied implying that the Sequential
                        GPSFixer_ds t:=0, Suspendable:=0, SeqController__Idle:=0
                                                                                              t:=0, Suspendable:=1, WaypointNavigator_ds
                                                                                                                                                coordinator may not properly respond to a safety
                                  t:=0, Suspendable:=0               run_ds
                                                                                                                 t:=0, Suspendable:=0
                                  t:=0, Suspendable:=0,
                                                                               t:=0, Suspendable:=1,

                                                                     t:=0, Suspendable:=0
                                                                               SeqController__Idle:=0 PayloadDone?                           - The Sequential coordinator is missing an abort
                                                                    Suspendable:=0, SeqController__Idle:=0
                                                                                                           t:=0, Suspendable:=0
                                                                                                                                                response transition from the DeviceOrder state to
                                                                                                                                                the EndMission state, which must be added.
                                 t:=0, Suspendable:=0,                   LaunchDone?
                  Pause_ds       SeqController__Idle:=0
                                                    Abort?       Launcher_ds     t:=0, Suspendable:=0                  Payload_ds
                                 t:=0        Abort? t:=0
                       Abort?                                              Rendezvous!
                         t:=0                t:=0
                                                            t:=0                                                                           E<>InterruptCoordinator.End           and            not

                                                                                                                                             - Requirement (5-c)
                                                                                                Rendezvous_ds                                - Does a path exist where the Sequential coordinator
                     DevState__MastState==UP                                                                                                    does not end the mission at the same time as the
                                                                                                                                                Interrupt coordinator?
                                       Figure 7: Sequential coordinator                                                                      - The query is satisfied suggesting that the Interrupt
                                                                                                                                                coordinator may improperly abort the Sequential
                                                                                                                                             - When suspended, the Sequential coordinator
                                                                                                                                                aborts operation of lower level subsystems by
                                                                                                                                                issuing an abort event. The abort event is

                                                                         Preprint submitted to 2006 American Control Conference.
                                                                                     Received September 23, 2005.
                                      CONFIDENTIAL. Limited circulation. For review only.

            improperly being sent to the Interrupt                               [4]   Greenstreet, M., “Pragmatic Verification for Hybrid and Real-time
                                                                                       Designs”, Proceedings of the American Control Conference, Chicago,
            coordinator. This problem can be fixed in Teja by                          Illinois, June 2000.
            removing the entry in the event dependency table                     [5]
            that specifies that the Sequential coordinator can                   [6]   Puri, A. and Varaiya, P., “Modeling and Verification of Hybrid
            send an abort event to the Interrupt coordinator.                          Systems”, Proceedings from the American Control Conference,
                                                                                       Seattle, Washington, June 1996.
            The problem will however remain in Uppaal and
            must be carefully noted.

E<>            InterruptCoordinator.Wait4Suspend      and     not
      -     Requirement (5-c)
      -     Does a path exist where the Interrupt coordinator has
            issued a suspend notification but the Sequential
            coordinator has not responded?
      -     The query is satisfied indicating that the Interrupt
            coordinator may not properly suspend the Sequential
            coordinator when necessary.
      -     The Interrupt coordinator issued a suspend
            notification without checking whether the
            Sequential coordinator was suspendable.

                              VI. CONCLUSION
   In a complicated hierarchically structured hybrid system,
the verification process may be greatly simplified by using a
bottom-up approach and employing the verification
algorithm that has been presented. This approach is tractable
and efficient, as it significantly reduces the complexity of
verification for two distinct reasons. First, the verification
process is divided according to the number of levels in the
system, verification occurs at each level, and the overall
system is guaranteed to be correct when all levels have been
verified. Second, when verifying a particular level, all
subsystems on other levels may be abstracted thus reducing
the number of states in the system and, consequently, the
complexity and computational requirements of verification.
Following the bottom-up approach, we present a high-level
verification algorithm for a hierarchal hybrid system. This
algorithm, along with the state machine description
converter that allows Teja NP hybrid systems to be semi-
automatically imported into Uppaal, results in a tightly
coupled design/verification process. This allows for
verification to be integrated into the design process resulting
in high-level controllers that are guaranteed to satisfy a set
of requirements.
   Examples of verification in Uppaal for an AUV hybrid
mission controller that has been designed in Teja NP are
provided to illustrate the design/verification procedure.

[1]       Tangirala, S., Kumar, R., Bhattacharyya, S., O’Connor, M., and
          Holloway, L.E., “Hybrid-Model based Hierarchical Mission Control
          Architecture for Autonomous Underwater Vehicles”, Proceedings
          from the American Control Conference, 2005.
[2]       Alur, R., Henzinger, T., Lafferriere, G., and Pappas, G., “Discrete
          Abstractions of Hybrid Systems”, Proceedings of the IEEE, v 88, n 7,
          July 2000.

                                          Preprint submitted to 2006 American Control Conference.
                                                      Received September 23, 2005.

To top