ModelPlex: Verified Runtime Validation of Verified Cyber-Physical System Models

  • Stefan Mitsch
  • André Platzer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8734)

Abstract

Formal verification and validation play a crucial role in making cyber-physical systems (CPS) safe. Formal methods make strong guarantees about the system behavior if accurate models of the system can be obtained, including models of the controller and of the physical dynamics. In CPS, models are essential; but any model we could possibly build necessarily deviates from the real world. If the real system fits to the model, its behavior is guaranteed to satisfy the correctness properties verified w.r.t. the model. Otherwise, all bets are off. This paper introduces ModelPlex, a method ensuring that verification results about models apply to CPS implementations. ModelPlex provides correctness guarantees for CPS executions at runtime: it combines offline verification of CPS models with runtime validation of system executions for compliance with the model. ModelPlex ensures that the verification results obtained for the model apply to the actual system runs by monitoring the behavior of the world for compliance with the model, assuming the system dynamics deviation is bounded. If, at some point, the observed behavior no longer complies with the model so that offline verification results no longer apply, ModelPlex initiates provably safe fallback actions. This paper, furthermore, develops a systematic technique to synthesize provably correct monitors automatically from CPS proofs in differential dynamic logic.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Aiello, A.M., Berryman, J.F., Grohs, J.R., Schierman, J.D.: Run-time assurance for advanced flight-critical control systems. In: AIAA Guidance, Nav. and Control Conf. AIAA (2010)Google Scholar
  2. 2.
    Alur, R., Bodík, R., Juniwal, G., Martin, M.M.K., Raghothaman, M., Seshia, S.A., Singh, R., Solar-Lezama, A., Torlak, E., Udupa, A.: Syntax-guided synthesis. In: FMCAD, pp. 1–17. IEEE (2013)Google Scholar
  3. 3.
    Bak, S., Greer, A., Mitra, S.: Hybrid cyberphysical system verification with Simplex using discrete abstractions. In: Caccamo, M. (ed.) IEEE Real-Time and Embedded Technology and Applications Symposium, pp. 143–152. IEEE Computer Society (2010)Google Scholar
  4. 4.
    Bartocci, E., Grosu, R., Karmarkar, A., Smolka, S.A., Stoller, S.D., Zadok, E., Seyster, J.: Adaptive runtime verification. In: Qadeer, S., Tasiran, S. (eds.) RV 2012. LNCS, vol. 7687, pp. 168–182. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  5. 5.
    Blech, J.O., Falcone, Y., Becker, K.: Towards certified runtime verification. In: Aoki, T., Taguchi, K. (eds.) ICFEM 2012. LNCS, vol. 7635, pp. 494–509. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. 6.
    Cimatti, A., Mover, S., Tonetta, S.: SMT-based scenario verification for hybrid systems. Formal Methods in System Design 42(1), 46–66 (2013)CrossRefMATHGoogle Scholar
  7. 7.
    Collins, G.E., Hong, H.: Partial cylindrical algebraic decomposition for quantifier elimination. J. Symb. Comput. 12(3), 299–328 (1991)MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Daigle, M.J., Roychoudhury, I., Biswas, G., Koutsoukos, X.D., Patterson-Hine, A., Poll, S.: A comprehensive diagnosis methodology for complex hybrid systems: A case study on spacecraft power distribution systems. IEEE Transactions on Systems, Man, and Cybernetics, Part A 40(5), 917–931 (2010)CrossRefGoogle Scholar
  9. 9.
    D’Angelo, B., Sankaranarayanan, S., Sánchez, C., Robinson, W., Finkbeiner, B., Sipma, H.B., Mehrotra, S., Manna, Z.: LOLA: Runtime monitoring of synchronous systems. In: TIME, pp. 166–174. IEEE Computer Society (2005)Google Scholar
  10. 10.
    Donzé, A., Ferrère, T., Maler, O.: Efficient robust monitoring for STL. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 264–279. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  11. 11.
    Ehlers, R., Finkbeiner, B.: Monitoring realizability. In: Khurshid, S., Sen, K. (eds.) RV 2011. LNCS, vol. 7186, pp. 427–441. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  12. 12.
    Frehse, G., et al.: SpaceEx: Scalable verification of hybrid systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 379–395. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. 13.
    Gao, S., Kong, S., Clarke, E.M.: dReal: An SMT solver for nonlinear theories over the reals. In: Bonacina, M.P. (ed.) CADE 2013. LNCS (LNAI), vol. 7898, pp. 208–214. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  14. 14.
    Havelund, K., Roşu, G.: Efficient monitoring of safety properties. STTT 6(2), 158–173 (2004)CrossRefGoogle Scholar
  15. 15.
    Kalajdzic, K., Bartocci, E., Smolka, S.A., Stoller, S.D., Grosu, R.: Runtime verification with particle filtering. In: Legay, A., Bensalem, S. (eds.) RV 2013. LNCS, vol. 8174, pp. 149–166. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  16. 16.
    Leucker, M., Schallhart, C.: A brief account of runtime verification. J. Log. Algebr. Program. 78(5), 293–303 (2009)CrossRefMATHGoogle Scholar
  17. 17.
    Liu, X., Wang, Q., Gopalakrishnan, S., He, W., Sha, L., Ding, H., Lee, K.: ORTEGA: An efficient and flexible online fault tolerance architecture for real-time control systems. IEEE Trans. Industrial Informatics 4(4), 213–224 (2008)CrossRefGoogle Scholar
  18. 18.
    Loos, S.M., Platzer, A., Nistor, L.: Adaptive cruise control: Hybrid, distributed, and now formally verified. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 42–56. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. 19.
    McIlraith, S.A., Biswas, G., Clancy, D., Gupta, V.: Hybrid systems diagnosis. In: Lynch, N.A., Krogh, B.H. (eds.) HSCC 2000. LNCS, vol. 1790, pp. 282–295. Springer, Heidelberg (2000)Google Scholar
  20. 20.
    Meredith, P.O., Jin, D., Griffith, D., Chen, F., Roşu, G.: An overview of the MOP runtime verification framework. STTT 14(3), 249–289 (2012)CrossRefGoogle Scholar
  21. 21.
    Meredith, P., Roşu, G.: Runtime verification with the RV system. In: Barringer, H., et al. (eds.) RV 2010. LNCS, vol. 6418, pp. 136–152. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  22. 22.
    Mitsch, S., Ghorbal, K., Platzer, A.: On provably safe obstacle avoidance for autonomous robotic ground vehicles. In: Robotics: Science and Systems (2013)Google Scholar
  23. 23.
    Mitsch, S., Loos, S.M., Platzer, A.: Towards formal verification of freeway traffic control. In: Lu, C. (ed.) ICCPS, pp. 171–180. IEEE (2012)Google Scholar
  24. 24.
    Mitsch, S., Passmore, G.O., Platzer, A.: Collaborative verification-driven engineering of hybrid systems. J. Math. in Computer Science (2014)Google Scholar
  25. 25.
    Mitsch, S., Platzer, A.: ModelPlex: Verified runtime validation of verified cyber-physical system models. Tech. Rep. CMU-CS-14-121, Carnegie Mellon (2014)Google Scholar
  26. 26.
    Nickovic, D., Maler, O.: AMT: A property-based monitoring tool for analog systems. In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 304–319. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  27. 27.
    Platzer, A.: Differential dynamic logic for hybrid systems. J. Autom. Reas. 41(2), 143–189 (2008)MathSciNetCrossRefMATHGoogle Scholar
  28. 28.
    Platzer, A.: Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. 20(1), 309–352 (2010); advance access published on November 18, 2008Google Scholar
  29. 29.
    Platzer, A.: Logical Analysis of Hybrid Systems. Springer (2010)Google Scholar
  30. 30.
    Platzer, A.: The structure of differential invariants and differential cut elimination. Logical Methods in Computer Science 8(4) (2011)Google Scholar
  31. 31.
    Platzer, A.: The complete proof theory of hybrid systems. In: LICS. IEEE (2012)Google Scholar
  32. 32.
    Platzer, A.: Logics of dynamical systems. In: LICS, pp. 13–24. IEEE (2012)Google Scholar
  33. 33.
    Platzer, A., Clarke, E.M.: The image computation problem in hybrid systems model checking. In: Bemporad, A., Bicchi, A., Buttazzo, G. (eds.) HSCC 2007. LNCS, vol. 4416, pp. 473–486. Springer, Heidelberg (2007)Google Scholar
  34. 34.
    Platzer, A., Quesel, J.-D.: KeYmaera: A hybrid theorem prover for hybrid systems. In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 171–178. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  35. 35.
    Platzer, A., Quesel, J.-D.: European Train Control System: A case study in formal verification. In: Breitman, K., Cavalcanti, A. (eds.) ICFEM 2009. LNCS, vol. 5885, pp. 246–265. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  36. 36.
    Seto, D., Krogh, B., Sha, L., Chutinan, A.: The Simplex architecture for safe online control system upgrades. In: American Control Conference, pp. 3504–3508 (1998)Google Scholar
  37. 37.
    Shannon, C.: Communication in the presence of noise. Proc. of the IRE 37(1), 10–21 (1949)MathSciNetCrossRefGoogle Scholar
  38. 38.
    Srivastava, A.N., Schumann, J.: Software health management: a necessity for safety critical systems. ISSE 9(4), 219–233 (2013)Google Scholar
  39. 39.
    Wang, D., Yu, M., Low, C.B., Arogeti, S.: Model-based Health Monitoring of Hybrid Systems. Springer (2013)Google Scholar
  40. 40.
    Wang, S., Ayoub, A., Sokolsky, O., Lee, I.: Runtime verification of traces under recording uncertainty. In: Khurshid, S., Sen, K. (eds.) RV 2011. LNCS, vol. 7186, pp. 442–456. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  41. 41.
    Zhao, F., Koutsoukos, X.D., Haussecker, H.W., Reich, J., Cheung, P.: Monitoring and fault diagnosis of hybrid systems. IEEE Transactions on Systems, Man, and Cybernetics, Part B 35(6), 1225–1240 (2005)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Stefan Mitsch
    • 1
  • André Platzer
    • 1
  1. 1.Computer Science DepartmentCarnegie Mellon UniversityPittsburghUSA

Personalised recommendations