Post on 20-Mar-2022
Verified Traffic Networks: Component-based Verification of
Cyber-Physical Flow SystemsAndreas Mül ler – andreas.muel ler@jku.at
Stefan Mitsch - stefan.mitsch@jku.at
J o h a n n e s Ke p l e r U n i v e rs i t y, L i n z
D e p a r t m e n t o f C o o p e ra t i v e I n fo r m a t i o n Sy st e m s ( C I S )
h t t p : / / c i s . j ku . a t /
André P latzer - ap latzer@cs.cmu.edu
C a r n e g i e M e l l o n U n i v e rs i t y, P i t t s b u rg h
C o m p u t e r S c i e n c e D e p a r t m e n t
h t t p : / / w w w. l s . c s . c m u . e d u /
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Overview
Introduction
Challenges
Approach
Implementation
Conclusion
2
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
3
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
3
- - - - - - - - - - - - - - - - - - - - - - -
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
3
- - - - - - - - - - - - - - - - - - - - - - -
adapt interval
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
3
- - - - - - - - - - - - - - - - - - - - - - -
adapt intervalset speed limit
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity
3
- - - - - - - - - - - - - - - - - - - - - - -
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity
3
- - - - - - - - - - - - - - - - - - - - - - -
load
capacity
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity
3
- - - - - - - - - - - - - - - - - - - - - - -
load
capacity
load ≤ capacity
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity
3
- - - - - - - - - - - - - - - - - - - - - - -
capacity
load
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity
3
- - - - - - - - - - - - - - - - - - - - - - -
capacity
load
load ≥ capacity
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity
Property: Starting in safe state, all runs stay in safe state
3
- - - - - - - - - - - - - - - - - - - - - - -
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity Property: Starting in safe state, all runs stay in safe state
Cyber-physical systems (CPS) Cyber and physical capabilities Continuous physical-part: traffic flow Discrete cyber-part: traffic light switching
3
- - - - - - - - - - - - - - - - - - - - - - -
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity Property: Starting in safe state, all runs stay in safe state
Cyber-physical systems (CPS) Cyber and physical capabilities Continuous physical-part: traffic flow Discrete cyber-part: traffic light switching
3
- - - - - - - - - - - - - - - - - - - - - - -
𝑙𝑜𝑎𝑑′ = 𝑡𝑙𝑡𝑙 ≔ 𝑟𝑒𝑑/𝑔𝑟𝑒𝑒𝑛
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity Property: Starting in safe state, all runs stay in safe state
Cyber-physical systems (CPS) Cyber and physical capabilities Continuous physical-part: traffic flow Discrete cyber-part: traffic light switching
Methods to analyze models of CPS Simulation and Testing (analyze some runs): good for complex phenomena Verification (mathematically prove correctness of all runs): simplified models
3
- - - - - - - - - - - - - - - - - - - - - - -
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial
Safety No traffic breakdown=load never exceeds capacity Property: Starting in safe state, all runs stay in safe state
Cyber-physical systems (CPS) Cyber and physical capabilities Continuous physical-part: traffic flow Discrete cyber-part: traffic light switching
Methods to analyze models of CPS Simulation and Testing (analyze some runs): good for complex phenomena Verification (mathematically prove correctness of all runs): simplified models
3
- - - - - - - - - - - - - - - - - - - - - - -
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
or
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
∪
or
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
∪
→
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
→
≤ → 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡 ≤
or
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
∪
→
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
→
≤ → 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡 ≤
…
or
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
∪
→
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
→
≤ → 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡 ≤
∧ →
≤ ∧ 𝑟𝑒𝑑 → 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤ …𝑖𝑓
or
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
∪
→
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
→
≤ → 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡 ≤
∧ →
≤ ∧ 𝑟𝑒𝑑 → 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
[′]…
…𝑖𝑓
or
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Introduction – Verification
VerificationTransform property by user-guided application of proof rules
Starting in safe state, all runs stay in safe state
Example
4
- - - - - - - - - - - - - - - - - -
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
- - - - - - - - - - - - - - - - - -
≤
∪
→
≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
→
≤ → 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡 ≤
∧ →
≤ ∧ 𝑟𝑒𝑑 → 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤
[′]…
…𝑖𝑓
or
VerificationOne rule application/proof step per statement
Not fully automatable
Tool support: KeYmaeraTheorem prover
Some automation
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are largeVerification for large systems is
challenging
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are largeVerification for large systems is
challenging
5
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are largeVerification for large systems is
challenging
6
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
6
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large Any change to the model requires full re-verificationRe-verification only for affected parts
7
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large Any change to the model requires full re-verificationRe-verification only for affected parts
7
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
Any change to the model requires full re-verification
8
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
Any change to the model requires full re-verification
Systems often consist of multiple similar patterns Redundancy should be utilized in verification
9
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
Any change to the model requires full re-verification
Systems often consist of multiple similar patterns Redundancy should be utilized in verification
9
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
33
Real systems are large
Any change to the model requires full re-verification
Systems often consist ofmultiple similar patterns Redundancy should be utilized in verification
10
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
34
Real systems are large
Any change to the model requires full re-verification
Systems often consist ofmultiple similar patterns
10
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
Any change to the model requires full re-verification
Systems often consist of multiple similar patterns
Component-based modeling
11
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
Any change to the model requires full re-verification
Systems often consist of multiple similar patterns
Component-based modeling
11
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Real systems are large
Any change to the model requires full re-verification
Systems often consist of multiple similar patterns
Component-based modeling Verified components do not necessarily entail
verified system
11
Challenges
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Component-based modeling Verified components do not
necessarily entail verified system
12
Challenges
Real systems are large
Any change to the model requires full re-verification
Systems often consist of multiple similar patterns
How do verification results about traffic flow components transfer
to entire traffic networks?
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
ApproachComponent-based VerificationVerified Components and Verified CompositionComposition comes down to arithmetic checks
Process(1) Model component types(2) Verify safety conditions for each type
and their compositionNo traffic breakdown
(3) Compose component instances to form system model
Check arithmetic constraints
Result Fully verified system model
13
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
ApproachComponent-based VerificationVerified Components and Verified CompositionComposition comes down to arithmetic checks
Process(1) Model component types(2) Verify safety conditions for each type
and their compositionNo traffic breakdown
(3) Compose component instances to form system model
Check arithmetic constraints
Result Fully verified system model
13
• Once per type• Verification expert
• Once per network• Traffic expert
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Generic component Inflows
(load, capacity, actual, max)
Outflows (actual, max)
Controller
Approach – Components
14
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Traffic Light
- - - - - - - - - - - - - - - - - - -
Generic component Inflows
(load, capacity, actual, max)
Outflows (actual, max)
Controller
Example:
Approach – Components
14
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Traffic Light
- - - - - - - - - - - - - - - - - - -
Generic component Inflows
(load, capacity, actual, max)
Outflows (actual, max)
Controller
Example:
Approach – Components
Traffic Light Component
𝑖𝑛𝑚𝑎𝑥
𝑖𝑓 𝑟𝑒𝑑𝑙𝑜𝑎𝑑′ = 𝑖𝑛
∪𝑖𝑓 𝑔𝑟𝑒𝑒𝑛
𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡
load
capInflows Outflows
𝑖𝑛𝑎𝑐𝑡 𝑜𝑢𝑡𝑎𝑐𝑡 𝑜𝑢𝑡𝑚𝑎𝑥
Co
ntro
ller
14
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Generic component Inflows
(load, capacity, actual, max)
Outflows (actual, max)
Controller
Component typesTraffic light (one in, one out)
Flow merge (two in, one out)
Flow split (one in, two out)
Approach – Components
14
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Safety Properties
Safety Property: No traffic breakdown occursNo load ever exceeds its capacity
Must once be verified for each component type
15
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Safety Properties
Safety Property: No traffic breakdown occursNo load ever exceeds its capacity
Must once be verified for each component type
Contracts
𝑐𝑎𝑝 ≥ max 𝑇𝑟𝑔 ∗ 𝑖𝑚𝑎𝑥, 𝑇 ∗ 𝑖𝑚𝑎𝑥 −max 0, 𝑜𝑚𝑎𝑥 ∗𝑇 − 𝑇𝑟𝑔
2→ ℎ𝑝𝑡𝑙 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑 ≤ 𝑐𝑎𝑝
𝑐𝑎𝑝1 ≥ 𝑇 ∗ 𝑖1𝑚𝑎𝑥 ∧ 𝑐𝑎𝑝2 ≥ 𝑇 ∗ 𝑖2𝑚𝑎𝑥 → ℎ𝑝𝑚 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑1 ≤ 𝑐𝑎𝑝1 ∧ 𝑙𝑜𝑎𝑑2 ≤ 𝑐𝑎𝑝2
𝑐𝑎𝑝 ≥ max 0, 𝑇 ∗ 𝑖𝑚𝑎𝑥 −min 𝑜1𝑚𝑎𝑥, 𝑜2𝑚𝑎𝑥 → ℎ𝑝𝑠 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑 ≤ 𝑐𝑎𝑝
15
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Safety Properties
Safety Property: No traffic breakdown occursNo load ever exceeds its capacity
Must once be verified for each component type
Contracts
𝑐𝑎𝑝 ≥ max 𝑇𝑟𝑔 ∗ 𝑖𝑚𝑎𝑥, 𝑇 ∗ 𝑖𝑚𝑎𝑥 −max 0, 𝑜𝑚𝑎𝑥 ∗𝑇 − 𝑇𝑟𝑔
2→ ℎ𝑝𝑡𝑙 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑 ≤ 𝑐𝑎𝑝
𝑐𝑎𝑝1 ≥ 𝑇 ∗ 𝑖1𝑚𝑎𝑥 ∧ 𝑐𝑎𝑝2 ≥ 𝑇 ∗ 𝑖2𝑚𝑎𝑥 → ℎ𝑝𝑚 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑1 ≤ 𝑐𝑎𝑝1 ∧ 𝑙𝑜𝑎𝑑2 ≤ 𝑐𝑎𝑝2
𝑐𝑎𝑝 ≥ max 0, 𝑇 ∗ 𝑖𝑚𝑎𝑥 −min 𝑜1𝑚𝑎𝑥, 𝑜2𝑚𝑎𝑥 → ℎ𝑝𝑠 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑 ≤ 𝑐𝑎𝑝
15
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Composition
Compose componentsConnect Outputs to Inputs
Flow is passed on
≤ 𝑜𝑚𝑎𝑥
Both components safe
→Composition is again a safe component
Rebuild overall networkCompose components until
desired network is rebuilt
Check if condition fulfilled
C1 C2
16
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Composition
Compose componentsConnect Outputs to Inputs
Flow is passed on
≤ 𝑜𝑚𝑎𝑥
Both components safe
→Composition is again a safe component
Rebuild overall networkCompose components until
desired network is rebuilt
Check if condition fulfilled
C1 C2
16
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Composition
Compose componentsConnect Outputs to Inputs
Flow is passed on
≤ 𝑜𝑚𝑎𝑥
Both components safe
→Composition is again a safe component
Rebuild overall networkCompose components until
desired network is rebuilt
Check if condition fulfilled
C1 C2C3
16
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Composition
Compose componentsConnect Outputs to Inputs
Flow is passed on
≤ 𝑜𝑚𝑎𝑥
Both components safe
→Composition is again a safe component
Rebuild overall networkCompose components until
desired network is rebuilt
Check if condition fulfilled
C1 C2C3
16
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Composition𝑜 𝑚𝑎𝑥 𝑜𝑜 𝑜 𝑚𝑎𝑥 𝑚𝑚𝑎𝑎𝑥𝑥 𝑜 𝑚𝑎𝑥
Compose components Connect Outputs to Inputs Flow is passed on
Theorem: Preserve Safety Both components safe→Composition is again
a safe component→Composition is again
a safe component
Rebuild overall network Compose components until
desired network is rebuilt Check if condition fulfilled
C1 C2C3
16
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Approach – Composition𝑜 𝑚𝑎𝑥 𝑜𝑜 𝑜 𝑚𝑎𝑥 𝑚𝑚𝑎𝑎𝑥𝑥 𝑜 𝑚𝑎𝑥
Compose componentsConnect Outputs to Inputs Flow is passed on
Theorem: Preserve SafetyBoth components safe→Composition is again
a safe component
Rebuild overall networkCompose components until
desired network is rebuiltCheck if condition fulfilledCheck if condition fulfilled
C1 C2C3
16
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Implementation – SAFE-T
Network Graph
Add components
Connect components (automatic compatibility check)
ExtensibleComponent Library
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Implementation – SAFE-T
Network Graph
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Implementation – SAFE-T
Network Graph
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Implementation – SAFE-T
Load Graph
Time Slider
AnalysisPanel
t=7: OVERFLOW@‘C1‘
load=10.0…
Analyze model:How long is it safe?
Simulate Model:How do loads change over time?
Analyze model:Which components overflows first?
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Traffic NetworkX Traffic lights
Y Flow Splits
Z Flow Merges
N Connections
Conclusion
Monolithic Component-based
Number of Proofs 1(presumably large)
3 + N Checks(traffic light/split/merge)
Model Size # Variables X*6 + Y*6 + Z*7 6/6/7
LoC X*60 + Y*50 + Z*50 60/50/50
Connect… …Components Reproof of Composite Arithmetic Check
Change… …Component or Properties Reproof Entire Model Redo Arithmetic Checks
…Connections Reproof Entire Model Redo Arithmetic Checks
Add… …Component Type Reproof Entire Model Reproof Component Model
20
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Example Network5 Traffic lights
5 Flow Splits
5 Flow Merges
10 Connections
Conclusion
Monolithic Component-based
Number of Proofs 1 3 + 10 Checks(traffic light/split/merge)
Model Size # Variables 95 6/6/7
LoC 800 60/50/50
Connect… …Components Reproof of Composite Arithmetic Check
Change… …Component or Properties Reproof Entire Model Redo Arithmetic Checks
…Connections Reproof Entire Model Redo Arithmetic Checks
Add… …Component Type Reproof Entire Model Reproof Component Model
21
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Example Network5 Traffic lights
5 Flow Splits
5 Flow Merges
10 Connections
Conclusion
Monolithic Component-based
Number of Proofs 1 3 + 10 Checks(traffic light/split/merge)
Model Size # Variables 95 6/6/7
LoC 800 60/50/50
Connect… …Components Reproof of Composite Arithmetic Check
Change… …Component or Properties Reproof Entire Model Redo Arithmetic Checks
…Connections Reproof Entire Model Redo Arithmetic Checks
Add… …Component Type Reproof Entire Model Reproof Component Model
21
AdvantagesSmall proofs & checks instead of one huge proof
Increased reusability
Easy model evolution
LimitationSimplified models
THANKS FOR YOUR ATTENTION!
22
Verified Traffic Networks: Component-based Verification of
Cyber-Physical Flow Systems
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Related WorkComponent-based CPS modeling and verification Few handle discrete and continuous CPS aspects Formal verification is not consideredE.g.: Damm et al. [1], Henzinger et al. [2]
Traffic modelsPlethora of modelsMostly purely continuousVerification not consideredE.g.: Greenshields et al. [3], Lighthill et al. [4]
Intelligent traffic management systems Support traffic operatorsComplementary to our approachE.g.: Baumgartner et al. [5], Almejalli et al. [6]
[1] Damm, W.; et al. (2010): Towards Component BasedDesign of Hybrid Systems: Safety and Stability. In: Time forVerification. Springer Berlin Heidelberg.[2] Henzinger, T.; et al. (2001): Assume-Guarantee Reasoning for Hierarchical Hybrid Systems. In: Hybrid Systems: Computation and Control. Springer Berlin Heidelberg.[3] Greenshields, B. D.; et al. (1933): The Photographic Method of Studying Traffic Behavior. In: Proceedings of the 13th Annual Meeting of the Highway Research Board.[4] Lighthill, M. J.;et al. (1955): On Kinematic Waves. II. A Theory of Traffic Flow on Long Crowded Roads. In: Proceedings of the Royal Society of London.[5] Baumgartner, N.; et al. (2014): A Tour of BeAware! – A situation awareness framework for control centers. In: Information Fusion 20.[6] Almejalli, K.; et al. (2007): Intelligent Traffic Control Decision Support System. In: Applications of EvolutionaryComputing. Springer Berlin Heidelberg.
23
Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015
Future Work
Consider traffic phenomena (e.g., shock-waves)
Introduce further components
Automatically transform networks into components and compositions
Generic Component DefinitionsCurrently work-in-progress
24