Verified Traffic Networks: Component-based Verification of ...

Verified Traffic Networks: Component-based Verification of

Cyber-Physical Flow SystemsAndreas Mül ler – andreas.muel [email protected]

Stefan Mitsch - [email protected]

J o h a n n e s Ke p l e r U n i v e rs i t y, L i n z

D e p a r t m e n t o f C o o p e ra t i v e I n fo r m a t i o n Sy st e m s ( C I S )

h t t p : / / c i s . j ku . a t /

André P latzer - ap [email protected]

C a r n e g i e M e l l o n U n i v e rs i t y, P i t t s b u rg h

C o m p u t e r S c i e n c e D e p a r t m e n t

h t t p : / / w w w. l s . c s . c m u . e d u /

mailto:[email protected]


http://cis.jku.at/


http://www.ls.cs.cmu.edu/

Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015

Overview

Introduction

Challenges

Approach

Implementation

Conclusion

2


Introduction – Traffic ManagementTraffic Management System Operate traffic through control actions→Safety of critical actions is crucial

3



3

- - - - - - - - - - - - - - - - - - - - - - -



3

- - - - - - - - - - - - - - - - - - - - - - -

adapt interval



3

- - - - - - - - - - - - - - - - - - - - - - -

adapt intervalset speed limit



Safety No traffic breakdown=load never exceeds capacity

3

- - - - - - - - - - - - - - - - - - - - - - -




3

- - - - - - - - - - - - - - - - - - - - - - -

load

capacity




3

- - - - - - - - - - - - - - - - - - - - - - -

load

capacity

load ≤ capacity




3

- - - - - - - - - - - - - - - - - - - - - - -

capacity

load




3

- - - - - - - - - - - - - - - - - - - - - - -

capacity

load

load ≥ capacity




Property: Starting in safe state, all runs stay in safe state

3

- - - - - - - - - - - - - - - - - - - - - - -



Safety No traffic breakdown=load never exceeds capacity Property: Starting in safe state, all runs stay in safe state

Cyber-physical systems (CPS) Cyber and physical capabilities Continuous physical-part: traffic flow Discrete cyber-part: traffic light switching

3

- - - - - - - - - - - - - - - - - - - - - - -





3

- - - - - - - - - - - - - - - - - - - - - - -

𝑙𝑜𝑎𝑑′ = 𝑡𝑙𝑡𝑙 ≔ 𝑟𝑒𝑑/𝑔𝑟𝑒𝑒𝑛





Methods to analyze models of CPS Simulation and Testing (analyze some runs): good for complex phenomena Verification (mathematically prove correctness of all runs): simplified models

3

- - - - - - - - - - - - - - - - - - - - - - -


Introduction – Verification

VerificationTransform property by user-guided application of proof rules

Starting in safe state, all runs stay in safe state

Example

4

- - - - - - - - - - - - - - - - - -

≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ∪ 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡

- - - - - - - - - - - - - - - - - -

≤

or





Example

4

- - - - - - - - - - - - - - - - - -


- - - - - - - - - - - - - - - - - -

≤

∪

or





Example

4

- - - - - - - - - - - - - - - - - -


- - - - - - - - - - - - - - - - - -

≤

∪

→

≤ → 𝑖𝑓 𝑟𝑒𝑑 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤

→

≤ → 𝑖𝑓 𝑔𝑟𝑒𝑒𝑛 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡 ≤

or





Example

4

- - - - - - - - - - - - - - - - - -


- - - - - - - - - - - - - - - - - -

≤

∪

→


→


…

or





Example

4

- - - - - - - - - - - - - - - - - -


- - - - - - - - - - - - - - - - - -

≤

∪

→


→


∧ →

≤ ∧ 𝑟𝑒𝑑 → 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤ …𝑖𝑓

or





Example

4

- - - - - - - - - - - - - - - - - -


- - - - - - - - - - - - - - - - - -

≤

∪

→


→


∧ →

≤ ∧ 𝑟𝑒𝑑 → 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤

[′]…

…𝑖𝑓

or





Example

4

- - - - - - - - - - - - - - - - - -


- - - - - - - - - - - - - - - - - -

≤

∪

→


→


∧ →

≤ ∧ 𝑟𝑒𝑑 → 𝑙𝑜𝑎𝑑′ = 𝑖𝑛 ≤

[′]…

…𝑖𝑓

or

VerificationOne rule application/proof step per statement

Not fully automatable

Tool support: KeYmaeraTheorem prover

Some automation


Real systems are largeVerification for large systems is

challenging

Challenges



challenging

5

Challenges



challenging

6

Challenges


Real systems are large

6

Challenges


Real systems are large Any change to the model requires full re-verificationRe-verification only for affected parts

7

Challenges



Any change to the model requires full re-verification

8

Challenges




Systems often consist of multiple similar patterns Redundancy should be utilized in verification

9

Challenges


33



Systems often consist ofmultiple similar patterns Redundancy should be utilized in verification

10

Challenges


34



Systems often consist ofmultiple similar patterns

10

Challenges




Systems often consist of multiple similar patterns

Component-based modeling

11

Challenges





Component-based modeling Verified components do not necessarily entail

verified system

11

Challenges


Component-based modeling Verified components do not

necessarily entail verified system

12

Challenges




How do verification results about traffic flow components transfer

to entire traffic networks?


ApproachComponent-based VerificationVerified Components and Verified CompositionComposition comes down to arithmetic checks

Process(1) Model component types(2) Verify safety conditions for each type

and their compositionNo traffic breakdown

(3) Compose component instances to form system model

Check arithmetic constraints

Result Fully verified system model

13


ApproachComponent-based VerificationVerified Components and Verified CompositionComposition comes down to arithmetic checks

Process(1) Model component types(2) Verify safety conditions for each type

and their compositionNo traffic breakdown

(3) Compose component instances to form system model

Check arithmetic constraints

Result Fully verified system model

13

• Once per type• Verification expert

• Once per network• Traffic expert


Generic component Inflows

(load, capacity, actual, max)

Outflows (actual, max)

Controller

Approach – Components

14


Traffic Light

- - - - - - - - - - - - - - - - - - -




Controller

Example:


14


Traffic Light

- - - - - - - - - - - - - - - - - - -




Controller

Example:


Traffic Light Component

𝑖𝑛𝑚𝑎𝑥

𝑖𝑓 𝑟𝑒𝑑𝑙𝑜𝑎𝑑′ = 𝑖𝑛

∪𝑖𝑓 𝑔𝑟𝑒𝑒𝑛

𝑙𝑜𝑎𝑑′ = 𝑖𝑛 − 𝑜𝑢𝑡

load

capInflows Outflows

𝑖𝑛𝑎𝑐𝑡 𝑜𝑢𝑡𝑎𝑐𝑡 𝑜𝑢𝑡𝑚𝑎𝑥

Co

ntro

ller

14





Controller

Component typesTraffic light (one in, one out)

Flow merge (two in, one out)

Flow split (one in, two out)


14


Approach – Safety Properties

Safety Property: No traffic breakdown occursNo load ever exceeds its capacity

Must once be verified for each component type

15


Approach – Safety Properties

Safety Property: No traffic breakdown occursNo load ever exceeds its capacity

Must once be verified for each component type

Contracts

𝑐𝑎𝑝 ≥ max 𝑇𝑟𝑔 ∗ 𝑖𝑚𝑎𝑥, 𝑇 ∗ 𝑖𝑚𝑎𝑥 −max 0, 𝑜𝑚𝑎𝑥 ∗𝑇 − 𝑇𝑟𝑔

2→ ℎ𝑝𝑡𝑙 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑 ≤ 𝑐𝑎𝑝

𝑐𝑎𝑝1 ≥ 𝑇 ∗ 𝑖1𝑚𝑎𝑥 ∧ 𝑐𝑎𝑝2 ≥ 𝑇 ∗ 𝑖2𝑚𝑎𝑥 → ℎ𝑝𝑚 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑1 ≤ 𝑐𝑎𝑝1 ∧ 𝑙𝑜𝑎𝑑2 ≤ 𝑐𝑎𝑝2

𝑐𝑎𝑝 ≥ max 0, 𝑇 ∗ 𝑖𝑚𝑎𝑥 −min 𝑜1𝑚𝑎𝑥, 𝑜2𝑚𝑎𝑥 → ℎ𝑝𝑠 𝑡 ≤ 𝑇 → 𝑙𝑜𝑎𝑑 ≤ 𝑐𝑎𝑝

15


Approach – Composition

Compose componentsConnect Outputs to Inputs

Flow is passed on

≤ 𝑜𝑚𝑎𝑥

Both components safe

→Composition is again a safe component

Rebuild overall networkCompose components until

desired network is rebuilt

Check if condition fulfilled

C1 C2

16


Approach – Composition

Compose componentsConnect Outputs to Inputs

Flow is passed on

≤ 𝑜𝑚𝑎𝑥

Both components safe

→Composition is again a safe component


desired network is rebuilt

Check if condition fulfilled

C1 C2C3

16


Approach – Composition𝑜 𝑚𝑎𝑥 𝑜𝑜 𝑜 𝑚𝑎𝑥 𝑚𝑚𝑎𝑎𝑥𝑥 𝑜 𝑚𝑎𝑥

Compose components Connect Outputs to Inputs Flow is passed on

Theorem: Preserve Safety Both components safe→Composition is again

a safe component→Composition is again

a safe component

Rebuild overall network Compose components until

desired network is rebuilt Check if condition fulfilled

C1 C2C3

16


Approach – Composition𝑜 𝑚𝑎𝑥 𝑜𝑜 𝑜 𝑚𝑎𝑥 𝑚𝑚𝑎𝑎𝑥𝑥 𝑜 𝑚𝑎𝑥

Compose componentsConnect Outputs to Inputs Flow is passed on

Theorem: Preserve SafetyBoth components safe→Composition is again

a safe component


desired network is rebuiltCheck if condition fulfilledCheck if condition fulfilled

C1 C2C3

16


Implementation – SAFE-T

Network Graph

Add components

Connect components (automatic compatibility check)

ExtensibleComponent Library



Network Graph



Load Graph

Time Slider

AnalysisPanel

t=7: OVERFLOW@‘C1‘

load=10.0…

Analyze model:How long is it safe?

Simulate Model:How do loads change over time?

Analyze model:Which components overflows first?


Traffic NetworkX Traffic lights

Y Flow Splits

Z Flow Merges

N Connections

Conclusion

Monolithic Component-based

Number of Proofs 1(presumably large)

3 + N Checks(traffic light/split/merge)

Model Size # Variables X*6 + Y*6 + Z*7 6/6/7

LoC X*60 + Y*50 + Z*50 60/50/50

Connect… …Components Reproof of Composite Arithmetic Check

Change… …Component or Properties Reproof Entire Model Redo Arithmetic Checks

…Connections Reproof Entire Model Redo Arithmetic Checks

Add… …Component Type Reproof Entire Model Reproof Component Model

20


Example Network5 Traffic lights

5 Flow Splits

5 Flow Merges

10 Connections

Conclusion


Number of Proofs 1 3 + 10 Checks(traffic light/split/merge)

Model Size # Variables 95 6/6/7

LoC 800 60/50/50





21


Example Network5 Traffic lights

5 Flow Splits

5 Flow Merges

10 Connections

Conclusion


Number of Proofs 1 3 + 10 Checks(traffic light/split/merge)

Model Size # Variables 95 6/6/7

LoC 800 60/50/50





21

AdvantagesSmall proofs & checks instead of one huge proof

Increased reusability

Easy model evolution

LimitationSimplified models

THANKS FOR YOUR ATTENTION!

22

Verified Traffic Networks: Component-based Verification of

Cyber-Physical Flow Systems


Related WorkComponent-based CPS modeling and verification Few handle discrete and continuous CPS aspects Formal verification is not consideredE.g.: Damm et al. [1], Henzinger et al. [2]

Traffic modelsPlethora of modelsMostly purely continuousVerification not consideredE.g.: Greenshields et al. [3], Lighthill et al. [4]

Intelligent traffic management systems Support traffic operatorsComplementary to our approachE.g.: Baumgartner et al. [5], Almejalli et al. [6]

[1] Damm, W.; et al. (2010): Towards Component BasedDesign of Hybrid Systems: Safety and Stability. In: Time forVerification. Springer Berlin Heidelberg.[2] Henzinger, T.; et al. (2001): Assume-Guarantee Reasoning for Hierarchical Hybrid Systems. In: Hybrid Systems: Computation and Control. Springer Berlin Heidelberg.[3] Greenshields, B. D.; et al. (1933): The Photographic Method of Studying Traffic Behavior. In: Proceedings of the 13th Annual Meeting of the Highway Research Board.[4] Lighthill, M. J.;et al. (1955): On Kinematic Waves. II. A Theory of Traffic Flow on Long Crowded Roads. In: Proceedings of the Royal Society of London.[5] Baumgartner, N.; et al. (2014): A Tour of BeAware! – A situation awareness framework for control centers. In: Information Fusion 20.[6] Almejalli, K.; et al. (2007): Intelligent Traffic Control Decision Support System. In: Applications of EvolutionaryComputing. Springer Berlin Heidelberg.

23


Future Work

Consider traffic phenomena (e.g., shock-waves)

Introduce further components

Automatically transform networks into components and compositions

Generic Component DefinitionsCurrently work-in-progress

24

Andreas Müller – Johannes Kepler University, Linz, Austria – September 7, 2015 25

Verified Traffic Networks: Component-based Verification of ...

Documents

Transcript of Verified Traffic Networks: Component-based Verification of ...