Real-Time Reachability for Verified Simplex Design

Abstract
The Simplex architecture ensures the safe use of an unverifiable complex/smart controller by pairing it with a verified safety controller and a verified supervisory controller (the switching logic). This lets smart, high-performance, untrusted, and complex control algorithms be used for autonomy without requiring them to be formally verified or certified. The supervisory controller takes control away from the complex/smart controller if it misbehaves and hands it to the safety controller. It should (1) guarantee that the system never enters an unsafe state (safety), and (2) use the complex/smart controller as much as possible (minimal conservatism). The problem of precisely and correctly defining the supervisory controller's switching logic has previously been approached either through control-theoretic optimization or through an offline hybrid-systems reachability computation. In this work, we show that a combined online/offline approach that draws on both earlier methods, together with a real-time reachability computation, also maintains safety but with significantly less conservatism, allowing the complex controller to be used more often. We demonstrate the advantages of this unified approach on a saturated inverted pendulum system, for which the verifiable region of attraction is over twice as large as with the earlier approach. To validate the claim that real-time reachability can be implemented on embedded platforms, we have ported the computation to, and conducted hardware studies on, both ARM processors and Atmel AVR microcontrollers. This is the first demonstration of a hybrid-systems reachability computation running in real time on actual embedded platforms, which required addressing significant technical challenges.
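The switching logic described above, as an added example that is not the paper's code: a Python Simplex supervisor for a constructed, linearized, saturated inverted pendulum. All plant coefficients, the safety gain `K_SAFE`, the Lyapunov matrix `P`, the level `C_LEVEL`, the period and the sensor error are assumed values chosen for this example, not taken from the paper. The offline part (`verify_safety_region`) checks that the safety controller's ellipsoid E is safe and positively invariant; the online part (`reach_period`, `supervise`) encloses the plant's flow under the complex controller's command for one control period with a first-order interval (Picard) enclosure and applies that command only if every enclosure box stays inside E. `supervise_anytime` refines the step size while a time budget lasts; its refinement schedule is this example's own design, in the spirit of the real-time computation the abstract describes.

```python
"""Simplex supervisor driven by an interval reachability check (added example).

Plant: linearized, saturated inverted pendulum  theta' = omega,
omega' = A_COEF*theta + B_COEF*u.  All coefficients, gains, P and C_LEVEL are
assumed values constructed for this example, not taken from the paper.
"""
import math
import time
from typing import List, Optional, Tuple

Interval = Tuple[float, float]
Box = List[Interval]                       # one interval per state dimension

A_COEF, B_COEF = 1.0, 1.0                  # assumed plant coefficients
U_MAX = 3.0                                # actuator saturation
PERIOD = 0.05                              # control period [s]
THETA_UNSAFE = math.pi / 4                 # |theta| beyond this is unsafe
K_SAFE = (3.0, 3.0)                        # safety controller u = -K x
P = ((1.25, 0.25), (0.25, 0.25))           # solves A_cl^T P + P A_cl = -I, A_cl = [[0,1],[A-3,-3]]
C_LEVEL = 0.25                             # E = {x : x^T P x <= C_LEVEL}


def lyap(theta: float, omega: float) -> float:
    return P[0][0]*theta*theta + 2*P[0][1]*theta*omega + P[1][1]*omega*omega


def verify_safety_region() -> bool:
    """Offline part: (1) A_cl^T P + P A_cl negative definite, (2) no saturation
    inside E (max|Kx| = sqrt(C*K P^-1 K^T) <= U_MAX), (3) E avoids the unsafe set."""
    a_cl = ((0.0, 1.0), (A_COEF - B_COEF*K_SAFE[0], -B_COEF*K_SAFE[1]))
    m = [[sum(a_cl[k][i]*P[k][j] + P[i][k]*a_cl[k][j] for k in range(2))
          for j in range(2)] for i in range(2)]
    neg_def = m[0][0] < 0 and m[0][0]*m[1][1] - m[0][1]*m[1][0] > 0
    det = P[0][0]*P[1][1] - P[0][1]*P[1][0]
    pinv = ((P[1][1]/det, -P[0][1]/det), (-P[1][0]/det, P[0][0]/det))
    kpk = sum(K_SAFE[i]*pinv[i][j]*K_SAFE[j] for i in range(2) for j in range(2))
    return (neg_def and math.sqrt(C_LEVEL*kpk) <= U_MAX + 1e-12
            and math.sqrt(C_LEVEL*pinv[0][0]) < THETA_UNSAFE)


def box_in_region(box: Box) -> bool:
    """x^T P x is convex, so its maximum over a box is attained at a vertex."""
    (tl, th), (wl, wh) = box
    return all(lyap(t, w) <= C_LEVEL for t in (tl, th) for w in (wl, wh))


def deriv(box: Box, u: float) -> Box:
    """Interval enclosure of f(x) = (omega, A*theta + B*u) over the box."""
    (tl, th), omega = box
    lo, hi = sorted((A_COEF*tl, A_COEF*th))
    return [omega, (lo + B_COEF*u, hi + B_COEF*u)]


def widen(box: Box, frac: float) -> Box:
    return [(lo - frac*(hi - lo) - 1e-9, hi + frac*(hi - lo) + 1e-9) for lo, hi in box]


def step_enclosure(x0: Box, u: float, h: float, max_iter: int = 30) -> Optional[Tuple[Box, Box]]:
    """First-order interval (Picard) enclosure: find Y with x0 + [0,h]*f(Y) inside Y.
    Then every trajectory from x0 stays in x0 + [0,h]*f(Y) during [0,h] and
    x(h) lies in x0 + h*f(Y); needs h below 1/L for the Lipschitz constant L of f.
    Returns (tube, end) or None if no enclosure was validated."""
    y = widen(x0, 0.0)
    for _ in range(max_iter):
        d = deriv(y, u)
        tube = [(x[0] + min(0.0, h*dl), x[1] + max(0.0, h*dh)) for x, (dl, dh) in zip(x0, d)]
        if all(yl <= tl and th <= yh for (yl, yh), (tl, th) in zip(y, tube)):
            return tube, [(x[0] + h*dl, x[1] + h*dh) for x, (dl, dh) in zip(x0, d)]
        y = widen([(min(yl, tl), max(yh, th)) for (yl, yh), (tl, th) in zip(y, tube)], 0.5)
    return None


def reach_period(x0: Box, u: float, steps: int) -> Optional[List[Box]]:
    """Boxes covering every state visited during one period under constant
    command u, in `steps` sub-steps (finer is tighter, i.e. less conservative)."""
    h, cur, tubes = PERIOD / steps, x0, []
    for _ in range(steps):
        r = step_enclosure(cur, u, h)
        if r is None:
            return None
        tube, cur = r
        tubes.append(tube)
    return tubes


def safety_command(theta: float, omega: float) -> float:
    return max(-U_MAX, min(U_MAX, -(K_SAFE[0]*theta + K_SAFE[1]*omega)))


def supervise(state: Tuple[float, float], u_complex: float, steps: int = 5,
              sensor_err: float = 1e-3) -> Tuple[str, float]:
    """One supervisor period: apply the complex command only if every state
    reachable while it is held stays inside E, so the safety controller can
    still recover at the next decision point. A failed enclosure also falls
    back to the safety controller (the conservative direction)."""
    theta, omega = state
    u_c = max(-U_MAX, min(U_MAX, u_complex))   # saturation is part of the plant
    x0 = [(theta - sensor_err, theta + sensor_err), (omega - sensor_err, omega + sensor_err)]
    tubes = reach_period(x0, u_c, steps)
    if tubes is not None and all(box_in_region(b) for b in tubes):
        return "complex", u_c
    return "safety", safety_command(theta, omega)


def supervise_anytime(state: Tuple[float, float], u_complex: float, budget_s: float) -> Tuple[str, float]:
    """Real-time variant (this example's own schedule): start coarse and halve the
    step while the budget lasts. A coarse over-approximation that passes is already
    sound, so refinement can only turn 'safety' into 'complex'; at the deadline
    the last completed decision stands."""
    deadline = time.perf_counter() + budget_s
    decision, steps = ("safety", safety_command(*state)), 1
    while decision[0] == "safety" and steps <= 64 and time.perf_counter() < deadline:
        decision, steps = supervise(state, u_complex, steps), steps * 2
    return decision
```

Two design points carry over from the architecture: the reachability result is only ever used in the sound direction (an over-approximation that lies inside E proves the command safe, while any failure to validate an enclosure or to finish in time yields the safety controller), and the containment test needs only the vertices of each box because the Lyapunov function is convex. Because E is positively invariant under the safety controller, a switch at any decision point from a state inside E keeps the system in E afterwards.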