Community Research and Development Information Service - CORDIS


UnCoVerCPS Report Summary

Project ID: 643921
Funded under: H2020-EU.

Periodic Reporting for period 1 - UnCoVerCPS (Unifying Control and Verification of Cyber-Physical Systems)

Reporting period: 2015-01-01 to 2015-12-31

Summary of the context and overall objectives of the project

UnCoVerCPS provides methods for a faster and more efficient development process of safety-critical or operation-critical cyber-physical systems in (partially) unknown environments. Cyber-physical systems are very hard to control and verify because of the mix of discrete dynamics (originating from computing elements) and continuous dynamics (originating from physical elements). We are developing completely new methods for de-verticalising the development processes by a generic and holistic approach towards reliable cyber-physical systems development with formal guarantees. In order to guarantee that specifications are met in unknown environments and in unanticipated situations, we synthesise and verify controllers on-the-fly during system execution. This requires to unify control and verification approaches, which were previously considered separately by developers. For instance, each action of an automated car (e.g. lane change) is verified before execution, guaranteeing safety of the passengers. Our new methods are integrated in tools for modelling, control design, verification, and code generation that will leverage the development towards reliable and at the same time open cyber-physical systems. Our new methods are demonstrated for wind turbines, automated vehicles, smart grids, and physical human-robot interaction within a consortium that has a balanced participation of academic and industrial partners.

Work performed from the beginning of the project to the end of the period covered by the report and main results achieved so far

The overall goal in UnCoVerCPS is to develop holistic model-based design methods of future cyber-physical systems with a special focus on researching essentially new methods to guarantee safety and reliability in (partially) unknown environments. This is realized by a cross-domain approach for synthesizing and verifying controllers on-the-fly, i.e. during operation. In order to quickly react to situations that become critical, a tight integration between the control software and the verification software is realized. We will provide:
• novel on-the-fly control and verification concepts,
• ground-breaking methods for unifying control and verification to quickly react to changing environments,
• seamless integration of modeling and conformance testing,
• a unique tool chain that makes it possible to integrate modeling, control design, formal verification, and automatic code generation,
• prototypical realizations of the novel methods in automated vehicles, human-robot col laborative manufacturing, wind turbines and smart grids, which will clearly demonstrate the benefits of formal methods,
• a new development process that reduces development time and costs for critical cyber-physical systems to strengthen European companies, which design or produce cyber-physical systems.

Novel on-the-fly control and verification concepts

It is impossible for designers to think of all possible scenarios that intelligent, autonomous, cyber-physical systems are facing during their deployment. There always exists an infinite number of situations for cyber-physical systems since real-valued state variables are uncountable. In order to predict what actions of surrounding intelligent agents are possible, we use reachability analysis to predict the set of possible future behaviors. The obtained future occupancies of surrounding entities are unsafe regions for the ego system (i.e. the system to be controlled and verified). For instance, in a human-robot scenario, the future set of occupancies of a human is an unsafe region for a robot (ego system), that it should never enter. These regions are forwarded to the controller of the ego system as constraints, such that we can guarantee that surrounding
entities are not harmed.

This problem is subject of task 2.1 Constraint generation based on behavior prediction. The task has been completed on time and a detailed description of constraint generation in dynamic environments for human-robot scenarios and automated driving is provided in deliverable 2.1 Report on behavior prediction for cyber-physical systems. The deliverable presents a lot of firsts: For the first time, human arm movement has been predicted in a set-based, non-probabilistic but conservative fashion based on measurements of real humans. Also for the first time, the future occupancies of other traffic participants have been computed in an over-approximative way for an arbitrary road network. Publications describing these innovations are currently under preparation. To complete this task, we have used the models from task 1.2 and reachability analysis from task 3.1 and task 4.3. The results are used as constraints for the decision making and control in tasks 2.2 and 2.3.

The work in task 2.2 on new on-the-fly control techniques has led to deterministic and probabilistic versions of model-predictive control for distributed systems. These methods, which rely on the formal models determined in task 1.1, and which are documented already in several paper submissions, are geared towards efficiently considering (time-varying) constraints. These constraints may be imposed by other subsystems, e.g. if two autonomous vehicles have to maintain a certain minimum distance.

Unification of control and verification

Complementing online control decisions with online verification is a self-evident option: if all desirable system properties were to be considered within the control task as constraints, this step would be too complex in many cases to be solved in time. It is thus reasonable to interleave alternating steps of control and verification with a distinct set of properties. The combination of making decisions and verifying them on-the-fly, of course, poses new challenges: For instance, when some sensors become noisy in a certain situation, the set of possible deviations from a plan increases and thus might cause a violation of a specification. In such a situation, one could adapt the control gains to reduce the effect of uncertain sensor measurements. According to the on-the-fly adaptation, the on-the-fly formal verification would return that the new plan is safe and thus can be safely executed.

The goal to unify control and verification is one that will be solved later in the project as scheduled in the description of action. However, since this is a challenging problem, we have already started working in this direction, although the deliverable for this overall goal is due in M48 (deliverable 2.3). We have started to develop optimal controllers that do not only optimize the solution for a particular initial state under a particular disturbance, but under a set of initial states and for a set of disturbances. Despite these uncertainties, the controller guarantees that constraints are met and that a goal set is reached on time. This is possible by integrating reachability analysis into the optimization routines. A first solution in this direction will be submitted for publication to the IEEE Conference on Decision and Control.

Seamless integration of modeling and conformance testing

A critical point in every model-based development process is that the modeling is internally formalized and standardized. It is not the goal to provide another way of modeling cyber-physical systems, but rather to extend existing formalisms and to offer automatic conversion of models obtained from common software tools (such as SCADE, Simplorer, Dymola, MATLAB/Simulink ) to (networked) hybrid automata which are used for the proposed control and verification methods. The main innovation is the systematic test of conformance between the models and the behavior of the real system. This is carefully addressed by developing methods that automatically generate critical test cases. In order to achieve conformance, we include set-based and stochastic uncertainty in our models, especially the models describing entities surrounding the considered system (which we refer to as from now on). The set of possible behaviors is computed by novel algorithms for set-based and stochastic reachability analysis.

The modeling is performed in task 1.1 Modeling and identification of networked cyberphysical systems. In UnCoVerCPS, we have agreed to use (stochastic) hybrid automata to model our use cases. The detailed modeling procedures are described in deliverable 5.1 Report on application models. Models for all use cases (wind turbines, automated vehicles, smart grids, and physical human-robot interaction) have been completed before M12 and are currently refined to address control design and verification needs. A further focus in the first period was to provide a systematic approach to formally describe system requirements (task 1.4 Semi-automatic formalization of system requirements). This task has been completed on time. The results of this task are manifold: a) a thorough comparison with existing tools on generating formal specifications has been performed; b) A concept for specifying formal requirements of cyber-physical systems using hybrid monitoring automata has been worked out; and c) the prototypical tool formalSpec for realizing monitoring automata and linking them to hybrid system models in SpaceEx has been developed. Details can be found in the deliverable 1.1 Assessment of languages and tools for the automatic formalization of system requirements. Finally, we have obtained first results on conformance testing of cyberphysical systems (task 1.3): Since industrial-scale hybrid systems are typically not amenable to formal verification techniques one typically aims to verify abstractions of (parts of) the original system. However, one needs to show that this abstraction conforms to the actual system implementation including its physical dynamics. In particular, verified properties of the abstract system need to transfer to the implementation. To this end, we have developed a formal conformance relation, called reachset conformance, which guarantees transference of safety properties, while being a weaker relation than the existing trace inclusion conformance. We have experimentally shown the benefits of our novel techniques based on an example from autonomous driving. This work has already been published in the conference Hybrid Systems: Computation and Control.

Tool chain

In order to realize the vision of cyber-physical systems that control and verify their actions on-the-fly, we provide a tool chain for the development of cyber-physical systems. Based on SCADE and Simplorer from Esterel Technologies, we model the considered cyberphysical systems and the relevant classes of surrounding entities (e.g. human workers in human-robot collaborative task, or other traffic participants in automated driving). Those models are translated to hybrid automata, which is the common modeling formalism for the subsequent control and verification algorithms. SCADE is able to formally verify discrete systems, but lacks the ability to verify mixed discrete and continuous systems. This will be complemented by the tools SpaceEx developed at Universite Joseph Fourier Grenoble 1 and CORA developed at Technische Universität München. SpaceEx is more mature and user-friendly than CORA, but CORA can handle nonlinear systems, which have not yet been implemented in SpaceEx.

In the first phase of the project, we have already started transferring the capabilities to compute reachable sets from CORA to SpaceEx. The set representation used by CORA— zonotopes—have already been implemented in SpaceEx. Also the algorithm how CORA computes reachable sets of linear systems has been integrated. Currently, we are working on embedding the already transferred capabilities into the algorithms for computing reachable sets of nonlinear systems. We have also laid the basis for improving reachable set computations for nonlinear systems as described in task 3.1 Faster methods for reachability analysis of nonlinear systems. The advances in that area are presented in deliverable 3.1 Report on reachability analysis of nonlinear systems. The marriage between CORA and SpaceEx also helped assessing the different advantages and disadvantages of the set representations used in each tool: support functions and zonotopes. The comparison is summarized in deliverable 4.1 Theoretical foundation for combining zonotopes and support functions.

Use cases

From the very beginning of the project, we have tried to integrate the theoretical findings and developed tools in the development process of our four applications: wind turbines, automated vehicles, smart grids, and physical human-robot interaction. We are currently at the stage that we have formulated the requirements of each application as listed in deliverable 1.1 Assessment of languages and tools for the automatic formalization of system requirements. We have also finished modeling all of our applications as described in deliverable 5.1 Report on application models.

Progress beyond the state of the art and expected potential impact (including the socio-economic impact and the wider societal implications of the project so far)

In the following the project impact from section 2.1 of the Description of Action (DoA) is reviewed. Concretizations of the previous expectations are given. If not addressed, specific expectations are still deemed valid.

Reduction of development time and costs

The UnCoVerCPS toolchain is taking shape and is expected to decrease development time and costs. We have developed the tool ’formal-Spec’, which assists the engineer in formalizing system specifications, see deliverable D1.1. Due to the application of readily available, formal building blocks, the specification time and the probability of specification errors are reduced. The formal descriptions can be directly applied for offline verification in SpaceEx. The capabilities of SpaceEx have been improved by integrating methods from CORA. Using a single powerful tool saves development time and cost. Bosch added a refined estimation of impact on development time and cost for Bosch Mobility Solutions to the exploitation plan (deliverable D6.3) confirming the impact estimated in the proposal. In deliverable D2.1 we have already realized set-based prediction of surrounding agents. This enables robotic systems collaborating physically with human agents to perform online verification, e.g. to prove the safety of an intended action during operation. Development time is saved by replacing exhaustive specification and testing of all possible operation scenarios with automatically performed on-the-fly verification of each individual situation at runtime. As described in deliverable D3.1, the computation speed of the reachability analysis has been improved and thus saves development during controller verification. The methods developed for online control in WP2 (and particular Task 2.2. within this reporting period) help to reduce time and cost for control design by providing techniques, which run online and can automatically adapt to new situations. If measurements indicate that controller modification is required, online optimization is used to determine control inputs, which are consistent with current constraints. This allows to avoid exhaustive offline controller design for all possible situations. Therefore the effort for control parametrization by the designer is drastically reduced. Furthermore, by embedding verification into the online controller optimization (as envisaged for the tasks 2.3/2.4), the time for testing and validation of the control architecture will be considerably reduced.

Enabling of open and critical cyber-physical systems

The modeling formalism of SpaceEx and SCADE enables the interchange of models. Some models have already been implemented in SpaceEx and SCADE. In contrast to MATLAB/Simulink models, those models are formally specified. The set-based prediction of surrounding entities makes it possible to operate CPSs in open, unrestricted environments.

Stronger pan-European collaboration across value chains

Formal system specifications have been developed in collaboration of different industry partners. SCADE is used by partners who have not used it before. Furthermore, RURobots tests online verification and control techniques developed by TU München for their GRAIL robot.

Uplifting Europe’s innovation capacity and competitiveness

In task 2.2 and task 5.2, UnCoVerCPS develops new methods for energy management in power networks and energy systems, at the transmission and distribution level, to ensure reliable system operation. This task is becoming more challenging since the amount of installed capacity of renewable energy sources is expected to increase, as witnessed by the ambitious objectives of the European Commission under the Paris Agreement, thereby increasing the level of uncertainty in the system. To account for high uncertainty levels without degrading performance, conventional energy management methods must not only be revisited, but also conceptually different modeling and control schemes designed. This can significantly contribute to Europe’s competitiveness and innovation capabilities on the modernization of operational principles of energy

Ecological impacts

The integration of increasing shares of renewable energy sources in energy systems has evident potential for significant ecological impact. In turn, the distributed and stochastic nature of renewable energy sources poses challenges to efficient, reliable, and safe management and operation of new generation low-carbon energy systems, and calls for new paradigms to appropriately handle complexity and uncertainty. Distributed stochastic optimization strategies have been developed to this purpose.

Related information

Follow us on: RSS Facebook Twitter YouTube Managed by the EU Publications Office Top