Combining Quantitative and Qualitative Analysis for Safe and Resilient Intelligent Hybrid Systems

Combining Quantitative and Qualitative Analysis for Safe and Resilient Intelligent Hybrid Systems PaulineBlohm University of Münster

Münster Germany

PaulaHerber University of Münster

Münster Germany

AnneRemke University of Münster

Münster Germany

Combining Quantitative and Qualitative Analysis for Safe and Resilient Intelligent Hybrid Systems 1613-0073 278E58DB16027C9FA89BFC973B4BAD43 GROBID - A machine learning software for extracting information from scholarly documents Hybrid Systems Formal Verification Stochastic Failures Learning Simulink Hybrid Automata

Model-driven development frameworks such as MATLAB Simulink are widely used in industrial design processes to conquer the increasing complexity of embedded control systems such as self-driving cars or critical infrastructures. As these systems are often safety-critical, formal methods to ensure safety, performance and resilience are highly desirable, in particular also in the presence of dynamic and uncertain environments. Formal verification has the potential to a) ensure that embedded systems function correctly for all possible system parameters and input scenarios, and b) provide statistical guarantees in the presence of uncertainty and probabilistic behavior. However, the application of existing formal verification and stochastic analysis techniques to embedded control systems is a major challenge, in particular if they are hybrid, i.e. combine discrete and continuous behavior, and include learning components to adapt to dynamic environments. To tackle this challenge, we aim at providing a quantitative analysis for intelligent Simulink models via a transformation to Stochastic Hybrid Automata (SHA) that gives us access to established analysis techniques for stochastic systems, such as reachability analysis or (statistical) model checking. To incorporate dynamic adaptations via learning, we investigate techniques to integrate domain-specific abstractions of the learning components into the SHA model. To ensure resilience of learning hybrid systems, we aim at combining the strengths of qualitative and quantitative analyses.

Problem

The demands on the functionality and flexibility of embedded control systems are steadily increasing. At the same time, they are more and more used in critical infrastructures, for example, controlling the supply of energy or water, and in safety-critical systems such as self-driving cars and other autonomous vehicles. With that, we increasingly use embedded control systems not only for our convenience or for profit, but also trust our lives and personal well-being to these systems. At the same time, learning components are nowadays often used to cope with dynamic environments. This makes it crucial to ensure the safety, performance, and resilience of these systems under all circumstances. Qualitative analysis techniques such as deductive verification can provide safety guarantees for hybrid systems, however, they typically only consider the worst case scenario. In contrast, quantitative analysis techniques like analytical reachability analysis or statistical model checking (SMC) can provide statistical guarantees for safety or performance properties even in the presence of uncertainty, however, they might not provide guarantees for all possible scenarios.

The integration of learning components and uncertainties further complicates formal verification of hybrid systems. Qualitative analysis techniques often rely on abstractions, such as contracts, to handle learning components or uncertainties. While these abstractions are necessary to provide safety guarantees, they usually abstract from all quantitative information, yielding imprecise and overly pessimistic results. In contrast, quantitative techniques exploit statistical information like the distribution of events or failure and repair times. However, they suffer from state-space explosion, in particular if learning components have to be verified to ensure safety under all circumstances or with high accuracy. Furthermore, quantitative analyses techniques typically do not provide us with PhD Symposium of the 19th International Conference on Integrated Formal Methods (iFM) at the University of Manchester, UK, 12 November 2024. Envelope pauline.blohm@uni-muenster.de (P. Blohm); paula.herber@uni-muenster.de (P. Herber); anne.remke@uni-muenster.de (A. Remke) techniques for modular reasoning.

Proposed Solution

To ensure the safety and resilience of hybrid systems even in the presence of learning and in uncertain environments, we aim at combining the strengths of qualitative analysis with the strength of quantitative analysis. We focus on hybrid systems modelled in Simulink as it is widely adopted for embedded control systems that combine discrete and continuous behavior. Previous work of one of the co-authors has presented an approach for a qualitative analysis of Simulink models via a transformation to Differential Dynamic Logic (dL) [1,2] which is implemented in the tool Simulink2dL. The resulting dL Model can then be analyzed using Deductive Verification to obtain formal guarantees that a system satisfies a given Safety Property. Our aim is to complement this with efficient and scalable quantitative analysis [3,4,5] and also to combine these techniques to provide an approach for comprehensive safety, resilience and performance analysis for intelligent hybrid systems. The concept of the thesis is shown in Fig. 1 and consists of four main parts:

1. We plan to provide an automated transformation Simulink2SHA from Simulink to Stochastic Hybrid Automata. With this transformation, we define a formal semantics for Simulink, and it gives us access to established Quantitative Analysis techniques, such as reachability analysis or (statistical) model checking.

We aim at investigating how to introduce stochastic components via Probability Distributions into

the Simulink model to model uncertainties like component failure or sensor noise. With that, we can also investigate resilience and performance of a model under verification. 3. We aim at investigating how Qualitative and Quantitative Properties for the dL and SHA models can be derived from safety, resilience and performance requirements. 4. We plan to provide a technique to combine Qualitative Analysis results (e.g. from deductive verification) with a Quantitative Analysis for (potentially learning) Simulink models. In particular, we aim at investigating two different approaches: a) the integration of shielded SMC-based learning, which has been proposed by one of the co-authors in previous work [6], and b) the use of contracts or other domain-specific abstractions to safely integrate learning components, as has been proposed by two of the co-authors in [2,7].

As a first step, we have presented an approach for a manual transformation from Simulink to SHA, which has been accepted at iFM 2024 [8]. Open research problems we plan to address in this thesis are how to model uncertainties such that the resulting models are still analyzable, how to capture qualitative and quantitative properties of intelligent systems appropriately and also how to combine qualitative with quantitative analysis techniques for SHA with learning components. One key challenge is that, while modular reasoning would be highly desirable to handle complex systems, there exists no established concept to include quantitative and statistical information in contracts.

Related Work

There have been quite some efforts to enable the formal verification of systems that are modeled in Simulink [9,10,11,12,13,14,15]. Yet, all of these approaches, including the Simulink Design Verifier [16], are limited to discrete subsets of Simulink. Formal verification methods that support hybrid systems modeled in Simulink are, e.g., proposed in [1,17,18,19,20,21]. However, they either focus on techniques for a special class of systems and do not provide general transformation rules for a broader set of blocks or focus on the qualitative analysis of safety properties and they neither take stochastic components nor learning into consideration.

There also has been a number of works on statistical model checking (SMC) for Simulink, for example [22,23,24]. Still they do not provide a stochastic model with formal semantics and thus cannot make use of more advanced quantitative analysis techniques. In [25], the authors propose a transformation from Simulink into stochastic timed automata (STA) and perform SMC with UPPAAL SMC on the resulting network of STA. However, they do not consider stochastic blocks and transform a given Simulink model into a deterministic STA model where all probabilities are one.

There also exists a broad variety of approaches to formally ensure safety of learning components using shielding or runtime monitoring [26,27,28]. These approaches do not directly support Simulink though, and they do not consider formal analysis techniques that take stochastic failures and learning into account.

Uppaal Stratego [29] uses priced timed automata to model stochastic behavior, and provides tooling for statistical model checking [30], timed games [31] and learning-based strategy synthesis [32]. While Uppaal Stratego comes with a graphical interface and is designed for usability, the underlying formalisms are less expressive than stochastic hybrid automata, in particular w.r.t. continuous system behavior governed by differential equations and controlled by continuous and stochastic variables.

Finally, there has been some work on combining rigorous formal and statistical methods. In [33], the authors incorporate statistical hypothesis testing to compute promising configurations of program verifiers automatically. However, they do not support hybrid systems, and they do not consider both safety and performance properties. In [34], the authors present a formal framework for an integrated qualitative and quantitative model-based safety analysis. However, they do not support hybrid systems and do not consider deductive verification methods.

Progress and Current State

The first step towards safe and resilient hybrid system is enabling a quantitative analysis for (stochastic) Simulink models. As Simulink does not offer elaborate quantitative analysis, such as reachability analysis or statistical model checking, a transformation into a formal model is desired. To tackle this problem, we are currently working on a modular approach to transform Simulink models into SHA. In [8], we present an approach that enables us to transform a subset of Simulink models to SHA and analyze the SHA using the tool RealySt [3] to obtain reachability probabilities for critical safety properties. This is an important first step towards ensuring safety and resilience of hybrid systems in the presence of uncertainties. However, it still has some limitations, e.g. we only provide transformation rules for a subset of Simulink blocks and the parallel composition has to be performed manually. To tackle these limitations, we are currently working on a tool to automatically transform a given Simulink model to an SHA using the transformation rules provided in [8]. Additionally, we plan to define transformation rules for a larger subset of Simulink blocks and provide better support for the integration of stochasticity into Simulink models, e.g. by providing parameterized subsystems that model specific stochastic behaviour.

As next steps, we plan to address the research challenges defined above, namely the integration of stochastic and learning components in Simulink, the derivation of qualitative and quantitative properties that are important for safety, resilience and performance of intelligent Simulink models in uncertain and dynamic environments, and the development of combined quantitative and quantitative analysis techniques that enable us to formally analyze these properties.

Figure 1 :1Figure 1: Combining the Strengths of Quantitative and Qualitative Analysis.

Deductive verification of hybrid control systems modeled in Simulink with KeYmaera X TLiebrenz PHerber SGlesner 10.1007/978-3-030-02450-5_6 Int. Conference on Formal Engineering Methods Springer 2018 11232 Formal Verification of Intelligent Hybrid Systems that are modeled with Simulink and the Reinforcement Learning Toolbox JAdelt TLiebrenz PHerber 10.1007/978-3-030-90870-6_19 Formal Methods Springer 2021 13047 Realyst: A C++ tool for optimizing reachability probabilities in stochastic hybrid systems JDelicaris JStübbe SSchupp ARemke 10.1007/978-3-031-48885-6_11 16th EAI Int. Conference on Performance Evaluation Methodologies and Tools Springer 2023 539 Optimizing reachability probabilities for a restricted class of stochastic hybrid automata via flowpipe construction CDaSilva SSchupp ARemke 10.1145/3607197 ACM Trans. Model. Comput. Simul 33 2023 The best of both worlds: Analytically-guided simulation of hpngs for optimal reachability MNiehage ARemke 10.1007/978-3-031-48885-6_5 Performance Evaluation Methodologies and Tools 2024 Learning optimal decisions for stochastic hybrid systems MNiehage AHartmanns ARemke 10.1145/3487212.3487339 ACM-IEEE Int. Conference on Formal Methods and Models for System Design ACM 2021 Safe Integration of Learning in SystemC using Timed Contracts and Model Checking PBlohm JAdelt PHerber 10.1145/3610579.3611078 21st ACM-IEEE International Symposium on Formal Methods and Models for System Design, ACM / IEEE RHanxleden SAEdwards JBrandt QZhu 2023 Towards Quantitative Analysis of Simulink Models using Stochastic Hybrid Automata PBlohm PHerber ARemke International Conference on Integrated Formal Methods 2024 accepted for publication Formal verification of control systems' properties with theorem proving DAraiza-Illan KEder ARichards 10.1109/CONTROL.2014.6915147 UKACC Int. Conference on Control IEEE 2014 Z3: An efficient SMT solver LDeMoura NBjørner 10.1007/978-3-540-78800-3_24 International conference on Tools and Algorithms for the Construction and Analysis of Systems Springer 2008 Why3 -where programs meet provers J.-CFilliâtre APaskevich 10.1007/978-3-642-37036-6_8 European Symposium on Programming Springer 2013 Bit-precise formal verification of discrete-time MAT-LAB/Simulink models using SMT solving PHerber RReicherdt PBittner 10.1109/EMSOFT.2013.6658586 Int. Conference on Embedded Software IEEE 2013 The UCLID decision procedure SKLahiri SASeshia 10.1007/978-3-540-27813-9_40 Int. Conference on Computer Aided Verification Springer 2004 Formal verification of discrete-time MATLAB/Simulink models using Boogie RReicherdt SGlesner 10.1007/978-3-319-10431-7_14 Int. Conference on Software Engineering and Formal Methods Springer 2014 8702 Boogie: A modular reusable verifier for object-oriented programs MBarnett B.-YEChang RDeline BJacobs KR MLeino 10.1007/11804192_17 Int. Symposium on Formal Methods for Components and Objects Springer 2005 Simulink Design Verifier 2024 The MathWorks Computational techniques for hybrid system verification AChutinan BHKrogh 10.1109/TAC.2002.806655 IEEE Trans. on Automatic Control 48 1 2003 IEEE SL2SX translator: from Simulink to SpaceEx models SMinopoli GFrehse 10.1145/2883817.2883826 Int. Conf. on Hybrid Systems: Computation and Control ACM 2016 Formal Verification of Simulink/Stateflow Diagrams LZou NZhan SWang MFränzle 10.1007/978-3-319-47016-0 Int. Symposium on Automated Technology for Verification and Analysis (ATVA) Springer 2015 9364 MARS: A toolchain for modelling, analysis and verification of hybrid systems MChen XHan TTang SWang MYang NZhan HZhao LZou 10.1007/978-3-319-48628-4_3 Provably Correct Systems Springer 2017 A service-oriented approach for decomposing and verifying hybrid system models TLiebrenz PHerber SGlesner 10.1007/978-3-030-40914-2_7 Int. Conference on Formal Aspects of Component Software Springer 2019 12018 Bayesian statistical model checking with application to stateflow/simulink verification PZuliani APlatzer EMClarke 10.1007/s10703-013-0195-3 Formal Methods in System Design 43 2013 Statistical model checking of simulink models with Plasma Lab ALegay L.-MTraonouez 10.1007/978-3-319-29510-7_15 Formal Techniques for Safety-Critical Systems: 4th International Workshop Springer 2016 PLASMA-lab: A flexible, distributable statistical model checking library BBoyer KCorre ALegay SSedwards 10.1007/978-3-642-40196-1_12 Quantitative Evaluation of Systems: 10th International Conference Springer 2013 Simulink to uppaal statistical model checker: Analyzing automotive industrial systems PFilipovikj NMahmud RMarinescu CSeceleanu OLjungkrantz HLönn 10.1007/978-3-319-48989-6_46 International Symposium on Formal Methods Springer 2016 Safe Reinforcement Learning via Shielding MAlshiekh RBloem REhlers BKönighofer SNiekum UTopcu 10.5555/3504035.3504361 Proceedings of the AAAI Conference on Artificial Intelligence the AAAI Conference on Artificial Intelligence 2018 32 Shield synthesis for reinforcement learning BKönighofer FLorber NJansen RBloem 10.1007/978-3-030-61362-4_16 International Symposium on Leveraging Applications of Formal Methods Springer 2020 A Component-Based Simplex Architecture for High-Assurance Cyber-Physical Systems DPhan JYang MClark RGrosu JSchierman SSmolka SStoller 10.1109/ACSD.2017.23 2017 17th International Conference on Application of Concurrency to System Design (ACSD), IEEE 2017 Uppaal stratego ADavid PGJensen KGLarsen MMikučionis JHTaankvist 10.1007/978-3-662-46681-0_16 Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems Springer 2015 Uppaal smc tutorial ADavid KGLarsen ALegay MMikučionis DBPoulsen International Journal on Software Tools for Technology Transfer 17 2015 Efficient on-the-fly algorithms for the analysis of timed games FCassez ADavid EFleury KGLarsen DLime 10.1007/11539452_9 Concurrency Theory MAbadi LAlfaro

Berlin, Heidelberg

Springer 2005 SOS: Safe, optimal and small strategies for hybrid markov decision processes PAshok JKřetínskỳ KGLarsen ALe Coënt JHTaankvist MWeininger 10.1007/978-3-030-30281-8_9 International Conference on Quantitative Evaluation of Systems Springer 2019 GUIDO: Automated Guidance for the Configuration of Deductive Program Verifiers AKnüppel TThüm ISchaefer 10.1109/FormaliSE52586.2021.00018 IEEE/ACM Int. Conference on Formal Methods in Software Engineering (FormaliSE) IEEE 2021 A framework for qualitative and quantitative formal model-based safety analysis MGudemann FOrtmeier 10.1109/HASE.2010.24 IEEE Int. Symposium on High Assurance Systems Engineering IEEE 2010