555 research outputs found

    Hybrid Automata for Formal Modeling and Verification of Cyber-Physical Systems

    The presence of a tight integration between the discrete control (the "cyber") and the analog environment (the "physical")---via sensors and actuators over wired or wireless communication networks---is the defining feature of cyber-physical systems. Hence, the functional correctness of a cyber-physical system is crucially dependent not only on the dynamics of the analog physical environment, but also on the decisions taken by the discrete control that alter the dynamics of the environment. The framework of hybrid automata---introduced by Alur, Courcoubetis, Henzinger, and Ho---provides a formal modeling and specification environment to analyze the interaction between the discrete and continuous parts of a cyber-physical system. Hybrid automata can be considered as generalizations of finite state automata augmented with a finite set of real-valued variables whose dynamics in each state is governed by a system of ordinary differential equations. Moreover, the discrete transitions of hybrid automata are guarded by constraints over the values of these real-valued variables, and enable discontinuous jumps in the evolution of these variables. Considering the richness of the dynamics in a hybrid automaton, it is perhaps not surprising that the fundamental verification questions, like reachability and schedulability, for the general model are undecidable. In this article we present a review of hybrid automata as a modeling and verification framework for cyber-physical systems, and survey some of the key results related to practical verification questions related to hybrid automata. Comment: 17 page

    Automated Synthesis of Safe and Robust PID Controllers for Stochastic Hybrid Systems

    We present a new method for the automated synthesis of safe and robust Proportional-Integral-Derivative (PID) controllers for stochastic hybrid systems. Despite their widespread use in industry, no automated method currently exists for deriving a PID controller (or any other type of controller, for that matter) with safety and performance guarantees for such a general class of systems. In particular, we consider hybrid systems with nonlinear dynamics (Lipschitz-continuous ordinary differential equations) and random parameters, and we synthesize PID controllers such that the resulting closed-loop systems satisfy safety and performance constraints given as probabilistic bounded reachability properties. Our technique leverages SMT solvers over the reals and nonlinear differential equations to provide formal guarantees that the synthesized controllers satisfy such properties. These controllers are also robust by design since they minimize the probability of reaching an unsafe state in the presence of random disturbances. We apply our approach to the problem of insulin regulation for type 1 diabetes, synthesizing controllers with robust responses to large random meal disturbances, thereby enabling them to maintain blood glucose levels within healthy, safe ranges. Comment: Extended version of paper accepted at the 13th Haifa Verification Conferenc

    SReach: A Bounded Model Checker for Stochastic Hybrid Systems

    In this paper we describe a new tool, SReach, which solves probabilistic bounded reachability problems for two classes of stochastic hybrid systems. The first one is (nonlinear) hybrid automata with parametric uncertainty. The second one is probabilistic hybrid automata with additional randomness for both transition probabilities and variable resets. Standard approaches to reachability problems for linear hybrid systems require numerical solutions for large optimization problems, and become infeasible for systems involving both nonlinear dynamics over the reals and stochasticity. Our approach encodes stochastic information by using random variables, and combines randomized sampling, a δ-complete decision procedure, and statistical tests. SReach utilizes the δ-complete decision procedure to solve reachability problems in a sound manner, i.e., it always decides correctly if, for a given assignment to all random variables, the system actually reaches the unsafe region. The statistical tests adapted guarantee arbitrarily small error bounds between probabilities estimated by SReach and real ones. Compared to standard simulation-based methods, our approach supports non-deterministic branching, increases the coverage of simulation, and avoids the zero-crossing problem. We demonstrate our method's feasibility by applying SReach to three representative biological models and to additional benchmarks for nonlinear hybrid systems with multiple probabilistic system parameters.

    Verification for Machine Learning, Autonomy, and Neural Networks Survey

    This survey presents an overview of verification techniques for autonomous systems, with a focus on safety-critical autonomous cyber-physical systems (CPS) and subcomponents thereof. Autonomy in CPS is enabled by recent advances in artificial intelligence (AI) and machine learning (ML) through approaches such as deep neural networks (DNNs), embedded in so-called learning enabled components (LECs) that accomplish tasks from classification to control. Recently, the formal methods and formal verification community has developed methods to characterize behaviors in these LECs with eventual goals of formally verifying specifications for LECs, and this article presents a survey of many of these recent approaches.

    How to Learn a Model Checker

    We show how machine-learning techniques, particularly neural networks, offer a very effective and highly efficient solution to the approximate model-checking problem for continuous and hybrid systems, a solution where the general-purpose model checker is replaced by a model-specific classifier trained by sampling model trajectories. To the best of our knowledge, we are the first to establish this link from machine learning to model checking. Our method comprises a pipeline of analysis techniques for estimating and obtaining statistical guarantees on the classifier's prediction performance, as well as tuning techniques to improve such performance. Our experimental evaluation considers the time-bounded reachability problem for three well-established benchmarks in the hybrid systems community. On these examples, we achieve an accuracy of 99.82% to 100% and a false-negative rate (incorrectly predicting that unsafe states are not reachable from a given state) of 0.0007 to 0. We believe that this level of accuracy is acceptable in many practical applications and we show how the approximate model checker can be made more conservative by tuning the classifier through further training and selection of the classification threshold. Comment: 16 pages, 13 figures, short version submitted to HSCC201

    Hardware-In-The-Loop Vulnerability Analysis of a Single-Machine Infinite-Bus Power System

    The dynamic performance of the generators is a critical factor for the safe operation of the power grid. To this extent, the stability of the frequency of generators is the target of cyber attacks since its instability may lead to sizable cascade failures in the whole network. In this paper, we perform the vulnerability analysis in a developed power grid Hardware-In-The-Loop (HITL) testbed with a Wago 750-881 PLC sending control commands to the generators and a 750 Feeder Management Relay connected to a local load. A process-aware coordinated attack is demonstrated by spoofing control commands sent by the PLC and the relay to the simulated power system, which is modeled as a single-machine infinite-bus (SMIB). Based on the reachability analysis, the attacker can find the optimal attack signal to drive the system state out of their safe set of values. Thereafter, it is experimentally demonstrated that the attacker does not need to send an attack signal continuously if he implements a carefully designed coordinated attack on the PLC and the relay. The presented assessments provide information about the best time to launch an attack in order to destabilize the power system. Comment: Pages1-

    Computational methods for stochastic control with metric interval temporal logic specifications

    This paper studies an optimal control problem for continuous-time stochastic systems subject to reachability objectives specified in a subclass of metric interval temporal logic specifications, a temporal logic with real-time constraints. We propose a probabilistic method for synthesizing an optimal control policy that maximizes the probability of satisfying a specification based on a discrete approximation of the underlying stochastic system. First, we show that the original problem can be formulated as a stochastic optimal control problem in a state space augmented with finite memory and states of some clock variables. Second, we present a numerical method for computing an optimal policy with which the given specification is satisfied with the maximal probability in point-based semantics in the discrete approximation of the underlying system. We show that the policy obtained in the discrete approximation converges to the optimal one for satisfying the specification in the continuous or dense-time semantics as the discretization becomes finer in both state and time. Finally, we illustrate our approach with a robotic motion planning example. Comment: 8 pages, 6 figures, submitted to IEEE CDC 201

    Probabilistic bounded reachability for hybrid systems with continuous nondeterministic and probabilistic parameters

    We develop an algorithm for computing bounded reachability probability for hybrid systems, i.e., the probability that the system reaches an unsafe region within a finite number of discrete transitions. In particular, we focus on hybrid systems with continuous dynamics given by solutions of nonlinear ordinary differential equations (with possibly nondeterministic initial conditions and parameters), and probabilistic behaviour given by initial parameters distributed as continuous (with possibly infinite support) and discrete random variables. Our approach is to define an appropriate relaxation of the (undecidable) reachability problem, so that it can be solved by δ-complete decision procedures. In particular, for systems with continuous random parameters only, we develop a validated integration procedure which computes an arbitrarily small interval that is guaranteed to contain the reachability probability. In the more general case of systems with both nondeterministic and probabilistic parameters, our procedure computes a guaranteed enclosure for the range of reachability probabilities. We have applied our approach to a number of nonlinear hybrid models and validated the results by comparison with Monte Carlo simulation.

    Dynamic Security Analysis of Power Systems by a Sampling-Based Algorithm

    Dynamic security analysis is an important problem of power systems on ensuring safe operation and stable power supply even when certain faults occur. Whether such faults are caused by vulnerabilities of system components, physical attacks, or cyber-attacks that are more related to cyber-security, they eventually affect the physical stability of a power system. Examples of the loss of physical stability include the Northeast blackout of 2003 in North America and the 2015 system-wide blackout in Ukraine. The nonlinear hybrid nature, that is, nonlinear continuous dynamics integrated with discrete switching, and the high degree of freedom property of power system dynamics make it challenging to conduct the dynamic security analysis. In this paper, we use the hybrid automaton model to describe the dynamics of a power system and mainly deal with the index-1 differential-algebraic equation models regarding the continuous dynamics in different discrete states. The analysis problem is formulated as a reachability problem of the associated hybrid model. A sampling-based algorithm is then proposed by integrating modeling and randomized simulation of the hybrid dynamics to search for a feasible execution connecting an initial state of the post-fault system and a target set in the desired operation mode. The proposed method enables the use of existing power system simulators for the synthesis of discrete switching and control strategies through randomized simulation. The effectiveness and performance of the proposed approach are demonstrated with an application to the dynamic security analysis of the New England 39-bus benchmark power system exhibiting hybrid dynamics. In addition to evaluating the dynamic security, the proposed method searches for a feasible strategy to ensure the dynamic security of the system in the face of disruptions. Comment: 23 pages, 12 figure

    PAC Statistical Model Checking for Markov Decision Processes and Stochastic Games

    Statistical model checking (SMC) is a technique for analysis of probabilistic systems that may be (partially) unknown. We present an SMC algorithm for (unbounded) reachability yielding probably approximately correct (PAC) guarantees on the results. We consider both the setting (i) with no knowledge of the transition function (the only quantity required being a bound on the minimum transition probability) and (ii) with knowledge of the topology of the underlying graph. On the one hand, it is the first algorithm for stochastic games. On the other hand, it is the first practical algorithm even for Markov decision processes. Compared to previous approaches where PAC guarantees require running times longer than the age of the universe even for systems with a handful of states, our algorithm often yields reasonably precise results within minutes, not requiring the knowledge of mixing time or the topology of the whole model.