The converted automata can then be verified against an uncertain set of conditions using an existing symbolic model checker such as PHAVer.

Nomenclature:
- $L_{r,k}$: set of executable branches of the goal in $S_{r,k}$
- $S_{r,k}$: set of descendants of root goal $g_r^{0,0}$ in group $G_k$
- $U$: set of uncertain state variables
Motivation
One way to design a fault-tolerant autonomous system is to create a flexible control system that can reconfigure itself in the event of a fault. The fault-tolerant control system must be tested to ensure that the system operates safely when a fault occurs, and to ensure that there is a control tactic to account for all possible errors and failures.
Fault Tolerant Control
Although many fault-tolerant control systems achieve reconfiguration capability, few actually change the control tactics assigned to the system. As the control system becomes more state and model based, traditional command sequences become too rigid.
Control System Verification
Naturally, by encoding the intent of the robot's actions, MDS has allowed for multiple error response options to be independently explored by the control system [27]. The original abstract algebraic specifications are then used to prove properties of the control system.
Stochastic Verification
Another verification procedure design was applied to Object Oriented Analysis to enable a smooth interface with model-based verification techniques [56]. Probabilistic techniques for reachability analysis have been developed for discrete-time controlled stochastic hybrid systems [70, 71] and for large-scale stochastic hybrid systems using rare event estimation theory [72] and subset simulation [73].
Outline
Any planned goal is then achieved by the evaluator or controller of the state variable that is bounded. The tactics shown in the goal trees contain passive goals in two state variables, SystemHealth and SatelliteConnection, that guide the choice of tactics.
Linear Hybrid Automata
The firing of the second time point will occur when the transition goal, GetToPoint, is completed. However, this can cause a large explosion of the state space, so symbolic model checkers divide the state space into sets that are similar in the given reachability analysis.
Stochastic Hybrid Systems
The reachability analysis used in the safety verification of these hybrid automata finds the set of all states connected to a given initial state by a valid run. In Section 3.2, more detailed information is given on the types of goal networks that can be converted and verified.
Properties of Convertible Goal Networks
Structure of the Goal Network
If the transitions are state-based (which will be formally defined later), this means that all possible states of the passively constrained state variables in a goal network satisfy the passive constraints in a given set of tactics. Goal networks with state-based transitions have nice properties that are described in Section 3.4.
State Variables
Resource state variables, such as power, memory, or charge cycles, are state variables that can be consumed (and in some cases recovered). Projection, which will be discussed in Section 3.3, is a useful way to deal with resource state variables.
Heuristic Conversion and Verification Procedure
- Goal Network Definitions
- Procedure Description
- Goals Automaton
- Uncontrollable and Dependent State Variables
- Hybrid System Verification
- Projection
- Comparison with Formal Method
An example of the fusion logic table for this state variable is given in Table 3.1. The condition for this transition will be a combination of the StartsIn logic for each tactic represented in the location.
Conversion and Verification Procedure
- Formal Description of Goal Network Executions
- Procedure Description
- Soundness and Completeness
- Simple Rover Example
Further explanation of the model checking and verification of the goal network will be provided in the following sections. The goal automaton includes the complete set of possible executions of the goal network in its locations and transitions.
Conversion Software Design
Input Parser
This means that the discrete modes of the models of these state variables have different rates of change of the continuous state variable. The time points that constrain each goal, the state variable constrained, the constraint type, and the constraint value are included in each non-macro goal.
Automaton Creation Algorithm
These locations are then listed with the other state variable constraints in the uncertain set specification. The goal automaton and the transformed uncertain set specification (PHAVer only) are then passed to the appropriate output file creation algorithm.
Output File Creation
Finally, when PHAVer is used as the verification software, the uncertain set transformation algorithm takes the set of uncertain conditions and transforms them into a form that PHAVer can use. PHAVer cannot handle speed ratios, although these may be common unsafe set specifications; an example is limiting a rover's speed when its sensor health state variables are degraded.
Goal Network Verification
Working with Model Checkers
Reverse Conversion Procedure
Constraints that appear only in one uncertain set, $Z^n_{k,i}$, are sibling goals belonging to a new tactic of the goal, $g_n$, associated with the uncertain set. If there is only one set $C^n_{k,i} \in \bar{C}^n_k$, the constraints in that set represent the children's goals expanded in different tactics from the potential parent goal.
Conclusion
The design tool used to create goal networks with state-based transitions (defined in Section 4.2), the SBT Checker, is introduced in Section 4.3. The application of the InVeriant model checker to a class of linear hybrid systems is discussed in Section 4.5.
State-Based Transitions
Therefore, goal networks designed to have state-based transitions can be verified using a very simple search algorithm that can handle complex systems. Although designing goal networks with state-based transitions imposes some structure on the goal network, one could argue that the requirement is good design practice.
SBT Checker
But according to the definition of state-based transitions, for each $L_{r,k}$ there exists some $L_{r,\gamma} \in L_{r,k}$ such that $\gamma \models \mathrm{pcons}(L_{r,\gamma})$, because $L_{r,k}$ has state-based transitions over $D_{r,k} \subseteq D_k$. SBT Checker exploits this modularity of goal networks to check that each root goal's tactic has state-based transitions.
InVeriant Verification Procedure
Let $V_{\gamma_c} \subset V$ be the set of locations satisfied by some state $\gamma_c \in \Gamma_c$, $V_{\gamma_c} = \{v_i \mid \gamma_c \models \mathrm{inv}(v_i)\}$, where $V$ has state-based transitions. For each $d_i \in D$, the set of discrete states constrained passively in the goal network is $\Lambda_i$.
Verification of State and Completion-Based Linear Hybrid Systems
So any number of state-based automata can be composed into an automaton that has state-based transitions. Because of this modularity, SBT Checker can be used to check state-based transitions of state-based automata.
Discussion
Because transitions are ignored, the complexity of the verification problem no longer depends on the number of state variables. PHAVer and HyTech only extract the states of the state variables that allow the system to reach the uncertain set; even the unsafe states are excluded from their output.
Conclusion
Stochastic hybrid systems include uncertainty in the transitions of the hybrid automaton as probabilistic transition conditions. However, a complete analysis of this system must include the calculation of the error probability due to the estimation uncertainty.
Problem Definition
Automata Specification and Models
First, the definition of the complete system state is given by the uncertain state variables. The actual value of the state variable $\chi_i$ can be accessed using its associated function $\mathrm{val}(\chi_i) \in \Lambda_i$.
Unsafe System States
The other direction of the proof is obvious from the definition of the uncertain set. The complete states of the system that allow the execution of the set to occur normally are elements of the nominal set, $s_\xi \in \Xi_k$.
Failure Path Specification
The uniform completion case applies to groups that have only one task completion rate; in the non-uniform case, the group would have more than one rate that limits the achievement of the completion task.
Probability Calculations
Uniform Completion Case
The matrix of transition probabilities between all nominal complete system states is $Q_k$, where the probability of a transition from $s_{\xi_i}$ to $s_{\xi_j}$ is given by Equation (5.15). Since all uncertain complete system states are accepting states, only transitions to these states from the nominal complete system states are considered. The vector $W_{u,k}$ contains the probabilities of transitions from each nominal complete system state to each uncertain complete system state.
Non-Uniform Completion Case
Initialize the search tree with the enclosure of the initial failure path, $\beta_\emptyset$. The initial failure path is the failure path without nominal transitions. The calculation of failure path probabilities is similar to the method described for the uniform completion case.
System Failure Probability
The failure path probabilities are calculated using the initial and transition vectors and matrices described above, and then all the path probabilities are summed to determine the group failure probability. The failure probability of a hybrid system is the sum of the probabilities of failure paths through the system.
Variations on the Failure Probability Problem
Subgroups
Any entry into Safing terminates the execution of the hybrid system and prevents failure in the future, and is therefore excluded from the failure probability calculation. These subgroup failure probabilities, $W_s(k, h)$, are calculated in the same way as the group failure probability for a connected group, except that there is no initial failure probability ($a_k$) in the failure path probability sum.
Completion Time Uncertainty
It is possible to approximate a group's failure probability with this completion time uncertainty to varying degrees of accuracy. For uniform completion groups, the failure probability can be calculated for a range of completion times centered around $c_k$, $C^n_k = \{c_i \mid c_i \in \mathbb{Z}^+ \wedge c_i \in [c_k - n\sigma,\, c_k + n\sigma]\}$.
Missing State Transitions
The transition scheme is still deterministic and, with the exception of the missing transitions, it is state-based, so if the transition exists then by definition $\xi_i \in \mathrm{inv}(v_j)$. The original transition matrix for the set $S = \{GG, GF, FG, FF\}$ in the similar example in Figure 5.2 would look like this.
Problem Complexity and Reduction Techniques
Problem Complexity
The number of failure path groups increases as the number of contribution values and the completion time increases, and decreases as the actual contribution values increase. The difficulty then becomes the number of mathematical operations required to find the failure probability, which is based on the number of complete system states and the number of failure path groups.
Complete System State Reduction Techniques
However, the failure path creation algorithm is very efficient and can handle the path groups with little difficulty. This state variable's state propagation can be adequately modeled as a stationary Markov process; however, if the relative position of the sun (SP) independently affects the hybrid control system, some reduction in the number of complete system states may be possible.
Approximate Methods
Stochastic Hybrid Model Verification
The transition conditions of the original automaton were based on the discrete states of environmental variables whose state propagation could be modeled by a stationary Markov process. Many of the available stochastic verification methods are affected by the number of reachable locations.
Markov Chain Monte Carlo Simulation
Finally, let the augmented probability matrix for each state variable, $P_{\chi,i}$, be the matrix giving the transition probability between complete states of the individual uncertain state variable. Then the stationary probability of each set can be calculated from the sum of the stationary probabilities of its elements.
Conclusion
Therefore, this example is reformulated and verified using the new verification method described in Chapter 4. The failure probability calculation for this case should be approximated by the Markov Chain Monte Carlo technique described in Chapter 5.
Complex Rover Example
Goal Network Design
Conversion and Verification
In the final model reduction, the SystemHealth state variable was removed in favor of using the three sensor health state variables instead. These changes were added, verified, and then translated back to the goal network by adding a new tactic in the rate limit goal tree, which can be found in Figure 6.10.
Uncertainty Analysis
For this example, several estimation uncertainty values were chosen and the probability of failure was calculated for each of them; the results are shown in Figure 2.
Titan Aerobot Example Mission
- Problem Statement
- Goal Networks
- Verification
- Uncertainty Analysis
The third task for the aerobot is power control, which is controlled in the goal tree shown in Figure 6.16. It is assumed that when the aerobot is in positive control (i.e., the position and map uncertainties are low, the wind vector is low, etc.), the low-level position controls successfully avoid low-altitude terrain.
Conclusion
First, the provable modularity of the state-based transition property allows for distributed design of goal networks. Fault-tolerant systems designed with the concept of state-based transitions are highly dependent on the quality of the state estimators for the passive state variables.
Future Directions