CC BY
81III. ИНФО-КОММУНИКАЦИОННЫЕ ТЕХНОЛОГИИ
For citation: Staroletov S., Tengis T. Model-driven development methods and formal verification algorithms for cyber-physical systems as applied to system software of unmanned aerial vehicles //
URL: http://rectors.altstu.rU/ru/periodical/archiv/2020/1/articles/3_1.pdf DOI: 10.25712/ASTU.2410-485X.2020.01.008
UDK 004.05
Model-driven development methods and formal
verification algorithms for cyber-physical systems as applied to system software of unmanned aerial vehicles
S.Staroletov1, T.Tengis2
The development of unmanned aerial vehicles is an important task for science and technology, because such devices can have many applications in the modern digital economy (including environmental monitoring, border patrols, air reconnaissance, traffic control, precision agriculture, disaster relief, assistance in the field of agriculture, delivery of goods), especially for Mongolia, a country with large void spaces, see Figure 1.
Figure 1. Using a quadcopter with a camera to filming a tourist trip near Kharkhorin, Mongolia
In this paper, we consider quadcopters — aircraft with four engines and a programmed flight controller device. An example of recent public testing of a
1 Polzunov Altai State Technical University, Barnaul, Russia Email: serg_soft@mail.ru
2 Mongolian University of Science and Technology, Ulaanbaatar, Mongolia Email: tengis@must.edu.mn
Наука и образование Большого Алтая»
75
Russian Post drone that crashed just a few seconds from the start of the test shows us that it is necessary to create highly reliable software for such machines, which in most cases should prevent possible fails and crashes (given hardware breakdowns or failures in software, incorrect and conflicting pilot commands).
In addition, we should keep in mind that unmanned aerial vehicles like quadcopters can be considered as a reduced representation of normal air vehicles. Most of the technologies for creating quadcopter software, taking into account safety and survivability, modeling the physical properties of flight remain unchanged for large air vehicles.
The scope of work includes:
• assembly of a flying quadcopter in order to obtain a hardware prototype (from components that are freely sold on the market);
• development of a software solution for a flight controller with high reliability requirements, which will to some extent meet the standards of avionics software;
• formal verification of critical control and system code using deductive approach and cyber-physical models of flight using dynamic logic extensions;
• obtaining a model for teaching courses as the design of operating system components, software verification and control theory.
Consider the parts of the DIY quadcopter with parts available on the market (Figure 2):
Figure 2. A self-assembled quadcopter and its parts [1]
• the frame connects all components and provides electrical transmission of high current energy to the motors;
• brushless motors (4x for quadcopters) provide lift for propellers, which allows the copter to fly or rotate;
1'2020
■----
• ESC (Electronic Speed Controller) provides a high-level interface for controlling the corresponding motor, translates given speed into electrical voltage and controls the results of the rotation of the motors;
• a battery (usually of the LiPo type) supplies electricity to the copter, and the operating time depends on it;
• the power module after connecting to the battery provides two electrical circuits: a low-current for the flight controller and a strong-current for the motors, it also has a control signal for the flight controller to monitoring the current state of the battery;
• an external GPS / compass module is used to obtain current coordinates for use in flight control algorithms for waypoints, it should be separated from the flight controller and frame to minimize the effect of electrical noise;
• telemetry is a radio transceiver operating at a frequency of 915 MHz and it allows to create a radio channel for the ground control module to send the current status and receive commands by providing a UART (communication port) with data transmission via radio;
• the additional periphery is a payload for the quadcopter, in the simplest case it can be a camera, in difficult cases, it can be, for example, a fire extinguishing device, this load can be controlled by an additional controller or even the main flight controller with special isolated processes;
• the flight controller which is responsible for control the entire state of the quadcopter (the state of all internal hardware components) like a car ECU, has built-in sensors and software code for the flight, either controlled by an operator or autonomously controlled [1]. Our goal is to create reliable software for it.
The creation of system software with increased reliability requirements for unmanned aerial vehicles (as well as for airplanes) is closely related to the development of the operating system, with the original design focused on reliability. Today's OSs for aircraft should belong to the class of real-time systems and should provide secure separation of memory space and processor time. For these requirements, there is an industry avionics standard developed by Aeronautical Radio, Inc., ARINC 653. An open-source BSD-licensed OS in the proof-of-concept state POK (Partitioned Operating Kernel) that satisfies this standard with some restrictions was created in France by Julien Delange; it uses an approach based on the initial use of models to describe the system configuration in a declarative language AADL (Architecture Analysis & Design Language).
Consider the structure of a real-time OS for a flight controller with increased reliability requirements using the POK approach. In the example [2], the authors give some tips on how to implement such a structure (Figure 3).
Наука и образование Большого Алтая»
Figure 3. Model-driven design of flight controller OS with partitions [2]
The scheme is generated from AADL code and represents the following separation: four sections and four memory segments for interaction with a GPS receiver, throttle, yaw control and a PID controller code for stabilization.
PID (Proportional, Integral, Differential) controller is a feedback system for adjusting the state of the control object. When controlling an object, an error is calculated between the current and the desired state (for example, between the current and the given height of the device position), then, based on the current error, the effect is calculated on the basis of three parts with given P, I, D coefficients. At present, the coefficients are set in the user interface of a ground-based control station, for example, using Mission Control software. There are some assumptions for setting the coefficients, and for some standard quadcopter assemblies they are known, but for a non-standard one, they should be determined as a result of experiments. According to [3], in the currently popular Ardupilot / Arducopter firmware implementation, a combined circuit of P- and PID-controllers is used to control altitude retention. The orientation on each axis is controlled using a special P-controller for converting the angular error (the difference between the given angle and the actual angle) into the required rotation speed, and then the PID controller for converting the rotation speed error into high-level commands to the motors. As the part of the P-controller, the "square-root controller" is set to represent the rotation angle function first linearly, and then using the approximation with the square root function.
The construction of complex control schemes with smooth behaviour leads to potential stability problems that can cause to lose the quadcopter. So, we propose using formal methods to statically verify such schemes. For continuous state systems, currently there is growing a set of methods of formal verification at the level of cyber-physical systems.
For example, verification of a simple PD-controller (a simplification of PIDcontroller) can be done fully automatically using the differential dynamic logic [4] and its implementation in KeYmaera hybrid theorem prover which takes hybrid programs with first-order differential equations and their systems as input. For these purposes, the model of the system can be represented as a Hoare's triple (1):
init ^ [controller](req) (1)
Then, we decompose the system into precondition, continuous PD-controller and requirements. Precondition (2):
init: ==v>0Ac>0AKp = 2AKd = 3A V(p, pr, v) < c (2)
Here v is the speed, c is a constant, Kp and Kd are PD-coefficients, p and pr are the current and required positions respectively.
The continuous state (3):
controller: == p' = v,v' = —Kp X (p — pr) — KdXv (3)
As for the requirement (4) it is proposed in [5] to check the system stability using the Lyapunov method with choosing a Lyapunov function (5):
req: == V(p, pr, v) < c (4)
V(p, pr, v)=5x(p- pr)2 + (p-pr)x^ + Z2 (5)
The corresponding hybrid program (Figure 4) is devoid of any cycles and represents one continuous state in which the physical model is defined as a system of two equations. The program as evolution statement is placed inside the modal operator "[]", while the rule for the Lyapunov function is set as post- and preconditions. Executing the evolution statement means for the modelled system to stay in the continuous state as long as it wishes (the time to stay is chosen non-deterministically), after it we quit with a solution and check the precondition.
\problen {
\[
Rp, v, a, S, Kp , Kd t e , r
\] C((v >- 0) k (Kp - 2)) & (Kd = 3) 4 (c > 0) k C(5 / 4) * ip - r) ~ 2 + (<p - r) * v) / 2 + (v * 2) / 4 < c) -> C\[
<p' - vj v' = (-Kp) * Cp - r) - Kd * V, v 0) M ((5 / 4) « (p - r) " 2) + < Cp - r) • v) / 2
+ (y * 2) / 4 < cX) }
Figure 4. Example program in KeYmaera language
For controllers with "I" part and their combinations, rule I' = (p — pr) should be used.
The advantages of using formal methods here is a possibility to try different Lyapunov functions automatically. For controllers with "I" part and their combinations, the formal verification process is not developed yet to be so mature.
Currently, model-driven methods are established to express cyber-physical systems and, in the engineering world, a lot of engineers use Matlab Simulink or its open-source analogue Scilab Xcos to create and simulate physical models in a graphical editor by connecting blocks with the possibility to write some additional code. For example, refer to a state feedback controller for a quadcopter, that we did in [6], as an apposite and more complex method to the PID controller scheme, when we tried to consider the usage of full state feedback control. The scheme is represented as a collection of blocks (see Figure 5). Here, the control input, u, consists of 4 angular velocities [®] of rotors and it is formed by the sum of reference input multiplied by the gain matrix N and internal states multiplied by the feedback matrix K. The control parameters can be elaborated using the dynamic test stand (Figure 6).
Figure 5. Block scheme of the state feedback
We have a strong intuition that using block traversal through the diagram, generating code in hybrid program languages of formal proving tools, using control
theory methods and dynamic logic extensions, we will be able to provide formal methods to statically verify such systems.
Figure 6. Dynamic test stand for the elaboration of control parameters for a quadcopter in Mongolia [6]
Nowadays, there is a trend to use AI or machine learning methods in the control systems, which help to abandon from the complex models. For example, PID coefficients can be learned using supervising process for a neural network. Proving such systems is extremely complex, and some preliminary results were recently demonstrated in [7].
The control and system code that runs in a flight controller, can also have hidden errors which can lead the quadcopter to misoperation. A way to formally prove the code is called deductive verification and it requires to write annotations in a first-ordered logic on pure C terms. That means that the verification engineer creates a model for the code as Hoare-style specifications. In the work [1] we show this approach as applied to a piece of code for PID control (Figure 7). The corresponding specification is given in Figure 8. The reader can see that writing such a specification requires a lot of efforts, so the deductive verification should be done only for critical valued code.
float get_iCPID *pld, float error, float dt) { if ((pid->ki B) && Cdt {
pid->intet|rator 4= CCfloatJ error * pirt->ki) * dt;
If tpitf->integrator < -pid->imnx3 { pid->integrator = -pid-?imax;
} else
(pirt->integrator > pid->imax) { pid->integrator = pirf->i?nax;
}
return pidisintegrator;
}
return B;
>
Figure 7. A piece code of PID control in Ardupilot to prove [1]
axiomatic CheckAxiomatic {
logic float Checkllp{L}(float integrator, integer max); lemma CheckUpMin{l}: Vforall float integrator, integer max;
(integrator -max) CheckUpfiintegrator, max) (float)-max; lemma CheckUpMax{l}: \foratl float Integrator, integer max;
integrator > max CheckJp(integrator, max} (floatjmax; lemma CheckUpNorm{L}: \forall float integrator, integer max;
(integrator -max) && (integrator <= max) => CheckUp(integrator, max) == integrator;
J
requires \valid(pid}; requires pid->imnx > 0; assigns pid->integrator;
ensures ((pirt->ki != 0) t& (eft != 0)) => \nt(pid->inteprotor, Post} =
Checkllp(( float) (\old(pid->integrator) + ((float) error * pid->ki) * dt), (int) pid->imax);
ensures !((pid->ki !*= 0) Sift (dt 0)) ==> \e>t(pirt->integrator, Post) \old(pid->integrator);
ensures ((pid->ki !*= 0) K& (dt [=s 0)) ==> \result ~ \at(pid->integrntor, Post);
ensures !((pid->ki 0) № (dt 1= 0)) ™> \result ™ 0;
Figure 8. A model of code in Figure 7 as a specification [1]
For the conclusion, we are going to use modern achievements in the design of operating systems, methods of formal deductive verification, methods of requirements engineering, methods of control theory, methods of theorem proving for developing and formal verification of properties of the quadcopter cyber-physical system. The reliability of the further results can be confirmed using the tools approved by the community:
• Code level verification: Frama-C tool with WP plugin or connecting third-party theorem proof tools via Why3, with the creation of annotations in the ISO-standardized ACSL language.
• Verification at the level of cyber-physical system: KeYmaera / KeYmaera X tool that implements differential dynamic logic; Ariadne tool may also potentially be used.
• Quadcopter control code based on open-source Ardupilot / Arducopter solution and our developed and/or improved models.
• The system level code will be developed based on open-source code of POK and FreeRTOS for the ARM platform.
Список литературы
1. Старолетов С.М., Амосов М.С., Шульга К.М. Разработка программного обеспечения квадрокоптера с повышенными требованиями к надёжности на основе партицированной ОС и технологий формальной верификации // Труды Института системного программирования РАН. 2019. Т.31. №.4. С.39-60. DOI: https://doi.org/10.15514/ISPRAS-2019-31(4)-3
2. POK. Examples. Case Study Ardupilot. Режим доступа: https://github.com/pok-kernel/pok/tree/master/examples/case-study-ardupilot
3. Copter Attitude Control. URL : http://ardupilot.org/dev/docs/apmcopter-programming-attitude-control-2.html
4. Platzer A. The complete proof theory of hybrid systems // Proceedings of the 2012 27th Annual IEEE/ACM Symposium on Logic in Computer Science. IEEE Computer Society, 2012. С.541-550.
5. Quesel J. D. et al. How to model and prove hybrid systems with KeYmaera: a tutorial on safety // International Journal on Software Tools for Technology Transfer. 2016. Т.18. №.1. С.67-91.
6. Tengis T., Batmunkh A. Quadcopter stabilization using state feedback controller by pole placement method //International Journal of Internet, Broadcasting and Communication. 2017. Т.9. №.1. С.1-8.
7. Ivanov R. et al. Verisig: verifying safety properties of hybrid systems with neural network controllers // Proceedings of the 22nd ACM International Conference on Hybrid Systems: Computation and Control. ACM, 2019. С.169-178.
References
1. Staroletov S.M., Amosov M.S., Shulga K.M. Designing robust quadcopter software based on a real-time partitioned operating system and formal verification techniques, Proceedings of ISP RAS, 2019, Volume 31, Issue 4, 39-60. DOI: https://doi.org/10.15514/ISPRAS-2019-31(4)-3
2. POK. Examples. Case Study Ardupilot. Available under the link: https://github.com/pok-kernel/pok/tree/master/examples/case-study-ardupilot
3. Copter Attitude Control. Available under the link: http://ardupilot.org/dev/docs/apmcopter-programming-attitude-control-2.html
4. Platzer, André. "The complete proof theory of hybrid systems." Proceedings of the 2012 27th Annual IEEE/ACM Symposium on Logic in Computer Science. IEEE Computer Society, 2012.
5. Quesel, Jan-David, et al. "How to model and prove hybrid systems with KeYmaera: a tutorial on safety." International Journal on Software Tools for Technology Transfer 18.1 (2016): 67-91.
6. Tengis, Tserendondog, and Amar Batmunkh. "Quadcopter stabilization using state feedback controller by pole placement method." International Journal of Internet, Broadcasting and Communication 9.1 (2017): 1-8.
7. Ivanov, Radoslav, et al. "Verisig: verifying safety properties of hybrid systems with neural network controllers". Proceedings of the 22nd ACM International Conference on Hybrid Systems: Computation and Control. ACM, 2019.
