Automotive Control Revisited

Linear Inequalities as Approximation of Reachable Sets

Ansgar Fehnker, CSI, P.O. Box 9010, 6500 GL Nijmegen, the Netherlands, [email protected]

Abstract: Reachability analysis of hybrid systems imposes restrictions on the continuous and discrete behavior. In this paper a method is proposed to approximate the reachable set of linear systems by linear inequalities. It allows the full continuous dynamics of hybrid systems to be used for reachability analysis. This method is applied to an automotive control problem, which was presented by Stauner et al. in [SMF97].

Keywords and Phrases: Hybrid Systems, HIOA, Reachability, Safety Properties, Linear Programming, Bang-Bang Control.
AMS Subject Classification: 49N05, 93B03, 93C83
CR Subject Classification: G.1.3, G.1.6, J.2, J.7

Note. This paper will appear in Tom Henzinger and Shankar Sastry, editors, Hybrid Systems 98, LNCS, Springer Verlag, 1998. Research supported by the Netherlands Organization for Scientific Research (NWO) under contract SION 612-14-004.

1 Introduction

This paper presents an approximation technique for reachable sets of hybrid systems and applies this technique to a problem known from the literature. Stauner, Muller and Fuchs presented in [SMF97] an automotive control problem as a real-life benchmark problem for the analysis of embedded reactive systems. They verified some safety properties for a system which controls the height of one wheel of a car. They determined upper and lower bounds on the height, they showed that the (extended) controller does not change the height in bends, and they proved that two special control locations cannot be attained at the same moment. In addition Stauner et al. examined the step response (in the sense of control theory) of the system.

Verification of safety properties, which impose restrictions on the reachable states, requires the use of approximation techniques, because the exact reachable sets are difficult to compute and difficult to handle. In general there are two possibilities to cope with this problem. First, one can use an approximation of the hybrid system, i.e. specify a hybrid system with simpler continuous dynamics which includes the behavior of the original system. Stauner et al. used an approximation of nonlinear hybrid systems by linear hybrid systems, i.e. systems where the continuous behavior is governed by variables with piecewise constant derivatives [SMF97, Sta97]. This method is based on the method presented in [HH95, HWT96]. The second possibility is to approximate the reachable sets, but to use (a slight approximation of) the full continuous dynamics of the original specification. Puri, Borkar and Varaiya presented an approximation technique for Lipschitz differential inclusions [PBV95] using a small perturbation of the original system. These perturbations use variables with piecewise constant derivatives.

The approximation technique presented in this paper is of the second type. It uses bounded polyhedra which include the reachable sets, and requires that the continuous behavior is governed by piecewise linear differential equations. The following section presents the HIOA model of Lynch et al. A short description of the automotive control problem is given in the third section. In sections 4 and 5 some aspects of linear inequalities and linear systems are discussed, leading to an approximation method. The last section presents some results for the automotive control problem.

2 The HIOA model

We use the model of Hybrid I/O Automata (HIOA) by Lynch, Segala, Vaandrager and Weinberg [LSVW96] for the description of systems which show both continuous and discrete behavior. This model allows shared variables as well as shared actions. Within this model it is possible to reason about composition of hybrid systems and about implementation relations between systems, and it allows the continuous behavior of hybrid systems to be described separately from the discrete behavior. A hybrid I/O automaton (HIOA) $A$ consists of:

- Three disjoint sets $U$, $X$, $Y$ of input, internal and output variables, respectively. Let $V$ be the union of these sets. The valuations of $V$ form the state set; valuations will also be called states.

- Three disjoint sets of input, internal and output actions. The set of input actions contains $e$, a special environment action, which models the occurrence of input that is unobservable except (possibly) through its effect on input variables. The set of all actions is the union of the input, internal and output actions.

- A nonempty set of initial states, a subset of the state set. This set is closed under change of values for input variables.

- A set $D$ of discrete transitions, each consisting of a state, an action and a successor state. By definition each input action of a HIOA is always enabled. The environment action only affects inputs, and the input variables may change when a discrete transition occurs.

- A set $W$ of trajectories over $V$. A trajectory $w$ is a mapping from $I$ to states, where $I$ is a left-closed interval of the time axis $\mathbb{R}_{\ge 0}$ with left endpoint equal to 0. (In general it is sufficient to define the time axis as a subgroup of the real numbers with addition.) $W$ must contain the point trajectories, it has to be closed under subintervals, and if a trajectory $w$ restricted to $[0, t]$ is an element of $W$ for all $t \in \mathbb{R}_{\ge 0}$, then $w$ has to be an element of $W$ too. We assume in this paper that $w$ is integrable.

An important concept of HIOA is that of hybrid executions. A hybrid execution fragment is an alternating infinite or finite sequence of trajectories and actions $w_0 a_1 w_1 \ldots$. If the sequence is finite, then it ends with a trajectory. We call it a hybrid execution when its first state is an initial state. A state $s$ is defined to be reachable if there exists a finite hybrid execution whose last state equals $s$. The hybrid trace of a hybrid execution records the visible behavior of the execution. All trajectories are projected on the external (input and output) variables. The internal actions and the environment action are replaced by a special placeholder, which is removed if the states before and after the action agree. In the latter case the surrounding trajectories are concatenated. The set of all hybrid traces describes the external behavior of a HIOA. A HIOA $A$ implements a HIOA $B$ if the traces of $A$ are a subset of the traces of $B$. "$A$ implements $B$" requires that $A$ and $B$ are comparable, meaning they have the same external actions and the same external variables. A simulation relation (or just simulation) is usually used to prove that the traces of a HIOA $A$ are a subset of the traces of a HIOA $B$.
A simulation is a relation which maps all states of a hybrid execution of $A$ to states of some hybrid execution of $B$, such that the traces of these executions are the same. For more detail see [DL97] or [HSV94].

Complex hybrid systems can be modeled by composing HIOAs. Two HIOAs $A$ and $B$ can be composed if they are compatible, which means they have no output actions or output variables in common and no internal variable of either is a variable of the other. The composition of two compatible HIOAs is itself a HIOA. The input variables of the composition are the union of $A$'s and $B$'s input variables minus the union of their output variables. The same holds for the input actions. A HIOA is closed if it has no input actions and no input variables. Consequently the environment action has no influence on closed systems and can be omitted from the specification.

Figure 1: The EHC in its environment (blocks: chassis, wheel, filter, EHC, compressor, valve, reset)

One might wonder why one would use hybrid Input/Output automata without any input. This becomes clear when we consider two HIOAs in which one models the input of the other and vice versa. Considering the automotive control problem, we will see in section 3 that the EHC and the filtered environment are modeled with input and output, but that the composition of these has no input at all.

Hybrid systems typically use two types of variables: variables which range over finite (or at most countable) sets, and variables which range over (a subset of) $\mathbb{R}$. The model of Alur et al. [ACH+95] uses locations and data variables for this purpose. We define $V_D$ as the set of discrete variables and $V_C$ as the set of variables ranging over the reals. We can define $V$ as $V_D \cup V_C$, and the set of valuations of $V$ as the product of the valuations of $V_D$ and of $V_C$. We identify the valuations of $V_C$ with (a subset of) $\mathbb{R}^n$. Let $s_D$ and $s_C$ denote the projection of the state $s$ on $V_D$ and $V_C$, respectively.

Transitions are specified in precondition/effect style (Tables 1 and 2). Preconditions are predicates with variables from $V$. If a transition is enabled and eventually taken, the state is changed according to the specification of the effect. If a precondition is true or the effect is defined by the identity, it is usually omitted. When a transition takes place, the values of the input variables may change arbitrarily. We call a hybrid system clocked with sampling time $t_{sample}$ if discrete transitions may only occur every $t_{sample}$ time units. See for example Table 2.

3 The System

This section presents the hybrid system used for the automotive control problem [SMF97] in terms of the HIOA model by Lynch et al. The model used by Stauner et al. is followed as closely as possible. For further technical details and a motivation of the specific choices within this model see [SMF97] or [Sta97].

Table 1: The filtered environment

  continuous variables:
    input:    $c \in \mathbb{R}$
    internal: $e, h \in \mathbb{R}$
    output:   $f \in \mathbb{R}$
  actions:
    input:    back
    internal: none
    output:   none
  init:
    $e \in [e_{min}, e_{max}]$, $h = sp$, $f = sp$
  discrete transitions:
    back:  Effect: $f := sp$
  trajectories:
    $w$ is an $I$-trajectory if the following holds for all $t \in I$:
      $w.\dot f = \frac{1}{T}(h - f)$
      $w.\dot h = e + c$
      $w.e \in [e_{min}, e_{max}]$

The system consists of different components. First, we have the chassis, whose height can be changed by a pneumatic suspension with a compressor and an escape valve. The height is measured through a low-pass filter, which filters out high-frequency disturbances caused for example by holes in the road. The electronic height control (EHC) uses the filtered height to decide whether to use the compressor, to use the escape valve, or to do nothing.

The chassis level is influenced by external disturbances and by the escape valve and compressor. The rate of change of the height $h$ of the chassis is the sum of the changes due to disturbances, denoted by $e$, and the changes due to the compressor and escape valve, denoted by $c$. The continuous behavior of $h$ is modeled by the linear differential equation

$\dot h = e + c$    (1)

If the controller uses the escape valve, the height $h$ decreases with a rate $c$ in the interval $[ev_{min}, ev_{max}]$, while using the compressor increases the height $h$ with $c \in [cp_{min}, cp_{max}]$. The bounds of the disturbances are given by $e \in [e_{min}, e_{max}]$. To ensure that the EHC is able to avoid unbounded increases or decreases in height we assume $e_{min} = ev_{max}$ and $e_{max} = cp_{min}$. Of course, one would prefer more realistic and less restrictive assumptions, such as that the average influence of the environment has to be smaller than the average influence of the controller. Stauner et al. believed "(...) that the limits of the expressiveness of (linear) hybrid automata are reached with statements of this kind" [SMF97, p. 144].

The filter keeps track of the height, with the restriction that it takes some time until changes in height are properly detected. This feature is useful, because it limits the influence of brief and small disturbances. The filter is modeled by

$\dot f = \frac{1}{T}(h - f)$    (2)

Table 2: The EHC

  continuous variables:
    input:    $f \in \mathbb{R}$
    internal: $t_{clock} \in \mathbb{R}_{\ge 0}$
    output:   $c \in \mathbb{R}$
  discrete variables:
    input:    none
    internal: $mode \in \{d, s\}$, $loc \in \{down, up, in\_tolerance\}$
    output:   none
  actions:
    input:    none
    internal: stay
    output:   to_down, to_up, back
  init:
    $t_{clock} = 0 \wedge c = 0 \wedge loc = in\_tolerance$
  discrete transitions:
    to_down(m):
      Pre:    $t_{clock} = t_{sample}$
              $\wedge\ loc \in \{in\_tolerance, up\}$
              $\wedge\ (loc = up) \rightarrow (m = mode)$
              $\wedge\ f \ge otu_m$
      Effect: $loc := down$, $t_{clock} := 0$, $c :\in [ev_{min}, ev_{max}]$, $mode := m$
    to_up(m):
      Pre:    $t_{clock} = t_{sample}$
              $\wedge\ loc \in \{in\_tolerance, down\}$
              $\wedge\ (loc = down) \rightarrow (m = mode)$
              $\wedge\ f \le otl_m$
      Effect: $loc := up$, $t_{clock} := 0$, $c :\in [cp_{min}, cp_{max}]$, $mode := m$
    back:
      Pre:    $t_{clock} = t_{sample}$
              $\wedge\ (\ (loc = down \wedge f \in [otl_{mode}, itu_{mode}])$
              $\ \vee\ (loc = up \wedge f \in [itl_{mode}, otu_{mode}])\ )$
      Effect: $loc := in\_tolerance$, $t_{clock} := 0$, $c := 0$
    stay:
      Pre:    $t_{clock} = t_{sample}$
              $\wedge\ (\ (loc = in\_tolerance \wedge (f \in [otl_s, otu_s] \vee f \in [otl_d, otu_d]))$
              $\ \vee\ (loc = down \wedge f \ge itu_{mode})$
              $\ \vee\ (loc = up \wedge f \le itl_{mode})\ )$
      Effect: $t_{clock} := 0$
  trajectories:
    $w$ is an $I$-trajectory if the following holds for all $t \in I$:
      $w.\dot t_{clock} = 1$
      $w.t_{clock} \le t_{sample}$
      if $w.loc = in\_tolerance$ then $w.c = 0$
      if $w.loc = up$ then $w.c \in [cp_{min}, cp_{max}]$
      if $w.loc = down$ then $w.c \in [ev_{min}, ev_{max}]$

Here the constant $T$ determines the time the filter needs to adjust the filtered height properly. The filter also has an input action back (synchronization label set_f in [SMF97]), which allows the filtered height to be reset to the setpoint $sp$. The filtered environment (Table 1) describes the behavior of the height and the filtered height due to input of the EHC and disturbances by the environment.

Initially, the controller is in control location in_tolerance and neither the escape valve nor the compressor is used, so that $c = 0$. If the filtered height exceeds an upper limit otu, then the controller enters control location down, with the effect that the height decreases with a rate $c \in [ev_{min}, ev_{max}]$. If the controller is in location down and the filtered height falls below a given upper limit itu, then the controller re-enters control location in_tolerance and resets the filtered height to the setpoint $sp$. Similarly, there is a control location up, which is entered if the filtered height $f$ falls below a lower limit otl, with the effect $c \in [cp_{min}, cp_{max}]$. In this case, the controller re-enters in_tolerance when $f$ exceeds itl. To get a realistic model, we assume $otl \le itl \le sp \le itu \le otu$. The controller uses different values for otl, itl, itu, otu, depending on whether the car is driving or stopped, denoted by the indices $d$ and $s$. If the controller leaves in_tolerance it makes a nondeterministic choice between the modes driving and stopped. The HIOA of the EHC (Table 2) uses the modes $s$ for the stopped car and $d$ for the driving car. The model additionally assumes that transitions can only be taken every $t_{sample}$ seconds.

In the remainder of this paper matrix and vector multiplication are used. We assume that all matrices and vectors have elements in $\mathbb{R}$ and are of proper size. The block matrix $\binom{A}{B}$ will be denoted as $(A; B)$. $A^T$ and $a^T$ denote the transpose of the matrix $A$ and of the vector $a$, respectively. We assume a norm $\|\cdot\|$ like the Euclidean norm. The maximum, minimum, compactness of sets etc. are defined with respect to this norm.

4 Transitions and Linear Inequalities

The composition of the EHC and the filtered environment has some useful properties which allow a reachability analysis of this system. The system is clocked, the enabling conditions of the transitions are defined by linear inequalities and the assignments are linear. Additionally, the continuous behavior is governed by piecewise linear differential equations and the initial set is a bounded polyhedron. The composition of the EHC with the filtered environment is also closed.

The main components of a hybrid system are the transitions and the trajectories, sometimes referred to as discrete transitions and continuous transitions. In this and the next section we discuss some features of both (discrete) transitions and trajectories. Many examples of hybrid systems use linear inequalities for the specification of transitions or to define the set of initial states. Linear inequalities also occur in approximation techniques for nonlinear hybrid systems [HH95, PBV95] and are used to verify invariants of hybrid regular expressions [XHT97]. Given the linear inequality

$a^T x \le b$    (3)

[1] The hybrid automata used in [SMF97] use in some places strict inequalities like $>$.


with $x \in \mathbb{R}^n$, $a \in \mathbb{R}^n$ and $b \in \mathbb{R}$, the set of solutions $K$ is a half-space of $\mathbb{R}^n$. The vector $a$ is a normal on the hyperplane which separates $K$ from its complement $K^c$, i.e. $a$ is orthogonal to the hyperplane and points into the complement of $K$. An intersection of half-spaces is called a polyhedron. Using the matrix product we can define a polyhedron as the set of solutions $K \subseteq \mathbb{R}^n$ of

$A x \le b$    (4)

$A$ is an $m \times n$ matrix, with $m$ the number of inequalities, $b \in \mathbb{R}^m$ is a vector, and '$\le$' means that each element of $A x$ is less than or equal to the corresponding element of $b$. We see that the EHC and the filtered environment have preconditions and effects of a special structure. The atomic predicates over continuous variables are of the form $A s_C \le b$, with $s_C, b \in \mathbb{R}^n$, $A \in \mathbb{R}^{m \times n}$. Consequently the preconditions of the EHC define unions and intersections of polyhedra. Note that no strict inequality like '
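As an added example (not code from the paper), the following Python encodes the continuous part of the EHC preconditions of Table 2 as polyhedra $A x \le b$ over $x = (f, t_{clock})$ in the sense of equation (4), decides enabledness of to_down, to_up and back by polyhedral membership, and integrates the filtered environment of Table 1 over one sampling interval in closed form. The numeric values of sp, T, t_sample, the limits otl, itl, itu, otu and the bounds on e and c are constructed for the example; the paper only fixes their ordering and the couplings emin = evmax, emax = cpmin, and the stay transition is left out.

```python
import math

# Constructed parameter values (not the paper's); the paper only fixes the ordering
# otl <= itl <= sp <= itu <= otu and the couplings emin = evmax, emax = cpmin.
SP, T, TSAMPLE = 0.0, 1.0, 0.5
LIM = {"s": dict(otl=-3.0, itl=-1.0, itu=1.0, otu=3.0),   # stopped car
       "d": dict(otl=-4.0, itl=-2.0, itu=2.0, otu=4.0)}   # driving car
EMIN, EMAX = -1.0, 1.0                                    # disturbance e
EVMIN, EVMAX = -2.0, EMIN                                 # escape valve (loc = down)
CPMIN, CPMAX = EMAX, 2.0                                  # compressor (loc = up)

def polyhedron(rows):
    """Split (a_i, b_i) pairs into (A, b) so the set is {x : A x <= b}, eq. (4)."""
    return [a for a, _ in rows], [b for _, b in rows]

def contains(poly, x, eps=1e-9):
    """Membership test of eq. (4): every row a_i^T x must be <= b_i (one eq. (3) each)."""
    A, b = poly
    return all(sum(ai * xi for ai, xi in zip(a, x)) <= bi + eps for a, bi in zip(A, b))

def precondition(action, loc, mode, m):
    """Continuous part of a Table 2 precondition as a polyhedron over x = (f, tclock);
    m is the mode chosen by to_down(m)/to_up(m). None when the discrete part fails."""
    if loc != "in_tolerance" and m != mode:                # (loc = up|down) -> (m = mode)
        return None
    lim, clock = LIM[m], [((0, 1), TSAMPLE), ((0, -1), -TSAMPLE)]   # tclock = tsample
    if action == "to_down" and loc in ("in_tolerance", "up"):
        return polyhedron(clock + [((-1, 0), -lim["otu"])])          # f >= otu_m
    if action == "to_up" and loc in ("in_tolerance", "down"):
        return polyhedron(clock + [((1, 0), lim["otl"])])            # f <= otl_m
    if action == "back" and loc == "down":
        return polyhedron(clock + [((-1, 0), -lim["otl"]), ((1, 0), lim["itu"])])
    if action == "back" and loc == "up":
        return polyhedron(clock + [((-1, 0), -lim["itl"]), ((1, 0), lim["otu"])])
    return None

def enabled(action, state, m=None):
    """Enabled iff the discrete part holds and (f, tclock) lies in the polyhedron."""
    poly = precondition(action, state["loc"], state["mode"], m or state["mode"])
    return poly is not None and contains(poly, (state["f"], state["tclock"]))

def flow(state, e, c, dt=TSAMPLE):
    """Closed-form trajectory of eqs. (1)-(2) over one sampling interval with the
    disturbance e and the actuator c held constant: h' = e + c, f' = (h - f)/T."""
    assert EMIN <= e <= EMAX                               # w.e in [emin, emax] (Table 1)
    v = e + c
    h = state["h"] + v * dt
    f = h + (state["f"] - state["h"] + v * T) * math.exp(-dt / T) - v * T
    return dict(state, h=h, f=f, tclock=state["tclock"] + dt)
```

Because the clock rows force t_clock = t_sample, a state reached mid-interval is never inside any precondition polyhedron, which is exactly the clocked behaviour of Table 2.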