Controller Synthesis for Discrete and Timed Systems
Stavros Tripakis (joint work with Karine Altisen)
Posted on 21-Dec-2015
Controller Synthesis
Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves.
Properties:
• Invariance: the controller keeps the system inside a set of safe states.
• Reachability: the controller leads the system to a set of target states.
Synthesizing a controller for a rail crossing
[Figure: rail-crossing model as a network of timed automata. Train: locations far, near, in; actions approach!, enter!, exit!; clock x with guards x <= 5, x >= 1, x > 2, x <= 1, x <= 0 and resets x := 0. Gate: locations is_up, is_down; actions lower?, raise?, up!, down!; clock y with guards y <= 1, y <= 2, y >= 1 and resets y := 0. Controller: actions lower!, raise!, approach?, exit?. Train and Gate together form the Environment. Invariance property: in implies is_down (whenever the train is in the crossing, the gate is down).]
Scheduling periodic tasks with deadlines
[Figure: two periodic tasks and a processor. Task 1: locations idle, wait, exec; actions ready1!, start1?, end1!, missed!; clocks x1 and y1 with constraints x1 in [9,11], x1 > 5, y1 in [2,3] and resets x1 := 0, y1 := 0; a missed deadline leads to an error location. Task 2: same structure with ready2!, start2?, end2!, missed!, constraints x2 in [7,10], x2 > 4, y2 in [1,2]. Processor: issues start1!, start2! and receives end1?, end2?. The tasks form the Environment. Invariance property: the error location is never reached.]
• The synthesized controller corresponds to a scheduler.
Controller synthesis for discrete systems
• Model: finite graph with edges labeled controllable / uncontrollable.
• Similar to 2-player games.
Strategies
• Strategy: sub-graph containing, for each node, at least one controllable successor and all uncontrollable successors.
[Figure: two example strategies (1st strategy, 2nd strategy) for the same game graph.]
Winning strategies (invariance)
• Invariance of a property P: all nodes of the strategy satisfy P.
[Figure: a winning strategy w.r.t. invariance of P.]
Winning strategies (reachability)
• Reachability of a property P: all paths of the strategy eventually reach a node satisfying P.
[Figure: a winning strategy w.r.t. reachability of P.]
Computing winning nodes with fix-points
• contr-pre(S): set of nodes which have at least one controllable successor in S and all uncontrollable successors in S.
• Invariance of P: gfp X . P ∩ contr-pre(X) (start from all nodes and shrink).
• Reachability of P: lfp X . P ∪ contr-pre(X) (start from the empty set and grow).
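Worked example, added here and not part of the slides: the two fix-points above iterated on a small constructed game graph, plus rank-based strategy extraction for reachability (the `contr_pre`/`winning_*` functions, the `GAME` graph and the `SAFE` set are this example's own).

```python
# Added example (not from the slides): the fix-point computation of winning
# nodes. Assumed representation: node -> list of (successor, "c" | "u"),
# "c" = controllable edge, "u" = uncontrollable edge.
def contr_pre(graph, S):
    """Nodes with at least one c-successor in S and all u-successors in S
    (a node without any c-edge never qualifies, as in the slide's definition)."""
    return {n for n, edges in graph.items()
            if any(t in S for t, l in edges if l == "c")
            and all(t in S for t, l in edges if l == "u")}

def winning_invariance(graph, P):
    """gfp X . P ∩ contr-pre(X): start from all nodes and shrink until stable."""
    X = set(graph)
    while True:
        nxt = P & contr_pre(graph, X)
        if nxt == X:
            return X
        X = nxt

def winning_reachability(graph, P):
    """lfp X . P ∪ contr-pre(X): start from the empty set and grow until stable.
    Also records the iteration (rank) at which each node became winning."""
    X, rank, i = set(), {}, 0
    while True:
        nxt = P | contr_pre(graph, X)
        for n in nxt - X:
            rank[n] = i
        if nxt == X:
            return X, rank
        X, i = nxt, i + 1

def reachability_strategy(graph, P):
    """Per winning node outside P keep all u-edges and only the c-edges that
    strictly decrease the rank, so every path of the strategy progresses to P."""
    win, rank = winning_reachability(graph, P)
    return {n: [(t, l) for t, l in graph[n]
                if l == "u" or (t in win and rank[t] < rank[n])]
            for n in win if n not in P}

# Constructed sample game: s1 is losing because its u-edge leads to BAD.
GAME = {
    "s0": [("s1", "c"), ("s2", "c")],
    "s1": [("BAD", "u"), ("s0", "c")],
    "s2": [("s2", "c"), ("s0", "u")],
    "BAD": [("BAD", "c")],
}
SAFE = {"s0", "s1", "s2"}
```

Running `winning_invariance(GAME, SAFE)` shrinks from all four nodes to {s0, s2} in two rounds, and `reachability_strategy(GAME, {"s2"})` keeps only the edge s0 -> s2.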
Computing winning strategies on-the-fly
• Perform a forward DFS on the graph:
  - nodes/edges are inserted in the strategy during exploration
  - ensure that for each node included in the strategy, all u-succs and at least one c-succ are also in the strategy
  - stop at already visited nodes
  - as soon as the first strategy is found, it is returned
• For invariance:
  - nodes initially marked "maybe", potentially changed to "no"
  - a strategy exists if the initial node remains "maybe" till the end
• For reachability:
  - nodes initially marked "maybe", potentially changed to "yes"
  - a strategy exists if the initial node changes to "yes" at the end
• Back-tracking may be necessary.
Illustration of on-the-fly algorithm
[Figure: DFS exploration on a small game graph showing (a) back-tracking when an explored branch turns out to be losing for invariance of P, and (b) reachability of P with a losing node BAD.]
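Added example, not from the slides: the on-the-fly invariance algorithm of the slides in Python, including the back-tracking step; `synthesize_invariance` and the `GAME` graph are constructed for this example. It explores every uncontrollable successor but stops at the first controllable successor that stays "maybe", and only resumes with the remaining controllable edges when that successor later turns "no".

```python
# Added example (not from the slides): on-the-fly DFS synthesis for invariance.
# Nodes start "maybe" and turn "no" when unsafe, when a u-successor is "no", or
# when no c-successor can stay "maybe"; a "no" is propagated to the nodes that
# relied on it (back-tracking). Assumed graph: node -> list of (succ, "c"|"u").
def synthesize_invariance(graph, init, safe):
    """Returns (winning nodes, strategy), or (set(), {}) when init is losing."""
    mark, deps = {}, {}        # node -> "maybe"/"no"; node -> nodes relying on it

    def succs(n, label):
        return [t for t, l in graph[n] if l == label]

    def still_ok(n):           # can n stay "maybe" under the current marks?
        if any(mark.get(t) == "no" for t in succs(n, "u")):
            return False
        return pick_controllable(n)

    def kill(n):               # mark n "no" and re-examine its dependants
        if mark.get(n) == "no":
            return
        mark[n] = "no"
        for p in list(deps.get(n, ())):
            if mark.get(p) == "maybe" and not still_ok(p):
                kill(p)

    def pick_controllable(n):  # explore c-successors until one stays "maybe"
        for t in succs(n, "c"):
            deps.setdefault(t, set()).add(n)
            if t not in mark:
                explore(t)
            if mark[t] == "maybe":
                return True
        return False

    def explore(n):            # forward DFS; visited nodes are not re-entered
        mark[n] = "maybe"
        if not safe(n):
            return kill(n)
        for t in succs(n, "u"):   # every u-successor must stay "maybe"
            deps.setdefault(t, set()).add(n)
            if t not in mark:
                explore(t)
            if mark[t] == "no":
                return kill(n)
        if not pick_controllable(n):
            kill(n)

    explore(init)
    if mark[init] != "maybe":
        return set(), {}
    winning = {n for n, m in mark.items() if m == "maybe"}
    return winning, {n: [(t, l) for t, l in graph[n] if l == "u" or t in winning]
                     for n in winning}

# Constructed sample: trying s1 first runs into BAD, so the DFS back-tracks to s2.
GAME = {"s0": [("s1", "c"), ("s2", "c")], "s1": [("s3", "c"), ("s0", "u")],
        "s2": [("s2", "c")], "s3": [("BAD", "u")], "BAD": [("BAD", "c")]}
```

From s0 the DFS first follows s1 -> s3 -> BAD, the "no" propagates back to s0, which then tries s2 and finds the self-loop strategy; from s1 no strategy exists.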
Controller synthesis for timed systems
• Model: timed automata with discrete transitions labeled controllable / uncontrollable.
• Additional feature: time transitions.
• Condition for strategy: if a time transition of delay t is possible from a state in the original graph, then, in the strategy sub-graph:
  - either the same time transition of delay t is kept,
  - or a time transition of some shorter delay t' < t is kept.
Controller synthesis for timed systems
• Winning strategies and the contr-pre( ) operator are defined similarly.
• Winning nodes are computed by fix-points.
• Implemented in Kronos.
• Problems:
  - costly operations (non-convex polyhedra)
  - algorithm not on-the-fly (unreachable states, etc.)
  - sometimes Zeno controllers
Alternative: use the on-the-fly algorithm on the time-abstracting quotient graph.
The Time-abstracting Bisimulation
Equivalence on TA states:
• Preserves discrete state changes.
• Abstracts exact time delays.
[Figure: states s1 and s2 related by the bisimulation R; a discrete transition a from s1 to s3 is matched by a transition a from s2 to s4, and a time delay t1 from s1 is matched by some time delay t2 from s2 (not necessarily equal), with the resulting states again related by R.]
The Time-abstracting Quotient Graph
• Finite symbolic graph:
  - Nodes = symbolic states (equivalence classes).
  - Edges = symbolic transitions (discrete and time).
• Basic property: pre-stability. For a symbolic transition from class Q1 to class Q2, every state of Q1 has a successor in Q2: Q1 ∩ pre_a(Q2) = Q1 for a discrete transition a, and Q1 ∩ pre_time(Q2) = Q1 for a time transition.
• The quotient is induced by the greatest time-abstracting bisimulation defined on the TA.
Example of Quotient graph
[Figure: quotient graph of the rail-crossing example; edges are labeled with the discrete actions approach, enter, exit, lower, raise, up, down. One symbolic state is shown in full: (near, going up, 1, 1 < x <= y <= 2, z < x+1).]
How to apply the untimed algorithm to the time-abstracting quotient graph
1. Remove all edges which can be obtained by reflexive-transitive closure.
2. All remaining edges are labeled controllable.
Justification:
• Case 1: the controller can choose to let time pass or to issue an action before moving to the next node.
• Case 2: the controller has no choice but to let time pass.
Example of on-the-fly algorithm
[Figure: the on-the-fly algorithm run on the quotient graph of the rail-crossing example (same graph as above, edges labeled approach, enter, exit, lower, raise, up, down).]
Still ...
[Figure: tool chain TA -> Quotient graph -> On-the-fly algorithm -> Controller.]
• Pre-stability of the quotient graph is essential for correctness: the forward reachability graph cannot be used.
• Method not fully on-the-fly: the minimization (quotient construction) is done first.
• Extend the algorithm to more general properties (liveness).
• Implementation ...
Verification on the Quotient graph: Linear-time
Analysis with Time-abstracting Bisimulations
Every cycle in the quotient graph contains an infinite run, and vice versa.
[Figure: a cycle Q1 -> Q2 -> Q3 -> Q4 in the quotient graph and a corresponding infinite run s1, s2, s3, s4, s5, ... of the TA.]
Timed Büchi Automata model checking reduces to a DFS for cycles or SCCs in the quotient graph.
Verification on the Quotient graph: Branching-time
Analysis with Time-abstracting Bisimulations
If s1 and s2 are time-abstracting bisimilar, then for any TCTL formula, s1 satisfies it iff s2 satisfies it.
TCTL model checking reduces to CTL model checking in the quotient graph.
[Figure: bisimilar states s1 and s2 with matching successors s3, s4, s5, s6.]
Due to determinism of time.
Plan
• Analysis with the Time-abstracting Bisimulation
• On-the-fly Verification
• Diagnostics
• Controller Synthesis
• Case studies
• Conclusions and Perspectives
• Implementation
Controller Synthesis
• Untimed case:
  - Model: graph with edges labeled controllable / uncontrollable.
  - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors.
[Figure: a node with controllable (c) and uncontrollable (u) edges and the sub-graph selected as strategy.]
• Timed case:
  - Model: TA with discrete actions labeled controllable / uncontrollable.
  - Semantics: dense strategies (what about time transitions?).
[Figure: a timed state s with a controllable edge c and an uncontrollable edge u.]
Controller Synthesis using Fix-points
• Controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves.
• Compute winning states as fix-points of contr-pre( ).
• Obtain the controller = intersect the TA with the winning states.
[Figure: state s with a controllable edge c and an uncontrollable edge u, relative to the target set Q.]
• Method costly (complementation in contr-pre( ); the fix-point computes the maximal strategy).
On-the-fly Controller Synthesis
• On-the-fly algorithm for the untimed case:
  - a DFS is used to find a strategy
  - the algorithm stops as soon as the first strategy is found
• The untimed algorithm can be used for timed synthesis, too (on the time-abstracting quotient graph).
Implementation in Kronos
[Figure: architecture of Kronos. Inputs: a network of timed automata TA, TA, ..., a TBA, and an initial partition. Components: (on-the-fly) parallel composition, reachability, minimization (producing the quotient graph), full TCTL model checking, safe TCTL model checking, TBA model checking and controller synthesis, all built on a matrix library. Outputs: Yes/No with diagnostics, and a restricted TA (the controller). The quotient graph can be passed to Aldebaran for reduction/comparison, model checking and simulation/visualization.]
Connection of Kronos to Open-Caesar
[Figure: Kronos-Open. Input model: TA network + discrete shared variables + message passing. Kronos-Open generates model.c (code generation, interface to Open-Caesar), which a C compiler links against the optimized polyhedra library and Open-Caesar's graph library to produce the simulation graph. The Open-Caesar tools then run on it: evaluator (mu-calculus formula -> Yes/No + untimed diagnostics), generator, exhibitor (regular expression -> Yes/No + untimed diagnostics), simulator, and profounder (state formula or TBA -> reachability + timed diagnostics, TBA model checking).]
Case Studies
• FRP/DT protocol (project with CNET, Lannion): found an inconsistency error (known to the designers).
• Bang&Olufsen protocol (from a previous case study by Uppaal): found an error not reported in the Uppaal case study.
• Multimedia documents (from INRIA project OPERA): modeled documents as Timed Automata; checked executability (model checking); computed schedulers (controller synthesis).
• Benchmarks: STARI chip, Fischer's protocol, CSMA/CD protocol, FDDI protocol, Philips protocol.
Experiences: performance
• Improved performance in benchmarks, often by many orders of magnitude.
• Tools and techniques able to handle real-world case studies:
  - Bang&Olufsen: 30 discrete variables, large constants; simulation graph = 10^7 symbolic states, 15 mins, 300 MB; counter-example = 1500 steps long, 20 secs.
  - STARI: 30 clocks, 60 boolean variables.
• Often the bottleneck is the discrete state space.
Experiences: comparison of methods
Techniques are complementary.
[Table (cell positions not recoverable from the transcript): quotient graph vs. simulation graph on the Fischer, Real-time scheduling, Philips and CSMA/CD case studies, with columns nodes, edges and time (secs) for each method. Quotient-graph cells as listed: 22,085; 929; 481; 503; 1,503; 875; 122,804; 1,001; 70; 1; 3; 1,000. Simulation-graph cells as listed: 164,935; 10,839; 60; 194; 22,382; 96; 457,799; 488; 150; 1; 1; 1,060.]
Conclusions
Practicality is not measured only in seconds and megabytes.
• Expressive models:
  - discrete variables (Kronos-open)
  - different property-specification formalisms (TBA, TCTL)
• Variety:
  - of problems (model checking, controller synthesis)
  - of techniques (on-the-fly, using untimed tools)
  - of feedback (symbolic/timed diagnostics, controllers)
• Case studies: a source of inspiration.
Perspectives
• Performance:
  - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra)
  - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders)
• Methodology for correct & efficient modeling:
  - domain-specific guidelines
  - composition theory
• Controller synthesis:
  - more properties (e.g., liveness)
  - more efficient techniques (e.g., completely on-the-fly)