sayan mitra verifying cyberphysicalsystems mitras@illinois
TRANSCRIPT
⢠HW3 out⢠Read chapter 5
What is composition?
⢠Complex models and systems are built by putting together components or modules
⢠Composition is the mathematical operation of putting together
⢠Leads to precise definition of moduleinterfaces
⢠What properties are preserved undercomposition?
model of a network of oscillators [Huang et. al 14]
Powertrain model from Toyota [Jin et al. 15]
⢠Give an example of how youâve built something more complex from simple components
⢠Throughout the lecture, think if your notion ofcomposition is captured by what we define
Outline
⢠Composition operationâ Input/output interfaces
⢠I/O automata⢠hybrid I/O automata⢠Examples⢠Properties of composition
Composition of automata
⢠Complex systems are built by âputting togetherâ simpler subsystems
⢠Recall ð = âšð, Î, ðŽ, ð«â©â¢ ð = ð*||ð,âð*,ð, are the component automata and âðis the composed automatonâ || symbol for the composition operator
Composition: asynchronous modules
a
b
c
ð
d
e
f
â¬ð||â¬
a d
a e
a f
b d
b e
b f
c d
c e
c f
composition: modules synchronize
a d
a e
a f
b d
b e
b f
c d
c e
c f
a
b
c
ð
d
e
f
â¬
Composition of (discrete) automata
⢠More generally, some transitions of ð and ⬠may synchronize, while others may not synchronize
⢠Further, some transitions may be controlled byð which when occurs forces the corresponding transition of â¬
⢠Thus, we will partition the set of actions ðŽ of ð = âšð, Î, ðŽ, ð«â© intoâ ð»: internal (do not synchronize)â ð: output (synchronized and controlled by ð)â ðŒ: input (synchronized and controlled by some other automaton)
⢠ðŽ = ð» ⪠ð ⪠ðŒâ¢ This gives rise to I/O automata [Lynch, Tuttle 1996]
Reactivity: Input enabling⢠Consider a shared action brakeOn controlled by ð1 and listend-to or
read by ð2
⢠Input enabling ensures that when ð1 and ð2 are composed then ð2can react to brakeOn
Definition. An input/output automaton is a tuple ð =âšð, Î, ðŽ, ðâ© where⢠ð is a set of names of variables⢠Πâ ð£ðð(ð) is the set of initial states⢠ðŽ = ðŒ ⪠ð ⪠ð» is a set of names of actions⢠ð â ð£ðð ð ÃðŽÃð£ðð ð is the set of transitions and ð
satisfies the input enabling condition:E1. For each ð â ð£ðð ð , ð â ðŒ there exists ð@ â ð£ðð ð such that ð âB ðâ²
Controllerð*
Vehicle
ð,
ðððððððPre ProxSensorCritEff (do nothing)
ðððððððPre ???Eff accel := -5
MovePre âŠEff âŠ
ððððððð
Compatibility IOAA pair of I/O automata ð* and ð, are compatible if ð»I â© ðŽK = â no unintended interactionsðI â© ðK = â no duplication of authority
Extended to collection of automata in thenatural way
ð*
ð,d
e
f
a
b
c
ðM
ðN
Composition of I/O automaton
Definition. For compatible automata ð1 and ð2 their composition ð1 || ð2 is the structure ð= ð, Î, ðŽ, ð
â ð = ð* ⪠ð,â Î = ð â ð£ðð(ð) â ð â 1,2 : ðâðð â Îð}â ð» = ð»1 ⪠ð»2
â O = ð1 ⪠ð2â I = ðŒ1 ⪠ðŒ, â ðâ ð, ð, ðâ² â ð iff for ð â {1,2}
⢠ð â ðŽI and (ðâðI, ð, ð@âð) â ðI⢠ð â ðŽI ðâðI = ðâðI
} ðŽ = ð» ⪠ð ⪠ðŒ
Theorem. The class of IO-automata is closed under composition. If ð1and ð2 are compatible I/O automata thenð = ð1||ð2 is also an I/O automaton.Proof. Only 2 things to check- Input, output, and internal actions are disjoint---by construction- ð satisfies E1. Consider any state ð â ð£ðð ð* ⪠ð, and any input
action a â ðŒ1 ⪠ðŒ, â ð such that a is enabled in ð. - Suppose, w.lo.g. a â ðŒ1- We know by E1 of ð1 that there exists ðð@ â ð£ðð(ð*) such that ðâð* âB ðð@
- ð â ð,, ðŒ,, ð», (by compatibility)- Therefore, ð âB (ðð@ , ð¥ ð, is a valid transition of ð (by definition
of composition)
Example: Sending process and channel
Automaton Sender(u)variables internal
failed:Boolean := F output send(m:M)input failtransitions:
output send(m)pre ~failedeff
input failpre trueeff failed := T
Loc 1
failed
send(m)~failed
failtrue
failed := T
Sender Channelsend(m) receive(m)fail
ReceiverSystem
FIFO channel & Simple Failure Detector
Automaton Channel(M)variables internal queue: Queue[M] := {}actions input send(m:M)
output receive(m:M)transitions:
input send(m)pre trueeff queue := append(m, queue)
output receive(m)pre head(queue)=m
eff queue := queue.tail
Automaton System(M)variables queue: Queue[M] := {}, failed: Boolactions input fail
output send(m:M), receive(m:M)transitions:
output send(m)pre ~failedeff queue := append(m, queue)
output receive(m)pre head(queue)=m
eff queue := queue.tailinput fail
pre trueeff failed := true
Automaton Sender(u)variables internal
failed:Boolean := F output send(m:M)input failtransitions:
output send(m)pre ~failedeff
input failpre trueeff failed := T
COMPOSING HYBRID SYSTEMS
Hybrid IO AutomatonIn addition to interaction through shared actions hybrid input/output automata (HIOA) will allow interaction through shared variables
Recall a hybrid automaton ð = âšð, Î, ðŽ, ð«, ð»â©
We will partition the set of variables ð of ð intoâ ð: internal or state variables (do not
interact)
â ð: output variables
â ð: input variables
⢠ð = ð ⪠ð ⪠ð
This gives rise to hybrid I/O automata (HIOA) [Lynch, Segala, Vaandrager 2002]
Plant
ð¥* = ð* ð¥*, ð¥,ðŠ* = ð¥*
Controller
ð¥, = ð ð¥,, ð¥*ðŠ, = ð¥,
ðŠ*ðŠ,
Reactivity: Input trajectory enablingConsider a shared variable throttle controlled by ð1 and listened-to or read by ð2
Input trajectory enabling ensures that when ð1 and ð2 are composed then ð2can react to any signal generated by ð*
If the trajectories of ð, are defined by ordinary differential equations, then input enabling is guaranteed if ð* only generates piece-wise continuous signals (throttle)
Definition. An hybrid input/output automaton is a tuple ð = âšð, Î, ðŽ,ð, ð»â© where
⢠ð = ð ⪠ð ⪠ð is a set of variables
⢠Πâ ð£ðð(ð) is the set of initial states
⢠ðŽ = ðŒ ⪠ð ⪠ð» is a set of actions
⢠ð â ð£ðð ð ÃðŽÃð£ðð ð is the set of transitions
⢠ð» is a set of trajectories for ð closed under prefix, suffix, and concatenation
E1. For each ð â ð£ðð ð , ð â ðŒ there exists ð@ â ð£ðð ð such that ð âB ðâ²
E2. For each ð â ð£ðð ð ,ð should be able to react to any trajectory ð of ð.
i.e, â ð â ð» with ð. ðð ð¡ðð¡ð = ð such that ð â ð is a prefix of ð and either (a) ð âð = ð or (b) ð is closed and some ð â ð» ⪠ð is enabled at ð. ðð ð¡ðð¡ð.
Controllerð*
Vehicle
ð,
ð¡âððð¡ð¡ðð
Compatibility of hybrid automata
⢠For the interaction of hybrid automata ð1 and ð2 to be well-defined we need to ensure that they have the right interfaces
⢠compatibility conditions
Controller
ð*
Vehicle
ð,
Output ððððð Input ðððððððððð
ðððððððOutput ððððððð Input ððððððð
ððð ðð¡ððð
Compatibility HIOAA pair of hybrid I/O automata ð* and ð, are compatible if ð»I â© ðŽK = â no unintended discrete interactionsðI â© ðK = â no duplication of discrete authorityðI â© ðK = â no unintended continuous interactions
ðI â© ðK = â no duplication of continuous authority
Extended to collection of automata in the natural way and captures most common notions of composition in, for example, Matlab/Simulink
Composition⢠For compatible ð1 and ð2 their composition ð1 || ð2 is the
structure ð= ð, Î, ðŽ, ð, ð¯â¢ Variables ð = ð ⪠ð ⪠ð
â ð = ð1 ⪠ð2, Y = ð1 ⪠ð2 ,ð = ð1 ⪠ð, â ð
⢠Π= ð â ð£ðð(ð) â ð â 1,2 : ðâðð â Îð}⢠Actions ðŽ = ð» ⪠ð ⪠ðŒ
â ð» = ð»1 ⪠ð»2, O = ð1 ⪠ð2 ,I = ðŒ1 ⪠ðŒ, â ð,⢠ð, ð, ðâ² â ð iff for ð â {1,2}
â ð â ðŽI and (ðâðI, ð, ð@âðI) â ðIâ ð â ðŽI ðâðI = ðâðI
⢠ð¯: set of trajectories for Vâ ð â ð¯ iff â ð â 1,2 ,ð â ðI â ð¯i
ð,
ᅵᅵ* = ð(ð¥*, ð¢,)
e
f
ðM
ðN
a1
a1
a1
a1
u2
e
f
u2
Closure under composition
⢠Conjecture. The class of HIOA is closed under composition. If ð1 and ð2 are compatible HIOA then ð1||ð2 is also a HIOA.
⢠Can we ensure that input trajectory enabled condition is satisfied in the composed automaton?
⢠No, in generalâ Additional conditions are needed Plant
Input ð¢}ð¥* = ð¢}
output ðŠ~ = ð¥*
ControllerInput yᅵ
ð¥, = ðŠ~ + 1Output ð¢} = ð¥,
ðŠ~ð¢}
Example 2: Periodically Sending Process
Automaton PeriodicSend(u)variables internal clock: Reals := 0, z:Reals, failed:Boolean := F signature output send(m:Reals)
input failtransitions:
output send(m)pre clock = u /\ m = z /\ ~failedeff clock := 0input failpre trueeff failed := T
trajectories:evolve d(clock) = 1, d(z) = f(z)invariant failed \/ clockâ€u
Loc 1ð ððððð = 1ð ð§ = ð(ð§)
~failedâððððð †ð
send(m)clock = u /\ m = z /\ ~failed
clock := 0
clock:= 0
failtrue
failed := T
Time bounded channel & Simple Failure Detector
Automaton Timeout(u,M)variables: suspected: Boolean := F,
clock: Reals := 0signature input receive(m:M)
output timeouttransitions:
input receive(m)pre trueeff clock := 0; suspected := false;output timeoutpre ~suspected /\ clock = ueff suspected := true
trajectories:evolve d(clock) = 1invariant clock†u\/suspected
Automaton Channel(b,M)variables internal queue: Queue[M,Reals] := {}
clock: Reals := 0signature input send(m:M)
output receive(m:M)transitions:
input send(m)pre trueeff queue := append(<m, clock+b>, queue)output receive(m)pre head(queue)[1]=mâ§
head(queue)[2]=clockeff queue := queue.tail
trajectories:evolve d(clock) = 1invariant â<m,d>âqueue:d ⥠clock
Example 3: Oscillator and pulse generator
pulseGen Oscillator
pre:ððð€â¥ð ï¿œ
ᅵᅵef
f:ððð€â0
Composed automatonOn,Mode
ð ððð€ = 1ð ð¥* = âð¥* ð¥*, + 0.9ð¥* + 0.9 â ð¥, + 1ð ð¥, = ð¥* â 2ð¥,ððð€ †ðᅵ¢
Off,Modeð ððð€ = 1ð ð¥* = âð¥* ð¥*, + 0.9ð¥* + 0.9 â ð¥, + 0ð ð¥, = ð¥* â 2ð¥,ððð€ †ðᅵᅵᅵ
pre:ððð€â¥ð ï¿œ
¢ef
f:ððð€â0
pulseGen
Oscillator1
Oscillator2
Oscillator3
Oscillator4
Oscillator6
Oscillator5
Cardiac oscillator network models, Grosu et al. CAV, HSCC 2007-2015
Restriction operation on exections
⢠Sometimes it is useful to restrict our attention to only some subset of variables and actions in an execution
⢠Recall the restriction operations ð¥âð ððð ð â ð⢠Let ðŒ = ð€ð*ð*ð, be an execution fragment of a hybrid automaton with
set of variables ð and set of actions ðŽ. Let ðŽâ² be a set of actions and ðâ² be a set of variables.
⢠Restriction of ðŒ to (ðŽâ², ðâ²), written as ðŒâ(ðŽâ², ðâ²) is the sequence defined inductively as:â ðŒâ ðŽ@, ð@ = ð â ð@ if ðŒ = ðâ ðŒ ð ð â ðŽ@, ð@ =
⢠ðŒ â ðŽ@, ð@ ð (ð â ð@) if a â ðŽâ²â¢ ðŒ â ðŽ@, ð@ ðððððð¡ (ð â ð@) if a â ðŽ@
⢠From the definition it follows ðŒ. ðð ð¡ðð¡ð âð@ = ðŒâ ðŽâ², ð@ . ðð ð¡ðð¡ð for any ðŽ@, ðâ²
Properties of CompositionsProposition. Let ð = ð*||ð,. ðŒ is an execution fragment of ð iffðŒâ ðŽI, ðI , ð â 1,2 are both execution fragments of ðI.
⢠Proof of the forward direction. Fix ðŒ and i. We prove this by induction on the length of ðŒ.
⢠Base case: ðŒ = ð. ðŒâ ðŽI, ðI = ð â ðI by definition of composition ð â ðI â ðI. So, ð â ðI â ð¹ðððI
⢠ðŒ = ðŒâ² ð ð â ðŽI, ðI and ð â ðŽI and by induction hypothesis ðŒâ²â ðŽI, ðI â ð¹ðððI. Let ðŒâ²â ðŽI, ðI . lstate = ð£. By the definition of composition: ð â ðI â ðI. â It remains to show that ð£âðI âB ð â ðI . ðð ð¡ðð¡ð. Since ð â ðŽI, by the definition of
composition: ðŒâ²â ðŽI, ðI . lstate âB ð â ðI. ðð ð¡ðð¡ð
⢠ðŒ = ðŒâ² ð ð â ðŽI, ðI and ð â ðŽI and by induction hypothesis ðŒâ²â ðŽI, ðI âðžð¥ððI. Let ðâ² be the last trajectory in that execution.â Since ð â ðŽI, by the definition of composition:ð@. ðð ð¡ðð¡ð = ð â ðI. ðð ð¡ðð¡ð . By concatenation
closure of ΀I, it follows that ð@ðððððð¡ ð â ðI â ΀I. Therefore ðŒâ ðŽI, ðI â ðžð¥ððI.
properties of executions of composed automata
⢠ðŒ is an execution iff ðŒâ ðŽI, ðI , ð â 1,2 are both executions.
⢠ðŒ is time bounded iff ðŒâ ðŽI, ðI , ð â 1,2 are both time bounded.
⢠ðŒ is admissible iff ðŒâ ðŽI, ðI , ð â 1,2 are both admissible.
⢠ðŒ is closed iff ðŒâ ðŽI, ðI , ð â 1,2 are both closed.
⢠ðŒ is non-Zeno iff ðŒâ ðŽI, ðI , ð â 1,2 are both time non-Zeno.
Summary
⢠Composition operationâ I/O interfaces: actions and variablesâ Reactivity/input enablingâ (non) Closure under composition
⢠Properties of executions preserved under composition
⢠Inductive invariants
Example Inductive Invariance ProofS:â<m,d>âx.queue:x.clock †d †x.clock+bIs an invariant for the timed channel.
Proof. Use the theorem. ⢠Check start condition. Holds vacuously as x.queue ={}[Def ofinitial
states]⢠Checktrajectorycondition.Consideranyð, let x = ð.fstate and xâ =
ð.lstate and ð.ltime = t. Assume x satisfies (1) and show that xâ also.â x.queue =xâ.queue [trajectoryDef],Fix<m,d> inx.queueâ x.clock â€d[ByAssumption]â Supposexâ.clock >dâ xâ.clock - x.clock >d- x.clockâ t>d- x.clock,thenthereexiststââð.dom andtâ<twhereð(tâ).clock=dâ Byinvariantð.ltime =tâwhichisacontradictionâ Also,since d â€x.clock+b, dâ€xâ.clock+t+b
⢠Checktransitions:â ð âððððððð(ð) ðâ.Followsfromassumptionð â ðº.â ð âðððð (ð) ðâ âŠ