Presentation is loading. Please wait.

Presentation is loading. Please wait.

Controller Synthesis for Discrete and Timed Systems Stavros Trypakis (joint work with Karine Altisen)

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Controller Synthesis for Discrete and Timed Systems Stavros Trypakis (joint work with Karine Altisen)"— Presentation transcript:

1 Controller Synthesis for Discrete and Timed Systems Stavros Trypakis (joint work with Karine Altisen)

2 Controller Synthesis Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves. Properties: Invariance: the controller keeps the system inside a set of safe states. Reachability: the controller leads the system to a set of target states.

3 Synthesizing a controller for a rail crossing Gate Controller Train lower? is_down is_up raise? y := 0 y <= 1 y <= 2 y >= 1 y := 0 lower! exit? approach? raise! approach! exit! farnear in enter! x := 0 x > 2 x <= 5 x <= 1 x <= 0 Environment x >= 1 Invariance: in  is_down down!up!

4 Scheduling periodic tasks with deadlines Task 1 start2! end2?end1? start1! ready1! end1! idlewait exec start1? x1 := 0 y1 := 0 x1 > 5 Environment x1  [9,11] Invariance:  error y1  [2,3] error missed! Task 2 ready2! end2! idlewait exec start2? x2 := 0 y2 := 0 x2 > 4 x2  [7,10] y2  [1,2] error missed! Processor Synthesized controller corresponds to scheduler.

5 Controller synthesis for discrete systems Model : finite graph with edges labeled controllable - uncontrollable. similar to 2-player games : ……

6 Strategies Strategy : sub-graph containing, for each node, at least one controllable and all uncontrollable successors. 1st strategy : 2nd strategy :

7 Winning strategies (invariance) Invariance of a property P : all nodes of the strategy satisfy P. winning strategy w.r.t. invariance of P PP

8 Winning strategies (reachability) Reachability of a property P : all paths of the strategy eventually reach a node satisfying P. winning strategy w.r.t. reachability of P P P

9 Computing winning nodes with fix-points contr-pre(S) : set of nodes which have at least one controllable successor in S and all uncontrollable successors in S. Invariance of P : gfp X. P  contr-pre(X) Reachability of P : lfp X. P  contr-pre(X)

10 Computing winning strategies on-the-fly Perform a forward DFS on the graph : For invariance: For reachability: - nodes/edges are inserted in the strategy during exploration - ensure that for each node included in the strategy, all u-succs and at least one c-succ are also in the strategy - stop at already visited nodes - as soon as the first strategy is found, it is returned - nodes initially marked “maybe”, potentially changed to “no” - strategy exists if initial node remains “maybe” till the end - nodes initially marked “maybe”, potentially changed to “yes” - strategy exists if initial node changes to “yes” at the end Back-tracking may be necessary.

11 Illustration of on-the-fly algorithm Back-tracking: P Reachability of P: BAD …

12 Controller synthesis for timed systems Model : timed automata with discrete transitions labeled controllable - uncontrollable. Additional feature: time transitions. … … Condition for strategy: if in the original graph, then, in the strategy sub-graph: t t - either - orfor some t’ < t t’

13 Controller synthesis for timed systems Winning strategies and contr-pre( ) operator defined similarly. Winning nodes computed by fix-points. Implemented in Kronos. Problems: - costly operations (non-convex polyhedra) - algorithm not on-the-fly (unreachable states, etc) - sometimes Zeno controllers Alternative: use the on-the-fly algorithm on the time-abstracting quotient graph.

14 The Time-abstracting Bisimulation Equivalence  on TA states: Preserve discrete state changes. Abstract exact time delays. s1s2 s3  a s4  a t1 s1s2 s3  t2 s4  t1, t2  R

15 The Time-abstracting Quotient Graph - Nodes = symbolic states (equivalence classes). - Edges = symbolic transitions (discrete and time). Finite symbolic graph: Basic property: pre-stability Q1Q2 s1s2  t a Q1Q2 s1s2 a Q1  pre (Q2) = Q1 a time The quotient induced by the greatest time-abstracting bisimulation defined on the TA.

16 Example of Quotient graph down lower up exit raise enter  approach          up down lower  raise exitenter (near, going up, 1, 1 < x <= y <= 2  z < x+1)

17 How to apply the untimed algorithm to the time-abstracting quotient graph 1. Remove all  edges which can be obtained by reflexive-transitive closure. 2. All remaining  edges are labeled controllable. Justification: Case 1: Case 2: The controller can choose to let time pass or issue before moving to next node. The controller has no choice but to let time pass.

18 Example of on-the-fly algorithm down lower up exit raise enter  approach          up down lower  raise exitenter

19 Still … TA Quotient graph On-the-fly algorithm Controller pre-stability of quotient graph essential for correctness  cannot use forward reachability graph…  Extend algorithm to more general properties (liveness). minimization Method not fully on-the-fly: Implementation …

20 Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation

21 Verification on the Quotient graph: Linear-time Analysis with Time-abstracting Bisimulations Every cycle in the quotient graph contains an infinite run and vice versa. Q1Q4Q3Q2 s1s2s3s4 s5... Timed Büchi Automata model checking DFS for cycles or SCCs in the quotient graph

22 Verification on the Quotient graph: Branching-time Analysis with Time-abstracting Bisimulations If s1  s2, then for any TCTL formula , s1 satisfies  iff s2 satisfies . TCTL model checking CTL model checking in the quotient graph 11 s1s2 s3  22 s4  s5 s6  Due to determinism of time.

23 Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation

24 Controller Synthesis Untimed case: - Model: graph with edges labeled controllable - uncontrollable.... - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors... c u u c c Timed case: - Model: TA with discrete actions labeled controllable - uncontrollable - Semantics: dense strategies (time transitions ?) u  s c  s

25 Controller Synthesis using Fix-points Controller Synthesis controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves. compute winning states as fix-points of contr-pre( ). obtain controller = intersect TA with winning states. Q c u  s method costly (complementation in contr-pre( ), fix-point computes maximal strategy).

26 On-the-fly Controller Synthesis Controller Synthesis on-the-fly algorithm for the untimed case: - a DFS is used to find a strategy - the algorithm stops as soon as first strategy is found untimed algorithm can be used for timed synthesis, too:

27 Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation

28 Implementation in Kronos Implementation Full TCTL model checking Minim. TBA model checking Controller Synthesis (On-the-fly) Parallel Composition Reachability Aldebaran: - reduction/comparison - model checking - simulation/visualization Safe TCTL model checking TA... TA TBA initial partition  Quotient Graph   P,  <=k P,...  P  P,  P  Yes/No, diagnostics Restricted TA (controller) Yes/No, diagnostics Matrix library

29 Connection of Kronos to Open-Caesar Implementation Optimized polyhedra library Open-Caesar’s graph library Kronos-Open input: model TA network + discrete shared vars. + message passing model.c C-compiler code generation interface to Open-Caesar evaluator generator exhibitorsimulator profounder  -calculus formula regular expression State formula TBA Yes/No + untimed diagnostics - Reachability + timed diagnostics - TBA model checking. Yes/No + untimed diagnostics Simulation graph

30 Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation

31 Case Studies FRP/DT protocol (project with CNET, Lannion) - found inconsistency error (known to designers) Bang&Olufsen protocol (from previous case study by Uppaal) - found error not reported in Uppaal case study Multimedia documents (from INRIA project OPERA) - modeled documents as Timed Automata - checked executability (model checking) - computed schedulers (controller synthesis) Case studies Benchmarks: STARI chip, Fischer’s protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

32 Experiences: performance improved performance in benchmarks, often by many orders of magnitude. Case studies tools and techniques able to handle real-world case studies: 7 - Bang&Olufsen: 30 discrete variables, large constants simulation graph = 10 symbolic states, 15 mins, 300 MB counter example = 1500 steps long, 20 secs - STARI: 30 clocks, 60 boolean variables often bottleneck is discrete state space

33 Experiences: comparison of methods Case studies Techniques are complementary Quotient graphSimulation graph Fischer Real-time scheduling Philips CSMA/CD nodesedges time (secs) 22,085 929 481 503 1,503 875 122,804 1,001 70 1 3 1,000 nodesedges time (secs) 164,935 10,839 60 194 22,382 96 457,799 488 150 1 1 1,060 Case study

34 Conclusions Practicality not measured only in seconds, megabytes Conclusions Expressive models : - discrete variables (Kronos-open) - different property-specification formalisms (TBA, TCTL) Variety : - of problems (model checking, controller synthesis) - of techniques (on-the-fly, using untimed tools) - of feedback (symbolic/timed diagnostics, controllers) Case studies : source of inspiration.

35 Perspectives Performance: - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra) - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders) Perspectives Methodology for correct & efficient modeling: - domain-specific guidelines - composition theory Controller synthesis: - more properties (e.g., liveness) - more efficient techniques (e.g., completely on-the-fly)

Download ppt "Controller Synthesis for Discrete and Timed Systems Stavros Trypakis (joint work with Karine Altisen)"

Similar presentations

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.

Hybrid BDD and All-SAT Method for Model Checking Orna Grumberg Joint work with Assaf Schuster and Avi Yadgar Technion – Israel Institute of Technology.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Chapter 16 : KRONOS (Model Checking of Real-time Systems)

Chapter 16 : KRONOS (Model Checking of Real-time Systems)
1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG.

1 Fault Diagnosis for Timed Automata Stavros Tripakis VERIMAG.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.

UPPAAL Andreas Hadiyono Arrummaisha Adrifina Harya Iswara Aditya Wibowo Juwita Utami Putri.
CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ 85287 Dr. Yann-Hang Lee

CSE 522 UPPAAL – A Model Checking Tool Computer Science & Engineering Department Arizona State University Tempe, AZ Dr. Yann-Hang Lee
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

Similar presentations

Ads by Google