Controller Synthesis for Discrete and Timed Systems Stavros Trypakis (joint work with Karine Altisen)
Controller Synthesis Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves. Properties: Invariance: the controller keeps the system inside a set of safe states. Reachability: the controller leads the system to a set of target states.
Synthesizing a controller for a rail crossing Gate Controller Train lower? is_down is_up raise? y := 0 y <= 1 y <= 2 y >= 1 y := 0 lower! exit? approach? raise! approach! exit! farnear in enter! x := 0 x > 2 x <= 5 x <= 1 x <= 0 Environment x >= 1 Invariance: in is_down down!up!
Scheduling periodic tasks with deadlines Task 1 start2! end2?end1? start1! ready1! end1! idlewait exec start1? x1 := 0 y1 := 0 x1 > 5 Environment x1 [9,11] Invariance: error y1 [2,3] error missed! Task 2 ready2! end2! idlewait exec start2? x2 := 0 y2 := 0 x2 > 4 x2 [7,10] y2 [1,2] error missed! Processor Synthesized controller corresponds to scheduler.
Controller synthesis for discrete systems Model : finite graph with edges labeled controllable - uncontrollable. similar to 2-player games : ……
Strategies Strategy : sub-graph containing, for each node, at least one controllable and all uncontrollable successors. 1st strategy : 2nd strategy :
Winning strategies (invariance) Invariance of a property P : all nodes of the strategy satisfy P. winning strategy w.r.t. invariance of P PP
Winning strategies (reachability) Reachability of a property P : all paths of the strategy eventually reach a node satisfying P. winning strategy w.r.t. reachability of P P P
Computing winning nodes with fix-points contr-pre(S) : set of nodes which have at least one controllable successor in S and all uncontrollable successors in S. Invariance of P : gfp X. P contr-pre(X) Reachability of P : lfp X. P contr-pre(X)
Computing winning strategies on-the-fly Perform a forward DFS on the graph : For invariance: For reachability: - nodes/edges are inserted in the strategy during exploration - ensure that for each node included in the strategy, all u-succs and at least one c-succ are also in the strategy - stop at already visited nodes - as soon as the first strategy is found, it is returned - nodes initially marked “maybe”, potentially changed to “no” - strategy exists if initial node remains “maybe” till the end - nodes initially marked “maybe”, potentially changed to “yes” - strategy exists if initial node changes to “yes” at the end Back-tracking may be necessary.
Illustration of on-the-fly algorithm Back-tracking: P Reachability of P: BAD …
Controller synthesis for timed systems Model : timed automata with discrete transitions labeled controllable - uncontrollable. Additional feature: time transitions. … … Condition for strategy: if in the original graph, then, in the strategy sub-graph: t t - either - orfor some t’ < t t’
Controller synthesis for timed systems Winning strategies and contr-pre( ) operator defined similarly. Winning nodes computed by fix-points. Implemented in Kronos. Problems: - costly operations (non-convex polyhedra) - algorithm not on-the-fly (unreachable states, etc) - sometimes Zeno controllers Alternative: use the on-the-fly algorithm on the time-abstracting quotient graph.
The Time-abstracting Bisimulation Equivalence on TA states: Preserve discrete state changes. Abstract exact time delays. s1s2 s3 a s4 a t1 s1s2 s3 t2 s4 t1, t2 R
The Time-abstracting Quotient Graph - Nodes = symbolic states (equivalence classes). - Edges = symbolic transitions (discrete and time). Finite symbolic graph: Basic property: pre-stability Q1Q2 s1s2 t a Q1Q2 s1s2 a Q1 pre (Q2) = Q1 a time The quotient induced by the greatest time-abstracting bisimulation defined on the TA.
Example of Quotient graph down lower up exit raise enter approach up down lower raise exitenter (near, going up, 1, 1 < x <= y <= 2 z < x+1)
How to apply the untimed algorithm to the time-abstracting quotient graph 1. Remove all edges which can be obtained by reflexive-transitive closure. 2. All remaining edges are labeled controllable. Justification: Case 1: Case 2: The controller can choose to let time pass or issue before moving to next node. The controller has no choice but to let time pass.
Example of on-the-fly algorithm down lower up exit raise enter approach up down lower raise exitenter
Still … TA Quotient graph On-the-fly algorithm Controller pre-stability of quotient graph essential for correctness cannot use forward reachability graph… Extend algorithm to more general properties (liveness). minimization Method not fully on-the-fly: Implementation …
Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation
Verification on the Quotient graph: Linear-time Analysis with Time-abstracting Bisimulations Every cycle in the quotient graph contains an infinite run and vice versa. Q1Q4Q3Q2 s1s2s3s4 s5... Timed Büchi Automata model checking DFS for cycles or SCCs in the quotient graph
Verification on the Quotient graph: Branching-time Analysis with Time-abstracting Bisimulations If s1 s2, then for any TCTL formula , s1 satisfies iff s2 satisfies . TCTL model checking CTL model checking in the quotient graph 11 s1s2 s3 22 s4 s5 s6 Due to determinism of time.
Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation
Controller Synthesis Untimed case: - Model: graph with edges labeled controllable - uncontrollable Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors... c u u c c Timed case: - Model: TA with discrete actions labeled controllable - uncontrollable - Semantics: dense strategies (time transitions ?) u s c s
Controller Synthesis using Fix-points Controller Synthesis controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves. compute winning states as fix-points of contr-pre( ). obtain controller = intersect TA with winning states. Q c u s method costly (complementation in contr-pre( ), fix-point computes maximal strategy).
On-the-fly Controller Synthesis Controller Synthesis on-the-fly algorithm for the untimed case: - a DFS is used to find a strategy - the algorithm stops as soon as first strategy is found untimed algorithm can be used for timed synthesis, too:
Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation
Implementation in Kronos Implementation Full TCTL model checking Minim. TBA model checking Controller Synthesis (On-the-fly) Parallel Composition Reachability Aldebaran: - reduction/comparison - model checking - simulation/visualization Safe TCTL model checking TA... TA TBA initial partition Quotient Graph P, <=k P,... P P, P Yes/No, diagnostics Restricted TA (controller) Yes/No, diagnostics Matrix library
Connection of Kronos to Open-Caesar Implementation Optimized polyhedra library Open-Caesar’s graph library Kronos-Open input: model TA network + discrete shared vars. + message passing model.c C-compiler code generation interface to Open-Caesar evaluator generator exhibitorsimulator profounder -calculus formula regular expression State formula TBA Yes/No + untimed diagnostics - Reachability + timed diagnostics - TBA model checking. Yes/No + untimed diagnostics Simulation graph
Plan Analysis with the Time-abstracting Bisimulation On-the-fly Verification Diagnostics Controller Synthesis Case studies Conclusions and Perspectives Implementation
Case Studies FRP/DT protocol (project with CNET, Lannion) - found inconsistency error (known to designers) Bang&Olufsen protocol (from previous case study by Uppaal) - found error not reported in Uppaal case study Multimedia documents (from INRIA project OPERA) - modeled documents as Timed Automata - checked executability (model checking) - computed schedulers (controller synthesis) Case studies Benchmarks: STARI chip, Fischer’s protocol, CSMA/CD protocol, FDDI protocol, Philips protocol
Experiences: performance improved performance in benchmarks, often by many orders of magnitude. Case studies tools and techniques able to handle real-world case studies: 7 - Bang&Olufsen: 30 discrete variables, large constants simulation graph = 10 symbolic states, 15 mins, 300 MB counter example = 1500 steps long, 20 secs - STARI: 30 clocks, 60 boolean variables often bottleneck is discrete state space
Experiences: comparison of methods Case studies Techniques are complementary Quotient graphSimulation graph Fischer Real-time scheduling Philips CSMA/CD nodesedges time (secs) 22, , ,804 1, ,000 nodesedges time (secs) 164,935 10, , , ,060 Case study
Conclusions Practicality not measured only in seconds, megabytes Conclusions Expressive models : - discrete variables (Kronos-open) - different property-specification formalisms (TBA, TCTL) Variety : - of problems (model checking, controller synthesis) - of techniques (on-the-fly, using untimed tools) - of feedback (symbolic/timed diagnostics, controllers) Case studies : source of inspiration.
Perspectives Performance: - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra) - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders) Perspectives Methodology for correct & efficient modeling: - domain-specific guidelines - composition theory Controller synthesis: - more properties (e.g., liveness) - more efficient techniques (e.g., completely on-the-fly)