Controller Synthesisfor Discrete and Timed Systems

Stavros Trypakis

(joint work with Karine Altisen)

Controller Synthesis

Given a controller embedded in a certain environment,and a property, restrict the controller so that the propertyis satisfied, no matter how the environment behaves.

Properties:

• Invariance: the controller keeps the system inside a set of safe states.

• Reachability: the controller leads the system to a set of target states.

Synthesizing a controller for a rail crossing

Gate

Controller

Train

lower?

is_down

is_up

raise?

y := 0y <= 1

y <= 2

y >= 1

y := 0

lower!

exit?

approach?

raise!

approach!

exit!

far near

in

enter!

x := 0

x := 0 x > 2

x <= 5

x <= 1

x <= 0

Environment

x >= 1

Invariance:in is_down

down!up!

Scheduling periodic tasks with deadlines

Task 1

start2!

end2?end1?

start1!

ready1!

end1!

idle wait

exec

start1?x1 := 0

y1 := 0

x1 > 5

Environment

x1[9,11]

Invariance: error

y1[2,3] error

missed!

Task 2

ready2!

end2!

idle wait

exec

start2?x2 := 0

y2 := 0

x2 > 4

x2[7,10]

y2[1,2] error

missed!

Processor

• Synthesized controller corresponds to scheduler.

Controller synthesis for discrete systems

• Model : finite graph with edges labeled controllable - uncontrollable.

• similar to 2-player games :

… …

Strategies

• Strategy : sub-graph containing, for each node, at least one controllable and all uncontrollable successors.

1st strategy :

2nd strategy :

Winning strategies (invariance)

• Invariance of a property P : all nodes of the strategy satisfy P.

winning strategyw.r.t. invariance of P

P

Winning strategies (reachability)

• Reachability of a property P : all paths of the strategy eventually reach a node satisfying P.

winning strategyw.r.t. reachability of P

P

P

Computing winning nodes with fix-points

• contr-pre(S) : set of nodes which have at least one controllable successor in S and all uncontrollable successors in S.

• Invariance of P : gfp X . P contr-pre(X)

• Reachability of P : lfp X . P contr-pre(X)

Computing winning strategies on-the-fly

• Perform a forward DFS on the graph :

• For invariance:

• For reachability:

- nodes/edges are inserted in the strategy during exploration- ensure that for each node included in the strategy, all u-succs and at least one c-succ are also in the strategy- stop at already visited nodes- as soon as the first strategy is found, it is returned

- nodes initially marked “maybe”, potentially changed to “no”- strategy exists if initial node remains “maybe” till the end

- nodes initially marked “maybe”, potentially changed to “yes”- strategy exists if initial node changes to “yes” at the end

• Back-tracking may be necessary.

Illustration of on-the-fly algorithm

• Back-tracking:

P

• Reachability of P:

BAD

…

Controller synthesis for timed systems

• Model : timed automata with discrete transitions labeled controllable - uncontrollable.

• Additional feature: time transitions. …

…

• Condition for strategy: if in the original graph, then, in the strategy sub-graph:

t

t- either

- or for some t’ < tt’

Controller synthesis for timed systems

• Winning strategies and contr-pre( ) operator defined similarly.

• Winning nodes computed by fix-points.

• Implemented in Kronos.

• Problems: - costly operations (non-convex polyhedra) - algorithm not on-the-fly (unreachable states, etc) - sometimes Zeno controllers

Alternative: use the on-the-fly algorithmon the time-abstracting quotient graph.

The Time-abstracting Bisimulation

Equivalence on TA states:

Preserve discretestate changes.

Abstract exacttime delays.

s1 s2

s3

a

s4a t1

s1 s2

s3

t2

s4t1, t2 R

The Time-abstracting Quotient Graph

- Nodes = symbolic states (equivalence classes).- Edges = symbolic transitions (discrete and time).

• Finite symbolic graph:

• Basic property: pre-stability

Q1 Q2

s1 s2

t

a

Q1 Q2

s1 s2a

Q1 pre (Q2) = Q1a

Q1 pre (Q2) = Q1time

• The quotient induced by the greatest time-abstracting bisimulation defined on the TA.

Example of Quotient graph

down

lower

up

exit

raise

enter

approach

approach

approach

up

up

up down down down down down

lower lowerlower

raise raise

exitenter

enter

(near, going up, 1, 1 < x <= y <= 2 z < x+1)

How to apply the untimed algorithmto the time-abstracting quotient graph

1. Remove all edges which can be obtained by reflexive-transitive closure.

2. All remaining edges are labeled controllable.

Justification:

Case 1:

Case 2:

The controller can choose tolet time pass or issuebefore moving to next node.

The controller has no choicebut to let time pass.

Example of on-the-fly algorithm

down

lower

up

exit

raise

enter

approach

approach

approach

up

up

up down down down down down

lower lowerlower

raise raise

exitenter

enter

Still …

TAQuotient

graphOn-the-flyalgorithm Controller

pre-stability of quotient graph essential for correctness cannot use forward reachability graph…

• Extend algorithm to more general properties (liveness).

minimization

• Method not fully on-the-fly:

• Implementation …

Verification on the Quotient graph:Verification on the Quotient graph:Linear-timeLinear-time

Analysis with Time-abstracting Bisimulations

Every cycle in the quotient graph contains an infinite runand vice versa.

Q1 Q4Q3Q2

s1 s2 s3 s4s5 ...

Timed Büchi Automatamodel checking

DFS for cycles or SCCsin the quotient graph

Verification on the Quotient graph:Verification on the Quotient graph:Branching-timeBranching-time

Analysis with Time-abstracting Bisimulations

If s1 s2, then for any TCTL formula ,s1 satisfies iff s2 satisfies .

TCTLmodel checking

CTL model checkingin the quotient graph

1

s1 s2

s3

2

s4

s5s6

Due to determinism of time.

PlanPlan

• Analysis with the Time-abstracting Bisimulation

• On-the-fly Verification

• Diagnostics

• Controller Synthesis

• Case studies

• Conclusions and Perspectives

• Implementation

Controller SynthesisController SynthesisController Synthesis

• Untimed case:

- Model: graph with edges labeled controllable - uncontrollable.

...- Semantics: strategy = sub-graph containing, for each node, at least one controllable

and all uncontrollable successors

...

c uuc c

• Timed case:

- Model: TA with discrete actions labeled controllable - uncontrollable

- Semantics: dense strategies (time transitions ?)

u

sc

s

Controller Synthesis using Fix-pointsController Synthesis using Fix-points

Controller Synthesis

• controllable-predecessor operator contr-pre(Q) = all states from which the system can be led to Q, no matter how the environment behaves.

• compute winning states as fix-points of contr-pre( ).

• obtain controller = intersect TA with winning states.

Q

c

us

• method costly (complementation in contr-pre( ), fix-point computes maximal strategy).

On-the-fly Controller SynthesisOn-the-fly Controller Synthesis

Controller Synthesis

• on-the-fly algorithm for the untimed case: - a DFS is used to find a strategy - the algorithm stops as soon as first strategy is found

• untimed algorithm can be used for timed synthesis, too:

PlanPlan

• Analysis with the Time-abstracting Bisimulation

• On-the-fly Verification

• Diagnostics

• Controller Synthesis

• Case studies

• Conclusions and Perspectives

• Implementation

Implementation in KronosImplementation in Kronos

Implementation

Full TCTLmodel

checking

Minim.TBA

model checking

ControllerSynthesis

(On-the-fly) ParallelComposition

Reachability

Aldebaran:- reduction/comparison- model checking- simulation/visualization

Safe TCTLmodel

checking

TA ...TA TA

TA

TBA

initialpartition

QuotientGraph

P,<=k P, ... PP, P

Yes/No,diagnostics

Restricted TA(controller)

Yes/No,diagnostics

Matrix library

Connection of Kronos to Open-CaesarConnection of Kronos to Open-Caesar

Implementation

Optimizedpolyhedra library

Open-Caesar’sgraph library

Kronos-Open

input: model

TA network+ discrete shared vars.+ message passing

model.c

C-compiler

code generationinterface to

Open-Caesar

evaluator

generator

exhibitor

simulator

profounder

-calculus formula

regular expression

State formulaTBA

Yes/No + untimed diagnostics

- Reachability + timed diagnostics- TBA model checking.

Yes/No + untimed diagnostics

Simulation graph

PlanPlan

• Analysis with the Time-abstracting Bisimulation

• On-the-fly Verification

• Diagnostics

• Controller Synthesis

• Case studies

• Conclusions and Perspectives

• Implementation

Case StudiesCase Studies

• FRP/DT protocol (project with CNET, Lannion) - found inconsistency error (known to designers)

• Bang&Olufsen protocol (from previous case study by Uppaal) - found error not reported in Uppaal case study

• Multimedia documents (from INRIA project OPERA) - modeled documents as Timed Automata - checked executability (model checking) - computed schedulers (controller synthesis)

Case studies

• Benchmarks: STARI chip, Fischer’s protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

Experiences: performanceExperiences: performance

• improved performance in benchmarks, often by many orders of magnitude.

Case studies

• tools and techniques able to handle real-world case studies:

7- Bang&Olufsen: 30 discrete variables, large constants simulation graph = 10 symbolic states, 15 mins, 300 MB counter example = 1500 steps long, 20 secs

- STARI: 30 clocks, 60 boolean variables

• often bottleneck is discrete state space

Experiences: comparison of methodsExperiences: comparison of methodsCase studies

Techniques are complementary

Quotient graph Simulation graph

Fischer

Real-timescheduling

Philips

CSMA/CD

nodes edges time(secs)

22,085

929

481

503

1,503

875

122,804

1,001

70

1

3

1,000

nodes edges time(secs)

164,935

10,839

60

194

22,382

96

457,799

488

150

1

1

1,060

Casestudy

ConclusionsConclusions

Practicality not measured only in seconds, megabytes

Conclusions

• Expressive models : - discrete variables (Kronos-open) - different property-specification formalisms (TBA, TCTL)

• Variety : - of problems (model checking, controller synthesis) - of techniques (on-the-fly, using untimed tools) - of feedback (symbolic/timed diagnostics, controllers)

• Case studies : source of inspiration.

PerspectivesPerspectives

• Performance: - homogeneous representation of discrete and continuous state space (e.g., BDDs + polyhedra) - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders)

Perspectives

• Methodology for correct & efficient modeling: - domain-specific guidelines - composition theory

• Controller synthesis: - more properties (e.g., liveness) - more efficient techniques (e.g., completely on-the-fly)