Logical Specification and Uniform Synthesis of Robust Controllers
Paritosh Pandya1
(Joint work with Amol Wakankar2)
1 Tata Institute of Fundamental Research, Mumbai
2 Bhabha Atomic Research Center, Mumbai
1 / 28 P.K. Pandya,Amol Wakankar Specification and Uniform Synthesis of Robust Controllers
Controller Synthesis
Church Synthesis Problem
Given a logical requirement REQ(I, O), synthesize a circuit/Mealy machine C : (2^I)+ → 2^O, giving Ĉ : (2^I)* → (2^O)*, s.t.
∀ii ∈ (2^I)*. REQ(ii, Ĉ(ii))
Synthesis from Regular Assume-Guarantee Specification
Ramadge-Wonham [SIAM J. Control and Opt. 1987, 1989]
A pair (DA, DC) of regular properties over variables I ∪ O. Each property is equivalent to a finite state automaton over the alphabet 2^I × 2^O.
σ, i |= D iff σ[0 : i] ∈ L(A(D))
DA: assumption over the environment and the plant behaviour.
DC: commitment on the controller behaviour.
Be Correct Synthesis Goal
AG (pref(DA) ⇒ DC)
Robust Synthesis
Robustness deals with the ability of the synthesized controller to meet DC even under intermittent violations of DA.
Robust Synthesis Literature
k-robustness [Bloem et al: Acta Inf. 2014]: for some m, invariantly Count(!DC) < k * Count(!DA) + m.
k,b-resilience [Ehlers and Topcu: HSCC 2014]: after at most k assumption errors, there must be a recovery period of b cycles without assumption errors.
Quantitative synthesis [Bloem, Chatterjee et al: CAV 2009], [Bloem, Henzinger et al: FMCAD 2009]: robustness is modelled using mean-payoff or ratio games.
Issues
The notion of robustness is defined semantically on system behaviour.
A separate algorithm is designed for each notion of robustness.
Main Contribution
A logical specification of a robust controller using the logic QDDC as (DA, DC, Rb(A)).
This allows encoding existing as well as new notions of robustness in our framework.
We give a uniform synthesis method from the logical specification of robustness, combining both hard and soft robustness.
Experimental evaluation of various robust controllers.
Robust Controller Specification (DA, DC, Rb(A))
Be Correct: invariance of (pref(DA) ⇒ DC). Robustness pertains to the ability to meet commitment DC even when DA does not hold invariantly in the past.
1 Relaxed assumption, denoted Rb(DA), specifies a weaker condition than pref(DA). E.g. Rb(DA) may state that DA evaluates to false at most 3 times in the past.
2 Hard Robustness: synthesize the controller for the invariance of Dh = (Rb(DA) ⇒ DC).
3 Soft Robustness: synthesize a controller that maximizes the frequency of DC, averaged over all inputs.
Synthesis Goal: compute a controller which
1 invariantly satisfies Dh, and
2 is H-optimal w.r.t. DC among all the controllers satisfying (1).
Synthesis Goal: compute a controller which
1 invariantly satisfies Dh, and
2 is H-optimal w.r.t. DC among all the controllers satisfying (1).
H-optimality criterion: design a controller which at each step chooses the output that maximizes the expected value of the count of DC over the next H moves. The count is averaged over all input sequences of length H.
Controller Synthesis Algorithm
Algorithm
Input: Spec = (DA, DC, Rb(A)), horizon H, output ordering Ord. Output: controller Cnt for Spec.
1. Monitor automaton for Dh = (Rb(DA) ⇒ DC): compute A(Dh) for the formula Dh.
2. Maximally permissive supervisor for invariance of Dh: AMPS = MPS(A(Dh)).
3. Maximally permissive H-optimal sub-supervisor for DC: AMPHOS = MPHOS(AMPS, DC, H).
4. Resolve the non-determinism in MPHOS by the output preference ordering: Cnt = Det_Ord(AMPHOS).
5. Encode the automaton Cnt in an implementation language.
Monitor for 2-client Arbiter with 2-cycle response
I = {r1, r2}, O = {a1, a2}
Figure: Monitor Automaton: 2-Client Arbiter
Supervisor and Controller
Definition (Output-nondeterministic Mealy Machine)
A DFA over the input-output alphabet Σ = 2^I × 2^O is a tuple A = (Q, Σ, s, δ, F) where δ : Q × 2^I × 2^O → Q. An output-nondeterministic Mealy machine is a DFA with a unique reject state r, s.t. F = Q − {r} and δ(r, i, o) = r for all i ∈ 2^I, o ∈ 2^O.
Definition (Supervisor and Controller)
A supervisor is an output-nondeterministic Mealy machine which is non-blocking, i.e. ∀s ∈ F, ∀i ∈ 2^I, ∃o ∈ 2^O s.t. δ(s, i, o) ∈ F. A deterministic supervisor is called a controller.
Definition (Determinism Order and Sub-supervisor)
For supervisors S1 and S2, we say S1 ≤det S2 iff L(S2) ⊆ L(S1). We call S2 a sub-supervisor of S1.
MPS and MPHOS for 2-Client Arbiter
I = {r1, r2}, O = {a1, a2}
Figure: Supervisors for Arbiter n = 2 and k = 2. (a): MPS, (b): MPHOS
Maximally Permissive Supervisor
1 A Mealy machine S realizes AG D provided L(S) ⊆ L(D) and S is non-blocking.
Definition
A supervisor S for a formula D is called maximally permissive iff S ≤det S′ holds for any supervisor S′ such that S′ realizes AG D. This S (when it exists) is unique up to language equivalence of automata, and the minimum-state maximally permissive supervisor is denoted MPS(D).
Ramadge and Wonham pioneered the study of such maximally permissive supervisors [1].
The standard safety synthesis algorithm on A(Dh) gives MPS(Dh) (see Grädel et al.).
MPS Construction: Hard requirement
Algorithm
Input: monitor automaton A(Dh) for Dh. Output: MPS for Dh.
1. For A(Dh), compute the largest set G ⊆ F s.t. s ∈ G iff ∀i ∃o : δ(s, (i, o)) ∈ G, as the greatest fixed point
   G = F;
   do { G1 = G; G = Cpre(A(Dh), G1); } while (G != G1);
   where Cpre(A, G1) = { s ∈ G1 | ∀i ∃o : δ(s, (i, o)) ∈ G1 } is the controllable predecessor.
2. If the initial state s0 ∉ G, then return UNREALIZABLE.
3. Otherwise, return an automaton AMPS with all the transitions in A(Dh) between states in G, and the remaining transitions redirected to a unique reject state r.
Computing H-Optimal Sub-supervisor [Bellman 1957]
Given a supervisor MPS, the requirement DC and a horizon H, we compute the H-optimal sub-supervisor MPHOS(MPS, DC, H).
1 Assign a utility value Val(s, H) to each state s of MPS, giving the maximal achievable count of DC over the next H steps, maximized over all non-deterministic choices of outputs. This value is averaged over all possible input sequences of length H.
2 Val(s, H) is computed as follows:
Val(s, 0) = 0
Val(s, p + 1) = E_{i ∈ 2^I} max_{o ∈ 2^(O ∪ {w}) : δ(s, (i, o)) ≠ r} { wt(o) + Val(δ(s, (i, o)), p) }
where w is the indicator for DC, and wt(o) = 1 if w ∈ o and 0 otherwise.
3 We get MPHOS by retaining (from any state) all output transitions going to the maximal utility states.
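The five-step algorithm of slide 7 and the MPS/MPHOS constructions of slides 12 and 13, carried out end to end on an explicit monitor automaton, as an added worked example. This is not DCSynth code (which works symbolically on MONA's SSDFA); the arbiter specification, the criteria encodings and the traces are constructed for the example. It synthesizes a 3-client arbiter with 2-cycle response whose assumption DA is "never all three clients request in the same cycle"; the criteria AssumeTrue, AssumeFalse, BeCurrentlyCorrect and LenCntInt(A,0,2) are encoded as predicates over (A in the previous cycle, A now), which is all the state those four criteria need. Two choices are the example's own and not the slides': mutual exclusion is kept outside the Rb(A) ⇒ DC implication, so that a relaxed assumption can never license granting two clients at once, and the "A held last cycle" flag starts as true (no assumption error before time 0).

```python
"""Uniform synthesis on an explicit monitor automaton (constructed example).
Arbiter with N clients: inputs r1..rN (requests), outputs a1..aN (grants).
DC, checked every step: ME (at most one grant), NoSp (grants only to requesting
clients), Resp (a client pending from last cycle and still requesting is granted
now, i.e. 2-cycle response). DA: never all N clients request at once; A is its
step-wise indicator. Dh = ME && (Rb(A) => (NoSp && Resp)); ME is unconditional."""
from fractions import Fraction
from itertools import product

N = 3
INPUTS = [frozenset(f"r{k + 1}" for k in range(N) if bits[k])
          for bits in product((0, 1), repeat=N)]
OUTPUTS = [frozenset(f"a{k + 1}" for k in range(N) if bits[k])
           for bits in product((0, 1), repeat=N)]
REJECT = "reject"
INIT = ((False,) * N, True)  # (pending flags, A held last cycle): no error before time 0
PREFER_GRANT = sorted(OUTPUTS, key=lambda o: (-len(o), sorted(o)))  # Ord: grant first
CRITERIA = {  # Rb(A) as predicates over (A in the previous cycle, A now)
    "AssumeTrue": lambda a_prev, a_now: True,             # DC required always
    "AssumeFalse": lambda a_prev, a_now: False,           # hard part is ME only
    "BeCurrentlyCorrect": lambda a_prev, a_now: a_now,
    "LenCntInt(A,0,2)": lambda a_prev, a_now: a_prev and a_now,  # no error in last 2 cycles
}

def step(state, i, o, rb):
    """One transition of A(Dh): (next state or REJECT, DC indicator w)."""
    pending, a_prev = state
    req = [f"r{k + 1}" in i for k in range(N)]
    gnt = [f"a{k + 1}" in o for k in range(N)]
    me = sum(gnt) <= 1
    nosp = all(r or not g for r, g in zip(req, gnt))
    resp = all(not (p and r and not g) for p, r, g in zip(pending, req, gnt))
    a_now = not all(req)
    w = int(me and nosp and resp)
    if not (me and ((nosp and resp) or not rb(a_prev, a_now))):
        return REJECT, w
    return (tuple(r and not g for r, g in zip(req, gnt)), a_now), w

def build_monitor(rb):
    states = [(p, ap) for p in product((False, True), repeat=N) for ap in (False, True)]
    delta, weight = {}, {}
    for s, i, o in product(states, INPUTS, OUTPUTS):
        delta[(s, i, o)], weight[(s, i, o)] = step(s, i, o, rb)
    return states, delta, weight

def mps(states, delta):
    """Greatest fixed point of Cpre; returns the winning set G, or None if unrealizable."""
    g = set(states)
    while True:
        g1 = {s for s in g
              if all(any(delta[(s, i, o)] in g for o in OUTPUTS) for i in INPUTS)}
        if g1 == g:
            return g if INIT in g else None
        g = g1

def values(g, delta, weight, h):
    """Val(s, h): expected DC count over h steps (uniform inputs), maximised over outputs in g."""
    val = {s: Fraction(0) for s in g}
    for _ in range(h):
        val = {s: sum(max(weight[(s, i, o)] + val[delta[(s, i, o)]]
                          for o in OUTPUTS if delta[(s, i, o)] in g)
                      for i in INPUTS) / len(INPUTS) for s in g}
    return val

def mphos(g, delta, weight, h):
    """Per (state, input) keep only the outputs achieving the h-step optimum."""
    prev = values(g, delta, weight, h - 1)
    keep = {}
    for s, i in product(g, INPUTS):
        scored = {o: weight[(s, i, o)] + prev[delta[(s, i, o)]]
                  for o in OUTPUTS if delta[(s, i, o)] in g}
        best = max(scored.values())
        keep[(s, i)] = {o for o, v in scored.items() if v == best}
    return keep

def synthesize(criterion, h=2, order=PREFER_GRANT):
    """Steps 1-4 of the algorithm; None means the hard part Dh is unrealizable."""
    states, delta, weight = build_monitor(CRITERIA[criterion])
    g = mps(states, delta)
    if g is None:
        return None
    keep = mphos(g, delta, weight, h)
    rank = {o: n for n, o in enumerate(order)}
    controller = {si: min(opts, key=rank.__getitem__) for si, opts in keep.items()}
    return {"winning": g, "mphos": keep, "controller": controller, "delta": delta, "weight": weight}

def run(result, trace, start=INIT):
    """Execute the controller on an input trace: (outputs, DC hits, reached reject?)."""
    s, hits, outs = start, 0, []
    for i in trace:
        o = result["controller"][(s, i)]
        outs.append(o)
        hits += result["weight"][(s, i, o)]
        s = result["delta"][(s, i, o)]
        if s == REJECT:
            return outs, hits, True
    return outs, hits, False

if __name__ == "__main__":
    for name in CRITERIA:
        res = synthesize(name)
        print(name, "UNREALIZABLE" if res is None else f"{len(res['winning'])} winning states")
```

Under AssumeTrue and BeCurrentlyCorrect the fixed point removes the initial state (three pending clients can never be served within two cycles), while LenCntInt(A,0,2) keeps 12 of the 16 monitor states. From the initial state with all three clients requesting, the H = 2 value iteration drops the "grant nobody" output (1.5 against 1.75) because it leads to a state with three pending requests, and the grant-first ordering then fixes a1. The security-relevant split is the one the slides make: everything that must hold even when the environment misbehaves goes into Dh, and the soft layer only ranks the outputs Dh leaves open.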
SSDFA data structure (Tool: MONA) [Klarlund et al]
Figure: Example automaton. (a): External format, (b): SSDFA format
Implementation
The greatest-fixed-point based MPS computation as well as the value-iteration based H-optimal sub-supervisor computation are carried out symbolically on the SSDFA data structure, giving large performance gains.
Tool DCSynth: Comparison with other tools [LNCS 19]
1 In DCSynth all the synthesis steps work on the MTBDD-based SSDFA representation.
2 Regular properties allow aggressive minimization at each step.
3 The controller is computed without game graph expansion.
4 This gives better scalability and performance.

Hard Requirement | Acacia+ time (s) | Acacia+ Memory/States | BoSy time (s) | BoSy Memory/States | DCSynth time (s) | DCSynth Memory/States
Arbhard(4,4)     | 0.4    | 29.8/55  | 0.75 | -/4 | 0.08 | 9.1/50
Arbhard(5,5)     | 11.4   | 71.9/293 | 14.5 | -/8 | 5.03 | 28.1/432
Arbhard(6,6)     | TO (a) | -        | TO   | -   | 80   | 1053.0/4802
Arbtok(7)        | 9.65   | 39.1/57  | TO   | -   | 0.3  | 7.3/7
Arbtok(8)        | 46.44  | 77.9/73  | -    | -   | 2.2  | 16.2/8
Arbtok(10)       | NC (b) | -        | -    | -   | 152  | 82.0/10
Mine-pump        | NC     | -        | TO   | -   | 0.06 | 50/32

Experiments with BoSy use the online version.
(a) TO = timeout (DCSynth and Acacia+ 3600 s, BoSy 600 s). (b) NC = synthesis inconclusive.
Structure of the talk
1 Robust Controller
2 Synthesis Method
3 Brief introduction to the logic QDDC
4 Logical Specification of Robust Controllers
5 Study of various Robustness Criteria
6 Experimental results
Temporal Logics for Reactive Systems
Temporal logic formulas specify the evolution of system state in time.
Founders
Amir Pnueli (logic LTL) [Turing Award 1996]
Emerson, Clarke, Sifakis (model checking) [Turing Award 2007]
Interval Temporal Logics and Duration Calculus
Activities span time intervals:
MakeOmlett ⇒ BreakEgg ^ (Sing ∧ (BeatEgg ^ FryEgg))
Figure: timing diagram of the intervals Breakegg, Sing, Beategg, Fryegg and Makeomlett (the chopped sub-intervals of the formula above).
Quantitative measurements: in any interval of 15 cycles where request is continuously high there must be at least 3 ack signals:
[]([[req]] && slen >= 14 => scount ack >= 3)
Visual and highly expressive language.
Quantified Discrete Duration Calculus
QDDC [P.: RTTOOLS01, TACAS01] is an interval temporal logic, the discrete-time version of Duration Calculus [Zhou, Hoare, Ravn 91].
QDDC Features
Discrete time
Interval temporal logic
Measurement of interval lengths and counts of events up to a threshold.
Temporal quantification, e.g. ∃Q. D1[P, Q] ∧ D2[Q, R].
Logic Quantified Discrete Duration Calculus (QDDC)
QDDC [P.: RTTOOLS01, TACAS01] is an interval temporal logic, the discrete-time version of Duration Calculus [Zhou, Hoare, Ravn 91].
Pos   0 1 2 3 4 5 6 7 8 9
σ(P)  0 0 1 0 1 1 1 1 0 1
Interval temporal logic: σ, [b, e] |= D
Formula [[P]]: proposition P is invariantly true in the observation interval, e.g. [4,7].
Term slen gives the length e − b of the observation interval, e.g. slen = 5 on [2,7].
Term (scount P) counts the number of occurrences of proposition P in the observation interval, e.g. on [2,8].
Modality []D states that formula D holds for every sub-interval of the observation interval.
Formula [!P]^[P]^[[!P]] states that the interval can be split into three parts satisfying [!P], [P] and [[!P]] respectively, e.g. [0,3].
QDDC Syntax
Let ϕ denote propositions over variables PV.
The syntax of a QDDC formula over PV is given by:
D := 〈ϕ〉 | [ϕ] | [[ϕ]] | D^D | ¬D | D || D | D && D | D* | ∃p. D | ∀p. D | slen ⋈ c | scount ϕ ⋈ c,
where ϕ ∈ Prop(PV), p ∈ PV, c ∈ ℕ and ⋈ ∈ {<, ≤, =, ≥, >}.
Semantics of QDDC formulas:
σ, [b, e] |= 〈ϕ〉 iff b = e and σ, b |= ϕ,
σ, [b, e] |= [ϕ] iff ∀ b ≤ i < e : σ, i |= ϕ,
σ, [b, e] |= [[ϕ]] iff ∀ b ≤ i ≤ e : σ, i |= ϕ,
σ, [b, e] |= D1^D2 iff ∃ b ≤ i ≤ e : σ, [b, i] |= D1 and σ, [i, e] |= D2.
Measurement terms slen and scount.
Derived operators: 〈〉D = true^D^true, and []D = ¬〈〉¬D.
Pref(D) = ¬((¬D)^true), and SUFF(D) = ¬(true^(¬D)).
Past satisfaction and Language of QDDC
Past satisfaction
σ, i |= D iff σ, [0, i] |= D: the past of position i satisfies the requirement D.
Language L(D)
L(D) = {σ | σ, (#σ − 1) |= D}, where #σ is the length of σ.
Logic SeCeNL for capturing Timing Diagrams
A timing diagram is a collection of binary signals and a set of timing/ordering constraints on them.
SeCeN Formula
ex1. a', b', c', d', e', f'
-- Waveforms
[!a]^〈a'〉^[a]^〈f'〉^[[!a]] &&
[!b]^〈b'〉^[b]^〈e'〉^[[!b]] &&
[!c]^〈c'〉^[c]^〈d'〉^[[!c]]
-- Constraints
true^〈a'〉^(slen > 0)^〈b'〉^true &&
true^〈b'〉^(slen > 0)^〈c'〉^true &&
true^〈d'〉^(slen > 0)^〈e'〉^true &&
true^〈e'〉^(slen > 0)^〈f'〉^true
Comparison with LTL and PSL
LTL/MTL
[¬a & ¬b & ¬c] UU [a & ¬b & ¬c] UU [a & b & ¬c] UU [a & b & c] UU [a & b & ¬c] UU [a & ¬b & ¬c] UU [¬a & ¬b & ¬c]
Here, a UU b is the derived modality (a & X(a U b)).
PSL [IEEE 1850 Standard]
(¬a & ¬b & ¬c)[+]; (a & ¬b & ¬c)[+]; (a & b & ¬c)[+]; (a & b & c)[+]; (a & b & ¬c)[+]; (a & ¬b & ¬c)[+]; (¬a & ¬b & ¬c)[+]
• LTL/PSL: non-compositional, complex and cumbersome.
• Formula size: PSL/LTL is O(n²), SeCeN O(n).
Formula Automaton Construction
Theorem (Automata Theoretic Decidability of QDDC)
For each D ∈ QDDC we can effectively construct a finite state automaton A_D such that L(D) = L(A_D).
For each FSM A we can effectively construct D_A ∈ QDDC such that L(A) = L(D_A).
Tool DCVALID – next slide.
DCVALID: Validity/Model Checker for QDDC formulas
Constructs the deterministic finite state automaton A(D) for a QDDC formula D.
The automaton is used as a synchronous observer to model check QDDC properties of Esterel, SMV, Verilog, SCADE/Lustre and SAL models.
Uses an efficient MTBDD-based representation of automata using MONA.
Constructs the automaton for a formula bottom-up, keeping each automaton in minimal deterministic form.
[RTTOOLS 2001, TACAS 2001, SLAP 2002, CAV 2003, AVOCS 2004, FSTTCS 2005, TACAS 2006, TACAS 2008]
Example: n-Client Arbiter Specification in QDDC
1 An n-client arbiter has request inputs r1 … rn and outputs a1 … an corresponding to the n clients.
– Mutual Exclusion Requirement R1: [[ ∧_{i≠j} ¬(ai ∧ aj) ]]
– k-cycle Response Requirement R2: ∧_i []( ([[ri]] && (slen >= (k − 1))) ⇒ (scount ai > 0) )
Pos    0 1 2 3 4 5 6 7 8 9
σ(r1)  0 0 1 0 1 1 1 1 0 1
σ(r2)  0 0 0 1 1 1 1 1 0 1
σ(a1)  0 0 1 0 1 0 1 1 1 1
σ(a2)  1 0 0 1 0 1 0 0 1 1
Complexity and Utility
Theorem (succinctness)
The lower bound on the size of the formula automaton A(D) is non-elementary in the size of D. An automaton of size n can be described by a formula of size O(n).
Lemma (SeCeNL ⊂ QDDC)
For any SeCeNL formula D of size n we can effectively construct a language-equivalent DFA of size at most Ω(2^{2^{2^{2^{2n}}}}).
Uses of Formula Automaton
Checking validity/satisfiability of a formula.
Visualizing models/counter-models: every accepting path in A(D) is a model.
The monitor automaton can be used for run-time monitoring, property-based testing and model checking.
Structure of the talk (continued): 4 Logical Specification of Robust Controllers
Robust Controller Specification (DA, DC, Rb(A))
Be Correct: invariance of (pref(DA) ⇒ DC). Robustness pertains to the ability to meet commitment DC even when DA does not hold invariantly in the past.
1 Relaxed assumption, denoted Rb(DA), specifies a weaker condition than pref(DA). E.g. Rb(DA) may state that DA evaluates to false at most 3 times in the past.
2 Hard Robustness: synthesize the controller for the invariance of Dh = (Rb(DA) ⇒ DC).
Synthesis Goal: compute a controller which
1 invariantly satisfies Dh, and
2 is H-optimal w.r.t. DC among all the controllers satisfying (1).
The H-optimality criterion chooses those outputs which maximize the expected value of the cumulative count of DC over the next H moves. The count is averaged over all input sequences of length H.
Robustness Criterion: Logical Specification for Relaxing DA
1 We structure Rb(DA) as a pair (DA, Rb(A)), where the robustness criterion Rb(A) is a QDDC formula over an auxiliary proposition A. The indicator variable A witnesses the positions where the assumption is true; Ind(DA, A) denotes the formula tying A to DA in this way. Formula Rb(A) logically specifies a generic method to relax any user-given assumption DA. Example: Rb(A) = (scount !A <= 3), i.e. DA has been violated at most 3 times in the past.
2 The Hard Robustness formula
Dh = ((Ind(DA, A) && Rb(A)) ⇒ DC)
Example of a Robustness Criterion
Criterion LenCntInt(A, k, b) holds at a position i iff in the last b cycles there are at most k violations:
SUFF((slen < b) ⇒ (scount !A <= k))
This is the table entry NeverInSuffixLen(b, CountErr(A, k)) written out: no suffix of the past with slen < b contains more than k positions where A is false.
Structure of the talk (continued): 5 Study of various Robustness Criteria
Designing Robustness Criteria (Hard Robustness)
Degraded mode of holding the assumptions.
Error-Types: Intervals with Assumption Error
1 LocalErr(A) = (true ^ 〈!A〉)
2 CountErr(A, k) = (scount !A > k)
3 BurstErr(A, k) = ([[!A]] && slen >= k)
  HasBurstErr(A, k) = 〈〉(BurstErr(A, k))
Pos   0 1 2 3 4 5 6 7 8 9
σ(A)  1 0 0 1 0 1 0 0 0 1
Example: the interval [6,8] satisfies BurstErr(A, 2) and hence [3,9] satisfies HasBurstErr(A, 2).
Designing Robustness Criteria (Hard Robustness) cont...
Error-Scope: Forbidden Intervals for Errors
1 Position based:
  NeverInPast(Err) = !〈〉Err
  NeverInSuffix(Err) = !(true ^ Err)
2 Length based:
  NeverInPastLen(b, Err) = !〈〉(slen < b && Err)
  NeverInSuffixLen(b, Err) = !(true ^ ((slen < b) && Err))
3 Resilience based:
  HasNoRecovery(A, b) = ([]([[A]] ⇒ slen < b − 1))
  NeverInPastRes(b, Err) = NeverInPast(Err && HasNoRecovery(A, b))
  NeverInSuffixRes(b, Err) = NeverInSuffix(Err && HasNoRecovery(A, b))
Various Robustness Criteria
We have formulated some existing robustness criteria and also proposed some new criteria.

Sr. No. | Robustness Criteria  | Definition of Rb(A)
1.      | AssumeFalse(A)       | false
2.      | BeCorrect(A)         | NeverInPast(LocalErr(A))
3.      | BeCurrentlyCorrect(A)| NeverInSuffix(LocalErr(A))
4.      | LenCnt(A,k,b)        | NeverInPastLen(b, CountErr(A, k))
5.      | LenCntInt(A,k,b)     | NeverInSuffixLen(b, CountErr(A, k))
6.      | LenBurst(A,k,b)      | NeverInPastLen(b, HasBurstErr(A, k))
7.      | LenBurstInt(A,k,b)   | NeverInSuffixLen(b, HasBurstErr(A, k))
8.      | ResCnt(A,k,b)        | NeverInPastRes(b, CountErr(A, k))
9.      | ResCntInt(A,k,b)     | NeverInSuffixRes(b, CountErr(A, k))
10.     | ResBurst(A,k,b)      | NeverInPastRes(b, HasBurstErr(A, k))
11.     | ResBurstInt(A,k,b)   | NeverInSuffixRes(b, HasBurstErr(A, k))
12.     | AssumeTrue(A)        | true
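An explicit-state evaluator for the QDDC fragment of the syntax/semantics slide, used on the n-client arbiter requirements R1 and R2 with the trace of the arbiter slide, and on the error types, error scopes and criteria table of the last three slides with the σ(A) trace of the error-types slide. It is an added example, not DCVALID or DCSynth code: it decides σ, [b, e] |= D by enumeration over one finite word instead of building A(D), so it can monitor a trace but cannot prove validity. Assumed where the slides are silent or damaged: scount counts the positions b..e inclusive, the point formula inside LocalErr(A) is 〈!A〉, and the trace dictionaries are transcribed from the slides' tables.

```python
"""Explicit evaluator for the QDDC fragment on these slides (constructed example).
Formulas are nested tuples; a word sigma is a list of dicts, one per position.
Assumed conventions: slen = e - b; scount counts positions b..e inclusive."""
import operator

CMP = {"<": operator.lt, "<=": operator.le, "=": operator.eq, ">=": operator.ge, ">": operator.gt}
TRUE = ("true",)

def holds(D, sigma, b, e):
    """sigma, [b, e] |= D, by recursion over the formula (0 <= b <= e < len(sigma))."""
    k = D[0]
    if k == "true":   return True
    if k == "pt":     return b == e and D[1](sigma[b])                      # <phi>
    if k == "half":   return all(D[1](sigma[i]) for i in range(b, e))       # [phi]
    if k == "full":   return all(D[1](sigma[i]) for i in range(b, e + 1))   # [[phi]]
    if k == "not":    return not holds(D[1], sigma, b, e)
    if k == "and":    return holds(D[1], sigma, b, e) and holds(D[2], sigma, b, e)
    if k == "imp":    return not holds(D[1], sigma, b, e) or holds(D[2], sigma, b, e)
    if k == "chop":   return any(holds(D[1], sigma, b, m) and holds(D[2], sigma, m, e)
                                 for m in range(b, e + 1))                  # D1 ^ D2
    if k == "slen":   return CMP[D[1]](e - b, D[2])
    if k == "scount": return CMP[D[2]](sum(D[1](sigma[i]) for i in range(b, e + 1)), D[3])
    if k == "box":    return all(holds(D[1], sigma, i, j)                    # []D
                                 for i in range(b, e + 1) for j in range(i, e + 1))
    if k == "dia":    return not holds(("box", ("not", D[1])), sigma, b, e)  # <>D
    raise ValueError(k)

def past(D, sigma, i):
    """sigma, i |= D  iff  sigma, [0, i] |= D (past satisfaction)."""
    return holds(D, sigma, 0, i)

def first_violation(D, sigma):
    """Run the formula as a monitor: first position whose past violates D, else None."""
    return next((i for i in range(len(sigma)) if not past(D, sigma, i)), None)

def implies_on(X, Y, sigma):
    """Check |= X => Y position-wise on one word (a test, not a validity proof)."""
    return all(not past(X, sigma, i) or past(Y, sigma, i) for i in range(len(sigma)))

def prop(name): return lambda s: s[name]
def nprop(name): return lambda s: not s[name]

def word(**columns):
    """Build sigma from per-signal bit strings transcribed from the slides' tables."""
    return [{n: bits[i] == "1" for n, bits in columns.items()}
            for i in range(len(next(iter(columns.values()))))]

# n-client arbiter: R1 = [[ /\_{i!=j} !(ai /\ aj) ]], R2_i = []([[ri]] && slen >= k-1 => scount ai > 0)
def arbiter_spec(n, k):
    r1 = ("full", lambda s: sum(s[f"a{j}"] for j in range(1, n + 1)) <= 1)
    r2 = [("box", ("imp", ("and", ("full", prop(f"r{i}")), ("slen", ">=", k - 1)),
                          ("scount", prop(f"a{i}"), ">", 0))) for i in range(1, n + 1)]
    return r1, r2

ARB_TRACE = word(r1="0010111101", r2="0001111101", a1="0010101111", a2="1001010011")

# Error types, error scopes and the criteria table, over the indicator A.
A, NOT_A = prop("A"), nprop("A")
def local_err():                 return ("chop", TRUE, ("pt", NOT_A))  # true ^ <!A>, as read here
def count_err(k):                return ("scount", NOT_A, ">", k)
def burst_err(k):                return ("and", ("full", NOT_A), ("slen", ">=", k))
def has_burst(k):                return ("dia", burst_err(k))
def never_in_past(err):          return ("not", ("dia", err))
def never_in_suffix(err):        return ("not", ("chop", TRUE, err))
def never_in_past_len(b, err):   return never_in_past(("and", ("slen", "<", b), err))
def never_in_suffix_len(b, err): return never_in_suffix(("and", ("slen", "<", b), err))
def has_no_recovery(b):          return ("box", ("imp", ("full", A), ("slen", "<", b - 1)))
def never_in_past_res(b, err):   return never_in_past(("and", err, has_no_recovery(b)))
def never_in_suffix_res(b, err): return never_in_suffix(("and", err, has_no_recovery(b)))

def criterion(name, k=0, b=1):
    """Rb(A) for a row of the criteria table, with parameters k, b."""
    return {
        "AssumeFalse": ("not", TRUE), "AssumeTrue": TRUE,
        "BeCorrect": never_in_past(local_err()),
        "BeCurrentlyCorrect": never_in_suffix(local_err()),
        "LenCnt": never_in_past_len(b, count_err(k)),
        "LenCntInt": never_in_suffix_len(b, count_err(k)),
        "LenBurst": never_in_past_len(b, has_burst(k)),
        "LenBurstInt": never_in_suffix_len(b, has_burst(k)),
        "ResCnt": never_in_past_res(b, count_err(k)),
        "ResCntInt": never_in_suffix_res(b, count_err(k)),
        "ResBurst": never_in_past_res(b, has_burst(k)),
        "ResBurstInt": never_in_suffix_res(b, has_burst(k)),
    }[name]

A_TRACE = word(A="1001010001")   # sigma(A) from the error-types slide

if __name__ == "__main__":
    R1, R2 = arbiter_spec(2, 2)
    print("R1 first violated at", first_violation(R1, ARB_TRACE))
    print("R2 per client:", [first_violation(f, ARB_TRACE) for f in R2])
    print("LenBurstInt(A,2,3) at 9:", past(criterion("LenBurstInt", 2, 3), A_TRACE, 9))
```

On the arbiter trace, R1 (mutual exclusion) first fails at position 8, where a1 and a2 are both granted; client 1's two-cycle response is never violated, and client 2's fails at position 7 because r2 is high on [6,7] with no a2. On σ(A), [6,8] is a burst of three errors, so LenBurstInt(A,2,b) holds at position 9 for b = 3 but not for b = 4. The implication checks over a single trace can refute an arrow in the robustness order of the next slide but not establish it; the validity claim of the theorem needs DCVALID.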
Robustness Order and Comparison
Figure: implication order on the robustness criteria, laid out on the slide from top to bottom as: AssumeTrue; LenBurstInt; LenCntInt, ResBurstInt; BeCurrentlyCorrect, ResCntInt; ResBurst ↔ LenBurst; LenCnt; ResCnt; BeCorrect; AssumeFalse.
Theorem
All implications in the order hold. X → Y denotes the validity |= X ⇒ Y. The implications hold for the same values of the parameters k, b.
Structure of the talk (continued): 6 Experimental results
Experiments: Robust Controller Synthesis
Table: Expected value of the commitment DC holding in long runs over random inputs, for controllers synthesized under various robustness criteria and integer parameters (k, b). Arbiter(4,3,2) uses k=1, b=3; Minepump(8,2,6,2) uses k=2, b=8. Cells spanning several rows in the original table are repeated for each row they cover.

Robustness Criteria | E(ARB-MPS) | E(ARB-MPHOS) | E(MP-MPS) | E(MP-MPHOS)
AssumeFalse         | 0.000000 | 0.998175 | 0.000000  | 0.997070
BeCorrect           | 0.000000 | 0.998175 | 0.000000  | 0.997070
ResCnt(K,B)         | 0.000000 | 0.998175 | 0.000000  | 0.997070
LenCnt(K,B)         | 0.000000 | 0.998175 | 0.000000  | 0.997070
ResBurst(K,B)       | 0.000000 | 0.998175 | 0.000000  | 0.997070
LenBurst(K,B)       | 0.000000 | 0.998175 | 0.000000  | 0.997070
ResCntInt(K,B)      | 0.544309 | 0.998175 | 0.000966  | 0.997070
ResBurstInt(K,B)    | 0.669069 | 0.998175 | 0.000966  | 0.997070
LenCntInt(K,B)      | 0.768066 | 0.998175 | 0.0027342 | 0.997070
LenBurstInt(K,B)    | 0.835205 | 0.998175 | 0.004514  | 0.997070
BeCurrentlyCorrect  | 0.687500 | 0.992647 | 0.997070  | 0.997070
Main Features and Results
1 Developed a theory of specification of robust controllers.
2 Proposed a logic-based method to specify the robustness criterion, and used it for the specification of various existing as well as new robustness notions.
3 A uniform method for synthesis.
4 A framework for the theoretical analysis of various notions of robustness (implication order).
5 Performance of the synthesized controller is measured using the expected value of meeting the commitment.
Questions ??
[1] P. Ramadge and W. Wonham. The Control of Discrete Event Systems. Proceedings of the IEEE, volume 77, pages 81–98, 1989.
Backup Slides
QDDC Syntax
Syntax of a propositional formula over Σ is:
ϕ := false | true | p ∈ Σ | ϕ && ϕ | ϕ || ϕ | ¬ϕ
The syntax of a QDDC formula over Σ is given by:
D := 〈ϕ〉 | [ϕ] | [[ϕ]] | D^D | ¬D | D || D | D && D | D* | ∃p. D | ∀p. D | slen ⋈ c | scount ϕ ⋈ c,
where ϕ ∈ Ω_Σ, p ∈ Σ, c ∈ ℕ and ⋈ ∈ {<, ≤, =, ≥, >}.
Semantics of QDDC formulas:
σ, [b, e] |= 〈ϕ〉 iff b = e and σ, b |= ϕ,
σ, [b, e] |= [ϕ] iff ∀ b ≤ i < e : σ, i |= ϕ,
σ, [b, e] |= [[ϕ]] iff ∀ b ≤ i ≤ e : σ, i |= ϕ,
σ, [b, e] |= D1^D2 iff ∃ b ≤ i ≤ e : σ, [b, i] |= D1 and σ, [i, e] |= D2.
Measurement terms slen and scount.
Derived operators: 〈〉D = true^D^true, and []D = ¬〈〉¬D.
Translation of SeCeNL (without nominals) to QDDC
Translation function ℵ
1 ℵ(pref(D)) ≡ []_pref D.
2 ℵ(init(D2/D3)) ≡ []_pref (Ξ(D3) ⇒ D2^true).
3 ℵ(anti(D)) ≡ ¬(true^D^true).
4 ℵ(implies(D1 D2)) ≡ [](D1 ⇒ D2).
5 ℵ(follows(D1 D2/D3)) ≡ [](¬(D1^(Ξ(D3) ∧ ¬(D2^true)))).
6 ℵ(triggers(D1 D2/D3)) ≡ [](D1^true ⇒ (Ξ(D3) ⇒ D2^true)) ∧ [](D1 ⇒ []_pref (Ξ(D3) ⇒ D2^true)).
Controller Synthesis Algorithm
Algorithm
Input: Spec = (I, O, Dh, Ds), Horizon H, Output ordering Ord
Output: Controller Cnt for Spec.
1. Monitor Automaton for Dh: compute A(Dh) for Dh
2. Maximally Permissive Supervisor for Invariance of Dh: A_MPS = MPS(A(Dh))
3. Maximally Permissive H-optimal sub-supervisor for Ds: A_MPHOS = MPHOS(A_MPS, Ds, H)
4. Resolve non-determinism in MPHOS by output preference ordering: Cnt = Det_Ord(A_MPHOS)
5. Encode the automaton Cnt in an implementation language.
SSDFA data-structure
Figure: Example automaton (a): External format (b): SSDFA format
Maximally Permissive Supervisor
1 A Mealy Machine S realizes AG D provided L(S) ⊆ L(D) and S is non-blocking.
Definition
A supervisor S for a formula D is called maximally permissive iff S ≤_det S′ holds for any supervisor S′ such that S′ realizes AG D. This S (when it exists) is unique up to language equivalence of automata, and the minimum-state maximally permissive supervisor is denoted MPS(D).
Ramadge and Wonham pioneered the study of such maximally permissive supervisors [1].
The standard safety synthesis algorithm on A(Dh) gives MPS(Dh) (see Grädel et al).
MPS Construction: Hard requirement
Algorithm
Input: monitor automaton A(Dh) for Dh
Output: MPS for Dh.
1. For A(Dh), compute the largest set G ⊆ F s.t. s ∈ G iff ∀i ∃o : δ(s, (i, o)) ∈ G, as follows:
   G = F;
   do
     G1 = G;
     G = Cpre(A(Dh), G1);
   while (G != G1);
2. If the initial state s0 ∉ G, then return UNREALIZABLE.
3. Otherwise, return an automaton A_MPS with all the transitions in A(Dh) between states in G, and the remaining transitions redirected to a unique reject state r.
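The fixpoint of step 1 and the reject-state redirection of step 3, worked in Python on a constructed request/grant monitor (added example, not DCSynth's implementation; the automaton, its state names and the dict encoding of δ are assumptions). Two rounds of Cpre prune first the trap state and then the pending state, so the resulting supervisor keeps only the transitions that grant a request immediately.

```python
"""Maximally permissive supervisor for a hard requirement Dh (added example, not
DCSynth code).  A(Dh) is a deterministic automaton over 2^I x 2^O given as
delta[(state, inp, out)] = next_state with accepting states F; valuations of I and
O are frozensets of the variables that are true; REJECT is the unique reject state."""
from itertools import product

REJECT = 'r'

def valuations(vs):
    vs = sorted(vs)
    return [frozenset(v for v, bit in zip(vs, bits) if bit)
            for bits in product((0, 1), repeat=len(vs))]

def cpre(delta, inputs, outputs, g):
    """Controllable predecessor: states in g from which every input admits
    some output whose successor is again in g."""
    return {s for s in g if all(any(delta.get((s, i, o)) in g for o in outputs)
                                for i in inputs)}

def mps(ivars, ovars, delta, s0, final):
    """Step 1: largest G ⊆ F with s ∈ G iff ∀i ∃o: delta(s,(i,o)) ∈ G.
    Steps 2-3: UNREALIZABLE (None) if s0 ∉ G, else (G, supervisor transitions)."""
    inputs, outputs = valuations(ivars), valuations(ovars)
    g = set(final)
    while True:                            # do G1 = G; G = Cpre(G1) while G != G1
        g1, g = g, cpre(delta, inputs, outputs, g)
        if g == g1:
            break
    if s0 not in g:
        return None
    sup = {}
    for s, i, o in product(g, inputs, outputs):
        t = delta.get((s, i, o), REJECT)
        sup[(s, i, o)] = t if t in g else REJECT   # redirect leavers to the reject state
    return g, sup

# Constructed monitor A(Dh) over I={'req'}, O={'grant'}: no grant without a pending
# request, a pending request must be granted at the next step, and 'trap' is a safe
# state from which a further request cannot be answered.  F = {idle, pending, trap}.
N, R, GR = frozenset(), frozenset({'req'}), frozenset({'grant'})
DELTA = {('idle', N, N): 'idle', ('idle', N, GR): 'bad',
         ('idle', R, GR): 'idle', ('idle', R, N): 'pending',
         ('pending', N, GR): 'idle', ('pending', R, GR): 'trap',
         ('pending', N, N): 'bad', ('pending', R, N): 'bad',
         ('trap', N, N): 'trap', ('trap', N, GR): 'trap',
         ('trap', R, N): 'bad', ('trap', R, GR): 'bad'}
for i, o in product((N, R), (N, GR)):
    DELTA[('bad', i, o)] = 'bad'

def run_example():
    return mps({'req'}, {'grant'}, DELTA, 'idle', {'idle', 'pending', 'trap'})
```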
Computing Controller: Resolving non-determinism in MPHOS
1 MPHOS can be non-deterministic.
2 Any possible pruning of outputs preserves the invariance and H-optimality.
3 In our tool, the user provides a preference ordering on outputs. For any state and any input, the highest ordered output is retained. This gives the controller Cnt.
Detailed Algorithm for MPHOS Construction
1 Given a supervisor S and a formula Ds over (I, O).
2 Compute A_Arena = S × A(Ind(Ds, w)). It has the property that
  – L(A_Arena) ↓ (I ∪ O) = L(S), and
  – ∀σ ∈ L(A_Arena) and i ∈ dom(σ), w ∈ σ[i] iff σ[0 : i] |= Ds.
3 Let wt(o) = 1 if w ∈ o and 0 otherwise, for o ∈ 2^(O ∪ {w}).
4 A_Arena = (Q, Σ, s, δ, Q − {r}) is a weighted automaton. We define LegalOutputs(q, i) = {o | δ(q, (i, o)) ≠ r} for q ∈ Q, q ≠ r and i ∈ 2^I.
5 An H-horizon policy π is a sequence F1, F2, . . . , FH of non-deterministic selection rules.
Detailed Algorithm for MPHOS Construction Cont..
1 Given a state s, a policy π and an input sequence ii ∈ (2^I)^H (of length H), we define L_π(A_Arena, ii, s) as all runs of A_Arena over the input ii starting from state s and following the selection rule F_i at step i.
2 For a run (ii, oo) let Value(ii, oo) = Σ_{1 ≤ i ≤ #ii} wt(oo[i]).
  – VMIN_π(s, ii) = min{Value(ii, oo) | (ii, oo) ∈ L_π(A_Arena, ii, s)}
  – VMAX(s, ii) = max{Value(ii, oo) | (ii, oo) ∈ L(A_Arena, ii, s)}
3 For a horizon H, A_Arena and a non-deterministic H-horizon policy π
  – ValAvgMax(s) = E_{ii ∈ (2^I)^H} VMAX(s, ii)
  – ValAvgMin_π(s) = E_{ii ∈ (2^I)^H} VMIN_π(s, ii)
4 The aim is to construct a horizon-H policy π* = argmax_π ValAvgMin_π(s).
Detailed Algorithm for MPHOS Construction Cont..
Lemma
For all states s of A_Arena, ValAvgMin_π*(s) = ValAvgMax(s). Thus, for all s ∈ Q of A_Arena and for any H-horizon policy π, ValAvgMin_π(s) ≤ ValAvgMin_π*(s) also holds.
1 Efficient computation of ValAvgMax(s):
  – Val(s, 0) = 0
  – Val(s, p + 1) = E_{i ∈ 2^I} max_{o ∈ 2^(O ∪ {w}) : δ(s, (i, o)) ≠ r} {wt(o) + Val(δ(s, (i, o)), p)}
2 ValAvgMax(s) = Val(s, H).
3 Optimal selection rule F* giving the stationary policy π*:
  F*(s, i) = argmax_{o ∈ 2^O} {wt(o) + Val(s′, H) | δ_{A_Arena}(s, (i, o)) = s′ ∧ s′ ≠ r}
Obtaining controller from MPHOS
1 MPHOS can be non-deterministic.
2 Any possible pruning preserves the invariance and H-optimality.
3 In our tool the user can give a preference ordering on outputs, and the highest ordered output is retained.
Method based on preference output ordering
1 Given a supervisor S and an ordering relation Ord over the set of output valuations 2^O.
2 Determinize S by retaining only the highest ordered output.
3 Ord is specified as a lexicographically ordered list.
  e.g. For O = {o1, o2} and Ord = o1 > !o2, the preference order of outputs would be
  {(o1 = true, o2 = false), (o1 = true, o2 = true), (o1 = false, o2 = false), (o1 = false, o2 = true)}
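The value recursion Val and the selection rule F* from the MPHOS construction, followed by the Det_Ord step with an Ord list in the o1 > !o2 style shown above, as an added Python example on a constructed arena (not DCSynth code; the arena, its states and the encoding of the witness w as an extra output variable are assumptions). With horizon 1 two outputs of s0 score equally and the MPHOS stays non-deterministic; with horizon 2 the deferred reward wins.

```python
"""H-horizon value iteration (MPHOS) and output-ordering determinization, as an
added example on a constructed arena (not DCSynth code).  DELTA[(s, i, o)] = s' with
i a frozenset over I, o a frozenset over O ∪ {'w'}, wt(o) = 1 iff 'w' in o; absent
transitions lead to the reject state r and are therefore never legal."""
from functools import lru_cache
from itertools import product

def make_val(delta, inputs, outputs):
    """Val(s,0) = 0; Val(s,p+1) = E_i max_{o legal} (wt(o) + Val(delta(s,(i,o)), p))."""
    @lru_cache(maxsize=None)
    def val(s, p):
        if p == 0:
            return 0.0
        # inputs are uniform i.i.d., so the expectation is a plain average over 2^I
        return sum(max(('w' in o) + val(delta[(s, i, o)], p - 1)
                       for o in outputs if (s, i, o) in delta)
                   for i in inputs) / len(inputs)
    return val

def mphos_rule(delta, inputs, outputs, horizon):
    """F*(s,i): all legal o maximizing wt(o) + Val(s', H); several may remain."""
    val = make_val(delta, inputs, outputs)
    rule = {}
    for s, i in product({s for s, _, _ in delta}, inputs):
        scores = {o: ('w' in o) + val(delta[(s, i, o)], horizon)
                  for o in outputs if (s, i, o) in delta}
        rule[(s, i)] = {o for o, v in scores.items() if v == max(scores.values())}
    return rule

def order_key(ord_literals):
    """Ord as a lexicographic literal list, e.g. ['o1', '!o2'] means o1 > !o2."""
    def key(o):
        return tuple(int(not (lit[1:] not in o if lit[0] == '!' else lit in o))
                     for lit in ord_literals)
    return key

def detord(rule, ord_literals):
    """Det_Ord: keep only the highest ordered output for every (state, input)."""
    return {k: min(outs, key=order_key(ord_literals)) for k, outs in rule.items()}

# Constructed arena over I={'x'}, O={'y'}: in s0, output y earns w now but leads to
# s1 where w is never earned again; !y earns nothing now but leads to s2 where w is
# earned at every step.  Horizon H=1 cannot separate the two, H=2 prefers !y.
X0, X1 = frozenset(), frozenset({'x'})
INPUTS = [X0, X1]
OUTPUTS = [frozenset(), frozenset({'y'}), frozenset({'w'}), frozenset({'y', 'w'})]
DELTA = {}
for i in INPUTS:
    DELTA[('s0', i, frozenset({'y', 'w'}))], DELTA[('s0', i, frozenset())] = 's1', 's2'
    for o in (frozenset(), frozenset({'y'})):
        DELTA[('s1', i, o)], DELTA[('s2', i, o | {'w'})] = 's1', 's2'
```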
Performance Measurement: Expected Case Performance
1 Given a controller Cnt over (I, O) and a formula C.
2 Construct a DTMC M_unif(Cnt, C). Steady state analysis of this gives the steady state probability of C holding in Cnt under i.i.d. inputs.
Construction of M_unif(Cnt, C)
1 Compute Cnt × A(C).
2 Assign uniform discrete probabilities to all inputs from any state to get M_unif(Cnt, C).
3 DCSynth provides a facility to export this automaton in MRMC format.
4 We use MRMC to compute the steady state value.
Performance Measurement: Guaranteed Performance
Definition (Must Dominance: Guaranteed Performance)
Given two supervisors S1, S2 and a formula DC over (I, O), the must dominance of S2 over S1 is defined as S1 ≤^DC_dom S2 iff MustInp(S1, DC) ⊆ MustInp(S2, DC), where
MustInp(Si, DC) = {ii ∈ (2^I)^+ | ∀oo ∈ (2^O)^+. ((ii, oo) ∈ L(Si) ⇒ (ii, oo) |= DC)}.
Lemma
For any formulas DA and DC, and horizon H, the following must dominance relations hold:
1 MPHOS1(DA, DC) ≤^DC_dom MPHOS3(DA, DC) ≤^DC_dom MPHOS0(DA, DC)
2 MPHOS2(DA, DC) ≤^DC_dom MPHOS0(DA, DC)
where MPHOSi(DA, DC) denotes the A_MPHOS of Algorithm 7 for the specification Typei(DA, DC).
Experimental Results: Arb(5,3,2) and MP(8,2,6,2)
DCSynth Specification          Synthesis (States/Time)
Controller  Output    MPS           MPHOS          Controller     Expected
type        Ordering  Stats         Stats          Stats          Value
Mine-pump(8, 2, 6, 2)
Type0       -         Unrealizable
Type1       PUMPON    70/0.00045    70/0.00254     21/0.00220     0.0
Type2       PUMPON    1/0.00004     10/0.00545     10/0.00033     0.99805
Type3       PUMPON    70/0.00045    75/0.044216    73/0.00081     0.99805
Arb(5, 3, 2)
Type0       -         Unrealizable
Type1       ArbDef    13/0.00023    13/0.00479     11/0.00705     0.0
Type2       ArbDef    1/0.00001     207/1.86435    201/0.05842    0.993099
Type3       ArbDef    13/0.00021    207/1.89791    201/0.05706
Synthesis from Robustness Specification in DCSynth
Robustness specification = (DA, DC, Rb(A)), where
DA is the assumption formula over I ∪ O,
DC is the commitment formula over I ∪ O,
and I and O are the sets of input and output variables.
(Hard Robustness) is given by Rb(A), the robustness criterion, which is a formula over the propositional variable A.
(Soft Robustness) is given by the soft requirement DC: optimize the satisfaction of DC over the next H moves on random inputs.
Corresponding DCSynth Specification
RbSpec(DA,DC ,Rb(A)) =(I , (O ∪ {A}), ((Rb(A)� Ind(DA,A)) ⇒ DC ), DC )