Exposing Architecture in Hybrid Programs

  • Published on
    08-Jul-2015

  • View
    109

  • Download
    2

Embed Size (px)

DESCRIPTION

The formalism of hybrid programs is a relatively recent development by Platzer et al. (CSD) that allows holistic reasoning about discrete and continuous behavior within the same model. This makes hybrid modeling and verification, supported by tools like KeYmaera, an attractive method for analyzing cyber-physical systems. However, hybrid programs do not operate architectural concepts, making it difficult to relate them between each other and other kinds of CPS models. My talk introduces architectural annotations for hybrid programs that allow engineers to express the otherwise implicit architectural knowledge. This presentation discusses annotation primitives and their interpretation.

Transcript

A Framework for Contract-Based Composition of CPS Analyses

Exposing Architectures inHybrid ProgramsIvan Ruchkin

In collaboration withStefan Mitsch,Jan-David Quesel,Andre Platzer,David Garlan,and othersSSSGNovember 18, 2013OutlineProblem: hidden architectural knowledgeHybrid programs basicsArchitectural AnnotationsApproachCollision avoidance example 2OutlineProblem: hidden architectural knowledgeHybrid programs basicsArchitectural AnnotationsApproachCollision avoidance example 3

Deadlock model

Control modelPhysical model

Hybrid model4

CPS Modeling Ecosystem

???Cyber-Physical System

Deadlock model

Control modelPhysical model

Hybrid model5Architectural Approach to CPS Modeling

This presentationExposing ArchitectureProblem: implicit architectural structures and behavior in hybrid programs. Inconsistencies with other models.Missed opportunities for verification.Goal: create a means to expose architecture in hybrid programs.Benefits: System level: relate to other models, expose architectural inconsistencies, raise level of abstraction for design. Hybrid program level: generate templates, differentiate models, support verification (additional properties, refinement). 6OutlineProblem: hidden architectural knowledgeHybrid programs basicsArchitectural AnnotationsApproachCollision avoidance example 7Hybrid Programs and Dynamic LogicHybrid systems are systems that exhibit discrete and continuous behavior.

Hybrid programs (HP) are models for hybrid systems.8

HP-Robot: ( (?X; a:= A) ++ (a:=-b); {v' = a, x' = v, v >= 0})*Accelerate

v' = ax' = vv >= 0Brake

v' = ax ' = vv >= 0a:= Aa:= -bXXHybrid Program Operationsa := Xdeterministic assignmenta := *non-deterministic assignmentif (P) conditional branching then X else YX ++ Y non-deterministic choiceX; Ysequential compositionX*non-deterministic repetition{a' = X, b' = Y, }continuous evolution

9Differential Dynamic LogicConsists of:FOL over real arithmetic (, , ^, , , ).Modalities over HP:[HP] P: after all runs of HP, P holds. P: exists at least one run of HP, after which P holds.Express properties over HP: E.g., (X x < wall 50) [HP-Robot] (x < wall)Canonical form: Pre [HP] (Prop)Use a hybrid prover (KeYmaera) to prove properties.Summary: a convenient formal logic to express hybrid system models and their properties.

10OutlineProblem: hidden architectural knowledgeHybrid programs basicsArchitectural AnnotationsApproachCollision avoidance example 11Hidden Architecture in Hybrid ProgramsWhat are the components of the system?E.g., a car and a wall.How do the components interact?E.g., sense each other or interact through forces.What assumptions do components make of each other and the environment?E.g., max speed of obstacles or immediate position sensing. 12Exposing Architecture13

Component: robotComponent: obstacleConnector: robot senses obstacle immediately and preciselyRobots property: control algorithmObstacles property: control algorithmRobots property: physicsSolution: annotationsApproach for AnnotationsFor each model operator, unambiguously determine its architectural interpretation if any. Allow automatic generation of architectural descriptions for hybrid programs.Allow flexibility for the model designer to express architectureRedundancy is acceptable.14Example: robot collision avoidance15RobotObstacle A robot and an obstacle move in a one-dimensional space. The robot periodically senses the surrounding and may decide to accelerate or brake. The robot knows the bounds and senses the obstacles location. The obstacle is assumed to have maximum speed.

Safety property: robot does not collide with the obstacle or the bounds.Example: model structure16Constants declarationsVariables declarationsPreconditions->[(robot control; obstacle control; {differential equations})*](Property)

Example: constants17\functions{ //a.k.a. constantsR b; /* minimum braking power */R A; /* maximum acceleration */R ep; /* time limit for control decisions */ R V; /* maximum obstacle velocity */R xbmin;/* minimum bound */R xbmax;/* maximum bound */}

Example: constants18\functions{ //a.k.a. constants@component(robot) (R b; /* minimum braking power */R A; /* maximum acceleration */R ep; /* time limit for control decisions */ )

@component(obstacle) (R V; /* maximum obstacle velocity */)

@component(global) (R xbmin;/* minimum bound */R xbmax;/* maximum bound */)}Example: variables19\programVariables {R xr;/* robot position */R vr; /* robot velocity */R ar; /* robot acceleration */R or;/* robot orientation (1=in direction of space, -1=opposite) */R xo;/* obstacle position */R vo;/* obstacle velocity */R oo;/* obstacle orientation */R t;/* time */}Example: variables20\programVariables {@component(robot) (R xr;/* robot position */R vr; /* robot velocity */R ar; /* robot acceleration */R or;/* robot orientation (1=in direction of space, -1=opposite) */)@component(obstacle) (R xo;/* obstacle position */R vo;/* obstacle velocity */R oo;/* obstacle orientation */)@component(global) (R t;/* time */)}Example: robot control21\programVariables {// preconditions: robot is inside the bounds, obstacle is far enough away, sensing period and other constants are positive -> \[((ar := -b)/* braking is allowed */++ (? pred1 /* far enough from maximum bound of navigation space */& pred2/* far enough from minimum bound of navigation space */& pred3 ; /* far enough from the obstacle*/ar := *;?-b