Sidestepping verification complexity with supervisory control

1
Sidestepping verification complexity with
supervisory control
Ugo Buy Department of Computer Science Houshang
Darabi Department of Mechanical and Industrial
Engineering University of Illinois at Chicago
2
Outline

• Background
• P-invariant-based mutex enforcement
• Net unfolding
• Assessment

3
Acknowledgements

• Panos Antsaklis, Michael Lemmon, Univ. of Notre
  Dame
• Starthis Corporation, Rosemont, Illinois
• NIST/ATP program
• Graduate students Bharat Sundararaman and Vikram
  Venepally

4
Background

• Supervisory control methods for discrete event
  systems (DES)
• Enforcing concurrency and real-time properties of
  embedded systems
• Model DES with Finite Automata (FA) or Petri nets
• Add controller that enforces desired properties
  to system model
• Supervisory control vs. verification
• Potential benefits of supervisory control
• Likely obstacles to widespread applicability

5
Definitions

• Discrete Event System (DES) is characterized by
• Discrete state set
• Event-driven state transitions
• Supervisory controller of a DES
• Given controlled system (a DES) and correctness
  property,
• supervisor restricts DES behaviors in such a way
  that combined system will satisfy the property
• Observable and controllable events

6
Why Supervisory Control?

• Some SC methods for DES are much more tractable
  than verification algorithms
• Promising methods
• P-invariant-based supervisors (mutex properties)
• Unfolding of Petri nets (deadlock, RT deadlines)
• Caveat
• System must be sufficiently observable,
  controllable to permit supervisor definition

7
Why Petri nets?

• Support tractable supervisory control algorithms
• P-invariants and net unfoldings
• Automata-based supervisors usually intractable
• Widely used in some embedded applications
• Sequential Function Charts (SFCs) widely used in
  manufacturing applications
• Part of IEC 61131 standard
• Supported by Matlab, RSLogix 5000

8
Petri nets

• Ordinary Petri net Bipartite, directed graph
• N(P,T,F,m0)
• With node sets P and T,
• arc set F, and
• initial marking m0
• Supervisory control problem Given controlled net
  N and property P, generate subnet S (supervisor)
  that restricts N behaviors to satisfy P

9
Enforcing Mutex Constraints

• Exploit property of Petri net P-invariants
• Place subset such that weighted sum of tokens in
  subset is constant in all reachable net markings
• Computed by finding integer solutions x to
  invariant equation involving incidence matrix D
  of Petri net
• xD 0

10
Examples of P-invariants
p2
P-invariants p1, p4 p2, p5, p7 p1, p2,
p4, p5, p7 (unit coefficients)
p3
p1
t1
t2
p5
p4
t3
p6
p7
t4
t5
11
P-invariant based supervisors

• Method (Yamalidou et al. 96)
• Specify mutex properties as linear inequalities
  on reachable markings of controlled net
• l1,1m1 l1,2m2 l1,3m3 lt b1
• l2,1m1 l2,2m2 l2,3m3 lt b2
• lk,1m1 lk,2m2 lk,3m3 lt bk
• Treat constraints matrix as invariant equation,
  find Petri net (controller) satisfying P-invariant

12
Supervisor synthesis

• Supervisor net defined by simple matrix
  multiplication
• DC L D
• L is matrix of mutex constraints
• D is incidence matrix of controlled net
• Supervisor net will have k places, zero
  transitions
• k is number of mutex constraints
• Supervisor will be maximally permissive

13
Example of supervisor generation

• The readers and writers example without mutex

• Mutex constraints
• p6 p9 p10 lt 1
• p7 p9 p10 lt 1
• p8 p9 p10 lt 1

14
Example (contd)

• The readers and writers example with supervisor

15
Advantages of Mutex Supervisors

• Complexity proportional to D (aka controlled
  system) and L (constraints)
• Overall complexity polynomial for broad class of
  mutex constraints
• Supervisors generated are small (no transitions)
• Maximally permissive supervisors

16
Limitations of Mutex Supervisors

• Cannot guarantee net liveness (e.g., freedom from
  deadlock)
• Open issues
• Integration with other supervisors
• Priorities on mutex enforcement policy
• Empirical evaluation of constraint size

17
Unfolding Petri nets

• Transform net into acyclic net capturing
  repetitive bevahiors of original net
• Unfolding appeal
• Capture causal relationship on transition firing
• Identify choice points
• Identify fundamental execution paths
• History of net unfolding
• McMillan 92, Esparza et al. 02, He and Lemmon 02,
  Semenov and Yakovlev 96 (time Petri nets)

18
Net unfolding Definitions

• Node x in net N precedes node y if there is path
  from x to y in N
• Write xlty
• Node x in conflict with y if N contains paths
  diverging immediately after a place p and leading
  to x and y
• Write xy
• Node x in self-conflict if N contains paths
  diverging immediately after a place p and leading
  to x
• Write xx

19
Unfolding untimed nets

• Given net N, unfolding of N is a net U subject
  such that
• Nodes in U are mapped to nodes in N
• Each place in U has at most one input transition
• Net U is acyclic
• No U node is in self conflict
• Completeness property Every reachable marking
  of N is in U

20
Example of unfolding
p2
p3
p1
t1
t2
The original net
p5
p4
t3
t4
p6
p7
p8
t5
t6
p9
t7
t8
21
Example of unfolding
p2
p1
p3
t2
t1
p4
p6
p5
p5
t3
t4
t3
t4
The unfolded net
p7
p8
p7
p8
t5
t6
t5
t6
p9
p9
p9
p9
t8
t7
p1
p2
p3
p2
22
Applications of unfolding

• Enforcing freedom from deadlock (He and Lemmon
  02)
• Deadlocks detected directly in unfolding
• Eliminate deadlocks by dynamically disabling
  transition that causes deadlock
• Enforcing compliance with real-time deadlines
  (Buy and Darabi 03)
• Latency of transition t upper bound on the delay
  between the firing of t and the time when a
  target transition can be fired

23
A New Programming Paradigm?

• Design/Code concurrent system without paying
  attention to correctness properties
• Submit system description and property
  specification to supervisor generator
• Generator adds supervisor to original system
• Allegedly, a very long shot

24
Future work

• Integration of supervisors for different
  properties
• Refine properties enforced
• System, property specifications