Controller Synthesis for Discrete and Timed Systems

1
Controller Synthesis for Discrete and Timed Systems
  • Stavros Tripakis
  • (joint work with Karine Altisen)

2
Controller Synthesis
Given a controller embedded in a certain environment, and a property, restrict the controller so that the property is satisfied, no matter how the environment behaves.
Properties
  • Invariance: the controller keeps the system inside a set of safe states.
  • Reachability: the controller leads the system to a set of target states.

3
Synthesizing a controller for a rail crossing
[Figure: timed automata for the Train (locations far, near, in; clock x; actions approach!, enter!, exit!), the Gate (locations is_up, is_down; clock y; inputs lower?, raise?; outputs down!, up!) and the Controller (inputs approach?, exit?; outputs lower!, raise!). Train and Gate form the Environment.]
Property: Invariance of (in ⇒ is_down).
4
Scheduling periodic tasks with deadlines
[Figure: timed automata for Task 1 and Task 2 (locations idle, wait, exec, error; periods x1 ∈ [9,11] and x2 ∈ [7,10]; execution times y1 ∈ [2,3] and y2 ∈ [1,2]; guards x1 > 5 and x2 > 4 on the missed! transitions into error; actions ready1!, ready2!, start1?, start2?, end1!, end2!), the Processor (start1!, start2!, end1?, end2?) and the Environment.]
Property: Invariance of ¬error.
  • The synthesized controller corresponds to a scheduler.

5
Controller synthesis for discrete systems
  • Model: finite graph with edges labeled controllable / uncontrollable.
  • Similar to 2-player games.

6
Strategies
  • Strategy: sub-graph containing, for each node, at least one controllable and all uncontrollable successors.

7
Winning strategies (invariance)
  • Invariance of a property P: all nodes of the strategy satisfy P.
[Figure: a winning strategy w.r.t. invariance of P; nodes satisfying ¬P are left out of the strategy.]
8
Winning strategies (reachability)
  • Reachability of a property P: all paths of the strategy eventually reach a node satisfying P.
[Figure: a winning strategy w.r.t. reachability of P.]
9
Computing winning nodes with fix-points
  • contr-pre(S): set of nodes which have at least one controllable successor in S and all uncontrollable successors in S.
  • Invariance of P: gfp X . P ∧ contr-pre(X)
  • Reachability of P: lfp X . P ∨ contr-pre(X)
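The two fix-points above, as an added example in Python (not code from the slides or from Kronos): contr-pre and both iterations on a small constructed game graph. The graph encoding {node: [(kind, target)]} with kinds "c" (controllable) and "u" (uncontrollable) and the node names are assumptions.

```python
# Added example, not from the slides or Kronos: contr-pre and the two fix-points
# of slide 9 on a constructed game graph {node: [(kind, target)]}, kind "c"/"u".

def contr_pre(graph, S):
    """contr-pre(S): nodes with at least one controllable successor in S and
    all uncontrollable successors in S (taken literally, so a node without
    any controllable successor is never included; an assumption here)."""
    result = set()
    for node, edges in graph.items():
        c_succ = {t for kind, t in edges if kind == "c"}
        u_succ = {t for kind, t in edges if kind == "u"}
        if c_succ & S and u_succ <= S:
            result.add(node)
    return result

def winning_invariance(graph, P):
    """gfp X . P and contr-pre(X): start from all nodes and shrink."""
    X = set(graph)
    while True:
        nxt = P & contr_pre(graph, X)
        if nxt == X:
            return X
        X = nxt

def winning_reachability(graph, P):
    """lfp X . P or contr-pre(X): start from the empty set and grow."""
    X = set()
    while True:
        nxt = P | contr_pre(graph, X)
        if nxt == X:
            return X
        X = nxt

# Constructed graph: from b the environment can force "bad"; from c it may
# send the system to d, and d can only loop or return to a, so reaching e
# cannot be forced, while staying out of "bad" can.
GAME = {
    "a":   [("c", "b"), ("c", "c")],
    "b":   [("c", "a"), ("u", "bad")],
    "c":   [("c", "e"), ("u", "d")],
    "d":   [("c", "d"), ("c", "a")],
    "e":   [("c", "e")],
    "bad": [("c", "bad")],
}
SAFE = set(GAME) - {"bad"}

if __name__ == "__main__":
    print(sorted(winning_invariance(GAME, SAFE)))    # ['a', 'c', 'd', 'e']
    print(sorted(winning_reachability(GAME, {"e"})))  # ['e']
```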

10
Computing winning strategies on-the-fly
  • Perform a forward DFS on the graph:
    - nodes/edges are inserted in the strategy during exploration
    - ensure that for each node included in the strategy, all u-succs and at least one c-succ are also in the strategy
    - stop at already visited nodes
    - as soon as the first strategy is found, it is returned
  • For invariance:
    - nodes initially marked maybe, potentially changed to no
    - strategy exists if initial node remains maybe till the end
  • For reachability:
    - nodes initially marked maybe, potentially changed to yes
    - strategy exists if initial node changes to yes at the end
  • Back-tracking may be necessary.
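The DFS just described, as an added example in Python (not code from the slides or from Kronos): an invariance synthesizer that marks nodes maybe/no, inserts all u-succs and the first winning c-succ, stops at visited nodes, and back-tracks by re-checking every node that relied on a node that turned no. The graph encoding {node: [(kind, target)]} with kinds "c"/"u" and the node names are assumptions.

```python
# Added example, not from the slides or Kronos: the on-the-fly DFS of slide 10
# for invariance of P on a graph {node: [(kind, target)]}, kind "c"/"u".
def synthesize_invariance(graph, P, init):
    mark, choice, deps = {}, {}, {}  # "maybe"/"no"; chosen c-succ; who relies on whom
    def winning(t, n):               # explore t on demand; n relies on t staying "maybe"
        if t not in mark:
            explore(t)
        deps[t].add(n)
        return mark[t] == "maybe"
    def pick_controllable(n):        # at least one controllable successor must win
        for kind, t in graph[n]:
            if kind == "c" and winning(t, n):
                choice[n] = t
                return True
        return False
    def explore(n):                  # DFS: n needs P, all u-succs winning, one winning c-succ
        mark[n], deps[n] = "maybe", set()
        ok = n in P and all(winning(t, n) for kind, t in graph[n] if kind == "u")
        if mark[n] == "maybe" and not (ok and pick_controllable(n)):
            kill(n)
    def kill(n):                     # n changes to "no"; back-track into nodes relying on it
        if mark[n] != "no":
            mark[n] = "no"
            for p in list(deps[n]):
                recheck(p)
    def recheck(p):                  # p survives only if its u-succs and a c-choice still win
        if mark[p] == "maybe" and not (
                all(winning(t, p) for kind, t in graph[p] if kind == "u")
                and (mark.get(choice.get(p)) == "maybe" or pick_controllable(p))):
            kill(p)
    explore(init)
    if mark[init] == "no":
        return None                  # no winning strategy from init
    strategy, todo = {}, [init]      # first strategy found: u-succs plus the chosen c-succ
    while todo:
        n = todo.pop()
        if n not in strategy:
            strategy[n] = [t for kind, t in graph[n] if kind == "u"] + [choice[n]]
            todo.extend(strategy[n])
    return strategy

# Constructed graph: s2 relies on s1 while s1 is still being explored; s1 then turns
# "no" (its only c-succ s3 is unsafe), s2 is re-checked and dies, s0 falls back to s4.
BACKTRACK = {
    "s0": [("c", "s1"), ("c", "s4")],
    "s1": [("u", "s2"), ("c", "s3")],
    "s2": [("c", "s1")],
    "s3": [("c", "s3")],
    "s4": [("u", "s5"), ("c", "s4")],
    "s5": [("c", "s4")],
}
SAFE = set(BACKTRACK) - {"s3"}
```

synthesize_invariance(BACKTRACK, SAFE, "s0") returns {"s0": ["s4"], "s4": ["s5", "s4"], "s5": ["s4"]}; starting from "s1" it returns None.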

11
Illustration of on-the-fly algorithm
[Figure: the on-the-fly algorithm run for reachability of P, showing a back-tracking step.]

12
Controller synthesis for timed systems
  • Model: timed automata with discrete transitions labeled controllable / uncontrollable.
  • Additional feature: time transitions.
  • Condition for strategy: if a time transition of duration t is possible from a node in the original graph, then, in the strategy sub-graph,
    - either that time transition of duration t is kept,
    - or a time transition of some duration t' < t is kept.
13
Controller synthesis for timed systems
  • Winning strategies and the contr-pre( ) operator are defined similarly.
  • Winning nodes computed by fix-points.
  • Implemented in Kronos.
  • Problems:
    - costly operations (non-convex polyhedra)
    - algorithm not on-the-fly (unreachable states, etc.)
    - sometimes Zeno controllers
  • Alternative: use the on-the-fly algorithm on the time-abstracting quotient graph.
14
The Time-abstracting Bisimulation
Equivalence ≈ on TA states.
[Figure: if s1 ≈ s2, then a discrete transition s1 --a--> s3 is matched by s2 --a--> s4 with s3 ≈ s4, and a time transition s1 --t1--> s3 is matched by s2 --t2--> s4 with s3 ≈ s4, for some t1, t2 ∈ ℝ.]
Preserve discrete state changes. Abstract exact time delays.
15
The Time-abstracting Quotient Graph
  • The quotient induced by the greatest time-abstracting bisimulation defined on the TA.
  • Finite symbolic graph:
    - Nodes: symbolic states (equivalence classes).
    - Edges: symbolic transitions (discrete and time).
  • Basic property: pre-stability.
[Figure: pre-stability: if some state s1 of class Q1 has an a-transition (or a time transition) to a state s2 of class Q2, then every state of Q1 has such a transition into Q2.]
16
Example of Quotient graph
[Figure: time-abstracting quotient graph of the rail-crossing example; edges are labeled with discrete actions (approach, lower, down, enter, exit, raise, up) or with τ for time transitions.]
17
How to apply the untimed algorithm to the time-abstracting quotient graph
1. Remove all τ edges which can be obtained by reflexive-transitive closure.
2. All remaining τ edges are labeled controllable.
Justification
Case 1: the controller can choose to let time pass or issue a controllable action before moving to the next node.
Case 2: the controller has no choice but to let time pass.
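The two steps above, as an added example in Python (not code from the slides or from Kronos): a constructed quotient-graph fragment with action names from the rail-crossing slides is turned into the controllable/uncontrollable graph the untimed algorithm expects. Treating lower/raise as the controllable actions, the label "tau" for time edges, and the assumption that τ edges are acyclic apart from self-loops are all assumptions of this example.

```python
# Added example, not from the slides or Kronos: steps 1 and 2 of slide 17 on a
# constructed quotient graph. Edges are (source, action, target); time transitions
# carry the label "tau" (assumed acyclic apart from self-loops, as time only advances).
from collections import deque

CONTROLLABLE = {"lower", "raise"}   # the controller's own outputs (slide 3); an assumption

def prepare_quotient_graph(edges, controllable=CONTROLLABLE):
    """Return {node: [(kind, target)]} for the untimed algorithm: kind "c" for
    controllable actions and for the surviving tau edges, "u" otherwise."""
    tau = [(s, t) for s, lab, t in edges if lab == "tau"]

    def tau_reachable(src, dst, skip):
        # Is dst reachable from src by tau edges other than `skip`?
        # (reflexive: src == dst counts, so tau self-loops are redundant)
        seen, todo = {src}, deque([src])
        while todo:
            n = todo.popleft()
            if n == dst:
                return True
            for s, t in tau:
                if s == n and (s, t) != skip and t not in seen:
                    seen.add(t)
                    todo.append(t)
        return False

    graph = {n: [] for s, _, t in edges for n in (s, t)}
    for s, lab, t in edges:
        if lab == "tau":
            if tau_reachable(s, t, skip=(s, t)):
                continue                      # step 1: obtained by reflexive-transitive closure
            graph[s].append(("c", t))         # step 2: remaining tau edges are controllable
        else:
            graph[s].append(("c" if lab in controllable else "u", t))
    return graph

# Constructed fragment of a crossing quotient graph: Q1 -tau-> Q3 is implied by
# Q1 -tau-> Q2 -tau-> Q3, and Q3 -tau-> Q3 is reflexive; both are dropped.
EDGES = [
    ("Q0", "approach", "Q1"),
    ("Q1", "tau", "Q2"), ("Q2", "tau", "Q3"), ("Q1", "tau", "Q3"), ("Q3", "tau", "Q3"),
    ("Q1", "lower", "Q4"), ("Q2", "lower", "Q4"), ("Q3", "enter", "Q5"),
    ("Q4", "down", "Q6"),
]
```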
18
Example of on-the-fly algorithm
[Figure: the on-the-fly algorithm run on the quotient graph of the rail-crossing example from slide 16.]
19
Still
  • Implementation
  • Extend algorithm to more general properties (liveness).
  • Method not fully on-the-fly:
    TA → minimization → Quotient graph → On-the-fly algorithm → Controller
    pre-stability of quotient graph essential for correctness ⇒ cannot use forward reachability graph.
20
Plan
  • Analysis with the Time-abstracting Bisimulation
  • On-the-fly Verification
  • Diagnostics
  • Controller Synthesis
  • Implementation
  • Case studies
  • Conclusions and Perspectives

21
Verification on the Quotient graph: Linear-time Analysis with Time-abstracting Bisimulations
Every cycle in the quotient graph contains an infinite run and vice versa.
[Figure: a cycle Q1 → Q2 → Q3 → Q4 in the quotient graph and a corresponding infinite run starting from s1.]
22
Verification on the Quotient graph: Branching-time Analysis with Time-abstracting Bisimulations
If s1 ≈ s2, then for any TCTL formula φ, s1 satisfies φ iff s2 satisfies φ.
Due to determinism of time.
23
Plan (repeated; next section: Controller Synthesis)

24
Controller Synthesis
  • Untimed case
    - Model: graph with edges labeled controllable (c) / uncontrollable (u).
    - Semantics: strategy = sub-graph containing, for each node, at least one controllable and all uncontrollable successors.
25
Controller Synthesis using Fix-points
  • controllable-predecessor operator contr-pre(Q): all states from which the system can be led to Q, no matter how the environment behaves.
  • compute winning states as fix-points of contr-pre( ).
  • obtain controller: intersect TA with winning states.
  • method costly (complementation in contr-pre( ), fix-point computes maximal strategy).

26
On-the-fly Controller Synthesis
  • on-the-fly algorithm for the untimed case:
    - a DFS is used to find a strategy
    - the algorithm stops as soon as the first strategy is found
  • the untimed algorithm can be used for timed synthesis, too.

27
Plan (repeated; next section: Implementation)

28
Implementation in Kronos
[Figure: tool architecture. Inputs: TA (with an initial partition) and properties given as TCTL formulas or TBA; (on-the-fly) parallel composition of TA; generation of the quotient graph; outputs: Yes/No with diagnostics, and a restricted TA (controller). The quotient graph is passed to Aldebaran for reduction/comparison, model checking and simulation/visualization.]
29
Connection of Kronos to Open-Caesar
[Figure: input model → code generation → interface to Open-Caesar; the simulation graph is checked against µ-calculus formulas, regular expressions and state formulas, giving Yes/No answers with untimed diagnostics. Kronos itself provides reachability with timed diagnostics and TBA model checking (profounder).]
30
Plan (repeated; next section: Case studies)

31
Case Studies
  • FRP/DT protocol (project with CNET, Lannion)
    - found inconsistency error (known to designers)
  • Multimedia documents (from INRIA project OPERA)
    - modeled documents as Timed Automata
    - checked executability (model checking)
    - computed schedulers (controller synthesis)
  • Bang & Olufsen protocol (from previous case study by Uppaal)
    - found error not reported in Uppaal case study
  • Benchmarks: STARI chip, Fischer's protocol, CSMA/CD protocol, FDDI protocol, Philips protocol

32
Experiences: performance
  • improved performance in benchmarks, often by many orders of magnitude.
  • tools and techniques able to handle real-world case studies:
    - Bang & Olufsen: 30 discrete variables, large constants; simulation graph of 10^7 symbolic states, 15 mins, 300 MB; counter-example 1500 steps long, 20 secs
    - STARI: 30 clocks, 60 boolean variables
  • often the bottleneck is the discrete state space

33
Experiences: comparison of methods
Techniques are complementary.

Case study            Quotient graph                      Simulation graph
                      nodes     edges     time (secs)     nodes     edges     time (secs)
Fischer               22,085    122,804   1,000           164,935   457,799   1,060
Real-time scheduling  929       1,503     70              10,839    22,382    150
Philips               503       1,001     3               194       488       1
CSMA/CD               481       875       1               60        96        1
34
Conclusions
Practicality is not measured only in seconds and megabytes.
  • Expressive models
    - discrete variables (Kronos-open)
    - different property-specification formalisms (TBA, TCTL)
  • Variety
    - of problems (model checking, controller synthesis)
    - of techniques (on-the-fly, using untimed tools)
    - of feedback (symbolic/timed diagnostics, controllers)
  • Case studies: source of inspiration.

35
Perspectives
  • Controller synthesis
    - more properties (e.g., liveness)
    - more efficient techniques (e.g., completely on-the-fly)
  • Performance
    - homogeneous representation of discrete and continuous state space (e.g., BDDs and polyhedra)
    - adaptation/combination with untimed techniques reducing interleavings (e.g., partial orders)
  • Methodology for correct and efficient modeling
    - domain-specific guidelines
    - composition theory