Hybrid Input/Output Automata: Theory and Applications
Nancy Lynch, MIT. Mathematical Foundations of Programming Semantics, Montreal, Canada, March 20, 2003.
Joint work with Roberto Segala (U. Verona), Frits Vaandrager (U. Nijmegen), Carl Livadas, Sayan Mitra, Eric Feron, Yong Wang, …
Hybrid Systems
(Diagram: Plant, Actuator, Sensor, Controller)
• Continuous, real-world components + discrete, computer components
• Examples:
  • Automated transportation systems
  • Robots
  • Embedded systems
  • Mobile computing systems
• Complex
• Strong safety, performance requirements
• Formal models needed for design and analysis.
The HIOA Model [Lynch, Segala, Vaandrager 01, 03]
• General, mathematical modeling framework.
• State machines with discrete transitions and trajectories.
• Model plants, controllers, sensors, actuators, software, communication services, human operators, …
• Support for decomposing hybrid system descriptions:
  • External behavior: Models discrete and continuous interaction of component with its environment.
  • Composition: Synchronizes external actions, external “flows”.
  • Levels of abstraction, implementation.
• Can incorporate analysis methods from:
  • CS: Invariants, simulation relations, compositional methods.
  • Control theory: Invariant sets, stability analysis, robust control.
Applications
• Automated transportation systems:
  • Simple vehicle maneuvers [Weinberg, Lynch 96]
  • People-mover (Raytheon) [Livadas, Lynch, Weinberg, De Lisle 96] [Livadas, Lynch 98]
  • PATH automated highway system [Branicky, Dolginova, Lynch 97] [Dolginova, Lynch 97] [Lygeros, Lynch 98]
• Aircraft control:
  • TCAS [Livadas, Lygeros, Lynch 99]
  • Quanser helicopter system [Mitra, Wang, Feron, Lynch 02, 03]
• Spacecraft:
  • ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03]
• Robotics:
  • Lego cars [Fehnker, Vaandrager, Zhang 02]
• Algorithms for ad hoc mobile networks:
  • Routing [Mitra]
Other kinds of I/O Automata Models
• Basic I/O Automata [Lynch, Tuttle 87]
  • States, start states, actions, transitions, tasks
  • Used for asynchronous distributed algorithms
• Timed I/O Automata [Lynch, Vaandrager 91]
  • Add time-passage transitions
  • Used for timing-based distributed algorithms
    • Local clocks, clock synchronization.
    • Timing/performance analysis.
• Hybrid I/O Automata, v.1 [Lynch, Segala, Vaandrager, Weinberg 96]
  • Add explicit trajectories
• Probabilistic I/O Automata [Segala 95]
  • Add probabilistic transitions
  • Used for randomized distributed algorithms
    • Security protocols
All the IOA models
(Diagram: IOA, TIOA, PIOA, HIOA, PTIOA, PHIOA)
Talk Outline
• Introduction
• I/O Automata and Timed I/O Automata
• Hybrid I/O Automata definitions and results
• HIOA applications
• HIOA future work
• Timed IOA, revisited
• Probabilistic IOA, revisited
• Conclusions
I/O Automata and Timed I/O Automata
Basic I/O Automata
• Infinite-state, nondeterministic automaton models.
  • States, transitions
• Describe system modularity:
  • Parallel composition of interacting components.
  • Levels of abstraction.
I/O Automata
• Static description:
  • Actions: input, output, internal
  • States, start states
  • Transitions (q, a, q'), input-enabled
• Dynamic description:
  • Execution: q0 a1 q1 a2 q2 …
  • Trace: Project on external actions; externally visible behavior.
  • A implements B: traces(A) ⊆ traces(B).
• Operations for building automata:
  • Parallel composition, identifying inputs and outputs.
  • Action hiding.
• Reasoning methods:
  • Invariant assertions: Property holds in all reachable states.
  • Simulation relations: Imply one automaton implements another.
    • Prove using induction on length of execution.
  • Compositional methods
Reliable FIFO Channel Model
(Diagram: Channel(M), with input send(m) and output receive(m))
• Signature:
  • Inputs: send(m), m in M
  • Outputs: receive(m), m in M
• States:
  • queue, a finite sequence of elements of M, initially empty
• Transitions:
  • send(m)
    Effect: Add m to end of queue
  • receive(m)
    Precondition: m is first on queue
    Effect: remove first element of queue
Example Applications
• Basic distributed algorithms:
  • Resource allocation, consensus, atomic objects, concurrency control, group communication, …
• Distributed systems:
  • Orca distributed shared memory system [Fekete, Kaashoek, Lynch]
  • Transis, Ensemble group communication systems [Hickey, Lynch, van Renesse]
• Algorithms for dynamic networks:
  • Reconfigurable atomic memory [Lynch, Shvartsman 02] [Gilbert, Lynch, Shvartsman 03] [Musial, Shvartsman 03] [Dolev, Gilbert, Lynch, Shvartsman, Welch]
Group Communication [Fekete, Lynch, Shvartsman]
(Diagram: TO-Bcast and GCS services)
• We define automata modeling:
  • Totally ordered reliable broadcast service
  • Group communication service
  • Algorithm (based on [Keidar, Dolev])
• Prove that the composition of the algorithm and GCS automata implements TO-Broadcast.
• Proofs checked using PVS theorem-prover [Archer]
IOA Language + Toolset [Garland, Lynch]
• Formally-defined programming/modeling language for describing and analyzing systems modeled as I/O automata.
• Current tools:
  • Simulator, including levels of abstraction
  • Connection with Daikon invariant detector [Ernst]
  • Connection to Larch, Isabelle/HOL theorem-provers
    • Support inductive proofs of invariants and simulation relations
• In progress:
  • Automatic distributed code generator
Timed I/O Automata
• Add time-passage actions, pass(t)
• Example: FIFO channel that delivers messages within time d.
  • send(m)
    Effect: Add (m, now + d) to end of queue
  • receive(m)
    Precondition: (m, u) is first on queue (for some u)
    Effect: remove first element of queue
  • pass(t)
    Precondition: for all (m, u) in queue, now + t ≤ u
    Effect: now := now + t
• Can use standard automaton-based reasoning methods:
  • Invariant: If (m, u) in queue, then now ≤ u ≤ now + d.
  • Inductive proofs.
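Added example, not from the slides: the timed FIFO channel above as an executable Timed I/O automaton in Python, with each action's precondition and effect, and the slide's invariant checked after every step. It assumes messages are strings and uses a constructed driver `run` to play a sequence of actions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class TimedChannel:
    """Timed I/O automaton for the FIFO channel with delivery bound d.
    State: now (current time) and queue of (message, deadline) pairs."""
    d: float
    now: float = 0.0
    queue: List[Tuple[str, float]] = field(default_factory=list)

    # Input action send(m): input-enabled, so it has no precondition.
    def send(self, m: str) -> None:
        self.queue.append((m, self.now + self.d))

    # Output action receive(m): precondition is that (m, u) heads the queue.
    def can_receive(self, m: str) -> bool:
        return bool(self.queue) and self.queue[0][0] == m

    def receive(self, m: str) -> None:
        assert self.can_receive(m), "receive(m) not enabled"
        self.queue.pop(0)

    # Time-passage pass(t): precondition now + t <= u for every (m, u) in queue,
    # so time cannot advance past a pending deadline; delivery is forced first.
    def can_pass(self, t: float) -> bool:
        return t >= 0 and all(self.now + t <= u for _, u in self.queue)

    def pass_time(self, t: float) -> None:
        assert self.can_pass(t), "pass(t) not enabled: a deadline would be missed"
        self.now += t

    def invariant(self) -> bool:
        # Slide invariant: if (m, u) in queue then now <= u <= now + d.
        return all(self.now <= u <= self.now + self.d for _, u in self.queue)

def run(d: float, steps: List[Tuple[str, object]]):
    """Constructed driver: apply (action, argument) steps in order, checking
    the invariant after each. Returns (channel, deliveries), where deliveries
    records (message, time received)."""
    ch, delivered = TimedChannel(d), []
    for action, arg in steps:
        if action == "send":
            ch.send(arg)
        elif action == "receive":
            ch.receive(arg)
            delivered.append((arg, ch.now))
        elif action == "pass":
            ch.pass_time(arg)
        assert ch.invariant(), "invariant violated"
    return ch, delivered
```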
Applications
• Distributed algorithms:
  • Resource allocation, consensus, …
• Timeout-based communication protocols:
  • TCP [Smith]
  • Reliable multicast [Livadas]
• Performance (latency) analysis:
  • Group communication systems: [Fekete, Lynch, Shvartsman], [Khazan, Keidar 00, 02]
  • Reconfigurable atomic memory [Lynch, Shvartsman 02]
  • Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]
  • Peer-to-peer network maintenance and routing [Lynch, Stoica 03]
• Hybrid systems challenge problems:
  • RR crossing
  • Steam boiler controller
Describing Hybrid Behavior
• Variable v
  • Static type, type(v)
  • Dynamic type, dtype(v): Allowed “trajectories” for v
    • Functions from time intervals to type(v).
    • Closed under time shift, subinterval, countable pasting.
    • Examples: Pasting closure of constant functions, continuous functions, differentiable functions, integrable functions
• Valuation for V:
  • Assigns value in type(v) to each v in V.
Describing Hybrid Behavior
• Trajectory
  • Models evolution of variables over a time interval.
  • I-trajectory for V: Maps I to valuations for V; restriction to each v is in dtype(v).
• Hybrid sequence
  • Models a series of discrete and continuous changes.
  • τ0 a1 τ1 a2 τ2 …, alternating sequence of trajectories and actions.
Hybrid I/O Automaton
(Diagram: input actions I, output actions O, internal actions H; input variables U, output variables Y, internal variables X)
• U, Y, X: Input, output, and internal (state) variables
• Q: States, a set of valuations of X
• Θ: Start states
• I, O, H: Input, output, and internal actions
• D ⊆ Q × (I ∪ O ∪ H) × Q: Discrete transitions
• T: Trajectories for (U ∪ Y ∪ X) in which the valuations of X are in Q.
Basic Trajectory Axioms
• Set T of trajectories is closed under:
  • Prefix
  • Suffix
  • Countable concatenation
Input-Enabling Axioms
• Input action enabling:
  • For every state q and every input action a, there is some discrete transition (q, a, q').
• Input trajectory enabling:
  • For every state q and every input trajectory, there is some trajectory that starts with q, and either:
    • Spans the whole input trajectory, or
    • Spans a prefix of the input trajectory, after which some locally-controlled action is enabled.
Executions and Traces
• Execution fragment:
  • Hybrid sequence τ0 a1 τ1 a2 τ2 …, where:
    • Each τi is a trajectory of the automaton and
    • Each (τi.lstate, ai, τi+1.fstate) is a discrete step.
• Execution:
  • Execution fragment beginning in a start state.
• Trace:
  • Restrict to external actions and external variables.
• A implements B if they have the same external interface and traces(A) ⊆ traces(B).
Notation for specifying trajectories
• Differential and algebraic equations and inclusions.
• Trajectory τ satisfies algebraic equation v = e if the constraints on the variables expressed by this equation hold in every state of τ.
• Trajectory τ satisfies differential equation d(v) = e if for every t in the domain of τ, v(t) = v(0) + ∫₀ᵗ e(t') dt'
• Algebraic/differential inclusions are handled similarly.
Example: Vehicle HIOA
(Diagram: Vehicle, with input variable acc-in, output variable vel-out, internal variables acc, vel)
• Follows suggested acceleration to within ε.
• Outputs actual velocity.
• U: acc-in; Y: vel-out; X: acc, vel
• Q: all valuations of X
• Θ: acc = vel = 0
• I, O, H, D: empty
• Trajectories:
  • acc(t) ∈ [acc-in(t) - ε, acc-in(t) + ε], for t > 0
  • d(vel) = acc
  • vel-out = vel
Example: Controller HIOA
(Diagram: Controller, with input variable vel-out, output variable acc-in, internal variables vel-sensed, acc-suggested, clock)
• Monitors velocity, suggests acceleration every time d.
• Tries to ensure velocity does not exceed pre-specified vmax.
• U: vel-out; Y: acc-in; X: vel-sensed, acc-suggested, clock
• Θ: all 0
• H: suggest
• Discrete steps:
  • clock = d, clock' = 0,
  • vel-sensed unchanged
  • vel-sensed + (acc-suggested' + ε) d ≤ vmax
• Trajectories:
  • vel-sensed(t) = vel-out(t), for t > 0
  • acc-suggested unchanged
  • d(clock) = 1
  • acc-in = acc-suggested
  • stops when clock = d
Composition A = A1 || A2
• Assume A1 and A2 are compatible (no common outputs, internal actions/variables are private).
• Obtain A = A1 || A2 by matching external actions, variables:
  • Y = Y1 ∪ Y2; X = X1 ∪ X2; U = (U1 ∪ U2) - (Y1 ∪ Y2)
  • O = O1 ∪ O2; H = H1 ∪ H2; I = (I1 ∪ I2) - (O1 ∪ O2)
  • States Q: Projections in Q1, Q2
  • Start states Θ: Projections in Θ1, Θ2
  • Discrete steps D: Projections in D1, D2
  • Trajectories T: Projections in T1, T2
• Technicality: Composition need not satisfy input flow enabling. Assume “strong compatibility”; holds in many interesting special cases. Ignore in this talk.
Composition Theorems
• Projection/pasting theorem:
  • If A = A1 || A2 then traces(A) is the set of hybrid sequences (of the right type) whose restrictions to A1 and A2 are traces of A1 and A2, respectively.
• Substitutivity theorem:
  • If A1 implements A2 and both are compatible with B, then A1 || B implements A2 || B.
Example: Vehicle and Controller
(Diagram: Vehicle || Controller, with vel-out feeding vel-sensed and acc-in feeding acc)
• Vehicle || Controller:
  • Invariant of Vehicle || Controller: vel ≤ vmax.
  • Prove using induction.
  • Uses auxiliary invariants, most importantly: vel + (acc-suggested + ε) (d – clock) ≤ vmax
Invariants for HIOAs
• Example: vel + (acc-suggested + ε) (d – clock) ≤ vmax
• Prove by induction on structure of executions:
  • True in initial states
  • Preserved by discrete steps
    • Uses standard algebraic reasoning.
  • Preserved by closed trajectories
    • Uses results about continuous functions.
• Manual proof, could support with theorem-prover.
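Added example, not from the slides: an executable version of Vehicle || Controller (the two HIOAs defined above) that alternates closed trajectories with the controller's suggest step and checks both the safety invariant vel ≤ vmax and the auxiliary invariant in every sampled state. The values of ε, d and vmax are assumptions chosen for the example; a `slack` parameter also lets the controller ignore ε, which shows why the auxiliary invariant needs that term.

```python
from fractions import Fraction as F
from dataclasses import dataclass

# Assumed concrete values; the slides keep epsilon, d and vmax symbolic.
EPS = F(1, 10)   # vehicle tracks the suggested acceleration to within EPS
D = F(1)         # controller period d
VMAX = F(10)     # velocity bound to enforce

@dataclass(frozen=True)
class State:
    """State of Vehicle || Controller. The shared variables are
    acc-in = acc-suggested and vel-out = vel = vel-sensed."""
    vel: F
    acc_sugg: F
    clock: F

def safe(s: State) -> bool:
    return s.vel <= VMAX                                  # vel <= vmax

def aux_inv(s: State) -> bool:
    return s.vel + (s.acc_sugg + EPS) * (D - s.clock) <= VMAX

def suggest(s: State, slack: F = EPS) -> State:
    """Controller's internal action, enabled only when clock = d. With
    slack = EPS it picks the largest acc' satisfying the precondition
    vel-sensed + (acc' + EPS) d <= vmax; slack = 0 models a controller
    that ignores the vehicle's tolerance and violates that precondition."""
    assert s.clock == D, "suggest is not enabled"
    return State(s.vel, (VMAX - s.vel) / D - slack, F(0))

def trajectory(s: State, h: F):
    """Closed trajectory from s until the stopping condition clock = d,
    sampled every h. The vehicle may pick any acc in [acc-in - EPS, acc-in + EPS];
    we take the worst case acc-in + EPS, so vel is linear and samples are exact."""
    acc = s.acc_sugg + EPS
    out = [s]
    while s.clock < D:
        step = min(h, D - s.clock)
        s = State(s.vel + acc * step, s.acc_sugg, s.clock + step)
        out.append(s)
    return out

def run(periods: int, slack: F = EPS, h: F = F(1, 4)):
    """Alternate trajectories and suggest steps from the start state
    (acc = vel = 0, clock = 0), checking both invariants in every sampled
    state. Returns (all_invariants_held, final_state)."""
    s = State(F(0), F(0), F(0))
    ok = safe(s) and aux_inv(s)
    for _ in range(periods):
        for s in trajectory(s, h):
            ok = ok and safe(s) and aux_inv(s)
        s = suggest(s, slack)
        ok = ok and safe(s) and aux_inv(s)
    return ok, s
```

With the slide's controller the worst-case vehicle drives vel exactly to vmax and no further; with `slack = 0` the auxiliary invariant fails at the first suggest step and vel overshoots vmax one period later.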
Hiding
• ActHide(E, A) reclassifies external actions in E as internal.
• VarHide(W, A) removes the external variables in W, but retains their induced constraints on the trajectories.
Example: Hiding
(Diagram: Vehicle || Controller with acc-in hidden)
• Hide the acc-in variable, which is used for communication between the components: A = VarHide(acc-in, Vehicle || Controller)
• The only remaining external variable is vel-out.
• Prove correctness of A by showing that it implements an abstract specification HIOA Vspec, which expresses just the constraint vel-out ≤ vmax.
• Show using simulation relation.
Simulation Relation R from A to B
• Relation from states(A) to states(B) satisfying:
  • Every start state of A is related to some start state of B.
  • If x R y and α is a discrete step of A starting with x, then there is an execution fragment α' starting with y such that trace(α') = trace(α), and α.lstate R α'.lstate.
  • If x R y and α is a closed trajectory of A starting with x, then there is …
(Diagram: x related by R to y; α.lstate related by R to α'.lstate)
Simulation Relation
• Theorem: If there is a simulation relation from A to B then A implements B (inclusion of trace sets).
• Proved by induction on structure of execution:
  • Initial states
  • Discrete steps
  • Closed trajectories
• Example:
  • Vehicle(ε1) implements Vehicle(ε2), if ε1 ≤ ε2
  • Show using simulation relation: Identity mapping
Allowing Time to Pass
• HIOA should provide some response from any state, for any sequence of input actions and input trajectories.
  • Should not “block the passage of time”.
• Definition: An HIOA is progressive if it has no execution fragment in which it generates infinitely many non-input actions in finite time.
• Theorem: A progressive HIOA A can accommodate any input from any state: For each state x and each (I,U)-sequence β, there is an execution fragment α from x such that the restriction of α to (I,U) is β.
• Theorem: Composition of progressive HIOAs is progressive.
Receptive HIOAs
• But progressiveness isn’t quite enough:
  • E.g., HIOAs involving only upper bounds on timing are not progressive.
• Definition: A strategy for an HIOA A is an HIOA that is the same as A except that it restricts the sets of discrete steps and trajectories.
• Definition: HIOA is receptive if it has a progressive strategy.
• Theorem: A receptive HIOA can accommodate any input from any state.
• Theorem: If A1 and A2 are compatible receptive HIOAs with progressive strategies B1 and B2, then A1 || A2 is receptive with progressive strategy B1 || B2.
Applications
• Automated transportation systems:
  • Simple vehicle maneuvers [Weinberg, Lynch 96]
  • People-mover (Raytheon) [Livadas, Lynch, Weinberg, De Lisle 96] [Livadas, Lynch 98]
  • PATH automated highway system [Branicky, Dolginova, Lynch 97] [Dolginova, Lynch 97] [Lygeros, Lynch 98]
• Aircraft control:
  • TCAS [Livadas, Lygeros, Lynch 99]
  • Quanser helicopter system [Mitra, Wang, Feron, Lynch 02, 03]
• Spacecraft:
  • ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03]
• Robotics:
  • Lego car [Fehnker, Vaandrager, Zhang 02]
• Algorithms for ad hoc mobile networks:
  • Routing [Mitra]
TCAS [Livadas, Lygeros, Lynch 99]
• On-board aircraft collision avoidance system.
• Aircraft can detect the presence of nearby aircraft.
• For two aircraft: TCAS tries to tell one aircraft to climb and the other to descend.
• Conducts communication protocol to break the symmetry.
• Decision based on combination of altitudes, transponder numbers, and timing of messages.
• Correct operation is not obvious; validation carried out via extensive simulations (Lincoln Labs).
TCAS System Components
(Diagram: two Aircraft, each with a Sensor, Pilot, Conflict detector and Conflict resolver, communicating over a Channel)
TCAS Model and Analysis
• We modeled all components using HIOAs.
• Proved that, for two planes, and under reasonable assumptions about speeds and accelerations, the planes remain sufficiently far apart.
Quanser Model Helicopter System [Mitra, Wang, Feron, Lynch 02, 03]
• 3 degrees-of-freedom models, manufactured by Quanser
• User controllers not necessarily safe, can crash the helicopter on the table.
• Supervisory pitch controller needed to ensure safety.
• Must contend with:
  • Sensor inaccuracies
  • Actuator delay
  • Limited sampling frequency
Helicopter Models and Analysis
• We developed HIOA models for all system components: Plant, Sensor, Actuator, User Controller, Supervisor
  • Including realistic dynamics, delays, inaccuracies.
• Used the models to help design a safe supervisory controller.
Discrete Communication Among Components
(Diagram: sample, control, command and dequeue actions among usrCtrl, sensor, plant, supervisor and actuator; actuator delay tact)
Executions in the User and Supervisor modes
(Diagram: cannot jump from U to outside of R in a single step; recovery phase: switch to supervisor, settling phase, return to user mode)
Quanser Helicopter
• Controller has been implemented
• We proved correctness (manually)
  • Using induction
  • Each inductive step involves either discrete or continuous reasoning.
  • Continuous reasoning uses Lyapunov stability argument.
• Developed candidate language constructs for specifying trajectories of HIOAs
  • Algebraic and differential equation notation
  • Unchanged, invariants, stopping conditions
  • State models and activities
Lego Car [Fehnker, Vaandrager, Zhang 02]
• Lego car, consisting of:
  • A Chassis
  • Two Caterpillar Treads, one on each side
    • Move backwards or forwards, independently, at constant speed.
  • Two sensors, one on each side
    • See if the ground is black or white.
  • RCX programmable control brick
    • Reads sensors periodically.
    • Controls direction of motion of both treads.
• Goal: Car should follow a straight black tape.
• Algorithm: If a sensor sees black, then tell the caterpillar tread on the opposite side to go forward. If white, go backward.
Lego Car
(Diagram: Chassis with two Caterpillar treads (forward, backward), two Sensors (black, white) and the RCX brick)
Lego Car
• Modeled all components using HIOA
• Safety: In all reachable states, at least one tread goes forward.
  • Proofs, using induction.
• Liveness: In infinitely many sample intervals, both treads go forward (following the black tape).
  • Proofs, ad hoc.
• Results verified by experiments.