Towards component based design of hybrid systems
W. Damm¹, H. Dierks³, J. Oehlerking⁴, A. Pnueli²
Structure of Presentation
• Motivation and Industrial Context
• Hybrid Interface Specifications
• Component Based Design of Hybrid Systems: Assuring Safety and Stability
• Conclusion
This presentation is based on a publication which will appear in the LNCS memorial volume dedicated to Amir Pnueli.
Autosar Approach
• Answers the requirement to decouple growth in the number of functions from growth in the number of ECUs:
• SW components of different functions can be allocated to one ECU
• Allows SW components of one function to be distributed over multiple ECUs (to optimize the overall architecture)
• Components can correspond to different modes or subsystems of hybrid controllers
• Induces distributed execution
• Mode switching can cause task switching
Towards component based design of hybrid controllers
Can we propose a component model for hybrid controllers …
• … supporting re-use of components in multiple application contexts? Characterizing stability and safety properties in specified environments through hybrid interface specifications
• … supporting incremental construction of hybrid controllers: from a library of controller models, by composing controllers through transition composition, with automatic verification of the hybrid interface specification of the composed system from the interface specifications of its subsystems
• … allowing us to bridge the gap between specification and design: specification models with idealized time behaviour, versus a distributed implementation with induced impurities such as latencies in mode switching
Requirements on Hybrid Interface Specifications
• Characterize the plant regions for which safety and stability are guaranteed
• Support compositional reasoning for safety and stability
• Support the transition from specification models to design
• Specification models: focus on nominal behaviour; assume instantaneous observability and controllability of the plant
• Design models: control laws become tasks, so activation/suspension of components must be supported; exception handling addressing anticipated risks or failures must be provided; task-switching latencies must be catered for
The inner envelope design paradigm
Consider a safety property safe given as a conjunction of linear constraints. We identify an inner envelope safe₀ with the following properties:
• any only slightly perturbed trajectory originating in safe₀ stays there forever
• whenever a sampled trajectory leaves safe₀, there is a time window of guaranteed minimal length before safe is violated, when extrapolating the current dynamics and even taking into account the specified worst-case dynamics for unmodelled disturbances
… and how we apply it
Choose as entry condition an inner envelope safe₀ of safe such that all slightly disturbed trajectories originating in it converge, within the specified bound, to stable₀, the inner envelope of the region of stability stable (constructed in the same way).
[Figure: nested regions safe, safe₀, stable, stable₀ around the set-point]
Raising alarms along bad trajectories
[Figure: the same regions safe, safe₀, stable, stable₀ around the set-point]
Combining Modes Safely
A Component Lifecycle: three roles
• Control under nominal conditions: ensure plant safety; enforce convergence of the plant according to the stability requirements (asymptotic stability; drive the plant into the specified region within the given time bound)
• Deviations from nominal conditions: detect risks endangering safety and stability; raise an alarm early to provide for a safe transition of control
• Offering help: check for raised alarms and offer help if the component spec can address the dynamics causing the alarm
Approach
• Components provide
• Inports: to invoke the nominal service; to offer help; to specify the plant conditions for which help can be offered
• Outports: to raise alarms; to characterize the plant conditions causing the alarm
• Components can raise multiple alarms
• Conditions causing an alarm can disappear
Specification of nominal behaviour
• Stability requirements: this subsumes asymptotic stability; the controller is required to meet the stability requirements unless an alarm is raised
• Safety requirements: the controller is required to meet the plant safety requirement unless an alarm is raised
Being helpful: specification of inports
An inport specification is given in terms of the following, where
• cβ signals an incoming alarm
• λβ is the latest reaction time for granting acceptance
• takeβ signals acceptance of the alarm
• startβ is the verdict of the distributed alarm resolution protocol to become the hero
• Mβ is the entry predicate required to be satisfied when control is transferred to the component over this port
Asking for help: specification of outports
An outport specification is given in terms of the following, where
• bα is the outgoing alarm signal
• the plant condition causing the alarm is part of the specification
• μα is the minimal persistency of the alarm
• Δα is the duration following the alarm for which safety and stability are still guaranteed
• takeα signals that at least one helper is available
• switchα signals delegation of control to the helper
• Mα over-approximates the plant state at switch time
[Figure: structure of a hybrid interface specification: static interface (data, control); inport specifications; outport specifications; stability requirements (assumptions, promises)]
Hierarchical component based design and verification
Hierarchical construction of controllers
[Figure: hierarchy of controllers closing the loop with the plant through sensors and actuators]
Sequential composition of components
Pragmatics
• All subsystems offer alternate ways of controlling the same plant
• The choice of subsystem depends on the current dynamics
• If the current subsystem is no longer able to ensure the stability and safety objectives, a warning is raised using one of its exits
• Control then either switches to another subsystem, or the warning is passed to the enclosing hierarchy level
• Hence all subsystems share the same static interface, and their safety and stability requirements relate to the same equilibrium
Finding the hero among all offering help
• In a context of incremental distributed controller design, all of these might offer help:
• 5 neighbours on the same level of the hierarchy, but allocated on different Electronic Control Units
• some not yet known friend in a so-far unspecified environment of the component
• Need a distributed agreement protocol to ensure unique transfer of control
• A wrapper for each component negotiates with the other components who will be the hero, using a protocol on control signals: Alarm, "I can take this", "Please do so", Activate, Suspend
• Specified for each inport
Real-time requirements for negotiation
Negotiations must be closed before the system becomes unsafe:
• The critical component promises to maintain safety and stability for a fixed time period after raising the alarm, taking into account the costs of context switches
• Alarms must ensure minimal persistency to guarantee distributed identification of a helper
• Helpers must provide their offer within a given time window
• Once a helper is selected, it still takes τ time units to perform the context switch
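The negotiation sketched on the last two slides, as an added example that is not part of the slides or of the authors' tooling: a Python simulation of one alarm with several candidate helpers. The parameter names follow the slides (μ = minimal persistency, Δ = grace period after the alarm, λ = latest reaction time, τ = context-switch cost). The message names, the assumption that helpers sample the alarm line periodically, the selection rule (earliest offer inside the window, component name as tie-break) and the ECU names are all made up for this example.

```python
"""
Added example (not from the slides): discrete-time simulation of the alarm /
help negotiation between a critical component and its candidate helpers.
mu     = minimal alarm persistency
delta  = time after the alarm during which the critical component still
         guarantees safety and stability
lam    = latest reaction time for a helper's offer
tau    = context-switch cost
All times are integer milliseconds.  Message names, the periodic-sampling
helper model and the tie-break rule are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Condition = Dict[str, float]            # plant condition causing the alarm


@dataclass(frozen=True)
class Alarm:                            # one outport of the critical component
    name: str                           # outgoing alarm signal
    raised_at: int
    mu: int                             # alarm is held at least this long
    delta: int                          # safety/stability guaranteed until raised_at + delta
    condition: Condition


@dataclass(frozen=True)
class Helper:                           # one inport of a candidate helper
    name: str
    period: int                         # assumed: samples the alarm line every `period` ms
    reaction: int                       # time from seeing the alarm to "I can take this"
    can_handle: Callable[[Condition], bool]   # entry predicate: can its spec address this?


@dataclass(frozen=True)
class Msg:
    t: int
    src: str
    dst: str
    signal: str


@dataclass
class Outcome:
    trace: List[Msg]
    hero: Optional[str]
    switch_time: Optional[int]
    within_deadline: bool               # False also when nobody took the alarm


def first_sample_at_or_after(t: int, period: int) -> int:
    """Ceiling of t to the next multiple of period (integer arithmetic)."""
    return -(-t // period) * period


def negotiate(alarm: Alarm, helpers: List[Helper], lam: int, tau: int,
              critical: str = "critical") -> Outcome:
    """One negotiation round.  All parties apply the same deterministic rule
    once the offer window [raised_at, raised_at + lam] closes, so the hero is unique."""
    t0 = alarm.raised_at
    trace = [Msg(t0, critical, "*", f"Alarm({alarm.name})")]
    offers = []                                   # (offer time, helper name)
    for h in helpers:
        seen = first_sample_at_or_after(t0, h.period)
        if seen > t0 + alarm.mu:                  # alarm may already have disappeared
            continue
        if not h.can_handle(alarm.condition):     # its spec cannot address this dynamics
            continue
        t_offer = seen + h.reaction
        trace.append(Msg(t_offer, h.name, critical, "I can take this"))
        if t_offer <= t0 + lam:                   # late offers are logged but ignored
            offers.append((t_offer, h.name))
    t_decide = t0 + lam
    if not offers:                                # pass the alarm to the enclosing level
        trace.append(Msg(t_decide, critical, "enclosing level", f"Alarm({alarm.name})"))
        return Outcome(trace, None, None, False)
    hero = min(offers)[1]                         # assumed rule: earliest offer, then name
    trace.append(Msg(t_decide, critical, hero, "Please do so"))
    t_switch = t_decide + tau                     # the context switch itself costs tau
    trace.append(Msg(t_switch, "wrapper", critical, "Suspend"))
    trace.append(Msg(t_switch, "wrapper", hero, "Activate"))
    ok = t_switch <= t0 + alarm.delta
    if not ok:
        trace.append(Msg(t_switch, "wrapper", "*", "hand-over after grace period: UNSAFE"))
    return Outcome(trace, hero, t_switch, ok)


def negotiation_closes_in_time(lam: int, tau: int, delta: int) -> bool:
    """Static real-time check: offer window plus context switch fits the grace period."""
    return lam + tau <= delta


def persistency_suffices(mu: int, helpers: List[Helper]) -> bool:
    """A helper is guaranteed to see an alarm held for mu only if mu covers its period."""
    return all(h.period <= mu for h in helpers)


# Constructed scenario: an ECU raises a stability alarm; four neighbours listen.
LAM, TAU = 500, 200
HELPERS = [
    Helper("ecu2.modeA", period=100, reaction=150, can_handle=lambda c: c["x1"] < 1.0),
    Helper("ecu3.modeB", period=250, reaction=50, can_handle=lambda c: c["x1"] < 0.5),
    Helper("ecu4.modeC", period=400, reaction=50, can_handle=lambda c: True),
    Helper("ecu5.slow", period=100, reaction=600, can_handle=lambda c: True),
]
ALARM = Alarm("b_stab", raised_at=1000, mu=300, delta=1000, condition={"x1": 0.6})

if __name__ == "__main__":
    out = negotiate(ALARM, HELPERS, LAM, TAU)
    for m in sorted(out.trace, key=lambda m: m.t):
        print(f"t={m.t:5d}  {m.src:>15} -> {m.dst:<15} {m.signal}")
    print("hero:", out.hero, " switched at:", out.switch_time, " in time:", out.within_deadline)
    print("lambda + tau <= Delta:", negotiation_closes_in_time(LAM, TAU, ALARM.delta),
          " mu covers all sampling periods:", persistency_suffices(ALARM.mu, HELPERS))
```

Running it shows what each timing parameter buys: ecu5 answers after λ and is ignored, ecu3 cannot offer because its entry predicate rejects the plant condition, and ecu4 only sees the alarm because its sampling instant happens to fall inside the persistency window (the static check reports that μ = 300 ms does not cover a 400 ms sampling period). Shrinking Δ below λ + τ makes the hand-over land after the grace period, which is exactly the case the slide's requirement excludes.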
Semantics of transition composition
• Let [[Ci]] denote the hybrid automaton expressing the semantics of subsystem Ci.
• We define the semantics [[C]] of the transition composition C = S(P,Q)(C1,...,Cn) as the parallel composition of the hybrid automata
• [[Ci]] representing the semantics of its subcomponents
• HC propagating activation and failures
• HQ propagating control signals from inports
• HP implementing the distributed identification of the hero
Distributed identification of heroes
The automaton HP codes in its state set
• the internally raised alarms
• for each such alarm for which helpers are available, all pairs (alarm, helper)
To this end it collects all control signals from local outports, and the control signals of local inports and external outports, based on the P-port connection.
Compositional Verification of stability: Approach
In a white-box view we would consider the composed Lyapunov function V, defined piecewise by V(·, X) = Vj(·, X) whenever the system is in mode Cj, as a candidate Lyapunov function for the composed system, and prove that this function is decreasing. A key ingredient in this proof is that criticality does not increase in mode switching.
Lyapunov functions demonstrate convergence to the equilibrium
• A Lyapunov function provides a measure of the criticality of states of the closed loop H||P: red states are far from the point of equilibrium
• Lyapunov functions are witnesses of stability: any trajectory originating in the entry region of the controller will converge to the equilibrium
Turning a hybrid automaton into a basic component implementation
• Have to provide for activation and suspension
• Have to provide a wrapper supporting the distributed agreement protocol
• Leads to a hybrid automaton defining the component semantics
• Can verify with automated verification techniques that the hybrid automaton meets the component interface specifications: nominal (safety and stability); specifications of inports (partly guaranteed by the wrapper automata); specifications of outports (partly guaranteed by the wrapper automata)
Semantics of basic components
Let H be a hybrid automaton admissible for component specification C and plant P. We define the semantics of the induced component implementation I, [[C(H)]], as the parallel composition of H with the hybrid automata
• H1 allowing for chaos when I is not active
• H2 providing for activation and suspension of H
• H3 supporting distributed agreement on handling all alarms
• Hβ supporting the protocols for inports
Interface verification of basic components (I)
Let H denote the hybrid automaton inducing the basic component implementation, and consider the closed loop H||P. Recall that a Lyapunov function for H||P is a function meeting the following requirements.
Verification conditions for basic components (1)
• No chattering, i.e. no immediate alarms, where reach refers to the linear(!) closed-loop dynamics of H||P
Tools for establishing the verification conditions:
• barrier certificates / Lyapunov functions
• forward reachability analysis tools such as PHAVer
Verification conditions for basic components (2)
• Asymptotic stability: generate a family of Lyapunov functions for H||P to provide more flexibility when composing systems
• Time-bounded convergence: we exploit that any linear combination of Lyapunov functions with non-negative coefficients (not all zero) is again a Lyapunov function
• Let and
Verification conditions for basic components (3)
• Exit conditions are established within the escape period
• Promises are met
Theorem. If all verification conditions are satisfied, then H||P satisfies its hybrid interface specification.
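The two Lyapunov requirements (V positive definite, dV/dt negative definite), the convergence rate used for time-bounded convergence, and the inner-envelope construction from the design-paradigm slides can all be checked numerically for a small linear closed loop. The following Python is an added example, not code from the slides or from the authors: the dynamics matrix A, the safe region and the target level are constructed, the quadratic certificate is obtained from the standard Lyapunov equation AᵀP + PA = −Q, and the inner envelope is the largest sublevel set of V inside the safe polytope (a standard formula for ellipsoids). Only the nominal, undisturbed dynamics are modelled; the sampled and disturbed trajectories of the paradigm are not covered.

```python
"""
Added example (not from the slides): a quadratic Lyapunov certificate for a
constructed two-state linear closed loop H||P, the convergence rate it yields,
and the largest inner envelope {V <= c} inside a safe region given as a
conjunction of linear constraints.  Pure Python, no numpy.
"""
from math import sqrt, log

# Constructed closed-loop dynamics dx/dt = A x with the nominal control law
# already substituted; the set-point is the origin.  Eigenvalues -1 and -2.
A = [[0.0, 1.0],
     [-2.0, -3.0]]
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]

# Constructed safe region: |x1| <= 1 and |x2| <= 2 as four half-spaces a.x <= b.
SAFE = [((1.0, 0.0), 1.0), ((-1.0, 0.0), 1.0),
        ((0.0, 1.0), 2.0), ((0.0, -1.0), 2.0)]


def solve_linear_3x3(M, rhs):
    """Gaussian elimination with partial pivoting for a 3x3 system M z = rhs."""
    rows = [list(M[i]) + [rhs[i]] for i in range(3)]
    for col in range(3):
        piv = max(range(col, 3), key=lambda i: abs(rows[i][col]))
        rows[col], rows[piv] = rows[piv], rows[col]
        if abs(rows[col][col]) < 1e-12:
            raise ValueError("singular Lyapunov equation (some eig_i + eig_j = 0)")
        for i in range(3):
            if i != col:
                f = rows[i][col] / rows[col][col]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[col])]
    return [rows[i][3] / rows[i][i] for i in range(3)]


def solve_lyapunov_2x2(A, Q=IDENTITY):
    """Symmetric P = [[p, q], [q, r]] with A^T P + P A = -Q.

    The three distinct entries of A^T P + P A are linear in (p, q, r):
      (1,1)  2a p + 2c q          = -Q11
      (1,2)   b p + (a+d) q + c r = -Q12
      (2,2)         2b q + 2d r   = -Q22
    """
    (a, b), (c, d) = A
    M = [[2 * a, 2 * c, 0.0], [b, a + d, c], [0.0, 2 * b, 2 * d]]
    p, q, r = solve_linear_3x3(M, [-Q[0][0], -Q[0][1], -Q[1][1]])
    return [[p, q], [q, r]]


def sym_eigs_2x2(S):
    """(lambda_min, lambda_max) of a symmetric 2x2 matrix, closed form."""
    (p, q), (_, r) = S
    mid, rad = (p + r) / 2, sqrt(((p - r) / 2) ** 2 + q * q)
    return mid - rad, mid + rad


def is_positive_definite(S):
    return sym_eigs_2x2(S)[0] > 0


def quad(S, x):
    """x^T S x."""
    return sum(x[i] * S[i][j] * x[j] for i in range(2) for j in range(2))


def vdot_matrix(A, P):
    """D = A^T P + P A, so that dV/dt along dx/dt = A x equals x^T D x."""
    return [[sum(A[k][i] * P[k][j] + P[i][k] * A[k][j] for k in range(2))
             for j in range(2)] for i in range(2)]


def lyapunov_certificate(A, Q=IDENTITY):
    """Check the two Lyapunov conditions (P > 0, dV/dt < 0) and return (P, alpha).

    alpha = lambda_min(Q) / lambda_max(P) gives V(t) <= V(0) exp(-alpha t); it is
    the parameter-dependent convergence-rate constant to expose at the interface.
    """
    P = solve_lyapunov_2x2(A, Q)
    D = vdot_matrix(A, P)
    if not is_positive_definite(P):
        raise ValueError("P is not positive definite: no quadratic certificate")
    if not is_positive_definite([[-D[0][0], -D[0][1]], [-D[1][0], -D[1][1]]]):
        raise ValueError("dV/dt is not negative definite")
    return P, sym_eigs_2x2(Q)[0] / sym_eigs_2x2(P)[1]


def inner_envelope_level(P, halfspaces):
    """Largest c with {x : x^T P x <= c} inside {x : a.x <= b for all (a, b)}.

    The maximum of a.x over the ellipsoid is sqrt(c * a^T P^-1 a), so each
    constraint bounds c by b^2 / (a^T P^-1 a); the set-point needs every b > 0.
    """
    (p, q), (_, r) = P
    det = p * r - q * q
    P_inv = [[r / det, -q / det], [-q / det, p / det]]
    if any(b <= 0 for _, b in halfspaces):
        raise ValueError("set-point is not strictly inside the safe set")
    return min(b * b / quad(P_inv, a) for a, b in halfspaces)


def time_bound(c_entry, c_target, alpha):
    """Time after which every trajectory from {V <= c_entry} is in {V <= c_target}."""
    return log(c_entry / c_target) / alpha if c_entry > c_target else 0.0


if __name__ == "__main__":
    P, alpha = lyapunov_certificate(A)
    c_safe0 = inner_envelope_level(P, SAFE)      # inner envelope of safe
    c_stable0 = 0.05 * c_safe0                   # chosen target level inside stable
    print("P =", P, " alpha =", round(alpha, 4))
    print("safe0 = {V <= %.3f}; stable0 reached within %.3f time units"
          % (c_safe0, time_bound(c_safe0, c_stable0, alpha)))
```

The inner envelope safe₀ comes out as the largest sublevel set {V ≤ c} of the certificate that fits inside the safe polytope. Every sublevel set of V is forward-invariant under the nominal dynamics, so trajectories starting in safe₀ stay there, and α gives the time bound for reaching a smaller level inside stable. Both c and α are the kind of parameter-dependent constants that have to be visible at the component interface for grey-box verification, and a family of certificates can be produced by solving for several Q, since non-negative combinations of the resulting V's are again Lyapunov functions for the same A.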
Inductive Assertions
As a basis for compositional grey-box verification, we must provide the following "invariants" inductively at the interface of components. Additionally, the parameter-dependent constants for computing convergence rates must be made visible.
Conclusion
• We have proposed a theoretical foundation for component based design of hybrid control, supporting compositional verification of nominal and exception-handling requirements
• Verification conditions for both basic and composed systems can be discharged automatically
• Future work: extensions to parallel composition; bridging the gap between idealized plant models and physical plants