DIVES: Design, Implementation and

Validation of Embedded Software

Alur, Kumar, Lee(PI), Pappas, Sokolsky

GRASP/SDRLUniversity of Pennsylvania

www.cis.upenn.edu/mobies/MOBIES PI Meeting, Jan 2001

CHARON Team

FacultyRajeev Alur (CIS)Vijay Kumar (MEAM)Insup Lee (CIS)George Pappas (EE)

Research AssociatesRafael Fiero (GRASP)John Koo (GRASP)Oleg Sokolsky (SDRL)

PhD StudentsJoel EspositoYerang HurFranjo IvancicSalvatore La Torre

Pradumna Mishra Jiaxiang Zhou

ProgrammersUsa SamuppanValya Sokolsky

DIVES Summary

High-level modeling language and design environment: CHARON Combines the state-of-the-art in formal and

object-oriented methods

Tools for Formal Analysis Simulation

Model Checking

Controller Synthesis

Runtime monitoring

Focus on Hierarchy and Compositionality

CHARON Language Features

Individual components described as agents Composition, instantiation, and hiding

Individual behaviors described as modes Encapsulation, instantiation, and Scoping

Support for concurrency Shared variables as well as message passing

Support for discrete and continuous behavior

Differential as well as algebraic constraints

Discrete transitions can call Java routines

Accomplishments

Language Design Syntax and Semantics

Tool Development Parser, Type checker, Simulator, GUI

Research Results Accurate event detection

Modular (multi-rate) simulation

Compositional semantics & refinement

Optimal control in timed automata

Synthesis of mode switching

See www.cis.upenn.edu/mobies/ for tool/papers

Talk Outline

Overview

Research in Formal Verification

Compositional Refinement (AGLS01)

Synthesis of Mode Switching (KPS01)

Optimal Control in Timed Automata (ALP01)

Demo (today evening)

Automated Formal Analysis

Background Decidability results: Timed automata, o-minimal systems ….

Reachability tools: Polyhedra-based (HyTech), ellipsoidal, flowpipes (Checkmate)

Research Themes Can modular reasoning be combined with state-space analysis?

Beyond reachability: Optimization

Systematic abstraction techniques

Talk Outline

Compositional Semantics/Refinement for Hierarchical Hybrid Systems

Synthesis of Mode Switching

Optimal Control in Weighted Timed Automata

Why Modular Reasoning?

Behavior of a component can be computed from behaviors of its parts

Components can be analyzed in isolation

Assume-guarantee rules -> Scalable analysis

MoBIES Theme: Composable Behavioral Interfaces!

Syntax: Modes and Agents

Modes describe sequential behavior Agents describe concurrency

Emergency

{t = 1} • local t, rate

global level, infusion

Agent Controller

dx de

Agent Tank

infusion

global levelglobal infusion

{level = f(infusion)} •

{ level[2,10] } level

level[2,10]

level[4,8]

dxde

Compute

Normal

e

dedx

xt=10t:=0

Maintain{t<10}

Mode Executions

(ctl,t,level,infusion,rate,h)

(dx,0,5.1,1,0.2,Maintain)

(dx,10,15.1,3,0.2,Maintain)

Flow Step

(de,10,15.1,5,0.2,Maintain)

Env Step

(dx,10,15.1,5,0.1,Compute)

Discrete Mode Step

{t = 1} •

dx

{ level[2,10] }

de

Compute

Normal

e

dedx

xt=10

t:=0

Maintain

{t<10}

Semantics of modes

Semantics of a mode consists of: entry and exit points global variables traces

Key Thm: Semantics is compositional

traces of a mode can be computed from traces of its sub-modes

Refinement

Refinement is trace inclusion

dx

Compute

Normal

e

dedx

x

t=10 t:=0

Maintain{t<10} dx

Compute

Normal’

e

dedx

x

t 10 t:=0

Maintain{t<10}

de de<

{t = 1} •

{ level[2,10] }

{t = 1} •

{ level 10 }

• Same control points and global variables

• Guards and constraints are relaxed

Normal Normal’

Sub-mode refinement

Normal

Controller

dx

de

Normal’

Controller’

dx

Emergency

de

level[2,10]

level[4,8]

dx

Emergency

de

level[2,10]

level[4,8]

dx

de

Refines

Compositional Reasoning

N N’< M<

M’

N

M

N’

M<

Sub-mode refinement

N

M< N

M’

Context refinement

Talk Outline

Compositional Semantics/Refinement

Synthesis of Mode Switching

Optimal Control of Timed Automata

Synthesis of Mode Switching Background

Multi-agent, multi-objective systems are designed for many modes of operation

Input: collection of control modes

Research Challenge Does there exist a finite switching sequence of control modes for satisfying a set of given reachability specifications?

Illustrative Example

Multi-Modal Control of a Helicopter ModelControl Modes: Hover, Cruise, Ascend, Descend

Task: High-altitude take-off

Hover Ascend Cruise

Trajectories leading to ARegardless of initial cond

Trajectories leading to CRegardless of initial cond

Common Trajectories

Key Computational Step

Consistent mode switching condition:

Pair-wise controlled bisimulation

Output-tracking controllers simplify required reachability

computation

x1 t

X i

Si(r i)Sj(r j)

x2

Results Summary

Algorithm “Consistent Control Mode Graph”

Input : Control Modes

Output: Control Mode Graph

Computation for N control modesReachability Computation: N2

Intersection Computation: N3

Framework for Multi-Modal ControlOffline: Synthesis of control mode graph

Online : Synthesis of control switching sequence

Talk Outline

Compositional Semantics/Refinement

Synthesis of Mode Switching

Optimal Control of Timed Automata

Background: Timed Automata

Model for real-time systems

Many Theoretical Results + Tools

Key step: Finite bisimulation partitions

Optimal Controller Synthesis

System Model Timed Automaton + weights (costs) on transitions and locations (WTA)

Goal Synthesize a Controller to drive System form Start to Target at minimal cost

Key Step of the Solution Solve Shortest Paths Problem in WTA

An Air-traffic Control Problem

Start

c0

c2 :

c1:

w1

:

x:=0

wait1

c3 :

c4 :

w’1

w2 :

w’2

wait2

hold1

hold2

land2

Land1

x<1 y<1

y:=0

y<2

x<1 y<1

x:=0

x>1

y>1

c0 + w1

1<y<2x>1

y:=0

y>1

x>1

c0 + w2

y>11<x<2

Done

x<2

Shortest Paths in WTA

Algorithm1. Reduce to Parametric Shortest Path

Problem on graphs (PSP)

2. Solve PSP

Optimum solution may only be a limit

Region graph construction not enough

w0

Startw1 Target

x<2 x=2

From WTA to Weighted Graphs

Augmented Region AutomatonRegions are split in boundary sub-regions

wait1

hold1

c3+ w1 (2 + 3)

y=00<x<1

(1,2)

0<y<x<1x=0

0<y<1

x=0Y>0

y=0x=0

~(1,2

)

(1)

(2,1) (2,1

)

c3

c3

w1 (2 + 3)

hold1

hold1

wait1

Summary of Results

Algorithmic solution to Shortest Paths Problem in WTA

Reduction causes exponential blow-up

Symbolic fix-point algorithm can compute solution to all source states

(Optimal Controller Synthesis can be solved similarly)

Ongoing Work

Tool Development Modular simulator

Research Distributed simulation

Predicate Abstraction for hybrid systems

Applications/Case-studies Inverted pendulum, Robot soccer

MoBIES challenge problems

Animation, Biomolecular networks…