Formal Model Based Design of Control Software

Formal Model Based Design of Control Software

Vadim Alimguzhin

Computer Science DepartmentSapienza University of Rome

Ph.D. Thesis

Thesis Committee ReviewersProf. Enrico Tronci (advisor) Prof. Gennady KulikovProf. Igor Melatti Prof. Ganesh GopalakrishnanProf. Nafisa Yusupova Prof. Tiziano Villa

Acknowledgement

This work has been partially supported by Erasmus MundusMULTIC scholarship from the European Commission

(EMA 2 MULTIC 10-837).

Published papers

2012

V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.

Automatic control software synthesis for quantized discrete time hybrid systems.

In Proceedings of the 51th IEEE Conference on Decision and Control, CDC 2012, pages 6120–6125. IEEE,2012.


On model based synthesis of embedded control software.

In Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2012, pages227–236. ACM, 2012.

2013


A map-reduce parallel approach to automatic synthesis of control software.

In Proc. of International SPIN Symposium on Model Checking of Software (SPIN 2013), volume 7976 ofLecture Notes in Computer Science, pages 43–60. Springer - Verlag, 2013.


On-the-fly control software synthesis.


Outline

Model Based Control Sofware Design

Nonlinear Systems

Parallel Approach

Small Size Controller Synthesis

On-The-Fly Synthesis

Future Work

Outline


Nonlinear Systems

Parallel Approach



Future Work

Model Based Design Nonlinear Systems Parallel Small Size Controllers On-The-Fly Future

Embedded Systems

Formal Model Based Design of Control Software Vadim Alimguzhin


Software bugs are dangerousSpanair Flight JK 5022, 20 August 2008

Investigations

The software that should haveprevented the crash failed to do so.

We need to synthesize correct-by-construction software forembedded systems.



Model Based Control Software Design

Input (H, I ,G ,A/D + D/A)

◮ DTLHS H, initial region I , goal region G(linear constraints)

◮ conversion A/D and D/A

Output Feedback Controller K

1. mathematical function K s.t.◮ (K ,H) eventually reaches G◮ K has known controllable region◮ K is robust w.r.t. parameters variations

2. C implementation of K s.t.◮ guaranteed WCET ≤ Sampling Time T

K HD/A

A/D

Problem is undecidable [ICTAC, 2012].

[ICTAC, 2012] Federico Mari, Igor Melatti, Ivano Salvo and Enrico Tronci.

Undecidability of Quantized State Feedback Control for Discrete Time Linear Hybrid

Systems.

In Proc. of the International Colloquium on Theoretical Aspects of Computing, ICTAC, volume 7521 ofLNCS, pages 243–258. Springer-Verlag Berlin Heidelberg, 2012.



Our Solutionhttp://mclab.di.uniroma1.it/software qks.html

Algorithm and Tool QKS [TOSEM, 2013]

(H, I ,G ,ADDA)

QKSK +

controlledregion D

Sol

DI NoSolno solution exists

Unknown

Unknown stems from undecidability of the problem [ICTAC, 2012].

[TOSEM, 2013] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci.

Model based synthesis of control software from system level formal specifications.

ACM Trans. on Soft. Eng. and Meth., To appear, 2013.

[ICTAC, 2012] Federico Mari, Igor Melatti, Ivano Salvo and Enrico Tronci.

Undecidability of Quantized State Feedback Control for Discrete Time Linear Hybrid

Systems.

In Proc. of the International Colloquium on Theoretical Aspects of Computing, ICTAC, volume 7521 ofLNCS, pages 243–258. Springer-Verlag Berlin Heidelberg, 2012.



QKS Flow

Step 1: Control AbstractionComputation

Finite LTS Control Problem

Step 2: Symbolic StrongController Synthesis

Most General OptimalController

Step 3: C Code Generationfrom OBDD

Control Software

SpecificationsPlant Model(DTLHS)

Implementation Specification(Quantization Schema)

System Level Formal Specification(Liveness and Safety)



Nonlinear Hybrid Systems

Problem

◮ QKS can deal only with linear hybrid systems.

◮ Dynamics of many interesting hybrid systems cannot be directly modelledby linear constraints.

Solution=⇒ Overapproximate nonlinear DTHS with DTLHS, s.t. controllers forDTLHS are also controllers for DTHS [CDC, 2012].

[CDC, 2012] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.

Automatic control software synthesis for quantized discrete time hybrid systems.

In Proceedings of the 51th IEEE Conference on Decision and Control, CDC 2012, pages 6120–6125. IEEE,2012.



Parallel Approach

Problem

◮ Interesting systems have lots of continuous variables.

◮ The higher the number of bits – the better non-functional specifications(setup time and ripple).

◮ Control abstraction computation (99% of computation time): exponentialnumber of MILP problems w.r.t. number of bits.

Solution=⇒ Use a parallel approach to compute control abstraction [SPIN, 2013a].

[SPIN, 2013a] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.

A map-reduce parallel approach to automatic synthesis of control software.





Problem

◮ Embedded systems have limited memory resources.

◮ Time optimal controller code generated by QKS may be too large to beput on the microcontroller.

Solution=⇒ Reduce code footprint possibly at the cost of having suboptimal setuptime and ripple [EMSOFT, 2012].

[EMSOFT, 2012] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.

On model based synthesis of embedded control software.

In Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2012, pages227–236. ACM, 2012.




Problem

◮ Design space exploration: find suitable choice for design parameters(number of bits for AD conversion b and sampling time T ).

◮ For many choices of b and T there is no solution for the synthesisproblem.

◮ QKS takes the same time when it finds solution and when not.

Solution=⇒ On-The-Fly synthesis algorithm, that detects as soon as possible when asolution cannot be found [SPIN, 2013b].

[SPIN, 2013b] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.

On-the-fly control software synthesis.



Outline


Nonlinear Systems

Parallel Approach



Future Work


Overapproximation of DTHS

f (x)




f (x)

f+(x)

f−(x)




f (x)

f+(x)

f−(x)

Overapproximation has more behavior than original system.




f (x)

I1 I2 I3 I4





f (x)

I1 I2 I3 I4

f−1 (x)

f+1 (x)

f−2 (x)

f+2 (x)

f−3 (x)

f+3 (x)

f−4 (x)

f+4 (x)




Inverted Pendulum as a DTHS

θ̈ = glsinθ + 1

ml2uF

{

x ′1 = x1 + Tx2x ′2 = x2 + T g

lsinx1 + T 1

ml2uF

State variables:

◮ x1: angle (θ)

◮ x2: angular speed (θ̇)

Action variables:

◮ u: torquing force direction

Parameters:

◮ F : torquing force value

◮ T : sampling time

◮ l : length

◮ m: mass

θ

u



Underactuated Inverted Pendulum (F = 0.5)Trajectories (9 and 10 bits)

-1

0

1

2

3

4

5

6

7

0 2 4 6 8 10 12 14

time in seconds

angle [x1] 10 bitsangle [x1] 9 bits



Underactuated Inverted Pendulum (F = 0.5)Ripple (10 bits)

-0.102

-0.1

-0.098

-0.096

-0.094

-0.092

-0.09

-0.088

-0.086

-0.084

20 30 40 50 60 70 80 90 100

time in seconds



Strongly Underactuated Inverted Pendulum (F = 0.3)Trajectories (11 bits)

-15

-10

-5

0

5

10

15

20

25

30

35

0 50 100 150 200 250 300 350

time in seconds

angle [x1]angular speed [x2]

torque [u]



Overactuated Inverted Pendulum (F = 2)Trajectories in phases space (11 bits)

-1.8

-1.6

-1.4

-1.2

-1

-0.8

-0.6

-0.4

-0.2

0

0.2

0 0.5 1 1.5 2 2.5 3

angu

lar

spee

d [x

2]

angle [x1]

π/4π/2

3/4 π3


Outline


Nonlinear Systems

Parallel Approach



Future Work


QKS Flow






Control Software






Parallel Control Software Synthesis Flow

Step 1: Parallel ControlAbstraction Computation





Control Software






Control Abstraction Computation (QKS Step 1)

x1

x2




x1

x2




x1

x2




x1

x2




x1

x2




Computation for each cell is independent from others.

=⇒ We can use MapReduce-style parallel aproach.



Parallel Control Abstraction Computation

Example

Number of workers: 3Number of abstract states: 16 (2 state variables, 2 bits each)

x1

x2




Example


x1

x2

MAP

1 2 3 1

2 3 1 2

3 1 2 3

1 2 3 1

x1

x2




Example


x1

x2

MAP

1 2 3 1

2 3 1 2

3 1 2 3

1 2 3 1

x1

x2

WORK

N̂1

Worker1

N̂2

Worker2

N̂3

Worker3




Example


x1

x2

MAP

1 2 3 1

2 3 1 2

3 1 2 3

1 2 3 1

x1

x2

WORK

N̂1

Worker1

N̂2

Worker2

N̂3

Worker3

REDUCE

x1

x2 N̂



Parallel Control Abstraction ComputationImplementation Details

◮ Distributed memory model.

◮ Use MPI Barrier to synchronize processes.

◮ Use shared filesystem to exchange data between processes.



Parallel vs SequentialInverted Pendulum: Speedup and Efficiency

0

10

20

30

40

50

60

10 20 30 40 50 60

Spe

edup

Number of processes

9 bits10 bits11 bits

Speedup = Sequential TimeParallel Time

55

60

65

70

75

80

85

90

95

100

10 20 30 40 50 60

Sca

ling

effic

ienc

y (%

)

Number of processes


Scaling Efficiency = SpeedupNumber of Processes

100%



Parallel vs SequentialInverted Pendulum: Communication time and I/O time

0

5000

10000

15000

20000

25000

10 20 30 40 50 60

Com

mun

icat

ion

time

(sec

onds

)

Number of processes


0

50

100

150

200

10 20 30 40 50 60

I/O ti

me

(sec

onds

)

Number of processes


Comm Time = Waiting Time + I/O Time



Experiments Details

9 bits, 30 workers 9 bits, 40 workers


Outline


Nonlinear Systems

Parallel Approach



Future Work


QKS Flow






Control Software






Small Size Control Software Synthesis Flow



Step 2: Symbolic Small SizeController Synthesis

Small Size Controller


Control Software






Controller Synthesis (QKS Step 2)

OBDD-based computation of acontroller from a finite state machine(control abstraction) [Cimatti, 98]

K

0xb9b1a

0xb9b0x[2]

0xb9afx[1]

0xa4dex[0]

1

[Cimatti, 98] Alessandro Cimatti and Marco Roveri and Paolo Traverso.

Strong planning in non-deterministic domains via model checking.

In AIPS, pp. 36–43, 1998.



Code Generation (QKS Step 3)

From OBDD to C code [IARIA, 2012]:taking into account node sharing

int K_exists(unsigned char *);

int K_w1(unsigned char *);

int K(unsigned char *x, unsigned char *a)

{

if (! K_exists(x)) return 0;

a[1] = K_w1(x);

return 1;

}

int K_exists(unsigned char *x)

{

int return_bit = 1;

L_924ed61:

return_bit = !return_bit;

if (x[2] == 1) goto L_92595a0;

else goto L_924ed40;

L_92595a0:

if (x[4] == 1) goto L_92566a0;

else goto L_9259580;

L_92566a0:

if (x[6] == 1) goto L_9254f80;

else goto L_9256660;

[IARIA, 2012] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci.

Synthesizing control software from boolean relations.

Int. J. on Advances in SW, 5(3&4):212–223, 2012.



ExampleFinite State Machine A

0 1 2

3start4

0,1

1

0101

0

0

1



ExampleControllers for A

Most general optimal controller (mgo)Kmgo

0 1 2

3start4

0,1

1

0101

0

0

1

Small size controller (sc)K sc

0 1 2

3start4

0,1

1

0101

0

0

1

Try to use always the same action



ExampleControllers OBDDs for A

Kmgo

f

v1x[2]

v2 v3x[1]

v4x[0]

1

K sc

f

v1x[2]

v2x[1]

v3x[0]

1

Increase sharingSame height



ExampleC Code for Controllers for OBDDs for A

Kmgo

int ctrlLaw(unsigned char *x) {

int act =0;

L_v1: if (x[2]==1) goto L_v3;

else { act = !act;

goto L_v2; }

L_v2: if (x[1]==1) goto L_v4;

else { act = !act;

goto L_v4; }

L_v3: if (x[1]==1) return act;

else goto L_v4;


else { act = !act;

return act; }

}

K sc

int ctrlLaw(unsigned char *x) {

int act=0;

L_v1: if (x[2]==1) goto L_v2;

else return act;


else goto L_v3;


else { act = !act;

return act; }

}

Reduced code sizeSame WCET



Inverted Pendulum: MGO vs Small SizePros and Cons

b Kmgo

Ksc K sc

Kmgo Pathmgo Pathsc Pathsc

Pathmgo

8 163 44 27.4% 132.96 234.35 1.769 352 92 26.3% 69.64 147.74 2.1210 752 206 27.5% 59.16 133.70 2.26

|K |: code size in Kilobytes of .o file after gcc compilation



Inverted Pendulum: MGO vs Small SizeSetup Time (10 seconds vs 14 seconds)

-2

-1

0

1

2

3

4

5

6

7

0 5 10 15 20

time (seconds)

mgo x1mgo x2

sc x1sc x2



Inverted Pendulum: MGO vs Small SizeRipple: 0.0001 radiants vs 0.0002 radiants

-0.0946

-0.09455

-0.0945

-0.09445

-0.0944

-0.09435

-0.0943 25 30 35 40

x1

time (seconds)

mgo x1

MGO Controller

6.1719

6.17195

6.172

6.17205

6.1721

6.17215

6.1722 25 30 35 40

x1

time (seconds)

sc x1

Small Size Controller



Inverted Pendulum: MGO vs Small SizeEnabled Actions

MGO Controller Small Size Controller


Outline


Nonlinear Systems

Parallel Approach



Future Work


QKS Flow






Control Software






On-The-Fly Control Sofware Synthesis Flow

Step 1: On-The-Fly StrongController Synthesis



Control Software






Design Space Exploration SpeedupInverted Pendulum

b n CPUexh RAMexh CPUotf RAMotf |K̂ | % Speedup Result

8 10 9.90e+04 1.70e+08 4.58e+02 3.03e+07 1.25e+02 99.54 216.16 FAIL8 8 4.41e+04 1.68e+08 3.06e+02 3.05e+07 2.06e+02 99.31 144.12 FAIL8 6 2.28e+04 1.65e+08 2.77e+04 9.12e+07 6.40e+03 -21.49 0.82 PASS8 4 1.17e+04 1.63e+08 1.47e+04 8.68e+07 7.53e+03 -25.64 0.80 PASS8 2 4.91e+03 1.63e+08 1.35e+01 2.98e+07 1.63e+02 99.73 363.70 FAIL8 1 2.69e+03 1.53e+08 4.72e+00 2.98e+07 1.61e+02 99.82 569.92 FAIL9 10 4.95e+05 2.39e+08 2.70e+03 3.16e+07 1.88e+02 99.45 183.33 FAIL9 8 2.31e+05 2.31e+08 2.40e+05 2.70e+08 1.08e+04 -3.90 0.96 PASS9 6 1.20e+05 2.18e+08 1.19e+05 2.71e+08 1.25e+04 0.83 1.01 PASS9 4 5.66e+04 1.98e+08 5.34e+04 2.50e+08 1.55e+04 5.65 1.06 PASS9 2 2.18e+04 1.91e+08 2.29e+04 2.43e+08 2.16e+04 -5.05 0.95 PASS9 1 1.16e+04 1.78e+08 1.97e+01 3.02e+07 2.11e+02 99.83 588.83 FAIL10 10 3.82e+06 6.08e+08 1.45e+04 3.65e+07 2.87e+02 99.62 263.45 FAIL10 8 1.71e+06 5.40e+08 6.74e+03 3.83e+07 6.01e+02 99.61 253.71 FAIL10 6 7.45e+05 4.72e+08 6.67e+05 8.81e+08 2.45e+04 10.47 1.12 PASS10 4 3.05e+05 4.13e+08 2.77e+05 8.31e+08 2.99e+04 9.18 1.10 PASS10 2 1.05e+05 3.29e+08 9.96e+04 8.12e+08 4.52e+04 5.14 1.05 PASS10 1 5.29e+04 2.64e+08 5.09e+04 8.07e+08 6.31e+04 3.78 1.04 PASS

Overall 7.85e+06 6.08e+08 1.60e+06 8.81e+08 79.62 4.91

Samping time T = nτ , where τ is system time step.


Outline


Nonlinear Systems

Parallel Approach



Future Work


Future WorkMethodology

◮ Develop load-balanced parallel algorithm.

◮ Adapt parallel algorithm for the commodity hardware.

◮ Investigate control software synthesis when the state is notfully observable.

◮ Devise fully symbolic approach.



Future WorkPractical Applications

European projects:

◮ FP7 Call 8 - ICT-8-6.1 (Smart energy grids)SmartHG (Energy Demand Aware Open Services for SmartGrid Intelligent Automation)

◮ FP7 Call 9 - ICT-2011.5.2 (Virtual Physiological Human)PAEON (Model Driven Computation of Treatments forInfertility Related Endocrinological Diseases)


Any Questions?

Documents

Formal Model Based Design of Control Software