Heterogeneous Modeling: Hybrid SystemsHeterogeneous Modeling: Hybrid Systems

u Hybrid Models

u Languages and Verification Problems

sSimulink and StateFlow

sCheckMate

sCharon

sMasaccio

sSHIFT

MotivationMotivation

u Hybrid Systems are becoming a major modeling paradigm for embedded systemssCapability of modeling controller and plant

sUse of concurrent multiple levels of abstraction

u Difficult to verify and designsCombination of continuous and discrete dynamics of different types

sLack of “operationally strong” theoretical results

u Variety of tools and approaches mutually incompatible due to modeling differences

Foundations of Hybrid ModelFoundations of Hybrid Model

u Used classic model by J. Lygeros, S. Sastry and C. Tomlin as basis

u Model consists of three parts:s Structure= sets, discrete and dynamical components

s Time Bases= intervals over which behavior is continuous

s Hybrid execution= rules according to which we have jumps and continuous flows

u Observations:s Non deterministic behavior allowed (needed)

s Fixed interaction structure

CheckMate Hybrid Model Source: B. Krogh

System SpecificationsSystem Specifications

Driver Vehicle

force, speed, acceleration, jerk, rpm, fuel consumption,...

emissions, external noise, temperature, ...

Key, Brake, Gas, Transm.

Engine &

Driveline

Controller

spark advance, injection time,throttle angle

Closed loop vehicle modelClosed loop vehicle model

Fast NegativeForce Transient

min f(D, Mfuel)�

<

�

max

Force Tracking

Fast PositiveForce Transient

Speed Tracking

n=n(.) n=n(.)

Idle &Trasm On

.G>0 | t>

�

. .G < GB| B=1

.G<0 | t>

� . .G > GA

G > 0

G = 0

T > 0

T=0 T=0

(G>0)&(T>0)

T=0

fI(n) = 0 & G=0

fI(n,G) > 0

.G=0 & C=1

.G > 0|B = 1

T > 0

T=0

OUTPUT:

n - Engine Speedn - Engine SpeedFFG G - Generated ForceVVGG - Vehicle Speed - Vehicle Speed

n=n(G)FG=0

Rpm Trackingn=argmin(Mfuel)

Idle

FG=0

VG= VG(.)

Stopn=0

FG=0

Startup

FG=0n= .

G > 0G = 0

(n < nmin)| (K=Off) n > nstartup

K = Start

(n < nmin)| (K = Off)

FG=FG(G,T,n)FG=FG(G,T,n)

max D�

<

�

max

min

�

FG=FG(G,T,n)

Mfuel < Mmax; D>Dmin

T>0 &G=0

INPUTS:

G - Gas PedalG - Gas PedalT - Clutch Pedal & Gear StickT - Clutch Pedal & Gear StickB - Brake PedalB - Brake PedalC - Cruise ControlC - Cruise Control

K - Key

D - Comfort

fI(n) = 0 & G=0

Model of Power-trainModel of Power-train

��� � � ���

� �� � � � �� � � � �� � �� � �

� �� � �� �� ���� � !� " #�$ �&% � � � ��

��� � � � �� � � � �� � �� �' � � (� ( ) �* � �* + � �) � � � � �

, -/.0 1 1 2/304 35 657 857 2/394 8. : 1 6; 657 ,0 .<= 3

> 85 6 ?0 2@4 . 3A A = . 3 B 2= 1C -D5 A 3 . 1 60 5 EF3 2 3 8A 3G 3 8.C - 857 3

H3 - 6 C 2/394 3 3 @Simple?

Combustion ProcessCombustion Process

INTAKE COMPRESSION EXPANSION EXHAUSTED

120°

320°

440°

570°CRANKSHAFT ANGLE

Engine and Drive-lineEngine and Drive-line

positive spark advance:the spark is given beforethe TDC between C and E

negative spark advance:the spark is given afterthe TDC between C and E

FSM for a single cylinderFSM for a single cylinder

Single Cylinder Hybrid ModelSingle Cylinder Hybrid Model

u Mean-Value Model: accurate over a longer time window

sregulation control problems

s low performance transient problems

u Hybrid Model: cycle accurate

stransient control problems

sstability of delay-sensitive control algorithms

shigh performance control algorithms

Hybrid Model vs Mean-Value ModelHybrid Model vs Mean-Value Model

Hybrid Systems LanguagesHybrid Systems Languages

u Simulation (Charon, Shift, Stateflow+Simulink)

u Formal Verification (Masaccio, Checkmate)

OutlineOutline

u Hybrid Models

u Languages and Verification Problems

sSimulink and StateFlow

sCheckMate

sCharon

sMasaccio

sSHIFT

What is a simulator?What is a simulator?

u Given a mathematical model of the system, computes its evolution and its outputs under a

pre-determined set of inputs

u The mathematical model expresses heterogeneity and concurrency

u The simulator computes the response of the model by mapping it onto the “device” used to

carry out the computation

u In general, the computing device has limited resources and is digital

s We must embed the model of time of the model into the model of the computing device that gives the “common denominator” (e.g., discretize time, synchronize)

s We must map a set of concurrent processes into a sequential system (e.g., schedule execution of concurrent processes)

Hybrid Systems SimulationHybrid Systems Simulation

FSM,Discrete Eventand other MOCs

Continuous Time

• Integrator (hold)

Interface

Inputs Outputs

t

t

• Invariants & Guards• Sampling

Hybrid System SimulationHybrid System Simulation

A simulator for hybrid systems must capture different types of behaviors:

sContinuos Time

sDiscrete Events

sFSMs …

and resolve the domain interface problems.

Continuous TimeContinuous Time

u Model of computation is DISCRETE TIME

sAll variables are computed at each time pointt no run-time scheduling decisions on variable computation

sTime interval can be t fixed (bad for stiff systems), but no run-time decision

t variable (sophisticated solvers have this)u Variable time step algorithm predicts a time step that will satisfy accuracy criterion

based on previous behavioru After actual computation, step may be rejected because constraints are violatedu Run-time scheduling

Discrete DomainDiscrete Domain

u Two basic techniques:

sZero-time assumption: t Static scheduling of computation

t Can be done off-line for maximum efficiency (cycle-based simulation)

sComponents modeled with delay (Discrete Event Model). t All components evaluated at the same time-point always (wasteful)t Follow reaction to events: schedule components whose inputs have changed (assumes

internal dynamics completely captured by pure delay) Selective-trace event-driven simulation.

Zero-time LoopsZero-time Loops

xdtdx

IJ

/ xdtdx

K

/0

L

x0

M

x

Fo r f : S → S , de fine the se m a ntic s to be a fixe d p o int o f f

i. e . s suc h tha t

f (s) = s

Synchronization ProblemSynchronization Problem

u “Synchronization” between domains:

ssample the continuous time interface variables

s integrate discrete event interface signals

sdetect guards and invariants (zero crossing detection)

Simulator ArchitectureSimulator Architecture

u One simulator (e.g. Ptolemy)

s different algorithms for each domain and unique scheduler

u N simulators (e.g. Simulink-StateFlow, Simulink-Bones, Simulink-VCC)

sOne simulator per domain (different schedulers per domain) and communication among simulators.

sScheduler works by transferring control to simulator

sMuch less efficient but easier to do!

Invariant DetectionInvariant Detection

u An approach: s the discrete event simulator checks the conditions sampling the continuos time variables

u Advantages:s easiest implementation

s strong separation between the two domains

u Drawbacks:s high precision detection reached only with long simulation time.

s high inter-process communication overhead

u Partial Solution:

s Simulation look-ahead

OutlineOutline

u Introduction to WP

u Hybrid Models

u Languages and Verification Problems

sSimulink and StateFlow

sCheckMate

sCharon

sMasaccio

sSHIFT

u Conclusions and Future Work

Source: B. Krogh

The CheckMate Model: TEDHSThe CheckMate Model: TEDHS

Three parts:

sSwitched Continuous System (SCS), that takes in the discrete-valued input u and produces continuous state vector x as output into TEG.

sThreshold Event Generator (TEG), produces an event when a component of x crosses a corresponding threshold from the specified direction (rising, falling, or both) and feeds FSM.

sFinite State Machine (FSM), whose output, in turn, drives the continuous dynamics of the SCS.

Source: B. Krogh

Source: B. Krogh

The Polyhedral Invariant Hybrid Automaton

A PIHA is a hybrid automaton with the following restrictions:

s The continuous dynamics for each location is governed by an ordinary differential equation (ODE).

s Each guard condition is a linear inequality (a hyper-plane guard).

s Each reset condition is an identity.

s For the hybrid automaton to remain in any location, of the hybrid system all guard conditions must be false. This restriction implies that the invariant condition for any location is the convex polyhedron defined by conjunction of the complements of the guards. This gives rise to the name polyhedral-invariant hybrid automaton.

CheckMate SummaryCheckMate Summary

u Integrated with Matlab/Simulink/StateFlow

u Limited semantics to simplify analysis and allow formal verification

u Uses Simulink constructs to enter data

u Based on reachability analysis to abstract continuous away

u Can perform simulation, partial and complete verification

u Computationally complex…

OutlineOutline

u Hybrid Models

u Languages and Verification Problems

sSimulink and StateFlow

sCheckMate

sCharon

sMasaccio

sSHIFT

Charon is a high-level modeling language and a design environment for hybrid systems

reflecting the current state of the art both in formal and object oriented methods

(UML).

NArchitectural Hierarchy (Agents)OBehavioral Hierarchy (Modes)

P

Charon toolkitQSyntax-directed editorRParser and type checkerSGlobal simulatorTPlotter (from Ptolemy)

What is Charon?What is Charon?

Language SummaryLanguage Summary

u Individual components described as agents

u Individual behaviors described as modes

u Support for concurrency

s Shared variables as well as message passing

u Support for discrete and continuous behavior

u Well-defined formal semantics

Continuous Behavior in CharonContinuous Behavior in Charon

U

Differential ConstraintsV

write Position robot_Pos;W

diff diffStop {d(robot_ Pos.x)=0.0; d(robot_ Pos.y)=1.0;}

X

Algebraic EquationsY

write real robotEST;Z

read x ;[

alge contEST { robotEST = foo(x) + bar(x); }

\

Invariant Constraints in Modes]

inv invTUCost { lub <= x <= gub; }

Simulation in CharonSimulation in Charon

u In the present approach, a program-specific simulator is generated from the Charon program

u Each object of the Charon program is converted into an executable Java object

u Together with a program-independent core, these objects implement behavior of the program (Compiled-Code simulator)

^

Graphical input language

_

Modular simulation

`

Model Checker

Future ExtensionsFuture Extensions

OutlineOutline

u Hybrid Models

u Languages and Verification Problems

sSimulink and StateFlow

sCheckMate

sCharon

sMasaccio

sSHIFT

a b c d

e fg h i j h ik l j f mon hg j f fp j p n q r

sut vow x y zt { |} ~ ��� y } � �� z� � �� ������ � � � �� �� � ��� �� � �� �

� �� � � � �� � � � � � � � � � � �� �� � �� � � � � ��

� ��� �¡  ¢¡£ ¤ � ¥¡¦ § � ¨© ª � � ª�«¬­® ® ¯ ¬ °± ¯² ² ³�´² ¬ µ ¯ ¶�· ¸º¹ ³» ¸ » °´ ¹ ± ¹ ¸ ´ ² » ²¹ ¼¹ » ± ² °® ¯² ­ · ® ¬ ¯²

Code

Model (e.g., Simulink)

Design Simulate

½¿¾ À ÁàÁÅÄ ÆÇ ÆÈ À

Code generation

No exact correspondence between model and code:

-difficult to upgrade code

-difficult to reuse code

No formal connection between requirements, model, and resources:

- expensive development cycle iterates all stages

Redesign

Embedded Software Design: Current State

Code

Model Design Verify

Compilation (analysis, optimization, and code generation)

Embedded Software Design: UCB and PARADES Vision

SLDLSLDL

SLDLSLDL

MASACCIO ATL

GIOTTO GIOTTO-ASC

SLDL 1

RTOS 1

DESIGN

MODEL

PROGRAM

EXECUTABLE

ARCHITECTURESCHEDULERCOMMUNICATION

HierarchicalHybrid

Modules

Time-TriggeredBlocks of

C Code

Model-check

Compile

given

Synthesize Refine

REQUIREMENTS

CONSTRAINTS

MASACCIOMASACCIO

Semantics:

Component = interface + behaviors

Interface (the “statics”):

u Variables: input/output, discrete/continuous (data)

u Locations: entry/exit (control)

Behavior (the “dynamics”):

u Jumps: all variables may change (instantaneous)

u Flows: continuous variables evolve (real-valued duration)

Masaccio & Charon: an informal comparisonMasaccio & Charon: an informal comparison

Charon’s hierarchy: architectural -> agents -> parallel composition

behavioral -> modes -> parallel & serial comp

Masaccio’s hierarchy:both architectural & behavioral -> components ->

parallel & serial comp.

Features:

É

Charon -> Simulation; more developed

Ê

Masaccio -> Formal Verification; few papers and few applications; focusing on Giotto at the moment

OutlineOutline

u Introduction to WP

u Hybrid Models

u Languages and Verification Problems

sSimulink and StateFlow

sCheckMate

sCharon

sMasaccio

sSHIFT

u Conclusions and Future Work

SHIFTSHIFT

Ë

Motivation: California PATH Smart AHS (Automated Highway Systems)

3. Semantics: similar to other languages, but with extensions for creating and deleting components (i.e. hybrid sub-systems) dynamically.

5. Syntax: C-like (component types akin to struct types in C).

SHIFTSHIFT

u SHIFT = Hybrid System Tool Interchange Format

u Programming language for describing dynamic networks of hybrid automata.

u Hybrid systems are components: can be created, interconnected and destroyed as the system evolves.

u Components may evolve independently, or interact through their inputs, outputs and exported events. The interaction network itself may evolve.