A Hybrid Event-B Study of Lane Centering · R. Banach, M. Butler A Hybrid Event-B Study of Lane Centering 5 2. Discrete Event-B Event-B is a simpli cation of the Classical B-Method

A Hybrid Event-B Study of Lane Centering

Richard Banach1 and Michael Butler2

1School of Computer Science, University of Manchester, UK2Electronics and Computer Science, University of Southampton, UK

R. Banach, M. Butler A Hybrid Event-B Study of Lane Centering 2

Contents

1. Hybrid and Cyber-Physical Systems2. Discrete Event-B3. A Framework for Hybrid Systems4. Extending Event-B for Hybrid Behaviour5. Schematic Syntax6. Proof Obligations7. Lane Centering8. Conclusions


1. Hybrid and Cyber-Physical Systems

Nowadays, computing devices get ever smaller.

Nowadays, computing devices get ever more distributed andinterconnected.

This enables ever easier/routine coupling of computing devices tothe physical environment.

• Hybrid Systems — discrete + continuous behaviour.• Cyber-Physical Systems — distributed embedded behaviour.

Requires an extension of the usual discrete transition frameworksfor faithful modeling.

• Most existing work is automaton based.• Most existing work focuses on verification

rather than top-down development

... enhance Event-B.


1. Hybrid and Cyber-Physical Systems

Nowadays, computing devices get ever smaller.

Nowadays, computing devices get ever more distributed andinterconnected.

This enables ever easier/routine coupling of computing devices tothe physical environment.

• Hybrid Systems — discrete + continuous behaviour.• Cyber-Physical Systems — distributed embedded behaviour.

Requires an extension of the usual discrete transition frameworksfor faithful modeling.

• Most existing work is automaton based.• Most existing work focuses on verification

rather than top-down development ... enhance Event-B.


2. Discrete Event-B

Event-B is a simplification of the Classical B-Method that was oneof the earliest ‘full process’ top-down development methodologies.A typical Event-B model has the following characteristics:

• static contexts

• commands – guards (no preconditions)

• commands – actions (deterministic, nondeterministic)

• invariants

Straightforward trace style semantics, policed by proof obligations.

• intended for industrial application


Example

MACHINE NodesSEES NCtxVARIABLES nodINVARIANTSnod ∈ P(NSet)

EVENTSINITIALISATION

STATUS ordinaryBEGIN nod := ∅ END

AddNodeSTATUS ordinaryANY nWHERE n ∈ NSet − nodTHEN nod := nod ∪ {n}END

END

CONTEXT NCtxSETS NSetCONSTANTS aa, bb, cc , ddAXIOMSNSet = {aa, bb, cc , dd}

END


3. A Framework for Hybrid Systems

Integrating formal reasoning in discrete and continuous domainsrequires a suitable semantic framework, which:

• is expressive enough for continuous applications;

• defaults cleanly for discrete reasoning.

• Time is an interval T of the reals R.

• There are mode variables (piecewise constant),and pliant variables (piecewise continuously varying).

• T partitions into a sequence of left-closed right-open intervals,〈[t0 . . . t1), [t1 . . . t2), . . .〉, such that (all) discontinuous changestake place at some boundary point ti .


3. A Framework for Hybrid Systems

Integrating formal reasoning in discrete and continuous domainsrequires a suitable semantic framework, which:

• is expressive enough for continuous applications;

• defaults cleanly for discrete reasoning.

• Time is an interval T of the reals R.

• There are mode variables (piecewise constant),and pliant variables (piecewise continuously varying).

• T partitions into a sequence of left-closed right-open intervals,〈[t0 . . . t1), [t1 . . . t2), . . .〉, such that (all) discontinuous changestake place at some boundary point ti .


In an interval [ti . . . ti+1), the mode variables will be constant, butthe pliant variables will change continuously, subject to:

I Zeno: there is a constant δZeno, such that for all i needed,ti+1 − ti ≥ δZeno.

II Limits: for every variable x , and for every time t ∈ T , the left

limit limδ→0 x(t − δ) written−−→x(t) and right limit

limδ→0 x(t + δ), written←−−x(t) (with δ > 0) exist, and for every

t, x(t) =←−−x(t).

III Differentiability: The behaviour of every pliant variable x inthe interval [ti . . . ti+1) is given by the solution of a well posedinitial value problem D xs = φ(xs, t). “Well posed” meansφ(xs, t) has uniformly bounded Lipschitz constants (w.r.t. xs),and φ(xs, t) is measurable in t.


There are mode transitions ((any) variable can changediscontinuously), and pliant transitions (pliant variables canchange continuously). We say that a set of rules is well formed iff:

• Every enabled mode transition is feasible, i.e. has anafter-state, and on its completion enables a pliant transition(but does not enable any mode transition).

• Every enabled pliant transition is feasible, i.e. has atime-indexed family of after-states, and EITHER:

(i) During the run of the pliant transition a mode transitionbecomes enabled. It preempts the pliant transition. ORELSE

(ii) During the run of the pliant transition it becomes infeasible:finite termination. ORELSE

(iii) The pliant transition continues indefinitely: nontermination.

A mode transition establishes the initial state.


4. Extending Event-B forHybrid Behaviour

First: keep the discrete transitions as is.

Sequence of states σi of standard (discrete, i.e. mode) E-Bvariables becomes a sequence of piecewise constant functions[ti . . . ti+1) 7→ σi

These stitch together to give a state function T → TY .

Usual E-B transition σi → σi+1 are from/to:

Before-state: −−→σi+1

After-state: σi+1

Use the same semantics for discrete transitions of pliant variables.


4. Extending Event-B forHybrid Behaviour

First: keep the discrete transitions as is.

Sequence of states σi of standard (discrete, i.e. mode) E-Bvariables becomes a sequence of piecewise constant functions[ti . . . ti+1) 7→ σi

These stitch together to give a state function T → TY .

Usual E-B transition σi → σi+1 are from/to:

Before-state: −−→σi+1

After-state: σi+1

Use the same semantics for discrete transitions of pliant variables.


Second: allow pliant variables to change according to Caratheodorysemantics of ordinary differential equations.

SOLVE D x = φ

(This allows discontinuities in RHS of the ODE, while ensuringabsolute continuity of solutions, and (pointwise) validity of theODE almost everywhere.)

Allow initial value and guard conditions (on before-states (only))to control enabledness.

General theory ensures the existence a (t-dependent) family oftransitions Q(ti , t) (... for t ∈ (ti . . . t)), where t > ti , and Qrelates σi = σ(ti ) at ti to σ(t) at t.

Preemption/feasibility defines ti+1 obeying ti < ti+1 ≤ t.


Caratheodory formulation underpins other forms of expression forpliant events.

SOLVE y := E

Direct assignment to E : semantics via D y := DE

Allow additional conditions during the evolution to influencefeasibility.

COMPLY BDApred

Specifies the family of absolutely continuous behaviours satisfyingBDApred .

Preemption/feasibility defines ti+1 obeying ti < ti+1 ≤ t.


Formal Semantics (Sketch)

[1] Initialise. (Mode event.) i := 0[2a] choose an enabled pliant event from each machine that has

one. (Consistency.) or else[2b] choose a pliant continuation for each machine that has

one. (Consistency.) or else[2b] abort if any pliant variable unspecified.[3] find maximal mutually consistent solution on [ti . . . tnew).[4] find earliest mode event preemption point in (ti . . . tnew),

if there is one. (If not, finite or infinite termination).[5] implement mode event preemption; i++; discard solution in

(ti . . . tnew).[6] goto [2].

Semantics is a set of behaviours over [t0 . . . tfinal), or void.


Refinement

Fundamental Principle:

• In Hybrid Event-B, time moves at the same rate in all modelsof a refinement chain. Gives tight abstract/concrete coupling.

MoEvA1 MoEvA2MoEvA3

MoEvC1 MoEvC2 MoEvC3

MoEvC2.1 MoEvC2.2

PliEvA1

PliEvA2

PliEvC1

PliEvC2.1

PliEvC2.2

PliEvC2.3


5. Schematic Syntax

Mode events ... nothing special:

MoEvANY i?, l , o!WHERE grd(−→u , i?, l)THEN u, o! : | BApred(−→u , i?, l ,

←−u′ , o!)

END

The overarrows constitute semantic decoration.


A full machine:

MACHINE HyEvBMchTIME tCLOCK clkPLIANT x , yVARIABLES uINVARIANTS

x ∈ Ry ∈ Ru ∈ N


STATUS ordinaryWHEN

t = 0THEN

clk := 1x := x0

y := y0

u := u0

END. . . . . .

. . . . . .MoEv

STATUS ordinaryANY i?, l , o!WHERE grd(x , y , u, i?, l , t, clk)THEN

x , y , u, o!, clk : | BApred(x , y , u, i?, l , t, clk, x ′, y ′, u′, o!, clk ′)

ENDPliEv

STATUS pliantINIT iv(x , y , u, t, clk)WHERE grd(u)ANY i?, l , o!COMPLY BDApred(x , y , u, i?, l , o!, t, clk)SOLVE D x = φ(x , y , u, i?, l , t, clk)

y , o! := E(x , u, i?, l , t, clk)END

END


6. Proof Obligations

Like discrete Event-B, Hybrid Event-B semantics are enforced viaproof obligations.

• Initialisation.

• Event feasibility: mode/pliant.

• Event invariant preservation: mode/pliant.

• Well-formedness: mode→pliant/pliant→mode.

• Refinement, guard strengthening: mode/pliant.

• Refinement, invariant preservation: mode/pliant.

• Relative deadlock freedom: mode/pliant.

• Etc.


7. Lane Centering

Overview.

Target Path

Lane boundary

Correction Anglecentral line

Offset: -1


7. Lane Centering

Overview.

LCCPath

Generator

Image Processing

Unit

1. Yaw angle2. Yaw rate3. Steering angle4. Lateral speed5. Longitudinal speed6. Offset (by Driver)

Target Path

Predicted Path Steering angle

1. Lateral position2. Road curvature

Safety Margin


7. Lane Centering

State transition diagram.

STANDBY

OFF

ACTIVE

SwOn SwOff

Aligned

OVERRIDE

ERROR

SwOff,OOAl

SwOffIndOff,

IndOn,ResumeOvrSteer

Error

Error

Error

UnAl


MACHINE LCC 0VARIABLES modeINVARIANTS

mode ∈ {OFF , STANDBY , ACTIVE ,OVERRIDE , ERROR}


STATUS ordinaryBEGIN

mode := OFFEND

SwOnSTATUS ordinaryANY in?WHERE in? = swOn ∧ mode = OFFTHEN mode := STANDBYEND

. . . . . . . . . . . .UnAl

STATUS ordinaryANY in?WHERE in? = tryAct∧

mode = STANDBYTHEN skipEND

AlignedSTATUS ordinaryANY in?WHERE in? = tryAct∧

mode = STANDBYTHEN mode := ACTIVEEND

. . . . . . . . . . . .

. . . . . . . . . . . .OvrSteer

STATUS ordinaryANY in?WHERE in? = ovrSteer∧

mode = ACTIVETHEN mode := OVERRIDEEND

ResumeSTATUS ordinaryANY in?WHERE in? = resume∧

mode = OVERRIDETHEN mode := ACTIVEEND

. . . . . . . . . . . .Error

STATUS ordinaryANY in?WHERE in? = error ∧ mode ∈{STANDBY , ACTIVE ,OVERRIDE}

THEN mode := ERROREND

PliTrueSTATUS pliantCOMPLY INVARIANTSEND

END


INTERFACE LCC PG IFPLIANT trq, θT , dINVARIANTS

trq ∈ R ∧ |trq| ≤ MAXtrqθT ∈ R ∧ |θT| ≤ MAXθd ∈ R ∧ |d| ≤ MAXd

INITIALISATIONtrq ∈ [−MAXtrq . . .MAXtrq ]θT := 0d := 0

END

MACHINE LCC 1REFINES LCC 0CONNECTS LCC PG IFVARIABLES modePLIANT θINVARIANTS

mode ∈ {OFF , STANDBY , ACTIVE ,OVERRIDE , ERROR}

θ ∈ R ∧ |θ| ≤ MAXθEVENTS

INITIALISATION. . . . . . . . . . . .

PliDefaultSTATUS pliantREFINES PliTrueWHEN mode 6= ACTIVECOMPLY INVARIANTSEND

SwOn. . . . . . . . . . . .

SwOff. . . . . . . . . . . .

UnAlSTATUS ordinaryREFINES UnAlANY in?, out!WHERE in? = tryAct∧

mode = STANDBY∧¬(|d| < ∆d ∧ |θ − θT| < ∆θ)

THEN out! := BEEPEND

AlignedSTATUS ordinaryANY in?WHERE in? = tryAct∧

mode = STANDBY∧(|d| < ∆d ∧ |θ − θT| < ∆θ)

THEN mode := ACTIVEEND

LCC ActiveSTATUS pliantREFINES PliTrueWHEN mode = ACTIVESOLVE Dθ = −C(θ − θT )− KdEND

SwOff EmrgSTATUS ordinaryREFINES SwOffANY out!WHEN mode = ACTIVE∧¬(|d| < ∆d ∧ |θ − θT| < ∆θ)

THEN mode := OFFout! := BEEP

END. . . . . . . . . . . .. . . . . . . . . . . .


8. Conclusions

Hybrid Event-B gives the capability of addressing continuousconcerns in an honest manner ... e.g. closed-loop control.

In future:

• Reasoning framework(s).

• RODIN enhancement.

• Etc.

A Hybrid Event-B Study of Lane Centering · R. Banach, M. Butler A Hybrid Event-B Study of Lane Centering 5 2. Discrete Event-B Event-B is a simpli cation of the Classical B-Method

Documents