Heterogeneous Modeling: Hybrid Systems

Outline
• Hybrid Models
• Languages and Verification Problems
  - Simulink and StateFlow
  - CheckMate
  - Charon
  - Masaccio
  - SHIFT
Motivation
• Hybrid systems are becoming a major modeling paradigm for embedded systems
  - capability of modeling both the controller and the plant
  - use of multiple, concurrent levels of abstraction
• Difficult to verify and to design
  - combination of continuous and discrete dynamics of different types
  - lack of "operationally strong" theoretical results
• Variety of tools and approaches, mutually incompatible because of modeling differences
Foundations of the Hybrid Model
• Uses the classic model by J. Lygeros, S. Sastry and C. Tomlin as basis
• The model consists of three parts:
  - Structure: sets, discrete and dynamical components
  - Time bases: intervals over which behavior is continuous
  - Hybrid execution: rules according to which jumps and continuous flows occur
• Observations:
  - non-deterministic behavior is allowed (and needed)
  - fixed interaction structure
CheckMate Hybrid Model (figure; source: B. Krogh)
System Specifications
[Block diagram: the Driver acts on the Vehicle through Key, Brake, Gas and Transmission; the Engine & Driveline Controller outputs spark advance, injection time and throttle angle; vehicle quantities of interest are force, speed, acceleration, jerk, rpm, fuel consumption, emissions, external noise, temperature, ...]
Closed loop vehicle model
[State diagram of the driver / power-train hybrid model; the information recoverable from it follows.]
INPUTS: G - Gas Pedal; T - Clutch Pedal & Gear Stick; B - Brake Pedal; C - Cruise Control; K - Key; D - Comfort
OUTPUTS: n - Engine Speed; FG - Generated Force; VG - Vehicle Speed
Discrete states: Stop (n = 0, FG = 0); Startup (FG = 0); Idle (FG = 0); Idle & Transm. On (FG = FG(G, T, n)); Rpm Tracking (n = argmin(Mfuel), FG = 0); Force Tracking (FG = FG(G, T, n)); Fast Positive Force Transient; Fast Negative Force Transient; Speed Tracking (VG = VG(.))
Guard conditions appearing on the transitions include: K = Start; n > nstartup; (n < nmin) | (K = Off); G > 0; G = 0; T > 0; T = 0; (G > 0) & (T > 0); T > 0 & G = 0; B = 1; C = 1; fI(n) = 0 & G = 0; fI(n, G) > 0; and time-outs t > tau on the transient states.
Optimization annotations: min f(D, Mfuel); max D; constraints Mfuel < Mmax and D > Dmin.
Model of Power-train
[Power-train block diagram; its text did not survive extraction.] Simple?
Combustion Process
[Four-stroke cycle diagram over crankshaft angle: INTAKE, COMPRESSION, EXPANSION, EXHAUST, with phase boundaries marked at 120°, 320°, 440° and 570°.]
Engine and Drive-line
• positive spark advance: the spark is given before the TDC (top dead center) between C (compression) and E (expansion)
• negative spark advance: the spark is given after the TDC between C and E
FSM for a single cylinder (figure)
Single Cylinder Hybrid Model (figure)
Hybrid Model vs Mean-Value Model
• Mean-value model: accurate over a longer time window
  - regulation control problems
  - low-performance transient problems
• Hybrid model: cycle accurate
  - transient control problems
  - stability of delay-sensitive control algorithms
  - high-performance control algorithms
Hybrid Systems Languages
• Simulation: Charon, SHIFT, Stateflow + Simulink
• Formal verification: Masaccio, CheckMate
What is a simulator?
• Given a mathematical model of the system, it computes the system's evolution and its outputs under a pre-determined set of inputs
• The mathematical model expresses heterogeneity and concurrency
• The simulator computes the response of the model by mapping it onto the "device" used to carry out the computation
• In general, the computing device has limited resources and is digital
  - We must embed the model's notion of time into the model of the computing device, which gives the "common denominator" (e.g., discretize time, synchronize)
  - We must map a set of concurrent processes onto a sequential system (e.g., schedule the execution of the concurrent processes)
Hybrid Systems Simulation
[Figure: a Continuous Time domain (integrator, hold) and a domain for FSM, Discrete Event and other MoCs exchange inputs and outputs over time t through an Interface that performs sampling and evaluates invariants & guards.]
Hybrid System Simulation
A simulator for hybrid systems must capture different types of behaviors:
  - continuous time
  - discrete events
  - FSMs, ...
and resolve the domain interface problems.
Continuous Time
• The model of computation is DISCRETE TIME
  - All variables are computed at each time point: no run-time scheduling decisions on variable computation
  - The time interval can be
    · fixed (bad for stiff systems), but then there is no run-time decision
    · variable (sophisticated solvers have this)
• A variable time step algorithm predicts a time step that will satisfy the accuracy criterion, based on previous behavior
• After the actual computation, the step may be rejected because the accuracy constraints are violated
• This amounts to run-time scheduling
Discrete Domain
• Two basic techniques:
  - Zero-time assumption:
    · static scheduling of computation
    · can be done off-line for maximum efficiency (cycle-based simulation)
  - Components modeled with delay (Discrete Event model):
    · all components evaluated at every time point (wasteful), or
    · follow the reaction to events: schedule only the components whose inputs have changed (assumes the internal dynamics are completely captured by a pure delay): selective-trace event-driven simulation
Zero-time Loops
[Figure: a feedback loop between a block computing dx/dt and x, with initial value x0, closed without delay.]
For f : S → S, define the semantics to be a fixed point of f, i.e. s such that f(s) = s.
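The two discrete-domain techniques above, as an added example that is not part of the original slides: a small Python simulator in which gates with a delay are scheduled through an event queue and re-evaluated only when one of their inputs changes (selective trace), while zero-delay gates are resolved at every time point by iterating to the fixed point f(s) = s from an "unknown" value. The three-valued gate library, the SR latch and the ring oscillator are constructed for the example.

```python
import heapq
from typing import Callable, Dict, List, Optional, Set, Tuple

Value = Optional[bool]   # None is "unknown", the bottom of the 3-valued lattice
UNKNOWN: Value = None


def nand3(a: Value, b: Value) -> Value:
    """3-valued NAND: a False input decides the output even while the other
    input is unknown, which is what lets a fixpoint iteration progress
    around a zero-time loop."""
    if a is False or b is False:
        return True
    if a is UNKNOWN or b is UNKNOWN:
        return UNKNOWN
    return False


def not3(a: Value) -> Value:
    return UNKNOWN if a is UNKNOWN else (not a)


class Gate:
    def __init__(self, name: str, fn: Callable[..., Value], inputs: List[str],
                 output: str, delay: int = 0):
        self.name, self.fn, self.inputs, self.output, self.delay = name, fn, inputs, output, delay


class DiscreteSim:
    """Gates with delay > 0 are re-evaluated only when an input changes and
    their new output is scheduled as an event; gates with delay 0 are
    resolved at each time point by a fixpoint iteration from UNKNOWN."""

    def __init__(self, gates: List[Gate]):
        self.gates = gates
        self.signals: Dict[str, Value] = {}
        for g in gates:
            self.signals[g.output] = UNKNOWN
            for i in g.inputs:
                self.signals.setdefault(i, UNKNOWN)
        self.readers: Dict[str, List[Gate]] = {s: [] for s in self.signals}
        for g in gates:
            for i in g.inputs:
                self.readers[i].append(g)
        self.events: List[Tuple[int, int, str, Value]] = []   # (time, seq, signal, value)
        self.trace: List[Tuple[int, str, Value]] = []          # every signal change
        self.now, self._seq, self.evaluations = 0, 0, 0

    def schedule(self, t: int, sig: str, val: Value) -> None:
        self._seq += 1
        heapq.heappush(self.events, (t, self._seq, sig, val))

    def _eval(self, g: Gate) -> Value:
        self.evaluations += 1
        return g.fn(*(self.signals[i] for i in g.inputs))

    def _fixpoint(self) -> Set[str]:
        """Least fixpoint over the zero-delay gates. The gate functions are
        monotone on the lattice, so each output moves from UNKNOWN to a
        Boolean at most once and the loop terminates; a loop with no single
        consistent Boolean solution settles at UNKNOWN."""
        zero = [g for g in self.gates if g.delay == 0]
        before = {g.output: self.signals[g.output] for g in zero}
        for g in zero:
            self.signals[g.output] = UNKNOWN
        progressed = True
        while progressed:
            progressed = False
            for g in zero:
                v = self._eval(g)
                if v != self.signals[g.output]:
                    self.signals[g.output] = v
                    progressed = True
        return {s for s, v in before.items() if self.signals[s] != v}

    def run(self, until: int) -> None:
        while self.events and self.events[0][0] <= until:
            t = self.now = self.events[0][0]
            changed: Set[str] = set()
            while self.events and self.events[0][0] == t:      # all events of this time point
                _, _, sig, val = heapq.heappop(self.events)
                if self.signals[sig] != val:
                    self.signals[sig] = val
                    changed.add(sig)
                    self.trace.append((t, sig, val))
            for sig in self._fixpoint():                        # zero-time part settles instantly
                changed.add(sig)
                self.trace.append((t, sig, self.signals[sig]))
            # selective trace: only delayed gates that read a changed signal are evaluated
            to_eval = {g.name: g for s in changed for g in self.readers[s] if g.delay > 0}
            for g in to_eval.values():
                self.schedule(t + g.delay, g.output, self._eval(g))


def sr_latch(s_n: bool, r_n: bool) -> Tuple[Value, Value]:
    """Cross-coupled zero-delay NANDs. Set and reset yield Booleans; the hold
    case (both inputs True) has two Boolean fixpoints, and the least-fixpoint
    semantics reports UNKNOWN: a zero-time loop cannot model memory."""
    sim = DiscreteSim([Gate("g1", nand3, ["s_n", "qb"], "q"),
                       Gate("g2", nand3, ["r_n", "q"], "qb")])
    sim.schedule(0, "s_n", s_n)
    sim.schedule(0, "r_n", r_n)
    sim.run(0)
    return sim.signals["q"], sim.signals["qb"]


def ring_oscillator(until: int) -> List[Value]:
    """A NOT gate with a 2-unit delay feeding itself: the delay turns the loop
    into a sequence of events (period 4) instead of a fixpoint problem."""
    sim = DiscreteSim([Gate("inv", not3, ["x"], "x", delay=2)])
    sim.schedule(0, "x", False)
    sim.run(until)
    return [v for _, _, v in sim.trace]
```

The same circuit written with delayed gates and with zero-delay gates behaves differently: memory (the latch's hold case) needs a component with delay, exactly the distinction the slide draws between the two techniques.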
Synchronization Problem
• "Synchronization" between domains:
  - sample the continuous-time interface variables
  - integrate the discrete-event interface signals
  - detect guards and invariants (zero-crossing detection)
Simulator Architecture
• One simulator (e.g. Ptolemy)
  - different algorithms for each domain and a single scheduler
• N simulators (e.g. Simulink-StateFlow, Simulink-Bones, Simulink-VCC)
  - one simulator per domain (a different scheduler per domain) and communication among the simulators
  - the scheduler works by transferring control to a simulator
  - much less efficient, but easier to do!
Invariant Detection
• One approach: the discrete-event simulator checks the conditions by sampling the continuous-time variables
• Advantages:
  - easiest implementation
  - strong separation between the two domains
• Drawbacks:
  - high-precision detection is reached only at the cost of long simulation time
  - high inter-process communication overhead
• Partial solution:
  - simulation look-ahead
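Variable-step integration with step rejection (the Continuous Time slide) and guard detection with look-ahead (this slide), as an added example not taken from the original: a bouncing ball integrated in Python with an Euler/Heun embedded pair. The accuracy criterion rejects and shrinks steps; once a step is accurate, the guard x = 0 is evaluated on the predicted state, and a crossing inside the step is localized by bisection on the step length before the jump is applied. Gravity, restitution, tolerance and the rest threshold are constructed values; the rest threshold handles the Zeno accumulation of ever-shorter bounces that would otherwise stall the simulation.

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple

State = Tuple[float, float]   # (height x, velocity v)

G = 9.81            # constructed: gravity [m/s^2]
RESTITUTION = 0.8   # constructed: fraction of speed kept at a bounce
V_REST = 0.1        # constructed: below this post-bounce speed the ball is put to rest


def flow(y: State) -> State:
    """Continuous dynamics of the falling mode: x' = v, v' = -g."""
    return (y[1], -G)


def heun_step(y: State, h: float) -> Tuple[State, float]:
    """Embedded Euler/Heun pair: returns the Heun result and |Heun - Euler|,
    the local error estimate used by the step-size controller."""
    k1 = flow(y)
    euler = (y[0] + h * k1[0], y[1] + h * k1[1])
    k2 = flow(euler)
    heun = (y[0] + 0.5 * h * (k1[0] + k2[0]), y[1] + 0.5 * h * (k1[1] + k2[1]))
    return heun, max(abs(heun[0] - euler[0]), abs(heun[1] - euler[1]))


def guard(y: State) -> float:
    """Guard as a zero-crossing function: the floor is hit when x falls through 0."""
    return y[0]


def locate_crossing(y: State, h: float, eps: float = 1e-10) -> Tuple[State, float]:
    """Precondition: the step of length h from y ends with guard <= 0 while the
    trajectory starts above the floor. Bisect on the step length until the
    post-step state lies within eps of the guard surface."""
    lo, hi = 0.0, h
    y_hi, _ = heun_step(y, hi)
    for _ in range(200):
        if abs(guard(y_hi)) < eps:
            break
        mid = 0.5 * (lo + hi)
        y_mid, _ = heun_step(y, mid)
        if guard(y_mid) > 0:
            lo = mid
        else:
            hi, y_hi = mid, y_mid
    return y_hi, hi


@dataclass
class Result:
    bounces: List[float] = field(default_factory=list)   # times at which the jump fired
    accepted: int = 0
    rejected: int = 0
    min_height: float = math.inf
    at_rest: bool = False
    final: Tuple[float, float, float] = (0.0, 0.0, 0.0)    # (t, x, v)


def simulate(x0: float = 1.0, v0: float = 0.0, t_end: float = 5.0,
             tol: float = 1e-5, h0: float = 0.1) -> Result:
    res = Result()
    t, y, h = 0.0, (x0, v0), h0
    while t_end - t > 1e-9:
        h = min(h, t_end - t)
        y_new, err = heun_step(y, h)
        if err > tol:                                   # accuracy check failed: reject, shrink, retry
            res.rejected += 1
            h *= max(0.2, 0.9 * math.sqrt(tol / err))
            continue
        # look-ahead: the accurate step is checked against the guard before being committed
        if guard(y_new) <= 0 and (guard(y) > 0 or y[1] > 0):
            y_at, h_used = locate_crossing(y, h)
            t += h_used
            res.bounces.append(t)
            v_after = -RESTITUTION * y_at[1]            # jump: reflect velocity, project x onto the guard
            if v_after < V_REST:                        # Zeno handling: declare rest instead of chattering
                res.at_rest, y = True, (0.0, 0.0)
                break
            y = (0.0, v_after)
            continue                                    # keep the step size for the next attempt
        t, y = t + h, y_new
        res.accepted += 1
        res.min_height = min(res.min_height, y[0])
        h *= min(2.0, max(0.2, 0.9 * math.sqrt(tol / max(err, 1e-16))))
    res.final = (t, y[0], y[1])
    return res
```

Sampling the guard only at the solver's own time points, the approach the slide calls easiest, would place each bounce anywhere inside a step; the bisection is the look-ahead that recovers the crossing time to within the tolerance at the cost of a few extra evaluations of the flow per event.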
Outline
• Introduction to WP
• Hybrid Models
• Languages and Verification Problems
  - Simulink and StateFlow
  - CheckMate
  - Charon
  - Masaccio
  - SHIFT
• Conclusions and Future Work
The CheckMate Model: TEDHS (source: B. Krogh)
Three parts:
  - Switched Continuous System (SCS): takes the discrete-valued input u and produces the continuous state vector x as output to the TEG.
  - Threshold Event Generator (TEG): produces an event when a component of x crosses a corresponding threshold from the specified direction (rising, falling, or both) and feeds the FSM.
  - Finite State Machine (FSM): its output, in turn, drives the continuous dynamics of the SCS.
[Two figure slides of the TEDHS structure follow; source: B. Krogh]
The Polyhedral Invariant Hybrid Automaton (PIHA)
A PIHA is a hybrid automaton with the following restrictions:
  - The continuous dynamics in each location is governed by an ordinary differential equation (ODE).
  - Each guard condition is a linear inequality (a hyperplane guard).
  - Each reset condition is the identity.
  - For the hybrid automaton to remain in a location, all guard conditions of that location must be false. This implies that the invariant of any location is the convex polyhedron defined by the conjunction of the complements of its guards, which gives the automaton its name.
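The TEDHS decomposition and the PIHA invariant, as an added example that is not CheckMate's own code: a thermostat in Python with the three parts kept separate. The SCS is a one-dimensional linear ODE solved in closed form, the TEG computes the exact time at which a threshold is crossed in its stated direction, and the FSM output selects the SCS input u; the reset is the identity. A generic polyhedral-invariant check (all hyperplane guards false) is then applied to sampled points of every flow segment. Temperatures, rates and thresholds are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Switched Continuous System (SCS): x' = -A (x - T_ENV) + B u with u in {0, 1}
A, B, T_ENV = 0.1, 2.0, 10.0       # constructed: 1/min, degC/min, degC


def equilibrium(u: int) -> float:
    return T_ENV + B * u / A


def scs_flow(x0: float, u: int, dt: float) -> float:
    """Exact solution of the location's linear ODE after dt minutes."""
    xe = equilibrium(u)
    return xe + (x0 - xe) * math.exp(-A * dt)


# Threshold Event Generator (TEG)
@dataclass(frozen=True)
class Threshold:
    name: str
    level: float
    direction: str                 # "rising", "falling" or "both"


def next_threshold_event(x0: float, u: int,
                         thresholds: Sequence[Threshold]) -> Optional[Tuple[float, str]]:
    """Earliest relative time at which the SCS flow from x0 crosses a threshold
    in its stated direction, or None if the flow converges to its
    equilibrium without crossing any of them."""
    xe = equilibrium(u)
    best = None
    for th in thresholds:
        rising = x0 < th.level < xe
        falling = xe < th.level < x0
        if (rising and th.direction in ("rising", "both")) or \
           (falling and th.direction in ("falling", "both")):
            t = -math.log((th.level - xe) / (x0 - xe)) / A
            if best is None or t < best[0]:
                best = (t, th.name)
    return best


# Finite State Machine (FSM): events from the TEG switch it, its output u drives the SCS
FSM: Dict[Tuple[str, str], str] = {("ON", "hot"): "OFF", ("OFF", "cold"): "ON"}
CONTROL: Dict[str, int] = {"ON": 1, "OFF": 0}
THRESHOLDS = [Threshold("hot", 22.0, "rising"), Threshold("cold", 18.0, "falling")]


def run_tedhs(x0: float = 20.0, state: str = "ON",
              t_end: float = 20.0) -> List[Tuple[float, str, str, float]]:
    """Closed loop SCS -> TEG -> FSM -> SCS. Returns (time, event, new state, x)."""
    t, x, log = 0.0, x0, []
    while True:
        ev = next_threshold_event(x, CONTROL[state], THRESHOLDS)
        if ev is None or t + ev[0] > t_end:
            break
        dt, name = ev
        t += dt
        x = scs_flow(x, CONTROL[state], dt)        # reset is the identity: x carries over unchanged
        state = FSM.get((state, name), state)      # events without a transition are ignored
        log.append((t, name, state, x))
    return log


# PIHA: a location's guards are half-spaces c.x >= d; its invariant is the open
# polyhedron where every guard is false
@dataclass(frozen=True)
class Location:
    name: str
    guards: Tuple[Tuple[Tuple[float, ...], float], ...]


def in_invariant(loc: Location, x: Sequence[float]) -> bool:
    return all(sum(ci * xi for ci, xi in zip(c, x)) < d for c, d in loc.guards)


def check_thermostat_invariants(n_samples: int = 50) -> bool:
    """Every flow segment produced by the TEDHS run must stay inside the PIHA
    invariant of its location until the TEG fires."""
    locs = {"ON": Location("ON", (((1.0,), 22.0),)),        # guard  x >= 22
            "OFF": Location("OFF", (((-1.0,), -18.0),))}    # guard -x >= -18, i.e. x <= 18
    t, x, state = 0.0, 20.0, "ON"
    for t_ev, _, new_state, x_ev in run_tedhs():
        dt = t_ev - t
        for k in range(n_samples):                 # strictly inside the segment
            xs = scs_flow(x, CONTROL[state], dt * (k + 0.5) / n_samples)
            if not in_invariant(locs[state], [xs]):
                return False
        t, x, state = t_ev, x_ev, new_state
    return True
```

The closed-form flow is what makes the TEG exact here; with a general ODE the TEG would have to rely on the zero-crossing detection discussed earlier, which is why CheckMate restricts the dynamics and the guards in the first place.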
CheckMate Summary
• Integrated with Matlab/Simulink/StateFlow
• Limited semantics, to simplify analysis and allow formal verification
• Uses Simulink constructs to enter the model
• Based on reachability analysis that abstracts the continuous dynamics away
• Can perform simulation, partial and complete verification
• Computationally complex...
What is Charon?
Charon is a high-level modeling language and a design environment for hybrid systems, reflecting the current state of the art in both formal and object-oriented methods (UML).
• Architectural hierarchy (agents)
• Behavioral hierarchy (modes)
• Charon toolkit: syntax-directed editor, parser and type checker, global simulator, plotter (from Ptolemy)
Language Summary
• Individual components are described as agents
• Individual behaviors are described as modes
• Support for concurrency
  - shared variables as well as message passing
• Support for discrete and continuous behavior
• Well-defined formal semantics
Continuous Behavior in Charon
• Differential constraints:
    write Position robot_Pos;
    diff diffStop { d(robot_Pos.x) = 0.0; d(robot_Pos.y) = 1.0; }
• Algebraic equations:
    write real robotEST;
    read x;
    alge contEST { robotEST = foo(x) + bar(x); }
• Invariant constraints in modes:
    inv invTUCost { lub <= x <= gub; }
Simulation in Charon
• In the present approach, a program-specific simulator is generated from the Charon program
• Each object of the Charon program is converted into an executable Java object
• Together with a program-independent core, these objects implement the behavior of the program (compiled-code simulator)

Future Extensions
• Graphical input language
• Modular simulation
• Model checker
Embedded Software Design: Current State
[Figure: Model (e.g., Simulink) -> Design -> Simulate -> Code generation -> Code, with a Redesign loop back to the model.]
• No exact correspondence between model and code:
  - difficult to upgrade code
  - difficult to reuse code
• No formal connection between requirements, model, and resources:
  - expensive development cycle that iterates through all stages

Embedded Software Design: UCB and PARADES Vision
[Figure: Model -> Design -> Verify -> Compilation (analysis, optimization, and code generation) -> Code.]
[Figure: layered design flow with the levels DESIGN, MODEL, PROGRAM and EXECUTABLE; languages and layers SLDL, MASACCIO, ATL, GIOTTO, GIOTTO-ASC and RTOS; artifacts Hierarchical Hybrid Modules and Time-Triggered Blocks of C Code; activities Model-check, Compile, Synthesize and Refine; inputs REQUIREMENTS and CONSTRAINTS, with ARCHITECTURE / SCHEDULER / COMMUNICATION given.]
MASACCIO
Semantics: Component = interface + behaviors
Interface (the "statics"):
• Variables: input/output, discrete/continuous (data)
• Locations: entry/exit (control)
Behavior (the "dynamics"):
• Jumps: all variables may change (instantaneous)
• Flows: continuous variables evolve (real-valued duration)
Masaccio & Charon: an informal comparison
Charon's hierarchy:
  - architectural -> agents -> parallel composition
  - behavioral -> modes -> parallel & serial composition
Masaccio's hierarchy:
  - both architectural & behavioral -> components -> parallel & serial composition
Features:
  - Charon -> simulation; more developed
  - Masaccio -> formal verification; few papers and few applications; focusing on Giotto at the moment
SHIFT
• Motivation: California PATH Smart AHS (Automated Highway Systems)
• Semantics: similar to other languages, but with extensions for creating and deleting components (i.e. hybrid sub-systems) dynamically
• Syntax: C-like (component types akin to struct types in C)

SHIFT
• SHIFT = Hybrid System Tool Interchange Format
• Programming language for describing dynamic networks of hybrid automata
• Hybrid systems are components: they can be created, interconnected and destroyed as the system evolves
• Components may evolve independently, or interact through their inputs, outputs and exported events. The interaction network itself may evolve.
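A SHIFT-style dynamic network, as an added example in Python (not SHIFT code, whose syntax is C-like): vehicles are hybrid automata with modes CRUISE and FOLLOW; they are created at the road entrance, linked to the nearest vehicle ahead as their input, re-linked as the ordering on the road changes, and destroyed when they leave the road. Road length, speeds, spawn period and safe gap are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# constructed parameters for the example
ROAD_LENGTH = 1000.0   # m: a vehicle component is destroyed once it leaves the road
SAFE_GAP = 50.0        # m: below this gap a vehicle switches to FOLLOW
ACCEL = 2.0            # m/s^2 in CRUISE
DT = 0.5               # s: step of the explicit Euler flow
SPAWN_PERIOD = 10.0    # s: a new vehicle component is created at the entrance
DESIRED_SPEEDS = [25.0, 20.0, 30.0, 22.0]   # m/s, cycled over the created vehicles


@dataclass
class Vehicle:
    """One hybrid automaton: continuous state (x, v), modes CRUISE and FOLLOW.
    Its only input is `leader`, a link to another component's outputs (x, v)
    that the network rewires whenever the ordering on the road changes."""
    vid: int
    v_des: float
    x: float = 0.0
    v: float = 0.0
    mode: str = "CRUISE"
    leader: Optional["Vehicle"] = None

    def step(self) -> bool:
        """One DT: discrete transitions guarded on own and linked state, then
        the flow of the current mode. Returns True on a switch into FOLLOW."""
        gap = self.leader.x - self.x if self.leader else float("inf")
        switched = False
        if self.mode == "CRUISE" and gap < SAFE_GAP:
            self.mode, switched = "FOLLOW", True
        elif self.mode == "FOLLOW" and gap >= SAFE_GAP:
            self.mode = "CRUISE"
        if self.mode == "CRUISE":
            self.v = min(self.v_des, self.v + ACCEL * DT)
        else:
            self.v = min(self.v_des, self.leader.v)   # never faster than the leader inside the gap
        self.x += self.v * DT
        return switched


@dataclass
class Highway:
    """The dynamic network: a set of components that grows and shrinks at run time."""
    vehicles: List[Vehicle] = field(default_factory=list)
    created: int = 0
    destroyed: int = 0
    follow_transitions: int = 0
    time: float = 0.0

    def spawn(self) -> None:
        # create a component only when the entrance is clear
        if all(v.x > SAFE_GAP for v in self.vehicles):
            speed = DESIRED_SPEEDS[self.created % len(DESIRED_SPEEDS)]
            self.vehicles.append(Vehicle(self.created, speed))
            self.created += 1

    def rewire(self) -> None:
        # the interaction network itself evolves: each input is the nearest component ahead
        self.vehicles.sort(key=lambda v: v.x)
        for i, veh in enumerate(self.vehicles):
            veh.leader = self.vehicles[i + 1] if i + 1 < len(self.vehicles) else None

    def step(self, k: int) -> None:
        if k % int(round(SPAWN_PERIOD / DT)) == 0:
            self.spawn()
        self.rewire()
        for veh in self.vehicles:           # ascending order: a follower reads its leader's previous outputs
            if veh.step():
                self.follow_transitions += 1
        gone = [v for v in self.vehicles if v.x > ROAD_LENGTH]
        for v in gone:
            self.vehicles.remove(v)         # destroy the component; its followers are relinked next step
        self.destroyed += len(gone)
        self.time += DT


def run(t_end: float) -> Highway:
    hw = Highway()
    for k in range(int(round(t_end / DT))):
        hw.step(k)
    return hw


def collision_free(hw: Highway) -> bool:
    """Positions strictly increase along the road: no two components overlap."""
    xs = sorted(v.x for v in hw.vehicles)
    return all(a < b for a, b in zip(xs, xs[1:]))
```

Because the set of components and the links between them are recomputed every step, a vehicle whose leader has been destroyed simply acquires the next one ahead, which is the behaviour the slide describes as an evolving interaction network.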