Bridging the Gap between Reactive Synthesis and Supervisory Control · 2013-11-06 · Bridging the...
Transcript of Bridging the Gap between Reactive Synthesis and Supervisory Control · 2013-11-06 · Bridging the...
Bridging the Gap between
Reactive Synthesis and Supervisory Control
Rudiger Ehlers (Berkeley, Cornell), Stephane Lafortune(Michigan), Stavros Tripakis (Berkeley), and Moshe Vardi (Rice)
ExCAPE Review Meeting – 20 August 2013
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 1 / 20
“Classic” Synthesis Frameworks
I Reactive synthesis:I From declarative specifications (e.g., LTL formulas) to
implementations (e.g., Mealy or Moore state machines).I On the Synthesis of a Reactive Module [Pnueli-Rosner,
POPL’89], but also earlier, e.g., [Church ’63].I See, e.g., Moshe Vardi’s summer school tutorial for details.
I Supervisory control:I Feedback control for discrete-event systems (DES).I Supervisory control of a class of discrete event processes and
On the supremal controllable sublanguage of a given language[Ramadge-Wonham, SIAM J. Control Optim. ’87].
I See, e.g., [Cassandras & Lafortune ’08] .
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 2 / 20
This Work
I Bridge the gap: how are the two frameworks relatedI in theory?I in practice?
I Bridge the communities.
I Pedagogical, although results are new to our knowledge.
I Work in progress.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 3 / 20
SUPERVISORY CONTROL
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 4 / 20
Supervisory Control: General Framework
Supervisor S
closed-loop system S/G:
Plant G
events disabling
actions
I Plant generally modeled as deterministic finite-state automaton(G): regular language
I Supervisor (S) can disable controllable events.I Specifications vary, but typically:
I Safety: all behaviors of the closed-loop system must be in someset of “good” behaviors (regular sublanguage of that of G).
I Non-blockingness: supervisor must always allow system to reachan accepting (aka marked ) state.
I Maximal permissiveness: supervisor must not disable moreevents than strictly necessary.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 5 / 20
Supervisory Control: General Framework
Supervisor S
closed-loop system S/G:
Plant G
events disabling
actions
I Plant generally modeled as deterministic finite-state automaton(G): regular language
I Supervisor (S) can disable controllable events.
I Specifications vary, but typically:I Safety: all behaviors of the closed-loop system must be in some
set of “good” behaviors (regular sublanguage of that of G).I Non-blockingness: supervisor must always allow system to reach
an accepting (aka marked ) state.I Maximal permissiveness: supervisor must not disable more
events than strictly necessary.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 5 / 20
Supervisory Control: General Framework
Supervisor S
closed-loop system S/G:
Plant G
events disabling
actions
I Plant generally modeled as deterministic finite-state automaton(G): regular language
I Supervisor (S) can disable controllable events.I Specifications vary, but typically:
I Safety: all behaviors of the closed-loop system must be in someset of “good” behaviors (regular sublanguage of that of G).
I Non-blockingness: supervisor must always allow system to reachan accepting (aka marked ) state.
I Maximal permissiveness: supervisor must not disable moreevents than strictly necessary.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 5 / 20
Supervisor Synthesis: a basic problem
Simple Supervisory Control Problem (SSCP)
Given plant G, synthesize (if possible) supervisor S such that:
I S is non-blocking.
I S is maximally-permissive, that is, for any other non-blockingsupervisor S ′:
Lm(S′/G) ⊆ Lm(S/G)
I We proved: Can reduce the standard supervisory control problem(safety and non-blocking) to SSCP (non-blocking only).
I Can show that if a non-blocking supervisor exists, then themaximally-permissive non-blocking supervisor is unique andstate-based (“memoryless”).
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 6 / 20
Supervisor Synthesis: a basic problem
Simple Supervisory Control Problem (SSCP)
Given plant G, synthesize (if possible) supervisor S such that:
I S is non-blocking.
I S is maximally-permissive, that is, for any other non-blockingsupervisor S ′:
Lm(S′/G) ⊆ Lm(S/G)
I We proved: Can reduce the standard supervisory control problem(safety and non-blocking) to SSCP (non-blocking only).
I Can show that if a non-blocking supervisor exists, then themaximally-permissive non-blocking supervisor is unique andstate-based (“memoryless”).
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 6 / 20
Supervisor Synthesis: a basic problem
Simple Supervisory Control Problem (SSCP)
Given plant G, synthesize (if possible) supervisor S such that:
I S is non-blocking.
I S is maximally-permissive, that is, for any other non-blockingsupervisor S ′:
Lm(S′/G) ⊆ Lm(S/G)
I We proved: Can reduce the standard supervisory control problem(safety and non-blocking) to SSCP (non-blocking only).
I Can show that if a non-blocking supervisor exists, then themaximally-permissive non-blocking supervisor is unique andstate-based (“memoryless”).
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 6 / 20
REACTIVE SYNTHESIS
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 7 / 20
Reactive Synthesis
Reactive Synthesis Problem (RSP)
Given LTL formula φ with input/output atomic propositions,synthesize (if possible) a controller M (Moore or Mealy machine)such that all behaviors of M (inputs are uncontrollable) satisfy φ.
This is the implementability problem [Pnueli-Rosner POPL 1989].
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 8 / 20
BRIDGING THE GAP
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 9 / 20
Summary: Main Differences
I Supervisory control has explicit plants – reactive synthesis doesnot.
I Supervisors are parents – controllers are ... controllers.
I Supervisory control asks for maximally-permissive controllers –these generally don’t exist in reactive synthesis.
I (Most of) supervisory control theory done in a finite-stringsetting – reactive synthesis is about infinite strings.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 10 / 20
Reactive Synthesis with Plants
Inspired from [Kupferman et al CONCUR 2000]:
Reactive Synthesis Control Problem (RSCP)
Given plant P and temporal logic formula φ synthesize (if possible) astrategy f such that the closed-loop system satisfies φ.
I Plant modeled as a transition system with system states andenvironment states.
I Strategy disables some successors of system states.
I Different versions of the problem depending on the temporallogic used: RSCP-LTL, RSCP-CTL, RSCP-CTL*, ...
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 11 / 20
Reactive Synthesis with Plants
Inspired from [Kupferman et al CONCUR 2000]:
Reactive Synthesis Control Problem (RSCP)
Given plant P and temporal logic formula φ synthesize (if possible) astrategy f such that the closed-loop system satisfies φ.
I Plant modeled as a transition system with system states andenvironment states.
I Strategy disables some successors of system states.
I Different versions of the problem depending on the temporallogic used: RSCP-LTL, RSCP-CTL, RSCP-CTL*, ...
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 11 / 20
Reactive Synthesis with Plants
Inspired from [Kupferman et al CONCUR 2000]:
Reactive Synthesis Control Problem (RSCP)
Given plant P and temporal logic formula φ synthesize (if possible) astrategy f such that the closed-loop system satisfies φ.
I Plant modeled as a transition system with system states andenvironment states.
I Strategy disables some successors of system states.
I Different versions of the problem depending on the temporallogic used: RSCP-LTL, RSCP-CTL, RSCP-CTL*, ...
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 11 / 20
Reactive Synthesis with Plants
Inspired from [Kupferman et al CONCUR 2000]:
Reactive Synthesis Control Problem (RSCP)
Given plant P and temporal logic formula φ synthesize (if possible) astrategy f such that the closed-loop system satisfies φ.
I Plant modeled as a transition system with system states andenvironment states.
I Strategy disables some successors of system states.
I Different versions of the problem depending on the temporallogic used: RSCP-LTL, RSCP-CTL, RSCP-CTL*, ...
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 11 / 20
Maximal Permissiveness in RSCP-CTL
For some formulas maximally-permissive strategies always exist:
TheoremFor any CTL formula φ := AG EF p, where p is a state formula,RSCP admits a unique maximally-permissive state-based strategyenforcing φ (if such a strategy exists).
We therefore define a variant of RSCP-CTL:
RSCP-CTLmax
Given plant P and CTL φ := AG EF p compute (if it exists) theunique maximally-permissive state-based strategy enforcing φ.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 12 / 20
Maximal Permissiveness in RSCP-CTL
For some formulas maximally-permissive strategies always exist:
TheoremFor any CTL formula φ := AG EF p, where p is a state formula,RSCP admits a unique maximally-permissive state-based strategyenforcing φ (if such a strategy exists).
We therefore define a variant of RSCP-CTL:
RSCP-CTLmax
Given plant P and CTL φ := AG EF p compute (if it exists) theunique maximally-permissive state-based strategy enforcing φ.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 12 / 20
Results
Relations between different synthesis problems:
BSCP-NB SSCP RSCP-CTLmax
RSCP-LTLRSP
Corollary 1
special case
Theorem 5
Section 3.4
Section 3.5
supervisory control problems reactive synthesis problems
Cf. technical report under preparation. : work in progress
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 13 / 20
Results
Relations between different synthesis problems:
BSCP-NB SSCP RSCP-CTLmax
RSCP-LTLRSP
Corollary 1
special case
Theorem 5
Section 3.4
Section 3.5
supervisory control problems reactive synthesis problems
Cf. technical report under preparation. : work in progress
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 13 / 20
Reducing SSCP to RSCP-CTLmax
Main idea:
I DES can be transformed to a transition system.I Marked states labeled with atomic proposition acc.
I Non-blockingness can be expressed in CTL:
φnb := AG EF acc
i.e., from any reachable state, there exists a path to anaccepting state.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 14 / 20
Reducing SSCP to RSCP-CTLmax
TheoremLet G be a DES plant and PG its transformation.
1. A non-blocking supervisor exists for G iff a strategy enforcingφnb := AG EF acc exists for PG.
2. Assuming supervisor/strategy exist, there is a 1-1 computablemapping between the unique non-blocking maximally-permissivestate-based supervisor for G, and the uniquemaximally-permissive state-based strategy enforcing φnb on PG.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 15 / 20
Discussion
First (to our knowledge) bridge between the reactive synthesis andDES/supervisory control problems and communities.
This work would not have happened without ExCAPE!
Merely scratched the surface; expand bridge to:
I Partial observability.
I Modular, decentralized, hierarchical control architectures.
I Algorithmic procedures.
I ω-regular supervisory control theory (cf. [Thistle ’96]).
I Supervisory control of Petri nets.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 16 / 20
Discussion
First (to our knowledge) bridge between the reactive synthesis andDES/supervisory control problems and communities.
This work would not have happened without ExCAPE!
Merely scratched the surface; expand bridge to:
I Partial observability.
I Modular, decentralized, hierarchical control architectures.
I Algorithmic procedures.
I ω-regular supervisory control theory (cf. [Thistle ’96]).
I Supervisory control of Petri nets.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 16 / 20
Discussion
First (to our knowledge) bridge between the reactive synthesis andDES/supervisory control problems and communities.
This work would not have happened without ExCAPE!
Merely scratched the surface; expand bridge to:
I Partial observability.
I Modular, decentralized, hierarchical control architectures.
I Algorithmic procedures.
I ω-regular supervisory control theory (cf. [Thistle ’96]).
I Supervisory control of Petri nets.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 16 / 20
Case Studies
Two applications of supervisory control being considered:
I Collision avoidance in vehicular/robotic systemsI New discrete-event approach based on discretization in time
and space and on applying supervisory control techniques(disturbances, measurement errors, etc.)
I Efficient algorithmic techniquesI Initiating a collaboration with Hadas Kress-Gazit at Cornell
I Avoidance of concurrency bugsI Building on the Gadara Project (Michigan - HP Labs - Georgia
Tech)I Petri net models are suitable to reduced control logic overheadI From deadlock avoidance to regular language specificationsI Will collaborate with Stavros Tripakis at Berkeley
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 17 / 20
Case Studies
“Gadara” Methodology
C program source code
control flow graph
Petri net control logic
compile
translation control logic synthesis
inst
rum
enta
tion
Instrumented binary
prog
ram
compile
observe
control
observe
control
observe
control
cont
rol l
ogic
offline online
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 18 / 20
ExCAPE and the Control Systems Community
Reaching out to control community: discrete-event, hybrid,cyber-physical systems
I Invited session on control problems in software systems at IEEEConference on Decision and Control (CDC), December 2012
I Special session on ExCAPE at American Control Conference(ACC), June 2013
I Planned invited session on ExCAPE at International Workshopon Discrete Event Systems (WODES), May 2014
I More to come...
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 19 / 20
Bibliography
C. Cassandras and S. Lafortune.
Introduction to Discrete Event Systems.Springer, Boston, MA, 2nd edition, 2008.
A. Church.
Logic, arithmetic and automata.In Proceedings of the International Congress of Mathematics, 1963.
O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi.
Open systems in reactive environments: Control and synthesis.In 11th Intl. Conf. on Concurrency Theory, CONCUR’00, pages 92–107. Springer, 2000.
A. Pnueli and R. Rosner.
On the synthesis of a reactive module.In ACM Symp. POPL, 1989.
P. Ramadge and W. Wonham.
Supervisory control of a class of discrete event processes.SIAM J. Control Optim., 25(1):206–230, 1987.
J.G. Thistle.
Supervisory control of discrete event systems.Mathl. Comput. Modelling, 23(11/12):25–53, 1996.
W. Wonham and P. Ramadge.
On the supremal controllable sublanguage of a given language.SIAM J. Control Optim., 25(3):637–659, 1987.
ExCAPE Review Meeting () Bridging the Gap 20 August 2013 20 / 20