Model-based Analysis andImplementation of Embedded

Systems

Rajeev Alur

University of Pennsylvania www.cis.upenn.edu/~alur/

MIT Workshop, August 2005

Model-Based Design

Benefits of model-based design Detecting errors in early stages

Powerful and formal analysis

Reusable components

Automatic code generation

Many commercial tools are available for design of embedded control systems (e.g. Simulink)

Typically, semantics is not formal

Typically, only simulation-based analysis

Code generation available, but precise relationship between model and code not understood

Charon Project at Penn

Programming/Modeling LanguageBased on Hybrid Automata

Libraries in Base LanguagePlatform Description

Design and Analysis ToolsSimulation, Verification, Optimization

Formal SpecificationEnvironment ModelPerformance Metrics

Executable Code onEmbedded Processor

Compiler +Scheduler

Can we formally prove safety properties of models?

Can we infer properties of code from properties of models?

Hybrid Modeling

State machines

offon

+ Dynamical systems

dx=kxx<70

dx=-k’xx>60

x>68

x<63

Automotive Robotics AnimationSystemsBiology

CoordinationProtocols

CHARON Language Features

Individual components described as agents Composition, instantiation, and hiding

Individual behaviors described as modes Encapsulation, instantiation, and Scoping

Support for concurrency Shared variables as well as message passing

Support for discrete and continuous behavior

Differential as well as algebraic constraints

Discrete transitions can call Java routines

Compositional semantics with refinement rules

CHARON ToolkitCHARON Toolkit

Model Checker

AdvantagesAutomated formal verification, Effective debugging tool

Impressive industrial successIn-house groups: Intel, Microsoft, Lucent, Motorola…Commercial model checkers: FormalCheck by Cadence

Model checking for discrete systemsEnumerative state-space search (SPIN)Symbolic search using Binary decision diagrams (SMV)Bounded model checking using SAT solvers

model

temporalproperty

yes

error-trace

Symbolic Safety Verification

Data type: region to represent state-setsR:=I(X) /* initial set */Repeat

If R intersects target F report “violation”

Else if R contains Post(R) report “safe”Else R := R union Post(R)

Post(R): Set of successors of states in RTermination may or may not be guaranteed

I

F

Reachability for Hybrid Systems

What’s a suitable representation of regions?

Region: subset of Rk

Main problem: handling continuous dynamics

Precise solutions available for restricted continuous dynamics

Timed automata (Uppaal, Kronos, …)

Linear hybrid automata (HyTech)

Even for linear systems, over-approximations of reachable set needed

Timed Automata

Analog of finite-state automata in discrete case

Continuous variables: Clocks increasing at rate 1

All constraints of the form: x compared to constant

Can express lower and upper bounds on delays

Well-developed theory of automata and logics Closure properties

Decision problems

Equivalent characterizations

a,x:=0 b,y:=0

x<3,d

y>2,c

Region-based AnalysisFinite partitioning of state space

x1

x2

An equivalence class (i.e. a region)in fact there is only a finite number of regions!!

1 2 3

1

2

w w’ iff they satisfy the same set of constraints of the formxi < c, xi = c, xi – xj < c, xi –xj =cfor c <= largest const relevant to xi

Region equivalence is a time-abstractbisimulation, and correspondingquotient can be used for temporallogic model checking

Model Checking for Hybrid Systems

Timed automata tools use matrices as a symbolic representation (all constraints are bounds on differences)

Next step: use polyhedra as a representation (HyTech)

Linear hybrid automaton allows linear constraints in guards/resets

Dynamics: linear constraints among derivates

The set of reachable states at every iteration is union of polyhedra

If dynamics is dX=AX, and R is a polyhedron, Post(R) is not a polyehdron

Many approximate solutions proposed:Approximate Post(R) with enclosing convex polyhedra (Checkmate)

Polyhedral Flow Pipe Approximations

X0

t1

t2

t3

t4

t5t6 t7

t8

t9

• divide R[0,T](X0) into [tk,tk+1] segments

• enclose each segment with a polyhedron

• RM[0,T](X0) = union of polyhedra

Abstraction and Refinement

Abstraction-based verificationGiven a model M, build an abstraction ACheck A for violation of propertiesEither A is safe, or is adequate to indicate a bug in M, or gives false negatives (in that case, refine the abstraction and repeat)

Many projects exploring abstraction-based verification for hybrid systems

Predicate abstraction (Charon at Penn)Counter-example guided abstraction refinement (CEGAR at CMU)Qualitative abstraction using symbolic derivatives (SAL at SRI)

Predicate Abstraction

Input is a hybrid automaton and a set of k boolean predicates, e.g. x+y > 5-z.

The partitioning of the concrete state space is specified by the user-defined k predicates.

t

x

Concrete Space:L x R n

Abstract Space:L x {0,1} k

Overview of the Approach

Safetyproperty

Hybridsystem

Booleanpredicates

Search in abstract space

Analyze counter-example

Propertyholds

No!Counter-example

Realcounter-examplefound

additionalpredicates

Charon Project at Penn

Programming/Modeling LanguageBased on Hybrid Automata

Libraries in Base LanguagePlatform Description

Design and Analysis ToolsSimulation, Verification, Optimization

Formal SpecificationEnvironment ModelPerformance Metrics

Executable Code onEmbedded Processor

Compiler +Scheduler

Can we formally prove safety properties of models?

Can we infer properties of code from properties of models?

x

y

j1

j2

L1

(x, y)

v

L2

Walking Model: Behavior and Modes

dx = dy = 0 dy = kvdt = 1

dy = -kv dx = kvx < str /2

On Ground Up

ForwardDown

y==0->

turn++

turn == i

t==2

Shared variable

Time triggered

2x==str

Event triggered

Code Generation Case Study

Front-endTranslate CHARON objects into modular C++ objects

Back-endMap C++ objects to execution environment

agent

mode

analog var

diff/alge eqn

transition

class agent

class mode diff() trans()

class var

scheduler

API

CHARON objects C++ objectsExecution

environment Targetplatform

front-end back-end

Gap Between Models and Code

Rich theory of sampled control (but mainly for purely continuous systems)

Discrete-time control design

Sampling errors

No theory of interacting control blocks Mapping individual blocks to periodic real-time tasks does not lead to predictability

Lack of compositionality affects integration

Hybrid systems poses new challenges: How can code ensure that events are not missed ?

Code from Structured Models

How to map control blocks to tasks?

The choice can depend on many parameters: computation times, sensitivity ox x to u and v,

performance objective

Many choices for code Two tasks: C1 and C2 with their own periods

One task: Read(x);C1;C2;Actuate

One task: Read(x);C1;Read(x);C2;Actuate

C1x C2

u v

Quantifying the Gap (1)

Appealing implementation platform: Time-triggered architecture

Time divided into fixed-size slotsAppealing programming paradigm: Fixed

Logical Execution Time Block mapped to slot i reads inputs at the beginning, computes, and outputs at the end of the slot i

Micro-schedule: Map each slot to at most one control block

Given a micro-schedule s, and a plant model, continuous-time trajectory of execution uniquely defined

From Model to Code1. Continuous-time semantics: all blocks at all times

Continuous

2. Discrete/simulation semantics: all blocks every T s

3. Periodic tasks: Red block every T1 s, Blue every T2 s

Compute all Compute all Compute all Compute all

4. Micro-schedule on TTA: Fixed-size slots

Idle,Red,Blue,Idle, Blue,Red,Idle,Blue, Idle,Red, Blue…

Quantifying the Gap (2)

Define a performance metric: for two continuous-time trajectories t1 and t2, d(t1,t2) measures the distance

Quality of a micro-schedule s is d(t*,ts), where t* is the continuous-time simulation trajectory and ts is the trajectory of code when executed according to s

For linear systems, d(t*,ts) is computable when d is, say, L2-norm, using ideas from PLTIs (Periodic linear time invariant systems)

This allows comparing micro-schedules by precisely quantifying their metrics

Wrap-Up

Modeling and Analysis in symbiosis Progress on safety verification by combining

symbolic representations and abstraction Many application domains for hybrid

systems Current Focus: Understanding and

quantifying the gap between models and code to add rigor in the code generation step

Ongoing: Stochastic hybrid systems