Continuous Action Systems

Ralph-Johan Back,Luigia Petre

Ivan Porres-Paltor

Åbo Akademi University and TUCS

Discrete action systems

• Define state of system (program variables)– local variables and global variables

• Initialization statement (for local variables)

• Defines possible actions of the system (guardedcommands)

• Iterate actions until no action is enabled anymore (->termination)

• Execution proceeds in discrete steps

Example: simple sorting

A= |[ do x1 > x2 -> x1,x2:= x2,x1 -- EX1 [] x2 > x3 -> x2,x3:= x3,x2 -- EX2 [] x3 > x4 -> x3,x4 := x4,x3 -- EX3

od ]|: x1, x2, x3, x4

• iterate until variables are sorted

Actions and variables

x1 x2 x3 x4

EX1 EX2 EX3

General syntax

A= |[ var x+, -- public variable y; -- local variable S0; -- initialization do g1 -> S1 -- action 1 [] g1 -> S2 -- action 2 … [] gm -> Sm -- action m od

]|: z -- imported variables

Actions and variables

A0 A1 A2 A3 A4 A6

public local imported

x1 x2 y1 y2 y3 z1 z2

Continuous action systems

• all program variables are functions on time (Real+ ):

• discrete variables– x: Real+ -> Int,

– y: Real+ -> Bool

– z: Real+ -> {red, green, yellow}

• continuous variables– u: Real+ -> Real

Continuous action systems (cont.)• Initialization assigns intial values (time functions) to to

program variables– x:= (λ t. 1)

– u := (λ t. sin t)

• System evolves by moving time forward continuously,starting from 0

• Current time is given by "now

• Guards may refer to variable values at now, as well asto values that variables had in the past and will have inthe future (unless the future is changed by anassignment)

System behavior

now

x

1

2

3

0

u

(discrete)

(continuous)

Continuous action systems (cont.)

• As soon as now reaches a time when some action guard isenabled:– one of the enabled actions is selected (nondeterministically)

– the action is executed

• An action can change the future behavior of some programvariables

• Time then proceeds to next time instance when an action isenabled

• Next time instance can be same as previous time instance

Actions

• Example action:x.now = u.now -> u:- (λ t. u.t + 1)

• when now reaches a time where x.now = u.now:– change the future behavior of u (from now onwards) to be

(λ t. u.t + 1)

– u is not changed for time values before now

– behavior of other program variables are unchanged

• If no action is enabled, then last values assigned tovariables determine future behaviour

Changing system behavior

now

x

1

2

3

0

u

now'

Semantics

• A continuous action system defines a collection offunctions on time

• Functions are defined in a piecewise fashion (thesystem goes through phases)

• The interval between changes depends on the systemstate

• Because of nondeterminism, actually a family offunction sets is defined

Example: triangular waveform

|( var x+, clock: Real+ ->Real;

up: Real+ -> Bool;

x:- (λ t. 0); up:- (λ t. false);

do x.now = 0 & – up.now ->

clock:- (λ t. t-now);

x:- clock;

up:- (λ t. true)

[] x.now = 1 & up.now ->

clock:- (λ t. t-now);

x:- (λ t. 1 - clock.t);

up:- (λ t. false)

od )

up

x

now

clock

now

now

false

true

0

1

0

1

Defined functions

clock

up

x

t

t

t

Translate continuous system todiscrete system

C =

|( var x;

S0;

do g1->S1

[] g2 -> S2

…

[] gm->Sm

od )|

C' =

|[ var x, now;

now:= 0; S0'; now:= next.gg.now;

do g1 -> S1'; now:= next.gg.now

[] g2 -> S2'; now:= next.gg.now

…

[] g1 -> S1'; now:= next.gg.now

od ]|

Next time function

• We define

next.gg.now = min{t'≥now | gg.t'}, when defined

next.gg.now = now, if {t'≥now | gg.t'} is empty

• System not well-defined if {t'≥now | gg.t'} is non-empty but does not have a minimum

• Actionnow >0 -> x:- (λ t. 0)

would e.g. not be allowed.

History preserving assignments

• The statement Si' is Si, except that each assignmentx:- e

is changed tox := x /now/ e

where we definex /now/e =(λ t. if t < now then x.t else e.t fi)

• Only future behavior of x is thus changed.

Discrete computation

• The continuous system has phases where timeadvances and phases where time does not advance

• A discrete computation is a computation where thetime does not advance– Time (now) does not advance if a guard is enabled at the

same time point after the previous action terminates

• Possible that a discrete computation gets stuck in aninfinite loop– This is not a well-defined continuous system

Covering time• The system as executed might not cover the whole

time axis (Zeno behavior)

• Example: now converges to some fixed time pointnow = 0, 1, 1.5, 1.75, 1.87, …. -> 2

• Can either forbid Zeno behavior, or restart system atlimit

• Latter requires changing the semantics of the do-loop,to allow for iterating system past ω (transfiniteexecution)

Reasoning about continuoussystems

• Prove properties about a continuous system C byproving corresponding property about discrete systemC'

• Example: prove that I is true in each reachable state byproving that it is an invariant of the loop:

true {now:= 0; S0; now:= next.gg.now} I -- initialization

I & g1 {S1'; now:= next.gg.now} I -- action 1

…

I & gm {Sm'; now:= next.gg.now} I -- action m

Typical form of invariant

start

x

1

2

3

0

u

now

• I(x,u,start, now) holds in range [0,now) -- the history• J(x,u, now) holds in range (now, ∞) -- the default future

Parallel composition fordiscrete action systems

A = |[ var x+,a; A0; do A1[] … [] Am od ]|:z

B = |[ var y+,b; B0; do B1 [] … [] Bm od ]|:u

A || B =

|[ var x+,y+,a,b;

A0; B0; do A1[] … [] Am [] B1 [] … [] Bm od

]|:z,u

Actions and variables

x1 x2 x3 x4 x5 x6 x7 x8 x9

A1 A2 A3 A4 A5 B1 B2 B3

A B

Parallel composition forcontinuous systems

• Parallel composition of continuous systems defined inthe same way as for discrete systems

• Parallel composition of two systems means that pointsof changes occur more frequently

• Systems interact by reading and setting global (shared)variables.

• This provides a simple mechanism for composing largecontinuous systems from smaller systems.

Alternative formalizations

• Hybrid automata traditional way to describe thebehavior of continuous systems

• Somewhat more restricted, can be modelled by ourcontinuous systems

• Model checking rather than verification can be veryefficient, in particular for linear systems (Hytec)

Case studies• Carried out a few case studies

– Elevator

– Press

– Train movement

– Temperature control in atomic reactor

• Need to introduce states similar to those in hybridautomata

• Verification can be complex, invariant can be difficultto find

• Allows to prove properties of non-linear systems

Conclusions• Have a simple generalization of discrete action systems

to continuous action systems

• Can prove general properties about system behavior(safety, liveness etc.)

• No new proof theory needs to be developed, can usestandard proof theory for action systems

• Can define large continuous systems by parallelcomposition in terms of smaller systems

• Hybrid action systems can be expressed as continuoussystems (special case)

Conclusions (cont.)• Model very general, allows also non-standard

behavior, like Zeno-behavior (time does not progressbesides a certain point)

• Discrete and continuous program variables are treatedin a uniform way

• Can describe continuous systems withnondeterministic choice

• Program-like description of continuous/hybrid systems

• Model seems to model examples nicely, butverification can be labourous (reasoning aboutfunctions)

Reference

• Ralph-Johan Back, Luigia Petre and Ivan PorresPaltor: Generalizing Action Systems to HybridSystems. TUCS Technical Report no 307, October1999

Continuous action system asdiscrete action system

• Consider continuous action system

C = |( var x; S0; do g1->S1[] g2 -> S2 … [] gm->Sm od )|

• This can be translated into discrete action system

C' = |[ var x, now;

now:= 0; S0; now:= next.gg.now;

do g1 -> S1'; now:= next.gg.now

[] g2 -> S2'; now:= next.gg.now

…

[] g1 -> S1'; now:= next.gg.now

od ]|