Model-based Analysis and Implementation of Embedded Systems Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ MIT Workshop, August 2005

Model-Based Design Benefits of model-based design Detecting errors in early stages Powerful and formal analysis Reusable components Automatic code generation Many commercial tools are available for design of embedded control systems (e.g. Simulink) Typically, semantics is not formal Typically, only simulation-based analysis Code generation available, but precise relationship between model and code not understood

Charon Project at Penn Can we formally prove safety properties of models? Formal Specification Environment Model Performance Metrics Can we infer properties of code from properties of models? Programming/Modeling Language Based on Hybrid Automata Design and Analysis Tools Simulation, Verification, Optimization Compiler + Scheduler Libraries in Base Language Platform Description Executable Code on Embedded Processor

Hybrid Modeling State machines + Dynamical systems off on dx=kx Coordination Protocols Systems Biology Automotive Robotics Animation

CHARON Language Features Individual components described as agents Composition, instantiation, and hiding Individual behaviors described as modes Encapsulation, instantiation, and Scoping Support for concurrency Shared variables as well as message passing Support for discrete and continuous behavior Differential as well as algebraic constraints Discrete transitions can call Java routines Compositional semantics with refinement rules Composition of submodes is called encapsulation. Sequential composition. Follow the wall and obstacle avoidance can be sequentially implemented

CHARON Toolkit

Model Checker Advantages Impressive industrial success yes temporal property error-trace Advantages Automated formal verification, Effective debugging tool Impressive industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Model checking for discrete systems Enumerative state-space search (SPIN) Symbolic search using Binary decision diagrams (SMV) Bounded model checking using SAT solvers

Symbolic Safety Verification Data type: region to represent state-sets R:=I(X) /* initial set */ Repeat If R intersects target F report “violation” Else if R contains Post(R) report “safe” Else R := R union Post(R) Post(R): Set of successors of states in R Termination may or may not be guaranteed F I

Reachability for Hybrid Systems What’s a suitable representation of regions? Region: subset of Rk Main problem: handling continuous dynamics Precise solutions available for restricted continuous dynamics Timed automata (Uppaal, Kronos, …) Linear hybrid automata (HyTech) Even for linear systems, over-approximations of reachable set needed

Timed Automata Analog of finite-state automata in discrete case a,x:=0 b,y:=0 y>2,c x<3,d Analog of finite-state automata in discrete case Continuous variables: Clocks increasing at rate 1 All constraints of the form: x compared to constant Can express lower and upper bounds on delays Well-developed theory of automata and logics Closure properties Decision problems Equivalent characterizations

Region-based Analysis Finite partitioning of state space w @ w’ iff they satisfy the same set of constraints of the form xi < c, xi = c, xi – xj < c, xi –xj =c for c <= largest const relevant to xi x2 2 Region equivalence is a time-abstract bisimulation, and corresponding quotient can be used for temporal logic model checking 1 1 2 3 x1 An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

Model Checking for Hybrid Systems Timed automata tools use matrices as a symbolic representation (all constraints are bounds on differences) Next step: use polyhedra as a representation (HyTech) Linear hybrid automaton allows linear constraints in guards/resets Dynamics: linear constraints among derivates The set of reachable states at every iteration is union of polyhedra If dynamics is dX=AX, and R is a polyhedron, Post(R) is not a polyehdron Many approximate solutions proposed: Approximate Post(R) with enclosing convex polyhedra (Checkmate)

Polyhedral Flow Pipe Approximations divide R[0,T](X0) into [tk,tk+1] segments enclose each segment with a polyhedron X0 RM[0,T](X0) = union of polyhedra

Abstraction and Refinement Abstraction-based verification Given a model M, build an abstraction A Check A for violation of properties Either A is safe, or is adequate to indicate a bug in M, or gives false negatives (in that case, refine the abstraction and repeat) Many projects exploring abstraction-based verification for hybrid systems Predicate abstraction (Charon at Penn) Counter-example guided abstraction refinement (CEGAR at CMU) Qualitative abstraction using symbolic derivatives (SAL at SRI) Composition of submodes is called encapsulation. Sequential composition. Follow the wall and obstacle avoidance can be sequentially implemented

Predicate Abstraction Input is a hybrid automaton and a set of k boolean predicates, e.g. x+y > 5-z. The partitioning of the concrete state space is specified by the user-defined k predicates. Abstract Space: L x {0,1} k t x Concrete Space: L x R n

Overview of the Approach Hybrid system Boolean predicates additional predicates Search in abstract space Safety property No! Counter-example Property holds Analyze counter-example Real counter- example found

Charon Project at Penn Can we formally prove safety properties of models? Formal Specification Environment Model Performance Metrics Can we infer properties of code from properties of models? Programming/Modeling Language Based on Hybrid Automata Design and Analysis Tools Simulation, Verification, Optimization Compiler + Scheduler Libraries in Base Language Platform Description Executable Code on Embedded Processor

Walking Model: Behavior and Modes Shared variable On Ground Up x turn == i dy = kv dt = 1 dx = dy = 0 L1 j1 Time triggered y==0 -> turn++ L2 j2 t==2 (x, y) y 2x==str Event triggered dx = kv x < str /2 dy = -kv Down Forward

Code Generation Case Study Front-end Translate CHARON objects into modular C++ objects Back-end Map C++ objects to execution environment front-end back-end CHARON objects C++ objects Execution environment Target platform agent class agent scheduler mode class mode diff() trans() diff/alge eqn API transition analog var class var

Gap Between Models and Code Rich theory of sampled control (but mainly for purely continuous systems) Discrete-time control design Sampling errors No theory of interacting control blocks Mapping individual blocks to periodic real-time tasks does not lead to predictability Lack of compositionality affects integration Hybrid systems poses new challenges: How can code ensure that events are not missed ?

Code from Structured Models How to map control blocks to tasks? C1 x C2 u v Many choices for code Two tasks: C1 and C2 with their own periods One task: Read(x);C1;C2;Actuate One task: Read(x);C1;Read(x);C2;Actuate The choice can depend on many parameters: computation times, sensitivity ox x to u and v, performance objective

Quantifying the Gap (1) Appealing implementation platform: Time-triggered architecture Time divided into fixed-size slots Appealing programming paradigm: Fixed Logical Execution Time Block mapped to slot i reads inputs at the beginning, computes, and outputs at the end of the slot i Micro-schedule: Map each slot to at most one control block Given a micro-schedule s, and a plant model, continuous-time trajectory of execution uniquely defined

From Model to Code 1. Continuous-time semantics: all blocks at all times Continuous 2. Discrete/simulation semantics: all blocks every T s Compute all 3. Periodic tasks: Red block every T1 s, Blue every T2 s 4. Micro-schedule on TTA: Fixed-size slots Idle,Red,Blue,Idle, Blue,Red,Idle,Blue, Idle,Red, Blue…

Quantifying the Gap (2) Define a performance metric: for two continuous-time trajectories t1 and t2, d(t1,t2) measures the distance Quality of a micro-schedule s is d(t*,ts), where t* is the continuous-time simulation trajectory and ts is the trajectory of code when executed according to s For linear systems, d(t*,ts) is computable when d is, say, L2-norm, using ideas from PLTIs (Periodic linear time invariant systems) This allows comparing micro-schedules by precisely quantifying their metrics

Wrap-Up Modeling and Analysis in symbiosis Progress on safety verification by combining symbolic representations and abstraction Many application domains for hybrid systems Current Focus: Understanding and quantifying the gap between models and code to add rigor in the code generation step Ongoing: Stochastic hybrid systems