Hybrid Input/Output Automata: Theory and Applications


Hybrid Input/Output Automata: Theory and Applications
Nancy Lynch, MIT
Mathematical Foundations of Programming Semantics, Montreal, Canada, March 20, 2003
Joint work with Roberto Segala (U. Verona), Frits Vaandrager (U. Nijmegen), Carl Livadas, Sayan Mitra, Eric Feron, Yong Wang, …

Hybrid Systems
Continuous, real-world components + discrete, computer components.
Examples: automated transportation systems, robots, embedded systems, mobile computing systems.
Complex; strong safety and performance requirements.
Formal models needed for design and analysis.
[Diagram: control loop of Plant, Sensor, Controller, Actuator]

The HIOA Model [Lynch, Segala, Vaandrager 01, 03]
General, mathematical modeling framework.
State machines with discrete transitions and trajectories.
Model plants, controllers, sensors, actuators, software, communication services, human operators, …
Support for decomposing hybrid system descriptions:
- External behavior: models the discrete and continuous interaction of a component with its environment.
- Composition: synchronizes external actions and external "flows".
- Levels of abstraction, implementation.
Can incorporate analysis methods from:
- CS: invariants, simulation relations, compositional methods.
- Control theory: invariant sets, stability analysis, robust control.

Applications
Automated transportation systems:
- Simple vehicle maneuvers [Weinberg, Lynch 96]
- People-mover (Raytheon) [Livadas, Lynch, Weinberg, De Lisle 96] [Livadas, Lynch 98]
- PATH automated highway system [Branicky, Dolginova, Lynch 97] [Dolginova, Lynch 97] [Lygeros, Lynch 98]
Aircraft control:
- TCAS [Livadas, Lygeros, Lynch 99]
- Quanser helicopter system [Mitra, Wang, Feron, Lynch 02, 03]
Spacecraft:
- ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03]
Robotics:
- Lego cars [Fehnker, Vaandrager, Zhang 02]
Algorithms for ad hoc mobile networks:
- Routing [Mitra]

Other Kinds of I/O Automata Models
Basic I/O Automata [Lynch, Tuttle 87]
- States, start states, actions, transitions, tasks.
- Used for asynchronous distributed algorithms.
Timed I/O Automata [Lynch, Vaandrager 91]
- Add time-passage transitions.
- Used for timing-based distributed algorithms: local clocks, clock synchronization; timing/performance analysis.
Hybrid I/O Automata, v.1 [Lynch, Segala, Vaandrager, Weinberg 96]
- Add explicit trajectories.
Probabilistic I/O Automata [Segala 95]
- Add probabilistic transitions.
- Used for randomized distributed algorithms and security protocols.

All the IOA Models
[Diagram of the model hierarchy: IOA, TIOA, PIOA, HIOA, PTIOA, PHIOA]

Talk Outline
- Introduction
- I/O Automata and Timed I/O Automata
- Hybrid I/O Automata: definitions and results
- HIOA applications
- HIOA future work
- Timed IOA, revisited
- Probabilistic IOA, revisited
- Conclusions

I/O Automata and Timed I/O Automata

Basic I/O Automata
Infinite-state, nondeterministic automaton models: states, transitions.
Describe system modularity:
- Parallel composition of interacting components.
- Levels of abstraction.

I/O Automata
Static description:
- Actions: input, output, internal.
- States, start states.
- Transitions (q, a, q′), input-enabled.
Dynamic description:
- Execution: q0 a1 q1 a2 q2 …
- Trace: projection on the external actions; the externally visible behavior.
- A implements B: traces(A) ⊆ traces(B).
Operations for building automata:
- Parallel composition, identifying inputs and outputs.
- Action hiding.
Reasoning methods:
- Invariant assertions: a property holds in all reachable states.
- Simulation relations: imply that one automaton implements another.
- Both are proved using induction on the length of an execution.
- Compositional methods.

Reliable FIFO Channel Model: Channel(M)
Signature:
- Inputs: send(m), m in M
- Outputs: receive(m), m in M
States:
- queue, a finite sequence of elements of M, initially empty
Transitions:
- send(m)
    Effect: add m to the end of queue
- receive(m)
    Precondition: m is first on queue
    Effect: remove the first element of queue
[Diagram: Channel(M) with input send(m) and output receive(m)]

Example Applications
Basic distributed algorithms: resource allocation, consensus, atomic objects, concurrency control, group communication, …
Distributed systems:
- Orca distributed shared memory system [Fekete, Kaashoek, Lynch]
- Transis, Ensemble group communication systems [Hickey, Lynch, van Renesse]
Algorithms for dynamic networks:
- Reconfigurable atomic memory [Lynch, Shvartsman 02] [Gilbert, Lynch, Shvartsman 03] [Musial, Shvartsman 03] [Dolev, Gilbert, Lynch, Shvartsman, Welch]

Group Communication [Fekete, Lynch, Shvartsman]
We define automata modeling:
- Totally ordered reliable broadcast service (TO-Bcast)
- Group communication service (GCS)
- Algorithm (based on [Keidar, Dolev])
Prove that the composition of the algorithm and GCS automata implements TO-Broadcast.
Proofs checked using the PVS theorem-prover [Archer].
[Diagram: Algorithm composed with GCS implements TO-Bcast]

IOA Language + Toolset [Garland, Lynch]
Formally-defined programming/modeling language for describing and analyzing systems modeled as I/O automata.
Current tools:
- Simulator, including levels of abstraction
- Connection with the Daikon invariant detector [Ernst]
- Connection to the Larch and Isabelle/HOL theorem-provers: support for inductive proofs of invariants and simulation relations
In progress:
- Automatic distributed code generator

Timed I/O Automata
Add time-passage actions, pass(t).
Example: FIFO channel that delivers messages within time d.
- send(m)
    Effect: add (m, now + d) to the end of queue
- receive(m)
    Precondition: (m, u) is first on queue (for some u)
    Effect: remove the first element of queue
- pass(t)
    Precondition: for all (m, u) in queue, now + t ≤ u
    Effect: now := now + t
Can use standard automaton-based reasoning methods:
- Invariant: if (m, u) is in queue, then now ≤ u ≤ now + d.
- Inductive proofs.
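The time-bounded channel above (and the untimed Channel(M) it extends) as executable code, an added example rather than code from the talk: the transitions enforce their preconditions, and a random execution checks the slide's invariant now ≤ u ≤ now + d after every step. The class and function names are this example's own.

```python
"""Time-bounded FIFO channel as a small timed I/O automaton (added example,
not code from the talk). Rational arithmetic keeps the invariant checks
exact."""
import random
from fractions import Fraction as F


class TimedChannel:
    """Timed I/O automaton for a channel that delivers within time d."""

    def __init__(self, d):
        self.d = F(d)
        self.now = F(0)
        self.queue = []      # (message, deadline u) pairs in FIFO order
        self.trace = []      # external actions only: ("send", m) / ("receive", m)

    def send(self, m):
        # Input action: always enabled (input-enabling axiom).
        self.queue.append((m, self.now + self.d))
        self.trace.append(("send", m))

    def receive(self, m):
        # Output action. Precondition: (m, u) is first on queue for some u.
        if not self.queue or self.queue[0][0] != m:
            raise ValueError("receive(%r) is not enabled" % (m,))
        self.queue.pop(0)
        self.trace.append(("receive", m))

    def pass_time(self, t):
        # Time-passage action pass(t). Precondition: now + t <= u for every
        # (m, u) in queue, so no delivery deadline can be overshot.
        t = F(t)
        if t < 0 or any(self.now + t > u for _, u in self.queue):
            raise ValueError("pass(%s) is not enabled" % t)
        self.now += t

    def invariant(self):
        # The slide's invariant: now <= u <= now + d for every queued message.
        return all(self.now <= u <= self.now + self.d for _, u in self.queue)

    def max_pass(self):
        # Largest t for which pass(t) is enabled: time to the earliest deadline.
        return min((u - self.now for _, u in self.queue), default=self.d)


def random_execution(d, steps, seed=0):
    """Perform `steps` enabled actions chosen at random. Returns
    (invariant_ok, fifo_ok, trace); fifo_ok checks that messages are
    received in the order they were sent."""
    rng = random.Random(seed)
    ch = TimedChannel(d)
    next_msg = 0
    ok = ch.invariant()
    for _ in range(steps):
        choices = ["send"]
        if ch.queue:
            choices.append("receive")
        if ch.max_pass() > 0:
            choices.append("pass")
        act = rng.choice(choices)
        if act == "send":
            ch.send(next_msg)
            next_msg += 1
        elif act == "receive":
            ch.receive(ch.queue[0][0])
        else:
            # any rational amount of time the precondition allows
            ch.pass_time(ch.max_pass() * F(rng.randint(1, 4), 4))
        ok = ok and ch.invariant()
    sent = [m for a, m in ch.trace if a == "send"]
    received = [m for a, m in ch.trace if a == "receive"]
    return ok, received == sent[:len(received)], ch.trace


if __name__ == "__main__":
    inv_ok, fifo_ok, trace = random_execution(d=3, steps=200, seed=1)
    print("invariant holds:", inv_ok, "fifo order:", fifo_ok, "actions:", len(trace))
```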

Applications
Distributed algorithms: resource allocation, consensus, …
Timeout-based communication protocols:
- TCP [Smith]
- Reliable multicast [Livadas]
Performance (latency) analysis:
- Group communication systems [Fekete, Lynch, Shvartsman], [Khazan, Keidar 00, 02]
- Reconfigurable atomic memory [Lynch, Shvartsman 02]
- Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]
- Peer-to-peer network maintenance and routing [Lynch, Stoica 03]
Hybrid systems challenge problems:
- RR (railroad) crossing
- Steam boiler controller

Hybrid I/O Automata, Definitions and Basic Results

Describing Hybrid Behavior
Variable v:
- Static type, type(v).
- Dynamic type, dtype(v): the allowed "trajectories" for v.
    Functions from time intervals to type(v).
    Closed under time shift, subinterval, countable pasting.
    Examples: pasting closure of constant functions, continuous functions, differentiable functions, integrable functions.
Valuation for V: assigns a value in type(v) to each v in V.

Describing Hybrid Behavior
Trajectory: models the evolution of variables over a time interval.
- I-trajectory for V: maps the interval I to valuations for V; the restriction to each v is in dtype(v).
Hybrid sequence: models a series of discrete and continuous changes.
- τ0 a1 τ1 a2 τ2 …, an alternating sequence of trajectories and actions.

Hybrid I/O Automaton
- U, Y, X: input, output, and internal (state) variables.
- Q: states, a set of valuations of X.
- Start states.
- I, O, H: input, output, and internal actions.
- D ⊆ Q × (I ∪ O ∪ H) × Q: discrete transitions.
- T: trajectories for (U ∪ Y ∪ X) in which the valuations of X are in Q.
[Diagram: an HIOA with actions I, O, H and variables U, Y, X]

Basic Trajectory Axioms
The set T of trajectories is closed under:
- Prefix
- Suffix
- Countable concatenation

Input-Enabling Axioms
Input action enabling: for every state q and every input action a, there is some discrete transition (q, a, q′).
Input trajectory enabling: for every state q and every input trajectory, there is some trajectory that starts with q and either:
- spans the whole input trajectory, or
- spans a prefix of the input trajectory, after which some locally-controlled action is enabled.

Executions and Traces
Execution fragment: a hybrid sequence τ0 a1 τ1 a2 τ2 …, where:
- each τi is a trajectory of the automaton, and
- each (τi.lstate, a(i+1), τ(i+1).fstate) is a discrete step.
Execution: an execution fragment beginning in a start state.
Trace: restrict to external actions and external variables.
A implements B if they have the same external interface and traces(A) ⊆ traces(B).

Notation for Specifying Trajectories
Differential and algebraic equations and inclusions.
- Trajectory τ satisfies the algebraic equation v = e if the constraints on the variables expressed by this equation hold in every state of τ.
- Trajectory τ satisfies the differential equation d(v) = e if, for every t in the domain of τ, v(t) = v(0) + ∫₀ᵗ e(t′) dt′.
Algebraic/differential inclusions are handled similarly.

Example: Vehicle HIOA
Follows the suggested acceleration to within ε. Outputs the actual velocity.
- U: acc-in; Y: vel-out; X: acc, vel
- Q: all valuations of X
- Start states: acc = vel = 0
- I, O, H, D: empty
- Trajectories:
    acc(t) ∈ [acc-in(t) − ε, acc-in(t) + ε], for t > 0
    d(vel) = acc
    vel-out = vel
[Diagram: Vehicle with input variable acc-in, output variable vel-out, state variables acc, vel]

Example: Controller HIOA
Monitors the velocity and suggests an acceleration every time d. Tries to ensure the velocity does not exceed a pre-specified vmax.
- U: vel-out; Y: acc-in; X: vel-sensed, acc-suggested, clock
- Start states: all 0
- H: suggest
- Discrete steps (suggest):
    clock = d, clock′ = 0, vel-sensed unchanged
    acc-suggested′ chosen so that vel-sensed + (acc-suggested′ + ε) d ≤ vmax
- Trajectories:
    vel-sensed(t) = vel-out(t), for t > 0
    acc-suggested unchanged
    d(clock) = 1
    acc-in = acc-suggested
    stops when clock = d
[Diagram: Controller with input vel-out, output acc-in, state variables vel-sensed, acc-suggested, clock]

Composition
A = A1 || A2. Assume A1 and A2 are compatible (no common outputs; internal actions/variables are private).
Obtain A = A1 || A2 by matching external actions and variables:
- Y = Y1 ∪ Y2; X = X1 ∪ X2; U = (U1 ∪ U2) − (Y1 ∪ Y2)
- O = O1 ∪ O2; H = H1 ∪ H2; I = (I1 ∪ I2) − (O1 ∪ O2)
- States Q: projections in Q1, Q2
- Start states: projections in the start states of A1, A2
- Discrete steps D: projections in D1, D2
- Trajectories T: projections in T1, T2
Technicality: the composition need not satisfy input flow enabling. Assume "strong compatibility", which holds in many interesting special cases. Ignored in this talk.

Composition Theorems
Projection/pasting theorem: if A = A1 || A2, then traces(A) is the set of hybrid sequences (of the right type) whose restrictions to A1 and A2 are traces of A1 and A2, respectively.
Substitutivity theorem: if A1 implements A2 and both are compatible with B, then A1 || B implements A2 || B.

Example: Vehicle and Controller
Vehicle || Controller: the Vehicle's vel-out is the Controller's input and the Controller's acc-in is the Vehicle's input.
Invariant of Vehicle || Controller: vel ≤ vmax.
Prove using induction. Uses auxiliary invariants, most importantly:
  vel + (acc-suggested + ε)(d − clock) ≤ vmax
[Diagram: Vehicle (acc, vel) and Controller (vel-sensed, acc-suggested, clock) connected by vel-out and acc-in]

Invariants for HIOAs
Example: vel + (acc-suggested + ε)(d − clock) ≤ vmax
Prove by induction on the structure of executions:
- True in initial states.
- Preserved by discrete steps: uses standard algebraic reasoning.
- Preserved by closed trajectories: uses results about continuous functions.
Manual proof; could be supported with a theorem-prover.
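To make the inductive argument concrete, here is an added Python example (not code from the talk) that executes Vehicle || Controller as the alternation of closed trajectories and suggest steps and checks both invariants at every point; the concrete values of d, ε and vmax, the extra acceleration cap amax, the sub-step count k and the "careless" controller variant (which drops the ε margin) are this example's assumptions.

```python
"""Vehicle || Controller from the slides, executed step by step (added
example, not code from the talk). Each trajectory of length d is cut into k
sub-intervals on which the Vehicle picks a constant acceleration anywhere in
[acc-in - eps, acc-in + eps]. Rational arithmetic keeps the checks exact."""
import random
from fractions import Fraction as F


class Vehicle:
    """X = {acc, vel}; input acc-in; output vel-out = vel; d(vel) = acc."""

    def __init__(self, eps):
        self.eps = F(eps)
        self.acc = F(0)
        self.vel = F(0)

    def evolve(self, acc_in, dt, pick):
        # acc(t) may be anything in [acc_in - eps, acc_in + eps]; pick()
        # returns the fraction of eps (in [-1, 1]) used on this sub-interval.
        self.acc = acc_in + self.eps * pick()
        self.vel += self.acc * dt       # exact integral of a constant acc


class Controller:
    """X = {vel_sensed, acc_suggested, clock}; input vel-out; output acc-in."""

    def __init__(self, d, eps, vmax, amax, careful=True):
        self.d, self.eps, self.vmax, self.amax = F(d), F(eps), F(vmax), F(amax)
        self.careful = careful          # False: ignore eps when choosing acc
        self.vel_sensed = F(0)
        self.acc_suggested = F(0)
        self.clock = F(0)

    def evolve(self, vel_out, dt):
        # Trajectory: vel_sensed follows vel_out, acc_suggested unchanged,
        # d(clock) = 1; the trajectory stops when clock = d.
        self.vel_sensed = vel_out
        self.clock += dt

    def suggest(self):
        # Internal action 'suggest'. Precondition: clock = d. Effect:
        # clock' = 0 and acc_suggested' chosen so that
        #   vel_sensed + (acc_suggested' + eps) * d <= vmax   (careful version)
        assert self.clock == self.d
        self.clock = F(0)
        margin = self.eps if self.careful else F(0)
        self.acc_suggested = min(self.amax,
                                 (self.vmax - self.vel_sensed) / self.d - margin)


def aux_invariant(v, c):
    """The slide's auxiliary invariant."""
    return v.vel + (c.acc_suggested + c.eps) * (c.d - c.clock) <= c.vmax


def run(d=1, eps=F(1, 2), vmax=10, amax=3, periods=20, k=4,
        careful=True, adversarial=False, seed=0):
    """Execute `periods` trajectory/discrete-step pairs of Vehicle || Controller.
    Returns (vel_ok, aux_ok, final_vel). adversarial=True makes the Vehicle
    always use the largest acceleration the inclusion allows."""
    rng = random.Random(seed)
    pick = (lambda: F(1)) if adversarial else (lambda: F(rng.randint(-4, 4), 4))
    v, c = Vehicle(eps), Controller(d, eps, vmax, amax, careful)
    vel_ok, aux_ok = True, True

    def check():
        nonlocal vel_ok, aux_ok
        vel_ok = vel_ok and v.vel <= c.vmax
        aux_ok = aux_ok and aux_invariant(v, c)

    check()                              # initial state
    dt = c.d / k
    for _ in range(periods):
        for _ in range(k):
            # composed trajectory: acc-in = acc_suggested, vel-out = vel
            v.evolve(c.acc_suggested, dt, pick)
            c.evolve(v.vel, dt)
            check()                      # closed trajectory prefix
        c.suggest()                      # discrete step once clock = d
        check()
    return vel_ok, aux_ok, v.vel


if __name__ == "__main__":
    print("careful controller, random vehicle:     ", run())
    print("careless controller, adversarial vehicle:", run(careful=False, adversarial=True))
```

With the ε margin the velocity reaches vmax exactly in the adversarial run and stays there; without it the auxiliary invariant breaks first and vel > vmax follows a period later.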

Hiding
ActHide(E, A) reclassifies the external actions in E as internal.
VarHide(W, A) removes the external variables in W, but retains their induced constraints on the trajectories.

Example: Hiding
Hide the acc-in variable, which is used for communication between the components:
  A = VarHide(acc-in, Vehicle || Controller)
The only remaining external variable is vel-out.
Prove correctness of A by showing that it implements an abstract specification HIOA Vspec, which expresses just the constraint vel-out ≤ vmax.
Show using a simulation relation.
[Diagram: Vehicle and Controller composed, with acc-in hidden]

Simulation Relation
R from A to B: a relation from states(A) to states(B) satisfying:
- Every start state of A is related to some start state of B.
- If x R y and (x, a, x′) is a discrete step of A, then there is an execution fragment of B starting with y with the same trace as the step, whose last state is related to x′.
- If x R y and τ is a closed trajectory of A starting with x, then there is …
[Diagram: x R y; a step or trajectory from x is matched by an execution fragment from y with related last states]

Simulation Relation
Theorem: if there is a simulation relation from A to B, then A implements B (inclusion of trace sets).
Proved by induction on the structure of an execution: initial states, discrete steps, closed trajectories.
Example: Vehicle(ε1) implements Vehicle(ε2) if ε1 ≤ ε2.
Show using a simulation relation: the identity mapping.

Allowing Time to Pass
An HIOA should provide some response from any state, for any sequence of input actions and input trajectories. It should not "block the passage of time".
Definition: an HIOA is progressive if it has no execution fragment in which it generates infinitely many non-input actions in finite time.
Theorem: a progressive HIOA A can accommodate any input from any state: for each state x and each (I,U)-sequence, there is an execution fragment from x whose restriction to (I,U) is that sequence.
Theorem: the composition of progressive HIOAs is progressive.

Receptive HIOAs
But progressiveness isn't quite enough: e.g., HIOAs involving only upper bounds on timing are not progressive.
Definition: a strategy for an HIOA A is an HIOA that is the same as A except that it restricts the sets of discrete steps and trajectories.
Definition: an HIOA is receptive if it has a progressive strategy.
Theorem: a receptive HIOA can accommodate any input from any state.
Theorem: if A1 and A2 are compatible receptive HIOAs with progressive strategies B1 and B2, then A1 || A2 is receptive, with progressive strategy B1 || B2.

Hybrid I/O Automata, Applications

Applications
Automated transportation systems:
- Simple vehicle maneuvers [Weinberg, Lynch 96]
- People-mover (Raytheon) [Livadas, Lynch, Weinberg, De Lisle 96] [Livadas, Lynch 98]
- PATH automated highway system [Branicky, Dolginova, Lynch 97] [Dolginova, Lynch 97] [Lygeros, Lynch 98]
Aircraft control:
- TCAS [Livadas, Lygeros, Lynch 99]
- Quanser helicopter system [Mitra, Wang, Feron, Lynch 02, 03]
Spacecraft:
- ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03]
Robotics:
- Lego car [Fehnker, Vaandrager, Zhang 02]
Algorithms for ad hoc mobile networks:
- Routing [Mitra]

TCAS [Livadas, Lygeros, Lynch 99]
On-board aircraft collision avoidance system. Aircraft can detect the presence of nearby aircraft.
For two aircraft: TCAS tries to tell one aircraft to climb and the other to descend.
- Conducts a communication protocol to break the symmetry.
- Decision based on a combination of altitudes, transponder numbers, and timing of messages.
Correct operation is not obvious; validation carried out via extensive simulations (Lincoln Labs).

TCAS System Components
[Diagram: for each of two aircraft, an Aircraft, Sensor, Pilot, Conflict detector and Conflict resolver; the two sides communicate over Channels]

TCAS Model and Analysis
We modeled all components using HIOAs.
Proved that, for two planes, and under reasonable assumptions about speeds and accelerations, the planes remain sufficiently far apart.

Quanser Model Helicopter System [Mitra, Wang, Feron, Lynch 02, 03]
3-degrees-of-freedom model, manufactured by Quanser.
User controllers are not necessarily safe; they can crash the helicopter on the table.
A supervisory pitch controller is needed to ensure safety.
Must contend with:
- Sensor inaccuracies
- Actuator delay
- Limited sampling frequency

Helicopter Models and Analysis
We developed HIOA models for all system components: Plant, Sensor, Actuator, User Controller, Supervisor, including realistic dynamics, delays, inaccuracies.
Used the models to help design a safe supervisory controller.

Discrete Communication Among Components
[Diagram: plant → sensor (sample) → usrCtrl / supervisor (control) → actuator (command, dequeue) → plant, with sampling period D and actuator delay tact]

Executions in the User and Supervisor Modes
[Diagram of the state space: the user-mode region U sits inside the recovery region R; the system cannot jump from U to outside R in a single step. Recovery phase: switch to supervisor, settling phase, return to user mode]

Quanser Helicopter
Controller has been implemented.
We proved correctness (manually), using induction:
- Each inductive step involves either discrete or continuous reasoning.
- Continuous reasoning uses a Lyapunov stability argument.
Developed candidate language constructs for specifying trajectories of HIOAs:
- Algebraic and differential equation notation
- Unchanged, invariants, stopping conditions
- State models and activities

Lego Car [Fehnker, Vaandrager, Zhang 02]
Lego car, consisting of:
- A chassis.
- Two caterpillar treads, one on each side; each moves backwards or forwards, independently, at constant speed.
- Two sensors, one on each side; each sees whether the ground is black or white.
- RCX programmable control brick: reads the sensors periodically and controls the direction of motion of both treads.
Goal: the car should follow a straight black tape.
Algorithm: if a sensor sees black, tell the caterpillar tread on the opposite side to go forward; if white, go backward.

Lego Car
[Diagram: Chassis with two Caterpillar treads (forward, backward), two Sensors (black, white), and the RCX brick]

Lego Car
Modeled all components using HIOA.
Safety: in all reachable states, at least one tread goes forward. Proofs using induction.
Liveness: in infinitely many sample intervals, both treads go forward (following the black tape). Proofs, ad hoc.
Results verified by experiments.

Hybrid I/O Automata, Future Work

Language Support
Extend the IOA language with features for describing trajectories.
Restrictions:
- Variables are either discrete or continuous.
- Discrete variables remain constant over trajectories.
Language constructs for trajectories:
- State space partitioned into "modes".
- Continuous variables in each mode evolve according to differential/algebraic equations.
- Each mode is specified by an "activity".

Activities
Activity α = (E, P, P+):
- E: state model, algebraic and differential equations
- P ⊆ Q: operating condition
- P+ ⊆ Q: stopping condition
[α]: the set of trajectories defined by activity α.
Automaton trajectories: the union of [α] over the automaton's activities.
Composition of automata A1 || A2 is described in terms of composition of their activities. Composition of activities α = α1 || α2:
- E: collection of all the equations in α1 and α2
- q ∈ P iff the projection of q on X1 is in P1 and the projection of q on X2 is in P2
- q ∈ P+ iff the projection of q on X1 is in P1+ or the projection of q on X2 is in P2+

HIOA Code Example

Control Theory Methods: Proving Invariance
For an autonomous system x′ = g(x):
- Theorem [Bhatia, Szego]: if g(x) is subtangential to S everywhere in S, then S is positively invariant.
For an HIOA with one activity of the form d(x) = g(x):
- Claim: suppose that S is a closed convex set, S is invariant with respect to the discrete transitions, and n(y)·g(y) < 0 for all y on the boundary of S, where n(y) is the outer normal at y. Then S is invariant.
Technique used, e.g., in the Quanser case study. Can be extended to multiple activities.
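The boundary condition of the claim above, evaluated numerically as an added example (not from the talk): the system is the 2-D linear field g(x) = A x with A = [[0, 1], [−1, −1]], and S is the ellipsoid x^T P x ≤ 1, whose outer normal at y has the direction P y; the choice of A and of the two candidate sets P_LYAP and P_DISK is this example's assumption.

```python
"""Sampled check of n(y).g(y) < 0 on the boundary of S = {x : x^T P x <= 1}
(added example, not code from the talk). P_LYAP solves A^T P + P A = -I,
worked out by hand as P = [[3/2, 1/2], [1/2, 1]], so on the boundary
n(y).g(y) = y^T P A y = -|y|^2 / 2 < 0. P_DISK (the unit disk) gives
n(y).g(y) = -y2^2, which is 0 at y = (1, 0): the strict condition fails
and the check reports it."""
import math

A = ((0.0, 1.0), (-1.0, -1.0))
P_LYAP = ((1.5, 0.5), (0.5, 1.0))
P_DISK = ((1.0, 0.0), (0.0, 1.0))


def matvec(M, x):
    return (M[0][0] * x[0] + M[0][1] * x[1], M[1][0] * x[0] + M[1][1] * x[1])


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def g(x):
    """Vector field of the single activity d(x) = g(x) = A x."""
    return matvec(A, x)


def boundary_points(P, n):
    """n points on the ellipse x^T P x = 1: scale each unit direction u
    by 1 / sqrt(u^T P u)."""
    pts = []
    for i in range(n):
        th = 2.0 * math.pi * i / n
        u = (math.cos(th), math.sin(th))
        s = 1.0 / math.sqrt(dot(u, matvec(P, u)))
        pts.append((s * u[0], s * u[1]))
    return pts


def subtangential_check(P, field, n=720):
    """Evaluate n(y).g(y), with n(y) = P y, at n sampled boundary points.
    Returns (all_strictly_negative, worst_value, worst_point)."""
    worst_val, worst_pt = -math.inf, None
    for y in boundary_points(P, n):
        val = dot(matvec(P, y), field(y))
        if val > worst_val:
            worst_val, worst_pt = val, y
    return worst_val < 0.0, worst_val, worst_pt


def euler_peak(P, field, x0, h=0.001, steps=20000):
    """Sanity check of the conclusion: integrate from x0 (inside S) and
    return the largest x^T P x seen; for an invariant S it stays <= 1."""
    x, peak = x0, dot(x0, matvec(P, x0))
    for _ in range(steps):
        dx = field(x)
        x = (x[0] + h * dx[0], x[1] + h * dx[1])
        peak = max(peak, dot(x, matvec(P, x)))
    return peak


if __name__ == "__main__":
    for name, P in (("Lyapunov ellipsoid", P_LYAP), ("unit disk", P_DISK)):
        ok, worst, pt = subtangential_check(P, g)
        print("%-18s strict condition holds: %s (worst %.4f at %s)"
              % (name, ok, worst, pt))
```

Sampling the boundary is a check, not a proof: a sign change between samples would be missed, and the exact argument for P_LYAP is the identity y^T P A y = −|y|²/2 stated in the docstring.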

Control Theory Methods: Proving Stability
Multiple Lyapunov functions [Branicky].
Xc: continuous state variables.
Lyapunov function for activity α = (E, P, P+): a continuous function f: val(Xc) → R, defined on P, with d(f ∘ τ) ≤ 0 for all τ in [α].
Claim: suppose each activity α of HIOA A has a Lyapunov function f such that, in any execution, for any two successive trajectories τ1 and τ2 in [α], f(τ2.fstate) ≤ f(τ1.lstate). Then A is stable in the sense of Lyapunov.

Case Studies
Algorithms for mobile ad hoc systems:
- Examples: location determination, e.g. Grid [Li 2000]; geographic message forwarding (Geocast); leader election, maintaining communication structures.
- Objectives: specialize the HIOA framework to mobile systems; develop methods for analyzing behavior/performance guarantees under mobility; consider examples with interesting discrete behavior.
More control-oriented problems:
- Quantized double-integrator system.
- Objective: incorporate analysis methods from control theory.

Tools
- Theorem-provers: Larch, PVS, and/or Isabelle/HOL; extend the IOA theorem-proving tools.
- Automated tools.
- Simulator.

Timed I/O Automata, Revisited

TIOA, Revisited [Kaynar, Lynch, Segala, Vaandrager 03]
Reformulate our timed automata as a special case of hybrid automata: timing behavior described as in HIOA, using trajectories and hybrid sequences.
Timed systems include computers and communication networks, but no cars, airplanes, helicopters, …, so we don't need to consider continuous interaction.
However, it's still useful to consider continuous state evolution, e.g., to model clocks.

Example: Time-Bounded Channel
- X: now, queue
- Start states: now = 0, queue is empty
- I: send(m); O: receive(m)
- Discrete steps:
    send(m)
      Effect: add (m, now + d) to the end of queue
    receive(m)
      Precondition: (m, u) is first on queue
      Effect: remove the first element of queue
- Trajectories:
    queue unchanged
    d(now) = 1
    stops when now = u for some (m, u) on queue

Current Work: TIOAs
Complete the development of a general TIOA modeling framework for timing-based systems, including:
- External behavior, composition, levels of abstraction
- Receptivity, liveness properties
Express major ideas from other timed system models in the common framework of TIOA:
- Congruence, region construction (for model-checking): [Alur, Dill] timed automata
- Built-in upper and lower bounds for tasks: [Maler, Manna, Pnueli] timed transition systems; [Merritt, Modugno, Tuttle] timed automata
- Timing constraints that "sometimes hold": [DePrisco] clock timed automata
Linguistic support, tool support.

Probabilistic I/O Automata, Revisited

Probabilistic I/O Automata (PIOA) [Segala 95]
Adds probabilistic transitions (s, a, P), where P is a probability distribution on states.
Includes both nondeterministic and probabilistic choices. Scheduler: resolves all nondeterminism.
External behavior represented by a set of probability distributions on traces, one distribution per scheduler.
Implementation: subset (of sets of trace distributions).
Example applications:
- Randomized distributed algorithms: Rabin-Lehmann dining philosophers; Aspnes-Herlihy randomized consensus
- Security protocols

Current Work: Compositional Semantics
Trace distribution preorder ≤D on PIOAs: subset (of sets of trace distributions). Not preserved by composition.
Trace distribution precongruence ≤DC: defined as the coarsest precongruence included in ≤D. Preserved by composition, but this definition is not very informative.
Characterization for ≤DC [Segala, Vaandrager, Lynch 03]:
- Probabilistic forward simulation relation from A1 to A2: relates states of A1 to distributions over states of A2; transitions preserve probabilities; allows arbitrary internal actions.
- Theorem: A1 ≤DC A2 if and only if there exists a probabilistic forward simulation relation from A1 to A2.

Probabilistic Timed I/O Automata (PTIOA) [Segala 95]
Include time-passage steps, with probability distributions on the new state: (s, pass(t), P).
The scheduler determines the amount of time that passes (nondeterministic, not probabilistic).
External behavior represented by a set of probability distributions of timed traces (one per scheduler).
Timed trace distribution preorder; timed trace distribution precongruence.

Future Work: PTIOA, PHIOA
PIOA:
- Restrict the set of schedulers to those that can see only the external behavior of the component automata. Yields a smaller set of trace distributions.
- Characterize the resulting trace distribution precongruence.
PTIOA:
- Reformulate in terms of trajectories, as for TIOA.
- Characterize the timed trace distribution precongruence.
- Generalize TIOA results to include probabilities.
PHIOA:
- Define a model that generalizes PTIOA and HIOA.
- Define external behavior, composition, implementation, …; prove all the right theorems.

All the IOA Models
How do they relate to each other? How orthogonal are all the features?
[Diagram of the model hierarchy: IOA, TIOA, PIOA, HIOA, PTIOA, PHIOA]

Conclusions
Hybrid I/O Automata: definitions, results, and applications.
Future work on the HIOA framework:
- More applications, especially examples with more interesting discrete behavior.
- Import control theory techniques, including invariant sets, stability analysis methods, robust control methods.
- Language support.
- Analysis tools.
Develop a general modeling framework combining timed, hybrid and probabilistic behavior.