Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chess Review November 18, 2004 Berkeley, CA Semantics of Hybrid Systems Roberto Passerone Cadence Berkeley Laboratories with contributions from E. Lee,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Chess Review November 18, 2004 Berkeley, CA Semantics of Hybrid Systems Roberto Passerone Cadence Berkeley Laboratories with contributions from E. Lee,"— Presentation transcript:

1 Chess Review November 18, 2004 Berkeley, CA Semantics of Hybrid Systems Roberto Passerone Cadence Berkeley Laboratories with contributions from E. Lee, A. Pinto, A. Sangiovanni-Vincentelli, H. Zheng

2 Chess Review, November 18, 2004 2 Columbus: A Comparative Study Considered several existing models and tools –Charon, Checkmate, Hysdel, HSIF, HyVisual, Masaccio, Metropolis, Modelica, Scicos, Shift, Simulink Systematically compared the models for –Expressiveness –Concurrency model –Discrete/Continuous Communication –Hierarchy and Object Oriented design –Algebraic loops Compared models by running simple, but representative, examples –Zeno behavior –Level crossing detection

3 Chess Review, November 18, 2004 3 Summary LanguageNatureMain FeatuesFeaturing Also CHARONModelling LanguageFormal semantic for hierarchy, concurrency, refinementSimulator, Type Checker, Java interface CHECKMATEVerification ToolboxFormal semantic for simulation, exploration, verificationBased on MATLAB/SIMULINK/STATEFLOW HSIFInterchange FormatModelling of networks of hybrid automataSimulation through HyVisual HYVISUALVisual ModellerHierarchy support, block diagram editor and simulatorPtolemy-II BASED MASACCIOFormal ModelSupport for concurrent sequential and timed compositionalityEnables assume/guarantee reasoning METROPOLISDesign EnvironmentHeterogeneity, formal refinement, mappingVerification, Simulation MODELICAModelling LanguageObject Oriented, non-causal modellingCommercial and open simulator available SCICOSHybrid System ToolboxModelling and simulation of hybrid systemsC code generation, interface to Syndex SHIFTProgramming LanguageModelling of dynamic networks of hybrid componentsC code generation SIMULINKInteractive ToolSimulator, hierarchy, model discretizerMATLAB-based, library of predefined blocks.

4 Chess Review, November 18, 2004 4 LanguageContinuous/Discrete SignalsDerivativeAutomataState/Dynamics mapping CHECKMATE Separation between FSM and dynamical system. Communication through event generator. YESSTATEFLOW model Discrete output form FSM to dynamical system. HYVISUAL Signal attribute. Automatic detection of type or enforced by user. IntegrationGraphical Editor State refinement into continuous time models MODELICADefined by a language modifierYESDescribed by algorithm sections. Different equation sets depending on events. SCICOSDefined by port attributeIntegration Implemented by interconnection of conditional blocks. Implemented by connection of events selectors. HYSDELReal and Boolean signals Discrete difference Implemented by logic functions Discrete output form FSM to dynamical system. Summary

5 Chess Review, November 18, 2004 5 LanguageHierarchyObject OrientedNon-Causal Modelling CHECKMATE NNN HYVISUAL YYN MODELICA YYY SCICOS YNN HYSDEL NNN Summary

6 Chess Review, November 18, 2004 6 LanguageDiscrete/Continuous CommunicationAlgebraic LoopsDirac Pulses CHECKMATE Event Generator and First Order HoldNN HYVISUAL ToContinuous and ToDiscrete actorsYN MODELICA Indirect through when statementsYY SCICOS Interaction between discrete state and continuous state NN HYSDEL Event Generator and First Order Hold. There are no continuous signals NN Summary

7 Chess Review, November 18, 2004 7 Conclusions Comparative study shows a fragmented landscape –Underlying models mostly incompatible –Key issues approached differently Consolidated view needed to advance the research and rate of adoption –Evidence from industry using ad-hoc translators –Difficult for engineers and practitioners to choose the right model Our activities are complementary ways of providing a consolidated view

8 Chess Review, November 18, 2004 8 Overview Solid and clean semantics for hybrid systems Interchange Format for hybrid systems Approximations for incompatible models

9 Chess Review, November 18, 2004 9 Operational Semantics for Hybrid Systems A solid and complete executable semantics for simulation –Robust and with no ambiguities –Designed to cover embedded software issues Focuses on deterministic behavior –It is incorrect to choose one trajectory –Creating deterministic models must be easy –Non-deterministic models must be explored either exhaustively or using Monte Carlo methods Avoids continuous time models to represent discrete behaviors –Inaccurate for software –Truly heterogeneous models are more faithful abstractions

10 Chess Review, November 18, 2004 10 HyVisual: Hybrid Systems as Networks of Automata

11 Chess Review, November 18, 2004 11 Some Semantics Questions Expressiveness of model –non-deterministic, guard expression language, actions, … Coordination between subsystems (both discrete and continuous) –synchronous, time-driven, event-driven, dataflow, … –can outputs and updates be separated? What is the meaning of directed cycles? –fixed point, error, infinite loop, … What is the meaning of simultaneous events? –secondary orderings, such as data precedences, priorities, … Discontinuous signals must have zero transition times –Precise transition times –Accurate model of Zeno conditions Discrete signals should have values only at discrete times –Accurately heterogeneous model (vs. continuous approximation) Sampling of discontinuous signals must be well-defined –Avoid unnecessary nondeterminism Transient states must be active for zero time –Properly represent glitches

12 Chess Review, November 18, 2004 12 Transient States and Glitches

13 Chess Review, November 18, 2004 13 Overview Solid and clean semantics for hybrid systems Interchange Format for hybrid systems Approximations for incompatible models

14 Chess Review, November 18, 2004 14 Interchange Format for Hybrid Systems Define a common format that can be used to exchange data between different tools –Similar to other standards, such as LEF-DEF, Edif, and more recently OpenAccess –Avoid a proliferation of ad-hoc translators Flexible model that doesn’t tie you into one particular semantics –Unlike HSIF, avoid casting a preferred semantics in stone –Instead, a proper IF needs to include a meta model describing the semantics

15 Chess Review, November 18, 2004 15 Basic elements can be composed to build a domain specific Model of Computation –Semantics formally defined as Action Automata Flexible infrastructure that supports –Heterogeneous modeling –Flexible communication semantics –Non-determinism –Hierarchical, Object Oriented design –Explicit causality and scheduling –Declarative constraints (invariant, equations) –Refinement Metropolis Meta-Model

16 Chess Review, November 18, 2004 16 Anatomy of a model State Analog Process Transition Analog variable Equations

17 Chess Review, November 18, 2004 17 Application Scenarios

18 Chess Review, November 18, 2004 18 Towards a Manipulable Semantics Action automata determine the semantics of a model through its quantity managers –However, if not careful, extracting the automata and analyzing them could be very expensive –We are investigating ways of defining quantity manager in simpler and more manageable terms When intractable, translations and analysis could be obtained by ignoring certain aspects –This is sometimes desirable to decrease the complexity of a model for formal verification –This is essential when the information that is ignored is irrelevant Models of hybrid systems can be related through approximations

19 Chess Review, November 18, 2004 19 Overview Solid and clean semantics for hybrid systems Interchange Format for hybrid systems Approximations for incompatible models

20 Chess Review, November 18, 2004 20 Conservative Approximations Use conservative abstractions to relate different models –Why use abstraction A as opposed to abstraction B? Study preservation properties of abstractions –If a property holds before applying the abstraction, does it also hold after the abstraction? What are the properties of interest? –Compositionality or commutativity –Preservation of the refinement relation

21 Chess Review, November 18, 2004 21 Preservation of refinement Each model defines refinement differently –A block (actor) implements another when you can replace the former for the latter –Refinement denoted by the symbol  (partial or pre-order) Refinement verification in the abstract is potentially more efficient, but does it hold in the concrete? –In other words, does the abstraction preserve refinement? –Verification will necessarily be conservative, but is it sound?

22 Chess Review, November 18, 2004 22 Preservation of refinement Refinement preserving approximation –A function H between two models preserves refinement if and only if H(p 1 )  H(p 2 ) implies p 1  p 2 –In other words, H is “inverse” monotonic –Analogy (not) for real numbers r and s if  r    s  then not r  s Inverse monotonic functions are not useful –Say H(p 1 ) = H(p 2 ). Then p 1 = p 2 –In other words, H is injective (not giving up information) –Hence H is not an abstraction at all! One function does not fit all H concrete abstract

23 Chess Review, November 18, 2004 23 Preservation of refinement Conservative approximation –A pair of functions  = (  l,  u ) is a conservative approximation if and only if  u (p 1 )   l (p 2 ) implies p 1  p 2 –Analogy: if  r    s  then r  s –Abstract implies detailed Conservative approximations are useful –Implication going in the right direction –  l and  u are both abstractions (they need not be injective) Refinement verification is always sound uu ll concrete abstract

24 Chess Review, November 18, 2004 24 Verification problem A specification q requires that action “b” always be preceded by action “a” –Going from reals to integers, the order between events during the same integer interval is lost –Verification unsound when the specification is not represented exactly at the abstract level Conservative approximations detect when the solution would be unsound –But  l ( q ) is not empty! –It has all the behaviors for which a and b are separated by at least one time unit –Verification possible if the implementation is “slow enough” There is a relation between our sampling frequency and the ability to verify in the abstract –Subtle interaction between implementation and verification strategy –Conservative approximations separate those concerns

25 Chess Review, November 18, 2004 25 Inverse of conservative approximation The inverse of an abstraction does not necessarily exist –H( p ) does not determine p uniquely –Similarly,  u ( p ) and  l ( p ) do not determine p uniquely Inverse defined when upper and lower bound coincide –If  u (p) =  l (p), then p can be represented exactly at the abstract level –p is uniquely determined in this case H concrete abstract uu ll concrete abstract

26 Chess Review, November 18, 2004 26 Abstraction and Refinement  inv identifies actors that can be used indifferently in either domain –If Q’ is an abstraction of Q, then  inv is an injection from Q’ to Q –Actors are “domain polymorphic” Other actors are only approximated in the other semantic domain –  u and  l are different “views” –  inv   u is a closure operator –  inv   l is an interior operator uu ll Q Q’  inv

27 Chess Review, November 18, 2004 27 Conclusions Comparative study shows a fragmented landscape –Underlying models mostly incompatible –Key issues approached differently Consolidated view needed to advance the research –Evidence from industry using ad-hoc translators –Difficult for practitioners to choose the right model Our activities are complementary ways of providing a consolidated view –HyVisual: Solid and clean semantics for hybrid systems –Metropolis Interchange Format for hybrid systems –Conservative Approximations for incompatible models

Download ppt "Chess Review November 18, 2004 Berkeley, CA Semantics of Hybrid Systems Roberto Passerone Cadence Berkeley Laboratories with contributions from E. Lee,"

Similar presentations

The need for AMS assertions Verify the analog/digital interfaces at block and SoC levels –Check properties involving voltages and currents –Check complex.

The need for AMS assertions Verify the analog/digital interfaces at block and SoC levels –Check properties involving voltages and currents –Check complex.
Use trace algebra to formalize the YAPI model EE290N Spring2002 Alessandro Pinto Mentors: Roberto Passerone Jerry Burch.

Use trace algebra to formalize the YAPI model EE290N Spring2002 Alessandro Pinto Mentors: Roberto Passerone Jerry Burch.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
Semantic Translation of Simulink/Stateflow Models to Hybrid Automata using Graph Transformations A. Agarwal, Gy. Simon, G. Karsai ISIS, Vanderbilt University.

Semantic Translation of Simulink/Stateflow Models to Hybrid Automata using Graph Transformations A. Agarwal, Gy. Simon, G. Karsai ISIS, Vanderbilt University.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.

Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
The Operational Semantics of Hybrid Systems Edward A. Lee Professor, Chair of EE, and Associate Chair of EECS, UC Berkeley With contributions from: Adam.

The Operational Semantics of Hybrid Systems Edward A. Lee Professor, Chair of EE, and Associate Chair of EECS, UC Berkeley With contributions from: Adam.
10.6.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Overview This project applies the tagged-signal model to explain the semantics of piecewise continuous signals. Then it illustrates an operational way.

Overview This project applies the tagged-signal model to explain the semantics of piecewise continuous signals. Then it illustrates an operational way.
DATAFLOW PROCESS NETWORKS Edward A. Lee Thomas M. Parks.

DATAFLOW PROCESS NETWORKS Edward A. Lee Thomas M. Parks.
Chess Review November 21, 2005 Berkeley, CA Edited and presented by Interchange Format for Hybrid Systems Alessandro Pinto UC Berkeley.

Chess Review November 21, 2005 Berkeley, CA Edited and presented by Interchange Format for Hybrid Systems Alessandro Pinto UC Berkeley.
PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.

PTIDES: Programming Temporally Integrated Distributed Embedded Systems Yang Zhao, EECS, UC Berkeley Edward A. Lee, EECS, UC Berkeley Jie Liu, Microsoft.
7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Causality Interfaces for Actor Networks Ye Zhou and Edward A. Lee University of California,

7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Causality Interfaces for Actor Networks Ye Zhou and Edward A. Lee University of California,
Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.

Integrated Design and Analysis Tools for Software-Based Control Systems Shankar Sastry (PI) Tom Henzinger Edward Lee University of California, Berkeley.
Type System, March 12, 2002 - 1 Data Types and Behavioral Types Yuhong Xiong Edward A. Lee Department of Electrical Engineering and Computer Sciences University.

Type System, March 12, Data Types and Behavioral Types Yuhong Xiong Edward A. Lee Department of Electrical Engineering and Computer Sciences University.
7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Leveraging Synchronous Language Principles for Hybrid System Models Haiyang Zheng and.

7th Biennial Ptolemy Miniconference Berkeley, CA February 13, 2007 Leveraging Synchronous Language Principles for Hybrid System Models Haiyang Zheng and.
Behavioral Types as Interface Definitions for Concurrent Components Center for Hybrid and Embedded Software Systems Edward A. Lee Professor UC Berkeley.

Behavioral Types as Interface Definitions for Concurrent Components Center for Hybrid and Embedded Software Systems Edward A. Lee Professor UC Berkeley.
A denotational framework for comparing models of computation Daniele Gasperini.

A denotational framework for comparing models of computation Daniele Gasperini.
Using Interfaces to Analyze Compositionality Haiyang Zheng and Rachel Zhou EE290N Class Project Presentation Dec. 10, 2004.

Using Interfaces to Analyze Compositionality Haiyang Zheng and Rachel Zhou EE290N Class Project Presentation Dec. 10, 2004.
Chess Review October 4, 2006 Alexandria, VA Edited and presented by Advanced Tool Architectures Edward A. Lee UC Berkeley.

Chess Review October 4, 2006 Alexandria, VA Edited and presented by Advanced Tool Architectures Edward A. Lee UC Berkeley.

Similar presentations

Ads by Google