Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model-based Analysis and Implementation of Embedded Systems

Published byJanel Annabel Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "Model-based Analysis and Implementation of Embedded Systems"— Presentation transcript:

1 Model-based Analysis and Implementation of Embedded Systems
Rajeev Alur University of Pennsylvania MIT Workshop, August 2005

2 Model-Based Design Benefits of model-based design
Detecting errors in early stages Powerful and formal analysis Reusable components Automatic code generation Many commercial tools are available for design of embedded control systems (e.g. Simulink) Typically, semantics is not formal Typically, only simulation-based analysis Code generation available, but precise relationship between model and code not understood

3 Charon Project at Penn Can we formally prove safety properties of models? Formal Specification Environment Model Performance Metrics Can we infer properties of code from properties of models? Programming/Modeling Language Based on Hybrid Automata Design and Analysis Tools Simulation, Verification, Optimization Compiler + Scheduler Libraries in Base Language Platform Description Executable Code on Embedded Processor

4 Hybrid Modeling State machines + Dynamical systems off on dx=kx
Coordination Protocols Systems Biology Automotive Robotics Animation

5 CHARON Language Features
Individual components described as agents Composition, instantiation, and hiding Individual behaviors described as modes Encapsulation, instantiation, and Scoping Support for concurrency Shared variables as well as message passing Support for discrete and continuous behavior Differential as well as algebraic constraints Discrete transitions can call Java routines Compositional semantics with refinement rules Composition of submodes is called encapsulation. Sequential composition. Follow the wall and obstacle avoidance can be sequentially implemented

6 CHARON Toolkit

7 Model Checker Advantages Impressive industrial success
yes temporal property error-trace Advantages Automated formal verification, Effective debugging tool Impressive industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Model checking for discrete systems Enumerative state-space search (SPIN) Symbolic search using Binary decision diagrams (SMV) Bounded model checking using SAT solvers

8 Symbolic Safety Verification
Data type: region to represent state-sets R:=I(X) /* initial set */ Repeat If R intersects target F report “violation” Else if R contains Post(R) report “safe” Else R := R union Post(R) Post(R): Set of successors of states in R Termination may or may not be guaranteed F I

9 Reachability for Hybrid Systems
What’s a suitable representation of regions? Region: subset of Rk Main problem: handling continuous dynamics Precise solutions available for restricted continuous dynamics Timed automata (Uppaal, Kronos, …) Linear hybrid automata (HyTech) Even for linear systems, over-approximations of reachable set needed

10 Timed Automata Analog of finite-state automata in discrete case
a,x:=0 b,y:=0 y>2,c x<3,d Analog of finite-state automata in discrete case Continuous variables: Clocks increasing at rate 1 All constraints of the form: x compared to constant Can express lower and upper bounds on delays Well-developed theory of automata and logics Closure properties Decision problems Equivalent characterizations

11 Region-based Analysis Finite partitioning of state space
w’ iff they satisfy the same set of constraints of the form xi < c, xi = c, xi – xj < c, xi –xj =c for c <= largest const relevant to xi x2 2 Region equivalence is a time-abstract bisimulation, and corresponding quotient can be used for temporal logic model checking 1 1 2 3 x1 An equivalence class (i.e. a region) in fact there is only a finite number of regions!!

12 Model Checking for Hybrid Systems
Timed automata tools use matrices as a symbolic representation (all constraints are bounds on differences) Next step: use polyhedra as a representation (HyTech) Linear hybrid automaton allows linear constraints in guards/resets Dynamics: linear constraints among derivates The set of reachable states at every iteration is union of polyhedra If dynamics is dX=AX, and R is a polyhedron, Post(R) is not a polyehdron Many approximate solutions proposed: Approximate Post(R) with enclosing convex polyhedra (Checkmate)

13 Polyhedral Flow Pipe Approximations
divide R[0,T](X0) into [tk,tk+1] segments enclose each segment with a polyhedron X0 RM[0,T](X0) = union of polyhedra

14 Abstraction and Refinement
Abstraction-based verification Given a model M, build an abstraction A Check A for violation of properties Either A is safe, or is adequate to indicate a bug in M, or gives false negatives (in that case, refine the abstraction and repeat) Many projects exploring abstraction-based verification for hybrid systems Predicate abstraction (Charon at Penn) Counter-example guided abstraction refinement (CEGAR at CMU) Qualitative abstraction using symbolic derivatives (SAL at SRI) Composition of submodes is called encapsulation. Sequential composition. Follow the wall and obstacle avoidance can be sequentially implemented

15 Predicate Abstraction
Input is a hybrid automaton and a set of k boolean predicates, e.g. x+y > 5-z. The partitioning of the concrete state space is specified by the user-defined k predicates. Abstract Space: L x {0,1} k t x Concrete Space: L x R n

16 Overview of the Approach
Hybrid system Boolean predicates additional predicates Search in abstract space Safety property No! Counter-example Property holds Analyze counter-example Real counter- example found

17 Charon Project at Penn Can we formally prove safety properties of models? Formal Specification Environment Model Performance Metrics Can we infer properties of code from properties of models? Programming/Modeling Language Based on Hybrid Automata Design and Analysis Tools Simulation, Verification, Optimization Compiler + Scheduler Libraries in Base Language Platform Description Executable Code on Embedded Processor

18 Walking Model: Behavior and Modes
Shared variable On Ground Up x turn == i dy = kv dt = 1 dx = dy = 0 L1 j1 Time triggered y==0 -> turn++ L2 j2 t==2 (x, y) y 2x==str Event triggered dx = kv x < str /2 dy = -kv Down Forward

19 Code Generation Case Study
Front-end Translate CHARON objects into modular C++ objects Back-end Map C++ objects to execution environment front-end back-end CHARON objects C++ objects Execution environment Target platform agent class agent scheduler mode class mode diff() trans() diff/alge eqn API transition analog var class var

20 Gap Between Models and Code
Rich theory of sampled control (but mainly for purely continuous systems) Discrete-time control design Sampling errors No theory of interacting control blocks Mapping individual blocks to periodic real-time tasks does not lead to predictability Lack of compositionality affects integration Hybrid systems poses new challenges: How can code ensure that events are not missed ?

21 Code from Structured Models
How to map control blocks to tasks? C1 x C2 u v Many choices for code Two tasks: C1 and C2 with their own periods One task: Read(x);C1;C2;Actuate One task: Read(x);C1;Read(x);C2;Actuate The choice can depend on many parameters: computation times, sensitivity ox x to u and v, performance objective

22 Quantifying the Gap (1) Appealing implementation platform: Time-triggered architecture Time divided into fixed-size slots Appealing programming paradigm: Fixed Logical Execution Time Block mapped to slot i reads inputs at the beginning, computes, and outputs at the end of the slot i Micro-schedule: Map each slot to at most one control block Given a micro-schedule s, and a plant model, continuous-time trajectory of execution uniquely defined

23 From Model to Code 1. Continuous-time semantics: all blocks at all times Continuous 2. Discrete/simulation semantics: all blocks every T s Compute all 3. Periodic tasks: Red block every T1 s, Blue every T2 s 4. Micro-schedule on TTA: Fixed-size slots Idle,Red,Blue,Idle, Blue,Red,Idle,Blue, Idle,Red, Blue…

24 Quantifying the Gap (2) Define a performance metric: for two continuous-time trajectories t1 and t2, d(t1,t2) measures the distance Quality of a micro-schedule s is d(t*,ts), where t* is the continuous-time simulation trajectory and ts is the trajectory of code when executed according to s For linear systems, d(t*,ts) is computable when d is, say, L2-norm, using ideas from PLTIs (Periodic linear time invariant systems) This allows comparing micro-schedules by precisely quantifying their metrics

25 Wrap-Up Modeling and Analysis in symbiosis
Progress on safety verification by combining symbolic representations and abstraction Many application domains for hybrid systems Current Focus: Understanding and quantifying the gap between models and code to add rigor in the code generation step Ongoing: Stochastic hybrid systems

Download ppt "Model-based Analysis and Implementation of Embedded Systems"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Hybrid Systems Modeling and Analysis of Regulatory Pathways Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ LSB, August 2006.

Hybrid Systems Modeling and Analysis of Regulatory Pathways Rajeev Alur University of Pennsylvania LSB, August 2006.
Timed Automata Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ SFM-RT, Bertinoro, Sept 2004.

Timed Automata Rajeev Alur University of Pennsylvania SFM-RT, Bertinoro, Sept 2004.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.

Budapest University of Technology and EconomicsDagstuhl 2004 Department of Measurement and Information Systems 1 Towards Automated Formal Verification.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs Mohamed Zaki, Ghiath Al Sammane, Sofiene Tahar, Guy Bois FMCAD'07.

Combining Symbolic Simulation and Interval Arithmetic for the Verification of AMS Designs Mohamed Zaki, Ghiath Al Sammane, Sofiene Tahar, Guy Bois FMCAD'07.
August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting1August 27-29 2007Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.

August Moscow meeting1August Moscow meeting1August Moscow meeting11 Deductive tools in insertion modeling verification A.Letichevsky.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Modular Specification of Hybrid Systems in CHARON R. Alur, R. Grosu, Y. Hur, V. Kumar, I. Lee University of Pennsylvania SDRL and GRASP.

Modular Specification of Hybrid Systems in CHARON R. Alur, R. Grosu, Y. Hur, V. Kumar, I. Lee University of Pennsylvania SDRL and GRASP.

Similar presentations

Ads by Google