Hybrid Systems From Models to Code Tom Henzinger

Hybrid Systems: From Models to Code Tom Henzinger UC Berkeley NSF UC Berkeley: Chess Vanderbilt University: ISIS University of Memphis: MSI Foundations of Hybrid and Embedded Software Systems

French Guyana, June 4, 1996 $800 million embedded software failure

Mars, December 3, 1999 Crashed due to uninitialized variable ITR Kickoff / Chess 3

$4 billion development effort 40 -50% system integration & validation cost

Sources of Complexity -concurrency -real time -heterogeneity A hybrid system consists of multiple continuous (physical) and discrete (computational) components that interact with each other in real time. ITR Kickoff / Chess 5

Embedded Software Design: Current State Design Simulate Redesign Optimize Test Model (e. g. , Simulink) No formal connection between requirements, model, and resources: expensive development cycle iterates all stages Code generation Code No exact correspondence between model and code: -difficult to upgrade code -difficult to reuse code ITR Kickoff / Chess 6

Embedded Software Design: Our Vision Design Verify Model Compilation (analysis, optimization, and code generation) Code ITR Kickoff / Chess 7

The FRESCO Project (Formal Real-Time Software Components) Hybrid System Model Time-Safe Code MASACCIO: correctness by formal verification against requirements GIOTTO: correctness by schedulability analysis against resources ITR Kickoff / Chess 8

Continuous (Euclidean) Systems State space: Rn Dynamics: initial condition + differential equations Room temperature: x(0) = x 0 x’(t) = -K·x(t) x x 0 t Analytic complexity. ITR Kickoff / Chess 9

Discrete (Boolean) Systems State space: B m Dynamics: initial condition + transition relation Heater: heat off on t Combinatorial complexity. ITR Kickoff / Chess 10

The Curse of Concurrency 300, 000 latches

11 stars 11 10 10 stars 10100, 000 states

Hybrid Systems m n State space: B R Dynamics: initial condition + transition relation + differential equations Thermostat: off x’ = -K·x x L x 0 x l on off on x u x’ = K·(H-x) x U t ITR Kickoff / Chess 13

Hybrid Automata y x ITR Kickoff / Chess 14

Hybrid Automata far x’ [-50, -40] x 1000 x = 1000 app! x = 100 exit! x : [2000, ) train past x’ [30, 50] x 100 near x’ [-50, -30] x 0 app x=0 exit ITR Kickoff / Chess 15

Hybrid Automata up y’ = 9 y 90 raise? open y’ = 0 raise lower? down y’ = -9 y 0 gate y = 90 raise? y=0 lower closed y’ = 0 lower? ITR Kickoff / Chess 16

Hybrid Automata app t’ = 1 t t : = 0 app? lower! exit idle t : = 0 exit? t’ = 1 t raise! controller lower raise ITR Kickoff / Chess 17

Requirements Safety: ( x 10 loc[gate] = closed ) Liveness: ( loc[gate] = open ) Real time: z : =0. ( z’ = 1 ( loc[gate] = open z 60 )) Verification and failure analysis by model checking (e. g. , Hy. Tech). ITR Kickoff / Chess 18

Two Problems with Hybrid Automata 1. Scalability Possible solutions: -hierarchy (MASACCIO) -assume-guarantee decomposition (interfaces) 2. Robustness Possible solutions: - -variability -discounted future ITR Kickoff / Chess 19

MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 20

MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 21

MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 22

MASACCIO Hierarchical Hybrid Automata ITR Kickoff / Chess 23

MASACCIO ITR Kickoff / Chess 24

Two Problems with Hybrid Automata 1. Scalability Possible solutions: -hierarchy (MASACCIO) -assume-guarantee decomposition (interfaces) 2. Robustness Possible solutions: - -variability -discounted future ITR Kickoff / Chess 25

The Robustness Problem Hybrid Automaton Property slightly perturbed automaton ITR Kickoff / Chess 26

The Robustness Problem Hybrid Automaton Safe x=3 ITR Kickoff / Chess 27

The Robustness Problem Hybrid Automaton Unsafe x = 3+ ITR Kickoff / Chess 28

A Possible Solution of the Robustness Problem: Metrics on Traces Model instead of consider Property Yes or No -Variation ITR Kickoff / Chess 29

A More Radical Solution of the Robustness Problem: Discounting the Future value(Model, Property): States {Yes, No} value(Model, Property): States R ITR Kickoff / Chess 30

A More Radical Solution of the Robustness Problem: Discounting the Future value(Model, Property): States {Yes, No} value(m, T) = X. (T pre(X)) discounted. Value(Model, Property): States R discounted. Value(m, T) = X. max(T, pre(X)) discount factor 0< <1 ITR Kickoff / Chess 31

A More Radical Solution of the Robustness Problem: Discounting the Future Robustness Theorem: If discounted. Bisimilarity(m 1, m 2) > 1 - , then |discounted. Value(m 1, p) - discounted. Value(m 2, p)| < f( ). Further Advantages of Discounting: -approximability because of geometric convergence (avoids non-termination of verification algorithms) -applies also to probabilistic systems and to games (enables reasoning under uncertainty and control) ITR Kickoff / Chess 32

The FRESCO Project (Formal Real-Time Software Components) Hybrid System Model Time-Safe Code MASACCIO: correctness by formal verification against requirements GIOTTO: correctness by schedulability analysis against resources ITR Kickoff / Chess 33

The History of Computer Science: Lifting the Level of Abstraction High-level languages: Programming to the application Requirements focused code Compilation The “assembly age”: Programming to the platform Resource focused code -Traditional high-level languages abstract time. -This abstraction is unsuitable for real-time applications, which are still programmed in terms of platform time (“priority tweaking”). -GIOTTO: Real-time programming in terms of application time. ITR Kickoff / Chess 34

GIOTTO MASACCIO Time-Triggered Programming ITR Kickoff / Chess 35

GIOTTO MASACCIO Time-Triggered Programming ITR Kickoff / Chess 36

GIOTTO MASACCIO Time-Triggered Programming 200 Hz 400 Hz 200 Hz 1 k. Hz ITR Kickoff / Chess 37

GIOTTO MASACCIO Time-Triggered Programming 1. Concurrent Periodic Tasks: -sensing -control law computation -actuating 2. Multiple Modes of Operation: -navigational modes (autopilot, manual, etc. ) -maneuver modes (taxi, takeoff, cruise, etc. ) -degraded modes (sensor, actuator, CPU failures) ITR Kickoff / Chess 38

GIOTTO MASACCIO Time-Triggered Programming Mode 1 Condition 1. 2 Mode 2 Task S 400 Hz Task C 200 Hz Task A 1 k. Hz Condition 2. 1 Task A’ 1 k. Hz Task A” 1 k. Hz Mode 3 Task S 400 Hz Task C 200 Hz Mode 4 Task C’ 100 Hz Task A 1 k. Hz Task A 2 k. Hz ITR Kickoff / Chess 39

GIOTTO MASACCIO Separation of Concerns Functionality. Host code e. g. C -No time. -Atomic. -Sequential. This kind of software is reasonably well understood. Timing and interaction. Glue code Giotto -Real time. -Reactive. -Concurrent. The software complexity lies in the glue code. ITR Kickoff / Chess 40

Two Opposing Forces Requirements Verification automatic (model checking) Model Implementation Environment automatic (compilation) Resources ITR Kickoff / Chess 41

Two Opposing Forces Requirements Verification Model Implementation Environment property preserving Resources ITR Kickoff / Chess 42

Two Opposing Forces Requirements Verification Composition Component Implementation Resources ITR Kickoff / Chess 43

Two Opposing Forces Requirements (time, fault tolerance, etc. ) Verification no change Component Implementation no change Component Deep Compositionality Resources ITR Kickoff / Chess 44

Achieving Verifiability and Compositionality in GIOTTO: The FLET (Fixed Logical Execution Time) Assumption Software Task read sensor input at time t d>0 is the task's "logical execution time" write actuator output at time t+d, for fixed d ITR Kickoff / Chess 45

Embedded Programming in GIOTTO The programmer specifies sample rate d and jitter j to solve the control problem at hand. The compiler ensures that d and j are met on a given platform (hardware resources and performance); otherwise it rejects the program. ITR Kickoff / Chess 46

Implementing the FLET Assumption time t possible physical execution on CPU time t+d buffer output ITR Kickoff / Chess 47

Contrast the FLET with Standard Practice output as soon as ready ITR Kickoff / Chess 48

Advantages of the FLET and GIOTTO -predictable timing and value behavior (no internal race conditions, minimal jitter) -portable, composable code (as long as the platform offers sufficient performance) ITR Kickoff / Chess 49

Research Agenda From Hybrid Models -robust hybrid models (tube topologies, discounting) -model checking for hierarchical and stochastic hybrid models -multi-aspect assume-guarantee decomposition of hybrid models (interface theories for time, resources, fault tolerance) To Embedded Code -distributed schedulability analysis and code generation -on-line code modification and fault tolerance ITR Kickoff / Chess 50

Credits Scalable and Robust Hybrid Systems: Luca de Alfaro, Arkadeb Ghosal, Marius Minea, Vinayak Prabhu, Marcin Jurdzinski, Rupak Majumdar GIOTTO: Ben Horowitz, Christoph Kirsch, Rupak Majumdar, Slobodan Matic, Marco Sanvido ITR Kickoff / Chess 51

Collaborators of the FRESCO Project -Alex Aiken on time-safety analysis of embedded code -Karl Hedrick on Giotto implementation of electronic throttle control -Edward Lee on Giotto modeling and code generation in Ptolemy -Edward Lee on rich interface theories as type theories for component interaction -George Necula on model checking device drivers -George Necula on scheduler-carrying embedded code -Alberto Sangiovanni-Vincentelli on synthesis of protocol converters from interfaces -Alberto Sangiovanni-Vincentelli and Shankar Sastry on platform-based design of a helicopter flight control system using Giotto -Shankar Sastry on hybrid automata ITR Kickoff / Chess 52