on the synthesis of correct-by-design embedded control ...lab correct-by-design synthesis a three...

Lab

On the synthesis of correct-by-designembedded control software

Paulo Tabuada

Cyber-Physical Systems LaboratoryDepartment of Electrical Engineering

University of California at Los Angeles

Paulo Tabuada (CyPhyLab - UCLA) Berkeley 04/17/09 1 / 45

Lab

IntroductionExamples of networked embedded control systems


Lab


The OneWireless Plant

Honeywell’s innovative OneWireless™solutions turn valuable data into knowledge, helping plants:

© 2007 Honeywell International, Inc. All rights reserved.

• Keep people, plants and the environment safe • Improve plant and asset reliability • Optimize through efficient employees, equipment and processes


Lab



Lab

IntroductionExisting paradigm

How are embedded control systems designed today?

Softwaredesign

Softwarevalidation


Lab

IntroductionExisting paradigm

Softwaredesign

Softwarevalidation

This iterative scheme has several drawbacks:

Validation by extensive simulation and testingincreases our confidence in the software but fails to provideadequate guarantees of correct operation and performance;

Formal verificationis currently limited to finite state systems and thus cannot beused to verify properties depending on continuous components;

Extensive validation is time consuming thusincreasing the cost and time-to-market of embedded software.

Some of these disadvantages can be mitigated by adopting a correct-by-designapproach to the development of embedded control software.


Lab

Correct-by-design synthesisA three step approach

I shall adopt a three step approach to the synthesis of correct-by-design embeddedcontrol software.

x(t+1)=f(x(t),u(t))dx(t)/dt=f(x(t),u(t))continuous dynamics

finite bisimulation


Lab




finite bisimulation hardware+software discrete controller


Lab





q(t+1)=g(q(t),x(t))u=k(q(t),x(t))

hybrid controller


Lab


Ultimately, I would like to:

1 Specify the continuous dynamics;

2 Specify the software+hardware platform;

3 Define the specification;

4 Obtain embedded code enforcing the specification for the continuous dynamicson the given software+hardware platform.

This is a long term goal. Nevertheless, several key ingredients of the proposedapproach are already available. In this talk I will focus on one such ingredient:

Existence of finite approximate bisimulations for control systems.


Lab

Key ingredientsControl systems as transition systems

DefinitionA transition system is a quintuple T = (Q, L, - ,O,H), consisting of:

A set of states Q;

A set of inputs L;

A transition relation - ⊆ Q × L×Q;

An output set O;

An output function H : Q → O.

a:=4b:=1while a>0a:=a+bend while

q1

evenq2

odd

e

e


Lab


Can we regard control systems as transition systems?

Definition

A control system is a quadruple Σ = (Rn,U,U , f ), where:

Rn is the state space;

U ⊆ Rm is the input space;

U is “nice” subset of the set of all functions of time from intervals of the form]a, b[⊆ R to U with a < 0 and b > 0;

f : Rn × U → Rn is a “nice” continuous map.

A “nice” curve x :]a, b[→ Rn is said to be a trajectory of Σ if there exists u ∈ Usatisfying x(t) = f (x(t),u(t)), for almost all t ∈ ]a, b[.


Lab


Given a control system Σ = (Rn,U,U , f ) and sampling time τ ∈ R+, define thetransition system:

Tτ (Σ) := (Q, L, - ,O,H),

where:

Q = Rn;

L is the set of all the curves in U of duration τ ;

qu- p if x(τ, q,u) = p;

O = Rn;

H = 1Rn .

The output set O = Rn is equipped with the metric d(p, q) = ‖p − q‖.

Can we replace Tτ (Σ) with an equivalent and yet finite transition system?


Lab

Key ingredientsApproximate (bi)simulation

The usual notion of (bi)simulation requires exact matching of outputs.

Definition

Let T1 = (Q1, L1, 1- ,O,H1) and T2 = (Q2, L2, 2

- ,O,H2) be transition systemswith the same output space O. A relation R ⊆ Q1 ×Q2 is said to be a simulationrelation from T1 to T2 if (p1, p2) ∈ R implies:

1 H(p1) = H(p2);

2 p1l11- q1 imply the existence of q2 ∈ Q2 such that p2

l22- q2 with (q1, q2) ∈ R.

Relation R is said to be a bisimulation relation between T1 and T2 if, in addition to 1.and 2., (p1, p2) ∈ R also implies:


l11- q1 with (q1, q2) ∈ R.


Lab

Key ingredientsApproximate (bi)simulation

Relaxing the equality constraint H(p1) = H(p2) leads to approximate (bi)simulation.

Definition (Girard and Pappas 2005, Tabuada 2005)

Let T1 = (Q1, L1, 1- ,O,H1) and T2 = (Q2, L2, 2

- ,O,H2) be metric transition

systems with the same output space O and let ε ∈ R+. A relation R ⊆ Q1 ×Q2 is saidto be a ε-approximate simulation relation from T1 to T2 if (p1, p2) ∈ R implies:

1 d(H(p1),H(p2)) ≤ ε;


l22- q2 with (q1, q2) ∈ R.

Relation R is said to be a bisimulation relation between T1 and T2 if, in addition to 1.and 2., (p1, p2) ∈ R also implies:


l11- q1 with (q1, q2) ∈ R.


Lab

Key ingredientsA simple idea

x1 = x2

x2 = u

U = {u−, u0, u+}u−(t) = −1 ∀t ∈ [0, 1]

u0(t) = 0 ∀t ∈ [0, 1]

u+(t) = 1 ∀t ∈ [0, 1]

x2

x1u0

u+

u-


Lab


x1 = x2

x2 = u

U = {u−, u0, u+}u−(t) = −1 ∀t ∈ [0, 1]

u0(t) = 0 ∀t ∈ [0, 1]

u+(t) = 1 ∀t ∈ [0, 1]

x2

x1u0

u0

u+

u-

u+

u+

u-

u-

u0


Lab


x1 = x2

x2 = u

U = {u−, u0, u+}u−(t) = −1 ∀t ∈ [0, 1]

u0(t) = 0 ∀t ∈ [0, 1]

u+(t) = 1 ∀t ∈ [0, 1]

u0

x2

x1

u0

u0 u0

u0 u0

u0

u+ u+

u- u-

u+ u+ u+

u+ u+

u-u-

u-u-u-

Can we extrapolate from this finite transition system?


Lab


x1 = x2

x2 = u

U = {u−, u0, u+}u−(t) = −1 ∀t ∈ [0, 1]

u0(t) = 0 ∀t ∈ [0, 1]

u+(t) = 1 ∀t ∈ [0, 1]

x2

x1

Yes, provided that we know how to robustify it!


Lab


x1 = x2

x2 = u

U = {u−, u0, u+}u−(t) = −1 ∀t ∈ [0, 1]

u0(t) = 0 ∀t ∈ [0, 1]

u+(t) = 1 ∀t ∈ [0, 1]

x2

x1



Lab

Key ingredientsIncremental stability

Definition (δ-GAS)A control system Σ is incrementally globally asymptotically stable (δ–GAS) if it isforward complete and there exist a KLa function β such that for any t ∈ R+

0 , anyx , y ∈ Rn and any u ∈ U the following condition is satisfied:

‖x(t , x ,u)− x(t , y ,u)‖ ≤ β(‖x − y‖ , t).

aA continuous function β : R+

0 × R+0 → R+

0 is said to belong to classKL∞ if, for each fixed s, the map β(r, s) is strictlyincreasing, β(0, s) = 0 and β(r, s)→∞ as r →∞, and for each fixed r , the map β(r, s) is decreasing with respect to s andβ(r, s)→ 0 as s →∞.


Lab




‖x(t , x ,u)− x(t , y ,u)‖ ≤ β(‖x − y‖ , t).


0 × R+0 → R+



Lab


Definition (δ-ISS)A control system Σ is incrementally input–to–state stable (δ–ISS) if it is forwardcomplete and there exist a KL function β and a K∞a function γ such that for anyt ∈ R+

0 , any x , y ∈ Rn and any u, v ∈ U the following condition is satisfied:

‖x(t , x ,u)− x(t , y , v)‖ ≤ β(‖x − y‖ , t) + γ(‖u− v‖∞).

aA continuous function γ : R+

0 → R+0 is said to belong to classK∞ if γ is strictly increasing, γ(0) = 0 and γ(r)→∞ as

r →∞.


Lab


1 For linear control systems, that is, x = Ax + Bu, both δ-GAS and δ-ISS areequivalent to stability of A (all the eigenvalues of A have negative real part);

2 In the nonlinear case, by restricting attention to a compact set, GAS impliesδ-GAS and ISS implies δ-ISS;

3 Both δ-GAS and δ-ISS admit Lyapunov characterizations.


Lab

Main resultsQuantization of control systems

Given a control system Σ = (Rn,U,U , f ), a time quantization τ ∈ R+, a spacequantization η ∈ R+, and an input quantization Uτ ⊆ U , define the transition system:

TηUτ (Σ) := (QηUτ , L, ηUτ

- ,O,H),

where:

QηUτ = [Rn]η;

L = Uτ ;

qu

ηUτ

- p if ‖x(τ, q,u)− p‖ ≤ η2 ;

O = Rn;

H = 1Rn .


Lab

Main resultsExistence of approximate simulations

Theorem

Let Σ be a control system and let ε ∈ R+ be any desired precision. If Σ is δ-GAS, thenfor any τ ∈ R+, for any Uτ ⊆ U , and for any η ∈ R+ satisfying the following inequality:

β(ε, τ) +η

2≤ ε

there exists an ε-approximate simulation relation R from TηUτ (Σ) to Tτ (Σ) satisfyingR(QηUτ ) = Rn.

x2

x1


Lab


Theorem


β(ε, τ) +η

2≤ ε


x2

x1


Lab


Theorem

Let Σ be a control system and let ε ∈ R+ be any desired precision. If Σ is δ-GAS, thenfor any τ ∈ R+ for any Uτ ⊆ U , and for any η ∈ R+ satisfying the following inequality:

β(ε, τ) +η

2≤ ε


Under the assumptions of the previous theorem, there exists a countable set of controlquanta Uτ rendering TηUτ (Σ) ε-approximate bisimilar to Tτ (Σ).

But how do we compute Uτ?


Lab


Theorem

Let Σ be a control system and let ε ∈ R+ be any desired precision. If Σ is δ-GAS, thenfor any τ ∈ R+ for any Uτ ⊆ U , and for any η ∈ R+ satisfying the following inequality:

β(ε, τ) +η

2≤ ε


Under the assumptions of the previous theorem, there exists a countable set of controlquanta Uτ rendering TηUτ (Σ) ε-approximate bisimilar to Tτ (Σ).But how do we compute Uτ?


Lab

Main resultsExistence of approximate bisimulations

Theorem

Let Σ be a digital control system and let ε ∈ R+ be any desired precision. If Σ is δ-ISS,then for any τ ∈ R+, for U(τ) = [U]µ, and for any η ∈ R+ satisfying the followinginequality:

β(ε, τ) +η

2+ γ(µ) ≤ ε

there exists an ε-approximate bisimulation relation R between TηUτ (Σ) and Tτ (Σ).


Lab

ExampleA non-holonomic robot

Let us consider the simplest nonholonomic robot:

x = v cos θ (1)

y = v sin θ (2)

θ = ω (3)

and construct a finite abstraction by working on [−2, 2]× [−2, 2]× [0, 2π] and byconsidering constant input curves of duration 3s and assuming values on{0, 1} × {−1.1,−1, 1, 1.1}.

-2 -1 1 2

-2

-1

1

2

-2 -1 1 2

2

4

6

-2 -1 1 2

2

4

6


Lab


Periodic orbits: find a periodic orbit passing through the origin.

Searching on the discrete abstraction we obtain:

(0, 0, 0.55π)(1,−1.1)- (1.73, 0, 1.47π)

(1,−1)- (0, 0, 0.55π)

0.5 1 1.5

-0.5

0.5

1

0.5 1 1.5

-0.5

0.5

1

0.5 1 1.5 2

-1

-0.5

0.5

1


Lab


Language specifications: execute periodic orbits according to the sequence

right→right→left→left→left→right→right→left→left→left.

-2-1

01

-1-0.5

00.5

1

0

2

4

6-1-0.5

00.5

-2 -1 1 2

-1

-0.5

0.5

1


Lab


Switching specifications.

rotate counter-clockwise

rotate clockwise

either clockwise or counter-clockwise

-3 -2 -1 1 2 3

-1

-0.5

0.5

1


Lab


Interaction with discrete signals.


Lab

Putting the pieces togetherAbstraction


finite bisimulation

The abstraction step can be done for a reasonable class of control systems;

Recent results eliminate the stability assumption by ensuring only the existenceof approximate alternating simulation relations;

Multi-resolution quantization and other techniques can be used to reduce thesize of the abstractions.


Lab

Putting the pieces togetherSynthesis of discrete controllers



Synthesis of controllers based on language specifications can be done byresorting to supervisory control or algorithmic game theory;

Synthesis of controllers based on (bi)simulation specifications can be done bymodifying existing algorithms for the construction of (bi)simulations;

Incorporating timing considerations is crucial to address real-time issues.


Lab

Putting the pieces togetherController refinement



q(t+1)=g(q(t),x(t))u=k(q(t),x(t))

hybrid controller

The refinement of discrete to hybrid controllers is based on the approximatebisimulation relation between the discrete abstraction and the continuous plant;

The hybrid controller is a formal model for embedded code. Automated codegeneration from this model is conceptually simple;

Correctness of operation depends on real-time scheduling and many otherconsiderations.


Lab

Questions?

Many questions remain open and much work is to be done before we can synthesizecorrect-by-design embedded control software.

The ingredients, however, are becoming available.

The work described in this talk was the result of:

the dedication of my students and postdocs: Giordano Pola (now AssistantProfessor at University of L’Aquila), Manuel Mazo Jr., and Anna Davitian;

the inspiring discussions with my collaborators: Aaron Ames, Antoine Girard,Agung Julius, Rupak Majumdar, and George Pappas;

the financial support from the National Science Foundation.

For papers and more information:http://www.cyphylab.ee.ucla.edu/

http://www.ee.ucla.edu/∼tabuada


on the synthesis of correct-by-design embedded control ...lab correct-by-design synthesis a three...

Documents