exposing architecture in hybrid programs
DESCRIPTION
The formalism of hybrid programs is a relatively recent development by Platzer et al. (CSD) that allows holistic reasoning about discrete and continuous behavior within the same model. This makes hybrid modeling and verification, supported by tools like KeYmaera, an attractive method for analyzing cyber-physical systems. However, hybrid programs do not operate architectural concepts, making it difficult to relate them between each other and other kinds of CPS models. My talk introduces architectural annotations for hybrid programs that allow engineers to express the otherwise implicit architectural knowledge. This presentation discusses annotation primitives and their interpretation.TRANSCRIPT
![Page 1: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/1.jpg)
Exposing Architectures inHybrid Programs
Ivan Ruchkin
In collaboration with
Stefan Mitsch,
Jan-David Quesel,
Andre Platzer,
David Garlan,
and others
SSSGNovember 18, 2013
![Page 2: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/2.jpg)
Outline
● Problem: hidden architectural knowledge
● Hybrid programs basics
● Architectural Annotations
– Approach
– Collision avoidance example
2
![Page 3: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/3.jpg)
Outline
● Problem: hidden architectural knowledge
● Hybrid programs basics
● Architectural Annotations
– Approach
– Collision avoidance example
3
![Page 4: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/4.jpg)
Deadlock model
Control model
Physical model
Hybrid model
4
CPS Modeling Ecosystem
?
??
Cyber-Physical System
![Page 5: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/5.jpg)
Deadlock model
Control model
Physical model
Hybrid model
5
Architectural Approach to CPS Modeling
This presentation
![Page 6: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/6.jpg)
Exposing Architecture
● Problem: implicit architectural structures and behavior in hybrid programs.
– Inconsistencies with other models.
– Missed opportunities for verification.
● Goal: create a means to expose architecture in hybrid programs.
● Benefits:
– System level: relate to other models, expose architectural inconsistencies, raise level of abstraction for design.
– Hybrid program level: generate templates, differentiate models, support verification (additional properties, refinement).
6
![Page 7: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/7.jpg)
Outline
● Problem: hidden architectural knowledge
● Hybrid programs basics
● Architectural Annotations
– Approach
– Collision avoidance example
7
![Page 8: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/8.jpg)
Hybrid Programs and Dynamic Logic
● Hybrid systems are systems that exhibit discrete and continuous behavior.
● Hybrid programs (HP) are models for hybrid systems.
8
HP-Robot:((?X; a:= A) ++ (a:=-b);{v' = a, x' = v, v >= 0}
)*
Accelerate
v' = ax' = vv >= 0
Brake
v' = ax ' = vv >= 0
a:= A
a:= -b
X
X
![Page 9: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/9.jpg)
Hybrid Program Operations
● a := X deterministic assignment
● a := * non-deterministic assignment
● if (P) conditional branching
then X else Y
● X ++ Y non-deterministic choice
● X; Y sequential composition
● X* non-deterministic repetition
● {a' = X, b' = Y, … } continuous evolution9
![Page 10: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/10.jpg)
Differential Dynamic Logic
● Consists of:
– FOL over real arithmetic (∃, ∀, ^, ∨, ¬, ⇒).
– Modalities over HP:
● [HP] P: after all runs of HP, P holds.
● <HP> P: exists at least one run of HP, after which P holds.
● Express properties over HP:
– E.g., (X ⇔ x < wall – 50) ⇒ [HP-Robot] (x < wall)
– Canonical form: Pre ⇒[HP] (Prop)
● Use a hybrid prover (KeYmaera) to prove properties.
● Summary: a convenient formal logic to express hybrid system models and their properties.
10
![Page 11: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/11.jpg)
Outline
● Problem: hidden architectural knowledge
● Hybrid programs basics
● Architectural Annotations
– Approach
– Collision avoidance example
11
![Page 12: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/12.jpg)
Hidden Architecture in Hybrid Programs
● What are the “components” of the system?
– E.g., a car and a wall.
● How do the “components” interact?
– E.g., sense each other or interact through forces.
● What assumptions do “components” make of each other and the environment?
– E.g., max speed of obstacles or immediate position sensing.
12
![Page 13: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/13.jpg)
Exposing Architecture
13
Component: robot
Component: obstacle
Connector: robot senses obstacle immediately and precisely
Robot’s property: control algorithm
Obstacle’s property: control algorithm
Robot’s property: physics
Solution: annotations
![Page 14: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/14.jpg)
Approach for Annotations
● For each model operator, unambiguously determine its architectural interpretation if any.
● Allow automatic generation of architectural descriptions for hybrid programs.
● Allow flexibility for the model designer to express architecture
● Redundancy is acceptable.
14
![Page 15: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/15.jpg)
Example: robot collision avoidance
15
Robot Obstacle
• A robot and an obstacle move in a one-dimensional space.• The robot periodically senses the surrounding and may decide to accelerate or brake. • The robot knows the bounds and senses the obstacle’s location.• The obstacle is assumed to have maximum speed.
Safety property: robot does not collide with the obstacle or the bounds.
![Page 16: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/16.jpg)
Example: model structure
16
Constants declarationsVariables declarationsPreconditions->[
(robot control; obstacle control; {differential equations})*
](Property)
![Page 17: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/17.jpg)
Example: constants
17
\functions{ //a.k.a. constantsR b; /* minimum braking power */R A; /* maximum acceleration */R ep; /* time limit for control decisions */ R V; /* maximum obstacle velocity */R xbmin; /* minimum bound */R xbmax; /* maximum bound */
}
![Page 18: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/18.jpg)
Example: constants
18
\functions{ //a.k.a. constants@component(robot) (R b; /* minimum braking power */R A; /* maximum acceleration */R ep; /* time limit for control decisions */ )
@component(obstacle) (R V; /* maximum obstacle velocity */)
@component(global) (R xbmin; /* minimum bound */R xbmax; /* maximum bound */)
}
![Page 19: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/19.jpg)
Example: variables
19
\programVariables {R xr; /* robot position */R vr; /* robot velocity */R ar; /* robot acceleration */R or; /* robot orientation (1=in direction of space, -
1=opposite) */R xo; /* obstacle position */R vo; /* obstacle velocity */R oo; /* obstacle orientation */R t; /* time */
}
![Page 20: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/20.jpg)
Example: variables
20
\programVariables {@component(robot) (R xr; /* robot position */R vr; /* robot velocity */R ar; /* robot acceleration */R or; /* robot orientation (1=in direction of space, -
1=opposite) */)@component(obstacle) (R xo; /* obstacle position */R vo; /* obstacle velocity */R oo; /* obstacle orientation */)@component(global) (R t; /* time */)
}
![Page 21: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/21.jpg)
Example: robot control
21
\programVariables {// … preconditions: robot is inside the bounds, obstacle is far enough away, sensing period and other constants are positive-> \[ (
(ar := -b)/* braking is allowed */++ (
? pred1 /* far enough from maximum bound of navigation space */
& pred2 /* far enough from minimum bound of navigation space */
& pred3 ; /* far enough from the obstacle*/ar := *;?-b <= ar & ar <= A /*accelerate*/
)++ (?vr = 0; ar := 0; or := *; ?or^2 = 1); /* change
direction if stopped*/// ...
![Page 22: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/22.jpg)
Example: robot control
22
\programVariables {// … preconditions: robot is inside the bounds, obstacle is far enough away, sensing period and other constants are positive-> \[ (
@control(robot)((ar := -b)/* braking is allowed */++ (
? pred1 /* far enough from maximum bound of navigation space */
& pred2 /* far enough from minimum bound of navigation space */& pred3 ; /* far enough from the obstacle; uses
obstacle’s position*/ar := *;?-b <= ar & ar <= A /*accelerate within limits*/
)++ (?vr = 0; ar := 0; or := *; ?or^2 = 1); /* change direction
if stopped*/)
//…
![Page 23: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/23.jpg)
Example: continuous evolution
23
{xr' = or*vr, vr' = ar, xo' = oo*vo, t' = 1, /* evolution domain: */vr >= 0, t <= ep, vo >= 0
}
![Page 24: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/24.jpg)
Example: continuous evolution
24
{@physics(robot) (
xr' = or*vr, vr' = ar,
)
@physics(obstacle)(xo' = oo*vo,
)
@physics(global)(t' = 1,
)/* evolution domain: */vr >= 0, t <= ep, vo >= 0
}
![Page 25: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/25.jpg)
Architectural Annotations Summary
● @component(NAME) – introduces a component and associates variables and constants with it.
● @control(NAME) – designates a block of operators/equations as a component’s control block.
– Reads of other components’ variables are interpreted as sensing connectors. Assignments are actuation connectors.
● @physics(NAME) – designates a block of operators/equations as a component’s physics block.
– Reads and assignments of other components’ variables are interpreted as physical interaction connectors.
● global – designates variables/operators as shared variables describing the environment.
– Global variables can ready anywhere, but only be assigned in global physics or control blocks.
25
![Page 26: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/26.jpg)
Behavior Categories
26
Discrete behavior: state changes, algorithms
Continuous behavior: physical processes, analog devices
Control behavior: component’s sensing, planning, and actuation
E.g., a decision to accelerate or brake
E.g., a PID controller
Physics: environment, “rules of the game”
E.g., an elastic collision E.g., movement or an inelastic collision
Architecturalannotations
Hybrid program
![Page 27: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/27.jpg)
Further work
● Causality/directionality of physics connectors.
● Component refinement.
● Flexible syntax for multi-component interaction.
27
![Page 28: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/28.jpg)
Summary
● Hybrid programs are convenient for specification and proving for hybrid systems.
– However, HPs do not expose architectural knowledge.
● Architectural annotations expose architecture to:
– Relate to other models of the system for consistency checking and simulation.
– Assist verification with extra information.
28
![Page 29: Exposing Architecture in Hybrid Programs](https://reader034.vdocument.in/reader034/viewer/2022052623/559c55c61a28ab9e1c8b473b/html5/thumbnails/29.jpg)
References
● A. Platzer, “Logic and Compositional Verification of Hybrid Systems,” in proceedings of LICS’12.
● S. Mitsch, A. Platzer, “Modeling and Verification of Hybrid Systems with Sphinx and KeYmaera,” in proceedings of HSCC’13.
● A. Rajhans, “Multi-Model Heterogeneous Verification of Cyber-Physical Systems,” PhD Thesis, Carnegie Mellon University, 2013.
● A. Bhave, “Multi-View Consistency in Architectures for Cyber-Physical Systems,” PhD Thesis, Carnegie Mellon University, 2011.
29