Formal Model Based Design of Control Software

Formal Model Based Design of Control Software
Vadim Alimguzhin
Computer Science Department
Sapienza University of Rome
Ph.D. Thesis
Thesis Committee Reviewers
Prof. Enrico Tronci (advisor) Prof. Gennady Kulikov
Prof. Igor Melatti Prof. Ganesh Gopalakrishnan
Prof. Naﬁsa Yusupova Prof. Tiziano Villa

Acknowledgement
This work has been partially supported by Erasmus Mundus
MULTIC scholarship from the European Commission
(EMA 2 MULTIC 10-837).

Published papers
2012
V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.
Automatic control software synthesis for quantized discrete time hybrid systems.
In Proceedings of the 51th IEEE Conference on Decision and Control, CDC 2012, pages 6120–6125. IEEE,
2012.
On model based synthesis of embedded control software.
In Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2012, pages
227–236. ACM, 2012.
2013
A map-reduce parallel approach to automatic synthesis of control software.
In Proc. of International SPIN Symposium on Model Checking of Software (SPIN 2013), volume 7976 of
Lecture Notes in Computer Science, pages 43–60. Springer - Verlag, 2013.
On-the-fly control software synthesis.

Outline
Model Based Control Sofware Design
Nonlinear Systems
Parallel Approach
Small Size Controller Synthesis
On-The-Fly Synthesis
Future Work

Model Based Design Nonlinear Systems Parallel Small Size Controllers On-The-Fly Future
Embedded Systems
Formal Model Based Design of Control Software Vadim Alimguzhin

Software bugs are dangerous
Spanair Flight JK 5022, 20 August 2008
Investigations
The software that should have
prevented the crash failed to do so.
We need to synthesize correct-by-construction software for
embedded systems.

Model Based Control Software Design
Input (H, I, G, A/D + D/A)
◮ DTLHS H, initial region I, goal region G
(linear constraints)
◮ conversion A/D and D/A
Output Feedback Controller K
1. mathematical function K s.t.
◮ (K, H) eventually reaches G
◮ K has known controllable region
◮ K is robust w.r.t. parameters variations
2. C implementation of K s.t.
◮ guaranteed WCET ≤ Sampling Time T
K HD/A
A/D
Problem is undecidable [ICTAC, 2012].
[ICTAC, 2012] Federico Mari, Igor Melatti, Ivano Salvo and Enrico Tronci.
Undecidability of Quantized State Feedback Control for Discrete Time Linear Hybrid
Systems.
In Proc. of the International Colloquium on Theoretical Aspects of Computing, ICTAC, volume 7521 of
LNCS, pages 243–258. Springer-Verlag Berlin Heidelberg, 2012.

Our Solution
http://mclab.di.uniroma1.it/software qks.html
Algorithm and Tool QKS [TOSEM, 2013]
(H, I, G,
ADDA)
QKS
K +
controlled
region D
Sol
DI NoSol
no solution exists
Unknown
Unknown stems from undecidability of the problem [ICTAC, 2012].
[TOSEM, 2013] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci.
Model based synthesis of control software from system level formal specifications.
ACM Trans. on Soft. Eng. and Meth., To appear, 2013.
[ICTAC, 2012] Federico Mari, Igor Melatti, Ivano Salvo and Enrico Tronci.
Undecidability of Quantized State Feedback Control for Discrete Time Linear Hybrid
Systems.
In Proc. of the International Colloquium on Theoretical Aspects of Computing, ICTAC, volume 7521 of
LNCS, pages 243–258. Springer-Verlag Berlin Heidelberg, 2012.

QKS Flow
Step 1: Control Abstraction
Computation
Finite LTS Control Problem
Step 2: Symbolic Strong
Controller Synthesis
Most General Optimal
Controller
Step 3: C Code Generation
from OBDD
Control Software
Specifications
Plant Model
(DTLHS)
Implementation Specification
(Quantization Schema)
System Level Formal Specification
(Liveness and Safety)

Nonlinear Hybrid Systems
Problem
◮ QKS can deal only with linear hybrid systems.
◮ Dynamics of many interesting hybrid systems cannot be directly modelled
by linear constraints.
Solution
=⇒ Overapproximate nonlinear DTHS with DTLHS, s.t. controllers for
DTLHS are also controllers for DTHS [CDC, 2012].
[CDC, 2012] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.
Automatic control software synthesis for quantized discrete time hybrid systems.
In Proceedings of the 51th IEEE Conference on Decision and Control, CDC 2012, pages 6120–6125. IEEE,
2012.

Parallel Approach
Problem
◮ Interesting systems have lots of continuous variables.
◮ The higher the number of bits – the better non-functional speciﬁcations
(setup time and ripple).
◮ Control abstraction computation (99% of computation time): exponential
number of MILP problems w.r.t. number of bits.
Solution
=⇒ Use a parallel approach to compute control abstraction [SPIN, 2013a].
[SPIN, 2013a] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.
A map-reduce parallel approach to automatic synthesis of control software.

Small Size Controller Synthesis
Problem
◮ Embedded systems have limited memory resources.
◮ Time optimal controller code generated by QKS may be too large to be
put on the microcontroller.
Solution
=⇒ Reduce code footprint possibly at the cost of having suboptimal setup
time and ripple [EMSOFT, 2012].
[EMSOFT, 2012] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.
On model based synthesis of embedded control software.
In Proceedings of the 12th International Conference on Embedded Software, EMSOFT 2012, pages
227–236. ACM, 2012.

On-The-Fly Synthesis
Problem
◮ Design space exploration: ﬁnd suitable choice for design parameters
(number of bits for AD conversion b and sampling time T).
◮ For many choices of b and T there is no solution for the synthesis
problem.
◮ QKS takes the same time when it ﬁnds solution and when not.
Solution
=⇒ On-The-Fly synthesis algorithm, that detects as soon as possible when a
solution cannot be found [SPIN, 2013b].
[SPIN, 2013b] V. Alimguzhin, F. Mari, I. Melatti, I. Salvo and E. Tronci.
On-the-fly control software synthesis.

Overapproximation of DTHS
f (x)

f (x)
f +
(x)
f −
(x)

f (x)
f +
(x)
f −
(x)
Overapproximation has more behavior than original system.

f (x)
I1 I2 I3 I4

f (x)
I1 I2 I3 I4
f −
1 (x)
f +
1 (x)
f −
2 (x)
f +
2 (x)
f −
3 (x)
f +
3 (x)
f −
4 (x)
f +
4 (x)

Inverted Pendulum as a DTHS
¨θ = g
l
sinθ + 1
ml2 uF
x′
1 = x1 + Tx2
x′
2 = x2 + T g
l
sinx1 + T 1
ml2 uF
State variables:
◮ x1: angle (θ)
◮ x2: angular speed ( ˙θ)
Action variables:
◮ u: torquing force direction
Parameters:
◮ F: torquing force value
◮ T: sampling time
◮ l: length
◮ m: mass
θ
u

Underactuated Inverted Pendulum (F = 0.5)
Trajectories (9 and 10 bits)
-1
0
1
2
3
4
5
6
7
0 2 4 6 8 10 12 14
time in seconds
angle [x1] 10 bits
angle [x1] 9 bits

Underactuated Inverted Pendulum (F = 0.5)
Ripple (10 bits)
-0.102
-0.1
-0.098
-0.096
-0.094
-0.092
-0.09
-0.088
-0.086
-0.084
20 30 40 50 60 70 80 90 100
time in seconds

Strongly Underactuated Inverted Pendulum (F = 0.3)
Trajectories (11 bits)
-15
-10
-5
0
5
10
15
20
25
30
35
0 50 100 150 200 250 300 350
time in seconds
angle [x1]
angular speed [x2]
torque [u]

Overactuated Inverted Pendulum (F = 2)
Trajectories in phases space (11 bits)
-1.8
-1.6
-1.4
-1.2
-1
-0.8
-0.6
-0.4
-0.2
0
0.2
0 0.5 1 1.5 2 2.5 3
angularspeed[x2]
angle [x1]
π/4
π/2
3/4 π
3

Parallel Control Software Synthesis Flow
Step 1: Parallel Control
Abstraction Computation
Step 2: Symbolic Strong
Controller
from OBDD
Control Software
Speciﬁcations
Plant Model
(DTLHS)

Control Abstraction Computation (QKS Step 1)
x1
x2

Control Abstraction Computation (QKS Step 1)
Computation for each cell is independent from others.
=⇒ We can use MapReduce-style parallel aproach.

Parallel Control Abstraction Computation
Example
Number of workers: 3
Number of abstract states: 16 (2 state variables, 2 bits each)
x1
x2

Example
x1
x2
MAP
1 2 3 1
2 3 1 2
3 1 2 3
1 2 3 1
x1
x2

Example
x1
x2
MAP
1 2 3 1
2 3 1 2
3 1 2 3
1 2 3 1
x1
x2
WORK
ˆN1
Worker1
ˆN2
Worker2
ˆN3
Worker3

Example
x1
x2
MAP
1 2 3 1
2 3 1 2
3 1 2 3
1 2 3 1
x1
x2
WORK
ˆN1
Worker1
ˆN2
Worker2
ˆN3
Worker3
REDUCE
x1
x2 ˆN

Implementation Details
◮ Distributed memory model.
◮ Use MPI Barrier to synchronize processes.
◮ Use shared ﬁlesystem to exchange data between processes.

Parallel vs Sequential
Inverted Pendulum: Speedup and Eﬃciency
0
10
20
30
40
50
60
10 20 30 40 50 60
Speedup
Number of processes
9 bits
10 bits
11 bits
Speedup = Sequential Time
Parallel Time
55
60
65
70
75
80
85
90
95
100
10 20 30 40 50 60
Scalingefficiency(%)
Number of processes
9 bits
10 bits
11 bits
Scaling Eﬃciency = Speedup
Number of Processes
100%

Parallel vs Sequential
Inverted Pendulum: Communication time and I/O time
0
5000
10000
15000
20000
25000
10 20 30 40 50 60
Communicationtime(seconds)
Number of processes
9 bits
10 bits
11 bits
0
50
100
150
200
10 20 30 40 50 60
I/Otime(seconds)
Number of processes
9 bits
10 bits
11 bits
Comm Time = Waiting Time + I/O Time

Experiments Details
9 bits, 30 workers 9 bits, 40 workers

Small Size Control Software Synthesis Flow
Step 1: Control Abstraction
Computation
Step 2: Symbolic Small Size
Small Size Controller
from OBDD
Control Software
Speciﬁcations
Plant Model
(DTLHS)

Controller Synthesis (QKS Step 2)
OBDD-based computation of a
controller from a ﬁnite state machine
(control abstraction) [Cimatti, 98]
K
0xb9b1a
0xb9b0x[2]
0xb9afx[1]
0xa4dex[0]
1
[Cimatti, 98] Alessandro Cimatti and Marco Roveri and Paolo Traverso.
Strong planning in non-deterministic domains via model checking.
In AIPS, pp. 36–43, 1998.

Code Generation (QKS Step 3)
From OBDD to C code [IARIA, 2012]:
taking into account node sharing
int K_exists(unsigned char *);
int K_w1(unsigned char *);
int K(unsigned char *x, unsigned char *a)
{
if (! K_exists(x)) return 0;
a[1] = K_w1(x);
return 1;
}
int K_exists(unsigned char *x)
{
int return_bit = 1;
L_924ed61:
return_bit = ! return_bit;
if (x[2] == 1) goto L_92595a0;
else goto L_924ed40;
L_92595a0:
if (x[4] == 1) goto L_92566a0;
else goto L_9259580;
L_92566a0:
if (x[6] == 1) goto L_9254f80;
else goto L_9256660;
[IARIA, 2012] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci.
Synthesizing control software from boolean relations.
Int. J. on Advances in SW, 5(3&4):212–223, 2012.

Example
Finite State Machine A
0 1 2
3start4
0,1
1
0
101
0
0
1

Example
Controllers for A
Most general optimal controller (mgo)
Kmgo
0 1 2
3start4
0,1
1
0
101
0
0
1
Small size controller (sc)
Ksc
0 1 2
3start4
0,1
1
0
101
0
0
1
Try to use always the same action

Example
Controllers OBDDs for A
Kmgo
f
v1x[2]
v2 v3x[1]
v4x[0]
1
Ksc
f
v1x[2]
v2x[1]
v3x[0]
1
Increase sharing
Same height

Example
C Code for Controllers for OBDDs for A
Kmgo
int ctrlLaw(unsigned char *x) {
int act =0;
L_v1: if (x[2]==1) goto L_v3;
else { act = !act;
goto L_v2; }
L_v2: if (x[1]==1) goto L_v4;
else { act = !act;
goto L_v4; }
L_v3: if (x[1]==1) return act;
else goto L_v4;
else { act = !act;
return act; }
}
Ksc
int ctrlLaw(unsigned char *x) {
int act =0;
L_v1: if (x[2]==1) goto L_v2;
else return act;
else goto L_v3;
else { act = !act;
return act; }
}
Reduced code size
Same WCET

Inverted Pendulum: MGO vs Small Size
Pros and Cons
b Kmgo Ksc Ksc
Kmgo Pathmgo Pathsc Pathsc
Pathmgo
8 163 44 27.4% 132.96 234.35 1.76
9 352 92 26.3% 69.64 147.74 2.12
10 752 206 27.5% 59.16 133.70 2.26
|K|: code size in Kilobytes of .o ﬁle after gcc compilation

Setup Time (10 seconds vs 14 seconds)
-2
-1
0
1
2
3
4
5
6
7
0 5 10 15 20
time (seconds)
mgo x1
mgo x2
sc x1
sc x2

Ripple: 0.0001 radiants vs 0.0002 radiants
-0.0946
-0.09455
-0.0945
-0.09445
-0.0944
-0.09435
-0.0943
25 30 35 40
x1
time (seconds)
mgo x1
MGO Controller
6.1719
6.17195
6.172
6.17205
6.1721
6.17215
6.1722
25 30 35 40
x1
time (seconds)
sc x1
Small Size Controller

Enabled Actions
MGO Controller Small Size Controller

On-The-Fly Control Sofware Synthesis Flow
Step 1: On-The-Fly Strong
Controller
from OBDD
Control Software
Speciﬁcations
Plant Model
(DTLHS)

Design Space Exploration Speedup
Inverted Pendulum
b n CPUexh
RAMexh
CPUotf
RAMotf
| ˆK| % Speedup Result
8 10 9.90e+04 1.70e+08 4.58e+02 3.03e+07 1.25e+02 99.54 216.16 FAIL
8 8 4.41e+04 1.68e+08 3.06e+02 3.05e+07 2.06e+02 99.31 144.12 FAIL
8 6 2.28e+04 1.65e+08 2.77e+04 9.12e+07 6.40e+03 -21.49 0.82 PASS
8 4 1.17e+04 1.63e+08 1.47e+04 8.68e+07 7.53e+03 -25.64 0.80 PASS
8 2 4.91e+03 1.63e+08 1.35e+01 2.98e+07 1.63e+02 99.73 363.70 FAIL
8 1 2.69e+03 1.53e+08 4.72e+00 2.98e+07 1.61e+02 99.82 569.92 FAIL
9 10 4.95e+05 2.39e+08 2.70e+03 3.16e+07 1.88e+02 99.45 183.33 FAIL
9 8 2.31e+05 2.31e+08 2.40e+05 2.70e+08 1.08e+04 -3.90 0.96 PASS
9 6 1.20e+05 2.18e+08 1.19e+05 2.71e+08 1.25e+04 0.83 1.01 PASS
9 4 5.66e+04 1.98e+08 5.34e+04 2.50e+08 1.55e+04 5.65 1.06 PASS
9 2 2.18e+04 1.91e+08 2.29e+04 2.43e+08 2.16e+04 -5.05 0.95 PASS
9 1 1.16e+04 1.78e+08 1.97e+01 3.02e+07 2.11e+02 99.83 588.83 FAIL
10 10 3.82e+06 6.08e+08 1.45e+04 3.65e+07 2.87e+02 99.62 263.45 FAIL
10 8 1.71e+06 5.40e+08 6.74e+03 3.83e+07 6.01e+02 99.61 253.71 FAIL
10 6 7.45e+05 4.72e+08 6.67e+05 8.81e+08 2.45e+04 10.47 1.12 PASS
10 4 3.05e+05 4.13e+08 2.77e+05 8.31e+08 2.99e+04 9.18 1.10 PASS
10 2 1.05e+05 3.29e+08 9.96e+04 8.12e+08 4.52e+04 5.14 1.05 PASS
10 1 5.29e+04 2.64e+08 5.09e+04 8.07e+08 6.31e+04 3.78 1.04 PASS
Overall 7.85e+06 6.08e+08 1.60e+06 8.81e+08 79.62 4.91
Samping time T = nτ, where τ is system time step.

Future Work
Methodology
◮ Develop load-balanced parallel algorithm.
◮ Adapt parallel algorithm for the commodity hardware.
◮ Investigate control software synthesis when the state is not
fully observable.
◮ Devise fully symbolic approach.

Future Work
Practical Applications
European projects:
◮ FP7 Call 8 - ICT-8-6.1 (Smart energy grids)
SmartHG (Energy Demand Aware Open Services for Smart
Grid Intelligent Automation)
◮ FP7 Call 9 - ICT-2011.5.2 (Virtual Physiological Human)
PAEON (Model Driven Computation of Treatments for
Infertility Related Endocrinological Diseases)

Formal Model Based Design of Control Software

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (6)

Semelhante a Formal Model Based Design of Control Software

Semelhante a Formal Model Based Design of Control Software (20)

Formal Model Based Design of Control Software