Bridging the Gap between Reactive Synthesis and Supervisory Control

Size: px

Start display at page:

Download "Bridging the Gap between Reactive Synthesis and Supervisory Control"

Roderick Lane
5 years ago
Views:

1 Bridging the Gap between Reactive Synthesis and Supervisory Control Stavros Tripakis University of California, Berkeley Joint work with Ruediger Ehlers (Berkeley, Cornell), Stéphane Lafortune (Michigan) and Moshe Vardi (Rice) ExCAPE PI Meeting June 2013 ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 1 / 26

2 Classic Synthesis Frameworks Reactive synthesis: From declarative specifications (e.g., LTL formulas) to implementations (e.g., Mealy or Moore state machines). On the Synthesis of a Reactive Module [Pnueli-Rosner, POPL 89], but also earlier, e.g., [Church 63]. See Moshe s summer school tutorial for details. Supervisory control: Feedback control for discrete-event systems (DES). Supervisory control of a class of discrete event processes and On the supremal controllable sublanguage of a given language [Ramadge-Wonham, SIAM J. Control Optim. 87]. See Stéphane s textbook for more [Cassandras & Lafortune 08]. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 2 / 26

3 This Work Bridge the gap: how are the two frameworks related in theory? in practice? Bridge the communities. Pedagogical, although results are new to our knowledge. Work in progress. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 3 / 26

4 Agenda Supervisory control. Reactive synthesis. Bridging the gap. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 4 / 26

5 Agenda Supervisory control. Reactive synthesis. Bridging the gap. More details in summer school talk. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 4 / 26

6 SUPERVISORY CONTROL ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 5 / 26

7 Supervisory Control: General Framework Supervisory control problems (in general) Given plant G, synthesize (if possible) supervisor S such that the closed-loop system S/G meets a certain specification. Closed-loop system: Supervisor S S/G: Plant G ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 6 / 26

8 Supervisory Control: General Framework closed-loop system S/G: events Supervisor S disabling actions Plant G Plant generally modeled as discrete event system (DES): regular language, deterministic finite automaton (G). ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 7 / 26

9 Supervisory Control: General Framework closed-loop system S/G: events Supervisor S disabling actions Plant G Plant generally modeled as discrete event system (DES): regular language, deterministic finite automaton (G). Supervisor (S) can disable controllable events. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 7 / 26

10 Supervisory Control: General Framework events disabling Supervisor S actions closed-loop system S/G: Plant G Plant generally modeled as discrete event system (DES): regular language, deterministic finite automaton (G). Supervisor (S) can disable controllable events. Specifications vary, but typically: Safety: all behaviors of the closed-loop system must be in some set of good behaviors. Non-blockingness: supervisor must always allow system to reach an accepting (aka marked ) state. Maximal permissiveness: supervisor must not disable more events than strictly necessary. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 7 / 26

11 Supervisor Synthesis: a basic problem Simple Supervisory Control Problem (SSCP) Given plant G, synthesize (if possible) supervisor S such that: S is non-blocking. S is maximally-permissive, that is, for any other non-blocking supervisor S : L m (S /G) L m (S/G) ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 8 / 26

12 Supervisor Synthesis: a basic problem Simple Supervisory Control Problem (SSCP) Given plant G, synthesize (if possible) supervisor S such that: S is non-blocking. S is maximally-permissive, that is, for any other non-blocking supervisor S : L m (S /G) L m (S/G) We proved: Can reduce the standard supervisory control problem (safety and non-blocking) to SSCP (non-blocking only). ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 8 / 26

13 Supervisor Synthesis: a basic problem Simple Supervisory Control Problem (SSCP) Given plant G, synthesize (if possible) supervisor S such that: S is non-blocking. S is maximally-permissive, that is, for any other non-blocking supervisor S : L m (S /G) L m (S/G) We proved: Can reduce the standard supervisory control problem (safety and non-blocking) to SSCP (non-blocking only). Can show that if a non-blocking supervisor exists, then the maximally-permissive non-blocking supervisor is unique and state-based ( memoryless ). ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 8 / 26

14 Supervisory Control of DES Much more to the story: Partial observability Decentralized, distributed, hierarchical control architectures ω-regular frameworks Supervisory control of DES modeled as Petri nets Not only control: Monitoring, fault diagnosis (partial observation)... Application areas: Automated systems in control engineering: manufacturing, transportation, process control, etc. Recently: Controlling execution of software for avoiding deadlocks in multithreaded programs [Wang et al. POPL 09]. (Cf. summer school lecture of Stéphane.) ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 9 / 26

15 REACTIVE SYNTHESIS ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 10 / 26

16 Reactive Synthesis Reactive Synthesis Problem (RSP) Given LTL formula φ with input/output atomic propositions, synthesize (if possible) a controller M (Moore or Mealy machine) such that all behaviors of M (inputs are uncontrollable) satisfy φ. This is the implementability problem [Pnueli-Rosner POPL 1989]. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 11 / 26

17 RSP Specification: (G: always, X: next) φ := G (c ( Xg XXg XXX(b g) )) ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 12 / 26

18 RSP Specification: (G: always, X: next) φ := G (c ( Xg XXg XXX(b g) )) g Controller interface: c Controller b ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 12 / 26

19 RSP Specification: (G: always, X: next) φ := G (c ( Xg XXg XXX(b g) )) g Controller interface: c Controller b Controller generates a computation tree: all its paths must satisfy φ {g false, b false} {c false} {g false, b false} {c true} {g true, b false} {g false, b false} {g true, b false} {g true, b false} {g true, b false} {g false, {g false, b true} b true} {g false, {g false, b true} b true} ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 12 / 26

20 BRIDGING THE GAP ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 13 / 26

21 Summary: Main Differences Supervisory control has explicit plants reactive synthesis does not. Supervisors are parents controllers are... controllers. Supervisory control asks for maximally-permissive controllers these generally don t exist in reactive synthesis. (Most of) supervisory control theory done in a finite-string setting reactive synthesis is about infinite strings. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 14 / 26

22 Controllers, Plants and Closed-Loop Systems in the Reactive Synthesis Framework inputs Controller outputs ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 15 / 26

23 Controllers, Plants and Closed-Loop Systems in the Reactive Synthesis Framework inputs outputs? Controller? ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 15 / 26

24 Controllers, Plants and Closed-Loop Systems in the Reactive Synthesis Framework inputs Controller outputs Plant (Environment) ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 15 / 26

25 Controllers, Plants and Closed-Loop Systems in the Reactive Synthesis Framework inputs Controller outputs Plant (Environment) How to capture plants in the reactive synthesis framework? ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 15 / 26

26 Capturing Plants in RSP Instead of asking for a controller implementing φ we can ask for a controller implementing φ plant φ where φ plant models the plant. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 16 / 26

27 Capturing Plants in RSP Example: plant never issues two p s in a row φ plant := G(p X p) ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 17 / 26

28 Capturing Plants in RSP Example: plant never issues two p s in a row φ plant := G(p X p) However: Not always natural to capture the plant s behavior: plant typically modeled as an automaton. Inefficient to do so: most synthesis algorithms start by transforming the formula into some automaton form. This typically incurs an exponential blow-up. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 17 / 26

29 Capturing Plants in RSP Example: plant never issues two p s in a row φ plant := G(p X p) However: Not always natural to capture the plant s behavior: plant typically modeled as an automaton. Inefficient to do so: most synthesis algorithms start by transforming the formula into some automaton form. This typically incurs an exponential blow-up. motivation to define a reactive synthesis problem with plants ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 17 / 26

30 Reactive Synthesis with Plants Inspired from [Kupferman et al CONCUR 2000]: Reactive Synthesis Control Problem (RSCP) Given plant P and temporal logic formula φ synthesize (if possible) a strategy f such that the closed-loop system satisfies φ. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 18 / 26

31 Reactive Synthesis with Plants Inspired from [Kupferman et al CONCUR 2000]: Reactive Synthesis Control Problem (RSCP) Given plant P and temporal logic formula φ synthesize (if possible) a strategy f such that the closed-loop system satisfies φ. Plant modeled as a transition system with system states and environment states. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 18 / 26

32 Reactive Synthesis with Plants Inspired from [Kupferman et al CONCUR 2000]: Reactive Synthesis Control Problem (RSCP) Given plant P and temporal logic formula φ synthesize (if possible) a strategy f such that the closed-loop system satisfies φ. Plant modeled as a transition system with system states and environment states. Strategy disables some successors of system states. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 18 / 26

33 Reactive Synthesis with Plants Inspired from [Kupferman et al CONCUR 2000]: Reactive Synthesis Control Problem (RSCP) Given plant P and temporal logic formula φ synthesize (if possible) a strategy f such that the closed-loop system satisfies φ. Plant modeled as a transition system with system states and environment states. Strategy disables some successors of system states. Different versions of the problem depending on the temporal logic used: RSCP-LTL, RSCP-CTL, RSCP-CTL*,... ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 18 / 26

34 Maximal Permissiveness in RSCP Generally no unique maximally-permissive strategy. Example: no unique maximally-permissive strategy to ensure Fp: p p p original plant strategy 1 strategy 2 : system state : environment state ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 19 / 26

35 Maximal Permissiveness in RSCP Generally no unique maximally-permissive strategy. Example: no unique maximally-permissive strategy to ensure Fp: p p p original plant strategy 1 strategy 2 : system state : environment state Many other (non-state-based) strategies. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 19 / 26

36 Maximal Permissiveness in RSCP-CTL Yet for some formulas maximally-permissive strategies always exist: Theorem For any CTL formula φ := AG EF p, where p is a state formula, RSCP admits a unique maximally-permissive state-based strategy enforcing φ (if such a strategy exists). ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 20 / 26

37 Maximal Permissiveness in RSCP-CTL Yet for some formulas maximally-permissive strategies always exist: Theorem For any CTL formula φ := AG EF p, where p is a state formula, RSCP admits a unique maximally-permissive state-based strategy enforcing φ (if such a strategy exists). We therefore define a variant of RSCP-CTL: RSCP-CTL max Given plant P and CTL φ := AG EF p compute (if it exists) the unique maximally-permissive state-based strategy enforcing φ. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 20 / 26

38 Results Relations between different synthesis problems: Section 3.4 Corollary 1 Theorem 5 RSCP-LTL BSCP-NB SSCP RSCP-CTL max RSP special case Section 3.5 supervisory control problems reactive synthesis problems Cf. technical report under preparation. : work in progress ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 21 / 26

39 Results Relations between different synthesis problems: Section 3.4 Corollary 1 Theorem 5 RSCP-LTL BSCP-NB SSCP RSCP-CTL max RSP special case Section 3.5 supervisory control problems reactive synthesis problems Cf. technical report under preparation. : work in progress ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 21 / 26

40 Reducing SSCP to RSCP-CTL max Main idea: DES can be transformed to a transition system. Marked states labeled with atomic proposition acc. Non-blockingness can be expressed in CTL: φ nb := AG EF acc i.e., from any reachable state, there exists a path to an accepting state. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 22 / 26

41 Reducing SSCP to RSCP-CTL max : Example x 1, u x 1 x 1 x 0, c 1 x 3, c 2 x 0 c 1 c 2 x 2 u c 1 c 2 x 3 x0 x0, u x 0, c 2 x 3 x 2 x 3, u x 3, c 1 DES G x 2, u Transition system P G : system state : environment state ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 23 / 26

42 Reducing SSCP to RSCP-CTL max Theorem Let G be a DES plant and P G its transformation. 1. A non-blocking supervisor exists for G iff a strategy enforcing φ nb := AG EF acc exists for P G. 2. Assuming supervisor/strategy exist, there is a 1-1 computable mapping between the unique non-blocking maximally-permissive state-based supervisor for G, and the unique maximally-permissive state-based strategy enforcing φ nb on P G. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 24 / 26

43 Conclusions and Perspectives First (to our knowledge) bridge between the reactive synthesis and DES/supervisory control problems and communities. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 25 / 26

44 Conclusions and Perspectives First (to our knowledge) bridge between the reactive synthesis and DES/supervisory control problems and communities. This work would not have happened without ExCAPE! ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 25 / 26

45 Conclusions and Perspectives First (to our knowledge) bridge between the reactive synthesis and DES/supervisory control problems and communities. This work would not have happened without ExCAPE! Merely scratched the surface; expand bridge to: Partial observability. Modular, decentralized, hierarchical control architectures. Algorithmic procedures. ω-regular supervisory control theory (cf. [Thistle 96]). Supervisory control of Petri nets. ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 25 / 26

46 Bibliography C. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Springer, Boston, MA, 2nd edition, A. Church. Logic, arithmetic and automata. In Proceedings of the International Congress of Mathematics, O. Kupferman, P. Madhusudan, P. S. Thiagarajan, and M. Y. Vardi. Open systems in reactive environments: Control and synthesis. In 11th Intl. Conf. on Concurrency Theory, CONCUR 00, pages Springer, A. Pnueli and R. Rosner. On the synthesis of a reactive module. In ACM Symp. POPL, P. Ramadge and W. Wonham. Supervisory control of a class of discrete event processes. SIAM J. Control Optim., 25(1): , J.G. Thistle. Supervisory control of discrete event systems. Mathl. Comput. Modelling, 23(11/12):25 53, Y. Wang, S. Lafortune, T. Kelly, M. Kudlur, and S. Mahlke. The theory of deadlock avoidance via discrete control. In ACM Symp. POPL, pages , W. Wonham and P. Ramadge. On the supremal controllable sublanguage of a given language. SIAM J. Control Optim., 25(3): , ExCAPE PI Meeting June 2013 Stavros Tripakis (UC Berkeley) Bridging the Gap 26 / 26

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct. EE 244: Fundamental Algorithms for System Modeling, Analysis, and Optimization Fall 2016 Temporal logic Stavros Tripakis University of California, Berkeley Stavros Tripakis (UC Berkeley) EE 244, Fall 2016