Symbolic Control. From discrete synthesis to certified continuous controllers. Antoine Girard

Size: px

Start display at page:

Download "Symbolic Control. From discrete synthesis to certified continuous controllers. Antoine Girard"

Bertram Summers
5 years ago
Views:

1 Symbolic Control From discrete synthesis to certified continuous controllers Antoine Girard CNRS, Laboratoire des Signaux et Systèmes Gif-sur-Yvette, France Journées de l Automatique du GdR MACS Nantes, November 16, 2018 A. Girard (CNRS, L2S) Symbolic Control 1 / 40

Cyber-physical systems Cyber-physical systems (CPS) consist of physical entities enhanced

Design of reliable CPS is challenging, time consuming and costly: Innovative approaches to

and computation must be developed for rapid design and deployment of CPS.

2 Cyber-physical systems Cyber-physical systems (CPS) consist of physical entities enhanced with computation and communication capabilities, used for monitoring and control purpose. Design of reliable CPS is challenging, time consuming and costly: Innovative approaches to abstraction and architectures that enable seamless integration of control, communication, and computation must be developed for rapid design and deployment of CPS. Baheti & Gill, Cyber-physical systems, The impact of control technology, 2011 A. Girard (CNRS, L2S) Symbolic Control 2 / 40

3 Programmable CPS A programmable CPS should consist of: A high-level language enabling the specification of the CPS behavior while abstracting computational and physical details; An automated synthesis tool, based on a model (including description of physical system), generating from a high-level program, controllers enforcing the specified behavior. We aim at giving strong guarantees on the synthesized controllers: Correct by construction design through formal controller synthesis techniques. Rapid and dependable development/evolution of advanced functions of a CPS. A. Girard (CNRS, L2S) Symbolic Control 3 / 40

4 Example - vehicle platoon High level program Model based automatic synthesis { ẋi = v i v i = f i (v i, u i ), i = 1, 2. CbC controller { u1 =... u 2 =... Controller not existing/found A. Girard (CNRS, L2S) Symbolic Control 4 / 40

5 Formal synthesis using symbolic control Model-based synthesis for CPS from high-level behavioral specifications: CPS Physical system Controller Continuous to discrete abstraction Discrete to continuous interface Symbolic model Discrete controller synthesis Symbolic controller High-level specs Unrealizable specs A. Girard (CNRS, L2S) Symbolic Control 5 / 40

6 Outline of the talk 1 Brief overview of symbolic control Symbolic control architecture System abstraction and interface High-level specifications and synthesis 2 Compositional synthesis of symbolic controllers Assume-guarantee contracts Overlapping abstractions 3 Quantitative synthesis of symbolic controllers Quantitative safety, reachability and stability A. Girard (CNRS, L2S) Symbolic Control 6 / 40

7 Symbolic control architecture u Physical I/O v/y Physical system ẋ = f(x, u, v) y = h(x) x A. Girard (CNRS, L2S) Symbolic Control 7 / 40

8 Symbolic control architecture Physical I/O v/y b a 5, b 5 q 1 Symbolic model a 1, b 1 u q 2 a 2, b 2 a 4, b 4 q a a 3, b 3 q 3 Physical system ẋ = f(x, u, v) y = h(x) x Symbolic model: Finite abstraction of the physical system dynamics Based on a formal abstraction relation A. Girard (CNRS, L2S) Symbolic Control 7 / 40

9 Symbolic control architecture Physical I/O v/y b a 5, b 5 q 1 Symbolic model a 1, b 1 a 2, b 2 a 4, b 4 q a q 2 Interface u a 3, b 3 q 3 Physical system ẋ = f(x, u, v) y = h(x) x Interface: Low-level controller implementing the formal abstraction relation between the two models Makes the physical system and the symbolic model behave similarly A. Girard (CNRS, L2S) Symbolic Control 7 / 40

10 Symbolic control architecture Digital I/O α/β b Physical I/O v/y Symbolic controller a 5, b 5 q 1 Symbolic model a 1, b 1 q 2 a 2, b 2 a 4, b 4 q a Interface u a 3, b 3 q 3 Physical system ẋ = f(x, u, v) y = h(x) x Symbolic controller: High-level controller implementing the advanced functions of the CPS Automatic synthesis from high-level specifications, based on the symbolic model A. Girard (CNRS, L2S) Symbolic Control 7 / 40

11 System abstraction Physical system P: x + F (x, u), x X, u U Symbolic model S: q + T (q, a), q Q, a A Finite partition (or cover) (X q ) q Q of the state space X Finite subset A of the input set U Over-approximation of the dynamics by reachability analysis (u = a) A. Girard (CNRS, L2S) Symbolic Control 8 / 40

12 System abstraction Physical system P: x + F (x, u), x X, u U Symbolic model S: q + T (q, a), q Q, a A x q Feedback may reduce non-determinism: e.g. u = µ(a, x, q) = a + K(x x q ) A. Girard (CNRS, L2S) Symbolic Control 9 / 40

13 Formal abstraction relation Simulation, bisimulation relations [Park 81, Milner 89], their approximate and alternating versions [Girard & Pappas 07, Pola & Tabuada 09] Given a distance d between physical and symbolic states: e.g. d(x, q) = x x q Definition Let ε > 0, the relation R = {(x, q) x X q } is an alternating ε-approximate simulation relation if for all (x, q) R: d(x, q) ε, a A, u U, x + F (x, u), q + T (q, a), s.t. (x +, q + ) R. Interface: { u = µ(a, x, q) q + T (q, a) R(x + ) A. Girard (CNRS, L2S) Symbolic Control 10 / 40

14 Control refinement through the interface b Symbolic controller Symbolic model q { Interface u = µ(a, x, q) b = R(x + ) u Physical system x + F (x, u) x a q + T (q, a) b Behavioral similarity: Theorem For all symbolic input sequences a(.), (x(0), q(0)) R = d(x(k), q(k)) ε, k N. A. Girard (CNRS, L2S) Symbolic Control 11 / 40

15 Related work Symbolic dynamics [Hadamard 1898, Morse & Hedlund ] Partition-based approaches finite bisimulations [Alur & Dill 1994, Lafferriere et al. 2000, Tabuada & Pappas ] finite abstractions: early works [Lunze 1994, Raisch & O Young 1998, Koutsoukos et al ], and more recently [Yordanov & Belta 2010, Reissig 2011, Liu & Ozay 2016, Coogan & Arcak 2017, Reissig et al ] with feedback [Caines & Wei 1998, Habets et al. 2006, Belta & Habets 2006, Girard & Martin ] Lyapunov-based approaches [Tabuada 2008, Pola et al. 2008, Girard et al. 2010, Zamani et al ] Continuous abstractions [Girard & Pappas 2009, Fainekos et al. 2009, Ames et al ] A. Girard (CNRS, L2S) Symbolic Control 12 / 40

16 Specifications - safety and reachability Symbolic model S: q + T (q, a), q Q, a A, q 0 Q 0 Symbolic controller: a = C(q) Symbolic controller a = C(q) a Symbolic model q + T (q, a) q Definition Given a safe set Q s Q, C is a safety controller if: k N, q k Q s. Given a target set Q t Q, C is a reachability controller if: k N, q k Q t. A. Girard (CNRS, L2S) Symbolic Control 13 / 40

17 Synthesis - safety and reachability Controllable predecessors of a subset P Q: Pre(P) = {q Q a A, T (q, a) P}. Safety synthesis P 0 = Q loop P k+1 = Q s Pre(P k ) until P k+1 = P k Reachability synthesis P 0 = loop P k+1 = Q t Pre(P k ) until P k+1 = P k Synthesis through greatest and least fixed point computation Termination guaranteed by finiteness of Q A. Girard (CNRS, L2S) Symbolic Control 14 / 40

18 Stability and recurrence Q t Q t Definition Given a target set Q t Q C is a stability controller if: j N, k j, q k Q t. C is a recurrence controller if: j N, k j, q k Q t. Synthesis through nested greatest and least fixed point computation Termination guaranteed by finiteness of Q A. Girard (CNRS, L2S) Symbolic Control 15 / 40

19 Automata-based specifications x G 31 m 3 : x I 3 m 1 : x I 1 x G 21 x G 12 m 2 : x I 2 Hybrid automata semantics Compute the product of symbolic model and automaton Specifications and controllers defined on the product space: safety, reachability... stability and... recurrence = Linear Temporal Logic (LTL) x G 23 A. Girard (CNRS, L2S) Symbolic Control 16 / 40

20 Outline of the talk 1 Brief overview of symbolic control Symbolic control architecture System abstraction and interface High-level specifications and synthesis 2 Compositional synthesis of symbolic controllers Assume-guarantee contracts Overlapping abstractions 3 Quantitative synthesis of symbolic controllers Quantitative safety, reachability and stability A. Girard (CNRS, L2S) Symbolic Control 17 / 40

21 Towards scalable symbolic control Symbolic control suffers from scalability issues (partition of the state-space, discretization of input set): Intermediate lower-dimensional continuous abstractions [Girard & Pappas 2009, Fainekos et al. 2009, Ames et al. 2017] Efficient abstraction techniques Optimal abstraction parameters [Weber et al. 2017, Saoud & Girard 2017] On-the-fly abstraction [Rungger & Stursberg 2012, Pola et al. 2012, Girard et al. 2017] Input-based abstraction [Le Corronc et al 2013, Zamani et. al 2015] Compositional and structure-guided abstraction [Tazaki & Imura 2008, Reissig 2010, Rungger and Zamani 2015, Hussien et al. 2017, Gruber et al. 2017] Compositional synthesis [Dallal & Tabuada 2015, Kim et al. 2015, Meyer et al 2018] A. Girard (CNRS, L2S) Symbolic Control 18 / 40

22 Component-based design of systems Interconnected systems: u 1 u 2 S 1 S 2 Subsystem S i : x + i F i (x i, x Mi, u i ) x i X i, u i U i x Mi = (x 1,..., x i 1, x i+1,..., x m ) Distributed controllers: u i = C i (x i, x Mi ) u 4 S 4 S 3 u 3 Safety specifications: k N, x i (k) X s i Component-based design: Synthesize distributed controllers locally Objective: improve scalability and modularity A. Girard (CNRS, L2S) Symbolic Control 19 / 40

23 Assume-guarantee contracts AG contracts: properties that a component (subsystem + controller) must guarantee under assumptions on the behavior of its environment (other components). AG contract for component i: { Assumption: k = 0,..., j, xmi (k) XM s i Guarantee: k = 0,..., j + 1, x i (k) Xi s where X s M i = X s 1 X s i 1 X s i+1 X s m. Theorem If all components satisfy their AG contract, then: k N, x i (k) X s i, i = 1,..., m. A. Girard (CNRS, L2S) Symbolic Control 20 / 40

24 Assume-guarantee synthesis Local synthesis (at the level of components) of controllers achieving AG contract satisfaction Fully decentralized control: u 1 u 2 S 1 S 2 System abstraction from component i (assumption): { x + i F i (x i, X s M i, u i ) x i X i, u i U i Controller C i : u i = C i (x i ) u 4 S 4 S 3 u 3 Specification (guarantee): k N, x i (k) X s i A. Girard (CNRS, L2S) Symbolic Control 21 / 40

25 Assume-guarantee synthesis Safety synthesis using symbolic control techniques Advantages: Reduced dimension (both state and input) = Scalability Independence between components = Modularity Drawbacks: No information about other components (state, dynamics) = Conservatism Compromise between scalability/modularity and conservatism: Include partial description of environment for AG synthesis = Overlapping abstractions and partially decentralized controllers A. Girard (CNRS, L2S) Symbolic Control 22 / 40

26 Overlapping abstractions Partially decentralized control: u 1 u 2 S 1 S 2 u 4 u 3 S 4 S 3 System abstraction from component i (assumption): x + i F i (x i, x Ni, XP s i, u i ) x + N i F Ni (x i, x Ni, XP s i, U Ni ) x i X i, x Ni X Ni, u i U i Controller C i : u i = C i (x i, x Ni ) Specification (AG contract): k = 0,..., j, x Ni (k) X s N i = k = 0,..., j + 1, x i (k) X s i A. Girard (CNRS, L2S) Symbolic Control 23 / 40

27 Synthesis with overlapping abstractions Subtlety AG contract can be satisfied by: enforcing the guarantee, or... falsifying the assumption reformulation as a safety synthesis problem x Ni X s Ni X s i x i A. Girard (CNRS, L2S) Symbolic Control 24 / 40

28 Example - temperature regulation 4-room building: u 1 u 2 T 1 T 2 T 4 T 3 u 4 u 3 T + = AT + Bu + c Symbolic control synthesis: Centralized (C) approach Fully decentralized (FD) approach A room is a component No information from other rooms Partially decentralized (PD) approach A room is a component Information about neighboring rooms Meyer, Girard & Witrant, IEEE TAC, A. Girard (CNRS, L2S) Symbolic Control 25 / 40

Example - temperature regulation state symbols (#) controllable states (%) CPU times (s) C FD PD C FD PD 625 (= 5 4 ) 84 0 0 5.49 0.07 0.

29 Example - temperature regulation state symbols (#) controllable states (%) CPU times (s) C FD PD C FD PD 625 (= 5 4 ) (= 10 4 ) (= 20 4 ) Controllable states for room 4 A. Girard (CNRS, L2S) Symbolic Control 26 / 40

30 Outline of the talk 1 Brief overview of symbolic control Symbolic control architecture System abstraction and interface High-level specifications and synthesis 2 Compositional synthesis of symbolic controllers Assume-guarantee contracts Overlapping abstractions 3 Quantitative synthesis of symbolic controllers Quantitative safety, reachability and stability A. Girard (CNRS, L2S) Symbolic Control 27 / 40

31 Towards robust symbolic control Specifications in symbolic control are typically qualitative = hard to reason on robustness! Robustness margins using symbolic models with additional non-determinism (bounded disturbances) [Pola & Tabuada 2009, Liu & Ozay 2014] Quantitative semantics of specifications [Fainekos & Pappas 2009, Donzé & Maler 2010] Input-output stability [Tabuada et al. 2014] Model predictive control [Sadraddini & Belta 2015, Raman et al. 2014] Optimal control [Grüne & Junge 2007, Mazo & Tabuada 2011, Girard 2012, Reissig & Rungger 2017] A. Girard (CNRS, L2S) Symbolic Control 28 / 40

32 Quantitative approach to safety and reachability Safety Reachability Q s Q t Signed distance: { sup{δ 0 B d(q, P) = δ (q) P } sup{δ 0 B δ (q) P} if q / P if q P P q 1 q 2 A. Girard (CNRS, L2S) Symbolic Control 29 / 40

33 Quantitative safety synthesis Optimal control formulation: Quantitative safety synthesis Minimize sup d(q k, Q s ) k N V 0 (q) = loop ( V k+1 (q) = max d(q, Q s ), min a A ) max V k(q ) q T (q,a) Q s until V k+1 = V k Termination guaranteed by finiteness of Q Extension of the fixed point computation for qualitative synthesis A. Girard (CNRS, L2S) Symbolic Control 30 / 40

34 Quantitative safety synthesis Theorem For all δ R, the level set P δ = {q Q V (q) δ} is the maximal safety controllable set for B δ (Q s ). Moreover, there exists a controller C such that k N, d(q k, Q s ) V (q 0 ). The fixed point of the qualitative approach is given by P 0 Computation of a parameterized family of safety controllable sets P δ Common safety controller for all the family A. Girard (CNRS, L2S) Symbolic Control 31 / 40

35 Quantitative reachability synthesis Optimal control formulation: Quantitative reachability synthesis Minimize inf k N d(q k, Q t ) V 0 (q) = + loop ( V k+1 (q) = min d(q, Q t ), min a A ) max V k(q ) q T (q,a) Q t until V k+1 = V k Termination guaranteed by finiteness of Q Extension of the fixed point computation for qualitative synthesis A. Girard (CNRS, L2S) Symbolic Control 32 / 40

36 Quantitative reachability synthesis Theorem For all δ R, the level set P δ = {q Q V (q) δ} is the maximal reachability controllable set for B δ (Q t ). Moreover, there exists a controller C such that k N, d(q k, Q t ) V (q 0 ). The fixed point of the qualitative approach is given by P 0 Computation of a parameterized family of reachability controllable sets P δ Common reachability controller for all the family A. Girard (CNRS, L2S) Symbolic Control 33 / 40

37 Qualitative stability synthesis Stability as reachability then safety Quantitative stability synthesis V 0(q) = loop ( V k+1 (q) = max d(q, Q t), min a A until V k+1 = V k V (q) = V k (q), W 0(q) = + loop ( W k+1 (q) = min V (q), min a A until W k+1 = W k max q T (q,a) max q T (q,a) ) V k (q ) ) W k (q ) Termination guaranteed by finiteness of Q Computation of a parameterized family of stability controllable sets with a common controller Theorem There exists a controller C such that j N, k j, d(q k, Q t ) W (q 0 ). A. Girard (CNRS, L2S) Symbolic Control 34 / 40

38 Example - DC/DC converter Model: ẋ = A p x + b p, p {1, 2} Safety specification: Q s = [1.1, 1.6] [5.4, 5.9] Quantitative safety (left: value function, right: trajectory) Eqtami & Girard, ADHS 2018 A. Girard (CNRS, L2S) Symbolic Control 35 / 40

39 Example - DC/DC converter Model: ẋ = A p x + b p, p {1, 2} Reachability specification: Q t = [1.1, 1.6] [5.4, 5.9] Quantitative reachability (left: value function, right: trajectory) A. Girard (CNRS, L2S) Symbolic Control 36 / 40

40 Example - DC/DC converter Model: ẋ = A p x + b p, p {1, 2} Stability specification: Q t = [1.1, 1.6] [5.4, 5.9] Quantitative stability (left: value function, right: trajectory) A. Girard (CNRS, L2S) Symbolic Control 37 / 40

41 Conclusion Symbolic control is a very rich and lively area at the interface between automatic control and computer science It is a rigorous computational approach to controller design from high level specifications, applicable to broad classes of systems Challenging problems include: Scalability and modularity (systems and specifications) Robustness (unmodeled disturbances) and adaptation (uncertain / time-varying parameters) A. Girard (CNRS, L2S) Symbolic Control 38 / 40

International Graduate School on Control www.

eu Independent Graduate Modules one 21 hours

registration: - to the modules M01 to M09:

42 International Graduate School on Control Independent Graduate Modules one 21 hours module per week (3 ECTS) Deadline for advance registration: - to the modules M01 to M09: 31/12/ to the modules M10 to M27: 28/02/2019 A. Girard (CNRS, L2S) Symbolic Control 39 / 40

43 Many thanks to Students & postdocs: Pierre-Jean Meyer Adnane Saoud Alina Eqtami Vladimir Sinyakov Zohra Kader Elena Ivanova Daniele Zonetti Euriell Le Corronc Sebti Mouelhi Javier Camara Collaborators: Laurent Fribourg Gregor Gössler Majid Zamani Paulo Tabuada Giordano Pola George Pappas A. Girard (CNRS, L2S) Symbolic Control 40 / 40

Symbolic Control of Incrementally Stable Systems

Symbolic Control of Incrementally Stable Systems Antoine Girard Laboratoire Jean Kuntzmann, Université Joseph Fourier Grenoble, France Workshop on Formal Verification of Embedded Control Systems LCCC,