HRML: a hybrid relational modelling language. He Jifeng

Similar documents
Unifying Theories of Programming

A Tutorial Introduction to CSP in Unifying Theories of Programming

A Timed Model of Circus with the Reactive Design Miracle

Denotational Semantics of Mobility in Unifying Theories of Programming (UTP)

A UTP Semantics for Communicating Processes with Shared Variables

Circus Time with Reactive Designs

This is an author produced version of Towards a UTP semantics for Modelica.

Embedded Systems Development

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Initial Semantics of Modelica

Towards a Mechanised Denotational Semantics for Modelica

Analysis of a Boost Converter Circuit Using Linear Hybrid Automata

Supervisory Control of Hybrid Systems

Automata-Theoretic Model Checking of Reactive Systems

Control Synthesis of Discrete Manufacturing Systems using Timed Finite Automata

Stéphane Lafortune. August 2006

Verification, Refinement and Scheduling of Real-time Programs

Trace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University

Embedded Systems 2. REVIEW: Actor models. A system is a function that accepts an input signal and yields an output signal.

The algorithmic analysis of hybrid system

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Co-simulation of embedded systems: a PVS-Simulink integrated environment

REAL-TIME control systems usually consist of some

Algebraic Trace Theory

Linking Duration Calculus and TLA

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Formally Correct Monitors for Hybrid Automata. Verimag Research Report n o TR

EDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

PSL Model Checking and Run-time Verification via Testers

Formal Models of Timed Musical Processes Doctoral Defense

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong

Halting and Equivalence of Program Schemes in Models of Arbitrary Theories

Formal Methods in Software Engineering

03 Review of First-Order Logic

Hierarchical Control of Piecewise Linear Hybrid Dynamical Systems Based on Discrete Abstractions Λ

Zone-based Synthesis of Timed Models with Strict Phased Fault Recovery

Abstracting real-valued parameters in parameterised boolean equation systems

Automata-based Verification - III

Communicating Parallel Processes. Stephen Brookes

Algebraic Trace Theory

Reasoning About Imperative Programs. COS 441 Slides 10b

Formal Methods for Probabilistic Systems

Duration Calculus of Weakly Monotonic Time

Modelling Real-Time Systems. Henrik Ejersbo Jensen Aalborg University

Lecture 16: Computation Tree Logic (CTL)

Modeling Synchronous Systems in BIP

Marie Farrell Supervisors: Dr Rosemary Monahan & Dr James Power Principles of Programming Research Group

Lecture 9: DC Implementables II

A Denotational Semantic Theory of Concurrent Systems

Spiking Neural P Systems with Anti-Spikes as Transducers

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

An Alternative Construction in Symbolic Reachability Analysis of Second Order Pushdown Systems

Discrete Mathematics Review

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Modeling and Verifying a Temperature Control System using Continuous Action Systems

The AADL behavior annex - experiments and roadmap

Automatic Generation of Safe Handlers for Multi-Task Systems

Timo Latvala. February 4, 2004

The Journal of Logic and Algebraic Programming

{},{a},{a,c} {},{c} {c,d}

Synchronous Sequential Circuit

Mechanising the Alphabetised Relational Calculus

Automata-based Verification - III

Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Denotational Semantics for a Probabilistic Timed Shared-Variable Language

Real-Time Reactive System - CCS with Time Delays

BASIC MATHEMATICAL TECHNIQUES

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

THE LANGUAGE OF FIRST-ORDER LOGIC (FOL) Sec2 Sec1(1-16)

First Steps Towards a CPU Made of Spiking Neural P Systems

COP4020 Programming Languages. Introduction to Axiomatic Semantics Prof. Robert van Engelen

5. The Logical Framework

Formal Semantics for Grafcet Controlled Systems 1 Introduction 2 Grafcet

COMP2111 Glossary. Kai Engelhardt. Contents. 1 Symbols. 1 Symbols 1. 2 Hoare Logic 3. 3 Refinement Calculus 5. rational numbers Q, real numbers R.

An introduction to Uppaal and Timed Automata MVP5 1

From CCS to Hybrid π via baby steps. Bill Rounds CSE, U of Michigan

Course Runtime Verification

T Reactive Systems: Temporal Logic LTL

Logic Model Checking

A Weak Bisimulation for Weighted Automata

Notes. Corneliu Popeea. May 3, 2013

Timed Automata VINO 2011

Lecture 05: Duration Calculus III

CIS (More Propositional Calculus - 6 points)

The State Explosion Problem

Hoare Calculus and Predicate Transformers

Propositional Logic. What is discrete math? Tautology, equivalence, and inference. Applications

From Sequential Circuits to Real Computers

arxiv: v2 [cs.lo] 8 Feb 2018

Projections: A Technique for Verifying Real-Time Programs in Duration Calculus

DISTINGUING NON-DETERMINISTIC TIMED FINITE STATE MACHINES

Simulation of Spiking Neural P Systems using Pnet Lab

Logic Synthesis and Verification

The Quasi-Synchronous Approach to Distributed Control Systems

How do PLC look like? What s special about PLC? What is a PLC? /50 2/50 5/50 6/50 3/ Splc main

Controller Synthesis with UPPAAL-TIGA. Alexandre David Kim G. Larsen, Didier Lime, Franck Cassez, Jean-François Raskin

Formal Techniques for Software Engineering: CCS: A Calculus for Communicating Systems

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

Transcription:

HRML: a hybrid relational modelling language He Jifeng

Hybrid Systems Systems are composed by continuous physical component and discrete control component The system state evoles over time according to interacting law of discrete and continuous dynamics. For discrete dynamics, it changes state instantaneously and discontinuously. During continuous transitions, its state is a continuous function of continuous time and varies according to a differential equation. Modelers mix discrete time reactive systems with continuous time ones.

Key issues (1) to invent formal modeling techniques for hybrid systems using which one can easily model discrete and continuous behaviours. These techniques should also compositional and hierarchical and enable the user to uniformly model a complex system at different levels. (2) to develop formal analysis, verification and synthesis techniques to support the architecture model of hybrid systems, and guarantee the correctness of refinement and combination of subsystem models, thus solving the constructivity problem of complex systems.

History Simulink: Explicit model made of ODEs Modelica: Implicit model made of DAEs Hybrid automata (Alur, Henzinger,Tavermini) Phase transition system (Maler), Declarative control (Kohn), Extended state-transition system (Zhou) Hybrid action systems (Rönkkö) Differential Dynamic Logic (Platzer)

Modelling Languages Hybrid CSP (He, Zhou) Extended Guarded Command Language with Differential Equations (Rönkkö) Hybrid π-calculuds (Rounds and Song) SHIFT: Network of hybrid automata R-Charon: Reconfigurable systems

Our approach We propose a hybrid relational modelling language, where (1) the discrete transitions are modelled by assignment and output as zero time actions, while the continuous transitions of physical world are described by differential equations and synchronous constructs. (2) The signal mechanism is used for describing interaction between system controller with physical device. (3) Three types of guards are introduced to model the condition under which the system controller switches to a new mode.

Contents 1. Hybrid Relation calculs. 2. HRML: a hybrid modelling language 3. Laws of Hybrid Programs 4. Case study

Relation A relation is a pair (αp, P), where P is a predicate containing no free variables other than in αp, and αp is a set of variable names: αp = inα outα where inα is a set of undashed variables standing for initial value and outα is a set of dashed variables standing for final value.

Hybrid relation A hybrid relation is a binary relation P where its alphabet αp is enlarged with a set conα of continuous variables, which are introduced to record the dynamic behaviour of physical coponents αp = inα conα outα

0 Discrete variables The discrete variables observable at the start of a hybrid program are the same as those observable at the end, in this case the output alphabet is obtained just by putting a dash on all the variables of the input alphabet: outα = {x x inα}

1 Continuous variables The continuous variables of are used to record dynamic behavior of the physical devices controlled by the program, and they are modelled as mappings from time to physical state of the devices. conα is divided into two sets ownα and envα which represent the set of continuous variables owned by P and the set of continuous variables accessble by P respectively.

2 Differential equation Differential equation DF = df as a hybrid relation (F(v, v) = 0) can be seen inα = df {t} outα = df {t } ownα = df DF = df {v} (t t ) τ [t, t ) (F(v, v)(τ) = 0)

3 Hybrid Relatin Calculus Sequential operators: Choice Conditional Composition Parallel operators: Disjoint parallel Parallel by merge Recursion

4 Disjoint parallel Let P and Q be hybrid relations with disjoint output alphabet and conα. Deine their parallel composition P Q by P Q = df (P Q) where inα = df outα = df conα = df inαp inαq outαp outαq conαp conαq

5 Parallel with shared output A merge mechanism M is a pair (x : Val, op), where x is a variable of type Val, and op is a binary operator over V al. Examples (1) M1 = (x : Real, max) is a merge mechanism. (2) M3 = (x : L, glb), where L is a lattice, is a merge mechanism.

6 Parallel by merge Let P and Q be hybrid relations with x outαp outαq. We define their parallel composition equipped with the merge mechanism M, denoted by P M Q, as follows: P M Q = df m, n : Val (P[m/x ] Q[n/x ] (x = (mop n))) inα = df outα = df conα = df inαp inαq outαp outαq conαp conαq

7 Healthiness Conditions The healthiness conditions of hybrid programs are closely related to the following features: Time Interaction mechanism Intermediate Observation Divergence

8 Introducing Time Time variables t and t are introduced in an alphabet of hybrid relation to record the start and complete time instants of a transition. a hybrid relation P has to meet the following condition P(t, t ) = P(t, t ) (t t ) We introduce a function H1 to convert a hybrid relation into a healthy hybrid relation: H1(P) = df P (t t )

9 Interaction mechanism A signal, denoted by its name, has two types of status, i.e., either presence or absence. A signal is present if (1) it is an input signal received from the environment, or (2) it is emitted as the result of performing an output command. For any signal s, we use a clock variable s.clock to record the time instants at which the signal s is present.

0 Healthiness condition of clock variable s.clock has to be a subset of s.clock since the latter may be added some time instants of [t, t ] at which the signal s is present. Thus, a hybrid relation is required to meet the following condition: P = P inv(s) where inv(s) = df (s.clock s.clock ) (s.clock (s.clock [t, t ])) We introduce a function H2 to convert a hybrid relation into a healthy hybrid relation: H2(P) = df P inv(s)

1 Introducing program status variables We add st and st to the output alphabet of a hybridrelation to describe the program status. st = term indicates its sequential predecessor terminates successfully. As a result, the control passes to the hybrid program. st = stable indicates the predecessor has not finished yet (for example, it is waiting for occurrences of some events). As a result, the hybrid program can not start its execution. st = div indicates the predecessor enters a chaotic status, and can not be rescued by its environment.

2 Healthiness condition of st A hybrid program has to keep idle until its sequential predecessor terminates successfully. P = (H1 H2)(P) st = term skip where skip = df II A (st div) (H1 H2)( ) We define a mapping to convert a hybrid relation into a HC3-healthy one: H3(P) = df (H1 H2)(P) st = term skip

3 Healthiness condition of st Once a hybrid program enters a divergent state, its future behaviour becomes uncontrollable. This requires it to meet the following condition: P = P;skip Define H4(P) = df P;skip

4 Composition of healthy convertions Hi Define Theorem H = df (H1 H2 H3 H4) P satisfies HC1 HC4 if and only if P = H(P) Theorem (1) H is monotonic and idempotent. (2) Healthy hybrid relations form a complete lattice L.

5 Closure of healthy hybrid relations Theorem (1) H(P) H(Q) = H(P Q) (2) H(P) b H(Q) = H(P b Q) (3) H(P);H(Q) = H(P;H(Q)) (4) If P and Q lie in the complete lattice L, then so does (P M Q) where the merge mechanism M = df (st : {term, stable, div}, glb).

6 HRML: a hybrid relational modelling language AP ::= skip chaos stop x := e!s delay(δ) EQ ::= R(v, v) EQinitv 0 EQ EQ P ::= AP P P P; P P b(x) P P P EQuntilg when(g) µx P(X) timer c P signals P g ::= skip s test g g g g test ::= true v e v e test test test test G ::= g& P G[]G

7 Alphabet of HRML programs The alphabet of an HRML program P of HRML consists of the following components αp = df inαp outαp conαp where conαp = ownαp envαp, and ownα comprises two types of continuous variables: conα = df phyα timerα to specify the physical devices and timers owned by P respectively.

8 Elements of the input alphabet inαp denotes the set of input variables of P inαp = df {st, t, count} PV ar ClockV ar count (of the type non-negative reals) describes the emitting order of the signals that occur in the same time instant. PV ar denotes the set of program variables. ClockV ar is the set of clock variables: ClockV ar = df {s.clock s InSignal OutSignal} where s.clock records the time instant t and the emit order count at which signal s occurs.

9 Atomic commands 1. Assignment: it is used to model the discrete change. The execution of x := e assigns the value of e to variable x instantaneously (x := e) = df H(II inα [e/x]) 2. Output:!s emits signal s, and then terminates immediately.!s = df H(II inα [(s.clock {(t, count)})/s.clock])

0 Laws of output Theorem (1)!s 1 ;!s 2 =!s 2 ;!s 1 (2)!s;!s =!s (3)!s; (x := e) = (x := e);!s

1 Guard Let g be a guard g, the boolean function g.fired : Intervel Time Bool is used to specify its status over the time interval [t, t ]. For any τ [t, t ] g.fired([t, t ])(τ) = true indicates the guard g is ignited at the time instant τ.

2 Laws of guard Define (g = h) = df (g.fired = h.fired) Theorem (1) (Guard,,,false,true) forms a Boolean algebra. (2) has false as its zero. (3) has true as zero. Corollary g (g h) = g

3 Order We say g is weaker than h (denoted by g h), if the ignition of h can fire g immediately: g h = df h = (h g) Theorem is a partial order. Theorem g h iff g = (g h)

4 Ignition of guards We introduce the following boolean function g.triggered : Interval Bool to identify the cases when the guard g is only fired at the endpoint of the interval g.triggered([t, t ]) = df g.fired([t, t ])(t ) τ [t, t ) g.fired([t, t ])(τ) To specify those cases when the guard g remains idle we introduce the boolean function g.inactive g.inactive([t, t ]) = df τ [t, t ] g.fired([t, t ])(τ)

5 Properties of triggeredandinactive Theorem (1) (g1 g2).triggered = g1.triggered (g2.triggered g2.inactive) g2.triggered (g1.triggered g1.inactive) (2) (g1 g2).inactive = g1.inactive g2.inactive

6 when statement The program when(g 1 &P 1 []...[]g n &P n ) waits for one of its guards to be fired, then selects a program P i with the ignited guard to be executed. when(g 1 &P 1 []...[]g n &P n ) = df H(st = stable II C {count} time passing 1 k n (g k.inactive)) 1 i n H st = term II C PV ar time passing update(count, g i ) g i.triggered k i (g k.triggered g k.inactive) ; P i

7 when statememt where C = df update(count, g) = df {s.clock s OutSignal} (count = count) g InSignal = (count > max(count, index(g)) index(g) = df max({0} {π 2 (last(s.clock )) s g})

8 Laws of when statement If a when construct comprises a skip guard, then other guarded branches can be selected only when their corresponding guards are fired immediately after the when statement starts its execution. L1 when((skip&p) [] (g&)q []G) = when((skip&p) [] ((skip g)&q) []G) Corollary when((skip&p) [] (g&p) []G) = when((skip&p) []G)

9 Laws of when statement Once a guard is fired, so does the same guard in its guarded when-construct. L2 when(((g h 1 )&when((g h 2 )&P [] G 1 )) [] G 2 ) = when(((g h 1 )&when(((skip g) h 2 ) [] G 1 )) [] G 2 ) Corollary If g h, then when(h&when(g&p [] G 1 ) [] G 2 ) = when(h&when(skip&p [] G 1 ) [] G 2 )

0 Laws of concurrency An input signal can ignite the corresponding guard in the when and until statements. L1 (!s;p) (Runtil(s g) ; Q) = (!s;p) Q L2 (!s;p) when((s&q) []G) = (!s;p) when((skip&q) []G) Corollary (!s;p) when(s&q) = (!s;p) Q

1 Laws of concurrency when statements are closed under concurrent composition. L3 Let P = when((g 1 &P 1 ) []...[] (g n &P n )) and Q = when((h 1 &Q 1 ) []...[] (h m &Q m )). Then (g 1 &(P 1 Q)) []...[] (g n &(P n Q)) [] P Q = when (h 1 &(P Q 1 )) []...[] (h m &(P Q m ))[] [] i, j ((g i h j )&(P i Q j )) Corollary when(g& P) when(g& Q) = when(g& (P Q))

2 Introducing signal The first theorem demonstrates how to introduce signals as an interaction mechanism to link a physical device with a controller Theorem Let l < m < n. If R ( v > 0) then (Rinitmuntil (v n)) = (Rinitmuntils) sig s, u when((v n)&!s [] (v l)&!u)

3 Introduce signal Theorem Let l < m < n. If R ( v < 0) then (Rinitmuntil (v l)) (Rinitmuntilu) = signals, u when(((v n)&!s) [] ((v l)&!u))

4 Adjust the sampling rate The following theorem is used to reduce the sampling rate of the controller by estimating the change speed of physical state Theorem Let l < m < n. If R (0 < v r) and δ < (n m)/r, then (Rinitmuntil(v n)) (Rinitmuntils) = signals, u delay(δ); when(((v n)&!s) [] ((v l)&!u))

5 Water Tank The system is used to control the water level in a tank by switching on a control valve, The water level will rise whenever the valve is open, otherwise it will drop down. Assume that the rising and dropping phases are governed by the following differential equations: Rise = df Drop = df (ḣ = f(h)) (ḣ = g(h)) where f(h) > 0 and g(h) > 0.

6 Requirement The goal is to maintain the water level between L and M units. Assume that initially the water level is M and the control valve is open. Such a requirement can be formalised as an until statement. Req = df (h M); (Goaluntilfalse) where Goal = df (L h H) (ḣ 0)

7 Design 1 To deliver a refinement of Req by investigating the rising up and falling down phases of the water level separately Let L < M < M < M < H. Define Up 1 = df (L < h < H) (0 < ḣ < r)until(h M ) Down 1 = df (L < h < H) (l < ḣ < 0)until(h M ) where we assume that the variations of water level are bounded r = df sup{f(h) L h M} l = df inf{ g(h) L h M} Define Design 1 = df (h M); (Up 1 ; Down 1 ) Theorem Req Design 1

8 Design 2 To refine Up 1 and Down 1 by introducing the differential equations Rise and Drop: Up 2 = df Riseuntil(h M ) Down 2 = df Dropuntil(h M ) Let Design 2 = df (h M); (Up 2 ; Down 2 ) Theorem Design 1 Design 2

9 Design 3 To construct a control program to monitor the variations in water level, and emit signals to alternate the transition modes of the tank. Let and define where C = df Up 3 = df Riseuntiloff Down 3 = df Dropuntilon Ctrl = df C (delay(ρ);when(h M &!off[]h M &!on)) The delay command delay(ρ) of C is inserted to avoid the reignition of consecutive when statements.

0 Design 3 The water tank can then be described by the hybrid program Tank Tank(x) = df (h x); WL where WL = df (Up 3 ; Down 3 ) and the parameter x denotes the initial water level. Define Design 3 = df signal on, off (Tank(M) Ctrl) Theorem Design 2 Design 3 (M)

1 Conclusion The objectives of this work are: to invent formal modeling techniques for hybrid systems using which one can easily model discrete and continuous behaviours. These techniques should also compositional and hierarchical and enable the user to uniformly model a complex system at different levels, thus solving the modeling problem of complex systems. to develop formal analysis, verification and synthesis techniques to support the above architecture model of hybrid systems, and guarantee the correctness of refinement and combination of subsystem models using the above modeling techniques, thus solving the constructivity problem of complex systems.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback