Towards component based design of hybrid systems
W. Damm¹, H. Dierks³, J. Oehlerking⁴, A. Pnueli²


Structure of Presentation

  • Motivation and Industrial Context

  • Hybrid Interface Specifications

  • Component-Based Design of Hybrid Systems: Assuring Safety and Stability

  • Conclusion

    This presentation is based on a publication which will appear in the LNCS memorial volume dedicated to Amir Pnueli.


Motivation and Industrial Context

The underlying mathematics: hybrid automata


AUTOSAR Approach

Answers the requirement to decouple growth in the number of functions from growth in the number of ECUs:

  • SW components of different functions can be allocated to one ECU

  • Allows SW components of one function to be distributed over multiple ECUs (to optimize the overall architecture)

  • Components can correspond to different modes or subsystems of hybrid controllers

  • Induces distributed execution

  • Mode switching can cause task switching


Towards component-based design of hybrid controllers

Can we propose a component model for hybrid controllers

… supporting re-use of components in multiple application contexts?

  • Characterizing stability and safety properties in specified environments through hybrid interface specifications

… supporting incremental construction of hybrid controllers

  • From a library of controller models

  • by composing controllers through transition composition

  • automatic verification of the hybrid interface specification of the composed system from the interface specifications of its subsystems

… allowing to bridge the gap between specification and design

  • Specification models with idealized time behaviour

  • Distributed implementation with induced impurities such as latencies in mode switching


Hybrid Interface Specifications

Requirements on Hybrid Interface Specifications

  • Characterize plant regions for which safety and stability are guaranteed

  • Support compositional reasoning for safety and stability

  • Support the transition from specification models to design

    • Specification models

      • Focus on nominal behaviour

      • Assume instantaneous observability and controllability of the plant

    • Design models

      • control laws become tasks: support activation/suspension of components

      • provide exception handling addressing anticipated risks or failures

      • cater for task-switching latencies


The inner envelope design paradigm

Consider a safety property given as a conjunction of linear constraints. We identify an inner envelope of it with the following properties:

  • any only slightly perturbed trajectory originating in the inner envelope stays there forever

  • whenever a sampled trajectory leaves the inner envelope, there is a time window of at least a specified minimal length until the safety property is violated when extrapolating the current dynamics, even taking into account the specified worst-case dynamics for unmodelled disturbances
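The second property above is a computable check. As an added illustration that is not part of the slides or the paper, the following code takes a safety property given as linear constraints a·x ≤ b, extrapolates the sampled state along the current linear closed-loop dynamics dx/dt = A·x, charges an adversarial disturbance bounded per coordinate by w against every constraint, and raises an alarm when the guaranteed window is shorter than the required bound. The 2-D plant, the box-shaped safety set, the additive disturbance model and all names are assumptions of this example.

```python
"""Added example (not from the slides): the time-window check behind the
inner-envelope paradigm for a safety property given as a conjunction of
linear constraints a . x <= b.

Assumptions of this example: the closed loop is linear, dx/dt = A x; an
unmodelled disturbance d enters additively with |d_k| <= w in every
coordinate; the sample plant and its constraints are constructed here.
"""
from typing import List, Sequence, Tuple

Vector = Sequence[float]
Constraint = Tuple[Vector, float]  # (a, b) encodes a . x <= b


def dot(a: Vector, x: Vector) -> float:
    return sum(ai * xi for ai, xi in zip(a, x))


def mat_vec(m: Sequence[Vector], x: Vector) -> List[float]:
    return [dot(row, x) for row in m]


def time_to_violation(x: Vector, v: Vector,
                      constraints: Sequence[Constraint], w: float) -> float:
    """Earliest time at which any constraint a.x <= b can be violated when
    x moves with velocity v plus an adversarial disturbance d, |d_k| <= w.

    Along a.x(t) = a.x + t*(a.v + a.d) the adversary maximises a.d, which
    is w * sum(|a_k|).  Constraints whose worst-case slope is <= 0 cannot
    be reached by extrapolation and contribute no bound (infinity).
    """
    earliest = float("inf")
    for a, b in constraints:
        margin = b - dot(a, x)
        if margin < 0:
            return 0.0  # the sampled state is already outside the safe set
        slope = dot(a, v) + w * sum(abs(ak) for ak in a)
        if slope > 0:
            earliest = min(earliest, margin / slope)
    return earliest


def must_raise_alarm(x: Vector, a_matrix: Sequence[Vector],
                     constraints: Sequence[Constraint], w: float,
                     delta: float) -> Tuple[bool, float]:
    """Inner-envelope rule: extrapolate dx/dt = A x from the sampled state
    and raise an alarm when the guaranteed window is shorter than delta.
    Returns (alarm, window)."""
    v = mat_vec(a_matrix, x)
    window = time_to_violation(x, v, constraints, w)
    return window < delta, window


# Constructed sample data: a stable 2-D closed loop and a box safety set.
A_CL = [[-1.0, 2.0], [-2.0, -1.0]]  # spiral sink
SAFE = [([1.0, 0.0], 5.0), ([-1.0, 0.0], 5.0),
        ([0.0, 1.0], 5.0), ([0.0, -1.0], 5.0)]  # |x1| <= 5 and |x2| <= 5

if __name__ == "__main__":
    for state in ([1.0, 0.0], [4.5, 0.0]):
        alarm, window = must_raise_alarm(state, A_CL, SAFE, w=0.5, delta=1.0)
        print(f"x={state}: window={window:.3f}s alarm={alarm}")
```

The check is deliberately conservative: it charges the full disturbance budget against each constraint independently, so a window it reports is a lower bound on the true time to violation, which is the direction a safety alarm must err in.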


… and how we apply it

Choose as entry condition an inner envelope safe₀ of the safety region safe such that all slightly disturbed trajectories originating in it will converge to the (inner envelope) region of stability within the specified bound.

Similarly for stable: the inner envelope stable₀ of the stability region stable.

[Figure: regions safe, safe₀, stable, stable₀ and the set-point]


Raising alarms along bad trajectories

[Figure: a bad trajectory drawn over the regions safe, safe₀, stable, stable₀ and the set-point]

Combining Modes Safely


A Component Lifecycle: three roles

  • Control under nominal conditions

    • Ensure plant safety

    • Enforce convergence of the plant according to the stability requirements (asymptotic stability, drive the plant into the specified region within a given time bound)

  • Deviations from nominal conditions:

    • Detect risks of endangering safety and stability

    • Raise an alarm early to provide for a safe transition of control

  • Offering help

    • Check for raised alarms and offer help if the component specification can address the dynamics causing the alarm


Approach

  • Components provide

    • Inports:

      • To invoke the nominal service

      • To offer help

      • To specify the plant conditions for which help can be offered

    • Outports

      • To raise alarms

      • To characterize the plant conditions causing the alarm

  • Components can raise multiple alarms

  • Conditions causing an alarm can disappear


Specification of nominal behaviour

  • Stability requirements

    • this subsumes asymptotic stability

    • the controller is required to meet the stability requirements unless an alarm is raised

  • Safety requirements

    • the controller is required to meet the plant safety requirement unless an alarm is raised


Being helpful: specification of inports

The inport specification is given by a formula where

  • c_β signals an incoming alarm

  • λ_β is the latest reaction time for granting acceptance

  • take_β signals acceptance of the alarm

  • start_β is the verdict of the distributed alarm resolution protocol to become the hero

  • M_β is the entry predicate required to be satisfied when control is transferred to the component over this port


Asking for help: specification of outports

The outport specification is given by a formula where

  • b_α is the outgoing alarm signal, together with the plant condition causing the alarm

  • μ_α is the minimal persistency of the alarm

  • Δ_α is the duration following the alarm for which safety and stability are still guaranteed

  • take_α signals that at least one helper is available

  • switch_α signals the delegation of control to the helper

  • M_α over-approximates the plant state at switch time


  • Static interface

    • Data

    • Control

  • Inport specifications

  • Outport specifications

  • Stability requirements

  • Assumptions

  • Promises


Hierarchical component based design and verification

Hierarchical construction of controllers

[Figure: hierarchy of controllers connected to the Plant through sensors and actuators]


Sequential composition of components

Pragmatics

  • All subsystems offer alternate ways of controlling the same plant

  • The choice of subsystem depends on the current dynamics

  • If the current subsystem is no longer able to ensure its stability and safety objectives, a warning is raised using one of its exits

  • Control then either switches to another subsystem, or the warning is passed to the enclosing hierarchy level

  • Hence all subsystems share the same static interface, and their safety and stability requirements relate to the same equilibrium


Finding the hero among all offering help

  • In a context of incremental distributed controller design, all of these might offer help:

    • 5 neighbours on the same level of the hierarchy, but allocated on different Electronic Control Units

    • Some not yet known friend in a so-far unspecified environment of the component

  • Need a distributed agreement protocol to ensure unique transfer of control

    • Wrapper for each component

    • Negotiates with other components who will be the hero, using a protocol on control signals

      • Alarm, I can take this, Please do so, Activate, Suspend

      • Specified for each inport


Real-time requirements for negotiation

Negotiations must be closed before the system becomes unsafe

  • The critical component promises to maintain safety and stability for a fixed time period after raising the alarm

  • taking into account the costs of context switches

  • Alarms must ensure a minimal persistency to guarantee distributed identification of the helper

  • Helpers must provide their offer within a given time window

  • Once a helper is selected, it still takes τ time units to perform the context switch
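The negotiation described on the last three slides can be written down as a small discrete-event model. The following is an added example, not the paper's protocol or code: a critical component raises an alarm with persistency μ and guarantee window Δ, candidate helpers answer "I can take this" within their inport's λ if their entry predicate holds for the alarmed plant condition, the wrapper selects a unique hero and the context switch costs τ. The decision instant (the latest possible reaction time), the lowest-name tie-break, the entry predicates and the sample numbers are assumptions of this example.

```python
"""Added example (not from the slides): a discrete-event model of the
alarm negotiation between a critical component and candidate helpers,
using the control signals named on the slides (Alarm, "I can take this",
"Please do so", Activate, Suspend).

Timing parameters follow the port specifications: mu (minimal alarm
persistency), delta (time after the alarm for which safety and stability
are still guaranteed), lam (latest reaction time of a helper's inport)
and tau (context-switch cost).  The decision instant, the lowest-name
tie-break, the entry predicates and the scenario are assumptions here.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PlantState = Dict[str, float]
Event = Tuple[float, str, str]  # (time, component, signal)


@dataclass(frozen=True)
class Alarm:
    source: str
    raised_at: float
    mu: float          # the alarm signal stays raised for at least mu
    delta: float       # promise: safe and stable until raised_at + delta
    state: PlantState  # over-approximation M_alpha of the plant state


@dataclass(frozen=True)
class Helper:
    name: str
    lam: float                              # lambda_beta of its inport
    entry_ok: Callable[[PlantState], bool]  # entry predicate M_beta
    reaction: float                         # actual latency of this helper

    def offer(self, alarm: Alarm) -> Optional[Event]:
        """"I can take this" if the alarm is still visible when the helper
        looks, the answer arrives within lambda_beta, and the entry
        predicate holds for the alarm's plant condition."""
        if self.reaction > self.lam or self.reaction > alarm.mu:
            return None
        if not self.entry_ok(alarm.state):
            return None
        return (alarm.raised_at + self.reaction, self.name, "I can take this")


def negotiate(alarm: Alarm, helpers: List[Helper], tau: float):
    """Wrapper-side agreement: collect offers until the latest possible
    reaction time, pick a unique hero (lowest name), and check that the
    context switch completes inside the guarantee window.
    Returns (hero or None, switch time or None, signal trace)."""
    trace: List[Event] = [(alarm.raised_at, alarm.source, "Alarm")]
    offers = [o for o in (h.offer(alarm) for h in helpers) if o is not None]
    trace.extend(sorted(offers))
    t_decide = alarm.raised_at + max((h.lam for h in helpers), default=0.0)
    deadline = alarm.raised_at + alarm.delta
    if not offers:
        trace.append((t_decide, alarm.source, "Escalate: warning to enclosing level"))
        return None, None, trace
    hero = min(name for _, name, _ in offers)
    trace.append((t_decide, alarm.source, f"Please do so -> {hero}"))
    t_switch = t_decide + tau  # the context switch itself still costs tau
    if t_switch > deadline:
        trace.append((deadline, alarm.source, "Deadline missed: guarantee expired"))
        return None, None, trace
    trace.append((t_switch, hero, "Activate"))
    trace.append((t_switch, alarm.source, "Suspend"))
    return hero, t_switch, trace


def schedulable(delta: float, lam: float, tau: float, mu: float) -> bool:
    """Static real-time check implied by the slides: offers must be in by
    lam, the alarm must persist at least that long, and the switch must
    finish before the guarantee runs out."""
    return mu >= lam and lam + tau <= delta


# Constructed scenario: one alarm, three candidate helpers.
ALARM = Alarm("ctrl_nominal", raised_at=10.0, mu=2.0, delta=5.0, state={"x": 3.0})
HELPERS = [
    Helper("helper_A", lam=1.5, entry_ok=lambda s: s["x"] < 5.0, reaction=1.0),
    Helper("helper_B", lam=1.5, entry_ok=lambda s: s["x"] < 2.0, reaction=0.5),
    Helper("helper_C", lam=1.5, entry_ok=lambda s: True, reaction=1.8),
]

if __name__ == "__main__":
    hero, t_switch, trace = negotiate(ALARM, HELPERS, tau=1.0)
    for t, who, signal in trace:
        print(f"t={t:5.1f}  {who:13s} {signal}")
    print("hero:", hero, "switch at:", t_switch)
```

In the constructed run helper_B answers fastest but its entry predicate fails, helper_C can address the dynamics but answers after its λ, so helper_A becomes the hero and control is delegated at t = 12.5, inside the Δ = 5 guarantee. Raising τ to 4 makes the switch land after the deadline, and the wrapper reports the failure instead of silently delegating.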


Distributed agreement on heroes ...


Semantics of transition composition

  • Let [[C_i]] denote the hybrid automaton expressing the semantics of subsystem C_i.

  • We define the semantics [[C]] of the transition composition C = S(P,Q)(C_1,...,C_n) as the parallel composition of the hybrid automata

    • [[C_i]] representing the semantics of its subcomponents

    • H_C propagating activation and failures

    • H_Q propagating control signals from inports

    • H_P implementing the distributed identification of the hero


Distributed identification of heroes ...

The automaton H_P codes in its state set

  • the internally raised alarms

  • if helpers are available for such an alarm, all such pairs (alarm, helper)

    To this end it collects all control signals from local outports, and the control signals of local inports and external outports, based on the P-port connection


Compositional Verification of Stability: Approach

In a white-box view we would consider the composed Lyapunov function

$$V(\cdot, X) = V_j(\cdot, X) \quad \text{if } \mathrm{in}(C_j)$$

as a candidate Lyapunov function for the composed system and prove that this function is decreasing.

A key ingredient in this proof is that criticality does not increase in mode switching.


Lyapunov functions demonstrate convergence to equilibrium

  • Lyapunov functions provide measures of criticality of the states of the closed loop H||P: red states are far from the point of equilibrium

  • Lyapunov functions are witnesses of stability: any trajectory originating in the entry region of the controller will converge to the equilibrium


Turning a hybrid automaton into a basic component implementation

  • Have to provide for activation and suspension

  • Have to provide a wrapper supporting the distributed agreement protocol

  • Leads to a hybrid automaton defining the component semantics

  • Can verify with automated verification techniques that the hybrid automaton meets the component interface specifications

    • Nominal: safety and stability

    • Specifications of inports (partly guaranteed by the wrapper automata)

    • Specifications of outports (partly guaranteed by the wrapper automata)


Semantics of basic components

Let H be a hybrid automaton admissible for component specification C and plant P. We define the semantics [[C(H)]] of the induced component implementation I as the parallel composition of hybrid automata with

  • H1 allowing for chaos when I is not active

  • H2 providing for activation and suspension of H

  • H3 supporting distributed agreement on handling all alarms

  • H_β supporting the protocols for inports


Interface verification of basic components (I)

Let H denote the hybrid automaton inducing the basic component implementation, and consider the closed loop H||P.

Recall that a Lyapunov function for H||P is a function meeting the following requirements: it is positive except at the equilibrium, where it vanishes, and it decreases along every trajectory of H||P.


Verification conditions for basic components (1)

No chattering – no immediate alarms: stated in terms of reach, where reach refers to the linear(!) closed-loop dynamics of H||P

Tools for establishing the verification conditions:

  • using barrier certificates / Lyapunov functions

  • using forward reachability analysis tools such as PHAVer


Verification conditions for basic components (2)

  • Asymptotic stability

    • Generate a family of Lyapunov functions for H||P to provide more flexibility when composing systems

  • Time-bounded convergence

    • We exploit that any positive linear combination of Lyapunov functions is again a Lyapunov function
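The Lyapunov witness used on the "Lyapunov functions demonstrate convergence" slide and the time-bounded convergence condition above can be made concrete for a linear closed loop. The following is an added example, not code from the paper: it solves the Lyapunov equation AᵀP + PA = −Q for a 2×2 closed-loop matrix, checks that V(x) = xᵀPx is positive definite, derives the decrease rate α = λ_min(Q)/λ_max(P) that turns V into a time bound on reaching a target region, confirms the decrease along a simulated trajectory, and checks the "criticality does not increase at a mode switch" condition between two such functions. The closed-loop matrix, the choice Q = I, the pure-Python solver and the switch condition V_to(x) ≤ V_from(x) are assumptions of this example.

```python
"""Added example (not from the slides): a quadratic Lyapunov function
V(x) = x^T P x for a linear closed loop dx/dt = A x, the kind of witness
the interface verification relies on.

Assumptions of this example: 2x2 closed loop, Q = I, a small pure-Python
solver, and the switch condition V_to(x) <= V_from(x) as the formal
reading of "criticality does not increase in mode switching".
"""
import math
from typing import List, Sequence, Tuple

Matrix = List[List[float]]


def solve_linear(m: Matrix, rhs: List[float]) -> List[float]:
    """Gauss-Jordan elimination with partial pivoting for a small system."""
    n = len(rhs)
    a = [row[:] + [rhs[i]] for i, row in enumerate(m)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        if abs(a[piv][col]) < 1e-12:
            raise ValueError("singular system")
        a[col], a[piv] = a[piv], a[col]
        for r in range(n):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][n] / a[i][i] for i in range(n)]


def lyapunov_2x2(A: Matrix, Q: Matrix) -> Matrix:
    """Solve A^T P + P A = -Q for symmetric P = [[p11, p12], [p12, p22]].
    Writing out the three independent entries gives a 3x3 linear system."""
    (a, b), (c, d) = A
    system = [[2 * a, 2 * c, 0.0],
              [b, a + d, c],
              [0.0, 2 * b, 2 * d]]
    rhs = [-Q[0][0], -Q[0][1], -Q[1][1]]
    p11, p12, p22 = solve_linear(system, rhs)
    return [[p11, p12], [p12, p22]]


def sym_eigs(S: Matrix) -> Tuple[float, float]:
    """Eigenvalues (min, max) of a symmetric 2x2 matrix, closed form."""
    (p, q), (_, r) = S
    mean = (p + r) / 2
    disc = math.sqrt(((p - r) / 2) ** 2 + q * q)
    return mean - disc, mean + disc


def is_positive_definite(S: Matrix) -> bool:
    return sym_eigs(S)[0] > 0


def quad(S: Matrix, x: Sequence[float]) -> float:
    """x^T S x."""
    return sum(x[i] * S[i][j] * x[j] for i in range(2) for j in range(2))


def convergence_rate(P: Matrix, Q: Matrix) -> float:
    """alpha such that dV/dt = -x^T Q x <= -alpha * V(x)."""
    return sym_eigs(Q)[0] / sym_eigs(P)[1]


def time_to_reach(v0: float, eps: float, alpha: float) -> float:
    """Bound on the time until V drops from v0 to the target level eps,
    from V(x(t)) <= v0 * exp(-alpha * t)."""
    return 0.0 if v0 <= eps else math.log(v0 / eps) / alpha


def v_decreases_along_trajectory(A: Matrix, P: Matrix, x0: Sequence[float],
                                 h: float = 0.01, steps: int = 500) -> bool:
    """Euler-simulate dx/dt = A x and check that V never increases."""
    x = list(x0)
    v_prev = quad(P, x)
    for _ in range(steps):
        dx = [sum(A[i][j] * x[j] for j in range(2)) for i in range(2)]
        x = [x[i] + h * dx[i] for i in range(2)]
        v = quad(P, x)
        if v > v_prev + 1e-12:
            return False
        v_prev = v
    return True


def switch_keeps_criticality(P_from: Matrix, P_to: Matrix,
                             x: Sequence[float]) -> bool:
    """Mode switch at state x is admissible if the target mode's Lyapunov
    value does not exceed the current one (assumed switch condition)."""
    return quad(P_to, x) <= quad(P_from, x) + 1e-12


# Constructed closed-loop matrix (a spiral sink) and Q = I.
A_CL = [[-1.0, 2.0], [-2.0, -1.0]]
Q_ID = [[1.0, 0.0], [0.0, 1.0]]

if __name__ == "__main__":
    P = lyapunov_2x2(A_CL, Q_ID)
    alpha = convergence_rate(P, Q_ID)
    print("P =", P, "positive definite:", is_positive_definite(P))
    print("decrease rate alpha =", alpha)
    print("time to shrink V from 8 to 0.5 <=", time_to_reach(8.0, 0.5, alpha))
    print("V decreasing along trajectory:",
          v_decreases_along_trajectory(A_CL, P, [4.0, 0.0]))
```

For the constructed matrix the solver returns P = ½·I, so V is half the squared distance to the set-point and decays at rate α = 2; the time bound for shrinking V from 8 to 0.5 is ln 16 / 2 ≈ 1.39 time units. An unstable closed loop (for instance A = diag(1, −2)) still yields a solution of the equation, but one that is not positive definite, which is exactly the failed certificate the verification condition is meant to detect.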


Verification conditions for basic components (3)

  • Exit conditions are established within the escape period

  • Promises are met

    Theorem

    If all verification conditions are satisfied, then H||P satisfies its hybrid interface specification

Inductive Assertions

As a basis for compositional grey-box verification, we must provide the following "invariants" inductively at the interface of components

Additionally, parameter-dependent constants for computing convergence rates must be made visible


Conclusion and Future Work

  • Have proposed a theoretical foundation for component-based design of hybrid control supporting compositional verification of nominal and exception-handling requirements

  • Verification conditions both for basic and composed systems can be discharged automatically

  • Future work

    • Extensions to parallel composition

    • Bridging the gap between idealized plant models and physical plants

Thanks, Amir