CSE 522Model-based Development (1)

Computer Science & Engineering DepartmentArizona State University

Tempe, AZ 85287

Dr. Yann-Hang Leeyhlee@asu.edu(480) 727-7507

Some of the slides were based on lectures by Lee & Seshia (UC Berkeley) and Fainekos (ASU)

2

Modeling, Design, Analysis

Modeling is the process of gaining a deeper understanding of a system through imitation. Models specify what a system does.

Design is the structured creation of artifacts. It specifies how a system does what it does. This includes optimization.

Analysis is the process of gaining a deeper understanding of a system through dissection. It specifies why a system does what it does (or fails to do what a model says it should do).

3

What is Modeling?

A mathematical model in the form of a set of definitions and mathematical formulas. Use mathematical objects to describe the (dynamical or

static) properties and behavior of the system Developing insight about a system, process, or artifact

through imitation. The artifact that imitates the system, process, or artifact of

interest. Mathematical models can help us

understand the system behavior predict the system behavior analyze the system behavior identify system parameters

4

What is Model-Based Design?

Create a mathematical model of all the parts of the embedded system Physical world Control system Software environment Hardware platform Network Sensors and actuators

Construct the implementation from the model Construction may be automated, like a compiler More commonly, portions are automatically constructed

When is a Design of a System “Correct”?

A design is correct when it meets its specification (requirements) in its operating environment

“A design without specification cannot be right or wrong, it can only be surprising!”

Simply running a few tests is not enough!

Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)

Specification, Verification, and Control

SpecificationA mathematical statement of the design objective (desired

properties of the system)

Verification

Does the designed system achieve its objective in the

operating environment?

Synthesis

Given an incomplete design, synthesize a strategy to complete the system so that it achieves its

objective in the operating environment

Model-Based Design: Verification

Design ToolVerify:

Does model satisfy spec.?

Model

Specification

No

Use error trace information to revise model/spec.

Need a mathematical way to write models and specifications so that a verification algorithm can process it

Model-Based Design: Synthesis

Automatic ModelSynthesis Tool

Partial Description of

the Model

Specification

Automatic code synthesis for

specific platform

Need a mathematical way to write models and specifications so that an algorithm can process it

9

Representation (i.e. variables, time) state space and control function

Continuous System continuous dynamics differential equations

Discrete System (FSM) in a sequence of discrete steps difference equations

Hybrid System digital controller (thermostat) with both continuous and discrete dynamic behavior

System Models

10

Continuous Models

Ordinary differential equations, Laplace transforms, feedback control systems, stability analysis, robustness analysis, …

Modeling a Simple Suspension (SS1)

m1car body

m2 axles (all combined)

coil springs

tires

k1

k2

c1

x2

x1

shock

absorbers

xroad

021121111 xxkxxcxm

txxkxxkxxcxm road 2221121122

Input

Outputs: x1, x2, dx1/dt, dx2/dt

Modeling a Simple Suspension (SS1)

Recall: let us set

and

Then where roadBxAzz

22

11

xv

xv

2

1

2

1

2

1

2

1

v

v

x

x

x

x

x

x

z

2

1

2

1

2

21

2

1

1

1

1

1

1

1

1

1

1000

0100

m

c

m

c

m

kk

m

km

c

m

c

m

k

m

kA

2

2

0

0

0

m

kB

Actor Model of a Continuous System

Example: integrator:

Continuous-time signal:

Continuous-time actor:

Blockx y

d/dtx y=dx/dt

1/sx y(t)=x0+0

tx(τ)dτ

(SS1)xroad z

(integradtion)

(differentiation) (our simple suspension system)

Discrete Systems

Example: count the number of cars that enter and leave a parking garage:

Pure signal:

Discrete actor:

Discrete Time Signals

Consider a signal x : R + {absent} x R, where R is some range and let T be the points in time that it is present

T = {t R + | x(t) absent}.

Then, x is discrete if there exists 1-1 function f : T N which is order preserving.

The system is event triggered. t

absentpresent

up : N + {absent, present}

Garage Counter Finite State Machine

A garage has a finite space

state space = {0,1,2,…M}

declaration of inputs and outputs

the arrow denotes the initial state states

down is presentup is absent

FSM Notation

“guard / action” A guard is a predicate (a boolean-valued expression) that evaluates

to true when the transition should be taken The transition is enabled

transition

self loop

state

initial state

Formal Definition of FSM

An FSM (finite state automaton) is a 5-tuple

(states, inputs, outputs, update, initialstate)

where States is a finite set of states Inputs is a set of input valuations Outputs is a set of output valuations update : States x Inputs States x Outputs is an update

function, mapping a state and input valuation to a next state and an output valuation

initialState is the initial state

Garage Counter Mathematical Model

The picture above defines the update function.

Garage Counter Mathematical Model

update(s,i) =

(s+1,s+1) if s<M and i(up)=present and i(down) = absent

(s-1,s-1) if s>0 and i(up)=absent and i(down) = present

(s,absent) otherwise

update : States x Inputs States x Outputs

FSM Execution

The dynamics of a discrete system can be described by a sequence of reactions We ignore how much time has passed between each reaction

For each reaction the FSM moves from the current state to the next state s : N S is the state of FSM for each reaction

We can number the visited states (0 for the initial)

Input & output valuations x : N Inputs and y : N Ouputs

The FSM dynamics are (s(n+1),y(n)) = update(s(n),x(n))

22

FSM Behavior

Each port p, for each reaction will take a value from Vp{absent}, generating a sequence (or function)

sp : N Vp {absent}

Behavior: the assignment of signals to each input port such that an output sequence can be produced Observable trace ((xi, yi))iN Execution trace ((xi, si, yi))iN

The set of all behaviors of an FSM M is called the language of M and it is denoted by L(M)

Garage Counter: Behavior

Behavior:sup = (present, absent, present, absent, present, …)

sdown = (present, absent, absent, present, absent, …)

scount = (absent, absent, 1, 0, 1, …)

Note if scount was something else, then this might not have been a behavior of the system.

A default transition is enabled if no non-default transition is enabled and it either has no guard or the guard is true.

Extended state machines augment the FSM model with variables that may be read or written.

Extended State Machines

Question: What is the size of the state space?

Definitions

Stuttering transition: Implicit default transition that is enabled when inputs are absent and that produces absent outputs.

Receptiveness: For any input values, some transition is enabled. Our structure together with the implicit default transition ensures that our FSMs are receptive.

Determinism: In every state, for all input values, exactly one (possibly implicit) transition is enabled, i.e. next possible state is uniquely determined.

Non-deterministic: If for any state of a state machine, there are two distinct transitions with guards that can evaluate to true in the same reaction.

Example: Nondeterministic FSM

Nondeterministic model of pedestrians arriving at a crosswalk:

Formally, the update function is replaced by a function

Behaviors and Traces

FSM behavior is a sequence of (non-stuttering) steps. A trace is the record of inputs, states,

and outputs in a behavior. A computation tree is a graphical

representation of all possible traces.

FSMs are suitable for formalanalysis. For example, safetyanalysis might show that some unsafestate is not reachable.

Uses of Nondeterminism

Modeling unknown aspects of the environment or system Such as: how the environment changes the iRobot’s orientation

Hiding detail in a specification of the system We will see an example of this later

More compact than deterministic FSMs For a fixed input sequence: A deterministic system exhibits a single behavior A non-deterministic system exhibits a set of behaviors

. . .

. . .

. . .

. . .

What we will be able to do with FSMs

FSMs provide: A way to represent the system for:

Mathematical analysis So that a computer program can manipulate it

A way to model the environment of a system. A way to represent what the system must do and must not do

– its specification. A way to check whether the system satisfies its specification

in its operating environment.

Example from Industry: Engine Control

Source: Delphi Automotive

Systems (2001)

Traffic Light Controller

When does a reaction occur time-triggered model -- if one reaction per second event-triggered model -- when any input is present