1 / 24

Sidestepping verification complexity with supervisory control

Sidestepping verification complexity with supervisory control. Ugo Buy Department of Computer Science Houshang Darabi Department of Mechanical and Industrial Engineering University of Illinois at Chicago. Outline. Background P-invariant-based mutex enforcement Net unfolding Assessment.

leigh
Download Presentation

Sidestepping verification complexity with supervisory control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Sidestepping verification complexity with supervisory control Ugo Buy Department of Computer Science Houshang Darabi Department of Mechanical and Industrial Engineering University of Illinois at Chicago U. Buy -- SEES 2003

  2. Outline • Background • P-invariant-based mutex enforcement • Net unfolding • Assessment U. Buy -- SEES 2003

  3. Acknowledgements • Panos Antsaklis, Michael Lemmon, Univ. of Notre Dame • Starthis Corporation, Rosemont, Illinois • NIST/ATP program • Graduate students Bharat Sundararaman and Vikram Venepally U. Buy -- SEES 2003

  4. Background • Supervisory control methods for discrete event systems (DES) • Enforcing concurrency and real-time properties of embedded systems • Model DES with Finite Automata (FA) or Petri nets • Add controller that enforces desired properties to system model • Supervisory control vs. verification • Potential benefits of supervisory control • Likely obstacles to widespread applicability U. Buy -- SEES 2003

  5. Definitions • Discrete Event System (DES) is characterized by: • Discrete state set • Event-driven state transitions • Supervisory controller of a DES: • Given controlled system (a DES) and correctness property, • supervisor restricts DES behaviors in such a way that combined system will satisfy the property • Observable and controllable events U. Buy -- SEES 2003

  6. Why Supervisory Control? • Some SC methods for DES are much more tractable than verification algorithms • Promising methods: • P-invariant-based supervisors (mutex properties) • Unfolding of Petri nets (deadlock, RT deadlines) • Caveat: • System must be sufficiently observable, controllable to permit supervisor definition U. Buy -- SEES 2003

  7. Why Petri nets? • Support tractable supervisory control algorithms • P-invariants and net unfoldings • Automata-based supervisors usually intractable • Widely used in some embedded applications • Sequential Function Charts (SFCs) widely used in manufacturing applications • Part of IEC 61131 standard • Supported by Matlab, RSLogix 5000 U. Buy -- SEES 2003

  8. Petri nets • Ordinary Petri net: Bipartite, directed graph • N=(P,T,F,m0) • With: node sets P and T, • arc set F, and • initial marking m0 • Supervisory control problem: Given controlled net N and property P, generate subnet S (supervisor) that restricts N behaviors to satisfy P U. Buy -- SEES 2003

  9. Enforcing Mutex Constraints • Exploit property of Petri net P-invariants • Place subset such that weighted sum of tokens in subset is constant in all reachable net markings • Computed by finding integer solutions x to invariant equation involving incidence matrix D of Petri net: • x·D = 0 U. Buy -- SEES 2003

  10. Examples of P-invariants p2 P-invariants: { p1, p4 } { p2, p5, p7} { p1, p2, p4, p5, p7 } … (unit coefficients) p3 p1 t1 t2 p5 p4 t3 p6 p7 t4 t5 U. Buy -- SEES 2003

  11. P-invariant based supervisors • Method (Yamalidou et al. 96) • Specify mutex properties as linear inequalities on reachable markings of controlled net • l1,1·m1 + l1,2·m2 + l1,3·m3 + … <=b1 • l2,1·m1 + l2,2·m2 + l2,3·m3 + … <=b2 • … • lk,1·m1 + lk,2·m2 + lk,3·m3 + … <=bk • Treat constraints matrix as invariant equation, find Petri net (controller) satisfying P-invariant U. Buy -- SEES 2003

  12. Supervisor synthesis • Supervisor net defined by simple matrix multiplication • DC = – L ·D • Lis matrix of mutex constraints • D is incidence matrix of controlled net • Supervisor net will have k places, zero transitions • kis number of mutex constraints • Supervisor will be maximally permissive U. Buy -- SEES 2003

  13. Example of supervisor generation • The readers and writers example without mutex: • Mutex constraints: • p6 + p9 + p10 <≤ 1 • p7 + p9 + p10 <≤ 1 • p8 + p9 + p10 <≤ 1 U. Buy -- SEES 2003

  14. Example (cont’d) • The readers and writers example with supervisor: U. Buy -- SEES 2003

  15. Advantages of Mutex Supervisors • Complexity proportional to D (aka controlled system) and L (constraints) • Overall complexity polynomial for broad class of mutex constraints • Supervisors generated are small (no transitions) • Maximally permissive supervisors U. Buy -- SEES 2003

  16. Limitations of Mutex Supervisors • Cannot guarantee net liveness (e.g., freedom from deadlock) • Open issues: • Integration with other supervisors • Priorities on mutex enforcement policy • Empirical evaluation of constraint size U. Buy -- SEES 2003

  17. Unfolding Petri nets • Transform net into acyclic net capturing repetitive bevahiors of original net • Unfolding appeal: • Capture causal relationship on transition firing • Identify choice points • Identify fundamental execution paths • History of net unfolding • McMillan 92, Esparza et al. 02, He and Lemmon 02, Semenov and Yakovlev 96 (time Petri nets) U. Buy -- SEES 2003

  18. Net unfolding: Definitions • Node x in net Nprecedes node y if there is path from x to y in N • Write x<y • Node x in conflict with y if N contains paths diverging immediately after a place p and leading to x and y • Write x#y • Node x in self-conflict if N contains paths diverging immediately after a place p and leading to x • Write x#x U. Buy -- SEES 2003

  19. Unfolding untimed nets • Given net N, unfolding of N is a net U subject such that: • Nodes in U are mapped to nodes in N • Each place in U has at most one input transition • Net U is acyclic • No U node is in self conflict • Completeness property: Every reachable marking of N is in U U. Buy -- SEES 2003

  20. Example of unfolding p2 p3 p1 t1 t2 The original net: p5 p4 t3 t4 p6 p7 p8 t5 t6 p9 t7 t8 U. Buy -- SEES 2003

  21. Example of unfolding p1 p2 p3 t2 t1 p4 p6 p5 p5’ t3 t4 t3’ t4’ The unfolded net: p7 p8 p7’ p8’ t5 t6 t5’ t6’ p9 p9’ p9” p9’” t8 t7 p1’ p2’ p2’’ p3’ U. Buy -- SEES 2003

  22. Applications of unfolding • Enforcing freedom from deadlock (He and Lemmon 02) • Deadlocks detected directly in unfolding • Eliminate deadlocks by dynamically disabling transition that causes deadlock • Enforcing compliance with real-time deadlines (Buy and Darabi 03) • Latency of transition t:upper bound on the delay between the firing of t and the time when a target transition can be fired U. Buy -- SEES 2003

  23. A New Programming Paradigm? • Design/Code concurrent system without paying attention to correctness properties • Submit system description and property specification to supervisor generator • Generator adds supervisor to original system • Allegedly, a very long shot… U. Buy -- SEES 2003

  24. Future work • Integration of supervisors for different properties • Refine properties enforced • System, property specifications U. Buy -- SEES 2003

More Related