Compositional Semantics and Analysis of Hierarchical Block...

Compositional Semantics and Analysis of HierarchicalBlock Diagrams

Iulia Dragomir1

joint work with Viorel Preoteasa1 and Stavros Tripakis1,2

1Aalto University, Finland2UC Berkeley, USA

Hierarchical block diagrams

Constant Scope

Inport Outport

DelaySum

e c a 1

Outport1

Inportz1

UnitDelayAdd

Consist of:

atomic components

composed components (orsubsystems)

communication links(instantaneous)

Simulink is a HBD language forembedded control system design.

Goal: compositional semantics and analysis of HBDs

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams April 8, 2016 2 / 34

Compositional semantics and analysis of HBDs

Compositional semantics:

How to translate HBDs into a formal compositional reasoning framework

Compositional analysis:

Compositional verificationCompatibility checking

Refinement calculus for reactive systems (RCRS):a compositional reasoning framework

Introduced in [Tripakis et al., TOPLAS 2011], and [Preoteasa et al.,EMSOFT 2014]

Formal model:

monotonic predicate transformers3 composition operators: serial (◦), parallel (‖) and feedback (feedback)refinement operator

Allows for:

modeling open, non-deterministic, and non-input-receptive systemsmodeling safety and liveness propertiescomponent substitutability, reusabilitycompositional and incremental design

A non-trivial problem: translating HBDs into RCRSTranslation

Input diagram

A non-trivial problem: translating HBDs into RCRSTranslation 1

Input diagram

RCRS term: feedbacka(PA ◦ (PB ‖ Id))

Input diagram

RCRS term: feedbackc((PB ‖ Id) ◦ PA)

Input diagram

RCRS term: feedbacka,c(PA ‖ PB)

A non-trivial problem: translating HBDs into RCRSQuestions

Input diagram

feedbacka(PA ◦ (PB ‖ Id))

feedbackc((PB ‖ Id) ◦ PA)

feedbacka,c(PA ‖ PB)

What are the advantages/drawbacks of these expressions?→ How efficiently can these terms be analyzed?

Are these expressions semantically equivalent?

Another non-trivial problem: expansion and simplificationof RCRS terms

“DelaySum” block diagram:

e c a 1

Outport1

Inportz1

UnitDelayAdd

translation

DelaySum = feedback((Add ‖ Id) ◦ UnitDelay ◦ (Split ‖ Id))

expansion and simplification

DelaySum = [e, s s, s+ e]

Contributions

1 Implementation of RCRS in the Isabelle theorem prover

2 Translation of HBDs into RCRS

3 Expansion and simplification of RCRS terms in Isabelle

4 Case study: realistic Simulink model from Toyota

Outline

1 Context and motivation

2 The RCRS framework

3 Translation of HBDs to RCRS

4 Expansion and simplification

5 Implementation and evaluation

6 Conclusions

Outline

6 Conclusions

Monotonic predicate transformers

Classic mechanism to represent programs

Weakest precondition semantics [Dijkstra et al.]

Atomic Simulink components can be represented by monotonic predicatetransformers (MPTs)

Example:

Div = {x, y : y 6= 0} ◦ [x, y xy ] Div

Composition operators

Serial composition

Parallel composition

Feedback composition

Serial composition

Outline

3 Translation of HBDs to RCRSTranslating atomic componentsTranslating HBDs

6 Conclusions

Outline

6 Conclusions

Translating (standard) atomic components

An atomic component becomes an atomic monotonic predicate transformer.

Examples:

a Div componentDiv = {x, y : y 6= 0} ◦ [x, y x

y] Div

an Add componentAdd = [x, y x+ y]

Translating stateful atomic components

Stateful atomic components define current- and next-state variables

Example:

a UnitDelay componentUnitDelay = [x, s s, x]

UnitDelayx y

s, s′

Simulink representation

UnitDelay

Atomic MPT representation

Translating continuous-time atomic components

Continuous-time atomic components are discretized and parameterized by dt

Example:

an Integrator componentIntegrator(dt) = [x, s s, s+ x · dt] x yIntegrator

s, s′, dt

Simulink representation

Integratordt

Atomic MPT representation

Outline

6 Conclusions

Composite monotonic predicate transformers

e c a 1

Outport1

Inportz1

UnitDelayAdd

Simulink diagram

?translation

Composite MPT

Translation strategies

3 translation strategies:

feedback-parallel

incremental

feedbackless

e c a 1

Outport1

Inportz1

UnitDelayAdd

Simulink diagram

Add UnitDelay Split

Atomic MPTs representation

Feedback-parallel translation

Key idea: compose all components in parallel and then connect outputs toinputs by applying feedback operations

e c a 1

Outport1

Inportz1

UnitDelayAdd

feedback-parallel

UnitDelay

DelaySum = feedbackf,c,a(Add ‖ UnitDelay ‖ Split)

Incremental translation

Key idea:

sort components topologically according to dependencies in the diagramcompose components 1-by-1for each pair of components determine which composition operator(s) to use

e c a 1

Outport1

Inportz1

UnitDelayAdd

incremental

Add UnitDelay Split

Aux = (Add ‖ Id) ◦ UnitDelay

DelaySum = feedbackf (Aux ◦ (Split ‖ Id))

Feedbackless translation

Key idea: eliminate feedback by replacing it with direct operations oncurrent- and next-state variables (like for stateful atomic components)

e c a 1

Outport1

Inportz1

UnitDelayAdd

Add UnitDelay Split

feedbackless

Add Idud1

Idsplt1

sIdud2 Idsplt2

aIdud2

DelaySum = [s, e s, s, e] ◦ (Id ‖ Add)

Outline

6 Conclusions

From composite MPTs to atomic MPTs

e c a 1

Outport1

Inportz1

UnitDelayAdd

Simulink diagram

translation

Composite MPT

expansion and simplification ?

DelaySum = [e, s s, s+ e]

Simplified (atomic) MPT

Obtaining simplified MPTs

Expand definitions of MPTs, ◦, ‖ and feedback→ an MPT of the form {p} ◦ [f ] is obtained→ but formulas p and f can grow very large ...

Simplify p and f using rewriting rules

2050 lines of Isabelle code

Compatibility checking

Simplify the CPT to an MPT {p} ◦ [f ]

Verify that p is not false

A satisfiability problem

Outline

6 Conclusions

Toolset

Simulinkdiagram

simulink2isabelle

options(-fp, -ic, ...)

Isabelletheory

Isabelle

simplified MPT

compatibility check

Python simulation code

Powertrain Control Benchmark Model

Toyota Technial Center

This is a model of a hybrid automaton with polynomial dynamics, and an implementation of the 3rd model that appears in

"Powertrain Control Verification Benchmark", 2014 Hybrid Systems: Computation and Control,

X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts

Fuel Control System Model This model uses only the ODEs to implement the dynamics.

controller_mode

lambda

Starup Mode

Power Mode Guard

ODE4 Open

ODE4 Closed

InputPoly

Fuel Cmd Open Pwr

Fuel Cmd Open

Fuel Cmd Closed

FaultInjection

1: Failure

0: Normal

theta [0 90]

(rpm) to (rad/s)

engine speed (rpm)

[900,1100]

throttle input (deg)

[0, 81.2]

1.1s+1

Throttle del ay1

Base opening angle

In Out

Startup Mode Latch

In Out

Sensor Failure Detection Latch

boolean

airbyfuel_ref

~= double

RCRStheory

Publicly available at: users.ics.aalto.fi/iulia/sim2isa.shtml

Case study: Automotive Fuel Control System by Toyota

Publicly available benchmark: http://cps-vo.org/group/ARCH/benchmarks

Simulink model:

3-level hierarchy104 blocks: 97 atomic blocks and 7 subsystems101 links of which 7 feedbacks

PowertrainControlBenchmarkModelToyotaTechnialCenter

Thisisamodelofahybridautomatonwithpolynomialdynamics,andanimplementationofthe3rdmodelthatappearsin"PowertrainControlVerificationBenchmark",2014HybridSystems:ComputationandControl,X.Jin,J.V.Deshmukh,J.Kapinski,K.Ueda,andK.Butts

FuelControlSystemModel ThismodelusesonlytheODEstoimplementthedynamics.

controller_mode

lambda

StarupMode

PowerModeGuard

ODE4Open

ODE4Closed

InputPoly

FuelCmdOpenPwr

FuelCmdOpen

FuelCmdClosed

FaultInjection1:Failure0:Normal

theta[090]

(rpm)to(rad/s)

enginespeed(rpm)[900,1100]

throttleinput(deg)[0,81.2]

1.1s+1

Throttledelay1

Baseopeningangle

In Out

StartupModeLatch

In Out

SensorFailureDetectionLatch

boolean

airbyfuel_ref

~= double

Evaluation results I

Negligible translation time (< 1sec) for all 3 strategies

Expansion/simplification time:

feedback-parallel strategy: 15min to 1h (depending on translation options)incremental strategy: 10min to 14min (depending on translation options)feedbackless strategy: < 1min

Evaluation results I

Negligible translation time (< 1sec) for all 3 strategies

Expansion/simplification time:

feedback-parallel strategy: 15min to 1h (depending on translation options)incremental strategy: 10min to 14min (depending on translation options)feedbackless strategy: < 1min

Evaluation results II

Length of the final, top-level, simplified MPT: 122k characters

Semantical equivalence of the translation strategies

For all studied examples, including FCS, the simplified MPTs are semanticallyequivalent

→ proved in Isabelle

Proving this in general: ongoing work

The FCS Simulink model is proven compatible ∀dt > 0

i.e., the model’s simplified assert condition is satisfiable ∀dt > 0

All Isabelle proofs available at users.ics.aalto.fi/iulia/sim2isa.shtml

The FCS Simulink model is proven compatible ∀dt > 0

i.e., the model’s simplified assert condition is satisfiable ∀dt > 0

All Isabelle proofs available at users.ics.aalto.fi/iulia/sim2isa.shtml

Validation by simulation

From Isabelle we can automatically generate simulation code (in Python)

Simulation plots obtained from the FCS model using Simulink vs. our toolare nearly identical

|error| ≤ 6.1487 · 10−5

0 5 10 15 20 25 30 35 40 45 50

0 5 10 15 20 25 30 35 40 45 50-0.01

Simulink simulation Simulation of the simplified MPT

Outline

6 Conclusions

Conclusion

Simulinkdiagram

simulink2isabelle

Isabelletheory

Isabelle

simplified MPT

compatibility check

controller_mode

lambda

Starup Mode

Power Mode Guard

ODE4 Open

ODE4 Closed

InputPoly

Fuel Cmd Open Pwr

Fuel Cmd Open

Fuel Cmd Closed

FaultInjection

1: Failure

0: Normal

theta [0 90]

(rpm) to (rad/s)

engine speed (rpm)

[900,1100]

[0, 81.2]

1.1s+1

Throttle del ay1

Base opening angle

In Out

Startup Mode Latch

In Out

boolean

airbyfuel_ref

~= double

RCRStheory

Compositional semantics of HBDs

3 translation strategies of HBDs to RCRS

Implementation of the RCRS framework in Isabelle

Evaluation on real-life automotive case study

Thank you!Questions?

Conclusion

Simulinkdiagram

simulink2isabelle

Isabelletheory

Isabelle

simplified MPT

compatibility check

controller_mode

lambda

Starup Mode

Power Mode Guard

ODE4 Open

ODE4 Closed

InputPoly

Fuel Cmd Open Pwr

Fuel Cmd Open

Fuel Cmd Closed

FaultInjection

1: Failure

0: Normal

theta [0 90]

(rpm) to (rad/s)

engine speed (rpm)

[900,1100]

[0, 81.2]

1.1s+1

Throttle del ay1

Base opening angle

In Out

Startup Mode Latch

In Out

boolean

airbyfuel_ref

~= double

RCRStheory

Compositional semantics of HBDs

3 translation strategies of HBDs to RCRS

Implementation of the RCRS framework in Isabelle

Evaluation on real-life automotive case study

Thank you!Questions?

Compositional Semantics and Analysis of Hierarchical Block...

Documents

A Hierarchical Compositional Model for Face Representation ...Sczhu/Papers/PAMI_face_ZJXU.pdfA Hierarchical Compositional Model for Face Representation and Sketching Zijian Xu, Hong

Learning a Hierarchical Compositional Shape Vocabulary for

Compositional triangles

Hierarchical Krylov and Nested Krylov Methods for Extreme ... · Hierarchical Krylov methods are a generalization of block Jacobi and overlapping additive Schwarz methods, where each

Unsupervised Learning of Dictionaries of Hierarchical Compositional Modelssczhu/papers/Conf_2014/Dictionary_Learning_cvpr... · Unsupervised Learning of Dictionaries of Hierarchical

Syddansk Universitet Hierarchical Unilamellar Vesicles of … · 2017-01-29 · unilamellar vesicles of controlled compositional heterogeneity and will ease the development of eukaryotic

Hierarchical Self-Assembly of Block Copolymers for Lithography …bonghoonkim.com/1_SCI Journal_008_080526.pdf · 2019. 9. 3. · DOI: 10.1002/adma.200702285 Hierarchical Self-Assembly

Adam Kortylewski Clemens Blumer Aleksander …Greedy Structure Learning of Hierarchical Compositional Models Adam Kortylewski Clemens Blumer Aleksander Wieczorek Mario Wieser Sonali

Additively manufactured hierarchical stainless …The volume fraction and size of the cellular structures vary from sample to sample, in agreement with previous reports18. Our compositional

Introduction to Categorical Compositional Distributional Semantics Lecture · PDF fileIntroduction to Categorical Compositional Distributional Semantics ... We’ve described compositional

MCP: Learning Composable Hierarchical Control with ...MCP: Learning Composable Hierarchical Control with Multiplicative Compositional Policies Xue Bin Peng, Michael Chang, Grace Zhang,

Compositional Semantics and Analysis of Hierarchical Block ...users.ics.aalto.fi › stavros › papers › spin2016.pdf · Our framework is based on the theories of relational interfaces

CompactNets: Compact Hierarchical Compositional Networks ... · to visual question answering (Jahangiri et al., 2017). At the heart of these impressive results lies their deep hierarchical

Probabilistic Compositional Active Basis Models for Robust … · 2016. 9. 20. · University of Basel Basel, Switzerland Abstract Hierarchical compositional models (HCMs) have recently

Compositional Hierarchical Tensor Factorization: Representing …web.cs.ucla.edu/~maov/Compositional_Hierarchical_Tensor... · 2020-01-19 · compositional hierarchical tensor factorization

1 A Compositional Approach to Verifying Hierarchical Cache Coherence Protocols Xiaofang Chen 1 Yu Yang 1 Ganesh Gopalakrishnan 1 Ching-Tsun Chou 2 1 University

A Concise Guide to Compositional Data Analysisima.udg.edu/.../A_concise_guide_to_compositional_data_analysis.pdf · A Concise Guide to Compositional Data Analysis ... 3.2 Compositional

Compositional Rules

A New Pyramidal Approach for the Address Block Location Based on Hierarchical Graph Coloring

Hierarchical Memory with Block Transfer