1

Hybrid Input/Output Automata:Theory and Applications

Nancy Lynch, MITMathematical Foundations of Programming SemanticsMontreal, CanadaMarch 20, 2003

Joint work with Roberto Segala (U. Verona), Frits Vaandrager (U. Nijmegen), Carl Livadas, Sayan Mitra, Eric Feron, Yong Wang,…

2

Hybrid Systems

• Continuous, real-world components + discrete, computer components

• Examples:– Automated transportation systems – Robots– Embedded systems– Mobile computing systems

• Complex• Strong safety, performance requirements• Formal models needed for design and analysis.

Actuator Sensor

Plant

Controller

3

The HIOA Model[Lynch, Segala, Vaandrager 01, 03]

• General, mathematical modeling framework.• State machines with discrete transitions and trajectories.• Model plants, controllers, sensors, actuators, software,

communication services, human operators,…• Support for decomposing hybrid system descriptions:

– External behavior: Models discrete and continuous interaction of component with its environment.

– Composition: Synchronizes external actions, external “flows”.– Levels of abstraction, implementation.

• Can incorporate analysis methods from:– CS: Invariants, simulation relations, compositional methods.– Control theory: Invariant sets, stability analysis, robust control.

4

Applications• Automated transportation systems:

– Simple vehicle maneuvers [Weinberg, Lynch 96]– People-mover (Raytheon) [Livadas, Lynch, Weinberg, De Lisle 96]

[Livadas, Lynch 98] – PATH automated highway system [Branicky, Dolginova, Lynch 97]

[Dolginova, Lynch 97][Lygeros, Lynch 98]• Aircraft control:

– TCAS [Livadas, Lygeros, Lynch 99]– Quanser helicopter system [Mitra, Wang, Feron, Lynch 02, 03]

• Spacecraft:– ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03]

• Robotics– Lego cars [Fehnker, Vaandrager, Zhang 02]

• Algorithms for ad hoc mobile networks– Routing [Mitra]

5

Other kinds of I/O Automata Models• Basic I/O Automata [Lynch, Tuttle 87]

– States, start states, actions, transitions, tasks– Used for asynchronous distributed algorithms

• Timed I/O Automata [Lynch, Vaandrager 91]– Add time-passage transitions– Used for timing-based distributed algorithms– Local clocks, clock synchronization.– Timing/performance analysis.

• Hybrid I/O Automata, v.1 [Lynch, Segala, Vaandrager, Weinberg 96] – Add explicit trajectories

• Probabilistic I/O Automata [Segala 95] – Add probabilistic transitions– Used for randomized distributed algorithms– Security protocols

6

All the IOA models

TIOA

HIOA

IOA

PIOA

PTIOA

PHIOA

7

Talk Outline

1. Introduction 2. I/O Automata and Timed I/O Automata3. Hybrid I/O Automata definitions and results4. HIOA applications 5. HIOA future work6. Timed IOA, revisited7. Probabilistic IOA, revisited8. Conclusions

8

I/O Automata and Timed I/O Automata

9

Basic I/O Automata

• Infinite-state, nondeterministic automaton models.• States, transitions• Describe system modularity:

– Parallel composition of interacting components.– Levels of abstraction.

10

I/O Automata • Static description:

– Actions: input, output, internal– States, start states– Transitions (q, a, q'), input-enabled

• Dynamic description:– Execution: q0 a1 q1 a2 q2 …– Trace: Project on external actions; externally visible behavior.– A implements B: traces(A) traces(B).

• Operations for building automata:– Parallel composition, identifying inputs and outputs.– Action hiding.

• Reasoning methods:– Invariant assertions: Property holds in all reachable states.– Simulation relations: Imply one automaton implements another.– Prove using induction on length of execution.– Compositional methods

11

Reliable FIFO Channel Model

• Signature:– Inputs:

• send(m), m in M– Outputs:

• receive(m), m in M• States:

– queue, a finite sequence of elements of M, initially empty• Transitions:

– send(m)• Effect: Add m to end of queue

– receive(m)• Precondition: m is first on queue• Effect: remove first element of queue

Channel(M) send(m) receive(m)

12

Example Applications• Basic distributed algorithms:

– Resource allocation, consensus, atomic objects, concurrency control, group communication,…

• Distributed systems:– Orca distributed shared memory system

[Fekete, Kaashoek, Lynch] – Transis, Ensemble group communication systems

[Hickey, Lynch, van Renesse] • Algorithms for dynamic networks:

– Reconfigurable atomic memory [Lynch, Shvartsman 02] [Gilbert, Lynch, Shvartsman 03] [Musial, Shvartsman 03]

[Dolev, Gilbert, Lynch, Shvartsman, Welch]

13

Group Communication [Fekete, Lynch, Shvartsman]

• We define automata modeling:– Totally ordered reliable broadcast service– Group communication service– Algorithm (based on [Keidar, Dolev])

• Prove that the composition of the algorithm and GCS automata implements TO-Broadcast.

• Proofs checked using PVS theorem-prover [Archer]

TO-Bcast

GCSGCS

14

IOA Language + Toolset[Garland, Lynch]

• Formally-defined programming/modeling language for describing and analyzing systems modeled as I/O automata.

• Current tools: – Simulator, including levels of abstraction– Connection with Daikon invariant detector [Ernst]– Connection to Larch, Isabelle/HOL theorem-provers– Support inductive proofs of invariants and simulation relations

• In progress: – Automatic distributed code generator

IO A

15

Timed I/O Automata • Add time-passage actions, pass(t)• Example: FIFO channel that delivers messages within time d.

– send(m)• Effect: Add (m, now + d) to end of queue

– receive(m)• Precondition: (m,u) is first on queue (for some u)• Effect: remove first element of queue

– pass(t)• Precondition: for all (m,u) in queue, now + t u• Effect: now := now + t

• Can use standard automaton-based reasoning methods:– Invariant: If (m,u) in queue, then now u now + d.– Inductive proofs.

16

Applications• Distributed algorithms:

– Resource allocation, consensus,…• Timeout-based communication protocols:

– TCP [Smith]– Reliable multicast [Livadas]

• Performance (latency) analysis:– Group communication systems: [Fekete, Lynch, Shvartsman],

[Khazan, Keidar 00, 02]– Reconfigurable atomic memory [Lynch, Shvartsman 02]– Dynamic atomic broadcast [Bar-Joseph, Keidar, Lynch 02]– Peer-to-peer network maintenance and routing [Lynch, Stoica 03]

• Hybrid systems challenge problems:– RR crossing – Steam boiler controller

17

Hybrid I/O Automata, Definitions and Basic Results

18

Describing Hybrid Behavior

• Variable v– Static type, type(v)– Dynamic type, dtype(v): Allowed “trajectories” for v

• Functions from time intervals to type(v).• Closed under time shift, subinterval, countable pasting.• Examples: Pasting closure of constant functions,

continuous functions, differentiable functions, integrable functions

• Valuation for V: – Assigns value in type(v) to each v in V.

19

Describing Hybrid Behavior

• Trajectory– Models evolution of variables over a time interval.– I-trajectory for V: Maps I to valuations for V;

restriction to each v is in dtype(v).

• Hybrid sequence– Models a series of discrete and continuous changes. 0 a1 1 a2 2 …, alternating sequence of trajectories and

actions.

I

20

Hybrid I/O Automaton • U, Y, X: Input, output, and internal (state) variables• Q: States, a set of valuations of X : Start states• I, O, H: Input, output, and internal actions• D Q (I O H) Q: Discrete transitions• T: Trajectories for (U Y X) in which the valuations of X

are in Q.

XU Y

I O

H

21

Basic Trajectory Axioms

• Set T of trajectories is closed under:– Prefix– Suffix– Countable concatenation

22

Input-Enabling Axioms

• Input action enabling: – For every state q and every input action a, there is some

discrete transition (q,a,q´).

• Input trajectory enabling: – For every state q and every input trajectory, there is

some trajectory that starts with q, and either:• Spans the whole input trajectory, or• Spans a prefix of the input trajectory, after which

some locally-controlled action is enabled.

23

Executions and Traces

• Execution fragment:– Hybrid sequence 0 a1 1 a2 2 …, where:

• Each i is a trajectory of the automaton and

• Each (i.lstate, ai , i+1.fstate) is a discrete step.• Execution:

– Execution fragment beginning in a start state.• Trace:

– Restrict to external actions and external variables. • A implements B if they have the same external

interface and traces(A) traces(B).

24

Notation for specifying trajectories• Differential and algebraic equations and inclusions.• Trajectory satisfies algebraic equation v = e if the constraints on the variables expressed by this equation

hold in every state of .

• Trajectory satisfies differential equation d(v) = e if for every t in the domain of , v(t) = v(0) + 0

t e(t´) dt´

• Algebraic/differential inclusions are handled similarly.

25

Example: Vehicle HIOA• Follows suggested acceleration to within . • Outputs actual velocity.

• U: acc-in; Y: vel-out; X: acc, vel• Q: all valuations of X : acc = vel = 0• I, O, H, D: empty• Trajectories:

– acc(t) [acc-in(t) - , acc-in(t) + ], for t > 0– d(vel) = acc– vel-out = vel

Vehicle

acc, vel

acc-in vel-out

26

Example: Controller HIOA• Monitors velocity, suggests acceleration every time d.• Tries to ensure velocity does not exceed pre-specified vmax.• U: vel-out; Y: acc-in; X: vel-sensed, acc-suggested, clock : all 0• H: suggest• Discrete steps:

– clock = d, clock´ = 0,– vel-sensed unchanged– vel-sensed + (acc-suggested´ + ) d vmax

• Trajectories: – vel-sensed(t) = vel-out(t), for t > 0– acc-suggested unchanged– d(clock) = 1– acc-in = acc-suggested– stops when clock = d

vel-out acc-in

Controller

vel-sensed

acc-suggested

clock

27

Composition A = A1 || A2

• Assume A1 and A2 are compatible (no common outputs, internal actions/variables are private).

• Obtain A = A1 || A2 by matching external actions, variables:– Y = Y1 Y2; X = X1 X2; U = (U1 U2 ) - (Y1 Y2 ) – O = O1 O2; H = H1 H2; I = (I1 I2 ) - (O1 O2 )

• States Q: Projections in Q1, Q2

• Start states : Projections in 1, 2

• Discrete steps D: Projections in D1, D2

• Trajectories T: Projections in T1, T2

• Technicality: Composition need not satisfy input flow enabling. Assume “strong compatibility”; holds in many interesting special cases. Ignore in this talk.

28

Composition Theorems

• Projection/pasting theorem: – If A = A1 || A2 then tracesA is the set of hybrid sequences

(of the right type) whose restrictions to A1 and A2 are traces of A1 and A2, respectively.

• Substitutivity theorem: – If A1 implements A2 and both are compatible with B,

then A1 || B implements A2 || B.

29

Example: Vehicle and Controller• Vehicle || Controller:

• Invariant of Vehicle || Controller: vel vmax.• Prove using induction.• Uses auxiliary invariants, most importantly: vel + (acc-suggested + ) (d – clock) vmax

acc, vel

vel-out

acc-in

Vehicle

Controller

vel-sensed

acc-suggested

clock

30

Invariants for HIOAs

• Example: vel + (acc-suggested + ) (d – clock) vmax

• Prove by induction on structure of executions:– True in initial states– Preserved by discrete steps

• Uses standard algebraic reasoning.– Preserved by closed trajectories

• Uses results about continuous functions.• Manual proof, could support with theorem-prover.

31

Hiding

• ActHide(E,A) reclassifies external actions in E as internal.• VarHide(W,A) removes the external variables in W, but

retains their induced constraints on the trajectories.

32

Example: Hiding

• Hide the acc-in variable, which is used for communication between the components:

A = VarHide(acc-in, Vehicle || Controller)• The only remaining external variable is vel-out.• Prove correctness of A by showing that it implements an

abstract specification HIOA Vspec, which expresses just the constraint vel-out vmax.

• Show using simulation relation.

Vehicle Controller

33

Simulation Relation R from A to B

• Relation from states(A) to states(B) satisfying:– Every start state of A is related to some start state of B.– If x R y and is a discrete step of A starting with x, then

there is an execution fragment starting with y such that trace() = trace(), and .lstate R .lstate.

y .lstate.

R R

x .lstate.– If x R y and is a closed trajectory of A starting with x,

then there is …

34

Simulation Relation

• Theorem: If there is a simulation relation from A to B then A implements B (inclusion of trace sets).

• Proved by induction on structure of execution:– Initial states– Discrete steps– Closed trajectories

• Example: – Vehicle(1) implements Vehicle(2), if 1 2

– Show using simulation relation: Identity mapping

35

Allowing Time to Pass• HIOA should provide some response from any state, for any

sequence of input actions and input trajectories.• Should not “block the passage of time”.

• Definition: An HIOA is progressive if it has no execution fragment in which it generates infinitely many non-input actions in finite time.

• Theorem: A progressive HIOA A can accommodate any input from any state: For each state x and each (I,U)-sequence , there is an execution fragment from x such that (I,U) = .

• Theorem: Composition of progressive HIOAs is progressive.

36

Receptive HIOAs• But progressiveness isn’t quite enough:

– E.g., HIOAs involving only upper bounds on timing are not progressive.

• Definition: A strategy for an HIOA A is an HIOA that is the same as A except that it restricts the sets of discrete steps and trajectories.

• Definition: HIOA is receptive if it has a progressive strategy.• Theorem: A receptive HIOA can accommodate any input

from any state.• Theorem: If A1 and A2 are compatible receptive HIOAs with

progressive strategies B1 and B2, then A1 || A2 is receptive with progressive strategy B1 || B2.

37

Hybrid I/O Automata, Applications

38

Applications• Automated transportation systems:

– Simple vehicle maneuvers [Weinberg, Lynch 96]– People-mover (Raytheon) [Livadas, Lynch, Weinberg, De Lisle 96]

[Livadas, Lynch 98] – PATH automated highway system [Branicky, Dolginova, Lynch 97]

[Dolginova, Lynch 97][Lygeros, Lynch 98]• Aircraft control:

– TCAS [Livadas, Lygeros, Lynch 99]– Quanser helicopter system [Mitra, Wang, Feron, Lynch 02, 03]

• Spacecraft:– ACME [Ha, Lynch, Garland, Kochocki, Tanzman 03]

• Robotics– Lego car [Fehnker, Vaandrager, Zhang 02]

• Algorithms for ad hoc mobile networks– Routing [Mitra]

39

TCAS [Livadas, Lygeros, Lynch 99]

• On-board aircraft collision avoidance system.• Aircraft can detect the presence of nearby aircraft.• For two aircraft: TCAS tries to tell one aircraft to

climb and the other to descend.• Conducts communication protocol to break the

symmetry.• Decision based on combination of altitudes,

transponder numbers, and timing of messages.• Correct operation is not obvious; validation carried

out via extensive simulations (Lincoln Labs).

40

TCAS System Components

Aircraft

Pilot

ChannelConflictresolver

Conflictdetector

Sensor Sensor

Aircraft

Conflictdetector

Conflictresolver

Pilot

Channel

41

TCAS Model and Analysis

• We modeled all components using HIOAs.• Proved that, for two planes, and under reasonable

assumptions about speeds and accelerations, the planes remain sufficiently far apart.

42

Quanser Model Helicopter System[Mitra, Wang, Feron, Lynch 02, 03]

• 3 degrees-of-freedom models, manufactured by Quanser• User controllers not necessarily safe, can crash the

helicopter on the table.• Supervisory pitch controller needed to ensure safety.• Must contend with:

– Sensor inaccuracies– Actuator delay– Limited sampling frequency

43

Helicopter Models and Analysis• We developed HIOA models for all system components: Plant, Sensor, Actuator,

User Controller, Supervisor– Including realistic dynamics, delays, inaccuracies.

• Used the models to help design a safe supervisory controller.

44

sample

control

command

dequeue

act

0

supervisorplant

sensorsensor usrCtrl

Discrete Communication Among Components

actuator

45

Cannot jump from U to outside of R in a single step

Switch to supervisor : settling phase

Recovery Phase

Executions in the User and Supervisor modes

Return to user mode

46

Quanser Helicopter

• Controller has been implemented• We proved correctness (manually)

– Using induction– Each inductive step involves either discrete or

continuous reasoning.– Continuous reasoning uses Lyapunov stability argument.

• Developed candidate language constructs for specifying trajectories of HIOAs– Algebraic and differential equation notation– Unchanged, invariants, stopping conditions– State models and activities

47

Lego Car [Fehnker, Vaandrager, Zhang 02]

• Lego car, consisting of:– A Chassis – Two Caterpillar Treads, one on each side

• Move backwards or forwards, independently, at constant speed.– Two sensors, one on each side

• See if the ground is black or white.– RCX programmable control brick

• Reads sensors periodically.• Controls direction of motion of both treads.

• Goal: Car should follow a straight black tape.• Algorithm: If a sensor sees black, then tell the caterpillar

tread on the opposite side to go forward. If white, go backward.

48

Lego Car

Caterpillar

Chassis

Caterpillar

Sensor

Sensor

RCX

forward, backward

black

white

49

Lego Car• Modeled all components using HIOA• Safety: In all reachable states, at least one tread goes forward.

– Proofs, using induction.• Liveness: In infinitely many sample intervals, both treads go

forward (following the black tape).– Proofs, ad hoc.

• Results verified by experiments.

50

Hybrid I/O Automata, Future Work

51

Language Support

• Extend the IOA language with features for describing trajectories.

• Restrictions:– Variables are either discrete or continuous.– Discrete variables remain constant over trajectories.

• Language constructs for trajectories:– State space partitioned into “modes”.– Continuous variables in each mode evolve according to

differential/algebraic equations.– Each mode is specified by an “activity”.

52

Activities• Activity:

– E: State model, algebraic and differential equations– P Q: Operating condition – P+ Q: Stopping condition

• [α]: Set of trajectories defined by activity α• Automaton trajectories: [α]• Composition of automata A1 || A2 described in

terms of composition of their activities.• Composition of activities α = α 1 || α 2

– E: Collection of all the equations in α 1 and α 2

– q P iff q X1 P1 and q X2 P2 – q P+ iff q X1 P1

+ or q X2 P2+

53

HIOA Code Example

54

Control theory methods: Proving invariance

• For an autonomous system x´ = g(x):– Theorem [Bhatia, Szego]: If g(x) is subtangential to S

everywhere in S, then S is positively invariant.• For a HIOA with one activity of the form d(x) = g(x):

– Claim: Suppose that S is a closed convex set, S is invariant with respect to the discrete transitions, and n(y).g(y) < 0 for all y on boundary of S, where n(y) is the outer normal at y.

Then S is invariant.• Technique used, e.g., in Quanser case study.• Can be extended to multiple activities.

55

Control theory methods: Proving stability

• Multiple Lyapunov functions [Branicky]• Xc: Continuous state variables • Lyapunov function for activity α = (E,P,P+):

– Continuous function f: val(Xc) R defined in P with d(f τ) ≤ 0 for all τ in [α].

• Claim: Suppose each activity α of HIOA A has a Lyapunov function f such that in any execution, for any two successive trajectories τ1 and τ2 in [α], f(τ2.fstate) f(τ1.lstate). Then A is stable in the sense of Lyapunov.

56

Case Studies• Algorithms for mobile ad hoc systems

– Location determination, e.g. Grid [Li 2000]– Geographic message forwarding (Geocast)– Leader election, maintaining communication structures.

• Objectives:– Specialize HIOA framework to mobile systems– Develop methods for analyzing behavior/performance

guarantees under mobility.– Consider examples with interesting discrete behavior.

• More control-oriented problems– Quantized double-integrator system

• Objective:– Incorporate analysis methods from control theory

57

Tools• Theorem-provers

– Larch, PVS, and/or Isabelle/HOL– Extend IOA theorem-proving tools

• Automated tools• Simulator

58

Timed I/O Automata, Revisited

59

TIOA, revisited [Kaynar, Lynch, Segala, Vaandrager 03]

• Reformulate our timed automata as a special case of hybrid automata.

• Timing behavior described as in HIOA, using trajectories and hybrid sequences.

• Timed systems include computers and communication networks, but no cars, airplanes, helicopters,…

• Don’t need to consider continuous interaction.• However, it’s still useful to consider continuous state

evolution, e.g., to model clocks.

60

Example: Time bounded channel• X: now, queue : now = 0, queue is empty• I: send(m) • O: receive(m)• Discrete steps:

– send(m) • Effect: add (m, now + m, now + dd) ) to end of to end of queuequeue

– receive(receive(mm))• Precondition: (Precondition: (m,um,u) is first on ) is first on queuequeue • Effect: remove first element of Effect: remove first element of queue queue

• Trajectories:– queue unchanged– d(now) = 1– stops when now = u for some (m, u) on queue

61

Current Work: TIOAs• Complete the development of a general TIOA modeling

framework for timing-based systems, including:– External behavior, composition, levels of abstraction– Receptivity, liveness properties

• Express major ideas from other timed system models in the common framework of TIOA:– Congruence, region construction (for model-checking)

• [Alur, Dill] timed automata – Built-in upper and lower bounds for tasks

• [Maler, Manna, Pnueli] timed transition systems • [Merritt, Modugno, Tuttle] timed automata

– Timing constraints that “sometimes hold”.• [DePrisco] clock timed automata

• Linguistic support, tool support.

62

Probabilistic I/O Automata, Revisited

63

Probabilistic I/O Automata (PIOA) [Segala 95]

• Adds probabilistic transitions (s, a, P), where P is a probability distribution on states.

• Includes both nondeterministic and probabilistic choices.• Scheduler: Resolves all nondeterminism.• External behavior represented by a set of probability

distributions on traces, one distribution per scheduler.• Implementation: Subset (of sets of trace distributions).• Example applications:

– Randomized distributed algorithms: • Rabin-Lehmann Dining Philosophers• Aspnes-Herlihy randomized consensus

– Security protocols

64

Current work: Compositional semantics• Trace distribution preorder D on PIOAs:

– Subset (of sets of trace distributions).– Not preserved by composition.

• Trace distribution precongruence DC: – Defined as the coarsest precongruence included in D.– Preserved by composition.– But this is not very informative.

• Characterization for DC [Segala, Vaandrager, Lynch 03]– Probabilistic forward simulation relation from A1 to A2:

• Relates states of A1 to distributions over states of A2.• Transitions preserve probabilities.• Allows arbitrary internal actions.

– Theorem: A1 DC A2 if and only if there exists a probabilistic forward simulation relation from A1 to A2 .

65

Probabilistic Timed I/O Automata (PTIOA) [Segala 95]

• Include time-passage steps, with probability distributions on the new state: (s, pass(t), P)

• Scheduler determines amount of time that passes (nondeterministic, not probabilistic).

• External behavior represented by a set of probability distributions of timed traces (one per scheduler).

• Timed trace distribution preorder.• Timed trace distribution precongruence.

66

Future work: PTIOA, PHIOA• PIOA:

– Restrict the set of schedulers to those that can see only external behavior of the component automata. Yields a smaller set of trace distributions.

– Characterize the resulting trace distribution precongruence. • PTIOA:

– Reformulate in terms of trajectories, as for TIOA.– Characterize the timed trace distribution precongruence.– Generalize TIOA results to include probabilities.

• PHIOA– Define a model that generalizes PTIOA and HIOA– Define external behavior, composition, implementation,…prove all

the right theorems.

67

All the IOA Models

• How do they relate to each other?• How orthogonal are all the features?

TIOA

HIOA

IOA

PIOA

PTIOA

PHIOA

68

Conclusions

• Hybrid I/O Automata, definitions, results, and applications.

• Future work on the HIOA framework:– More applications, especially, examples with more

interesting discrete behavior. – Import control theory techniques, including invariant

sets, stability analysis methods, robust control methods.– Language support– Analysis tools

• Develop general modeling framework combining timed, hybrid and probabilistic behavior.