Synthesizing Robust Systems - University of Pennsylvania · Synthesizing Robust Systems Paulo Tabuada Ayca Balkan, Sina Caliskan, Yasser Shoukry, Rupak Majumdar (MPI) Cyber-Physical

Lab

Synthesizing Robust Systems

Paulo Tabuada

Ayca Balkan, Sina Caliskan, Yasser Shoukry, Rupak Majumdar (MPI)

Cyber-Physical Systems LaboratoryDepartment of Electrical Engineering

University of California at Los Angeles

Paulo Tabuada (CyPhyLab - UCLA) Synthesizing Robust Systems ExCAPE Seminar 12/03/12 1 / 28

Lab

RobustnessThe need for robustness

Software systems are designed based on assumptions about their environment.

But the real environment is either unknown at design time or changing over time.

Hence, the assumptions will be violated and current design methodologies offerno assurance on how software behaves when such violations occur.

Ideally, we would like a modest deviation from the assumptionsto lead to a modest deviation from the nominal correctness guarantees.

Robustness!


Lab






Robustness!


Lab






Robustness!


Lab






Robustness!


Lab






Robustness!


Lab

RobustnessMotivation from control theory

Our starting point:

Robustness is a very familiar concept in control theory;

It is well understood that the models (assumptions) used for controller design areprecious but always wrong:

Weight of a car (1 passenger vs 5 passengers);Aerodynamic characteristics of a car (surfboard on the top of the car orbicycle mounted on a rack in the back);etc.

The most basic controller designs do not explicitly address robustness, but theyare robust against unmodeled disturbances.

Can the same be done for software?


Lab


Our starting point:







Lab


Our starting point:







Lab


Our starting point:







Lab

RobustnessWhat is known about software robustness?

In Computer Science:

Recent work by Bloem, Chatterjee, Chaudhuri, Gulwani, Henzinger, Jobstman,Majumdar, ...

Older work by Dijkstra (self-stabilizing algorithms).

In Control Theory:

There is a subfield of control theory called robust control;

The following classification will be useful:

State based methods (modern view) (first part of the talk);Input-output based methods (older view originated from the analysis ofamplifiers and other electrical circuits) (second part of the talk).


Lab

RobustnessWhat is known about software robustness?

In Computer Science:

Recent work by Bloem, Chatterjee, Chaudhuri, Gulwani, Henzinger, Jobstman,Majumdar, ...

Older work by Dijkstra (self-stabilizing algorithms).

In Control Theory:

There is a subfield of control theory called robust control;

The following classification will be useful:

State based methods (modern view) (first part of the talk);Input-output based methods (older view originated from the analysis ofamplifiers and other electrical circuits) (second part of the talk).


Lab

State based robustnessTowards a definition

We start with a plain automaton.

DefinitionA finite-state automaton is a triple A = (Q,Σ, δ) consisting of:

A finite set of states Q;

A finite set of (control) inputs Σ;

A transition function δ : Q × Σ→ Q.

How to reason about modest deviations from the nominal behavior?


Lab


We start with a plain automaton.

DefinitionA finite-state automaton is a triple A = (Q,Σ, δ) consisting of:



A transition function δ : Q × Σ→ Q.

How to reason about modest deviations from the nominal behavior?


Lab


We introduce metric automata.

DefinitionA finite-state metric automaton is a sextuple Aβ = (Q, d ,Σ,X , β, δ) consisting of:


A metric d : Q ×Q → R+0 ;


A finite set of (disturbance) inputs X including a special symbol ε denotingnominal (no disturbance) behavior;

A parameter β ∈ R+0 defining the “power” of the disturbance;

A transition function δ : Q × Σ×X → Q.

It seems that we are explicitly modeling the disturbances through the transitionfunction δ.


Lab


We introduce metric automata.

DefinitionA finite-state metric automaton is a sextuple Aβ = (Q, d ,Σ,X , β, δ) consisting of:


A metric d : Q ×Q → R+0 ;


A finite set of (disturbance) inputs X including a special symbol ε denotingnominal (no disturbance) behavior;

A parameter β ∈ R+0 defining the “power” of the disturbance;

A transition function δ : Q × Σ×X → Q.

It seems that we are explicitly modeling the disturbances through the transitionfunction δ.


Lab

State based robustnessDisturbance model

Nominal transition:

q δ(q, σ, ε)

δ(q, σ, x1)

δ(q, σ, x2)

(σ, ε)

(σ, x1)

(σ, x2)β

d(δ(q, σ, ε), δ(q, σ, x)) ≤ β ∀q ∈ Q, σ ∈ Σ, x ∈ X .

The parameter β does not need to be known: results will be parameterized by β.


Lab


All the disturbed transitions:

q δ(q, σ, ε)

δ(q, σ, x1)

δ(q, σ, x2)

(σ, ε)

(σ, x1)

(σ, x2)β




Lab


All the disturbed transitions:

q δ(q, σ, ε)

δ(q, σ, x1)

δ(q, σ, x2)

(σ, ε)

(σ, x1)

(σ, x2)β




Lab


We consider first reachability objectives encoded by a set F ⊆ Q.

A trace s of Aβ is winning for a reachability objective F if it enters F in finite time.

Let F = {q6} be a reachability objective.

q0q2

q1

q3

q4

q5 q6

β

b a

a, b

b

a

a, b

a, b

a, b


Lab




Let F = {q6} be a reachability objective.

q0q2

q1

q3

q4

q5 q6

β

b a

a, b

b

a

a, b

a, b

a, b


Lab




The shortest path strategy chooses the control input b at every state.

q0q2

q1

q3

q4

q5 q6

β

b a

a,b

b

a

a,b

a,b

a,b


Lab




The shortest path strategy chooses the control input b at every state.

q0q2

q1

q3

q4

q5 q6

β

b a

a,b

b

a

a,b

a,b

a,b

Guarantee from q0: some state in the green ellipsis will be reached in finite time.


Lab




Our strategy chooses the control input a at every state.

q0q2

q1

q3

q4

q5 q6

β

b a

a, b

b

a

a, b

a, b

a, b


Lab




Our strategy chooses the control input a at every state.

q0q2

q1

q3

q4

q5 q6

β

b a

a, b

b

a

a, b

a, b

a, b

Guarantee from q0: some state in the blue ellipsis is reached in finite time.


Lab


Some standard definitions:

A trace s ∈ Q∗ ∪Qω of the automaton Aβ is a (finite or infinite) sequence ofstates s = q0q1q2 . . . from Q for which there exist control inputs σ0, σ1, σ2, . . . anddisturbance inputs x0, x1, x2, . . . satisfying δ(qi , σi , xi ) = qi+1 for i ≥ 0;

A memoryless (control) strategy for an automaton Aβ is a function S : Q → Σspecifying a control input choice for each state q ∈ Q;

A memoryless (control) strategy is winning for an automaton Aβ if every trace ofAβ complying with S : Q → Σ satisfies the acceptance condition.


Lab







Lab







Lab

State based robustnessA definiton

DefinitionA winning strategy for the automaton A0 and reachability objective F ⊆ Q is γ-robust iffor any β ∈ R+

0 it is winning for the automaton Aβ with reachability objective Bγβ(F ):

Bγβ(F ) = {q ∈ Q | d(q,F ) ≤ γβ} .

Note that if there are no disturbances, β = 0 and Bγβ(F ) = F .

The parameter γ describes how much F is inflated to obtain Bγβ(F ).

The map transforming environment strategies to the language accepted by Aβ isuniformly continuous with modulus of continuity γ.


Lab




Bγβ(F ) = {q ∈ Q | d(q,F ) ≤ γβ} .





Lab




Bγβ(F ) = {q ∈ Q | d(q,F ) ≤ γβ} .





Lab




Bγβ(F ) = {q ∈ Q | d(q,F ) ≤ γβ} .





Lab

State based robustnessVerification and synthesis

Given an automaton A0, γ ∈ R+0 , and a strategy S one can ask:

Verification: Is S γ-robust?

Optimal verification: What is the smallest γ ∈ R+0 for which S is γ-robust?

Synthesis: Can we synthesize a γ-robust strategy?

Optimal synthesis: What is the smallest γ ∈ R+0 for which we can synthesize a

γ-robust strategy?

All the above problems can be reduced to dynamic programmingand are thus polynomially solvable.


Lab







γ-robust strategy?



Lab







γ-robust strategy?



Lab







γ-robust strategy?


All these results extend to Büchi and parity objectives1.

1A theory of ω-regular robust software synthesis

Rupak Majumdar, Elaine Render, and Paulo TabuadaTo appear in ACM Transactions on Embedded Computing Systems.


Lab

State based robustnessCritical assessment

Results for reachability objectives were obtained by a simple analogy withexisting results in control theory.

The fact that the results naturally extended to Büchi and parity objectives wasrewarding.

State based robustness requires a metric.

What if I have two different automata defining the same language?

How to reason about robustness before having an implementation with states?

How to handle refinement and abstraction?


Lab









Lab




Along the way we had to extend known ideas towards robustness: equivalencebetween the existence of winning strategies and rank functions or progressmeasures.






Lab




Along the way we had to extend known ideas towards robustness: equivalencebetween the existence of winning robust strategies and rank functions orprogress measures control Lyapunov functions.






Lab




Along the way we had to extend known ideas towards robustness: equivalencebetween the existence of winning robust strategies and rank functions orprogress measures control Lyapunov functions.






Lab

Input/output based robustnessTowards a definition

Rather than automata we now consider transducers f : Σ∗ → Λ∗;

Rather than a metric we now use cost functions I : Σ∗ → N0 and O : Λ∗ → N0 toplace costs on input and output strings, respectively;

A notion of robustness should have the following two properties:

Bounded disturbances should lead to bounded consequences;The effect of a sporadic disturbance should disappear in finitely manysteps;


Lab







Lab





Bounded disturbances should lead to bounded consequences;

The effect of a sporadic disturbance should disappear in finitely manysteps;


Lab







Lab





Bounded disturbances should lead to bounded consequences;The effect of a sporadic disturbance should disappear in finitely manysteps;Well known requirements in control theory that recently appeared as twoseparate notions of robustness: 2 and 3.

2Synthesizing Robust Systems

R. P. Bloem, K. Greimel, T. Henzinger, B. JobstmannProceedings of the 9th International Conference on Formal Methods in Computer-Aided Design, FMCAD 2009

3Robustness of Sequential Circuits

L. Doyen, T.A. Henzinger, A. Legay, and D. NickovicProceedings of the 10th International Conference on Application of Concurrency to System Design, ACSD 2010.


Lab

Input/output based robustnessA definition

Some notation: |σ| denotes the length of the string σ ∈ Σ∗ and � denotes the prefixpartial order.

Based on the control theoretic notion of Input-to-State Dynamic Stability we propose:

DefinitionGiven parameters γ, η ∈ N, we say the transducer f : Σ∗ → Λ∗ is (γ, η)-Input-OutputStable (IOS) if for each σ ∈ Σ∗ we have:

O (f (σ)) ≤ maxσ′�σ

˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.

The parameter γ is called the robustness gain. It measures how much thedisturbance is amplified.

The parameter η is called the rate of decay. It measures how quickly the effectsof a disturbance disappear.


Lab






˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.




Lab






˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.




Lab






˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.




Lab

Input/output based robustnessSome test cases

Some intuition for this inequality.


˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯

Consider the following sequence of input and output costs:

σ1 σ1σ2 σ1σ2σ3 σ1σ2σ3σ4

I 0 0 0 0O ◦ f 0 1 0 0


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯Consider the following sequence of input and output costs:


I 0 0 0 0O ◦ f 0 1 0 0


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 0 0 0O ◦ f 0 1 0 0

We have 3 prefixes of σ = σ1σ2:


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 0 0 0O ◦ f 0 1 0 0


for σ′ = σ1σ2 we have γI(σ′)− η(|σ| − |σ′|) = γ0− η(2− 2) = 0.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 0 0 0O ◦ f 0 1 0 0


for σ′ = σ1 we have γI(σ′)− η(|σ| − |σ′|) = γ0− η(2− 1) = −η.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 0 0 0O ◦ f 0 1 0 0


for σ′ = ε we have γI(σ′)− η(|σ| − |σ′|) = γ0− η(2− 0) = −2η.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 0 0 0O ◦ f 0 1 0 0



Hence, maxσ′�σ {γ I (σ′)− η (|σ| − |σ′|)} = max{0,−η,−2η} = 0.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 0 0 0O ◦ f 0 1 0 0



Hence, maxσ′�σ {γ I (σ′)− η (|σ| − |σ′|)} = max{0,−η,−2η} = 0.

IOS requires O(f (σ1σ2)) = 1 ≤ 0 which does not hold!


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯Consider the following sequence of input and output costs (persistent disturbance):


I 0 2 2 2O ◦ f 0 0 4 4



Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4


for σ′ = σ1σ2 we have γI(σ′)− η(|σ| − |σ′|) = γ2− η(2− 2) = 2γ.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4


for σ′ = σ1 we have γI(σ′)− η(|σ| − |σ′|) = γ0− η(2− 1) = −η.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4




Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4



Hence, maxσ′�σ {γ I (σ′)− η (|σ| − |σ′|)} = max{2γ,−η,−2η} = 2γ.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4




IOS requires O(f (σ1σ2)) = 0 ≤ 2γ.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4




IOS requires O(f (σ1σ2)) = 0 ≤ 2γ. At this point we can take γ = 0.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4

We have 4 prefixes of σ = σ1σ2σ3:


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4


for σ′ = σ1σ2σ3 we have γI(σ′)− η(|σ| − |σ′|) = γ2− η(3− 3) = 2γ.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4


for σ′ = σ1σ2 we have γI(σ′)− η(|σ| − |σ′|) = γ2− η(3− 2) = 2γ − η.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4


for σ′ = σ1 we have γI(σ′)− η(|σ| − |σ′|) = γ0− η(3− 1) = −2η.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4




Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4



Hence, maxσ′�σ {γ I (σ′)− η (|σ| − |σ′|)} = max{2γ, 2γ − η,−η,−2η} = 2γ.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4




IOS requires O(f (σ1σ2σ3)) = 4 ≤ 2γ.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 0 2 2 2O ◦ f 0 0 4 4




IOS requires O(f (σ1σ2σ3)) = 4 ≤ 2γ. A similar analysis for the remaining stringsleads to IOS with γ = 2.


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯Consider the following sequence of input and output costs (sporadic disturbance):


I 2 0 0 0O ◦ f 0 4 3 2

A similar analysis leads to the following constraints:

O(f (σ1)) = 0 ≤ 2γ

O(f (σ1σ2)) = 4 ≤ 2γ − ηO(f (σ1σ2σ3)) = 3 ≤ 2γ − 2η

O(f (σ1σ2σ3σ4)) = 2 ≤ 2γ − 3η


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 2 0 0 0O ◦ f 0 4 3 2


O(f (σ1)) = 0 ≤ 2γ

O(f (σ1σ2)) = 4 ≤ 2γ − ηO(f (σ1σ2σ3)) = 3 ≤ 2γ − 2η

O(f (σ1σ2σ3σ4)) = 2 ≤ 2γ − 3η


Lab




˘γ I

`σ′

´− η

`|σ| −

˛̨σ′



I 2 0 0 0O ◦ f 0 4 3 2


O(f (σ1)) = 0 ≤ 2γ = 6

O(f (σ1σ2)) = 4 ≤ 2γ − η = 6− 1 = 5

O(f (σ1σ2σ3)) = 3 ≤ 2γ − 2η = 6− 2 = 4

O(f (σ1σ2σ3σ4)) = 2 ≤ 2γ − 3η = 6− 3 = 3

IOS holds for γ = 3 and η = 1.


Lab



DefinitionGiven parameters γ, η ∈ N, we say the transducer f : Σ∗ → Λ∗ is (γ, η)-input-outputstable if for each σ ∈ Σ∗ we have


˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.



The notion of (γ, η)-input-output stability captures the two desired properties:



Lab

RobustnessVerification

When is a transducer IOS?

Problem ((γ, η)-IOS Verification)Given a transducer f : Σ∗ → Λ∗, input and output cost functions I : Σ∗ → N0 andO : Λ∗ → N0, respectively, and parameters γ, η ∈ N, is the transducer f (γ, η)-IOS withrespect to (I,O)?

Problem (IOS Verification)Given a transducer f : Σ∗ → Λ∗ and input and output cost functions I : Σ∗ → N0 andO : Λ∗ → N0, respectively, does there exist γ, η ∈ N such that f is (γ, η)-IOS withrespect to (I,O)? If so, find all such γ and η.


Lab

RobustnessVerification

When is a transducer IOS?

Problem ((γ, η)-IOS Verification)Given a transducer f : Σ∗ → Λ∗, input and output cost functions I : Σ∗ → N0 andO : Λ∗ → N0, respectively, and parameters γ, η ∈ N, is the transducer f (γ, η)-IOS withrespect to (I,O)?

Problem (IOS Verification)Given a transducer f : Σ∗ → Λ∗ and input and output cost functions I : Σ∗ → N0 andO : Λ∗ → N0, respectively, does there exist γ, η ∈ N such that f is (γ, η)-IOS withrespect to (I,O)? If so, find all such γ and η.


Lab

RobustnessSolving the verification problem

Assume that f , I, and O are defined by finite-state (weighted) automata and composethem in the single automaton A:

f

I

O

A

We now consider the lattice MQ of functions from the set of states Q of A toM = {1, 2, . . . , γw} where w is the largest weight in the automaton defining I.

On MQ we can define the operator F : MQ → MQ given by:

F (W )(q) = maxγH I(q),W (q), min

q′∈Pre(q)W (q′)− η

ff.


Lab



f

I

O

A





ff.


Lab



f

I

O

A





ff.


Lab


Theorem ((γ, η)-IOS Verification)Let f : Σ∗ → Λ∗, I : Σ∗ → N0, and O : Λ∗ → N0 be defined by (weighted) finite stateautomata. Given η, γ ∈ N, the transducer f is (γ, η)-IOS with respect to (I,O) iff theinfimal fixed point of F , denoted by W ∗, satisfies the following inequality for everyq ∈ Q:

HO(q) ≤ W ∗(q).

Note that W ∗ is computed in O(|Q| · |γw |) steps.

For the IOS verification problem, there exists a different operator whose fixedpoint characterizes the existence of (γ, η) for which f is (γ, η)-IOS.

Furthermore, we can compute all the values of γ (but only some of the values ofη) for which f is (γ, η) -IOS.


Lab



HO(q) ≤ W ∗(q).





Lab



HO(q) ≤ W ∗(q).





Lab

RobustnessSynthesis

How about synthesis?

The set of inputs Σ is split as Σ = Σc × Σd with Σc being control inputs and Σd

being disturbance inputs.

A controller is a map C : Σ∗ × Σc → Σc transforming the history of past inputsσ ∈ Σ∗ and a given control input request σc ∈ Σc into the control input C(σ, σc).

where the set of states of AM is M = {1, 2, . . . , γw} with w being the maximum weightof the automaton defining I.


Lab

RobustnessSynthesis







Lab

RobustnessSynthesis







Lab

RobustnessSynthesis





Recall the automaton A:

f

I

O

A



Lab

RobustnessSynthesis





From A we can construct a monitor AM for the (γ, η)-IOS property:

f

I

OAM

A



Lab

RobustnessSolving the synthesis problem

Theorem

Let f : Σ∗ → Λ∗, I : Σ∗ → N0, and O : Λ∗ → N0 be defined by (weighted) finite stateautomata. Given η, γ ∈ N, the transducer f is (γ, η)-IOS with respect to (I,O) iff everyreachable state (q,m) of A× AM satisfies HO(q) ≤ m.

This result provides a different strategy for the verification problem: verify thatthe set S = {(q,m) ∈ Q ×M|HO(q) ≤ m} is invariant;

It also provides a solution to the synthesis problem: synthesize a controller torender the set S invariant;

Since safety games can be solved in linear time, the complexity of synthesizing acontroller enforcing (γ, η)-IOS is linear in the size of A× AM , i.e., it takesO(|Q| · |γw | · |Σc |) time.


Lab


Theorem






Lab


Theorem






Lab


Theorem






Lab

Robustness

Several issues remain open:

the characterization of all the (γ, η) pairs for which a transducer is (γ, η)-IOS;

How to solve the IOS synthesis problem: existence and characterization of allthe (γ, η) pairs for which there exists a controller rendering a given transducer(γ, η)-IOS;

How to make these ideas practical so that they become more useful. Inparticular, how to define metrics and costs in concrete problems?

The ultimate objective is to understand robustness for cyber-physical systems.


Lab

Robustness







Lab

Robustness







Lab

Robustness







Lab

Robustness

Relevant recent references:

Robust Discrete Synthesis Against Unspecified DisturbancesRupak Majumdar, Elaine Render, and Paulo Tabuada14th International Conference on Hybrid Systems: Computation and Control2011.

A theory of ω-regular robust software synthesisRupak Majumdar, Elaine Render, and Paulo TabuadaTo appear in the ACM Transactions on Embedded Computing Systems.

Input-Output Robustness for Discrete SystemsPaulo Tabuada, Ayca Balkan, Sina Caliskan, Yasser Shoukry, and RupakMajumdarInternational Conference on Embedded Software 2012.

For preprints and other information:[email protected]://www.cyphylab.ee.ucla.edu


Documents

Synthesizing Robust Systems - University of Pennsylvania · Synthesizing Robust Systems Paulo Tabuada Ayca Balkan, Sina Caliskan, Yasser Shoukry, Rupak Majumdar (MPI) Cyber-Physical