## Section: New Results

### Controller Synthesis for the Safe Design of Embedded Systems

Participants: Gwenaël Delaval [contact person], Gregor Goessler, Sebti Mouelhi.

#### Synthesis of Switching Controllers using Approximately Bisimilar Multiscale Abstractions

The use of discrete abstractions for continuous dynamics has become standard in hybrid systems design (see e.g. [92] and the references therein). The main advantage of this approach is that it makes it possible to leverage controller synthesis techniques developed in the area of supervisory control of discrete-event systems [88]. The first attempts to compute discrete abstractions for hybrid systems were based on traditional behavioral relationships between systems, such as simulation or bisimulation, initially proposed for discrete systems, most notably in the area of formal methods. These notions require inclusion or equivalence of observed behaviors, which is often too restrictive when dealing with systems observed over metric spaces. For such systems, a more natural abstraction requirement is to ask for closeness of observed behaviors. This leads to the notions of approximate simulation and bisimulation introduced in [63].

These notions enabled the computation of approximately equivalent discrete abstractions for several classes of dynamical systems, including nonlinear control systems with or without disturbances, and switched systems. These approaches are based on sampling of time and space, where the sampling parameters must satisfy some relation in order to obtain abstractions of a prescribed precision. In particular, the smaller the time sampling parameter, the finer the lattice used for approximating the state-space; this may result in abstractions with a very large number of states when the sampling period is small. However, there are a number of applications where sampling has to be fast, though this is generally necessary only on a small part of the state-space.

In [22] we have presented a novel class of multiscale discrete abstractions for incrementally stable switched systems that allows us to deal with fast switching while keeping the number of states in the abstraction at a reasonable level. We assume that the controller of the switched system has to decide the control input and the time period during which it will be applied before the controller executes again. In this context, it is natural to consider abstractions where transitions have various durations. For transitions of longer duration, it is sufficient to consider abstract states on a coarse lattice. For transitions of shorter duration, it becomes necessary to use finer lattices. These finer lattices are effectively used only on a restricted area of the state-space where the fast switching occurs.

These abstractions allow us to use multiscale iterative approaches for controller synthesis as follows. An initial controller is synthesized based on the dynamics of the abstraction at the coarsest scale where only transitions of longer duration are enabled. An analysis of this initial controller allows us to identify regions of the state-space where transitions of shorter duration may be useful (e.g. to improve the performance of the controller). Then, the controller is refined by enabling transitions of shorter duration in the identified regions. The last two steps can be repeated until we are satisfied with the obtained controller.

In [21] we propose a technique for the synthesis of *safety* controllers for switched systems using multi-scale abstractions. We present a synthesis algorithm that exploits the specificities of multi-scale abstractions. The finest scales of the abstraction are effectively explored only when fast switching is needed, that is, when the system approaches the unsafe set. We provide experimental results that show drastic improvements in the complexity of controller synthesis using multi-scale abstractions instead of uniform abstractions.

#### Modular Discrete Controller Synthesis

Discrete controller synthesis (DCS) [88] makes it possible to design programs in a mixed imperative/declarative way. From a program with some degrees of freedom left by the programmer (e.g., free controllable variables), and a temporal property to enforce that is not *a priori* satisfied by the initial program, DCS tools automatically compute off-line a *controller* which constrains the program (e.g., by giving values to the controllable variables) such that, whatever the values of the inputs from the environment, the *controlled program* satisfies the temporal property.

Our motivation w.r.t. DCS concerns its modular application, improving the scalability of the technique by using contract enforcement and abstraction of components. Moreover, our aim is to integrate DCS into a compilation chain, and thereby improve its usability by programmers who are not experts in discrete control. This work has been implemented in the Heptagon/BZR language and compiler [57]. It is done in collaboration with Hervé Marchand (Vertecs team from Rennes) and Éric Rutten (Sardes team from Grenoble).

The implemented tool generates the synthesized controller in the form of a Heptagon node, which can in turn be analyzed and compiled together with the Heptagon source from which it has been generated. This full integration allows the method to target different languages (currently C, Java or VHDL) and to be used in different contexts.

A formal semantics of BZR has been defined, taking into account its underlying nondeterminism related to the presence of controllable variables.

This language has been used in different contexts. In [15], BZR is used for the generation of discrete handlers of real-time continuous control tasks, in the framework of the ORCCAD (Open Robot Controller Computer-Aided Design) tool. BZR has also been used in a case study of a Fractal-designed HTTP server [19]. The purpose of the synthesized controller is to control the automatic reconfigurations of the system (e.g., start of new components, migration of some components from one computing element to another), in order to preserve some properties (either functional, e.g., exclusivity of activities of two components, or non-functional, e.g., bounded overall load of the system).
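Both the safety-controller synthesis on a finite abstraction (previous section) and the DCS described here reduce to the same fixpoint over a finite state space: keep the states from which some choice of the controllable variables keeps every environment input inside the safe set. The following Python is an added illustration, not code from Heptagon/BZR, ORCCAD or the papers cited; the two-component plant, its variable names and its step function are a constructed toy model, and the property enforced is the exclusivity of activities of two components mentioned above.

```python
"""Toy discrete controller synthesis (DCS) for a safety property (added example).

Plant (constructed): two components A and B, each idle or active.
Uncontrollable inputs from the environment: requests rA, rB and completions dA, dB.
Controllable variables left free by the programmer: grants gA, gB.
Property to enforce: A and B are never active at the same time (exclusivity).
"""
from itertools import product

BOOLS = (False, True)
STATES = list(product(BOOLS, repeat=2))    # (activeA, activeB)
INPUTS = list(product(BOOLS, repeat=4))    # (rA, rB, dA, dB): chosen by the environment
CONTROLS = list(product(BOOLS, repeat=2))  # (gA, gB): chosen by the controller

def step(state, inputs, ctrl):
    """One synchronous step of the uncontrolled program (hypothetical model)."""
    a, b = state
    ra, rb, da, db = inputs
    ga, gb = ctrl
    # A component starts when idle, requested and granted; it stops when done.
    a2 = (a and not da) or (not a and ra and ga)
    b2 = (b and not db) or (not b and rb and gb)
    return (a2, b2)

def safe(state):
    """Exclusivity: both components must never be active together."""
    return not (state[0] and state[1])

def synthesize(step, safe, states, inputs, controls):
    """Greatest fixpoint of the controllable-predecessor operator.

    A state survives an iteration if SOME control choice sends EVERY
    environment input back into the current candidate set. The result is
    the maximally permissive safety controller: for each winning state,
    the set of control assignments that keep the program inside the set.
    """
    win = {s for s in states if safe(s)}
    while True:
        keep = {s for s in win
                if any(all(step(s, u, c) in win for u in inputs) for c in controls)}
        if keep == win:
            break
        win = keep
    return {s: {c for c in controls if all(step(s, u, c) in win for u in inputs)}
            for s in win}

if __name__ == "__main__":
    controller = synthesize(step, safe, STATES, INPUTS, CONTROLS)
    for s, allowed in sorted(controller.items()):
        print(s, "->", sorted(allowed))
```

The unsafe state (both active) drops out of the controller's domain, and in every state where one component is active the grant to the other is forced to False, since the environment may request it before the running one completes.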