Sidestepping verification complexity with supervisory control
Ugo Buy
Department of Computer Science
Houshang Darabi
Department of Mechanical and Industrial Engineering
University of Illinois at Chicago
26 September 2003
U. Buy -- SEES 2003
Outline
• Background
• P-invariant-based mutex enforcement
• Net unfolding
• Assessment
Acknowledgements
• Panos Antsaklis, Michael Lemmon, Univ. of Notre Dame
• Starthis Corporation, Rosemont, Illinois
• NIST/ATP program
• Graduate students Bharat Sundararaman and Vikram Venepally
Background
• Supervisory control methods for discrete event systems (DES)
— Enforcing concurrency and real-time properties of embedded systems
— Model DES with Finite Automata (FA) or Petri nets
— Add controller that enforces desired properties to system model
• Supervisory control vs. verification
— Potential benefits of supervisory control
— Likely obstacles to widespread applicability
Definitions
• Discrete Event System (DES) is characterized by:
1. Discrete state set
2. Event-driven state transitions
• Supervisory controller of a DES:
— Given controlled system (a DES) and correctness property,
— supervisor restricts DES behaviors in such a way that combined system will satisfy the property
• Observable and controllable events
Why Supervisory Control?
• Some SC methods for DES are much more tractable than verification algorithms
• Promising methods:
1. P-invariant-based supervisors (mutex properties)
2. Unfolding of Petri nets (deadlock, RT deadlines)
• Caveat:
— System must be sufficiently observable, controllable to permit supervisor definition
Why Petri nets?
1. Support tractable supervisory control algorithms
• P-invariants and net unfoldings
• Automata-based supervisors usually intractable
2. Widely used in some embedded applications
• Sequential Function Charts (SFCs) widely used in manufacturing applications
— Part of IEC 61131 standard
— Supported by Matlab, RSLogix 5000
Petri nets
• Ordinary Petri net: bipartite, directed graph N = (P, T, F, m0) with node sets P and T, arc set F, and initial marking m0
• Supervisory control problem: Given controlled net N and property P, generate subnet S (supervisor) that restricts N behaviors to satisfy P
Enforcing Mutex Constraints
• Exploit property of Petri net P-invariants
— Place subset such that weighted sum of tokens in subset is constant in all reachable net markings
— Computed by finding integer solutions x to invariant equation involving incidence matrix D of Petri net: x·D = 0
Examples of P-invariants
[Figure: a Petri net with places p1–p7 and transitions t1–t5; its arcs are not recoverable from the slide text.]
P-invariants (unit coefficients): { p1, p4 }, { p2, p5, p7 }, { p1, p2, p4, p5, p7 }, …
P-invariant based supervisors
Method (Yamalidou et al. 96)
1. Specify mutex properties as linear inequalities on reachable markings of controlled net:
l1,1·m1 + l1,2·m2 + l1,3·m3 + … <= b1
l2,1·m1 + l2,2·m2 + l2,3·m3 + … <= b2
…
lk,1·m1 + lk,2·m2 + lk,3·m3 + … <= bk
2. Treat constraints matrix as invariant equation, find Petri net (controller) satisfying P-invariant
Supervisor synthesis
• Supervisor net defined by simple matrix multiplication: DC = –L·D
— L is matrix of mutex constraints
— D is incidence matrix of controlled net
• Supervisor net will have k places, zero transitions
— k is number of mutex constraints
• Supervisor will be maximally permissive
Example of supervisor generation
• The readers and writers example without mutex: [figure omitted]
• Mutex constraints:
p6 + p9 + p10 ≤ 1
p7 + p9 + p10 ≤ 1
p8 + p9 + p10 ≤ 1
Example (cont’d)
• The readers and writers example with supervisor: [figure omitted]
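The readers and writers net itself is not reproduced in the slide text, so the following Python program, added here and not part of the slides, works the method through on a smaller constructed net of the same kind: two processes A and B (places p1–p4, transitions t1–t4, all assumed for this example) that may both enter their critical sections. It checks candidate P-invariants against x·D = 0, synthesizes the supervisor with DC = –L·D for the single constraint m(p2) + m(p4) ≤ 1, and then confirms by exhaustive reachability that the closed-loop net never violates the constraint while still reaching every constraint-satisfying marking of the original net (maximal permissiveness). The controller's initial marking b – L·m0 is taken from Yamalidou et al. 96; the slides do not state it.

```python
# Added example (not from the slides): P-invariant check and P-invariant-based
# supervisor synthesis (Yamalidou et al. 96) on a constructed two-process
# mutual-exclusion net.  Places: p1 = A idle, p2 = A in its critical section,
# p3 = B idle, p4 = B in its critical section.  Transitions: t1/t3 = enter,
# t2/t4 = leave.  The net on its own does NOT enforce mutual exclusion.
from collections import deque

PLACES = ["p1", "p2", "p3", "p4"]
TRANS = ["t1", "t2", "t3", "t4"]
PRE = {"t1": {"p1": 1}, "t2": {"p2": 1}, "t3": {"p3": 1}, "t4": {"p4": 1}}
POST = {"t1": {"p2": 1}, "t2": {"p1": 1}, "t3": {"p4": 1}, "t4": {"p3": 1}}
M0 = [1, 0, 1, 0]


def incidence(places, trans, pre, post):
    """Incidence matrix D: D[i][j] = tokens transition j adds to place i (post minus pre)."""
    return [[post[t].get(p, 0) - pre[t].get(p, 0) for t in trans] for p in places]


def is_p_invariant(x, D):
    """x is a P-invariant iff x . D = 0 (the invariant equation on the slide)."""
    return all(sum(x[i] * D[i][j] for i in range(len(D))) == 0 for j in range(len(D[0])))


def reachable_markings(places, trans, pre, post, m0):
    """Breadth-first enumeration of the reachability set (terminates for bounded nets)."""
    idx = {p: i for i, p in enumerate(places)}
    seen, queue = {tuple(m0)}, deque([tuple(m0)])
    while queue:
        m = queue.popleft()
        for t in trans:
            if all(m[idx[p]] >= w for p, w in pre[t].items()):  # t is enabled at m
                nxt = list(m)
                for p, w in pre[t].items():
                    nxt[idx[p]] -= w
                for p, w in post[t].items():
                    nxt[idx[p]] += w
                if tuple(nxt) not in seen:
                    seen.add(tuple(nxt))
                    queue.append(tuple(nxt))
    return seen


def synthesize_supervisor(L, b, D, m0):
    """Controller incidence DC = -L . D: one controller place per constraint row of L.
    The controller's initial marking b - L . m0 comes from Yamalidou et al. 96 and is
    not written on the slide."""
    DC = [[-sum(L[k][i] * D[i][j] for i in range(len(D))) for j in range(len(D[0]))]
          for k in range(len(L))]
    mc0 = [b[k] - sum(L[k][i] * m0[i] for i in range(len(m0))) for k in range(len(L))]
    return DC, mc0


def closed_loop(places, trans, pre, post, m0, DC, mc0):
    """Wire the controller places into the controlled net: a negative entry of DC is an
    arc from the controller place to the transition, a positive entry an arc back."""
    cpre = {t: dict(pre[t]) for t in trans}
    cpost = {t: dict(post[t]) for t in trans}
    cplaces = list(places)
    for k, row in enumerate(DC):
        pc = f"pc{k + 1}"
        cplaces.append(pc)
        for j, t in enumerate(trans):
            if row[j] < 0:
                cpre[t][pc] = -row[j]
            elif row[j] > 0:
                cpost[t][pc] = row[j]
    return cplaces, cpre, cpost, list(m0) + list(mc0)


def violations(markings, L, b):
    """Markings whose projection on the controlled places breaks some row of L . m <= b."""
    n = len(L[0])
    return {m for m in markings
            if any(sum(L[k][i] * m[i] for i in range(n)) > b[k] for k in range(len(L)))}


D = incidence(PLACES, TRANS, PRE, POST)
L = [[0, 1, 0, 1]]  # one mutex constraint, m(p2) + m(p4) <= 1, in the slide's form L . m <= b
B = [1]
DC, MC0 = synthesize_supervisor(L, B, D, M0)
CL_PLACES, CL_PRE, CL_POST, CL_M0 = closed_loop(PLACES, TRANS, PRE, POST, M0, DC, MC0)
UNCONTROLLED = reachable_markings(PLACES, TRANS, PRE, POST, M0)
CONTROLLED = reachable_markings(CL_PLACES, TRANS, CL_PRE, CL_POST, CL_M0)

if __name__ == "__main__":
    print("[1,1,0,0] is a P-invariant:", is_p_invariant([1, 1, 0, 0], D))
    print("controller incidence DC =", DC, " initial marking =", MC0)
    print("violations without supervisor:", violations(UNCONTROLLED, L, B))
    print("violations with supervisor:   ", violations(CONTROLLED, L, B))
```

The synthesized row DC = [–1, 1, –1, 1] is the whole supervisor: one place with one token that both "enter" transitions consume and both "leave" transitions return, i.e. a semaphore derived mechanically from the inequality. The row [0, 1, 0, 1, 1] (the constraint extended by the controller place) is a P-invariant of the closed-loop net, which is exactly why the constraint can never be violated; the reachability check is only a sanity check, since the invariant argument already proves it.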
Advantages of Mutex Supervisors
• Complexity proportional to D (aka controlled system) and L (constraints)
— Overall complexity polynomial for broad class of mutex constraints
• Supervisors generated are small (no transitions)
• Maximally permissive supervisors
Limitations of Mutex Supervisors
• Cannot guarantee net liveness (e.g., freedom from deadlock)
• Open issues:
— Integration with other supervisors
— Priorities on mutex enforcement policy
— Empirical evaluation of constraint size
Unfolding Petri nets
• Transform net into acyclic net capturing repetitive behaviors of original net
• Unfolding appeal:
— Capture causal relationship on transition firing
— Identify choice points
— Identify fundamental execution paths
• History of net unfolding
— McMillan 92, Esparza et al. 02, He and Lemmon 02, Semenov and Yakovlev 96 (time Petri nets)
Net unfolding: Definitions
• Node x in net N precedes node y if there is path from x to y in N
— Write x<y
• Node x in conflict with y if N contains paths diverging immediately after a place p and leading to x and y
— Write x#y
• Node x in self-conflict if N contains paths diverging immediately after a place p and leading to x
— Write x#x
Unfolding untimed nets
Given net N, unfolding of N is a net U such that:
1. Nodes in U are mapped to nodes in N
2. Each place in U has at most one input transition
3. Net U is acyclic
4. No U node is in self conflict
5. Completeness property: Every reachable marking of N is in U
Example of unfolding
[Figure: the original net, with places p1–p9 and transitions t1–t8; its arcs are not recoverable from the slide text.]
[Figure: the unfolded net; repeated copies of places and transitions are distinguished by primes (e.g., t3’, t4’, t5’, t6’, p1’, p2’, p2’’, p3’, p5’, p7’, p8’, p9’, p9”, p9’”).]
Applications of unfolding
• Enforcing freedom from deadlock (He and Lemmon 02)
— Deadlocks detected directly in unfolding
— Eliminate deadlocks by dynamically disabling transition that causes deadlock
• Enforcing compliance with real-time deadlines (Buy and Darabi 03)
— Latency of transition t: upper bound on the delay between the firing of t and the time when a target transition can be fired
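The following Python program is an added example, not part of the slides or of the cited papers: it builds a McMillan-style finite complete prefix of a safe (1-bounded) net, implements the precedence (x<y), conflict (x#y) and concurrency relations from the definitions above, and then reads deadlocks of the original net directly off the prefix, which is the use of unfolding the "Applications" list names. The net is constructed for the example: process A takes resource r1 then r2 and releases both, process B takes r2 then r1, so the marking {p2, p5} (each process holding one resource and waiting for the other) is a hold-and-wait deadlock. Place and transition names, the condition/event records and the particular cut-off bookkeeping are assumptions of this example; the unfolding also serves as a checkable instance of properties 1–5 of the "Unfolding untimed nets" slide.

```python
# Added example (not from the slides): McMillan-style finite complete prefix of
# a safe (1-bounded) Petri net, the precedence / conflict relations from the
# definitions slide, and deadlock detection on the prefix.  Constructed net:
# process A takes r1 then r2 (t1, t2) and releases both (t3); process B takes
# r2 then r1 (t4, t5) and releases both (t6).  Opposite acquisition order makes
# the marking {p2, p5} a hold-and-wait deadlock.
from itertools import combinations, product

PRE = {"t1": ["p1", "r1"], "t2": ["p2", "r2"], "t3": ["p3"],
       "t4": ["p4", "r2"], "t5": ["p5", "r1"], "t6": ["p6"]}
POST = {"t1": ["p2"], "t2": ["p3"], "t3": ["p1", "r1", "r2"],
        "t4": ["p5"], "t5": ["p6"], "t6": ["p4", "r1", "r2"]}
M0 = ["p1", "p4", "r1", "r2"]

conds = []   # condition = {"id", "place", "pre": generating event id or None}
events = []  # event = {"id", "trans", "pre", "post", "config", "marking", "cutoff"}


def config(cid):
    """Local configuration of a condition: every event causally before it."""
    return frozenset() if conds[cid]["pre"] is None else events[conds[cid]["pre"]]["config"]


def precedes(a, b):
    """a < b: condition a is consumed by an event in the history of condition b."""
    return any(a in events[e]["pre"] for e in config(b))


def conflict(a, b):
    """a # b: two distinct events in the joint history compete for one condition,
    i.e. the paths to a and b diverge right after a place.  conflict(x, x) is False."""
    hist = config(a) | config(b)
    return any(set(events[x]["pre"]) & set(events[y]["pre"]) for x, y in combinations(hist, 2))


def concurrent(a, b):
    return a != b and not precedes(a, b) and not precedes(b, a) and not conflict(a, b)


def marking(cfg):
    """Marking reached by firing configuration cfg: initial plus produced conditions,
    minus consumed ones (a cut), read through the labelling onto places."""
    cut = {c["id"] for c in conds if c["pre"] is None or c["pre"] in cfg}
    cut -= {c for e in cfg for c in events[e]["pre"]}
    return frozenset(conds[c]["place"] for c in cut)


def unfold():
    """Grow the prefix until no transition has a new set of pairwise concurrent input
    conditions.  McMillan cut-off: an event whose local configuration reaches the
    initial marking, or a marking already reached by a smaller configuration, is kept
    but never extended.  One generating event per condition keeps U acyclic and
    free of self-conflict (properties 2-4 of the definition)."""
    for p in M0:
        conds.append({"id": len(conds), "place": p, "pre": None})
    grown = True
    while grown:
        grown = False
        for t in PRE:
            pools = [[c["id"] for c in conds if c["place"] == p and
                      (c["pre"] is None or not events[c["pre"]]["cutoff"])] for p in PRE[t]]
            for combo in product(*pools):
                if any(not concurrent(x, y) for x, y in combinations(combo, 2)):
                    continue
                if any(e["trans"] == t and set(e["pre"]) == set(combo) for e in events):
                    continue  # this firing is already in the prefix
                cfg = frozenset([len(events)]).union(*(config(c) for c in combo))
                ev = {"id": len(events), "trans": t, "pre": list(combo), "post": [],
                      "config": cfg, "marking": None, "cutoff": False}
                events.append(ev)
                for p in POST[t]:
                    conds.append({"id": len(conds), "place": p, "pre": ev["id"]})
                    ev["post"].append(conds[-1]["id"])
                ev["marking"] = marking(cfg)
                ev["cutoff"] = ev["marking"] == frozenset(M0) or any(
                    o["marking"] == ev["marking"] and len(o["config"]) < len(cfg)
                    for o in events if o is not ev)
                grown = True
    return events, conds


def explore():
    """Walk every cut of the prefix.  Returns the markings it represents (completeness,
    property 5) and the deadlocks: cuts that enable no event and hold no condition
    produced by a cut-off event (the prefix stops there on purpose, so such a cut
    says nothing about the original net)."""
    init = frozenset(c["id"] for c in conds if c["pre"] is None)
    seen, todo, marks, dead = {init}, [init], set(), set()
    while todo:
        cut = todo.pop()
        places = frozenset(conds[c]["place"] for c in cut)
        marks.add(places)
        enabled = [e for e in events if set(e["pre"]) <= cut]
        via_cutoff = any(conds[c]["pre"] is not None and events[conds[c]["pre"]]["cutoff"]
                         for c in cut)
        if not enabled and not via_cutoff:
            dead.add(places)
        for e in enabled:
            nxt = (cut - set(e["pre"])) | set(e["post"])
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return marks, dead


EVENTS, CONDS = unfold()
MARKINGS, DEADLOCKS = explore()

if __name__ == "__main__":
    print(len(EVENTS), "events,", len(CONDS), "conditions,",
          sum(e["cutoff"] for e in EVENTS), "cut-off events")
    print("markings represented by the prefix:", len(MARKINGS))
    print("deadlock markings of the original net:", [sorted(m) for m in DEADLOCKS])
```

On this net the prefix has 6 events (2 of them cut-offs) and 14 conditions, represents all 6 reachable markings of the original net, and reports the single deadlock {p2, p5}: the two events for t1 and t4 are concurrent, and the cut they jointly produce enables nothing because each has consumed the resource condition the other process's next event needs. The choice points of the slide show up as conflicts, for instance between the t2 and t4 events, which both compete for the initial r2 condition. A supervisor in the He and Lemmon sense would disable one of the two acquisitions once the other has fired; this example only does the detection half.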
A New Programming Paradigm?
1. Design/Code concurrent system without paying attention to correctness properties
2. Submit system description and property specification to supervisor generator
3. Generator adds supervisor to original system
4. Allegedly, a very long shot…
Future work
1. Integration of supervisors for different properties
2. Refine properties enforced
3. System, property specifications