A FOUNDATION FOR THE DESIGN AND ANALYSIS OF ROBOTIC SYSTEMS AND BEHAVIORS

by

ZHANG YING
B.Sc., Zhejiang University, China, 1984
M.Sc., Zhejiang University, China, 1987
M.Sc., The University of British Columbia, 1989

A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY in THE FACULTY OF GRADUATE STUDIES (Department of Computer Science)

We accept this thesis as conforming

THE UNIVERSITY OF BRITISH COLUMBIA
September 1994
©Zhang Ying, 1994

In presenting this thesis in partial fulfilment of the requirements for an advanced degree at the University of British Columbia, I agree that the Library shall make it freely available for reference and study. I further agree that permission for extensive copying of this thesis for scholarly purposes may be granted by the head of my department or by his or her representatives. It is understood that copying or publication of this thesis for financial gain shall not be allowed without my written permission.

Department of Computer Science, The University of British Columbia, Vancouver, Canada

Abstract

Robots are generally composed of electromechanical parts with multiple sensors and actuators. The overall behavior of a robot emerges from coordination among its various parts and interaction with its environment. Developing intelligent, reliable, robust and safe robots, or real-time embedded systems, has become a focus of interest in recent years. In this thesis, we establish a foundation for modeling, specifying and verifying discrete/continuous hybrid systems and take an integrated approach to the design and analysis of robotic systems and behaviors.

A robotic system in general is a hybrid dynamic system, consisting of continuous, discrete and event-driven components. We develop a semantic model for dynamic systems, that we call Constraint Nets (CN). CN introduces an abstraction and a unitary framework to model discrete/continuous hybrid systems. CN provides aggregation operators to model a complex system hierarchically. CN supports multiple levels of abstraction, based on abstract algebra and topology, to model and analyze a system at different levels of detail. CN, because of its rigorous foundation, can be used to define programming semantics of real-time languages for control systems.

While modeling focuses on the underlying structure of a system (the organization and coordination of its components), requirements specification imposes global constraints on a system's behavior, and behavior verification ensures the correctness of the behavior with respect to its requirements specification. We develop a timed linear temporal logic and timed V-automata to specify timed as well as sequential behaviors. We develop a formal verification method for timed V-automata specification, by combining a generalized model checking technique for automata with a generalized stability analysis method for dynamic systems.

A good design methodology can simplify the verification of a robotic system. We develop a systematic approach to control synthesis from requirements specification, by exploring a relation between constraint satisfaction and dynamic systems using constraint methods. With this approach, control synthesis and behavior verification are coupled through requirements specification.

To model, synthesize, simulate, and understand various robotic systems we have studied in this research, we develop a visual programming and simulation environment that we call ALERT: A Laboratory for Embedded Real-Time systems.
Contents

Abstract
Contents
List of Figures
List of Tables
Acknowledgement

1 Motivation and Introduction
  1.1 The Problems
  1.2 The Proposed Solutions
  1.3 Semantic Model and Behavior Analysis
  1.4 Requirements Specification and Behavior Verification
  1.5 Control Synthesis and Robotic Architecture
  1.6 How This Thesis Fits In
    1.6.1 Integrated hybrid systems
    1.6.2 Intelligent real-time systems
  1.7 Thesis Outline
  1.8 A Guide to the Reader

I Semantic Model and Behavior Analysis

2 Introduction
  2.1 Topological Structure of Dynamics
  2.2 The Constraint Net Model
  2.3 Modeling in Constraint Nets
  2.4 Behavior Analysis
  2.5 Summary and Related Work

3 Topological Structure of Dynamics
  3.1 General Topology, Partial Order and Metric Space
    3.1.1 General topology
    3.1.2 Partial order
    3.1.3 Metric space
  3.2 Time Structures
  3.3 Domain Structures
  3.4 Traces and Events
  3.5 Transductions
    3.5.1 General concepts
    3.5.2 Primitive transductions
    3.5.3 Event-driven transductions
  3.6 Dynamics Structures

4 The Constraint Net Model
  4.1 Syntax of Constraint Nets
    4.1.1 Syntax and graphical representation
    4.1.2 Modules and composition
  4.2 Semantics of Constraint Nets
    4.2.1 Fixpoint theory of partial orders
    4.2.2 Semantics of constraint nets
    4.2.3 Semantics of modules
    4.2.4 Parameterized nets
    4.2.5 Temporal integration
  4.3 Summary

5 Modeling in Constraint Nets
  5.1 Event Generators and Synchronizers
    5.1.1 Event generators
    5.1.2 Event synchronizers
  5.2 Modeling Hybrid Systems
  5.3 Power of Constraint Nets
    5.3.1 Sequential computation
    5.3.2 Analog computation

6 Behavior Analysis
  6.1 Abstraction, Quotient and Homomorphism
  6.2 Behavior Analysis: General Concepts
  6.3 Time and Domain Abstraction
  6.4 Behavior Abstraction and Equivalence
  6.5 Summary

7 Summary and Related Work
  7.1 Summary
    7.1.1 Power
    7.1.2 Limitations
  7.2 Related Work
    7.2.1 Automata or state transition models
    7.2.2 Processes or multi-agent architectures
    7.2.3 Nets or dataflow structures
    7.2.4 Constraint-based and biology-based models
    7.2.5 Relationships with the Constraint Net Model

II Requirements Specification and Behavior Verification

8 Introduction
  8.1 Timed Linear Temporal Logic
  8.2 Timed V-automata
  8.3 Behavior Verification
  8.4 Summary and Related Work

9 Timed Linear Temporal Logic
  9.1 Propositional Linear Temporal Logic (PLTL)
    9.1.1 PLTL: syntax and semantics
    9.1.2 PLTL: extensions
  9.2 Propositional TLTL
  9.3 First Order TLTL
  9.4 Open State Specification

10 Timed V-Automata
  10.1 Discrete V-Automata
  10.2 Discrete Timed V-Automata
  10.3 Timed V-Automata

11 Behavior Verification
  11.1 Behavior Verification: General Issues
  11.2 Verification for Behaviors of Discrete Time Systems
    11.2.1 Semi-automatic verification
    11.2.2 Automatic verification
  11.3 Verification for Behaviors of Hybrid Dynamic Systems

12 Summary and Related Work
  12.1 Summary
    12.1.1 Specification
    12.1.2 Verification
    12.1.3 Power and limitations
  12.2 Related Work
    12.2.1 Automata-based approaches
    12.2.2 Point time temporal logics
    12.2.3 Interval time temporal logics
    12.2.4 Relationships with TLTL and timed V-automata

III Control Synthesis and Robotic Architecture

13 Introduction
  13.1 Constraint-Based Dynamic Systems
  13.2 Control Synthesis
  13.3 Robotic Architecture
  13.4 Summary and Related Work

14 Constraint-Based Dynamic Systems
  14.1 Asymptotic Stability
  14.2 Constraint Solvers
  14.3 Constraint Methods
    14.3.1 Discrete methods
    14.3.2 Continuous methods
  14.4 Summary
  14.5 Constraint-Based Dynamic Systems

15 Control Synthesis
  15.1 Control Synthesis: General Issues
  15.2 Constraint-Based Control
  15.3 Examples
    15.3.1 Linear control
    15.3.2 Nonlinear control
  15.4 Summary

16 Robotic Architecture
  16.1 Abstraction Hierarchy
  16.2 Arbitration Hierarchy

17 Summary and Related Work
  17.1 Summary
    17.1.1 Power
    17.1.2 Limitations
  17.2 Related Work
    17.2.1 Constraint-based control
    17.2.2 Robotic architecture

IV Conclusions and Further Research

18 Conclusions and Further Research
  18.1 Conclusions
  18.2 Further Research
    18.2.1 Theory
    18.2.2 Practice

Bibliography

V Appendixes

A Proofs of Theorems
  A.1 Topological Structure of Dynamics
  A.2 The Constraint Net Model
  A.3 Modeling in Constraint Nets
  A.4 Behavior Analysis
  A.5 Behavior Verification
  A.6 Constraint-Based Dynamic Systems
  A.7 Control Synthesis

B ALERT
  B.1 Visual Programming with Constraint Nets
  B.2 Simulation and Animation
  B.3 The Maze Traveler

C Examples of Design and Analysis
  C.1 Modeling and Control of an Hydraulically Actuated Arm
  C.2 Modeling and Verification of an Elevator System
    C.2.1 Discrete modeling and verification
    C.2.2 Continuous modeling and verification

D Model Estimation for the Car

Index

List of Figures

1.1 A robotic system
1.2 The configuration of a car
1.3 The problems and our solutions
1.4 The constraint net of Equation 1.1
1.5 Timed V-automata specification
3.1 An event trace: each dot depicts a time point
3.2 Event logic for "or"
4.1 The constraint net representing a state automaton
4.2 The constraint net representing ṡ = f(s)
4.3 Cascade, parallel and feedback connections
4.4 An input/output automaton (s* denotes either s or s')
5.1 Basic modules for event logics
5.2 Event logic for "and"
5.3 A producer-consumer event synchronizer
5.4 An event filter
5.5 An event select
5.6 (a) The car-like robot (b) Traveling through a maze
5.7 The maze traveler robotic system
5.8 (a) Event generator (b) Control circuit
5.9 A sequential module
5.10 A functional composition G o F
5.11 An event counter
5.12 A sequential module for a recursive function
5.13 A sequential module for the minimization operation
5.14 A sequential module for internal choice A + B
5.15 A sequential module for external choice C AID → B
5.16 The FIRST module
5.17 The TIMEOUT module
6.1 Equivalent traces and their abstraction
6.2 The heading of a maze traveler and its abstraction
10.1 V-automata: (a) goal achievement (b) safety (c) bounded response
10.2 The specification of (a) the producer-consumer problem (b) the maze traveler
10.3 Real-time response
10.4 A generalized V-automaton
11.1 The algorithm for invariant generation
11.2 The algorithm for boundedness and global timing
11.3 The algorithm for local timing
14.1 A framework for constraint satisfaction
14.2 Constraint solvers and constraint satisfaction
14.3 Specification for (a) Constraint solver (b) Constraint-based dynamic system
15.1 Embedded constraint solvers
15.2 Path planning
16.1 Abstraction hierarchy
16.2 Arbitration hierarchy (CS's and A's denote solvers and arbiters respectively)
18.1 Summary
B.1 ALERT
B.2 Logic modules
B.3 Event modules
B.4 Circuit with latency
B.5 Latency with δk = 0.25
B.6 Latency with δk = 2
B.7 Circuit with sampling
B.8 Sampling with δk = 0.25
B.9 Sampling with δk = 2
B.10 The overall structure of the maze traveler system
B.11 Animation of the maze traveler
B.12 The car model
B.13 The control module
B.14 The event module
C.1 A two-link arm
C.2 The interface of a simple 3-floor elevator
C.3 The complete elevator system
C.4 Specifications of real-time response
C.5 State transition graphs
C.6 A more realistic specification
List of Tables

5.1 Basic types of model for dynamic systems

Acknowledgement

This thesis could not have been a success without the contributions of the members of my supervisory committee: Alan, Peter, Nick, Jeff and Dinesh.

It has been most fruitful and enjoyable for me to have had Alan Mackworth as my thesis supervisor and research collaborator. Alan's perspective and interest inspired me to enter this new world. His open-mindedness and trust provided me with the extreme freedom to explore and to learn, and his continued financial support has made the completion of this thesis possible.

I have learned much from Peter Lawrence during my long graduate studies at UBC, not only about robotics and control theory, but also about how engineers solve problems. Most concepts of this thesis are the result of my regular discussions with Peter over the years.

Nick Pippenger has been acting as an oracle in my research. There is really nothing that Nick has no knowledge of in mathematics. My confidence in my formalisms is rooted in Nick's approval. Nevertheless, I am fully responsible for every mistake I may have made in the thesis.

It was Jeff Joyce who first introduced me to programming semantics, software/hardware co-design, and to formal specification and verification. Jeff always has a crucial insight. His enthusiasm for what should be done and his belief in what can be done have greatly influenced my research.

Dinesh Pai's work on constraint-based robotics has directly stimulated many ideas in this thesis, some of which are the further development of my course project in his exciting computational robotics class. Dinesh is always a good model for me. His wide knowledge across areas in computer science, electrical and mechanical engineering makes him a good example of a good researcher in both theory and practice.
The Laboratory for Computational Intelligence (LCI) has been a supportive environment. Michael Sahota has always been there to lend me help of any kind at any time I needed. Bill Millar has always been willing to discuss with me everything about my thesis. They are the very first readers and the very effective reviewers of my thesis draft. Andrew Csinger was kind enough to provide me with the final proof-reading of my thesis. An aspiring author with a philological bent, Andrew precisely pointed out subtle problems in my use of English. I am nonetheless responsible for any remaining errors, grammatical or otherwise. Valerie Mcrae, our lab secretary, has always been the first person I turned to whenever I had a problem.

I thank Danny Bobrow for providing me with a summer internship and a stimulating environment at XEROX PARC and for referring me to XEROX WRC. It has been a most exciting experience to work with people in both SERA and the responsive environment project.

I thank the University of British Columbia for the Graduate Student Fellowships and NSERC for the Post Doctoral Fellowship they granted me.

I thank my family back in China, my parents, aunts and uncles, for their wishes, belief, understanding and expectation. Last but not least, I thank Runping Qi, my husband, for his love and support. There is no word that is strong enough to express how much I have received from Runping; life for me would be totally different without him.

My long journey as a graduate student comes to an end. I am looking forward to new challenges in the real world.

The heaven attained Oneness and became clear.
The earth attained Oneness and became settled.
The spirit attained Oneness and became numinous.
Valleys attained Oneness and became reproductive.
All things attained Oneness and became alive.
— Tao Teh Ching, Lao Tzu

Time attains Oneness and becomes linear.
Domains attain Oneness and become universal.
Components attain Oneness and become functional.
Systems attain Oneness and become alive.
Design and analysis attain Oneness and become productive.
— Zhang Ying

Chapter 1 Motivation and Introduction

In applications such as nuclear and chemical plants, forest industries, space and undersea exploration, there is a demand for intelligent, reliable, robust and safe robots. Building control systems for autonomous robots working in complex environments is an important challenge for research in computer science, electrical and mechanical engineering.

Robots are generally composed of electromechanical parts with multiple sensors and actuators. Robots should be reactive as well as purposive systems, closely coupled with their environments; they must deal with inconsistent, incomplete and delayed information from various sources. Robots are usually complex, hierarchically organized and physically distributed; each component functions according to its own dynamics. The overall behavior of a robot emerges from coordination among its various parts and interaction with its environment. We call the coupling of a robot and its environment a robotic system, and the dynamic relationship of a robot and its environment the robotic behavior.

A robot controller (or control system) is a subsystem of a robot, designed to regulate its behavior to meet certain requirements. In general, a robot controller is an integrated software/hardware system implemented on various digital/analog devices. Designing control systems for robots that meet certain requirements has become an active topic studied in many areas, such as reactive systems, intelligent systems, real-time embedded systems and integrated hybrid systems. The issues raised in this interdisciplinary research range from programming languages and software/hardware engineering to control theory and dynamic systems.
In this thesis, we establish a unified foundation for modeling, specifying and verifying discrete/continuous hybrid systems and take an integrated approach to the design and analysis of robotic systems and behaviors.

1.1 The Problems

A robotic system is a dynamic system. The study of dynamic systems is the study of dynamics and the study of systems. The study of dynamics is concerned with how things change over time. The study of systems is concerned with how a system's overall behavior is generated through interaction among its components.

From the systemic point of view, a robotic system is a coupling of a robot to its environment, while the robot is a coupling of a controller to its plant (Figure 1.1). The roles of these three subsystems can be characterized as follows:

Figure 1.1: A robotic system

• Plant: a plant is a set of entities that must be controlled to achieve certain requirements. For example, a robot arm with multiple joints, a car with throttle and steering, an airplane or a nuclear power plant can each be considered as the plant of some robotic system.

• Controller: a controller is a set of sensors and actuators, which, together with software/hardware computational systems, senses the observable states of the plant (X) and the environment (Y), and computes desired control inputs (U) to actuate the plant. For example, an analog circuit, a program in a digital computer, various sensors and actuators might be parts of the controller of some robotic system.

• Environment: an environment is a set of entities beyond the (direct) control of the controller, with which the plant may interact. For example, obstacles to be avoided, objects to be reached, and rough terrain to be traversed might form part of the environment of some robotic system.

From the dynamics point of view, the relationship of a robot and its environment changes over time.
In order to develop a robotic system, analyze its behavior and understand its underlying physics, we need a mathematical model for characterizing the behaviors of its components and deriving the behavior of the overall system.

Let us introduce an example that will be used throughout this thesis. In our Laboratory for Computational Intelligence, a testbed has been installed for radio-controlled cars playing soccer [SM94]. Each "soccer player" has a car-like mobile base. It can move forward and backward with a throttle setting, and can make turns by steering its two front wheels. However, it cannot move sideways and its turns are limited by mechanical stops in the steering gear. Figure 1.2 illustrates the configuration of a car. Let $v$ be the velocity of the car and $\alpha$ be the current steering angle of the front wheels; $v$ and $\alpha$, for now, can be considered as control inputs to the car. The dynamics of the car can be simply modeled by the following differential equations [Lat91]:

$$\dot{x} = v\cos(\theta), \quad \dot{y} = v\sin(\theta), \quad \dot{\theta} = v/R \qquad (1.1)$$

where $(x, y)$ is the position of the tail of the car, $\theta$ is the heading direction and $R = L/\tan(\alpha)$ is the turning radius given the length of the car $L$. The controller of such a car is equipped with both digital and analog devices [SM94].

Figure 1.2: The configuration of a car

Although differential equations have been used to model continuous dynamic systems, they are not sufficient to model discrete and event-driven systems. Although the continuous and discrete components of a system can be modeled and analyzed separately, it is essential to use a unitary model for discrete/continuous hybrid systems, in order to derive the behavior of the overall system.

Control systems are designed to meet certain requirements. Typical requirements include safety, reachability and persistence. Safety declares that a system should never be in a certain situation.
Reachability declares that a system should reach a certain goal eventually. Persistence declares that a system should approach a certain goal infinitely often. A formal language for requirements specification is essential for characterizing desired properties of a system, and a formal method for behavior verification is essential for ensuring the correctness of the behavior of the system with respect to some requirements specification.

Yet another challenging task in the design of a robotic system is control synthesis, i.e., given the dynamics of the plant and the environment, produce a controller so that the behavior of the overall system meets certain requirements.

As a whole, we propose four problems involved in the design and analysis of robotic systems and behaviors:

• How to model a robotic system?
• How to specify desired properties?
• How to synthesize a control system according to its requirements specification?
• How to guarantee the robot will do the right thing?

Figure 1.3 presents an overall picture of the problems and our corresponding solutions that we will develop in this thesis.

1.2 The Proposed Solutions

We claim in this thesis that a unified foundation for discrete/continuous hybrid dynamic systems can be established and an integrated approach to the design and analysis of robotic systems and behaviors should be taken.

First, we develop a semantic model for dynamic systems, that we call Constraint Nets (CN). CN introduces an abstraction and a unitary framework to model discrete/continuous hybrid systems. CN provides aggregation operators to model a complex system hierarchically; therefore, the dynamics of the environment as well as the dynamics of the robot can be modeled individually and then integrated. CN supports multiple levels of abstraction, based on abstract algebra and topology, to model and analyze a system at different levels of detail.
CN, because of its rigorous foundation, can be used to define programming semantics of real-time languages for control systems.

Figure 1.3: The problems and our solutions (the figure is not reproduced here; its labels are the four questions "What Is The Possible Realization Of The Robot?", "What Is The Right Thing For The Robot To Do?", "How To Make The Robot Do The Right Thing?" and "Will The Robot Do The Right Thing?", and the solutions "The Constraint Net Model", "TLTL & Timed V-Automata", "Constraint Methods" and "Control Synthesis")

Second, we develop a timed linear temporal logic (TLTL) and timed V-automata as specification languages. TLTL is a linear temporal logic developed on abstract time and domain structures. Timed V-automata are essentially finite automata that accept timed traces; yet they are powerful enough to specify properties of sequential and timed behaviors of hybrid systems, such as safety, reachability, persistence and real-time response. We develop a formal verification method for timed V-automata specification, by combining a generalized model checking technique for automata with a generalized stability analysis method for dynamic systems. This verification method can be semi-automated for discrete time systems and further automated for finite domain systems.

Third, we develop a systematic approach to control synthesis from requirements specification, by exploring a relation between constraint satisfaction and dynamic systems using constraint methods. With this approach, control synthesis and behavior verification are coupled through requirements specification. In particular, requirements specification imposes global constraints over a system's behavior and controllers can be synthesized as embedded constraint solvers that solve constraints over time. For complex control systems, we advocate a two-dimensional hierarchical structure. A system with such hierarchical structure will simplify design and analysis significantly.
1.3 Semantic Model and Behavior Analysis

In the past decades, models for continuous, discrete and event-driven dynamic systems have been developed and matured. Models for continuous and discrete dynamic systems include differential and difference equations, respectively [Lue79, San90]. Models for event-driven dynamic systems include Mealy-Moore Machines [Mea55, Moo56], Petri Nets [Pet81], Calculus for Communicating Systems (CCS) [MM79] and Communicating Sequential Processes (CSP) [Hoa85]. However, a robotic system in general is a continuous/discrete hybrid dynamic system. First, the plant and the environment of a robotic system are normally modeled in continuous dynamics. Second, most advanced robots today are controlled by distributed and asynchronous processes in digital computer networks, as well as by analog circuits. In order to develop a system whose behavior can be analyzed and understood, a model for hybrid dynamic systems is essential.

In the last two years, hybrid systems have become a focus of interest of a wide community for two reasons. One is that analog computation once again is gaining attention because of the neural net model and analog VLSI technology. Another is that the use of computers to control and monitor continuous dynamic systems shows increasing importance.

Our approach to developing a model for hybrid systems is motivated by the following arguments. First, hybrid systems consist of interacting discrete and continuous components. Instead of fixing a model with particular time and domain structures, a model for hybrid systems should be developed on both abstract time structures and abstract data types. Second, hybrid systems are complex systems with multiple components. A model for hybrid systems should support hierarchy and modularity. Third, hybrid systems are generalizations of basic discrete or continuous systems.
A model for hybrid systems should be at least as powerful as existing computational models. In short, a model for hybrid systems should be unitary, modular, and powerful.

In this thesis, we start with a general definition of time. Time is a linearly ordered set. In addition, a metric distance is associated with any two time points and a measure is associated with some intervals of time points. Such a time structure abstracts the notion of event-based as well as discrete and continuous time. We then examine domain structures in abstract algebra and topology so that discrete and continuous domains can be studied in a unitary framework. Given a time structure and a domain structure, we define two basic types of element in dynamic systems: traces that are functions from time to domains, and transductions that are mappings from traces to traces with the causal restriction, viz., the output value at any time is determined only by its input values up to that time. For example, a finite state automaton with an initial state defines a transduction from input traces to state traces, and temporal integration is a typical transduction in continuous dynamics.

We then develop the Constraint Net model on an abstract dynamics structure composed of a multi-sorted set of trace spaces and a set of basic transductions: transliterations (memory-less combinational processes), transport delays and unit delays (sequential processes), and event-driven transductions. Event-driven transductions play an important role in this model, acting as ties between continuous and discrete time components, or as synchronizers among asynchronous components.

Syntactically, a constraint net is a graph with two types of node: locations and transductions, and with a set of connections between locations and transductions. Locations are depicted by circles, transductions by boxes and connections by arcs.
A location is an input iff it is not connected to the output of any transduction. A constraint net is open if there is an input location; it is otherwise closed. Semantically, a constraint net represents a set of equations, with locations as variables and transductions as functions. The semantics of the constraint net, with each location denoting a trace, is the least solution of the set of equations.

A complex system is generally composed of multiple components. We define a module as a constraint net with a set of locations as its interface. A constraint net can be composed hierarchically using modular and aggregation operators on modules. The semantics of a system can be obtained hierarchically from the semantics of its subsystems and their connections. For example, Equation 1.1 is denoted by an open constraint net, as shown in Figure 1.4, in which sin, cos, tan and * are transliterations, and ∫ is a temporal integrator. A module can be defined with locations $v, \alpha, x, y, \theta$ as its interface.

Figure 1.4: The constraint net of Equation 1.1

In general, we can model a control system as a module that can be further decomposed into a hierarchy of interactive modules. The higher levels are composed of event-driven transductions and the lower levels are analog control components. Furthermore, the environment of the robot can be modeled as a module as well. A robotic system (Figure 1.1) can be modeled as an integration of a plant, a controller and an environment. Formally, the semantics (or behavior) of the system is the solution of the following equations:

X = PLANT(U, Y), U = CONTROLLER(X, Y), Y = ENVIRONMENT(X).

As we can see here, a robot, composed of a plant and a controller, is an open system, and a robotic system, composed of a robot and its environment, is a closed system.

We finally study the issue of behavior analysis for robotic systems.
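To make the coupling X = PLANT(U, Y), U = CONTROLLER(X, Y), Y = ENVIRONMENT(X) concrete, the following is an added example (not code from the thesis or from its ALERT environment): a minimal discrete-time simulator in the spirit of the Constraint Net model, where locations carry sampled traces, transliterations are memory-less functions applied at each time point, and temporal integrators are forward-Euler sums over a uniform sampling interval. It instantiates the car of Equation 1.1 as the plant, a constant-steering controller that cuts the throttle near an obstacle, and an environment that reports the distance to that obstacle, and then checks two behaviors of the closed system: with constant $v$ and $\alpha$ the car traces a circle of radius $R = L/\tan(\alpha)$, and with the obstacle on its path the car never comes closer than the stopping distance. The class and function names, the obstacle model and the braking rule are this example's own assumptions.

```python
import math

# Added example, not code from the thesis or its ALERT environment.
# Locations hold sampled traces; transductions are transliterations
# (memory-less, evaluated at each time point) or temporal integrators
# (forward Euler over a uniform sampling interval dt).  All names below
# are this example's assumptions.


class Net:
    """A closed constraint net stepped on a uniform discrete time structure."""

    def __init__(self, dt):
        self.dt = dt
        self.values = {}   # current value at each location
        self.rules = []    # (kind, output location, input locations, function)

    def location(self, name, init=0.0):
        self.values[name] = init

    def transliteration(self, out, inputs, fn):
        """out(t) = fn(inputs(t)); add these in dependency order."""
        self.rules.append(("lit", out, inputs, fn))

    def integrator(self, out, rate):
        """out(t + dt) = out(t) + dt * rate(t): a sampled temporal integral."""
        self.rules.append(("int", out, [rate], None))

    def step(self):
        """Evaluate every transliteration at the current time point, snapshot
        all locations, then advance the integrators to the next time point."""
        v = self.values
        for kind, out, ins, fn in self.rules:
            if kind == "lit":
                v[out] = fn(*[v[i] for i in ins])
        snapshot = dict(v)
        for kind, out, ins, _ in self.rules:
            if kind == "int":
                v[out] += self.dt * v[ins[0]]
        return snapshot


def robotic_system(L, v_cmd, alpha_cmd, obstacle, stop_dist, dt):
    """Plant (Equation 1.1), controller and environment as one closed net:
    X = PLANT(U, Y), U = CONTROLLER(X, Y), Y = ENVIRONMENT(X)."""
    net = Net(dt)
    for name in ("x", "y", "theta", "dist", "v", "alpha", "xdot", "ydot", "thetadot"):
        net.location(name)
    ox, oy = obstacle
    # ENVIRONMENT (assumed): a static obstacle; Y is the car's distance to it.
    net.transliteration("dist", ["x", "y"], lambda x, y: math.hypot(x - ox, y - oy))
    # CONTROLLER (assumed): constant steering, throttle cut when too close.
    net.transliteration("v", ["dist"], lambda d: v_cmd if d > stop_dist else 0.0)
    net.transliteration("alpha", [], lambda: alpha_cmd)
    # PLANT: Equation 1.1, with R = L / tan(alpha) so that theta' = v / R.
    net.transliteration("xdot", ["v", "theta"], lambda v, th: v * math.cos(th))
    net.transliteration("ydot", ["v", "theta"], lambda v, th: v * math.sin(th))
    net.transliteration("thetadot", ["v", "alpha"], lambda v, a: v * math.tan(a) / L)
    net.integrator("x", "xdot")
    net.integrator("y", "ydot")
    net.integrator("theta", "thetadot")
    return net


def run(net, steps):
    """Traces of (x, y, theta, v, dist) at t = 0, dt, ..., (steps - 1) * dt."""
    keys = ("x", "y", "theta", "v", "dist")
    return [tuple(s[k] for k in keys) for s in (net.step() for _ in range(steps))]


def circle_check(L=1.0, alpha=math.pi / 4, v_cmd=1.0, dt=1e-3):
    """With constant v and alpha the car should trace a circle of radius
    R = L / tan(alpha) and be back at the start after time 2*pi*R / v.
    Returns (estimated R, distance from the start at the end, theta - 2*pi)."""
    R = L / math.tan(alpha)
    steps = int(round(2 * math.pi * R / v_cmd / dt)) + 1
    far_away = (1e6, 1e6)   # an obstacle so distant the controller never brakes
    trace = run(robotic_system(L, v_cmd, alpha, far_away, 0.5, dt), steps)
    radius_est = max(math.hypot(x, y) for x, y, *_ in trace) / 2  # farthest point = diameter
    x, y, theta, _, _ = trace[-1]
    return radius_est, math.hypot(x, y), theta - 2 * math.pi


def clearance_check(stop_dist=0.5, dt=1e-3):
    """Obstacle at the top of the circular path (0, 2R) with R = 1; returns
    (minimum distance to the obstacle, final v, final distance)."""
    trace = run(robotic_system(1.0, 1.0, math.pi / 4, (0.0, 2.0), stop_dist, dt), 7000)
    return min(d for *_, d in trace), trace[-1][3], trace[-1][4]


if __name__ == "__main__":
    print("circle (R, end distance, theta - 2pi):", circle_check())
    print("clearance (min dist, final v, final dist):", clearance_check())
```

The evaluation order inside `step` is the point worth noticing: transliterations are resolved in dependency order at one time point before any integrator advances, which is how a memory-less combinational part is separated from the sequential (state-carrying) part. Because the throttle is cut in the same sample in which the distance drops below the threshold, the recorded minimum clearance stays within one sample's travel ($v \cdot dt$) of the stopping distance; a controller that sampled the distance through a delay would overshoot by the delay, which is exactly the kind of timing property the later chapters of the thesis set out to verify.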
We define the concepts of abstraction and refinement for time and domains based on homomorphism and quotient algebra, and derive equivalence relations on dynamic systems.

A semantic model for hybrid dynamic systems defines a formal semantics for real-time programming that may involve hardware/software co-design and digital/analog hybrid computation. A formal semantics, in turn, supports the formal analysis of real-time embedded systems.

1.4 Requirements Specification and Behavior Verification

A semantic model for a robotic system can be considered an executable specification that defines the underlying structure of the system, i.e., the organization and coordination of the components. Even though a system can be modeled at different levels of abstraction, each component is local in terms of constraints on time and its input/output domains. A requirements specification, in contrast, imposes global constraints on a system's behavior.

Let us consider the car-like robot we introduced previously. We will design control systems for such a robot to perform the following tasks:

1. Maze Traveler: traveling in a maze and trying to get out of the maze. The environment of this system is a maze that is composed of various static obstacles. A requirements specification for this robot is to get out of the maze.

2. Ball Shooter: tracking a moving ball and carrying the ball to a target. The environment of this system is a moving ball, a target and a field with boundaries. A requirements specification for this robot is to eventually kick or carry the ball to the target.

A requirements specification declares what a system should achieve, while an executable specification shows how a system is implemented (at a certain level of abstraction). A formal language for requirements specification is essential for both formal verification and systematic synthesis.
Since robotic behaviors are inherently temporal, it is natural to adopt temporal logic as a language for requirements specification. We first develop a timed linear temporal logic (TLTL) as a specification language, in which "linear" stands for linear orders and "timed" indicates metric distances between time points. Let modal operators $\Diamond$ and $\Box$ denote "eventually" and "always," respectively. One possible control for the maze traveler is to make the robot move in a particular direction persistently in order to escape a maze of finite size. This property can be specified in TLTL as $\Diamond\Box ME$, where $ME$ is a predicate for moving east, or $|\theta| < \delta$ and $v > \epsilon$ for small $\delta > 0$ and $\epsilon > 0$; $\Diamond\Box P$ is normally referred to as liveness or persistence. Kicking or carrying a ball to a target eventually can be specified as $\Diamond BT$, where $BT$ is a predicate for the ball arriving at the target, or $distance(Ball, Target) < \epsilon$; $\Diamond P$ is normally referred to as reachability or goal achievement. In addition, operators can be augmented with metric time so that real-time properties can be specified. For instance, $\Box(E \rightarrow \Diamond_\tau R)$ declares that any event ($E$) will be responded to ($R$) within time $\tau$.

Even though TLTL can provide a formal specification, there is no general procedure for verifying the behavior of a system. An alternative to temporal logic for representing sequential behaviors is automata. If we take the behavior of a system as a language, then a specification can be represented as an automaton, and the verification checks the inclusion relation between the behavior of the system and the language accepted by the automaton. We then develop timed V-automata, a generalization of (discrete) V-automata [MP87], for requirements specification. V-automata have been proposed for the specification and verification of concurrent systems; they are essentially finite automata that accept $\omega$-languages, i.e., sets of sequences of infinite length.
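As an added illustration that is not code from the thesis, the following Python sketch computes the least solution of a small discrete-time constraint net (the closed loop of plant, controller and environment from Section 1.3, with the algebraic-loop case beside it) and then checks $\Diamond P$, $\Diamond\Box P$ and $\Box(E \rightarrow \Diamond_\tau R)$ on the resulting traces. The unit-delay transductions, the flat domain with an explicit "undefined" value, and the one-dimensional ball-chase numbers are assumptions of this example.

```python
# Added example, not code from the thesis: a tiny discrete-time Constraint Net
# interpreter plus TLTL-style checks on its traces.  Assumptions: time is the
# integers 0..T-1, transductions are transliterations (pointwise functions) or
# unit delays, and the domain is flat (BOT = "undefined").  The closed-loop
# "ball chase" net and its numbers are constructed for this illustration.

BOT = None  # least element of the flat partial order: the trace is undefined here


class Net:
    """Locations map to traces (lists over time); each output location has one
    equation.  solve() returns the least solution by Kleene iteration."""

    def __init__(self, horizon):
        self.T = horizon
        self.eqs = {}     # output location -> (kind, fn, input locations, init)
        self.inputs = {}  # input location -> given trace

    def transliteration(self, out, fn, *ins):
        self.eqs[out] = ("lit", fn, ins, None)

    def delay(self, out, init, src):
        self.eqs[out] = ("delay", None, (src,), init)

    def input(self, loc, trace):
        self.inputs[loc] = list(trace)

    def solve(self):
        # Start from the least trace (all BOT) for every output location and
        # apply all equations until nothing changes: the flat domain is a cpo,
        # the equations are monotone, and the horizon is finite, so this stops.
        tr = {loc: [BOT] * self.T for loc in self.eqs}
        tr.update({loc: list(v) for loc, v in self.inputs.items()})
        while True:
            new = {}
            for out, (kind, fn, ins, init) in self.eqs.items():
                if kind == "delay":       # out(0) = init, out(t+1) = src(t)
                    new[out] = [init] + tr[ins[0]][:-1]
                else:                     # strict in BOT: undefined in -> undefined out
                    new[out] = [fn(*a) if all(v is not BOT for v in a) else BOT
                                for a in zip(*(tr[i] for i in ins))]
            if all(new[o] == tr[o] for o in new):
                return tr
            tr.update(new)


# --- TLTL-style checks over a finite trace (an approximation of the infinite
# traces in the thesis: "always" can only be checked up to the horizon) -------

def eventually(p, trace):                # <> p   (reachability)
    return any(p(v) for v in trace)

def eventually_always(p, trace):         # <> [] p   (persistence / liveness)
    return any(all(p(v) for v in trace[t:]) for t in range(len(trace)))

def responds_within(e, r, tau, trace):   # [] (E -> <>_tau R)   (bounded response)
    return all(any(r(trace[s]) for s in range(t, min(t + tau, len(trace) - 1) + 1))
               for t, v in enumerate(trace) if e(v))


# --- nets -------------------------------------------------------------------

def algebraic_loop(horizon=5):
    """x = x + 1 with no delay: an algebraic loop, whose least solution is
    BOT everywhere (the net is not well-defined)."""
    net = Net(horizon)
    net.transliteration("x", lambda x: x + 1, "x")
    return net.solve()["x"]

def counter(horizon=5):
    """x(0) = 0, x(t+1) = x(t) + 1: the same loop broken by a unit delay."""
    net = Net(horizon)
    net.transliteration("x1", lambda x: x + 1, "x")
    net.delay("x", 0, "x1")
    return net.solve()["x"]

def ball_chase(horizon=20):
    """Closed system X = PLANT(U), U = CONTROLLER(X, Y), Y = ENVIRONMENT():
    a one-dimensional stand-in for the ball shooter (constructed values; the
    environment here does not depend on X)."""
    net = Net(horizon)
    # environment: the ball drifts east one unit per step until the boundary at 10
    net.transliteration("y1", lambda y: y + 1 if y < 10 else y, "y")
    net.delay("y", 0, "y1")
    # plant: position integrates the commanded velocity; the robot starts at -6
    net.transliteration("x1", lambda x, u: x + u, "x", "u")
    net.delay("x", -6, "x1")
    # controller: head for the ball at no more than 2 units per step
    net.transliteration("u", lambda x, y: max(-2, min(2, y - x)), "x", "y")
    net.transliteration("dist", lambda x, y: abs(x - y), "x", "y")
    return net.solve()


if __name__ == "__main__":
    tr = ball_chase()
    print("dist:", tr["dist"])
    print("<> BT    :", eventually(lambda d: d < 1, tr["dist"]))
    print("<> [] BT :", eventually_always(lambda d: d < 1, tr["dist"]))
    print("[](far -> <>_5 near):",
          responds_within(lambda d: d > 1, lambda d: d <= 1, 5, tr["dist"]))
```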
We extend V-automata to timed V-automata to accept timed discrete/continuous traces. There are two reasons to adopt automata-type languages. First, automata provide graphical representations, which are more illuminating, and, in some cases, simpler than their textual counterparts. The corresponding timed V-automata specifications of $\Diamond\Box ME$, $\Diamond BT$ and $\Box(E \rightarrow \Diamond_\tau R)$ are shown in Figure 1.5 (a), (b) and (c), respectively, where nodes are automaton states and arcs are state transitions; $\bigcirc$ denotes a recurrent state, indicating a condition the system should satisfy periodically, and $\Box$ denotes a stable state, indicating a "final condition" the system should satisfy.

(Figure 1.5: Timed V-automata specification; panels (a), (b) and (c))

Second, automata facilitate a formal verification method (a set of sound and complete verification rules) based on a model checking technique and a stability analysis method. Given a constraint net model of a discrete time system, the set of verification rules can be used to deduce a set of state formulas that can be checked using an automatic or interactive theorem prover. If, in addition, the discrete time system has a finite number of states, the set of verification rules can be used to deduce an automatic verification algorithm that has polynomial time complexity in both the size of the specification and the size of the system.

1.5 Control Synthesis and Robotic Architecture

The problem of behavior verification in general is hard. However, a well-organized and structured system will simplify the problem of verification. Therefore, robotic architecture plays an important role in both design and analysis.

We first develop a general framework for the synthesis of control systems from requirements specification in timed V-automata. In this framework, constraint satisfaction is viewed as a dynamic process approaching the solution set of the given constraints asymptotically.
A constraint solver is a constraint net whose semantics corresponds to a dynamic process of this type. Constraint solvers can be systematically synthesized based on various constraint methods. In particular, continuous time constraint solvers are based on gradient methods and discrete time constraint solvers are based on relaxation algorithms in numerical computation. Control synthesis and behavior verification are coupled through requirements specification. While requirements specification imposes constraints over the behavior of a system, the controller is designed as a set of embedded constraint solvers that, together with the dynamics of the plant and the environment, solve the constraints over time.

A control system is a complex system. In this thesis, we advocate a modular and hierarchical robotic architecture. We study two types of hierarchy: composition hierarchy, which is the modular or compositional structure of a system, and interaction hierarchy, which is the communication or interaction structure of a system. Furthermore, we propose a two-dimensional structure for the interaction hierarchy: abstraction hierarchy, which reflects the granularity of time and domain structures, and arbitration hierarchy, which reflects constraint priorities. As a whole, a control system is designed as a set of embedded constraint solvers distributed over the two-dimensional interaction hierarchy. Constraint solvers at lower levels of the abstraction hierarchy are normally either continuous or discrete at fast and fixed sampling rates, while constraint solvers at higher levels are either event-driven or subject to noticeable computational delays. Constraint solvers at the same level of the abstraction hierarchy are coordinated through various arbitrations, which form an arbitration hierarchy.

1.6 How This Thesis Fits In

This thesis provides a foundation for the design of robotic systems and the analysis of robotic behaviors.
Robotic systems are integrated hybrid systems and robots are intelligent real-time systems. In this section, we illustrate how this thesis relates to these subjects.

1.6.1 Integrated hybrid systems

Integrated hybrid systems are systems consisting of a non-trivial mixture of discrete and continuous components, such as a controller realized by a combination of digital and analog circuits, a robot composed of a digital controller and a physical plant, or a robotic system consisting of a computer-controlled robot coupled to a continuous environment. Integrated hybrid systems are more general than traditional real-time systems; the former can be composed of continuous subsystems in addition to discrete or event-controlled components. With the development of computation, control and communication technologies, integrated hybrid systems will come into everyday life, in such things as computer-controlled TVs, autonomous cars and smart buildings.

Integrated hybrid systems engineering is a combination of computer engineering and control engineering. The life cycle for computer engineering includes specification, implementation and verification. The life cycle for control engineering includes modeling, design and analysis. In practice, integrated hybrid systems require novel design principles and development environments for modeling, design and analysis, as well as specification, implementation and verification. From a theoretical point of view, integrated hybrid models, languages, algorithms and programs propose brand new approaches to computation and control.

Research and development in integrated hybrid systems have become very active in the last two years. Typical commercial products for integrated modeling and simulation environments are Simulink [Incc] and SystemBuild [Incb].
Both Simulink and SystemBuild provide graphical modeling environments, simulation and animation tools for discrete/continuous hybrid systems, as well as linear systems analysis libraries. Both systems support modularity and hierarchy with dataflow-, net- or circuit-like representations. Both systems have their advantages: Simulink is more flexible and simpler, while SystemBuild has more built-in functions. In addition, SystemBuild supports automatic code generation [Inca], which can greatly reduce the cost and time for developing real-time embedded control systems.

Some research on languages of hybrid systems for modeling and simulation has also been proposed: a typical example is SHSML: Standard Hybrid Systems Modeling Language [Tay92]. SHSML is based mostly upon the conceptual definition of a hybrid system that underlies hybrid DSTOOL [GN92] and on the modeling and simulation environment provided by SIMNON [Elm77]. A system modeled by SHSML consists of continuous (continuous time and domain, e.g., differential equations), discrete (discrete time and continuous domain, e.g., difference equations) and logic (discrete time and domain) components. SHSML can be considered as an architecture definition language for software/hardware co-design.

Some theoretical work on hybrid models and topologies has been carried out recently. There are two types of model: models for synchronous systems and models of hybrid automata. SIGNAL [BL90] and LUSTRE [CPHP87] are based on the synchronous models derived from the Dynamic Network Processes model [Kah74], with the augmentation of clocks. Synchronous models can be considered as general models for discrete time and hybrid domain dynamic systems. Phase transition systems [MMP91], event-driven hybrid systems [NK93a] and hybrid automata [ACHH93] are automata-based models in which states are differential equations, trajectories, or continuous activities.
The theory of topological structures for hybrid domains has been brought up [NK93a], so that continuity, stability and controllability of systems with hybrid domains can be further studied.

Our work contributes to the research and development of integrated hybrid systems in the following ways.

First, Constraint Nets serve as a formal semantic model for hybrid dynamic systems; the mathematical rigor underlies the foundation for both modeling and simulation. Just as with formal semantics for programming languages, formal semantics for modeling, control and simulation will not only bring unambiguity and precision to existing real-time programming languages and simulation environments like Simulink and SystemBuild, but will also provide insight into the design of new programming languages for hybrid systems.

Second, unlike other efforts to combine discrete and continuous models, we begin by defining concepts of dynamic systems on an abstraction that captures both discrete and continuous time and domains. The Constraint Net model is a model of models, preserving the general structure of dynamic systems. Constraint Nets can be used not only for system design with modeling, control and simulation, but also for behavior analysis with refinement and abstraction.

1.6.2 Intelligent real-time systems

Intelligent real-time systems are reactive as well as purposive systems, closely coupled with unstructured/unpredictable environments, such as robots that should promptly make correct decisions in various situations, and accurately perform complex tasks in changing environments. Intelligent real-time systems have attracted researchers from both the Artificial Intelligence (AI) and real-time control communities [Sch91]. In the past, AI and control have focused on solving different problems with different interests and applications [DW91].
AI systems focus on high-level activity like planning, reasoning, and inferencing with facts and rules in a knowledge base, while control systems involve sensing and acting in real time. Currently, there are two major trends in the cross-fertilization of AI and control: one is to combine AI techniques (planning, knowledge and belief representation, symbolic processing, temporal and qualitative reasoning, inference rules, heuristic search, etc.) with control theory (linear and nonlinear control, adaptive and fuzzy control, etc.), and the other is to experiment with reactive or situated systems. From the AI point of view, the former is revisionary and the latter is revolutionary. The key differences are the understanding of what intelligence is and the methodology of how to realize intelligence in embedded real-time systems.

In cognitive science, intelligence is considered as the ability to plan, reason or apply knowledge to manipulate one's environment. For robots, intelligence reflects ways of acquiring, forming, storing and maintaining knowledge as well as planning and reasoning about actions to achieve desired goals. Much work has been done in AI on knowledge representation, planning and reasoning. However, it has been shown that domain-independent representation, planning and reasoning are difficult to fit into a real-time framework. Many planning and reasoning problems are computationally intractable [Cha87]. For both planning and reasoning, the more powerful and general the knowledge and action representations are, the less feasible it is that these computations can be realized. For example, universal planning [Sch87], generating plans as mappings from situations to actions (reaction plans), and planning under uncertainty [Qi94], producing plans with maximum expected utilities or minimum expected cost, are in general harder than planning action sequences.
For any real application, some compromise between the complexity of plan representation and the complexity of planning must be achieved. Two typical strategies have been studied: one is to adopt reactive planning, and the other is to apply any-time algorithms. Reactive planning [GL87, RK89] produces a partial planning strategy given current states, so that the plan representation is simple, but planning and execution are tightly coupled to realize reactive and situated behaviors. Any-time algorithms [BD89, Bod91] are algorithms producing results approaching the solution over time, so that a compromise can be made between the accuracy of the results and the time for computation.

In behavior science, real-time interaction with one's environment is considered as the intrinsic characteristic of intelligence. Furthermore, such intelligence comes not from deliberate decision, but from distributed constraint satisfaction and cooperation among various components in the system. This view of intelligence is shared by many researchers in AI and psychology (Brooks [Bro91], Maes [Mae89], Agre and Chapman [AC87], Hewitt [Hew91], Minsky [Min86], Beer [Bee90], Braitenberg [Bra84]). Brooks and his colleagues did very interesting work on building artificial creatures [BCN88, Bro88, Con90]. Brooks [Bro86, BC86] proposed a robust, layered control system for mobile robots, called the subsumption architecture. Unlike the traditional decomposition of a mobile robot control system into functional modules, Brooks decomposed a mobile robot control system into task-achieving behaviors. Maes [Mae89] suggested that rational action selection could be modeled as an emergent property of an activation/inhibition dynamics among modules. Similarly, Hewitt [Hew91], Minsky [Min86] and researchers in Distributed AI [Huh87] argued that intelligence comes from the interaction between multiple components and their environment.
Agre and Chapman [AC88] claimed that pure planning and reasoning are not suitable for dealing with inconsistent, uncertain and immediate situations; rather, reaction and moment-to-moment improvisation play a central role in most activity. From the point of view of an experimental psychologist, Braitenberg [Bra84] studied various incrementally complex life-like systems. Beer [Bee90] performed a series of simulations of an artificial insect with adaptive behavior.

Our work contributes to the research and development of intelligent real-time systems in the following ways.

First, by avoiding the controversial issues surrounding intelligence, we focus on formal methods for specifying properties of behaviors and on systematic approaches to synthesizing control systems. Because there can be no rigorous definition of intelligent or stupid behaviors, we use the concept of desired properties of behaviors. Furthermore, behavior equivalence and system robustness are formalized and studied.

Second, instead of advocating one particular type of implementation (knowledge-based or reaction-based) for intelligent real-time systems, we focus on general structures of complex systems and principles for the organization of hybrid dynamic systems. Because Constraint Nets provide a unitary model for components with diversity in both time and domain structures (continuous, discrete or event-based time, and real, integer, logical, or symbolic variables), the behavior of an overall system can be derived and analyzed.

1.7 Thesis Outline

This thesis consists of three major parts. Part I presents a mathematical structure of dynamics, the syntax and semantics of the Constraint Net model, and the method of behavior analysis based on algebra and topology. Part II develops two languages, TLTL and timed V-automata, for requirements specification, and examines formal verification methods for timed V-automata specification.
Part III discusses a relation between behavior verification and control synthesis through requirements specification using constraint satisfaction, and proposes a robotic architecture with hierarchy and modularity. Each part starts with an introduction, and ends with a summary of our approaches and a survey of related work.

Mathematical preliminaries on topology, algebra and analysis are presented whenever necessary; however, most of the proofs are given in Appendix A. A visual programming and simulation environment, ALERT (A Laboratory for Embedded Real-Time systems), has been developed for modeling, synthesizing, simulating, and understanding various robotic systems studied in this research. ALERT and some simple examples are presented in Appendix B. The car-like robot is used as a running example throughout the thesis. Two more complex examples, an elevator system and a hydraulically actuated robot arm, are presented in Appendix C to further illustrate our approaches. A model estimation technique for the car-like robot is discussed in Appendix D.

1.8 A Guide to the Reader

We assume that, by now, you have read this chapter, Motivation and Introduction. You also have an overall picture of the problems and our proposed solutions. In the rest of this thesis we will systematically develop these solutions. We take an integrated approach towards modeling, specification, verification and control synthesis, each of which, nevertheless, is a research topic by itself.

Those who are interested in real-time/hybrid models should start with Part I. Besides using standard techniques in denotational semantics like partial order topologies, we develop topological structures of time, domains and traces. Based on these topological structures, we develop, in series, the concepts of primitive and event-driven transductions, nets, modules, semantics and behaviors.
Even though the minimum background for understanding this part is elementary discrete mathematics (set, relation, function) and calculus (integrals and derivatives), knowledge of dynamic systems, general topology, metric space and partial order would be an asset.

Those who are interested in real-time specification/verification should continue on to Part II. The minimum materials from Part I for understanding Part II are topological structures of time, domains and traces (Chapter 3), and general concepts of behaviors and requirements specification (Chapter 6). Besides predicate calculus and first order logic, knowledge of dynamic systems, temporal/modal logic and regular languages would be an asset.

Those who are interested in planning and control should not miss Part III. The minimum materials from Part I and Part II for understanding Part III are parameterized nets (Chapter 4) and generalized V-automata (Chapter 10). Knowledge of nonlinear dynamics and constraint methods would be an asset.

Those who are interested in applications of the theory should finish (or start) with the appendixes, where the modeling and simulation environment is discussed, and the methods developed in this thesis are illustrated by examples.

The problems of design and analysis are interesting and challenging enough to spend more time on. We hope everyone, with every kind of background, will find something useful in this thesis at every reading.

Part I Semantic Model and Behavior Analysis

The Tao that can be taught is not the everlasting Tao.
The Name that can be named is not the everlasting Name.
That which has no name is the origin of heaven and earth.
That which has a name is the Mother of all things.
Tao Teh Ching, Lao Tzu

A system that can be modeled is not the system itself.
A model that can be made is not the absolute model.
That which has no model is the origin of a system.
That which has a model is the understanding of the system.
— Zhang Ying

Chapter 2 Introduction

In this chapter, we present an overview of Part I, Semantic Model and Behavior Analysis. There are four major chapters in Part I. Chapter 3 gives a topological structure of dynamics. Chapter 4 describes the Constraint Net model, its syntax and semantics. Chapter 5 illustrates the modeling aspects of the Constraint Net model and discusses its computational power. Chapter 6 focuses on behavior analysis.

2.1 Topological Structure of Dynamics

One important feature of this research is abstraction. The purpose of abstraction is generalization. Hybrid systems are systems with possibly multiple data types and multiple time structures. Instead of combining different models, we extract the commonalities shared by various models for dynamic systems.

First, we develop a general structure of time, capturing the linearity, metric and measure properties of time, i.e., for any two time points, there are two important attributes: order and metric distance, and for any interval of time points, there is a measure. Discrete and continuous time can be modeled by this structure uniformly. Two time structures may relate to each other in terms of a reference mapping.

Second, we develop a general structure of domains that can be either simple or composite. Domains are associated with metrics capturing discreteness or density. They are also associated with partial orders characterizing definedness or information hierarchy.

Third, we develop a general structure of traces that are mappings from time to domains. We further formalize event traces as a special kind of trace for modeling event-based time.

Fourth, we define transductions as causal mappings from traces to traces. We further characterize two types of transduction: primitive transductions and event-driven transductions. A primitive transduction is a functional composition of transliterations and delays for memoryless processes and sequential processes, respectively.
An event-driven transduction is a primitive transduction augmented with an event trace input that defines an event-based time structure for the primitive transduction.

Finally, we define a dynamics structure, based on a reference time structure and a domain structure, as a pair consisting of a multi-sorted set of trace spaces and a set of primitive and event-driven transductions.

All structures are defined on two types of topology: partial order topology and metric topology. The preliminary concepts of general topology, partial order and metric space are given first, following which all concepts are defined formally.

2.2 The Constraint Net Model

We start with the syntax of constraint nets. A constraint net is a bipartite graph, with two types of node: locations and transductions. A location is an input if it is not connected to the output of any transduction; it is otherwise an output. A module is a constraint net with a set of locations as its interface and with the rest of its locations as hidden locations. A complex module can be composed hierarchically from simple ones. Also a module can be considered as an abstraction of its net: hidden inputs capture nondeterminism, and hidden outputs capture information encapsulation.

We then develop the semantics of constraint nets using continuous algebra. Locations denote traces and transductions are causal mappings from traces to traces. A constraint net denotes a set of equations, each of which corresponds to a transduction. The semantics of a constraint net is the least solution of the set of equations. We further study the well-definedness of constraint nets and modules, and its relationship with algebraic loops. We finally introduce parameterized nets and limiting semantics for temporal integration.

2.3 Modeling in Constraint Nets

The Constraint Net model (CN) is an abstraction of dataflow-like models. CN provides a unitary framework to model a hybrid system composed of components of different dynamics.
We first define various event generators and synchronizers. Using event generators and synchronizers, components of different time structures can be coordinated.

We then illustrate the modeling methodology with an example of a typical hybrid system, a maze traveler, whose overall system is composed of both discrete and continuous components.

We finally explore the computational power of constraint nets, in terms of sequential computation and analog computation. We discover that a constraint net can model discrete sequential computation in which the sequential order of a computation is controlled by events, and similarly, that it can model nondeterministic choices and time-out. We prove, for a simple domain structure, that the Constraint Net model is as powerful as the Turing Machine model for sequential computation. We also establish, for analog computation, a relationship of smooth non-hypertranscendental functions and constraint nets of continuous dynamics.

2.4 Behavior Analysis

We discuss the basic concepts of behavior analysis. Intuitively, the behavior of a system is the set of observable traces of the system. We characterize two important types of behavior: state-based behavior and time-invariant behavior. We then briefly discuss the following issues: requirements specification, robustness of parameterized nets with respect to requirements specification, and behavioral complexity that is analogous to functional complexity in sequential computation.

Since the Constraint Net model is developed on abstract time and domains, we can model and analyze a system at different levels of abstraction. We first define the concepts of abstraction and refinement for time and domains, and then derive the concepts of abstraction and equivalence for behaviors.

2.5 Summary and Related Work

Part I is the kernel and is considered as one of the major contributions of this thesis.
It is the first time that a unitary and comprehensive model for discrete/continuous hybrid systems has been proposed. The theory that supports the model is developed from algebra and topology. Even though similar techniques such as continuous algebra and fixpoint theory have been applied to the semantics of sequential or concurrent programs, it is the first time that such techniques are applied to the semantics of dynamic systems.

Chapter 3 Topological Structure of Dynamics

In this chapter, we present a topological structure of dynamics. We start with concepts in general topology, then focus on two particular types of topology: partial order topology and metric topology. Based on these two types of topology, we formalize time, domain and trace structures. We then present transductions as causal mappings from traces to traces. Finally, we define abstract dynamics structures.

3.1 General Topology, Partial Order and Metric Space

In this section, we summarize some mathematical preliminaries that will be used later. For a more comprehensive introduction, the reader is referred to other sources (e.g., [Gem90, Hen88, Vic89, MA86, War72, Roy88]).

3.1.1 General topology

General topology studies the limit-point concept, based on which connectivity and continuity can be defined.

Definition 3.1.1 (Topology and Topological space) Let $X$ be a set and $\emptyset$ be the empty set. A collection $\tau$ of subsets of $X$ is said to be a topology on $X$ if the following axioms are satisfied:
• $X \in \tau$ and $\emptyset \in \tau$.
• If $X_1 \in \tau$, $X_2 \in \tau$, then $X_1 \cap X_2 \in \tau$.
• If $X_i \in \tau$ for all $i \in I$, then $\bigcup_{i \in I} X_i \in \tau$, given an arbitrary index set $I$.
$(X, \tau)$ is called a topological space.

The members of a topology $\tau$ are said to be $\tau$-open subsets of $X$, or merely open if no ambiguity arises. A subset $S$ of $X$ is closed if $X - S$ is open. We will use $X$ to denote the topological space $(X, \tau)$ if no ambiguity arises.

Proposition 3.1.1 For any topology on $X$, $X$ and $\emptyset$ are both open and closed.
Two topologies $\tau_1$ and $\tau_2$ on a set can be compared in the following sense: $\tau_1$ is a finer topology than $\tau_2$ if $\tau_2 \subseteq \tau_1$. There are two extreme topologies on $X$. The coarsest topology is the trivial topology, in which only $X$ and $\emptyset$ are open, and the finest topology is the discrete topology, in which all subsets of $X$ are open.

Let $x \in X$ and $N(x)$ be a $\tau$-open subset of $X$ containing $x$; $N(x)$ is called a neighborhood of $x$ w.r.t. $\tau$. A point $x$ of $X$ is a limit point of a subset $S$ of $X$ if every neighborhood of $x$ also contains a point of $S$ distinct from $x$, i.e., $\forall N(x),\ N(x) \cap S - \{x\} \neq \emptyset$. Topologies can also be defined in terms of limit points.

Proposition 3.1.2 (1) A subset is closed if it includes all its limit points. (2) A topology is trivial if every point $x$ is a limit point of any subset with elements distinct from $x$. A topology is discrete if no point is a limit point of any subset.

Now we define connectivity and continuity on topological spaces. A topological space is separated if it is the union of two disjoint, non-empty open sets; it is otherwise connected.

Proposition 3.1.3 A topological space is connected if the only sets that are both open and closed are the empty set and the total set.

Let $(X, \tau)$ and $(X', \tau')$ be topological spaces. A function $f : X \rightarrow X'$ is continuous if for any $\tau'$-open subset $S'$ of $X'$, $f^{-1}(S') = \{x \mid f(x) \in S'\}$ is $\tau$-open.

Proposition 3.1.4 (1) Continuous functions are closed under functional composition. (2) A function $f : X \rightarrow X'$ is continuous if $x \in X$ being a limit point of $S \subseteq X$ implies that $f(x)$ is a point or a limit point of $f(S) = \{f(x) \mid x \in S\}$.

It is natural to ask if there exists any smaller collection of subsets that can be used to represent the open sets. The answer is affirmative, and the following definitions provide such collections.

Definition 3.1.2 (Basis and Subbasis) A subset $B$ of a topology $\tau$ is said to be a basis for $\tau$ if each member of $\tau$ is the union of members of $B$.
A subset $S$ of $\tau$ is said to be a subbasis for $\tau$ if the set $B = \{B \mid B \text{ is the intersection of finitely many members of } S\}$ is a basis for $\tau$.

We can derive new topologies based on known ones. Subspace topology and product topology are two important types of derived topology.

Proposition 3.1.5 Let $(X, \tau)$ be a topological space, $X' \subseteq X$ and $\tau' = \{W \mid W = X' \cap U,\ U \in \tau\}$. The collection $\tau'$ is a topology on $X'$.

We call $\tau'$ the subspace topology on $X'$, and $(X', \tau')$ a subspace of $(X, \tau)$.

Let $\{(X_i, \tau_i)\}_{i \in I}$ be a family of topological spaces and let $\times_i X_i$ be the product set of $\{X_i\}_{i \in I}$. Let $S = \{\times_i V_i \mid V_i = X_i \text{ for all but one } i \in I, \text{ and } V_i \in \tau_i \text{ for all } i \in I\}$. We call $\tau$ the product topology on $\times_i X_i$ if $S$ is a subbasis for $\tau$. We call $(\times_i X_i, \tau)$ the product space of $\{(X_i, \tau_i)\}_{i \in I}$. If $X_i = X$ with the same topology for all $i \in I$, $\times_i X_i$ is denoted by $X^I$.

Proposition 3.1.6 Let $\{X_i\}_{i \in I}$ be a family of topological spaces and $J$ be an arbitrary index set. Then $(\times_i X_i)^J = \times_i X_i^J$.

A Hausdorff topology is one with the property that for any two points, there are disjoint neighborhoods. The trivial topology is non-Hausdorff and the discrete topology is Hausdorff. In the next two sections, we will introduce two important types of topology that are between the two extremes: partial order topology and metric topology. We will see that partial order topologies in general are non-Hausdorff and metric topologies are Hausdorff.

3.1.2 Partial order

A set and a partial order relation on the set define a partially ordered set, or simply, a partial order.

Definition 3.1.3 (Partial order) Let $A$ be a set. A binary relation $\leq_A \subseteq A \times A$ is called a partial order relation if $\leq_A$ is reflexive, anti-symmetric and transitive. $(A, \leq_A)$ is called a partial order; it is called a linear order if, in addition, $\forall a_1, a_2 \in A$, either $a_1 \leq_A a_2$ or $a_2 \leq_A a_1$.
For any partial order relation $\le_A$, let $\ge_A$ denote the inverse of $\le_A$, viz., $a_1 \ge_A a_2$ iff $a_2 \le_A a_1$, and let $<_A$ ($>_A$) denote the strict relation of $\le_A$ ($\ge_A$), viz., $a_1 <_A a_2$ ($a_1 >_A a_2$) iff $a_1 \le_A a_2$ ($a_1 \ge_A a_2$) and $a_1 \neq a_2$. We will use $A$ to denote partial order $(A, \le_A)$ if no ambiguity arises.

Definition 3.1.4 (Subpartial order) Let $(A, \le_A)$ be a partial order and $A' \subseteq A$. A partial order relation $\le_{A'} \subseteq A' \times A'$ is called the subpartial order relation on $A'$ if $a_1 \le_{A'} a_2$ whenever $a_1 \le_A a_2$. $(A', \le_{A'})$ is called a subpartial order of $(A, \le_A)$.

Definition 3.1.5 (Product partial order) Let $\{A_i\}_{i \in I}$ be a set of partial orders and $A = \times_I A_i$. A partial order relation $\le_A \subseteq A \times A$ is called the product partial order relation on $A$ if $a \le_A a'$ whenever $a_i \le_{A_i} a'_i$ for all $i \in I$. $(A, \le_A)$ is called the product partial order of $\{(A_i, \le_{A_i})\}_{i \in I}$.

A partial order may have a least element and/or a greatest element.

Definition 3.1.6 (Least (Greatest) element) Let $A$ be a partial order. An element $\bot_A$ ($\top_A$) $\in A$ is a least (greatest) element in $A$ if it satisfies $\bot_A \le_A a$ ($\top_A \ge_A a$) for every $a$ in $A$.

It follows from the antisymmetry of $\le_A$ that least (greatest) elements, if they exist, are unique. Any set $A$ can be extended to a flat partial order by augmenting a least element $\bot_A \notin A$.

Definition 3.1.7 (Flat partial order) A flat partial order, written $\underline{A}$, is a set $A$ augmented with a new element $\bot_A$, viz., $\underline{A} = A \cup \{\bot_A\}$, such that $a \le a'$ implies $a = a'$ or $a = \bot_A$.

Element $\bot_A$ is the least element of $\underline{A}$. Usually $\bot_A$ means undefined in $A$. With this augmentation, any partial function to $A$ can be extended into a total function to $\underline{A}$, i.e., $f(a) = \bot_A$ if $f$ is not defined at $a$. In this thesis, functions mean total functions unless explicitly stated.

A subset of a partial order may have a least upper bound and/or a greatest lower bound.

Definition 3.1.8 (Least upper (Greatest lower) bound) Let $A$ be a partial order, $D \subseteq A$ and $a \in A$.
Then $a$ is an upper (lower) bound of $D$ if $d \le_A a$ ($d \ge_A a$) for every $d \in D$. Moreover, $a$ is a least upper bound (lub) (greatest lower bound (glb)) of $D$ if

1. $a$ is an upper (lower) bound of $D$ and
2. if $d'$ is an upper (lower) bound of $D$ then $a \le_A d'$ ($a \ge_A d'$).

It follows from the antisymmetry of $\le_A$ that least upper bounds (greatest lower bounds), if they exist, are unique. We use $\vee_A D$ ($\wedge_A D$) to denote the least upper (greatest lower) bound of $D$ in $A$, when it exists. We will drop the subscript $A$ if it is clear from context. If $A$ is the set of real numbers with arithmetic ordering, we use "sup" and "inf" to denote $\vee$ and $\wedge$ respectively. If $D$ is finite, we may use "max" and "min" to denote $\vee$ and $\wedge$ respectively.

One important kind of subset of a partial order is the directed subset.

Definition 3.1.9 (Directed subset) Let $A$ be a partial order and $D \subseteq A$. $D$ is directed if $D \neq \emptyset$ and for all $d_1, d_2 \in D$, the set $\{d_1, d_2\}$ has an upper bound in $D$.

A chain in a partial order $A$ is a linearly ordered subset of $A$. A chain is a directed subset. One important kind of partial order is the complete partial order.

Definition 3.1.10 (Complete partial order (cpo)) A partial order $A$ is complete if:

1. it contains a least element, denoted $\bot_A$, and
2. every directed subset of $A$ has a least upper bound in $A$.

Following are two propositions related to cpos.

Proposition 3.1.7 A flat partial order is a cpo.

Proposition 3.1.8 The product of cpos is a cpo.

Let $\{A_i\}_{i \in I}$ be a set of cpos and $A = \times_I A_i$. The least element of $A$ is $\bot_A$ with $(\bot_A)_i = \bot_{A_i}$, $\forall i \in I$. Let $D$ be a directed subset of $A$. The least upper bound of $D$ is $\vee_A D$ with $(\vee_A D)_i = \vee_{A_i} D_i$, $\forall i \in I$, where $D_i$ is the projection of $D$ onto its $i$th component, i.e., $D_i = \Pi_i D$.

A topology can be defined from a partial order.

Definition 3.1.11 (Partial order topology) Let $A$ be a partial order.
A subset $S$ of $A$ is open if (1) $S$ is upward closed, i.e., $a \in S$ implies that $\forall a' \ge_A a,\ a' \in S$, and (2) $S$ is inaccessible from any directed subset $D$ of $A$, i.e., if $\vee_A D \in S$, then $\exists a \in D$ such that $a \in S$. This collection of open sets on $A$ forms the partial order topology of $A$.

A partial order $(A, \le_A)$ is non-trivial if there exist two elements $a, a'$ in $A$ such that $a <_A a'$.

Proposition 3.1.9 The partial order topology of a non-trivial partial order is non-Hausdorff.

The following two propositions declare the properties of continuous functions in partial order topologies.

Proposition 3.1.10 Any continuous function is monotonic, i.e., if $f : A \to A'$ is continuous, then $a_1 \le_A a_2$ implies $f(a_1) \le_{A'} f(a_2)$.

Proposition 3.1.11 Let $A$ and $A'$ be two cpos. Then $f : A \to A'$ is continuous if for every directed subset $D \subseteq A$, 1. $f(D) = \{f(d) \mid d \in D\}$ is directed and 2. $f(\vee_A D) = \vee_{A'} f(D)$.

3.1.3 Metric space

Metric topology is the most direct generalization of the topology used for real numbers in analysis.

Definition 3.1.12 (Metric and Metric Space) Let $X$ be a set and $\mathcal{R}^+$ be the set of nonnegative real numbers. A function $d : X \times X \to \mathcal{R}^+$ is a metric on $X$ if

• $d(x, y) = d(y, x)$,
• $d(x, y) \le d(x, z) + d(z, y)$,
• $d(x, y) = 0$ iff $x = y$.

$(X, d)$ is called a metric space.

Let $(X, d)$ be a metric space, $x \in X$ and $\epsilon$ be a positive real number. The spherical $\epsilon$-neighborhood of $x$ is $\{x' \mid d(x', x) < \epsilon\}$, denoted $N_\epsilon(x)$.

Definition 3.1.13 (Metric topology) The metric topology of a metric space is a topology with the set of spherical neighborhoods as a subbasis.

Proposition 3.1.12 Metric topologies are Hausdorff.

Another important concept used in analysis is measure. Let $X$ be a set. A family $\sigma$ of subsets of $X$ is a $\sigma$-field on $X$ if it contains the empty set, the complement in $X$ of every element in $\sigma$ and the union of every denumerable subcollection. $(X, \sigma)$ is called a measurable space.

Definition 3.1.14 (Measure and Measure space) Let $(X, \sigma)$ be a measurable space.
A function $\mu : \sigma \to \mathcal{R}^+ \cup \{\infty\}$ is a measure if $\mu(\emptyset) = 0$, and for any denumerable index set $J$ and any set of mutually disjoint elements $\{X_j\}_{j \in J}$ of $\sigma$, $\mu(\cup_J X_j) = \sum_J \mu(X_j)$. $(X, \sigma, \mu)$ is called a measure space.

If $(X, \tau)$ is a topological space, then the smallest $\sigma$-field containing the $\tau$-open sets, denoted $\mathrm{Borel}(X)$, is called the Borel field of $X$. A measure defined on $\mathrm{Borel}(X)$ is called a Borel measure.

Finishing up this section, we define the concept of limits. Given any linear order $L$ and topological space $X$, $v : L \to X$ is called a linear set of values. A limit of $v$ is defined as a generalization of a limit of a sequence.

Definition 3.1.15 (Limit) Let $X$ be a topological space and $v : L \to X$ be a linear set of values. A point $v^* \in X$ is called a limit of $v$, written $v \to v^*$, if for every neighborhood $N(v^*)$ of $v^*$, $\exists l_0,\ \forall l \ge l_0,\ v(l) \in N(v^*)$.

If $L$ has a greatest element $l_0$, then $v \to v(l_0)$. Therefore, the concept of limits is also a generalization of the "final" value. We will use $\lim_l v(l)$ to denote the limit of $v$ if it is unique.

One important property of Hausdorff topologies is the uniqueness of limits.

Proposition 3.1.13 If $X$ is of a Hausdorff topology and $v : L \to X$ is a linear set of values, then $v \to v^*$ and $v \to v^{**}$ imply $v^* = v^{**}$.

One important property of product topologies is the pointwiseness of limits.

Proposition 3.1.14 If $\times_I X_i$ is of the product topology and $v : L \to \times_I X_i$ is a linear set of values, then $v \to v^*$ if $v_i \to v^*_i$ for all $i \in I$.

3.2 Time Structures

Understanding time is the key to understanding dynamics. We formalize time using an abstract structure that captures its important aspects.
A time structure, in general, can be considered as a linearly ordered set with a start time point, an associated metric for "the distance between any two time points" and a measure for "the duration of an interval of time."

Definition 3.2.1 (Time structure) A time structure is a triple $(\mathcal{T}, d, \mu)$ where

• $\mathcal{T}$ is a linearly ordered set $(\mathcal{T}, \le)$ with $0$ as the least element;
• $(\mathcal{T}, d)$ forms a metric space with $d$ as a metric satisfying: for all $t_0 \le t_1 \le t_2$, $d(t_0, t_2) = d(t_0, t_1) + d(t_1, t_2)$; $\{t \mid m(t) \le r\}$ has a greatest element and $\{t \mid m(t) \ge r\}$ has a least element for all $0 \le r < \sup\{m(t) \mid t \in \mathcal{T}\}$, where $m(t) = d(0, t)$;
• $(\mathcal{T}, \sigma, \mu)$ forms a measure space with $\sigma$ as the Borel set of topological space $(\mathcal{T}, d)$ and $\mu$ as a Borel measure satisfying $\mu([t_1, t_2)) \le d(t_1, t_2)$ for all $t_1 < t_2$, where $[t_1, t_2) = \{t \mid t_1 \le t < t_2\}$ and $\mu([t_1, t_2)) = \mu([0, t_2)) - \mu([0, t_1))$.

For simplicity, we will use $\mathcal{T}$ to refer to time structure $(\mathcal{T}, d, \mu)$ when no ambiguity arises. For most applications, we have $\mu([t_1, t_2)) = d(t_1, t_2)$. However, if $\mathcal{T}$ is an abstraction of another time structure, it is possible that $\exists t_1, t_2,\ \mu([t_1, t_2)) < d(t_1, t_2)$. Discussions on time abstraction will be found in Chapter 6, Behavior Analysis.

A time structure $\mathcal{T}$ is infinite iff $\mathcal{T}$ has no greatest element and $\mu(\mathcal{T}) = \infty$. $\mathcal{T}$ is discrete if its metric topology is discrete. $\mathcal{T}$ is continuous if its metric space is connected.

For example, the set of natural numbers $\mathcal{N}$ and the set of nonnegative real numbers $\mathcal{R}^+$, with $d(t_1, t_2) = |t_2 - t_1|$ and $\mu([0, t)) = t$, are time structures. $\mathcal{N}$ is discrete and $\mathcal{R}^+$ is continuous. The set $\{1 - 1/n \mid n \in \mathcal{N}\}$ with the metric $d$ and the measure $\mu$ also defines a discrete time structure. However, the sets $\{1 - 1/n \mid n \in \mathcal{N}\} \cup \{1\}$, $\{0\} \cup \{1/n \mid n \in \mathcal{N}\}$ and $[0, 1] \cup [2, 3]$ with the metric $d$ and the measure $\mu$ form time structures that are neither discrete nor continuous. The set of rational numbers $\mathcal{Q}$ with the metric $d$ and the measure $\mu$ does not form a time structure.
Proposition 3.2.1 (1) For any time structure $\mathcal{T}$, if $T \subseteq \mathcal{T}$ has an upper bound in $\mathcal{T}$, $T$ has a least upper bound in $\mathcal{T}$. (2) The following properties for a time structure are equivalent: (a) $\mathcal{T}$ is discrete. (b) Let $(t_1, t_2) = \{t \mid t_1 < t < t_2\}$. For all $t$, if $t$ is not the least element of $\mathcal{T}$, then $\exists t' < t$, denoted $\mathrm{pre}(t)$, such that $(t', t) = \emptyset$, and for all $t$, if $t$ is not the greatest element of $\mathcal{T}$, then $\exists t' > t$, denoted $\mathrm{suc}(t)$, such that $(t, t') = \emptyset$. (c) $\mathcal{T}$ is well-founded, i.e., $\forall t \in \mathcal{T}$, $[0, t)$ is finite. (3) The following properties for a time structure are equivalent: (a) $\mathcal{T}$ is continuous. (b) $\mathcal{T}$ is dense, i.e., for all $t_1 < t_2$, there exists $t_0$ such that $t_1 < t_0 < t_2$.

Intuitively, discrete time is isomorphic to an ordered subset of the natural numbers and continuous time is isomorphic to a left-closed interval of the real line. Even though our definition of time structures is general, discrete and continuous time structures are the most commonly used.

A time structure $(\mathcal{T}, d, \mu)$ may be related to another time structure $(\mathcal{T}_r, d_r, \mu_r)$, where $(\mathcal{T}_r, \le_r)$ is a linear order with $0_r$ as the least element, by a reference time mapping $h : \mathcal{T} \to \mathcal{T}_r$ satisfying

• the order among time points is preserved: $t < t'$ implies $h(t) <_r h(t')$,
• the least element is preserved: $h(0) = 0_r$,
• the distance between two time points is preserved: $d(t_1, t_2) = d_r(h(t_1), h(t_2))$, and
• the measure on any finite time interval is preserved: $\mu([0, t)) = \mu_r([0_r, h(t)))$.

$\mathcal{T}_r$ is called a reference time of $\mathcal{T}$, and $\mathcal{T}$ is called a sample time of $\mathcal{T}_r$. For example, if $h : \mathcal{N} \to \mathcal{R}^+$ is defined as $h(n) = n$, $\mathcal{R}^+$ is a reference time of $\mathcal{N}$. For any time structure $\mathcal{T}$, a reference time of $\mathcal{T}$ is as "dense" as $\mathcal{T}$. Furthermore, the reference relation is transitive:

Proposition 3.2.2 If $\mathcal{T}_0$ is a reference time of $\mathcal{T}_1$ and $\mathcal{T}_1$ is a reference time of $\mathcal{T}_2$, then $\mathcal{T}_0$ is a reference time of $\mathcal{T}_2$.
3.3 Domain Structures

As with time, we formalize domains as abstract structures so that discrete and continuous domains are defined uniformly. A domain can be either simple or composite. Simple domains denote simple data types, such as reals, integers, Booleans and characters; composite domains denote structured data types, such as arrays, vectors, strings, objects, structures and records.

Definition 3.3.1 (Simple domain) A simple domain is a pair $(A \cup \{\bot_A\}, d_A)$ where $A$ is a set, $\bot_A \notin A$ means undefined in $A$, and $d_A$ is a metric on $A$.

Let $\underline{A} = A \cup \{\bot_A\}$. For simplicity, we will use $\underline{A}$ to refer to simple domain $(\underline{A}, d_A)$ when no ambiguity arises. For example, let $\mathcal{R}$ be the set of real numbers; $\underline{\mathcal{R}}$ is a simple domain with a connected metric space. Let $\mathcal{B} = \{0, 1\}$; $\underline{\mathcal{B}}$ is a simple domain with a discrete topology on $\mathcal{B}$.

Any simple domain $\underline{A}$ is associated with a partial order relation $\le_A$: $(\underline{A}, \le_A)$ is a flat partial order with $\bot_A$ as the least element. In addition, $\underline{A}$ is associated with a derived metric topology $\tau = \tau_A \cup \{\underline{A}\}$ where $\tau_A$ is the metric topology on $A$ derived from the metric $d_A$.

Proposition 3.3.1 $\{\bot_A\}$ is not $\tau$-open. The only neighborhood of $\bot_A$ is $\underline{A}$.

A simple domain $(\underline{A}, d_A)$ can also be represented as a triple $(\underline{A}, \le_A, \tau)$ where $\le_A$ is the partial order relation and $\tau$ is the derived metric topology. A domain is defined recursively based on simple domains.

Definition 3.3.2 (Domain) $(A, \le_A, \tau)$, with $\le_A$ as the partial order relation and $\tau$ as the derived metric topology, is a domain if:

• it is a simple domain; or
• it is a composite domain, i.e., it is the product of a family of domains $\{(A_i, \le_{A_i}, \tau_i)\}_{i \in I}$ such that $(A, \le_A)$ is the product partial order of the family of partial orders $\{(A_i, \le_{A_i})\}_{i \in I}$ and $(A, \tau)$ is the product space of the family of topological spaces $\{(A_i, \tau_i)\}_{i \in I}$.

Note that there is no restriction on the index set $I$, which can be arbitrary (finite or infinite, countable or uncountable).
For simplicity, we will use $A$ to refer to domain $(A, \le_A, \tau)$ when no ambiguity arises. For example, let $n$ be a natural number; then $\mathcal{R}^n$ is a composite domain with $n$ components. Let $\mathcal{N}$ be the set of natural numbers; then $\mathcal{R}^{\mathcal{N}}$ (or equivalently, $\mathcal{N} \to \mathcal{R}$) is a composite domain with infinitely many components.

Given a simple domain $A$, a value $a \in A$ is well-defined iff $a \neq \bot_A$. Given a composite domain $\times_I A_i$, a value $a \in \times_I A_i$ is well-defined iff $a_i$ is well-defined for all $i \in I$. A value in a domain is undefined iff it is the least element of the domain.

Intuitively, for any domain, its partial order topology characterizes the information (or definedness) hierarchies of data and its derived metric topology characterizes the limit properties of data.

Proposition 3.3.2 For any domain, its partial order topology is finer than its derived metric topology, and both are non-Hausdorff.

A signature is a syntactical structure of a multi-sorted set of data with associated functions.

Definition 3.3.3 (Signature) Let $\Sigma = (S, F)$ be a signature where $S$ is a set of sorts and $F$ is a set of function symbols. $F$ is equipped with a mapping $\mathit{type} : F \to S^* \times S$ where $S^*$ denotes the set of all finite tuples of $S$. For any $f \in F$, $\mathit{type}(f)$ is the type of $f$. We use $f : s^* \to s$ to denote $f \in F$ with $\mathit{type}(f) = (s^*, s)$.

For example, the signature of Boolean algebra can be described as $\Sigma_b = (\{b\}, \{0, \neg, \wedge, \vee\})$ with $0 : \to b$, $\neg : b \to b$, $\wedge : b, b \to b$, and $\vee : b, b \to b$. $\Sigma_b$ has one sort with a constant $0$ (nullary function), a unary function $\neg$ and two binary functions $\wedge$ and $\vee$.

A domain structure of some signature is defined as follows.

Definition 3.3.4 ($\Sigma$-domain structure) Let $\Sigma = (S, F)$ be a signature. A $\Sigma$-domain structure $\mathcal{A}$ is a pair $(\{A_s\}_{s \in S}, \{f^{\mathcal{A}}\}_{f \in F})$ where for each $s \in S$, $A_s$ is a domain of sort $s$, and for each $f : s^* \to s \in F$ with $s^* : I \to S$ and $s \in S$, $f^{\mathcal{A}} : \times_{i \in I} A_{s^*(i)} \to A_s$ is a function denoted by $f$, which is continuous in the partial order topology.
To be continuous on a domain in its partial order topology is not a real restriction on a function. Strict functions are continuous functions in partial order topologies. A function is strict w.r.t. an argument iff its output is undefined whenever its input of that argument is undefined. A function is strict iff it is strict w.r.t. all of its arguments. Given any partial or total function $f : \times_I A_i \to A$, a continuous function $\underline{f} : \times_I \underline{A_i} \to \underline{A}$ can be defined as:

$$\underline{f}(a) = \begin{cases} f(a) & \text{if } a \in \times_I A_i \text{ and } f(a) \text{ is defined} \\ \bot_A & \text{otherwise.} \end{cases}$$

We call $\underline{f}$ a strict extension of function $f$. We will also use $f$ to denote its strict extension if no ambiguity arises. For example, let $\Sigma_r = (\{r\}, \{0, +, \cdot\})$ with $0 : \to r$, $+ : r, r \to r$ and $\cdot : r, r \to r$. Then $(\{\mathcal{R}\}, \{0, +, \cdot\})$ is a $\Sigma_r$-domain structure, where $+$ and $\cdot$ are strict extensions of addition and multiplication on $\mathcal{R}$, respectively.

However, not every extension of a function that is continuous should also be strict. For example, $(\{\mathcal{B}\}, \{0, \neg, \wedge, \vee\})$ is a $\Sigma_b$-domain structure where $\neg$, $\wedge$ and $\vee$ are negation, conjunction and disjunction, respectively. Function $\vee : \mathcal{B} \times \mathcal{B} \to \mathcal{B}$ is continuous but not strict, since $\vee$ is an "or" logic satisfying $1 \vee x = 1$ for all $x \in \mathcal{B}$; thus, $1 \vee \bot = 1$.

The following propositions characterize the general properties of continuous functions on simple domains.

Proposition 3.3.3 (1) Function $f : A \to A'$ is continuous in the partial order topology if $f$ is strict or constant. (2) If $f : A \to A'$ is continuous in the derived metric topology, then $f$ is continuous in the partial order topology. (3) Function $f : A \to A'$ is continuous in the derived metric topology if $f$ is continuous in the partial order topology and the restriction of $f$ on $A$ and $A'$ is continuous in the metric topology, namely, for any open subset $S$ of $A'$, $f^{-1}(S) \cap A$ is open.

The properties of continuous functions in partial order topologies can be generalized to composite domains. A function $f : \times_I A_i \to A$ is continuous w.r.t.
an argument $i$ if the function $\lambda a_i . f(a_i, a_{I - \{i\}})$ is continuous for all $a_{I - \{i\}} \in \times_{I - \{i\}} A_j$. (Here $\lambda x . \mathit{expr}(x)$ is a lambda expression of a function $f$, equivalent to $\forall x,\ f(x) = \mathit{expr}(x)$.)

Proposition 3.3.4 Let $I$ be a finite index set. (1) Function $f : \times_I A_i \to A$ is continuous in the partial order topology if $f$ is continuous w.r.t. all $i \in I$. (2) If $f : \times_I A_i \to A$ is continuous in the derived metric topology, then $f$ is continuous in the partial order topology. (3) Function $f : \times_I A_i \to A$ is continuous in the derived metric topology if $f$ is continuous in the partial order topology and the restriction of $f$ on $\times_I A_i$ and $A$ is continuous in the product metric topology, namely, for any open subset $S$ of $A$, $f^{-1}(S) \cap \times_I A_i$ is open.

A function is well-defined if its output is well-defined whenever its input is well-defined. Both well-definedness and strictness are closed under functional composition, and a function can be both well-defined and strict. For example, a widely used conditional function, $\mathit{cond} : A \times A \times A' \times A' \to A'$, is defined as follows:

$$\mathit{cond}(x, y, u, v) = \begin{cases} \bot_{A'} & \text{if } x = \bot_A \text{ or } y = \bot_A \\ u & \text{else if } x = y \\ v & \text{otherwise.} \end{cases} \qquad (3.1)$$

Function $\mathit{cond}$ is continuous in the partial order topology; it is continuous in the derived metric topology if $A$ is of a discrete topology. Furthermore, it is well-defined and strict w.r.t. arguments $x$ and $y$.

3.4 Traces and Events

Intuitively, a trace denotes changes of values over time. Formally, a mapping $v : \mathcal{T} \to A$ from time $\mathcal{T}$ to domain $A$ is called a trace. A trace $v$ is well-defined if $v(t)$ is well-defined for all $t \in \mathcal{T}$. For example, if $\mathcal{T} = \mathcal{R}^+$ and $A = \mathcal{R}$, $v_1 = \lambda t . \sin(t)$ and $v_2 = \lambda t . e^{-t}$ are well-defined traces. A trace $v$ is undefined iff $v(t)$ is undefined for all $t \in \mathcal{T}$.

A trace provides complete information at every (finite) time point. Values at infinite time points are not represented explicitly; they can, however, be derived when limits are introduced.
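Returning to the flat domains of Section 3.3: the following Python model is an added example, not the thesis's own code. It represents $\bot$ by `None`, builds strict extensions of partial functions, the non-strict "or" with $1 \vee \bot = 1$, and the conditional of equation (3.1), and checks continuity in the partial order topology by brute-force monotonicity over a finite flat domain (Proposition 3.1.10 gives monotonicity as a necessary condition; on a finite flat domain it is also sufficient). All names (`BOTTOM`, `flat_le`, `strict_extension`, `par_or`, `is_monotone`, `is_defined`) are this example's assumptions.

```python
# Added example (not from the thesis): flat domains, strict extensions,
# the conditional of equation (3.1), and a brute-force monotonicity check
# used as the continuity test on finite flat domains.
from itertools import product

BOTTOM = None  # stands for the undefined element ⊥_A of a flat domain


def flat_le(a, b):
    """a ≤ b in the flat partial order: ⊥ is below everything, else a = b."""
    return a is BOTTOM or a == b


def strict_extension(f):
    """Turn a partial function on A into a strict, total function on A ∪ {⊥}.

    The result is ⊥ whenever any argument is ⊥ or f is not defined there
    (modelled here as f raising), matching the definition of f̲ in 3.3.
    """
    def f_bar(*args):
        if any(a is BOTTOM for a in args):
            return BOTTOM
        try:
            return f(*args)
        except (ZeroDivisionError, ValueError):
            return BOTTOM
    return f_bar


add = strict_extension(lambda x, y: x + y)
div = strict_extension(lambda x, y: x / y)   # partial on the reals: x/0 undefined


def par_or(x, y):
    """Boolean 'or' on B ∪ {⊥} that is continuous but NOT strict: 1 ∨ ⊥ = 1."""
    if x == 1 or y == 1:
        return 1
    if x is BOTTOM or y is BOTTOM:
        return BOTTOM
    return 0


def cond(x, y, u, v):
    """Equation (3.1): ⊥ if x or y is undefined; u if x = y; v otherwise."""
    if x is BOTTOM or y is BOTTOM:
        return BOTTOM
    return u if x == y else v


def is_strict(f, domain, arity):
    """f is strict iff every call with at least one ⊥ argument returns ⊥."""
    flat = [BOTTOM] + list(domain)
    for args in product(flat, repeat=arity):
        if any(a is BOTTOM for a in args) and f(*args) is not BOTTOM:
            return False
    return True


def is_monotone(f, domain, arity):
    """Exhaustive check: a ≤ a' pointwise implies f(a) ≤ f(a') (flat order)."""
    flat = [BOTTOM] + list(domain)
    for a in product(flat, repeat=arity):
        for b in product(flat, repeat=arity):
            if all(flat_le(x, y) for x, y in zip(a, b)) and not flat_le(f(*a), f(*b)):
                return False
    return True


def is_defined(x):
    """Maps ⊥ to 0 and every defined value to 1: total, but not monotone,
    so not continuous in the partial order topology."""
    return 0 if x is BOTTOM else 1


if __name__ == "__main__":
    B = (0, 1)
    print(add(BOTTOM, 1), div(1, 0))                  # None None (⊥ propagates)
    print(par_or(1, BOTTOM), is_strict(par_or, B, 2))  # 1 False
    print(is_monotone(par_or, B, 2), is_monotone(cond, B, 4))  # True True
    print(is_monotone(is_defined, B, 1))              # False
```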
For example, $\lim_{t \to \infty} \sin(t) = \bot_{\mathcal{R}}$ and $\lim_{t \to \infty} e^{-t} = 0$.

Let $A$ be a domain and $v : L \to A$ be a linear set of values. A value $v^* \in A$ is a limit of $v$, written $v \to v^*$, iff $v^*$ is a limit of $v$ in the derived metric topology of $A$. In the rest of this thesis, limits defined on a domain will mean those in its derived metric topology. Limits of $v$ may not be unique. However, the set of limits of $v$ has the following properties.

Proposition 3.4.1 Let $v : L \to A$ be a linear set of values. Then (1) $v \to \bot_A$, and (2) $v \to v^*$ and $v \to v^{**}$ imply that either $v^* = v^{**}$ or one of $v^*$ and $v^{**}$ is $\bot_A$.

Proposition 3.4.2 Let $v : L \to A$ for $A = \times_I A_i$. Then (1) $v \to v^*$ iff $v_i \to v^*_i$ for all $i \in I$, and (2) the set of limits $\{v^* \mid v \to v^*\}$ is a directed subset in $(A, \le_A)$ and has a greatest element.

The greatest limit of $v$, written $\lim v$, is defined as the greatest element of the set of limits of $v$, i.e., $\lim v = \vee_A \{v^* \mid v \to v^*\}$. Note that the greatest limit of a linear set of values always exists and is unique. We will call the greatest limit simply the limit if no ambiguity arises. The following two propositions capture two important properties of the limits.

Proposition 3.4.3 Let $v : L \to A$ for $A = \times_I A_i$. Then $(\lim v)_i = \lim v_i$, $\forall i \in I$.

Proposition 3.4.4 If $v_1, v_2 : L \to A$ and $v_1(l) \le_A v_2(l)$ for all $l \in L$, then $\lim v_1 \le_A \lim v_2$.

Proposition 3.4.3 characterizes the composite property of the limits. Proposition 3.4.4 characterizes the monotonic property of the limits.

Using the concept of the limits, we can complete a trace with its values at limit time points. Given a time structure $\mathcal{T}$, let $\mathcal{T}^\infty$ be the set of downward closed intervals, i.e., for any $T \in \mathcal{T}^\infty$, (1) $T \neq \emptyset$ and (2) $t \in T$ implies that for all $t' \le t$, $t' \in T$. A trace $v : \mathcal{T} \to A$ can be extended to its completion $v^\infty : \mathcal{T}^\infty \to A$ as $v^\infty(T) = \lim v|_T$ where $v|_T$ denotes the restriction of $v$ onto $T$. If $T$ has a greatest element $t_0$, then $v^\infty(T) = v(t_0)$. A trace completion provides values at infinite as well as at finite time points.
Note that $\mathcal{T} \in \mathcal{T}^\infty$; for any trace $v : \mathcal{T} \to A$, $v^\infty(\mathcal{T}) = \lim v$ can be considered as the "final" value. For simplicity, we will use $v$ to refer to both $v$ and its completion $v^\infty$ when no ambiguity arises.

Let $\mathcal{T}_{<t} = \{t' \mid t' < t\}$. Then $\mathcal{T}_{<t} \in \mathcal{T}^\infty$ whenever $t > 0$. We use $\mathrm{pre}(t)$ to denote both $\mathcal{T}_{<t}$ and the greatest element of $\mathcal{T}_{<t}$, if it exists. Let $\mathcal{T}_{<t-\tau} = \{t' \mid t' < t,\ d(t, t') \ge \tau\}$ for $\tau > 0$. Then $\mathcal{T}_{<t-\tau} \in \mathcal{T}^\infty$ whenever $m(t) \ge \tau$.

Proposition 3.4.5 For any time structure $\mathcal{T}$, $\mathcal{T}_{<t-\tau}$ has a greatest element whenever $m(t) \ge \tau$.

We use $t - \tau$ to denote the greatest element of $\mathcal{T}_{<t-\tau}$ when $m(t) \ge \tau$.

The set of all possible traces from a time structure to a domain, associated with a partial order relation and a derived metric topology, forms a trace space.

Definition 3.4.1 (Trace space) Given a time structure $\mathcal{T}$ and a domain $(A, \le_A, \tau)$, the trace space is a triple $(A^{\mathcal{T}}, \le_{A^{\mathcal{T}}}, \tau^{\mathcal{T}})$ where $A^{\mathcal{T}}$ is the product set (the set of all functions from $\mathcal{T}$ to $A$), $\le_{A^{\mathcal{T}}}$ is the product partial order relation constructed from the partial order relation $\le_A$, and $\tau^{\mathcal{T}}$ is the product topology constructed from the derived metric topology $\tau$.

For simplicity, we will use $A^{\mathcal{T}}$ to refer to trace space $(A^{\mathcal{T}}, \le_{A^{\mathcal{T}}}, \tau^{\mathcal{T}})$ when no ambiguity arises.

A trace space is essentially a composite domain. Therefore, limits of a linear set of traces can be defined accordingly. Given a linear set of traces $V : L \to A^{\mathcal{T}}$, limits and the greatest limit of $V$ are defined as follows. A trace $V^* \in A^{\mathcal{T}}$ is a limit of $V$, written $V \to V^*$, iff $V^*$ is a limit of $V$ in the derived metric topology of $A^{\mathcal{T}}$. Similar to the properties of limits of a linear set of values, the properties of limits of a linear set of traces are as follows.

Proposition 3.4.6 Let $V : L \to A^{\mathcal{T}}$ for a linear order $L$ and a trace space $A^{\mathcal{T}}$. Then (1) $V \to V^*$ iff $V(t) \to V^*(t)$ for all $t \in \mathcal{T}$, and (2) the set of limits $\{V^* \mid V \to V^*\}$ is a directed subset in $(A^{\mathcal{T}}, \le_{A^{\mathcal{T}}})$ and has a greatest element.
The greatest limit of $V$, written $\lim V$, is defined as the greatest element of the set of limits of $V$, $\lim V = \vee_{A^{\mathcal{T}}} \{V^* \mid V \to V^*\}$. We will call the greatest limit simply the limit if no ambiguity arises. Furthermore, the composite property of the limits holds as well.

Proposition 3.4.7 Let $V : L \to A^{\mathcal{T}}$. Then $(\lim V)(t) = \lim V(t)$, $\forall t \in \mathcal{T}$.

The concept of the limit of a linear set of traces will be used when we introduce limiting semantics in the next chapter.

A nonintermittent trace is a special type of trace defined as follows. A trace $v : \mathcal{T} \to A$ is nonintermittent iff for any $T \in \mathcal{T}^\infty$, $v(T) = \bot_A$ implies that $\forall T' \supseteq T$, $v(T') = \bot_A$. A trace $v : \mathcal{T} \to \times_I A_i$ is nonintermittent iff $v_i$ is nonintermittent for all $i \in I$.

A right-continuous trace is a special type of trace defined as follows. A trace $v : \mathcal{T} \to A$ is right-continuous at $t_0$ if $\forall t > t_0$, $t \to t_0$ implies $v(t) \to v(t_0)$; $v$ is right-continuous if it is right-continuous at all $t \in \mathcal{T}$. A discrete-time trace is always right-continuous according to this definition.

An event trace is a nonintermittent and right-continuous trace whose domain is $\mathcal{B}$. An event trace $e : \mathcal{T} \to \mathcal{B}$ with $e \neq \lambda t . \bot$ generates a structure $(\mathcal{T}_e, d_e, \mu_e)$ from $(\mathcal{T}, d, \mu)$ where:

• $\mathcal{T}_e \subseteq \mathcal{T}$ is defined as $\mathcal{T}_e = \{0\} \cup \{t > 0 \mid e(t) \neq \bot,\ e(t) \neq e(\mathrm{pre}(t))\}$,
• $d_e = d|_{\mathcal{T}_e \times \mathcal{T}_e}$,
• $\forall t \in \mathcal{T}_e$, $\mu_e([0, t)) = \mu([0, t))$, and $\mu_e(\mathcal{T}_e) = \mu(T)$ for $T = \{t \mid e(t) \neq \bot\}$.

Proposition 3.4.8 For any time structure $\mathcal{T}$ and any event trace $e$, $(\mathcal{T}_e, d_e, \mu_e)$ is a discrete sample time structure of $\mathcal{T}$.

For any event-based time, each transition point of the event trace defines a time point (Figure 3.1).

Figure 3.1: An event trace: each dot depicts a time point.

The set of all possible event traces on a reference time structure, associated with a partial order relation and a derived metric topology, forms an event space.
Definition 3.4.2 (Event space) An event space is a triple $(\mathcal{E}^{\mathcal{T}}, \le_{\mathcal{E}^{\mathcal{T}}}, \tau_{\mathcal{E}})$ where $\mathcal{T}$ is a time structure, $\mathcal{E}^{\mathcal{T}} \subseteq \mathcal{B}^{\mathcal{T}}$ is the set of all event traces on $\mathcal{T}$, $\le_{\mathcal{E}^{\mathcal{T}}}$ is the subpartial order relation of $\le_{\mathcal{B}^{\mathcal{T}}}$ and $\tau_{\mathcal{E}}$ is the subspace topology of $\tau^{\mathcal{T}}$, the derived metric topology of $\mathcal{B}^{\mathcal{T}}$.

3.5 Transductions

Transductions are mathematical models of general transformational processes. In this section, we first define general concepts of transductions, then discuss two types of basic transduction: transliterations and delays. Finally, we introduce event-driven transductions for constructing systems with components of different time structures.

3.5.1 General concepts

A transduction is a mapping from input traces to output traces that satisfies the causal relationship between its inputs and outputs, i.e., the output value at any time depends only on inputs up to that time. Formally, causality can be defined as follows.

Definition 3.5.1 (Causality and Transduction) Given $v_1, v_2 \in A^{\mathcal{T}}$ and $\tau \in \mathcal{R}^+$, $v_1$ and $v_2$ are coincident up to $\tau$ iff $\forall t,\ m(t) \le \tau,\ v_1(t) = v_2(t)$. A mapping $F : A^{\mathcal{T}} \to A'^{\mathcal{T}'}$ from a trace space to a trace space is causal if for any $t' \in \mathcal{T}'$, $F(v_1)(t') = F(v_2)(t')$ whenever $v_1$ and $v_2$ are coincident up to $m'(t')$. A causal mapping on trace spaces is called a transduction.

For instance, a state automaton with an initial state defines a transduction on a discrete time structure; a temporal integration with a given initial value is a typical transduction on a continuous time structure. Just as nullary functions represent constants, nullary transductions represent traces. Transductions are closed under functional composition.

We characterize two classes of transduction: primitive transductions and event-driven transductions.

3.5.2 Primitive transductions

Primitive transductions are defined on a generic time structure $\mathcal{T}$. Primitive transductions are functional compositions of two types of basic transduction: transliterations and delays.
Definition 3.5.2 (Transliteration) A transliteration is a pointwise extension of a function. Formally, let $f : A \to A'$ be a function and $\mathcal{T}$ be a time structure. The pointwise extension of $f$ onto $\mathcal{T}$ is a mapping $f_{\mathcal{T}} : A^{\mathcal{T}} \to A'^{\mathcal{T}}$ satisfying $f_{\mathcal{T}}(v) = \lambda t . f(v(t))$.

By this definition, $(f \circ g)_{\mathcal{T}} = f_{\mathcal{T}} \circ g_{\mathcal{T}}$. We will also use $f$ to denote transliteration $f_{\mathcal{T}}$ if no ambiguity arises. Intuitively, a transliteration is a transformational process without memory or internal state, such as a combinational circuit. For example, let the function $\mathcal{B} \times \mathcal{B} \to \mathcal{B}$ that maps $(x, y)$ to $((\neg x) \wedge y) \vee (x \wedge (\neg y))$, i.e., an "exclusive or", be given. Then a pointwise extension of this function is a transliteration, functioning as the basic "or" logic in asynchronous event control [Sut89] (Figure 3.2). We will discuss more on event logics in Chapter 5, Modeling in Constraint Nets.

Figure 3.2: Event logic for "or" (inputs $e_1$ and $e_2$).

There are two types of delay: unit delays and transport delays.

Definition 3.5.3 (Unit delay) Let $A$ be a domain, $v_0$ a well-defined value in $A$, and $\mathcal{T}$ a time structure. A unit delay $\delta^A_{\mathcal{T}}(v_0) : A^{\mathcal{T}} \to A^{\mathcal{T}}$ is a transduction defined as

$$\delta^A_{\mathcal{T}}(v_0)(v) = \lambda t . \begin{cases} v_0 & \text{if } t = 0 \\ v(\mathrm{pre}(t)) & \text{otherwise} \end{cases}$$

where $v_0$ is called the initial output value of the unit delay.

A unit delay $\delta(v_0)$ acts as a unit memory for data in domain $A$, given a discrete time structure. We will use $\delta(v_0)$ to denote unit delay $\delta^A_{\mathcal{T}}(v_0)$ if no ambiguity arises. Unit delays may not be meaningful for non-discrete time structures.

Definition 3.5.4 (Transport delay) Let $A$ be a domain, $v_0$ a well-defined value in $A$, $\mathcal{T}$ a time structure and $\tau > 0$. A transport delay $\Delta^A_{\mathcal{T}}(\tau)(v_0) : A^{\mathcal{T}} \to A^{\mathcal{T}}$ is a transduction defined as

$$\Delta^A_{\mathcal{T}}(\tau)(v_0)(v) = \lambda t . \begin{cases} v_0 & \text{if } m(t) < \tau \\ v(t - \tau) & \text{otherwise} \end{cases}$$

where $v_0$ is called the initial output value of the transport delay and $\tau$ is called the time delay.

We will use $\Delta(\tau)(v_0)$ to denote transport delay $\Delta^A_{\mathcal{T}}(\tau)(v_0)$ if no ambiguity arises. Transport delays are essential for modeling sequential behaviors in dynamic systems.
3.5.3 Event-driven transductions

A primitive transduction maps traces to traces with the same time structure. A hybrid system consists of components of different time structures. In this section, we consider event-driven transductions, which are an important component of our model.

We define sample and extension traces as follows. Let $\mathcal{T}_r$ be a reference time of $\mathcal{T}$ with a reference time mapping $h$. The sample trace of $v : \mathcal{T}_r \to A$ onto $\mathcal{T}$ is a trace $\check{v} : \mathcal{T} \to A$ satisfying $\check{v} = \lambda t . v(h(t))$. The extension trace of $v : \mathcal{T} \to A$ onto $\mathcal{T}_r$ is a trace $\hat{v} : \mathcal{T}_r \to A$ satisfying

$$\hat{v} = \lambda t_r . \begin{cases} v(h^{-1}(t_r)) & \text{if } \exists t \in \mathcal{T},\ \mu([0, t)) \ge \mu_r([0_r, t_r)) \text{ or } \mu_r([0_r, t_r)) < \mu(\mathcal{T}) \\ \bot_A & \text{otherwise} \end{cases}$$

where $h^{-1}(t_r) = \{t \mid h(t) \le_r t_r\} \in \mathcal{T}^\infty$.

Sampling is a type of transduction whose output is a sample trace of its input. Extending is a type of transduction whose output is an extension trace of its input.

An event-driven transduction is a primitive transduction augmented with an extra input which is an event trace; it operates at each event point and the output value holds between two events. The additional event trace input of an event-driven transduction is called the clock of the transduction. Intuitively, an event-driven transduction works as follows. First, the input trace with the reference time $\mathcal{T}$ is sampled onto the sample time $\mathcal{T}_e$ generated by the event trace $e$. Then, the primitive transduction is performed on $\mathcal{T}_e$. Finally, the output trace is extended from $\mathcal{T}_e$ back to $\mathcal{T}$.

Definition 3.5.5 (Event-driven transduction) Let $\mathcal{T}$ be a time structure and $F_{\mathcal{T}} : A^{\mathcal{T}} \to A'^{\mathcal{T}}$ a primitive transduction. Let $\mathcal{E}^{\mathcal{T}} \subseteq \mathcal{B}^{\mathcal{T}}$ be the set of all event traces on time structure $\mathcal{T}$. The event-driven transduction of $F$ is a mapping $F^e_{\mathcal{T}} : \mathcal{E}^{\mathcal{T}} \times A^{\mathcal{T}} \to A'^{\mathcal{T}}$ satisfying:

$$F^e_{\mathcal{T}}(e, v) = \begin{cases} \lambda t . \bot_{A'} & \text{if } e = \lambda t . \bot \\ \widehat{F_{\mathcal{T}_e}(\check{v})} & \text{otherwise} \end{cases}$$

where $\check{v}$ is the sample trace of $v$ onto $\mathcal{T}_e$ and the hat denotes the extension trace back onto $\mathcal{T}$.

We will use $F^e$ to denote event-driven transduction $F^e_{\mathcal{T}}$ if no ambiguity arises.

3.6 Dynamics Structures

With preliminaries established, we define an abstract structure of dynamics.
Definition 3.6.1 ($\Sigma$-dynamics structure) Let $\Sigma = (S, F)$ be a signature. Given a $\Sigma$-domain structure $\mathcal{A}$ and a time structure $\mathcal{T}$, a $\Sigma$-dynamics structure $\mathcal{D}(\mathcal{T}, \mathcal{A})$ is a pair $(\mathcal{V}, \mathcal{F})$ such that

• $\mathcal{V} = \{A_s^{\mathcal{T}}\}_{s \in S} \cup \mathcal{E}^{\mathcal{T}}$ where $A_s^{\mathcal{T}}$ is a trace space of sort $s$ and $\mathcal{E}^{\mathcal{T}}$ is the event space;
• $\mathcal{F} = \mathcal{F}_{\mathcal{T}} \cup \mathcal{F}^e_{\mathcal{T}}$ where $\mathcal{F}_{\mathcal{T}}$ is the set of basic transductions, including the set of transliterations $\{f_{\mathcal{T}}\}_{f \in F}$, the set of unit delays $\{\delta^{A_s}_{\mathcal{T}}(v_s)\}_{s \in S,\ v_s \in A_s}$ and the set of transport delays $\{\Delta^{A_s}_{\mathcal{T}}(\tau)(v_s)\}_{s \in S,\ \tau > 0,\ v_s \in A_s}$; $\mathcal{F}^e_{\mathcal{T}}$ is the set of event-driven transductions derived from the set of basic transductions, i.e., $\{F^e \mid F \in \mathcal{F}_{\mathcal{T}}\}$.

Finishing up this chapter, let us explore the properties of dynamics structures. The following propositions establish the fact that the partial order of a trace space and the partial order of an event space are cpos.

Proposition 3.6.1 The partial order of a domain is a cpo.

Proposition 3.6.2 The partial order of a trace space is a cpo.

Proposition 3.6.3 The partial order of an event space is a cpo.

The following propositions characterize the continuity of basic transductions in partial order topologies.

Proposition 3.6.4 A transliteration $f_{\mathcal{T}} : A^{\mathcal{T}} \to A'^{\mathcal{T}}$ on any time structure $\mathcal{T}$ is continuous if $f : A \to A'$ is continuous.

Proposition 3.6.5 A unit delay on any discrete time structure is continuous.

Proposition 3.6.6 A transport delay is continuous.

The following proposition characterizes the continuity of event-driven transductions.

Proposition 3.6.7 An event-driven transduction $F^e$ is continuous if its primitive transduction $F$ on any discrete time structure is continuous.

The following theorem concludes these properties.

Theorem 3.6.1 ($\Sigma$-dynamics structure) Let $\mathcal{A}$ be a $\Sigma$-domain structure and $\mathcal{T}$ a time structure. The $\Sigma$-dynamics structure $\mathcal{D}(\mathcal{T}, \mathcal{A}) = (\mathcal{V}, \mathcal{F})$ satisfies (1) $\mathcal{V}$ is a multi-sorted set of cpos and (2) transliterations, transport delays and event-driven transductions in $\mathcal{F}$ are continuous in the partial order topology.
If, in addition, T is discrete, all transductions in F are continuous in the partial order topology. Transductions are functions. The well-definedness and strictness of a transduction is the well-definedness and strictness of the function, respectively. The following propositions charac terize well-defined and/or strict transductions in dynamics structures. Proposition 3.6.8 A transliteration fT is well-defined if function f is well-defined; fT is strict w.r.t. an argument if f is strict w.r.t. the argument. Proposition 3.6.9 Any delay is not strict. A unit delay on any discrete time structure is well-defined. A transport delay is well-defined. Proposition 3.6.10 An event-driven transduction F° is well-defined if F on any discrete time structure is well-defined; F° is strict w.r.t. its event input, and F° is strict w.r.t. one of the other input arguments if F is strict w.r.t. the argument. CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 42 Event traces are noniiitermittent and right-continuous. We call a transduction nonintermit tent if its output is nonintermittent whenever its input is nonintermittent. We call a transduc tion right-continuous if its output is right-continuous whenever its input is right-continuous. The following propositions characterize nonintermittent and/or right-continuous transductions in dynamics structures. Proposition 3.6.11 A transliteration fT is right-continuous if f is continuous in the derived A is nonintermittent if f is strict, well-defined and metric topology; fT with f : x 1 A —> continuous in the derived metric topology. Proposition 3.6.12 A delay is nonintermittent. A transport delay is right-continuous. Proposition 3.6.13 An event-driven transduction is right-continuous. An event-driven trans duction F° is nonintermittent if F is nonintermittent. For example, the “event or” transduction (Figure 3.2) is well-defined and strict; it is also right-continuous and nonintermittent. “Event or” is a typical event synchronizer. 
In Chapter 5, Modeling in Constraint Nets, we will define other event synchronizers, all of which are nonintermittent and right-continuous.

We have presented a topological structure of dynamics by formalizing time, domains and traces in topological spaces and by characterizing primitive and event-driven transductions. With such a topological structure, continuous/discrete time and domains can be represented uniformly, and hybrid dynamic systems can be studied in a unitary model.

Chapter 4 The Constraint Net Model

A hybrid dynamic system can have multiple sorts corresponding to different data types, which can be numerical, symbolic or logical. It can have multiple components with different time structures generated by different clocks, and clocks can themselves be generated or synchronized. In this chapter, we present a formal model for hybrid dynamic systems that we call Constraint Nets (CN). We first define the syntax of CN. We then provide a fixpoint semantics of CN using the fixpoint theory of partial orders. Finally, we discuss parameterized CN and temporal integration in CN.

4.1 Syntax of Constraint Nets

In this section, we introduce the syntax of constraint nets and characterize the composite structure and modularity of the model.

4.1.1 Syntax and graphical representation

A constraint net consists of a finite set of locations, a finite set of transductions and a finite set of connections.

Definition 4.1.1 (Syntax) A constraint net is a triple $CN = (Lc, Td, Cn)$, where $Lc$ is a finite set of locations, each associated with a sort; $Td$ is a finite set of labels of transductions, each with an output port and a set of input ports, and each port is associated with a sort; $Cn$ is a set of connections between locations and ports of the same sort, with the following restrictions: (1) there is at most one output port connected to each location, (2) each port of a transduction connects to a unique location and (3) no location is isolated.

CHAPTER 4. THE CONSTRAINT NET MODEL 44

Intuitively, each location is of fixed sort; a location's value typically changes over time. A location can be regarded as a wire, a channel, a variable, or a memory cell. Each transduction is a causal mapping from inputs to outputs over time, operating according to a certain reference time or activated by external events. Connections relate locations with ports of transductions. A clock is a special kind of location connected to the event ports of event-driven transductions.

A location $l$ is an output location of a transduction $F$ iff $l$ connects to the output port of $F$; $l$ is an input location of $F$ iff $l$ connects to an input port of $F$. A location is an output of the constraint net if it is an output location of some transduction; otherwise it is an input. A constraint net is open if it has an input location; otherwise it is closed. We use $I(CN)$ and $O(CN)$ to denote the set of input locations and the set of output locations, respectively, of a constraint net $CN$.

A constraint net is depicted by a bipartite graph where locations are depicted by circles, transductions by boxes and connections by arcs. For example, the graph in Figure 4.1, where $f$ is a transliteration and $\delta(s_0)$ is a unit delay, depicts an open net: $f$ takes the input location $i$ and the state $s$ and produces $s'$, and the unit delay produces $s$ from $s'$. With a discrete time structure the net models a state automaton:
$$s(0) = s_0, \qquad s(n) = f(i(n-1), s(n-1)).$$

Figure 4.1: The constraint net representing a state automaton

The closed net depicted by the graph in Figure 4.2, with a continuous time structure, models the differential equation $\dot{s} = f(s)$.

Figure 4.2: The constraint net representing $\dot{s} = f(s)$

4.1.2 Modules and composition

A system may be composed of subsystems. In order to capture the hierarchical composition structure of systems, we introduce subnets and modules.
Definition 4.1.2 (Subnet) A constraint net $CN_1 = (Lc_1, Td_1, Cn_1)$ is a subnet of $CN_2 = (Lc_2, Td_2, Cn_2)$, written $CN_1 \subseteq CN_2$, if $Lc_1 \subseteq Lc_2$, $Td_1 \subseteq Td_2$, $Cn_1 \subseteq Cn_2$ and $I(CN_1) \subseteq I(CN_2)$.

Definition 4.1.3 (Module) A module is a triple $(CN, I, O)$, also denoted $CN(I, O)$, where $CN$ is a constraint net and $I \subseteq I(CN)$ and $O \subseteq O(CN)$ are subsets of the input and output locations of $CN$, respectively; $I \cup O$ defines the interface of the module. A module $CN(I, O)$ is closed if $I = \emptyset$; otherwise it is open. Locations in $I(CN) - I$ are hidden inputs and locations in $O(CN) - O$ are hidden outputs. A module is depicted by a box with rounded corners.

We define three basic operations, union, coalescence and hiding, that can be applied to obtain a new module from existing ones.

The union operation generates a new module by putting two modules side by side. Formally, let $CN_1 = (Lc_1, Td_1, Cn_1)$ and $CN_2 = (Lc_2, Td_2, Cn_2)$ be two constraint nets with $Lc_1 \cap Lc_2 = \emptyset$ and $Td_1 \cap Td_2 = \emptyset$.¹ The union of $CN_1(I_1, O_1)$ and $CN_2(I_2, O_2)$, written $CN_1(I_1, O_1) \,\|\, CN_2(I_2, O_2)$, is a new module $CN(I, O)$ where $CN = (Lc, Td, Cn)$ is the constraint net with $Lc = Lc_1 \cup Lc_2$, $Td = Td_1 \cup Td_2$ and $Cn = Cn_1 \cup Cn_2$, and $I \cup O$ defines its interface with $I = I_1 \cup I_2$ and $O = O_1 \cup O_2$.

The coalescence operation coalesces two locations in the interface of a module into one, with the restriction that at least one of the two locations is an input location. Formally, let $CN = (Lc, Td, Cn)$ be a constraint net and let $l \in I$ and $l' \in I \cup O$ be of the same sort. The coalescence of $CN(I, O)$ for $l$ and $l'$, denoted $CN(I, O)/(l, l')$, is a new module $CN'(I', O')$ with $CN' = (Lc[l'/l], Td, Cn[l'/l])$, $I' = I - \{l\}$ and $O' = O$, where $X[v/x]$ denotes that $x$ in $X$ is replaced by $v$.

The hiding operation deletes a location from the interface. Formally, let $CN = (Lc, Td, Cn)$ be a constraint net and $l \in I \cup O$. The hiding of $CN(I, O)$ for $l$, denoted $CN(I, O) \backslash l$, is a new module $CN'(I', O')$ with $CN' = CN$, $I' = I - \{l\}$ and $O' = O - \{l\}$.

In addition, we define three combined operations: cascade connection, parallel connection and feedback connection. The cascade connection connects two modules in series. The parallel connection connects two modules in parallel. The feedback connection connects an output of a module to one of its own inputs. Figure 4.3 depicts the three operations. The formal definitions of these operations, in terms of the basic operations, are as follows.

¹ Note that $Td$ is a set of transduction labels, which can be different for the same transduction.

Figure 4.3: Cascade, parallel and feedback connections

Let $o_1 \in O_1$ and $i_2 \in I_2$. A cascade connection of $CN_1(I_1, O_1)$ and $CN_2(I_2, O_2)$, denoted $CN_2(I_2, O_2) \circ CN_1(I_1, O_1)$, produces a new module $CN(I, O)$:
$$CN(I, O) = [(CN_1(I_1, O_1) \,\|\, CN_2(I_2, O_2))/(i_2, o_1)] \backslash o_1.$$

Let $i_1 \in I_1$ and $i_2 \in I_2$. A parallel connection of $CN_1(I_1, O_1)$ and $CN_2(I_2, O_2)$, denoted $CN_1(I_1, O_1) + CN_2(I_2, O_2)$, produces a new module $CN(I, O)$:
$$CN(I, O) = (CN_1(I_1, O_1) \,\|\, CN_2(I_2, O_2))/(i_1, i_2).$$

Let $i \in I$ and $o \in O$. A feedback connection of $CN(I, O)$, denoted $\mathcal{F}(CN(I, O))$, produces a new module $CN'(I', O')$:
$$CN'(I', O') = [CN(I, O)/(i, o)] \backslash o.$$

The following relations hold for these syntactic operations.

Proposition 4.1.1
$CN_1(I_1, O_1) \,\|\, CN_2(I_2, O_2) = CN_2(I_2, O_2) \,\|\, CN_1(I_1, O_1)$.
$CN_1(I_1, O_1) \circ (CN_2(I_2, O_2) \circ CN_3(I_3, O_3)) = (CN_1(I_1, O_1) \circ CN_2(I_2, O_2)) \circ CN_3(I_3, O_3)$ if both sides are defined.
$CN_1(I_1, O_1) + (CN_2(I_2, O_2) + CN_3(I_3, O_3)) = (CN_1(I_1, O_1) + CN_2(I_2, O_2)) + CN_3(I_3, O_3)$ if both sides are defined.

Proposition 4.1.2 The following are properties of subnets:
(1) $CN_1$ and $CN_2$ are subnets of $CN_1 \,\|\, CN_2$.
(2) $CN_1$ and $CN_2$ are subnets of $CN_1 + CN_2$.
(3) $CN_1$ is a subnet of $CN_2 \circ CN_1$; however, $CN_2$ is not a subnet of $CN_2 \circ CN_1$, since its input $i_2$ is no longer an input of the composite.

There are at least three reasons to introduce modules.

First, modules facilitate hierarchical composition structures for complex systems. For example, we can create a state automaton module SA by selecting $\{i, s\}$ or $\{i, s'\}$ as the interface for the constraint net in Figure 4.1. An input/output automaton IOA can be constructed by cascading SA with a transliteration $g$, as shown in Figure 4.4. IOA defines a transduction from input traces to output traces.

Figure 4.4: An input/output automaton ($*$ denotes either $s$ or $s'$)

Second, modules provide a flexible way to generate different systems from the same set of components. To illustrate this idea, let us again consider input/output automata. In general, an input/output automaton is a tuple $\langle I, S, s_0, f^s, O, f^o \rangle$ where $I$ is the set of input values, $S$ is the set of states with $s_0 \in S$ as the initial state, $f^s : I \times S \to S$ is the state transition function, $O$ is the set of output values and $f^o$ is the output function. However, there are two ways to define an output function, corresponding to two types of input/output automata: $f^o : I \times S \to O$ for Mealy machines [Mea55] and $f^o : S \to O$ for Moore machines [Moo56]. In a constraint net model, a Mealy or Moore machine is derived by selecting different output locations as the interface of its state automaton module. If we select $\{i, s'\}$ as the interface of SA, then IOA is a Mealy machine with $f^s = f$ and $f^o = g \circ f$. If we select $\{i, s\}$ as the interface of SA, then IOA is a Moore machine with $f^s = f$ and $f^o = g$.

Third, modules capture the notion of abstraction through hidden locations. Hidden outputs encapsulate the internal structure of a system. The role of hidden inputs, however, is less obvious. Consider again the state automaton in Figure 4.1.
By hiding the only input location $i$, we obtain a closed module representing a nondeterministic state transition system. More specifically, the state transition function $f$ defines a state transition relation $R \subseteq S \times S$ such that $(s, s') \in R$ iff there is $i \in I$ with $s' = f(i, s)$; equivalently, the set of next possible states of a state $s$ is $\{f(i, s) \mid i \in I\}$. In general, any module $CN(I, O)$ with $I \subset I(CN)$ defines a nondeterministic system. Similar concepts have been explored in general systems theory [MT75]. We will discuss the nondeterministic behaviors of modules further in Chapter 6, Behavior Analysis. Furthermore, hidden locations can be associated with random distributions. Thus, while simpler than most inherently nondeterministic models, the Constraint Net model can also incorporate probabilistic and stochastic analysis.

4.2 Semantics of Constraint Nets

We have presented the syntactic structure of constraint nets, which is graphical and modular. However, syntax only serves as a mechanism for creating a model; it does not provide the model's meaning. There are many models with syntax similar to constraint nets (Petri Nets [Pet81], for example) that have totally different interpretations.

Since transductions are mappings from traces to traces, a constraint net denotes a set of equations with locations as variables and transductions as functions; the semantics of the constraint net should be a solution of the set of equations. A set of equations may have no solution, exactly one solution, or more than one solution. For example, for $x \in \mathcal{R}$, $x = x - 2$ has no solution, $x = 0.5x - 2$ has one solution ($-4$), and $x = x^2 - 2$ has two solutions ($-1$ and $2$).

The fixpoint theory of partial orders has been applied to provide denotational semantics for programming languages and models [Hen88]: a program or a model defines a function $f$, and its semantics is the least solution of $x = f(x)$, the least fixpoint of $f$. In this section, we first present the fixpoint theory of partial orders and then apply it to provide a fixpoint semantics for the Constraint Net model.

4.2.1 Fixpoint theory of partial orders

A fixpoint of a function $f$ can be considered as a solution of the equation $x = f(x)$. The least fixpoint is the least element of the set of fixpoints.

Definition 4.2.1 (Fixpoint and least fixpoint) Let $f : A \to A$ be a function on a partial order $A$. An element $a \in A$ is a fixpoint of $f$ if $a = f(a)$. It is the least fixpoint of $f$ if, in addition, $a \le a'$ for every fixpoint $a'$ of $f$.

Least fixpoints, if they exist, are unique. The least fixpoint of $f$ is denoted by $\mu.f$. The first fixpoint theorem is stated as follows.

Theorem 4.2.1 (Fixpoint Theorem I) Let $A$ be a cpo. Every continuous function $f : A \to A$ has a least fixpoint.

We give the proof of this theorem, since the proof itself constructs the least fixpoint.

Proof: Define $x_f^n$ by induction on $n$: $x_f^0 = \bot_A$ and $x_f^{n+1} = f(x_f^n)$. We have $x_f^0 \le x_f^1$ because $x_f^0$ is the least element of $A$. Since $f$ is monotonic (Proposition 3.1.10), $f(x_f^0) \le f(x_f^1)$, i.e., $x_f^1 \le x_f^2$. Continuing this argument we obtain a chain $x_f^0 \le x_f^1 \le x_f^2 \le \cdots$. Since $A$ is a cpo, this chain has a least upper bound $\bigvee_A \{x_f^n \mid n \ge 0\}$, which we denote by $x_f$. Since
$$f(x_f) = \bigvee_A \{f(x_f^n) \mid n \ge 0\} = \bigvee_A \{x_f^n \mid n \ge 1\} = x_f$$
(Proposition 3.1.11), $x_f$ is a fixpoint of $f$. We now show that $x_f$ is the least fixpoint. Suppose $y$ is a fixpoint of $f$. We have $x_f^0 \le y$ because $x_f^0 = \bot_A$. Furthermore, if $x_f^k \le y$ then $x_f^{k+1} = f(x_f^k) \le f(y) = y$. Therefore $x_f^k \le y$ for every $k$, by induction. Thus $y$ is an upper bound of the chain $\{x_f^n \mid n \ge 0\}$, and hence $x_f \le y$. $\Box$

Therefore, for a continuous function $f : A \to A$,
$$\mu.f = \bigvee_A \{f^n(\bot_A) \mid n \ge 0\}.$$

By extending $f$ to a function of two arguments, we have the second fixpoint theorem.

Theorem 4.2.2 (Fixpoint Theorem II) Let $A$ and $A'$ be two cpos.
If $f : A \times A' \to A'$ is a continuous function, then there exists a unique continuous function $\mu.f : A \to A'$ such that for all $a \in A$, $(\mu.f)(a)$ is the least fixpoint of $\lambda x.\, f(a, x)$, or equivalently,
$$\forall a \in A,\quad (\mu.f)(a) = f(a, (\mu.f)(a)).$$
The continuous function $\mu.f : A \to A'$ is called the least fixpoint of the function $f : A \times A' \to A'$, or the least solution of the equation $y = f(x, y)$.

We now investigate further general properties of equations in complete partial orders.

Proposition 4.2.1 Let $I \subseteq J$ be index sets. If $f : \times_I A_i \to A$ is a continuous function, then the extension of $f$, $f' : \times_J A_j \to A$ satisfying $f'(a) = f(a|_I)$, is a continuous function.

Proposition 4.2.2 Let $\{f_k : \times_J A_j \to A_k\}_{k \in K}$ be a family of continuous functions. Then $f : \times_J A_j \to \times_K A_k$ with $f(a)_k = f_k(a)$ is a continuous function.

Proposition 4.2.3 If $f : \times_J A_j \to \times_K A_k$ is a continuous function, $K \subseteq J$ and $I = J - K$, then $f$ has a least fixpoint $\mu.f : \times_I A_i \to \times_K A_k$.

Proposition 4.2.4 Let $X$ be a set of variables and $O \subseteq X$ a set of output variables. Let $\{f_o : \times_X A_x \to A_o\}_{o \in O}$ be a set of continuous functions. Then the set of equations $\{o = f_o(\vec{x})\}_{o \in O}$, with $\vec{x}$ the tuple of variables in $X$, has a least solution.

A set of equations can also be written as $\vec{o} = \vec{f}(\vec{i}, \vec{o})$ where $\vec{i}$ is the tuple of input variables and $\vec{o}$ is the tuple of output variables. If $\vec{f}$ is continuous, then its least fixpoint is a continuous function, denoted $\mu.\vec{f}$.

4.2.2 Semantics of constraint nets

In this section, we define the fixpoint semantics of constraint nets. Let $\Sigma = (S, F)$ be a signature and $c \in S$ a special sort for clocks. A constraint net with signature $\Sigma$ is a triple $CN_\Sigma = (Lc, Td, Cn)$ where
• each location $l \in Lc$ is associated with a sort $s_l \in S$;
• each transduction $F \in Td$ is a basic transduction or an event-driven transduction, and the sorts of its input and output ports are as follows:
1. if $F$ is a transliteration of a function $f : s^* \to s$ in $F$, the sort of the output port is $s$ and the sort of input port $i$ is $s^*(i)$;
2. if $F$ is a unit delay $\delta_s$ or a transport delay $\Delta_s$, the sort of both the input and the output port is $s$;
3. if $F$ is an event-driven transduction, the sort of the event input port is $c$ and the sorts of the other ports are those of its primitive transduction.

Let $\mathcal{D}(\mathcal{T}, \mathcal{A}) = (\mathcal{V}, \mathcal{F})$ be a $\Sigma$-dynamics structure. $CN_\Sigma$ on $(\mathcal{V}, \mathcal{F})$ denotes a set of equations $\{o = F_o(\vec{x}_o)\}_{o \in O(CN)}$ such that for any output location $o \in O(CN)$,
• $F_o$ is a continuous transduction in $\mathcal{F}$ whose output port connects to $o$, and
• $\vec{x}_o$ is the tuple of input locations of $F_o$, i.e., the input port $i$ of $F_o$ connects to location $\vec{x}_o(i)$.

The semantics of a constraint net is defined as follows.

Definition 4.2.2 (Semantics) The semantics of a constraint net $CN$ on a dynamics structure $(\mathcal{V}, \mathcal{F})$, denoted $[\![CN]\!]$, is the least solution of the set of equations $\{o = F_o(\vec{x}_o)\}_{o \in O(CN)}$, given that $F_o$ is a continuous transduction in $\mathcal{F}$ for all $o \in O(CN)$; it is a continuous transduction from the input trace space to the output trace space, i.e., $[\![CN]\!] : \times_{I(CN)} A_{s_l}^{\mathcal{T}} \to \times_{O(CN)} A_{s_l}^{\mathcal{T}}$. Given any set of output locations $O$, the restriction of $[\![CN]\!]$ onto $O$, denoted $[\![CN]\!]|_O : \times_{I(CN)} A_{s_l}^{\mathcal{T}} \to \times_O A_{s_l}^{\mathcal{T}}$, is called the semantics of $CN$ for $O$.

For example, the constraint net in Figure 4.1 denotes the equations $s' = f(i, s)$ and $s = \delta(s_0)(s')$. Given a discrete time structure $\mathcal{N}$, a domain $I$ for inputs and a domain $S$ for states, the semantics for $s$ is $F : I^{\mathcal{N}} \to S^{\mathcal{N}}$ such that
$$F(v)(0) = s_0, \qquad F(v)(n) = f(v(n-1), F(v)(n-1)).$$

Nonintermittent and right-continuous transductions are closed under all types of composition.

Proposition 4.2.5 If a constraint net is composed of nonintermittent transductions, then its semantics is nonintermittent. If a constraint net is composed of right-continuous transductions, then its semantics is right-continuous.

The semantics of a subnet is preserved in any net containing it.

Proposition 4.2.6 If $CN'$ is a subnet of $CN$, then $[\![CN]\!]|_{O(CN')}(\vec{i}) = [\![CN']\!](\vec{i}|_{I(CN')})$.
4.2.3 Semantics of modules

We have defined the semantics of a constraint net as a transduction. We now define the semantics of a module as a set of transductions.

Definition 4.2.3 (Semantics of modules) Given that the semantics of a constraint net $CN$ is $[\![CN]\!] : \times_{I(CN)} A \to \times_{O(CN)} A$, the semantics of a module $CN(I, O)$ is
$$[\![CN(I, O)]\!] = \{F_u : \times_I A \to \times_O A\}_{u \in U},$$
where $F_u(\vec{i}) = [\![CN]\!]|_O(\vec{u}, \vec{i})$ and $U \subseteq \times_{I(CN) - I} A$ is the set of well-defined hidden input traces.

For example, if locations $i$ and $s'$ in Figure 4.1 are hidden, the semantics of the module is a set of traces, one for each well-defined hidden input trace.

The semantics of a composite module can be derived from the semantics of its components.

Proposition 4.2.7 The following properties are associated with module operations:
• Union: if $CN(I, O) = CN_1(I_1, O_1) \,\|\, CN_2(I_2, O_2)$, then $[\![CN(I, O)]\!] = [\![CN_1(I_1, O_1)]\!] \times [\![CN_2(I_2, O_2)]\!]$.
• Cascade connection: if $CN(I, O) = CN_2(I_2, O_2) \circ CN_1(I_1, O_1)$, then $[\![CN(I, O)]\!] = \{F_2 \circ F_1 \mid F_1 \in [\![CN_1(I_1, O_1)]\!],\ F_2 \in [\![CN_2(I_2, O_2)]\!]\}$.
• Parallel connection: if $CN(I, O) = CN_1(I_1, O_1) + CN_2(I_2, O_2)$, then $[\![CN(I, O)]\!] = \{(F_1, F_2) \mid F_1 \in [\![CN_1(I_1, O_1)]\!],\ F_2 \in [\![CN_2(I_2, O_2)]\!]\}$, where $(F_1, F_2)(\vec{i})|_{O_1} = F_1(\vec{i}|_{I_1})$ and $(F_1, F_2)(\vec{i})|_{O_2} = F_2(\vec{i}|_{I_2})$.
• Feedback connection: if $CN'(I', O') = \mathcal{F}(CN(I, O))$, then $[\![CN'(I', O')]\!] = \{\mu.F \mid F \in [\![CN(I, O)]\!]\}$, where $\mu.F$ is the least fixpoint of $F$.

Now we discuss the well-definedness of systems. A constraint net $CN$ is well-defined if its semantics, a transduction, is well-defined. For example, the constraint net in Figure 4.1, given a well-defined function $f$ and a discrete time structure, is well-defined. A module is well-defined if all the transductions in its semantics are well-defined. If a constraint net is well-defined, all its modules are well-defined. The well-definedness of modules is closed under some module operations.

Proposition 4.2.8 If $CN_1(I_1, O_1)$ and $CN_2(I_2, O_2)$ are well-defined modules, then $CN_1(I_1, O_1) \,\|\, CN_2(I_2, O_2)$, $CN_2(I_2, O_2) \circ CN_1(I_1, O_1)$ and $CN_1(I_1, O_1) + CN_2(I_2, O_2)$ are well-defined modules.

However, well-definedness is not closed under the feedback operation. There is a relationship between the well-definedness of a constraint net and the strictness of the transductions in it, which derives from the following property of strict continuous functions.

Proposition 4.2.9 Let $A$ and $A'$ be two cpos. If $f : A \times A' \to A'$ is a continuous function that is strict w.r.t. its second argument, then the least fixpoint of $f$, i.e., the least solution of the equation $o = f(i, o)$, is undefined.

For example, let $+, \cdot : \mathcal{R} \times \mathcal{R} \to \mathcal{R}$ be the strict extensions of addition and multiplication, and let $+_{\mathcal{T}}, \cdot_{\mathcal{T}}$ be the corresponding transliterations. The least solution of $x = 0.5x + 2$ on $\mathcal{D}(\mathcal{T}, \mathcal{R})$ is undefined, even though $\lambda t.\,4$ is a well-defined solution. In general, a net is not well-defined if it has an algebraic loop.

Definition 4.2.4 (Algebraic loop) Let $CN$ be a constraint net. A location $l$ is strictly dependent on a location $l'$ in $CN$, written $l \to l'$, if (1) there is a transduction $F$ in $CN$ such that $l$ is the output location of $F$, $l'$ is an input location of $F$, and $F$ is strict w.r.t. the input port (indicating an input argument) that connects with $l'$; or (2) there is an $l''$ with $l \to l''$ and $l'' \to l'$. $CN$ has an algebraic loop on a location $l$ if $l \to l$.

Proposition 4.2.10 A module $CN(I, O)$ is not well-defined if there is an output location $l \in O$ such that $CN$ has an algebraic loop on $l$.

A common strategy to break an algebraic loop is to insert a delay. For example, by inserting a unit delay $\delta(0)$ into the equation $x = 0.5x + 2$, we obtain $y = 0.5x + 2$, $x = \delta(0)(y)$. Let $\mathcal{N}$ be the time structure. The semantics of the net for $x$ is the sequence $0, 2, 3, 3.5, 3.75, \ldots$ and $\lim_{n \to \infty} x(n) = 4$. Note that $4$ is a solution of $x = 0.5x + 2$ on $\mathcal{R}$.
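As an added illustration of the fixpoint semantics of Sections 4.2.2 and 4.2.3 (example code written for this edition, not part of the thesis), the following Python computes the least solution of a constraint net on a finite prefix of the discrete time structure $\mathcal{N}$ by the Kleene iteration from the proof of Fixpoint Theorem I, starting every output location at the bottom trace. It reproduces the semantics of the state automaton of Figure 4.1, shows that the algebraic loop $x = 0.5x + 2$ has the undefined trace as its least solution (Proposition 4.2.9), and shows that inserting the unit delay $\delta(0)$ yields the relaxation $0, 2, 3, 3.5, 3.75, \ldots$. Representing $\bot$ as `None`, the prefix length `N_STEPS`, and the choice $f(i, s) = i + s$ for the automaton are assumptions of the example.

```python
"""Least-fixpoint semantics of a constraint net on a finite prefix of the
discrete time structure N = {0, 1, ..., N_STEPS - 1}.

Added example, not code from the thesis.  Modelling assumptions: a trace
is a tuple of length N_STEPS whose entries are a value or BOTTOM (the
undefined element); the flat partial order on values lifts pointwise to
traces; a transliteration is the strict pointwise extension of its
function (any BOTTOM argument gives BOTTOM); the unit delay delta(s0)
outputs s0 at time 0 and its input one step earlier afterwards.
"""
from typing import Callable, Dict, Tuple

BOTTOM = None          # least element of every (flat) domain
N_STEPS = 12           # length of the time prefix on which traces are computed

Trace = Tuple          # tuple of length N_STEPS
Equation = Tuple[Callable[..., Trace], Tuple[str, ...]]   # (transduction, input locations)


def bottom_trace() -> Trace:
    """lambda t . BOTTOM, the least trace."""
    return (BOTTOM,) * N_STEPS


def transliteration(f: Callable) -> Callable[..., Trace]:
    """Strict pointwise extension f_T of a function f to traces."""
    def f_t(*traces: Trace) -> Trace:
        out = []
        for t in range(N_STEPS):
            args = [tr[t] for tr in traces]
            out.append(BOTTOM if any(a is BOTTOM for a in args) else f(*args))
        return tuple(out)
    return f_t


def unit_delay(s0) -> Callable[[Trace], Trace]:
    """delta(s0): s0 at t = 0, then the input value at the previous time point."""
    def delta(v: Trace) -> Trace:
        return (s0,) + tuple(v[:-1])
    return delta


def least_fixpoint(equations: Dict[str, Equation],
                   inputs: Dict[str, Trace]) -> Dict[str, Trace]:
    """Least solution of {o = F_o(x_o)}: Kleene iteration from the bottom
    trace.  The transductions are monotonic, so the iterates form an
    ascending chain; on a finite prefix the chain reaches its least upper
    bound after finitely many rounds and the loop terminates."""
    env: Dict[str, Trace] = dict(inputs)
    for o in equations:
        env[o] = bottom_trace()
    while True:
        nxt = dict(env)
        for o, (transduction, args) in equations.items():
            nxt[o] = transduction(*(env[a] for a in args))
        if nxt == env:
            return env
        env = nxt


def state_automaton(i: Trace, s0=0) -> Trace:
    """Figure 4.1 with f(i, s) = i + s:  s' = f(i, s),  s = delta(s0)(s')."""
    f = transliteration(lambda x, s: x + s)
    sol = least_fixpoint({"s_prime": (f, ("i", "s")),
                          "s": (unit_delay(s0), ("s_prime",))},
                         {"i": i})
    return sol["s"]


def algebraic_loop() -> Trace:
    """x = 0.5 x + 2 with a strict transliteration and no delay: the least
    solution is the undefined trace, although lambda t . 4 also solves it."""
    g = transliteration(lambda x: 0.5 * x + 2)
    return least_fixpoint({"x": (g, ("x",))}, {})["x"]


def delayed_loop() -> Trace:
    """y = 0.5 x + 2,  x = delta(0)(y): the loop is broken by the unit delay
    and the semantics for x is the relaxation sequence converging to 4."""
    g = transliteration(lambda x: 0.5 * x + 2)
    sol = least_fixpoint({"y": (g, ("x",)), "x": (unit_delay(0), ("y",))}, {})
    return sol["x"]


if __name__ == "__main__":
    print(state_automaton((1,) * N_STEPS))   # running sum of a constant input
    print(algebraic_loop())                   # all BOTTOM
    print(delayed_loop())                     # 0, 2, 3, 3.5, 3.75, ...
```

The iteration is the Jacobi-style scheme $\vec{f}^{\,n}(\bot)$ of the proof: every equation is evaluated against the previous round's environment, so the chain is exactly $x_f^0 \le x_f^1 \le \cdots$ and no evaluation order is assumed. Because the transliteration is strict, the loop without a delay never lifts any time point above $\bot$, which is precisely the algebraic-loop failure of Proposition 4.2.10; the delayed net lifts one more time point per round.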
In general, a well-defined solution of $x = f(x)$ for a continuous function $f$ can be computed via a relaxation method:
$$x(n+1) = f(x(n)), \quad\text{i.e.,}\quad x(n) = f^n(x(0)),$$
provided $\lim_{n \to \infty} f^n(x_0)$ is well-defined; any relaxation method can be modeled as a state automaton in constraint nets. We will discuss this type of computation further in Part III.

4.2.4 Parameterized nets

In this section, we introduce parameterized nets and discuss the limiting semantics of parameterized nets.

A system may have qualitatively different properties with respect to different parameters. A parameter is a variable in a transduction whose value does not change over time. For example, mass, friction coefficient, initial state, time delay, gain and threshold are typical parameters of robotic systems. Let $CN$ be a constraint net and $P$ a set of parameters in $CN$. We use $CN^P$ and $CN^P(I, O)$ to denote a parameterized net and a parameterized module, respectively. Associated with each parameter $p \in P$ is a set of values $D_p$; $\times_P D_p$ is called the parameter space. The semantics of a parameterized net $CN^P$ is defined as follows.

Definition 4.2.5 (Semantics of parameterized nets) The semantics of a parameterized net $CN^P$, denoted $[\![CN^P]\!]$, is a mapping from the parameter space to the set of transductions, i.e., $[\![CN^P]\!] : \times_P D_p \to (\times_{I(CN)} A^{\mathcal{T}} \to \times_{O(CN)} A^{\mathcal{T}})$, such that for any parameter tuple $v \in \times_P D_p$, $[\![CN^P]\!](v) = [\![CN[v/P]]\!]$, where $CN[v/P]$ denotes that each $p \in P$ in $CN$ is replaced by its corresponding value $v(p)$. The semantics of a parameterized module $CN^P(I, O)$, denoted $[\![CN^P(I, O)]\!]$, is likewise a function of the parameters: $[\![CN^P(I, O)]\!](v) = [\![CN(I, O)[v/P]]\!]$.

There are at least two reasons to introduce parameterized nets.

First, a system can be modeled and analyzed against its parameters. A property of a system may change qualitatively when the values of its parameters change. For example, let $k$ be a gain parameter with $D_k = \mathcal{R}$ and let $y = kx + 2$, $x = \delta(0)(y)$ be a net on the dynamics structure $\mathcal{D}(\mathcal{N}, \mathcal{R})$. The semantics for $x$ is the sequence $0, 2, 2k + 2, \ldots$. If $|k| < 1$, we have $\lim_{n \to \infty} x(n) = \frac{2}{1 - k}$; if $|k| > 1$, we have $\lim_{n \to \infty} x(n) = \bot$. In general, $\lim_{n \to \infty} f^n(x_0)$ exists in $\mathcal{R}$ if $f$ is a contractor [MA86], i.e., $\exists k < 1,\ |f(x) - f(y)| \le k\,|x - y|$. A qualitative property is stable w.r.t. its parameter if the parameter region that supports the property is open. In the previous example, the convergence property is stable since $\{k \mid k \in \mathcal{R},\ |k| < 1\}$ is open. Intuitively, a stable property means that a small change in the value of its parameters will not cause a qualitative change of the property.

Second, limiting semantics can be defined. Let $P$ be a set of parameters, $\times_P D_p$ the parameter space, and $<_{\times_P D_p}$ a partial order relation. If $(\times_P D_p, <_{\times_P D_p})$ is a linear order and $CN^P$ is a closed parameterized net whose semantics is a mapping $[\![CN^P]\!] : \times_P D_p \to \times_{O(CN)} A^{\mathcal{T}}$, the limiting semantics of $CN^P$ w.r.t. the parameter set $P$, written $[\![CN^*]\!]$, is defined as the limit of the linearly ordered set of traces $[\![CN^P]\!]$, i.e., $[\![CN^*]\!] = \lim [\![CN^P]\!]$.

An infinitesimal is an important parameter for limiting semantics. Let $\epsilon$ be a parameter with $D_\epsilon = (0, 1) \subset \mathcal{R}$, and let $<_{D_\epsilon}$ be a partial order relation such that $(D_\epsilon, <_{D_\epsilon})$ is a linear order. We call such an $\epsilon$ an infinitesimal. The limiting semantics of $CN^\epsilon$ w.r.t. the parameter $\epsilon$ is $\lim_{\epsilon \to 0} [\![CN^\epsilon]\!]$. For example, let $CN^\epsilon$, with parameter $\epsilon$ as an infinitesimal, be a closed parameterized net denoting $y = f(x)$, $x = \Delta(\epsilon)(x_0)(y)$ on $\mathcal{D}(\mathcal{R}^+, \mathcal{R})$. If $f = \lambda x.\,x$, then $[\![CN^*]\!] = \lambda t.\,x_0$; if $f = \lambda x.\,(-x)$, then $x(t) = \bot$ for all $t > 0$, since the $\epsilon$-semantics alternates between $x_0$ and $-x_0$ on successive intervals of length $\epsilon$ and has no limit.

4.2.5 Temporal integration

So far we have no definition for temporal integration, the most important type of transduction on continuous time structures. We now define temporal integration on vector spaces and provide the semantics of constraint nets with temporal integration using limiting semantics.

A vector space [War72] is a set $X$ associated with the functions sum and product, $+ : X \times X \to X$ and $\cdot : \mathcal{R} \times X \to X$, and with $0_X \in X$, satisfying the following conditions:
$$x + y = y + x,\quad (x + y) + z = x + (y + z),\quad \alpha(x + y) = \alpha x + \alpha y,\quad (\alpha + \beta)x = \alpha x + \beta x,$$
$$\alpha(\beta x) = (\alpha\beta)x,\quad x + 0_X = x,\quad 0x = 0_X,\quad 1x = x.$$
Let $\sum_{i \in I} x_i$ denote the sum of all elements in $\{x_i\}_{i \in I}$. A topological vector space is a vector space with a topology such that $+$ and $\cdot$ are continuous functions.

Let $U$ be a vector space with functions $+ : U \times U \to U$ and $\cdot : \mathcal{R} \times U \to U$ continuous in the metric topology. Temporal integration $\int(s_0) : U^{\mathcal{T}} \to U^{\mathcal{T}}$ with an initial state $s_0 \in U$ can be defined as follows. Let $+$ and $\cdot$ be strict extensions. Given that $\mathcal{T}$ is a discrete time structure, for all $t > 0$ let $pre(t)$ denote the previous time point. Temporal integration is defined as
$$\int(s_0)(u) = \lambda t.\begin{cases} s_0 & \text{if } t = 0,\\ s_0 + \sum_{0 < t' \le t} \mu([pre(t'), t')) \cdot u(pre(t')) & \text{otherwise.}\end{cases}$$
We can represent $\int(s_0)$ as the least solution of the equation
$$s = \delta(s_0)(s) + dt \cdot \delta(0)(u), \qquad\text{where}\quad dt = \lambda t.\begin{cases} 0 & \text{if } t = 0,\\ \mu([pre(t), t)) & \text{otherwise.}\end{cases}$$
This equation can be represented by a constraint net that computes temporal integration on discrete time structures.

Given that $\mathcal{T}$ is an arbitrary time structure, temporal integration is defined as follows. Let $\mathcal{T}_e$ be a discrete sample time of $\mathcal{T}$, generated by an event trace $e$ with $e = \Delta(\epsilon)(0)(\neg e)$ for an infinitesimal $\epsilon > 0$. Let $int(s_0) = \lambda(u, s).\ \delta(s_0)(s) + dt \cdot \delta(0)(u)$. Temporal integration $\int(s_0)$ can then be computed by a module $CN(u, s)$ where $CN$ denotes the following two equations:
$$s = int^{e}(s_0)(e, u, s), \qquad e = \Delta(\epsilon)(0)(\neg e),$$
with $\epsilon > 0$ as an infinitesimal. This definition can be considered as derived from the forward Euler method; however, we are interested in semantics rather than in the numerical simulation of differential equations.

As an example, let us investigate the limiting semantics of the net in Figure 4.2 with $U$ as $\mathcal{R}$, $\mathcal{T}$ as $\mathcal{R}^+$ and $f = \lambda s.\,(-s)$, a strict function. This closed net is represented by three equations:
$$s = int^{e}(s_0)(e, u, s), \qquad e = \Delta(\epsilon)(0)(\neg e), \qquad u = -s.$$
The solution for $e$ is
$$e = \lambda t.\begin{cases} 0 & \text{if } \lfloor t/\epsilon \rfloor \text{ is even},\\ 1 & \text{otherwise.}\end{cases}$$
The solution for $s$ is the least solution of $s = int^{e}(s_0)(e, -s, s)$. Following the proof of Fixpoint Theorem I, let $s^0 = \lambda t.\,\bot$ be the least element; then
$$s^1 = int^{e}(s_0)(e, -s^0, s^0) = \lambda t.\begin{cases} s_0 & \text{if } t < \epsilon,\\ \bot & \text{otherwise,}\end{cases}
\qquad
s^2 = int^{e}(s_0)(e, -s^1, s^1) = \lambda t.\begin{cases} s_0 & \text{if } t < \epsilon,\\ s_0 - \epsilon s_0 & \text{if } \epsilon \le t < 2\epsilon,\\ \bot & \text{otherwise,}\end{cases}$$
and in general
$$s^{k+1} = int^{e}(s_0)(e, -s^k, s^k) = \lambda t.\begin{cases} (1 - \epsilon)^{\lfloor t/\epsilon \rfloor} s_0 & \text{if } t < (k+1)\epsilon,\\ \bot & \text{otherwise,}\end{cases}$$
where on the last defined interval $k\epsilon \le t < (k+1)\epsilon$ the value is $\big(\sum_{i=0}^{k} \binom{k}{i} (-1)^i \epsilon^i\big) s_0 = (1 - \epsilon)^k s_0$. Let $s = \bigvee_{k \ge 0} \{s^k\}$. Then $s = \lambda t.\,(1 - \epsilon)^{\lfloor t/\epsilon \rfloor} s_0$ is the least solution of the equation $s = int^{e}(s_0)(e, -s, s)$. The limiting semantics of the net for $s$ is
$$s^* = \lambda t.\,\lim_{\epsilon \to 0} (1 - \epsilon)^{\lfloor t/\epsilon \rfloor} s_0 = \lambda t.\, s_0 e^{-t},$$
which is the solution of $\dot{s} = -s$.

Some remarks follow about this semantics of constraint nets with temporal integration. First, limiting semantics applies only to a closed parameterized net and is not compositional. For a constraint net with more than one temporal integrator, we use a single infinitesimal for all the temporal integrators. Second, temporal integration in constraint nets is defined on any time structure, discrete or continuous, and on any vector space, numerical or symbolic. Third, in general, a set of differential equations can have no solution or more than one solution. The limiting semantics produces a unique solution in any case, which might not be well-defined. For example, one differential equation with $x(0) = 0$ on the dynamics structure $\mathcal{D}(\mathcal{R}^+, \mathcal{R})$ has infinitely many solutions, two significant ones being $x = \lambda t.\,0$ and $x = \lambda t.\,t^2$; the limiting semantics gives only $x = \lambda t.\,0$. Another, also with $x(0) = 0$ on $\mathcal{D}(\mathcal{R}^+, \mathcal{R})$, has two normal solutions $x = \lambda t.\,\sqrt{t}$ and $x = -\lambda t.\,\sqrt{t}$; the limiting semantics gives the undefined solution $x = \lambda t.\,\bot$. In the next chapter, we will come back to this issue and discuss the conditions under which a constraint net produces the "correct" solution.

We can also define three variations of temporal integration: (1) temporal integration with bounds, (2) temporal integration with reset, and (3) integration against another trace on domain $\mathcal{R}$.
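Example code added for this edition (not the thesis's own): the forward-Euler reading of $int^{e}(s_0)$ above, computed on the sample time $\{0, \epsilon, 2\epsilon, \ldots\}$ generated by the clock $\Delta(\epsilon)(0)(\neg e)$, for the net of Figure 4.2 with $f = \lambda s.\,(-s)$. It builds the chain $s^0 \le s^1 \le \cdots$ from the proof of Fixpoint Theorem I, each $s^k$ defined on $[0, k\epsilon)$ and $\bot$ beyond, reads off the least solution $(1-\epsilon)^{\lfloor t/\epsilon\rfloor} s_0$, and measures how far the $\epsilon$-semantics is from the limit $s_0 e^{-t}$ as $\epsilon$ is halved. Using `None` for $\bot$, a finite horizon, and representing a trace only by its values at the sample points are assumptions of the example.

```python
"""Limiting semantics of temporal integration for s' = -s (Figure 4.2).

Added example; not code from the thesis.  Assumptions: the reference time
is R+ restricted to [0, horizon]; the clock e = Delta(eps)(0)(not e) has
period eps, so the sample time is {0, eps, 2 eps, ...}; on that sample
time int(s0)(e, u, s) is the recurrence s(t) = s(pre(t)) + eps * u(pre(t))
with s(0) = s0; BOTTOM = None stands for the undefined value; a trace is
represented by its values at the sample points only (between samples the
extension trace holds the last value).
"""
import math
from typing import List, Optional

BOTTOM = None
Trace = List[Optional[float]]


def sample_time(eps: float, horizon: float) -> List[float]:
    """Event points of the clock Delta(eps)(0)(not e) within [0, horizon]."""
    n = int(math.floor(horizon / eps + 1e-9))
    return [k * eps for k in range(n + 1)]


def int_step(s0: float, eps: float, u: Trace, s: Trace) -> Trace:
    """One application of int^e(s0)(e, u, s) on the sample time, with the
    strict extensions of + and *: s(0) = s0, and s(t) = s(pre(t)) +
    eps * u(pre(t)) is BOTTOM whenever either argument is BOTTOM."""
    out: Trace = [s0]
    for k in range(1, len(s)):
        prev_s, prev_u = s[k - 1], u[k - 1]
        out.append(BOTTOM if prev_s is BOTTOM or prev_u is BOTTOM
                   else prev_s + eps * prev_u)
    return out


def approximants(s0: float, eps: float, horizon: float) -> List[Trace]:
    """The chain s^0 <= s^1 <= ... from the proof of Fixpoint Theorem I for
    the net s = int^e(s0)(e, u, s), u = -s.  s^0 is the bottom trace and
    s^(k+1) = int^e(s0)(e, -s^k, s^k); each round lifts one more sample
    point above BOTTOM.  Iteration stops at the fixpoint."""
    n = len(sample_time(eps, horizon))
    chain: List[Trace] = [[BOTTOM] * n]
    while True:
        s = chain[-1]
        u = [BOTTOM if x is BOTTOM else -x for x in s]     # u = -s, strict
        nxt = int_step(s0, eps, u, s)
        if nxt == s:
            return chain
        chain.append(nxt)


def least_solution(s0: float, eps: float, horizon: float) -> Trace:
    """Least upper bound of the chain: its last, fully defined element,
    equal to (1 - eps)^floor(t/eps) * s0 at every sample point."""
    return approximants(s0, eps, horizon)[-1]


def sup_error(eps: float, horizon: float = 1.0) -> float:
    """Distance between the eps-semantics of s' = -s, s(0) = 1 and the exact
    solution e^{-t}, measured at the sample points."""
    ts = sample_time(eps, horizon)
    s = least_solution(1.0, eps, horizon)
    return max(abs(x - math.exp(-t)) for t, x in zip(ts, s))


if __name__ == "__main__":
    for k, s in enumerate(approximants(1.0, 0.25, 1.0)):
        print(f"s^{k} = {s}")          # defined on [0, k*eps), BOTTOM beyond
    for eps in (0.1, 0.05, 0.025):
        print(eps, sup_error(eps))     # shrinks roughly linearly in eps
```

On a finite horizon the chain is finite, so its least upper bound is simply its last element; on $\mathcal{R}^+$ the chain is infinite and the least solution is its supremum, exactly as in the text. The error figures are the practical meaning of "limiting semantics": the $\epsilon$-net is a first-order approximation whose distance to $s_0 e^{-t}$ halves with $\epsilon$, and the limit, not any single $\epsilon$-trace, is the semantics of the net.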
A bounded temporal integration, denoted $\int^{(m, M)}(s_0)$, ensures that the output values at all time points lie between $m$ and $M$, i.e., $\forall u, t,\ m \le \int^{(m, M)}(s_0)(u)(t) \le M$. We can realize this restriction by simply letting
$$int(s_0) = \lambda(u, s).\ \min(\max(\delta(s_0)(s) + dt \cdot \delta(0)(u),\ m),\ M),$$
where $\min$ and $\max$ are strict continuous extensions of the conventional $\min$ and $\max$, respectively.

A reset temporal integration, denoted $\int_r(s_0)$, is a transduction of two arguments with the second argument as an event input: $\int_r(s_0)(u, c)$ sets the output value back to $s_0$ whenever there is an event at $c$. A reset temporal integration can be realized as follows. Let
$$int(s_0) = \lambda(u, c, s).\ cond(c,\ \delta(0)(c),\ \delta(s_0)(s) + dt \cdot \delta(0)(u),\ s_0),$$
where $cond$ is the conditional function defined in Equation 3.1. The reset temporal integration $\int_r(s_0)$ can be computed by a module $CN(\{u, c\}, s)$ where $CN$ denotes the two equations
$$s = int^{e}(s_0)(e, u, c, s), \qquad e = \Delta(\epsilon)(0)(\neg e),$$
with $\epsilon > 0$ an infinitesimal.

A trace-based temporal integration, denoted $\int(s_0)(u, v)$ or $\int(s_0)(u)\,d(v)$, is a transduction of two arguments with the second argument a trace on domain $\mathcal{R}$; it integrates $u$ against the changes of $v$. A trace-based temporal integration can be realized as follows. Let
$$int(s_0) = \lambda(u, v, s).\ \delta(s_0)(s) + dv \cdot \delta(0)(u), \qquad\text{where}\quad dv = \lambda t.\begin{cases} 0 & \text{if } t = 0,\\ v(t) - v(pre(t)) & \text{otherwise.}\end{cases}$$
The trace-based temporal integration $\int(s_0)$ can be computed by a module $CN(\{u, v\}, s)$ where $CN$ denotes the two equations $s = int^{e}(s_0)(e, u, v, s)$ and $e = \Delta(\epsilon)(0)(\neg e)$, with $\epsilon > 0$ an infinitesimal.

4.3 Summary

We have presented CN, a formal model for hybrid dynamic systems. The syntax of CN is graphical and modular, and the semantics of CN is denotational and compositional. The modular aspect of CN not only provides hierarchical structures for system composition but also provides a simple and general concept of nondeterminism. The fixpoint semantics provides a rigorous and straightforward interpretation of the meaning of CN.
Furthermore, parameterized nets and temporal integration increase the representational power of CN. As a result, CN can be used to model a discrete/continuous hybrid dynamic system with various event-driven components, while events can be generated and synchronized within the system. In the next chapter, we will focus on some typical types of event computation and then discuss modeling aspects of CN via examples.

Chapter 5

Modeling in Constraint Nets

A dynamic system is defined on a dynamics structure $\mathcal{D}(\mathcal{T}, \mathcal{A})$ where $\mathcal{T}$ is a time structure and $\mathcal{A}$ is a domain structure; the time and domain structures can be either continuous or discrete. Table 5.1 shows examples of the four basic types of model for dynamic systems. We call a dynamic system composed of components of more than one basic type a hybrid system. We have developed Constraint Nets (CN) as a formal model for hybrid dynamic systems.

A hybrid dynamic system consists of modules with different time structures, with its domain structure multi-sorted. A typical hybrid domain structure would include a continuous domain $\mathcal{R}$ and a discrete or finite domain $S$, with associated functions. A typical reference time for a hybrid dynamic system is the set of nonnegative real numbers $\mathcal{R}^+$. Event-driven modules can be associated with different clocks, characterizing different sample time structures generated by event traces. An event trace can be either of fixed sampling rate, or created by some event generator that responds to changes of its inputs. Multiple event traces can also be combined to generate other event traces. Typical event interactions are "event or," "event and," and "event select" that can be defined in terms of event logics. With event logic modules, asynchronous components can be coordinated.

In this chapter, we first focus on some general issues on event control logics and typical event generators and synchronizers.
We then illustrate constraint net modeling via an example that characterizes the features of CN. Finally, we discuss the power of CN in terms of both discrete and continuous computation.

Table 5.1: Basic types of model for dynamic systems

Dynamic Systems    | Discrete Domain        | Continuous Domain
Discrete Time      | Finite State Machines  | Difference Equations
Continuous Time    | Asynchronous Circuits  | Differential Equations

5.1 Event Generators and Synchronizers

Introducing event-driven transductions makes a simple and unitary model for arbitrary event-triggered components as well as for various components with fixed sampling rates. Furthermore, events can be generated and synchronized within the model. In this section, we discuss some typical event generators and synchronizers for modeling, programming and design.

5.1.1 Event generators

An event generator is a transduction whose output is an event trace. For example, $e = \delta_\tau(0)(\neg e)$ is an event generator whose output is an event trace of fixed sampling rate. There are event generators with their output capturing the changes of their input. For example, a transition is generated whenever a certain property becomes true.

We introduce some basic modules that will be used mostly for event control.

Figure 5.1: Basic modules for event logics

Let $cond$ be the conditional function defined in Equation 3.1.

• Module $NE(i, o)$ (Figure 5.1(a)) is composed of a unit delay and a transliteration $ne$ where $ne : \mathcal{B} \times \mathcal{B} \to \mathcal{B}$ is defined as $ne(x, y) = cond(x, y, 0, 1)$.

• Module $NE1(i, o)$ (Figure 5.1(b)) is the same as $NE(i, o)$ except that $ne$ is replaced by $ne1 : \mathcal{B} \times \mathcal{B} \to \mathcal{B}$, $ne1(x, y) = cond(x, y, 0, cond(x, 1, 1, 0))$.

• Module $G(i, o)$ (Figure 5.1(c)) is composed of a unit delay and a transliteration $g$ where $g : \mathcal{B} \times \mathcal{B} \to \mathcal{B}$ is defined as $g(x, y) = cond(x, 0, y, \neg y)$.

(As a matter of fact, both $ne$ and $g$ are an "exclusive or".)
If the reference time is not discrete, unit delays in these modules are performed at a fast (relative to its inputs and/or outputs) fixed sampling rate. Note that both $NE$ and $NE1$ are nonintermittent and right-continuous. Furthermore, $G$ is an event generator, and any cascade connection to $G$ is an event generator. For example, "rising transition" (an event generator that generates an event whenever its input changes from 0 to 1) is a cascade connection of $NE1$ to $G$, i.e., $G \circ NE1$.

5.1.2 Event synchronizers

An event synchronizer is a transduction that maps event traces to new event traces. For example, "event or" (Figure 3.2) is an event synchronizer that merges events in its two input traces as long as no two events happen at the same time. Now let us consider "event and" (Figure 5.2), another important event synchronizer.

Figure 5.2: Event logic for "and"

The Muller C-element [Sut89] acts as the "and" for events: if both of its inputs are of the same value, the output and its next state are copies of that value, otherwise the output and its next state are unchanged. The Muller C-element can be modeled as a state automaton (Figure 4.1) with a state transition function $mc : \mathcal{B} \times \mathcal{B} \times \mathcal{B} \to \mathcal{B}$, $mc(i_1, i_2, s) = cond(i_1, i_2, i_2, s)$. The Muller C-element is a module with $i_1, i_2$ and $s'$ as the interface, i.e., a Mealy machine. We can verify that the transduction of the Muller C-element is indeed nonintermittent and right-continuous; therefore, its output is an event trace as long as its inputs are event traces.

We should also notice, according to the definition, that the Muller C-element works as "event and" only for inputs with the following properties:

1. both inputs start at the same value (0 or 1), and

2. the order of events in the two inputs is paired such that exactly one event in each pair is produced by each of its inputs.
Only after an event takes place on both of its inputs will the output produce an event, i.e., an event in the output corresponds to the second event in a pair of input events. The Muller C-element generalizes easily to three or more inputs. Such elements are also called rendezvous elements [Sut89].

Although the absolute value (from 0 to 1, or 1 to 0) of a transition in a single event trace does not matter, the value relative to other related traces does matter. Thus, it is sometimes important to invert transition signals. We use the standard "and" logic symbol with a "C" inside it to represent Muller C-elements and "bubbles" on input or output ports to represent inversions.

"Event and" elements have been used to coordinate asynchronous events in distributed systems [Sut89]. Consider a simple 1-buffered producer-consumer problem. Both producer and consumer are processes that repeat the following two steps: ask the synchronizer to grant permission for an action (to produce or to consume), and then whenever the request is granted, do the action (the producer produces or the consumer consumes a product). In Figure 5.3, $R1$ is the request from the producer and $R2$ is the request from the consumer. We use clock $C1$ to grant the producer and clock $C2$ to grant the consumer. Assume that either producing or consuming takes time $T$. Two negated Muller C-elements (with initial state 0) and two transport delays are used to synchronize events. Requests from $R1$ and $R2$ may arrive asynchronously. Given that $R1$ starts at 0 and $R2$ starts at 1, we can check by hand that $C1$ generates a new event if there is a transition at $R1$ and the buffer is empty ($C1 = C2$). $C2$ generates a new event if there is a transition at $R2$ and the buffer is full ($C1 \ne C2$). In Part II, we will provide formal specification languages for declaring desired properties of a given system and explore formal verification methods for checking the correctness of the given system.
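The event-logic modules above can be exercised on concrete discrete-time traces. The following is an added example, not code from the thesis: it simulates the modules $NE$, $NE1$ and $G$, the rising-transition generator $G \circ NE1$, and the Muller C-element, on constructed sample traces. It assumes the reading $cond(x, y, a, b) = a$ if $x = y$ else $b$ for the conditional function of Equation 3.1 (the equation itself is not on this page; this reading is the one under which $ne(x, y) = cond(x, y, 0, 1)$ is the "not equal" test), and it assumes that every unit delay starts at 0.

```python
"""Added example (not from the thesis): discrete-time simulation of the
event-logic modules of Section 5.1.  A trace is a Python list indexed by
discrete time.  Assumed: cond(x, y, a, b) = a if x == y else b, and all
unit delays start at 0."""


def cond(x, y, a, b):
    return a if x == y else b


def ne(x, y):
    # 1 exactly when the two arguments differ ("exclusive or")
    return cond(x, y, 0, 1)


def ne1(x, y):
    # 1 exactly when x differs from y and x == 1: a change *to* 1
    return cond(x, y, 0, cond(x, 1, 1, 0))


def g(x, y):
    # toggle the stored value y whenever the input x is 1 (also an xor)
    return cond(x, 0, y, 1 - y)


def NE(i, init=0):
    """Module NE(i, o): o(t) = ne(i(t), i(t-1)); the delayed input starts at init."""
    out, prev = [], init
    for x in i:
        out.append(ne(x, prev))
        prev = x
    return out


def NE1(i, init=0):
    """Module NE1(i, o): o(t) = ne1(i(t), i(t-1))."""
    out, prev = [], init
    for x in i:
        out.append(ne1(x, prev))
        prev = x
    return out


def G(i, init=0):
    """Module G(i, o): o(t) = g(i(t), o(t-1)); here the delay sits on the output."""
    out, state = [], init
    for x in i:
        state = g(x, state)
        out.append(state)
    return out


def rising_transition(i):
    """G o NE1: the output toggles (an event) at every 0 -> 1 change of i."""
    return G(NE1(i))


def muller_c(i1, i2, init=0):
    """Muller C-element, mc(i1, i2, s) = cond(i1, i2, i2, s): copy the inputs
    to the output when they agree, otherwise hold the previous output."""
    out, s = [], init
    for a, b in zip(i1, i2):
        s = cond(a, b, b, s)
        out.append(s)
    return out


def events(trace, init=0):
    """Time points at which a trace changes value, i.e. its events."""
    times, prev = [], init
    for t, x in enumerate(trace):
        if x != prev:
            times.append(t)
        prev = x
    return times


# Constructed sample traces (not from the thesis).
SIGNAL = [0, 0, 1, 1, 0, 1, 1, 1, 0]   # rises to 1 at t=2 and t=5
E1 = [0, 0, 1, 1, 1, 1, 0, 0]          # event trace with events at t=2, t=6
E2 = [0, 0, 0, 0, 1, 1, 1, 0]          # event trace with events at t=4, t=7

if __name__ == "__main__":
    print("rising transitions of SIGNAL:", events(rising_transition(SIGNAL)))
    # "event and": one output event per pair, at the second event of the pair
    print("event-and of E1 and E2:", events(muller_c(E1, E2)))
```

Running the block shows the two properties the text states: the rising-transition generator emits exactly one event per 0-to-1 change of its input, and the C-element's output event is the second event of each input pair (here at t=4 and t=7), so its output is again an event trace.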
"Event filter" is an event synchronizer that selects events from its two event inputs according to the value in its first input. Figure 5.4 is a module for an "event filter" element that is composed of basic modules $NE$ and $G$ as well as a transliteration $f$ defined as $f(b, x, y) = cond(b, 0, x, y)$.

Figure 5.3: A producer-consumer event synchronizer

Figure 5.4: An event filter

Similarly, "event select" is an event synchronizer that steers events in its second input to one of two of its outputs according to the value in its first input. Figure 5.5 is a module for an "event select" element that is composed of basic modules $NE$ and $G$ as well as a transliteration $s$ defined as $s(b, x) = cond(b, 0, (x, 0), (0, x))$.

Figure 5.5: An event select

FILTER (resp. SELECT) can be extended to three or more input (resp. output) event traces. In this way, we can also model all the event logic elements described in Sutherland's paper [Sut89], such as "Switch," "Event-Controlled Storage Element" (ECSE), "Toggle," "Arbiter," etc.

5.2 Modeling Hybrid Systems

A robotic system is a hybrid system in general, which is an integration of a plant with continuous dynamics, a continuous/discrete hybrid controller, and a possibly changing environment (Figure 1.1). Let us consider an example, a car-like maze traveler. Suppose a maze is composed of blocks of bounded size placed on an unbounded plane. A car-like robot with two touch sensors, forward sensor $SF$ and right-side sensor $SR$ (Figure 5.6(a)), is required to traverse the maze from west to east (Figure 5.6(b)). As any robotic system, this system consists of a plant, a controller and an environment. The plant is the body of the car-like robot, which can move forward/backward by setting a speed $v$ and can make turns by steering two front wheels to some angle $\alpha$.
The environment is the maze, and the controller connects sensor signals and motor commands (Figure 5.7). The plant of the robot has been modeled as a constraint net in Figure 1.2 on dynamics structure $\mathcal{D}(\mathcal{R}^+, \mathcal{R})$. The environment can be modeled as a transliteration that maps any configuration of the car-like robot ($(x, y, \theta) \in \mathcal{R} \times \mathcal{R} \times \mathcal{R}$) to sensor signals ($SF, SR \in \mathcal{B}$) over time (continuously). If the robot is facing (or to the left of) a wall within some distance, the forward (or right) sensor $SF$ (or $SR$) is on, i.e., $SF = 1$ (or $SR = 1$); otherwise it is off, i.e., $SF = 0$ (or $SR = 0$).

Figure 5.6: (a) The car-like robot (b) Traveling through a maze

Figure 5.7: The maze traveler robotic system

The simplest strategy for a robot to move out of a maze is to follow a wall with one side (e.g., the right side) [Ad81]. Starting at any position with the correct heading $|\theta| < \delta$ (e.g., east), the robot is always moving forward until it hits a wall ($SF$ becomes on). Whenever it hits a wall, it turns left ($\theta = \theta + \pi/2$), with its right side against the wall, and moves forward. Whenever the right side is off the wall ($SR$ becomes off) and the heading is not correct ($|\theta - k\pi/2| < \delta$, $k > 0$), it turns right ($\theta = \theta - \pi/2$), again with its right side against the wall, and moves forward. This strategy can be modeled as a transliteration that maps the heading of the car and the sensor signals $(\theta, SF, SR)$ to a control signal $c \in \{0, -1, 1\}$ where 0 means "continuing in the current direction," $-1$ means "turning right" and 1 means "turning left:"

$|\theta - k\pi/2| < \delta,\ k > 0$: if $SR = 0$ then $c = -1$ else if $SF = 1$ then $c = 1$ else $c = 0$

$|\theta| < \delta$: if $SF = 1$ then $c = 1$ else $c = 0$

We will see that (in Part II) if the car is not in a closed block and if there is always enough space for the robot to turn, the robot will move in the correct direction ($|\theta| < \delta$) persistently.
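The wall-following transliteration can be written out directly, which makes its case split easy to test before the event-driven machinery is put around it. The following is an added example, not code from the thesis: it implements the map $(\theta, SF, SR) \mapsto c$ above and the heading-window test $|\theta - k\pi/2| < \delta$ on which it relies. It assumes headings are measured in radians with $k = 0$ (east) as the correct direction, and that the strategy is only consulted when $\theta$ lies inside one of the windows, since it is evaluated at events; the sample event sequence at the bottom is constructed.

```python
"""Added example (not from the thesis): the wall-following strategy of the
car-like maze traveler as a transliteration (theta, SF, SR) -> c.
Assumed: theta in radians, k = 0 is east (the correct heading), and the
strategy is only evaluated when theta lies in a window (k*pi/2 +- delta)."""
import math


def heading_index(theta, delta):
    """Return k with |theta - k*pi/2| < delta, or None if theta is in no window."""
    k = round(theta / (math.pi / 2))
    return k if abs(theta - k * math.pi / 2) < delta else None


def strategy(theta, sf, sr, delta):
    """c = 0: continue, c = -1: turn right, c = 1: turn left."""
    k = heading_index(theta, delta)
    if k is None:
        # The strategy is event-driven: it is not consulted between windows.
        raise ValueError("theta is not within delta of any k*pi/2")
    if k > 0:
        # Heading is not east: keep the right side against a wall.
        if sr == 0:        # right wall gone -> turn right
            return -1
        if sf == 1:        # wall ahead -> turn left
            return 1
        return 0
    if k == 0:
        # Correct heading: only a wall ahead forces a (left) turn.
        return 1 if sf == 1 else 0
    # k < 0 is not covered by the strategy as stated (right turns only happen
    # for k > 0, so such headings are not reached from a correct start).
    raise ValueError("heading index k < 0 is outside the strategy")


def decisions(samples, delta):
    """Apply the strategy to a sequence of (theta, SF, SR) snapshots taken at
    events; returns the sequence of control signals c."""
    return [strategy(theta, sf, sr, delta) for (theta, sf, sr) in samples]


# Constructed sample: east-bound car meets a wall, turns left, loses the
# right wall, turns right, and is east-bound again.
SAMPLE_EVENTS = [
    (0.02, 1, 0),            # east, wall ahead            -> turn left
    (math.pi / 2 + 0.01, 0, 1),  # north, right wall present -> continue
    (math.pi / 2 - 0.03, 0, 0),  # north, right wall gone    -> turn right
    (-0.01, 0, 1),           # east again, path clear      -> continue
]

if __name__ == "__main__":
    print(decisions(SAMPLE_EVENTS, delta=0.1))
```

The `heading_index` helper is what the event generator of the next subsection detects: the controller output changes only when $\theta$ enters a window or one of the touch sensors changes, which is why the function refuses to answer outside a window instead of guessing.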
This strategy is made in discrete time, but without any fixed sampling rate, since it may not be known how long the car takes to turn to the next direction, and how long before it hits a wall or moves off a wall. Therefore, the strategy should be event-driven. There are three types of event: (1) $\theta$ enters $\{(k\pi/2 - \delta, k\pi/2 + \delta) \mid k = 0, 1, 2, \ldots\}$, (2) $SF$ changes from 0 to 1 or (3) $SR$ changes from 1 to 0. "Rising transition" elements are used to generate these events and "event or" elements are used to synchronize these events. An event generator (Figure 5.8(a)) is created by combining these elements. As a result, the control circuit is composed of the event generator, the event-driven strategy module and an actualizer (Figure 5.8(b)), which, for simplicity, is set to be $v = 1$ and $\alpha = c$.

Even though it is a simple hybrid system, in order for the system to work properly, we have to consider the interface between discrete and continuous domains carefully.

Figure 5.8: (a) Event generator (b) Control circuit

• The "event or" logic works correctly only when no two events happen at the same time. In this example, we assume that the sizes of the blocks and the spaces between the blocks are much larger than the size of the car.

• The error angle $\delta$ should be assigned based on the sizes of the blocks and the turning radius. Given that the steering angle $\alpha$ is $\pi/4$ and the length of the car is $L$, the turning radius $R$ becomes $L$ (since $R = L/\tan\alpha$). Let the maximum size of blocks be $M$. We have $\delta < L/M$ so that the car will not hit the right wall when it moves forward with some error $\delta$ in its heading.

• The front and right sensor ranges are designed according to the sizes of the blocks, the turning radius and the error angle. Let the turning radius be $L$ and $\delta < L/M$.
If the initial distance from the right wall is $L$, the distance from the right wall will always be less than $2L$ when it moves forward with some error $\delta$ in its heading. Therefore, suppose $DF$ is the distance between the front of the car and the front wall, and $DR$ is the distance between the right side of the car and the right wall; we have $SF = (DF < L)$ and $SR = (DR < 2L)$ (so that $SR$ will not be off because of error $\delta$ in its heading).

These problems seem particular to this special design and the solutions seem ad hoc. However, similar situations, such as choosing errors, thresholds, gains, sampling rates, etc., would be encountered in the design of every hybrid system. In Appendix C, we will study more examples of hybrid system design and analysis. In Part III, we will design a more complex control system for the car-like robot.

5.3 Power of Constraint Nets

Any computational model is suitable for representing a certain type of computation. For example, Turing machines are used to represent sequential computation and analog circuits are used to represent parallel and continuous computation. The Constraint Net model (CN) is an abstraction of models for dynamic systems. Even though CN is inherently parallel, sequential computation can also be modeled. In this section, we first focus on sequential computation in CN and then discuss continuous computation in CN.

5.3.1 Sequential computation

We model any sequential computation as a module with an event input indicating the start of a computation and an event output indicating the end of the computation (Figure 5.9). The time duration between the start and the end of the computation is variable, depending on the input data. We call such a module a sequential module.

Figure 5.9: A sequential module

A transliteration $f$ is modeled as a sequential module with $End = Start$ and $Data\_Out = f(Data\_In)$, i.e., there is no time delay in a transliteration.
A functional composition of two sequential computations is modeled as a cascade connection of the two sequential modules (Figure 5.10).

Figure 5.10: A functional composition $G \circ F$

Let $g : A \to A'$ and $h : \mathcal{N} \times A \times A' \to A'$ be functions. A recursive function $f : \mathcal{N} \times A \to A'$ based on $g$ and $h$ can be defined as $f(0, x) = g(x)$, $f(n+1, x) = h(n, x, f(n, x))$. Given that $g$ and $h$ are computed by sequential modules $G$ and $H$, respectively, a sequential module for $f$ can be constructed as follows.

Let $COUNTER$ be a module with two event inputs and one output on domain $\mathcal{N}$. The first event input resets the output to zero and the second event input increases the output value by one. $COUNTER(\{c1, c2\}, n)$ (Figure 5.11) is composed of module $NE$ (Figure 5.1(a)), two transliterations $suc$ and $cond$, and an event-driven unit delay $\delta^e(0)$, where

$suc(n) = \bot_\mathcal{N}$ if $n = \bot_\mathcal{N}$, $n + 1$ otherwise

is a successor function. The sequential module for $f$ (Figure 5.12) is composed of sequential modules $G$ and $H$, modules $COUNTER$, $FILTER$ and $SELECT$, and transliteration $cond$. Unit delays are also added to avoid algebraic loops. We can see that in order to compute $f(n, x)$, the sequential module $G$ will be triggered initially and the sequential module $H$ will be triggered up to $n$ times.

Figure 5.11: An event counter

A function $f : A \to \mathcal{N}$ is defined using the minimization operation on a function $g : \mathcal{N} \times A \to \mathcal{N}$ if:

$f(x) = \min\{n \mid g(n, x) = 0\}$ if the set is not empty, $\bot_\mathcal{N}$ otherwise.

Thus, $f(x)$ is defined as the smallest $n$ for which $g(n, x) = 0$ if there is such an $n$; it is otherwise undefined. Given that $g$ is computed by a sequential module $G$, a sequential module for $f$ can be constructed as in Figure 5.13. If $f(x) = n \in \mathcal{N}$, the sequential module $G$ will be triggered $n + 1$ times, otherwise $G$ will be triggered infinitely many times and there will be no event generated in $End$.
Therefore, given a set of basic functions and their sequential modules, the set of functions closed under functional composition, recursive schemes and minimization operations can be computed by sequential modules. In fact, this set is large enough to include all the computable functions given a small set of basic functions. It is well known that the set of Turing computable functions is equal to the set of partial recursive functions. A function $f$ is defined partial recursively if [Yas71]:

• it is the constant 0, the successor function $suc$, or a projection function $proj_j$, $proj_j(x_1, \ldots, x_j, \ldots, x_n) = x_j$; or

• it is defined as a functional composition of functions defined partial-recursively; or

• it is defined as a recursive function based on functions defined partial-recursively; or

• it is defined using the minimization operation on a function defined partial-recursively.

Figure 5.12: A sequential module for a recursive function

Figure 5.13: A sequential module for the minimization operation

A function $f$ is a partial recursive function if it equals a function that is defined partial-recursively.

Theorem 5.3.1 Let $\Sigma_n = (\{n\}, \{0, suc, cond\})$ be a signature. A partial recursive function can be computed by a sequential module on $\Sigma_n$-dynamics structure $\mathcal{D}(\mathcal{N}, \mathcal{N})$ where $\mathcal{N}$ denotes the $\Sigma_n$-domain structure $(\{\mathcal{N}\}, \{0, suc, cond\})$.

Finishing up this section on sequential computation, we give two more examples used mostly in concurrency and real-time models.

• Internal choice $A + B$: either $A$ or $B$ will be computed. Figure 5.14 is a sequential module for this scheme, where $id$ is an event-driven transliteration of an identity function $id = \lambda x.x$ and location $n$ is a hidden input with Boolean domain. Internal choices are often used for modeling nondeterminism in concurrent systems.
• External choice $C \to A \mid D \to B$: if an event in $C$ comes before an event in $D$, $A$ is computed, otherwise $B$ is computed. Figure 5.15 is a sequential module for this scheme, where $FIRST$ is a module that outputs 0 if an event in $C$ comes first and 1 if an event in $D$ comes first. Module $FIRST$ (Figure 5.16) is composed of a transliteration $cond$ for resetting the state whenever there is an event in $Start$, a transliteration of state transition function $f$ defined as $f((c, d), (s_c, s_d)) = (s_c \vee (c \wedge \neg s_d),\ s_d \vee (d \wedge \neg s_c \wedge \neg c))$ and a transliteration of an output function $g$ defined as $g((s_c, s_d)) = \neg s_c \wedge s_d$. Note that events in $c$ have higher priorities for this definition of $g$, i.e., if events in $c$ and $d$ come at the same time, the event in $c$ will be selected.

Figure 5.14: A sequential module for internal choice $A + B$

Figure 5.15: A sequential module for external choice $C \to A \mid D \to B$

Figure 5.16: The FIRST module

External choices are often used for modeling time-out in real-time systems. For example, if $C$ is a module that generates time-out events (Figure 5.17), $C \to A \mid D \to B$ means that if $D$ generates an event before time-out, $B$ will be executed, otherwise $A$ will be executed.

Figure 5.17: The TIMEOUT module

5.3.2 Analog computation

We have seen that the Constraint Net model (CN) can represent sequential computation as well, by using events to coordinate the order of computation. However, in general, CN is used for modeling computation over time, i.e., relationships between input traces and output traces. If a constraint net $CN$ is closed, the semantics of $CN$ is simply a trace, i.e., a function of time. Many functions that are not easy to model in sequential computation are easy to compute as traces. For example, $\lambda t.\,Ce^{kt}$ is the solution of a constraint net $x = \int(C)(kx)$; $\lambda t.(\sin(t), \cos(t))$ is the solution of a constraint net $x = \int(0)(y)$, $y = \int(1)(-x)$.
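Returning to the sequential modules of Section 5.3.1, the trigger counts stated there (one $Start$ for $G$ and $n$ for $H$ in a recursive scheme; $n + 1$ starts of $G$ for a minimization that yields $n$, and no $End$ event otherwise) can be checked by wrapping each sequential module in a counter. The following is an added example, not code from the thesis: it builds recursion and minimization from callables that count their $Start$ events, and derives addition, multiplication and a bounded square-root search from the signature $\{0, suc, cond\}$ of Theorem 5.3.1. The bound on the minimization loop is an assumption standing in for "infinitely many times"; `None` stands for the undefined value $\bot$.

```python
"""Added example (not from the thesis): sequential modules as Python
callables that count their Start events, so the trigger counts claimed in
Section 5.3.1 can be checked.  None stands for bottom; the minimization
bound is an assumption standing in for 'infinitely many' triggers."""


class SequentialModule:
    """A computation with a Start event and an End event; `triggers` counts Starts."""

    def __init__(self, fn, name):
        self.fn, self.name, self.triggers = fn, name, 0

    def __call__(self, *args):
        self.triggers += 1            # Start event
        return self.fn(*args)         # End event delivers Data_Out


def suc(n):
    return None if n is None else n + 1


def cond(x, y, a, b):
    return a if x == y else b


def recursion(G, H):
    """f(0, x) = g(x), f(n+1, x) = h(n, x, f(n, x)) from modules G and H.
    G is triggered once; H is triggered n times while COUNTER runs 0..n-1."""
    def f(n, x):
        acc = G(x)
        for i in range(n):
            acc = H(i, x, acc)
        return acc
    return f


def minimization(G, bound):
    """f(x) = min{n | g(n, x) = 0}: G is re-triggered until it returns 0.
    Returns None (End never fires) when no such n is found below the bound."""
    def f(x):
        for n in range(bound):
            if G(n, x) == 0:
                return n
        return None
    return f


# Addition and multiplication as recursive schemes over {0, suc, cond}.
G_add = SequentialModule(lambda x: x, "proj")                 # add(0, x) = x
H_add = SequentialModule(lambda i, x, acc: suc(acc), "suc")   # add(n+1, x) = suc(add(n, x))
add = recursion(G_add, H_add)

G_mul = SequentialModule(lambda x: 0, "zero")                 # mul(0, x) = 0
H_mul = SequentialModule(lambda i, x, acc: add(x, acc), "add")  # mul(n+1, x) = x + mul(n, x)
mul = recursion(G_mul, H_mul)

# Least n with n*n >= x by minimization: g(n, x) = 0 iff mul(n, n) >= x.
G_sqrt = SequentialModule(lambda n, x: cond(mul(n, n) >= x, True, 0, 1), "ge")
isqrt_ceil = minimization(G_sqrt, bound=100)

# A function with no zero at all: End never fires, G runs to the bound.
never = minimization(SequentialModule(lambda n, x: 1, "one"), bound=50)


def run_examples():
    """Reset the counters, run the three schemes, and report results and Start counts."""
    modules = (G_add, H_add, G_mul, H_mul, G_sqrt)
    for m in modules:
        m.triggers = 0
    results = (add(3, 4), mul(2, 5), isqrt_ceil(10), never(0))
    return results, {m.name: m.triggers for m in modules}


if __name__ == "__main__":
    print(run_examples())
```

The counts confirm the text: `add(3, 4)` starts `proj` once and `suc` three times, and `isqrt_ceil(10)` starts `ge` five times because the answer is 4. The nested counts for `mul` are larger only because each `H_mul` step is itself a full `add`, i.e. a sequential module built from other sequential modules.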
In the rest of this section, we will ask two questions. First, given a set of basic functions on $\mathcal{R}$, say $+$ and $\cdot$, what is the set of traces that can be represented as solutions of differential equations? Second, given differential equations modeled in constraint nets, what is the relationship between the semantics of constraint nets and the solutions of the differential equations?

The first question was answered by Shannon. Here we present a variation of the results in [Sha41]. Let $T = [t_0, t_1] \subset \mathcal{R}$. A trace $x : T \to \mathcal{R}$ can be obtained as a solution of a set of differential equations composed of only $+$ and $\cdot$ iff $x = x_1$ can be written as:

$\dot x_k = P_k(x_1, \ldots, x_n),\quad k = 1, \ldots, n$ (5.1)

where $P$'s denote polynomial functions. The question is then reduced to: what is the set of functions that can be written in Equation 5.1? It has been shown [Sha41] that this set is equal to the set of non-hypertranscendental functions. A function $x = \lambda t.f(t)$ is non-hypertranscendental iff it can be written as

$P(t, x, \dot x, \ldots, x^{(n)}) = \sum_i a_i\, t^{i_0} x^{i_1} (\dot x)^{i_2} \cdots (x^{(n)})^{i_{n+1}} = 0$ (5.2)

where the $i$'s denote natural numbers.

Proposition 5.3.1 [Sha41] Equations 5.1 and 5.2 are equivalent, i.e., a function written in one form can be transformed into the other.

Most common analytic functions are non-hypertranscendental [Sha41] such as exponential and logarithmic, trigonometric and hyperbolic, Bessel functions, elliptic functions, probability functions, and solutions of an algebraic equation in terms of a parameter. Non-hypertranscendental functions are also closed under various operations.

Proposition 5.3.2 [Sha41] If $x = \lambda t.f(t)$ is non-hypertranscendental, then its derivative $y = \lambda t.f'(t)$, its integral $z = \lambda t.\int f(t)\,dt$, and its inverse $w = \lambda t.f^{-1}(t)$ are non-hypertranscendental.

Proposition 5.3.3 [Sha41] Non-hypertranscendental functions are closed under functional composition.
The second question is that given a trace as a solution of a set of differential equations, can that trace be computed as the limiting semantics of the constraint net representing the set of differential equations? This question is further decomposed into two questions: first, does the constraint net have a well-defined limiting semantics? Second, does the set of differential equations have a unique solution? If the answers to both questions are positive, the trace can be computed by the constraint net.

Proposition 5.3.4 Given a constraint net of differential equations $\dot x_k = f_k(x)$, $k = 1, \ldots, n$ with $x_k(t_0) \in \mathcal{R}$ and $f_k : \mathcal{R}^n \to \mathcal{R}$ as partial or total functions, and given that all $f_k$ are smooth at $x(t_0)$, the limiting semantics of the constraint net, based on the forward Euler method, is well-defined over $[t_0, t_1]$ for some $t_1 > t_0$. In particular, if $f_k$ is a polynomial function, then $f_k$ is smooth over $\mathcal{R}^n$; if, in addition, the initial value is well-defined, the limiting semantics of the constraint net is well-defined.

It has been shown that a sufficient condition for differential equations $\dot x = f(x)$ to have a unique solution is the Lipschitz condition [MA86]. The Lipschitz condition is defined as follows. Given $(\mathcal{R}^n, d)$ as a metric space, we say that $f : \mathcal{R}^n \to \mathcal{R}^n$ satisfies a Lipschitz condition uniformly with respect to $t \in [t_0, t_1]$ if there exists a number $K > 0$ such that

$d(f(x(t)), f(y(t))) \le K\, d(x(t), y(t))$ for all $t \in [t_0, t_1]$.

Let $\|\cdot\|_2$ be the Euclidean norm and $d(x, y) = \|x - y\|_2$. If $f$ is a linear function, i.e., $f(x) = Ax$, $\|f(x(t)) - f(y(t))\|_2 \le \|A\|\,\|x(t) - y(t)\|_2$ for all $t$. Therefore, linear functions always satisfy the Lipschitz condition, and linear differential equations always have a unique solution. A more general result is as follows.

Theorem 5.3.2 Let $\Sigma_r = (\{r\}, \{+, \cdot\})$ be a signature.
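The two questions above (does the net have a well-defined limiting semantics, and is the solution unique) can both be probed numerically with the forward Euler iteration that the limiting semantics is built on. The following is an added example, not code from the thesis: it computes the Euler fixpoint for a shrinking step $\varepsilon$ and checks the Lipschitz inequality on sample points. The three right-hand sides it uses ($\dot x = -x$, whose limit is $s_0 e^{-t}$ as derived at the start of this page; $\dot x = \sqrt{x}$ with $x(0) = 0$, which is not Lipschitz at 0; and $\dot x = 1/(2x)$ with $x(0) = 0$, whose solutions $\pm\sqrt{t}$ are not unique and whose right-hand side is undefined at the initial value) are assumed instances of the situations the text describes, not equations taken from the page.

```python
"""Added example (not from the thesis): forward-Euler limiting semantics of
a temporal-integration net, and a sample-based Lipschitz check.  The three
right-hand sides are assumed instances of the cases discussed in the text."""
import math


def euler(f, s0, t_end, eps):
    """Fixpoint of s = int_eps^{s0}(eps, f(s), s) sampled at t_end: s advances
    by eps*f(s) every eps.  Returns None (bottom) if f is undefined on the way."""
    s, steps = s0, int(round(t_end / eps))
    for _ in range(steps):
        v = f(s)
        if v is None:
            return None
        s = s + eps * v
    return s


def limiting_semantics(f, s0, t_end, eps_list=(0.1, 0.01, 0.001)):
    """Successive Euler values as eps -> 0; their limit is the net's semantics."""
    return [euler(f, s0, t_end, e) for e in eps_list]


def f_decay(s):
    # xdot = -x: linear, hence Lipschitz with K = 1; limit is s0 * exp(-t)
    return -s


def f_sqrt(s):
    # xdot = sqrt(x): not Lipschitz at 0; Euler from x(0) = 0 never leaves 0
    return None if s < 0 else math.sqrt(s)


def f_recip(s):
    # xdot = 1/(2x): undefined at 0, so from x(0) = 0 the semantics is bottom
    return None if s == 0 else 1.0 / (2.0 * s)


def lipschitz_violation(f, points, K):
    """Return a pair (x, y) of sample points with |f(x)-f(y)| > K|x-y|, or
    None if none is found.  Finding none is necessary, not sufficient, for
    the Lipschitz condition to hold with constant K."""
    for x in points:
        for y in points:
            if x != y and abs(f(x) - f(y)) > K * abs(x - y):
                return (x, y)
    return None


if __name__ == "__main__":
    print("xdot=-x, x(0)=1, t=1:", limiting_semantics(f_decay, 1.0, 1.0),
          "vs exp(-1) =", math.exp(-1))
    print("xdot=sqrt(x), x(0)=0:", limiting_semantics(f_sqrt, 0.0, 1.0))
    print("xdot=1/(2x), x(0)=0:", limiting_semantics(f_recip, 0.0, 1.0))
    print("Lipschitz violation for sqrt near 0 with K=10:",
          lipschitz_violation(f_sqrt, [0.0, 1e-4, 0.5, 1.0], 10.0))
```

For $\dot x = -x$ the Euler values converge to $e^{-1}$, matching the closed form. For $\dot x = \sqrt{x}$ the iteration sits at the single solution $\lambda t.0$ although $t^2/4$ also solves the equation, which is what "the limiting semantics produces a unique solution" means in practice, and the Lipschitz check exhibits the pair near 0 where the ratio $|\sqrt{x}-\sqrt{y}|/|x-y|$ exceeds any fixed $K$. For $\dot x = 1/(2x)$ the result is $\bot$ from the first step.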
A non-hypertranscendental function that is defined and smooth over a closed segment $T = [t_0, t_1]$ can be computed by a constraint net of differential equations on $\Sigma_r$-dynamics structure $\mathcal{D}(T, \mathcal{R})$, where $\mathcal{R}$ denotes the $\Sigma_r$-domain structure $(\{\mathcal{R}\}, \{+, \cdot\})$.

Chapter 6

Behavior Analysis

We have presented the Constraint Net model, its syntax and semantics, and its power in modeling dynamics and computation. In this chapter, we relate systems to their behaviors. We start with some preliminaries in abstract algebra on equivalence and abstraction. We then present a formal definition of behaviors and discuss various properties of behaviors. Finally, we formalize the concept of behavior abstraction at different levels of granularity, and the meaning of system equivalence with respect to a certain type of abstraction.

6.1 Abstraction, Quotient and Homomorphism

This section introduces some basic, but important, concepts in abstract algebra. These concepts are related to the question of how to generate an abstraction of a given system. Intuitively, equivalence induces partitions, and partitions induce abstraction. An algebraic system is a set with an associated structure, i.e., a set of functions and relations. A structure that is consistent with a partition can be abstracted to a quotient structure on the partition. An algebraic system $A'$ is a quotient of an algebraic system $A$ if $A'$, with the quotient structure, is a partition of $A$. A quotient of an algebraic system can be considered as an abstraction of the algebraic system. An algebraic system $A$ is homomorphic to an algebraic system $A'$ if there is a surjective (onto) mapping from $A$ to $A'$ that is consistent with the associated structure; it is isomorphic if the mapping has an inverse. On the other hand, a homomorphic mapping induces a partition and a quotient structure. An algebraic system is homomorphic to its quotient.
Given algebraic systems $A$ and $A'$, if $A$ is homomorphic to $A'$, $A'$ is isomorphic to the quotient of $A$ induced by the homomorphic mapping. We present these concepts more formally in the rest of this section.

Equivalence relations are characterized as congruences. A binary relation $\sim_A$ over a set $A$ is a congruence if it is reflexive, transitive and symmetric. A congruence induces a partition. A partition of a set $A$ induced by a congruence $\sim_A$, written $A/\!\sim_A$, is a set of sets $\{A_i\}$ such that (1) $A = \bigcup A_i$, (2) $\forall i \ne j,\ A_i \cap A_j = \emptyset$ and (3) $a_1 \sim_A a_2$ and $a_1 \in A_i$ imply $a_2 \in A_i$. We use $[a]$ to denote the set that $a$ belongs to. Intuitively, a partition of a set can be considered as an abstraction of the set; $[a]$ is an abstraction of $a$.

If a congruence is consistent with a function $f$, it is called an $f$-congruence. Let $f : A \to A'$ be a function. A congruence $\sim$ over $A \cup A'$ is an $f$-congruence if $a_1 \sim a_2$ implies $f(a_1) \sim f(a_2)$. Given $f : A \to A'$ and $\sim$ as an $f$-congruence, an abstraction of $f$ can be defined on the partition of $A$ and $A'$ induced by the $f$-congruence. Let $f : A \to A'$ be a function and $\sim$ be an $f$-congruence over $A \cup A'$. The quotient function of $f$ w.r.t. $\sim$, written $f_\sim : A/\!\sim\ \to A'/\!\sim$, is defined as $f_\sim([a]) = [f(a)]$. We also say that function $f$ is abstractable w.r.t. $\sim$ when $\sim$ is an $f$-congruence.

The concepts of abstraction and quotient structures can be extended to multi-sorted algebra. Let $\Sigma = (S, F)$ be a signature and $A$ be an arbitrary $\Sigma$-algebra. A $\Sigma$-congruence on $A$ is an $S$-sorted relation $\sim\ = \{\sim_s\}_{s \in S}$ satisfying:

1. for each $s \in S$, $\sim_s$ is a congruence on $A_s$, and

2. for any $f : s_1, \ldots, s_n \to s \in F$ and all $a_1, a_1' \in A_{s_1}, \ldots, a_n, a_n' \in A_{s_n}$, if $a_1 \sim_{s_1} a_1', \ldots, a_n \sim_{s_n} a_n'$ hold, then $f_A(a_1, \ldots, a_n) \sim_s f_A(a_1', \ldots, a_n')$. Namely, $\sim$ is an $f_A$-congruence for all $f \in F$.

Given a $\Sigma$-congruence on a $\Sigma$-algebra $A$, we can define a quotient algebra $A/\!\sim$. Let $\sim$ be a $\Sigma$-congruence over a $\Sigma$-algebra $A$. The quotient $\Sigma$-algebra $A/\!\sim$ of $A$ is defined as $(A/\!\sim)_s = A_s/\!\sim_s$ and, for $f : s_1, \ldots, s_n \to s \in F$ and $a_1 \in A_{s_1},$
$\ldots, a_n \in A_{s_n}$, $f_{A/\sim}([a_1], \ldots, [a_n]) = [f_A(a_1, \ldots, a_n)]$. The quotient $\Sigma$-algebra $A/\!\sim$ of $A$ can be considered as an abstraction of $A$ induced by the $\Sigma$-congruence $\sim$.

The relationship between an algebra and its quotient algebras can be characterized by homomorphism. In general, a homomorphism on $\Sigma$-algebras is defined as follows. Let $A, A'$ be two $\Sigma$-algebras. A $\Sigma$-homomorphism $h : A \to A'$ is a family of surjective (onto) mappings $h = \{h_s : A_s \to A'_s\}_{s \in S}$ such that for each $f : s_1, \ldots, s_n \to s \in F$ and each $a_1 \in A_{s_1}, \ldots, a_n \in A_{s_n}$, $h_s(f_A(a_1, \ldots, a_n)) = f_{A'}(h_{s_1}(a_1), \ldots, h_{s_n}(a_n))$. It is a $\Sigma$-isomorphism if $h$ is a bijection. If $A'$ is a quotient algebra of $A$, there exists a homomorphism $h$ from $A$ to $A'$ with $h(a) = [a]$. On the other hand, if there is a homomorphism $h$ from $A$ to $A'$, $A'$ is isomorphic to a quotient algebra of $A$. To see this, let us define a congruence $\sim_h$ on $A$ as follows: $a_1 \sim_h a_2$ iff $h(a_1) = h(a_2)$. Since $h$ is a $\Sigma$-homomorphism from $A$ to $A'$, $\sim_h$ is an $f_A$-congruence on $A$ for any $f \in F$. Therefore, $A'$ is isomorphic to the quotient algebra of $A$ induced by $\sim_h$. And, $A'$, which is isomorphic to a quotient of $A$, is also considered as an abstraction of $A$.

6.2 Behavior Analysis: General Concepts

Now we discuss the relationship between dynamic systems and their behaviors. Intuitively, the behavior of a dynamic system is the set of observable input/output traces of the system. Formally, let $CN(I, O)$ be a module. An input-output pair $(i, o)$ is an observable trace of $CN(I, O)$ if $\exists F \in [\![CN(I, O)]\!]$ such that $o = F(i)$. The behavior of $CN(I, O)$ is the set of all observable traces of $CN(I, O)$. We will also use $[\![CN(I, O)]\!]$ to denote the behavior of $CN(I, O)$ if no ambiguity arises. We will use $[\![CN]\!]$ as an abbreviation of $[\![CN(I, O)]\!]$ if $I = I(CN)$ and $O = O(CN)$. Two modules are equivalent, written $CN_1(I, O) \equiv CN_2(I, O)$, if they have the same behavior, i.e., $[\![CN_1(I, O)]\!] = [\![CN_2(I, O)]\!]$.
For example, two state transition modules are equivalent if they have the same initial state and the same state transition relation.

A behavior $B$ is deterministic if for any pair of traces $(i_1, o_1), (i_2, o_2) \in B$, $i_1 = i_2$ implies $o_1 = o_2$; it is otherwise nondeterministic. In general, a module $CN(I, O)$ will exhibit a nondeterministic behavior if there are hidden inputs, i.e., $I \subset I(CN)$.

Two important types of behavior are state-based behavior and time-invariant behavior. State-based behavior is formalized as follows. Let $B$ be a behavior. Given any time point $t \in \mathcal{T}$, two traces $v_1, v_2 \in B$ are coincident up to $t$, written $v_1 \equiv_t v_2$, if $\forall t' \le t,\ v_1(t') = v_2(t')$. Let $[v]_t = \{v'|_{>t} \mid v' \in B, v' \equiv_t v\}$ where $v|_{>t}$ denotes the restriction of $v$ onto $\{t' \in \mathcal{T} \mid t' > t\}$. $B$ is state-based if for all $v_1, v_2 \in B$ and $t \in \mathcal{T}$, $v_1(t) = v_2(t)$ implies $[v_1]_t = [v_2]_t$, i.e., the behavior in the future is fully determined by the current snapshot.

Time-invariant behavior is formalized as follows. Let $B = \{v \mid v : \mathcal{T} \to A\}$ be a behavior. For any $a_1, a_2 \in A$, let $a_1 \prec a_2$ if $\exists v \in B,\ t_1 < t_2$ such that $a_1 = v(t_1)$ and $a_2 = v(t_2)$. $B$ is time-invariant if $\prec$ is transitive, i.e., $\prec$ is independent of time.

A state automaton in Figure 4.1 exhibits a state-based and time-invariant behavior. However, an input/output automaton in Figure 4.4 may not exhibit a state-based and time-invariant behavior. Any state-based and time-invariant behavior of discrete time corresponds to a state transition system. A state transition system is a pair $(S, \to)$ where $S$ is a set of states and $\to \subseteq S \times S$ is a transition relation between two states. For any discrete time $\mathcal{T}$, $v : \mathcal{T} \to S$ is a trace of $(S, \to)$ if $\forall t > 0,\ v(pre(t)) \to v(t)$. A behavior $B$ corresponds to a state transition system $(S, \to)$ if $B$ is equal to the set of traces of $(S, \to)$. State transition systems can be considered as a compact representation of state-based and time-invariant behaviors.
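For finite behaviors over discrete time the definitions of this section can be checked mechanically, which is a useful sanity test before the verification machinery of Part II is applied. The following is an added example, not code from the thesis: it represents a trace as a tuple indexed by time, a behavior as a set of traces, and an input/output behavior as a set of pairs, and implements determinism, the coincidence classes $[v]_t$, the state-based test, the $\prec$ relation and its transitivity, the traces of a state transition system $(S, \to)$, and the subset test $[\![CN]\!] \models R$ used for requirements specifications in the next paragraph. The two sample behaviors at the bottom are constructed.

```python
"""Added example (not from the thesis): the behavior properties of Section
6.2 on finite, discrete-time behaviors.  A trace is a tuple indexed by time
0..n-1, a behavior is a set of traces, and an input/output behavior is a
set of (input_trace, output_trace) pairs.  Sample behaviors are constructed."""
from itertools import product


def is_deterministic(io_behavior):
    """(i, o1), (i, o2) in B must imply o1 == o2."""
    seen = {}
    for i, o in io_behavior:
        if seen.setdefault(i, o) != o:
            return False
    return True


def coincident_up_to(v1, v2, t):
    """v1 ==_t v2: equal at every time point t' <= t."""
    return v1[:t + 1] == v2[:t + 1]


def future_class(behavior, v, t):
    """[v]_t: futures (restrictions to t' > t) of the traces coincident with v up to t."""
    return {w[t + 1:] for w in behavior if coincident_up_to(w, v, t)}


def is_state_based(behavior):
    """Equal snapshots at t must give equal sets of futures."""
    for v1, v2 in product(behavior, repeat=2):
        for t in range(min(len(v1), len(v2))):
            if v1[t] == v2[t] and future_class(behavior, v1, t) != future_class(behavior, v2, t):
                return False
    return True


def precedes(behavior):
    """The relation a1 < a2: some trace takes value a1 strictly before value a2."""
    rel = set()
    for v in behavior:
        for t1 in range(len(v)):
            for t2 in range(t1 + 1, len(v)):
                rel.add((v[t1], v[t2]))
    return rel


def is_time_invariant(behavior):
    """B is time-invariant iff the precedence relation is transitive."""
    rel = precedes(behavior)
    return all((a, c) in rel for (a, b) in rel for (b2, c) in rel if b == b2)


def traces_of(transitions, initial, length):
    """All traces of the given length of the state transition system (S, ->)
    starting in `initial`: v(pre(t)) -> v(t) for every t > 0."""
    result = {(s,) for s in initial}
    for _ in range(length - 1):
        result = {v + (s2,) for v in result for (s1, s2) in transitions if s1 == v[-1]}
    return result


def satisfies(behavior, spec):
    """[[CN]] |= R  iff  [[CN]] is a subset of the allowed traces R."""
    return behavior <= spec


# Constructed samples (not from the thesis).
TS = {(0, 1), (1, 0), (1, 1)}                 # a state transition system on {0, 1}
B_TS = traces_of(TS, {0}, 3)                  # its traces of length 3 from state 0
B_HISTORY = {(0, 0, 1), (1, 0, 0)}            # same value at t=1, different futures

if __name__ == "__main__":
    print("traces of TS:", sorted(B_TS))
    print("TS behavior: state-based", is_state_based(B_TS),
          "time-invariant", is_time_invariant(B_TS))
    print("history-dependent behavior: state-based", is_state_based(B_HISTORY),
          "time-invariant", is_time_invariant(B_HISTORY))
```

`B_TS` passes both tests, as the text says a state transition system's trace set must, while `B_HISTORY` fails both: its two traces agree at $t = 1$ but their futures are determined by what happened at $t = 0$, and its precedence relation contains $0 \prec 1$ and $1 \prec 0$ without $1 \prec 1$.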
A requirements specification $R$ for a system $CN(I, O)$ is a set of allowable input/output traces of the system: $R \subseteq \times_{I \cup O} A^T$. $CN(I, O)$ satisfies a requirements specification $R$, written $[\![CN(I, O)]\!] \models R$, if $[\![CN(I, O)]\!] \subseteq R$.

With the formal definition of requirements specification, robustness and complexity can be formally defined. The robustness of systems is defined on parameterized nets. A parameterized system $CN^r(I, O)$ is less robust than $CN'^r(I, O)$ w.r.t. a requirements specification $R$, written $CN^r(I, O) \preceq_R CN'^r(I, O)$, if $[\![CN^r(I, O)]\!](v) \subseteq R$ implies $[\![CN'^r(I, O)]\!](v) \subseteq R$, for all $v \in \times_P D$. Two parameterized systems $CN^r(I, O)$ and $CN'^r(I, O)$ are equivalent w.r.t. a requirements specification $R$, written $CN^r(I, O) \simeq_R CN'^r(I, O)$, if $CN^r(I, O) \preceq_R CN'^r(I, O)$ and $CN'^r(I, O) \preceq_R CN^r(I, O)$.

Behavioral complexity is defined with respect to some kind of measurement on the size of a dynamic system: the number of transductions, the number of delay elements, or the maximum number of delay elements in any path. Let $|CN|_m$ denote the size of $CN$ w.r.t. measurement $m$. The complexity of behaviors satisfying $R$ w.r.t. $m$, denoted $|R|_m$, is the minimum realization of the dynamic systems satisfying $R$ w.r.t. $m$, i.e., $|R|_m = \min\{|CN|_m\}_{[\![CN(I, O)]\!] \models R}$.

Proposition 6.2.1 If $R_1 \subseteq R_2$, then $|R_1|_m \geq |R_2|_m$ (every system satisfying $R_1$ also satisfies $R_2$, so the minimum for $R_2$ is taken over a larger set).

In Part II, we will present two formal requirements specification languages and a formal method for behavior verification.

6.3 Time and Domain Abstraction

We have introduced reference and sample time for modeling multiple time structures of a hybrid dynamic system. Here we study another kind of mapping between two time structures, which is for modeling dynamic systems at different levels of detail.
A time structure $(T, d, \mu)$ may be related to another time structure $(T', d', \mu')$ by a homomorphic time mapping $h : T \to T'$, where $h$ is a surjective partial or total function, or $h : T \to T' \cup \{\bot\}$ is a surjective function, such that
• it is monotonic: $t_1 \leq_T t_2$ implies $h(t_1) \leq_{T'} h(t_2)$ if both sides are defined ($\neq \bot$),
• the least element is preserved: $h(0) = 0'$,
• the metrics are preserved: $m'(t') = \inf\{m(t) \mid h(t) = t'\}$,
• it is continuous: for any open $T'' \subseteq T'$ in its metric topology, $h^{-1}(T'')$ is open in its metric topology, and
• the measures are preserved: $\mu'(T'') = \mu(h^{-1}(T''))$.
$T'$ is an abstraction of $T$, and $T$ is a refinement of $T'$. For example, let $h : \mathcal{R}^+ \to \mathcal{N}$ be a partial mapping with
$$h(t) = \begin{cases} 0 & \text{if } t < 1 \\ n & \text{if } n < t < n + 1. \end{cases}$$
Function $h$ is a homomorphic time mapping (it is undefined at the integer instants $t = n \geq 1$). $\mathcal{N}$ is an abstraction of $\mathcal{R}^+$, and $\mathcal{R}^+$ is a refinement of $\mathcal{N}$.

A domain $A$ may be related to a domain $A'$ by a homomorphic domain mapping $h : A \to A'$ where $h$ is surjective and continuous in the derived metric topology. $A'$ is an abstraction of $A$, and $A$ is a refinement of $A'$. For example, let $h : \mathcal{R} \to S$, where $S = \{-1, 1\}$, be a mapping with
$$h(x) = \begin{cases} -1 & \text{if } x < 0 \\ 1 & \text{if } x > 0 \\ \bot_S & \text{if } x = 0 \text{ or } x = \bot_{\mathcal{R}}. \end{cases} \qquad (6.1)$$
Function $h$ is a homomorphic domain mapping. $S$ is an abstraction of $\mathcal{R}$, and $\mathcal{R}$ is a refinement of $S$.

Let $\Sigma = (S, F)$ be a signature. A $\Sigma$-domain structure $A$ may be related to a $\Sigma$-domain structure $A'$ by a homomorphic domain structure mapping $h = \{h_s : A_s \to A'_s\}_{s \in S}$ where (1) $A'_s$ is an abstraction of $A_s$ for all $s \in S$, and (2) $h_s(f_A(x_1, \ldots, x_n)) = f_{A'}(h(x_1), \ldots, h(x_n))$ for all $f \in F$. $A'$ is an abstraction of $A$, and $A$ is a refinement of $A'$. The condition for a homomorphic domain structure mapping is very strong, since the congruence induced by the mapping must be a $\Sigma$-congruence. For example, let $\Sigma = (\{r\}, \{+, \cdot\})$ and let $(\{\mathcal{R}\}, \{+, \cdot\})$ be a $\Sigma$-domain structure. The mapping defined in Function 6.1 is not a homomorphic domain structure mapping, since $h$ is not a $+$-congruence.
For another example, let $\Sigma = (\{s\}, \{0, f, g\})$ be a signature with $0 : \to s$, $f : s \to s$ and $g : s, s \to s$, and let $(\{\mathcal{N}\}, \{0, suc, +\})$ and $(\{\mathcal{B}\}, \{0, \neg, \oplus\})$ be $\Sigma$-domain structures. Let $h : \mathcal{N} \to \mathcal{B}$ be a mapping with
$$h(n) = \begin{cases} 0 & \text{if } n \text{ is even} \\ 1 & \text{if } n \text{ is odd} \\ \bot_{\mathcal{B}} & \text{if } n = \bot_{\mathcal{N}}. \end{cases}$$
Function $h$ is a homomorphic domain structure mapping. $(\{\mathcal{B}\}, \{0, \neg, \oplus\})$ is an abstraction of $(\{\mathcal{N}\}, \{0, suc, +\})$, and $(\{\mathcal{N}\}, \{0, suc, +\})$ is a refinement of $(\{\mathcal{B}\}, \{0, \neg, \oplus\})$.

Because it is hard to satisfy the strong condition on homomorphic domain structure mappings for most domain structures, in many cases a weaker version of abstraction may apply. So-called qualitative algebra/dynamics [Wd90, Wil91] in AI belong to this category. Let $\Sigma = (S, F)$ be a signature. A $\Sigma$-domain structure $A$ may be related to a $\Sigma$-domain structure $A'$ by a domain structure mapping $h = \{h_s : A_s \to A'_s\}_{s \in S}$ where (1) $A'_s$ is an abstraction of $A_s$ for all $s \in S$, and (2) $f_{A'}(x'_1, \ldots, x'_n) = \bigwedge_{A'}\{h(f_A(x_1, \ldots, x_n)) \mid h(x_1) = x'_1, \ldots, h(x_n) = x'_n\}$ for all $f \in F$. $A'$ is a qualitative domain structure of $A$, and $A$ is a quantitative domain structure of $A'$. We should point out here that the partial order structure for any domain is a semilattice, i.e., any two elements have a lower bound, and if $A$ is a domain, the greatest lower bound $\bigwedge_A$ is defined for any subset of $A$. This definition is similar to the definition in [Wil91], except that we enforce continuity in domain mapping.

For the previous example, let $(\{S\}, \{+, \cdot\})$ be a $\Sigma$-domain structure, with $+$ and $\cdot$ defined as:
$$x + y = \begin{cases} 1 & \text{if } x = y = 1 \\ -1 & \text{if } x = y = -1 \\ \bot_S & \text{otherwise,} \end{cases}$$
and
$$x \cdot y = \begin{cases} 1 & \text{if } x = y = 1 \text{ or } x = y = -1 \\ -1 & \text{if } x = 1, y = -1 \text{ or } x = -1, y = 1 \\ \bot_S & \text{otherwise.} \end{cases}$$
The mapping $h$ defined in Function 6.1 is a domain structure mapping. $(\{S\}, \{+, \cdot\})$ is a qualitative domain structure of $(\{\mathcal{R}\}, \{+, \cdot\})$, and $(\{\mathcal{R}\}, \{+, \cdot\})$ is a quantitative domain structure of $(\{S\}, \{+, \cdot\})$. However, $h$ is not a homomorphic domain structure mapping, since $h(x + y) = h(x) + h(y)$ does not hold for all $x, y \in \mathcal{R}$.
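The three claims above (parity is a homomorphic domain structure mapping, the sign mapping of Function 6.1 is not, and the qualitative $+$ and $\cdot$ on $S$ are exactly the meets of the images under sign) can be checked mechanically. The following Python is an added example, not code from the thesis; the carriers are constructed finite samples of $\mathcal{N}$ and $\mathcal{R}$, and $\bot$ is encoded as `None`.

```python
from itertools import product

BOT = None  # bottom element of a flat domain (constructed encoding: Python None)


def meet(values):
    """Greatest lower bound in a flat domain: one common non-bottom value, else bottom."""
    vals = set(values)
    return vals.pop() if len(vals) == 1 and BOT not in vals else BOT


def is_homomorphic(h, f_a, f_b, carrier, arity):
    """Condition (2) of a homomorphic domain structure mapping:
    h(f_A(x1, ..., xn)) == f_A'(h(x1), ..., h(xn)) for all xi in the carrier.
    Returns None when it holds, otherwise the first violating tuple."""
    for xs in product(carrier, repeat=arity):
        if h(f_a(*xs)) != f_b(*(h(x) for x in xs)):
            return xs
    return None


def induced_operation(h, f_a, carrier, arity):
    """Qualitative operation induced by h (meet-of-images construction):
    f_A'(x'1, ..., x'n) = meet { h(f_A(x1, ..., xn)) | h(x1) = x'1, ..., h(xn) = x'n }.
    Returned as a table keyed by tuples of abstract values."""
    abstract = {h(x) for x in carrier}
    table = {}
    for ys in product(abstract, repeat=arity):
        images = [h(f_a(*xs)) for xs in product(carrier, repeat=arity)
                  if tuple(h(x) for x in xs) == ys]
        table[ys] = meet(images)
    return table


# --- parity: ({N}, {0, suc, +}) -> ({B}, {0, not, xor}) -----------------------
def parity(n):
    return BOT if n is BOT else n % 2

NATS = list(range(12))          # constructed finite sample of N (bottom omitted)

def suc(n): return n + 1
def plus(m, n): return m + n
def neg(b): return 1 - b        # negation on B = {0, 1}
def xor(a, b): return a ^ b     # exclusive or on B


# --- sign (Function 6.1): ({R}, {+, .}) -> ({S}, {+, .}) ---------------------
def sign(x):
    """Function 6.1 on R with bottom: negative -> -1, positive -> 1, 0 or bottom -> bottom."""
    if x is BOT or x == 0:
        return BOT
    return -1 if x < 0 else 1

REALS = [-2.0, -1.0, -0.5, 0.0, 0.5, 1.0, 2.0, BOT]   # constructed sample of R with bottom

def strict(op):
    """Lift a total operation on R to the flat domain (bottom is absorbing)."""
    return lambda x, y: BOT if x is BOT or y is BOT else op(x, y)

real_plus = strict(lambda x, y: x + y)
real_times = strict(lambda x, y: x * y)

def qual_plus(x, y):
    """+ on S as defined in the text: equal non-bottom signs survive, else bottom."""
    return x if x == y and x is not BOT else BOT

def qual_times(x, y):
    """. on S as defined in the text: product of signs, bottom absorbing."""
    if x is BOT or y is BOT:
        return BOT
    return 1 if x == y else -1


def check_all():
    """(parity homomorphic?, counterexample for sign and +, qualitative ops == meets?)"""
    parity_ok = (is_homomorphic(parity, suc, neg, NATS, 1) is None and
                 is_homomorphic(parity, plus, xor, NATS, 2) is None)
    sign_counter = is_homomorphic(sign, real_plus, qual_plus, REALS, 2)
    plus_tab = induced_operation(sign, real_plus, REALS, 2)
    times_tab = induced_operation(sign, real_times, REALS, 2)
    qualitative_ok = (all(plus_tab[k] == qual_plus(*k) for k in plus_tab) and
                      all(times_tab[k] == qual_times(*k) for k in times_tab))
    return parity_ok, sign_counter, qualitative_ok


if __name__ == "__main__":
    print(check_all())
```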
Qualitative algebra, along with qualitative diagnosis and qualitative physics [Wd90], has been a major area in AI. In this thesis, we focus only on abstraction with quotient structures.

6.4 Behavior Abstraction and Equivalence

A trace is a function from a time structure to a domain. Given $T'$ as an abstraction time of $T$ with mapping $h_T$ and $A'$ as an abstraction domain of $A$ with mapping $h_A$, a trace $v : T \to A$ is abstractable to a trace $v' : T' \to A'$ if $h_T(t_1) = h_T(t_2)$ implies $h_A(v(t_1)) = h_A(v(t_2))$. The abstraction trace of $v$ w.r.t. $h = \{h_T, h_A\}$ is $v' = \lambda h_T(t).\,h_A(v(t))$. Two traces $v_1$ and $v_2$ are equivalent w.r.t. $h$, written $v_1 \equiv_h v_2$, if $v_1$ and $v_2$ are abstractable to the same abstraction trace w.r.t. $h$. We should point out here that $\equiv_h$ is not a congruence, since $\equiv_h$ is not reflexive (not every trace is abstractable). For example, let $v_1, v_2 : \mathcal{R}^+ \to \mathcal{R}$, with $v_1 = \lambda t.\,\sin(\pi t)$ and $v_2 = \mathrm{sign}(v_1)$, where $\mathrm{sign} : \mathcal{R} \to \mathcal{R}$ is a function defined as the sign of its argument. Traces $v_1$ and $v_2$ are both abstractable to a trace $v' : \mathcal{N} \to S$, with $v'(0) = 1$ and $v'(n + 1) = -v'(n)$ (Figure 6.1).

Figure 6.1: Equivalent traces and their abstraction

Consider again the example of the car-like maze traveler. The heading trace of the car $\theta : \mathcal{R}^+ \to \mathcal{R}$ (Figure 6.2(a)) can be abstracted to a discrete trace (Figure 6.2(b)). Notice that the "ambiguous directions" during the turnings are abstracted away.

Figure 6.2: The heading of a maze traveler and its abstraction; (a) the heading $\theta$, (b) the abstracted direction (west, north, east)

Similar to the abstraction and equivalence defined for traces, abstraction and equivalence for transductions are defined as follows. A transduction $F : A_1^T \to A_2^T$ is abstractable to a transduction $F' : A_1'^{T'} \to A_2'^{T'}$ w.r.t. $h = \{h_1, h_2\}$ iff $F(v) \equiv_{h_2} F(w)$ whenever $v \equiv_{h_1} w$. If there is no input, an abstractable transduction reduces to an abstractable trace. The abstraction of $F$ w.r.t. $h = \{h_1, h_2\}$ is $F'(h_1(v)) = h_2(F(v))$.
Two transductions $F_1$ and $F_2$ are equivalent w.r.t. $h$, written $F_1 \equiv_h F_2$, if $F_1$ and $F_2$ are abstractable to the same abstraction transduction w.r.t. $h$.

Abstraction and equivalence for behaviors are based on the abstraction and equivalence for traces. A behavior $B$ is abstractable w.r.t. $h$ iff for all $(i, o) \in B$, $o$ is abstractable w.r.t. $h$ whenever $i$ is abstractable w.r.t. $h$. If there is no input, an abstractable behavior reduces to the set of abstractable traces. The abstraction of $B$ w.r.t. $h$ is $B' = \{(i', o') \mid (i, o) \in B \text{ and } i \text{ is abstractable}\}$. Two behaviors are equivalent w.r.t. $h$, written $B_1 \equiv_h B_2$, if $B_1$ and $B_2$ are abstractable to the same abstraction behavior w.r.t. $h$. Two modules $CN_1(I, O)$ and $CN_2(I, O)$ are equivalent w.r.t. $h$, written $CN_1(I, O) \equiv_h CN_2(I, O)$, iff $[\![CN_1(I, O)]\!] \equiv_h [\![CN_2(I, O)]\!]$. We should notice that behavior abstraction may not preserve the property of being state-based or time-invariant.

Now we investigate the abstractable condition of a state transition system. A state transition system $(S, \to)$ is abstractable w.r.t. a congruence $\equiv$ on $S$ if $s_1 \to s_2$ and $s_3 \in [s_1]$ imply that $\exists s_4 \in [s_2]$ such that $s_3 \to s_4$. Let $(S/\equiv, \to')$ be a state transition system defined as $[s_1] \to' [s_2]$ iff $\exists s \in [s_1], s' \in [s_2]$ such that $s \to s'$. If $(S, \to)$ is abstractable w.r.t. $\equiv$, $(S/\equiv, \to')$ is called the abstraction of $(S, \to)$ w.r.t. $\equiv$; otherwise, it is called the approximate abstraction of $(S, \to)$ w.r.t. $\equiv$.

Proposition 6.4.1 (1) If $(S', \to')$ is an abstraction of $(S, \to)$, the behavior corresponding to $(S', \to')$ is the abstraction of the behavior corresponding to $(S, \to)$. (2) If $(S', \to')$ is an approximate abstraction of $(S, \to)$, the behavior corresponding to $(S', \to')$ is a superset of the abstraction of the behavior corresponding to $(S, \to)$.

6.5 Summary

We have presented formal definitions of the behavior of a system and requirements specification, and a formal relationship between the behavior of a system and a requirements specification.
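As an added example (not code from the thesis) of the state transition system abstraction of Section 6.4 and of Proposition 6.4.1: the constructed system below has two symmetric idle/run branches that share a fault state. Merging the symmetric states satisfies the abstractability condition and gives an exact abstraction, whereas merging the fault state with the idle states does not, and its quotient admits bounded traces that no concrete trace abstracts to, which is exactly the over-approximation a verifier must account for.

```python
def block_of(partition):
    """Map each state to the block (congruence class) of the partition containing it."""
    return {s: frozenset(block) for block in partition for s in block}


def successors(states, trans):
    return {s: {t for (u, t) in trans if u == s} for s in states}


def quotient(states, trans, partition):
    """(S/=, ->'): [s1] ->' [s2] iff some s in [s1] and s' in [s2] satisfy s -> s'."""
    cls = block_of(partition)
    return set(cls.values()), {(cls[s], cls[t]) for (s, t) in trans}


def is_abstractable(states, trans, partition):
    """Abstractability condition of the text: s1 -> s2 and s3 in [s1] imply
    some s4 in [s2] with s3 -> s4.  Returns True, or a violating witness (s1, s2, s3)."""
    cls, succ = block_of(partition), successors(states, trans)
    for (s1, s2) in trans:
        for s3 in cls[s1]:
            if not any(cls[s4] == cls[s2] for s4 in succ[s3]):
                return (s1, s2, s3)
    return True


def bounded_traces(states, trans, length):
    """All traces of the given length starting anywhere: v(pre(t)) -> v(t) for t > 0."""
    succ = successors(states, trans)
    traces = {(s,) for s in states}
    for _ in range(length - 1):
        traces = {tr + (t,) for tr in traces for t in succ[tr[-1]]}
    return traces


def abstract_traces(traces, partition):
    """Abstraction of a set of traces: apply the class map pointwise."""
    cls = block_of(partition)
    return {tuple(cls[s] for s in tr) for tr in traces}


# Constructed example: two symmetric idle/run branches sharing one fault state.
STATES = {"idle_a", "idle_b", "run_a", "run_b", "fault"}
TRANS = {
    ("idle_a", "run_a"), ("run_a", "idle_a"), ("run_a", "fault"),
    ("idle_b", "run_b"), ("run_b", "idle_b"), ("run_b", "fault"),
    ("fault", "idle_a"),          # recovery always returns to branch a
}
# Merging the symmetric states: every block behaves alike -> exact abstraction.
PART_EXACT = [{"idle_a", "idle_b"}, {"run_a", "run_b"}, {"fault"}]
# Merging fault into the idle block: fault has no successor in the run block
# -> approximate abstraction with spurious traces such as idle, idle, idle, idle.
PART_APPROX = [{"idle_a", "idle_b", "fault"}, {"run_a", "run_b"}]


def compare(partition, length=4):
    """(exact?, traces of the quotient system, abstractions of the concrete traces)."""
    q_states, q_trans = quotient(STATES, TRANS, partition)
    exact = is_abstractable(STATES, TRANS, partition) is True
    of_quotient = bounded_traces(q_states, q_trans, length)
    of_concrete = abstract_traces(bounded_traces(STATES, TRANS, length), partition)
    return exact, of_quotient, of_concrete


if __name__ == "__main__":
    for part in (PART_EXACT, PART_APPROX):
        exact, q, c = compare(part)
        print("exact" if exact else "approximate", len(q), len(c), q == c)
```

For the exact partition the two trace sets coincide (Proposition 6.4.1(1)); for the approximate one the quotient's traces form a strict superset (Proposition 6.4.1(2)).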
Within this framework, the robustness of parameterized systems and the complexity of behaviors can be studied. We have also presented a systematic approach to the study of behavior abstraction and equivalence using concepts from abstract algebra.

Chapter 7 Summary and Related Work

We have presented a semantic model for hybrid dynamic systems modeling and behavior analysis in this modeling framework. In this chapter, we summarize the results of Part I and discuss some related work on models for dynamic systems.

7.1 Summary

In this section, we summarize the Constraint Net model for design and analysis in terms of its power and limitations.

7.1.1 Power

The Constraint Net model is powerful in the following aspects.

• Power of Abstraction: The Constraint Net model is based on the abstract notions of time and domains. With this abstraction, both continuous and discrete time and domains can be represented in a uniform framework. Given abstract structures of time and domains, an abstract structure of dynamics can be derived based on the abstract notion of traces and transductions. Developed on abstract algebra and topology, a system can be represented at different levels of abstraction. Quotient and qualitative dynamics can be formalized, and behavior abstraction and equivalence can be studied.

• Power of Expression: The syntax of the Constraint Net model is graphical and modular, and its semantics is denotational and composite. Nondeterministic and stochastic systems can be represented with hidden inputs. Parameterized systems and various forms of temporal integration can be incorporated into the model.

• Power of Computation: The Constraint Net model is an abstraction and generalization of dataflow-like models, so that hybrid systems (systems with components in different domain and time structures) can be modeled.
Furthermore, both sequential computation and analog computation are special types of dynamic system that can be modeled with a simple domain and time structure.

7.1.2 Limitations

The Constraint Net model is limited in the following sense.

• Limitations of Abstraction: The Constraint Net model is based on the abstract notion of traces and transductions, while transductions are causal mappings from input traces to output traces. Not every physical process can be considered as a transduction. For example, a frequency bandwidth filter is not a transduction, since the output at any time may depend on the whole input trace. Furthermore, partial differential equations cannot be modeled.

• Limitations of Expression: The Constraint Net model is developed on the principles of simplicity and generality. There is no inherent notion of nondeterminism, which must be explicitly expressed by hidden inputs. There is no inherent notion of synchronization for communicating systems nor of time-out for real-time systems; these must be explicitly modeled by event generators and synchronizers. Sequential computation must be explicitly represented via event coordination.

• Limitations of Computation: We call our model Constraint Nets for two reasons. First, semantically, a constraint net is a set of equations, each of which imposes a constraint on traces. The semantics of a constraint net is the least solution of the set of equations. Second, as we will see in Part III, constraint satisfaction can be viewed as a dynamic process that can be modeled by a constraint net. Such a constraint net may approach a stable equilibrium that is the solution set of the constraint satisfaction problem. However, not every constraint satisfaction problem can be solved using the Constraint Net model. Furthermore, since the semantics of a constraint net is the least solution of the equations, any constraint net with algebraic loops may result in an undefined solution.
From the computational point of view, algebraic loops represent an infinite amount of computation in any instant of time. A well-defined constraint net performs only a finite amount of computation in any instant of time.

7.2 Related Work

Various models for concurrent and distributed systems [FF84] have been developed in the theory, AI and systems communities. Roughly speaking, these models can be characterized as belonging to one of three categories: (1) Automata or State Transition Models, (2) Communicating Processes or Multi-agent Architectures, and (3) Nets, Circuits or Dataflow Structures. Models in any of these forms can be equivalent in computational power (as with sequential models). The selection of a model depends on the application. Typical criteria for model selection are:
• Simple and Uniform,
• Modular and Composite,
• Parallel or Concurrent,
• Sequential or Synchronous,
• Nondeterministic or Probabilistic.
Some of these criteria are opposed to each other. Most of these models can be augmented with the notion of time for modeling real-time and/or hybrid systems. There are also constraint-based models and biology-based models. We survey some typical models in every category and their extensions to real-time and/or hybrid models, then we discuss the relationship between the Constraint Net model and other existing models.

7.2.1 Automata or state transition models

Automata or state transition models are typical for studying discrete event systems [Hol82], and most recently, for modeling hybrid systems [GNRR93]. However, for complex systems with multiple components, a global state description causes exponential growth in the number of states. Nevertheless, modeling the global transitions of a system is important for analyzing the system's overall behavior.
Although nondeterminism can be expressed inherently by this type of model, automata or state transition models go to the extreme for simplicity and global analysis, with little concern for modularity and parallelism. Examples of this type of model are Mealy/Moore Machines and Statecharts. Various forms of timed and hybrid automata have been studied recently.

Mealy/Moore Machines

Mealy/Moore machines [Mea55, Moo56] are the simplest form of input/output transducer for event control systems [CWG88]. Various adaptations can be made to particular domains. For example, Rosenschein [RK87, Ros89] proposed the situated-automata approach, which seeks to analyze knowledge in terms of relations between the states of a machine and the states of its environment over time. This approach, in contrast to the interpreted-symbolic-structure approach that has prevailed in AI for decades, provides a way of compromising between the representational power and the real-time execution of AI systems. A situated automaton is in fact a variation of a Moore machine [Moo56]. The Requirement State Machine (RSM) [JLHM91], a special form of Mealy machine [Mea55], has been proposed as a software requirement analysis language for real-time process-control systems.

Statecharts

The Statechart method was introduced [HP85] as a visual formalism for specifying the behavior of complex reactive systems. It describes a system's behavior in terms of states, events and conditions, with combinations of the latter two causing the transitions between the former. Both states and transitions can be associated in various ways with output events, called activities, which can be triggered either by executing a transition or by entering, exiting, or simply being in a state. A system's inputs are thus the events and its outputs are the activities; their union comprises the interface set. In Statecharts, the exponential growth of states is avoided by defining higher-level states.
States in a Statechart can be repeatedly combined into higher-level states using AND and OR modes of clustering.

Timed and Hybrid Automata

Much work has been done recently on introducing real-time concepts into formal models of concurrency [dHdR91]. For example, Merritt et al. [MMT91] augmented the input-output automaton model with a notion of time that allows one to reason about timed behaviors. Alur and Dill [AD91] developed the theory of timed automata to reason about timed behaviors. Henzinger et al. [HMP91b] incorporated time into an interleaving model of concurrency in which upper and lower bounds on time delay are associated with each transition. None of these models, however, is able to represent continuous change.

Some effort has been made recently to develop models for hybrid systems [GNRR93], systems with both discrete and continuous components. By generalizing timed transition systems to phase transition systems [MMP91, NS91], computation consists of alternating phases of discrete transitions and continuous activities. More specifically, Nerode and Kohn [NK93a] present a model consisting of two automata: a digital control automaton and a plant automaton. The plant automaton can be modeled as a state transition system over intervals. The inputs of a plant automaton are control signals and disturbances, while its states are the solutions of the set of differential equations of the plant for the given control signals and disturbances.

7.2.2 Processes or multi-agent architectures

Models in this category represent a system with multiple processes or agents that communicate with each other via channels or shared memories. In most cases, agents and channels can be created dynamically and communication patterns are not fixed at run time. Modularity, compositionality, as well as nondeterminism are features of this type of model.
This type of model can be very complex with various communication and synchronization operators; both parallel and sequential computation can be incorporated. Even though discrete time structures can be added to these models, they are concurrent rather than real-time models. Examples of this type of model are algebraic processes, the Actor model and the cc family.

Algebraic Processes

Much work has been done in algebraic processes. Typical models of this type are CSP and CCS.

C.A.R. Hoare's Communicating Sequential Processes (CSP) [Hoa85] is a model describing concurrent and distributed computation. A CSP program is a static set of explicit processes. Pairs of processes communicate by naming each other in input and output statements. Communication is nonbuffered and synchronous with unidirectional information flow. Guarded commands are used to introduce indeterminacy. Some work has been done on specifying a robot control system in CSP and formally verifying some of its properties [LD89]. However, it is hard to capture the essential structure of an analog control system and the dynamics of robot manipulators in CSP.

The work of George Milne and Robin Milner [MM79] is an attempt to describe a mathematical semantics for concurrent computation and communication. Their goal is a formal calculus of concurrent computation, much as the lambda calculus is a formal calculus of uniprocess computation. Their model, Calculus for Communicating Systems (CCS), has explicit processes that communicate synchronously and bidirectionally over labeled channels. The number of processes and their communication connections can change dynamically. Syntactically, a system modeled by CCS is a flowgraph with composition, restriction and relabeling. The semantics of CCS is based on the theory of sets, powerdomains and fixpoints of continuous algebras.
Though CCS allows the analysis of the temporal ordering of events, there is no way to specify the relative speeds of events. Synchronous CCS (SCCS) has been studied by Milner [Mil83], in which events are synchronized by timesteps. Timed CCS (TCCS) has also been proposed [MT90, MT91] as a tool for real-time analysis; it introduces willing-to-delay and forcing-to-delay operators. Many basic tools for communication protocol specification and verification are CCS-like languages [QAF89, Atl89]. Some more general work on the semantics of communicating processes has been presented by Hennessy [Hen88]. His approach relies heavily on abstract algebra ($\Sigma$-algebras) and the fixpoint theory of continuous functions, which shows that algebraic theory is a powerful tool for programming semantics.

Actors

The Actor model was proposed by Hewitt for developing highly parallel machines and open systems [Hew88]. The Actor model takes the theme of object-oriented computation seriously and to an extreme. In an Actor system, everything is an actor (object). Actors communicate by sending each other messages, which are themselves actors. Every actor has a script (program) and acquaintances (data, local storage). When a message arrives at an actor, the actor's script is applied to that message. Clinger [Cli81] gave a denotational semantics for an Actor-like system based on powerdomains and fixpoint theory, and also defined a set of laws that are meant to restrict Actor systems to those that can be physically implemented. Agha [Agh85] further gave a structured operational semantics for an Actor language and discussed compositionality and abstraction from irrelevant detail.

The Robot Schema (RS) Model is a variation of the Actor model, where a schema can be considered as a class of object. RS is a special model of computation for sensory-based robot programming [LA89].
RS is a typical concurrent object-oriented model, in which a schema is a general specification and a schema instance is a concurrent object. Each object can be created and terminated by other objects. Therefore, a network is created and changed during computation. Objects communicate with each other through input and output channels. The concept of RS can be implemented via any concurrent object-oriented language [Zha89, Zha90]. However, the formal semantics of RS is very complicated, due to the various interpretations of composition, communication and nondeterminism. Furthermore, again, continuous dynamics cannot be represented in this model.

The cc Family

Saraswat [Sar89] has developed a framework of concurrent constraint programming that he called the cc Family. In this paradigm, computation emerges from the interaction of concurrently executing agents that place, check and instantiate constraints on shared variables that range over some domain of discourse. Constraints are partial specifications of (possibly infinite) sets of values, and the agents may either collaborate or compete in placing constraints. The major form of concurrency control in the system is through the notions of Atomic Tell and Blocking Ask. The former allows an agent to (instantaneously) place constraints only if they are consistent with the constraints that have already been placed. The latter forces an agent to block when it checks a relationship that is not yet known to hold. This paradigm is a generalization of research in concurrent logic programming languages [Sha87]. It has been shown that concurrent logic programming languages are good candidates for open systems [KM88] and for the simulation of robot behaviors [ZM92]. However, they are not real-time languages, since their computation time is unpredictable.
A timed extension of the cc family, timed cc, has been proposed [SJG94], in which real-time requirements (such as time-out) can be expressed.

7.2.3 Nets or dataflow structures

Unlike state transition models that represent flow of control, computation in dataflow structures is data-driven. Unlike process-based systems in which processes and communication can be created dynamically, operators and connections in dataflow models are fixed. The advantages of a dataflow model are its inherent parallelism or concurrency, its locality (modularity), its graphical orientation, and most importantly, its generality and simplicity. Nondeterminism is inherent for interleaving concurrency models. However, neither sequential computation nor synchronization is explicitly represented. Examples of this type of model are Petri Nets, circuit models, communicating state machines and operator nets.

Petri Nets

The Petri Net model is a formal modeling technique that encodes the states of a dynamical system as the markings of tokens on a graph [Pet81]. The graph is a bipartite, directed multigraph that has two kinds of node, places and transitions, and arcs connect places and transitions. A marked Petri net is the association of a number with each place (the number of tokens on that place), which is not bounded but is always finite. A transition is enabled if every place connected to that transition with $k$ arcs has at least $k$ tokens. A transition may fire at any time if it is enabled. When a transition fires, it moves tokens from its input places to its output places. If multiple transitions are enabled at that time, one is chosen nondeterministically to fire. The Petri Net model of a system can be used to prove properties such as mutual exclusion, liveness and reachability. Various extensions (for example, inhibition) of Petri Nets have been proposed to make them Turing equivalent.
The Time Petri Net model is a current area in Petri Net theory research [Pet86, BD91].

Circuit Models

Circuit models are a typical kind of dataflow model. There are digital circuit models and analog circuit models. Analog circuits are basic systems for analog control. Analog circuits may include resistors, capacitors, amplifiers, differential or integral elements. Digital circuits include synchronous and asynchronous models. Synchronous circuits (sequential circuits) are the building blocks of most digital computer systems. A synchronous circuit consists of a set of basic gates (e.g., and, or and not), and all the gates operate at the same sampling rate controlled by a single clock. The idea of asynchronous circuits was demonstrated by Sutherland's Turing Award paper "Micropipelines" [Sut89]. Sutherland discards the clocked-logic conceptual framework and thinks instead about a different but equally simple form of control called transition signaling. The basic elements of asynchronous circuits are the exclusive or (xor) element that acts as the "or" element for events, and the Muller C-element that acts as the "and" element for events. Asynchronous circuits have advantages in hardware design, software and system development. Variations of circuit models have been adapted in AI. For example, the action network [Nil89] is composed of a forest of logical gates that select actions in response to sensory and stored data. The elementary unit of an action net implements a logical and gate.

Communicating State Machines

Communicating state machines are networks of state machines, each of which has a set of input ports and a set of output ports. Typical examples of this type are the Augmented Finite State Machine, the Extended State Machine, and temporal automata.

The Augmented Finite State Machine (AFSM) [Bro88] was used as the model for the subsumption architecture.
Each AFSM has a set of registers and a set of timers, or alarm clocks, connected to a conventional finite state machine that can control a combinatorial network fed by the registers. Registers can be written by attaching input wires to them and receiving messages from other machines. The arrival of a message, or the expiration of a timer, can trigger a change of state in the interior finite state machine. The finite state machine can wait on some event, conditionally dispatch to one of two other states based on some combinational predicate on the registers, or compute a combinatorial function of the registers, directing the result either back to one of the registers or to an output of the augmented finite state machine.

The Extended State Machine (ESM) [Ost89] is a framework for modeling systems composed of real-time discrete event processes. ESM can be used to model the processes and devices of a plant, as well as the software tasks of controllers implemented as real-time software. Each ESM description of a process has a distinguished variable called an activity variable that ranges over a set of activities. In addition, an ESM may have a set of data variables to store numerical or quantitative information. States in ESM refer to the values of all the activity and data variables. In addition, each ESM has a set of event labels, a set of communication channels and a set of basic actions. The occurrence of an ESM event causes an instantaneous change from the current activity to some new activity, as well as causing a change in the values of the data variables.

The Temporal Automaton model [LS90] is closer to dataflow models than to automata. A temporal automaton has the characteristics of explicit representation of process time, symmetric representation of a machine and of the environment in which it operates, the wiring together of asynchronous automata, and the ability to aggregate individual machines to form one machine at a coarser level of granularity.
Temporal automata are defined on entities and transductions. Entities associate time with data domains, and transductions induce causal relationships between entities. Two temporal automata can be connected by wires to form a new temporal automaton. A temporal automaton with empty input entities defines a closed system; otherwise it defines a causal system.

Operator Nets

The Operator Net model is a generalized deterministic dataflow model [Ash86]. A graphical language is defined that is syntactically extremely simple and that is mainly uninterpreted, i.e., it uses operator symbols rather than particular operators. This uninterpreted graphical language can then be interpreted in several different ways, by starting with different (continuous) sequence algebras. A mathematical semantics is given by the fixpoint theory that is referred to as Kahn's Principle [Kah74]. Different possible sequence algebras form families, each of which is based on a different continuous data algebra. If $A$ is a data algebra, then $I(A)$ is a sequence algebra based on pointwise extensions of functions in $A$, and $E(A)$ is an enlargement of $I(A)$ by the addition of a set of continuous operators that are not pointwise based, e.g., next, merge, followed-by, etc. SIGNAL [BL90] and LUSTRE [CPHP87] are specializations of the Operator Net model. Both of them augment the model with the notion of clocks, which are represented by streams of Booleans. Each operator can be associated with a clock such that the operator is performed at the clock's sampling rate. This type of model can be considered as a general model for real-time systems and for discrete-time, hybrid-domain dynamic systems.

7.2.4 Constraint-based and biology-based models

Models in this category are motivated by physical and biological natural systems. They are not mainly for providing the syntax or semantics of a programming language.
Instead, they can be considered as philosophical or mathematical structures of natural systems. Most natural systems are constraint-based, following some natural laws or keeping certain relationships. There are two types of relationship: dynamic and algebraic. Constraint-based models explore relations rather than causalities. There are various biology-based models, such as neural nets and cerebellar models. The categorical theory of biological systems has also been proposed.

Constraint-based Models

The constraint paradigm [Ste80] is a model of computation in which values are deduced whenever possible, under the limitation that deductions must be local in a certain sense. One may visualize a constraint "program" as a network of devices connected by wires. Data values may flow along the wires, and computation is performed by the devices. A device computes using only locally available information and places newly derived values on other locally attached wires. In this way computed values are propagated. An advantage of the constraint paradigm is that a single relationship can be used in more than one direction. The connections to a device are not labeled as inputs and outputs; a device will compute with whatever values are available, and produce as many new values as it can. A disadvantage is that it can only deal with very limited classes of constraint satisfaction problems.

Differential (resp. difference) algebraic equations (DAE) can be considered as taking both dynamic (causal) and algebraic (relational) constraints in one framework. In general, a dynamic system in continuous time (resp. discrete time) is a set of differential (resp. difference) algebraic equations:
$\dot{x} = f(x, y)$ (resp. $x((n+1)\delta) = f(x(n\delta), y(n\delta))$), $y = g(x, y)$.

Biology-based Models

The Neural Net model is motivated by a principle in physics, i.e., minimizing the energy of a system. Such minimization is performed dynamically by changing the parameters of the system, which is parallel and distributed in general. A neural net can solve a constraint satisfaction problem [RM86] if the energy function is defined according to the degree of satisfaction. The advantages of the Neural Net model for solving constraints are that it can solve soft constraints and that it involves dynamics, which is important in behavior simulation and animation [Pla89].

The Cerebellar Model Arithmetic Computer (CMAC) is motivated by the structure and function of the various cells and fiber types in the cerebellum [Alb81]. CMAC is defined by a series of mappings, $S \to M \to A \to P$, where $S$ is a set of input vectors, $M$ is a set of mossy fibers used to encode $S$, $A$ is a set of granule cells contacted by $M$, and $P$ is a set of outputs. The overall mapping $S \to P$ is a function that represents the causal relationship between the input and the output. Feedback is introduced in the model so that the system can learn. Furthermore, CMAC can simulate finite state automata, as well as compute integrals and other general functions. Hierarchical structures can be used for modeling complex systems.

The categorical theory of biological systems was studied by mathematical biologists [Ros85]. Using the categorical theory, the dynamics of a composition system, quotient dynamics, and hierarchies can be studied formally and abstractly.

7.2.5 Relationships with the Constraint Net Model

A distinguishing feature of the Constraint Net model (CN), compared with all the existing models, is abstraction. CN is an abstraction and generalization of dataflow-like models. With abstract time and domain structures, CN models dynamic systems with components of different dynamics. It is the first time that programming semantics techniques have been applied to dynamic systems modeling. Some important concepts in CN are influenced by Temporal Automata and Operator Nets.
Compared with Temporal Automata, CN is defined on more general and abstract structures of time and domains, based on which traces, event-driven as well as primitive transductions are formalized. In addition, CN has a more rigorous semantics based on fixpoint theory. Compared with Operator Nets, CN introduces reference time structures that can be continuous as well as discrete. In addition, events in event traces are transitions, so that Sutherland's event logic is adopted.

CN is a net-oriented model, while a component in a net can be an automaton or a state transition system. Processes or components in CN cannot be created or destroyed, and interconnections are fixed. However, such effects can be achieved by event-driven computation. CN can model synchronous, asynchronous and analog circuits. Even though CN does not directly represent synchronous communication and sequential computation, such mechanisms can be generated by event synchronization using the event logic. The syntactic structure of CN is similar to that of Petri Nets, i.e., a bipartite directed graph. However, the semantics of CN is for maximum parallelism, while the semantics of Petri Nets is for concurrency. CN is an inherently deterministic model, while nondeterminism can be captured by hidden inputs.

CN can efficiently model differential and difference equations, Neural Nets and CMAC. CN can also simulate constraint-based models, given the underlying dynamics that keeps the relationship as a stable state. Since CN is based on algebraic theory, homomorphism and quotient dynamics can be studied under this model.

In summary, the major contributions of CN are: (1) CN models asynchronous and synchronous components, as well as coordination among components with different time structures; (2) CN supports abstract data types and functions, as well as algebraic specification; (3) CN can provide a programming semantics for the design and analysis of hybrid real-time embedded systems; (4) CN serves as a foundation for the specification and verification of hybrid systems.

Part II
Requirements Specification and Behavior Verification

The way of human follows the way of earth.
The way of earth follows the way of heaven.
The way of heaven follows the way of Tao.
The way of Tao follows the way of Nature.
— Tao Teh Ching, Lao Tzu

Implementations follow algorithms.
Algorithms follow specifications.
Specifications follow ideas.
Ideas follow the way of Nature.
— Zhang Ying

Chapter 8
Introduction

We have developed a semantic model for dynamic systems. A model of a dynamic system represents the whole system as a set of components and their connections. However, the behavior of the system is not explicitly represented, since most dynamic systems have no closed form solutions at all. On the other hand, most design requirements can be expressed by qualitative properties and can be satisfied by many models. As a simple example, $\dot{x} = -x$ is a model of a dynamic system, which fortunately has a closed form solution: $x = \lambda t.\, x_0 e^{-t}$. A requirements specification may simply be a limit property $\lim_{t \to \infty} x(t) = 0$. In this case, the model $\dot{x} = -x$ satisfies the specification $\lim_{t \to \infty} x(t) = 0$.

In Part II, we propose and answer the following two questions: What is an appropriate requirements specification language? How do we verify the behavior of a system against a given requirements specification? In this chapter, we present an overview of Part II, Requirements Specification and Behavior Verification. There are three major chapters in Part II. Chapter 9 develops timed linear temporal logic.
Chapter 10 develops timed ∀-automata. Chapter 11 develops a formal method for ensuring that the behavior of a system satisfies a timed ∀-automata specification.

8.1 Timed Linear Temporal Logic

Since we consider time as a linearly ordered set with a least element, linear temporal logic is the simplest specification language for sequential (dynamic) behaviors. First, we develop a propositional linear temporal logic (PLTL). As with other temporal logics, we define the basic temporal operators $U$ and $S$; $F_1\, U\, F_2$ indicates that $F_1$ is true after the current time until $F_2$ becomes true, and $F_1\, S\, F_2$ indicates that $F_1$ is true up to the current time since $F_2$ became true. From these basic operators, we further define $\Diamond$ (eventually), $\Box$ (always), $\bigcirc$ (next), $\ominus$ (previous), etc. Unlike other temporal logics, PLTL is defined for arbitrary time structures, with discrete and continuous time as special instances.

CHAPTER 8. INTRODUCTION 100

Second, we extend PLTL with two real-time operators $U^\tau$ (real-time until) and $S^\tau$ (real-time since), where $\tau > 0$ is any positive real number. The resulting language is called a propositional timed linear temporal logic (PTLTL), where "timed" indicates the representation of metric or measure properties of time. From these two basic real-time operators, we further define other real-time operators such as $\Diamond^\tau$ (real-time eventually) and $\Box^\tau$ (real-time always).

Third, we define FTLTL, a first order TLTL. FTLTL is strongly typed, i.e., its domain is a multi-sorted $\Sigma$-algebra. Terms of FTLTL are defined on the signature $\Sigma$ and predicates are associated with types too. Furthermore, any global variable (a variable whose value is constant over time) can be quantified. RFTLTL, a restricted version of FTLTL, is also defined, in which quantifiers are restricted to state formulas (formulas without temporal or real-time operators). FTLTL is strictly more powerful than RFTLTL; however, RFTLTL gains its advantage in the simplicity of verification.

Finally, we propose the concept of open state specification and briefly discuss the importance and the use of open state specification.

8.2 Timed ∀-automata

An alternative to linear temporal logic for representing sequential behaviors is automata. Consider an automaton as a language recognizer that accepts a set of traces. If a trace is accepted by the automaton, the trace satisfies the specification defined by the automaton. The simplest automata are finite state automata.

First, we present discrete ∀-automata, adopted from the definition given by Manna and Pnueli [MP87]. Discrete ∀-automata are finite state automata accepting infinite sequences, i.e., traces of discrete time. ∀-automata have a graphical representation that is useful and illuminating. Furthermore, it has been shown [MP87] that discrete ∀-automata are strictly more powerful than PLTL. Second, we extend discrete ∀-automata to discrete timed ∀-automata, by augmenting automaton-states with time bounds. With this augmentation, various types of real-time property can be specified. Finally, we generalize discrete timed ∀-automata to timed ∀-automata. Timed ∀-automata can accept traces of arbitrary time structures, with discrete and continuous time structures as special cases.

8.3 Behavior Verification

We start with the concepts of behavior verification in general and the discussion of the theorem proving approach to verification in particular. The rest of the chapter focuses on verification techniques for timed ∀-automata specification. One of the important advantages of timed ∀-automata specification is that there exists a formal verification procedure. This verification procedure is derived from the integration of a model checking technique and a stability analysis method.

For verifying state-based and time-invariant behaviors of discrete time systems, we modify the verification rules developed by Manna and Pnueli [MP87] in the following ways:
• Ranking functions are replaced by Liapunov functions that generalize the functions for stability analysis in dynamic systems.
• Verification rules for real-time bounds are added so that real-time properties can be verified.

We apply the verification rules to the semi-automatic verification of constraint nets on discrete time structures. A verification of this type reduces to a set of first order state formulas that can be checked by a theorem prover. We translate the verification rules into an algorithm for finite domain and discrete time dynamic systems. The algorithm has a polynomial time complexity in both the size of the model and the size of the specification. With the concept of state transition abstraction, further savings in complexity can be explored. Finally, we generalize the verification rules so that behaviors with continuous as well as discrete time structures can be formally verified.

8.4 Summary and Related Work

The novelty in specification languages includes: a temporal logic defined on abstract time and domains, a timed extension to finite automata, and a generalized version of finite automata that accepts traces of continuous time. The novelty in behavior verification includes a semi-automatic verification method for discrete constraint nets, an efficient algorithm for finite domain systems, and a formal verification method for behaviors of hybrid systems.

Chapter 9
Timed Linear Temporal Logic

Temporal logic provides a simple and precise specification for sequential behaviors [Eme90]. We develop timed linear temporal logic (TLTL) for specifying desired properties of system behaviors, where "linear" refers to linearly ordered time structures and "timed" implies metric distances.
First, we generalize the propositional linear temporal logic to specifying properties of arbitrary traces (instead of finite or infinite sequences). Then we add real-time modal operators so that real-time properties (e.g., real-time response) can be specified. Finally, we develop a first order TLTL for arbitrary time and domain structures.

9.1 Propositional Linear Temporal Logic (PLTL)

The simplest temporal logic is the propositional linear temporal logic (PLTL). In this section, we present a form of PLTL that can incorporate both discrete and continuous time, so that properties of arbitrary traces can be specified and reasoned about.

9.1.1 PLTL: syntax and semantics

The basic form of the propositional linear temporal logic (PLTL) is the classical propositional logic extended with temporal operators. Formally, the syntax of the logic is defined as follows.

Definition 9.1.1 (Syntax of PLTL) Let $\Phi$ be a set of propositions. The basic syntax can be defined using BNF:
$F ::= \mathit{false} \mid p \mid F_1 \to F_2 \mid F_1\, U\, F_2 \mid F_1\, S\, F_2$
where $p \in \Phi$ is a proposition, $\to$ is a logical connective denoting "implication," $U$ is a temporal operator denoting "until" and $S$ is a temporal operator denoting "since."

CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 103

We will use the convention that temporal operators have higher priorities than logical connectives, and unary connectives (operators) have higher priorities than binary connectives (operators).

A frame of PLTL is a triple $(\mathcal{T}, A, V)$ where $\mathcal{T}$ is a time structure, $A$ is a domain, and $V : \Phi \to 2^A$ is an interpretation that assigns to each proposition $p \in \Phi$ a subset $V(p)$ of $A$. We will use $a \models p$ or $p(a)$ to denote $a \in V(p)$. A model of PLTL is a pair $(\mathcal{F}, v)$ where $\mathcal{F} = (\mathcal{T}, A, V)$ is a frame and $v : \mathcal{T} \to A$ is a trace. Formally, the semantics of the logic is defined as follows.

Definition 9.1.2 (Semantics of PLTL) Let $\mathcal{F} = (\mathcal{T}, A, V)$ be a frame and $(\mathcal{F}, v)$ be a model of PLTL. Let $F$ be a PLTL formula. Then $v \models_t F$ denotes that $v$ satisfies $F$ at time $t$:
• $v \not\models_t \mathit{false}$.
• $v \models_t p$ for $p \in \Phi$ iff $v(t) \models p$.
• $v \models_t F_1 \to F_2$ iff $v \models_t F_1$ implies $v \models_t F_2$.
• $v \models_t F_1\, U\, F_2$ iff $\exists t' > t$, $v \models_{t'} F_2$ and $\forall t''$, $t < t'' < t'$, $v \models_{t''} F_1$.
• $v \models_t F_1\, S\, F_2$ iff $\exists t' < t$, $v \models_{t'} F_2$ and $\forall t''$, $t' < t'' < t$, $v \models_{t''} F_1$.

We will use $v \models F$ to denote that $v$ satisfies $F$ initially, i.e., $v \models_0 F$. $F$ is valid over a frame $\mathcal{F}$, if for any model $(\mathcal{F}, v)$, $v \models F$. $F$ is valid, if for any frame $\mathcal{F}$, $F$ is valid over $\mathcal{F}$. $F$ is satisfiable over a frame $\mathcal{F}$, if for some model $(\mathcal{F}, v)$, $v \models F$. $F$ is satisfiable, if for some frame $\mathcal{F}$, $F$ is satisfiable over $\mathcal{F}$.

9.1.2 PLTL: extensions

More logical connectives and temporal operators can be defined using the basic logical connective $\to$ and the basic temporal operators $U$ and $S$. Some commonly used logical connectives are defined as follows:
• Negation: $\neg F \equiv F \to \mathit{false}$.
• True: $\mathit{true} \equiv \neg\mathit{false}$.
• Disjunction: $F_1 \vee F_2 \equiv \neg F_1 \to F_2$.
• Conjunction: $F_1 \wedge F_2 \equiv \neg(F_1 \to \neg F_2)$.
• Equivalence: $F_1 \leftrightarrow F_2 \equiv (F_1 \to F_2) \wedge (F_2 \to F_1)$.

Some commonly used temporal operators are defined as follows:
• Eventually: $\Diamond F \equiv F \vee \mathit{true}\, U\, F$.
• Always: $\Box F \equiv \neg\Diamond\neg F$.
• Next: $\bigcirc F \equiv F\, U\, F$.
• Previous: $\ominus F \equiv F\, S\, F$.
• Wait: $F_1\, W\, F_2 \equiv \Box F_1 \vee (F_1 \wedge (F_1\, U\, F_2)) \vee F_2$.

Various stronger and weaker variations of these temporal operators [Eme90] can also be defined.

The semantics of these logical connectives and temporal operators can be derived from their definitions. Let $\mathcal{F} = (\mathcal{T}, A, V)$ be a frame and $(\mathcal{F}, v)$ be a model of PLTL. Let $F$ be an extended PLTL formula:
• $v \models_t \neg F$ iff $v \not\models_t F$.
• $v \models_t \mathit{true}$.
• $v \models_t F_1 \vee F_2$ iff $v \models_t F_1$ or $v \models_t F_2$.
• $v \models_t F_1 \wedge F_2$ iff $v \models_t F_1$ and $v \models_t F_2$.
• $v \models_t \Diamond F$ iff $\exists t' \ge t$, $v \models_{t'} F$.
• $v \models_t \Box F$ iff $\forall t' \ge t$, $v \models_{t'} F$.
• $v \models_t \ominus F$ iff $\exists t' < t$, $\forall t''$, $t' \le t'' < t$, $v \models_{t''} F$.
• $v \models_t \bigcirc F$ iff $\exists t' > t$, $\forall t''$, $t < t'' \le t'$, $v \models_{t''} F$.
• $v \models_t F_1\, W\, F_2$ iff $\forall t' \ge t$, $v \models_{t'} F_1$; or $\exists t' > t$, $v \models_{t'} F_2$ and $\forall t''$, $t \le t'' < t'$, $v \models_{t''} F_1$; or $v \models_t F_2$.

We should note that the temporal operators $\bigcirc$ and $\ominus$ are generalizations of the "next" and "previous" operators, respectively, from discrete to arbitrary time.
However, $\neg(\bigcirc F) \wedge \neg(\bigcirc\neg F)$ and $\neg(\ominus F) \wedge \neg(\ominus\neg F)$ are satisfiable, and $\bigcirc F \to \bigcirc(\bigcirc F)$ and $\ominus F \to \ominus(\ominus F)$ are valid, for any frame with dense time.

For the maze traveler example in Part I, let $ME$ be a proposition denoting that the robot is moving east. A desired property of the maze traveler is $\Box\Diamond ME$, i.e., moving east infinitely often, which ensures the escape of the robot from any finite maze, for the given design and environment.

We can define some more abbreviations that are more convenient to use in many situations.
• $\mathit{final} \equiv \neg\bigcirc\mathit{true}$.
• $\mathit{initial} \equiv \neg\ominus\mathit{true}$.
• $rise(p) \equiv (\neg p \wedge \bigcirc p) \vee (\ominus\neg p \wedge p)$.
• $change(p) \equiv rise(p) \vee rise(\neg p)$.
• $event(p) \equiv (\ominus\neg p \wedge p) \vee (\ominus p \wedge \neg p)$.

Some important properties of behaviors can be specified using PLTL.
• Safety: If $B$ is a proposition denoting a bad situation, $\Box\neg B$.
• Goal achievement: If $G$ is a proposition denoting a final goal, $\Diamond\Box G$.
• Persistence: If $P$ is a proposition denoting a persistent condition, $\Box\Diamond P$.
• Precedence $Q\, \mathcal{B}\, R$: $Q$ happens before $R$, i.e., $\neg R\, W\, (\neg R \wedge Q)$.
• Interleaving $Q\, \mathcal{I}\, R$: $Q$ and $R$ interleave, i.e., $\Box(R \to Q\, \mathcal{B}\, R) \wedge \Box(Q \to R\, \mathcal{B}\, Q)$.

Now we can formally specify desired properties of the producer-consumer circuit in Figure 5.3. The first desired property is that producing precedes consuming, i.e., $event(C1)\, \mathcal{B}\, event(C2)$. The second desired property is that producing and consuming interleave, i.e., $event(C1)\, \mathcal{I}\, event(C2)$.

9.2 Propositional TLTL

In order to specify the metric properties of time, we develop Timed Linear Temporal Logic (TLTL). In this section, we introduce propositional TLTL (PTLTL), and in the next section, we present the first order TLTL (FTLTL).

The basic syntax and semantics of PTLTL are the same as those of PLTL. In addition, we augment the basic form of PLTL with two real-time operators. Let $\tau > 0$ be a positive real number, $\mathcal{T}_{t+\tau} = \{t' \mid t < t',\, d(t, t') \le \tau\}$ and $\mathcal{T}_{t-\tau} = \{t' \mid t' < t,\, d(t', t) \le \tau\}$. The two real-time operators are defined as follows:
• $v \models_t F_1\, U^\tau F_2$ iff $\exists t' \in \mathcal{T}_{t+\tau}$, $v \models_{t'} F_2$ and $\forall t''$, $t < t'' < t'$, $v \models_{t''} F_1$.
• $v \models_t F_1\, S^\tau F_2$ iff $\exists t' \in \mathcal{T}_{t-\tau}$, $v \models_{t'} F_2$ and $\forall t''$, $t' < t'' < t$, $v \models_{t''} F_1$.

Other real-time and temporal operators can be defined using the two basic real-time operators.
• $\Diamond^\tau F \equiv \mathit{true}\, U^\tau F$.
• $\Box^\tau F \equiv \neg\Diamond^\tau\neg F$.
• $\blacklozenge^\tau F \equiv \mathit{true}\, S^\tau F$.
• $\blacksquare^\tau F \equiv \neg\blacklozenge^\tau\neg F$.

The semantics of these real-time operators can be derived as follows:
• $v \models_t \Diamond^\tau F$ iff $\exists t' \in \mathcal{T}_{t+\tau}$, $v \models_{t'} F$.
• $v \models_t \Box^\tau F$ iff $\forall t' \in \mathcal{T}_{t+\tau}$, $v \models_{t'} F$.
• $v \models_t \blacklozenge^\tau F$ iff $\exists t' \in \mathcal{T}_{t-\tau}$, $v \models_{t'} F$.
• $v \models_t \blacksquare^\tau F$ iff $\forall t' \in \mathcal{T}_{t-\tau}$, $v \models_{t'} F$.

With real-time operators, real-time properties can be specified; for example, real-time response can be specified as $\Box(E \to \Diamond^\tau R)$.

9.3 First Order TLTL

We present FTLTL and its restricted version RFTLTL. RFTLTL imposes the constraint that quantifiers are associated only with state formulas (formulas without temporal and real-time operators).

To define the syntax of FTLTL, we shall first define terms. Let $\Sigma = (S, F)$ be a signature, $X_l$ be a set of trace variables, also called local variables, and $X_g$ be a set of parameter variables, also called global variables. $X = X_l \cup X_g$ is the set of $S$-sorted variables. The set of terms of sort $s \in S$ induced by $\Sigma$ and $X$, denoted $T_s(\Sigma, X)$, is the least set of strings that satisfies one of the following:
• if $x \in X_s$, then $x \in T_s(\Sigma, X)$;
• if $x \in X_{l,s}$, then $pre(x),\, x - \tau \in T_s(\Sigma, X)$ for $\tau > 0$;
• if $f \in F$ with type $\to s$, then $f \in T_s(\Sigma, X)$;
• if $f \in F$ with type $\bar{s} \to s$ where $\bar{s} : I \to S$, then $f(\bar{T}) \in T_s(\Sigma, X)$ where $\bar{T} : I \to T(\Sigma, X)$ with $\bar{T}_i \in T_{\bar{s}_i}(\Sigma, X)$.

Given $\Sigma = (S, F)$ as a signature, let $\Phi$ be a set of $S$-sorted predicate symbols, such that for each $p \in \Phi$ the type of $p$ is a tuple $\bar{s} : I \to S$. The syntax of FTLTL can be defined given $\Sigma$, $\Phi$ and $X$.
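The following is an added example, not code from the thesis: it implements Definition 9.1.2 together with the real-time operators of Section 9.2 over a finite discrete trace, and evaluates the property patterns of Section 9.1.2 (safety, goal achievement, precedence, real-time response) on that trace. It assumes the discrete time structure T = {0, ..., n-1} with metric d(t, t') = |t - t'|; the trace and the proposition names B, G, E, R, C1, C2 are constructed for illustration.

```python
"""Evaluator for PLTL and the real-time operators of PTLTL (Sections 9.1, 9.2)
over a finite discrete trace.  Added example, not code from the thesis.

Assumptions: the time structure is T = {0, ..., n-1} (discrete, with greatest
element n-1), the metric is d(t, t') = |t - t'|, and a trace v maps each t to
the set of propositions true at t, so V(p) = {a | p in a}.  Formulas are tuples
over the basic syntax: 'false', a proposition name, ('->', F1, F2),
('U', F1, F2), ('S', F1, F2), ('U^', tau, F1, F2), ('S^', tau, F1, F2).
"""
from typing import Sequence, Set


def sat(v: Sequence[Set[str]], F, t: int) -> bool:
    """v |=_t F as in Definition 9.1.2, plus U^tau and S^tau from Section 9.2."""
    n = len(v)
    if F == "false":
        return False
    if isinstance(F, str):                        # proposition p: v(t) |= p
        return F in v[t]
    op = F[0]
    if op == "->":
        return (not sat(v, F[1], t)) or sat(v, F[2], t)
    if op in ("U", "U^"):                         # F1 until F2, strictly after t
        tau, F1, F2 = (F[1], F[2], F[3]) if op == "U^" else (n, F[1], F[2])
        return any(sat(v, F2, t2) and all(sat(v, F1, t1) for t1 in range(t + 1, t2))
                   for t2 in range(t + 1, n) if t2 - t <= tau)   # t2 in T_{t+tau}
    if op in ("S", "S^"):                         # F1 since F2, strictly before t
        tau, F1, F2 = (F[1], F[2], F[3]) if op == "S^" else (n, F[1], F[2])
        return any(sat(v, F2, t2) and all(sat(v, F1, t1) for t1 in range(t2 + 1, t))
                   for t2 in range(0, t) if t - t2 <= tau)        # t2 in T_{t-tau}
    raise ValueError(f"unknown operator {op!r}")


# Derived connectives and operators, as defined in Sections 9.1.2 and 9.2.
def Not(F):          return ("->", F, "false")
TRUE = Not("false")
def Or(F1, F2):      return ("->", Not(F1), F2)
def And(F1, F2):     return Not(("->", F1, Not(F2)))
def Ev(F):           return Or(F, ("U", TRUE, F))            # eventually
def Alw(F):          return Not(Ev(Not(F)))                  # always
def Next(F):         return ("U", F, F)                      # next
def Prev(F):         return ("S", F, F)                      # previous
def Wait(F1, F2):    return Or(Or(Alw(F1), And(F1, ("U", F1, F2))), F2)
def EvT(tau, F):     return ("U^", tau, TRUE, F)             # real-time eventually
def AlwT(tau, F):    return Not(EvT(tau, Not(F)))            # real-time always
def rise(p):         return Or(And(Not(p), Next(p)), And(Prev(Not(p)), p))
def event(p):        return Or(And(Prev(Not(p)), p), And(Prev(p), Not(p)))
def before(Q, R):    return Wait(Not(R), And(Not(R), Q))     # precedence Q B R


def holds(v, F) -> bool:
    """v |= F: F is satisfied initially, i.e. at time 0."""
    return sat(v, F, 0)


# Constructed sample trace over propositions B (bad), G (goal), E (event),
# R (response), C1 and C2 (the two locations of the producer-consumer circuit).
TRACE = [
    {"C1"},            # t=0
    {"C1", "E"},       # t=1: request
    {"C1", "C2"},      # t=2: C2 changes -> event(C2)
    {"C2", "R"},       # t=3: C1 changes -> event(C1); response 2 units after E
    {"E", "C2"},       # t=4: second request
    {"G", "C2"},       # t=5
    {"G", "R"},        # t=6: response 2 units after E; C2 changes
    {"G"},             # t=7 (greatest element of T)
]


def check_properties(v=TRACE) -> dict:
    """Evaluates the property patterns of Sections 9.1.2 and 9.2 on a trace."""
    return {
        "safety":        holds(v, Alw(Not("B"))),                  # []~B
        "goal":          holds(v, Ev(Alw("G"))),                   # <>[]G
        "next_E":        sat(v, Next("E"), 0),                     # O E at t=0
        "event_C2_at_2": sat(v, event("C2"), 2),
        "C2_before_C1":  holds(v, before(event("C2"), event("C1"))),
        "response_2":    holds(v, Alw(("->", "E", EvT(2, "R")))),  # [](E -> <>^2 R)
        "response_1":    holds(v, Alw(("->", "E", EvT(1, "R")))),  # [](E -> <>^1 R)
    }
```

On the constructed trace both requests are answered exactly two time units later, so the real-time response holds for $\tau = 2$ but not for $\tau = 1$.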
Definition 9.3.1 (Syntax of FTLTL) The basic syntax of FTLTL can be defined as:
$F ::= \mathit{false} \mid T_s = T'_s \mid p(\bar{T}) \mid F_1 \to F_2 \mid F_1\, U\, F_2 \mid F_1\, S\, F_2 \mid F_1\, U^\tau F_2 \mid F_1\, S^\tau F_2 \mid \exists x F$
where $T_s, T'_s \in T_s(\Sigma, X)$ are terms of sort $s$, $p \in \Phi$ is a predicate symbol with type $\bar{s} : I \to S$, $\bar{T} : I \to T(\Sigma, X)$ with $\bar{T}_i \in T_{\bar{s}_i}(\Sigma, X)$, and $x \in X_g$ is a global variable.

A frame of FTLTL is a triple $(\mathcal{T}, A, V)$ where $\mathcal{T}$ is a time structure, $A$ is a $\Sigma$-domain structure and $V$ is an interpretation that assigns to each predicate symbol $p \in \Phi$ a subset $V(p)$ of $\times_I A_{\bar{s}_i}$, given that the type of $p$ is $\bar{s} : I \to S$.

A model of FTLTL is a pair $(\mathcal{F}, \sigma)$ where $\mathcal{F} = (\mathcal{T}, A, V)$ is a frame and $\sigma = (\sigma_l, \sigma_g)$ is a valuation for $X = X_l \cup X_g$, i.e., $\sigma_g : X_g \to A$ and $\sigma_l : X_l \to (\mathcal{T} \to A)$. By extending the valuation $\sigma$ from variables to terms, we have $\sigma : T(\Sigma, X) \to (\mathcal{T} \to A)$, such that for any $t \in \mathcal{T}$:
• $\sigma(x)(t) = \sigma_g(x)$ for any $x \in X_g$;
• $\sigma(x)(t) = \sigma_l(x)(t)$, $\sigma(pre(x))(t) = \sigma_l(x)(pre(t))$, $\sigma(x - \tau)(t) = \sigma_l(x)(t - \tau)$ for any $x \in X_l$;
• $\sigma(f(\bar{T}))(t) = f_A(\sigma(\bar{T})(t))$ for any $f \in F$.

Definition 9.3.2 (Semantics of FTLTL) Let $\mathcal{F} = (\mathcal{T}, A, V)$ be a frame and $(\mathcal{F}, \sigma)$ be a model of FTLTL. Let $F$ be an FTLTL formula; $\sigma \models_t F$ denotes that $\sigma$ satisfies $F$ at time $t$:
• $\sigma \not\models_t \mathit{false}$.
• $\sigma \models_t T_s = T'_s$ iff $\sigma(T_s)(t) = \sigma(T'_s)(t)$.
• $\sigma \models_t p(\bar{T})$ iff $\sigma(\bar{T})(t) \in V(p)$.
• $\sigma \models_t F_1 \to F_2$ iff $\sigma \models_t F_1$ implies $\sigma \models_t F_2$.
• $\sigma \models_t F_1\, U\, F_2$ iff $\exists t' > t$, $\sigma \models_{t'} F_2$ and $\forall t''$, $t < t'' < t'$, $\sigma \models_{t''} F_1$.
• $\sigma \models_t F_1\, S\, F_2$ iff $\exists t' < t$, $\sigma \models_{t'} F_2$ and $\forall t''$, $t' < t'' < t$, $\sigma \models_{t''} F_1$.
• $\sigma \models_t F_1\, U^\tau F_2$ iff $\exists t' \in \mathcal{T}_{t+\tau}$, $\sigma \models_{t'} F_2$ and $\forall t''$, $t < t'' < t'$, $\sigma \models_{t''} F_1$.
• $\sigma \models_t F_1\, S^\tau F_2$ iff $\exists t' \in \mathcal{T}_{t-\tau}$, $\sigma \models_{t'} F_2$ and $\forall t''$, $t' < t'' < t$, $\sigma \models_{t''} F_1$.
• $\sigma \models_t \exists x F$, $x \in X_{g,s}$, iff there is a value $a$ in $A_s$ such that $\sigma \models_t F[a/x]$, where $F[a/x]$ stands for the substitution of $x$ in $F$ by $a$.

We will use $\sigma \models F$ to denote that $\sigma$ satisfies $F$ initially, i.e., $\sigma \models_0 F$. $F$ is valid over a frame $\mathcal{F}$, if for any model $(\mathcal{F}, \sigma)$, $\sigma \models F$. $F$ is valid, if for any frame $\mathcal{F}$, $F$ is valid over $\mathcal{F}$. $F$ is satisfiable over a frame $\mathcal{F}$, if for some model $(\mathcal{F}, \sigma)$, $\sigma \models F$. $F$ is satisfiable, if for some frame $\mathcal{F}$, $F$ is satisfiable over $\mathcal{F}$.

Various logical connectives, temporal and real-time operators can be defined as for PTLTL. In addition, let $\forall$ be the dual of $\exists$, i.e., $\forall x F \equiv \neg\exists x \neg F$.

If we restrict quantifiers to state formulas (formulas without temporal and real-time operators), we have RFTLTL, a restricted version of FTLTL. Formally, a state formula is defined as
$F_s ::= \mathit{false} \mid T_s = T'_s \mid p(\bar{T}) \mid F_{s1} \to F_{s2} \mid \exists x F_s$
where $T_s, T'_s$ are terms of sort $s$, $p \in \Phi$ is a predicate symbol with type $\bar{s} : I \to S$, $\bar{T} : I \to T(\Sigma, X)$ with $\bar{T}_i \in T_{\bar{s}_i}(\Sigma, X)$, and $x \in X_g$. Let $FV(F_s)$ be the set of free variables in $F_s$. A state formula $F_s$ is a state proposition if $FV(F_s) \subseteq X_l$. An RFTLTL formula can be defined as
$F ::= F_s \mid F_1 \to F_2 \mid F_1\, U\, F_2 \mid F_1\, S\, F_2 \mid F_1\, U^\tau F_2 \mid F_1\, S^\tau F_2$
where $F_s$ is any state formula. Every RFTLTL formula is also an FTLTL formula, but not vice versa. FTLTL is strictly more expressive than RFTLTL. For example, $\lim_{t \to \infty} x(t) = 0$ can be expressed in FTLTL as $\forall\epsilon,\ \epsilon > 0 \to \Diamond\Box\, |x| < \epsilon$. However, there is no equivalent RFTLTL formula.

An RFTLTL formula with all free variables as local variables can be interpreted as a PTLTL formula, with domain $\times_s A_s$ and state propositions. For example, we may use the state proposition $|\theta| < \delta \wedge v > \epsilon$ to represent the proposition $ME$, where $\theta$ is the heading and $v$ is the velocity of the car.

9.4 Open State Specification

Now we discuss an important issue for requirements specification, the openness of state formulas. If $F_s$ is a state formula and $FV(F_s)$ is the set of free variables in $F_s$, let $V(F_s)$ be the set of tuples satisfying $F_s$, i.e., $V(F_s) = \{\sigma : FV(F_s) \to A \mid \sigma \models F_s\}$. A state formula $F_s$ is open (closed) in $A$ if $V(F_s)$ is open (closed) in the derived metric topology. The following properties follow directly from the definitions of general topology: (1) the state formulas $\mathit{true}$ and $\mathit{false}$ are both open and closed; and (2) if $F, F_1, F_2$ are open (closed), then:
• $F_1 \vee F_2$ is open (closed);
• $F_1 \wedge F_2$ is open (closed);
• $\neg F$ is closed (open);
• $\exists x F$ is open ($\forall x F$ is closed).

We will further discuss the openness of state formulas in the next chapter. Now we consider the meaning of open state formulas for the definedness of information. If a predicate $p$ on $\times_I A_{\bar{s}_i}$ is open, $V(p)$ is either a set of well-defined values or the total set. Extra attention should be paid to this property. For example, let $>$ on $\mathcal{R}^\perp \times \mathcal{R}^\perp$ be defined as $\{(x, y) \mid x \in \mathcal{R}, y \in \mathcal{R}, x > y\}$; it is an open predicate that is true only on well-defined tuples in $\mathcal{R} \times \mathcal{R}$. Similarly, let $\le$ on $\mathcal{R}^\perp \times \mathcal{R}^\perp$ be defined as $\{(x, y) \mid x \in \mathcal{R}, y \in \mathcal{R}, x \le y\}$; it is a predicate neither open nor closed that also holds only on $\mathcal{R} \times \mathcal{R}$. We should notice that for the domain $\mathcal{R}^\perp \times \mathcal{R}^\perp$, the obvious relation $x > y \leftrightarrow \neg(x \le y)$ no longer holds, since both $\perp > \perp$ and $\perp \le \perp$ are false.

Open state specification is important for requirements specification. For example, for a safety requirements specification $\Box\neg B(x)$ where $B$ is a predicate, $B$ should be closed, so that $\neg B$ is open. Otherwise, if $B$ is open and $\neg B$ is closed, an undefined value will satisfy the safety property. That is usually not what safety means.

Chapter 10
Timed ∀-Automata

An alternative to temporal logic for specifying sequential behaviors is automata. Consider traces as a generalization of (finite or infinite) sequences. A desired property of traces can be specified by an automaton; a trace satisfies the specification iff the automaton accepts the trace. In this chapter, we develop extensions of ∀-automata, proposed by Manna and Pnueli [MP87] for the specification and verification of concurrent programs. We start with an introduction to basic ∀-automata that are defined for sequences, or traces with discrete time structures. Then, we augment discrete ∀-automata to discrete timed ∀-automata by specifying real-time constraints on automaton-states. Finally, we generalize discrete timed ∀-automata to timed ∀-automata whose time structure can be arbitrary. The relationship between timed ∀-automata and TLTL will also be discussed.
10.1 Discrete ∀-Automata

Discrete ∀-automata are non-deterministic finite state automata over infinite sequences. These automata were originally proposed as a formalism for the specification and verification of temporal properties of concurrent programs [MP87]. We briefly introduce discrete ∀-automata, but in the role of specifying discrete time traces rather than concurrent programs. Formally, a ∀-automaton is defined as follows.

Definition 10.1.1 (Syntax of ∀-automata) A ∀-automaton $\mathcal{A}$ is a quintuple $(Q, R, S, e, c)$ where $Q$ is a finite set of automaton-states, $R \subseteq Q$ is a set of recurrent states and $S \subseteq Q$ is a set of stable states. With each $q \in Q$, we associate a state proposition $e(q)$, which characterizes the entry condition under which the automaton may start its activity in $q$. With each pair $q, q' \in Q$, we associate a state proposition $c(q, q')$, which characterizes the transition condition under which the automaton may move from $q$ to $q'$.

CHAPTER 10. TIMED ∀-AUTOMATA 111

$R$ and $S$ are the generalization of accepting states to the case of infinite inputs. We denote by $B = Q - (R \cup S)$ the set of non-accepting (bad) states.

A ∀-automaton is called complete if the following requirements are met:
• $\bigvee_{q \in Q} e(q)$ is valid.
• For every $q \in Q$, $\bigvee_{q' \in Q} c(q, q')$ is valid.

We will restrict ourselves to complete automata. This is not a substantial restriction, since any automaton can be transformed to a complete automaton by introducing an additional error state $q_E \in B$, with the entry condition
$e(q_E) = \neg\big(\bigvee_{q \in Q - \{q_E\}} e(q)\big)$,
and the transition conditions
$c(q_E, q_E) = \mathit{true}$,
$c(q_E, q) = \mathit{false}$ for each $q \in Q - \{q_E\}$,
$c(q, q_E) = \neg\big(\bigvee_{q' \in Q - \{q_E\}} c(q, q')\big)$ for each $q \in Q - \{q_E\}$.

Let $\mathcal{T}$ be a discrete time structure, $A$ be a domain and $v : \mathcal{T} \to A$ be a trace. A run of $\mathcal{A}$ over $v$ is a mapping $r : \mathcal{T} \to Q$ such that (1) $v(0) \models e(r(0))$; and (2) for all $t > 0$, $v(t) \models c(r(pre(t)), r(t))$. A complete automaton guarantees that any discrete trace has a run over it, and that any partial run¹ can always be extended to a total run. If $r$ is a run, let $Inf(r)$ be the set of automaton-states appearing infinitely many times in $r$, i.e., $Inf(r) = \{q \mid \forall t\, \exists t_0 \ge t,\ r(t_0) = q\}$. If $\mathcal{T}$ has a greatest element $t_0$, $Inf(r) = \{r(t_0)\}$. Therefore, $Inf(r)$ is a generalization of the "final value." A run $r$ is defined to be accepting if:
1. $Inf(r) \cap R \ne \emptyset$, i.e., some of the states appearing infinitely many times in $r$ belong to $R$, or
2. $Inf(r) \subseteq S$, i.e., all the states appearing infinitely many times in $r$ belong to $S$.

¹ Consider a run as a function.

Definition 10.1.2 (Semantics of ∀-automata) A ∀-automaton $\mathcal{A}$ accepts a trace $v$, written $v \models \mathcal{A}$, if all possible runs of $\mathcal{A}$ over $v$ are accepting.

One of the advantages of using automata as a specification language is their graphical representation. It is useful and illuminating to represent ∀-automata by diagrams. The basic conventions for such representations are the following:
• The automaton-states are depicted by nodes in a directed graph.
• Each initial automaton-state ($e(q) \ne \mathit{false}$) is marked by a small arrow, an entry arc, pointing to it.
• Arcs, drawn as arrows, connect some pairs of automaton-states.
• Each recurrent state is depicted by a diamond shape inscribed within a circle.
• Each stable state is depicted by a square inscribed within a circle.

Nodes and arcs are labeled by state propositions. A node or an arc that is left unlabeled is considered to be labeled with $\mathit{true}$. The labels define the entry conditions and the transition conditions of the associated automaton as follows.
• Let $q \in Q$ be a node in the diagram corresponding to an initial automaton-state. If $q$ is labeled by $\psi$ and the entry arc is labeled by $\varphi$, the entry condition $e(q)$ is given by $e(q) = \varphi \wedge \psi$. If there is no entry arc, $e(q) = \mathit{false}$.
• Let $q, q'$ be two nodes in the diagram corresponding to automaton-states. If $q'$ is labeled by $\psi$, and the arcs from $q$ to $q'$ are labeled by $\varphi_i$, $i = 1, \ldots, n$, the transition condition $c(q, q')$ is given by $c(q, q') = (\varphi_1 \vee \ldots \vee \varphi_n) \wedge \psi$. If there is no arc from $q$ to $q'$, $c(q, q') = \mathit{false}$.

A diagram representing an incomplete automaton is interpreted as a complete automaton by introducing an error state and associated entry and transition conditions.

Some examples of ∀-automata are shown in Figure 10.1. Figure 10.1(a) accepts any trace that satisfies $\neg G$ only finitely many times, Figure 10.1(b) accepts any trace that never satisfies $B$, and Figure 10.1(c) accepts any trace that will satisfy $R$ in the finite future whenever it satisfies $E$.

Now we give a definition of open specification. A ∀-automata specification is open if $\forall q \in R \cup S$, $e(q)$ is open and $c(q', q)$ is open for any $q' \in Q$. For discrete domains, open specification implies the well-definedness of accepting states; for continuous domains, open specification provides a relaxed representation for asymptotic behaviors.

[Figure 10.1 diagram not reproduced; arc labels include $\neg R$, $R$ and $E$.]
Figure 10.1: ∀-automata: (a) goal achievement (b) safety (c) bounded response

For example, a relaxed representation for $\lim_{t \to \infty} x(t) = 0$ is the automaton in Figure 10.1(a) with $G \equiv |x| < \epsilon$ for some $\epsilon > 0$. We will see that openness should be imposed for any useful requirements specification.

∀-automata may provide a more compact representation than TLTL. For example, the two desired properties of the producer-consumer synchronizer, precedence and interleaving, can be specified by one ∀-automaton in Figure 10.2(a), where $E(Ci)$ indicates that there is an event in $Ci$ and $NE(Ci)$ indicates that there is no event in $Ci$. $E(Ci)$ and $NE(Ci)$ can be represented as state propositions as follows. Let $Qi$ be the hidden location of the Muller C-element with output location $Ci$; $E(Ci) \equiv neq(Ci, Qi)$ and $NE(Ci) \equiv eq(Ci, Qi)$ with both $neq$ and $eq$ open. The persistence property of the maze traveler can be represented by the ∀-automaton in Figure 10.2(b), meaning that the robot will persistently move east.
[Figure 10.2: The specification of (a) the producer-consumer problem (b) the maze traveler; the arcs of (a) are labeled by conjunctions of $E(C_i)$ and $NE(C_i)$ propositions]

It has been shown [MP87] that discrete ∀-automata have the same expressive power as Büchi automata [Tho90] and the extended temporal logic (ETL) [Wol83], which are strictly more powerful than the propositional linear temporal logic (PLTL) [Tho90, Wol83].

10.2 Discrete Timed ∀-Automata

In order to represent timeliness, we develop timed ∀-automata. Timed ∀-automata are ∀-automata augmented with timed automaton-states and time bounds. Formally, a timed ∀-automaton is defined as follows.

Definition 10.2.1 (Syntax of timed ∀-automaton) A timed ∀-automaton $TA$ is a triple $(A, T, \tau)$ where $A = (Q, R, S, e, c)$ is a ∀-automaton, $T \subseteq Q$ is a set of timed automaton-states and $\tau : T \cup \{bad\} \to \mathbb{R}^+ \cup \{\infty\}$ is a time function.

A ∀-automaton is a special timed ∀-automaton with $T = \emptyset$ and $\tau(bad) = \infty$. Graphically, a $T$-state is denoted by a nonnegative real number indicating its time bound. The conventions for complete ∀-automata are adopted for timed ∀-automata.

Let $v : \mathcal{T} \to \mathcal{A}$ be a trace. A run $r$ of $TA$ over $v$ is a run of $A$ over $v$; $r$ is accepting for $TA$ if
1. $r$ is accepting for $A$ and
2. $r$ satisfies the time constraints.
If $I \subseteq \mathcal{T}$ is an interval of $\mathcal{T}$ and $q^* : I \to Q$ is a segment of run $r$, i.e., $q^* = r|_I$, let $\mu(q^*)$ denote the measure of $q^*$, i.e., $\mu(q^*) = \sum_{t \in I} \mu(t)$ since $I$ is discrete. Furthermore, let $\mu_B(q^*)$ denote the measure of bad automaton-states in $q^*$, i.e., $\mu_B(q^*) = \sum_{t \in I,\, q^*(t) \in B} \mu(t)$. Let $Sg(q)$ be the set of segments of consecutive $q$'s in $r$, i.e., $q^* \in Sg(q)$ implies $\forall t \in I$, $q^*(t) = q$. Let $BS$ be the set of segments of consecutive $B$- and $S$-states in $r$, i.e., $q^* \in BS$ implies $\forall t \in I$, $q^*(t) \in B \cup S$. The run $r$ satisfies the time condition if
(a) (local time constraint) $\forall q \in T, q^* \in Sg(q)$, $\mu(q^*) < \tau(q)$ and
(b) (global time constraint) $\forall q^* \in BS$, $\mu_B(q^*) < \tau(bad)$.

Definition 10.2.2 (Semantics of timed ∀-automaton) A timed ∀-automaton $TA$ accepts a trace $v$, written $v \models TA$, if all possible runs of $TA$ over $v$ are accepting.

For example, the real-time response property $\Box(E \to \Diamond R)$ with time bound $\tau$ is depicted by the timed ∀-automaton in Figure 10.3, meaning that any event will be responded to within time $\tau$ (assuming $\mu([t_1, t_2)) = d(t_1, t_2)$). We should notice that timed ∀-automata are closed under conjunction and disjunction, but not under complementation. Even though discrete ∀-automata are strictly more expressive than PLTL, discrete timed ∀-automata and PTLTL are not strictly more expressive than each other, since PTLTL is closed under complementation.

[Figure 10.3: Real-time response]

10.3 Timed ∀-Automata

Now we generalize discrete timed ∀-automata to timed ∀-automata that can accept general traces, with discrete time traces as special cases. The syntax and semantics of timed ∀-automata are the same as those of discrete timed ∀-automata, except for the definitions of runs and accepting runs.

The important concept of general runs is the generalization of the consecution condition. Let $\mathcal{T}$ be a time structure and let $t < \infty$ denote that $t$ is not the greatest element of $\mathcal{T}$. Let $v : \mathcal{T} \to \mathcal{A}$ be a trace. A run of $A$ over $v$ is a trace $r : \mathcal{T} \to Q$ satisfying
1. Initiality: $v(0) \models e(r(0))$;
2. Consecution:
• inductivity: $\forall t > 0, \exists q \in Q, \exists t' < t, \forall t'', t' < t'' < t$, $r(t'') = q$ and $v(t) \models c(r(t''), r(t))$, and
• continuity: $\forall t < \infty, \exists q \in Q, \exists t' > t, \forall t'', t < t'' < t'$, $r(t'') = q$ and $v(t'') \models c(r(t), r(t''))$.
When $\mathcal{T}$ is discrete, the two conditions in Consecution are reduced to one, i.e., $\forall t > 0$, $v(t) \models c(r(pre(t)), r(t))$; and if, in addition, $A$ is complete, every trace has a run. However, if $\mathcal{T}$ is not discrete, even if $A$ is complete, not every trace has a run. For example, a trace with infinitely many transitions among $Q$ within a finite interval has no run. A trace $v$ is specifiable by $A$ if there is a run of $A$ over $v$.
For example, if $\mathcal{T}$ and $\mathcal{A}$ are $[0, 1]$, the trace $v : \mathcal{T} \to \mathcal{A}$ with $v = \lambda t.t$ is not specifiable by the automaton in Figure 10.4.

[Figure 10.4: A generalized ∀-automaton, with arcs labeled $(1/2n, 1/(2n-1)]$ and $(1/(2n+1), 1/2n]$]

The definition of accepting runs for ∀-automata is the same as that for the discrete case. A run $r$ is defined to be accepting for $A$ if:
1. $\mathrm{Inf}(r) \cap R \neq \emptyset$, i.e., some of the states appearing infinitely many times in $r$ belong to $R$, or
2. $\mathrm{Inf}(r) \subseteq S$, i.e., all the states appearing infinitely many times in $r$ belong to $S$.

We should notice that dense ∀-automata are no longer more powerful than PLTL, since the ability of counting in automata [MP71] is lost when time is dense. In other words, meaningful dense automata are counter-free only, since for any transition between two automaton-states, there is a self-loop at one of the automaton-states.

The definition of accepting runs for timed ∀-automata is similar to that for the discrete case, except for the measures of segments. If $I \subseteq \mathcal{T}$ is an interval of $\mathcal{T}$ and $q^* : I \to Q$ is a segment of run $r$, i.e., $q^* = r|_I$, let $\mu(q^*)$ denote the measure of $q^*$, i.e., $\mu(q^*) = \mu(I) = \int_I dt$. Furthermore, let $\mu_B(q^*)$ denote the measure of bad automaton-states in $q^*$, i.e., $\mu_B(q^*) = \int_I \chi_B(q^*(t))\,dt$, where $\chi_B$ is the characteristic function of the set $B$. A run $r$ is accepting for a timed ∀-automaton if
1. $r$ is accepting for its ∀-automaton and
2. $r$ satisfies the time constraints.
Let $Sg(q)$ be the set of segments of consecutive $q$'s in $r$, i.e., $q^* \in Sg(q)$ implies $\forall t \in I$, $q^*(t) = q$. Let $BS$ be the set of segments of consecutive $B$- and $S$-states in $r$, i.e., $q^* \in BS$ implies $\forall t \in I$, $q^*(t) \in B \cup S$. The run $r$ satisfies the time condition if
(a) (local time constraint) $\forall q \in T, q^* \in Sg(q)$, $\mu(q^*) < \tau(q)$ and
(b) (global time constraint) $\forall q^* \in BS$, $\mu_B(q^*) < \tau(bad)$.

Timed ∀-automata are powerful enough to represent various temporal and timed properties of dynamic systems, such as persistence or liveness, goal achievement or reachability, safety and real-time response.
More importantly, there is a formal verification method based on a model checking technique and a stability analysis method.

Chapter 11 Behavior Verification

While modeling focuses on the underlying structure of a system (the organization and coordination of its components), requirements specification imposes global constraints on a system's behavior, and behavior verification checks the relationship between the behavior of a system and a requirements specification. In this chapter, we first discuss general issues of behavior verification, then focus on a formal verification method for timed ∀-automata specification.

11.1 Behavior Verification: General Issues

We have defined the behavior of a dynamic system as the set of observable input/output traces. Given $\mathcal{B}$ as the behavior of a dynamic system and $\mathcal{R}$ as a requirements specification, the behavior satisfies the requirements, written $\mathcal{B} \models \mathcal{R}$, if $\forall v \in \mathcal{B}$, $v \models \mathcal{R}$. The verification procedure is to certify the relationship $\mathcal{B} \models \mathcal{R}$ for any given behavior $\mathcal{B}$ and requirements specification $\mathcal{R}$.

It is not hard to see that there is no automatic verification procedure for behaviors of discrete time and domain dynamic systems and TLTL specification in general. We have seen that any partial recursive function $f$ can be computed by a constraint net, and whether or not $f$ is defined for an input value $n$ (the halting problem) can be represented by the specification $\Box[(DataIn = n) \wedge E(Start) \to \Diamond E(End)]$, where $E(X)$ indicates that there is an event at $X$. There are, as we will see, automatic verification procedures for discrete time and finite domain dynamic systems and PLTL specification.

There are generally three methods for system verification: simulation, theorem proving and model checking. Simulation is a procedure of generating partial traces¹ by executing the model, and then checking the set of partial traces against its specification. However, simulation is like program testing, which can only discover errors but cannot guarantee correctness². Both theorem proving and model checking are formal methods for ensuring correctness.

¹Note that time might be infinite.

Theorem proving is based on syntactic deduction in a formal system. A formal system $\mathfrak{A}$ is a pair $\langle A, R \rangle$ consisting of a set of axioms $A$ and a set of rules $R$, each of which has the form $F_1, \ldots, F_n \vdash F$. A formula $F$ is a theorem in $\mathfrak{A}$, written $\vdash_{\mathfrak{A}} F$, if (a) $F$ is an axiom in $A$ or (b) there exists a sequence of theorems $F_1, \ldots, F_m, F$ such that each $F_i$ either is an axiom or can be derived from $\{F_1, \ldots, F_{i-1}\}$ using a rule in $R$, namely, there is some rule $P_1, \ldots, P_j \vdash P$ such that $P = F_i$ and $\{P_1, \ldots, P_j\} \subseteq \{F_1, \ldots, F_{i-1}\}$.

A frame $\mathcal{F}$ is axiomatizable if $\mathcal{F}$ can be captured by a formal system, also denoted by $\mathcal{F}$, such that $F$ is valid over the frame $\mathcal{F}$ iff $\vdash_{\mathcal{F}} F$, i.e., there is a sound and complete axiomatization. If we can represent a constraint net $CN$ by a formula, also denoted by $CN$, in the formal system of the specification language $\mathcal{F}$, the behavior of $CN$ satisfies requirements $\mathcal{R}$, written $CN \models \mathcal{R}$, if $\vdash_{\mathcal{F}} CN \to \mathcal{R}$. For example, a state automaton $s' = f(i, s)$, $s = \delta(s_0)(s')$ in Figure 4.1 can also be represented by an FTLTL formula $\Box(s' = f(i, s)) \wedge (s = s_0) \wedge \bigcirc\Box(s = pre(s'))$.

There are some inherent difficulties with the theorem proving approach. First, to be axiomatizable is a strong condition. In fact, according to Gödel's incompleteness theorem, there is no sound and complete axiomatization for any set as complex as the natural numbers. Second, even if the frame is axiomatizable, there might be no computable decision procedure for an infinite frame. Third, even for finite frames, the problem of checking the validity of a formula is hard in general. However, in many cases, a proof-theoretic approach can assist the verification process. One can always have a set of sound axioms and rules describing the properties of the frame and the logic [Ost89, MP92].
With an interactive theorem prover like HOL (a higher order logic theorem prover developed by Cambridge University and SRI International), one can add more sound axioms and rules for any particular problem at hand. In addition, the reasoning mechanism of theorem proving based on natural deduction might be easier for humans to follow. In conclusion, there are three levels of formal specification for the theorem proving approach:
• frame specification: a set of axioms and rules of the temporal logic for the given time structure, a set of axioms and rules characterizing the domain structure, and a set of axioms and rules for the given set of predicates;
• model specification: a set of formulas specifying the equations of a constraint net;
• requirements specification: a set of formulas specifying the desired temporal relations on the interface of the module.

²Symbolic simulation [BS87] is a different procedure that generates symbolic representations of behaviors.

We will not discuss further in this thesis the issues of the theorem proving approach; rather, in the rest of this chapter, we will focus on the model checking approach for timed ∀-automata specification. Model checking is a formal procedure of verifying behaviors of models. Given the behavior of a system and a timed ∀-automaton, model checking is to certify the inclusion relation between the behavior and the language accepted by the automaton. First, we develop a formal verification method for state-based and time-invariant behaviors of discrete time, modified from Manna and Pnueli's verification rules [MP87]. Then, we apply the method to construct a semi-automatic verification procedure for constraint nets with discrete time structures, and translate the verification rules into an automatic algorithm for finite domain systems. Finally, we generalize the verification rules for behaviors of hybrid dynamic systems.
11.2 Verification for Behaviors of Discrete Time Systems

Manna and Pnueli [MP87] gave a formal method for checking the validity of a ∀-automata specification over a concurrent program. We modify the method to verify state-based and time-invariant behaviors of discrete time. First, we generalize ranking functions to Liapunov functions. Then, we augment timing functions to verify real-time behaviors.

A state-based and time-invariant behavior $\mathcal{B}$ of discrete time corresponds to a state transition system $(S_{\mathcal{B}}, \to)$ with $\Theta$ denoting the initial set of states. We write $n(s, s')$ if $s \to s'$, and $\{\varphi\}\mathcal{B}\{\psi\}$ if the consecutive condition $\varphi(s) \wedge n(s, s') \to \psi(s')$ is valid. Let $A = (Q, R, S, e, c)$ be a ∀-automaton. A set of propositions $\{\alpha_q\}_{q \in Q}$ is called a set of invariants for $\mathcal{B}$ and $A$ if
• Initiality: $\forall q \in Q$, $\Theta \wedge e(q) \to \alpha_q$.
• Consecution: $\forall q, q' \in Q$, $\{\alpha_q\}\mathcal{B}\{c(q, q') \to \alpha_{q'}\}$.

Proposition 11.2.1 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $\mathcal{B}$ and $A$. If $r$ is a run of $A$ over a trace $v \in \mathcal{B}$, then $\forall t \in \mathcal{T}$, $v(t) \models \alpha_{r(t)}$.

Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $\mathcal{B}$ and $A$. A set of partial functions $\{\rho_q\}_{q \in Q}$ is called a set of Liapunov functions for $\mathcal{B}$ and $A$ if $\rho_q : S_{\mathcal{B}} \to \mathbb{R}^+$ satisfies the following conditions:
• Definedness: $\forall q \in Q$, $\alpha_q \to \exists w, \rho_q = w$.
• Non-increase: $\forall q \in S, q' \in Q$, $\{\alpha_q \wedge \rho_q = w\}\mathcal{B}\{c(q, q') \to \rho_{q'} \le w\}$.
• Decrease: $\exists \varepsilon > 0, \forall q \in B, q' \in Q$, $\{\alpha_q \wedge \rho_q = w\}\mathcal{B}\{c(q, q') \to \rho_{q'} - w \le -\varepsilon\}$.
The first two conditions are derived from [MP87]. The last condition generalizes the decrease condition for ranking functions on discrete domains [MP87].

Proposition 11.2.2 Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $\mathcal{B}$ and $A$ and $r$ be a run of $A$ over a trace $v \in \mathcal{B}$. If $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions for $\mathcal{B}$ and $A$, then
• $\rho_{r(t)}(v(t)) \le \rho_{r(pre(t))}(v(pre(t)))$ when $r(pre(t)) \in S$,
• $\rho_{r(t)}(v(t)) - \rho_{r(pre(t))}(v(pre(t))) \le -\varepsilon$ when $r(pre(t)) \in B$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, then $\forall q^* \in BS$, $q^*$ has a finite number of $B$-states.

Let $TA = (A, T, \tau)$. Corresponding to the two types of time bound, we define two kinds of timing functions. Without loss of generality, we assume that the measurement of time is encoded in the state transition system, and let $\mu : S_{\mathcal{B}} \to \mathbb{R}^+$ be a function giving the time measure of states. Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $\mathcal{B}$ and $A$. A set of partial functions $\{\gamma_q\}_{q \in T}$ is called a set of local timing functions for $\mathcal{B}$ and $TA$ if $\gamma_q : S_{\mathcal{B}} \to \mathbb{R}^+$ satisfies the following conditions:
• Boundedness: $\forall q \in T$, $\alpha_q \to \gamma_q \le \tau(q)$.
• Decrease: $\forall q \in T$, $\{\alpha_q \wedge \gamma_q = w \wedge \mu = u\}\mathcal{B}\{c(q, q) \to \gamma_q - w \le -u\}$.
A set of partial functions $\{\gamma_q\}_{q \in Q}$ is called a set of global timing functions for $\mathcal{B}$ and $TA$ if $\gamma_q : S_{\mathcal{B}} \to \mathbb{R}^+$ satisfies the following conditions:
• Definedness: $\forall q \in Q$, $\alpha_q \to \exists w, \gamma_q = w$.
• Boundedness: $\forall q \in B$, $\alpha_q \to \gamma_q \le \tau(bad)$.
• Non-increase: $\forall q \in S, q' \in Q$, $\{\alpha_q \wedge \gamma_q = w\}\mathcal{B}\{c(q, q') \to \gamma_{q'} \le w\}$.
• Decrease: $\forall q \in B, q' \in Q$, $\{\alpha_q \wedge \gamma_q = w \wedge \mu = u\}\mathcal{B}\{c(q, q') \to \gamma_{q'} - w \le -u\}$.

Proposition 11.2.3 Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $\mathcal{B}$ and $A$ and $r$ be a run of $A$ over a trace $v \in \mathcal{B}$. If there exist local and global timing functions for $\mathcal{B}$ and $TA$, then
• if $Sg(q)$ is the set of segments of consecutive $q$'s in $r$, then $\forall q \in T, q^* \in Sg(q)$, $\mu(q^*) < \tau(q)$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, then $\forall q^* \in BS$, $\mu_B(q^*) < \tau(bad)$.

Following is the set of verification rules for a behavior $\mathcal{B}$ and a timed ∀-automaton $TA = (A, T, \tau)$:
(I) Associate with each automaton-state $q \in Q$ a state formula $\alpha_q$, such that $\{\alpha_q\}_{q \in Q}$ is a set of invariants for $\mathcal{B}$ and $A$.
(L) Associate with each automaton-state $q \in Q$ a partial function $\rho_q$, such that $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions for $\mathcal{B}$ and $A$.
(T) Associate with each timed automaton-state $q \in T$ a partial function $\gamma_q$, such that $\{\gamma_q\}_{q \in T}$ is a set of local timing functions for $\mathcal{B}$ and $TA$. Associate with each automaton-state $q \in Q$ a partial function $\gamma_q$, such that $\{\gamma_q\}_{q \in Q}$ is a set of global timing functions for $\mathcal{B}$ and $TA$.
Theorem 11.2.1 For any state-based and time-invariant behavior $\mathcal{B}$ with an infinite time structure and a complete timed ∀-automaton $TA$, the verification rules are sound and complete, i.e., $\mathcal{B} \models TA$ iff there exist a set of invariants, Liapunov functions and timing functions.

We shall provide the proof of this theorem next, since the proof itself will be used later in the verification algorithm for behaviors of finite state systems.

Proof: The construction of these rules guarantees the soundness of the verification method. For any trace $v$, there is a run because $TA$ is complete. For any run $r$ over $v$, if any automaton-state in $R$ appears infinitely many times in $r$, $r$ is accepting. Otherwise, there is a time point $t_0 \in \mathcal{T}$ such that the sub-sequence of $r$ on $I = \{t \in \mathcal{T} \mid t \ge t_0\}$, denoted $q^*$, has only bad and stable automaton-states. If there exist a set of invariants and a set of Liapunov functions, $q^*$ has only a finite number of $B$-states. Since time is infinite, all the automaton-states appearing infinitely many times in $r$ belong to $S$; so $r$ is accepting too. Therefore, every trace is accepting for the automaton. If there exist a set of local and global timing functions, every trace satisfies the timing constraints.

On the other hand, if $TA$ is valid over $\mathcal{B}$, then there exist a set of invariants, a set of Liapunov functions, and a set of local and global timing functions that satisfy the requirements. The construction of invariants and functions will be used later for the verification algorithm. For any state $s$ and proposition $\alpha$, we write $\alpha(s)$ if $s \models \alpha$. The invariants can be constructed as the fixpoint of the set of equations:

$\alpha_{q'}(s') = \exists q, s\,(\alpha_q(s) \wedge n(s, s') \wedge c(q, q')(s')) \vee (\Theta(s') \wedge e(q')(s'))$.   (11.1)

We can verify that $\{\alpha_q\}_{q \in Q}$ is a set of propositions over $S_{\mathcal{B}}$ and satisfies the requirements of initiality and consecution. Furthermore, $s \models \alpha_q$ if $(q, s)$ is a reachable pair for $TA$ and $\mathcal{B}$.

Given the constructed invariants $\{\alpha_q\}_{q \in Q}$, a set of Liapunov functions $\{\rho_q\}_{q \in Q}$ and a set of global timing functions $\{\gamma_q\}_{q \in Q}$ are defined as follows.
• $\forall q \in R$, $s \models \alpha_q$: let $\rho_q(s) = 0$ and $\gamma_q(s) = 0$.
• $\forall q \notin R$, $s \models \alpha_q$: $\rho_q$ and $\gamma_q$ can be constructed as follows. Construct a directed graph $(V, E)$ such that $(q, s) \in V$ if $q \notin R$, $s \models \alpha_q$, and $(q, s) \to (q', s')$ in $E$ if $n(s, s') \wedge c(q, q')(s')$. For any path $p$ starting at $(q, s)$, let $|p|_B$ be the number of $B$-states in $p$ and $\mu_B(p)$ be the measure of $B$-states in $p$. Let $\rho_q(s) = \sup\{|p|_B\}$ and $\gamma_q(s) = \sup\{\mu_B(p)\}$.
We can verify that $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions, and that $\{\gamma_q\}_{q \in Q}$ is a set of global timing functions. Similarly, a set of local timing functions $\{\gamma_q\}_{q \in T}$ can be constructed as follows. For all $q \in T$, construct a directed graph $G = (V, E)$ such that $s \in V$ if $s \models \alpha_q$, and $s \to s'$ in $E$ if $n(s, s') \wedge c(q, q)(s')$. For any path $p$ starting at $s$, let $\mu(p)$ be the measure of the path. Let $\gamma_q(s) = \sup\{\mu(p)\}$. We can verify that $\{\gamma_q\}_{q \in T}$ is a set of local timing functions. □

This verification method for behaviors of discrete time systems will be the basis of verification for behaviors of hybrid dynamic systems. On the other hand, many hybrid systems can be verified at different levels of implementation. If a system has an event-driven component, we can verify, using this method, the discrete time behavior, where the time is generated by events.

For the maze traveler example, the persistent property (the robot moves to the east infinitely many times), represented by the ∀-automaton in Figure 10.2, can be verified at the strategy level. We can construct a state transition system $(S, \to)$ such that $S$ is the set of configurations of the car and $\to$ is the state transition relation derived from the strategy. Formally, let $(x, y) \in \mathbb{R} \times \mathbb{R}$ and $\theta \in \mathbb{R}$ be the position and the orientation of the car, respectively, and let $(x, y, \theta) \to (x', y', \theta')$ if $(x', y', \theta')$ is the configuration of the car at the next event according to the strategy.
Associate with $q_0$ and $q_1$ the state propositions $\neg(|\theta| < \delta)$ and $|\theta| < \delta$, respectively; these propositions are invariants for $q_0$ and $q_1$. Associate with $q_0$ a function $\rho : \mathbb{R} \times \mathbb{R} \times \mathbb{R} \to \mathbb{R}^+$ such that $\rho(x, y, \theta)$ is the distance between the current configuration and the "desired" configuration with heading $|\theta| < \delta$. Associate with $q_1$ the constant function $0$. Given that the block sizes are finite, $\rho$ and $0$ are Liapunov functions for $q_0$ and $q_1$, respectively. Therefore, the maze traveler controlled by the strategy will satisfy the desired property.

11.2.1 Semi-automatic verification

Now we apply the verification rules to constraint nets with discrete time structures. Let $CN = (Lc, Td, Cn)$ be a constraint net composed of transliterations and unit delays only. $CN$ can be represented by two sets of domain equations, each of the form $l_o' = l_i$, if $l_o$ is an output location of a unit delay with the input location $l_i$, or $l_o = f(l_1, \ldots, l_n)$, if $l_o$ is an output location of a transliteration $f$ with the input location tuple $(l_1, \ldots, l_n)$. For example, consider the producer-consumer circuit in Figure 5.3, and assume that any delay is unit (if not, it can be modeled by a finite number of unit delays); the domain equations for the control circuit are:

$C1 = mc(R1, \neg Q2, Q1)$, $C2 = mc(Q1, \neg R2, Q2)$   (11.2)
$Q1' = C1$, $Q2' = C2$.   (11.3)

Let $\mathcal{T}$ be a discrete time structure and $\mathcal{A}$ be a domain structure. The behavior of $CN$ on the dynamics structure $\mathcal{D}(\mathcal{T}, \mathcal{A})$ corresponds to a state transition system $(S, \to)$ where (1) $S \subseteq \times_{Lc} A_s$ and $s \in S$ iff for every equation of the form $l_o = f(l_1, \ldots, l_n)$, $s(l_o) = f(s(l_1), \ldots, s(l_n))$, and (2) $s \to s'$ iff for every equation of the form $l_o' = l_i$, $s'(l_o) = s(l_i)$. However, the behavior of $CN$ can be verified without generating its state transition system. Let $CN_t \equiv \bigwedge\{l_o = f(l_1, \ldots, l_n)\}$ and $CN_d \equiv \bigwedge\{l_o' = l_i\}$. Let $\varphi$ and $\psi$ be state formulas with a subset of $Lc$ as local variables. We use $[\varphi]CN[\psi]$ to denote that the consistent condition $\varphi \wedge CN_t \to \psi$ is valid, and $\{\varphi\}CN\{\psi\}$ to denote that the consecutive condition $\varphi \wedge CN_t \wedge CN_d \wedge CN_t[l'/l] \to \psi[l'/l]$ is valid, where $x'/x$ denotes the replacement of $x$ by $x'$.

Let $\Theta$ be a state formula imposing constraints on the set of initial states of $CN$. Let $A = (Q, R, S, e, c)$ be a ∀-automaton. A set of state propositions $\{\alpha_q\}_{q \in Q}$ is called a set of invariants for $CN$ and $A$ if
• Initiality: $\forall q \in Q$, $[\Theta \wedge e(q)]CN[\alpha_q]$.
• Consecution: $\forall q, q' \in Q$, $\{\alpha_q\}CN\{c(q, q') \to \alpha_{q'}\}$.

Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $CN$ and $A$. A set of partial functions $\{\rho_q\}_{q \in Q}$ is called a set of Liapunov functions for $CN$ and $A$ if $\rho_q : \times_{Lc} A_s \to \mathbb{R}^+$ satisfies the following conditions:
• Definedness: $\forall q \in Q$, $[\alpha_q]CN[\exists w, \rho_q = w]$.
• Non-increase: $\forall q \in S, q' \in Q$, $\{\alpha_q \wedge \rho_q = w\}CN\{c(q, q') \to \rho_{q'} \le w\}$.
• Decrease: $\exists \varepsilon > 0, \forall q \in B, q' \in Q$, $\{\alpha_q \wedge \rho_q = w\}CN\{c(q, q') \to \rho_{q'} - w \le -\varepsilon\}$.

Let $TA = (A, T, \tau)$. Corresponding to the two types of time bound, we define two kinds of timing functions. Without loss of generality, we assume that the measurement of time is encoded in a location, and let $\mu : \times_{Lc} A_s \to \mathbb{R}^+$ be the time measure function. Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $CN$ and $A$. A set of partial functions $\{\gamma_q\}_{q \in T}$ is called a set of local timing functions for $CN$ and $TA$ if $\gamma_q : \times_{Lc} A_s \to \mathbb{R}^+$ satisfies the following conditions:
• Boundedness: $\forall q \in T$, $[\alpha_q]CN[\gamma_q \le \tau(q)]$.
• Decrease: $\forall q \in T$, $\{\alpha_q \wedge \gamma_q = w \wedge \mu = u\}CN\{c(q, q) \to \gamma_q - w \le -u\}$.
A set of partial functions $\{\gamma_q\}_{q \in Q}$ is called a set of global timing functions for $CN$ and $TA$ if $\gamma_q : \times_{Lc} A_s \to \mathbb{R}^+$ satisfies the following conditions:
• Definedness: $\forall q \in Q$, $[\alpha_q]CN[\exists w, \gamma_q = w]$.
• Boundedness: $\forall q \in B$, $[\alpha_q]CN[\gamma_q \le \tau(bad)]$.
• Non-increase: $\forall q \in S, q' \in Q$, $\{\alpha_q \wedge \gamma_q = w\}CN\{c(q, q') \to \gamma_{q'} \le w\}$.
• Decrease: $\forall q \in B, q' \in Q$, $\{\alpha_q \wedge \gamma_q = w \wedge \mu = u\}CN\{c(q, q') \to \gamma_{q'} - w \le -u\}$.

We say that the verification method based on this set of rules is semi-automatic because, given the invariants, Liapunov functions and timing functions, the method is reduced to checking the validity of a set of formulas in the domain structure $\mathcal{A}$.
If there is a first order theorem prover for the domain structure $\mathcal{A}$, the procedure can be done semi-automatically. Now we illustrate the verification method using an example. Some other examples are also studied in [ZM94].

A desired property of the asynchronous event controller has been expressed by the ∀-automaton in Figure 10.2(a). The automaton is not complete. To make it complete, introduce an error state $q_E$ with $e(q_E) = \mathit{false}$, $c(q_E, q_E) = \mathit{true}$, $c(q_E, q_0) = c(q_E, q_1) = \mathit{false}$, and let $c(q_0, q_E)$ be $(Q1 = \bot) \vee (Q2 = \bot) \vee (C1 = \bot) \vee (C2 = \bot) \vee neq(C2, Q2)$ and $c(q_1, q_E)$ be $(Q1 = \bot) \vee (Q2 = \bot) \vee (C1 = \bot) \vee (C2 = \bot) \vee neq(C1, Q1)$. The domain equations of the controller have been expressed in Equations 11.2 and 11.3. Let the initial condition $\Theta$ be $Q1 = Q2 = 0$, $R1 = 0$, $R2 = 1$, and assume that the values at $R1$ and $R2$ are always well-defined. Let $AEC_t$ denote the conjunction of the domain equations in 11.2 with $\neg(R1 = \bot)$ and $\neg(R2 = \bot)$, and $AEC_d$ denote the conjunction of the domain equations in 11.3. Furthermore, let $AEC$ denote the conjunction of all domain equations, $AEC_t \wedge AEC_d \wedge AEC_t[l'/l]$.

(I) Associate with $q_0, q_1, q_E$ the state propositions $eq(C1, C2)$, $neq(C1, C2)$ and $\mathit{false}$, respectively. The following verification conditions are satisfied:
• Initiality:
$q_0$: $\Theta \wedge \mathit{true} \wedge AEC_t \to eq(C1, C2)$.
$q_1$: $\Theta \wedge \mathit{false} \wedge AEC_t \to neq(C1, C2)$.
$q_E$: $\Theta \wedge \mathit{false} \wedge AEC_t \to \mathit{false}$.
• Consecution:
$(q_0, q_0)$: $eq(C1, C2) \wedge AEC \to (eq(C1', Q1') \wedge eq(C2', Q2') \to eq(C1', C2'))$.
$(q_0, q_1)$: $eq(C1, C2) \wedge AEC \to (neq(C1', Q1') \wedge eq(C2', Q2') \to neq(C1', C2'))$.
$(q_0, q_E)$: $eq(C1, C2) \wedge AEC \to ((Q1' = \bot) \vee (Q2' = \bot) \vee (C1' = \bot) \vee (C2' = \bot) \vee neq(C2', Q2') \to \mathit{false})$.
Therefore, $eq(C1, C2)$, $neq(C1, C2)$ and $\mathit{false}$ are invariants for $q_0$, $q_1$ and $q_E$, respectively.

(L) Since $q_0, q_1 \in R$ and the invariant of $q_E \in B$ is $\mathit{false}$, any set of functions is a set of Liapunov functions for $q_0$, $q_1$ and $q_E$.

Therefore, according to the verification rules, the behavior of the constraint net satisfies its requirements specification.
11.2.2 Automatic verification

The existence of the semi-automatic verification method for constraint nets presented in the previous section does not necessarily imply the existence of an automatic procedure. First, the invariants, Liapunov functions and timing functions are defined separately, and not automatically generated. Second, there is, of course, no decision procedure for determining the validity of a first-order formula in general. However, for finite constraint nets (nets with finite domains) we can automate the verification process against a timed ∀-automata specification. Derived from the verification rules, the algorithm consists of three phases: 1. Invariant Generation, 2. Boundedness and Global Timing, and 3. Local Timing.

Let $CN = (Lc, Td, Cn)$ be a constraint net composed of transliterations and unit delays only. We write $CN(s)$ if for every equation of the form $l_o = f(l_1, \ldots, l_n)$, $s(l_o) = f(s(l_1), \ldots, s(l_n))$, and $CN(s, s')$ if $CN(s)$, $CN(s')$, and for every equation of the form $l_o' = l_i$, $s'(l_o) = s(l_i)$.

Invariant generation is a process that produces all reachable pairs $(q, s)$, denoted $a(q, s)$, where $q \in Q$ and $s \in \times_{Lc} A_s$. According to Equation 11.1, this fixpoint operation can be efficiently realized in two steps:
1. Initiality: Generate $a(q, s)$ if $\Theta(s)$, $e(q)(s)$, $CN(s)$.
2. Consecution: Generate $a(q', s')$ if $a(q, s)$, $CN(s, s')$, $c(q, q')(s')$.
The algorithm is shown in Figure 11.1, where $start(s)$ denotes $\Theta(s)$.

    Algorithm: Invariant Generation
    Qs = Rs = [];
    for all q, s do                      /* Initiality */
        if start(s) and e(q)(s) and CN(s)
            { Qs = [a(q,s)|Qs]; Rs = [a(q,s)|Rs]; }
    while Qs = [a(q,s)|Qs1] do           /* Consecution */
        { NRs = [];
          for all q', s' do
              if a(q,s) and CN(s,s') and c(q,q')(s') and a(q',s') not in Rs
                  NRs = [a(q',s')|NRs];
          Rs = append(Rs, NRs);
          Qs = append(Qs1, NRs); }

    Figure 11.1: The algorithm for invariant generation

We write $bstate(q, s)$ if $a(q, s)$ and $q \in B$, and $sstate(q, s)$ if $a(q, s)$ and $q \in S$. Let $(V, E)$ be the state transition graph where $V$ is the set of pairs $(q, s)$ satisfying $sstate(q, s)$ or $bstate(q, s)$, and $E$ is the set of transitions $(q, s, q', s')$ between two states in $V$, with $(q, s, q', s') \in E$ if $CN(s, s')$ and $c(q, q')(s')$. Boundedness checks whether or not there is a loop consisting of $bstate(q, s)$ in the state transition graph. Global timing checks whether or not there is a path $p$ in the state transition graph whose time measure of $bstate(q, s)$, denoted $m(p)$, is greater than the time bound $\tau(bad)$, denoted $time(bad)$. The algorithm is shown in Figure 11.2.

    Algorithm: Boundedness and Global Timing
    1. /* Generate state transition graph <V,E> */
       for all q in B do for all s do if a(q,s) put bstate(q,s) in V
       for all q in S do for all s do if a(q,s) put sstate(q,s) in V
       for all (q,s), (q',s') in V do
           if CN(s,s') and c(q,q')(s') put (q,s,q',s') in E
    2. /* Check the acyclicity of bstate */
       for all bstate(q,s) in V do
           for all path p starting from (q,s) do
               if p ends at (q,s) return false
       /* Check the time bound of bstate */
       for all bstate(q,s) in V do
           for all path p starting from (q,s) do
               if m(p) > time(bad) return false
       return true

    Figure 11.2: The algorithm for boundedness and global timing

For each $q \in T$ let $(V, E)$ be the state transition graph where $V$ is the set of $s$ satisfying $a(q, s)$ and $E$ is the set of transitions $(s, s')$ between two states in $V$, with $(s, s') \in E$ if $CN(s, s')$ and $c(q, q)(s')$. Local timing checks whether or not there is a path $p$ in the state transition graph whose time measure, denoted $m(p)$, is greater than the time bound $\tau(q)$, denoted $time(q)$. The algorithm is shown in Figure 11.3.

    Algorithm: Local Timing
    for all q in T do if not ttest(q) return false
    return true

    ttest(q):
    1. /* Generate state transition graph <V,E> */
       for all s do if a(q,s) put s in V
       for all s, s' in V do if CN(s,s') and c(q,q)(s') put (s,s') in E
    2. /* Check the longest path */
       for all s in V with no input edges do
           for all path p starting from s do
               if m(p) > time(q) or p has loop return false
       return true

    Figure 11.3: The algorithm for local timing

The complexity of the verification algorithm is obtained as follows. The invariant generation can be done in polynomial time in $|Q| \cdot |\times_{Lc} A_s|$, which is the total number of $(q, s)$ pairs. For each $bstate(q, s)$, searching for a loop including $bstate(q, s)$ or a longest bad-state path starting at $bstate(q, s)$ is linear in the number of transitions in the state transition graph, since each state needs to be visited only its outdegree number of times in the search algorithm. Therefore, both checking boundedness and global timing are polynomial in $|Q| \cdot |\times_{Lc} A_s|$. Similarly, checking local timing is polynomial in $|Q| \cdot |\times_{Lc} A_s|$. As a result, the verification algorithm is polynomial in both the size of the model and the size of the specification.

This result seems a little surprising, since it is well known [Eme90] that model checking for the linear propositional temporal logic is PSPACE-complete in the length of the formula. However, we should notice that, in the worst case, the size of a ∀-automaton may be exponential in the length of its equivalent linear propositional temporal logic formula. On the other hand, for many system properties, such as safety, liveness, reachability and bounded response, ∀-automata do have size equivalent to the length of their corresponding linear propositional temporal logic formulas. However, the number of automaton-states in the complement of a ∀-automaton may be exponential in the number of automaton-states in the original ∀-automaton [Tho90]. This suggests that we should choose the simpler ∀-automaton, $A$ or $\neg A$, as a basis to verify finite systems.
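As an added illustration (not the thesis's Prolog implementation), the three phases of the finite-state algorithm above (Figures 11.1 to 11.3) in Python, run on a constructed four-state request/response system and a real-time response automaton of the shape assumed here for Figure 10.3 (q0 recurrent with a true self-loop, q0 to q1 on E, q1 bad and timed with self-loop ¬R, q1 back to q0 on R); the system, the automaton shape and the bounds are assumptions, and each state takes one unit of time as in the thesis's implementation.

```python
"""Finite-state verification against a timed forall-automaton in the three
phases of the thesis.  Added example: the system and automaton below are
constructed for illustration, not the thesis's own Prolog implementation."""
from collections import deque
from itertools import product

class TimedForallAutomaton:
    """Q, R (recurrent), S (stable); B = Q - R - S are the bad states.
    e(q, s): entry condition; c(q, q2, s2): transition condition evaluated
    on the successor state; T: bound tau(q) per timed state; tau_bad: tau(bad)."""
    def __init__(self, Q, R, S, e, c, T, tau_bad):
        self.Q, self.R, self.S = set(Q), set(R), set(S)
        self.B = self.Q - self.R - self.S
        self.e, self.c, self.T, self.tau_bad = e, c, dict(T), tau_bad

def generate_invariants(A, states, start, cn):
    """Phase 1 (Figure 11.1): the reachable pairs a(q, s) as a fixpoint."""
    reach = {(q, s) for q, s in product(A.Q, states) if start(s) and A.e(q, s)}
    queue = deque(reach)
    while queue:                                    # consecution step
        q, s = queue.popleft()
        for q2, s2 in product(A.Q, states):
            if (q2, s2) not in reach and cn(s, s2) and A.c(q, q2, s2):
                reach.add((q2, s2))
                queue.append((q2, s2))
    return reach

def longest_path(starts, succ, weight, loop_fatal):
    """Largest accumulated weight over simple paths from `starts`, or None
    if some path closes a loop on a node for which loop_fatal(node) holds."""
    best = 0
    def dfs(node, on_path, acc):
        nonlocal best
        best = max(best, acc)
        for nxt in succ(node):
            if nxt in on_path:
                if loop_fatal(nxt):
                    return False
                continue                            # harmless loop: not extended
            on_path.add(nxt)
            ok = dfs(nxt, on_path, acc + weight(nxt))
            on_path.discard(nxt)
            if not ok:
                return False
        return True
    for s in starts:
        if not dfs(s, {s}, weight(s)):
            return None
    return best

def boundedness_and_global_timing(A, reach, cn, measure):
    """Phase 2 (Figure 11.2): no loop through a bstate, and the bad-state
    measure of every path starting at a bstate stays within tau(bad)."""
    V = {(q, s) for q, s in reach if q in A.B or q in A.S}
    is_bad = lambda n: n[0] in A.B
    succ = lambda n: [m for m in V if cn(n[1], m[1]) and A.c(n[0], m[0], m[1])]
    worst = longest_path([n for n in V if is_bad(n)], succ,
                         lambda n: measure(n[1]) if is_bad(n) else 0, is_bad)
    return worst is not None and worst <= A.tau_bad

def local_timing(A, reach, cn, measure):
    """Phase 3 (Figure 11.3): for each timed state q, the graph of states in
    which a run may stay in q is loop-free and its longest path is within
    tau(q).  Loops are checked from every node, not only from sources."""
    for q, bound in A.T.items():
        V = {s for q2, s in reach if q2 == q}
        succ = lambda s, q=q, V=V: [s2 for s2 in V if cn(s, s2) and A.c(q, q, s2)]
        worst = longest_path(V, succ, measure, lambda s: True)
        if worst is None or worst > bound:
            return False
    return True

def verify(A, states, start, cn, measure=lambda s: 1):
    """B |= TA for the finite system (states, start, cn); one unit per state."""
    reach = generate_invariants(A, states, start, cn)
    return (boundedness_and_global_timing(A, reach, cn, measure)
            and local_timing(A, reach, cn, measure))

# Constructed system: every request (E) is answered (R) exactly two steps later.
STATES = ("idle", "req", "busy", "done")
STEP = {"idle": {"idle", "req"}, "req": {"busy"}, "busy": {"done"}, "done": {"idle"}}
start = lambda s: s == "idle"
cn = lambda s, s2: s2 in STEP[s]
is_event = lambda s: s == "req"
is_response = lambda s: s == "done"

def response_automaton(tau):
    """Assumed shape of the real-time response automaton of Figure 10.3:
    q0 recurrent with a true self-loop, q0 -> q1 on E, q1 bad and timed with
    self-loop ~R, q1 -> q0 on R; tau bounds both q1 and the bad segment."""
    arcs = {("q0", "q0"): lambda s: True, ("q0", "q1"): is_event,
            ("q1", "q1"): lambda s: not is_response(s), ("q1", "q0"): is_response}
    return TimedForallAutomaton(
        Q=["q0", "q1"], R=["q0"], S=[], e=lambda q, s: q == "q0",
        c=lambda q, q2, s2: arcs.get((q, q2), lambda s: False)(s2),
        T={"q1": tau}, tau_bad=tau)

if __name__ == "__main__":
    print(verify(response_automaton(2), STATES, start, cn))   # True
    print(verify(response_automaton(1), STATES, start, cn))   # False
```

With bound 2 the longest bad segment (req, busy) fits and the check passes; with bound 1 phase 2 rejects it, which is the global timing failure the algorithm is designed to catch.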
However, we should also notice that even though the complexity of the algorithm is polynomial in the size of the model, it is exponential in the number of local variables or locations of the constraint net. In most cases, a property of a system is expressed by only a small subset of locations, for example, locations in the interface of a module. If the algorithm can explore only this small portion of the system, there is an exponential saving in complexity.

For a constraint net $CN = (Lc, Td, Cn)$, let $\to_{Lc}$ denote the transition relation of $CN$, i.e., $s_1 \to_{Lc} s_2$ if $CN(s_1, s_2)$. For a subset of locations $U \subseteq Lc$, let $\to_U$ denote the projected relation, i.e., $s_1' \to_U s_2'$ if $s_1' = h(s_1)$ and $s_2' = h(s_2)$ such that $CN(s_1, s_2)$, where $h = \lambda s.s|_U$. $U \subseteq Lc$ is an abstraction of the set of locations $Lc$ for $CN$ if $(\times_{Lc} A_s, \to_{Lc})$ is abstractable to $(\times_U A_s, \to_U)$. The following proposition provides an equivalent definition of this concept.

Proposition 11.2.4 Given $Lc$ as the set of locations and $U \subseteq Lc$, $U$ is an abstraction of $Lc$ if $[\![CN(U)]\!]$ is state-based and time-invariant.

The following propositions underpin the application of this concept of abstraction.

Proposition 11.2.5 If $U$ is an abstraction of $Lc$, any property restricted to relations on $U$ can be verified by exploring the abstract transition system $(\times_U A_s, \to_U)$.

Proposition 11.2.6 If $CN_s$ is a subnet of $CN$, the set of locations of $CN_s$ is an abstraction.

Proposition 11.2.7 The set of output locations of unit delays is an abstraction.

Proposition 11.2.8 The set of input locations of unit delays is an abstraction.

Proposition 11.2.9 If $U$ is an abstraction and $I \subseteq I(CN)$, $U \cup I$ or $U - I$ is still an abstraction.

We have implemented the verification algorithm in Prolog, where the model is represented by the initial state predicate $start(s)$ and the state transition predicate $cn(s, s')$, and the specification is represented by the entry condition predicate $e(q, s)$ and the consecution condition predicate $c(q, q', s)$.
For simplicity, each state is assumed to take one unit of time. Examples of the producer-consumer synchronizer, with an interleaving property, and an elevator system (in Appendix C), with a real-time response property, have been verified in this implementation.

11.3 Verification for Behaviors of Hybrid Dynamic Systems

Now we generalize the verification rules for behaviors of hybrid dynamic systems. The set of verification rules is the same as that for behaviors of discrete time systems; however, the definitions of invariants, Liapunov functions and timing functions are generalized.

For any trace $v : T \to A$, let $\{\varphi\}v\{\psi\}$ and $\{\varphi\}v^+\{\psi\}$ denote the validity of the following two consecution conditions, respectively:

• $\{\varphi\}v\{\psi\}$: for all $t > 0$, $\exists t' < t, \forall t'', t' \le t'' < t, v(t'') \models \varphi$ implies $v(t) \models \psi$.
• $\{\varphi\}v^+\{\psi\}$: for all $t < \infty$, $v(t) \models \varphi$ implies $\exists t' > t, \forall t'', t < t'' < t', v(t'') \models \psi$.

If $T$ is discrete, these two conditions are reduced to one, i.e., $\forall t > 0, v(pre(t)) \models \varphi$ implies $v(t) \models \psi$.

Given $B$ as a behavior, let $\Theta_B = \{v(0) \mid v \in B\}$ denote the set of initial values in $B$. Let $A = (Q, R, S, e, c)$ be a V-automaton. A set of propositions $\{\alpha_q\}_{q \in Q}$ is called a set of invariants for $B$ and $A$ if

• Initiality: $\forall q \in Q, \Theta_B \wedge e(q) \to \alpha_q$.
• Consecution: $\forall v \in B, \forall q, q' \in Q, \{\alpha_q\}v\{c(q, q') \to \alpha_{q'}\}$.

Proposition 11.3.1 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $B$ and $A$. If $r$ is a run of $A$ over $v \in B$, $\forall t \in T, v(t) \models \alpha_{r(t)}$.

Without loss of generality, we assume that time is encoded in domain $A$ by $t : A \to T$. Given that $\{\alpha_q\}_{q \in Q}$ is a set of invariants for $B$ and $A$, a set of partial functions $\{\rho_q\}_{q \in Q} : A \to \mathcal{R}^+$ is called a set of Liapunov functions for $B$ and $A$ if the following conditions are satisfied:

• Definedness: $\forall q \in Q, \alpha_q \to \exists w, \rho_q = w$.
• Non-increase: $\forall v \in B, \forall q \in S, q' \in Q, \{\alpha_q \wedge \rho_q = w\}v\{c(q, q') \to \rho_{q'} \le w\}$ and $\forall q \in Q, q' \in S, \{\alpha_q \wedge \rho_q = w\}v^+\{c(q, q') \to \rho_{q'} \le w\}$.
• Decrease: $\forall v \in B, \exists \epsilon > 0, \forall q \in B, q' \in Q, \{\alpha_q \wedge \rho_q = w \wedge t = t_0\}v\{c(q, q') \to \frac{\rho_{q'} - w}{\mu([t_0, t))} \le -\epsilon\}$ and $\forall q \in Q, q' \in B, \{\alpha_q \wedge \rho_q = w \wedge t = t_0\}v^+\{c(q, q') \to \frac{\rho_{q'} - w}{\mu([t_0, t))} \le -\epsilon\}$.
Proposition 11.3.2 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $B$ and $A$ and $r$ be a run of $A$ over a trace $v \in B$. If $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions for $B$ and $A$, then

• $\rho_{r(t_2)}(v(t_2)) \le \rho_{r(t_1)}(v(t_1))$ when $t_1 < t_2$ and $\forall t_1 \le t \le t_2, r(t) \in B \cup S$,
• $\frac{\rho_{r(t_2)}(v(t_2)) - \rho_{r(t_1)}(v(t_1))}{\mu([t_1, t_2))} \le -\epsilon$ when $t_1 < t_2$ and $\forall t_1 \le t \le t_2, r(t) \in B$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, then $\forall q^* \in BS, \mu(q^*)$ is finite.

Let $TA = (A, T, \tau)$. Corresponding to two types of time bound, we define two timing functions. Let $\{\alpha_q\}_{q \in Q}$ be invariants for $B$ and $A$. A set of partial functions $\{\gamma_q\}_{q \in T}$ is called a set of local timing functions for $B$ and $TA$ iff $\gamma_q : A \to \mathcal{R}^+$ satisfies the following conditions:

• Boundedness: $\forall v \in B, \forall q \in Q, q' \in T, \{\alpha_q\}v\{\gamma_{q'} \le \tau(q')\}$.
• Decrease: $\forall v \in B, \forall q \in T, \{\alpha_q \wedge \gamma_q = w \wedge t = t_0\}v\{c(q, q) \to \frac{\gamma_q - w}{\mu([t_0, t))} \le -1\}$.

A set of partial functions $\{\gamma_q\}_{q \in Q}$ is called a set of global timing functions for $B$ and $TA$ iff $\gamma_q : A \to \mathcal{R}^+$ satisfies the following conditions:

• Definedness: $\forall q \in Q, \alpha_q \to \exists w, \gamma_q = w$.
• Boundedness: $\forall q \in B, \alpha_q \to \gamma_q \le \tau(bad)$.
• Non-increase: $\forall v \in B, \forall q \in S, q' \in Q, \{\alpha_q \wedge \gamma_q = w\}v\{c(q, q') \to \gamma_{q'} \le w\}$ and $\forall q \in Q, q' \in S, \{\alpha_q \wedge \gamma_q = w\}v^+\{c(q, q') \to \gamma_{q'} \le w\}$.
• Decrease: $\forall v \in B, \forall q \in B, q' \in Q, \{\alpha_q \wedge \gamma_q = w \wedge t = t_0\}v\{c(q, q') \to \frac{\gamma_{q'} - w}{\mu([t_0, t))} \le -1\}$ and $\forall q \in Q, q' \in B, \{\alpha_q \wedge \gamma_q = w \wedge t = t_0\}v^+\{c(q, q') \to \frac{\gamma_{q'} - w}{\mu([t_0, t))} \le -1\}$.

Proposition 11.3.3 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $B$ and $A$ and $r$ be a run of $A$ over a trace $v \in B$. If there exist local and global timing functions for $B$ and $TA$, then

• if $Sg(q)$ is the set of segments of consecutive $q$'s in $r$, then $\forall q \in T, q^* \in Sg(q), \mu(q^*) \le \tau(q)$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, then $\forall q^* \in BS, \mu(q^*) \le \tau(bad)$.

The following theorem is a generalization of the soundness and completeness of the set of verification rules.

Theorem 11.3.1 The verification rules (I), (L) and (T) are sound if the following conditions on $B$ and $TA$ are satisfied:

• $T$ is an infinite time structure.
• All traces in $B$ are specifiable by $TA$.

The verification rules are complete if the following conditions on $B$ and $TA$ are satisfied:

• $\{(v, r) \mid v \in B, r \text{ is a run over } v\}$ is time-invariant.
• All transitions from $R$ to non-$R$-states are left-closed, i.e., if $r$ is a run, and there is a transition from an $R$-state to a $B$-state or an $S$-state at $t$, then $r(t) \in B \cup S$.

The conditions for the completeness of the rules are imposed so as to be able to define Liapunov functions for a behavior and an automaton, as long as the behavior satisfies the automaton. The second condition for completeness is always satisfied for traces with discrete time structures. More generally, the following proposition may apply.

Proposition 11.3.4 All transitions from $R$ to non-$R$-states are left-closed, if the following conditions are satisfied:

• $TA$ is open and complete.
• $\forall q \in R, q_1 \notin R$ and $q_2 \in R$, $c(q, q_1) \wedge c(q, q_2)$ is not satisfiable.
• All traces in $B$ are right-continuous.

This formal method has no practical use yet; we aim at understanding the concept of behavior verification for hybrid systems. In Part III, we will discuss an important class of behavior with asymptotic properties. By characterizing certain types of hybrid system and property, we may obtain a semi-automatic verification method, similar to the one for discrete time systems. There is much more left to be explored than what we have already understood.

Chapter 12 Summary and Related Work

We have developed two requirements specification languages, TLTL and timed V-automata, for representing desired global properties of dynamic systems. We have also developed a set of formal verification rules for timed V-automata specification. In this chapter, we summarize the results of Part II and discuss some related work on specification and verification.

12.1 Summary

In this section, we summarize the specification languages and the verification procedures, then discuss their power and limitations.
12.1.1 Specification

Timed Linear Temporal Logic (TLTL) has the following properties:

• Simple properties of dynamic systems (such as safety, reachability and persistence) can be specified.
• Some metric or measure properties of dynamic systems (such as real-time response) can be specified.
• TLTL is defined for arbitrary time and domain structures; therefore, continuous as well as discrete time dynamic systems can be specified in a unitary framework.

Timed V-automata have the following properties:

• They are a simple alternative, though not equivalent in expressive power, to TLTL.
• They have a graphical representation.
• They are powerful enough to specify many important properties of sequential and timed behaviors.
• They are simple enough to have a formal verification procedure for behaviors of hybrid dynamic systems, a semi-automatic verification procedure for discrete time systems, and an automatic verification procedure for discrete time and finite domain systems.

12.1.2 Verification

The verification procedures have the following properties:

• A model checking technique and a stability analysis method are integrated.
• The automatic algorithm derived from the verification rules has a polynomial time complexity in both the size of the model and the size of the specification.
• The generalized verification rules can be used to formally verify behaviors of hybrid dynamic systems.

12.1.3 Power and limitations

Both TLTL and timed V-automata are powerful enough to specify various properties of sequential and timed behaviors. However, there are still many important behaviors that cannot be specified in these languages, such as

• energy minimization over time, i.e., $\min \int_T E\,dt$, where $E$ is a function of states,
• probabilistic or stochastic properties, and
• timed properties on intervals.

However, we should also point out that the power of specification and the simplicity of verification are in conflict with each other.
The more powerful the specification language is, the more complex is the verification procedure. A compromise between these two should be made for any application. Although most research in this area mixes modeling and specification languages, we claim that two different kinds of language are necessary for specifying two different aspects of systems and behaviors: composite structures and global functionalities. We have not yet worked on axiomatization for TLTL, since we focused on model checking, rather than theorem proving, for behavior verification.

12.2 Related Work

Various languages for specification, verification, and reasoning about concurrent, distributed and timed behaviors have been developed in the theory, AI and systems communities. Roughly speaking, these languages can be characterized as belonging to one of three categories: (1) Automata, (2) Point Time Temporal Logics, and (3) Interval Time Temporal Logics. In any of these languages, there are always two ways to introduce real-time (metric time). One is to embed metric time in modal operators, the other is to use an explicit time variable. Different languages can have different expressive power; some of them may have no formal verification procedures at all. We survey some typical examples in every category, and discuss their relationships with TLTL and timed V-automata.

12.2.1 Automata-based approaches

Automata play two kinds of role: as an input/output transducer modeling on-line computation (e.g., Mealy/Moore machines), or as a language recognizer (e.g., V-automata). We have surveyed some related work on automata for modeling in Part I. Here we emphasize their roles for specification and verification. The simplest form of an automata-based representation for sequential behaviors is Büchi automata [Tho90]. Büchi automata are finite state automata for defining ω-languages, languages consisting of infinite sequences.
The expressive power of Büchi automata is the same as that of V-automata [MP87]. In fact, a restricted version of V-automata is a dual of Büchi automata [MP87]. Timed Büchi Automata (TBA) have been proposed [AD90] to express constant bounds on timing delays between system events. These automata accept languages of timed traces, traces in which each event has an associated real-valued time of occurrence. A TBA is a Büchi automaton associated with a finite set of (real-valued) clocks. A clock can be set to zero simultaneously with any transition of the automaton. At any instant, the reading on a clock equals the time elapsed since the last time it was set. With each transition, there is an enabling condition that compares the current values of clocks with time constants. TBAs are not closed under complementation and it is undecidable whether the language of one automaton is a subset of the language of another. However, there exists a subclass represented by Deterministic Timed Muller Automata (DTMA) closed under all Boolean operations, and there is a decidable computation to check the subset relation for this class.

Hybrid automata [ACHH93] can be viewed as a generalization of timed automata, in which the behavior of variables is governed in each state by a set of differential equations. The reachability problem is undecidable even for very restricted classes of hybrid automata. However, there exist semi-decision procedures for verifying safety properties of piecewise-linear hybrid automata, in which all variables change at constant rates. In both cases, explicit variables are introduced to reason about time bounds and changes. The extra time variables, however, will increase both the expressive power of the representation and the complexity of the verification. Similar developments along this line include timed Statecharts, timed transition systems, hybrid Statecharts and phase transition systems [MMP91], etc.
State Transition Assertions (STA) developed by Gordon [Gor, Gor92] are variations of Hoare logic for real-time specification. A state transition assertion is a quadruple $(A, B, P, Q)$ where $A, B$ are predicates on states, called state precondition and postcondition, respectively, and $P, Q$ are predicates on state sequences, called input precondition and output postcondition, respectively. A machine $M$ satisfies a state transition assertion $(A, B, P, Q)$ as follows: if $M$ is in a state satisfying $A$ and a sequence of inputs arrives that satisfies $P$, then a state satisfying $B$ will be reached and the sequence of intermediate states will satisfy $Q$. Some laws for combining STAs are analogous to rules of Hoare logic.

In contrast to state transition systems, where states and possible transitions are predefined, the situation calculus [MH69] defines states on the results of actions. Similar to most temporal logics, propositions and functions are interpreted over states (fluents in the situation calculus). Fluents at any state can be computed by frame axioms. The advantage of the situation calculus, namely, states with no structures, is also its disadvantage because of (1) the frame problem [MH69] and (2) the computation cost that may increase with time as the action list gets longer and longer.

12.2.2 Point time temporal logics

There are, in general, two kinds of point time temporal logic: linear time temporal logic and branching time temporal logic. A model of a linear time temporal logic is a trace, and a model of a branching time temporal logic is a tree. Computation Tree Logic (CTL) is a typical modal branching time temporal logic [Eme90]. In CTL, temporal operators occur only in pairs consisting of A (all paths) or E (exists some path), followed by F (eventually), G (always), U (until) or X (next time). CTL has efficient model-checking algorithms; however, it loses some expressive power [Eme90].
CTL has been used for symbolic model checking of circuits [McM92]. In the rest of this section, we will focus on linear time temporal logics and their timed extensions.

There are two kinds of linear time temporal logic: modal logic in which temporal operators are introduced, and first order logic in which a special time variable is introduced. PLTL is a basic form of modal linear time temporal logic. It has been shown that model checking for PLTL is linear in the size of the model [LP85]. Various timed extensions are based on PLTL. Again, there are two kinds of extension: real-time operators and time variables. The former is simpler and more elegant, but the latter can be more powerful. Temporal proof methodologies for both explicit and implicit time have been studied [HMP91a].

Extended Temporal Logic (ETL) [Wol83] is an extended linear (and discrete) time temporal logic, which is strictly more powerful than (discrete) PLTL and has the same expressive power as Büchi automata. ETL defines temporal operators generated by right-linear grammars, so that (countable) properties such as $even(p)$ ($p$ is true at even time points) can be specified, which, however, cannot be expressed in PLTL.

Metric Temporal Logic (MTL) [MMP91] introduces various types of real-time operator, such as $\Box_{\le u}$ and $\Diamond_{\le u}$, where $u$ is a nonnegative real number. Real Time Temporal Logic (RTTL) [Ost89] is a first-order temporal logic, with one of the state variables representing time. For instance, $\Box(w_1 \wedge t = T \to \Diamond(w_2 \wedge t < T + 4))$ may be read as: "if $w_1$ is true at time $T$ then $w_2$ must happen before the clock reads $T + 4$," where $T$ is a parameter (global variable). The problem with this specification language is that the unquantified global variables about time ($T$ in the above example) may lead to opacity [AH89]. Timed Propositional Temporal Logic (TPTL) [AH89] is the adoption of temporal operators as quantifiers over state variables; every modality binds a variable to the time(s) it refers to.
For instance, "if $w_1$ is true at time $T$ then $w_2$ must happen before the clock reads $T + 4$" can be represented as $\Box x.(w_1 \to \Diamond y.(w_2 \wedge y < x + 4))$. A tableau-based decision procedure was developed for TPTL. Introducing extra time variables increases the flexibility of expressing time constraints, and simultaneously, the complexity of verification.

The Temporal Logic of Actions (TLA) [Lam91] is a logic for specifying and reasoning about concurrent systems. Systems and their properties are represented in the same logic, so the assertion that a system meets its specification and the assertion that one system implements another are both expressed by logical implication. TLA introduces a concept called "action," which is any boolean-valued expression from variables, primed variables and values. An action represents a relation between old states and new states, where the unprimed variables refer to the old state and the primed variables refer to the new state. TLA imposes some constraints for representing actions such that action $A$ can only appear in the form $\Box[A]_f$, where $[A]_f$ denotes $A \vee (f' = f)$ and $f$ is a state tuple. [Lam91] shows that TLA is powerful enough for representing properties such as liveness and fairness, with a simple set of axioms and rules for the proof system. A real time version of TLA was proposed by introducing an explicit time variable $now$ [Lam93].

Most temporal logics are defined for discrete time systems, i.e., with models as state sequences. It was suggested [BKP86] that linear temporal logic with the time structure of the (non-negative) real numbers provides a more abstract logic than that of the natural numbers. Temporal Logic of Reals (TLR) is a logic defined on dense time. For each trace $v$ there exists a denumerable sequence $0 = t_0 < t_1 < t_2 < \ldots$ with $t_i \to \infty$ such that $v(t)$ is uniform in TLR within each open interval $(t_i, t_{i+1})$.
The difference between TLR and discrete time temporal logics is that there is no predetermined sampling rate. TLR would be best suited for asynchronous event control systems.

Besides modal linear temporal logics, there are first order temporal logics. McDermott [McD90] developed a first-order temporal logic, in which it is possible to name and prove things about facts, events, plans, and world histories. In particular, the logic provides the analysis of causality, continuous change in quantities, the persistence of facts and the relationship between tasks and actions. Shoham [Sho88, Sho87] generalized McDermott's temporal logic and defined a clean syntax and semantics. Finer distinctions of the fact/event/process trichotomy are allowed under this framework.

12.2.3 Interval time temporal logics

Unlike point time temporal logics, formulas of Interval Temporal Logics (ITL) are defined on intervals of state sequences. One distinguished advantage of ITL is that it can represent lengths of intervals, and therefore it can represent time easily. ITL has been applied to multilevel reasoning about hardware properties [Mos85] such as delay and stability of digital circuits. ITL has also been used for the specification of real-time systems [Hal90]. There are properties that can be represented by ITL but not by LTL. For instance, $\Box(E \to R\ within\{time(T)\ when\ S\})$ is an ITL formula [Hal90] representing that whenever $E$ is true, $R$ will be true within an interval in which $S$ holds for time $T$ in total.

The duration calculus [HZ91] is a kind of interval temporal logic defined on continuous time structures. The duration calculus uses the integral of a predicate to formalize critical duration constraints. For example, "a bad situation cannot happen more often than 5 percent of the time over any time interval" can be represented as $\Box(\int B \le 0.05\,l)$ where $l$ indicates the length of the interval.
This property is hard to specify in a simple form of linear temporal logic.

Besides modal interval temporal logics, there are first order interval temporal logics. Allen [All90] proposed a framework in which time is represented by intervals. The relationships between two time intervals are characterized (before, equal, meets, overlaps, during, starts, finishes) and the properties of facts (that hold in an interval), events (that occur over an interval) and processes (that are occurring over an interval) are examined by logic axioms. Various types of action can be represented in this logic.

12.2.4 Relationships with TLTL and timed V-automata

TLTL is a powerful and simple specification language for sequential and timed behaviors. Unlike most specification languages, it is based on abstract time and domain structures. For simplicity, TLTL introduces only two basic real-time operators $U_T$ and $S_T$, while other real-time operators can be derived from these basic operators. TLTL is powerful enough to represent properties such as "if $w_1$ is true at time $T$ then $w_2$ must happen before the clock reads $T + 4$." In fact, this property can be represented by FTLTL without real-time operators as $\forall T \Box(w_1 \wedge t = T \to \Diamond(w_2 \wedge t < T + 4))$, or simply by PTLTL as $\Box(w_1 \to \Diamond_4 w_2)$. TLTL can be considered as a generalization of TLR. However, there is no axiomatization for TLTL yet, since any axiomatization is defined for a particular time structure. FTLTL is more expressive than TLA since terms of FTLTL can as well include $pre(x)$ and $x - \tau$ for any local variable $x$, and TLTL has no restriction on formulas with these variables.

Timed V-automata are generalizations of V-automata to represent timed or continuous behaviors. A local timing constraint in (discrete) timed V-automata can also be specified in TBA. However, global timing constraints cannot be specified within TBA, since it is not possible to stop a clock except by resetting it.
On the other hand, there are properties of timed behaviors that can be specified by TBA but cannot be specified by timed V-automata. Some interval time properties that are hard to represent in TLTL are easy to represent in timed V-automata. For example, $\Box(E \to R\ within\{time(T)\ when\ S\})$ can be specified in a timed V-automaton with a global time bound $T$. An example of this type of specification will be discussed in Appendix C.

Part III Control Synthesis and Robotic Architecture

Attain utmost emptiness. Maintain profound tranquility. All things are running concurrently, cycle follows cycle. Activity overcomes cold. Tranquility overcomes heat. Peace and quiet is the true path in the world.
— Tao Teh Ching, Lao Tzu

Attain utmost stability. Maintain minimum energy. All things are running concurrently, cycle follows cycle. Constraints overcome chaos. Stability overcomes disturbance. Peace and quiet is the true path in the world.
— Zhang Ying

Chapter 13 Introduction

We have developed a semantic model for dynamic systems and two requirements specification languages for dynamic behaviors. We have also developed a formal method for verifying the behavior of a dynamic system against its requirements specification. Verification in general is hard. However, a good design methodology can result in a well-structured system, which, in turn, may simplify the verification greatly. In Part III, we present a framework of control synthesis with a simple principle. We consider a robotic system as a constraint-based dynamic system and the robot controller as a regulator that, together with the dynamics of the plant and the environment, solves the constraints on-line. We then propose a two-dimensional hierarchical structure for control systems.

In this chapter, we present an overview of Part III, Control Synthesis and Robotic Architecture. There are three major chapters in Part III. Chapter 14 studies constraint-based dynamic systems.
Chapter 15 proposes a framework for control synthesis. Chapter 16 discusses structures of control systems.

13.1 Constraint-Based Dynamic Systems

We view constraint satisfaction as a dynamic process that approaches the solution set of the given constraints asymptotically. Generalizing, we view a constraint-based dynamic system as a dynamic system that approaches the solution set of the given constraints persistently. We first introduce dynamic processes, stable equilibria and attractors. We then define Liapunov functions with respect to dynamic processes and stable states, and study the relationship of a Liapunov function and the stability of a dynamic process. We consider a constraint solver as a constraint net whose behavior is a dynamic process that is asymptotically stable at the solution set of the given constraints. We show that various discrete and continuous time constraint methods for solving discrete/continuous optimization and global consistency problems can be modeled in constraint nets and analyzed using Liapunov functions. We consider constraint-based dynamic systems as a generalization of constraint solvers, whose behaviors can be specified by V-automata.

13.2 Control Synthesis

We define the problem of control synthesis as follows. Given a requirements specification and the models of the plant and the environment, produce a model of the controller that, together with the plant and the environment, satisfies the requirements specification. Control synthesis in general is hard. However, we show that there is a systematic approach to control synthesis using constraint methods for constraint-based specification; typical constraint-based specification includes safety requirements, goal achievement and persistent properties. We illustrate, by two examples, that various control algorithms, from simple linear control to complex nonlinear and adaptive control, can be synthesized and analyzed in this framework.
13.3 Robotic Architecture

Any complex system should have some kind of hierarchical structure. We consider here two kinds of hierarchy: composition hierarchy and interaction hierarchy. The interaction hierarchy can be further decomposed into a two-dimensional structure: abstraction hierarchy and arbitration hierarchy. The abstraction hierarchy characterizes the multiple levels of control strategy in a system; the arbitration hierarchy characterizes the priority of constraints to be satisfied within the same abstraction level.

13.4 Summary and Related Work

The major contribution of this part includes a unified framework for constraint satisfaction and a unified framework for control synthesis based on a simple principle: on-line constraint satisfaction or energy minimization. Hybrid control systems can be designed and analyzed in this framework.

Chapter 14 Constraint-Based Dynamic Systems

In this chapter, we start with the basic concepts of dynamic processes, equilibria and stability, then discuss two basic types of constraint solver, discrete state transitions and differential state integrations. Furthermore, we study some typical discrete and continuous time constraint methods for both global consistency and optimization. Finally, we introduce constraint-based dynamic systems.

14.1 Asymptotic Stability

In this section, we study properties of dynamic processes in metric space. Given a metric space $(X, d)$, we can define the distance between a point and a set of points as $d(x, X^*) = \inf_{x^* \in X^*}\{d(x, x^*)\}$. For $x^* \in X$ and $\epsilon > 0$, let $N_\epsilon(x^*)$ be the spherical $\epsilon$-neighborhood of $x^*$ and for $X^* \subseteq X$, let $N_\epsilon(X^*) = \cup_{x^* \in X^*} N_\epsilon(x^*)$ be the spherical $\epsilon$-neighborhood of $X^*$. A neighborhood of $X^*$ is strict iff it is a strict superset of $X^*$. Let $T$ be a time structure, $X$ be a metric space, and $v : T \to X$ be a function from time to the metric space. We say $v$ approaches a point $x^* \in X$ iff $\lim_{t \to \infty} d(v(t), x^*) = 0$; $v$ approaches a set $X^* \subseteq X$ iff $\lim_{t \to \infty} d(v(t), X^*) = 0$.
Definition 14.1.1 A dynamic process is a mapping $p : X \to X^T$, satisfying the following conditions:

1. $p(x)(0) = x, \forall x \in X$,
2. $p$ is state-based, i.e., $\forall t, p(x)(t) = p(y)(t)$ implies that $\forall t' \ge t, p(x)(t') = p(y)(t')$,
3. $p$ is time-invariant, i.e., $\{p(x) \mid x \in X\}$ is a time-invariant behavior.

Let $\tilde{p}(x) = \{p(x)(t) \mid t \in T\}$ and $\tilde{p}(X^*) = \cup_{x \in X^*} \tilde{p}(x)$ for $X^* \subseteq X$. A point $x^* \in X$ is an equilibrium (or fixpoint) of a process $p$ iff $\forall t, p(x^*)(t) = x^*$, or $\tilde{p}(x^*) = \{x^*\}$. A set $X^* \subseteq X$ is an equilibrium of a process $p$ iff $\tilde{p}(X^*) = X^*$. An equilibrium $X^*$ is stable [MT75] iff $\forall \epsilon, \exists \delta, \tilde{p}(N_\delta(X^*)) \subseteq N_\epsilon(X^*)$, i.e., $\tilde{p}$ is continuous at $X^*$. A set $X^* \subseteq X$ is an attractor [San90] of a process $p$ iff there exists a strict neighborhood $N(X^*)$ such that $\forall x \in N(X^*)$, $p(x)$ approaches $X^*$. The largest neighborhood of $X^*$ satisfying this property is called the attraction basin of $X^*$. $X^*$ is an attractor in the large iff $\forall x \in X$, $p(x)$ approaches $X^*$, that is, the attraction basin of $X^*$ is $X$. If $X^*$ is an attractor (in the large) and $X^*$ is a stable equilibrium, $X^*$ is called an asymptotically stable equilibrium (in the large).

Proposition 14.1.1 If $\{X_i^*\}_{i \in I}$ are ((asymptotically) stable) equilibria, then $\cup_{i \in I} X_i^*$ is an ((asymptotically) stable) equilibrium.

Let $(X, d)$ be a metric space, $p : X \to X^T$ be a dynamic process and $X^* \subseteq X$. A Liapunov function for $p$ and $X^*$ is a function $V : \Omega \to \mathcal{R}$, where $\Omega$ is a strict neighborhood of $X^*$, satisfying:

1. $V$ is continuous, i.e., $d(x, x') \to 0$ implies $|V(x) - V(x')| \to 0$.
2. $V$ has its unique minimum within $\Omega$ on $X^*$.
3. $\forall x \in \Omega, \forall t, V(p(x)(t)) \le V(x)$.

The following two theorems are analogous to the theorems of sound and complete verification rules in Part II.

Theorem 14.1.1 $X^* \subseteq X$ is a stable equilibrium of a process $p$ if there exists a Liapunov function $V$ for $p$ and $X^*$.

Theorem 14.1.2 $X^* \subseteq X$ is an asymptotically stable equilibrium of a process $p$ if there exists a Liapunov function $V : \Omega \to \mathcal{R}$ for $p$ and $X^*$, such that $\forall x \in \Omega, \lim_{t \to \infty} V(p(x)(t)) = V(X^*)$. Furthermore, if $\Omega = X$, $X^*$ is an asymptotically stable equilibrium in the large.

14.2 Constraint Solvers

We view a constraint as a possibly implicit relation on a set of variables. The constraint satisfaction problem is defined as follows. Given a set of variables $V$ with the associated domains $\{D_v\}_{v \in V}$ and a set of constraints $\{C_j\}_{j \in J}$, each on a subset of the variables, i.e., $C_j \subseteq \times_{V_j} D_v$ where $V_j \subseteq V$, find an explicit relation, i.e., a tuple $x \in \times_V D_v$ that satisfies all the given constraints, i.e., for all $j \in J$, $x|_{V_j} \in C_j$, where $x|_S$ denotes the restriction of $x$ onto $S \subseteq V$. If $C = \{C_j\}_{j \in J}$ is a set of constraints, we use $sol(C)$ to denote the set of solutions, called the solution set.

A constraint solver for a constraint satisfaction problem is a closed parameterized net whose behavior is a dynamic process approaching the solution set of the constraints.

Definition 14.2.1 (Constraint solver) A closed parameterized net $CS_V$ is a constraint solver for a constraint satisfaction problem $C$ on domain $X = \times_V D_v$ if (1) the semantics of $CS_V$ for $V$ is a dynamic process $[\![CS_V]\!] : X \to X^T$ and (2) $sol(C)$ is an asymptotically stable equilibrium of $[\![CS_V]\!]$. $CS_V$ solves $C$ globally if $sol(C)$ is an asymptotically stable equilibrium of $[\![CS_V]\!]$ in the large.

Proposition 14.2.1 If a constraint solver $CS_V$ solves a set of constraints $C$ on variables $V$ globally, every equilibrium of $[\![CS_V]\!]$ is a solution of $C$.

As an application of the concept of robustness for parameterized nets, two constraint solvers $CS^1$ and $CS^2$ for the set of constraints $C$ can be compared as follows. $CS^1$ is more robust than $CS^2$ if the attraction basin of $sol(C)$ in $CS^1$ is a superset of that in $CS^2$.

We discuss here two basic types of constraint solver: state transition systems for discrete methods and state integration systems for continuous methods. Let $S$ be a set of states and $f : S \to S$ be a state transition function. $(S, f)$ forms a state transition system $(S, \to)$ with $s \to s'$ iff $s' = f(s)$.
Such a state transition system can be represented by a closed parameterized net with a transliteration $f$ and a unit delay $\delta(s_0)$ where $s_0$ is the initial state parameter. The semantics of this net on the discrete time structure $\mathcal{N}$ is a dynamic process $p : S \to S^{\mathcal{N}}$ with $p(s_0)(n) = f^n(s_0)$. A state $s^* \in S$ is an equilibrium of $(S, f)$ iff $s^* = f(s^*)$.

Proposition 14.2.2 If $V : \Omega \to \mathcal{R}$ is a Liapunov function for $(S, f)$ and $S^* = \{s^* \mid s^* = f(s^*)\} \subseteq \Omega$, then $V(f(x)) \le V(x), \forall x \in \Omega$. In addition, if $f$ is continuous and $V(f(x)) < V(x), \forall x \in \Omega, x \notin S^*$, $S^*$ is an asymptotically stable equilibrium.

For continuous time structures and domains, integration is used to replace the unit delay. A state integration system is a differential equation $\dot{s} = f(s)$ that can be represented by a closed parameterized net with a transliteration $f$ and an integration $\int(s_0)$ where $s_0$ is the initial state parameter (Figure 4.2). The semantics of this net on the continuous time structure $\mathcal{R}^+$ is a dynamic process $p : S \to S^{\mathcal{R}^+}$ with $p(s_0)$ as the solution of $\dot{s} = f(s)$ and $s(0) = s_0$. A state $s^* \in S$ is an equilibrium of $\dot{s} = f(s)$ iff $f(s^*) = 0$.

Proposition 14.2.3 A set $S^* = \{s^* \mid f(s^*) = 0\} \subseteq \Omega$ is an asymptotically stable equilibrium of a state integration system if $f$ is continuous at $S^*$ and $S^*$ is the unique minimum of $-\int f(s)\,ds$ in $\Omega$. If $\Omega = S$, $S^*$ is an asymptotically stable equilibrium in the large.

14.3 Constraint Methods

Various constraint methods fit into our framework of constraint satisfaction. In this section, we examine some typical constraint methods and their dynamic properties. We discuss two types of constraint satisfaction problem, namely, global consistency and optimization, for linear, convex and nonlinear relations in $n$-dimensional Euclidean space $(\mathcal{R}^n, d)$, where $d(x, y) = \|x - y\| = \sqrt{(x - y)^T (x - y)}$. Constraint methods for finite domain constraint satisfaction have been presented in [ZM93a, ZM93b]. The problem of global consistency is to find a solution tuple that satisfies all the given constraints.
The problem of unconstrained optimization is to minimize a function $\mathcal{E} : \mathcal{R}^n \to \mathcal{R}$. Global consistency corresponds to solving hard constraints and unconstrained optimization corresponds to solving soft constraints. A problem of the first kind can be translated into one of the second by introducing an energy function representing the degree of global consistency. For example, given a set of equations $g_i(x) = 0$, $i = 1, \ldots, n$, let $\mathcal{E}(x) = \sum_{i=1}^{n} w_i g_i^2(x)$ where $w_i > 0$ and $\sum_{i=1}^{n} w_i = 1$. If a constraint solver $CS$ solves $\min_x \mathcal{E}(x)$, $CS$ solves $g(x) = 0$. Inequality constraints can be transformed into equality constraints. There are two approaches. Let $g_i(x) \le 0$ be an inequality constraint: the equivalent equality constraint is (i) $\max(0, g_i(x)) = 0$ or (ii) $g_i(x) + z^2 = 0$ where $z$ is introduced as an extra variable.

Constrained optimization is a problem of solving (soft) constraints subject to the satisfaction of a set of hard constraints, or solving a constraint satisfaction problem within a subspace characterized by a set of hard constraints.

There are two types of constraint method: discrete relaxation, which can be implemented as state transition systems, and differential optimization, which can be implemented as state integration systems. In the rest of this section, we demonstrate the use of both types of constraint method.

14.3.1 Discrete methods

We discuss here two typical discrete constraint methods, the projection method for global consistency, and Newton's method for unconstrained optimization.

Projection method

The projection method [GPR67] can be used for solving convex constraints. A function $f : \mathcal{R}^n \to \mathcal{R}$ is convex if for any $\lambda \in (0, 1)$, $f(\lambda x + (1 - \lambda) y) \le \lambda f(x) + (1 - \lambda) f(y)$; it is strictly convex if the inequality is strict. A strictly convex function has a unique minimal point. Linear functions are convex, but not strictly convex.
A quadratic function $x^T M x + c^T x$ is convex if $M$ is positive semi-definite; it is strictly convex if $M$ is positive definite. A set $\Omega \subseteq \mathcal{R}^n$ is convex if for any $\lambda \in (0, 1)$, $x, y \in \Omega$ implies $\lambda x + (1 - \lambda) y \in \Omega$. If $g$ is a convex function, $\{x \mid g(x) \le 0\}$ is a convex set.

A projection of a point $x$ to a set $R$ in a metric space $(X, d)$ is a point $P_R(x) \in R$ such that $d(x, P_R(x)) = d(x, R)$. Projections in the $n$-dimensional Euclidean space $(\mathcal{R}^n, d)$ share the following properties.

Proposition 14.3.1 [GPR67] Let $R \subseteq \mathcal{R}^n$ be closed and convex. The projection $P_R(x)$ of $x$ to $R$ exists and is unique for every $x$, and $(x - P_R(x))^T (y - P_R(x)) \le 0$ for any $y \in R$.

Suppose we are given a system of convex and closed sets $\{X_i\}_{i \in I}$, each representing a constraint. The problem is to solve $\{X_i\}_{i \in I}$, or to find $\bigcap_{i \in I} X_i$. Let $P(x) = P_{X_i}(x)$ be a projection of $x$ to a least satisfied set $X_i$, i.e., $d(x, X_i) = \max_{j \in I} d(x, X_j)$. The projection method [GPR67] for this problem defines a state transition system $(\mathcal{R}^n, f)$ where $f(x) = x + \lambda (P(x) - x)$ for $0 < \lambda < 2$. Let $PM$ be a constraint net representing the projection method. The following theorem is derived from [GPR67].

Theorem 14.3.1 $PM$ solves $\{X_i\}_{i \in I}$ globally if all the $X_i$'s are convex.

The projection method can be used to solve a set of inequality constraints, i.e., $X_i = \{x \mid g_i(x) \le 0\}$, where each $g_i$ is a convex function. Linear functions are convex. Therefore, the projection method can be applied to a set of linear inequalities $Ax \le b$, where $x = (x_1, \ldots, x_n) \in \mathcal{R}^n$. Let $A_i$ be the $i$th row of $A$. The projection of a point $x$ to the half space $A_i x \le b_i$ is defined as
$$P_i(x) = \begin{cases} x & \text{if } A_i x - b_i \le 0 \\ x - c A_i^T & \text{otherwise} \end{cases}$$
where $c = (A_i x - b_i) / \|A_i^T\|^2$. This reduces to the method described in [Agm54]. Without any modification, this method can also be applied to a set of linear equalities, by simply replacing each linear equality $g_i(x) = 0$ with two linear inequalities: $g_i(x) \le 0$ and $-g_i(x) \le 0$.
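The projection method for linear inequalities, as an added example (this is not code from the thesis or from ALERT): it implements the state transition system $f(x) = x + \lambda(P(x) - x)$ described above, with $P$ the projection onto the least satisfied half-space $A_i x \le b_i$, and handles an equality by the two-inequality encoding. The particular system of constraints, the starting points and the iteration budget are constructed for illustration; the routine names are our own.

```python
"""Projection method (Agmon; Gubin, Polyak and Raik) for a system Ax <= b.

Added example, not code from the thesis.  Pure Python, no numpy.  The state
transition is f(x) = x + lam*(P(x) - x) with 0 < lam < 2, where P projects x
onto the half-space that is farthest from x (the least satisfied constraint).
"""
import math


def halfspace_distance(a, b, x):
    """Euclidean distance from x to the half-space {x | a.x <= b}; 0 if satisfied."""
    viol = sum(ai * xi for ai, xi in zip(a, x)) - b
    return max(viol, 0.0) / math.sqrt(sum(ai * ai for ai in a))


def project_halfspace(a, b, x):
    """P_i(x): x if A_i x - b_i <= 0, else x - c A_i^T with c = (A_i x - b_i)/|A_i|^2."""
    viol = sum(ai * xi for ai, xi in zip(a, x)) - b
    if viol <= 0:
        return list(x)
    c = viol / sum(ai * ai for ai in a)
    return [xi - c * ai for ai, xi in zip(a, x)]


def max_violation(A, b, x):
    """Largest distance from x to any of the half-spaces (0 iff x is feasible)."""
    return max(halfspace_distance(A[i], b[i], x) for i in range(len(A)))


def least_satisfied(A, b, x):
    """Index of the constraint farthest from x (ties broken by lowest index)."""
    return max(range(len(A)), key=lambda i: halfspace_distance(A[i], b[i], x))


def projection_step(A, b, x, lam=1.0):
    """One transition f(x) = x + lam*(P(x) - x)."""
    i = least_satisfied(A, b, x)
    p = project_halfspace(A[i], b[i], x)
    return [xi + lam * (pi - xi) for xi, pi in zip(x, p)]


def solve_inequalities(A, b, x0, lam=1.0, tol=1e-9, max_steps=10000):
    """Iterate the transition system until every constraint is within tol.
    Returns (x, number_of_transitions); raises if the budget is exhausted."""
    if not 0.0 < lam < 2.0:
        raise ValueError("the projection method requires 0 < lam < 2")
    x = list(x0)
    for k in range(max_steps):
        if max_violation(A, b, x) <= tol:
            return x, k
        x = projection_step(A, b, x, lam)
    raise RuntimeError("no feasible point found within the iteration budget")


def equality_as_inequalities(a, b):
    """g(x) = a.x - b = 0 encoded as the pair a.x <= b and -a.x <= -b."""
    return [list(a), [-ai for ai in a]], [b, -b]


# Constructed system: x + y = 1 (two half-spaces), x >= 0, y >= 0, x - y <= 0.4.
# Its solution set is the segment from (0, 1) to (0.7, 0.3).
EQ_A, EQ_B = equality_as_inequalities([1.0, 1.0], 1.0)
A = EQ_A + [[-1.0, 0.0], [0.0, -1.0], [1.0, -1.0]]
B = EQ_B + [0.0, 0.0, 0.4]

if __name__ == "__main__":
    for start in ([3.0, 1.0], [-1.0, -1.0]):
        x, steps = solve_inequalities(A, B, start)
        print(start, "->", x, "after", steps, "transitions")
```

With $\lambda = 1$ the iteration is the pure projection method; $1 < \lambda < 2$ over-relaxes and, on the two half-spaces that encode an equality, oscillates across the hyperplane with a contracting error, which is why the stopping test is on the distance to the constraints rather than on the step length.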
There are various ways to modify this method for faster convergence. For instance, a simultaneous projection method is given in [CE82], in which $f(x) = x + \lambda \sum_{j \in J} w_j (P_j(x) - x)$, where $J \subseteq I$ is an index set of violated constraints, $w_j > 0$ and $\sum_{j \in J} w_j = 1$. A similar method is given in [YM] in which $f(x) = x + \lambda (P_S(x) - x)$ where $S = \{x \mid \sum_{j \in J} w_j g_j(x) \le 0\}$, with the same assumption about $J$ and $w_j$. Furthermore, for a large set of inequalities, the problem can be decomposed into a set of $K$ subproblems with $f_k$ corresponding to the transition function of the $k$th subproblem. The whole problem can be solved by combining the results of $\{f_1, \ldots, f_K\}$.

Newton's method

Newton's method [San90] minimizes a second-order approximation of the given function at each iterative step. Let $\Delta = \nabla \mathcal{E}$ and $J$ be the Jacobian of $\Delta$. At each step with current point $x^{(k)}$, Newton's method minimizes the function
$$\mathcal{E}(x^{(k)}) + \Delta^T(x^{(k)}) (x - x^{(k)}) + \tfrac{1}{2} (x - x^{(k)})^T J(x^{(k)}) (x - x^{(k)}).$$
Setting the gradient of this approximation to 0, we have $\Delta(x^{(k)}) + J(x^{(k)}) (x - x^{(k)}) = 0$. The solution of the above equation becomes the next point, i.e., $x^{(k+1)} = x^{(k)} - J^{-1}(x^{(k)}) \Delta(x^{(k)})$. Newton's method defines a state transition system $(\mathcal{R}^n, f)$ where $f(x) = x - J^{-1}(x) \Delta(x)$. Let $NM$ be a constraint net representing Newton's method. The following theorem specifies conditions under which $NM$ solves the problem of local minimization of a function $\mathcal{E}$.

Theorem 14.3.2 Let $X^* \subseteq \mathcal{R}^n$ be the set of local minima of $\mathcal{E}$. $NM$ solves the problem if $|J(x^*)| \ne 0$ for all $x^* \in X^*$, i.e., $\mathcal{E}$ is strictly convex at each local minimal point. $NM$ solves the problem globally if, in addition, $\mathcal{E}$ is convex.

Here we assume that the Jacobian and its inverse are obtained off-line. Newton's method can also be used to solve a nonlinear equation $g(x) = 0$ by replacing $\Delta$ with $g$. For example, consider Newton's method for solving $x^2 = 2$.
Newton's method for solving $g(x) = 0$ can be represented by a constraint net with domain equation $x' = x - J^{-1}(x) g(x)$. In our example, $g(x) = x^2 - 2$ and $J(x) = 2x$. $NM$ solves $x^2 = 2$ since $J(x^*) = 2x^* \ne 0$ for both $x^* = \sqrt{2}$ and $x^* = -\sqrt{2}$. The attraction basin of $\sqrt{2}$ is $\{x \mid x > 0\}$ and the attraction basin of $-\sqrt{2}$ is $\{x \mid x < 0\}$.

14.3.2 Continuous methods

We discuss here some typical continuous constraint methods: the gradient method for unconstrained optimization, and the penalty method and the Lagrange multiplier method for constrained optimization.

Gradient method

The gradient method [Pla89] is based on the gradient descent algorithm, where state variables slide downhill in the direction opposed to the gradient. Formally, if the function to be minimized is $\mathcal{E}(x)$ where $x = (x_1, \ldots, x_n)$, then at any point the vector that points in the direction of maximum increase of $\mathcal{E}$ is the gradient of $\mathcal{E}$. Therefore, the following gradient descent equations model the gradient method:
$$\dot{x}_i = -k_i \frac{\partial \mathcal{E}}{\partial x_i}, \quad k_i > 0. \qquad (14.1)$$
Let $\mathcal{E} : \mathcal{R}^n \to \mathcal{R}$ be a function. Let $GM$ be a constraint net representing the gradient descent equation (Equation 14.1). The following theorem specifies conditions under which $GM$ solves the problem of local minimization of $\mathcal{E}$.

Theorem 14.3.3 Let $X^*$ be the set of local minima of $\mathcal{E}$. $GM$ solves the problem if the gradient $\partial \mathcal{E} / \partial x$ is continuous at $X^*$. $GM$ solves the problem globally if, in addition, $\mathcal{E}$ is convex.

Consider again the example of solving $x^2 = 2$. Let $\mathcal{E}(x) = (x^2 - 2)^2$ and let the constraint solver $GM$ be $\dot{x} = -x (x^2 - 2)$. $GM$ solves $x^2 = 2$ since $-x (x^2 - 2)$ is continuous. The attraction basin of $\sqrt{2}$ is $\{x \mid x > 0\}$ and the attraction basin of $-\sqrt{2}$ is $\{x \mid x < 0\}$.

Penalty and Lagrange multiplier methods

The prototypical constrained optimization problem can be stated as [Pla89]: locally minimize $f(x)$, subject to $g(x) = 0$, where $g(x) = 0$ is a set of equations describing a manifold of the state space. There are various methods for solving the constrained optimization problem.
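Newton's method as a state transition system and the gradient method as a state integration system, both solving $x^2 = 2$, as an added example (not code from the thesis). The update rules are exactly the two given in the text, $x' = x - g(x)/(2x)$ and $\dot{x} = -x(x^2 - 2)$; the forward-Euler step size, the time horizon, the initial states and the function names are our own choices. The block also checks the Liapunov-style decrease of $\mathcal{E}(x) = (x^2 - 2)^2$ along a trace, which is the property Proposition 14.2.2 asks for, and shows that a trace started in $x > 0$ reaches $\sqrt{2}$ while one started in $x < 0$ reaches $-\sqrt{2}$.

```python
"""Newton's method (discrete, state transition) and the gradient method
(continuous, state integration) for the constraint x^2 = 2.

Added example, not code from the thesis.
  Newton:   x' = x - g(x)/g'(x)   with g(x) = x^2 - 2, g'(x) = J(x) = 2x
  Gradient: dx/dt = -x(x^2 - 2)   (Equation 14.1 for E(x) = (x^2 - 2)^2, k = 1/4)
"""
import math

SQRT2 = math.sqrt(2.0)


def g(x):
    """The constraint written as g(x) = 0."""
    return x * x - 2.0


def energy(x):
    """Soft-constraint energy E(x) = (x^2 - 2)^2 used by the gradient method."""
    return g(x) ** 2


def newton_step(x):
    """One transition of NM: x - J^{-1}(x) g(x) with J(x) = 2x; singular at x = 0."""
    if x == 0.0:
        raise ZeroDivisionError("Jacobian J(x) = 2x is singular at x = 0")
    return x - g(x) / (2.0 * x)


def newton_trace(x0, steps=50):
    """Discrete-time trace p(x0)(n) = f^n(x0) of the state transition system."""
    trace = [x0]
    for _ in range(steps):
        trace.append(newton_step(trace[-1]))
    return trace


def gradient_trace(x0, dt=0.01, t_end=10.0):
    """Forward-Euler approximation of the state integration system dx/dt = -x(x^2 - 2).
    dt is a constructed choice; the Euler step is stable here because the
    linearized rate near +-sqrt(2) is -4 and dt * 4 << 2."""
    trace = [x0]
    for _ in range(int(t_end / dt)):
        x = trace[-1]
        trace.append(x + dt * (-x * (x * x - 2.0)))
    return trace


def energy_decreases(trace, tol=1e-12):
    """Liapunov check in the sense of Proposition 14.2.2: E never increases along the trace."""
    return all(energy(b) <= energy(a) + tol for a, b in zip(trace, trace[1:]))


def attractor(trace, tol=1e-6):
    """Which equilibrium the trace has reached: '+sqrt2', '-sqrt2' or None."""
    x = trace[-1]
    if abs(x - SQRT2) < tol:
        return "+sqrt2"
    if abs(x + SQRT2) < tol:
        return "-sqrt2"
    return None


if __name__ == "__main__":
    for x0 in (3.0, 0.1, -0.5):
        print(x0, "Newton ->", attractor(newton_trace(x0)),
              " gradient ->", attractor(gradient_trace(x0)))
```

Note that $\mathcal{E}$ is a Liapunov function for the gradient flow everywhere but not for Newton's transition system: from $x_0 = 0.1$ the first Newton step jumps to $10.05$ and $\mathcal{E}$ increases, even though the trace still converges to $\sqrt{2}$ (this is why the verification in Section 14.5 uses a different ranking function for Newton's method).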
Here we focus on methods derived from the gradient method. During constrained optimization, the state $x$ should be attracted to the manifold $g(x) = 0$ and slide along the manifold until it reaches the locally smallest value of $f(x)$ on $g(x) = 0$. Different methods arise from the design of the energy function $\mathcal{E}$ for minimizing $f(x)$ under constraints $g_k(x) = 0$ for $k = 0, \ldots, m$. Let $\mathcal{E}_c$ be the energy function generated from the constraints, i.e., $\mathcal{E}(x) = f(x) + \mathcal{E}_c(x)$.

• Penalty methods: The penalty method constructs an energy term that penalizes violations of the constraints, i.e., $\mathcal{E}_c(x) = \sum_{k=0}^{m} c_k g_k^2(x)$.

• Lagrange multipliers: The Lagrange multiplier method introduces a Lagrange multiplier $\lambda_k$ for each constraint, and $\lambda_k$ varies as long as its constraint is not satisfied, i.e., $\mathcal{E}_c(x) = \sum_{k=0}^{m} \lambda_k g_k(x)$. In addition, there is a set of differential equations for $\lambda$, i.e., $\dot{\lambda}_k = g_k(x)$.

The advantage of the penalty method is its simplicity; however, the constrained optimization problem may not be solved with finite $c$. The advantage of the Lagrange multiplier method is its ability to satisfy the hard constraints. Let $LM$ be a constraint net representing the Lagrange multiplier method. The following theorem specifies a condition under which $LM$ solves the constrained optimization problem globally.

Theorem 14.3.4 Let $A$ be a matrix where ... . If $A$ is positive definite, $LM$ solves the constrained optimization problem $\min f(x)$ subject to $g_k(x) = 0$ globally.

Consider a simple example. Given a function $f(x, y) = x^2 + y^2$ to be minimized, subject to the constraint $x + y - 1 = 0$, it is easy to check that the solution to this problem is $(0.5, 0.5)$. The constrained optimization based on the penalty method proceeds as follows: the energy function is $\mathcal{E}(x, y) = x^2 + y^2 + c (x + y - 1)^2$ where $c$ is a constant. Using the gradient method, let
$$\dot{x} = -\tfrac{1}{2} \frac{\partial \mathcal{E}}{\partial x} = -(x + c(x + y - 1)), \qquad \dot{y} = -\tfrac{1}{2} \frac{\partial \mathcal{E}}{\partial y} = -(y + c(x + y - 1)).$$
The process is asymptotically stable at $\left(\frac{c}{1 + 2c}, \frac{c}{1 + 2c}\right)$.
When $c \to \infty$, the state $(x, y)$ approaches $(0.5, 0.5)$. The constrained optimization based on the Lagrange multiplier method proceeds as follows: the energy function is $\mathcal{E}(x, y) = x^2 + y^2 + \lambda (x + y - 1)$. Using the gradient method, let
$$\dot{x} = -\frac{\partial \mathcal{E}}{\partial x} = -(2x + \lambda), \qquad \dot{y} = -\frac{\partial \mathcal{E}}{\partial y} = -(2y + \lambda).$$
In addition, $\dot{\lambda} = x + y - 1$. The process is asymptotically stable at $(0.5, 0.5)$ in the large.

14.4 Summary

We have presented here a framework for constraint satisfaction. Figure 14.1 illustrates the overall approach. First, we view constraints as relations and constraint satisfaction as a dynamic process of approaching the solution set of the constraints. Then, we explore the relationship between constraint satisfaction and constraint nets through constraint solvers. Within this framework, constraint programming is seen as the creation of a constraint solver that solves the set of constraints.

Figure 14.1: A framework for constraint satisfaction (a Dynamic Process, modeled by a Constraint Net, is specialized to Constraint Satisfaction, i.e., Constraint Method + Constraint, modeled by a Constraint Solver)

A constraint solver "solves" a set of constraints in the following sense (Figure 14.2). Given a constraint satisfaction problem $C$ and a discrete or continuous (time) constraint method, a constraint solver $CS$ is generated. Starting from any initial state in the attraction basin of $sol(C)$, $CS$ will approach $sol(C)$ asymptotically. In this framework, constraint programming is off-line and constraint satisfaction is on-line. We have also studied various continuous and discrete time constraint methods, which can be realized by state integration systems and state transition systems, respectively.

This framework for constraint satisfaction has two advantages. First, the definition of constraint solvers relaxes the condition of solving constraints from finite computation to asymptotic stability.
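The penalty method and the Lagrange multiplier method on the example just given, as an added example (not code from the thesis): it integrates the two gradient systems written above with forward Euler and compares where they settle. The step sizes, horizon and initial state are our choices; the equations are the text's. The penalty run stops at $(c/(1+2c), c/(1+2c))$, leaving a residual constraint violation of $1/(1+2c)$ for every finite $c$, whereas the Lagrange run, in which $\lambda$ is itself a state, satisfies the hard constraint exactly in the limit.

```python
"""Penalty versus Lagrange multiplier method for
    minimize f(x, y) = x^2 + y^2  subject to  g(x, y) = x + y - 1 = 0.

Added example, not code from the thesis.  Forward Euler integration of
  penalty:   dx/dt = -(x + c g),   dy/dt = -(y + c g)
  Lagrange:  dx/dt = -(2x + lam),  dy/dt = -(2y + lam),  dlam/dt = g
"""


def constraint_residual(x, y):
    """|g(x, y)| for the hard constraint g = x + y - 1; zero iff it holds exactly."""
    return abs(x + y - 1.0)


def penalty_fixed_point(c):
    """Equilibrium of the penalty system: dx/dt = dy/dt = 0 gives x = y = c/(1+2c)."""
    return c / (1.0 + 2.0 * c)


def penalty_run(c, x=2.0, y=-1.0, dt=None, t_end=30.0):
    """State integration system for E = x^2 + y^2 + c (x + y - 1)^2.
    The fastest mode has rate 1 + 2c, so the (constructed) default step
    dt = 0.5/(1 + 2c) keeps forward Euler stable for any c."""
    if dt is None:
        dt = 0.5 / (1.0 + 2.0 * c)
    for _ in range(int(t_end / dt)):
        viol = x + y - 1.0
        dx = -(x + c * viol)
        dy = -(y + c * viol)
        x, y = x + dt * dx, y + dt * dy
    return x, y


def lagrange_run(x=2.0, y=-1.0, lam=0.0, dt=0.01, t_end=30.0):
    """Lagrange multiplier system; lam is a state driven by the constraint itself.
    The linearization at (0.5, 0.5, -1) has eigenvalues -1 +- i and -2, so the
    run spirals into the constrained minimum."""
    for _ in range(int(t_end / dt)):
        dx = -(2.0 * x + lam)
        dy = -(2.0 * y + lam)
        dlam = x + y - 1.0
        x, y, lam = x + dt * dx, y + dt * dy, lam + dt * dlam
    return x, y, lam


if __name__ == "__main__":
    for c in (1.0, 10.0, 100.0):
        px, py = penalty_run(c)
        print("penalty c=%g -> (%.4f, %.4f), residual %.4f"
              % (c, px, py, constraint_residual(px, py)))
    lx, ly, llam = lagrange_run()
    print("Lagrange -> (%.6f, %.6f), lambda %.6f, residual %.1e"
          % (lx, ly, llam, constraint_residual(lx, ly)))
```

The practical point is the one the text makes about finite $c$: a larger penalty weight shrinks the residual but forces a smaller integration step (the stiff mode has rate $1 + 2c$), so the penalty solver trades constraint accuracy against the sampling rate it needs, while the multiplier solver keeps a fixed rate and still reaches the manifold.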
For example, many relaxation methods with the local convergence property are in fact "solvers" under this definition and many problems become "semi-computable" in this sense. This concept is very useful in practice and can be used for generalizing Turing computability from discrete domains to continuous domains. Second, dynamic constraints can be solved in this framework as well. This characteristic will be important later in control synthesis.

Figure 14.2: Constraint solvers and constraint satisfaction (Off-line: Build; On-line: Run)

14.5 Constraint-Based Dynamic Systems

Given a set of constraints $C$ on variables $V$, let $C^\epsilon$ denote the assertion that is true on the $\epsilon$-neighborhood of its solution set, $N_\epsilon(sol(C)) \subseteq \times_V D_v$. Let $A(C^\epsilon; \Diamond\Box)$ stand for the $\forall$-automaton in Figure 14.3(a).

Figure 14.3: Specification for (a) Constraint solver (b) Constraint-based dynamic system

Proposition 14.5.1 A constraint solver $CS_V$ solves $C$ if there exists an initial condition $\Theta \supseteq sol(C)$ such that for all $\epsilon > 0$, $[\![CS_V]\!](\Theta) \models A(C^\epsilon; \Diamond\Box)$. $CS_V$ solves $C$ globally when $\Theta = \times_V D_v$.

For example, let $C$ be $x^2 = 2$; $C^\epsilon$ is $|x - \sqrt{2}| < \epsilon$ or $|x + \sqrt{2}| < \epsilon$. In order to prove that Newton's method for solving $x^2 = 2$ satisfies $A(C^\epsilon; \Diamond\Box)$, we do the following. Let $\Theta$ be $x > 0$.

(I) Associate with automaton-states $q_0$ and $q_1$ the state propositions $\Theta \wedge \neg C^\epsilon$ and $\Theta \wedge C^\epsilon$, respectively. It is easy to check that the following conditions are satisfied.

• Initiality: $\Theta \wedge \neg C^\epsilon$ implies the proposition of $q_0$ and $\Theta \wedge C^\epsilon$ implies the proposition of $q_1$.

• Consecution: Let $f(x) = x - (x^2 - 2)/(2x)$ be the transition function of Newton's method. Then
$q_0, q_0 : \{\Theta \wedge \neg C^\epsilon\}\; x' = f(x)\; \{\neg C^\epsilon \to \Theta \wedge \neg C^\epsilon\}$,
$q_0, q_1 : \{\Theta \wedge \neg C^\epsilon\}\; x' = f(x)\; \{C^\epsilon \to \Theta \wedge C^\epsilon\}$,
$q_1, q_0 : \{\Theta \wedge C^\epsilon\}\; x' = f(x)\; \{\neg C^\epsilon \to \Theta \wedge \neg C^\epsilon\}$,
$q_1, q_1 : \{\Theta \wedge C^\epsilon\}\; x' = f(x)\; \{C^\epsilon \to \Theta \wedge C^\epsilon\}$.

Therefore, $\Theta \wedge \neg C^\epsilon$ and $\Theta \wedge C^\epsilon$ are invariants for $q_0$ and $q_1$, respectively.

(L) Associate with automaton-states $q_0$ and $q_1$ a partial function $\rho$:
$$\rho(x) = \begin{cases} x - \sqrt{2} & \text{if } |x| \ge \sqrt{2} \\ 1 + \rho\!\left(\tfrac{x}{2} + \tfrac{1}{x}\right) & \text{otherwise.} \end{cases}$$
It is easy to check that they satisfy the definedness and non-increase conditions. Furthermore, since $\Theta \wedge \neg C^\epsilon$ and $x' = f(x)$ imply that $\rho(x') - \rho(x) \le -\min(1, \epsilon_0)$ where $\epsilon_0 = \rho(\sqrt{2} + \epsilon) - \rho(f(\sqrt{2} + \epsilon))$, the decrease condition is satisfied. Therefore, $\rho$ is a Liapunov function. According to the verification rules, Newton's method for solving $x^2 = 2$ satisfies $A(C^\epsilon; \Diamond\Box)$. We should notice the importance of open specification for the asymptotic goal achievement property; Newton's method for solving $x^2 = 2$ does not satisfy $A(sol(C); \Diamond\Box)$.

For another example, the gradient method for solving $x^2 = 2$ satisfies $A(C^\epsilon; \Diamond\Box)$ for any $\epsilon > 0$ as well. To see this, let $\Theta$ be $|x| > 0$. Associate with automaton-states $q_0$ and $q_1$ the state propositions $\Theta \wedge \neg C^\epsilon$ and $\Theta \wedge C^\epsilon$, which are invariants for $q_0$ and $q_1$, respectively. Associate with automaton-states $q_0$ and $q_1$ the function $\mathcal{E}(x) = (x^2 - 2)^2$. Along $\dot{x} = -x(x^2 - 2)$ we have $\dot{\mathcal{E}}(x) = -4x^2(x^2 - 2)^2 \le 0$, which is strictly negative whenever $\Theta \wedge \neg C^\epsilon$ holds; hence for any initial state $x_0 \in \Theta$, $\mathcal{E}$ is a Liapunov function.

However, when constraints are dynamic, approaching the solution set asymptotically is still too stringent for a constraint satisfaction problem with disturbance and uncertainty in its data variables over time. If we consider the solution set of a set of constraints as the "goal" for the system to achieve, a relaxed property for a constraint solver is to make the system approach the goal persistently. In other words, if the system diverges from the goal by some disturbance, the system should always be able to be regulated back to its goal. We call a system $CB$ constraint-based with respect to a set of constraints $C$ if there exists an initial condition $\Theta \supseteq sol(C)$ such that for all $\epsilon > 0$, $[\![CB]\!](\Theta) \models A(C^\epsilon; \Box\Diamond)$, where $A(C^\epsilon; \Box\Diamond)$ stands for the $\forall$-automaton in Figure 14.3(b). In other words, a dynamic system is constraint-based if it approaches the solution set of the constraints persistently. Since $\Diamond\Box C \to \Box\Diamond C$, a constraint solver is a constraint-based system as well.
We may relax this condition further and define constraint-based systems with errors. We call a system $CB$ constraint-based w.r.t. a set of constraints $C$ with error $\delta$ if for all $\epsilon > \delta$, $[\![CB]\!](\Theta) \models A(C^\epsilon; \Box\Diamond)$; $\delta$ is called the steady-state error of the system. Normally, steady-state errors are caused by uncertainty and disturbance of the data variables. If $A(C^\epsilon; \Diamond\Box)$ is considered as an open specification of a constraint-based computation for a closed system, $A(C^\epsilon; \Box\Diamond)$ can be seen as an open specification of a constraint-based control for an open or embedded system.

Chapter 15 Control Synthesis

Given a constraint-based specification for a controller, the design of the controller is the synthesis of an embedded constraint solver that, together with the dynamics of the plant, solves constraints on-line. Various constraint methods can be applied to control synthesis under this framework. More importantly, most constraint methods are associated with some type of Liapunov function, which can be directly used by the verification method. In this chapter, we start with general issues of control synthesis and then focus on constraint-based control design and analysis. Finally we illustrate this approach via examples.

15.1 Control Synthesis: General Issues

A robotic system, in general, consists of a plant, a controller and an environment (Figure 1.1). The robotic behavior is the set of observable robot/environment traces of the system. A requirements specification is a subset of all the possible robot/environment traces. The problem of control synthesis can be formalized as follows: Given a requirements specification $R$, the model of the plant $PLANT$ and the model of the environment $ENVIRONMENT$, synthesize a model of the controller $CONTROLLER$ such that the system
$$X = PLANT(U, Y), \quad U = CONTROLLER(X, Y), \quad Y = ENVIRONMENT(X)$$
satisfies $R$. Both planning and control problems can be seen as instances of this formalization.
The planning problem is a special case of the control synthesis problem, with the restriction that the controller is a 0-ary transduction (a trace), instead of a transduction in general, and the requirements specification only imposes conditions on the "final state" of the system. If the integration of the plant and the environment is a finite state automaton, with the control output as the input, planning is the generation of a path in the state transition graph, given the initial state. The complexity of this problem is linear in the size of the state transition graph. This simple form of the planning problem can be considered as an open-loop control synthesis problem. It has been shown in control system theory (and in practice) that open-loop control is not robust. A direct generalization is then synthesizing the controller to behave as a transliteration, i.e., a reactive (universal) plan [Sch87]. Given that $S$ is the space of the robot/environment state tuples and $U$ is the set of possible control values, the number of possible reactive controllers will be $|U|^{|S|}$.

In general, requirements specification may impose other forms of constraints on traces. For example, safety and persistence are typical requirements, other than reachability, for dynamic systems. Some aggregate evaluation of the system, such as the minimum overall energy, is also an important kind of specification. When uncertainty is concerned, minimum overall expected cost is normally imposed as a constraint [Qi94]. Approaching a final goal and minimizing a global function over time (for example, energy) can both be considered as constraints over traces; the former is a typical planning problem and the latter is a typical control problem. Planning and control have been studied as different problems over the years.
The planning problem [DW91] is defined as using a model to formulate sequences of actions (or, more generally, to compose descriptions of actions over time) to achieve a certain goal. The control problem [DW91] is considered as finding a policy to achieve a goal or minimize a functional. Planning is normally restricted to symbolic domains in discrete time, while control is often for numerical domains, particularly $n$-dimensional Euclidean spaces, in either discrete or continuous time. The result of a planning problem (traditionally) is a trace (sequence) of inputs to a plant for approaching a final goal; the solution to a control problem (closed-loop control) is a transduction from the sensor traces to the command traces for minimizing a required functional, such as time, energy or cost for approaching a goal. Search algorithms and theorem proving are basic techniques for planning; calculus of variations and optimization are basic techniques for control. In our framework of control synthesis, planning and control can be studied together, and techniques developed for one problem may be used for the other.

Control synthesis in general, like verification, is hard. Furthermore, there does not exist a uniform algorithm for different control synthesis problems. In the rest of this chapter, we focus on a systematic approach to designing and analyzing constraint-based control systems.

15.2 Constraint-Based Control

We restrict requirements specification to constraint-based specification. Most robotic systems are constraint-based, since physical limitations, environmental restrictions and task requirements can be specified as constraints. We have developed a framework of viewing constraint satisfaction as a dynamic process. An important consequence of this framework is to be able to design control systems as embedded constraint solvers.
Such an embedded constraint solver is an open system whose inputs are observable traces of the plant and the environment. The embedded constraint solver together with the rest of the robotic system satisfies the desired constraint-based specification (Figure 15.1).

Figure 15.1: Embedded constraint solvers (Build; Embedded Constraint Solver; Initial State)

Let $C$ be a set of constraints and $C^\epsilon$ be an $\epsilon$-neighborhood of $sol(C)$. Typical types of constraint-based specification are:

• safety requirement: $\Box C^\epsilon$;

• goal achievement: $\Diamond\Box C^\epsilon$;

• persistence: $\Box\Diamond C^\epsilon$.

The safety requirement is the strongest and the persistence is the weakest, since $\Box C^\epsilon \to \Diamond\Box C^\epsilon$ and $\Diamond\Box C^\epsilon \to \Box\Diamond C^\epsilon$.

Embedded constraint solvers can be either discrete or continuous according to the constraint methods. Continuous solvers, based on energy functions, generalize potential functions. Discrete solvers, based on relaxation methods in numerical computation, are more flexible in many applications.

The design of an energy function depends on the type of constraint. For goal achievement or persistence constraints, the energy function defines the degree of satisfaction of the constraints; for safety constraints, the energy function defines the degree of satisfaction of the constraints within $C^\epsilon$ and infinity outside of $C^\epsilon$. For example, given a requirements specification $\Box\Diamond C^\epsilon$ with $C$ defined as $f(x) = 0$, an energy function for this specification can be $f^2(x)$. If $\Box(f(x) > 0)$ is required, an energy function can be $\max(-\ln(f(x)/\epsilon), 0)$, i.e., if $f(x) \ge \epsilon$ then $\mathcal{E}(x) = 0$; if $0 < f(x) < \epsilon$ then $\mathcal{E}(x) > 0$; and if $f(x) \to 0$ then $\mathcal{E}(x) \to \infty$. Using these types of energy function, we have designed controllers for a two-link robot arm tracking targets (persistence) and/or avoiding obstacles (safety); details are presented in Appendix C.

15.3 Examples

Various existing controllers, from simple linear control to complex nonlinear adaptive control or potential field methods, can be derived and analyzed in this framework.
We analyze two simple examples here to illustrate the approach. The first is on the design and analysis of linear controllers; the second is on the design and analysis of a nonlinear controller for a car-like robot.

15.3.1 Linear control

Linear controllers are the most widely used in real systems. Even though there are many advanced control strategies in theory, linear controllers are still the most robust and reliable ones. A linear proportional and derivative (PD) controller has the form $u = k_p e + k_d \dot{e}$ where $u$ is the control signal, $e = x_d - x$ is the current error between the desired position $x_d$ and the actual position $x$, $k_p$ is a proportional gain and $k_d$ is a derivative gain. A desired property for a PD controller can be $\Diamond\Box(e^2 < \epsilon)$. However, in many cases, we would also like to trade position errors for low oscillation or frequency. A more appropriate property for a PD controller should be $\Diamond\Box(e^2 + \lambda \dot{e}^2 < \epsilon)$ where $\lambda > 0$ denotes a trade-off between position and velocity errors. If $\lambda \to 0$, only position errors are taken into account.

We can synthesize a PD controller using an energy function $\mathcal{E} = \frac{1}{2}(e^2 + \lambda \dot{e}^2)$. The controller, together with the dynamics of the plant, is to make $\mathcal{E}$ go to its minimum. We have $\dot{\mathcal{E}} = e \dot{e} + \lambda \dot{e} \ddot{e} = \dot{e}(e + \lambda \ddot{e})$. If we let $e + \lambda \ddot{e} = -k \dot{e}$ for $k > 0$, we have $\dot{\mathcal{E}} = -k \dot{e}^2 \le 0$, a desired property for the controller. Therefore, we want $-\ddot{e} = \frac{1}{\lambda}(e + k \dot{e})$. In most cases, $\ddot{x}_d = 0$, so $\ddot{x} = \frac{1}{\lambda}(e + k \dot{e})$. If the dynamics of the plant is $u = \ddot{x}$, let $u = \frac{1}{\lambda}(e + k \dot{e})$, which is a PD controller with $k_p = \frac{1}{\lambda}$ and $k_d = \frac{k}{\lambda}$. This design tells us that if $\lambda \to 0$, then $k_p, k_d \to \infty$ and there will possibly be high oscillation since the constraint on $\dot{e}$ is neglected. A compromise between the position error and the oscillation frequency should be made for any application. Furthermore, if the dynamics of the plant is $u = m \ddot{x}$, the PD controller $u = \frac{1}{\lambda}(e + k \dot{e})$ will make $\mathcal{E} = \frac{1}{2}(e^2 + m \lambda \dot{e}^2)$ go to its minimum.
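The PD design just derived, run against a plant whose mass differs from the one assumed at design time, as an added example (not code from the thesis). The gains are the text's, $k_p = 1/\lambda$ and $k_d = k/\lambda$, and the closed loop is checked against the energy the text says must decrease for the plant $u = m\ddot{x}$, namely $\mathcal{E} = \frac{1}{2}(e^2 + m\lambda\dot{e}^2)$ with $\dot{\mathcal{E}} = -k\dot{e}^2$. The mass, the values of $\lambda$ and $k$, the initial error and the integration scheme (semi-implicit Euler) are our choices.

```python
"""PD controller synthesized from the energy function E = (e^2 + lam*edot^2)/2.

Added example, not code from the thesis.  Controller: u = (e + k*edot)/lam,
i.e. k_p = 1/lam, k_d = k/lam.  Plant: m*xddot = u with x_d constant, so
e = x_d - x gives eddot = -xddot = -u/m.  Under this loop the energy
E_m = (e^2 + m*lam*edot^2)/2 satisfies dE_m/dt = -k*edot^2 <= 0.
"""


def pd_gains(lam, k):
    """(k_p, k_d) of the controller u = (e + k*edot)/lam."""
    return 1.0 / lam, k / lam


def energy(e, edot, m, lam):
    """E_m = (e^2 + m*lam*edot^2)/2, the Liapunov function for the plant m*xddot = u."""
    return 0.5 * (e * e + m * lam * edot * edot)


def simulate_pd(lam=0.5, k=1.0, m=2.0, e0=1.0, dt=0.001, t_end=30.0):
    """Closed loop of the PD controller and the plant m*xddot = u, x_d constant.
    Returns (final_error, energies, zero_crossings_of_e); the crossings count
    shows how much oscillation the chosen lam/k trade-off allows."""
    kp, kd = pd_gains(lam, k)
    e, edot = e0, 0.0
    energies = [energy(e, edot, m, lam)]
    crossings = 0
    for _ in range(int(t_end / dt)):
        u = kp * e + kd * edot        # control signal from the PD law
        eddot = -u / m                # plant: m*xddot = u, and e = x_d - x
        edot += dt * eddot            # semi-implicit Euler: velocity first
        new_e = e + dt * edot
        if new_e * e < 0:
            crossings += 1
        e = new_e
        energies.append(energy(e, edot, m, lam))
    return e, energies, crossings


def energy_nonincreasing(energies, tol=1e-9):
    """Discrete check of dE_m/dt <= 0 along the simulated trace."""
    return all(b <= a + tol for a, b in zip(energies, energies[1:]))


if __name__ == "__main__":
    for lam in (2.0, 0.5, 0.05):
        e_final, energies, crossings = simulate_pd(lam=lam)
        print("lam=%g gains=%s  |e_final|=%.2e  E0=%.3f  E_end=%.2e  crossings=%d"
              % (lam, pd_gains(lam, 1.0), abs(e_final), energies[0], energies[-1], crossings))
```

With $m = 2$, $\lambda = 0.5$ and $k = 1$ the closed loop is $\ddot{e} + \dot{e} + e = 0$ (damping ratio 0.5), so the error crosses zero a few times before settling; the energy trace still never increases, which is the property the synthesis guarantees even though the plant mass was not the one assumed ($m = 1$) when the gains were chosen.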
If the dynamics of the plant is not fully known, we can still get a good estimation of the control parameters. Since $\dot{\mathcal{E}} = \dot{e}(e + \lambda \ddot{e}) = (\lambda u - e)(e + \lambda \ddot{e}) / k$, if $\lambda |u| \le |e|$ and $\lambda |\ddot{e}| \le |e|$, we have $\dot{\mathcal{E}} \le 0$. Therefore, let $\lambda$ be chosen from the ratios $|e|_{min} / |u|_{max}$ and $|e|_{min} / |\ddot{e}|_{max}$ so that both inequalities hold, where $|e|_{min}$ is the steady-state error, and $|u|_{max}$ and $|\ddot{e}|_{max}$ can be estimated even when the dynamics of the plant is unknown. If $u$ can be estimated on-line, $\lambda$ can be adapted over time, and better performance can be achieved. We can design and analyze nontrivial control strategies using the same simple principle: on-line constraint satisfaction or energy minimization.

15.3.2 Nonlinear control

Linear PD controllers are simple and easy to analyze. However, they may not fit systems with complex nonlinear dynamics. Consider a tracking system for the car-like robot. Let $v$ be the velocity of the car and $\alpha$ be the current steering angle of the wheels; $v$ and $\alpha$ can be considered as control inputs to the car. The dynamics of the car can be modeled by the following differential equations:
$$\dot{x} = v \cos\theta, \qquad \dot{y} = v \sin\theta, \qquad \dot{\theta} = v / R$$
where $(x, y)$ is the position of the tail of the car, $\theta$ is the heading direction and $R = L / \tan\alpha$ is the turning radius given the length of the car $L$ (Figure 1.2). A tracking problem for the car-like robot is to design a controller that, given a target trace and an actual trace of the configuration of the car up to the current time, produces the control inputs to the car so that the car tracks the target over time.

If the target is constant (for example, parallel parking), the problem can be decomposed into two subproblems: path planning and control. The path planning is to produce a set of consecutive circle and line segments that connect the current and the target configuration of the car (Figure 15.2). Although there are more complex tracking algorithms in practice [SM94], the simplest tracking algorithm is as follows.

Figure 15.2: Path planning
For tracking on the line segments, set $\alpha = 0$; and for tracking on the circle segments, set $\alpha$ to be a nonzero constant (Left: $+\tan^{-1}(L/R)$ and Right: $-\tan^{-1}(L/R)$). In either case, the velocity can be set to a constant or be controlled by a linear proportional controller.

When the target is moving, the path planning can be either applied at a fixed sampling rate or event-driven, where an event indicates a substantial change of the target. However, there is a simple control strategy for tracking a dynamic target, so that the path planning problem can be simplified, if not eliminated.

Let $C$ denote the constraint for the tracking problem: $(x = x_d) \wedge (y = y_d) \wedge (\theta = \theta_d)$. The desired property for tracking is persistence, which can be expressed as $\Box\Diamond C^\epsilon$. We define an energy function for the controller as
$$\mathcal{E} = \tfrac{k_p}{2}(x_d - x)^2 + \tfrac{k_p}{2}(y_d - y)^2 + \tfrac{k_t}{2}(\theta_d - \theta)^2.$$
The controller is designed to make $\mathcal{E}$ go to its minimum. Let $p = \int v\,dt$ be the length of the path. We have $v = \dot{p}$ and $\alpha = \tan^{-1}(L \dot{\theta} / v)$. Using the gradient method, we would like to have
$$\dot{p} = -k_1 \frac{\partial \mathcal{E}}{\partial p}, \qquad \dot{\theta} = -k_2 \frac{\partial \mathcal{E}}{\partial \theta},$$
where $\frac{\partial \mathcal{E}}{\partial p}$ and $\frac{\partial \mathcal{E}}{\partial \theta}$ can be computed as follows:
$$\frac{\partial \mathcal{E}}{\partial p} = -\left[k_p (x_d - x) \frac{\partial x}{\partial p} + k_p (y_d - y) \frac{\partial y}{\partial p} + k_t (\theta_d - \theta) \frac{\partial \theta}{\partial p}\right],$$
where $\frac{\partial x}{\partial p} = \frac{\dot{x}}{v} = \cos\theta$, $\frac{\partial y}{\partial p} = \frac{\dot{y}}{v} = \sin\theta$, $\frac{\partial \theta}{\partial p} = \frac{\dot{\theta}}{v} = \frac{\tan\alpha}{L}$, and
$$\frac{\partial \mathcal{E}}{\partial \theta} = -\left[k_p (x_d - x) \frac{\partial x}{\partial \theta} + k_p (y_d - y) \frac{\partial y}{\partial \theta} + k_t (\theta_d - \theta)\right],$$
where $\frac{\partial x}{\partial \theta} = -v \sin\theta$ and $\frac{\partial y}{\partial \theta} = v \cos\theta$. Let $d = \sqrt{(x_d - x)^2 + (y_d - y)^2}$ and $\theta' = \tan^{-1}(y_d - y, x_d - x)$. The control law for the tracking problem is:
$$v = k_1 \left[k_p d \cos(\theta' - \theta) + k_t (\theta_d - \theta) \frac{\tan\alpha}{L}\right],$$
$$\alpha = \tan^{-1}\!\left(\frac{k_2 L}{v}\left(k_p v d \sin(\theta' - \theta) + k_t (\theta_d - \theta)\right)\right).$$
Now we are able to analyze the stability of this control law. We argue that the control law is stable, since
$$\dot{\mathcal{E}} = -\left[k_p (x_d - x)\dot{x} + k_p (y_d - y)\dot{y} + k_t (\theta_d - \theta)\dot{\theta}\right] = -\left[k_p (x_d - x)\cos\theta + k_p (y_d - y)\sin\theta + k_t (\theta_d - \theta)\frac{\tan\alpha}{L}\right] v = -\frac{1}{k_1} v^2 \le 0.$$
However, there are local minima or singularities. If $|\theta' - \theta| = \frac{\pi}{2}$ and $\theta_d = \theta$, we get $v = 0$ even when $d \ne 0$. We can prove that they are the only singularities of this control law.
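The tracking law above in simulation, as an added example (not code from the thesis or the soccer-robot implementation). It uses the kinematic model and the energy function given in the text. Because $v$ appears on both sides of the control law (through $\tan\alpha / L = \dot{\theta} / v$), this implementation substitutes $\dot{\theta} = k_2[k_p v d \sin(\theta' - \theta) + k_t(\theta_d - \theta)]$ into the $v$ law and solves the resulting quadratic in $v$ exactly; that substitution, the root choice, the gains, the step size, the target and the initial configuration are our own choices, not the thesis's. The singular configurations noted above ($v = 0$ when $d = 0$, or when $|\theta' - \theta| = \pi/2$ with $\theta = \theta_d$) fall out of the same formula.

```python
"""Constraint-based tracking controller for the car-like robot.

Added example, not code from the thesis.  Energy and kinematics as in the text:
  E = kp/2 ((xd-x)^2 + (yd-y)^2) + kt/2 (thd-th)^2
  xdot = v cos th,  ydot = v sin th,  thdot = v tan(alpha)/L
Control law (text):  v = k1[kp d cos(th'-th) + kt (thd-th) tan(alpha)/L]
                     tan(alpha) = L thdot / v,  thdot = k2[kp v d sin(th'-th) + kt (thd-th)]
"""
import math


def energy(state, target, kp=1.0, kt=1.0):
    x, y, th = state
    xd, yd, thd = target
    return 0.5 * kp * ((xd - x) ** 2 + (yd - y) ** 2) + 0.5 * kt * (thd - th) ** 2


def control(state, target, kp=1.0, kt=1.0, k1=1.0, k2=1.0, L=1.0):
    """Return (v, alpha).  Eliminating tan(alpha)/L = thdot/v from the v law gives
    v^2 - A v - B = 0 with A = k1 kp d [cos(th'-th) + k2 kt (thd-th) sin(th'-th)]
    and B = k1 k2 kt^2 (thd-th)^2 >= 0.  The root carrying the sign of A is used,
    so v = A (drive toward the target) whenever the heading error is zero."""
    x, y, th = state
    xd, yd, thd = target
    d = math.hypot(xd - x, yd - y)
    thp = math.atan2(yd - y, xd - x)          # th': bearing of the target
    he = thd - th                             # heading error
    A = k1 * kp * d * (math.cos(thp - th) + k2 * kt * he * math.sin(thp - th))
    B = k1 * k2 * kt * kt * he * he
    root = math.sqrt(A * A + 4.0 * B)
    v = 0.5 * (A + root) if A >= 0.0 else 0.5 * (A - root)
    thdot = k2 * (kp * v * d * math.sin(thp - th) + kt * he)
    alpha = math.atan(L * thdot / v) if v != 0.0 else 0.0   # singular at v = 0
    return v, alpha


def step(state, v, alpha, dt, L=1.0):
    """Forward-Euler step of the car kinematics."""
    x, y, th = state
    return (x + dt * v * math.cos(th),
            y + dt * v * math.sin(th),
            th + dt * v * math.tan(alpha) / L)


def track(state, target, dt=0.005, t_end=12.0, **gains):
    """Run the closed loop; returns (final_state, initial_energy, final_energy)."""
    kp, kt = gains.get("kp", 1.0), gains.get("kt", 1.0)
    e0 = energy(state, target, kp, kt)
    for _ in range(int(t_end / dt)):
        v, alpha = control(state, target, **gains)
        state = step(state, v, alpha, dt, gains.get("L", 1.0))
    return state, e0, energy(state, target, kp, kt)


if __name__ == "__main__":
    final, e0, e1 = track((-2.0, 0.0, 0.3), (0.0, 0.0, 0.0))
    print("final configuration", final, "energy %.3f -> %.2e" % (e0, e1))
    print("singular: v =", control((0.0, -1.0, 0.0), (0.0, 0.0, 0.0))[0])
```

In the last line the car sits one unit beside the target with the correct heading, so $\theta' - \theta = \pi/2$ and the law returns $v = 0$ although $d = 1$; this is the singularity the text identifies, and it is the reason a higher-level strategy is needed to produce intermediate configurations (Section 15.4).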
Proposition 15.3.1 This control law satisfies the condition that $v = 0$ if and only if $(d = 0 \vee |\theta' - \theta| = \frac{\pi}{2}) \wedge (\theta_d = \theta)$.

We have applied this control strategy to the soccer-playing robot car with high level target generation and low level target tracking. For the real car, the throttles and steering angles are limited to certain ranges, and errors appear in both sensing and control. Gains in the control law are any positive reals in theory but should be chosen for the best performance in practice. The model of the car-like robot, with the dynamics of forces, frictions and mechanical delays, has been developed. Even though the development itself is not closely related to the content of this thesis, the method may have a general interest for other applications. We describe the theory behind this model estimation method in Appendix D.

15.4 Summary

Constraint-based control synthesis and analysis provide a unitary framework for developing continuous/discrete hybrid control systems. However, we are not aiming either to subsume or to replace existing control theory, but rather to formalize the underlying principles that are used informally in practice.

Local minima and/or singularities are the major problem for this type of controller. Normally singularities can be avoided if a higher level control strategy is used to detect singularities and to produce a sequence of intermediate configurations between the actual and the target configurations. Such a higher level control strategy becomes more important when the robot is embedded in a complex environment. In general, any complex robot control system should be developed and organized hierarchically. In the rest of Part III, we will propose a hierarchical robotic architecture.

Chapter 16 Robotic Architecture

We propose two kinds of hierarchy in a robot control system: one is composition hierarchy, the other is interaction hierarchy.
Both of these hierarchies should be used as systematic mechanisms for building, organizing and analyzing a complex system incrementally. The Constraint Net model supports composition hierarchies with modules, each of which has a set of inputs and outputs and performs a transduction from input traces to output traces. The composition hierarchy characterizes the hierarchy of composing complex modules from simple ones. The composition hierarchy of a system has a tree structure, in which the root is the whole net and the leaves are basic transductions. A complex module can be incrementally composed of simpler ones. A system can be tested and verified structurally. The interaction hierarchy imposes the hierarchy of interaction or communication between modules. In the rest of this chapter, we focus on interaction hierarchies. We present a two-dimensional hierarchical structure: one dimension is the abstraction (or vertical) hierarchy and the other is the arbitration (or horizontal) hierarchy.

16.1 Abstraction Hierarchy

A control system, in general, is implemented in a vertical hierarchy [Alb81] corresponding to a hierarchical abstraction of time and domains (Figure 16.1). The bottom level sends control signals to various actuators, and at the same time senses the state of actuators. Control signals flow down and the sensing signals flow up. Sensing signals from the environment are distributed over levels. Each level is a black box that represents the causal relationship between the inputs and the outputs. The inputs consist of the control signals from the higher level, the sensing signals from the environment and the current states from the lower level. The outputs consist of the control signals to the lower level and the current states to the higher level.

Figure 16.1: Abstraction hierarchy (time structures; controller levels)
Usually, the bottom level is implemented by analog circuits that function in continuous dynamics, and the higher levels are realized by distributed computing networks. In our framework of control synthesis, constraints are specified at different levels on different domains, with the higher levels more abstract and the lower levels more plant-dependent. For example, a multi-joint arm can be specified by two levels: the low level on joint space and the high level on task space. A control system can be synthesized as a hierarchy of interactive embedded constraint solvers that form the abstraction hierarchy. Each abstraction level solves constraints on its state space and produces the input to the lower level. The higher levels are composed of digital/symbolic event-driven control derived from discrete constraint methods, and the lower levels are analog control based on continuous constraint methods.

16.2 Arbitration Hierarchy

Various constraints at the same level of the abstraction hierarchy may form a constraint hierarchy. For example, safety requirements may always have the highest priority for satisfaction and persistence properties the lowest. In our framework of control synthesis, constraint solvers at the same level of the abstraction hierarchy are coordinated via various arbitrations to compromise among different kinds of constraint; these form the arbitration hierarchy (Figure 16.2).

Figure 16.2: Arbitration hierarchy (CS's and A's denote solvers and arbiters respectively)

One type of arbitration can be modeled by the subsumption architecture [Bro86]. An output of a module in a higher layer can be subsumed by an output of a module in a lower layer. An input of a module in a lower layer can be inhibited by an output of a module in a higher layer. Some other forms of subsumption and inhibition mechanism have been proposed in terms of compound synapses in neural activities [Bee90].
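The following Python program is an added example, not code from the thesis or from ALERT. It implements the interaction and arbitration functions that this section goes on to define (gated and modulated synapses, subsume, conditional pass and compromise) and uses them to coordinate two constraint solvers at one abstraction level, an obstacle-avoidance solver for the safety constraint and a tracking solver for the target constraint, above a lower level that integrates the plant on a finer time structure (Section 16.1). The scenario is constructed: a one-dimensional robot, target at x = 1.0, obstacle at x = 1.3 with a safety radius of 0.5, a potential-function tracking law with gain 2 and speed limit 1, an idealised plant x' = v, and a high level that re-solves every ten plant steps. The avoidance law, all numbers, and the non-zero tests used in subsume and conditional pass are assumptions made for the illustration.

```python
"""Two-level constraint-based controller coordinated by arbitration functions.

Added example for Chapter 16 (not code from the thesis or ALERT). A high level
runs two constraint solvers on a coarse time structure, an arbiter combines
their outputs, and a low level integrates the plant on a fine time structure.
All numbers and the avoidance law are constructed for illustration.
"""
import math
from dataclasses import dataclass
from typing import Callable, Tuple


# --- interaction functions (compound synapses, Section 16.2) ---
def gated(i_s: float, i_g: float) -> float:
    """Gated synapse: f_g(I_S, I_G) = (1 + I_G) * I_S."""
    return (1.0 + i_g) * i_s


def modulated(i_s: float, i_m: float) -> float:
    """Modulated synapse: amplify for I_M >= 0, attenuate by 1/(1 + |I_M|) otherwise."""
    return (1.0 + i_m) * i_s if i_m >= 0 else i_s / (1.0 + abs(i_m))


# --- arbitration functions (Section 16.2); the non-zero tests are an assumption ---
def subsume(u: float, l: float) -> float:
    """Subsume: a non-zero lower-layer output L replaces the upper-layer output U."""
    return l if l != 0 else u


def conditional_pass(c: float, i: float) -> float:
    """Conditional pass: I gets through only while the condition signal C is non-zero."""
    return i if c != 0 else 0.0


def compromise(i1: float, i2: float, w1: float) -> float:
    """Compromise: w1*I1 + w2*I2 with w1, w2 > 0 and w1 + w2 = 1."""
    if not 0.0 < w1 < 1.0:
        raise ValueError("w1 must lie strictly between 0 and 1")
    return w1 * i1 + (1.0 - w1) * i2


# --- constructed scenario: 1-D robot whose target lies inside an obstacle's safety radius ---
@dataclass(frozen=True)
class Task:
    x_target: float = 1.0    # where the tracking constraint wants the robot
    x_obstacle: float = 1.3  # obstacle centre
    r_safe: float = 0.5      # safety constraint: keep |x - x_obstacle| >= r_safe
    k_track: float = 2.0     # gain of the potential-function tracking law
    v_max: float = 1.0       # speed limit of the plant


def track(x: float, task: Task) -> float:
    """Tracking solver: descend the quadratic potential towards the target, speed-limited."""
    v = task.k_track * (task.x_target - x)
    return max(-task.v_max, min(task.v_max, v))


def avoid(x: float, task: Task) -> float:
    """Safety solver: silent (0) outside the radius, repulsion growing with intrusion inside it."""
    d = x - task.x_obstacle
    if abs(d) >= task.r_safe:
        return 0.0
    return math.copysign(task.v_max, d) * (task.r_safe - abs(d)) / task.r_safe


def simulate(task: Task, arbiter: Callable[[float, float], float], steps: int = 600,
             dt: float = 0.01, high_rate: int = 10) -> Tuple[float, float]:
    """Run the hierarchy; return (final x, closest approach to the obstacle).

    The high level re-solves every `high_rate` plant steps (coarser time structure);
    its arbitrated output is the input to the low level, which integrates x' = v.
    """
    x, v_cmd = 0.0, 0.0
    min_dist = abs(x - task.x_obstacle)
    for n in range(steps):
        if n % high_rate == 0:
            v_cmd = arbiter(track(x, task), avoid(x, task))
        x += v_cmd * dt
        min_dist = min(min_dist, abs(x - task.x_obstacle))
    return x, min_dist


def run_safety_first(task: Task = Task()) -> Tuple[float, float]:
    """Avoidance (the higher-priority layer, argument L) subsumes tracking (argument U)."""
    return simulate(task, subsume)


def run_tracking_only(task: Task = Task()) -> Tuple[float, float]:
    """No arbitration: the safety solver's output is ignored."""
    return simulate(task, lambda v_track, v_avoid: v_track)


def run_compromise(task: Task = Task(), w_track: float = 0.5) -> Tuple[float, float]:
    """Weighted compromise between the two solvers instead of hard priority."""
    return simulate(task, lambda v_track, v_avoid: compromise(v_track, v_avoid, w_track))


if __name__ == "__main__":
    for name, run in (("subsume", run_safety_first),
                      ("tracking only", run_tracking_only),
                      ("compromise 50/50", run_compromise)):
        x, d = run()
        print(f"{name:17s} final x = {x:.3f}   closest approach = {d:.3f}")
```

Running the three configurations shows why a safety constraint is given hard priority rather than a weight. With subsume, tracking is overridden whenever the avoidance solver produces a non-zero output, and the robot settles at the boundary of the safety radius (x = 0.8) without reaching its target; the transient intrusion of at most v_max times the high-level period is the price of re-solving on the coarser time structure, which is one reason the bottom level is normally continuous. With tracking alone the robot drives well inside the radius. With a 50/50 compromise the equilibrium sits at x = 0.9, inside the radius, because weighting lets the lower-priority constraint trade against the safety constraint.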
There are two different interaction functions: gated synapses, where

$f_g(I_S, I_G) = (1 + I_G)\, I_S$,

and modulated synapses, where

$f_m(I_S, I_M) = \begin{cases} (1 + I_M)\, I_S & \text{if } I_M \ge 0 \\ I_S / (1 + |I_M|) & \text{otherwise.} \end{cases}$

We can define some other arbitration functions:

• Subsume: $f_s(U, L) = \begin{cases} L & \text{if } L \ne 0 \\ U & \text{otherwise.} \end{cases}$

• Conditional pass: $f_c(C, I) = \begin{cases} I & \text{if } C \ne 0 \\ 0 & \text{otherwise.} \end{cases}$

• Compromise: $f_w(I_1, I_2) = w_1 I_1 + w_2 I_2$, with $w_1, w_2 > 0$ and $w_1 + w_2 = 1$.

In most cases, arbitration functions are nonlinear. In general, multiple embedded constraint solvers are distributed and coordinated via various arbiters, which implement constraint hierarchies with the subsumption architecture or with some form of compromise.

We have developed a control system for a hydraulically actuated arm with a low-level PD controller and high-level end-point tracking and obstacle avoidance. Obstacle avoidance has a higher priority for satisfaction than end-point tracking. Both levels can be considered as applications of constraint-based control. This control system is a typical example of a hierarchical control system. The model of the arm and the hydraulic actuators, and the joint-level and end-point-level control strategies, are described in detail in Appendix C.

We have also developed a modeling and simulation environment, called ALERT (A Laboratory for Embedded Real-Time systems), in which all the examples described in this thesis have been experimented with. In addition to the existing linear and nonlinear modules, we have developed event, logic and arbitration modules for constructing complex hybrid control systems. ALERT and some examples are presented in Appendix B.

Chapter 17 Summary and Related Work

We have developed a systematic approach to control synthesis: a framework for constraint-based control and a framework for robotic architecture. In this chapter, we summarize this approach in terms of its power and limitations, and discuss some related work on constraint-based control and robotic architecture.
17.1 Summary

In this section, we summarize our framework for control synthesis and robotic architecture.

17.1.1 Power

Most robotic systems are constraint-based dynamic systems. Systems with adaptivity and learning exhibit this type of property as well. Constraint-based control synthesis provides a simple principle, on-line constraint satisfaction or energy minimization, that has been used implicitly in many existing control laws. With this framework, both discrete and continuous control strategies can be derived and analyzed, and many existing constraint methods can be applied to control. With this synthesis principle, verification can be simplified as well.

17.1.2 Limitations

Similar to the limitations of V-automata for representing dynamic behaviors, constraint-based specification cannot represent probabilistic or stochastic performance, or minimization of total cost over time (for example, energy cost for control). Constraint-based control differs from optimal control: the former is an on-line optimization that uses on-line constraint satisfaction, and the latter is an off-line optimization that uses the calculus of variations [Lue79, War72, NK93a].

Constraint-based control synthesis is a methodology, a framework or a concept for the systematic development of control systems, rather than a new technique for the automatic generation of control systems. We will work on automatic or semi-automatic control synthesis for special classes of system in the future.

17.2 Related Work

Much work has been done on control synthesis. In this section, we survey only the most related and influential work. We consider two classes of work: one is on control strategies and the other is on control structures.

17.2.1 Constraint-based control

Early work on constraint-based control includes potential functions and the least constraint framework.
Potential functions generalize the conceptions of potential fields and forces, so that intention and action are intrinsically bound together in the description of the robot's task [Kod89]. Potential functions are used in obstacle avoidance and target tracking in unstructured environments [Kha86]. Various control methods, from PD controllers to adaptive control and neural nets, can be considered as applications of potential functions [Kod89].

The least constraint framework was proposed [Pai89, Pai91] to program robots with a high degree of freedom in changing environments. In this framework, sensed and actuated variables are related via a set of inequality or equality constraints, possibly changing over time. Constraints are satisfied at run time by a set of real-time constraint methods. This framework can deal with redundancy and the partial specification of motion, while at the same time supporting modularity and parallelism.

Some recent work on auction-based control [CR93] can be considered as constraint-based control with the objective of minimizing standard deviation. To the best of our knowledge, there has been no research on formal requirements specification for control synthesis.

17.2.2 Robotic architecture

Much work has been done on robot control structures. Our concept of a two-dimensional interaction hierarchy derives from the work done by Albus and Brooks.

From the point of view of robotic systems design, Albus [Alb81] studied hierarchical goal-directed behavior and proposed the sensory-processing hierarchy. In this structure, high-level goals are decomposed through a succession of levels, each producing strings of more specific commands to the next lower level. The bottom level generates the drive signals to the robot, such as joints and grippers. Each control level is a separate process with a limited scope of responsibility, independent of the details at other levels.
Thus, such a structure provides a foundation for future modular, “plug compatible” hardware and software for robots and real-time sensory interactive control applications.

Brooks [Bro86] proposed a robust layered control system for mobile robots, called the subsumption architecture. Unlike the traditional decomposition of a mobile robot control system into functional modules, Brooks decomposed a mobile robot control system into task-achieving behaviors. Such a decomposition meets the requirements of multiple goals, multiple sensors and robustness.

Many real control systems use the concept of hierarchy. For example, Sahota and Mackworth [SM94] developed a hierarchical control structure for a soccer-playing robot, with high-level behavior bidding and path generation and low-level path tracking. Zhao [Zha91] developed a synthesis method for nonlinear control systems with high-level path planning and navigation in phase spaces and low-level path tracking using linear control. Nerode and Kohn [NK93b] proposed a multiple agent hybrid control architecture. The key capabilities of the architecture are: reactive and adaptive mechanisms, distributed structures with coordination, dynamic hierarchization, provable correctness and real-time response. The central mechanism for providing these capabilities is an on-line restricted automated theorem prover associated with each agent. Extensibility and robustness are also considered in this architecture. Some other work on hybrid control systems [GNRR93] has also been done recently.

Part IV Conclusions and Further Research

The greatest accomplishment seems unfinished, yet its applications are endless. The greatest fullness seems empty, yet its applications are never exhausted.
— Tao Teh Ching, Lao Tzu

The greatest conclusion seems stuttering, yet its implications are endless. The greatest future work seems crude, yet its fruits are never exhausted.
— Zhang Ying

Chapter 18 Conclusions and Further Research

We have taken an integrated approach to the design and analysis of robotic systems and behaviors by establishing a foundation for modeling, analyzing, specifying, verifying and synthesizing complex artifacts that interact with changing environments. We have developed a semantic model for hybrid dynamic systems, two languages for requirements specification, a formal method for behavior verification, and a systematic approach to control synthesis. In this chapter, we review what has been achieved in this research, and point out possible topics for the future.

18.1 Conclusions

We have decomposed the problem of design and analysis into four phases: modeling, specification, synthesis and verification. We have developed formal methods for each individual phase, and the relationships among all the phases.

First, we have developed a semantic model for hybrid dynamic systems, that we call Constraint Nets (CN). Based on abstract algebra and topology, we have represented both time and domains in abstract forms, and uniformly formalized the basic elements of dynamic systems in terms of traces and transductions. We have studied both primitive and event-driven transductions. CN is an abstraction and generalization of dataflow networks, and the behavior of a system (the semantics of a model) is formally obtained using the fixpoint theory of continuous algebra. In particular, CN models a dynamic system as a set of interconnected transductions, and the behavior of the system is the set of input/output traces of the system satisfying all the relationships imposed by the transductions. CN models a hybrid system using event-driven transductions, where the events are generated and synchronized within the system.

The motivation for developing CN is the modeling of hybrid dynamic systems.
However, we have shown that CN is as powerful as existing computational models, so that both sequential and analog computations can be modeled. In order to study system behaviors formally, we have defined abstraction and equivalence of systems and behaviors using homomorphism and quotient algebra.

Second, we have developed two languages, TLTL and timed V-automata, for requirements specification. TLTL is a linear temporal logic extended with real-time modal operators. Timed V-automata are nondeterministic finite state automata augmented with local and global time bounds. As with CN, both languages are defined on abstract time and domains.

Third, we have developed a formal method, based on model checking and stability analysis, for behavior verification. This verification method is semi-automatic if the time structure is discrete, and automatic if, in addition, the domains are finite as well; the time complexity of the resulting verification algorithm is polynomial in both the size of the model and the size of the specification.

Fourth, we have developed a systematic approach to control synthesis. In this approach, desired properties of behaviors are specified with various forms of constraints using timed V-automata, such that the accepting automaton-states of the V-automata represent the neighborhoods of the solution set of the given constraints. Constraint-based control is then synthesized as embedded constraint solvers that, together with the dynamics of the plant and the environment, solve the constraints on-line. For the purposes of both design and analysis, we advocate a two-dimensional hierarchical structure for control systems.

As a whole, we have established a theoretical foundation for developing robotic systems and analyzing robotic behaviors (Figure 18.1).

Figure 18.1: Summary (figure labels: PART I, PART III, MODELING, REASONING)
The major contributions of this thesis are summarized as follows:

• Constraint Nets for hybrid systems modeling and analysis. CN possesses the essential properties of a desired model for robotic systems (modified from [LS90]), namely: Real-Time: time is explicitly represented; Symmetrical: the dynamics of environments as well as the dynamics of plants and control can be modeled; Hybrid: multiple time and domain structures are uniformly formalized; Hierarchical: multiple levels of abstraction are provided; and Formal: formal syntax and semantics are defined, and formal analysis is facilitated.

• TLTL and timed V-automata for requirements specification. TLTL specifies discrete/continuous sequential/timed behaviors uniformly; timed V-automata provide a simple alternative to TLTL, which is illuminating and, in some cases, more powerful.

• A formal method for behavior verification. This method applies to behaviors of hybrid systems in general, and is semi-automatic for discrete time systems and automatic for discrete time and finite domain systems.

• Constraint-based requirements specification and control synthesis. This approach proposes a general framework for control synthesis with a simple principle. Control synthesis and system verification are coupled via requirements specification.

• An integrated approach to the design and analysis of robotic systems and behaviors. This thesis decomposes the problems in the design and analysis of robotic systems and behaviors, and focuses on the relationships among modeling, specification, synthesis and verification.

18.2 Further Research

We propose further research in both theory and practice.

18.2.1 Theory

We have proposed a foundation for the design and analysis of robotic systems and behaviors. There are more questions than answers; all we have done is to take the first step in a long journey.
Further work includes:

• Modeling and analyzing probabilistic and stochastic systems and behaviors. Many robotic systems cannot be modeled exactly, due to the lack of knowledge of, or to the uncertainty in, the dynamics of the plant and the environment. It is important to model systems under uncertainty and to analyze their behaviors with probabilities.

• More expressive specification languages. There are behaviors that are not expressible using TLTL or timed V-automata, such as maximizing global utilities and timed behaviors over intervals. Other specification languages, with more expressive power and corresponding formal verification procedures, are yet to be explored. For example, we can extend the time bounds on timed automaton-states to both lower and upper bounds, while keeping the verification rules simple.

• (Semi-)automatic verification for special classes of hybrid system. There are simple hybrid systems that have algorithmic verification [ACHH93]. More work along this line can be done. For example, a finite automaton coupled to a linear continuous system is a special class of hybrid system that might have simpler verification procedures.

• (Semi-)automatic synthesis and analysis of controllers for special classes of system. For finite domain systems, controllers can be synthesized automatically, though with a high complexity. For linear systems, stability can be analyzed semi-automatically. More work along this line can be done. For example, it is possible to develop an algorithm that can (semi-)automatically synthesize and analyze a finite automaton that controls a linear continuous system.

• More extensive study on behavior abstraction. We have provided the notion of behavior abstraction based on homomorphism. Other notions of abstraction can be defined; for example, implication can be considered as a type of abstraction where A → B means B is an abstraction of A.
(Under this definition, a requirements specification is an abstraction of the system model; a nondeterministic model is an abstraction of the deterministic system.) Given this notion of abstraction, the properties of behavior equivalence can be further studied.

18.2.2 Practice

We have already developed, based on our semantic model, a visual programming and simulation environment called ALERT: A Laboratory for Embedded Real-Time systems. Further work includes:

• A programming language with a real-time semantics. CN is an abstraction of dataflow models for hybrid systems, with abstract data types and abstract reference time. An instantiation of the data types and the reference time results in a programming language, which can be used for both modeling and programming (control). ALERT is such a language for modeling.

• A specification and verification environment based on our methods. Timed V-automata have a graphical representation, which can be implemented on a graphical user interface. The formal verification method for discrete time systems can be implemented on an interactive theorem prover.

• An integrated design and analysis environment for developing robotic systems. Both CN and timed V-automata can be implemented on a graphical user interface, resulting in an integrated environment that facilitates both verification and simulation.

• More extensive study on some real machines to uncover more design problems. This thesis establishes a theoretical foundation for the problem of design and analysis, which, nevertheless, is abstracted from our experiences on real machines. Our research aims, not to invent, but to understand, discover, formalize and solve new problems. The guiding research principle is “from practice to theory, and from theory to practice.”

Bibliography

[AC87] P. E. Agre and D. Chapman. Pengi: An implementation of a theory of activity. In IJCAI-87, pages 268–272, 1987.

[AC88] P. E. Agre and D. Chapman. What are plans for? Technical Report A.I.
Memo 1050, MIT AI Lab, September 1988.

[ACHH93] R. Alur, C. Courcoubetis, T. A. Henzinger, and P. Ho. Hybrid automata: An algorithmic approach to the specification and verification of hybrid systems. In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors, Hybrid Systems, number 736 in Lecture Notes in Computer Science, pages 209–229. Springer-Verlag, 1993.

[Ad81] H. Abelson and A. A. diSessa. Turtle Geometry: The Computer as a Medium for Exploring Mathematics. MIT Press, 1981.

[AD90] R. Alur and D. Dill. Automata for modeling real-time systems. In M. S. Paterson, editor, ICALP90: Automata, Languages and Programming, number 443 in Lecture Notes in Computer Science, pages 322–335. Springer-Verlag, 1990.

[AD91] R. Alur and D. Dill. The theory of timed automata. In J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number 600 in Lecture Notes in Computer Science, pages 45–73. Springer-Verlag, 1991.

[Agh85] G. A. Agha. Actors: A model of concurrent computation in distributed systems. Technical Report 844, MIT AI Lab, 1985.

[Agm54] S. Agmon. The relaxation method for linear inequalities. Canadian Journal of Mathematics, 6:382–392, 1954.

[AH89] R. Alur and T. A. Henzinger. A really temporal logic. In 30th Annual Symposium on Foundations of Computer Science, pages 164–169, 1989.

[Alb81] J. S. Albus. Brains, Behavior, and Robotics. BYTE Publications, 1981.

[All90] J. F. Allen. Towards a general theory of action and time. In James Allen, James Hendler, and Austin Tate, editors, Readings in Planning, pages 464–479. Morgan Kaufmann Publishers Inc., 1990.

[Ash86] E. A. Ashcroft. Dataflow and eduction: Data-driven and demand-driven distributed computation. In J. W. de Bakker, W. P. de Roever, and G. Rozenberg, editors, Current Trends in Concurrency, number 224 in Lecture Notes in Computer Science, pages 1–50. Springer-Verlag, 1986.

[Atl89] M. Atlevi.
SDT: A real-time CASE tool for the CCITT specification language SDL. In FORTE, pages 9–13, 1989.

[BC86] R. A. Brooks and J. H. Connell. Asynchronous distributed control system for a mobile robot. SPIE Mobile Robots, 727, 1986.

[BCN88] R. A. Brooks, J. H. Connell, and Peter Ning. Herbert: A second generation mobile robot. Technical Report A. I. Memo 1016, MIT AI Lab, January 1988.

[BD89] M. Boddy and T. Dean. Solving time-dependent planning problems. In IJCAI-89, pages 979–984, 1989.

[BD91] B. Berthomieu and M. Diaz. Modeling and verification of time dependent systems using Time Petri Nets. IEEE Transactions on Software Engineering, 17(3):259–273, March 1991.

[Bee90] R. D. Beer. Intelligence as Adaptive Behavior: An Experiment in Computational Neuroethology. Academic Press, 1990.

[BKP86] H. Barringer, R. Kuiper, and A. Pnueli. A really abstract concurrent model and its temporal logic. In Thirteenth Annual ACM Symposium on Principles of Programming Languages, 1986.

[BL90] A. Benveniste and P. Le Guernic. Hybrid dynamical systems theory and the SIGNAL language. IEEE Transactions on Automatic Control, 35(5):535–546, May 1990.

[Bod91] M. Boddy. Anytime problem solving using dynamic programming. In AAAI-91, pages 738–743, 1991.

[Bra84] V. Braitenberg. Vehicles: Experiments in Synthetic Psychology. MIT Press, 1984.

[Bro86] R. A. Brooks. A robust layered control system for a mobile robot. IEEE Journal of Robotics and Automation, RA-2(1), March 1986.

[Bro88] R. A. Brooks. A robot that walks; emergent behaviors from a carefully evolved network, September 1988.

[Bro91] R. A. Brooks. Intelligence without representation. Artificial Intelligence, 47(1–3), January 1991.

[BS87] J. A. Brzozowski and C. J. Seger. A characterization of ternary simulation of gate networks. IEEE Transactions on Computers, 36(11), November 1987.

[CE82] Y. Censor and T. Elfving. New method for linear inequalities. Linear Algebra and Its Applications, 42:199–211, 1982.

[CR93] S.
H. Clearwater and B. A. Huberman. Thermal markets for controlling building environments. Technical report, Dynamics of Computation Group, Xerox Palo Alto Research Center, September 1993.

[Cha87] D. Chapman. Planning for conjunctive goals. Artificial Intelligence, 32:333–377, 1987.

[Cli81] W. D. Clinger. Foundations of actor semantics. Technical Report 633, MIT AI Lab, May 1981.

[Con90] J. Connell. A Colony Architecture for an Artificial Creature. Academic Press, 1990.

[CPHP87] P. Caspi, D. Pilaud, N. Halbwachs, and J. A. Plaice. LUSTRE: A declarative language for programming synchronous systems. In ACM Proceedings on Principles of Programming Languages, pages 178–188, 1987.

[Cra86] J. J. Craig. Introduction to Robotics. Addison-Wesley Publishing Company, Inc., 1986.

[CWG88] P. E. Caines, S. Wang, and R. Greiner. Dynamical (default) logic observers for finite automata. In Conference on Information Sciences and Systems, Princeton, March 1988.

[dHdR91] J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, editors. Real-Time: Theory in Practice. Number 600 in Lecture Notes in Computer Science. Springer-Verlag, 1991.

[DW91] T. Dean and M. Wellman. Planning and Control. Morgan Kaufmann, 1991.

[Elm77] H. Elmqvist. SIMNON: An interactive simulation program for nonlinear systems. In Proc. of Simulation 77, 1977.

[Eme90] E. Emerson. Temporal and modal logic. In Jan van Leeuwen, editor, Handbook of Theoretical Computer Science, volume B: Formal Models and Semantics. Elsevier, MIT Press, 1990.

[FF84] R. E. Filman and D. P. Friedman. Coordinated Computing: Tools and Techniques for Distributed Software. McGraw-Hill Book Company, 1984.

[FT89] I. Foster and S. Taylor. Strand: New Concepts in Parallel Programming. Prentice Hall, 1989.

[Gem90] M. C. Gemignani. Elementary Topology. Dover Publications, Inc., 1990.

[GL87] M. P. Georgeff and A. L. Lansky. Reactive reasoning and planning. In AAAI-87, pages 677–682, 1987.

[GN92] J. Guckenheimer and A.
Nerode. Simulation for hybrid systems and nonlinear control. In Proc. IEEE Conference on Decision and Control, pages 2980–2981, December 1992.

[GNRR93] R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors. Hybrid Systems. Number 736 in Lecture Notes in Computer Science. Springer-Verlag, 1993.

[Gor] M. Gordon. A formal method for hard real-time programming. Manuscript.

[Gor92] M. Gordon. Verifying real-time programs: A case study. In J. Bowen, editor, Towards Verified Systems. 1992. To appear.

[GPR67] L. G. Gubin, B. T. Polyak, and E. V. Raik. The method of projections for finding the common point of convex sets. U.S.S.R. Computational Mathematics and Mathematical Physics, pages 1–24, 1967.

[Hal90] R. Hale. Using temporal logic for prototyping: The design of a lift controller. In H. S. M. Zedan, editor, Real-Time Systems, Theory and Applications. Elsevier Science Publishers B.V. (North-Holland), 1990.

[Hen88] M. Hennessy. Algebraic Theory of Processes. MIT Press, 1988.

[Hew88] C. Hewitt. Offices are open systems. In B. A. Huberman, editor, The Ecology of Computation. Elsevier Science Publishers B.V. (North-Holland), 1988.

[Hew91] C. Hewitt. Open information systems semantics for DAI. Artificial Intelligence, 47(1–3), January 1991.

[HMP91a] T. A. Henzinger, Z. Manna, and A. Pnueli. Temporal proof methodologies. In Proceedings of the 18th Annual ACM Symposium on Principles of Programming Languages, 1991.

[HMP91b] T. A. Henzinger, Z. Manna, and A. Pnueli. Timed transition systems. In J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number 600 in Lecture Notes in Computer Science, pages 226–251. Springer-Verlag, 1991.

[Hoa85] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.

[Hol82] W. M. L. Holcombe. Algebraic Automata Theory. Cambridge University Press, 1982.

[HP85] D. Harel and A. Pnueli. On the development of reactive systems. In K. R.
Apt, editor, Logics and Models of Concurrent Systems. Springer-Verlag, Berlin Heidelberg, 1985.

[Hub88] B. A. Huberman. The ecology of computation. In B. A. Huberman, editor, The Ecology of Computation. Elsevier Science Publishers B.V. (North-Holland), 1988.

[Huh87] M. N. Huhns, editor. Distributed Artificial Intelligence. Research Notes in Artificial Intelligence. Pitman, London, 1987.

[HZ91] M. R. Hansen and C. Zhou. Semantics and completeness of duration calculus. In J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number 600 in Lecture Notes in Computer Science, pages 209–225. Springer-Verlag, 1991.

[Inca] Integrated Systems Inc. AutoCode User's Guide.

[Incb] Integrated Systems Inc. SystemBuild User's Guide.

[Incc] The MathWorks Inc. Simulink User's Guide.

[JLHM91] M. S. Jaffe, N. G. Leveson, M. P. E. Heimdahl, and B. E. Melhart. Software requirements analysis for real-time process-control systems. IEEE Transactions on Software Engineering, 17(3):241–257, March 1991.

[Kah74] G. Kahn. The semantics of a simple language for parallel processing. In Proceedings of IFIP Congress 74, pages 471–475, 1974.

[Kha86] O. Khatib. Real-time obstacle avoidance for manipulators and mobile robots. The International Journal of Robotics Research, 5(1):90–99, 1986.

[Khi61] G. F. Khilmi. Qualitative Methods in the Many Body Problem. Science Publishers Inc., New York, 1961.

[KM88] K. M. Kahn and M. S. Miller. Language design and open systems. In B. A. Huberman, editor, The Ecology of Computation. Elsevier Science Publishers B.V. (North-Holland), 1988.

[Kod89] D. E. Koditschek. Robot planning and control via potential functions. In O. Khatib, J. Craig, and T. Lozano-Perez, editors, The Robotics Review 1. MIT Press, 1989.

[LA89] D. M. Lyons and M. A. Arbib. A formal model of computation for sensory-based robotics. IEEE Transactions on Robotics and Automation, 5(3):280–293, June 1989.

[Lam91] L. Lamport.
The temporal logic of actions. Technical Report 79, Digital Systems Research Center, Palo Alto, California, December 1991.

[Lam93] L. Lamport. Hybrid systems in TLA+. In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors, Hybrid Systems, number 736 in Lecture Notes in Computer Science, pages 77–102. Springer-Verlag, 1993.

[Lat91] J. C. Latombe. Robot Motion Planning. Kluwer Academic Publishers, 1991.

[LD89] Y. K. H. Lau and R. W. Daniel. A CSP model for distributed control software design. Technical Report OUEL 1789/89, Robotics Research Group, Department of Engineering Science, University of Oxford, 1989.

[LP85] O. Lichtenstein and A. Pnueli. Checking that finite-state concurrent programs satisfy their linear specification. In Proc. 12th Ann. ACM Symp. on Principles of Programming Languages, pages 97–107, 1985.

[LS90] J. Lavignon and Y. Shoham. Temporal automata. Technical Report STAN-CS-90-1325, Robotics Laboratory, Computer Science Department, Stanford University, Stanford, CA 94305, 1990.

[Lue79] D. G. Luenberger. Introduction to Dynamic Systems: Theory, Models and Applications. John Wiley & Sons, 1979.

[MA86] E. G. Manes and M. A. Arbib. Algebraic Approaches to Program Semantics. Springer-Verlag, 1986.

[Mae89] P. Maes. The dynamics of action selection. In IJCAI-89, Detroit, 1989.

[McD90] D. McDermott. A temporal logic for reasoning about processes and plans. In James Allen, James Hendler, and Austin Tate, editors, Readings in Planning, pages 436–463. Morgan Kaufmann Publishers Inc., 1990.

[McM92] Kenneth L. McMillan. Symbolic model checking. Technical Report CMU-CS-92-131, Department of Computer Science, Carnegie Mellon, 1992.

[Mea55] G. H. Mealy. A method for synthesizing sequential circuits. Bell Sys. Tech. Journal, 34:1045–1079, 1955.

[MH69] J. McCarthy and P. J. Hayes. Some philosophical problems from the standpoint of artificial intelligence. In B. Meltzer and D. Michie, editors, Machine Intelligence 4, pages 463–502.
Edinburgh University Press, 1969.

[Mil83] R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer Science, 25:267–310, 1983.

[Min86] M. Minsky. The Society of Mind. Simon and Schuster, New York, 1986.

[MM79] G. Milne and R. Milner. Concurrent processes and their syntax. JACM, (2):302–321, April 1979.

[MMP91] O. Maler, Z. Manna, and A. Pnueli. From timed to hybrid systems. In J. W. de Bakker, C. Huizing, W. P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number 600 in Lecture Notes in Computer Science, pages 448–484. Springer-Verlag, 1991.

[MMT91] M. Merritt, F. Modugno, and M. R. Tuttle. Time-constrained automata. In J. C. M. Baeten and J. F. Groote, editors, CONCUR-91, number 527 in Lecture Notes in Computer Science, pages 393–407. Springer-Verlag, 1991.

[Moo56] E. F. Moore. Gedanken-experiments on sequential machines. In C. E. Shannon and J. McCarthy, editors, Automata Studies. Princeton University Press, 1956.

[Mos85] B. Moszkowski. A temporal logic for multilevel reasoning about hardware. Computer, 18(2), February 1985.

[MP71] R. McNaughton and S. Papert. Counter-Free Automata. MIT Press, 1971.

[MP87] Z. Manna and A. Pnueli. Specification and verification of concurrent programs by V-automata. In Proc. 14th Ann. ACM Symp. on Principles of Programming Languages, pages 1–12, 1987.

[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems. Springer-Verlag, 1992.

[MT75] M. D. Mesarovic and Y. Takahara. General Systems Theory: Mathematical Foundations. Academic Press, 1975.

[MT90] F. Moller and C. Tofts. A temporal calculus of communicating systems. In J. C. M. Baeten and J. W. Klop, editors, CONCUR-90, number 458 in Lecture Notes in Computer Science, pages 401–415. Springer-Verlag, 1990.

[MT91] F. Moller and C. Tofts. Relating processes with respect to speed. In J. C. M. Baeten and J. F. Groote, editors, CONCUR-91, number 527 in Lecture Notes in Computer Science. Springer-Verlag, 1991.
[Nil89] N. Nilsson. Action networks. In J. Tenenberg et al., editors, Proceedings from the Rochester Planning Workshop: From Formal System to Practical Systems, University of Rochester, New York, 1989.
[NK93a] A. Nerode and W. Kohn. Models for hybrid systems: Automata, topologies, controllability, observability. In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors, Hybrid Systems, number 736 in Lecture Notes on Computer Science, pages 317-356. Springer-Verlag, 1993.
[NK93b] A. Nerode and W. Kohn. Multiple agent hybrid control architecture. In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors, Hybrid Systems, number 736 in Lecture Notes on Computer Science. Springer-Verlag, 1993.
[NS91] X. Nicollin and J. Sifakis. From ATP to timed graphs and hybrid systems. In J.W. de Bakker, C. Huizing, W.P. de Roever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number 600 in Lecture Notes on Computer Science, pages 549-572. Springer-Verlag, 1991.
[Ost89] J. S. Ostroff. Temporal Logic for Real-Time Systems. John Wiley & Sons Inc., 1989.
[Pai89] D. K. Pai. Programming parallel distributed control for complex systems. In IEEE International Symposium on Intelligent Control, pages 426-432, 1989.
[Pai91] D. K. Pai. Least constraint: A framework for the control of complex mechanical systems. In Proceedings of American Control Conference, pages 426-432, Boston, 1991.
[Pet81] J. L. Peterson. Petri-Net Theory and the Modeling of Systems. Prentice-Hall, Inc., Englewood Cliffs, 1981.
[Pet86] C. A. Petri. "Forgotten topics" of net theory. In W. Brauer, W. Reisig, and G. Rozenberg, editors, Petri Nets: Applications and Relationships to Other Models of Concurrency, number 255 in Lecture Notes on Computer Science, pages 500-514. Springer-Verlag, 1986.
[Pla89] J. Platt. Constraint methods for neural networks and computer graphics.
Technical Report Caltech-CS-TR-89-07, Department of Computer Science, California Institute of Technology, 1989.
[QAF89] J. Quemada, A. Azcorra, and D. Frutos. A timed calculus for LOTOS. In FORTE 89, pages 245-263, 1989.
[Qi94] R. Qi. Decision graphs: Algorithms and applications to influence diagram evaluation and high-level path planning under uncertainty, 1994. Ph.D. thesis, forthcoming.
[RK87] S. J. Rosenschein and L. P. Kaelbling. The synthesis of digital machines with provable epistemic properties. Technical Note 412, SRI International, April 1987.
[RK89] S. J. Rosenschein and L. P. Kaelbling. Integrating planning and reactive control, 1989.
[RM86] D. E. Rumelhart and J. L. McClelland, editors. Parallel Distributed Processing: Explorations in the Microstructure of Cognition. MIT Press, 1986.
[Ros85] R. Rosen, editor. Theoretical Biology and Complexity. Academic Press, Inc., 1985.
[Ros89] S. J. Rosenschein. Synthesizing information-tracking automata from environment descriptions. In First International Conference on Reasoning and Knowledge Representation, Toronto, pages 386-393, 1989.
[Roy88] H. L. Royden. Real Analysis, 3rd edition. Macmillan Publishing Company, 1988.
[San90] J. T. Sandefur. Discrete Dynamical Systems: Theory and Applications. Clarendon Press, 1990.
[Sar89] V. Saraswat. Concurrent constraint programming languages. Technical report, Computer Science Department, Carnegie-Mellon University, 1989. Ph.D. thesis.
[Sch87] M. J. Schoppers. Universal plans for reactive robots in unpredictable environments. In IJCAI-87, pages 1039-1046, 1987.
[Sch91] M. Schoppers, editor. Communications of the ACM. ACM, August 1991. Special Section on Real-Time Knowledge-Based Control Systems.
[SDLS90] N. Sepehri, G.A.M. Dumont, P.D. Lawrence, and F. Sassani. Cascade control of hydraulically actuated manipulators. Robotica, 8:207-216, 1990.
[Sha41] C. E. Shannon. Mathematical theory of the differential analyzer.
Journal of Mathematics and Physics, 20:337-354, 1941.
[Sha87] E. Shapiro, editor. Concurrent Prolog. MIT Press, 1987.
[Sho87] Y. Shoham. Temporal logics in AI: Semantical and ontological considerations. Artificial Intelligence, 33:89-104, 1987.
[Sho88] Y. Shoham. Reasoning about Change. MIT Press, 1988.
[Shu88] N. C. Shu. Visual Programming. Van Nostrand Reinhold Company Inc., 1988.
[SJG94] V. Saraswat, R. Jagadeesan, and V. Gupta. Programming in timed concurrent constraint languages. In B. Mayoh, E. Tyugu, and J. Penjam, editors, Constraint Programming, NATO Advanced Science Institute Series, Series F: Computer and System Sciences. 1994.
[SM94] M. Sahota and A. K. Mackworth. Can the situated robot play soccer? In 1994 Canadian Artificial Intelligence, Banff, Alberta, May 1994.
[Ste80] G. L. Steele, Jr. The definition and implementation of a computer programming language based on constraints. Technical Report AI-TR-595, MIT AI Lab, August 1980.
[Sut89] I. E. Sutherland. Micropipelines. Communications of the ACM, 32(6):720-738, June 1989.
[Tay92] J. H. Taylor. Software requirements specification for modeling design, development, and evaluation of distributed, hybrid, intelligent control. Technical report, Odyssey Research Associates, Ithaca, NY, April 1992.
[Tho90] W. Thomas. Automata on infinite objects. In Jan van Leeuwen, editor, Handbook of Theoretical Computer Science. MIT Press, 1990.
[Vic89] S. Vickers. Topology via Logic. Cambridge University Press, 1989.
[War72] J. Warga. Optimal Control of Differential and Functional Equations. Academic Press, 1972.
[Wd90] D. S. Weld and J. de Kleer, editors. Qualitative Reasoning About Physical Systems. Morgan Kaufmann Publishers, Inc., 1990.
[Wil91] B. C. Williams. A theory of interactions: Unifying qualitative and quantitative algebraic reasoning: Extended report. Technical Report P91-00127, SSL-91-03, Palo Alto Research Center, 1991.
[Wol83] P. Wolper.
Temporal logic can be more expressive. Information and Control, 56:72-99, 1983.
[Yas71] A. Yasuhara. Recursive Function Theory and Logic. Academic Press, 1971.
[YM] K. Yang and K. G. Murty. New iterative methods for linear inequalities. Unpublished.
[Zha89] Y. Zhang. Transputer-based behavioral module for multi-sensory robot control. In Mike Reeve and Steven Ericsson Zenith, editors, Parallel Processing and Artificial Intelligence, Communication Process Architecture. Wiley, 1989.
[Zha90] Y. Zhang. Object oriented modeling for sensor-guided real-time robot control. In Alan S. Wagner, editor, Transputer Research and Applications 3. IOS Press, 1990.
[Zha91] F. Zhao. Phase space navigator: Towards automating control synthesis in phase spaces for nonlinear control systems. In Proc. of the 3rd IFAC International Workshop on Artificial Intelligence in Real Time Control. Pergamon Press, 1991.
[ZM92] Y. Zhang and A. K. Mackworth. Modeling behavioral dynamics in discrete robotic systems with logical concurrent objects. In S.G. Tzafestas and J.C. Gentina, editors, Robotics and Flexible Manufacturing Systems. Elsevier Science Publishers B.V., 1992.
[ZM93a] Y. Zhang and A. K. Mackworth. Constraint programming in constraint nets. In First Workshop on Principles and Practice of Constraint Programming, pages 303-312, 1993. A revised version will appear in a book with the same title in MIT Press, 1995.
[ZM93b] Y. Zhang and A. K. Mackworth. Parallel and distributed constraint satisfaction: Complexity, algorithms and experiments. In Laveen N. Kanal, editor, Parallel Processing for Artificial Intelligence. Elsevier/North Holland, 1993.
[ZM94] Y. Zhang and A. K. Mackworth. Will the robot do the right thing? In Proc. Artificial Intelligence 94, pages 255-262, Banff, Alberta, May 1994.

Part V Appendixes

Appendix A Proofs of Theorems

In this appendix, we prove all the propositions and theorems in this thesis.
A.1 Topological Structure of Dynamics

Proposition 3.1.1 For any topology on $X$, $X$ and $\emptyset$ are both open and closed.
Proof: $X$ ($\emptyset$) is closed since $\emptyset$ ($X$) is open. □

Proposition 3.1.2 (1) A subset is closed iff it includes all its limit points. (2) A topology is trivial iff every point $x$ is a limit point of any subset with elements distinct from $x$. A topology is discrete iff no point is a limit point of any subset.
Proof: (1) If a subset $S$ of $X$ is closed, $X - S$ is open and there is no point in $X - S$ that is a limit point of $S$. If there is no point in $X - S$ that is a limit point of $S$, $S$ is closed: if $S$ were not closed, $X - S$ would not be open, so there would be at least one point in $X - S$ that is a limit point of $S$, since otherwise every point in $X - S$ has a neighborhood in $X - S$, and $X - S$ is open. (2) If a topology is trivial, any point has only one neighborhood, the total set, so every point $x$ is a limit point of any subset with elements distinct from $x$. If every point $x$ is a limit point of any subset with elements distinct from $x$, the topology is trivial, since otherwise there is an open set $\emptyset \neq S \subset X$ and no point in $S$ is a limit point of $X - S$, contradiction. If a topology is discrete, any point is a neighborhood of itself, thus cannot be a limit point of any subset. If no point is a limit point of any subset, the topology is discrete, since otherwise there is a point that is not open, which is a limit point of the total set, contradiction. □

APPENDIX A. PROOFS OF THEOREMS

Proposition 3.1.3 A topological space is connected iff the only sets that are both open and closed are the empty set and the total set.
Proof: If there is $\emptyset \subset X' \subset X$ that is both open and closed, both $X'$ and $X - X'$ are non-empty open sets. Therefore $X$ is separated. □

Proposition 3.1.4 (1) Continuous functions are closed under functional composition. (2) A function $f : X \to X'$ is continuous iff, whenever $x \in X$ is a limit point of $S \subseteq X$, $f(x)$ is a point or a limit point of $f(S) = \{f(x) \mid x \in S\}$.
Proof: The first property is deduced directly from the definition of continuous functions.
The second property is deduced from an equivalent definition of continuous functions, i.e., a function is continuous iff the inverse image of any closed subset is closed, and from the property that a closed subset includes all its limit points. □

Proposition 3.1.5 Let $(X, \tau)$ be a topological space, $X' \subseteq X$ and $\tau' = \{W \mid W = X' \cap U, U \in \tau\}$. The collection $\tau'$ is a topology on $X'$.
Proof: Deduced from the definition of topology. □

Proposition 3.1.6 Let $\{X_i\}_{i \in I}$ be a family of topological spaces and $J$ be an arbitrary index set. Then $(\times_I X_i)^J = \times_I X_i^J$.
Proof: $\times_J (\times_I X_i)$ and $\times_I (\times_J X_i)$ are isomorphic. □

Proposition 3.1.7 A flat partial order is a cpo.
Proof: $\bot_A$ is the least element and every directed subset is a chain with a greatest element. □

Proposition 3.1.8 The product of cpos is a cpo. Let $A = \times_I A_i$. The least element of $A$ is $\bot_A$ with $(\bot_A)_i = \bot_{A_i}$, $\forall i \in I$. Let $D$ be a directed subset of $A$. The least upper bound of $D$ is $\vee_A D$ with $(\vee_A D)_i = \vee_{A_i} D_i$, $\forall i \in I$, where $D_i$ is the projection of $D$ onto its $i$th component, i.e., $D = \prod_I D_i$.
Proof: According to the definition of least elements and least upper bounds. □

Proposition 3.1.9 The partial order topology of a non-trivial partial order is non-Hausdorff.
Proof: For any $a <_A a'$, every neighborhood of $a$ includes $a'$. □

Proposition 3.1.10 Any continuous function is monotonic, i.e., if $f : A \to A'$ is continuous, then $a_1 \le_A a_2$ implies $f(a_1) \le_{A'} f(a_2)$.
Proof: Suppose $f(a_1) \not\le_{A'} f(a_2)$. Then there is an open set $S \subseteq A'$ including $f(a_1)$ but not $f(a_2)$. Therefore $f^{-1}(S) \subseteq A$ is an open set including $a_1$ but not $a_2$. So $a_1 \not\le_A a_2$. □

Proposition 3.1.11 Let $A$ and $A'$ be two cpos. Then $f : A \to A'$ is continuous iff for every directed subset $D \subseteq A$, (1) $f(D) = \{f(d) \mid d \in D\}$ is directed and (2) $f(\vee_A D) = \vee_{A'} f(D)$.
Proof: The only if part: If $f$ is continuous, $f$ is monotonic (Proposition 3.1.10). Therefore, if $d$ is an upper bound of $d_1$ and $d_2$, $f(d)$ is an upper bound of $f(d_1)$ and $f(d_2)$.
Therefore, if $D$ is directed, then $f(D)$ is directed and $f(\vee_A D) \ge_{A'} \vee_{A'} f(D)$. We now prove that $f(\vee_A D) \le_{A'} \vee_{A'} f(D)$. If $f(\vee_A D) \not\le_{A'} \vee_{A'} f(D)$, there is an open set $S \subseteq A'$ including $f(\vee_A D)$ but not $\vee_{A'} f(D)$. Therefore $f^{-1}(S) \subseteq A$ is an open set including $\vee_A D$ but not any $d \in D$, contradicting the definition of open sets in partial order topologies. The if part: If conditions (1) and (2) are satisfied, $f$ is monotonic. Therefore, for any upward closed set $S$, $f^{-1}(S)$ is also upward closed. Since $f(\vee_A D) = \vee_{A'} f(D)$, if $S$ is inaccessible from any directed subset $f(D)$, then $f^{-1}(S)$ is inaccessible from any directed subset $D$. Therefore $f$ is continuous, since for any open set $S$, $f^{-1}(S)$ is open. □

Proposition 3.1.12 Metric topologies are Hausdorff.
Proof: Given any two distinct elements $x, x'$ with $l = d(x, x')$, $N_{l/2}(x) \cap N_{l/2}(x') = \emptyset$. □

Proposition 3.1.13 If $X$ is of a Hausdorff topology and $v : L \to X$ is a linear set of values, then $v \to v^*$ and $v \to v^{**}$ imply $v^* = v^{**}$.
Proof: If $v \to v^*$ and $v \to v^{**}$ with $v^* \neq v^{**}$, there exist $N(v^*)$ and $N(v^{**})$ such that $N(v^*) \cap N(v^{**}) = \emptyset$. Since $v \to v^*$ and $v \to v^{**}$, there is $l_0$ such that for all $l >_L l_0$, $v(l) \in N(v^*) \cap N(v^{**})$, contradiction. □

Proposition 3.1.14 If $\times_I X_i$ is of the product topology and $v : L \to \times_I X_i$ is a linear set of values, then $v \to v^*$ iff $v_i \to v_i^*$ for all $i \in I$.
Proof: If $v \to v^*$, then $v_i \to v_i^*$ for all $i \in I$, since for every neighborhood in the subbasis, $N_i(v^*) = \{\times_I V_j \mid \text{for all } j \neq i, V_j = X_j\}$, there is $l_0$ such that for all $l >_L l_0$, $v(l) \in N_i(v^*)$. If $v_i \to v_i^*$ for all $i \in I$, then $v \to v^*$, since every neighborhood $N(v^*)$ is the union of a set of neighborhoods in the basis, and for every neighborhood in the basis $N_J(v^*) = \{\times_I V_i \mid \text{for all } i \notin J, V_i = X_i\}$ with a finite subset $J \subseteq I$, there is $l_0$ such that for all $l >_L l_0$, $v(l) \in N_J(v^*)$. □

Proposition 3.2.1 (1) For any time structure $T$, if $T' \subseteq T$ has an upper bound in $T$, $T'$ has a least upper bound in $T$. (2) The following properties for a time structure are equivalent: (a) $T$ is discrete. (b) Let $(t_1, t_2) = \{t \mid t_1 < t < t_2\}$.
For all $t$, if $t$ is not the least element of $T$, then $\exists t' < t$, denoted $pre(t)$, such that $(t', t) = \emptyset$; and for all $t$, if $t$ is not the greatest element of $T$, then $\exists t' > t$, denoted $suc(t)$, such that $(t, t') = \emptyset$. (c) $T$ is well-founded, i.e., $\forall t \in T$, $[0, t)$ is finite. (3) The following properties for a time structure are equivalent: (a) $T$ is continuous. (b) $T$ is dense, i.e., for all $t_1 < t_2$, there exists $t_0$ such that $t_1 < t_0 < t_2$.
Proof: (1) For any $T' \subseteq T$ with an upper bound $t \in T$, let $r = \inf\{m(t) \mid t \text{ is an upper bound of } T'\}$. Since $T$ is a time structure, $\{t \mid m(t) \le r\}$ has a greatest element $t_0$. Since $T' \subseteq \{t \mid m(t) \le r\}$, $t_0$ is the least upper bound of $T'$.
(2) (a) → (b): For any $t$ that is not the least element of $T$, let $r = \sup\{m(t') \mid t' < t\}$. Since $T$ is a time structure, $\{t' \mid m(t') \le r\}$ has a greatest element, denoted $t_0$. Since $T$ is discrete, $t_0 < t$, and $(t_0, t) = \emptyset$. For any $t$ that is not the greatest element of $T$, let $r = \inf\{m(t') \mid t' > t\}$. Since $T$ is a time structure, $\{t' \mid m(t') \ge r\}$ has a least element, denoted $t_0$. Since $T$ is discrete, $t_0 > t$, and $(t, t_0) = \emptyset$.
(b) → (a): Every point has a neighborhood including no other points but itself. So every point is an open (or closed) set. Therefore $T$ is of discrete metric topology.
(b) → (c): If $T$ is not well-founded, there is $t \in T$ such that $[0, t)$ is infinite. Therefore $T' = \{suc^n(0) \mid n \in \mathcal{N}\} \subseteq [0, t) \subseteq T$. According to (1), $\vee T' = t_0 \in T$. However, there is no $t' < t_0$ such that $(t', t_0) = \emptyset$, contradiction.
(c) → (b): For any $t > 0$, there exists $t' < t$ with $(t', t) = \emptyset$, since $[0, t)$ is finite. For any $t$ that is not the greatest element, there exists $t' > t$ with $(t, t') = \emptyset$, since otherwise for any $t' > t$, $[0, t')$ is infinite.
(3) (a) → (b) (Not Dense → Not Continuous): If $T$ is not dense, there exist $t_1$ and $t_2$ such that $(t_1, t_2) = \emptyset$. Then $T$ is separated (or not continuous), since $T$ is the union of two disjoint, non-empty open sets $\{t \mid m(t) < m(t_1) + d(t_1, t_2)/2\}$ and $\{t \mid m(t) > m(t_2) - d(t_1, t_2)/2\}$.
(b) → (a) (Not Continuous → Not Dense): If $T$ is not continuous, $T$ is the union of two disjoint, non-empty open (or closed) sets $T_1$ and $T_2$. Let $r_1 = \sup\{m(t) \mid t \in T_1\}$ and $r_2 = \inf\{m(t) \mid t \in T_2\}$. Since $T$ is a time structure, $\{t \mid m(t) \le r_1\}$ has a greatest element $t_1$ and $\{t \mid m(t) \ge r_2\}$ has a least element $t_2$. Since $T_1$ and $T_2$ are closed, $t_1 \in T_1$ and $t_2 \in T_2$. Therefore $(t_1, t_2) = \emptyset$. □

Proposition 3.2.2 If $T_0$ is a reference time of $T_1$ and $T_1$ is a reference time of $T_2$, then $T_0$ is a reference time of $T_2$.
Proof: According to the definition of a reference time structure. □

Proposition 3.3.1 $\{\bot_A\}$ is not $\tau$-open. The only neighborhood of $\bot_A$ is $A$.
Proof: According to the definition of topology. □

Proposition 3.3.2 For any domain, its partial order topology is finer than its derived metric topology, and both are non-Hausdorff.
Proof: Trivial. □

Proposition 3.3.3 (1) Function $f : A \to A'$ is continuous in the partial order topology iff $f$ is strict or constant. (2) If $f : A \to A'$ is continuous in the derived metric topology, then $f$ is continuous in the partial order topology. (3) Function $f : A \to A'$ is continuous in the derived metric topology iff $f$ is continuous in the partial order topology and the restriction of $f$ on $A$ and $A'$ is continuous in the metric topology, namely, for any open subset $S$ of $A'$, $f^{-1}(S) \cap A$ is open.
Proof: (1) If $f$ is strict or constant, $f$ is continuous. If $f$ is continuous and $f$ is not strict, i.e., $f(\bot_A) \neq \bot_{A'}$, then $f$ is constant, since $\bot_A \le a$ implies that $f(\bot_A) \le f(a)$ for any $a$. (2) If $f$ is continuous in the derived metric topology, $f$ is strict or constant, since $\bot_A$ is a limit point of any $\{a\}$ and $f(\bot_A)$ is a point or a limit point of $\{f(a)\}$. (3) If $f$ is strict or constant, and the restriction of $f$ on $A$ and $A'$ is continuous in the metric topology, then $f$ is continuous in the derived metric topology, since for any open set $S$ of $A'$, $f^{-1}(S)$ is open.
If $f$ is continuous in the derived metric topology, $f$ is strict or constant; in either case, the restriction of $f$ on $A$ and $A'$ must also be continuous. □

Proposition 3.3.4 Let $I$ be a finite index set. (1) Function $f : \times_I A_i \to A$ is continuous in the partial order topology iff $f$ is continuous w.r.t. all $i \in I$. (2) If $f : \times_I A_i \to A$ is continuous in the derived metric topology, then $f$ is continuous in the partial order topology. (3) Function $f : \times_I A_i \to A$ is continuous in the derived metric topology iff $f$ is continuous in the partial order topology and the restriction of $f$ on $\times_I A_i$ and $A$ is continuous in the product metric topology, namely, for any open subset $S$ of $A$, $f^{-1}(S) \cap \times_I A_i$ is open.
Proof: (1) Let $I = \{1, 2\}$. If a function $f : A_1 \times A_2 \to A$ is continuous, it is right continuous, since $\vee_A f(a, D) = f(a, \vee_{A_2} D)$. Similarly, it is left continuous. On the other hand, if $f$ is both left and right continuous, $f(\vee_{A_1 \times A_2} D) = f(\vee_{A_1} D_1, \vee_{A_2} D_2) = \vee_A f(D_1, D_2) = \vee_A f(D)$ ([Hen88]). This can be extended to any finite index set. (2) If $f : \times_I A_i \to A$ is continuous in the derived metric topology, $f$ is continuous in the derived metric space w.r.t. any argument $i \in I$, so $f$ is continuous in the partial order w.r.t. any argument $i \in I$ (Proposition 3.3.3 (2)), and $f$ is continuous in the partial order (Proposition 3.3.4 (1)). (3) If $f$ is strict or constant, and the restriction of $f$ on $\times_I A_i$ and $A$ is continuous in the metric topology, $f$ is continuous in the derived metric topology, since for any open set $S$ of $A$, $f^{-1}(S)$ is open. If $f$ is continuous in the derived metric topology, $f$ is strict or constant w.r.t. argument $i$ for all $i \in I$. In either case, the restriction of $f$ on $\times_I A_i$ and $A$ must also be continuous, since for any open set $S$ of $A$, either $f^{-1}(S) \subseteq \times_I A_i$ or the projection onto the $i$-th argument is $A_i$ for any $i$. Therefore $f^{-1}(S) \cap \times_I A_i$ is open. □

Proposition 3.4.1 Let $v : L \to A$ be a linear set of values. Then (1) $v \to \bot_A$, and (2) $v \to v^*$ and $v \to v^{**}$ imply that either $v^* = v^{**}$ or one of $v^*$ and $v^{**}$ is $\bot_A$.
Proof: (1) The only neighborhood of $\bot_A$ is $A$. Therefore $v(l) \in N(\bot_A)$ for all $l$. (2) If $v \to v^*$ and $v \to v^{**}$ with $v^* \neq v^{**}$, then one of them must be $\bot_A$, since the metric topology is Hausdorff with unique limits (Proposition 3.1.12, Proposition 3.1.13). □

Proposition 3.4.2 Let $v : L \to A$ for $A = \times_I A_i$. Then (1) $v \to v^*$ iff $v_i \to v_i^*$ for all $i \in I$, and (2) the set of limits $\{v^* \mid v \to v^*\}$ is a directed subset in $(A, \le_A)$ and has a greatest element.
Proof: (1) follows from Proposition 3.1.14. (2) If $A$ is flat, then $\{v^* \mid v \to v^*\}$ has a greatest element. If the set of limits of $v_i : L \to A_i$ has a greatest element $v_i^*$ for each $i$, then the set of limits of $v : L \to \times_I A_i$ has a greatest element $v^*$ with $(v^*)_i = v_i^*$ for all $i \in I$. □

Proposition 3.4.3 Let $v : L \to A$ for $A = \times_I A_i$. Then $(\lim v)_i = \lim v_i$, $\forall i \in I$.
Proof: $(\vee_A D)_i = \vee_{A_i} D_i$ where $D = \prod_I D_i$. □

Proposition 3.4.4 If $v_1, v_2 : L \to A$ and $v_1(l) \le_A v_2(l)$ for all $l \in L$, then $\lim v_1 \le_A \lim v_2$.
Proof: If $A$ is flat, $\lim v_1 \neq \bot_A$ implies that $\lim v_1 = \lim v_2$. If $A$ is a product, $\lim v_{1i} \le_{A_i} \lim v_{2i}$ for all $i$. Therefore $\lim v_1 \le_A \lim v_2$. □

Proposition 3.4.5 For any time structure $T$, $T_{\le t - \tau}$ has a greatest element whenever $m(t) \ge \tau$.
Proof: $T_{\le t - \tau} = \{t' \mid t' < t, d(t, t') \ge \tau\} = \{t' \mid t' < t, m(t') \le m(t) - \tau\} = \{t' \mid m(t') \le m(t) - \tau\}$ since $\tau > 0$. If $m(t) \ge \tau$, then $0 \le m(t) - \tau \le \sup m(T)$. Since $T$ is a time structure, $T_{\le t - \tau}$ has a greatest element. □

Proposition 3.4.6 Let $V : L \to A^T$ for a linear order $L$ and a trace space $A^T$. Then (1) $V \to V^*$ iff $V(t) \to V^*(t)$ for all $t \in T$, and (2) the set of limits $\{V^* \mid V \to V^*\}$ is a directed subset in $(A^T, \le_{A^T})$ and has a greatest element.
Proof: Similar to the proof of Proposition 3.4.2. □

Proposition 3.4.7 Let $V : L \to A^T$. Then $(\lim V)(t) = \lim V(t)$, $\forall t \in T$.
Proof: Similar to the proof of Proposition 3.4.3. □

Proposition 3.4.8 For any time structure $T$ and any event trace $e$, $(T_e, d_e, \mu_e)$ is a discrete sample time structure of $T$.
Proof: For any $t_e \in T_e$ and $0 < r < \sup m(T_e)$, let $T_e' = \{t \mid m(t) \le r, t \in T_e\}$ and $T' = \bigcup_{t' \in T_e'} \{t \mid t \le t'\}$.
If $T_e'$ has no greatest element, $T'$ has no greatest element. Furthermore, $e(\vee T')$ is not defined, since otherwise $t_0 = \vee T' \in T_e$, $e$ is constant on $\{t \mid t \ge t_0, t \in T\}$ and $t_0$ would be an upper bound of $T_e'$ in $T_e$. However, if $e(\vee T')$ is not defined, there will be no $t_e \in T_e$ with $m(t_e) > r$, since $e$ is nonintermittent. Therefore, for any $t_e \in T_e$ and $0 < r < \sup m(T_e)$, $\{t \mid m(t) \le r, t \in T_e\}$ has a greatest element. For any $t_e \in T_e$ and $0 \le r < \sup m(T_e)$, let $T_e' = \{t \mid m(t) \ge r, t \in T_e\}$ and $T' = \bigcup_{t' \in T_e'} \{t \mid t \ge t'\}$. Let $r' = \inf\{m(t) \mid t \in T'\}$ and $t_0$ be the least element of $\{t \mid m(t) \ge r'\}$. If $T_e'$ has no least element, $e(t_0)$ is not defined since $e$ is right-continuous. However, since $e$ is also nonintermittent, $e(t)$ is not defined $\forall t > t_0$, contradiction. Therefore, for any $t_e \in T_e$ and $0 \le r < \sup m(T_e)$, $\{t \mid m(t) \ge r, t \in T_e\}$ has a least element. Therefore $T_e$ is a time structure.
For any $t_e \in T_e$ with $t_e > 0$, let $pre(t_e) = \{t \mid t < t_e, t \in T_e\}$ and $T' = \bigcup_{t' \in pre(t_e)} \{t \mid t \le t'\}$. If $pre(t_e)$ has no greatest element, $T'$ has no greatest element. Furthermore, $e(\vee T')$ is not defined, since otherwise $t_0 = \vee T' \in T_e$, $e$ is constant on $\{t \mid t \ge t_0, t \in T'\}$ and $t_0$ would be an upper bound of $pre(t_e)$ in $T_e$. However, if $e(\vee T')$ is not defined, $e(t_e)$ will not be defined, since $e$ is nonintermittent. Therefore $pre(t_e)$ has a greatest element. For any $t_e \in T_e$ that is not the greatest element of $T_e$, let $suc(t_e) = \{t \mid t > t_e, t \in T_e\}$ and $T' = \bigcup_{t' \in suc(t_e)} \{t \mid t \ge t'\}$. Let $r = \inf\{m(t) \mid t \in T'\}$ and $t_0$ be the least element of $\{t \mid m(t) \ge r\}$. If $suc(t_e)$ has no least element, $e(t_0)$ is not defined since $e$ is right-continuous. However, since $e$ is also nonintermittent, $e(t)$ is not defined $\forall t > t_0$, contradiction. Therefore $suc(t_e)$ has a least element. Therefore $T_e$ is discrete. □

Proposition 3.6.1 The partial order of a domain is a cpo.
Proof: A flat partial order is a cpo. The product partial order of cpos is a cpo. □

Proposition 3.6.2 The partial order of a trace space is a cpo.
Proof: The product partial order of cpos is a cpo. □
Proposition 3.6.3 The partial order of an event space is a cpo.
Proof: We first prove that the subpartial order with the set of nonintermittent and right-continuous traces of a trace space is a cpo. Let $V \subseteq A^T$ be the set of nonintermittent and right-continuous traces on a simple domain. The least element in $V$ is $\lambda t. \bot_A$. The least upper bound of a directed subset $D$ of $V$ is $\vee_V D = \lambda t. \vee D(t)$, which is also in $V$ for the following reasons. First, according to Proposition 3.4.4, if $(\vee_V D)(t)$ is $\bot_A$, then $d(t)$ is $\bot_A$ for all $d \in D$. Second, for any $t \in T$, if $(\vee_V D)(t) = \bot_A$, $\vee_V D$ is right-continuous at $t$; if $(\vee_V D)(t) = a \in A$, there is $d \in D$ with $d(t) = a$. Since $d$ is right-continuous at $t$, $\vee_V D$ is right-continuous at $t$. Because of the composite properties of nonintermittent traces and limits, nonintermittent and right-continuous traces are closed under least upper bounds for traces on composite domains as well. Therefore, the partial order of an event space is a cpo. □

Proposition 3.6.4 A transliteration $f_T : A^T \to A'^T$ on any time structure $T$ is continuous if $f : A \to A'$ is continuous.
Proof: Let $D \subseteq A^T$ be directed, and $v^*$ be the least upper bound of $D$. We will prove that $f_T(\vee_{A^T} D) = \vee_{A'^T} f_T(D)$, i.e., for any $t$, $f_T(v^*)(t) = (\vee_{A'^T} f_T(D))(t)$:
$f_T(v^*)(t) = f(v^*(t)) = f(\vee_A \{v(t) \mid v \in D\}) = \vee_{A'} \{f(v(t)) \mid v \in D\}$ (since $f$ is continuous) $= \vee_{A'} \{f_T(v)(t) \mid v \in D\} = \vee_{A'} f_T(D)(t) = (\vee_{A'^T} f_T(D))(t)$. □

Proposition 3.6.5 A unit delay on any discrete time structure is continuous.
Proof: Let $D \subseteq A^T$ be directed and $v^*$ be the least upper bound of $D$. Since $T$ is discrete, $pre(t)$ has a greatest element, which is also denoted by $pre(t)$. Then
$\delta_T(v_0)(v^*)(t) = v_0$ if $t = 0$, and $\delta_T(v_0)(v^*)(t) = v^*(pre(t)) = \vee_A \{v(pre(t)) \mid v \in D\}$ otherwise;
in both cases $\delta_T(v_0)(v^*)(t) = \vee_A \{\delta_T(v_0)(v)(t) \mid v \in D\} = (\vee_{A^T} \delta_T(v_0)(D))(t)$. □

Proposition 3.6.6 A transport delay is continuous.
Proof: Similar to the proof of Proposition 3.6.5. Since $T$ is a time structure, for any $\tau > 0$, $T_{\le t - \tau}$ has a greatest element when $m(t) \ge \tau$.
□

Proposition 3.6.7 An event-driven transduction $F^e$ is continuous if its primitive transduction $F$ on any discrete time structure is continuous.
Proof: First, we prove that sampling and extending are continuous. Let $T$ be a time structure and $T_r$ be a reference time structure of $T$ with a reference time mapping $h$. Sampling is a transduction $S_{T,T_r} : A^{T_r} \to A^T$. We prove that it is continuous. Let $D \subseteq A^{T_r}$ be directed and $v^*$ be the least upper bound of $D$. Let $\hat{v}$ be $S_{T,T_r}(v)$. Then $\hat{v}^*(t) = v^*(h(t)) = \vee_A \{v(h(t)) \mid v \in D\} = \vee_A \{\hat{v}(t) \mid v \in D\} = (\vee_{A^T} \{\hat{v} \mid v \in D\})(t)$. Therefore $S_{T,T_r}(\vee_{A^{T_r}} D) = \vee_{A^T} S_{T,T_r}(D)$. Similarly, extending is continuous, since $h^{-1}(t_r) = \{t \mid m(t) \le m_r(t_r)\}$ has a greatest element whenever there is $t \in T$ with $\mu_r([0_r, t_r)) \le \mu([0, t))$, or $\mu_r([0_r, t_r)) < \mu(T)$.
The proof is divided into two steps. First, $F^e$ is continuous w.r.t. the second argument if $F$ is continuous on discrete time structures, since any event-based time is discrete, both sampling and extending are continuous, and continuity is closed under functional composition. Second, $F^e$ is continuous w.r.t. the first argument. Therefore, according to Proposition 3.3.4 (1), $F^e$ is continuous. Now we prove that it is continuous w.r.t. the first argument. Let $T$ be any time structure and $v \in A^T$ be fixed. For any directed subset $D$ of $\mathcal{E}^T$, $D$ is a chain. According to the definition, $F^e(D, v)$ is a chain too, i.e., a directed subset. Furthermore, for any $t$, if $(\vee_{\mathcal{E}^T} D)(t) \neq \bot_B$, there is $d \in D$ such that for all $t' \le t$, $d(t') = (\vee_{\mathcal{E}^T} D)(t')$, i.e., $\vee_{A'^T} F^e(D, v) \ge F^e(\vee_{\mathcal{E}^T} D, v)$. On the other hand, $F^e$ is monotonic w.r.t. the first argument, i.e., $\vee_{A'^T} F^e(D, v) \le F^e(\vee_{\mathcal{E}^T} D, v)$. Therefore $\vee_{A'^T} F^e(D, v) = F^e(\vee_{\mathcal{E}^T} D, v)$, i.e., $F^e$ is continuous w.r.t. the first argument. □

Theorem 3.6.1 Let $\mathcal{A}$ be a $\Sigma$-domain structure and $T$ a time structure. The $\Sigma$-dynamics structure $\mathcal{D}(T, \mathcal{A}) = (V, F)$ satisfies (1) $V$ is a multi-sorted set of cpos and (2) transliterations, transport delays and event-driven transductions in $F$ are continuous in the partial order topology.
If, in addition, $T$ is discrete, all transductions in $F$ are continuous in the partial order topology.
Proof: Follows from Propositions 3.6.1 to 3.6.7. □

Proposition 3.6.8 A transliteration $f_T$ is well-defined iff function $f$ is well-defined; $f_T$ is strict w.r.t. an argument iff $f$ is strict w.r.t. the argument.
Proof: According to the definitions of well-definedness and strictness. □

Proposition 3.6.9 Any delay is not strict. A unit delay on any discrete time structure is well-defined. A transport delay is well-defined.
Proof: According to the definitions of well-definedness and strictness. □

Proposition 3.6.10 An event-driven transduction $F^e$ is well-defined iff $F$ on any discrete time structure is well-defined; $F^e$ is strict w.r.t. its event input, and $F^e$ is strict w.r.t. one of the other input arguments iff $F$ is strict w.r.t. the argument.
Proof: Event-based time is discrete, and sampling and extending are well-defined. □

Proposition 3.6.11 A transliteration $f_T$ is right-continuous if $f$ is continuous in the derived metric topology; $f_T$ with $f : \times_I A_i \to A$ is nonintermittent if $f$ is strict, well-defined and continuous in the derived metric topology.
Proof: For any neighborhood $N(f(v(t)))$, there is a neighborhood $N(v(t))$ such that $x \in N(v(t))$ implies $f(x) \in N(f(v(t)))$. For any neighborhood $N(v(t))$, there is $T' = (t, t')$ such that $t'' \in T'$ implies $v(t'') \in N(v(t))$. Therefore, for any neighborhood $N(f(v(t)))$, there is $T' = (t, t')$ such that $t'' \in T'$ implies $f(v(t'')) \in N(f(v(t)))$. If $f$ is strict and well-defined, $v(t)$ is well-defined implies that $f_T(v)(t)$ is well-defined, and $v(t)$ is not well-defined implies that $f_T(v)(t)$ is undefined. If, in addition, $f$ is continuous in the derived metric topology, $\lim v|_{T'}$ is well-defined implies that $\lim f_T(v)|_{T'}$ is well-defined, and $\lim v|_{T'}$ is not well-defined implies that $\lim f_T(v)|_{T'}$ is undefined. □

Proposition 3.6.12 A delay is nonintermittent. A transport delay is right-continuous.
Proof: The output of a delay is nonintermittent if its input is nonintermittent. The output of a transport delay is right-continuous if its input is right-continuous. □

Proposition 3.6.13 An event-driven transduction is right-continuous. An event-driven transduction $F^e$ is nonintermittent if $F$ is nonintermittent.
Proof: Any trace on a discrete time structure is right-continuous. Any extension of a discrete time trace is right-continuous. Both sampling and extending are nonintermittent, and nonintermittent transductions are closed under functional composition. □

A.2 The Constraint Net Model

Proposition 4.1.1 Following are some properties of basic and combined operations:
$CN_1(I_1, O_1) \parallel CN_2(I_2, O_2) = CN_2(I_2, O_2) \parallel CN_1(I_1, O_1)$;
$(CN_1(I_1, O_1) \parallel CN_2(I_2, O_2)) \parallel CN_3(I_3, O_3) = CN_1(I_1, O_1) \parallel (CN_2(I_2, O_2) \parallel CN_3(I_3, O_3))$;
$(CN_1(I_1, O_1) + CN_2(I_2, O_2)) + CN_3(I_3, O_3) = CN_1(I_1, O_1) + (CN_2(I_2, O_2) + CN_3(I_3, O_3))$ if both sides are defined;
$(CN_1(I_1, O_1) \circ CN_2(I_2, O_2)) \circ CN_3(I_3, O_3) = CN_1(I_1, O_1) \circ (CN_2(I_2, O_2) \circ CN_3(I_3, O_3))$ if both sides are defined.
Proof: According to the definition of basic and combined operations. □

Proposition 4.1.2 Following are some properties of subnets: (1) $CN_1$ and $CN_2$ are subnets of $CN_1 \parallel CN_2$. (2) $CN_1$ and $CN_2$ are subnets of $CN_1 + CN_2$. (3) $CN_1$ is a subnet of $CN_1 \circ CN_2$; however, $CN_2$ is not a subnet of $CN_1 \circ CN_2$.
Proof: According to the definition of basic and combined operations. □

Theorem 4.2.2 Let $A$ and $A'$ be two cpos. If $f : A \times A' \to A'$ is a continuous function, then there exists a unique continuous function $\mu.f : A \to A'$ such that for all $a \in A$, $(\mu.f)(a)$ is the least fixpoint of $f_a : A' \to A'$, where $f_a = \lambda x. f(a, x)$, or equivalently, $\forall a \in A$, $(\mu.f)(a) = f(a, (\mu.f)(a))$.
Proof: Let $F^0(a) = f(a, \bot_{A'})$ and $F^{k+1}(a) = f(a, F^k(a))$. Since $f$ is continuous, it is continuous w.r.t. the second argument. A continuous function in any partial order is also monotonic. Therefore $\bot_{A'} \le_{A'} F^0(a) \le_{A'} F^1(a) \le_{A'} F^2(a) \le_{A'} \cdots$. Let $\mu.f(a) = \vee_{A'} \{F^k(a) \mid k \ge 0\}$. Clearly $\mu.f(a)$ is the least fixpoint of $f_a : A' \to A'$. Next we prove that $\mu.f$ is continuous.
Clearly, for every $k$, $F^k$ is continuous, since $f$ is continuous and continuity is closed under functional composition. Therefore, for any directed subset $D$ of $A$,
$\mu.f(\vee_A D) = \vee_{A'} \{F^k(\vee_A D) \mid k \ge 0\} = \vee_{A'} \{\vee_{A'} F^k(D) \mid k \ge 0\} = \vee_{A'} \{\vee_{A'} \{F^k(a) \mid k \ge 0\} \mid a \in D\} = \vee_{A'} \mu.f(D)$. □

Proposition 4.2.1 Let $I \subseteq J$ be an index set. If $f : \times_I A_i \to A$ is a continuous function, then the extension of $f$, $f' : \times_J A_j \to A$ satisfying $f'(a) = f(a|_I)$, is a continuous function.
Proof: According to the definitions of continuous functions and product topologies. □

Proposition 4.2.2 Let $\{f_k : \times_J A_j \to A_k\}_{k \in K}$ be a family of continuous functions. Then $\hat{f} : \times_J A_j \to \times_K A_k$ with $\hat{f}(a)_k = f_k(a)$ is a continuous function.
Proof: According to the definitions of continuous functions and product topologies. □

Proposition 4.2.3 If $f : \times_J A_j \to \times_K A_k$ is a continuous function, $K \subseteq J$ and $I = J - K$, then $f$ has a least fixpoint $\mu.f : \times_I A_i \to \times_K A_k$.
Proof: According to Fixpoint Theorem II. □

Proposition 4.2.4 Let $X$ be a set of variables and $O \subseteq X$ a set of output variables. Let $\{f_o : \times_{I_o} A_i \to A_o\}_{o \in O}$ be a set of continuous functions. Then the set of equations $\{o = f_o(x)\}_{o \in O}$ has a least solution.
Proof: Derived from Propositions 4.2.1, 4.2.2 and 4.2.3. □

Proposition 4.2.5 If a constraint net is composed of nonintermittent transductions, then its semantics is nonintermittent. If a constraint net is composed of right-continuous transductions, then its semantics is right-continuous.
Proof: Both nonintermittent and right-continuous transductions are closed under least upper bounds. □

Proposition 4.2.6 If $CN'$ is a subnet of $CN$, $[\![CN]\!]|_{O'} = [\![CN']\!]([\![CN]\!]|_{I'})$.
Proof: Trivial. □

Proposition 4.2.7 Following are some properties associated with module operations:
• Union: If $CN(I, O) = CN_1(I_1, O_1) \parallel CN_2(I_2, O_2)$, then $[\![CN(I, O)]\!] = [\![CN_1(I_1, O_1)]\!] \times [\![CN_2(I_2, O_2)]\!]$.
• Cascade connection: If $CN(I, O) = CN_1(I_1, O_1) \circ CN_2(I_2, O_2)$, then $[\![CN(I, O)]\!] = \{F_2 \circ F_1 \mid F_1 \in [\![CN_1(I_1, O_1)]\!], F_2 \in [\![CN_2(I_2, O_2)]\!]\}$.
= (0 CN , 2 ) 1o) (Ii,0 1 CN , then = 2oF {F IF 1 • Parallel connection: If CN(I,O) 206 2 e CNi(Ii,Oi)],F ( CN , ) O }. I E 2 (0 CN , 1 ) 1+2 (0 CN , ) 1 , then ( CN , ) 1 O ,F IE 2 ( [CN , ) fl. 1 0 1 ) 2 {(Fi,F 1F E 2 • Feedback connection: If CN’(I’,O’) = F(CN(I,O)), then = {.FIF e CN(I,O)]} where ,u.F is the the least fixpoint of F. Proof: According to the definition of the semantics of modules. 0 Proposition 4.2.8 If 1 (I O) and , CN , (1 02) are well-defined modules, then , 2 CN (1 O) 1 CN (1 02), , 2 CN , (1 O)o 2 1 CN (1 02) and CN CN , (Ii, Oi) + 2 1 (1 02) are well-defined mod CN , ules. Proof: According to the definition of the well-definedness of modules. Proposition 4.2.9 Let A and A’ be two cpos. If f : A x A’ function w.r.t. its second argument, then the least fixpoint of equation o = f(i, o), is undefined. Proof: u.f = —* U A’ is a strict continuous f, or the least solution of the Ax. J-A’. 0 Proposition 4.2.10 A module GN(I, 0) is not well-defined if there is an output location 0 such that CN has an algebraic loop on 1. Proof: If I —* 1, 1 results in an undefined trace. However, the inverse is not true. If there exists a not well-defined transduction, the net may not be well-defined either. U 1 APPENDIX A. PROOFS OF THEOREMS A.3 207 Modeling in Constraint Nets Theorem 5.3.1 Let Y2 ({n}, {0, suc, cond}) be a signature. A partial recursive function can be computed by a sequential module in En-dynamics structure D(.A[, V) where denotes = the En-domain structure ({V}, {0, .suc, cond}). Proof: For any partial recursive function f, there is a sequential module CN defined on the given dynamics structure. If f(x) is defined, for any start event, there is an end event indicating the completion of the computation. ci Proposition 5.3.1 [Sha4l] Equations 5.1 and 5.2 are equivalent, i.e., a function written in one form can be transformed into another. Proof: Refer to [Sha4l]. 
Differentiating Equations 5.1 $n - 1$ times, we have a total of $n^2$ equations, from which we may eliminate the $n^2 - 1$ variables $x_2, \ldots, x_n;\ \dot x_2, \ldots, \dot x_n;\ \ldots;\ x_2^{(n)}, \ldots, x_n^{(n)}$, leaving a single equation in $t$, $x_1$ and its derivatives, which is Equation 5.2. Conversely, Equation 5.2 can be written as Equations 5.1 as follows. Differentiating both sides w.r.t. $t$, we obtain
$$\frac{\partial P}{\partial t} + \frac{\partial P}{\partial x}\dot x + \frac{\partial P}{\partial \dot x}\ddot x + \cdots + \frac{\partial P}{\partial x^{(n)}}x^{(n+1)} = 0.$$
Let $x_1 = x,\ x_2 = \dot x,\ \ldots,\ x_{n+1} = x^{(n)},\ x_{n+2} = x^{(n+1)}$. We have the first-order system
$$\dot x_1 = x_2,\quad \dot x_2 = x_3,\quad \ldots,\quad \dot x_{n+1} = x_{n+2},\qquad P_2(t, x_1, x_2, \ldots, x_{n+2}) = 0,$$
where
$$P_2(t, x_1, \ldots, x_{n+2}) = \frac{\partial P}{\partial t} + \frac{\partial P}{\partial x_1}x_2 + \frac{\partial P}{\partial x_2}x_3 + \cdots + \frac{\partial P}{\partial x_{n+1}}x_{n+2}$$
is again a polynomial, so the system is of the form of Equations 5.1. □

Proposition 5.3.2 [Sha41] If $x = \lambda t.f(t)$ is non-hypertranscendental, then its derivative $y = \lambda t.f'(t)$, its integral $z = \lambda t.\int f(t)\,dt$, and its inverse $w = \lambda t.f^{-1}(t)$ are non-hypertranscendental.

Proof: Refer to [Sha41]. □

Proposition 5.3.3 [Sha41] Non-hypertranscendental functions are closed under functional composition.

Proof: Refer to [Sha41]. □

Proposition 5.3.4 Given a constraint net of differential equations $\dot x_k = f_k(x)$, $k = 1, \ldots, n$, with $x_k(t_0) \in \mathbb{R}$ and $f_k : \mathbb{R}^n \to \mathbb{R}$ as partial or total functions, and given that all $f_k$ are smooth at $x(t_0)$, the limiting semantics of the constraint net, based on the forward Euler method, is well-defined over $T = [t_0, t_1]$ for some $t_1 > t_0$. In particular,
$$x = \lambda t.\sum_{i \ge 0} \frac{x^{(i)}(t_0)}{i!}(t - t_0)^i.$$

Proof: If all $f_k$ are smooth, $x^{(i)}(t_0)$ exists for every $i$, and the semantics results in a Taylor expansion. □

Theorem 5.3.2 Let $\Sigma_r = (\{r\}, \{+, \cdot\})$ be a signature. A non-hypertranscendental function that is defined and smooth over a closed segment $T = [t_0, t_1]$ can be computed by a constraint net of differential equations in the $\Sigma_r$-dynamics structure $\mathcal{D}(T, \mathcal{R})$, where $\mathcal{R}$ denotes the $\Sigma_r$-domain structure $(\{\mathbb{R}\}, \{+, \cdot\})$.

Proof: A non-hypertranscendental function that is defined and smooth over a closed segment $T = [t_0, t_1]$ can be written as Equations 5.1 with $x(t_0)$ well-defined. Therefore, the constraint net has a well-defined solution.
On the other hand, for any polynomial function $P$, $P(x) - P(y) = (x - y)P'(x, y)$, and $P'(x, y)$ is a polynomial that is bounded in any closed interval. Therefore, the Lipschitz condition is satisfied. □

A.4 Behavior Analysis

Proposition 6.2.1 If 1C2 n n mum , 72Im.

Proof: Trivial. □

Proposition 6.4.1 (1) If $(S', \to')$ is an abstraction of $(S, \to)$, the behavior corresponding to $(S', \to')$ is the abstraction of the behavior corresponding to $(S, \to)$. (2) If $(S', \to')$ is an approximate abstraction of $(S, \to)$, the behavior corresponding to $(S', \to')$ is a superset of the abstraction of the behavior corresponding to $(S, \to)$.

Proof: Trivial. □

A.5 Behavior Verification

Proposition 11.2.1 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $\mathcal{B}$ and $\mathcal{A}$. If $r$ is a run of $\mathcal{A}$ over a trace $v \in \mathcal{B}$, then $\forall t \in T$, $v(t) \models \alpha_{r(t)}$.

Proof: For any trace $v$, $v(0) \models \Theta$. $r(0)$ is an initial state, therefore $v(0) \models e(r(0))$. Therefore $v(0) \models \Theta \wedge e(r(0))$. Since $\Theta \wedge e(r(0)) \to \alpha_{r(0)}$, we have $v(0) \models \alpha_{r(0)}$. Assume that $v(pre(t)) \models \alpha_{r(pre(t))}$. Since $r$ is a run, $v(t) \models c(r(pre(t)), r(t))$. In addition, $\alpha_{r(pre(t))} \wedge c(r(pre(t)), r(t)) \to \alpha_{r(t)}$. Therefore, $v(t) \models \alpha_{r(t)}$. Using the induction principle for well-founded sets, $v(t) \models \alpha_{r(t)}$ for all $t$. □

Proposition 11.2.2 Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $\mathcal{B}$ and $\mathcal{A}$ and $r$ be a run of $\mathcal{A}$ over a trace $v \in \mathcal{B}$. If $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions for $\mathcal{B}$ and $\mathcal{A}$, then
• $\rho_{r(t)}(v(t)) \le \rho_{r(pre(t))}(v(pre(t)))$ when $r(pre(t)) \in S$,
• $\rho_{r(t)}(v(t)) - \rho_{r(pre(t))}(v(pre(t))) \le -\epsilon$ when $r(pre(t)) \in B$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, $\forall q^* \in BS$, $q^*$ has a finite number of $B$-states.

Proof: According to the conditions of Liapunov functions. □

Proposition 11.2.3 Let $\{\alpha_q\}_{q \in Q}$ be a set of invariants for $\mathcal{B}$ and $\mathcal{A}$ and $r$ be a run of $\mathcal{A}$ over a trace $v \in \mathcal{B}$. If there exist local and global timing functions for $\mathcal{B}$ and $\mathcal{TA}$, then
• if $Sg(q)$ is the set of segments of consecutive $q$'s in $r$, $\forall q \in T$, $q^* \in Sg(q)$, $\mu(q^*) < \tau(q)$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, $\forall q^* \in BS$, $\mu(q^*) < \tau(bad)$.

Proof: Let $s_i$, $i = 1, \ldots, n$, be a sequence of $q$-states. Since
$$\gamma_q(s_2) - \gamma_q(s_1) \le -\mu(s_1),\quad \gamma_q(s_3) - \gamma_q(s_2) \le -\mu(s_2),\quad \ldots,\quad \gamma_q(s_n) - \gamma_q(s_{n-1}) \le -\mu(s_{n-1}),$$
we have $\gamma_q(s_n) - \gamma_q(s_1) \le -\sum_i \mu(s_i)$. Since $\gamma_q(s_n) \ge 0$ and $\gamma_q(s_1) < \tau(q)$, we have $\sum_i \mu(s_i) < \tau(q)$. Let $s'_i$, $i = 1, \ldots, n$, be the sub-sequence of $B$-states in a $BS$ segment. Since $\gamma(s'_2) - \gamma(s'_1) \le -\mu(s'_1)$, $\ldots$, $\gamma(s'_n) - \gamma(s'_{n-1}) \le -\mu(s'_{n-1})$, and $\gamma(s'_{i+1}) \le \gamma(s'_i)$ across the intervening $S$-states, we have $\gamma(s'_n) - \gamma(s'_1) \le -\sum_i \mu(s'_i)$. Since $\gamma(s'_1) < \tau(bad)$ and $\gamma(s'_n) \ge 0$, we have $\sum_i \mu(s'_i) < \tau(bad)$. □

Proposition 11.2.4 Given $Lc$ as the set of locations and $U \subseteq Lc$, $U$ is an abstraction of $Lc$ if $CN(U)$ is state-based and time-invariant.

Proof: Trivial. □

Proposition 11.2.5 If $U$ is an abstraction of $Lc$, any property restricted to relations on $U$ can be verified by exploring the subspace transition system $(\times_U A, \to_U)$.

Proof: $s'_1 \to_U s'_2 \to_U \cdots \to_U s'_n$ if $s_1 \to_{Lc} s_2 \to_{Lc} \cdots \to_{Lc} s_n$. □

Proposition 11.2.6 If $CN_s$ is a subnet of $CN$, the set of locations of $CN_s$ is an abstraction.

Proof: $CN_s$ can be considered as an independent subsystem, viz. $h(s_1) = h(s_2)$, $s_1 \to_{Lc} s'_1$ and $s_2 \to_{Lc} s'_2$ imply that $h(s'_1) = h(s'_2)$. According to the definition, the set of locations of $CN_s$ is an abstraction. □

Proposition 11.2.7 The set of output locations of unit delays is an abstraction.

Proof: The set of output locations of unit delays induces a state transition system. □

Proposition 11.2.8 The set of input locations of unit delays is an abstraction.

Proof: The set of input locations of unit delays induces a state transition system. □

Proposition 11.2.9 If $U$ is an abstraction and $I \subseteq I(CN)$, $U \cup I$ or $U - I$ is still an abstraction.

Proof: Adding or deleting an input location does not change the property of abstraction. □
Proposition 11.3.1 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $\mathcal{B}$ and $\mathcal{A}$. If $r$ is a run of $\mathcal{A}$ over $v \in \mathcal{B}$, $\forall t \in T$, $v(t) \models \alpha_{r(t)}$.

Proof: In order to prove this proposition, we shall introduce a variation of the method of continuous induction [Khi61]. A property $\Gamma$ is inductive on a time structure $T$ if for all $t_0 \in T$, $\Gamma$ is satisfied at all $t < t_0$ implies that $\Gamma$ is satisfied at $t_0$. $\Gamma$ is continuous if $\Gamma$ is satisfied at a non-greatest element $t \in T$ implies that $\exists t' > t$, $\forall t < t'' < t'$, $\Gamma$ is satisfied at $t''$. Note that when $T$ is discrete, any property is continuous. The theorem of continuous induction [Khi61] says:

Theorem A.5.1 If the property $\Gamma$ is inductive and continuous on a time structure $T$ and $\Gamma$ is satisfied at $0$, $\Gamma$ is satisfied at all $t \in T$.

We prove that the property $v(t) \models \alpha_{r(t)}$ is satisfied at $0$ and is both inductive and continuous on any time structure $T$.
• Initiality: Since $v(0) \models \Theta$ and $v(0) \models e(r(0))$, we have $v(0) \models \Theta \wedge e(r(0))$. According to the Initiality condition of invariants, we have $v(0) \models \alpha_{r(0)}$.
• Inductivity: Suppose $v(t) \models \alpha_{r(t)}$ is satisfied at $0 \le t < t_0$. Since $r$ is a run over $v$, $\exists q \in Q$ and $t'_1 < t_0$, $\forall t, t'_1 < t < t_0$, $r(t) = q$ and $v(t_0) \models c(q, r(t_0))$. According to the Consecution condition of the invariants, $\exists t'_2 < t_0$, $\forall t, t'_2 < t < t_0$, $v(t) \models \alpha_q$ implies $v(t_0) \models c(q, r(t_0)) \to \alpha_{r(t_0)}$. Therefore, $\forall t, \max(t'_1, t'_2) < t < t_0$, $r(t) = q$, $v(t) \models \alpha_q$ (assumption), and $v(t_0) \models c(q, r(t_0))$. Thus, $v(t_0) \models \alpha_{r(t_0)}$.
• Continuity: Suppose $v(t_0) \models \alpha_{r(t_0)}$. Since $r$ is a run over $v$, $\exists q \in Q$ and $t'_1 > t_0$, $\forall t, t_0 < t < t'_1$, $r(t) = q$ and $v(t) \models c(r(t_0), q)$. According to the Consecution condition of the invariants, $\exists t'_2 > t_0$, $\forall t, t_0 < t < t'_2$, $v(t_0) \models \alpha_{r(t_0)}$ implies $v(t) \models c(r(t_0), q) \to \alpha_q$. Therefore, $\forall t, t_0 < t < \min(t'_1, t'_2)$, $r(t) = q$, $v(t_0) \models \alpha_{r(t_0)}$ (assumption), and $v(t) \models c(r(t_0), q)$. Thus, $\forall t, t_0 < t < \min(t'_1, t'_2)$, $v(t) \models \alpha_{r(t)}$. □

Theorem A.5.1 Proof: We call a time point $t \in T$ regular if $\Gamma$ is satisfied at all $t'$, $0 \le t' \le t$.
Let $T_r$ denote the set of all regular time points. $T_r$ is not empty since $\Gamma$ is satisfied at $0$. We prove the theorem by contradiction, i.e., assume that $\Gamma$ is not satisfied at all $t \in T$. Therefore, $T_r \subset T$ is bounded above; let $t_0 = \vee T_r \in T$ be the least upper bound of $T_r$ ($t_0$ exists according to Proposition 3.2.1). Since $t_0$ is the least upper bound, it follows that $\Gamma$ is satisfied at all $t$, $0 \le t < t_0$. Since $\Gamma$ is inductive, it is satisfied at time $t_0$. Therefore, $t_0 \in T_r$. Since $T_r \subset T$, $t_0$ is not the greatest element in $T$. Let $T' = \{t \mid t > t_0\}$. There are two cases: (1) if $T'$ has a least element $t'$, since $\Gamma$ is inductive, $t' \in T_r$ is a regular time point; (2) otherwise, for any $t' \in T'$, $\{t \mid t_0 < t < t'\} \ne \emptyset$. Since $\Gamma$ is also continuous, we can find a $t' \in T'$ such that $\Gamma$ is satisfied at all $t \in T'' = \{t \mid t_0 < t < t'\}$. Therefore, $t$ is a regular time point $\forall t \in T''$. Both cases contradict the fact that $t_0$ is the least upper bound of the set $T_r$. □

Proposition 11.3.2 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $\mathcal{B}$ and $\mathcal{A}$ and $r$ be a run of $\mathcal{A}$ over a trace $v \in \mathcal{B}$. If $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions for $\mathcal{B}$ and $\mathcal{A}$, then
• $\rho_{r(t_2)}(v(t_2)) \le \rho_{r(t_1)}(v(t_1))$ when $t_1 < t_2$ and $\forall t, t_1 \le t < t_2$, $r(t) \in B \cup S$,
• $\rho_{r(t_2)}(v(t_2)) - \rho_{r(t_1)}(v(t_1)) \le -\epsilon\,\mu([t_1, t_2))$ when $t_1 < t_2$ and $\forall t, t_1 \le t < t_2$, $r(t) \in B$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, then $\forall q^* \in BS$, $\mu(q^*)$ is finite.

Proof: For any run $r$ over $v$ and for any segment $q^*$ of $r$ with only bad and stable states, $\rho$ on $q^*$ is nonincreasing, i.e., let $I$ be the time interval of $q^*$; for any $t_1 < t_2 \in I$, $\rho_{r(t_2)}(v(t_2)) \le \rho_{r(t_1)}(v(t_1))$, and the decreasing speed at the bad states is no less than $\epsilon$. Let $m$ be the upper bound of $\{\rho_{r(t)}(v(t)) \mid t \in I\}$. Since $\rho_q \ge 0$, $\mu(q^*) \le m/\epsilon < \infty$. □

Proposition 11.3.3 Let $\{\alpha_q\}_{q \in Q}$ be invariants for $\mathcal{B}$ and $\mathcal{A}$ and $r$ be a run of $\mathcal{A}$ over a trace $v \in \mathcal{B}$.
If there exist local and global timing functions for $\mathcal{B}$ and $\mathcal{TA}$, then
• if $Sg(q)$ is the set of segments of consecutive $q$'s in $r$, then $\forall q \in T$, $q^* \in Sg(q)$, $\mu(q^*) < \tau(q)$, and
• if $BS$ is the set of segments of consecutive $B$- and $S$-states in $r$, then $\forall q^* \in BS$, $\mu(q^*) < \tau(bad)$.

Proof: Similar to the proofs of Proposition 11.2.3 and Proposition 11.3.2. □

Theorem 11.3.1 The verification rules (I), (L) and (T) are sound if the following conditions on $\mathcal{B}$ and $\mathcal{TA}$ are satisfied:
• $T$ is an infinite time structure.
• All traces in $\mathcal{B}$ are specifiable by $\mathcal{TA}$.
The verification rules are complete if the following conditions on $\mathcal{B}$ and $\mathcal{TA}$ are satisfied:
• $\{(v, r) \mid v \in \mathcal{B},\ r \text{ is a run over } v\}$ is time-invariant.
• All transitions from $R$ to non-$R$-states are left-closed, i.e., if $r$ is a run and there is a transition from an $R$-state to a $B$-state or an $S$-state at $t$, then $r(t) \in B \cup S$. (For discrete time structures, this condition is always satisfied.)

Proof: Soundness is derived from Propositions 11.3.1, 11.3.2 and 11.3.3. For any trace $v$, there is a run since $v$ is specifiable by $\mathcal{TA}$. For any run $r$ over $v$, if any automaton-state in $R$ appears infinitely many times in $r$, $r$ is accepting. Otherwise there is a time point $t_0$ such that the sub-sequence of $r$ on $I = \{t \in T \mid t \ge t_0\}$, denoted $q^*$, has only bad and stable automaton-states. If there exist a set of invariants and a set of Liapunov functions, $\mu(q^*)$ is finite. Since time is infinite, all the automaton-states appearing infinitely many times in $r$ belong to $S$; $r$ is accepting too. Therefore, every trace is accepting for the automaton. If there exists a set of local and global timing functions, every trace satisfies the timing constraints. On the other hand, if $\mathcal{TA}$ is valid over $\mathcal{B}$, there exist a set of invariants, a set of Liapunov functions, and a set of local and global timing functions that satisfy the requirements.
The set of invariants can be constructed as follows: $\forall s, \forall q$, $s \models \alpha_q$ iff the pair $(q, s)$ is reachable, i.e., $\exists r, v, t$, $r(t) = q \wedge v(t) = s$. We shall prove that $\{\alpha_q\}_{q \in Q}$ is a set of invariants.
• Initiality: if $\Theta(s) \wedge e(q)(s)$, then $\exists r, v$, $r(0) = q$ and $v(0) = s$. Therefore, $s \models \alpha_q$.
• Inductivity: $\forall v, t$, if $\exists t' < t$, $\forall t' < t'' < t$, $v(t'') \models \alpha_q$, then $\exists r$, $\forall t' < t'' < t$, $r(t'') = q$. If $v(t) \models c(q, q')$, then $r(t) = q'$, i.e., $\exists r$, $r(t) = q'$ and $v(t) = s$. Therefore, $s \models \alpha_{q'}$.
• Continuity: $\forall v, t$, if $\exists r$, $r(t) = q$ (i.e., $v(t) \models \alpha_q$), and $\exists t' > t$, $\forall t < t'' < t'$, $v(t'') \models c(q, q')$, then $\exists t' > t$, $\forall t < t'' < t'$, $\exists r$, $r(t'') = q'$. Therefore, $v(t'') \models \alpha_{q'}$.

Given the above constructed invariants, a set of Liapunov functions can be constructed as follows:
• $\forall q \in R$ and $s \models \alpha_q$, let $\rho_q(s) = 0$.
• $\forall q \notin R$ and $s \models \alpha_q$, the Liapunov function is defined as follows. For any $r, v, t$ with $r(t) = q$ and $v(t) = s$, let $q^*$ be a segment of $r$ with only bad and stable states starting at $q$, and $\mu(q^*)$ be the measure of $B$-states in $q^*$. Let $\rho_q(s)$ be the longest such measure over all $r, v, t$ with $r(t) = q$ and $v(t) = s$, i.e., $\rho_q(s) = \sup\{\mu(q^*)\}$.

We shall prove that $\{\rho_q\}_{q \in Q}$ is a set of Liapunov functions and global timing functions. For $q, q' \notin R$, let $(q, s) \prec (q', s')$ if $\exists r, v, t < t'$, $\forall t \le t'' \le t'$, $r(t'') \notin R$, $r(t) = q$, $v(t) = s$, $r(t') = q'$ and $v(t') = s'$. Since $\{(v, r)\}$ is time-invariant, $\prec$ is transitive. Therefore, $(q, s) \prec (q', s')$ implies $\rho_q(s) \ge \rho_{q'}(s')$.
• Definedness: $\forall q \in Q$, $s \models \alpha_q$, $\rho_q$ is defined at $s$.
• Non-increase: $\forall v \in \mathcal{B}$, $\forall q \in S$, $q' \in R$, $\{\alpha_q \wedge \rho_q = w\}\,v\,\{c(q, q') \to \rho_{q'} \le w\}$ is trivially satisfied. $\forall q \in S$, $q' \in B \cup S$, $\{\alpha_q \wedge \rho_q = w\}\,v\,\{c(q, q') \to \rho_{q'} \le w\}$ is satisfied since $(q, s) \prec (q', s')$. $\forall v \in \mathcal{B}$, $\forall q \in B \cup S$, $q' \in S$, $\{\alpha_q \wedge \rho_q = w\}\,v^+\,\{c(q, q') \to \rho_{q'} \le w\}$ is satisfied since $(q, s) \prec (q', s')$. $\forall q \in R$, $q' \in S$, $c(q, q')$ is false since all transitions from $R$ to non-$R$-states are left-closed.
• Decrease: $\forall v \in \mathcal{B}$, $\forall q \in B$, $q' \in Q$, $\{\alpha_q \wedge \rho_q = w \wedge t = t_0\}\,v\,\{c(q, q') \to \rho_{q'} \le w - \mu([t_0, t))\}$. $\forall q \in R$, $q' \in B$, $\{\alpha_q \wedge \rho_q = w \wedge t = t_0\}\,v\,\{c(q, q') \to \rho_{q'} \le w - \mu([t_0, t))\}$ is trivially satisfied since $c(q, q')$ is false. $\forall q \in B \cup S$, $q' \in B$, $\{\alpha_q \wedge \rho_q = w \wedge t = t_0\}\,v\,\{c(q, q') \to \rho_{q'} \le w - \mu([t_0, t))\}$ is satisfied by the definition of $\rho_{q'}$ as the longest measure of $B$-states.

The local timing functions can be defined similarly. □

Proposition 11.4.4 All transitions from $R$ to non-$R$-states are left-closed if the following conditions are satisfied:
• $\mathcal{TA}$ is open and complete.
• $\forall q \in R$, $q_1 \notin R$ and $q_2 \in R$, $c(q, q_1) \wedge c(q, q_2)$ is not satisfiable.
• All traces in $\mathcal{B}$ are right-continuous.

Proof: Since $\mathcal{TA}$ is open, $\forall q \in Q$, $q' \in R$, $c(q, q')$ is open. Therefore, $\forall q \in Q$, $\vee_{q' \in R}\,c(q, q')$ is open. Since $\forall q \in R$, $q_1 \notin R$ and $q_2 \in R$, $c(q, q_1) \wedge c(q, q_2)$ is not satisfiable, $(\vee_{q' \in R}\,c(q, q')) \wedge (\vee_{q' \in B \cup S}\,c(q, q'))$ is not satisfiable. Since $\mathcal{TA}$ is complete, $\vee_{q' \in R}\,c(q, q')$ and $\vee_{q' \in B \cup S}\,c(q, q')$ are complementary. Therefore, $\vee_{q' \notin R}\,c(q, q')$ is closed. Since all traces in $\mathcal{B}$ are right-continuous, for all $v, t$, if $t$ is a limit point to the right of a set of time points $T'$, $v(t)$ is a point or a limit point of $v(T')$. If $\exists t' > t$, $\forall t < t'' < t'$, $v(t'') \in \vee_{q' \notin R}\,c(q, q')$, then $v(t) \in \vee_{q' \notin R}\,c(q, q')$. Therefore, all transitions from $R$ to non-$R$-states are left-closed. □

A.6 Constraint-Based Dynamic Systems

Proposition 14.1.1 If $\{X_i^*\}_{i \in I}$ are ((asymptotically) stable) equilibria, then $\cup_I X_i^*$ is an ((asymptotically) stable) equilibrium.

Proof: Trivial. □

Theorem 14.1.1 $X^* \subseteq X$ is a stable equilibrium of a process $p$ iff there exists a Liapunov function $V$ for $p$ and $X^*$.

Proof: If there exists a Liapunov function $V$, $X^* \subseteq X$ is a stable equilibrium. First of all, $X^*$ is an equilibrium since $V$ takes its unique minimum at $X^*$. Suppose $\Omega$ is the domain of $V$. Given any $\epsilon$, let $\epsilon' \le \epsilon$ be such that $N_{\epsilon'}(X^*) \subseteq \Omega$. Let $\gamma$ be the minimum of $V$ over the boundary of $N_{\epsilon'}(X^*)$; $\gamma > V(X^*)$ since $X^*$ is the unique minimum. Because $V$ is continuous, there exists a $\delta$-neighborhood $N_\delta(X^*)$ such that $\forall x \in N_\delta(X^*)$, $V(x) < \gamma$. Therefore, $p(N_\delta(X^*)) \subseteq N_{\epsilon'}(X^*) \subseteq N_\epsilon(X^*)$. Conversely, if $X^* \subseteq X$ is a stable equilibrium of a process $p$, let $V(x) = \sup_{x' \in p(x)}\{d(x', X^*)\}$.
We have (1) $V(X^*) = 0$ since $X^*$ is an equilibrium, (2) $V(p(x)(t)) \le V(x)$ since $p(p(x)(t)) \subseteq p(x)$, and (3) $V$ is continuous since $X^*$ is stable. □

Theorem 14.1.2 $X^* \subseteq X$ is an asymptotically stable equilibrium of a process $p$ iff there exists a Liapunov function $V : \Omega \to \mathbb{R}$ for $p$ and $X^*$ such that $\forall x \in \Omega$, $\lim_{t \to \infty} V(p(x)(t)) = V(X^*)$. Furthermore, if $\Omega = X$, $X^*$ is an asymptotically stable equilibrium in the large.

Proof: Since $X^*$ is the unique minimum in $\Omega$, $p(x)$ approaches $X^*$, $\forall x \in \Omega$. Given $V$ defined the same as in the previous proof, if $X^*$ is an asymptotically stable equilibrium, $V(p(x)(t))$ approaches $V(X^*)$. □

Proposition 14.2.1 If a constraint solver $CS^V$ solves a set of constraints $C$ on variables $V$ globally, every equilibrium of $CS^V$ is a solution of $C$.

Proof: Trivial. □

Proposition 14.2.2 If $V : \Omega \to \mathbb{R}$ is a Liapunov function for $(S, f)$ and $S^* = \{s^* \mid s^* = f(s^*)\} \subseteq \Omega$, then $V(f(x)) \le V(x)$, $\forall x \in \Omega$. In addition, if $f$ is continuous and $V(f(x)) < V(x)$, $\forall x \notin S^*$, $S^*$ is an asymptotically stable equilibrium.

Proof: If $\lim_{n \to \infty} V(f^n(s)) = c > V(S^*)$, let $X = \{s \mid V(s) \le c\} \supset S^*$; $f^n(s)$ approaches $X$. If $f$ is continuous, however, $f^n(s)$ approaches $f(X) \subset X$ and $\lim_{n \to \infty} V(f^n(s)) < c$, a contradiction. □

Proposition 14.2.3 A set $S^* = \{s^* \mid f(s^*) = 0\}$ is an asymptotically stable equilibrium of a state integration system $\dot s = f(s)$ if $f$ is continuous at $S^*$ and $S^*$ is the unique minimum of $-\int f(s)\,ds$ in $\Omega$. If $\Omega = S$, $S^*$ is an asymptotically stable equilibrium in the large.

Proof: Let $V(s) = -\int f(s)\,ds$ be defined on a neighborhood of $S^*$. $V$ is a Liapunov function for $\dot s = f(s)$ and $S^*$ since $\dot V(s) = -f^2(s) \le 0$. Furthermore, $\dot V(s) < 0$, $\forall s \notin S^*$, since $f(s) \ne 0$. □

Proposition 14.3.1 Let $R \subseteq \mathbb{R}^n$ be closed and convex. The projection $P_R(x)$ of $x$ to $R$ exists and is unique for every $x$, and $(x - P_R(x))^T(y - P_R(x)) \le 0$ for any $y \in R$.

Proof: Refer to [GPR67]. □

Theorem 14.3.1 $PM$ solves $\{X_i\}_{i \in I}$ globally if all the $X_i$'s are convex.

Proof: Let $X^*$ be the solution set of the problem.
First of all, it is easy to see that if $x^* \in X^*$ is a solution, then $x^* = f(x^*)$, i.e., $x^*$ is an equilibrium. Moreover, we can prove that $|f(x) - x^*| \le |x - x^*|$ for any $x$ and $x^* \in X^*$ as follows:
$$\begin{aligned}
|f(x) - x^*|^2 &= |x + \lambda(P(x) - x) - x^*|^2 \\
&= |x - x^*|^2 + \lambda^2|P(x) - x|^2 + 2\lambda(x - x^*)^T(P(x) - x) \\
&= |x - x^*|^2 + (\lambda^2 - 2\lambda)|P(x) - x|^2 + 2\lambda(P(x) - x^*)^T(P(x) - x) \\
&\le |x - x^*|^2 - \lambda(2 - \lambda)|P(x) - x|^2 \qquad \text{according to Proposition 14.3.1} \\
&\le |x - x^*|^2 \qquad \text{since } 0 < \lambda < 2.
\end{aligned}$$
Therefore, let $V(x) = d(x, X^*)$; we have $V(f(x)) \le V(x)$. Thus, $X^*$ is stable. Furthermore, $|f^n(x) - x^*|$ is nonincreasing and bounded below. Therefore, $|f^n(x) - x^*|$ has a limit and $\max_i d(f^n(x), X_i)$ approaches $0$. According to [GPR67], $\lim_{n \to \infty} d(f^n(x), X^*) = 0$, since $\mathbb{R}^n$ is finite dimensional. As a result, $\lim_{n \to \infty} V(f^n(x)) = 0 = V(X^*)$. Thus, $X^*$ is an asymptotically stable equilibrium of $PM$ in the large, i.e., $PM$ solves the problem globally. □

Theorem 14.3.2 Let $X^* \subseteq \mathbb{R}^n$ be the set of local minima of $\mathcal{E}$. $NM$ solves the problem if $|J(x^*)| \ne 0$, $\forall x^* \in X^*$, i.e., $\mathcal{E}$ is strictly convex at each local minimal point. $NM$ solves the problem globally if, in addition, $\mathcal{E}$ is convex.

Proof: First, we prove that $\forall x^* \in X^*$, $x^* = f(x^*)$ and $|J(x^*)| \ne 0$ implies that $x^*$ is asymptotically stable. Let $R$ be the Jacobian of $f$. It is easy to check that $|R(x^*)| = 0$. There exists a neighborhood $N_\epsilon(x^*)$ of $x^*$ such that for any $x \in N_\epsilon(x^*)$, $|f(x) - f(x^*)| \le \lambda|x - x^*|$ for some $0 < \lambda < 1$. Therefore, $\lim_{k \to \infty}|f^k(x) - x^*| = 0$ and $x^*$ is asymptotically stable. Therefore, $X^*$ is an asymptotically stable equilibrium. If $\mathcal{E}$ is convex, $x^*$ is the unique minimal point, which is an attractor in the large. □

Theorem 14.3.3 Let $X^*$ be the set of local minima of $\mathcal{E}$. $GM$ solves the problem if $\partial\mathcal{E}/\partial x$ is continuous at $X^*$. $GM$ solves the problem globally if, in addition, $\mathcal{E}$ is convex.

Proof: According to Proposition 14.2.3, a local minimum is an asymptotically stable equilibrium. A set of local minima is also an asymptotically stable equilibrium. If $\mathcal{E}$ is convex, $X^*$ is the unique minimal set, which is an attractor in the large. □
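The following is an added example, not part of the thesis: a pure-Python implementation of the relaxed projection method $PM$ of Theorem 14.3.1, $x \leftarrow x + \lambda(P_i(x) - x)$ applied to each convex set in turn, with the inequality from the proof ($|f(x) - x^*|^2 \le |x - x^*|^2 - \lambda(2-\lambda)|P(x) - x|^2$ for any $x^*$ in the intersection) checked numerically. The two constraint sets (a half-plane and a disc), the known common point used as $x^*$, the start point, and the second problem that shows what happens when $\lambda$ leaves $(0, 2)$ are all constructed for illustration.

```python
"""Relaxed projection method (PM) on convex sets, with the Fejer inequality
from the proof of Theorem 14.3.1 checked at each step.  Added example; the
sets, start points and the x* used in the check are constructed, not taken
from the thesis."""

import math


def dist(x, y):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, y)))


def project_halfspace(a, b):
    """Return the projection map onto {y : a.y <= b}; a is assumed nonzero."""
    na2 = sum(ai * ai for ai in a)

    def proj(x):
        viol = sum(ai * xi for ai, xi in zip(a, x)) - b
        if viol <= 0:
            return list(x)
        return [xi - viol * ai / na2 for ai, xi in zip(a, x)]
    return proj


def project_ball(c, r):
    """Return the projection map onto the closed ball of radius r centred at c."""
    def proj(x):
        d = [xi - ci for xi, ci in zip(x, c)]
        n = math.sqrt(sum(di * di for di in d))
        if n <= r:
            return list(x)
        return [ci + r * di / n for ci, di in zip(c, d)]
    return proj


def relax(x, p, lam):
    """One relaxed projection f(x) = x + lambda (P(x) - x), p = P(x)."""
    return [xi + lam * (pi - xi) for xi, pi in zip(x, p)]


def fejer_slack(x, p, lam, xstar):
    """|x-x*|^2 - lambda(2-lambda)|P(x)-x|^2 - |f(x)-x*|^2.  The proof of
    Theorem 14.3.1 shows this is >= 0 whenever x* lies in the set projected
    onto and 0 < lambda < 2."""
    fx = relax(x, p, lam)
    return dist(x, xstar) ** 2 - lam * (2 - lam) * dist(p, x) ** 2 - dist(fx, xstar) ** 2


def run_pm(x0, projections, lam, sweeps):
    """Cyclic relaxed projections; returns the iterate after each full sweep."""
    x = list(x0)
    iterates = [x]
    for _ in range(sweeps):
        for P in projections:
            x = relax(x, P(x), lam)
        iterates.append(x)
    return iterates


def residual(x, projections):
    """Largest distance from x to any set: 0 iff x is in the intersection."""
    return max(dist(x, P(x)) for P in projections)


# Constructed problem: half-plane x1 + x2 <= 1 intersected with the unit disc
# centred at (1, 1).  (0.5, 0.5) lies in both sets, so it serves as x* in the
# Fejer check.
SETS = [project_halfspace([1.0, 1.0], 1.0), project_ball([1.0, 1.0], 1.0)]
XSTAR = [0.5, 0.5]

# Constructed failure case for lambda outside (0, 2): the half-planes x1 <= 0
# and x1 >= 0 meet exactly on the x2-axis; with lambda = 2.2 each relaxed
# projection overshoots and the iterate moves away instead of contracting.
AXIS_SETS = [project_halfspace([1.0, 0.0], 0.0), project_halfspace([-1.0, 0.0], 0.0)]


if __name__ == "__main__":
    its = run_pm([3.0, 3.0], SETS, 1.5, 20)
    print("d(x, x*) per sweep:", [round(dist(x, XSTAR), 4) for x in its[:5]])
    print("final residual:", residual(its[-1], SETS))
    print("lambda = 2.2 on the axis problem:", run_pm([1.0, 0.0], AXIS_SETS, 2.2, 20)[-1])
```

The distance to the fixed $x^*$ never increases from one sweep to the next (that is exactly the $V(f(x)) \le V(x)$ step of the proof), and the iterate lands in the intersection within a few sweeps. Run the axis problem with $\lambda = 2.2$ to see the contraction argument fail once $\lambda(2 - \lambda)$ turns negative.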
Theorem 14.3.4 Let $A$ be the matrix $A = \frac{\partial^2 f}{\partial x^2} + \sum_k \lambda_k \frac{\partial^2 g_k}{\partial x^2}$. If $A$ is positive definite, $LM$ solves the constrained optimization problem $\min f(x)$ subject to $g_k(x) = 0$ globally.

Proof: Let $V(x)$ be the energy function of [Pla89]. It has been shown in [Pla89] that $V$ is nonincreasing along the trajectories of $LM$ when $A$ is positive definite. Therefore, $V$ is a Liapunov function. □

Proposition 14.5.1 A constraint solver $CS^V$ solves $C$ if there exists an initial condition $\Theta \supseteq sol(C)$ such that $\forall \epsilon > 0$, $[\![CS^V]\!](\Theta) \models \mathcal{A}(C_\epsilon; \Theta)$. $CS^V$ solves $C$ globally when $\Theta = \times_V D$.

Proof: According to the definition of constraint solvers, $CS^V$ solves $C$ if $[\![CS^V]\!]$ is asymptotically stable at $sol(C)$, i.e., $\exists \Theta \supseteq sol(C)$, $\forall x \in \Theta$, $[\![CS^V]\!](x)$ approaches $sol(C)$ asymptotically. In other words, for any $\epsilon$, $\exists t_0$, $\forall t \ge t_0$, $[\![CS^V]\!](x)(t) \in C_\epsilon$. Therefore, $[\![CS^V]\!](x) \models \mathcal{A}(C_\epsilon; \Theta)$ for all $x \in \Theta$. On the other hand, if $[\![CS^V]\!](x) \models \mathcal{A}(C_\epsilon; \Theta)$ for any $\epsilon > 0$, $[\![CS^V]\!](x)$ approaches $sol(C)$ asymptotically. Therefore, $CS^V$ solves $C$. □

A.7 Control Synthesis

Proposition 15.3.1 This control law satisfies the condition that $v = 0$ if $(d = 0 \vee |\theta' - \theta| = \pi/2) \wedge \theta_d = 0$.

Proof: According to the control law for $v$, $v = 0$ implies $d\cos(\theta' - \theta) = 0$; according to the control law for $\theta_d$, $\theta_d = 0$. □

Appendix B ALERT

We have developed a visual programming and simulation environment called ALERT (A Laboratory for Embedded Real-Time systems) based on the Constraint Net model. In this appendix, we first describe the current version of ALERT, then give some simple examples to illustrate the process of analysis.

B.1 Visual Programming with Constraint Nets

Visual programming means the use of meaningful graphic representations in the process of programming [Shu88]. Visual programming has gained momentum in recent years primarily because the falling cost of graphics-related hardware and software has made it feasible to use pictures as a means of communicating with computers. CN has inherent graphical tokens and a hierarchical structure, which make it an ideal model for visual programming. CN is a generalization of models for dynamic systems.
As a first step, we have developed ALERT on Simulink [Incc]. Simulink, based on Matlab, is a visual programming and simulation environment for both continuous and discrete dynamic systems. Each Simulink window has five pop-up menus: File (open and save files), Edit (cut, copy and paste graphical tokens), Options (group, mask, flip or rotate modules), Simulation (start, pause, and parameters for simulations) and Style (color, font and position). Simulink provides various built-in modules such as linear and nonlinear transductions. In addition, it provides test signals, output viewing windows, and various signal analysis tools. Programming in Simulink consists of choosing a set of modules from the given libraries, setting up parameters and making connections. A system can be developed hierarchically by group and mask operations. Conversely, a module can be opened by an unmask operation and then modified.

Even though Simulink supports the integration of discrete and continuous modeling, its internal semantics is different from that of CN. Instead of holding values between sampling points (as the semantics of Constraint Nets does), Simulink assumes linear interpolation. Furthermore, Simulink does not support event-driven transductions, which are the most important aspect of CN. However, Simulink is a flexible open environment, so new modules can be added easily using Matlab functions and programs. We have extended Simulink with various event-driven transductions and event logics, as well as with various arbitrations. In particular, we have added four new libraries to Simulink (see Figure B.1): logics, events, arbiters and solvers.
Figure B.1: ALERT (the Simulink library window, with the added Logics, Events, Arbiters and Solvers libraries beside the standard Sources, Sinks, Discrete, Linear, Nonlinear, Connections and Extra libraries)

The basic functionalities of these new libraries are:
• Logics: This library (Figure B.2) includes various event logics, such as event synchronization elements, "flip-flop," etc.
• Events: This library (Figure B.3) includes an event generator and various event-driven transductions.

Figure B.2: Logic modules (Logic AND, Logic OR, Negation, Event OR, Trigger, Flip-Flop, Muller-C, Negated Muller-C, Event Switch)

Figure B.3: Event modules (event generator, sampler, Transition State Automaton, Event Holder, Transliteration, Event-Driven State Automaton)

• Arbiters: This library includes various arbiters so that arbitration hierarchies can be constructed.
• Solvers: This library includes constraint solvers with various constraint methods (where constraints can be given by functions defined in Matlab).

B.2 Simulation and Animation

A robotic system is a complex dynamic system in general; it is nonlinear in the following sense:
• the dynamics of the plant or the environment is nonlinear for any realistic modeling,
• the control is nonlinear if we model event-driven transductions or arbitration hierarchies.
For a nonlinear system, the behavior of the system is unpredictable in general, and parameters of the system (e.g., latencies and sampling rates) play an important role in the overall behavior. ALERT is an integrated environment for modeling, programming and analyzing robotic systems.
Such an environment is important for building a system with a certain degree of "correctness." Even though a real system's behavior cannot be guaranteed in advance, the more accurate the model is, the more information can be obtained in the simulation. On the other hand, the more robust the control is, the more relaxed the accuracy of the model can be. ALERT provides an environment for simulation, which, in general, is the only approach to analyzing nonlinear dynamic systems. Visualization can be added to the current version of ALERT using Matlab plot functions. Animation can be done either on-line in Simulink, which is slow, or by saving the traces and downloading them to an SGI machine.

Now we present two simple examples to illustrate the use of ALERT. In the first example, we analyze the effect of latencies on stability (Figure B.4). The solution of $\dot x = -kx$ is $x(t) = x_0 e^{-kt}$, which is asymptotically stable at state $0$. If we assume a latency $\delta$ for signal $x$, the solution of $\dot x = -k\,x(t - \delta)$ is not trivial, and it may become unstable at $0$. For this simple equation, we are able to analyze the solution by hand [Hub88]. Let $e^{-\lambda t}$ be a solution. We have $-\lambda e^{-\lambda t} = -k e^{-\lambda(t - \delta)}$, i.e., $\lambda = k e^{\lambda\delta}$. Since $\min_{\lambda > 0}\{e^{\lambda\delta}/\lambda\} = \delta e$, any real $\lambda$ satisfying this equation requires $\delta k e \le 1$, i.e., $\delta k \le 1/e$. If $\delta k > 1/e$, $\lambda$ must be a complex number, and therefore the solution oscillates. In general, a stable system may become unstable once latency is introduced (Figures B.5, B.6).

In the second example, we show that the sampling of data can cause instability too (Figure B.7). For the same system, let the sampling period be $\delta$. We have $\dot x = -ku$, where $u(t) = x(\delta n)$ for $\delta n \le t < \delta(n+1)$ and any integer $n$. Over one sampling period $x$ therefore changes by $-\delta k\,x(\delta n)$, i.e., $x(\delta(n+1)) = (1 - \delta k)\,x(\delta n)$. The solution is not stable if $|1 - \delta k| > 1$, i.e., $\delta k > 2$ (Figures B.8, B.9).

Figure B.4: Circuit with latency (Simulink diagram with an auto-scale graph scope and a storage block)

Figure B.5: Latency with $\delta k = 0.25$
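The two experiments above can be reproduced without Simulink. The following is an added example, not code from the thesis or from ALERT: a forward-Euler simulation of $\dot x = -k\,x(t - \delta)$ and of the sampled system $\dot x = -ku$ with $u$ held at $x(\delta n)$ between samples, together with a simple stability judgement on the resulting trace. The unit initial state, the constant history $x(t) = 1$ for $t \le 0$, the step size and the simulation horizon are assumptions of the example.

```python
"""Latency and sampling effects on dx/dt = -k x, simulated by forward Euler.
Added example (not part of the thesis).  Assumptions: x(0) = 1 with a
constant history x(t) = 1 for t <= 0, Euler step h much smaller than delta,
and the time unit chosen so that delta = 1 in the runs below."""

import math

X0 = 1.0  # assumed initial state and constant history for t <= 0


def simulate_delay(k, delta, t_end, h=0.01):
    """Forward-Euler trace of dx/dt = -k x(t - delta) as [(t, x), ...].

    xs starts as the history on [-delta, 0]; when xs[-1] is x(t),
    xs[-1 - n_delay] is x(t - delta)."""
    n_delay = int(round(delta / h))
    steps = int(round(t_end / h))
    xs = [X0] * (n_delay + 1)
    for _ in range(steps):
        x_delayed = xs[-1 - n_delay]
        xs.append(xs[-1] - h * k * x_delayed)
    return [(i * h, x) for i, x in enumerate(xs[n_delay:])]


def simulate_sampled(k, delta, t_end, h=0.01):
    """Forward-Euler trace of dx/dt = -k u(t), where u(t) = x(n delta) for
    n delta <= t < (n+1) delta: the controller only sees x at the sampling
    instants and holds that value (zero-order hold)."""
    n_per_sample = int(round(delta / h))
    steps = int(round(t_end / h))
    xs = [X0]
    u = X0
    for i in range(steps):
        if i % n_per_sample == 0:
            u = xs[-1]
        xs.append(xs[-1] - h * k * u)
    return [(i * h, x) for i, x in enumerate(xs)]


def is_stable(trace, window):
    """Judge a trace stable at 0 if its amplitude over the final `window`
    time units has dropped below 1% of its amplitude over the first `window`."""
    t_end = trace[-1][0]
    early = max(abs(x) for t, x in trace if t <= window)
    late = max(abs(x) for t, x in trace if t >= t_end - window)
    return late < 0.01 * early


def sign_changes(trace):
    """Number of zero crossings, i.e. whether the response oscillates."""
    xs = [x for _, x in trace]
    return sum(1 for a, b in zip(xs, xs[1:]) if a * b < 0)


def real_characteristic_root_exists(k, delta):
    """Hand analysis of Section B.2: exp(-lambda t) solves the delayed
    equation for a real lambda only if delta k <= 1/e."""
    return delta * k <= 1.0 / math.e


def sampled_closed_form(k, delta, n):
    """x(n delta) = (1 - delta k)^n x0 for the sampled system."""
    return (1.0 - delta * k) ** n * X0


if __name__ == "__main__":
    for dk in (0.25, 1.0, 2.0):
        tr = simulate_delay(dk, 1.0, 40.0)
        print(f"latency  delta*k={dk}: stable={is_stable(tr, 5.0)} "
              f"crossings={sign_changes(tr)} real_root={real_characteristic_root_exists(dk, 1.0)}")
    for dk in (0.25, 2.0, 2.5):
        tr = simulate_sampled(dk, 1.0, 40.0)
        print(f"sampling delta*k={dk}: stable={is_stable(tr, 5.0)}")
```

With $\delta = 1$ the three latency runs show the three regimes of the analysis: $\delta k = 0.25 \le 1/e$ decays without crossing zero, $\delta k = 1 > 1/e$ still decays but oscillates, and $\delta k = 2$ grows. For the sampled system the trace at the sampling instants matches $(1 - \delta k)^n x_0$ exactly, so $\delta k = 2$ gives a sustained oscillation and $\delta k = 2.5$ diverges.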
Figure B.6: Latency with $\delta k = 2$

Figure B.7: Circuit with sampling

Figure B.8: Sampling with $\delta k = 0.25$

Figure B.9: Sampling with $\delta k = 2$

In general, parameters like $k$ and $\delta$ play important roles in control systems design: $k$ is the parameter for the speed of control, and $\delta$ is introduced by unavoidable computation and device latency, or by the digital sampling rate. For instance, if $\delta$ is known, we may choose $k$ to achieve fast convergence while maintaining stability.

B.3 The Maze Traveler

We conclude this appendix with the maze traveler example. Figure B.10 depicts the overall structure of the system. Figure B.11 shows the animation window. The model and the controller of the car are given in Figures B.12 and B.13, respectively. The event generator is depicted in Figure B.14.

Figure B.10: The overall structure of the maze traveler system

Figure B.11: Animation of the maze traveler (at simulation time 41.6)

Figure B.12: The car model

Figure B.13: The control module (Constant, sensor, Demux and control blocks)

Figure B.14: The event module

Appendix C Examples of Design and Analysis

We present in this appendix two complete examples of the design and analysis of robotic systems and behaviors. One is a hydraulically actuated robot arm and the other is an elevator system.

C.1 Modeling and Control of a Hydraulically Actuated Arm

Figure C.1 depicts a two-link robot arm. For simplicity, we assume that the mass distribution of the two-link arm is extremely simple: all mass exists as a point mass at the distal end of each link.

Figure C.1: A two-link arm (links of length $l_1$, $l_2$ with point masses $m_1$, $m_2$ and joint angles $\theta_1$, $\theta_2$)
The dynamics of the arm is modeled by the following equations [Cra86]:
$$\begin{aligned}
\tau_1 &= [m_2 l_2^2 + 2 m_2 l_1 l_2 \cos\theta_2 + (m_1 + m_2) l_1^2]\ddot\theta_1 + [m_2 l_2^2 + m_2 l_1 l_2 \cos\theta_2]\ddot\theta_2 \\
&\quad - 2 m_2 l_1 l_2 \sin\theta_2\,\dot\theta_1\dot\theta_2 - m_2 l_1 l_2 \sin\theta_2\,\dot\theta_2^2 + (m_1 + m_2) g l_1 \sin\theta_1 + m_2 g l_2 \sin(\theta_1 + \theta_2), \\
\tau_2 &= [m_2 l_2^2 + m_2 l_1 l_2 \cos\theta_2]\ddot\theta_1 + m_2 l_2^2 \ddot\theta_2 + m_2 l_1 l_2 \sin\theta_2\,\dot\theta_1^2 + m_2 g l_2 \sin(\theta_1 + \theta_2).
\end{aligned}$$
For simplicity, we further assume $m_1 = m_2 = m$ and $l_1 = l_2 = l$. Let $d_1 = \dot\theta_1$ and $d_2 = \dot\theta_2$; solving the two equations for the joint accelerations, the arm model is a set of equations with state variables $\theta_1$, $\theta_2$, $d_1$ and $d_2$:
$$\chi = \frac{\tau_1 + 2 m l^2 \sin\theta_2\,d_1 d_2 + m l^2 \sin\theta_2\,d_2^2 - 2 m l g \sin\theta_1 - m l g \sin(\theta_1 + \theta_2) - (1 + \cos\theta_2)\left(\tau_2 - m l^2 \sin\theta_2\,d_1^2 - m l g \sin(\theta_1 + \theta_2)\right)}{1 + \sin^2\theta_2},$$
$$\dot d_1 = \frac{\chi}{m l^2},\qquad \dot d_2 = \frac{\tau_2 - m l^2 \sin\theta_2\,d_1^2 - m l g \sin(\theta_1 + \theta_2) - (1 + \cos\theta_2)\chi}{m l^2},\qquad \dot\theta_1 = d_1,\qquad \dot\theta_2 = d_2,$$
where $m$ and $l$ are parameters and $\chi = m l^2 \ddot\theta_1$ is an auxiliary quantity.

The joints of the arm are actuated by hydraulic actuators [SDLS90]. Valves are devices that control the fluid power. The most widely used valve is the sliding valve with spool-type construction. The inputs required to model such a valve are the spool displacement ($-0.5 \le X_v \le 0.5$), the supply pressure ($P_{sup}$), the return pressure ($P_{res}$) and the line pressures ($P_{in}$ and $P_{out}$). The governing nonlinear equations are:
$$Q_{in} = \begin{cases} K_v X_v \sqrt{P_{sup} - P_{in}} & \text{if } X_v > 0 \\ K_v X_v \sqrt{P_{in} - P_{res}} & \text{if } X_v < 0, \end{cases}\qquad
Q_{out} = \begin{cases} K_v X_v \sqrt{P_{out} - P_{res}} & \text{if } X_v > 0 \\ K_v X_v \sqrt{P_{sup} - P_{out}} & \text{if } X_v < 0, \end{cases}$$
where $K_v$ is a parameter, and
$$\dot P_{in} = \frac{Q_{in} - D_m \dot\theta}{C},\qquad \dot P_{out} = \frac{D_m \dot\theta - Q_{out}}{C},$$
where $D_m$ is the volumetric displacement of the hydraulic motor and $C$ is the hydraulic compliance. The torque generated by the actuator is $T = D_m (P_{in} - P_{out})$.

Assume that the low level controller for a hydraulically actuated joint is a simple PD control that produces a spool displacement $X_v$ given $\theta$, $\dot\theta$ and $\theta_d$:
$$X_v = B[(\theta_d - \theta) - A\dot\theta].$$
We select $A$ and $B$ by experiment, given the set of other parameters. After we get a stable PD controller for joint tracking, a high level controller for end-point tracking is then developed as follows.
Let (x, y) be the coordinate of the end-point of the arm. The constraints for end-point tracking are $x = x_d$ and $y = y_d$, where $(x_d, y_d)$ is the desired position. Let $\varepsilon = (x_d - x)^2 + (y_d - y)^2$ be the energy function. We have

$$\frac{\partial\varepsilon}{\partial\theta_1} = -2\Big[(x_d - x)\frac{\partial x}{\partial\theta_1} + (y_d - y)\frac{\partial y}{\partial\theta_1}\Big], \qquad \frac{\partial\varepsilon}{\partial\theta_2} = -2\Big[(x_d - x)\frac{\partial x}{\partial\theta_2} + (y_d - y)\frac{\partial y}{\partial\theta_2}\Big],$$

where

$$x = l\cos\theta_1 + l\cos(\theta_1 + \theta_2), \qquad y = l\sin\theta_1 + l\sin(\theta_1 + \theta_2),$$

$$\frac{\partial x}{\partial\theta_1} = -l\sin\theta_1 - l\sin(\theta_1 + \theta_2), \quad \frac{\partial y}{\partial\theta_1} = l\cos\theta_1 + l\cos(\theta_1 + \theta_2), \quad \frac{\partial x}{\partial\theta_2} = -l\sin(\theta_1 + \theta_2), \quad \frac{\partial y}{\partial\theta_2} = l\cos(\theta_1 + \theta_2).$$

Using the gradient method, we have $\dot\theta_d = -k\,\partial\varepsilon/\partial\theta$. Then we use $\theta_d$ as the input to the low level PD controller. We can consider this end-point tracking controller as a variation of the transpose Jacobian controller [Cra86].

Similarly, a high level controller for avoiding obstacles is developed as follows. Let $(x_o, y_o)$ be the coordinate of the obstacle and $\delta(d) = \max(-\ln(d^2/m^2), 0)$, where m is the minimum distance between the obstacle and the arm. Let the energy function for avoiding the obstacle be:

$$\varepsilon = \delta(d_{11}) + \delta(d_{12}) + \delta(d_{21}) + \delta(d_{22}),$$

where

$$d_{11} = \sqrt{(x_o - l\cos\theta_1)^2 + (y_o - l\sin\theta_1)^2}, \qquad d_{12} = \big|\,y_o\cos\theta_1 - x_o\sin\theta_1\,\big|,$$

$$d_{21} = \sqrt{(x_o - l\cos\theta_1 - l\cos(\theta_1 + \theta_2))^2 + (y_o - l\sin\theta_1 - l\sin(\theta_1 + \theta_2))^2},$$

$$d_{22} = \big|\,(y_o - l\sin\theta_1)\cos(\theta_1 + \theta_2) - (x_o - l\cos\theta_1)\sin(\theta_1 + \theta_2)\,\big|.$$

The obstacle avoiding controller is then designed using the gradient method. We can combine these two high level controllers with some arbiters, such as the subsume function, to give the obstacle avoiding control a higher priority. The models of the high level controllers and the PD controller, as well as the models of the arm and the hydraulic actuator, are all developed in ALERT; both simulation and animation are supported.

C.2 Modeling and Verification of an Elevator System

A simple elevator system for an n-floor building consists of one elevator. Inside the elevator there is a board with n floor buttons, each associated with one floor.
Outside the elevator there are two direction buttons for service calls on each floor, except the first floor and the top floor where only one button is needed (see Figure C.2). Any button can be pushed at any time. After being pushed, a floor button will be on until the elevator stops at the floor, and a direction button will be on until the elevator stops at the floor and is going to move in the same direction. (Note that a more complex elevator has open and close door buttons, and alarm or emergency buttons, which for simplicity we will not model.)

Figure C.2: The interface of a simple 3-floor elevator (floor buttons inside the elevator, direction buttons outside the elevator)

The atomic actions of an elevator consist of move-up or move-down one floor, serve-a-floor (stop at the floor, open and close the door) and stay-idle. The complete elevator system consists of ELEVATOR BODY, ELEVATOR CONTROL and USER INTERFACE as shown in Figure C.3.

Figure C.3: The complete elevator system

C.2.1 Discrete modeling and verification

First we present a discrete model of the elevator system, in which each atomic action takes some finite time. The elevator body is modeled by a transliteration and a unit delay:

$$nf = \begin{cases} \min(f + 1, n) & \text{if } cc = up \\ \max(f - 1, 1) & \text{if } cc = down \\ f & \text{otherwise,} \end{cases} \qquad f' = nf,$$

where cc is the current command from the controller with domain {up, down, serve, idle}, and f, nf are the current and next floor numbers, respectively, with domain {1, 2, ..., n}.

The command from the controller is modeled as a function of the current floor number, the current request state and the last control state. Let the request state be a tuple (ub, db, fb) where $ub, db, fb \in \{0, 1\}^n$ with ub(n) = 0 and db(1) = 0; let the last control state be ls with domain {up, down, idle}.
Let $ur, dr \in \{0, 1\}$ denote the up and down requests, respectively, i.e.,

• ur indicates whether or not there is a request for the elevator to go up: $ur = ub(f) \vee \bigvee_{i > f} \big(ub(i) \vee db(i) \vee fb(i)\big)$.
• dr indicates whether or not there is a request for the elevator to go down: $dr = db(f) \vee \bigvee_{i < f} \big(ub(i) \vee db(i) \vee fb(i)\big)$.

The current control state cs is determined as follows:

$$cs = \begin{cases} up & \text{if } ur \wedge (ls \neq down \vee \neg dr) \\ down & \text{if } (\neg ur \wedge f > 1) \vee (dr \wedge ls = down) \\ idle & \text{otherwise,} \end{cases} \qquad ls' = cs.$$

In English, if there is a request for the elevator to go up and either the last state is up or there is no request to go down, the elevator will be in the up state; if there is no request to go up and the elevator is not at the first floor, or the last state is down and there is a request to go down, then the elevator will be in the down state; otherwise the elevator will be idle, that is, the elevator will be parked at the first floor if there are no more requests.

Let cr indicate whether or not there is a request for the elevator to stop and serve the current floor:

$$cr = \begin{cases} db(f) \vee fb(f) & \text{if } cs = down \\ ub(f) \vee fb(f) & \text{otherwise.} \end{cases}$$

In English, if there is an internal request to arrive at this floor or there is an external request to go in the same direction as the elevator, there is a request at this floor. The current command can be defined as follows:

$$cc = \begin{cases} serve & \text{if } cr \\ cs & \text{otherwise.} \end{cases}$$

In English, if there is a request at this floor, the elevator will stop to serve the floor (open the door, let passengers go in and out, then close the door); otherwise the elevator will pass this floor without stopping.

Furthermore, the request state (ub, db, fb) is determined by two factors: the user's input and the internal reset when a request has been served. Letting s denote u, d or f, we have

$$sb = isb \vee (\neg rsb \wedge lsb), \qquad lsb' = sb,$$

where isb, rsb and lsb are the user's input, the reset and the last request state, respectively.
The reset state rsb indicates which requests have been served:

$$rsb' = csb, \quad \text{where} \quad cub(i) = (f = i) \wedge (cc = serve) \wedge (cs = up), \quad cdb(i) = (f = i) \wedge (cc = serve) \wedge (cs = down), \quad cfb(i) = (f = i) \wedge (cc = serve).$$

We have implemented the discrete model of the elevator system in Strand88 [FT89], a concurrent logic programming language. It is easy to simulate discrete time constraint nets in Strand88, since both transliterations and unit delays can be represented:

    % f(+in, -out) is a function.
    % fT(+in_trace, -out_trace) is a transliteration.
    fT([I|Is], Os) :- f(I, O), Os := [O|Os1], fT(Is, Os1).
    % delay(+init, +in_trace, -out_trace) is a unit delay.
    delay(Init, In, Out) :- Out := [Init|In].

where a trace is represented as an infinite list.

A well-designed elevator system should guarantee that any request will be served within some bounded time. We can specify such requirements in timed ∀-automata, and show that the constraint net model of the elevator system satisfies the timed ∀-automaton specification. There are three kinds of request: to go to a particular floor after entering the elevator, or to go up or down when waiting for the elevator. Following are some examples of state propositions.

• R2 : (fb(2) = 1) ∧ (cfb(2) = 0) denotes that "there is a request to go to the second floor."
• R2S : cfb(2) = 1 denotes that "the request to go to the second floor is served."
• RU2 : (ub(2) = 1) ∧ (cub(2) = 0) denotes that "there is a request to go up at the second floor."
• RU2S : cub(2) = 1 denotes that "the request to go up at the second floor is served."

The bounded time responses "the request to go to the second floor will be served in finite time" and "the request to go up at the second floor will be served in finite time" are represented as Figure C.4 (a) and (b), respectively. Let 7 be associated with $q_0$ in Figure C.4 (a) and 11 be associated with $q_0$ in Figure C.4 (b).
The two timed ∀-automata specify the properties "the request to go to the second floor will be served within 7 time units" and "the request to go up at the second floor will be served within 11 time units," respectively. These specifications can be checked using the verification algorithm. If n = 4, the state transition graphs of the elevator system with respect to the specifications in Figure C.4 (a) and (b) are shown in Figure C.5 (a) and (b), respectively, where the dotted transitions are disabled in our control strategy and the number associated with a state indicates the length of the longest path from the state to the desired states, if there are no self-loop transitions.

Figure C.4: Specifications of real-time response ((a) R2, R2S; (b) RU2, RU2S)
Figure C.5: State transition graphs, state = (f, cs, cc)

If the user is not allowed to issue a new request when the same request has just been served, these specifications will be satisfied. If, however, no such restriction is imposed, an elevator may stop at a floor forever; therefore, these specifications will not be satisfied. A more realistic specification for the elevator system is that any request should be served within a bounded time of motion. Such a specification cannot be expressed in TLTL; however, it can be expressed by a timed ∀-automaton.
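As an added worked example (not code from the thesis, from ALERT or from the Strand88 implementation), the discrete model of Section C.2.1 can be executed and the two bounded-response properties checked by exhaustive simulation. The controller below is a transcription of the definitions of ur, dr, cs, cr, cc, nf, sb and rsb above into Python, with the up case written as $ls \neq down \vee \neg dr$. The check enumerates every initial request state that contains the request of interest, every floor and every last control state, runs the closed system with no further user input (isb = 0, so the system is deterministic from each initial state) and records the number of steps until the corresponding reset bit is set. For n = 4 this reproduces the bounds 7 (R2 to R2S) and 11 (RU2 to RU2S) stated above. The function names and the tuple encoding of the state are this example's own conventions.

```python
"""Discrete elevator controller of Appendix C.2.1 and a bounded-response check."""
from itertools import product

UP, DOWN, IDLE, SERVE = "up", "down", "idle", "serve"


def controller(n, f, ls, ub, db, fb):
    """Return (cs, cc) from floor f, last control state ls and request bits.
    ub/db/fb are tuples indexed 1..n (index 0 is unused)."""
    ur = ub[f] or any(ub[i] or db[i] or fb[i] for i in range(f + 1, n + 1))
    dr = db[f] or any(ub[i] or db[i] or fb[i] for i in range(1, f))
    if ur and (ls != DOWN or not dr):
        cs = UP
    elif (not ur and f > 1) or (dr and ls == DOWN):
        cs = DOWN
    else:
        cs = IDLE
    cr = (db[f] or fb[f]) if cs == DOWN else (ub[f] or fb[f])
    cc = SERVE if cr else cs
    return cs, cc


def step(n, state):
    """One discrete step with no new user input (isb = 0).
    state = (f, ls, lsb, rsb) where lsb and rsb are (ub, db, fb) triples."""
    f, ls, lsb, rsb = state
    # sb = isb v (not rsb and lsb), with isb = 0 everywhere
    sb = tuple(tuple(0 if r else l for l, r in zip(lv, rv))
               for lv, rv in zip(lsb, rsb))
    ub, db, fb = sb
    cs, cc = controller(n, f, ls, ub, db, fb)
    nf = min(f + 1, n) if cc == UP else max(f - 1, 1) if cc == DOWN else f
    # next reset state: which buttons at floor f were served this step
    cub = tuple(int(i == f and cc == SERVE and cs == UP) for i in range(n + 1))
    cdb = tuple(int(i == f and cc == SERVE and cs == DOWN) for i in range(n + 1))
    cfb = tuple(int(i == f and cc == SERVE) for i in range(n + 1))
    return (nf, cs, sb, (cub, cdb, cfb))   # ls' = cs, lsb' = sb, rsb' = csb


def steps_until_served(n, state, kind, floor, cap=64):
    """Steps until rsb[kind][floor] is set; None if not within cap steps.
    kind: 0 = ub (cub), 1 = db (cdb), 2 = fb (cfb)."""
    for k in range(1, cap + 1):
        state = step(n, state)
        if state[3][kind][floor]:
            return k
    return None


def worst_case_response(n, kind, floor):
    """Longest response over all initial configurations in which the request
    (kind, floor) is pending and no reset is in progress; None if some
    configuration is never served."""
    worst = 0
    bits = list(product((0, 1), repeat=n))
    zero = tuple([(0,) * (n + 1)] * 3)
    for f, ls in product(range(1, n + 1), (UP, DOWN, IDLE)):
        for ub, db, fb in product(bits, bits, bits):
            if ub[n - 1] or db[0]:          # ub(n) = 0 and db(1) = 0 by definition
                continue
            lsb = tuple((0,) + v for v in (ub, db, fb))
            if not lsb[kind][floor]:
                continue
            k = steps_until_served(n, (f, ls, lsb, zero), kind, floor)
            if k is None:
                return None
            worst = max(worst, k)
    return worst


if __name__ == "__main__":
    print("R2 -> R2S within", worst_case_response(4, 2, 2), "steps")
    print("RU2 -> RU2S within", worst_case_response(4, 0, 2), "steps")
```

The worst case for fb(2) is the cab at floor 3 heading up with requests at floors 3 and 4 in both directions: it serves 3, moves to 4, serves 4, returns to 3, serves the down request there, and only then reaches floor 2 (7 steps). For ub(2) the same path continues down through floor 2 (serving only the down request there), serves floor 1 and comes back up (11 steps).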
For example, "the elevator will serve the second floor within 4 time units of motion" can be depicted by the timed ∀-automaton in Figure C.6, with MV : (cc ≠ serve), S2 : (f = 2) ∧ (cc = serve), SN2 : (f ≠ 2) ∨ (cc ≠ serve) and τ(bad) = 4. If n = 4 and fb(2) = 1 initially, the specification can be satisfied. This example has been verified by the verification procedure written in Prolog.

Figure C.6: A more realistic specification

C.2.2 Continuous modeling and verification

In the previous modeling of the elevator system, atomic actions are primitives. Now we shall model how these actions are carried out by the low level control system, which is realized as an analog controller. Furthermore, the user's request can come at any time on a continuous time line. A continuous model of the elevator system should be developed for the design of the low level control system and for the analysis of the overall behavior of the system.

First of all, the plant of the elevator is modeled by a second order differential equation following Newton's Law:

$$F - K\dot h = \ddot h,$$

where F is the motor force, K is the friction coefficient and h is the height of the elevator. We assume that the mass is 1 since it can be scaled by F and K. We ignore gravity since we assume that it can be added to F to compensate for its effect.

A low level PD controller is then designed to produce the force applied to the elevator, given the action command (up, down or stop) and the height trace:

$$F = \begin{cases} F_0 & \text{if } up \\ -F_0 & \text{if } down \\ K_p d_s - K_v \dot h & \text{if } stop, \end{cases}$$

where $d_s$ is the distance between the current height and the desired height of the elevator. Let the height of each floor be H and the current floor of the elevator be f. We have $f = [h/H] + 1$ and $d_s = (f - 1)H - h$, where [x] indicates the closest integer to x. We use the control strategy developed for the discrete model as a high level control.
However, this control strategy is activated by events generated from the user interface or within the elevator itself. There are three basic types of event: (1) a user pushes a button in the elevator's idle state, (2) the elevator comes close to a floor ($d_s < 15$ cm, for instance) and (3) a user's request has been served (it takes 5 s to serve a request, for instance). The "event or" of these three events triggers the high level controller to produce a new output. Furthermore, both the user's requests and the internal reset are processed at a fast sampling rate (0.1 s, for instance).

We have verified that the high level control strategy satisfies the desired properties. Now we have to guarantee that the low level control system does the right thing, i.e., accomplishes every goal that the high level strategy sets. Basically, we have to choose $F_0$, $K_p$ and $K_v$. Suppose that the friction coefficient K is 1, the height of each floor is 2 m, and the elevator is said to be at a floor when $|d_s| \le 15$ cm. One basic requirement is that if a stop command is issued when the elevator is crossing a floor, the elevator will remain at the floor as long as the command does not change. We choose $F_0$ to be 0.5 so that both the maximum velocity and acceleration will be 0.5, and it takes at least 4 s to move up or down a floor. We choose $K_p = 0.5/0.15 = 3.3$ so that the initial acceleration for stop will be no larger than 0.5. Finally, we choose $K_v$ large enough so that the elevator will not overshoot; in this case $K_v = 10$. We have modeled and simulated this complete elevator system in ALERT, and found that the system works correctly.

Appendix D Model Estimation for the Car

We present here a method of model estimation for the car-like robot. We have modeled the plant of the car-like robot using the following set of equations:

$$\dot x = v\cos\theta, \qquad \dot y = v\sin\theta, \qquad \dot\theta = \frac{v\tan\alpha}{L},$$

where (x, y, θ) is the configuration tuple of the car, and v and α are the control inputs to the car.
However, for a real car, the velocity v is controlled by the gas throttle $g_s$ and the turning angle α has its inherent mechanical delay. These two effects can be modeled by the following two equations:

$$\dot v = \begin{cases} 0 & \text{if } g_s < g_m \text{ and } v = 0 \\ k_g g_s - k_v v & \text{otherwise,} \end{cases} \qquad \dot\alpha = k_a(\alpha_d - \alpha),$$

so that $g_s$ and $\alpha_d$ are the real control inputs to the car, and $g_m$, $k_g$, $k_v$ and $k_a$ are parameters to be estimated. The minimum static gas $g_m$ is easy to estimate, by simply increasing the gas throttle of the stopped car until the car moves.

Parameter estimation for a dynamic system with equation $\dot x = k_1(k_2 - x)$ can proceed as follows. Starting with x = 0, the system will asymptotically approach $x = k_2$. Suppose x can be sensed within error ε. Then let $k_2 = x(t)$ as soon as $|x(t) - x(t + \tau)| \le \varepsilon$ for all τ > 0. Then $k_1$ can be estimated as follows. Let $y = x - k_2$. The solution of $\dot y = -k_1 y$ is $y = y_0 e^{-k_1 t}$. Since $y_0 = -k_2$ and $y = -\varepsilon$, we have $k_1 = \ln(k_2/\varepsilon)/t$.

The gain factor $k_g$ and the friction coefficient $k_v$ can be estimated by the above procedure. By applying a constant throttle $g_s > g_m$ to an initially stopped car, we have $\dot v = k_v(k_g g_s / k_v - v)$. For example, if $g_s = 0.2$, v → 50 and ε = 2, we have $k_v \approx 3/t$ and $k_g \approx 750/t$.

The delay factor $k_a$ can be estimated similarly, except that α has to be sensed via $\dot\theta$. Since $\dot\theta = v\tan\alpha/L$, a change in α is observed as a change in $\dot\theta$. We first apply a constant $g_s$ to a car until it moves at a constant velocity; then, at time $t_0$, we apply a constant $\alpha_d$ until $|\dot\theta(t) - \dot\theta(t + \tau)| \le \varepsilon$ for all τ > 0. We have $k_a = \ln(\alpha_d/\varepsilon_\alpha)/(t - t_0)$, where $\varepsilon_\alpha$ is the sensing tolerance ε translated to α through the relation above. For example, if v = 50, $\alpha_d = \pi/5$, L = 12 and ε = 2, we have $k_a \approx 1/(t - t_0)$. We can also apply different $g_s$ and $\alpha_d$ to the car and average the results.
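As an added worked example (not part of the thesis), the estimation procedure for $\dot x = k_1(k_2 - x)$ can be exercised on a simulated throttle response. The car's velocity equation is integrated with known gains (constructed values $k_g = 750$, $k_v = 3$, which are consistent with the $g_s = 0.2$, v → 50 figures used above) so that the estimates can be compared with the truth. The settling test $|x(t) - x(t + \tau)| \le \varepsilon$ for all τ > 0 is approximated by comparing each sample with the last sample of a long recording; the function names, the Euler integration step and the recording length are this example's own choices.

```python
"""Appendix D estimation of k1, k2 in x' = k1 (k2 - x), run on a simulated car
whose throttle gains are known only so that the estimates can be checked."""
import math

DT = 1e-3  # integration and sampling step in seconds (assumed)


def simulate_velocity(kg, kv, gs, duration):
    """Throttle model v' = kg*gs - kv*v for a car already above g_m,
    integrated by explicit Euler from v(0) = 0; returns [(t, v), ...]."""
    v, samples = 0.0, []
    for i in range(int(duration / DT) + 1):
        samples.append((i * DT, v))
        v += (kg * gs - kv * v) * DT
    return samples


def estimate_first_order(samples, eps):
    """Estimate (k1, k2) of x' = k1 (k2 - x) from a trajectory with x(0) = 0:
    k2 = x(t) at the first t where x stays within eps of its final value,
    k1 = ln(k2 / eps) / t (from y = x - k2 = -k2 exp(-k1 t) reaching -eps)."""
    x_end = samples[-1][1]                 # stands in for "x(t + tau) for all tau"
    for t, x in samples:
        if t > 0 and abs(x - x_end) <= eps:
            return math.log(x / eps) / t, x
    raise ValueError("trajectory has not settled within the recording")


def estimate_throttle_gains(gs, eps, kg_true=750.0, kv_true=3.0):
    """Apply a constant throttle gs and estimate (kv, kg) as in the text:
    v' = kv (kg gs / kv - v), so k1 = kv and k2 = kg gs / kv."""
    samples = simul = simulate_velocity(kg_true, kv_true, gs, duration=10.0)
    kv_hat, v_inf_hat = estimate_first_order(samples, eps)
    kg_hat = v_inf_hat * kv_hat / gs
    return kv_hat, kg_hat


if __name__ == "__main__":
    kv_hat, kg_hat = estimate_throttle_gains(gs=0.2, eps=2.0)
    print(f"kv ~ {kv_hat:.2f} (true 3), kg ~ {kg_hat:.0f} (true 750)")
```

With ε = 2 the cab of the procedure declares the velocity settled at about 48 rather than 50, so both estimates come out a few percent low; this is the error the text's "within error ε" admits, and averaging over several throttle settings, as suggested above, reduces it.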
Index

Abstractable behavior, 84; Abstractable function, 78; Abstractable state transition system, 84; Abstractable trace, 82; Abstractable transduction, 84
Abstraction, 78: Behavior, 84; Domain, 81; Domain structure, 81; State transition system, 84; Time, 81; Trace, 82; Transduction, 84
Algebraic loop, 53
Algebraic system, 77
Behavior, 79: Deterministic, 79; Nondeterministic, 79; State-based, 79; Time-invariant, 79
Complexity of behaviors, 80
Congruence: Function congruence, 78; Structure congruence, 78
Constraint, 147
Constraint method, 149: Gradient method, 152; Lagrange Multiplier method, 153; Newton's method, 151; Penalty method, 153; Projection method, 150
Constraint net: Closed, 44; Connection, 43; Input location, 44; Input port, 43; Limiting semantics, 55; Location, 43; Open, 44; Output location, 44; Output port, 43; Semantics, 51; Subnet, 45; Syntax, 43; Transduction, 43
Constraint programming, 154
Constraint satisfaction problem, 147: Constrained optimization, 149; Global consistency, 149; Solution set, 148; Unconstrained optimization, 149
Constraint solver, 148: Embedded, 160; State integration system, 148; State transition system, 148
Control problem, 159: Tracking problem, 162
Control synthesis, 158
Domain, 31: Composite, 32; Simple, 31
Domain equation, 123
Domain structure, 32
Domain structure mapping, 82
Dynamic process, 146: Attraction basin, 147; Attractor, 147; Equilibrium, 147; Stable equilibrium, 147; Liapunov function, 147
Dynamic system, 3: Constraint-based dynamic system, 157; Hybrid dynamic system, 59; Integrated hybrid system, 12; Intelligent real-time system, 14
Dynamics, 3
Dynamics structure, 40: Event space, 37; Trace space, 35
Equivalent behavior, 84; Equivalent system, 79; Equivalent system with abstraction, 84; Equivalent traces, 82; Equivalent transduction, 84
Formal system, 118
FTLTL: Frame, 107; Model, 107; Semantics, 107; Syntax, 107; Term, 106; Valid/Satisfiable, 108; Valid/Satisfiable over a frame, 108
Function: Fixpoint, 49; Least, 49
Hierarchy: Composition hierarchy, 166; Interaction hierarchy, 166; Abstraction hierarchy, 168; Arbitration hierarchy, 168
Homomorphic domain mapping, 81; Homomorphic domain structure mapping, 81; Homomorphic time mapping, 80; Homomorphism, 78; Isomorphism, 78
Interpretation, 103
Measurable space, 28
Measure, 28: Borel, 28
Measure space, 28
Metric, 28
Module, 45: Closed, 45; Hidden input, 45; Hidden output, 45; Interface, 45; Open, 45; Semantics, 52; Sequential module, 69
Module operation: Cascade connection, 45; Coalescence, 45; Feedback connection, 45; Hiding, 45; Parallel connection, 45; Union, 45
Parameter, 54; Parameterized module, 54; Parameterized net, 54
Partial order, 25: Complete, 27; Directed subset, 26; Chain, 27; Flat, 26; Greatest element, 26; Greatest lower bound (glb), 26; Least element, 26; Least upper bound (lub), 26; Linear, 25; Lower bound, 26; Product partial order, 26; Subpartial order, 25; Upper bound, 26
Planning problem, 159
PLTL: Frame, 103; Model, 103; Semantics, 103; Syntax, 102; Valid/Satisfiable, 103; Valid/Satisfiable over a frame, 103
Qualitative domain structure, 82; Quantitative domain structure, 82
Quotient algebra, 78; Quotient function, 78
Refinement: Domain, 81; Domain structure, 81; Time, 81
Relation: Congruence, 78; Partition, 78; Partial order relation, 25
Requirements specification, 80: Persistence, 5; Reachability, 5; Safety, 5
RFTLTL: State formula, 108; Open, 109; State proposition, 108; Syntax, 108
Robotic behavior, 2
Robotic system, 2: Controller, 3; Environment, 3; Plant, 3
Robustness of systems, 80
Signature, 32: Function symbol, 32; Mapping type, 32; Sort, 32
State transition system, 79
Steady-state error, 157
Strict extension, 33; Strict function, 33; Strict transduction, 41
System, 3
Temporal integration, 55: Bounded, 57; Reset, 57; Trace-based, 58
Time structure, 29: Continuous, 30; Discrete, 30; Infinite, 30; Reference time, 31; Reference time mapping, 30; Sample time, 31
Timed ∀-automaton: Accepting run, 116; Discrete (Accepting run, 114; Run, 114); Semantics, 114; Syntax, 114
TLTL: Real-time operator, 106; Temporal operator, 102
Topological space, 23: Connected, 24; Continuous function, 24; Metric space, 28; Product space, 25; Separated, 24; Subspace, 25
Topology, 23: Basis, 24; Closed set, 24; Derived metric, 31 (Greatest limit, 35, 36; Limit, 34, 36); Discrete, 24; Finer, 24; Hausdorff, 25; Limit, 29; Limit point, 24; Metric, 28 (Spherical neighborhood, 28); Neighborhood, 24; Open set, 24; Partial order, 27; Product, 25; Strict, 146; Subbasis, 24; Subspace, 25; Trivial, 24
Trace, 34: Completion, 35; Event trace, 36; Extension trace, 39; Nonintermittent, 36; Right-continuous, 36; Sample trace, 39
Transduction, 37: Basic, 38 (Transliteration, 38; Transport delay, 39; Unit delay, 39); Event generator, 60; Event synchronizer, 61; Event-driven, 40 (Clock, 40); Extending, 39; Nonintermittent, 42; Primitive, 38; Right-continuous, 42; Sampling, 39
Undefined trace, 34; Undefined value, 32
∀-automata: Accepting run, 115; Complete, 111; Discrete (Accepting run, 111; Run, 111); Open, 112; Semantics, 112; Specifiable, 115; Syntax, 110
Vector space, 55: Topological, 55
Verification, 117: Model checking approach, 119; Theorem proving approach, 118; Verification rules, 121 (Global timing function, 120, 124, 132; Invariant, 119, 123, 131; Liapunov function, 120, 124, 131; Local timing function, 120, 124, 132)
Well-defined constraint net, 53; Well-defined function, 34; Well-defined module, 53; Well-defined trace, 34; Well-defined transduction, 41; Well-defined value, 32
Title | A foundation for the design and analysis of robotic systems and behaviors
Creator | Zhang, Zhenhai
Date Issued | 1994
Extent | 5120973 bytes
Genre | Thesis/Dissertation
Type | Text
File Format | application/pdf
Language | eng
Date Available | 2009-04-15
Provider | Vancouver : University of British Columbia Library
Rights | For non-commercial purposes only, such as research, private study and education. Additional conditions apply, see Terms of Use https://open.library.ubc.ca/terms_of_use.
DOI | 10.14288/1.0051644
URI | http://hdl.handle.net/2429/7195
Degree | Doctor of Philosophy - PhD
Program | Computer Science
Affiliation | Science, Faculty of; Computer Science, Department of
Degree Grantor | University of British Columbia
Graduation Date | 1994-11
Campus | UBCV
Scholarly Level | Graduate
Aggregated Source Repository | DSpace