A FOUNDATION FOR THE DESIGN AND ANALYSIS OFROBOTIC SYSTEMS AND BEHAVIORSbyZHANG YINGB.Sc., Zhejiang University, China, 1984M.Sc., Zhejiang University, China, 1987M.Sc., The University of British Columbia, 1989A THESIS SUBMITTED IN PARTIAL FULFILLMENT OFTHE REQUIREMENTS FOR THE DEGREE OFDOCTOR OF PHILOSOPHYinTHE FACULTY OF GRADUATE STUDIES(Department of Computer Science)We accept this thesis as conformingTHE UNIVERSITY OF BRITISH COLUMBIASeptember 1994©Zhang Ying, 1994In presenting this thesis in partial fulfilment of the requirements for an advanceddegree at the University of British Columbia, I agree that the Library shall make itfreely available for reference and study. I further agree that permission for extensivecopying of this thesis for scholarly purposes may be granted by the head of mydepartment or by his or her representatives. It is understood that copying orpublication of this thesis for financial gain shall not be allowed without my writtenpermission.(Signature)_____________________________Department of _c. /6:/VCThe University of British ColumbiaVancouver, CanadaDate II,DE-6 (2188)AbstractRobots are generally composed of electromechanical parts with multiple sensors and actuators. The overall behavior of a robot emerges from coordination among its various partsand interaction with its environment. Developing inteffigent, reliable, robust and safe robots,or real-time embedded systems, has become a focus of interest in recent years. In this thesis,we establish a foundation for modeling, specifying and verifying discrete/continuous hybridsystems and take an integrated approach to the design and analysis of robotic systems andbehaviors.A robotic system in general is a hybrid dynamic system, consisting of continuous, discreteand event-driven components. We develop a semantic model for dynamic systems, that wecall Constraint Nets (CN). CN introduces an abstraction and a unitary framework to modeldiscrete/continuous hybrid systems. CN provides aggregation operators to model a complexsystem hierarchically. CN supports multiple levels of abstraction, based on abstract algebraand topology, to model and analyze a system at different levels of detail. CN, because of itsrigorous foundation, can be used to define programming semantics of real-time languages forcontrol systems.While modeling focuses on the underlying structure of a system — the organization andcoordination of its components— requirements specification imposes global constraints on asystem’s behavior, and behavior verification ensures the correctness of the behavior with respect to its requirements specification. We develop a timed linear temporal logic and timedV-automata to specify timed as well as sequential behaviors. We develop a formal verification method for timed V-automata specification, by combining a generalized model checkingtechnique for automata with a generalized stability analysis method for dynamic systems.A good design methodology can simplify the verification of a robotic system. We developa systematic approach to control synthesis from requirements specification, by exploring arelation between constraint satisfaction and dynamic systems using constraint methods. Withthis approach, control synthesis and behavior verification are coupled through requirementsspecification.To model, synthesize, simulate, and understand various robotic systems we have studiedin this research, we develop a visual programming and simulation environment that we callALERT: A Laboratory for Embedded Real-Time systems.11ContentsAbstract iiContents iiiList of Figures viiiList of Tables xAcknowledgement Xi1 Motivation and Introduction 21.1 The Problems 31.2 The Proposed Solutions 51.3 Semantic Model and Behavior Analysis 71.4 Requirements Specification and Behavior Verification 91.5 Control Synthesis and Robotic Architecture 111.6 How This Thesis Fits In 121.6.1 Integrated hybrid systems 121.6.2 Inteffigent real-time systems 141.7 Thesis Outline 161.8 A Guide to the Reader 17I Semantic Model and Behavior Analysis 182 Introduction 202.1 Topological Structure of Dynamics 202.2 The Constraint Net Model 212.3 Modeling in Constraint Nets .. 212.4 Behavior Analysis 222.5 Summary and Related Work 221114 The Constraint Net Model4.1 Syntax of Constraint Nets4.1.1 Syntax and graphical representation4.1.2 Modules and composition4.2 Semantics of Constraint Nets4.2.1 Fixpoint theory of partial orders4.2.2 Semantics of constraint nets4.2.3 Semantics of modules4.2.4 Parameterized nets4.2.5 Temporal integration4.3 Summary6 Behavior Analysis6.1 Abstraction, Quotient and Homomorphism6.2 Behavior Analysis: General Concepts6.3 Time and Domain Abstraction6.4 Behavior Abstraction and Equivalence6.5 Summary23233 Topological Structure of Dynamics3.1 General Topology, Partial Order and Metric Space3.1.1 General topology3.1.2 Partial order3.1.3 Metric space3.2 Time Structures3.3 Domain Structures3.4 Traces and Events3.5 Transductions3.5.1 General concepts3.5.2 Primitive transductions3.5.3 Event-driven transductions3.6 Dynamics Structures232528293134373738394043434344484951525455585 Modeling in Constraint Nets5.1 Event Generators and Synchronizers5.1.1 Event generators5.1.2 Event synchronizers . .5.2 Modeling Hybrid Systems5.3 Power of Constraint Nets5.3.1 Sequential computation5.3.2 Analog computation . .5960606164686874777779808284iv7 Summary and Related Work7.1 Summary7.1.1 Power7.1.2 Limitations7.2 Related Work7.2.1 Automata or state transition models7.2.2 Processes or multi-agent architectures .7.2.3 Nets or dataflow structures7.2.4 Constraint-based and biology-based models7.2.5 Relationships with the Constraint Net Model85858586878789919496II Requirements Specification and Behavior Verification8 Introduction8.1 Timed Linear Temporal Logic8.2 Timed V-automata8.3 Behavior Verification8.4 Summary and Related Work.9 Timed Linear Temporal Logic9.1 Propositional Linear Temporal Logic9.1.1 PLTL: syntax and semantics9.1.2 PLTL: extensions9.2 Propositional TLTL9.3 First Order TLTL9.4 Open State Specification97110110114115117117119123• 1261311351351351361369999100101101(PLTL)102102• . . . 102103105106• . . . 10910 Timed V-Automata10.1 Discrete V-Automata10.2 Discrete Timed V-Automata10.3 Timed V-Automata11 Behavior Verification11.1 Behavior Verification: General Issues11.2 Verification for Behaviors of Discrete Time Systems11.2.1 Semi-automatic verification11.2.2 Automatic verification11.3 Verification for Behaviors of Hybrid Dynamic Systems12 Summary and Related Work12.1 Summary12.1.1 Specification12.1.2 Verification12.1.3 Power and limitationsV12.2 Related Work12.2.1 Automata-based approaches12.2.2 Point time temporal logics12.2.3 Interval time temporal logics12.2.4 Relationships with TLTL and timed V-automata137137138140141III Control Synthesis and Robotic Architecture 14213 Introduction13.1 Constraint-Based Dynamic Systems13.2 Control Synthesis13.3 Robotic Architecture13.4 Summary and Related Work14414414514514514614614714914915215415615 Control Synthesis15.1 Control Synthesis: General Issues15.2 Constraint-Based Control15.3 Examples15.3.1 Linear control15.3.2 Nonlinear control15.4 Summary16 Robotic Architecture16.1 Abstraction Hierarchy16.2 Arbitration Hierarchy17 Summary and Related Work17.1 Summary17.1.1 Power17.1.2 Limitations17.2 Related Work17.2.1 Constraint-based control17.2.2 Robotic architecture17017017017017117117214 Constraint-Based Dynamic Systems14.1 Asymptotic Stability14.2 Constraint Solvers14.3 Constraint Methods14.3.1 Discrete methods14.3.2 Continuous methods14.4 Summary14.5 Constraint-Based Dynamic Systems158• . 158• . 160• . 161• • 161• 162• . 165166• . 166• . 168viIV Conclusions and Further Research 17318 Conclusions and Further Research18.1 Conclusions18.2 Further Research18.2.1 Theory18.2.2 PracticeBibliography 180V Appendixes 192A Proofs of TheoremsA.1 Topological Structure of DynamicsA.2 The Constraint Net ModelA.3 Modeling in Constraint NetsA.4 Behavior AnalysisA.5 Behavior VerificationA.6 Constraint-Based Dynamic SystemsA.7 Control SynthesisB ALERTB.1 Visual Programming with Constraint NetsB.2 Simulation and AnimationB.3 The Maze TravelerC Examples of Design and Analysis193193204207208209215218219219222226230230233234238D Model Estimation for the CarIndex240242175175• . 178• . 178179C.1 Modeling and Control of an Hydraulically Actuated ArmC.2 Modeling and Verification of an Elevator SystemC.2.1 Discrete modeling and verificationC.2.2 Continuous modeling and verificationVIIList of Figures1.1 A robotic system 31.2 The configuration of a car 41.3 The problems and our solutions 61.4 The constraint net of Equation Li 91.5 Timed V-automata specification 113.1 An event trace: each dot depicts a time point 373.2 Event logic for “or” 384.1 The constraint net representing a state automaton 444.2 The constraint net representing 4 = f(s) 444.3 Cascade, parallel and feedback connections 464.4 An input/output automaton (s* denotes either s or s’) 485.1 Basic modules for event logics 605.2 Event logic for “and” 615.3 A producer-consumer event synchronizer 635.4 An event filter 635.5 An event select 645.6 (a) The car-like robot (b) Traveling through a maze 655.7 The maze traveler robotic system 655.8 (a) Event generator (b) Control circuit 675.9 A sequential module 695.10 A functional composition G o F 695.11 An event counter 705.12 A sequential module for a recursive function 715.13 A sequential module for the minimization operation 725.14 A sequential module for internal choice A + B 735.15 A sequential module for external choice C—÷ AID —÷ B 735.16 The FIRST module 745.17 The TIMEOUT module 746.1 Equivalent traces and their abstraction 836.2 The heading of a maze traveler and its abstraction 83viii10.110.210.310.411.111.211.314.114.214.3C.’C.2C.3C.4C.SC.6113113115116127128129154155156160163220221221• . 223223• . 224224225225226227228228229230233234237237238V-automata: (a) goal achievement (b) safety (c) bounded responseThe specification of (a) the producer-consumer problem (b) the maze travelerReal-time responseA generalized V-automatonThe algorithm for invariant generationThe algorithm for boundedness and global timingThe algorithm for local timingA framework for constraint satisfactionConstraint solvers and constraint satisfactionSpecification for (a) Constraint solver (b) Constraint-based dynamic system15.1 Embedded constraint solvers15.2 Path planning16.1 Abstraction hierarchy 16716.2 Arbitration hierarchy (CS’s and A’s denote solvers and arbiters respectively) • • 16818.1 Summary 176ALERTLogic modulesEvent modulesCircuit with latencyLatency with 6k = 0.25Latency with 6k = 2Circuit with samplingSampling with 6k = 0.25Sampling with 6k = 2B.10 The overall structure of the maze traveler systemB.11 Animation of the maze travelerB.12 The car modelB.13 The control moduleB.14 The event moduleB.1B.2B.3B.4B.5B.6B.7B.8B.9A two-link armThe interface of a simple 3-floor elevatorThe complete elevator systemSpecifications of real-time responseState transition graphsA more realistic specificationixList of Tables5.1 Basic types of model for dynamic systems 59xAcknowledgementThis thesis could not have been a success without the contributions of the members of mysupervisory committee: Alan, Peter, Nick, Jeff and Dinesh.It has been most fruitful and enjoyable for me to have had Alan Mackworth as my thesissupervisor and research collaborator. Alan’s perspective and interest inspired me to enter thisnew world. His open-mindedness and trust provided me with the extreme freedom to exploreand to learn, and his continued financial support has made the completion of this thesis possible.I have learned much from Peter Lawrence during my long graduate studies at UBC, notonly about robotics and control theory, but also about how engineers solve problems. Mostconcepts of this thesis are the result of my regular discussions with Peter over the years.Nick Pippenger has been acting as an oracle in my research. There is really nothing thatNick has no knowledge of in mathematics. My confidence in my formalisms is rooted in Nick’sapproval. Nevertheless, I am fully responsible for every mistake I may have made in the thesis.It was Jeff Joyce who first introduced me to programming semantics, software/hardwareco-design, and to formal specification and verification. Jeff always has a crucial insight. Hisenthusiasm for what should be done and his belief in what can be done have greatly influencedmy research.Dinesh Pai’s work on constraint-based robotics has directly stimulated many ideas in thisthesis, some of which are the further development of my course project in his exciting computational robotics class. Dinesh is always a good model for me. His wide knowledge acrossareas in computer science, electrical and mechanical engineering makes him a good example ofa good researcher in both theory and practice.The Laboratory for Computational Inteffigence (LCI) has been a supportive environment.Michael Sahota has always been there to lend me help of any kind at any time I needed. BillMillar has always been willing to discuss with me everything about my thesis. They are thevery first readers and the very effective reviewers of my thesis draft. Andrew Csinger was kindenough to provide me with the final proof-reading of my thesis. An aspiring author with aphilological bent, Andrew precisely pointed out subtle problems in my use of English. I amnonetheless responsible for any remaining errors, grammatical or otherwise. Valerie Mcrae, ourlab secretary, has always been the first person I turned to whenever I had a problem.I thank Danny Bobrow for providing me with a summer internship and a stimulating environment at XEROX PARC and for referring me to XEROX WRC. It has been a most excitingexperience to work with people in both SERA and the responsive environment project.I thank the University of British Columbia for the Graduate Student Fellowships andNSERC for the Post Doctoral Fellowship they granted me.I thank my family back in China, my parents, aunts and uncles, for their wishes, belief,understanding and expectation.Last but not least, I thank Runping Qi, my husband, for his love and support. There isno word that is strong enough to express how much I have received from Runping; life for mewould be totally different without him.My long journey as a graduate student comes to an end. I am looking forward to newchallenges in the real world.Xl1The heaven attained Oneness and became clear.The earth attained Oneness and became settled.The spirit attained Oneness and became numinous.Valleys attained Oneness and became reproductive.All things attained Oneness and became alive.— Tao Teh Ching, Lao TzuTime attains Oneness and becomes linear.Domains attain Oneness and become universal.Components attain Oneness and become functional.Systems attain Oneness and become alive.Design and analysis attain Oneness and become productive.— Zhang YingChapter 1Motivation and IntroductionIn applications such as nuclear and chemical plants, forest industries, space and undersea exploration, there is a demand for inteffigent, reliable, robust and safe robots. Building controlsystems for autonomous robots working in complex environments is an important challenge forresearch in computer science, electrical and mechanical engineering.Robots are generally composed of electromechanical parts with multiple sensors and actuators. Robots should be reactive as well as purposive systems, closely coupled with theirenvironments; they must deal with inconsistent, incomplete and delayed information from various sources. Robots are usually complex, hierarchically organized and physically distributed;each component functions according to its own dynamics. The overall behavior of a robotemerges from coordination among its various parts and interaction with its environment. Wecall the coupling of a robot and its environment a robotic system, and the dynamic relationshipof a robot and its environment the robotic behavior.A robot controller (or control system) is a subsystem of a robot, designed to regulate itsbehavior to meet certain requirements. In general, a robot controller is an integrated software/hardware system implemented on various digital/analog devices. Designing control systems for robots that meet certain requirements has become an active topic studied in manyareas, such as reactive systems, inteffigent systems, real-time embedded systems and integratedhybrid systems. The issues raised in this interdisciplinary research range from programminglanguages and software/hardware engineering to control theory and dynamic systems.In this thesis, we establish a unified foundation for modeling, specifying and verifying discrete/continuous hybrid systems and take an integrated approach to the design and analysis ofrobotic systems and behaviors.2CHAPTER 1. MOTIVATION AND INTRODUCTION 31.1 The ProblemsA robotic system is a dynamic system. The study of dynamic systems is the study of dynamicsand the study of systems. The study of dynamics is concerned with how things change overtime. The study of systems is concerned with how a system’s overall behavior is generatedthrough interaction among its components.From the systemic point of view, a robotic system is a coupling of a robot to its environment,while the robot is a coupling of a controller to its plant (Figure 1.1). The roles of these threeFigure 1.1: A robotic systemsubsystems can be characterized as follows:• Plant: a plant is a set of entities that must be controlled to achieve certain requirements.For example, a robot arm with multiple joints, a car with throttle and steering, an airplaneor a nuclear power plant can each be considered as the plant of some robotic system.• Controller: a controller is a set of sensors and actuators, which, together with software/hardware computational systems, senses the observable states of the plant (X) andthe environment (Y), and computes desired control inputs (U) to actuate the plant. Forexample, an analog circuit, a program in a digital computer, various sensors and actuatorsmight be parts of the controller of some robotic system.• Environment: an environment is a set of entities beyond the (direct) control of the controller, with which the plant may interact. For example, obstacles to be avoided, objectsto be reached, and rough terrain to be traversed might from part of the environment ofsome robotic system.CHAPTER 1. MOTIVATION AND INTRODUCTION 4From the dynamics point of view, the relationship of a robot and its environment changes overtime. In order to develop a robotic system, analyze its behavior and understand its underlyingphysics, we need a mathematical model for characterizing the behaviors of its components andderiving the behavior of the overall system.Let us introduce an example that will be used throughout this thesis. In our Laboratory forComputational Inteffigence, a testbed has been installed for radio-controlled cars playing soccer[SM94]. Each “soccer player” has a car-like mobile base. It can move forward and backwardwith a throttle setting, and can make turns by steering its two front wheels. However, it cannotmove sideways and its turns are limited by mechanical stops in the steering gear.Figure 1.2 illustrates the configuration of a car. Let v be the velocity of the car and a bethe current steering angle of the front wheels; v and a, for now, can be considered as controlinputs to the car. The dynamics of the car can be simply modeled by the following differentialequations [Lat9i]:th=vcos(8), —_vsin(O), 6=v/R (1.1)where (x, y) is the position of the tail of the car, is the heading direction and R = L/ tan(a)is the turning radius given the length of the car L. The controller of such a car is equipped/ R’x /Figure 1.2: The configuration of a carwith both digital and analog devices [SM94).Although differential equations have been used to model continuous dynamic systems, theyare not sufficient to model discrete and event-driven systems. Although the continuous anddiscrete components of a system can be modeled and analyzed separately, it is essential to usea unitary model for discrete/continuous hybrid systems, in order to derive the behavior of theoverall system.CHAPTER 1. MOTIVATION AND INTRODUCTION 5Control systems are designed to meet certain requirements. Typical requirements includesafety, reachability and persistence. Safety declares that a system should never be in a certainsituation. Reachability declares that a system should reach a certain goal eventually. Persistencedeclares that a system should approach a certain goal infinitely often. A formal language forrequirements specification is essential for characterizing desired properties of a system and aformal method for behavior verification is essential for ensuring the correctness of the behaviorof the system with respect to some requirements specification.Yet another challenging task in the design of a robotic system is control synthesis, i.e., giventhe dynamics of the plant and the environment, produce a controller so that the behavior ofthe overall system meets certain requirements.As a whole, we propose four problems involved in the design and analysis of robotic systemsand behaviors:• How to model a robotic system?• How to specify desired properties?• How to synthesize a control system according to its requirements specification?• How to guarantee the robot will do the right thing?Figure 1.3 presents an overall picture of the problems and our corresponding solutions that wewill develope in this thesis.1.2 The Proposed SolutionsWe claim in this thesis that a unified foundation for discrete/continuous hybrid dynamic systemscan be established and an integrated approach to the design and analysis of robotic systemsand behaviors should be taken.First, we develop a semantic model for dynamic systems, that we call Constraint Nets(CN). CN introduces an abstraction and a unitary framework to model discrete/continuoushybrid systems. CN provides aggregation operators to model a complex system hierarchically;therefore, the dynamics of the environment as well as the dynamics of the robot can be modeledindividually and then integrated. CN supports multiple levels of abstraction, based on abstractalgebra and topology, to model and analyze a system at different levels of detail. CN, becauseof its rigorous foundation, can be used to define programming semantics of real-time languagesfor control systems.CHAPTER 1. MOTIVATION AND INTRODUCTION 6Control SynthesisConstraint MethodsHow To Make The Robot Do The Right Thing?Figure 1.3: The problems and our solutionsSecond, we develop a timed linear temporal logic (TLTL) and timed V-automata as specification languages. TLTL is a linear temporal logic developed on abstract time and domainstructures. Timed V-automata are essentially finite automata that accept timed traces; yet theyare powerful enough to specify properties of sequential and timed behaviors of hybrid systems,such as safety, reachability, persistence and real-time response. We develop a formal verification method for timed V-automata specification, by combining a generalized model checkingtechnique for automata with a generalized stability analysis method for dynamic systems. Thisverification method can be semi-automated for discrete time systems and further automatedfor finite domain systems.Third, we develop a systematic approach to control synthesis from requirements specification, by exploring a relation between constraint satisfaction and dynamic systems using constraint methods. With this approach, control synthesis and behavior verification are coupledthrough requirements specification. In particular, requirements specification imposes globalconstraints over a system’s behavior and controllers can be synthesized as embedded constraintsolvers that solve constraints over time. For complex control systems, we advocate a two-dimensional hierarchical structure. A system with such hierarchical structure will simplifydesign and analysis significantly.Will The Robot Do The Right Thing?The Constraint Net ModelWhat Is The Possible Realization Of The Robot?TLTL & Timed V AutomataWhat Is The Right Thing For The Robot To Do?CHAPTER 1. MOTIVATION AND INTRODUCTION 71.3 Semantic Model and Behavior AnalysisIn the past decades, models for continuous, discrete and event-driven dynamic systems havebeen developed and matured. Models for continuous and discrete dynamic systems includedifferential and difference equations, respectively [Lue79, San9O]. Models for event-driven dynamic systems include Mealy-Moore Machines [Mea55, Moo56], Petri Nets [Pet8lj, Calculusfor Communicating Systems (CCS) [MM79] and Communicating Sequential Processes (CSP)[Hoa85j. However, a robotic system in general is a continuous/discrete hybrid dynamic system.First, the plant and the environment of a robotic system are normally modeled in continuousdynamics. Second, most advanced robots today are controlled by distributed and asynchronousprocesses in digital computer networks, as well as by analog circuits. In order to develop asystem whose behavior can be analyzed and understood, a model for hybrid dynamic systemsis essential.In the last two years, hybrid systems have become a focus of interest of a wide communityfor two reasons. One is that analog computation once again is gaining attention because of theneural net model and analog VLSI technology. Another is that the use of computers to controland monitor continuous dynamic systems shows increasing importance.Our approach to developing a model for hybrid systems is motivated by the following arguments. First, hybrid systems consist of interacting discrete and continuous components.Instead of fixing a model with particular time and domain structures, a model for hybrid systems should be developed on both abstract time structures and abstract data types. Second,hybrid systems are complex systems with multiple components. A model for hybrid systemsshould support hierarchy and modularity. Third, hybrid systems are generalizations of basicdiscrete or continuous systems. A model for hybrid systems should be at least as powerfulas existing computational models. In short, a model for hybrid systems should be unitary,modular, and powerful.In this thesis, we start with a general definition of time. Time is a linearly ordered set. Inaddition, a metric distance is associated with any two time points and a measure is associatedwith some intervals of time points. Such a time structure abstracts the notion of event-based aswell as discrete and continuous time. We then examine domain structures in abstract algebraand topology so that discrete and continuous domains can be studied in a unitary framework.Given a time structure and a domain structure, we define two basic types of element in dynamicsystems: traces that are functions from time to domains, and transductions that are mappingsfrom traces to traces with the causal restriction, viz., the output value at any time is determinedCHAPTER 1. MOTIVATION AND INTRODUCTION 8oniy by its input values up to that time. For example, a finite state automaton with an initialstate defines a transduction from input traces to state traces, and temporal integration is atypical transduction in continuous dynamics.We then develop the Constraint Net model on an abstract dynamics structure composed ofa multi-sorted set of trace spaces and a set of basic transductions: transliterations (memory-lesscombinational processes), transport delays and unit delays (sequential processes), and event-driven transductions. Event-driven transductions play an important role in this model, acting asties between continuous and discrete time components, or as synchronizers among asynchronouscomponents.Syntactically, a constraint net is a graph with two types of node: locations and transductions, and with a set of connections between locations and transductions. Locations aredepicted by circles, transductions by boxes and connections by arcs. A location is an input iffit is not connected to the output of any transduction. A constraint net is open if there is aninput location; it is otherwise closed.Semantically, a constraint net represents a set of equations, with locations as variables andtransductions as functions. The semantics of the constraint net, with each location denoting atrace, is the least solution of the set of equations.A complex system is generally composed of multiple components. We define a module asa constraint net with a set of locations as its interface. A constraint net can be composedhierarchically using modular and aggregation operators on modules. The semantics of a systemcan be obtained hierarchically from the semantics of its subsystems and their connections.For example, Equation 1.1 is denoted by an open constraint net, as shown in Figure 1.4 inwhich sin, cos, tan and * are transliterations, and f is a temporal integrator. A module canbe defined with locations v, , x, y, 0 as its interface.In general, we can model a control system as a module that can be further decomposed into ahierarchy of interactive modules. The higher levels are composed of event-driven transductionsand the lower levels are analog control components. Furthermore, the environment of the robotcan be modeled as a module as well. A robotic system (Figure 1.1) can be modeled as anintegration of a plant, a controller and an environment. Formally, the semantics (or behavior)of the system is the solution of the following equations:X = PLANT(U,Y), U = CONTROLLER(X,Y), Y = ENVIRONMENT(X).As we can see here, a robot, composed of a plant and a controller, is an open system, and arobotic system, composed of a robot and its environment, is a closed system.CHAPTER 1. MOTIVATION AND INTRODUCTION 9Figure 1.4: The constraint net of Equation 1.1We finally study the issue of behavior analysis for robotic systems. We define the conceptsof abstraction and refinement for time and domains based on homomorphism and quotientalgebra, and derive equivalence relations on dynamic systems.A semantic model for hybrid dynamic systems defines a formal semantics for real-timeprogramming that may involve hardware/software co-design and digital/analog hybrid computation. A formal semantics, in turn, supports the formal analysis of real-time embeddedsystems.1.4 Requirements Specification and Behavior VerificationA semantic model for a robotic system can be considered an executable specification that defines the underlying structure of the system, i.e., the organization and coordination of thecomponents. Even though a system can be modeled at different levels of abstraction, each component is local in terms of constraints on time and its input/output domains. A requirementsspecification, in contrast, imposes global constraints on a system’s behavior.Let us consider the car-like robot we introduced previously. We will design control systemsfor such a robot to perform the following tasks:1. Maze Trave1er traveling in a maze and trying to get out of the mazeThe environment of this system is a maze that is composed of various static obstacles. Arequirements specification for this robot is to get out of the maze.CHAPTER 1. MOTIVATION AND INTRODUCTION 102. Ball Shooter: tracking a moving ball and carrying the ball to a targetThe environment of this system is a moving ball, a target and a field with boundaries.A requirements specification for this robot is to eventually kick or carry the ball to thetarget.A requirements specification declares what a system should achieve, while an executablespecification shows how a system is implemented (at a certain level of abstraction). A formallanguage for requirements specification is essential for both formal verification and systematicsynthesis. Since robotic behaviors are inherently temporal, it is natural to adopt temporal logicas a language for requirements specification.We first develop a timed linear temporal logic (TLTL) as a specification language, in which“linear” stands for linear orders and “timed” indicates metric distances between time points.Let modal operators and 1J denote “eventually” and “always,” respectively. One possiblecontrol for the maze traveler is to make the robot move in a particular direction persistentlyin order to escape a maze of finite size. This property can be specified in TLTL as DMEwhere ME is a predicate for moving east, or < 6 and v > e for small 6 > 0 and e > 0;[>P is normally referred to as liveness or persistence. Kicking or carrying a ball to a targeteventually can be specified as K’DBT where BT is a predicate for the ball arriving at the target,or distance(Ball, Target) < e; DG is normally referred to as reachability or goal achievement.In addition, operators can be augmented with metric time so that real-time properties can bespecified. For instance, D(E—÷ TR) declares that any event (E) will be responded to (R)within time r.Even though TLTL can provide a formal specification, there is no general procedure forverifying the behavior of a system. An alternative to temporal logic for representing sequentialbehaviors is automata. If we take the behavior of a system as a language, then a specificationcan be represented as an automaton, and the verification checks the inclusion relation betweenthe behavior of the system and the language accepted by the automaton.We then develop timed V-automata, a generalization of (discrete) V-automata [MP871, forrequirements specification. V-automata have been proposed for the specification and verificationof concurrent systems; they are essentially finite automata that accept c-languages, i.e., setsof sequences of infinite length. We extend V-automata to timed V-automata to accept timeddiscrete/continuous traces.There are two reasons to adopt automata-type languages. First, automata provide graphical representations, which are more illuminating, and, in some cases, simpler than their texCHAPTER 1. MOTIVATION AND INTRODUCTION 11tual counterparts. The corresponding timed V-automata specification of DØME, DBT andD(E —* KR) are shown in Figure 1.5 (a), (b) and (c), respectively, where nodes are automaton-states and arcs are state transitions; 0 denotes a recurrent state, indicating a condition thesystem should satisfy periodically, and U denotes a stable state, indicating a “final condition”the system should satisfy.—iEREE —iE(c)Figure 1.5: Timed V-automata specificationSecond, automata facilitate a formal verification method— a set of sound and completeverification rules— based on a model checking technique and a stability analysis method. Givena constraint net model of a discrete time system, the set of verification rules can be used todeduce a set of state formulas that can be checked using an automatic or interactive theoremprover. If, in addition, the discrete time system is of a finite number of states, the set ofverification rules can be used to deduce an automatic verification algorithm that has polynomialtime complexity in both the size of the specification and the size of the system.1.5 Control Synthesis and Robotic ArchitectureThe problem of behavior verification in general is hard. However, a well-organized and structured system will simplify the problem of verification. Therefore, robotic architecture plays animportant role in both design and analysis.We first develop a general framework for the synthesis of control systems from requirements specification in timed V-automata. In this framework, constraint satisfaction is viewedas a dynamic process approaching the solution set of the given constraints asymptotically. Aconstraint solver is a constraint net whose semantics corresponds to a dynamic process of thistype. Constraint solvers can be systematically synthesized based on various constraint methods.li particular, continuous time constraint solvers are based on gradient methods and discretetime constraint solvers are based on relaxation algorithms in numerical computation. Controlsynthesis and behavior verification are coupled through requirements specification. While re(a) (b)CHAPTER 1. MOTIVATION AND INTRODUCTION 12quirements specification imposes constraints over the behavior of a system, the controller isdesigned as a set of embedded constraint solvers that, together with the dynamics of the plantand the environment, solve the constraints over time.A control system is a complex system. In this thesis, we advocate a modular and hierarchical robotic architecture. We study two types of hierarchy: composition hierarchy that isthe modular or compositional structure of a system, and interaction hierarchy that is the communication or interaction structure of a system. Furthermore, we propose a two-dimensionalstructure for the interaction hierarchy: abstraction hierarchy that reflects the granularity oftime and domain structures, and arbitration hierarchy that reflects constraint priorities.As a whole, a control system is designed as a set of embedded constraint solvers distributedover the two-dimensional interaction hierarchy. Constraint solvers at lower levels of the abstraction hierarchy are normally either continuous or discrete at fast and fixed sampling rates, whileconstraint solvers at higher levels are either event-driven or with noticeable computational delays. Constraint solvers at the same level of the abstraction hierarchy are coordinated throughvarious arbitrations, which form an arbitration hierarchy.1.6 How This Thesis Fits InThis thesis provides a foundation for the design of robotic systems and the analysis of roboticbehaviors. Robotic systems are integrated hybrid systems and robots are inteffigent real-timesystems. In this section, we illustrate how this thesis relates to these subjects.1.6.1 Integrated hybrid systemsIntegrated hybrid systems are systems consisting of a non-trivial mixture of discrete and continuous components, such as a controller realized by a combination of digital and analog circuits,a robot composed of a digital controller and a physical plant, or a robotic system consisting ofa computer-controlled robot coupled to a continuous environment. Integrated hybrid systemsare more general than traditional real-time systems; the former can be composed of continuoussubsystems in addition to discrete or event-controlled components. With the development ofcomputation, control and communication technologies, integrated hybrid systems will come toeveryday life, in such things as computer-controlled TVs, autonomous cars and smart buildings.Integrated hybrid systems engineering is a combination of computer engineering and control engineering. The life cycle for computer engineering includes specification, implementationand verification. The life cycle for control engineering includes modeling, design and analyCHAPTER 1. MOTIVATION AND INTRODUCTION 13sis. In practice, integrated hybrid systems require novel design principles and developmentenvironments for modeling, design and analysis, as well as specification, implementation andverification. From a theoretical point of view, integrated hybrid models, languages, algorithmsand programs propose brand new approaches to computation and control.Research and development in integrated hybrid systems have become very active for thelast two years. Typical commercial products for integrated modeling and simulation environments are Simulink [Incc] and SystemBuild [Incb]. Both Simulink and SystemBuild providegraphical modeling environments, simulation and animation tools, for discrete/continuous hybrid systems, as well as linear systems analysis libraries. Both systems support modularity andhierarchy with datafiow-, net- or circuit-like representations. Both systems have their advantages: Simulink is more flexible and simpler, while SystemBuild has more built-in functions.In addition, SystemBuild supports automatic code generation [Inca], which can greatly reducethe cost and time for developing real-time embedded control systems.Some research on languages of hybrid systems for modeling and simulation has also beenproposed: a typical example is SHSML: Standard Hybrid Systems Modeling Language [Tay92].SHSML is based mostly upon the conceptual definition of a hybrid system that underlies hybrid DSTOOL [GN92] and on the modeling and simulation environment provided by SIMNON[E1m77]. A system modeled by SHSML consists of continuous (continuous time and domain,e.g., differential equations), discrete (discrete time and continuous domain, e.g., difference equations) and logic (discrete time and domain) components. SHSML can be considered as anarchitecture definition language for software/hardware co-design.Some theoretical work on hybrid models and topologies has been carried out recently. Thereare two types of model: models for synchronous systems and models of hybrid automata.SIGNAL [BL9O] and LUSTRE [CPHP87] are based on the synchronous models derived fromthe Dynamic Network Processes model [KahT4], with the augmentation of clocks. Synchronousmodels can be considered as general models for discrete time and hybrid domain dynamicsystems. Phase transition systems [MMP91], event-driven hybrid systems [NK93aj and hybridautomata [ACHH93] are automata-based models in which states are differential equations,trajectories, or continuous activities. The theory of topological structures for hybrid domainshas been brought up [NK93a], so that continuity, stability and controllability of systems withhybrid domains can be further studied.Our work contributes to the research and development of integrated hybrid systems in thefollowing ways.CHAPTER 1. MOTIVATION AND INTRODUCTION 14First, Constraint Nets serve as a formal semantic model for hybrid dynamic systems; themathematical rigor underlies the foundation for both modeling and simulation. Just as withformal semantics for programming languages, formal semantics for modeling, control and simulation will not only bring unambiguousness and precision to existing real-time programminglanguages and simulation environments like Simulink and SystemBuild, but will also provideinsight into the design of new programming languages for hybrid systems.Second, unlike other efforts to combine discrete and continuous models, we begin by definingconcepts of dynamic systems on the abstraction that captures both discrete and continuous timeand domains. The Constraint Net model is a model of models, preserving the general structureof dynamic systems. Constraint Nets can be used not only for system design with modeling,control and simulation, but also for behavior analysis with refinement and abstraction.1.6.2 Intelligent real-time systemsIntelligent real-time systems are reactive as well as purposive systems, closely coupled withunstructured/unpredictable environments, such as robots that should promptly make correctdecisions in various situations, and accurately perform complex tasks in changing environments.Inteffigent real-time systems have attracted researchers from both the Artificial Intelligence (AT)and real-time control communities [Sch9l]. In the past, Al and control have focused on solvingdifferent problems with different interests and applications [DW91]. AT systems focus on high-level activity like planning, reasoning, and inferencing with facts and rules in knowledge base,while control systems involve sensing and acting in real time. Currently, there are two majortrends in the cross-fertilization of AT and control: one is to combine AT techniques (planning,knowledge and belief representation, symbolic processing, temporal and qualitative reasoning,inference rules, heuristic search, etc.) with control theory (linear and nonlinear control, adaptiveand fuzzy control, etc.), and the other is to experiment with reactive or situated systems. Fromthe Al point of view, the former is revisionary and the latter is revolutionary. The key differencesare the understanding of what is inteffigence and the methodology of how to realize intelligencein embedded real-time systems.In cognitive science, inteffigence is considered as the ability to plan, reason or apply knowledge to manipulate one’s environment. For robots, inteffigence reflects ways of acquiring, forming, storing and maintaining knowledge as well as planning and reasoning about actions toachieve desired goals. Much work has been done in Al on knowledge representation, planningand reasoning. However, it has been shown that domain-independent representation, planningCHAPTER 1. MOTIVATION AND INTRODUCTION 15and reasoning are difficult to fit in to a real-time framework. Many planning and reasoningproblems are computationally intractable [Cha87]. For both planning and reasoning, the morepowerful and general the knowledge and action representations are, the less feasible it is thatthese computations can be realized. For example, universal planning [Sch87], generating plansof mappings from situations to actions (reaction plans), and planning under uncertainty [Qi94],producing plans with maximum expected utilities or minimum expected cost, are in generalharder than planning action sequences. For any real applications, some compromise betweenthe complexity of plan representation and the complexity of planning must be achieved. Twotypical strategies have been studied: one is to adopt reactive planning, and the other is to apply any-time algorithms. Reactive planning {GL87, RK89] produces a partial planning strategygiven current states, so that the plan representation is simple, but planning and execution aretightly coupled to realize reactive and situated behaviors. Any-time algorithms [BD89, Bod9l]are algorithms producing results approaching the solution over time, so that a compromise canbe made between the accuracy of the results and the time for computation.In behavior science, real-time interaction with one’s environment is considered as the intrinsic characteristic of intelligence. Furthermore, such inteffigence is not from deliberate decision,but from distributed constraint satisfaction and cooperation among various components in thesystem. This view of intelligence is shared by many researchers in AT and psychology (Brooks[Bro9l], Meas {Mae89], Agre and Chapman [AC87j, Hewitt [Hew9lj, Minsky [Min86j, Beer[Bee9O], Braitenberg [Bra84]). Brooks and his colleagues did very interesting work on buildingartificial creatures {BCN88, Bro88, Con9Oj. Brooks [Bro86, BC86j proposed a robust, layeredcontrol system for mobile robots, called the subsumptiori architecture. Unlike the traditionaldecomposition of a mobile robot control system into functional modules, Brooks decomposeda mobile robot control system into task-achieving behaviors. Maes [Mae89] suggested that rational action selection could be modeled as an emergent property of an activation/inhibitiondynamics among modules. Similarly, Hewitt [Hew9lJ, Minsky [Min86] and researchers in Distributed AT [Huh87] argued that inteffigence comes from the interaction between multiple components and their environment. Agre and Chapman [AC88] claimed that pure planning andreasoning are not suitable for dealing with inconsistent, uncertain and immediate situations;rather, reaction and moment-to-moment improvisation play a central role in most activity.From the point of view of an experimental psychologist, Braitenberg [Bra84] studied variousincrementally complex life-like systems. Beer [Bee9O] performed a series of simulations of anartificial insect with adaptive behavior.CHAPTER 1. MOTIVATION AND INTRODUCTION 16Our work contributes to the research and development of intelligent real-time systems inthe following ways.First, by avoiding the controversial issues surrounding inteffigence, we focus on formal methods for specifying properties of behaviors and on systematic approaches to synthesizing controlsystems. Because there can be no rigorous definition of inteffigent or stupid behaviors, we usethe concept of desired properties of behaviors. Furthermore, behavior equivalence and systemrobustness are formalized and studied.Second, instead of advocating one particular type of implementation (knowledge-based orreaction-based) for intelligent real-time systems, we focus on general structures of complexsystems and principles for the organization of hybrid dynamic systems. Because ConstraintNets provide a unitary model for components with diversity in both time and domain structures(continuous, discrete or event-based time, and real, integer, logical, or symbolic variables), thebehavior of an overall system can be derived and analyzed.1.7 Thesis OutlineThis thesis consists of three major parts. Part I presents a mathematical structure of dynamics,the syntax and semantics of the Constraint Net model, and the method of behavior analysisbased on algebra and topology. Part II develops two languages, TLTL and timed V-automata,for requirements specification, and examines formal verification methods for timed V-automataspecification. Part III discusses a relation between behavior verification and control synthesisthrough requirements specification using constraint satisfaction, and proposes a robotic architecture with hierarchy and modularity. Each part starts with an introduction, and ends with asummary of our approaches and a survey of related work.Mathematical preliminaries on topology, algebra and analysis are presented whenever necessary; however, most of the proofs are given in Appendix A. A visual programming and simulation environment, ALERT— A Laboratory for Embedded Real-Time systems— has beendeveloped for modeling, synthesizing, simulating, and understanding various robotics systemsstudied in this research. ALERT and some simple examples are presented in Appendix B. Thecar-like robot is used as a running example throughout the thesis. Two more complex examples, an elevator system and a hydraulically actuated robot arm, are presented in AppendixC to further illustrate our approaches. A model estimation technique for the car-like robot isdiscussed in Appendix D.CHAPTER 1. MOTIVATION AND INTRODUCTION 171.8 A Guide to the ReaderWe assume that, by now, you have read this chapter, Motivation and Introduction. You alsohave an overall picture of the problems and our proposed solutions. In the rest of this thesiswe will systematically develop these solutions.We take an integrated approach towards modeling, specification, verification and controlsynthesis, each of which, nevertheless, is a research topic by itself.Those who are interested in real-time/hybrid models should start with Part I. Besides usingstandard techniques in denotational semantics like partial order topologies, we develop topological structures of time, domains and traces. Based on these topological structures, we develop,in series, the concepts of primitive and event-driven transductions, nets, modules, semantics andbehaviors. Even though the minimum background for understanding this part is elementary discrete mathematics (set, relation, function) and calculus (integrals and derivatives), knowledgeof dynamic systems, general topology, metric space and partial order would be an asset.Those who are interested in real-time specification/verification should continue onto PartII. The minimum materials from Part I for understanding Part II are topological structuresof time, domains and traces (Chapter 3), and general concepts of behaviors and requirementsspecification (Chapter 6). Besides predicate calculus and the first order logic, knowledge ofdynamic systems, temporal/modal logic and regular languages would be an asset.Those who are interested in planning and control should not miss Part III. The minimummaterials from Part I and Part II for understanding Part III are parameterized nets (Chapter4) and generalized V-automata (Chapter 10). Knowledge of nonlinear dynamics and constraintmethods would be an asset.Those who are interested in applications of the theory should finish (or start) with theappendixes, where the modeling and simulation environment is discussed, and the methodsdeveloped in this thesis are illustrated by examples.The problems of design and analysis are interesting and challenging enough to spend moretime on. We hope everyone, with every kind of background, will find something useful in thisthesis at every reading.Part ISemantic Model andBehavior Analysis18The Tao that can be taught is not the everlasting Tao.The Name that can be named is not the everlasting Name.That which has no name is the origin of heaven and earth.That which has a name is the Mother of all things.Tao Teh Ching, Lao TzuA system that can be modeled is not the system itself.A model that can be made is not the absolute model.That which has no model is the origin of a system.That which has a model is the understanding of the system.— Zhang Ying19Chapter 2IntroductionIn this chapter, we present an overview of Part I, Semantic Model and Behavior Analysis.There are four major chapters in Part I. Chapter 3 gives a topological structure of dynamics.Chapter 4 describes the Constraint Net model, its syntax and semantics. Chapter 5 illustratesthe modeling aspects of the Constraint Net model and discusses its computational power.Chapter 6 focuses on behavior analysis.2.1 Topological Structure of DynamicsOne important feature of this research is abstraction. The purpose of abstraction is for generalization. Hybrid systems are systems with possibly multiple data types and multiple timestructures. Instead of combining different models, we extract the commonalities shared byvarious models for dynamic systems.First, we develop a general structure of time, capturing linearity, metric and measure properties of time, i.e., for any two time points, there are two important attributes: order and metricdistance, and for any interval of time points, there is a measure. Discrete and continuous timecan be modeled by this structure uniformly. Two time structures may relate to each other interms of reference mapping.Second, we develop a general structure of domains that can be either simple or composite.Domains are associated with metrics capturing discreteness or density. They are also associatedwith partial orders characterizing definedness or information hierarchy.Third, we develop a general structure of traces that are mappings from time to domains.We further formalize event traces as a special kind of trace for modeling event-based time.Fourth, we define transductions as causal mappings from traces to traces. We furthercharacterize two types of transduction: primitive transductions and event-driven transductions.20CHAPTER 2. INTRODUCTION 21A primitive transduction is a functional composition of transliterations and delays for memory-less processes and sequential processes, respectively. An event-driven transduction is a primitivetransduction augmented with an event trace input that defines an event-based time structurefor the primitive transduction.Finally, we define a dynamics structure, based on a reference time structure and a domainstructure, as a pair consisting of a multi-sorted set of trace spaces and a set of primitive andevent-driven transductions.All structures are defined on two types of topology: partial order topology and metrictopology. The preliminary concepts of general topology, partial order and metric space aregiven first, following which all concepts are defined formally.2.2 The Constraint Net ModelWe start with the syntax of constraint nets. A constraint net is a bipartite graph, with twotypes of node: locations and transductions. A location is an input if it is not connected to theoutput of any transduction; it is otherwise an output. A module is a constraint net with a setof locations as its interface and with the rest of its locations as hidden locations. A complexmodule can be composed hierarchically from simple ones. Also a module can be considered asan abstraction of its net: hidden inputs capture nondeterminism, and hidden outputs captureinformation encapsulation.We then develop the semantics of constraint nets using continuous algebra. Locations denotetraces and transductions are causal mappings from traces to traces. A constraint net denotes aset of equations, each of which corresponds to a transduction. The semantics of a constraint netis the least solution of the set of equations. We further study the well-definedness of constraintnets and modules, and its relationship with algebraic loops. We finally introduce parameterizednets and limiting semantics for temporal integration.2.3 Modeling in Constraint NetsThe Constraint Net model (CN) is an abstraction of dataflow-like models. CN provides aunitary framework to model a hybrid system composed of components of different dynamics.We first define various event generators and synchronizers. Using event generators andsynchronizers, components of different time structures can be coordinated.CHAPTER 2. INTRODUCTION 22We then illustrate the modeling methodology with an example of a typical hybrid system, amaze traveler, whose overall system is composed of both discrete and continuous components.We finally explore the computational power of constraint nets, in terms of sequential computation and analog computation. We discover that a constraint net can model discrete sequentialcomputation in which the sequential order of a computation is controlled by events, and similarly, that it can model nondeterministic choices and time-out. We prove, for a simple domainstructure, that the Constraint Net model is as powerful as the Turing Machine model for sequential computation. We also establish, for analog computation, a relationship of smoothnon-hypertranscendental functions and constraint nets of continuous dynamics.2.4 Behavior AnalysisWe discuss the basic concepts of behavior analysis. Intuitively, the behavior of a system is the setof observable traces of the system. We characterize two important types of behavior: state-basedbehavior and time-invariant behavior. We then briefly discuss the following issues: requirementsspecification, robustness of parameterized nets with respect to requirements specification, andbehavioral complexity that is analogous to functional complexity in sequential computation.Since the Constraint Net model is developed on abstract time and domains, we can modeland analyze a system at different levels of abstraction. We first define the concepts of abstraction and refinement for time and domains, and then derive the concepts of abstraction andequivalence for behaviors.2.5 Summary and Related WorkPart I is the kernel and is considered as one of the major contributions of this thesis. It is the firsttime that a unitary and comprehensive model for discrete/continuous hybrid systems has beenproposed. The theory that supports the model is developed from algebra and topology. Eventhough similar techniques such as continuous algebra and fixpoint theory have been applied tothe semantics of sequential or concurrent programs, it is the first time that such techniques areapplied to the semantics of dynamic systems.Chapter 3Topological Structure of DynamicsIn this chapter, we present a topological structure of dynamics. We start with concepts ingeneral topology, then focus on two particular types of topology: partial order topology andmetric topology. Based on these two types of topology, we formalize time, domain and tracestructures. We then present transductions as causal mappings from traces to traces. Finally,we define abstract dynamics structures.3.1 General Topology, Partial Order and Metric SpaceIn this section, we summarize some mathematical preliminaries that will be used later. For amore comprehensive introduction, the reader is referred to other sources (e.g., [Gem9O, Hen8S,Vic89, MA86, War72, Roy88]).3.1.1 General topologyGeneral topology studies the limit-point concept based on which connectivity and continuitycan be defined.Definition 3.1.1 (Topology and Topological space) Let X be a set and 0 be an emptyset. A collection T of subsets of X is said to be a topology on X if the following axioms aresatisfied:• X E T and 0 E T.• If X1 E r,X2 E T, then X1 fl X2 E r.• If X, e T for all i E I, then UX e T, given an arbitrary index set I.(X, r) is called a topological space.23CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 24The members of a topology r are said to be r-open subsets of X, or merely open if no ambiguityarises. A subset S of X is closed if X — S is open. We will use X to denote topological space(X, T) if no ambiguity arises.Proposition 3.1.1 For any topology on X, X and 0 are both open and closed.Two topologies r1 and T2 on a set can be compared in the following sense: r1 is a finertopology than T2 If r1 T2.There are two extreme topologies on X. The coarsest topology is trivial topology in whichonly X and 0 are open and the finest topology is discrete topology in which all subsets of X areopen.Let x E X and N(x) be a T-open subset of X containing x, N(x) is called a neighborhoodof x w.r.t. T. A point x of X is a limit point of a subset S of X if every neighborhood of xalso contains a point of S distinct from x, i.e., VN(x), N(x) fl S — {x} 0.Topologies can also be defined in terms of limit points.Proposition 3.1.2 (1) A subset is closed if it includes all its limit points. (2) A topology istrivial if every point x is a limit point of any subset with elements distinct from x. A topologyis discrete if no point is a limit point of any subset.Now we define connectivity and continuity on topological spaces. A topological space isseparated if it is the union of two disjoint, non-empty open sets; it is otherwise connected.Proposition 3.1.3 A topological space is connected if the only sets that are both open andclosed are the empty set and the total set.Let (X, T) and (X’, T’) be topological spaces. A function f : X —* X’ is continuous if forany r’-open subset 5’ of X’, f—1(S’) = {xlf(x) E S’} is T-open.Proposition 3.1.4 (1) Continuous functions are closed under functional composition. (2) Afunction f : X — X’ is continuous, if x E X is a limit point of S C X implies that f(x) is apoint or a limit point of f(S) = {f(x)Ix E S}.It is natural to ask if there exists any smaller collection of subsets that can be used torepresent the open sets. The answer is affirmative, and the following definitions provide suchcollections.Definition 3.1.2 (Basis and Subbasis) A subset B of a topology r is said to be a basis forr if each member of T is the union of members of B. A subset S of T is said to be a subbasisfor T if the set B = {BIB is the intersection of finitely many members of S} is a basis for T.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 25We can derive new topologies based on known ones. Subspace topology and product topology are two important types of derived topology.Proposition 3.1.5 Let (X, r) be a topological space, X’ C X and r’ = {WIW = X’ fl U, U eT}. The collection r’ is a topology on X’.We call r’ the subspace topology on X’, and (X’, T’) a .subspace of (X, T).Let {(X, T)}eI be a family of topological spaces and let x1X be the product set of {Xj}jEI.Let S = {xjVjIV = X for all but one i E I, and Vj E T for all i E I}. We call T the producttopology on xjX if $ is a subbasis for T. We call (xiX, T) the product space of {(X, Ti)}iEI.If X, = X with the same topology for all i E I, x1X is denoted by X’.Proposition 3.1.6 Let {X}i be a family of topological spaces and J be an arbitrary indexset. Then (x1X) = xiXl.A Hausdorff topologies is one with the property that for any two points, there are disjointneighborhoods. The trivial topology is non-Hausdorif and the discrete topology is Hausdorif.In the next two sections, we will introduce two important types of topology that are betweenthe two extremes: partial order topology and metric topology. We will see that partial ordertopologies in general are non-Hausdorif and metric topologies are Hausdorif.3.1.2 Partial orderA set and a partial order relation on the set define a partially ordered set, or simply, a partialorder.Definition 3.1.3 (Partial order) Let A be a set. A binary relation Ac A x A is calleda partial order relation if <_A is reflexive, anti-symmetric and transitive. (A, <A) is calleda partial order; it is called a linear order if, in addition, Va1,a2 e A, either a1 <A a2 ora2 A a1.For any partial order relation A, let A denote the inverse of A, viz., a1 >A a2 if a2 <A a1,and let <A (>A) denote the strict relation of A (A), viz., a1 <A a2 (ai >A a2) if a1 <A a2(a1 A a2) and a1 a2. We will use A to denote partial order (A, A) if no ambiguity arises.Definition 3.1.4 (Subpartial order) Let (A, A) be a partial order and A’ C A. A partialorder relation A’ C A’ x A’ is called the subpartial order relation on A’ if a1 A’ a2 whenevera1 <A a2. (A’, A’) is called a subpartial order of (A, A).CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 26Definition 3.1.5 (Product partial order) Let {A}EI be a set of partial orders and A =x1A. A partial order relation <_A C A x A is called the product partial order relation on Aif a <A a’ whenever a A a for all i E I. (A, <A) is called the product partial order of{(A, A)}ieI.A partial order may have a least element and/or a greatest element.Definition 3.1.6 (Least (Greatest) element) Let A be a partial order. An element A(TA) E A is a least (greatest) element in A if it satisfies LA<A a (TA A a) for every a inA.It follows from the antisymmetry of <A that least (greatest) elements, if they exist, are unique.Any set A can be extended to a flat partial order by augmenting a least element J-A A.Definition 3.1.7 (Flat partial order) A flat partial order, written A, is a set A augmentedwith a new element ±A, viz., A = AU {±A} such that a < a’ implies a = a’ or a =1AElement ..LA is the least element of A. Usuaily LA means undefined in A. With this augmentation, any partial function to A can be extended into a total function to A, i.e., f(a) =1A iff is not defined at a. In this thesis, functions mean total functions unless explicitly stated.A subset of a partial order may have a least upper bound and/or a greatest lower bound.Definition 3.1.8 (Least upper (Greatest lower) bound) Let A be a partial order, D C Aand a e A. Then a is an upper (lower) bound of D if d A a (d A a) for every d E D.Moreover, a is a least upper bound (lub) (greatest lower bound (glb)) of D if1. a is an upper (lower) bound of D and2. if d’ is an upper (lower) bound of D then a <A d’ (a A d’).It follows from the antisymmetry of A that least upper bounds (greatest lower bounds), ifthey exist, are unique. We use VA D (AA D) to denote the least upper (greatest lower) boundof D in A, when it exists. We wifi drop the subscript A if it is clear from context. if A isthe set of real numbers with arithmetic ordering, we use “sup” and “inf” to denote V and Arespectively. If D is finite, we may use “max” and “mm” to denote V and A respectively.One important kind of subset of a partial order is directed subset.Definition 3.1.9 (Directed subset) Let A be a partial order and D c A. D is directed ifD 0 and for all d1, d2 E D, the set {d1,d2} has an upper bound in D.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 27A chain in a partial order A is a linearly ordered subset of A. A chain is a directed subset.One important kind of partial order is complete partial order.Definition 3.1.10 (Complete partial order (cpo)) A partial order A is complete if:1. it contains a least element, denoted ..LA, and2. every directed subset of A has a least upper bound in A.Following are two propositions related to cpos.Proposition 3.1.7 A flat partial order is a cpo.Proposition 3.1.8 The product of cpos is a cpo. Let {A}i be a set of cpos and A = x1A.The least element of A is J-A with (J-A) =-1-A , Vi e I. Let D be a directed subset of A. Theleast upper bound of D is VA D with (VA D) = VA D, Vi E I, where D is the projection of Donto its ith component, i.e., D = llD.A topology can be defined from a partial order.Definition 3.1.11 (Partial order topology) Let A be a partial order. A subset S of Ais open if (1) S is upward closed, i.e., a e S implies that Va’ A a, a’ E 5, and (2) S isinaccessible from any directed subset D of A, i.e., if VAD ES, then a ED, such that a E S.This collection of open sets on A forms the partial order topology of A.A partial order KA, A) is non-trivial if there exist two elements a, a’ in A such that a <A a’.Proposition 3.1.9 The partial order topology of a non-trivial partial order is non-HausdorffThe following two propositions declare the properties of continuous functions in partial ordertopologies.Proposition 3.1.10 Any continuous function is monotonic, i.e., if f: A —* A’ is continuous,then a1 A a2 implies f(ai) A’ f(a2).Proposition 3.1.11 Let A and A’ be two cpos. Then f A —f A’ is continuous if for everydirected subset D ç A,1. f(D) = {f(d)Id E D} is directed and2. f(VA D) = VA’ f(D).CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 283.1.3 Metric spaceMetric topology is the most direct generalization of the topology used for real numbers inanalysis.Definition 3.1.12 (Metric and Metric Space) Let X be a set and 7+ be the set of nonnegative real numbers. A function d: X x X R.+ is a metric on X if• d(x,y)—_d(y,x).• d(x,y) d(x,z)+d(z,y).• d(x,y)=Oiffx=y.(X, d) is called a metric space.Let (X, d) be a metric space, x E X and e be a positive real number. The spherical eneighborhood of x is {x’Id(x’, x) < e}, denoted N(x).Definition 3.1.13 (Metric topology) The metric topology of a metric space is a topologywith the set of spherical neighborhoods as a subbasis.Proposition 3.1.12 Metric topologies are Hausdorff.Another important concept used in analysis is measure. Let X be a set. A family a ofsubsets of X is a a-field on X if it contains the empty set, the complement in X of everyelement in a and the union of every denumerable subcollection. (X, a) is called a measurablespace.Definition 3.1.14 (Measure and Measure space) Let (X,a) be a measurable space. Afunction i : a —* 7+ U {oo} is a measure if ji(O) = 0, and for any denurnerable index set Jand any set of mutually disjoint elements {X3}j of a, t(ujX) = Ej(X). (X, a, ji) iscalled a measure space.If (X, T) is a topological space, then the smallest a-field containing T is called the Borel field ofsets, denoted Borel(X). A measure defined on Bore1(X) is called a Borel measure.Finishing up this section, we define the concept of limits. Given any linear order L andtopological space X, v : L — X is called a linear set of values. A limit of v is defined as ageneralization of a limit of a sequence.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 29Definition 3.1.15 (Limit) Let X be a topological space and v : L —* X be a linear set ofvalues. A point vK e X is called a limit of v, written v —* v”, if for every neighborhood N(v*)of v’, 3l, V1 L lo,v(l) E N(v*).If L has a greatest element 10, then v —÷ v(lo). Therefore, the concept of limits is also ageneralization of the “final” value. We will use limi v(l) to denote the limit of v if it isunique.One important property of Hausdorif topologies is the uniqueness of limits.Proposition 3.1.13 If X is of a Hausdorff topology and v : L —* X is a linear set of values,then v — v and v —÷ v imply v — v.One important property of product topologies is the pointwiseness of limits.Proposition 3.1.14 If xjX: is of the product topology and v : L —* x1X is a linear set ofvalues, then v —+ v’ if v, —* v for all i E I.3.2 Time StructuresUnderstanding time is the key to understanding dynamics. We formalize time using an abstractstructure that captures its important aspects. A time structure, in general, can be consideredas a linearly ordered set with a start time point, an associated metric for “the distance betweenany two time points” and a measure for “the duration of an interval of time.”Definition 3.2.1 (Time structure) A time structure is a triple Kr, d, ) where• I’ is a linearly ordered set (T, ) with 0 as the least element;• (T, d) forms a metric space with d as a metric satisfying: for all to t1 < t2,d(to,t2)= d(to,t1)+ d(t1,t2),{tlm(t) < r} has a greatest element and {tlm(t) > T} has a least element for all 0 r <sup{m(t)It E T} where m(t) = d(0,t);• (T, a, t) forms a measure space with a as the Borel set of topological space (7, d) and ias a Borel measure satisfying [t([ti,t2)) < d(t1,t2)for all t1 < t2 where [t1,2) = {t1 <t < t2} and([ti,t))=([O,t2))—jt([O,t1).CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 30For simplicity, we will use T to refer to time structure (T, d, i) when no ambiguity arises. Formost applications, we have it([ti,t2)) = d(t1,t2). However, if T is an abstraction of anothertime structure, it is possible thatBt1,t2([))< d(t,t2). Discussions on time abstractionwill be found in Chapter 6, Behavior Analysis.A time structure T is infinite 1ff T has no greatest element and (T) = oo. T is discrete ifits metric topology is discrete. ‘T is continuous if its metric space is connected.For example, the set of natural numbers A[ and the set of nonnegative real numbers R, withd(t1,t2)= — t2 and1([0,t)) = t, are time structures. Al is discrete and ??+ is continuous.The set { 1 — In E .A1} with the metric d and the measure ii also defines a discrete timestructure. However, the sets {1— jn E .iV} U {1}, {0} U {In E .iV} and [0,1] U [2,3] withthe metric d and the measure form time structures neither discrete nor continuous. The setof rational numbers Q with the metric d and the measure does not form a time structure.Proposition 3.2.1 (1) For any time structure T, if T C T has an upper bound in T, T hasa least upper bound in T.(2) The following properties for a time structure are equivalent:(a) T is discrete.(b) Let (t1,2) = {tIti < t < t2}. For all t, if t is not the least element of T, then t’ < t,denoted pre(t), such that (t’, t) 0, and for all t, if t is not the greatest element of T,then t’ > t, denoted suc(t), such that (t, t’) = 0.(c) T is well-founded, i.e., Vt E ‘T, [0, t) is finite.(3) The following properties for a time structure are equivalent:(a) T is continuous.(b) 7 is dense, i.e., for all t1 < t2, there exists to such that t1 < to < t2.htuitively, discrete time is isomorphic to an ordered subset of natural numbers and continuoustime is isomorphic to a left-closed interval of a real line. Even though our definition of timestructures is general, discrete and continuous time structures are most commonly used.A time structure T,d,j) may be related to another time structure (7,dr,r), where(7., <r) is a linear order with 0,. as the least element, by a reference time mapping h : ‘ 7,.satisfying• the order among time points is preserved: t < t’ implies h(t) <,. h(t’),CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 31• the least element is preserved: h(O) =• the distance between two time points is preserved: d(t1,t2)= dr(h(ti), h(t2)), and• the measure on any finite time interval is preserved: tz({O, t)) = tr([Or, h(t))).7; is called a reference time of T, and T is called a sample time of 7;. For example, ifh : Al —+ fl is defined as h(n) n, R,+ is a reference time of .A1. For any time structure T, areference time of T is as “dense” as T. Furthermore, the reference relation is transitive:Proposition 3.2.2 If To is a reference time of T1 and T1 is a reference time of T, then T0 isa reference time of T2.3.3 Domain StructuresAs with time, we formalize domains as abstract structures so that discrete and continuousdomains are defined uniformly. A domain can be either simple or composite. Simple domainsdenote simple data types, such as reals, integers, Booleans and characters; composite domainsdenote structured data types, such as arrays, vectors, strings, objects, structures and records.Definition 3.3.1 (Simple domain) A simple domain is a pair (A U {!A}, dA) where A is aset, JA A means undefined in A, and dA is a metric on A.Let A = A U {IA}. For simplicity, we will use A to refer to simple domain (A, dA) when noambiguity arises. For example, let fl be the set of real numbers, 7 is a simple domain with aconnected metric space; let B = {O, 1}, B is a simple domain with a discrete topology on B.Any simple domain A is associated with a partial order relation <A. (A, x) is a flat partialorder with .LA as the least element. In addition, A is associated with a derived metric topology7- = TA U {A} where TA 18 the metric topology on A derived from the metric dA.Proposition 3.3.1 {±A} is not T-open. The only neighborhood of JA is A.A simple domain (A, dA) can also be represented as a triple (A, A, 7-) where <A is the partialorder relation and r is the derived metric topology.A domain is defined recursively based on simple domains.Definition 3.3.2 (Domain) (A, A, T), with <A as the partial order relation and T as thederived metric topology, is a domain if:CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 32• it is a simple domain; or• it is a composite domain, i.e., it is the product of a family of domains {(A, <As, r>}jisuch that (A, A) is the product partial order of the family of partial orders {(A, A)}eIand (A, r) is the product space of the family of topological spaces {(A, r)}ei.Note that there is no restriction on the index set I, which can be arbitrary (finite or infinite,countable or uncountable). For simplicity, we will use A to refer to domain (A, A, r) whenno ambiguity arises. For example, let n be a natural number, then is a composite domainwith n components; let Al be the set of natural numbers, then Al —f (or equivalently, ) isa composite domain with infinitely many components.Given a simple domain A, a value a E A is well-defined if a JA. Given a compositedomain x1A, a value a E x1A is well-defined ifF a is well-defined for all i E I. A value in adomain is undefined if it is the least element of the domain.Intuitively, for any domain, its partial order topology characterizes the information (ordefinedness) hierarchies of data and its derived metric topology characterizes the limit propertiesof data.Proposition 3.3.2 For any domain, its partial order topology is finer than its derived metrictopology, and both are non-HausdorffA signature is a syntactical structure of a multi-sorted set of data with associated functions.Definition 3.3.3 (Signature) Let (S,F) be a signature where S is a set of sorts and Fis a set of function symbols. F is equipped with a mapping type: F —* S’ x S where 5* denotesthe set of all finite tuples of S. For any f E F, type(f) is the type of f. We use f : —* s todenote f E F with type(f) = (s*,s).For example, the signature of Boolean algebra can be described as: = ({b}, {O,—, A, v}>with 0 :—* b, : b —* b, A: b,b—* b, and V : b,b —* b. Eb has one sort with a constant 0 (nullaryfunction), a unary function— and two binary functions A and V.A domain structure of some signature is defined as follows.Definition 3.3.4 (s-domain structure) Let = (5, F> be a signature. A s-domain structure A is a pair ({AS}SES, {fA}fEF) where for each s E 5, A3 is a domain of sort s, and foreach f : s —* s e F with s : I —* S and s E 5, fA : x1A3 —* A3 is a function denoted by f,which is continuous in the partial order topology.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 33To be continuous on a domain in its partial order topology is not a real restriction on afunction. Strict functions are continuous functions in partial order topologies. A function isstrict w. r. t. an argument liT its output is undefined whenever its input of that argument isundefined. A function is strict iff it is strict w.r.t. all of its arguments.Given any partial or total function f: x1A —* A, a continuous function f: XJA, —* A canbe defined as:— f f(a) if a x1A,, and f(a) is defined,a1—i -I-A otherwise.We call f a strict extension of function f. We will also use f to denote its strict extensionif no ambiguity arises. For example, let E,. = ({r}, {O, +, .}) with 0 :—* r, + : r, r — r andr, r —÷ r. Then ({fl}, {O, +, }) is a Er-domain structure, where + and are strict extensionsof addition and multiplication on 7, respectively.However, not every extension of a function that is continuous should also be strict. Forexample, ({13}, {O, -‘, A, v}) is a Eb-domain structure where — A and V are negation, conjunctionand disjunction, respectively. Function V : 13 x 13 —* B is continuous but not strict, since V isan “or” logic satisfying 1 V x = 1 for all x e , thus, lvThe following propositions characterize the general properties of continuous functions onsimple domains.Proposition 3.3.3 (1) Function f : A —* A’ is continuous in the partial order topology if fis strict or constant. (2) If f : A —* A’ is continuous in the derived metric topology, then f iscontinuous in the partial order topology. (3) Function f: A —f A’ is continuous in the derivedmetric topology if f is continuous in the partial order topology and the restriction of f on Aand A’ is continuous in the metric topology, namely, for any open subset S of A’, f (5) fl Ais open.The properties of continuous functions in partial order topologies can be generalized tocomposite domains. A function f: xjA—b A is continuous w.r.t. an argument j, if function)a.f(a,a,)’ is continuous for all a E xI_{}A.Proposition 3.3.4 Let I be a finite index set. (1) Function f : x1A,, — A is continuous inthe partial order topology if f is continuous w.r.t. all i e I. (2) 1ff: XjA —* A is continuousin the derived metric topology, then f is continuous in the partial order topology. (3) Functionf : x 1J4 —* A is continuous in the derived metric topology if f is continuous in the partial1Ax.expr(z) is a lambda expression of a function f, equivalent to Vx, f(x) = czpr(x).CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 34order topology and the restriction of f on xiA and A is continuous in the product metrictopology, namely, for any open subset S of A, f1(S) fl xjA is open.A function is well-defined if its output is well-defined whenever its input is well-defined.Both well-definedness and strictness are closed under functional composition, and a functioncan be both well-defined and strict.For example, a widely used conditional function, cond: A x A x A’ x A’ —* A’, is defined asfollows:I -I-A’ ifx=±Aory=±Acond(x,y,u,v)= u else ifx=y (3.1)v otherwise.Function cond is continuous in the partial order topology; it is continuous in the derived metrictopology if A is of a discrete topology. Furthermore, it is well-defined and strict w.r.t. argumentsx and y.3.4 Traces and EventsIntuitively, a trace denotes changes of values over time. Formally, a mapping v : T —÷ A fromtime T to domain A is called a trace. A trace v is well-defined if v(t) is well-defined for allt e T. For example if T = fl+ and A = fl, v1 = At. sin(t) and v2 = At.e_t are well-definedtraces. A trace v is undefined 1ff v(t) is undefined for all t T.A trace provides complete information at every (finite) time point. Values at infinite timepoints are not represented explicitly, they can, however, be derived when limits are introduced.For example, lim sin(t) =J7 and limj...+ e = 0.Let A be a domain and v : L —* A be a linear set of values. A value v A is a limit ofv, written v —* v’, if vK is a limit of v in the derived metric topology of A. In the rest of thisthesis, limits defined on a domain will mean those in its derived metric topology. Limits of vmay not be unique. However, the set of limits of v has the following properties.Proposition 3.4.1 Let v : L —* A be a linear set of values. Then(1) v—*±A, and(2) v —* v and v —÷ v imply that either v = v or one of v and v is ±A.Proposition 3.4.2 Let v : £ —* A for A = xjA1. Then(1) v —* v iffv —* v for alli El, and(2) the set of limits {v*Iv v*} is a directed subset in (A, <A) and has a greatest element.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 35The greatest limit of v, written lim v, is defined as the greatest element of the set of limitsof v, i.e., lim v = VA{v*Iv —* v*}. Note that the greatest limit of a linear set of values alwaysexists and is unique. We will call the greatest limit simply the limit if no ambiguity arises.The following two propositions capture two important properties of the limits.Proposition 3.4.3 Let v : L — A for A = x1A. Then (limv) = limv,Vi El.Proposition 3.4.4 Ifv1,v2 L —* A and vi(l) <Av2(l)for alli EL, thenlimv1Alimv2.Proposition 3.4.3 characterizes the composite property of the limits. Proposition 3.4.4 characterizes the monotonic property of the limits.Using the concept of the limits, we can complete a trace with its values at limit time points.Given a time structure 7, let T°° be the set of downward closed intervals, i.e., for any T e T°°,(1) T 0 and (2) t e T implies that for all ‘ t, t’ e T. A trace v : 7 —* A can be extendedto its completion v°° : 700 —k A as v°°(T) = lim vIT where vIT denotes the restriction of v ontoT. If T has a greatest element to, then v°°(T) = v(to). A trace completion provides valuesat infinite as well as at finite time points. Note that 7 E 700, for any trace v : 7 —÷ A,v00(T) = lim v can be considered as the “final” value. For simplicity, we will use v to refer toboth v and its completion v00 when no ambiguity arises.Let T< = {t’It’ < t}. Then T< E T°° whenever t> 0. We use pre(t) to denote both T.<and the greatest element of T<, if it exists.Let T<t_T {t’It’ < t,d(t,t’) r} for r > 0. Then Tt_T e T°° whenever m(t) T.Proposition 3.4.5 For any time structure 7, T<t_T has a greatest element whenever m(t) T.We use t — T to denote the greatest element of T<t_T when m(t) T.The set of all possible traces from a time structure to a domain, associated with a partialorder relation and a derived metric topology, forms a trace space.Definition 3.4.1 (Trace space) Given a time structure T and a domain (A, <A, r), the tracespace is a triple (AT, AT, ) where AT is the product set (the set of all functions from 7 toA), AT is the product partial order relation constructed from the partial order relation A,and F is the product topology constructed from the derived metric topology T.For simplicity, we will use AT to refer to trace space (AT, AT, F) when no ambiguity arises.A trace space is essentially a composite domain. Therefore, limits of a linear set of tracescan be defined accordingly. Given a linear set of traces V : L —+ AT, limits and the greatestCHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 36limit of V are defined as follows. A trace V” E AT is a limit of V, written V —÷ V, if V is alimit of V in the derived metric topology of AT. Similar to the properties of limits of a linearset of values, the properties of limits of a linear set of traces are as follows.Proposition 3.4.6 Let V : L —* AT for a linear order L and a trace space AT. Then(1) V —* V if V(t) —* V*(t) for all t e T, and(2) the set of limits {V*IV V’} is a directed subset in (AT, AT) and has a greatestelement.The greatest limit of V, written lim V, is defined as the greatest element of the set of limits ofV, limV = VAT{V*IV V}. We will call the greatest limit simply the limit if no ambiguityarises. Furthermore, the composite property of the limits holds as well.Proposition 3.4.7 Let V : L —* AT. Then (limV)(t) = limV(t),Vt E T.The concept of the limit of a linear set of traces wifi be used when we introduce limitingsemantics in the next chapter.A nonintermittent trace is a special type of trace defined as follows. A trace v : T —+ Ais nonintermittent if for any T e T°°, v(T) =‘A implies that VT’ D T, v(T’) =JA. A tracev : T — x1A is nonintermittent if v is nonintermittent for all i E I.A right-continuous trace is a special type of trace defined as follows. A trace v : T — Ais right-continuous at to if Vt > to, t —* to implies v(t) —* v(to); v is right-continuous if it isright-continuous at all t E T. A discrete-time trace is always right-continuous according to thisdefinition.An event trace is a nonintermittent and right-continuous trace whose domain is B. An eventtrace e : T —+ with e At. ..L generates a structure (Ta, de, l-Le) from (T, d,j)where:• ‘T C I’ is defined as = {O} U {t > OIe(t) e(t) e(pre(t))},• dedITXT,• Vt E Te, Ue([O,t)) =1t([O,t)), and ite(7e) = p(T) for T = {te(t)J43}.Proposition 3.4.8 For any time structure T and any event trace e, (?,de,e) is a discretesample time structure of 7’.For any event-based time, each transition point of the event trace defines a time point (Figure3.1).CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 37e(t)Figure 3.1: An event trace: each dot depicts a time pointThe set of all possible event traces on a reference time structure, associated with a partialorder relation and a derived metric topology, forms an event space.Definition 3.4.2 (Event space) An event space is a triple (8T, eT, F’) where T is a timestructure, eT cT is the set of all event traces on T, <r is the sub partial order relation of—Tand F is the subspace topology of F that is the derived metric topology of B3.5 TransductionsTransductions are mathematical models of general transformational processes. In this section,we first define general concepts of transductions, then discuss two types of basic transduction:transliterations and delays. Finally, we introduce event-driven transductions for constructingsystems with components of different time structures.3.5.1 General conceptsA transduction is a mapping from input traces to output traces that satisfies the causal relationship between its inputs and outputs, i.e., the output value at any time depends only oninputs up to that time. Formally, causality can be defined as follows.Definition 3.5.1 (Causality and Transduction) Given v1, v2 E AT and r E R+, v1 and V2are coincident up to T iffVt,m(t) < r,vi(t) = v2(t). A mapping F : AT —* ART’ from a tracespace to a trace space is causal if for any t’ E T’, F(vi)(t’) = F(v2)(t’) whenever v1 and v2are coincident up to m’(t’). A causal mapping on trace spaces is called a transduction.For instance, a state automaton with an initial state defines a transduction on a discrete timestructure; a temporal integration with a given initial value is a typical transduction on a continuous time structure. Just as nullary functions represent constants, nullary transductionsrepresent traces. Transductions are closed under functional composition.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 38We characterize two classes of transduction: primitive transductions and event-driven transductions.3.5.2 Primitive transductionsPrimitive transductions are defined on a generic time structure T. Primitive transductions arefunctional compositions of two types of basic transduction: transliterations and delays.Definition 3.5.2 (Transliteration) A transliteration is a pointwise extension of a function.Formally, let f : A —p A’ be a function and T be a time structure. The pointwise extension off onto T is a mapping fT : AT A!T satisfying fT(v) = At.f(v(t)).By this definition, (f a g- = fT a ga-. We will also use f to denote transliteration fT if flOambiguity arises.Intuitively, a transliteration is a transformational process without memory or internal state,such as a combinational circuit. For example, let : x B—f B be a function definedas x y (-‘x) A y V x A (—‘y), i.e., an “exclusive or”. Then a pointwise extension of is atransliteration, functioning as the basic “or” logic in asynchronous event control [Sut89] (Figure3.2). We wifi discuss more on event logics in Chapter 5, Modeling in Constraint Nets.el ore2Figure 3.2: Event logic for “or”There are two types of delay: unit delays and transport delays.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 39Definition 3.5.3 (Unit delay) Let A be a domain, v0 a well-defined value in A, and T atime structure. A unit delay (vo) : AT AT is a transduction defined asA fvo ift=OST(vO)(v) = At. sI v(pre(t)) otherwisewhere v0 is called the initial output value of the unit delay.A unit delay 6(vo) acts as a unit memory for data in domain A, given a discrete time structure.We will use tS(vo) to denote unit delay 54(vo) if no ambiguity arises.Unit delays may not be meaningful for non-discrete time structures.Definition 3.5.4 (Transport delay) Let A be a domain, v0 a well-defined value in A, T atime structure and T > 0. A transport delay 4(r)(vo) : AT AT is a transduction definedasAA/ — I v0 if m(t) < r— At.‘v(— T) otherwisewhere v0 is called the initial output value of the transport delay and 7 is called the time delay.We will use (r)(v0)to denote transport delay (r)(v0)if no ambiguity arises. Transportdelays are essential for modeling sequential behaviors in dynamic systems.3.5.3 Event-driven transductionsA primitive transduction maps traces to traces with the same time structure. A hybrid systemconsists of components of different time structures. In this section, we consider event-driventransductions, which are an important component of our model.We define sample and extension traces as follows. Let 7 be a reference time of T witha reference time mapping h. The sample trace of v : —* A onto T is a trace t : T —* AsatisfyingV = At.v(h(t)).The extension trace of v : T —* A onto i is a trace Y: 7 —* A satisfying——f V(h’(tr)) if t E T, r([Or, tr)) it([O, t)) or r([Or, tr)) <(T)j -I-A otherwisewhereh1(tr) = {tIhQ) r tr} E T°°.Sampling is a type of transduction whose output is a sample trace of its input. Extendingis a type of transduction whose output is an extension trace of its input.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 40An event-driven transduction is a primitive transduction augmented with an extra inputwhich is an event trace; it operates at each event point and the output value holds between twoevents. The additional event trace input of an event-driven transduction is called the clock ofthe transduction. Intuitively, an event-driven transduction works as follows. First, the inputtrace with the reference time T is sampled onto the sample time 7 generated by the event tracee. Then, the primitive transduction is performed on 7. Finally, the output trace is extendedfrom T back to T.Definition 3.5.5 (Event-driven transduction) Let T be a time structure and FT : ATA’T a primitive transduction. Let CT be the set of all event traces on time structure T. Theevent-driven transduction of F is a mapping F CT x AT A” satisfying:—At. ±A’ if e = At. JFT(e,v) —( FT(V) otherwise.We will use F° to denote event-driven transduction F- if no ambiguity arises.3.6 Dynamics StructuresWith preliminaries established, we define an abstract structure of dynamics.Definition 3.6.1 (E-dynamics structure) Let E = (S, F) be a signature. Given a 2-domainstructure A and a time structure T, a s-dynamics structure D(’T, A) is pair (V, F) such that• V = {A}3sU CT where A is a trace space of sort s and CT is the event space;• F = FT U F- where F, is the set of basic transductions, including the set of transliterations {f}fEF, the set of unit delays and the set of transport delays{ (r)(v3)}3es,T>o,VEA,F is the set of event-driven transductions derived from theset of basic transductions, i.e., {F°F E FT}.Finishing up this chapter, let us explore the properties of dynamics structures.The following propositions establish the fact that the partial order of a trace space and thepartial order of an event space are cpos.Proposition 3.6.1 The partial order of a domain is a cpo.Proposition 3.6.2 The partial order of a trace space is a cpo.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 41Proposition 3.6.3 The partial order of an event space is a cpo.The following propositions characterize the continuity of basic transductions in partial ordertopologies.Proposition 3.6.4 A transliteration fT : AT —* A!T on any time structure T is continuous iff : A —* A’ is continuous.Proposition 3.6.5 A unit delay on any discrete time structure is continuous.Proposition 3.6.6 A transport delay is continuous.The following proposition characterizes the continuity of event-driven transductions.Proposition 3.6.7 An event-driven transduction F° is continuous if its primitive transductionF on any discrete time structure is continuous.The following theorem concludes these properties.Theorem 3.6.1 (s-dynamics structure) Let A be a E-domain structure and T a time structure. The E-dynamics structure D(T, A) = (V, F) satisfies (1) V is a multi-sorted set of cposand (2) transliterations, transport delays and event-driven transductions in F are continuous inthe partial order topology. If, in addition, T is discrete, all transductions in F are continuousin the partial order topology.Transductions are functions. The well-definedness and strictness of a transduction is thewell-definedness and strictness of the function, respectively. The following propositions characterize well-defined and/or strict transductions in dynamics structures.Proposition 3.6.8 A transliteration fT is well-defined if function f is well-defined; fT isstrict w.r.t. an argument if f is strict w.r.t. the argument.Proposition 3.6.9 Any delay is not strict. A unit delay on any discrete time structure iswell-defined. A transport delay is well-defined.Proposition 3.6.10 An event-driven transduction F° is well-defined if F on any discrete timestructure is well-defined; F° is strict w.r.t. its event input, and F° is strict w.r.t. one of theother input arguments if F is strict w.r.t. the argument.CHAPTER 3. TOPOLOGICAL STRUCTURE OF DYNAMICS 42Event traces are noniiitermittent and right-continuous. We call a transduction nonintermittent if its output is nonintermittent whenever its input is nonintermittent. We call a transduction right-continuous if its output is right-continuous whenever its input is right-continuous.The following propositions characterize nonintermittent and/or right-continuous transductionsin dynamics structures.Proposition 3.6.11 A transliteration fT is right-continuous if f is continuous in the derivedmetric topology; fT with f : x 1A —> A is nonintermittent if f is strict, well-defined andcontinuous in the derived metric topology.Proposition 3.6.12 A delay is nonintermittent. A transport delay is right-continuous.Proposition 3.6.13 An event-driven transduction is right-continuous. An event-driven transduction F° is nonintermittent if F is nonintermittent.For example, the “event or” transduction (Figure 3.2) is well-defined and strict; it is alsoright-continuous and nonintermittent. “Event or” is a typical event synchronizer. In Chapter5, Modeling in Constraint Nets, we will define other event synchronizers that are all nonintermittent and right-continuous.We have presented a topological structure of dynamics by formalizing time, domains andtraces in topological spaces and by characterizing primitive and event-driven transductions.With such a topological structure, continuous/discrete time and domains can be representeduniformly, and hybrid dynamic systems can be studied in a unitary model.Chapter 4The Constraint Net ModelA hybrid dynamic system can have multiple sorts corresponding to different data types thatcan be numerical, symbolic or logical. It can have multiple components with different timestructures generated by different clocks, and clocks can be generated or synchronized.In this chapter, we present a formal model for hybrid dynamic systems, that we call Constraint Nets (CN). We first define the syntax of CN. We then provide a fixpoint semantics of CNusing the fixpoint theory of partial orders. Finally, we discuss parameterized CN and temporalintegration in CN.4.1 Syntax of Constraint NetsIn this section, we introduce the syntax of constraint nets and characterize the compositestructure and modularity of the model.4.1.1 Syntax and graphical representationA constraint net consists of a finite set of locations, a finite set of transductions and a finite setof connections.Definition 4.1.1 (Syntax) A constraint net is a triple CN = (Lc,Td,Cn), where Lc is afinite set of locations, each associated with a sort; Td is a finite set of labels of transductions,each with an output port and a set of input ports, and each port is associated with a sort; Cn isa set of connections between locations and ports of the same sort, with the following restrictions:(1) there is at most one output port connected to each location, (2) each port of a transductionconnects to a unique location and (3) no location is isolated.43CHAPTER 4. THE CONSTRAINT NET MODEL 44Intuitively, each location is of fixed sort; a location’s value typically changes over time. Alocation can be regarded as a wire, a channel, a variable, or a memory cell. Each transductionis a causal mapping from inputs to outputs over time, operating according to a certain referencetime or activated by external events. Connections relate locations with ports of transductions.A clock is a special kind of location connected to the event ports of event-driven transductions.A location I is an output location of a transduction F if 1 connects to the output port of F;1 is an input location of F 1ff 1 connects to an input port of F. A location is an output of theconstraint net if it is an output location of a transduction; it is otherwise an input. A constraintnet is open if there is an input location; it is otherwise closed. We use I(CN) and O(CN) todenote the set of input locations and the set of output locations, respectively, of a constraintnet CN.A constraint net is depicted by a bipartite graph where locations are depicted by circles,transductions by boxes and connections by arcs. For example, the graph in Figure 4.1, wheref is a transliteration and is a unit delay, depicts an open net. The net, with a discrete timestructure, models a state automaton: s(O) = o, s(n) = f(i(n — 1), s(n — 1)). The closed net° 1E1EH 6 (s0)Figure 4.1: The constraint net representing a state automatondepicted by the graph in Figure 4.2, with a continuous time structure, models a differentialequation . = f(s).S(SO)J-Figure 4.2: The constraint net representing . = f(s)4.1.2 Modules and compositionA system may be composed of subsystems. In order to capture the hierarchical compositionstructure of systems, we introduce subnets and modules.CHAPTER 4. THE CONSTRAINT NET MODEL 45Definition 4.1.2 (Subnet) A constraint net CN1 = (Lci,Tdi,Cni) is a subnet of CN2 =(Lc2,Td2,Cn2), written CN1 C CN2, if Lc1 C Lc2, Td1 C Td2, Cn1 C Cn2 and I(CN1) CI(CN2).Definition 4.1.3 (Module) A module is a triple (CN,I,O), also denoted CN(I,O), whereCN is a constraint net, I ç I(CN) and 0 ç O(CN) are subsets of the input and outputlocations of CN, respectively; I U 0 defines the interface of the module.A module CN(I, 0) is closed if I = 0; it is otherwise open. Locations in I(CN) — I are hiddeninputs and locations in O(CN)— 0 are hidden outputs. A module will be depicted by a boxwith rounded corners.We define three basic operations union, coalescence and hiding— that can be appliedto obtain a new module from existing ones.The union operation generates a new module by putting two modules side by side. Formally,let CN1 = (Lci, Td1Cni) and CN2 = (Lc2,Td2,Cn2) be two constraint nets, with Lc1 flLc2 =0 and Td1 fl Td2 = 0,’ then the union of CN,(I,, 0,) and CN2(1,02), written CN,(I,, 01)11CN2(1,0), is a new module CN(I,O) where CN = (Lc,Td,Cn) is a constraint net withLc = Lc, U Lc2, Td = Td, U Td2 and Cu = Cn, U Cn2, I U 0 defines its interface withI=11U2and 0 =Oiu02.The coalescence operation coalesces two locations in the interface of a module into one,with the restriction that at least one of these two locations is an input location. Formally,let CN (Lc,Td,Cn) be a constraint net, 1 e I and 1’ E I U 0 be of the same sort, thecoalescence of CN(I, 0) for 1 and 1’, denoted CN(I, O)/(l, 1’), is a new module CN’(I’, 0’)with CN’ = (Lc[l’/lj,Td,Cn[l’/l]), I’ = I — {l} and 0’ = 0, where X[v/x] denotes that x inX is replaced by v.The hiding operation deletes a location from the interface. Formally, let CN = (Lc, Td, Cm)be a constraint net and 1 I U 0, the hiding of CN(I, 0) for 1, denoted CN(I, O)\l, is a newmodule CN’(I’,O’) with CN’ = CN, I’ I— {l} and 0’ = 0— {l}.In addition, we define three combined operations: cascade connection, parallel connectionand feedback connection. The cascade connection connects two modules in series. The parallelconnection connects two modules in parallel. The feedback connection connects an output ofthe module to an input of its own.Figure 4.3 depicts the three operations. The formal definitions of these operations, in termsof basic operations, are as follows.‘Note that Td is a set of transduction labels, which can be different for the same transduction.CHAPTER 4. THE CONSTRAINT NET MODEL 46(DH)°0Cascade010ParallelCN2 CN2 —--4AFeedbackoI----Figure 4.3: Cascade, parallel and feedback connectionsCHAPTER 4. THE CONSTRAINT NET MODEL 47Let o E 01 and i2 E 12. A cascade connection of CN1(1,O) and CN2(1,02), denotedCN2(1,02) o CN1(1,Or), produces a new module CN(I, 0),CN(1, 0) = [(CN1(1,O) II CN2(1,02))/(i,ol)]\O1.Let i1 e I and i2 E 12. A parallel connection of CN1(1,0)and CN2(1,0),denotedCN1(Ii, O) + CN2(1,02), produces a new module CN(I, 0),CN(I, 0) = (CN11,O) CN2(1,02))/(ii, i2).Let i e I and o e 0. A feedback connection of CN(I, 0), denoted F(CN(I, 0)), producesa new module CN’(I’,O’),CN’(I’,O’) = [CN(I,0)/(i,o)]\o.The following relations hold for these syntactic operations.Proposition 4.1.1CN1(1,0) II CN2(1,02) = CN2(1,02)11 CN(1,Or).CN1(1,0) o (CN21,02) o CN3(1,03)) = (CN11,Oi) o CN2(1,02)) o CN3(1,03)if both sides are defined.CN1(Ii,0)+ (CN21,0)+ CN3(1,0))= (CN11,0)+ CN2(1,0))+ CN3(1,0)if both sides are defined.Proposition 4.1.2 Following are some properties of subnets:(1) CN1 and CN2 are subnets of CN1 CN2.(2) CN1 and CN2 are s’ubnets of CN1 + CN2.(3) CN1 is a subnet of CN2 o CN1, however, CN2 is not a subnet of CN2 o CN1.There are at least three reasons to introduce modules.First, modules facilitate hierarchical composition structures for complex systems. For example, we can create a state automaton module SA by selecting {i, s} or {i, s’} as the interfacefor the constraint net in Figure 4.1. An input/output automaton IOA can be constructed bycascading SA to a transliteration g as shown in Figure 4.4. IOA defines a transduction frominput traces to output traces.CHAPTER 4. THE CONSTRAINT NET MODEL 48Figure 4.4: An input/output automaton (* denotes either s or s’)Second, modules provide a flexible way to generate different systems from the same set ofcomponents. To illustrate this idea, let us again consider input/output automata. In general,an input/output automaton is a tuple I, S,.s0,f3, 0, f°) where I is the set of input values, S isthe set of states with E $ as the initial state, f3 : I x $ —* $ is a state transition function, 0is the set of output values and f0 is an output function. However, there are two ways to definean output function, corresponding to two types of input/output automata, f0 : I x $ —÷ 0for Mealy machines [Mea55] and f0 : S —* 0 for Moore machines [Moo56]. In a constraintnet model, a Mealy or Moore machine is derived by selecting different output locations as theinterface of its state automaton module. If we select {i, s’} as the interface of SA, then IOAis a Mealy machine with f5 = f and f0 = g o f. If we select {i, s} as the interface of SA, thenIOA is a Moore machine with f3 = f and f° = g.Third, modules capture the notion of abstraction through hidden locations. Hidden outputsencapsulate internal structures of a system. However, the role of hidden inputs is not soobvious. Consider again the state automaton in Figure 4.1. By hiding the only input locationi, we obtain a closed module representing a nondeterministic state transition system. Morespecifically, the state transition function f defines a state transition relation R S x 5, suchthat (s, s’) E R iff i e I, s’ = f(i, s), or equivalently, the set of next possible states of a state .sis {f(i, s)Ii E I}. In general, any module CN(I, 0) with I C I(CN) defines a nondeterministicsystem. Similar concepts have been explored in general systems theory [MT75]. We will discussmore on nondeterministic behaviors of modules in Chapter 6, Behavior Analysis. Furthermore,we can associate hidden locations with random distributions. Thus, while simpler than mostinherently nondeterministic models, the Constraint Net model can also incorporate probabilisticand stochastic analysis.4.2 Semantics of Constraint NetsWe have presented the syntactical structure of constraint nets, which is graphical and modular.However, syntax only serves as a mechanism for creating a model, the meaning of which is notCHAPTER 4. THE CONSTRAINT NET MODEL 49provided. There are many models with syntax similar to constraint nets (Petri Nets [Pet8lj forexample) that have totally different interpretations.Since transductions are mappings from traces to traces, a constraint net denotes a setof equations with locations as variables and transductions as functions; the semantics of theconstraint net should be a solution of the set of equations.A set of equations may have no solution, or exactly one solution, or more than one solution.For example, if x E fl, x = x — 2 has no solution, x = O.5x— 2 has one solution (—4), andx =— 2 has two solutions (—1 and 2). The fixpoint theory of partial orders has been appliedto provide denotational semantics for programming languages and models [Hen88]: a programor a model defines a function f and its semantics is the least solution of x = f(x), or the leastfixpoint of f.In this section, we will first present the fixpoint theory of partial orders and then apply thistheory to provide a fixpoint semantics for the Constraint Net model.4.2.1 Fixpoint theory of partial ordersA fixpoint of a function f can be considered as a solution of the equation x = f(x). The leastfixpoint is the least element in the fixpoint set.Definition 4.2.1 (Fixpoint and Least fixpoint) Let f : A —+ A be a function on a partialorder A. An element a e A is a fixpoint of f if a = f(a). It is the least fixpoint of f if, inaddition, a A a’ for every fixpoint a’ of f.Least fixpoints, if they exist, are unique. The least fixpoint of f will be denoted by t.f.The first fixpoint theorem is stated as follows.Theorem 4.2.1 (Fixpoint Theorem I) Let A be a cpo. Every continuous function f : A —÷A has a least fixpoint.We shall provide the proof of this theorem next, since the proof itself is to construct the leastfixpoint.Proof: Define x by induction on n:X= f(xfl.because x is the least element in A. Since f is monotonic (Proposition 3.1.10), wehave f(x) < f(x}), i.e., x} <x. Continuing this we have a chainCHAPTER 4. THE CONSTRAINT NET MODEL 50Since A is a cpo, this chain has a least upper bound VA{XITh> 0}, which we denote by Xf.Since f(xf) = VA{f(2))In 0} VA{XIfl 1} = x (Proposition 3.1.11), then xf is afixpoint of f.We now show that Xf is the least fixpoint. Suppose y is a fixpoint of f. We have: x < ybecause x is ±A. Furthermore, suppose x < y, then x1 f(x) < f(y) = y. Therefore< y for any k by induction. Thus, y is an upper bound for the chain {xIn 0}. Hence,Xf <.Therefore, for a continuous function f : A —* A, IL.f = VA{f(J-A)In 0}. CBy extending f to a function of two arguments, we have the second fixpoint theorem.Theorem 4.2.2 (Fixpoint Theorem II) Let A and A’ be two cpos. If f : A x A’ —f A’ isa continuous function, then there exists a unique continuous function t.f : A — A’, such thatfor all a e A, (,u.f)(a) is the least fixpoint of Ax.f(a, x), or equivalently, Va E A, (.f)(a) =f(a, (,u.f)(a)).The continuous function t.f: A —* A’ is called the least fixpoint of function f : A x A’ —* A’ orthe least solution of the equation y = f(x, y).Now we further investigate general properties of equations in complete partial orders.Proposition 4.2.1 Let I ç J be an index set. 1ff: x1A —* A is a continuous function, thenthe extension off, f’: xjA3 —* A satisfying f’(a) = f(a11), is a continuous function.Proposition 4.2.2 Let {fk : XjA3 —* Ak}keK be a family of continuous functions. Thenf: XjA3 —* XKAk with j(a)k = fk(a) is a continuous function.Proposition 4.2.3 If f : XjA, —* XKAk is a continuous function, K c J and I = J — K,then 1 has a least fixpoint[L.J: x1A —* XKAk.Proposition 4.2.4 Let X be a set of variables and 0 C X a set of output variables. Let {f0:x10A —* A0}o be a set of continuous functions. Then the set of equations {o=with : 1 —* X has a least solution.A set of equations can also be written as 6= f(, 6) where is a tuple of input variables and 6is a tuple of output variables. If f is continuous, then its least fixpoint is a continuous function,denoted t.j.CHAPTER 4. THE CONSTRAINT NET MODEL 514.2.2 Semantics of constraint netsIn this section, we define the fixpoint semantics of constraint nets. Let E = (5, F) be asignature and c e S be a special sort for clocks. A constraint net with signature E is a tripleCNE = (Lc, Td, Cm) where• each location 1 E Lc is associated with a sort .s E 5, the sort of location 1 is written as s;• each transduction F E Td is a basic transduction or an event-driven transduction, thesorts of the input and output ports of F are as follows:1. if F is a transliteration of a function f : s —f s E F, the sort of the output port is .sand the sort of the input port i is .s*(i);2. if F is a unit delay 6 or a transport delay , the sort of both input and outputports is 5;3. if F is an event-driven transduction, the sort of the event input port is c, the sortsof the other ports are the same as its primitive transduction.Let D(T, A) = (V, F) be a E-dynamics structure. CNE on (V, F) denotes a set of equations{o FO()}OEo(cN), such that for any output location o e O(CN),• F0 is a continuous transduction in F whose output port connects to o,• is the tuple of input locations of F0, i.e., the input port i of F0 connects to locationThe semantics of a constraint net is defined as follows.Definition 4.2.2 (Semantics) The semantics of a constraint net CN on a dynamics structure(V,F), denoted is the least solution of the set of equations {o = FO(x)}OEo(CN), giventhat F0 is a continuous transduction in F for all o e O(CN); it is a continuous transductionfrom the input trace space to the output trace space, i.e., CN : xI(cN)AE —* xo(cN)AT0.Given any set of output locations 0, the restriction of CN onto 0, denoted CN10xI(cN)A —+ x0A, is called the semantics of CN for 0. For example, the constraint net inFigure 4.1 denotes equations s’ = f(i, s) and s = (so)(s). Given a discrete time structure .A1,a domain T for inputs and a domain for states, the semantics for .s is F : —* suchthat F(v)(O)= and F(v)(n) = f(v(n — 1), F(v)(n — 1)).The nonintermittent and right-continuous transductions are closed under all types of composition.CHAPTER 4. THE CONSTRAINT NET MODEL 52Proposition 4.2.5 If a constraint net is composed of nonintermittent transductions, then itssemantics is nonintermittent. If a constraint net is composed of right-continuous transductions,then its semantics is right-continuous.The semantics of a subnet can be extended.Proposition 4.2.6 If CN’ is a subnet of CN, I{CN11IO(CN)() = CN’11(I(cNl)).4.2.3 Semantics of modulesWe have defined the semantics of a constraint net as a transduction. We now define thesemantics of a module as a set of transductions.Definition 4.2.3 (Semantics of modules) Given that the semantics of a constraint net CNis CN11 : xI(cN)A —* xo(cN)A, the semantics of a module CN(I, 0) is j[CN(I, 0)] ={F : x1A —* XOAQ}UEU where F(i) I{CN]io(u,i) and U C xI(cN)_IA is the set ofwell-defined hidden input traces.For example, if locations i and s’ in Figure 4.1 are hidden, the semantics of the module is a setof tracesThe semantics of a composite module can be derived from the semantics of its components.Proposition 4.2.7 Following are some properties associated with module operations:• Union: If CN(I,O) = CN1(Ii,Oi) CN2(1,0), thenI{CN(I, 0)] = CN1(I,Oi)11 x I{CN2(1,02)11.• Cascade connection: If CN(I,O) = CN2(1,0)o CN1(1,0), thenCN(I,O)] = {F2 o F1 IF1 e CN(I,O)],F e CN2(I,O)]}.• Parallel connection: If CN(I,O) = CN1(1,0)+ CN2(1,0), thenCN(I,O)]= {(F1,F2)1 E CN(I,O)],F2e CN2(I,O)]}where (Fi,F2)101)= Fi(i111) and (Fi,F2)102) =F2(i112).• Feedback connection: If CN’(I’, 0’) = .F(CN(I, 0)), then= {,u.FIF E CN(I,0)]}where .F is the the least fixpoint of F.CHAPTER 4. THE CONSTRAINT NET MODEL 53Now we discuss the well-definedness of systems. A constraint net CN is well-defined if itssemantics, transduction is well-defined. For example, the constraint net in Figure 4.1,given a well-defined function f and with a discrete time structure, is well-defined. A moduleis well-defined if all the transductions in its semantics are well-defined. If a constraint net iswell-defined, all its modules are well-defined.The well-definedness of modules is closed under some module operations.Proposition 4.2.8 IfCN1(1,°i) and CN2(1,02) are well-defined modules, then CN1(1,O)CN2(1,02), CN1(Ii, O)oCN2(1,02) and CN(Ii, Oi)+CN2(1,02) are well-defined modules.However, well-definedness is not closed under the feedback operation.There is a relationship between the well-definedness of a constraint net and the strictnessof transductions in the constraint net, which is derived from the following property of strictcontinuous functions.Proposition 4.2.9 Let A and A’ be two cpos. If f : A x A’ —* A’ is a strict continuousfunction w. r. t. its second argument, then the least fixpoint of f, or the least solution of theequation o = f(i, o), is undefined.For example, let +,. : 7?. x 7?. —* 7?. be strict extensions of + and •, respectively. Let +,.x —* be the corresponding transliterations. The least solution of x = O.5x + 2 onD(T, 7?.) is undefined, even though At.4 is a well-defined solution.In general, a net is not well-defined if there is an algebraic loop.Definition 4.2.4 (Algebraic loop) Let CN be a constraint net. A location 1 is strictlydependent on a location 1’ in CN, written 1 — 1’, if: (1) there is a transduction F in CN suchthat 1 is the output location of F, 1’ is an input location of F, and F is strict w.r.t. the inputport (indicating an input argument) that connects with 1’; or (2) al” : 1 — 1”, 1” - I’. CN hasan algebraic loop on a location 1 if 1 — 1.Proposition 4.2.10 A module CN(I, 0) is not well-defined if there is an output location 1 e 0such that CN has an algebraic loop on 1.A common strategy to break an algebraic loop is to insert a delay. For example, by insertinga unit delay ö(O) to the equation x = O.5x + 2, we have y = O.5x + 2,x = 6(O)(y). Let Albe the time structure. The semantics of the net for x is a sequence 0, 2, 3, 3.5,3.75,... andCHAPTER 4. THE CONSTRAINT NET MODEL 54lim x(n) = 4. Note that 4 is a solution of x = O.5x + 2 on R. In general, a well-definedsolution of x f(x) for a continuous function f can be computed via a relaxation method:x(n + 1) = f(x(n)) = f’(x(O)) if lim f(zo) is well-defined, and any relaxation methodcan be modeled as a state automaton in constraint nets. We will discuss this type of computationfurther in Part III.4.2.4 Parameterized netsIn this section, we introduce parameterized nets and discuss the limiting semantics of parameterized nets.A system may have qualitatively different properties with respect to different parameters. Aparameter is a variable in a transduction whose value does not change over time. For example,mass, friction coefficient, initial state, time delay, gain and threshold are typical parameters ofrobotic systems. Let CN be a constraint net and P be a set of parameters in CN. We useCN and CN’(I, 0) to denote a parameterized net and a parameterized module, respectively.Associated with each parameter p E P is a set of values D; xpD is called the parameterspace. The semantics of a parameterized net CN is defined as follows.Definition 4.2.5 (Semantics of parameterized nets) The semantics of a parameterized netCNN, denoted CN9, is a mapping from the parameter space to the set of transductions, i.e.,xpD—÷ (xf(cN)A —* xo(cN)AT0)such that for any parameter tuple v E xpD,CN9(v) = CN[v/P] where CN[v/P] denotes that each p e P in CN is replaced by itscorresponding value v(p).The semantics of a parameterized module CN(I, 0), denoted CN(I, O), is a function ofparameters as well: CN(I, O)(v) = CN(I, O)[v/P]].There are at least two reasons to introduce parameterized nets.First, a system can be modeled and analyzed against its parameters. A property of a systemmay change qualitatively when the value of its parameters changes from one to another. Forexample, let k be a gain parameter with Dk = R and y = kx + 2, x = 6(O)(y) be a net ondynamics structure D(.A/i). The semantics for x is a sequence 0,2,2k + 2 If Iki < 1,we have lim. x(n)= -; if Iki > 1, we have lim x(n) =J7. In general, lim f(xo)exists in R if f is a contractor [MA861, i.e., dk < 1, If(x)— f(y)I kx — yI. A qualitativeproperty is stable w.r.t. its parameter if the parameter region that supports the property isopen. In the previous example, the convergent property is stable since {klk e 1, kI < 1} isCHAPTER 4. THE CONSTRAINT NET MODEL 55open. Intuitively, a stable property means that a small change in the value of its parameterswill not cause a qualitative change of the property.Second, limiting semantics can be defined. Let P be a set of parameters, xpD be theparameter space, and x PD,, be a partial order relation. If (x pD, << PD,,) is a linear order, andCN is a closed parameterized net whose semantics is a mapping CN9 : xpD —*the limiting semantics of CN w.r.t. the parameter set F, written CN*, is defined as thelimit of the linear set of traces CN]1, i.e., I{CN* = lim[CN.Infinitesimal is an important parameter for limiting semantics. Let e be a parameter with= (0, 1) C R. Let <D be a partial order relation such that , c if e2 < e. (Dc, <Diis a linear order. The limiting semantics of CNe w.r.t.€ is lim€4CN9. We call such aparameter€ an infinitesimal. For example, let CN, with parameter € as an infinitesimal, be aclosed parameterized net denoting y = f(x),x = (e)(xo)(y) on D(R,). 1ff = )x.x, thenx = At.xo; if f = Ax.(—x) and x0 0, then x(t) =J for all t > 0.4.2.5 Temporal integrationSo far we have no definition for temporal integration, the most important type of transductionon continuous time structures. We now define temporal integration on vector spaces and providethe semantics of constraint nets with temporal integration using limiting semantics.A vector space [War72] is a set X associated with the functions sum and product: +X x X —* X and : 1?. x X —* X and with Ox E X satisfying the following conditions:x+y= y+x,(x+y)+z=x+(y+z),a(x + y) = ax + ay, (a + ,6)x = ax + 3x,a(/3z) = (a/3)x,x + ox = x,Ox = Ox, lx = x.Let E1x denote the sum of all elements in {x}€I. A topological vector space is a vector spacewith a topology such that + and are continuous functions.Let U be a vector space with functions + : U x U —÷ U and : 7?. x U —* U continuous inmetric topology. Temporal integration f(so) : UT — with an initial state E U can bedefined as follows.Let + and be strict extensions.Given that T is a discrete time structure, for all t > 0, pre(t) denotes the previous timepoint. Temporal integration is defined as follows:I ISo ift=Oj (so)(u) = At. Eo<i<({pre(t’), t’)) . u(pre(t’)) otherwise.CHAPTER 4. THE CONSTRAINT NET MODEL 56We can represent f(s0) as the least solution of the following equations = 6(so)(s)+dt.5(O)(u)wheredt_At10 ift=O— 1 i([pre(t),t)) otherwise.This equation can be represented by a constraint net that computes temporal integration ondiscrete time structures.Given that T is an arbitrary time structure, temporal integration is defined as follows: Let7 be a discrete sample time of T, generated by an event trace e with e = L(E)(O)(—e) foran infinitesimal €. Let mt30 (u, s) = (so)(s) + dt . 6(O)(’u). Temporal integration f(so) can becomputed by a module CN(u, s) where CN denotes the following two equations:s = mt30(e, u, s), e =with E> 0 as an infinitesimal.This definition can be considered as derived by the forward Euler method; however, we areinterested in semantics, rather than numerical simulation of differential equations.As an example, let us investigate the limiting semantics of the net in Figure 4.2 with Uas R, T as and f : —* where f = As.(—s) is a strict function. This closed net isrepresented by three equations:s = int30(e,u,s), e = (E)(0)(—ie), u = —s.The solution for e is:e — .0 if [J is even1 otherwise.The solution for s is the least solution of s = int3°0(e, —s, s). Following the proof of FixpointTheorem I, let s = At. J be the least element, then we have1 . o 00 15o ift<€= mt3 (e, —s , s ) = At.° I.. J otherwise,f o ift<Es2 = int30(e,—s1,s)—_At. 5O—E5O ifEt<2E( J otherwise,CHAPTER 4. THE CONSTRAINT NET MODEL 57ift<cif€<t<2e5k+1= int°0(e,—s’,s’) = At.(EL0—1)1Ce)so if ke t < (k + 1)eotherwise.Lets = V?+ {sk}. Then s = At.sLH’(t) is theleast solution of the equation .s = int°30(e, —s, s).The limiting semantics of the net for s is s = At. lim0s(t) =where k = Li i.e., s = At.(E0(—1)’)so = At.soe_t, which is the solution of . = —s.Some remarks follow about this semantics of constraint nets with temporal integration.First, limiting semantics only applies to a closed parameterized net and is not composite.For a constraint net with more than one temporal integrator, we will use a single infinitesimalfor all the temporal integrators.Second, temporal integration in constraint nets is defined on any time structure, discrete orcontinuous, and any vector space, numerical or symbolic.Third, in general, a set of differential equations can have no solution or more than onesolutions. The limiting semantics produces a unique solution in any case, which might notbe well-defined. For example, i = with x(O) = 0 on dynamics structure D(R,)has infinitely many solutions; two significant ones are x At.0 and x = At.t2. However, thelimiting semantics gives only x At.0. For another example, th = with x(0) = 0 on dynamicsstructure D(R,) has two normal solutions x = At./ and x = —At.v’. However, the limitingsemantics gives an undefined one x = At. .L. In the next chapter, we will come back to thisissue and discuss the conditions under which the constraint net produces the “correct” solution.We can also define three variations of temporal integration: (1) temporal integration withbounds, (2) temporal integration with reset, and (3) integration against another trace on domain7?.A bounded temporal integration, denoted f(m,M)(80) ensures that the output values at alltime points are between m and M, i.e., Vu,t,m jm,M>(80)(U)(t) M. We can realize thisrestriction by simply lettingint0 (u, s) = min(max(ö(so)(s) + dt . 6(0)(u), m), M)where “mm” and “max” are strict continuous extensions of conventional “mm” and “max,”respectively.A reset temporal integration, denoted fr(5) is a transduction of two arguments with thesecond argument as an event input. f,.(so)(u, c) sets the output value back to o whenever thereCHAPTER 4. THE CONSTRAINT NET MODEL 58is an event at c. A reset temporal integration can be realized as follows. Letint30(u,c,s) = cond(c,6(O)(c),(so)(s) + dt (O)(u),so)where cond is the conditional function defined in Equation 3.1. The reset temporal integration.fr(’5°) can be computed by a module CN({u, c}, s) where CN denotes the following twoequations:s = int°0(e, u, c, s), e =where e> 0 is an infinitesimal.A trace-based temporal integration, denoted f(so), is a transduction of two arguments withthe second argument as a trace on domain . j(so)(u, v), also denoted f(so)(u)d(v), integratesu against the changes of v. A trace-based temporal integration can be realized as follows. Letjut30 (u, v, s) = 6(so)(s) + dv ö(0)(u)whered _fo ift=OV— 1 v(t) — v(pre(t)) otherwise.The trace-based temporal integration f(so) can be computed by a module CN({u, v}, s) whereCN denotes the following two equations:s = int0(e,u,v,s), e =where E> 0 is an infinitesimal.4.3 SummaryWe have presented CN, a formal model for hybrid dynamic systems. The syntax of CN isgraphical and modular, and the semantics of CN is denotational and composite. The modularaspect of CN not only provides hierarchical structures of system composition, but also providesa simple and general concept for nondeterminism. The fixpoint semantics provides a rigorousand straightforward interpretation for the meaning of CN. Furthermore, parameterized nets andtemporal integration increase the representational power of CN. As a result, CN can be usedto model a discrete/continuous hybrid dynamic system with various event-driven components,while events can be generated and synchronized within the system. In the next chapter, we willfocus on some typical types of event computation and then discuss modeling aspects of CN viaexamples.Chapter 5Modeling in Constraint NetsA dynamic system is defined on a dynamics structure D(T, A) where T is a time structure andA is a domain structure; the time and domain structures can be either continuous or discrete.Table 5.1 shows examples of the four basic types of model for dynamic systems. We call adynamic system composed of components of more than one basic type a hybrid system.We have developed Constraint Nets (CN) as a formal model for hybrid dynamic systems.A hybrid dynamic system consists of modules with different time structures, with its domainstructure multi-sorted. A typical hybrid domain structure would include a continuous domainand a discrete or finite domain S, with associated functions. A typical reference time for ahybrid dynamic system is the set of nonnegative real numbers R+. Event-driven modules canbe associated with different clocks, characterizing different sample time structures generatedby event traces. An event trace can be either of fixed sampling rate, or created by some eventgenerator that responses to changes of its inputs. Multiple event traces can also be combined togenerate other event traces. Typical event interactions are “event or,” “event and,” and “eventselect” that can be defined in terms of event logics. With event logic modules, asynchronouscomponents can be coordinated.In this chapter, we first focus on some general issues on event control logics and typicalevent generators and synchronizers. We then illustrate constraint net modeling via an exampleTable 5.1: Basic types of model for dynamic systemsDynamic Systems Discrete Time Continuous TimeDiscrete Domain Finite State Machines Asynchronous CircuitsContinuous Domain Difference Equations Differential Equations59CHAPTER 5. MODELING IN CONSTRAINT NETS 60that characterizes the features of CN. Finally, we discuss the power of CN in terms of bothdiscrete and continuous computation.5.1 Event Generators and SynchronizersIntroducing event-driven transductions makes a simple and unitary model for arbitrary event-triggered components as well as for various components with fixed sampling rates. Furthermore,events can be generated and synchronized within the model. In this section, we discuss sometypical event generators and synchronizers for modeling, programming and design.5.1.1 Event generatorsAn event generator is a transduction whose output is an event trace. For example, e =(t8)(0)(’e) is an event generator whose output is an event trace of fixed sampling rate.There are event generators with its output capturing the changes of its input. For example, atransition is generated whenever a certain property becomes true.We introduce some basic modules that will be used mostly for event control.(a) (b) (c)Figure 5.1: Basic modules for event logicsLet cond be the conditional function defined in Equation 3.1.• Module NE(i, o) (Figure 5.1(a)) is composed of a unit delay and a transliteration newhere ne : B x B —* is defined as ne(x, y) = cond(x, y, 0, 1).• Module NE1(i,o) (Figure 5.1(b)) is the same as NE(i,o) except that ne is replaced bynel : B x —* , nel(x, y) = cond(x, y, 0, cond(x, 1,1,0)).• Module G(i, o) (Figure 5.1(c)) is composed of a unit delay and a transliteration g whereg :x B—f Ths defined as g(x,y)= cond(x,0,y,—’y).CHAPTER 5. MODELING IN CONSTRAINT NETS 61(As a matter of fact, both ne and g are , an “exclusive or”.) If the reference time is notdiscrete, unit delays in these modules are performed at a fast (relative to its inputs and/oroutputs) fixed sampling rate.Note that both NE and NE1 are nonintermittent and right-continuous. Furthermore, Gis an event generator, and any cascade connection to G is an event generator. For example,“rising transition” an event generator that generates an event whenever its input changesfrom 0 to 1 — is a cascade connection of NE1 to G, i.e., G o NE1.5.1.2 Event synchronizersAn event synchronizer is a transduction that maps event traces to new event traces. Forexample, “event or” (Figure 3.2) is an event synchronizer that merges events in its two inputtraces as long as no two events happen at the same time.Now let us consider “event and” (Figure 5.2), another important event synchronizer. Ther. — . —el ande2Figure 5.2: Event logic for “and”Muller C-element [Sut89] acts as the “and” for events: if both of its inputs are of the samevalue, the output and its next state are copies of that value, otherwise the output and its nextstate are unchanged. The Muller C-element can be modeled as a state automaton (Figure 4.1)with a state transition function mc : x x —f , mc(ij, i2, s) = cond(i1,i2,i1, s). The MullerC-element is a module with i1, i2 and s’ as the interface, i.e., a Mealy machine. We can verifythat the transduction of the Muller C-element is indeed nonintermittent and right-continuous;therefore, its output is an event trace as long as its inputs are event traces.CHAPTER 5. MODELING IN CONSTRAINT NETS 62We should also notice, according to the definition, that the Muller C-element works as“event and” only for inputs with the following properties:1. both inputs start at the same value (0 or 1), and2. the order of events in two inputs are paired such that exactly one event in each pair isproduced by one of its inputs.Only after an event takes place on both of its inputs will the output produce an event, i.e.,an event in the output corresponds to the second event in a pair of input events. The MullerC-element generalizes easily to three or more inputs. Such elements are also called rendezvouselements [Sut89).Although the absolute value (from 0 to 1, or 1 to 0) of a transition in a single event tracedoes not matter, the value relative to other related traces does matter. Thus, it is sometimesimportant to invert transition signals. We use the standard “and” logic symbol with a “C”inside it to represent Muller C-elements and “bubbles” on input or output ports to representinversions.“Event and” elements have been used to coordinate asynchronous events in distributedsystems [Sut89j. Consider a simple 1-buffered producer-consumer problem. Both producerand consumer are processes that repeat the following two steps: ask the synchronizer to grantpermission for an action (to produce or to consume), and then whenever the request is granted,do the action (the producer produces or the consumer consumes a product).In Figure 5.3, Ri is the request from the producer and R2 is the request from the consumer.We use clock Cl to grant the producer and clock C2 to grant the consumer. Assume that eitherproducing or consuming takes time T. Two negated Muller C-elements (with initial state 0)and two transport delays are used to synchronize events.Requests from Ri and R2 may arrive asynchronously. Given that Ri starts at 0 and R2starts at 1, we can check by hand that Cl generates a new event if there is a transition atRi and the buffer is empty (Cl = C2). C2 generates a new event if there is a transition atR2 and the buffer is full (Cl $ C2). hi Part II, we wifi provide formal specification languagesfor declaring desired properties of a given system and explore formal verification methods forchecking the correctness of the given system.“Event filter” is an event synchronizer that selects events from its two event inputs accordingto the value in its first input. Figure 5.4 is a module for an “event filter” element that iscomposed of basic modules NE and G as well as a transliteration f defined as f(b, x, y) =cond(b, 0, x, y).CHAPTER 5. MODELING IN CONSTRAINT NETS 63Figure 5.3: A producer-consumer event synchronizerFILTERFigure 5.4: An event filterCHAPTER 5. MODELING IN CONSTRAINT NETS 64Similarly, “event select” is an event synchronizer that steers events in its second input toone of two of its outputs according to the value in its first input. Figure 5.5 is a module for an“event select” element that is composed of basic modules NE and G as well as a transliterations defined as s(b,x) = cond(b,O,(x,O),(O,x)).Figure 5.5: An event selectFILTER (resp. SELECT) can be extended to three or more input (resp. output) eventtraces.In this way, we can also model all the event logic elements described in Sutherland’s paper[Sut89], such as “Switch,” “Event-Controlled Storage Element” (ECSE), “Toggle,” “Arbiter,”etc.5.2 Modeling Hybrid SystemsA robotic system is a hybrid system in general, which is an integration of a plant with continuousdynamics, a continuous/discrete hybrid controller, and a possibly changing environment (Figure1.1).Let us consider an example, a car-like maze traveler. Suppose a maze is composed of blocksof bounded size placed on an unbounded plane. A car-like robot with two touch sensors, forwardsensor SF and right-side sensor SR (Figure 5.6(a)), is required to traverse the maze from westto east (Figure 5.6(b)).As any robotic system, this system consists of a plant, a controller and an environment.The plant is the body of the car-like robot, which can move forward/backward by setting aspeed v and can make turns by steering two front wheels to some angle o. The environment isthe maze, and the controller connects sensor signals and motor commands (Figure 5.7).The plant of the robot has been modeled as a constraint net in Figure 1.2 on dynamicsstructure D(R+,). The environment can be modeled as a transliteration that maps anyI SELECTCHAPTER 5. MODELING IN CONSTRAINT NETSFigure 5.6: (a) The car-like robot (b) Traveling through a maze65(a) (b)Figure 5.7: The maze traveler robotic systemCHAPTER 5. MODELING IN CONSTRAINT NETS 66configuration of the car-like robot ((x, y, 0) e 7?. x 1?. x ) to sensor signals (SF, SR E overtime (continuously). If the robot is facing (or to the left of) a wall within some distance, theforward (or right) sensor SF (or SR) is on, i.e., SF = 1 (or SR = 1); otherwise it is off, i.e.,SF = 0 (or SR = 0).The simplest strategy for a robot to move out of a maze is to follow a wall with one side (e.g.,the right side) [Ad81]. Starting at any position with the correct heading 181 < 6 (e.g., east), therobot is always moving forward until it hits a wail (SF becomes on). Whenever it hits a wall,it turns left (0 = 8 + i-), with its right side against the wall, and moves forward. Whenever theright side is off the wall (SR becomes off) and the heading is not correct (10 — kI < 6, k> 0),it turns right (0 = 0— ), again with its right side against the wall, and moves forward,This strategy can be modeled as a transliteration that maps the heading of the car and thesensor signals (6, SF, SR) to a control signal c e {0, —1, 1} where 0 means “continuing in thecurrent direction,” —1 means “turning right” and 1 means “turning left:”0—kI<6,k>0:if SR =Othenc=—1elseif SF = 1 then c = 1else c =0I0I<6:if SF =lthenc=1else c =0We will see that (in Part II) if the car is not in a closed block and if there is always enoughspace for the robot to turn, the robot will move in the correct direction (lOt < 6) persistently.This strategy is made in discrete time, but without any fixed sampling rate, since it maynot be known how long the car takes to turn to the next direction, and how long before it hitsa wall or moves off a wall. Therefore, the strategy should be event-driven. There are threetypes of event: (1) 8 enters {(k—6,k+6)Ik= 0,1,2...}, (2) SF changes from 0 to 1 or (3)SR changes from 1 to 0. “Rising transition” elements are used to generate these events and“event or” elements are used to synchronize these events. An event generator (Figure 5.8(a))is created by combining these elements.As a result, the control circuit is composed of the event generator, the event-driven strategymodule and an actualizer (Figure 5.8(b)), which, for simplicity, is set to be v = 1 and o = c.Even though it is a simple hybrid system, in order for the system to work properly, we haveto consider the interface between discrete and continuous domains carefully.• The “event or” logic works correctly only when no two events happen at the same time.CHAPTER 5. MODELING IN CONSTRAINT NETS(a)(b)Figure 5.8: (a) Event generator (b) Control circuit67event ornegatlOflrising tranSitionGENERATORGET0RCrUAL1ZE1ICONTROLI’CIRCUITCHAPTER 5. MODELING IN CONSTRAINT NETS 68In this example, we assume that the sizes of the blocks and the spaces between the blocksare much larger than the size of the car.• The error angle 6 should be assigned based on the sizes of the blocks and the turningradius. Given that the steering angle a is 7r/4 and the length of the car is L, the turningradius R becomes L (since R = L/ tan a). Let the maximum size of blocks be M. Wehave 6 < L/M so that the car wifi not hit the right wall when it moves forward with someerror 6 in its heading.• The front and right sensor ranges are designed according to the the sizes of the blocks,the turning radius and the error angle. Let the turning radius be L and 6 < L/M. Ifthe initial distance from the right wall is L, the distance from the right wall will alwaysbe less than 2L when it moves forward with some error 6 in its heading. Therefore,suppose DF is the distance between the front of the car and the front wall, and DR isthe distance between the right side of the car and the right wall, we have SF = DF < Land SR = DR < 2L (so that SR will not be off because of error 6 in its heading).These problems seem particular to this special design and the solutions seem ad hoc. However,similar situations, such as choosing errors, thresholds, gains, sampling rates, etc., would beencountered in the design of every hybrid system. In Appendix C, we wifi study more examplesof hybrid system design and analysis. In Part III, we will design a more complex control systemfor the car-like robot.5.3 Power of Constraint NetsAny computational model is suitable for representing a certain type of computation. For example, Turing machines are used to represent sequential computation and analog circuits areused to represent parallel and continuous computation. The Constraint Net model (CN) is anabstraction of models for dynamic systems. Even though CN is inherently parallel, sequentialcomputation can also be modeled. In this section, we first focus on sequential computation inCN and then discuss continuous computation in CN.5.3.1 Sequential computationWe model any sequential computation as a module with an event input indicating the start ofa computation and an event output indicating the end of the computation (Figure 5.9). TheCHAPTER 5. MODELING IN CONSTRAINT NETS 69time duration between the start and the end of the computation is variable, depending on theinput data. We call such a module a sequential module.StEnd I IFigure 5.9: A sequential moduleA transliteration f is modeled as a sequential module with End = Start and Data_Out =f(Data_In), i.e., there is no time delay in a transliteration. A functional composition of twosequential computations is modeled as a cascade connection of the two sequential modules(Figure 5.10).EndFigure 5.10: A functional composition G o FLet g : A — A’ and h : x A x A’ —* A’ be functions. A recursive function f : x A —÷ A’based on g and h can be defined as f(O,x) g(x),f(n+ 1,x) = h(n,x,f(n,x))). Given thatg and h are computed by sequential modules G and H, respectively, a sequential module for fcan be constructed as follows.Let COUNTER be a module with two event inputs and one output on domain . The firstevent input resets the output to zero and the second event input increases the output valueby one. COUNTER({cl, c2}, n) (Figure 5.11) is composed of module NE (Figure 5.1(a)), twotransliterations suc and cond, and an event-driven unit delay 60(0), whereIJ-.&r ifn=JAr.suc(n) =I n + 1 otherwiseis a successor function.The sequential module for f (Figure 5.12) is composed of sequential modules G and H,modules COUNTER, FILTER and SELECT, and transliteration cond. Unit delays are alsoCHAPTER 5. MODELING IN CONSTRAINT NETS 70COUNTERFigure 5.11: An event counteradded to avoid algebraic loops. We can see that in order to compute f(n, x), the sequentialmodule G will be triggered initially and the sequential module H will be triggered up to n— 1times.A function f: A —* A is defined using the minimization operation on a function g : x AkTif:— f min{nlg(n, x) = 0} if the set is not empty“— 1 L,- otherwise.Thus, f(x) is defined as the smallest n for which g(n, x) = 0 if there is such an n; it is otherwiseundefined. Given that g is computed by a sequential module G, a sequential module for f canbe constructed as in Figure 5.13. If f(x) = n E .iV, the sequential module G will be triggeredn + 1 times, otherwise G will be triggered infinitely many times and there will be no eventgenerated in End.Therefore, given a set of basic functions and their sequential modules, the set of functionsclosed under functional composition, recursive schemes and minimization operations can becomputed by sequential modules. In fact, this set is large enough to include all the computablefunctions given a small set of basic functions. It is well known that the set of Turing computablefunctions is equal to the set of partial recursive functions. A function f is defined partialrecursively if [Yas7l]:• it is the constant 0, the successor function suc, or a projection function projj,projj(2i,...,xi,...,xn)xi;or• it is defined as a functional composition of functions defined partial-recursively; orCHAPTER 5. MODELING IN CONSTRAINT NETS 71S_>1I I I II (5OUNThRJ I:0___condOROFigure 5.12: A sequential module for a recursive functionCHAPTER 5. MODELING IN CONSTRAINT NETS 72• it is defined as a recursive function based on functions defined partial-recursively; or• it is defined using the minimization operation on a function defined partial-recursively.A function f is a partial recursive function if it equals a function that is defined partial-recursively.Theorem 5.3.1 Let E = ({n}, {O, suc, cond}) be a signature. A partial recursive functioncan be computed by a sequential module on En-dynamics structure D(A1, 3V) where )V denotesthe Y2-domain structure ({V}, {O, suc, cond}).Finishing up this section on sequential computation, we give two more examples used mostlyin concurrency and real-time models.• Internal choice A + B: either A or B will be computed. Figure 5.14 is a sequentialmodule for this scheme, where id is an event-driven transliteration of an identity functionid = Ax.x and location n is a hidden input with Boolean domain.Internal choices are often used for modeling nondeterminism in concurrent systems.• External choice C—÷ AID —* B: if an event in C comes before an event in D, A iscomputed, otherwise B is computed. Figure 5.15 is a sequential module for this scheme,Figure 5.13: A sequential module for the minimization operationCHAPTER 5. MODELING IN CONSTRAINT NETS 73idEndFigure 5.14: A sequential module for internal choice A + B:°ondFigure 5.15: A sequential module for external choice C—‘ A(D —f BCHAPTER 5. MODELING IN CONSTRAINT NETS 74where FIRST is a module that outputs 0 if an event in C comes first and 1 if an event inD comes first.Module FIRST (Figure 5.16) is composed of a transliteration cond for resetting the statewhenever there is an event in Start, a transliteration of state transition function f definedas f((c,d),(s,sd)) = (sVcA—isd,sdVdA—isC), and a transliteration of an output functiong defined as g((s,.5t)) = —‘se A 8d Note that events in c have higher priorities for thisdefinition of g, i.e., if events in c and d come at the same time, the event in c will beselected.Figure 5.16: The FIRST moduleExternal choices are often used for modeling time-out in real-time systems. For example,if C is a module that generates time-out events (Figure 5.17), C— AID —* B means thatif D generates an event before time-out, B will be executed, otherwise A will be executed.TIMEOUTFigure 5.17: The TIMEOUT module5.3.2 Analog computationWe have seen that the Constraint Net model (CN) can represent sequential computation aswell, by using events to coordinate the order of computation. However, in general, CN is usedCHAPTER 5. MODELING IN CONSTRAINT NETS 75for modeling computation over time, i.e., relationships between input traces and output traces.If a constraint net CN is closed, the semantics of CN is simply a trace, i.e., a function of time.Many functions that are not easy to model in sequential computation are easy to compute astraces. For example, .)t.Cekt is the solution of a constraint net x = f(C)(kx); At.(sin(t), cos(t))is the solution of a constraint net x = f(O)(y),y f(1)(—x). In the rest of this section,we will ask two questions. First, given a set of basic functions on 7, say + and , what isthe set of traces that can be represented as solutions of differential equations? Second, givendifferential equations modeled in constraint nets, what is the relationship between the semanticsof constraint nets and the solutions of the differential equations?The first question was answered by Shannon. Here we present a variation of the results in[Sha4l]. Let T = [to,t1] C R. A trace x : —+ fl can be obtained as a solution of a set ofdifferential equations composed of only + and , iff x = x1 can be written as:—13 (4— ‘V’. 4O 1 nXk— £k, 1,._,Xn) — 1where the i’s denote natural numbers. We use P’s to denote polynomial functions. The questionis then reduced to: what is the set of functions that can be written in Equation 5.1? It hasbeen shown [Sha4l] that this set is equal to the set of non-hypertranscendental functions.A function x = At.f(t) is non-hypertranscendental iff it can be written asP(t, x, i, , . . ., = iait0x1(th)%2()z3 . . . (x(n))+i = 0. (5.2)Proposition 5.3.1 [Sha4l] Equations 5.1 and 52 are equivalent, i.e., a function written inone form can be transformed into another.Most common analytic functions are non-hypertranscendental [Sha4l] such as exponentialand logarithmic, trigonometric and hyperbolic, Bessel functions, elliptic functions, probabilityfunctions, and solutions of an algebraic equation in terms of a parameter. Non-hypertranscendentalfunctions are also closed under various operations.Proposition 5.3.2 [Sha4l] If x = At.f(t) is non-hypertranscendental, then its derivative y =)t.f’(t), its integralz = At. j f(t)dt, and its inverse w = At.f’(t) are non-hypertranscendental.Proposition 5.3.3 [Sha4 1] Non-hypertranscendentalfunctions are closed under functional composition.The second question is that given a trace as a solution of a set of differential equations,can that trace be computed as the limiting semantics of the constraint net representing the setCHAPTER 5. MODELING IN CONSTRAINT NETS 76of differential equations? This question is further decomposed into two questions: first, doesthe constraint net have a well-defined limiting semantics? second, does the set of differentialequations have a unique solution? If the answers to both questions are positive, the trace canbe computed by the constraint net.Proposition 5.3.4 Given a constraint net of differential equations thk = fk(x), k = 1,. . . , nwith Zk(tO) e R. and fk : R’ —* R as partial or total functions, and given that all fk are smoothat (to), the limiting semantics of the constraint net, based on the forward Euler method, iswell-defined over = [t0,1] for some t1 > to. In particular, x = t. 0’t0)(t — to).if fk is a polynomial function, then fk is smooth over R7. if, in addition, the initial value foris well-defined, the limiting semantics of the constraint net is well-defined.It has been shown that a sufficient condition for differential equations= f(s) to havea unique solution is the Lipschitz condition [MA86]. The Lipschitz condition is defined asfollows. Given (R’, d) as a metric space, we say that f: R —÷ R7’ satisfies a Lipschitzcondition uniformly with respect to t E [to, t1] if there exists a number K> 0 such thatd(j(x(t)),j(y(t))) I(d((t),(t)) for all t E [t0,1].Let II2 = and d(x, ) = I — y1. If f is a linear function, i.e., j(x) = Ax,If((t)) — f(t))I2 IAII(t)— (t)I2, for all t. Therefore, linear functions always satisfy theLipschitz condition, and linear differential equations always have a unique solution.A more general result is as follows.Theorem 5.3.2 Let Er = ({r}, {+, .}) be a signature. A non-hypertranscendental functionthat is defined and smooth over a closed segment T = [to, t1] can be computed by a constraintnet of differential equations on Er-dynamics structure V(T, i), where denotes the Er-domainstructure ({}, {+, .})Chapter 6Behavior AnalysisWe have presented the Constraint Net model, its syntax and semantics, and its power in modeling dynamics and computation. In this chapter, we relate systems to their behaviors. We startwith some preliminaries in abstract algebra on equivalence and abstraction. We then present aformal definition of behaviors and discuss various properties of behaviors. Finally, we formalizethe concept of behavior abstraction at different levels of granularity, and the meaning of systemequivalence with respect to a certain type of abstraction.6.1 Abstraction, Quotient and HomomorphismThis section introduces some basic, but important, concepts in abstract algebra. These conceptsare related to the question of how to generate an abstraction of a given system.Intuitively, equivalence induces partitions, and partitions induce abstraction. An algebraicsystem is a set with an associated structure, i.e., a set of functions and relations. A structurethat is consistent with a partition can be abstracted to a quotient structure on the partition.An algebraic system A’ is a quotient of an algebraic system A if A’, with the quotient structure,is a partition of A. A quotient of an algebraic system can be considered as an abstraction of thealgebraic system. An algebraic system A is homomorphic to an algebraic system A’, if there isa surjective (onto) mapping from A to A’ that is consistent with the associated structure; it isisomorphic if the mapping has an inverse. On the other hand, a homomorphic mapping inducesa partition and a quotient structure. An algebraic system is homomorphic to its quotient.Given algebraic systems A and A’, if A is homomorphic to A’, A’ is isomorphic to the quotientof A induced by the homomorphic mapping. We present these concepts more formally in therest of this section.Equivalence relations are characterized as congruences. A binary relation—A over a set A77CHAPTER 6. BEHAVIOR ANALYSIS 78is a congruence if it is reflexive, transitive and symmetric.A congruence induces a partition. A partition of a set A induced by a congruence A,written A/A, is a set of sets {Aj such that (1) A = UA (2) Vi j,A fl A3 = 0 and (3)a1—A a2 and a1 E A imply a2 é A. We use [a] to denote the set that a belongs to. Intuitively,a partition of a set can be considered as an abstraction of the set; [a] is an abstraction of a.If a congruence is consistent with a function f, it is called an f-congruence. Let f: A —* A’be a function. A congruence over AUA’ is an f-congruence if a1 a2 implies f(ai) f(a2).Given f : A —* A’ and as f-congruence, an abstraction of f can be defined on the partitionof A and A’ induced by the f-congruence. Let f : A —* A’ be a function and be an fcongruence over A U A’. The quotient function of f w.r.t. , written f : A/ —* A’/, isdefined as f([a]) = [f(a)]. We also say that function f is abstractable w.r.t. when is anf-congruence.The concepts of abstraction and quotient structures can be extended to multi-sorted algebra.Let D = (5, F) be a signature and A be an arbitrary E-algebra. A >2-congruence on A is anS-sorted relation ,= satisfies1. for each s E 5, is a congruence on A3, and2. for any f : s1,...s —* .s E F and all a1, a E A31,. . ., a, a E A3, if a1 aç,..., anda a’ hold, then fA(ai,.. .,a,) fA(a,. . .,a). Namely, is anfr4-congruencefor all f E F.Given a >2-congruence on a >2-algebra A, we can define a quotient algebra A/ . Letbe a >2-congruence over a >2-algebra A. The quotient >2-algebra A/ of A is defined as= A3/ and for f : si,. . .,s —* se F, a1 E A31,. ..,a E A5,, fA/_([ai],. . .,[a,]) =[fA(ai,. . ., a,)]. The quotient >2-algebra A/ of A can be considered as an abstraction of Ainduced by the >2-congruence .The relationship between an algebra and its quotient algebras can be characterized byhomomorphism. In general, a homomorphism on >2-algebras is defined as follows. Let A, A’ betwo >2-algebras. A Y2-hornornorphism h: A — A’ is a family of surjective (onto) mappings h ={h3 : A3 —* A}3€s such that for each f: . .,s —*s E F and each a1 E A31,. ..,a E A3,,hs(fA(ai,. . ., a,)) = fA’(h31(a1),. ..,h3(a)). It is a >2-isomorphism if h is a bijection. If A’ isa quotient algebra of A, there exists a homomorphism h from A to A’ with h(a) = [a]. On theother hand, if there is a homomorphism Ii from A to A’, A’ is isomorphic to a quotient algebraof A. To see this, let us define a congruence h on A as follows: a1 h a2 if h(ai) = h(a2).CHAPTER 6. BEHAVIOR ANALYSIS 79Since h is a s-homomorphism from A to A’, h is an fAcongruence on A for any f E F.Therefore, A’ is isomorphic to the quotient algebra of A induced by h. And, A’, which isisomorphic to a quotient of A, is also considered as an abstraction of A.6.2 Behavior Analysis: General ConceptsNow we discuss the relationship between dynamic systems and their behaviors. Intuitively,the behavior of a dynamic system is the set of observable input/output traces of the system.Formally, let CN(I, 0) be a module. An input-output pair (i, o) is an observable trace ofCN(I, 0) if F E CN(I, O) such that o = F(i). The behavior of CN(I, 0) is the set of allobservable traces of CN(I,O). We will also use CN(I,O)] to denote the behavior of CN(I,O)if no ambiguity arises. We will use CN as an abbreviation of CN(I,O)] if I = I(CN) ando = O(CN). Two modules are equivalent, written CN1(I,0) CN2(I,0), if they have thesame behavior, i.e., CN1(I,O) = CN2(I,O). For example, two state transition modules areequivalent if they have the same initial state and the same state transition relation. A behaviorB is deterministic if for any pair of traces (i1, 01), (i2, 02) E B, i1 = i2 implies o = 02; itis otherwise nondeterministic. In general, a module CN(I, 0) will exhibit a nondeterministicbehavior if there are hidden inputs, i.e., I C I(CN).Two important types of behavior are state-based behavior and time-invariant behavior.State-based behavior is formalized as follows. Let B be a behavior. Given any time pointt e T, two traces v1,v2 B are coincident up tot, written v1 t v2, if Vt’ t, vi(t’) = v2(t’).Let [V]t= {vj’>Iv’ v} where VI>t denotes the restriction of v onto {t’ Tat’ > t}. B isstate-based if for all v1, v2 E B and t e T, vi(t) v2(t) implies [Vijt = [V2]t, i.e., the behaviorin the future is fully determined by the current snapshot.Time-invariant behavior is formalized as follows. Let B = {vlv : T —> A} be a behavior.For any a1,a2 E A, let a1 -< a2 if dv E B,t1 < t2 such that a1 = v(ti) and a2 = v(t2). B istime-invariant if-.< is transitive, i.e., -<is independent of time.A state automaton in Figure 4.1 exhibits a state-based and time-invariant behavior. However, an input/output automaton in Figure 4.4 may not exhibit a state-based and time-invariantbehavior. Any state-based and time-invariant behavior of discrete time corresponds to a statetransition system.A state transition system is a pair (5,.—+) where S is a set of states and —+ C S x S is atransition relation between two states. For any discrete time 7’, v : 7’ —* S is a trace of (5,—+)if Vt > 0, v(pre(t)) —÷ v(t). A behavior B corresponds to a state transition system (5, —*) if BCHAPTER 6. BEHAVIOR ANALYSIS 80is equal to the set of traces of (S, —*). State transition systems can be considered as a compactrepresentation of state-based and time-invariant behaviors.A requirements specification 7 for a system CN(I, 0) is a set of allowable input/outputtraces of the system: 1 C xjuoAT. CN(I, 0) satisfies a requirements specification 1, writtenCN(I, 0)] 1= R if CN(I, 0)] c R. With the formal definition of requirements specification,robustness and complexity can be formally defined.The robustness of systems is defined on parameterized ilets. A parameterized systemCN(I, 0) is less robust than CNr(I, 0) w.r.t. a requirements specification 7, writtenCNr(I,O) z CNr(I,O), if CNr(I,0)ji(v) ç R implies I[CNr(I,O)jI(v) C 7, for allv E xpD. Two parameterized systems CN1’(I, 0) and CNr(I, 0) are equivalent w.r.t. a requirements specification 7, written CNr(I, 0) cNr(I, 0), if CN(I, 0) : CNr(I, O)and CN’(I,O) CNr(I,O).Behavioral complexity is defined with respect to some kind of measurement on the size of adynamic system: the number of transductions, the number of delay elements, or the maximumnumber of delay elements in any path. Let ICNIm denote the size of CN w.r.t. measurement m.The complexity of behaviors satisfying 7 w.r.t. m, denoted I7im, is the minimum realizationof the dynamic systems satisfying 1?. w.r.t. m, i.e., 17?’Im = min{ICNIm}[cN(I,o)].Proposition 6.2.1 If R1 c 72, I1Im I2Im.In Part II, we will present two formal requirements specification languages and a formalmethod for behavior verification.6.3 Time and Domain AbstractionWe have introduced reference and sample time for modeling multiple time structures of a hybriddynamic system. Here we study another kind of mapping between two time structures, whichis for modeling dynamic systems at different levels of detail.A time structure (T, d, ) may be related to another time structure (T’, d’, ‘) by a homomorphic time mapping h : T —* T’ where h is a surjective partial or total function, orh : T —* T’ U {±} is a surjective function, such that• it is monotonic: t1 r t2 implies h(t1) T’ h(t2) if both sides are defined (L),• the least element is preserved: h(O) = 0’,• the metrics are preserved: m’(t’) = inf{m(t)Ih(t) =CHAPTER 6. BEHAVIOR ANALYSIS 81• it is continuous: for any open T’ C T’ in its metric topology, h’(T’) is open in its metrictopology, and• the measures are preserved: i’(T’) =T’ is an abstraction of T, and T is a refinement of T’. For example, let Ii : —f Al be apartial mapping with0 ift<1n elseifn<t<n+1.Function h is a homomorphic time mapping. Al is an abstraction of +, and 7+ is a refinementof Al.A domain A may be related to a domain A’ by a homomorphic domain mapping h: A —k A’where h is surjective and continuous in the derived metric topology. A’ is an abstraction of A,and A is a refinement of A’. For example, let h : —* S, where $ = {—1, 1}, be a mappingwith1—1 ifr<0h(x) = 1 if r > 0 (6.1)[ J.s ifr=0orr=J--i.Function h is a homomorphic domain mapping. S is an abstraction of 7, and 7 is a refinementof S.Let = (S, F) be a signature. A s-domain structure A may be related to a s-domainstructure A’ by a homomorphic domain structure mapping h = {h3 : A3—f A’3}€s where (1)A’3 is an abstraction of A3 for all s e S, and (2) h(fA(xi,. . .,x,)) = fA’(h(xi),.. .,h(x)) forall f F. A’ is an abstraction of A, and A is a refinement of A’.The condition for a homomorphic domain structure mapping is very strong, since the congruence induced by the mapping must be a s-congruence. For example, let r = ({“}, {+, .})and ({}, {+, .}) be a rdomain structure. The mapping defined in Function 6.1 is not ahomomorphic domain structure mapping, since h is not a +-congruence. For another example, let D = ({s}, {O, f, g}) be a signature with 0 :—* s, f : s —* s and g : s, s —* s, and({V}, {0, suc, +}) and ({}, {0, -‘, }) be s-domain structures. Let h : —f be a mappingwith1 0 ifniseven1 ifnisoddI. J ifn=Jr.Function Ii is a homomorphic domain structure mapping. ({}, {0, — }) is an abstraction of({V}, {0, suc, +}), and ({V}, {0, suc, +}) is a refinement of ({}, {0,—EI}).CHAPTER 6. BEHAVIOR ANALYSIS 82Because it is hard to satisfy the strong condition on homomorphic domain structure mappings for most domain structures, in many cases a weaker version of abstraction may apply. Socalled qualitative algebra/dynamics [Wd90, Wi191] in AT belong to this category. Let D = (S, F>be a signature. A s-domain structure A may be related to a E-domain structure A’ by a domain structure mapping h = {h8 : A3 —* A’S}3E where (1) A’8 is an abstraction of A3 for alls e S, and (2) fA’(xç,. . .,x) = AA,{h(f(x1,. . .,x))h(xi) = xç,. . .,h(x) = x} for allf e F. A’ is a qualitative domain structure of A, and A is a quantitative domain structure ofA’. We should point out here that the partial order structure for any domain is a semilattice,i.e., any two elements have a lower bound, and if A is a domain, the greatest lower bound AAis defined for any subset of A. This definition is similar to the definition in [Wi191], exceptthat we enforce continuity in domain mapping. For the previous example, let ({S}, {+, .}> bea rdomain structure, with + and . defined as:11 ifx=y=1x+y = —1 ifx=y=—1( Ls otherwise, and11 ifx=y=lorx=y=—1r.y = —1 ifx=1,y=—lorx=—1,y=1( L otherwise.The mapping h defined in Function 6.1 is a domain structure mapping. ({S}, {+, .}) is aqualitative domain structure of ({R}, {+, .}>, and ({}, {+, .}) is a quantitative domain structure of ({}, {+, .}). However, h is not a homomorphic domain structure mapping, sinceh(x + y) = h(x) + h(y) does not hold for all x, y e . Qualitative algebra, along with qualitative diagnosis and qualitative physics [Wd90], has been a major area in AT. In this thesis, wefocus only on abstraction with quotient structures.6.4 Behavior Abstraction and EquivalenceA trace is a function from a time structure to a domain. Given T’ as an abstraction time of Twith mapping hT and A’ as an abstraction domain of A with mapping hA, a trace v : T —÷ Ais abstractable to a trace v’ : ‘T’ —* A’ if hT(tl) = h’r(t2) J implies hA(v(tl)) = hA(v(t2)).The abstraction trace of v w.r.t. h = {hT,hA} is v’ = AhT(t).hA(v(t)). Two traces v1 andT —÷ A are equivalent w.r.t. h, written v1 h v2, if v2 and v2 are abstractable to thesame abstraction trace w.r.t. h. We should point out here that h is not a congruence since“-h is not reflexive (not every trace is abstractable). For example, let v1, v2 : —÷ R, withCHAPTER 6. BEHAVIOR ANALYSIS 83= )t. sin(irt) and v2 = .sign(vi) where sign : —* is a function defined as the sign of itsargument. Traces v1 and v2 are both abstractable to a trace v’ : .A1 —+ S, with v(O) = 1 andv’(n + 1) = —v’(n) (Figure 6.1).. .VftLuFigure 6.1: Equivalent traces and their abstractionConsider again the example of the car-like maze traveler. The heading trace of the car8 : —* (Figure 6.2(a)) can be abstracted to a discrete trace (Figure 6.2(b)). Notice thatthe “ambiguous directions” during the turnings are abstracted away.directionwestnortheast.0(b)Figure 6.2: The heading of a maze traveler and its abstractionCHAPTER 6. BEHAVIOR ANALYSIS 84Similar to the abstraction and equivalence defined for traces, abstraction and equivalencefor transductions are defined as follows. A transduction F A’ —÷ A is abstractable to atransduction F’ : A’’ —* A’ w.r.t. h = {h1,2}iffF(v) h2 F(w) whenever v Ch w. If thereis no input, an abstractable transduction reduces to an abstractable trace. The abstraction ofF w.r.t. h = {h1,2} is F’(hi(v)) =h2(F(v)). Two transductions F1 and F2 are equivalentw.r.t. h, written F1 h F2, if F1 and F2 are abstractable to the same abstraction transductionw.r.t. h.Abstraction and equivalence for behaviors are based on the abstraction and equivalence fortraces. A behavior B is abstractable w.r.t. h iff for all (i,o) E B, o is abstractable w.r.t. hwhenever i is abstractable w.r.t. h. If there is no input, an abstractable behavior reducesto the set of abstractable traces. The abstraction of B w.r.t. h is B’ = {(i’, o’)I(i, o) eB and i is abstractable}. Two behaviors are equivalent w.r.t. h, written B1 h B2, if B1and B2 are abstractable to the same abstraction behavior w.r.t. h. Two modules CN1(I,0)and CN2(I,O) are equivalent w.r.t. h, written CN1(I,O) h CN2(I,O), iff CN1(I,O)-‘hI{CN2(I,0)].We should notice that behavior abstraction may not preserve the property of being state-based or time-invariant. Now we investigate the abstractable condition of a state transitionsystem. A state transition system (S,—b) is abstractable w.r.t. a congruence on S if si2, —* s3 and 2 s imply that s e [82] such that i — s —f s3. Let (S/, —*) be astate transition system defined as [s1]—*[s2 if s e [si], s’ E [s2] such that s —÷ s’. If (S, __*>is abstractable w.r.t. , (S/, —*) is called the abstraction of (5, —*) w.r.t. ; otherwise, it iscalled the approximate abstraction of (5, —*) w.r.t. .Proposition 6.4.1 (1) If (5’,—‘) is an abstraction of (5, —÷), the behavior corresponding to(S’,—f’) is the abstraction of the behavior corresponding to (5,—÷). (2) If (S’, —*‘) is an approximate abstraction of (5, .—*), the behavior corresponding to (5’, -._*‘) is a superset of theabstraction of the behavior corresponding to (5, —*).6.5 SummaryWe have presented formal definitions of the behavior of a system and requirements specification,and a formal relationship between the behavior of a system and a requirements specification.Within this framework, the robustness of parameterized systems and the complexity of behaviors can be studied. We have also presented a systematic approach to the study of behaviorabstraction and equivalence using concepts from abstract algebra.Chapter 7Summary and Related WorkWe have presented a semantic model for hybrid dynamic systems modeling and behavior analysisin this modeling framework. In this chapter, we summarize the results of Part I and discusssome related work on models for dynamic systems.7.1 SummaryIn this section, we summarize the Constraint Net model for design and analysis in terms of itspower and limitations.7.1.1 PowerThe Constraint Net model is powerful in the following aspects.• Power of Abstraction: The Constraint Net model is based on the abstract notions of timeand domains. With this abstraction, both continuous and discrete time and domains canbe represented in a uniform framework. Given abstract structures of time and domains, anabstract structure of dynamics can be derived based on the abstract notion of traces andtransductions. Developed on abstract algebra and topology, a system can be representedat different levels of abstraction. Quotient and qualitative dynamics can be formalized,behavior abstraction and equivalence can be studied.• Power of Expression: The syntax of the Constraint Net model is graphical and modular,and its semantics is denotational and composite. Nondeterministic and stochastic systemscan be represented with hidden inputs. Parameterized systems and various forms oftemporal integration can be incorporated into the model.85CHAPTER 7. SUMMARY AND RELATED WORK 86• Power of Computation: The Constraint Net model is an abstraction and generalizationof datafiow-like models, so that hybrid systems systems with components in differentdomain and time structures can be modeled. Furthermore, both sequential computation and analog computation are special types of dynamic system that can be modeledwith a simple domain and time structure.7.1.2 LimitationsThe Constraint Net model is limited in the following sense.• Limitations of Abstraction: The Constraint Net model is based on the abstract notionof traces and transductions, while transductions are causal mappings from input tracesto output traces. Not every physical process can be considered as a transduction. Forexample, a frequency bandwidth ifiter is not a transduction, since the output at any timemay depend on the whole input trace. Furthermore, partial differential equations cannotbe modeled.• Limitations of Expression: The Constraint Net model is developed on the principles ofsimplicity and generality. There is no inherent notion of riondeterminism, which mustbe explicitly expressed by hidden inputs. There is no inherent notion of synchronizationfor communicating systems nor that of time-out for real-time systems, which must beexplicitly modeled by event generators and synchronizers. Sequential computation mustbe explicitly represented via event coordinations.• Limitations of Computation: We call our model Constraint Nets for two reasons. First,semantically, a constraint net is a set of equations, each of which imposes a constrainton traces. The semantics of a constraint net is the least solution of the set of equations.Second, we will see, in Part III, constraint satisfaction can be viewed as a dynamic processthat can be modeled by a constraint net. Such a constraint net may approach a stableequilibrium that is the solution set of the constraint satisfaction problem. However,not every constraint satisfaction problem can be solved using the Constraint Net model.Furthermore, since the semantics of a constraint net is the least solution of the equations,any constraint net with algebraic ioops may result in an undefined solution. From thecomputational point of view, algebraic loops represent infinite amount of computationin any instant of time. A well-defined constraint net performs only a finite amount ofcomputation in any instant of time.CHAPTER 7. SUMMARY AND RELATED WORK 877.2 Related WorkVarious models for concurrent and distributed systems [FF84] have been developed in the theory,Al and systems communities. Roughly speaking, these models can be characterized as belongingto one of the three categories: (1) Automata or State Transition Models, (2) CommunicatingProcesses or Multi-agent Architectures, and (3) Nets, Circuits or Dataflow Structures. Modelsin any of these forms can be equivalent in computational power (as with sequential models).The selection of models depends on applications. Typical criteria for model seletion are:• Simple and Uniform,• Modular and Composite,• Parallel or Concurrent,• Sequential or Synchronous,• Nondeterministic or Probabilistic.Some of these criteria are opposed to each other.Most of these models can be augmented with the notion of time for modeling real-timeand/or hybrid systems. There are also constraint-based models and biology-based models. Wesurvey some typical models in every category and their extensions to real-time and/or hybridmodels, then we discuss the relationship between the Constraint Net model and other existingmodels.7.2.1 Automata or state transition modelsAutomata or state transition models are typical for studying discrete event systems [Ho182],and most recently, for modeling hybrid systems [GNRR93]. However, for complex systems withmultiple components, global state description will cause the exponential growth of the numberof states. Nevertheless, modeling global transitions of a system is important for analyzing thesystem’s overall behavior. Although nondeterminism can be expressed by this type of modelinherently, automata or state transition models go to the extreme for simplicity and globalanalysis, with little concern for modularity and parallelism.Examples of this type of model are Mealy/Moore Machines and Statecharts. Various formsof timed and hybrid automata have been studied recently.CHAPTER 7. SUMMARY AND RELATED WORK 88Mealy/Moore MachinesMealy/Moore machines [Mea55, Moo56] are the simplest form of input/output transducer forevent control systems [CWG88]. Various adaptations can be made to particular domains. Forexample, Rosenschein [RK87, Ros89] proposed the situated-automata approach, which seeksto analyze knowledge in terms of relations between the states of a machine and the states ofits environment over time. This approach, in contrast to the interpreted-symbolic-structureapproach that has prevailed in AT for decades, provides a way of compromising between therepresentational power and real-time execution of AT systems. A situated automaton is in facta variation of a Moore machine {Moo56]. The Requirement State Machine (RSM) [JLHM91], aspecial form of Mealy machine {Mea55], has been proposed as a software requirement analysislanguage for real-time process-control systems.StatechartsThe Statechart method was introduced [HP85] as a visual formalism for specifying the behaviorof complex reactive systems. It describes a system’s behavior in terms of states, events andconditions, with combinations of the latter two causing the transitions between the former. Bothstates and transitions can be associated in various ways with output events, called activities,which can be triggered either by executing a transition or by entering, exiting, or simply beingin a state. A system’s inputs are thus the events and its outputs are the activities; their unioncomprises the interface set.Iii Statecharts, the exponential growth of states is avoided by defining higher-level states.States iii a Statechart can be repeatedly combined into higher-level states using AND and ORmodes of clustering.Timed and Hybrid AutomataMuch work has been done recently on introducing real-time concepts into formal models ofconcurrency [dHdR9l]. For example, Merritt et al. [MMT91] augmented the input-outputautomaton model with a notion of time that allows to reason about timed behaviors. Alurand Dill [AD91] developed the theory of timed automata to reason about timed behaviors.Henzinger et al. [HMP91b] incorporated time into an interleaving model of concurrency inwhich upper and lower bounds on time delay are associated with each transition. None of thesemodels, however, are able to represent continuous change.CHAPTER 7. SUMMARY AND RELATED WORK 89Some effort has been made recently to develop models for hybrid systems [GNRR93I, systemswith both discrete and continuous components. By generalizing timed transition systems tophase transition systems [MMP91, NS91], computation consist of alternating phases of discretetransitions and continuous activities. More specifically, Nerode and Kohn [NK93a] present amodel consisting of two automata: a digital control automaton and a plant automaton. Theplant automaton can be modeled as a state transition system over intervals. The inputs of aplant automaton are control signals and disturbances, while its states are the solutions of theset of differential equations of the plant for the given control signals and disturbances.7.2.2 Processes or multi-agent architecturesModels in this category represent a system with multiple processes or agents that communicatewith each other via channels or shared memories. In most cases, agents and channels canbe created dynamically and communication patterns are not fixed at run time. Modularity,compositionality, as well as nondeterminism are features of this type of model. This type ofmodel can be very complex with various communication and synchronization operators; bothparallel and sequential computation can be incorporated. Even though discrete time structurescan be added to these models, they are concurrent rather than real-time models.Examples of this type of model are algebraic processes, the Actor model and the cc family.Algebraic ProcessesMuch work has been done in algebraic processes. Typical models of this type are CSP and CCS.C.A.R. bare’s Communicating Sequential Processes (CSP) [Hoa85] is a model describing concurrent and distributed computation. A CSP program is a static set of explicit processes. Pairsof processes communicate by naming each other in input and output statements. Communication is nonbuffered and synchronous with unidirectional information flow. Guarded commandsare used to introduce indeterminacy. Some work has been done for specifying a robot controlsystem in CSP and formally verifying some properties [LD89]. However, it is hard to capturethe essential structure of an analog control system and the dynamics of robot manipulators inCSP.The work of George Milne and Robin Milner [MM79] is an attempt to describe a mathematical semantics for concurrent computation and communication. Their goal is a formal calculusof concurrent computation, much as the lambda calculus is a formal calculus of uniprocess computation. Their model, Calculus for Communicating Systems (CCS), has explicit processes thatCHAPTER 7. SUMMARY AND RELATED WORK 90communicate synchronously and bidirectionally over labeled channels. The number of processesand their communication connections can change dynamically. Syntactically, a system modeledby CCS is a fiowgraph with composition, restriction and relabeling. The semantics of CCS isbased on the theory of sets, powerdomains and fixpoint of continuous algebra. Though CCSallows the analysis of the temporal ordering of events, there is no way to specify the relativespeeds of events. Synchronous CCS (SCCS) has been studied by Milner [Mil83], in which eventsare synchronized by timesteps. Timed CCS (TCCS) has also been proposed [MT9O, MT91I asa tool for real-time analysis, which introduces wiffing-to-delay and forcing-to-delay operators.Many basic tools for communication protocol specification and verification are CCS-like languages [QAF89, At189]. Some more general work on the semantics of communicating processeshas been presented by Hennessy [Hen88]. His approach relies heavily on abstract algebra—D-algebras and the fixpoint theory of continuous functions— which shows that algebraic theoryis a powerful tool for programming semantics.ActorsThe Actor model was proposed by Hewitt for developing highly parallel machines and opensystems [Hew88]. The Actor model takes the theme of object-oriented computation seriouslyand to an extreme. In an Actor system, everything is an actor (object). Actors communicate bysending each other messages, which are themselves actors. Every actor has a script (program)and acquaintance (data, local storage). When a message arrives at an actor, the actor’s script isapplied to that message. Clinger [Ci81] gave a denotational semantics for an Actor-like systembased on powerdomains and fixpoint theory, and also defined a set of laws that are meant torestrict Actor systems to those that can be physically implemented. Agha [AghS5j further gavea structured operational semantics for an Actor language and discussed compositionality andabstraction from irrelevant detail.The Robot Schema (RS) Model is a variation of the Actor model, where a schema can beconsidered as a class of object. RS is a special model of computation for sensory-based robotprogramming [LA89]. RS is a typical concurrent object-oriented model, in which a schemais a general specification and a schema instance is a concurrent object. Each object can becreated and terminated by other objects. Therefore, a network is created and changed duringcomputation. Objects communicate with each other through input and output channels. Theconcept of 1S can be implemented via any concurrent object-oriented language [Zha89, Zha9O].However, the formal semantics of RS is very complicated, due to various interpretations of theCHAPTER 7. SUMMARY AND RELATED WORK 91composition, communication and nondeterminism. Furthermore, again, continuous dynamicscannot be represented in this model.The cc FamilySaraswat [Sar89] has developed a framework of concurrent constraint programming, that hecalled the cc Family. In this paradigm, computation emerges from the interaction of the concurrently executing agents that place, check and instantiate constraints on shared variables thatrange over some domain of discourse.Constraints are partial specifications of (possibly infinite) sets of values, and the agents mayeither collaborate or compute in placing constraints. The major form of concurrency control inthe system is through the notion of Atomic Tell and Blocking Ask. The former allows an agentto (instantaneously) place constraints only if they are consistent with the constraints that havealready been placed. The latter forces an agent to block when it checks a relationship that isnot yet known to hold.This paradigm is a generalization of research in concurrent logic programming languages[Sha87]. It has been shown that concurrent logic programming languages are good candidatesfor open systems [KM88] and for the simulation of robot behaviors [ZM92]. However, they arenot real-time languages, since their computation time is unpredictable.A timed extension of the cc family, timed cc, has been proposed [SJG94] in which real-timerequirements (such as time-out) can be expressed.7.2.3 Nets or dataflow structuresUnlike state transition models that represent flow of control, computation in datafiow structuresis data-driven. Unlike process-based systems in which processes and communication can becreated dynamically, operators and connections in dataflow models are fixed. The advantagesof a dataflow model are its inherent parallelism or concurrency, its locality (modularity), itsgraphical orientation, and most importantly, its generality and simplicity. Nondeterminismis inherent for interleaving concurrency models. However, neither sequential computation norsynchronization is explicitly represented.Examples of this type of model are Petri Nets, circuit models, communicating state machinesand operator nets.CHAPTER 7. SUMMARY AND RELATED WORK 92Petri NetsThe Petri Net model is a formal modeling technique that encodes the states of a dynamical system as the markings of tokens on a graph [Pet8l]. The graph is a bipartite, directed multigraphthat has two kinds of node, places and transitions, and arcs connect places and transitions.A marked Petri net is the association of a number with each place (the number of tokenson that place), which is not bounded but is always finite. A transition is enabled if every placeconnected to that transition with k arcs has at least k tokens. A transition may fire at anytime if it is enabled. When a transition fires, it moves tokens from its input places to its outputplaces. If multiple transitions are enabled at that time, it nondeterministically choose one tofire.The Petri Net model of a system can be used to prove properties such as mutual exclusion,liveness and reachability. Various extensions (for example, inhibition) of Petri Nets have beenproposed to make it Turing equivalent. The Time Petri Net model is a current area in PetriNet theory research [Pet86, BD91].Circuit ModelsCircuit models are a typical kind of datafiow model. There are digital circuit models andanalog circuit models. Analog circuits are basic systems for analog control. Analog circuitsmay include resistors, capacitors, amplifiers, differential or integral elements. Digital circuitsinclude synchronous and asynchronous models.Synchronous circuits (sequential circuits) are the building blocks of most digital computersystems. A synchronous circuit consists of a set of basic gates (e.g., and, or and not) andall the gates operate at the same sampling rate controlled by a single clock. The idea ofasynchronous circuits was demonstrated by Sutherland’s Turing Award paper “Micropipelines”[Sut89]. Sutherland discards the clocked-logic conceptual framework and thinks instead abouta different but equally simple form of control called transition signaling. The basic elementsof asynchronous circuits are the exclusive or Qcor) element that acts as the “or” element forevents, and the Muller C-element that acts as the “and” element for events. Asynchronouscircuits have advantages in hardware design, software and system development.Variations of circuit models have been adapted in AT. For example, the action network{Ni189] is composed of a forest of logical gates that select actions in response to sensory andstored data. The elementary unit of an action net implements a logical and gate.CHAPTER 7. SUMMARY AND RELATED WORK 93Communicating State MachinesCommunicating state machines are networks of state machines, each of which has a set of inputports and a set of output ports. Typical examples of this type are the the Augmented FiniteState Machine, the Extended State Machine, and temporal automata.The Augmented Finite State Machine (AFSM) {Bro88] was used as the model for the subsumption architecture. Each AFSM has a set of registers and a set of timers, or alarm clocks,connected to a conventional finite state machine that can control a combinatorial network fedby registers. Registers can be written by attaching input wires to them and receiving messagesfrom other machines. The arrival of a message, or the expiration of a timer, can trigger a changeof state in the interior finite state machine. The finite state machine can wait on some event,conditionally dispatch to one of two other states based on some combinational predicate on theregisters, or compute a combinatorial function of registers directing the result either back toone of the registers or to an output of the augmented finite state machine.The Extended State Machine (ESM) [0st89] is a framework for modeling systems composedof real-time discrete event processes. ESM can be used to model the processes and devices ofa plant, as well as the software tasks of controllers implemented as real-time software. EachESM description of a process will have a distinguished variable called an activity variable thatranges over a set of activities. In addition, an ESM may have a set of data variables to storenumerical or quantitative information. States in ESM refer to values of all the activities anddata variables. In addition, each ESM has a set of event labels, a set of communication channelsand a set of basic actions. The occurrence of an ESM event causes an instantaneous changefrom the current activity to some new activity, as well as causing a change in the values of thedata variables.The Temporal Automaton model [LS9O] is closer to datafiow models than to automata. Atemporal automaton has the characteristics of explicit representation of process time, symmetricrepresentation of a machine and of the environment in which it operates, the wiring together ofasynchronous automata, and the ability to aggregate individual machines to form one machineat a coarser level of granularity. Temporal automata are defined on entities and transductions.Entities associate time with data domains and transductions induce causal relationships betweenentities. Two temporal automata can be connected by wires to form a new temporal automaton.A temporal automaton with empty input entities defines a closed system, it otherwise definesa causal system.CHAPTER 7. SUMMARY AND RELATED WORK 94Operator NetsThe Operator Net model is a generalized deterministic datafiow model [Ash86]. A graphicallanguage is defined that is syntactically extremely simple and that is mainly uninterpreted, i.e.,using operator symbols rather than particular operators. This uninterpreted graphical languagecan then be interpreted in several different ways, by starting with different (continuous) sequencealgebras. A mathematical semantics is given by the fixpoint theory that is referred to as Kahn’sPrinciple [Kah74].Different possible sequence algebras form families, each of which is based on a differentcontinuous data algebra. If A is a data algebra, then 1(A) is a sequence algebra based onpointwise extensions of functions in A, and E(A) is an enlargement of 1(A) by the addition ofa set of continuous operators that are not pointwise based, e.g., next, merge, follow-by, etc.SIGNAL {BL9O] and LUSTRE [CPHP87] are specializations of the Operator Net model.Both of them augment the notion of clocks that are represented by streams of Booleans. Eachoperator can be associated with a clock such that the operator is performed at the clock’ssampling rate. This type of model can be considered as a general model for real-time systemsand for discrete time and hybrid domain dynamic systems.7.2.4 Constraint-based and biology-based modelsModels in this category are motivated by physical and biological natural systems. They are notmainly for providing the syntax or semantics of a programming language. Instead, they can beconsidered as philosophical or mathematical structures of natural systems.Most natural systems are constraint-based, following some natural laws or keeping certainrelationships. There are two types of relationship, dynamic or algebraic. Constraint-basedmodels explore relations rather than causalities.There are various biology-based models, such as neural nets and cerebellar models. Thecategorical theory of biological systems has also been proposed.Constraint-based ModelsThe constraint paradigm [Ste8O] is a model of computation in which values are deduced whenever possible, under the limitation that deductions must be local in a certain sense. One mayvisualize a constraint “program” as a network of devices connected by wires. Data values mayflow along the wires, and computation is performed by the devices. A device computes usingCHAPTER 7. SUMMARY AND RELATED WORK 95only locally available information and places newly derived values on other locally attachedwires. In this way computed values are propagated.An advantage of the constraint paradigm is that a single relationship can be used in morethan one direction. The connections to a device are not labeled as inputs and outputs; a devicewill compute with whatever values are available, and produce as many new values as it can. Adisadvantage is that it can only deal with very limited classes of constraint satisfaction problem.Differential (resp. difference) algebraic equations (DAE) can be considered as taking bothdynamic (causal) and algebraic (relational) constraints in one framework. In general, a dynamicsystem in continuous time (resp. discrete time) is a set of differential (resp. difference) algebraicequations:th = f(x, y) (resp. z((n + 1)6) = f(x(n6), y(n6))),y = g(x,y).Biology-based ModelsThe Neural Net model is motivated by the principle in physics, i.e., minimizing the energy of asystem. Such minimization is performed dynamically by changing the parameters of the system,that is parallel and distributed in general. A neural net can solve a constraint satisfactionproblem [RM86] if the energy function is defined according to the degree of satisfaction. Theadvantages of the Neural Net model for solving constraints are that it can solve soft constraintsand that it involves dynamics that is important in behavior simulation and animation [P1a89].The Cerebellar Model Arithmetic Computer (CMAC) is motivated by the structure andfunction of the various cells and fiber types in the cerebellum [A1b81]. CMAC is defined bya series of mappings, S —* M —* A —* F, where S is a set of input vectors, M is a set ofmossy fiber used to encode 5, A is a set of granule cells contacted by M, and P is a set ofoutputs. The overall mapping S —* P is a function that represents the causal relationshipbetween the input and the output. Feedback is introduced in the model so that the system canlearn. Furthermore, CMAC can simulate finite state automata, as well as compute integralsand other general functions. Hierarchical structures can be used for modeling complex systems.The categorical theory of biological systems was studied by mathematical biologists [Ros85J.Using the categorical theory, the dynamics of a composition system, quotient dynamics, andhierarchies can be studied formally and abstractly.CHAPTER 7. SUMMARY AND RELATED WORK 967.2.5 Relationships with the Constraint Net ModelA distinguished feature of the Constraint Net model (CN), comparing with all the existingmodels, is abstraction. CN is an abstraction and generalization of dataflow-like models. Withabstract time and domain structures, CN models dynamic systems with components of differentdynamics. It is the first time that the programming semantics techniques are applied to dynamicsystems modeling.Some important concepts in CN are influenced by Temporal Automata and Operator Nets.Comparing with Temporal Automata, CN is defined on more general and abstract structures oftime and domains, based on which, traces, event-driven as well as primitive transductions areformajized. In addition, CN has a more rigorous semantics based on fixpoint theory. Comparingwith Operator Nets, CN introduces reference time structures that can be continuous as well asdiscrete. In addition, events in event traces are transitions so that Sutherland’s event logic isadopted.CN is a net-oriented model, while a component in a net can be an automaton or a statetransition system. Processes or components in CN cannot be created or destroyed, and interconnections are fixed. However, such effects can be achieved by event-driven computation. CNcan model synchronous, asynchronous and analog circuits. Even though CN does not directlyrepresent synchronous communication and sequential computation, such mechanisms can begenerated by event synchronization using the event logic. The syntactic structure of CN issimilar to that of Petri Nets, i.e., a bipartite directed graph. However, the semantics of CNis for maximum parallelism, while the semantics of Petri Nets is for concurrency. CN is aninherently deterministic model, while nondeterminism can be captured by hidden inputs. CNcan efficiently model differential and difference equations, Neural Nets and CMAC. CN can alsosimulate constraint-based models, given the underlying dynamics that keeps the relationship asa stable state. Since CN is based on algebraic theory, homomorphism and quotient dynamicscan be studied under this model.In summary, the major contributions of CN are: (1) CN models asynchronous and synchronous components, as well as coordination among components with different time structures;(2) CN supports abstract data types and functions, as well as algebraic specification; (3) CNcan provide a programming semantics for the design and analysis of hybrid real-time embeddedsystems; (4) CN serves as a foundation for the specification and verification of hybrid systems.Part IIRequirements Specification andBehavior Verification97The way of human follows the way of earth.The way of earth follows the way of heaven.The way of heaven follows the way of Tao.The way of Tao follows the way of Nature.— Tao Teh Ching, Lao TzuImplementations follow algorithms.Algorithms follow specifications.Specifications follow ideas.Ideas follow the way of Nature.— Zhang Ying98Chapter 8IntroductionWe have developed a semantic model for dynamic systems. A model of a dynamic system represents the whole system as a set of components and their connections. However, the behaviorof the system is not explicitly represented, since most dynamic systems have no closed formsolutions at all. On the other hand, most design requirements can be expressed by qualitativeproperties and can be satisfied by many models. As a simple example, = —x is a model of adynamic system, which fortunately has a closed form solution: x = At.x0e_t. A requirementsspecification may simply be a limit property limt x(t) = 0. In this case, the model th = —xsatisfies the specification limt_ x(t) = 0. In Part II, we propose and answer the followingtwo questions: What is an appropriate requirements specification language? How to verify thebehavior of a system against certain requirements specification?In this chapter, we present an overview of Part II, Requirements Specification and BehaviorVerification. There are three major chapters in Part II. Chapter 9 develops timed linear temporal logic. Chapter 10 develops timed V-automata. Chapter 11 develops a formal method forensuring that the behavior of a system satisfies a timed V-automata specification.8.1 Timed Linear Temporal LogicSince we consider time as a linearly ordered set with a least element, linear temporal logic isthe simplest specification language for sequential (dynamic) behaviors.First, we develop a propositional linear temporal logic (PLTL). As with other temporallogics, we define the basic temporal operators ii and S; F1 U F2 indicates that F1 is true afterthe current time until F2 becomes true, and F1 $ F2 indicates that F1 is true up to the currenttime since F2 becomes true. From these basic operators, we further define K’ (eventually),D (always), Q (next), e (previous), etc. Unlike other temporal logics, PLTL is defined for99CHAPTER 8. INTRODUCTION 100arbitrary time structures, with discrete and continuous time as special instances.Second, we extend PLTL with two real-time operators UT (real-time until) and ST (real-timesince) where r > 0 is any positive real number. The resultant language is called a propositionaltimed linear temporal logic (PTLTL), where “timed” indicates the representation of metric ormeasure properties of time. From these two basic real-time operators, we further define otherreal-time operators such as KT (real-time eventually) and 0T (real-time always).Third, we define FTLTL, a first order TLTL. FTLTL is strongly typed, i.e., its domain isa multi-sorted s-algebra. Terms of FTLTL are defined on the signature E and predicates areassociated with types too. Furthermore, any global variable (variable whose value is a constantover time) can be quantified. RFTLTL, a restricted version of FTLTL, is also defined, in whichquantifiers are restricted to state formulas (formulas without temporal or real-time operators).FTLTL is strictly more powerful than RFTLTL, however, RFTLTL gains its advantage in thesimplicity of verification.Finally, we propose the concept of open state specification and briefly discuss the importanceand the use of open state specification.8.2 Timed V-automataAn alternative to linear temporal logic for representing sequential behaviors is automata. Consider an automaton as a language recognizer that accepts a set of traces. If a trace is acceptedby the automaton, the trace satisfies the specification defined by the automaton. The simplestautomata are finite state automata.First, we present discrete V-automata, adopted from the definition given by Manna andPnueli [MP871. Discrete V-automata are finite state automata accepting infinite sequences,i.e., traces of discrete time. V-automata have a graphical representation that is useful andilluminating. Furthermore, it has been shown [MP87] that discrete V-automata are strictlymore powerful than PLTL.Second, we extend discrete V-automata to discrete timed V-automata, by augmenting timebounds on automaton-states. With this augmentation, various types of real-time property canbe specified.Finally, we generalize discrete timed V-automata to timed V-automata. Timed V-automatacan accept traces of arbitrary time structures, with discrete and continuous time structures asspecial cases.CHAPTER 8. INTRODUCTION 1018.3 Behavior VerificationWe start with the concepts of behavior verification in general and the discussion of the theoremproving approach to verification in particular. The rest of the chapter focuses on verificationtechniques for timed V-automata specification.One of the important advantages of timed V-automata specification is that there exists aformal verification procedure. This verification procedure is derived from the integration of amodel checking technique and a stability analysis method.For verifying state-based and time-invariant behaviors of discrete time systems, we modifythe verification rules developed by Manna and Pnueli [MP87] in the following ways:• Ranking functions are replaced by Liapunov functions that generalize the functions forstability analysis in dynamic systems.• Verification rules for real-time bounds are augmented so that real-time properties can beverified.We apply the verification rules to the semi-automatic verification of constraint nets ondiscrete time structures. A verification of this type reduces to a set of first order state formulasthat can be checked by a theorem prover.We translate the verification rules into an algorithm for finite domain and discrete timedynamic systems. The algorithm has a polynomial time complexity in both the size of themodel and the size of the specification. With the concept of state transition abstraction, furthersavings in complexity can be explored.Finally, we generalize the verification rules so that behaviors with continuous as well asdiscrete time structures can be formally verified.8.4 Summary and Related WorkThe novelty in specification languages includes: a temporal logic defined on abstract time anddomains, a timed extension to finite automata, and a generalized version of finite automata thataccepts traces of continuous time. The novelty in behavior verification includes a semi-automaticverification method for discrete constraint nets, an efficient algorithm for finite domain systems,and a formal verification method for behaviors of hybrid systems.Chapter 9Timed Linear Temporal LogicTemporal logic provide a simple and precise specification for sequential behaviors [Eme9O].We develop timed linear temporal logic (TLTL) for specifying desired properties of systembehaviors, where “linear” refers to linearly ordered time structures and “timed” implies metricdistances. First we generalize the propositional linear temporal logic to specifying propertiesof arbitrary traces (instead of finite or infinite sequences). Then we augment real-time modaloperators so that real-time properties (e.g., real-time response) can be specified. Finally, wedevelop a first order TLTL for arbitrary time and domain structures.9.1 Propositional Linear Temporal Logic (PLTL)The simplest temporal logic is the propositional linear temporal logic (PLTL). In this section,we present a form of PLTL that can incorporate both discrete and continuous time, so thatproperties of arbitrary traces can be specified and reasoned about.9.1.1 PLTL: syntax and semanticsThe basic form of the propositional linear temporal logic (PLTL) is the classical propositionallogic extended with temporal operators. Formally, the syntax of the logic is defined as follows.Definition 9.1.1 (Syntax of PLTL) Let 4 be a set of propositions. The basic syntax can bedefined using BNF:F ::= false I F1 — F2 I F1UF2 I F1SFwhere p E is a proposition, —* is a logical connective denoting “implication,” U is a temporaloperator denoting “until” and S is a temporal operator denoting “since.”102CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 103We will use the convention that temporal operators have higher priorities than logical connectives, and unary connectives (operators) have higher priorities than binary connectives (operators).A frame of PLTL is a triple (T, A, V) where T is a time structure, A is a domain, andV: — 2A is an interpretation that assigns to each proposition p E a subset V(p) of A. Wewifi use a p or p(a) to denote a E V(p).A model of PLTL is a pair (F, v) where F = (T, A, V) is a frame and v : 7 —÷ A is a trace.Formally, the semantics of the logic is defined as follows.Definition 9.1.2 (Semantics of PLTL) Let F = (7, A, V) be a frame and (F, v) be a modelof PLTL. Let F be a PLTL formula. Then v H F denotes that v satisfies F at time t:• v false.• v=tpforpE iffv(t)=p.• vHF1 —* F2 iffy H F1 implies v H F2.• v H F1UF2 ifft’ > t,v F2 and Vt”, t < t” < t’,v H” F1.• v =tF18F2 ifft’ < t,v ‘ F2 and Vt”, t’ < t” < t,v H” F1.We will use v F to denote that v satisfies F initially, i.e., v =j F. F is valid over a frameF, if for any model (F, v), v F. F is valid, if for any frame F, F is valid over F. F issatisfiable over a frame F, if for some model (F, v), v=F. F is satisfiable, if for some frameF, F is satisfiable over F.9.1.2 PLTL: extensionsMore logical connectives and temporal operators can be defined using the basic logic connective —* and the basic temporal operators U and S.Some commonly used logical connectives are defined as follows:• Negation: -‘F F — false.• True: true -‘false.• Disjunction: F1 V F2 —‘F1 —* F2.• Conjunction: F1 A F2 -‘(F1 —* -‘F2).CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 104• Equivalence: F1€- F2 (F1 —÷ F2) A (F2 —* F1).Some commonly used temporal operators are defined as follows:• Eventually: F F V true U F.• Always: OF• Next: QFFUF.• Previous: eF F$F.• Wait: F1 ¾) F2 E OF1 V F1 A (F1 U F2) V F2.Various stronger and weaker variations of these temporal operators [Eme9O] can also be defined.The semantics of these logical connectives and temporal operators can be derived from theirdefinitions. Let F = (T, A, V) be a frame and (F, v) be a model of PLTL. Let F be an extendedPLTL formula:• v H -F if v t F.• v=true.• v=tFiVF2iffv=t iorv=tF• v=tFiAFiffv=tFi andy =F2.• v H F if t’ t, v ‘ F.• vtOFiffVt’t,vt,F.• v=OF ifft’ > t, Vt”,t < t” t’,v j=t” F.• v 8F if t’ < t, Vt”,t’ t” < t,v=“F.• v=F1WF2if Vt’> t, v H’ F1, or 3t’ > t, v Hi F2 and Vt”, t < t” < t’,v H” F1, orF2.We should note that the temporal operators Q and e are generalizations of the “next” and“previous” operators, respectively, from discrete to arbitrary time. However, —(QF) A —‘(Q--F)and -(eF) A -(e-F) are satisfiable, and QF —* Q(QF) and F e(eF) are valid, for anyframe with dense time.CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 105For the maze traveler example in Part I, let ME be a proposition denoting that the robotis moving east. A desired property of the maze traveler is DOME, i.e., moving east infinitelyoften, which ensures the escape of the robot from any finite maze, for the given design andenvironment.We can define some more abbreviations that are more convenient to use in many situations.• final Q true.• initial E e true.• rise(p) (-‘p A Qp) V (e-’p A p).• change(p) rise(p) V rise(—ip).• event(p) (-‘p A p) v (ep A —‘p).Some important properties of behaviors can be specified using PLTL.• Safety: If B is a proposition denoting a bad situation, D-iB.• Goal achievement: If G is a proposition denoting a final goal, 00G.• Persistence: If P is a proposition denoting a persistent condition, DOP.• Precedence Q!3R: Q happens before R, i.e. -‘RW(--iR A Q).• Interleaving QIR: Q and R interleave, i.e. D(R —* QBR) A D(Q —* RI3Q).Now we can formally specify desired properties of the producer-consumer circuit in Figure5.3. The first desired property is that producing precedes consuming, i.e.,event(C1) I3event(C2).The second desired property is that producing and consuming interleave, i.e.,event(C1) I event(C2).9.2 Propositional TLTLIn order to specify the metric properties of time, we develop Timed Linear Temporal Logic(TLTL). In this section, we introduce propositional TLTL (PTLTL), and in the next section,we present the first order TLTL (FTLTL).CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 106The basic syntax and semantics of PTLTL are the same as those of PLTL. In addition,we augment the basic form of PLTL with two real-time operators. Let r > 0 be a positivereal number, Tt+T = {t’lt < t’,d(t,t’) < T} and Tj_T = {t’It’ < t,d(t’,t) r}. Two real-timeoperators are defined as follows:• V F1UT2jif t’ E Tt+r, v =i F2 and Vt”, t < t” < t’, v =jn F1.• v =F1ST2if t’ E Tt_T, v t’ F2 and Vt”,t’ < t” <t,v u F1.Other real-time and temporal operators can be defined using the two basic real-time operators.• TF trueUTF.• DTF• ‘1TF true STF.• DTF -(K-’F).The semantics of these real-time operators can be derived as follows:• v I=t TF if t’ E Tt+T, v =t’ F.• v = DF if Vt’ E v =i F.• V H TF if t’ E Tt_T, V 1=t’ F.• v DTF iff Vt’ E v H’ F.With real-time operators, real-time properties can be specified, for example, real-time responsecan be specified as D(E —* KR).9.3 First Order TLTLWe present FTLTL and its restricted version RFTLTL. RFTLTL imposes a constraint thatquantifiers are associated only with state formulas (formulas without temporal and real-timeoperators).To define the syntax for FTLTL, we shall first define terms. Let = (S, F) be a signature,Xj be a set of trace variables, also called local variables, and Xg be a set of parameter variables,also called global variables. X = X1 U X9 is the set of S-sorted variables. The set of terms ofCHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 107sort s e S induced by and X, denoted T(, X), is the least set of strings that satisfies oneof the following:• if x E X3, then xE T(,X)3,•ifxEXlflX,thenpre(x),x—TET(,X)fo T>0,• if f e F with type —* s, then f E T(E,X)3,• iff e F with type s —* s where s :1 —* S, then f(T) e T(,X)3where T :1 —* T(E,X)with T E T(2,X)*.Given = (S, F) as a signature, let ‘ be a set of S-sorted predicate symbols, such that foreach p e , the type of p is a tuple s : I —* S. The syntax of FTLTL can be defined given Dand .Definition 9.3.1 (Syntax of FTLTL) The basic syntax of FTLTL can be defined as:F::=where T8 e T(,X)3 is a term of sort s, p E is a predicate symbol with type s : I —* S,T : I —* T(, X) with T E T(, and x E Xg is a global variable.A frame of FTLTL is a triple (T, A, V) where T is a time structure, A is a Z-domainstructure and V is an interpretation that assigns to each predicate symbol p e a subset V(p)of x1A3,given that the type of p is s : I —* S.A model of FTLTL is a pair (F, a) where F = (T, A, V) is a frame and a = (al, ag) is avaluation for X = X1 U X9, i.e., Ug : Xg —* A and ai : X1 — (T —* A). By extending thevaluation a from variables to terms, we have a : T(F, X) —* (T — A), such that for any t E T:• a(x)(t) = ag(x) for any x e X9,• a(x)(t) = ai(x)(t), a(pre(x))(t) = ai(x)(pre(t)), a(x — r)(t) = ai(x)(t — r) for any x E X1,• a(f(T))(t) = fA(a(T)(t)) for any f E F.Definition 9.3.2 (Semantics of FTLTL) Let F = (T,A,V) be a frame and (F,a) be amodel of FTLTL. Let F be an FTLTL formula, a =j F denotes that a satisfies F at time t:• a Vzt false.CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 108• a H T3’ = T iffa(T81)(t) = a(T)(t).• a H p(T),p iffa(T)(t) E V(p).• a H F1 F2 if o H F1 implies a H F2.• a HF1UF2 ifft’ > t, a H’ F2 and Vt”,t < t” < t’,a H” F1.• o• HF18F2 fft’ < t, a H’ F2 and Vt”,t’ < t” < t,a H” F1.• a HF1UT2 ifft’ E a H’ F2 and Vt”,t < t” < t’,a H” F1.• a HF1ST2 ifft’ E Tt_T, a H’ F2 and Vt”,t’ < t” < t,a u F1.• a H xF, x E X3 if there is a value a in A3, a H F[a/x], where F[a/x] stands forsubstitution of x in F by a.We will use a=F to denote that a satisfies F initially, i.e., a F. F is valid over a frame F,if for any model (F, a), a F. F is valid, if any frame F, F is valid over F. F is satisfiableover a frame F, if for some model (F, a), a F. F is satisfiable, if for some frame F, F issatisfiable over F.Various logical connectives, temporal and real-time operators can be defined as for PTLTL.In addition, let V be the dual of , i.e., VxF -‘x-’F.If we restrict quantifiers to state formulas (formulas without temporal and real-time operators), we have RFTLTL, a restricted version of FTLTL. Formally, a state formula is definedaswhere T3 T(>2,X)3 is a term of sort s, p E 4 is a predicate symbol with type s” : I —*T : I—f T(F, X) with T T(F, X))3 and x e Xg. Let FV(F3)be the set of free variables inF3. A state formula F3 is a state proposition if FV(F3)C X1.A RFTLTL formula can be defined asF::=F3IF1—F2IFiUFFSUwhere F8 is any state formula.Every RFTLTL formula is also a FTLTL formula, but not vice versa. FTLTL is strictlymore expressive than RFTLTL. For example, limt x(t) = 0 can be expressed by FTLTL asVe, e> 0—f DcJxI < E. However, there is no equivalent RFTLTL formula.CHAPTER 9. TIMED LINEAR TEMPORAL LOGIC 109A RFTLTL formula with all free variables as local variables can be interpreted as a PTLTLformula, with domainx1As and state propositions. For example, we may use state propositionIl <ö A v> E to represent proposition ME, where 0 is the heading and v is the velocity of thecar.9.4 Open State SpecificationNow we discuss an important issue for requirements specification, the openness of state formulas.If F3 is a state formula and FV(FS) is the set of free variables in F3, let V(F3) be the set oftuples satisfying F3, i.e., V(F3) = {a : FV(FS) —* Ala 1= F3}.A state formula F3 is open (closed) in A if V(F3) is open (closed) in the derived metrictopology. The following properties are directly from the definition of general topology: (1)State formulas true and false are both open and closed; and (2) if F, F1, F2 are open (closed),then:• F1 V F is open (closed);• F1 A F2 is open (closed);• —F is closed (open);• xF is open (VxF is closed).We will further discuss the openness of state formulas in the next chapter. Now we considerthe meaning of open state formulas for the definedness of information. If a predicate p on X1A,is open, llV(p) is either a set of well-defined values or a total set. Extra attention should bepaid to this property. For example, let > on x 7 be defined as {(x, y)lx E 7, y E R, x> y};it is an open predicate that is true only on well-defined tuples 7 x R. Similarly, let < onR.xR.be defined as {(x,y)lx E R,y E fl,x < y}; it is a predicate neither open nor closed thatholds only on R x 1?. too. We should notice that for the domain 7 x 1, an obvious relationx > y -* —(x y) does not hold any more, since both L>J and ±fl<J are false.Open state specification is important for requirements specification. For example, for asafety requirements specification D—iB(x) where B is a predicate, B should be closed, so that-B is open. Otherwise, if B is open and -B is closed, an undefined value will satisfy the safetyproperty. That is usually not what safety means.Chapter 10Timed V-AutomataAn alternative to temporal logic for specifying sequential behaviors is automata. Considertraces as a generalization of (finite or infinite) sequences. A desired property of traces can bespecified by an automaton; a trace satisfies the specification iff the automaton accepts the trace.In this chapter, we develop extensions of V-automata, proposed by Manna and Pnueli {MP87]for the specification and verification of concurrent programs. We start with an introductionto basic V-automata that are defined for sequences, or traces with discrete time structures.Then, we augment discrete V-automata to discrete timed V-automata by specifying real-timeconstraints on automaton-states. Finally, we generalize discrete timed V-automata to timed Vautomata whose time structure can be arbitrary. The relationship between timed V-automataand TLTL will also be discussed.10.1 Discrete V-AutomataDiscrete V-automata are non-deterministic finite state automata over infinite sequences. Theseautomata were originally proposed as a formalism for the specification and verification of temporal properties of concurrent programs [MP87]. We briefly introduce discrete V-automata, butin the role of specifying discrete time traces rather than concurrent programs.Formally, a V-automaton is defined as follows.Definition 10.1.1 (Syntax of V-automata) A V-automaton A is a quintuple (Q, R, S, e, c)where Q is a finite set of automaton-states, R C Q is a set of recurrent states and S ç Q is aset of stable states. With each q E Q, we associate a state proposition e(q), which characterizesthe entry condition under which the automaton may start its activity in q. With each pairq, q’ E Q, we associate a state proposition c(q, q’), which characterizes the transition condition110CHAPTER 10. TIMED V-AUTOMATA 111under which the automaton may move from q to q’.R and S are the generalization of accepting states to the case of infinite inputs. We denote byB= Q — (R U 5) the set of non-accepting (bad) states.A V-automaton is called complete if the following requirements are met:• VqeQ e(q) is valid.• For every q E Q, Vq’Q c(q,q’) is valid.We will restrict ourselves to complete automata. This is not a substantial restriction, since anyautomaton can be transformed to a complete automaton by introducing an additional errorstate q E B, with the entry condition:e(qE)=-1( V e(q)),qeQ—{q}and the transition conditions:c(qE,qE) = truec(qE,q) = false for eachqEQ—{qE}c(q,qE)=—( \/ c(q,q’)) for each q E Q — {q}.q’EQ—{qE}Let T be a discrete time structure, A be a domain and v : T —f A be a trace. A runof A over v is a mapping r : T—f Q such that (1) v(O) e(r(O)); and (2) for all t > 0,v(t) = c(r(pre(t)), r(t)).A complete automaton guarantees that any discrete trace has a run over it, and that anypartial run1 can always be extended to a total run.If r is a run, let Inf(r) be the set of automaton-states appearing infinitely many times inr, i.e., Inf(r) = {qVtto t,r(t0) = q}. If T has a greatest element t0, Inf(r) = {r(to)}.Therefore, Inf(r) is a generalization of the “final value.”A run r is defined to be accepting if:1. Inf(r) n R 0, i.e., some of the states appearing infinitely many times in r belong to R,or2. Inf(r) C S, i.e., all the states appearing infinitely many times in r belong to S.‘Consider a run as a function.CHAPTER 10. TIMED V-AUTOMATA 112Definition 10.1.2 (Semantics of V-automata) A V-automaton A accepts a trace v, writtenv A, if all possible runs of A over v are accepting.One of the advantages of using automata as a specification language is its graphical representation. It is useful and illuminating to represent V-automata by diagrams. The basicconventions for such representations are the following:• The automaton-states are depicted by nodes in a directed graph.• Each initial automaton-state (e(q) false) is marked by a small arrow, an entry arc,pointing to it.• Arcs, drawn as arrows, connect some pairs of automaton-states.• Each recurrent state is depicted by a diamond shape inscribed within a circle.• Each stable state is depicted by a square inscribed within a circle.Nodes and arcs are labeled by state propositions. A node or an arc that is left unlabeled isconsidered to be labeled with true. The labels define the entry conditions and the transitionconditions of the associated automaton as follows.• Let q e Q be a node in the diagram corresponding to an initial automaton-state. If qis labeled by b and the entry arc is labeled by , the entry condition e(q) is given bye(q) = p A b. If there is no entry arc, e(q) = false.• Let q, q’ be two nodes in the diagram corresponding to automaton-states. If q’ is labeledby q5, and arcs from q to q’ are labeled by , i = 1 . . n, the transition condition c(q, q’)is given by c(q, q’)= (y V . . . V cp,) A &. If there is no arc from q to q’, c(q, q’) = false.A diagram representing an incomplete automaton is interpreted as a complete automatonby introducing an error state and associated entry and transition conditions.Some examples of V-automata are shown in Figure 10.1. Figure 10.1(a) accepts any tracethat satisfies—G only finitely many times, Figure 10.1(b) accepts any trace that never satisfiesB, and Figure 10.1(c) accepts any trace that will satisfy R in the finite future whenever itsatisfies E.Now we give a definition of open specification. A V-automata specification is open ifVq E RUS,e(q)is open and c(q’,q)is open for any q’ E Q. For discrete domains, open specification implies the well-definedness of accepting states; for continuous domains, open specificationCHAPTER 10. TIMED V-AUTOMATA 113-iRRE(b) (c)Figure 10.1: V-automata: (a) goal achievement (b) safety (c) bounded responseprovides a relaxed representation for asymptotic behaviors. For example, a relaxed representation for limt xQ) = 0 is an automaton in Figure 10.1 (a) with G Lxt < € for some €> 0.We will see that openness should be imposed for any useful requirements specification.V-automata may provide a more compact representation than TLTL. For example, the twodesired properties of the producer-consumer synchronizer, precedence and interleaving, can bespecified by one V-automaton in Figure 10.2 (a), where E(Ci) indicates there is an event in Ciand NE(Ci) indicates there is no event in Ci. E(Ci) and NE(Ci) can be represented as statepropositions as follows. Let Qi be the hidden location of the Muller C-element with outputlocation Ci, E(Ci) neq(Ci, Qi) and NE(Ci) eq(Ci, Qi) with both neq and eq open. Thepersistent property of the maze traveler can be represented by a V-automaton in Figure 10.2(b), meaning that the robot will persistently move east.NE(C1) A NE(C2) NE(C1) A NE(C2)ANEC2Q%NC1)AE(C2)(a) (b)Figure 10.2: The specification of (a) the producer-consumer problem (b) the maze travelerIt has been shown [MP87] that discrete V-automata have the same expressive power asBuchi automata [Tho9O] and the extended temporal logic (ETL) [Wo183], which are strictlymore powerful than the propositional linear temporal logic (PLTL) [Tho9O, Wo183].(a)CHAPTER 10. TIMED V-AUTOMATA 11410.2 Discrete Timed V-AutomataIn order to represent timeliness, we develop timed V-automata. Timed V-automata areautomata augmented with timed automaton-states and time bounds. Formally, a timed Vautomaton is defined as follows.Definition 10.2.1 (Syntax of timed V-automaton) A timed V-automaton TA is a triple(A,T,r) where A = (Q,R,S,e,c) is a V-automaton, T C Q is a set of timed automaton-statesand T : T U {bad} 7?, U {oo} is a time function.A V-automaton is a special timed V-automaton with T = 0 and r(bad) = cc. Graphically, aT-state is denoted by a nonnegative real number indicating its time bound. The conventionsfor complete V-automata are adopted for timed V-automata.Let v : T —* A be a trace. A run r of TA over v is a run of A over v; r is accepting for TAif1. r is accepting for A and2. r satisfies the time constraints, if I C T is an interval of T and q* : I—÷ Q is a segment ofrun r, i.e., q* = r11, let (q*) denote the measure of q* i.e., ,u(q*) = = EtEIu(t) sinceI is discrete. Furthermore, let (q*) denote the measure of bad automaton-states in q*,i.e., (q*) = EtEI,q*(t)EBII(t). Let Sg(q) be the set of segments of consecutive q’s in r,i.e., q* E Sg(q) implies Vt E I,q*(t) = q. Let BS be the set of segments of consecutive Band S-states in r, i.e., q* E BS implies Vt E I, q*(t) e B U S. The run r satisfies the timecondition if(a) (local time constraint) Vq e T,q* E Sg(q), p,(q*) T(q) and(b) (global time constraint) Vq* e BS, I(q*) <r(bad).Definition 10.2.2 (Semantics of timed V-automaton) A timed V-automaton TA acceptsa trace v, written v=TA, if all possible runs of TA over v are accepting.For example, the real-time response O(E —* R) is depicted by the timed V-automaton inFigure 10.3, meaning that any event will be responded to within time r (assuming d(t1,t2)=1t([ti,t2))).We should notice that timed V-automata are closed under conjunction and disjunction, butnot under complementation. Even though discrete V-automata are strictly more expressive thanPLTL, discrete timed V-automata and PTLTL are not strictly more expressive than each other,since PTLTL is closed under complementation.CHAPTER 10. TIMED V-AUTOMATA 115REFigure 10.3: Real-time response10.3 Timed V-AutomataNow we generalize discrete timed V-automata to timed V-automata that can accept generaltraces, with discrete time traces as special cases. The syntax and semantics of timed V-automataare the same as those of discrete timed V-automata, except for the definitions of runs andaccepting runs.The important concept of general runs is the generalization of the consecution condition.Let T be a time structure and t < oc denote that t is not the greatest element of T. Letv : —* A be a trace. A run of A over v is a trace r : —* Q satisfying1. Initiality: v(O) = e(r(O));2. Consectttion:• inductivity: Vt> O,q E Q,t’ < t,Vt”,t’ < t” < t,r(t”) = q and v(t) = c(r(t”),r(t))and• continuity: Vt < 00, q€Q,t’ > t,Vt”, t < t” < t’, r(t”) = q and v(t”) 1=c(r(t), r(t”)).When T is discrete, the two conditions in Consecution are reduced to one, i.e., Vt > 0, v(t) 1=c(r(pre(t)), r(t)); and if, in addition, A is complete, every trace has a run. However, if T is notdiscrete, even if A is complete, not every trace has a run. For example, a trace with infinitetransitions among Q within a finite interval has no run. A trace v is specifiable by A if thereis a run of A over v. For example, if T and A are [0, 11, trace v : T —* A with v = )t.t is notspecifiable by the automaton in Figure 10.4.The definition of accepting runs for V-automata is the same as that for discrete cases. Arun r is defined to be accepting for A if:1. Inf(r) fl R 0, i.e., some of the states appearing infinitely many times in r belong to R,orCHAPTER 10. TIMED V-AUTOMATA 116Figure 10.4: A generalized V-automaton2. Inf(r) C S, i.e., all the states appearing infinitely many times in r belong to S.We should notice that dense V-automata is no longer more powerful than PLTL, since the abilityof counting in automata {MPT1] is lost when time is dense. In other words, meaningful denseautomata are counter-free only, since for any transition between two automaton-states, there isa self-loop at one of the automaton-states.The definition of accepting runs for timed V-automata is similar to that for discrete cases,except for the measures of segments. If I ç T is an interval ofT and q* : I —* Q is a segment ofrun r, i.e., q* = r11, let pq*) denote the measure of q*, i.e., j(q*) = u(I)= J dt. Furthermore,let (q*) denote the measure of bad automaton-states in q* i.e., (q*) =where XB is the characterization function for set B. A run r is accepting for a timed Vautomaton if1. r is accepting for its V-automaton and2. r satisfies the time constraints. Let Sg(q) be the set of segments of consecutive q’s in r,i.e., q* E Sg(q) implies Vt e I, q*(t) = q. Let BS be the set of segments of consecutive Band S-states in r, i.e., q* E BS implies Vt E I, q*(t) E B U S. The run r satisfies the timecondition if(a) (local time constraint) Vq e T,q* E Sg(q), pq*) T(q) and(b) (global time constraint) Vq* E BS, JL(q*) T(bad).Timed V-automata are powerful enough to represent various temporal and timed propertiesof dynamic systems, such as persistence or liveness, goal achievement or reachability, safety andreal-time response. More importantly, there is a formal verification method based on a modelchecking technique and a stability analysis method.(1/2n, 1J(2n-1)](1/(2n+1),1/2n]Chapter 11Behavior VerificationWhile modeling focuses on the underlying structure of a system the organization and coordination of its components — requirements specification imposes global constraints on a system’sbehavior, and behavior verification checks the relationship between the behavior of a systemand a requirements specification. In this chapter, we first discuss general issues of behaviorverification, then focus on a formal verification method for timed V-automata specification.11.1 Behavior Verification: General IssuesWe have defined the behavior of a dynamic system as the set of observable input/output traces.Given B as the behavior of a dynamic system and fl as a requirements specification, the behaviorsatisfies requirements, written B 1= R if Vv E B, v = 7. The verification procedure is to certifythe relationship B fl for any given behavior B and requirements specification .It is not hard to see that there is no automatic verification procedure for behaviors ofdiscrete time and domain dynamic systems and TLTL specification in general. We have seenthat any partial recursive function f can be computed by a constraint net. And whether or notf is defined for an input value n (the halting problem) can be represented by a specificationD[(Dataln = n) A E(Start) —* E(End)], where E(X) indicates that there is an event at X.There are, as we will see, automatic verification procedures for discrete time and finite domaindynamic systems and PLTL specification.There are generally three methods for system verification: simulation, theorem provingand model checking. Simulation is a procedure of generating partial traces’ by executing themodel, and then checking the set of partial traces against its specification. However, simulation‘Note that time might be infinite.117CHAPTER 11. BEHAVIOR VERIFICATION 118is like program testing, which can oniy discover errors, but cannot guarantee correctness2.Boththeorem proving and model checking are formal methods for ensuring correctness.Theorem proving is based on syntactic deduction in a formal system. A formal system A isa pair KA, R) consisting of a set of axioms A and a set of rules R each of which has the formF1,. . ., F1 z F. A formula F is a theorem in A, written ‘A F, if (a) F is an axiom in A or (b)there exists a sequence of theorems F1,. . .,Fm, F such that either F: is an axiom or F can bederived from {F1,..., F_1} using a rule in R, namely, there is some F1,. . ., P1 = P such thatP=F: and {Pi,...,Pj}c{Fi,...,F:_i}.A frame F is axiomatizable if F can be captured by a formal system, also denoted by F, suchthat F is valid over the frame F if F- F, i.e., there is a sound and complete axiomatization.If we can represent a constraint net CN by a formula, also denoted by CN, in the formalsystem of the specification language F, the behavior of CN satisfies requirements 7?, writtenCN R, if HF CN —* ?. For example, a state automatons’ = f(i, s), s = 6(so)(s’) in Figure4.1 can also be represented by a FTLTL formula D(s’ = f(i, s)) A(s = so) A QD(s = pre(s’)).There are some inherent difficulties with the theorem proving approach. First, to be axiomatizable is a strong condition. In fact, according to Goedel’s incompleteness theorem, thereis no sound and complete axiomatization for any set as complex as natural numbers. Second,even the frame is axiomatizable, there might be no computable decision procedure for an infinite frame. Third, even for finite frames, the problem of checking the validity of a formula ishard in general.However, in many cases, a proof theoretic approach can assist the verification process. Onecan always have a set of sound axioms and rules describing the properties of the frame andthe logic [0st89, MP92]. With an interactive theorem prover like HOL— a higher order logictheorem prover developed by Cambridge University and SRI International one can addmore sound axioms and rules for any particular problem at hand. In addition, the reasoningmechanism of theorem proving based on natural deduction might be easier for human to follow.In conclusion, there are three levels of formal specification for the theorem proving approach:• frame specification: a set of axioms and rules of the temporal logic for the given timestructure, a set of axioms and rules characterizing s-domain structure, a set axioms andrules for the given set of predicates;• model specification: a set of formulas specifying the equations of a constraint net;2Symbolic simulation [BS87] is a different procedure that generates symbolic representations of behaviors.CHAPTER 11. BEHAVIOR VERIFICATION 119• requirements specification: a set of formulas specifying the desired temporal relations onthe interface of the module.We will not discuss further in this thesis the issues Oil the theorem proving approach, rather,in the rest of this chapter, we will focus on the model checking approach for timed V-automataspecification. Model checking is a formal procedure of verifying behaviors of models. Giventhe behavior of a system and a timed V-automaton, model checking is to certify the inclusionrelation between the behavior and the language accepted by the automaton.First, we develop a formal verification method for state-based and time-invariant behaviorsof discrete time, modified from Manna Pnueli’s verification rules [MP87]. Then, we apply themethod to construct a semi-automatic verification procedure for constraint nets with discretetime structures, and translate the verification rules into an automatic algorithm for finite domainsystems. Finally, we generalize the verification rules for behaviors of hybrid dynamic systems.11.2 Verification for Behaviors of Discrete Time SystemsManna & Pnueli [MP87] gave a formal method for checking the validity of a V-automataspecification over a concurrent program. We modify the method to verify state-based andtime-invariant behaviors of discrete time. First, we generalize ranking functions to Liapunovfunctions. Then, we augment timing functions to verify real-time behaviors.A state-based and time-invariant behavior B of discrete time corresponds to a state transition system (SB, —* with 0 denoting the initial set of states.We write n(s, s’) if .s —÷ s’, and {p}B{b} if the consecutive condition:p(s) A n(s, s’) —*is valid.Let A = (Q, R, S, e, c) be a V-automaton. A set of propositions {aq}qQ is called a set ofinvariants for B and A if• Initiality: Vq E Q, 0 A e(q) — aq.• Consecution: Vq, q’ E Q, {cq}B{c(q, q’)—cqi}.Proposition 11.2.1 Let {q}qQ be invariants for B and A. If r is a run of A over a tracev e B, then Vt e T, v(t) 1=CHAPTER 11. BEHAVIOR VERIFICATION 120Let {aq}qQ be a set of invariants for B and A. A set of partial functions {pq}qQ is calleda set of Liapunov functions for B and A if P : SB R,+ satisfies the following conditions:• Definedness: Vq E Q,aq = W.• Non-increase: Vq E S, q’ E Q, {aq A Pq w}B{c(q, q’) “ Pq’ w}.• Decrease: e> 0,Vq E B,q’ e Q,{aq Apq = w}B{c(q,q’)“— 11)The first two conditions are derived from [MP87]. The last condition generalizes the decreasecondition for ranking functions on discrete domains [MP87].Proposition 11.2.2 Let {q}qQ be a set of invariants for B and A and r be a run of A overa trace v E B. If {pq}qQ is a set of Liapunov functions for B and A, then• Pr(i)(V(t)) pr(pre(t))(V(pre(t))) when r(pre(t)) e S,• Pr(t)(h3(t))— pr(pre(t))(v(pre(t))) < —e when r(pre(t)) e B, and• if BS is the set of segments of consecutive B and S-states in r, then Vq* E BS, q* has afinite number of B-states.Let TA = (A, T, r). Corresponding to two types of time bound, we define two timingfunctions. Without loss of generality, we assume that the measurement of time is encoded inthe state transition system and let i : SB R+ be a function of time measure on states.Let {aq}qQ be a set of invariants for B and A. A set of partial functions is calleda set of local timing functions for B and TA if ‘yq : —* R.+ satisfies the following conditions:• Boundedness: Vq E T,oq * It 7q T(q).• Decrease: Vq E T,{aq A7q = WA = u}B{c(q,q)—* 7q — w —u}.A set of partial functions is called a set of global timing functions for B and TA ifSB —* R satisfies the following conditions:• Definedness: Vq E Q, 0q W, 7 = W.• Boundedness: Vq E B, 0q 7 T(bad).• Non-increase: Yq E S,q’ E Q,{aq A-y = w}B{c(q,q’) — w}.• Decrease: Vq E B,q’ E Q,{q A7 = wAIL = u}B{c(q,q’) —÷ — w —u}.CHAPTER 11. BEHAVIOR VERIFICATION 121Proposition 11.2.3 Let {aq}qQ be a set of invariants for B and A and r be a run of A overa trace v e B. If there exist local and global timing functions for B and TA, then• if Sg(q) is the set of segments of consecutive q ‘s in r, then Vq T, q* Sg(q), ,(q*) <T(q), and• if BS is the set of segments of consecutive B and S-states in r, then Vq* e BS, (q*) <r(bad).Following is the set of verification rules for a behavior B and a timed automaton TA =(A,T,r):(I) Associate with each automaton-state q E Q a state formula aq, such that {aq}qQ is aset of invariants for B and A.(L) Associate with each automaton-state q E Q a partial function í, such that {,oq}qQ is aset of Liapunov functions for B and A.(T) Associate with each timed automaton-state q e T a partial function 7q, such that {y}pis a set of local timing functions for B and TA. Associate with each automaton-state q E Qa partial function such that {‘y}qq is a set of global timing functions for B and TA.Theorem 11.2.1 For any state-based and time-invariant behavior B with an infinite timestructure and a complete timed V-automaton TA, the verification rules are sound and complete, i.e., B 1= TA if there exist a set of invariants, Liapunov functions and timing functions.We shall provide the proof of this theorem next, since the proof itself will be used later in theverification algorithm for behaviors of finite state systems.Proof: The construction of these rules guarantees the soundness of the verification method.For any trace v, there is a run because TA is complete. For any run r over v, if any automaton-state in R appears infinitely many times in r, r is accepting. Otherwise, there is a time pointto e T, the sub-sequence r on I = {t E TIt to}, denoted q* has only bad and stableautomaton-states. If there exist a set of invariants and a set of Liapunov functions, q* has onlya finite number of B-states. Since time is infinite, all the automaton-states appearing infinitelymany times in r belong to 5; so r is accepting too. Therefore, every trace is accepting for theautomaton. If there exists a set of local and global timing functions, every trace satisfies thetiming constraints.CHAPTER 11. BEHAVIOR VERIFICATION 122On the other hand, if TA is valid over B, then there exist a set of invariants, a set ofLiapunov functions, and a set of local and global timing functions that satisfy the requirements.The construction of invariants and functions will be used later for the verification algorithm.For any state .s and proposition a, we write cr(s) ifs = a. The invariants can be constructedas the fixpoint of the set of equations:aqi(s’) = (sq, s, crq(s) A n(s, s’) A c(q, q’)(s’)) V(0(s’) A e(q’)(s’)). (11.1)We can verify that {aq}qQ is a set of propositions over SB and satisfies the requirements ofinitiality and consecution. Furthermore, s aq if (q, .s) is a reachable pair for TA and B.Given the constructed invariants {aq}qQ, a set of Liapunov functions {pq}qQ and a set ofglobal timing functions can be constructed as follows:• Vq e R,s j= aq,let pq(s) = 0 and ‘y1(s) = 0.• Vq R, s aq, pq(S) and 7(s) are defined as follows. Construct a directed graphG (V,E), such that (q,s) E V if q R,s 1= a, and (q,s) —+ (q’,s’) in E if m(s,s’) Ac(q, q’)(s’). For any path p starting at (q, .s), let IPIB be the number of B-states in p and1uB(p) be the measure of B-states in p. Let pq(s) = sup{IpjBl and 7(s) = sup{1tB(p)}.We can verify that {pq}qQ is a set of Liapunov functions, and that is a set of globaltiming functions.Similarly, a set of local timing functions {y}’ can be constructed as follows. For allq e T, construct a directed graph G = (V, E), such that .s E V ifs a, and s —* s’ in Eif n(s, s’) A c(q, q)(s’). For any path p starting at .s, let p(p) be the measure of the path. Let7q(5) = sup{(p)}. We can verify that {y}p is a set of local timing functions. 0This verification method for behaviors of discrete time systems will be the basis of verification for behaviors of hybrid dynamic systems. On the other hand, many hybrid systems canbe verified at different levels of implementation. If a system has an event-driven component,we can verify, using this method, the discrete time behavior, where the time is generated byevents. For the maze traveler example, the persistent property — the robot moves to the eastinfinitely many times represented by the V-automaton in Figure 10.2 — can be verified at thestrategy level. We can construct a state transition system (5, —*) such that S is the set of configurations of the car and —* is the state transition relation derived from the strategy. Formally,let (x, y) e 1? x 1?. and 0 e 1?. be the position and the orientation of the car, respectively, and let(x, y, 0) —* (x’, y’, 0) if (x’, y’, 0’) is the configuration of the car at the next event according toCHAPTER 11. BEHAVIOR VERIFICATION 123the strategy. Associate with qo and q the state proposition -(101 < 6) and 101 < 6, respectively;qo and q are invariants. Associate with q a function p : 7 x fl x —÷ + such that p(x, y, 0)is the distance between the current configuration and the “desired” configuration with heading101 < 6. Associate with q a constant function 0. Given that the block sizes are finite, p and 0are are Liapunov functions for qo and qi, respectively. Therefore, the maze traveler controlledby the strategy will satisfy the desired property.11.2.1 Semi-automatic verificationNow we apply the verification rules to constraint nets with discrete time structures. Let CN =(Lc, Td, Cn) be a constraint net composed of transliterations and unit delays only. CN can berepresented by two sets of domain equations, each of the form i = 1, if l0 is an output locationof a unit delay with the input location 1, or lo = f(i,. . ., i,), if 10 is an output location of atransliteration f with the input location tuple (ii,. .. ‘in). For example, consider the producer-consumer circuit in Figure 5.3, and assume that any delay is unit (if not, it can be modeled bya finite number of unit delays), the domain equations for the control circuit are:Cl = mc(R1,—iQ2,Q1), C2 = mc(Q1,—iR2,Q2) (11.2)Q1’ = Cl, Q2’ = C2. (11.3)Let T be a discrete time structure and A be a domain structure. The behavior of CN ondynamics structure D(T, A) corresponds to a state transition system (S, _*) where (1) S CXLAl and s e S ilf for every equation of the form lo = f(ii,. . . ,in), s(io) = f(s(ii),.. . ,and (2) s —p .s’ iff for every equation of the form i = 1, s’(io) = s(i). However, the behavior ofCN can be verified without generating its state transition system.Let CN A{lo = f(i,. . . , i,)} and CNd A{1 = i}. Let ç and & be state formulas witha subset of Lc as local variables. We use [y]CN{bj to denote that the consistent condition:is valid, and {}CN{} to denote that the consecutive condition:ACNt A CNd A CN[l’/i] ‘ib[i’/l]is valid, where x’/x denotes the replacement of x by x’.Let 0 be a state formula imposing constraints on the set of initial states of CN. LetA = (Q,I1,S,e,c) be a V-automaton. A set of state propositions {ciq}qQ is called a set ofinvariants for CN and A ifCHAPTER 11. BEHAVIOR VERIFICATION 124• Initiality: Vq E Q, [0 A e(q)]CN[aq].• Consecution: Vq,q’ e Q,{üq}CN{c(q,q’) —*Let {aq}qQ be a set of invariants for CN and A. A set of partial functions {pq}qQ Scalled a set of Liapunov functions for CN and A if P : XLCAS —* R, satisfies the followingconditions:• Definedness: Vq E Q, [aq]CN[w,pq = w].• Non-increase: Vq E S, q’ E Q, {cq A Pq w}CN{c(q, q’) * Pq’ w}.• Decrease: d€> O,Vq E B,q’ e Q,{aq Aq = w}CN{c(q,q’) —* — W E.}Let TA = (A, T, T). Corresponding to two types of time bound, we define two timingfunctions. Without loss of generality, we assume that the measurement of time is encoded ina location and let i : XLA81 —* 7+ be a function of time measure. Let {ciq}qQ be a setof invariants for CN and A. A set of partial functions is called a set of local timingfunctions for B and TA if 7q : XLA3 7+ satisfies the following conditions:• Boundedness: Vq e T, [cq]CN[ii 7q <r(q)].• Decrease: Vq E T, {q A 7q = w A u = u}CN{c(q, q) * 7q — W —u}.A set of partial functions is called a set of global timing functions for CN and TA if7: XiA8 ÷ 7+ satisfies the following conditions:• Definedness: Vq e Q,[aq]CN[w,7 = w].• Boundedness: Vq E B, [Uq]CN[7 r(bad)].• Non-increase: Vq E S, q’ e Q, {aq A = w}CN{c(q, q’) — w}.• Decrease: VqE B,q’ e Q,{oqA7 = wAji=u}CN{c(q,q’) —*-y, —w —u}.We say that the verification method based on this set of rules is semi-automatic becausegiven the invariants, Liapunov functions and timing functions, the method is reduced to checkingthe validity of a set of formulas in the domain structure A. If there is a first order theoremprover for the domain structure A, the procedure can be done semi-automatically.Now we illustrate the verification method using an example. Some other examples are alsostudied [ZM94].CHAPTER 11. BEHAVIOR VERIFICATION 125A desired property of the asynchronous event controller has been expressed by the Vautomaton in Figure 10.2(a). The automaton is not complete. To make it complete, introduce an error state q with e(qE) = false,c(qE,qE) = true,c(qE,qI) = false, and letc(qo,qE) be (Qi =..L) V (Q2 =±) V (Cl =±) V (C2 =±) V neq(C2,Q2) and c(ql,qE) be(Qi =±) V (Q2 =±) V (Cl =1) V (C2 =±) V neq(C1,Q1). The domain equations of thecontroller have been expressed in Equations 11.2 and 11.3.Let the initial condition e be Qi Q2 = 0, Ri = 0, R2 = 1, and assume that values atRi and R2 are always well-defined. Let AEC denote the conjunction of domain equations in11.2 with -i(R1 =±) and -i(R2 =±), and AECd denote the conjunction of domain equations in11.3. Furthermore, let AEC denote the conjunction of all domain equations, AEC A AECd AAECt[l’/lJ.(I) Associate with qo,ql,qE the state propositions eq(Ci,C2), neq(C1,C2) and false, respectively. The following verification conditions are satisfied:• Initiality:qo : 0 A true A AEC —* eq(C1, C2).qi : 0 A false A AEC —f neq(C1,C2).q : 0 A false A AEC — false.• Consecution:(qo, qo) : eq(C1, C2) A AEC — (eq(C1’, Q1’) A eq(C2’, Q2’) —* eq(Ci’, C2’)).(qo, q) : eq(C1, C2) A AEC —* (rteq(C1’, Ql’) A eq(C2’, Q2’) —* neq(C1’, C2’)).(qo, q) : eq(Cl, C2) A AEC((Q1’ =±) V (Q2’ =±) V (Cl’ =±) V (C2’ =1) V rteq(C2’,Q2’) —* false).Therefore, eq(Cl, C2), neq(Cl, C2) and false are invariants for qo, qi and q, respectively.(L) Since qo, q E R and the invariant of q e B is false, any set of functions is a set ofLiapunov functions for qo, qi and q.Therefore, according to the verification rules, the behavior of the constraint net satisfies itsrequirements specification.CHAPTER 11. BEHAVIOR VERIFICATION 12611.2.2 Automatic verificationThe existence of the semi-automatic verification method for constraint nets presented in theprevious section does not necessarily imply the existence of an automatic procedure. First,the invariants, Liapunov functions and the timing functions are defined separately, and notautomatically generated. Second, there is, of course, no decision procedure for determining thevalidity of a first-order formula in general.However, for finite constraint nets— nets with finite domains— we can automate theverification process against a timed V-automata specification. Derived from the verificationrules, the algorithm consists of three phases:1. Invariant Generation,2. Boundedness and Global Timing, and3. Local Timing.Let CN = (Lc, Td, Cm) be a constraint net composed of transliterations and unit delays only.We write CN(s) if for every equation of the form 10 = f(l,. . . , l,), s(lo) = f(s(li),. . . ,and CN(s, s’) if CN(s), CN(s’), and for every equation of the form l = 1, .s’(lo) =Invariant generation is a process that produces all reachable pairs of (q, s), denoted a(q, s),where q e Q and s E XLA8. According to Equation 11.1, this fixpoint operation can beefficiently realized in two steps:1. Initiality: Generate a(q,s) if 0(s),e(q)(s),CN(s).2. Gonsecution: Generate a(q’, s’) if a(q, s), CN(s, .s’), c(q, q’)(s’).The algorithm is shown in Figure 11.1, where start(s) denotes 0(s).We write bstate(q, s) if a(q, s) and q E B, and sstate(q, s) if a(q, s) and q E S. Let (V, E) bethe state transition graph where V is the set of pairs (q, s) satisfying sstate(q, .s) or bstate(q, s),E is the set of transitions (q,s,q’,s’) between two states in V, (q,s,q’,s’) E E if CN(s,s’)and c(q, q’)(s’). Boundedness checks whether or not there is a loop consisting of bstate(q, s) inthe state transition graph. Global timing checks whether or not there is a path p in the statetransition graph whose time measure of bstate(q, s), denoted m(p), is greater than the timebound r(bad), denoted time(bad). The algorithm is shown in Figure 11.2.For each q E T let (V, E) be the state transition graph where V is the set of .s satisfyinga(q, s) and E is the set of transitions (s, s’) between two states in V, (s, .s’) e E if CN(s, s’) andCHAPTER 11. BEHAVIOR VERIFICATION 127Algorithm: Invariant GenerationQs =Rs = [];for all q, s do 1* Initiality *1if start(s) and e(q)(s) and CN(s){ Qs = [a(q, s)IQsJ;Rs = [a(q, s)IRs];}while Qs = [a(q, s)IQsl] do /* Consecution *1{NEts = 0;for all q’, s’ doif a(q, s) and CN(s, s’) and c(q, q’)(s’)and a(q’, s’) not in RsNEts = [a(q’, s’)INRs];Rs = append(Rs, NEts);Qs = append(Qsl, NEts);}Figure 11.1: The algorithm for invariant generationCHAPTER 11. BEHAVIOR VERIFICATION 128Algorithm: Boundedness and Global Timing1. 1* Generate state transition graph <V,E> */for all q in B dofor all s doif a(q, s) put bstate(q, s) in Vfor all q in S dofor all s doif a(q, s) put sstate(q, s) in Vfor all (q, s), (q’, s’) in V doif CN(s, s’) and c(q, q’)(s’)put (q, s, q’, s’) mE2. 1* Check the acyclicity of bstate */for all bstate(q s) in V dofor all path p starting from (q, s) doif p ends at (q, s) return false/* Check the time bound of bstate */for all bstate(q, s) in V dofor all path p starting from (q, s) doif m(p) > time(bad) return falsereturn trueFigure 11.2: The algorithm for boundedness and global timingCHAPTER 11. BEHAVIOR VERIFICATION 129c(q, q)(s’). Local timing checks whether or not there is a path p in the state transition graphwhose time measure, denoted m(p), is greater than the time bound T(q), denoted time(q). Thealgorithm is shown in Figure 11.3.Algorithm: Local Timingfor all q in T doif not ttest(q) return falsereturn truettest(q):1. 1* Generate state transition graph <V,E> */for all s doif a(q, s) put s in Vfor all s, s’ in V doif CN(s, s’) and c(q, q)(s’)put Cs, s’) in E2. 1* Check the longest path *1for all s in V with no input edges dofor all path p starting from s doif m(p) > time(q) or p has loop return falsereturn trueFigure 11.3: The algorithm for local timingThe complexity of the verification algorithm is obtained as follows. The invariant generationcan be done in polynomial time in IQI XLc 1A5j, which is the total number of (q,s) pairs. Foreach bstate(q, s), searching for a loop including bstate(q, s) or a longest bad state path startingat bstate(q, s) is linear in the number of transitions in the state transition graph, since each stateneeds to be visited only its outdegree number of times in the search algorithm. Therefore, bothchecking boundedness and global timing are polynomial in IQI XLc IA8. Similarly, checkinglocal timing is in polynomial in IQI XLc 1A31.As a result, the verification algorithm is polynomial in both the size of the model and thesize of the specification. This result seems a little surprising, since it is well-known [Eme9O] thatmodel checking for the linear propositional temporal logic is PSPACE-complete in the lengthof the formula. However, we should notice that, in the worst case, the size of a V-automatonmay be exponential in the length of its equivalent linear propositional temporal logic formula.CHAPTER 11. BEHAVIOR VERIFICATION 130On the other hand, for many system properties, such as safety, liveness, reachability andbounded response, V-automata do have size equivalent to the length of their correspondinglinear propositional temporal logic formulas. However, the number of automaton-states in thecomplement of a V-automaton may be exponential in the number of automaton-states in theoriginal V-automaton [Tho9O]. This suggests that we should choose the simpler V-automaton,A or -‘A, as a basis to verify finite systems.However, we should also notice that even though the complexity of the algorithm is polynomial in the size of the model, it is exponential in the number of local variables or locationsof the constraint net. In most cases, a property of a system is expressed by only a small subsetof locations, for example, locations in the interface of a module. If the algorithm can exploreonly this small portion of the system, there is an exponential savings in complexity.For a constraint net CN = (Lc, Td, Cn), let *LC denote the transition relation of CN, i.e.,i Lc 2 if CN(si, 82). For a subset of locations U C Lc, let —u denote the projected relation,i.e., s—* s’ if s2, = h(si) and s = h(s2), such that CN(si, 82), where h = )s.srj.U is an abstraction of the set of locations Lc for CN if (XLCASL,—Lc) is abstractable to(xuA8,—u). The following proposition provides an equivalent definition of this concept.Proposition 11.2.4 Given Lc as the set of locations and U c Lc, U is an abstraction of Lcif l{CN(U)]i is state-based and time-invariant.The following propositions underpin the application of this concept of abstraction.Proposition 11.2.5 If U is an abstraction of Lc, any property restricted on relations on Ucan be verified by exploring the abstraction transition system, (x uAs1,—+u).Proposition 11.2.6 If CN8 is a subnet of CN, the set of locations of CN3 is an abstraction.Proposition 11.2.7 The set of output locations of unit delays is an abstraction.Proposition 11.2.8 The set of input locations of unit delays is an abstraction.Proposition 11.2.9 If U is an abstraction andi c I(CN), UUI or U—I is still an abstraction.We have implemented the verification algorithm in Prolog, where the model is represented bythe initial state predicate start(s) and the state transition predicate cn(s, s’), the specificationis represented by the entry condition predicate e(q, s) and the consecution condition predicatec(q, q’, s). For simplicity, each state is assumed to take one unit time. Examples of the producerconsumer synchronizer, with an interleaving property, and an elevator system (in Appendix C),with a real-time response property, have been verified in this implementation.CHAPTER 11. BEHAVIOR VERIFICATION 13111.3 Verification for Behaviors of Hybrid Dynamic SystemsNow we generalize the verification rules for behaviors of hybrid dynamic systems.The set of verification rules is the same as that for behaviors of discrete time systems,however, the definitions of invariants, Liapunov functions and timing functions are generalized.For any trace v : —* A, let {y}v{’l)b} denote the validity of the following two consecutiveconditions:• {p}v{b}: for all t > 0, t’ < t,Vt”,t’ t” < t,v(t”) 1= cp implies v(t) b.• {ç}v{’}: for all t < oo, v(t) implies t’ > t,Vt”,t < t” < t’,v(t”) ib.If T is discrete, these two conditions are reduced to one, i.e., Vt > 0, v(pre(t)) 1= impliesv(t)Hb.Given B as a behavior, let 0 = {v(O)Iv E B} denote the set of initial values in B. LetA= (Q, R, S, e,c) be a V-automaton. A set of propositions {aq}qQ is called a set of invariantsfor B and A if• Initiality: Vq E Q, 0 A e(q) —• Consecution: Vv E B, Vq,q’ e Q,{crq}v{c(q,q’) —÷ ai}.Proposition 11.3.1 Let {q}qQ be invariants for B and A. If r is a run of A over v e B,Vt E T,v(t) 1= a,.().Without loss of generality, we assume that time is encoded in domain A by t : A —* T.Given that {aq}qQ is a set of invariants for B and A, a set of partial functions {pq}qQ : A —*fl is called a set of Liapunov functions for B and A if the following conditions are satisfied:• Definedness: Vq e Q, o —* w, = W.• Non-increase: Vv E B, Vq E S,q’ E Q,{aq Apq = w}v{c(q,q’).‘ Pq’ w}and Vq E Q, q’ E S,{cq A Pq = w}v+{c(q, q’) “ Pq’ w}.CHAPTER 11. BEHAVIOR VERIFICATION 132• Decrease: VvE B, e> 0, Vq E B,q’ E Q,{uqApq wAtt = t}v{c(q,q’)_* —wIL([, ))and Vq E Q,q’ E B,{aqApq = wAtt t}v+{c(q,q’) P’ —w —E}.i({ ))Proposition 11.3.2 Let {q}qQ be invariants for 13 andA and r be a run of A over a tracev e B. If {pq}qQ is a set of Liapunov functions for B and A, then• Pr(t2)(’13(t) < when Vt1 t < t2, r(t) E B U 5,• Pr(t2)(V( )_Pr;i)(v(tl))—E when t1 <t2 and Vt1 t t2, r(t) e B, and• if BS is the set of segments of consecutive B and S-states in r, then Vq* E B5,(q*) isfinite.Let TA = (A, T, r). Corresponding to two types of time bound, we define two timingfunctions. Let {oq}qEQ be invariants for B and A. A set of partial functions {7q}q2’ is calleda set of local timing functions for 13 and TA ill 7q : A —* R satisfies the following conditions:• Boundedness: Vv E B, Vq E Q,q’ E T,{uq}v{7q1 r(q’)}and Vq E T, q’ E Q,{aq A tc t A 7q = w}v{w z([t, t))}.• Decrease: Vv B, Vq e T, {cq A = WA t, = t}v{c(q, q) —* < —1}.A set of partial functions is called a set of global timing functions for B and TA ifA —* 7+ satisfies the following conditions:• Definedness: Vq E Q,Oq _+ = w.• Boundedness: Vq E B, aq —* -y r(bad).• Non-increase: Vv E B, Vq E 5, q’ E Q,{aq A = w}v{c(q, q’)—÷< w}and Vq E Q,q’ ES,{aq A = w}v{c(q, q’) —* <w}.CHAPTER 11. BEHAVIOR VERIFICATION 133• Decrease: Vv e B, Vq E B, q’ E Q,{qA = wAtt —_t}v{c(q,q’) —w <—1}and Vq e Q,q’ E B,— W{q A7 = w At = t}v+{c(q,q’) —1}.ILi , ci)Proposition 11.3.3 Let {q}qQ be invariants for B and A and r be a run of A over a tracev E B. If there exist local and global timing functions for B and TA, then• if Sg(q) is the set of segments of consecutive q ‘s in r, then Yq e T, q* E Sg(q), ,j(q*) <T(q), and• if BS is the set of segments of consecutive B and S-states in r, then Vq* e BS, p(q*) <r(bad).The following theorem is a generalization of the soundness and completeness of the set ofverification rules.Theorem 11.3.1 The verification rules (I), (L) and (T) are sound if the following conditionson B and TA are satisfied:• T is an infinite time structure.• All traces in B are specifiable by TA.The verification rules are complete if the following conditions on B and TA are satisfied:• {(v,r)Iv e B,r is a run over v} is time-invariant.• All transitions from R to non-R-states are left-closed, i.e., if r is a run, and there is atransition from a R-state to a B-state or a S-state at t, then r(t) B U S.The conditions for the completeness of the rules are imposed so as to be able to define Liapunovfunctions for a behavior and an automaton, as long as the behavior satisfies the automaton. Thesecond condition for completeness is always satisfied for traces with discrete time structures.More generally, the following proposition may apply.Proposition 11.3.4 All transitions from R to non-R-states are left-closed, if the followingconditions are satisfied:CHAPTER 11. BEHAVIOR VERIFICATION 134• TA is open and complete.• Vq e R, qi R and q E R, c(q, qi) A c(q, q) is not satisfiable.• All traces in B are right-continuous.This formal method has no practical use yet; we aim at understanding the concept ofbehavior verification for hybrid systems. In part III, we wifi discuss an important class ofbehavior with asymptotic properties. By characterizing certain types of hybrid system andproperty, we may obtain a semi-automatic verification method, similar to the one for discretetime systems. There is much more left to be explored than what we have already understood.Chapter 12Summary and Related WorkWe have developed two requirements specification languages, TLTL and timed V-automata, forrepresenting desired global properties of dynamic systems. We have also developed a set offormal verification rules for timed V-automata specification. In this chapter, we summarize theresults of Part II and discuss some related work on specification and verification.12.1 SummaryIn this section, we summarize the specification languages and the verification procedures, thendiscuss their power and limitations.12.1.1 SpecificationTimed Linear Temporal Logic (TLTL) has the following properties:• Simple properties of dynamic systems (such as safety, reachability and persistence) canbe specified.• Some metric or measure properties of dynamic systems (such as real-time response) canbe specified.• TLTL is defined for arbitrary time and domain structures; therefore, continuous as wellas discrete time dynamic systems can be specified in a unitary framework.Timed V-automata have the following properties:• They are a simple alternative, though not equivalent in expressive power, to TLTL.• They have a graphical representation.135CHAPTER 12. SUMMARY AND RELATED WORK 136• They are powerful enough to specify many important properties of sequential and timedbehaviors.• They are simple enough to have a formal verification procedure for behaviors of hybriddynamic systems, a semi-automatic verification procedure for discrete time systems, andan automatic verification procedure for discrete time and finite domain systems.12.1.2 VerificationThe verification procedures have the following properties:• A model checking technique and a stability analysis method are integrated.• The automatic algorithm derived from the verification rules has a polynomial time complexity in both the size of the model and the size of the specification.• The generalized verification rules can be used to formally verify behaviors of hybrid dynamic systems.12.1.3 Power and limitationsBoth TLTL and timed V-automata are powerful enough to specify various properties of sequential and timed behaviors. However, there are still many important behaviors that cannot bespecified in these languages, such as• energy minimization over time, i.e., mm IT Edt, where C is a function of states,• probabilistic or stochastic properties, and• timed properties on intervals.However, we should also point out that the power of specification and the simplicity of verification are in conflict with each other. The more powerful the specification language is, themore complex is the verification procedure. A compromise between these two should be madefor any application.Although most research in this area mixes modeling and specification languages, we claimthat two different kinds of language are necessary for specifying two different aspects of systemsand behaviors: composite structures and global functionalities. We have not yet worked onaxiomization for TLTL, since we focused on model checking, rather than theorem proving, forbehavior verificatioll.CHAPTER 12. SUMMARY AND RELATED WORK 13712.2 Related WorkVarious languages for specification, verification, and reasoning about concurrent, distributedand timed behaviors have been developed in the theory, AT and systems communities. Roughlyspeaking, these languages can be characterized as belonging to one of the three categories: (1)Automata, (2) Point Time Temporal Logics, and (3) Interval Time Temporal Logics. In anyof these languages, there are always two ways to introduce real-time (metric time). One is toembed metric time in modal operators, the other is to use an explicit time variable. Differentlanguages can have different expressive power; some of them may have no formal verificationprocedures at all.We survey some typical examples in every category, and discuss their relationships withTLTL and timed V-automata.12.2.1 Automata-based approachesAutomata play two kinds of role: as an input/output transducer modeling on-line computation(e.g., Mealy/Moore machines), or as a language recognizer (e.g., V-automata). We have surveyedsome related work on automata for modeling in Part I. Here we emphasize their roles forspecification and verification.The simplest form of an automata-based representation for sequential behaviors is Buchiautomata [Tho9O]. Buchi automata are finite state automata for defining -languages, languages consisting of infinite sequences. The expressive power of Buchi automata is the sameas that of V-automata [MP87]. In fact, a restricted version of V-automata is a dual of Buchiautomata [MP87].Timed Buchi Automata (TBA) has been proposed [AD9Oj to express constant bounds ontiming delays between system events. These automata accept languages of timed traces, tracesin which each event has an associated real-valued time of occurrence. A TBA is a Buchiautomaton associated with a finite set of (real-valued) clocks. A clock can be set to zerosimultaneously with any transition of the automaton. At any instant, the reading on a clockequals the time elapsed since the last time it was set. With each transition, there is an enablingcondition that compares the current values of clocks with time constants. TBAs are not closedunder complementation and it is undecidable whether the language of one automaton is asubset of the language of another. However, there exists a subclass represented by DeterministicTimed Muller Automata (DTMA) closed under all Boolean operations, and there is a decidablecomputation to check the subset relation for this class.CHAPTER 12. SUMMARY AND RELATED WORK 138Hybrid automata [ACHH93] can be viewed as a generalization of timed automata, in whichthe behavior of variables is governed in each state by a set of differential equations. The reachability problem is undecidable even for very restricted classes of hybrid automata. However,there exist semi-decision procedures for verifying safety properties of piecewise-linear hybridautomata, in which all variables change at constant rates.In both cases, explicit variables are introduced to reason about time bounds and changes.The extra time variables, however, will increase both the expressive power of the representationand the complexity of the verification.Similar developments along this line include timed Statecharts, timed transition systems,hybrid Statecharts and phase transition systems [MMP91], etc.State Transition Assertions (STA) developed by Gordon [Gor, 0or92] are variations of barelogic for real-time specification. A state transition assertion is a quadruple (A, B, F, Q) whereA, B are predicates on states, called state precondition and postcondition, respectively, F, Q arepredicates on state sequences, called input precondition and output postcondition, respectively.A machine M satisfies a state transition assertion (A, B, F, Q) as follows: if M is in a statesatisfying A and a sequence of inputs arrives that satisfies F, then a state satisfying B will bereached and the sequence of intermediate states will satisfy Q. Some laws for combining STAsare analogous to rules of Hoare logic.In contrast to state transition systems, where states and possible transitions are predefined,the situation calculus [MH69] defines states on the results of actions. Similar to most temporallogics, propositions and functions are interpreted over states (fluents in the situation calculus).Fluents at any state can be computed by frame axioms. The advantage of the situation calculus,namely, states with no structures, is also its disadvantage because of (1) the frame problem[MH69] and (2) the computation cost that may increase with time as the action list gets longerand longer.12.2.2 Point time temporal logicsThere are, in general, two kinds of point time temporal logic: linear time temporal logic andbranching time temporal logic. A model of a linear time temporal logic is a trace, and a modelof a branching time temporal logic is a tree.Computation Tree Logic (CTL) is a typical modal branching time temporal logic [Eme9O].In CTL, temporal operators occur only in pairs consisting of A (all paths) or E (exists somepath), followed by F (eventually), G (always), U (until) or X (next time). CTL has efficientCHAPTER 12. SUMMARY AND RELATED WORK 139model-checking algorithms, however, it loses some expressive power [Eme9O]. CTL has beenused for symbolic model checking of circuits [McM92].In the rest of this section, we will focus on linear time temporal logics and their timedextensions. There are two kinds of linear time temporal logic: modal logic in which temporaloperators are introduced, and the first order logic in which a special time variable is introduced.PLTL is a basic form of modal linear time temporal logic. It has been shown that modelchecking for PLTL is linear in the size of the model [LP85]. Various timed extensions are basedon PLTL. Again, there are two kinds of extension: real-time operators and time variables.The former is simpler and more elegant, but the latter can be more powerful. Temporal proofmethodologies for both explicit and implicit time have been studied [HIVIP91a].Extended Temporal Logic (ETL) [Wol83] is an extended linear (and discrete) time temporallogic, which is strictly more powerful than (discrete) PLTL and has the same expressive poweras Buchi Automata. ETL defines temporal operators generated by right-linear grammars, sothat (countable) properties such as evem(p) (p is true at even time points) can be specified,which, however, cannot be expressed in PLTL.Metric Temporal Logic (MTL) [MMP91] introduces various types of real-time operator,such as D< and where u is a nonnegative real number.Real Time Temporal Logic (RTTL) [0st89] is a first-order temporal logic, with one of thestate variables representing time. For instance, w1 A t = T —* ø(w2 A t < T + 4) may beread as: “if w1 is true at time T then w2 must happen before the clock reads T + 4,” whereT is a parameter (global variable). The problem with this specification language is that theunquantified global variables about time (T in the above example) may lead to opacity [AH89].Timed Propositional Temporal Logic (TPTL) [AH89] is the adoption of temporal operatorsas quantifiers over state variables; every modality binds a variable to the time(s) it refers to.For instance, “if w1 is true at time T then w2 must happen before the clock reads T + 4”can be represented as Da.(wj —÷ KDy.(w2 A y < x + 4)). A tableau-based decision procedurewas developed for TPTL. Introducing extra time variables increases the flexibility of expressingtime constraints, and simultaneously, the complexity of verification.The Temporal Logic of Actions (TLA) [Lam9l] is a logic for specifying and reasoning aboutconcurrent systems. Systems and their properties are represented in the same logic, so theassertion that a system meets its specification and the assertion that one system implementsanother are both expressed by logical implication. TLA introduces a concept called “action,”which is any boolean-valued expression from variables, primed variables and values. An actionCHAPTER 12. SUMMARY AND RELATED WORK 140represents a relation between old states and new states, where the unprimed variables refer tothe old state and the primed variables refer to the new state. TLA imposes some constraints forrepresenting actions such that action A can only appear in the form D[Ajj D(A V (f’ =where f is a state tuple. {Lam9l] shows that TLA is powerful enough for representing propertiessuch as liveness and fairness, with a simple set of axioms and rules for the proof system. A realtime version of TLA was proposed by introducing an explicit time variable now [Lam93].Most temporal logics are defined for discrete time systems, i.e., with models as state sequences. It was suggested [BKP86j that linear temporal logic with the time structure of the(non negative) real numbers provides a more abstract logic than that of the natural numbers.Temporal Logic of Reals (TLR) is a logic defined on dense time. For each trace v there exists adenumerable sequence 0 = to < t1 <t2 .. with t, —* oo such that v(t) is uniform in TLR withineach open interval (t,t÷1). The difference between TLR and discrete time temporal logics isthat there is no predetermined sampling rate. TLR would be best suited for asynchronous eventcontrol systems.Besides modal linear temporal logics, there are first order temporal logics. McDermott[McD9O] developed a first-order temporal logic, in which it is possible to name and prove thingsabout facts, events, plans, and world histories. In particular, the logic provides the analysis ofcausality, continuous change in quantities, the persistence of facts and the relationship betweentasks and actions. Shoham [Sho88, Sho87] generalized McDermott’s temporal logic and defineda clean syntax and semantics. Finer distinctions of fact/event/process trichotomy are allowedunder this framework.12.2.3 Interval time temporal logicsUnlike point time temporal logics, formulas of Interval Temporal Logics (ITL) are defined onintervals of state sequences. One distinguished advantage of ITL is that it can represent lengthsof intervals, and therefore it can represent time easily. ITL has been applied to multilevelreasoning about hardware properties [Mos85] such as delay and stability of digital circuits. ITLhas also been used for the specification of real-time systems [Ha190]. There are properties thatcan be represent by ITL but not by LTL. For instance, C(E —* Rwithin{time(r)whenS} is anITL formula {Hal9Oj representing that whenever E is true, R will be true within an intervalthat S holds for time T in total.The duration calculus [HZ91] is a kind of interval temporal logic defined on continuous timestructures. The duration calculus uses the integral of a predicate to formalize critical durationCHAPTER 12. SUMMARY AND RELATED WORK 141constraints. For example, “a bad situation cannot happen more often than 5 percent of thetime over any time interval” can be represented as D(f B 0.051) where 1 indicates the lengthof the interval. This property is hard to specify in a simple form of linear temporal logic.Besides modal interval temporal logics, there are first order interval temporal logics. Allen[All90] proposed a framework in which time is represented by intervals. The relationshipsbetween two time intervals are characterized (before, equal, meets, overlaps, during, starts,finishes) and the properties of facts (that hold in an interval), events (that occur over aninterval) and processes (that are occurring over an interval) are examined by logic axioms.Various types of action can be represented in this logic.12.2.4 Relationships with TLTL and timed V-automataTLTL is a powerful and simple specification language for sequential and timed behaviors. Unlikemost specification languages, it is based on abstract time and domain structures. For simplicity,TLTL introduces only two basic real-time operators UT and ST, while other real-time operatorscan be derived from these basic operators. TLTL is powerful enough to represent propertiessuch as “if w1 is true at time T then w2 must happen before the clock reads T + 4.” In fact,this property can be represented by FTLTL without real-time operators as VTO(w1A t = T —+Ow2 A t < T + 4)), or simply by PTLTL as C(w1 —* K’4w2). TLTL can be considered as ageneralization of TLR. However, there is no axiomization for TLTL yet, since any axiomizationis defined for a particular time structure. FTLTL is more expressive than TLA since termsof FTLTL can as well include pre(x) and x — r for any local variable x, and TLTL has norestriction on formulas with these variables.Timed V-automata are generalizations of V-automata to represent timed or continuous behaviors. A local timing constraint in (discrete) timed V-automata can also be specified in TBA.However, global timing constraints cannot be specified within TBA, since it is not possible tostop a clock except by resetting it. On the other hand, there are properties of timed behaviorsthat can be specified by TBA but cannot be specified by timed V-automata. Some intervaltime properties that are hard to represent in TLTL, are easy to represent in timed V-automata.For example, D(E—÷ Rwithin{time(T)whenS} can be specified in a timed V-automaton witha global time bound T. An example of this type of specification will be discussed in AppendixC.Part IIIControl Synthesis andRobotic Architecture142143Attain utmost emptiness.Maintain profound tranquility.All things are running concurrently,cycle follows cycle.Activity overcomes cold.Tranquility overcomes heat.Peace and quiet is the true path in the world.— Tao Teh Ching, Lao TzuAttain utmost stability.Maintain minimum energy.All things are running concurrently,cycle follows cycle.Constraints overcome chaos.Stability overcomes disturbance.Peace and quiet is the true path in the world.— Zhang YingChapter 13IntroductionWe have developed a semantic model for dynamic systems and two requirements specificationlanguages for dynamic behaviors. We have also developed a formal method for verifying thebehavior of a dynamic system against its requirements specification. Verification in generalis hard. However, a good design methodology can result in a well-structured system, which,in turn, may simplify the verification greatly. In Part III, we present a framework of controlsynthesis with a simple principle. We consider a robotic system as a constraint-based dynamicsystem and the robot controller as a regulator that, together with the dynamics of the plant andthe environment, solves the constraints on-line. We then propose a two-dimensional hierarchicalstructure for control systems.In this chapter, we present an overview of Part III, Control Synthesis and Robotic Architecture. There are three major chapters in Part III. Chapter 14 studies constraint-baseddynamic systems. Chapter 15 proposes a framework for control synthesis. Chapter 16 discussesstructures of control systems.13.1 Constraint-Based Dynamic SystemsWe view constraint satisfaction as a dynamic process that approaches the solution set of thegiven constraints asymptotically. Generalizing, we view a constraint-based dynamic system asa dynamic system that approaches the solution set of the given constraints persistently.We first introduce dynamic processes, stable equilibria and attractors. We then define Liapunov functions with respect to dynamic processes and stable states, and study the relationshipof a Liapunov function and the stability of a dynamic process.We consider a constraint solver as a constraint net whose behavior is a dynamic processthat is asymptotically stable at the solution set of the given constraints.144CHAPTER 13. INTRODUCTION 145We show that various discrete and continuous time constraint methods for solving discrete/continuous optimization and global consistency problems can be modeled in constraintnets and analyzed using Liapunov functions.We consider constraint-based dynamic systems as a generalization of constraint solvers,whose behaviors can be specified by V-automata.13.2 Control SynthesisWe define the problem of control synthesis as follows. Given a requirements specification andthe models of the plant and the environment, produce a model of the controller that, togetherwith the plant and the environment, satisfies the requirements specification.Control synthesis in general is hard. However, we show that there is a systematic approach tocontrol synthesis using constraint methods for constraint-based specification; typical constraint-based specification includes safety requirements, goal achievement and persistent properties.We illustrate, by two examples, that various control algorithms, from simple linear controlto complex nonlinear and adaptive control, can be synthesized and analyzed in this framework.13.3 Robotic ArchitectureAny complex system should have some kind of hierarchical structure. We consider here twokinds of hierarchy: composition hierarchy and interaction hierarchy. The interaction hierarchycan be further decomposed into a two-dimensional structure: abstraction hierarchy and arbitration hierarchy. The abstraction hierarchy characterizes the multiple levels of control strategyin a system; the arbitration hierarchy characterizes the priority of constraints to be satisfiedwithin the same abstraction level.13.4 Summary and Related WorkThe major contribution of this part includes a unified framework for constraint satisfactionand a unified framework for control synthesis based on a simple principle— on-line constraintsatisfaction or energy minimization. Hybrid control systems can be designed and analyzed inthis framework.Chapter 14Constraint-Based Dynamic SystemsIn this chapter, we start with the basic concepts of dynamic processes, equilibria and stability,then discuss two basic types of constraint solver, discrete state transitions and differentialstate integrations. Furthermore, we study some typical discrete and continuous time constraintmethods for both global consistency and optimization. Finally, we introduce constraint-baseddynamic systems.14.1 Asymptotic StabilityIn this section, we study properties of dynamic processes in metric space.Given a metric space (X, d), we can define the distance between a point and a set ofpoints as d(x,X*) = inf*cx*{d(x,x*)}. For x E X and e > 0, let Nc(x*) be the spherical E-neighborhood of x’ and for X C X, let N(X*) = Ux*ex* N€(x*) be the sphericalc-neighborhood of X*. A neighborhood of X” is strict 1ff it is a strict superset of X*.Let T be a time structure, X be a metric space, and v : T —* X be a function from time tothe metric space. We say v approaches a point x e X 1ff limt d(v(t), x*) = 0; v approachesa setX* C X if limtd(v(t),X*) = 0.Definition 14.1.1 A dynamic process is a mapping p : X — XT, satisfying the followingconditions:1. p(x)(O) = x,Vx E X,2. p is state-based, i.e., Vt, p(x)(t) = p(y)(t) implies that Vt’ t, p(x)(t’) = p(y)(t’).3. p is time-invariant, i.e., {p(x)Ix X} is a time-invariant behavior.146CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 147Let (x) = {p(x)(t)It E T} and (X*) UXEx*p(x) for X C X. A point x” E Xis an equilibrium (or fixpoint) of a process p Hf Vt,p(x*)(t) x, or (x*) = {x*}. A setX” C X is an equilibrium of a process p if (X*) = X*. An equilibrium X* is stable {MT75]if V€5, (NS(X*)) C N6(X), i.e., g is continuous at X.A set X c X is an attractor [San9O] of a process p if there exists a strict neighborhoodN(X*) such that Vx E N(X*), p(x) approaches X*. The largest neighborhood of X” satisfyingthis property is called the attraction basin of X*. X is an attractor in the large if ‘v/x E X,p(x) approaches X, that is the attraction basin of X” is X. If X’ is an attractor (in the large)and X is a stable equilibrium, X’ is called an asymptotically stable equilibrium (in the large).Proposition 14.1.1 If{X}1are ((asymptotically) stable) equilibria, then U1 X, is an ((asymptotically) stable) equilibrium.Let (X, d) be a metric space, p : X —* XT be a dynamic process and X* C X. A Liapunovfunction for p and X* is a function V : —* 1, where 1 is a strict neighborhood of X*,satisfying:1. V is continuous, i.e., d(x,x’) —* 0 implies IV(x)— V(x’)I —* 0.2. V has its unique minimum within on X.3. Vx E f,Vt,V(p(x)(t)) < V(x).The following two theorems are analogous to the theorems of sound and complete verificationrules in Part II.Theorem 14.1.1 X’’ C X is a stable equilibrium of a process p if there exists a Liapunovfunction V for p and X*.Theorem 14.1.2 X* C X is an asymptotically stable equilibrium of a process p if there existsa Liapunov function V :— fl for p and X*, such that Vx E lim V(p(x)(t)) = V(X*).Furthermore, if Q = X, X* is an asymptotically stable equilibrium in the large.14.2 Constraint SolversWe view a constraint as a possibly implicit relation on a set of variables. The constraintsatisfaction problem is defined as follows. Given a set of variables V with the associated domains{ DV}VEV and a set of constraints {C}3€j each on a subset of the variables, i.e., C, C xv3DCHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 148where Vj C V, find an explicit relation tuple x e xvD that satisfies all the given constraints,i.e., for all j e J, x1v, e C where xis denotes the restriction of x onto S C V. If C = {Cj}jEJis a set of constraints, we use sol(C) to denote the set of solutions, called the solution set.A constraint solver for a constraint satisfaction problem is a closed parameterized net whosebehavior is a dynamic process approaching the solution set of the constraints.Definition 14.2.1 (Constraint solver) A closed parameterized net CSV is a constraintsolver for a constraint satisfaction problem C on domain X = xvD if (1) the semanticsof CSV for V is a dynamic process GSV : X —* XT and (2) sol(C) is an asymptotically stable equilibrium of CSV. CSV solves C globally if sol(C) an asymptotically stable equilibriumof CSV in the large.Proposition 14.2.1 If a constraint solver CSV solves a set of constraints C on variables Vglobally, every equilibrium of CSVjj is a solution of C.As an application of the concept of robustness for parameterized nets, two constraint solversCS1 and CS2 for the set of constraints C can be compared as follows. CS1 is more robust thanCS2 if the attraction basin of sol(C) in CS1 is a superset of that in CS2.We discuss here two basic types of constraint solver: state transition systems for discretemethods and state integration systems for continuous methods.Let S be a set of states and f : S —* S be a state transition function. (5, f) forms astate transition system (S, —*) with s —÷ s’ if s’ = f(s). Such a state transition system can berepresented by a closed parameterized net with a transliteration f and a unit delay S(so) whereo is the initial state parameter. The semantic of this net on the discrete time structure .,V is adynamic process p: S —* S with p(so)(n) = ffl(s). A state s E S is an equilibrium of (5, f)if s = f(*)Proposition 14.2.2 If V : —* 7?. is a Liapunov function for (S,f) and 5* {5*I5*f(s*)} C 1, then V(f(x)) V(x),Vx E 2. In addition, if f is continuous and V(f(x)) <V(x), Vx i’ S, S’ is an asymptotically stable equilibrium.For continuous time structures and domains, integration is used to replace the unit delay. Astate integration system is a differential equation . = f(s) that can be represented by a closedparameterized net with a transliteration f and an integration f(so) where is the initial stateparameter (Figure 4.2). The semantic of this net on the continuous time structure 7?+ is adynamic process p : S —+ S with p(so) as the solution of . = f(s) and s(O) = A state.5 E S is an equilibrium of . = f(s) if f(s*) = 0.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 149Proposition 14.2.3 A set S = {5*If(5*) = O} C ! is an asymptotically stable equilibrium ofa state integration system if f is continuous at 5* and 5* is the unique minimum of— f f(s)dsin . If = S, S is an asymptotically stable equilibrium in the large.14.3 Constraint MethodsVarious constraint methods fit into our framework of constraint satisfaction. In this section, weexamine some typical constraint methods and their dynamic properties. We discuss two typesof constraint satisfaction problem, namely, global consistency and optimization, for linear,convex and nonlinear relations in n-dimensional Eucidean space (R, d), where d(x, y) =Ix—y = — y)2. Constraint methods for finite domain constraint satisfaction havebeen presented in [ZM93a, ZM93b].The problem of global consistency is to find a solution tuple that satisfies all the givenconstraints. The problem of unconstrained optimization is to minimize a function : —÷ 7.Global consistency corresponds to solving hard constraints and unconstrained optimizationcorresponds to solving soft constraints. A problem of the first kind can be translated into one ofthe second by introducing an energy function representing the degree of global consistency. Forexample, given a set of equations gj(x) = 0, i = 1 . . n, let ‘(x) =1wjg(x) where w > 0and = 1. If a constraint solver CS solves mint’g(x), CS solves g(x) = 0. Inequalityconstraints can be transformed into equality constraints. There are two approaches. Let gj(x) <o be an inequality constraint: the equivalent equality constraint is (i) max(0, gj(x)) 0 or (ii)gj(x) + z2 = 0 where z is introduced as an extra variable.Constrained optimization is a problem of solving (soft) constraints subject to the satisfactionof a set of hard constraints, or solving a constraint satisfaction problem within a subspacecharacterized by a set of hard constraints.There are two types of constraint method, discrete relaxation, which can be implementedas state transition systems, and differential optimization, which can be implemented as stateintegration systems. In the rest of this section, we demonstrate the use of both types ofconstraint method.14.3.1 Discrete methodsWe discuss here two typical discrete constraint methods, the projection method for globalconsistency, and Newton’s method for unconstrained optimization.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 150Projection methodThe projection method [GPR67] can be used for solving convex constraints. A function fR is convex if for any A e (0, 1), f(Ax + (1 — A)y) < Af(x) + (1 — A)f(y); it is strictlyconvex if the inequality is strict. A strictly convex function has a unique minimal point. Linearfunctions are convex, but not strictly convex. A quadratic function zTMx + cTx is convex if Mis semi-positive definite; it is strictly convex if M is positive definite. A set ft ç ‘R7’ is convexif for any A E (0, 1), x, y e ft implies Ax + (1 — A)y E ft. if g is a convex function, {xg(x) < 0}is a convex set.A projection of a point x to a set R in a metric space (X, d) is a point PR(X) E R, suchthat d(x, PR(x)) = d(x, R). Projections in the n-dimensional Eudidean space (R., d) sharethe following properties.Proposition 14.3.1 [GPR67] Let R C R7’ be closed and convex. The projection PR(x) of xto ft exists and is unique for every x, and (x — PR(x))T(y— PR(x)) <0 for any y E ft.Suppose we are given a system of convex and closed sets, {X}i, each representing aconstraint. The problem is to solve {Xjei, or to find fl1X. Let P(x) = Px1(x) be a projectionof x to a least satisfied set X1, i.e., d(x, X1) = maxi d(x, Xi). The projection method [GPR67Jfor this problem defines a state transition system (R, f) where f(x) = x + A(P(x) — x) for0< A <2.Let PM be a constraint net representing the projection method. The following theorem isderived from [GPR67J.Theorem 14.3.1 PM solves {X}€j globally if all the X ‘s are convex.The projection method can be used to solve a set of inequality constraints, i.e., X{ xg(x) <0}, where each gj is a convex function. Linear functions are convex. Therefore, theprojection method can be applied to a set of linear inequalities Ax b, where x = (x1,. . . , x,) ERT. Let A be the ith row of A. The projection of a point x to a half space Ax — b 0 isdefined asI x ifAx—b1<0P(x) =x — cAT otherwise —where c = (Aix— b)/IATI2. This reduces to the method described in [Agm54]. Without anymodification, this method can be also applied to a set of linear equalities, by simply replacingeach linear equality gj(x) = 0 with two linear inequalities: gj(x) 0 and —gj(x) 0.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 151There are various ways to modify this method for faster convergence. For instance, asimultaneous projection method is given in [CE82], in which f(x) = x + — x)where J c I is an index set of violated constraints, w3 > 0 and jjw3 = 1. A similar methodis given in [YM] in which f(x) = x + A(Ps(x) — x) where S = {xIjEJwjgj(x) 0}, with thesame assumption about J and wj. Furthermore, for a large set of inequalities, the problem canbe decomposed into a set of K subproblems with fk corresponding to the transition function ofthe kth subproblem. The whole problem can be solved by combining the results of {fi,. . . , fid.Newton’s methodNewton’s method [San9O] minimizes a second-order approximation of the given function, ateach iterative step. Let L.S = and J be the Jacobian of z6. At each step with currentpoint Newton’s method minimizes the function:= e(x(k)) +8T(x)(x — x) + (x — (k) )TJ(x(k))(x —Let = 0, we have:+ J(x’)(x — x(k)) = 0.The solution of the above equation becomes the next point, i.e.,(k+1) = — j_l(x(k))Newton’s method defines a state transition system (R7, f) where f(x) = x — J1(x)6(x).Let NM be a constraint net representing Newton’s method. The following theorem specifiesconditions under which NM solves the problem of local minimization of a function 8.Theorem 14.3.2 Let X* E R7 be the set of local minima of 8. NM solves the problem ifIJ(x*)I 0, Vx’ e X’. i.e., C is strictly convex at each local minimal point. NM solves theproblem globally if, in addition, C is convex.Here we assume that the Jacobian and its inverse are obtained off-line. Newton’s method canalso be used to solve a nonlinear equation g(x) = 0 by replacing i8 with g.For example, consider Newton’s method for solving x2 = 2. Newton’s method for solvingg(x) = 0 can be represented by a constraint net with domain equation: x’ = x—In ourexample, g(x) = x2 — 2, x — = + . NM solves x2 = 2 since g(x*) = 2x* 0 forboth x = and x = The attraction basin of is {xlx > 0} and the attraction basinof —/ is {xlx < 0}.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 15214.3.2 Continuous methodsWe discuss here some typical continuous constraint methods: the gradient method for unconstrained optimization, the penalty method and the Lagrange multiplier method for constrainedoptimization.Gradient methodThe gradient method [P1a89] is based on the gradient descent algorithm, where state variablesslide downhill in the direction opposed to the gradient. Formally, if the function to be minimizedis 8(x) where x = (x1,. . , x,,), then at any point, the vector that points in the direction ofmaximum increase oft is the gradient oft. Therefore, the following gradient descent equationsmodel the gradient method:= —k---, k, > 0. (14.1)Let 8 : R7 —* 1?. be a function. Let GM be a constraint net representing the gradientdescent equation (Equation 14.1). The following theorem specifies conditions under which GMsolves the problem of local minimization of 8.Theorem 14.3.3 Let X* be the set of local minima of 8. GM solves the problem if iscontinuous at X. GM solves the problem globally if, in addition, 8 is convex.Consider again the example of solving x2 = 2. Let 6(x) = (x2 — 2)2. Let the constraintsolver GM be i =—= —x(x2— 2). GM solves x2 = 2 since —x(x2— 2) is continuous. Theattraction basin of is {xlx> 0} and attraction basin of —‘/ is {xlx < 0}.Penalty and Lagrange multiplier methodsThe prototypical constrained optimization problem can be stated as [P1a89]: locally minimizef(x), subject to g(x) = 0, where g(x) 0 is a set of equations describing a manifold of thestate space. There are various methods for solving the constrained optimization problem. Herewe focus on methods derived from the gradient method. During constrained optimization, thestate x should be attracted to the manifold g(x) = 0 and slide along the manifold until itreaches the locally smallest value of f(x) on g(x) = 0.Different methods arise from the design of the energy function 8 for minimizing f(x) underconstraints gk(x) = 0 for k = 0. . . m. Let 8 be the energy function generated from theconstraints, i.e., 8(x) = f(x) + 8(x).CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 153• Penalty Methods: The penalty method constructs an energy term that penalizes violationsof the constraints, i.e., (z) = E_0ckg(x).• Lagrange Multipliers: The Lagrange multiplier method introduces a Lagrange multiplierA for each constraint and A varies as long as its constraint is not satisfied, i.e., (x) =>2LoAkgk(x). In addition, there is a set of differential equations for A, i.e., Ak = gk(x).The advantage of the penalty method is its simplicity; however, the constrained optimizationproblem may not be solved with finite c. The advantage of the Lagrange multiplier method isits ability to satisfy the hard constraints.Let LM be a constraint net representing the Lagrange multiplier method. The followingtheorem specifies a condition under which LM solves the constrained optimization problemglobally.Theorem 14.3.4 Let A be a matrix where=+ If A is positivedefinite, LM solves the constrained optimization problem mm f(x) subject to gk(x) = 0 globally.Consider a simple example. Given a function f(x, y) = x2 + y2 to be minimized, subject toconstraint x + y — 1 = 0, it is easy to check that the solution to this problem is (0.5, 0.5). Theconstrained optimization based on the penalty method proceeds as follows: the energy functionis 8(x, y) = x2 + y2 + c(x + y — 1)2 where c is a constant. Using the gradient method, letdx= —0.5— = —(x + c(x + y — 1)),dy-—= —0.5--= —(y + c(x + y — 1)).The process is asymptotically stable at jy). When c —* oo, the state (x, y) approaches(0.5,0.5). The constraint optimization based on the Lagrange multipler method proceeds asfollows: the energy function is (x, y) = x2 + y2 + A(x + y — 1). Using the gradient method, letdx 08- = —h-- = —(2x + A),dy 88= —h--=—(2y + A).In additiondA-i-- = (x + y — 1).The process is asymptotically stable at (0.5, 0.5) in the large.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 15414.4 SummaryWe have presented here a framework for constraint satisfaction. Figure 14.1 illustrates theoverall approach. First, we view constraints as relations and constraint satisfaction as a dynamicmodeled byDynamic Process Constraint Net• specialized tois aConstraint Satisfaction models• . Constraint Solver(Constraint Method + Constraint)Figure 14.1: A framework for constraint satisfactionprocess of approaching the solution set of the constraints. Then, we explore the relationshipbetween constraint satisfaction and constraint nets through constraint solvers.Within this framework, constraint programming is seen as the creation of a constraint solverthat solves the set of constraints. A constraint solver “solves” a set of constraints in the followingsense (Figure 14.2). Given a constraint satisfaction problem C, and a discrete or continuous(time) constraint method, a constraint solver CS is generated. Starting from any initial statein the attraction basin of sol(C), CS will approach sol(C) asymptotically. In this framework,constraint programming is off-line and constraint satisfaction is on-line.We have also studied various continuous and discrete time constraint methods, which canbe realized by state integration systems and state transition systems, respectively.This framework for constraint satisfaction has two advantages. First, the definition of constraint solvers relaxes the condition of solving constraints from finite computation to asymptoticstability. For example, many relaxation methods with the local convergence property are infact “solvers” under this definition and many problems become “semi-computable” in this sense.This concept is very useful in practice and can be used for generalizing Turing computabilityfrom discrete domains to continuous domains. Second, dynamic constraints can be solved inthis framework as well. This characteristic will be important later in control synthesis.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 155(thnts (EtMethodBuildOff-lineRunOn-lineSt1eStat}Figure 14.2: Constraint solvers and constraint satisfactionCHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 15614.5 Constraint-Based Dynamic SystemsGiven a set of constraints C on variables V, let C denote the assertion that is true on the eneighborhood of its solution set N(sol(C)) C xvD,,. Let A(C; D) stand for the V-automatonin Figure 14.3(a).(a) (b)Figure 14.3: Specification for (a) Constraint solver (b) Constraint-based dynamic systemProposition 14.5.1 A constraint solver CSV solves C if there exists an initial condition9 D sol(C) such that Ve> 0, CSv(9)] A(CE; 0). CS solves C globally when 0 = xvD.For example, let C be Ix—<€ or Ix + < E. In order to prove that Newton’s methodfor solving x2 = 2 satisfies A(C; 0), we do the following. Let 9 be x > 0.(I) Associate with automaton-state qo and q state propositions 0 A -C and 0 A C,respectively. It is easy to check that the following conditions are satisfied.• Initiality: q : 0 A -C —* 0 A -C and q : 0 A CE —* 0 A CE.• Consecution: Let f3 = + ).qo,qo : {0 A -iC}x’ = fs(x){,CE —+ 0 Aqo,q : {0 A _iCE}xI =f3(x){CE —* 0 A CE}.q,qo : {0 A CE}x! =f5(x){_,Cc —+ 9 A iCc}.qi,qi : {0 A C}x’ =f3(x){CE —* 0 A C6}.Therefore, 0 A —C6 and 0 A C6 are invariants for qo and qi, respectively.(L) Associate with automaton-state q and q a partial function p:—Ax f x2—2 ifIxIp 1 + p( + ) otherwise.CHAPTER 14. CONSTRAINT-BASED DYNAMIC SYSTEMS 157It is easy to check that they satisfy the definedness and non-increase conditions. Furthermore,since 0 A ,CE and x’ = f3(x) imply that p(x’) — p(x) < — min(1, EO) where eo = p(/ + e) —p(f3(.../ + e)), the decrease condition is satisfied. Therefore, it is a Liapunov function.According to the verification rules, Newton’s method for solving x2 = 2 satisfies A(Gc; D).We should notice the importance of open specification for the asymptotic goal achievementproperty; Newton’s method for solving x2 = 2 does not satisfy A(sol(C); 0).For another example, the gradient method for solving x2 = 2 satisfies the A(C; 0) for anye > 0 as well. To see this, let 0 be lxi > 0. Associate with automaton-state qo and q statepropositions 0 A _,Cc and 0 A C, which are invariants for qo and qi, respectively. Associatewith automaton-state q and q the function 8(x) = (x2 — 2)2. For any initial state x0 E 0,E(x) = —x2(x — 2)2 < —min(2,x)e4whenever x e 0 A _,Cc; 6 is a Liapunov function.However, when constraints are dynamic, approaching the solution set asymptotically is stilltoo stringent for a constraint satisfaction problem with disturbance and uncertainty in its datavariables over time. If we consider the solution set of a set of constraints as the “goal” for thesystem to achieve, a relaxed property for a constraint solver is to make the system approach thegoal persistently. In other words, if the system diverges from the goal by some disturbance, thesystem should always be able to be regulated back to its goal. We call a system GB constraint-based with respect to a set of constraints C, if there exists an initial condition 0 D sol(C)such that Ye > 0, GB(0) = A(GE; K>) where A(GE; K>) stands for the V-automaton in Figure14.3(b). In other words, a dynamic system is constraint-based if it approaches the solution setof the constraints persistently. Since cJK>G —÷ KDG, a constraint solver is a constraint-basedsystem as well.We may relax this condition further and define constraint-based systems with errors. We calla system GB constraint-based w.r.t. a set of constraints C with error 6, if Ye > 6, CB(0)]J j=A(G; K>); 6 is called the steady-state error of the system. Normally, steady-state errors arecaused by uncertainty and disturbance of the data variables.If A(C; 0) is considered as an open specification of a constraint-based computation for aclosed system, A(G’; K>) can been seen as an open specification of a constraint-based control foran open or embedded system.Chapter 15Control SynthesisGiven a constraint-based specification for a controller, the design of the controller is the synthesis of an embedded constraint solver that, together with the dynamics of the plant, solvesconstraints on-line. Various constraint methods can be applied to control synthesis under thisframework. More importantly, most constraint methods are associated with some type of Liapunov function, which can be directly used by the verification method. In this chapter, westart with general issues of control synthesis and then focus on constraint-based control designand analysis. Finally we illustrate this approach via examples.15.1 Control Synthesis: General IssuesA robotic system, in general, consists of a plant, a controller and an environment (Figure1.1). The robotic behavior is the set of observable robot/environment traces of the system.A requirements specification is a subset of all the possible robot/environment traces. Theproblem of control synthesis can be formalized as follows: Given a requirements specificationR, the model of the plant PLANT and the model of the environment ENVIRONMENT,synthesize a model of the controller CONTROLLER, such that= PLANT(U,Y), U = CONTROLLER(X,Y), Y = ENVIRONMENT(X)Both planning and control problems can be seen as instances of this formalization.The planning problem is a special case of the control synthesis problem, with the restrictionthat the controller is an 0-ary transduction (a trace), instead of a transduction in general, andthe requirements specification only imposes conditions on the “final state” of the system. Ifthe integration of the plant and the environment is a finite state automaton, with the control158CHAPTER 15. CONTROL SYNTHESIS 159output as the input, planning is the generation a path in the state transition graph, given theinitial state. The complexity of this problem is linear in the size of the state transition graph.This simple form of the planning problem can be considered as an open-loop control synthesis problem. It has been shown in control system theory (and in practice) that open-loopcontrol is not robust. A direct generalization is then synthesizing the controller to behaveas a transliteration, i.e., a reactive (universal) plan [Sch87]. Given that S is the space ofthe robot/environment state tuples and U is the set of possible control values, the number ofpossible reactive controllers will be lUll51.In general, requirements specification may impose other forms of constraints on traces. Forexample, safety and persistence are typical requirements, other than reachability, for dynamicsystems. Some aggregation evaluation of the system, such as the minimum overall energy, is alsoan important kind of specification. When uncertainty is concerned, minimum overall expectedcost is normally imposed as a constraint {Qi94].Approaching a final goal and minimizing a global function over time (for example, energy)can both be considered as constraints over traces; the former is a typical planning problemand the latter is a typical control problem. Planning and control have been studied as differentproblems over the years. The planning problem [DW91] is defined as using a model to formulatesequences of actions (or more generally, to composite descriptions of actions over time) toachieve a certain goal. The control problem [DW91] is considered as finding a policy to achievea goal or minimizing a functional. Planning is normally restricted to symbolic domains indiscrete time; while control is often for numerical domains, particularly n-dimensional Eucideanspaces, in either discrete or continuous time. The result of a planning problem (traditionally)is a trace (sequence) of inputs to a plailt for approaching a final goal; the solution to a controlproblem (closed-loop control) is a transduction from the sensor traces to the command tracesfor minimizing a required functional, such as time, energy, cost for approaching a goal. Searchalgorithms and theorem proving are basic techniques for planning; calculus of variations andoptimization are basic techniques for control. In our framework of control synthesis, planningand control can be studied together, and techniques developed for one problem may be usedfor the other.Control synthesis in general, like verification, is hard. Furthermore, there does not exist auniform algorithm for different control synthesis problems. In the rest of this chapter, we focuson a systematic approach to designing and analyzing constraint-based control systems.CHAPTER 15. CONTROL SYNTHESIS 16015.2 Constraint-Based ControlWe restrict requirements specification to constraint-based specification. Most robotic systemsare constraint-based, since physical limitations, environmental restrictions and task requirements can be specified as constraints. We have developed a framework of viewing constraintsatisfaction as a dynamic process. An important consequence of this framework is to be ableto design control systems as embedded constraint solvers. Such an embedded constraint solveris an open system with inputs as observable traces of the plant and the environment. Theembedded constraint solver together with the rest of the robotic system satisfies the desiredconstraint-based specification (Figure 15.1).Figure 15.1: Embedded constraint solversLet C be a set of constraints and CE be an c-neighborhood of sol(C). Typical types ofconstraint-based specification are:Build EmbeddedConstraint SolverInitial StateCHAPTER 15. CONTROL SYNTHESIS 161• safety requirement: EC6;• goal achievement: DC6;• persistence:The safety requirement is the strongest and the persistence is the weakest, since CC DCand K3CE — DKCE.Embedded constraint solvers can be either discrete or continuous according to the constraintmethods. Continuous solvers, based on energy functions, generalize potential functions. Discrete solvers, based on relaxation methods in numerical computation, are more flexible in manyapplications.The design of an energy function depends on the type of constraint. For goal achievement orpersistence constraints, the energy function defines the degree of satisfaction of the constraints;for safety constraints, the energy function defines the degree of satisfaction of the constraintswithin C and infinity outside of CE. For example, given a requirement specification DKGE withC defined as f(x) = 0, an energy function for this specification can bef2(x). If D(f(x) > 0)is required, an energy function can be max(— lii 0), i.e., if f(x) e, then 6(x) = 0, ifo < f(x) < e, then 6 > 0, and if f(x) —f 0, then 6(x) —÷ oo. Using these types of energyfunction, we have designed controllers for a two-link robot arm tracking targets (persistence)and/or avoiding obstacles (safety); details are presented in Appendix C.15.3 ExamplesVarious existing controllers, from simple linear control to complex nonlinear adaptive controlor potential field methods, can be derived and analyzed in this framework. We analyze twosimple examples here to illustrate the approach. The first is on the design and analysis of linearcontrollers, the second is on the design and analysis of a nonlinear controller for a car-like robot.15.3.1 Linear controlLinear controllers are most widely used in real systems. Even though there are many advancedcontrol strategies in theory, linear controllers are still the most robust and reliable ones.A linear proportional and derivative (PD) controller has the form u = ke + kdê where uis the control signal, e = Xd — x is the current error between the desired position xd and theactual position x, k is a proportional gain and kd is a derivative gain. A desired property for aPD controller can be øD(e < e). However, in many cases, we would also like to trade positionCHAPTER 15. CONTROL SYNTHESIS 162errors for low oscillation or frequency. A more appropriate property for a PD controller shouldbe KO(e2 + Aê2 < E) where A > 0 denotes a trade-off between position and velocity errors. IfA— 0, only position errors are taken into account.We can synthesize a PD controller using an energy function 8 = (e2+ Aê2). The controller,together with the dynamics of the plant, is to make 8 go to its minimum. Let E = eê + ,\èë =ê(e + Ae). If we let e + Àë = —ké for k > 0, we have E <0, a desired property for the controller.Therefore, we want —ë = (e + kê). In most cases, = 0, so = (e + kê). If the dynamicsof the plant is u = ‘ê, let u = (e + kE), which is a PD controller with k = and kd= .Thisdesign tells us that if A —* 0, then k, kd —* 00, and there will be possibly high oscillation sincethe constraint on è is neglected. A compromise between the position error and the oscillationfrequency should be made for any application.Furthermore, if the dynamics of the plant is u = mã, the PD controller u = (e + kê)will make S = (e2 + mAe2) go to its minimum. If the dynamics of the plant is not fullyknown, we can still get a good estimation of the control parameters. Since E e(e + Àë) =(Au—e)(e+Aë)/k, if Au and AIëI el, we have 0. Therefore, let A= max(lvilrnax)where lelmin is the steady state error, and IUlmax and Ilmax can be estimated even when thedynamics of the plant is unknown. If u can be estimated on-line, A can be adapted over time,and better performance can be achieved.We can design and analyze nontrivial control strategies using the same simple principle —on-line constraint satisfaction or energy minimization.15.3.2 Nonlinear controlLinear PD controllers are simple and easy to analyze. However, they may not fit on to systemswith complex nonlinear dynamics. Consider a tracking system for the car-like robot. Let vbe the velocity of the car and a be the current steering angle of the wheels; v and a can beconsidered as control inputs to the car. The dynamics of the car can be modeled by followingdifferential equations:= vcos(6), = vsin(8), Ô = v/Rwhere (x, y) is the position of the tail of the car, 0 is the heading direction and R = L/ tan(a) isthe turning radius given the length of the car L (Figure 1.2). A tracking problem for the car-likerobot is to design a controller, given a target trace and an actual trace of the configuration ofthe car up to the current time, produce the control inputs to the car so that the car tracks thetarget over time.CHAPTER 15. CONTROL SYNTHESIS 163If the target is constant (for example, parallel parking), the problem can be decomposedinto two subproblems: path planning and control. The path planning is to prodnce a set ofconsecutive circle and line segments that connect the current and the target configuration ofthe car (Figure 15.2). Although there are more complex tracking algorithms in practice {SM94],Figure 15.2: Path planningthe simplest tracking algorithm is as follows. For tracking on the line segments, set a = 0; andfor tracking on the circle segments, set a to be a nonzero constant (Left: + tan1 and Right:— tan1 ). In either case, the velocity can be set to a constant or to be controlled by a linearproportional controller.When the target is moving, the path planning can be either applied at a fixed sampling rateor event-driven, where an event indicates a substantial change of the target. However, there isa simple control strategy for tracking a dynamic target, so that the path planning problem canbe simplified, if not eliminated.Let C denote the constraint for the tracking problem: (x = xd) A (y = Yd) A (0 = Od).The desired property for tracking is persistence that can be expressed as DØCC. We define anenergy function for the controller as6 = (xj — x)2 +-(yd— y + (O — 0)2.The controller is designed to make 6 go to its minimum.Let p = fvdt be the length of the path. We haveL.v = j3, a = tan (—0).Using the gradient method, we would like to have96 . 86p=—k1--, 0=—k2--CHAPTER 15. CONTROL SYNTHESIS 164where and can be computed as follows:Ox Dy 08= kp(xci — x)— + k(yd — y)— + kt(Oci —whereOx th Dy. 08 8 tan(a)—=—=cos(8), —=—=sin(8),Op v Op v Op v LandOx Dy= kp(Xci — x) + k(yd — y) + kt(Od —0)whereOx . Dy.= —vsin(8), = vcos(8).Let d = /(xd — x)2 + (yd — y)2 and 0’ = tan’(yd — y,xd — x). The control law for thetracking problem is:V = ki[kpdcos(8’— 8) + kt(Od —0)tan(a)]a = tan’(k2(kvdsin(0’ — 0) + kt(Od — 8))).Now we are able to analyze the stability of this control law. We argue that the control lawis stable, since= _[kp(x — x)th + kp(yd — y)’+ kt(Od — 8)8]= — x)cos(9) + k(yd — y)sin(8) + kt(8d — O)tan(a)]V= ——V O.k1However, there are local minima or singularities. If 10’ — 01 = and 8d = 0 we get v = 0 evenwhen d 0. We can prove that they are the only singularities of this control law.Proposition 15.3.1 This control law satisfies the condition that v = 0 if(d 0 v 8’— 01 k) A(8d = 0).We have applied this control strategy to the soccer-playing robot car with high level targetgeneration and low level target tracking. For the real car, the throttles and steering angles arelimited to certain ranges, errors appear iii both sensing and control. Gains in the control laware any positive reals in theory but should be chosen for the best performance in the practice.The model of the car-like robot, with the dynamics of forces, frictions and mechanical delays,has been developed. Even though the development itself is not closely related to the contentof this thesis, the method may have a general interest for other applications. We describe thetheory behind this model estimation method in Appendix D.CHAPTER 15. CONTROL SYNTHESIS 16515.4 SummaryConstraint-based control synthesis and analysis provide a unitary framework for developingcontinuous/discrete hybrid control systems. However, we are not aiming either to subsume orto replace existing control theory, rather to formalize the underlying principles that are usedinformally in practice.Local minima and/or singularities are the major problem for this type of controller. Normally singularities can be avoided if a higher level control strategy is used to detect singularitiesand to produce a sequence of intermediate configurations between the actual and the targetconfigurations. Such a higher level control strategy becomes more important when the robot isembedded in a complex environment. In general, any complex robot control system should bedeveloped and organized hierarchically. In the rest of Part III, we will propose a hierarchicalrobotic architecture.Chapter 16Robotic ArchitectureWe propose two kinds of hierarchy in a robot control system: one is composition hierarchy,the other is interaction hierarchy. Both of these hierarchies should be used as systematicmechanisms for building, organizing and analyzing a complex system incrementally.The Constraint Net model supports composition hierarchies with modules, that has a setof inputs and outputs and performs a transduction from input traces to output traces. Thecomposition hierarchy characterizes the hierarchy of composing complex modules from simpleones. The composition hierarchy of a system has a tree structure, in which the root is the wholenet, and leaves are basic transductions. A complex module can be incrementally composed ofsimpler ones. A system can be tested and verified structurally.The interaction hierarchy imposes the hierarchy of interaction or communication betweenmodules. In the rest of this chapter, we focus on interaction hierarchies. We present a two-dimensional hierarchical structure, one is abstraction (or vertical) hierarchy and the other isarbitration (or horizontal) hierarchy.16.1 Abstraction HierarchyA control system, in general, is implemented in a vertical hierarchy [A1b81] (Figure 16.1) corresponding to a hierarchical abstraction of time and domains (Figure 16.1). The bottom levelsends control signals to various actuators, and at the same time, senses the state of actuators.Control signals flow down and the sensing signals flow up. Sensing signals from the environmentare distributed over levels. Each level is a black box that represents the causal relationship between the inputs and the outputs. The inputs consist of the control signals from the higherlevel, the sensing signals from the environment and the current states from the lower level. Theoutputs consist of the control signals to the lower level and the current states to the higher166CHAPTER 16. ROBOTIC ARCHITECTURE 167CONTROLLERTIME STRUCTURES—Figure 16.1: Abstraction hierarchyCHAPTER 16. ROBOTIC ARCHITECTURE 168level. Usually, the bottom level is implemented by analog circuits that function in continuousdynamics and the higher levels are realized by distributed computing networks.In our framework of control synthesis, constraints are specified at different levels on differentdomains, with the higher levels more abstract and the lower levels more plant-dependent. Forexample, a multi-joint arm can be specified by two levels: the low level on joint space and thehigh level on task space.A control system can be synthesized as a hierarchy of interactive embedded constraintsolvers, that form the abstraction hierarchy. Each abstraction level solves constraints on itsstate space and produces the input to the lower level. The higher levels are composed ofdigital/symbolic event-driven control derived from discrete constraint methods and the lowerlevels are analog control based on continuous constraint methods.16.2 Arbitration HierarchyVarious constraints at same level of the abstraction hierarchy may form a constraint hierarchy.For example, safety requirements may always have the highest priority for satisfaction andpersistence properties the lowest.In our framework of control synthesis, constraint solvers at the same level of the abstraction hierarchy are coordinated via various arbitrations to compromise among different kinds ofconstraint, which form the arbitration hierarchy. (Figure 16.2).Figure 16.2: Arbitration hierarchy (CS’s and A’s denote solvers and arbiters respectively)One type of arbitration can be modeled by the subsumption architecture [Bro86]. An outputof a module in a higher layer can be subsumed by an output of a module in a lower layer. Aninput of a module in a lower layer can be inhibited by an output of a module in a higher layer.CHAPTER 16. ROBOTIC ARCHITECTURE 169Some other forms of subsumption and inhibition mechanism have been proposed in terms ofcompound synapses in neural activities [Bee9Oj. There are two different interaction functions:gated synapses wherefg(Is,IG) = (U + IG)Isand modulated synapses wheref (1+I)Is ifIMOfm(IS,IM) Is/(1+IIMI) otherwise.We can define some other arbitration functions:• Subsume:LU_jL ifLO‘ ‘—U otherwise.• Conditional pass:ci—1 ifCOJc I—o otherwise.• Compromise:fw(I1,12) = w1 + w21, w1,w2 > O,w1 + w2 = 1.In most cases, arbitration functions are nonlinear.In general, multiple embedded constraint solvers are distributed and coordinated via variousarbiters, which implement constraint hierarchies with the subsumption architecture or withsome forms of compromise.We have developed a control system for a hydraulically actuated arm with a low level PDcontroller and a high level end-point tracking and obstacle avoidance. Obstacle avoidancehas a higher priority for satisfaction than end-point tracking. Both levels can be consideredas applications of constraint-based control. This control system is a typical example of ahierarchical control system. The model of the arm and the hydraulic actuators, and the jointlevel and end-point level control strategies are described in detail in Appendix C.We have also developed a modeling and simulation environment, called ALERT (A Laboratory for Embedded Real-Time systems), in which all the examples described in this thesishave been experimented. In addition to the existing linear and nonlinear modules, we developevent, logic and arbitration modules for constructing complex hybrid control systems. ALERTand some examples are presented in Appendix B.Chapter 17Summary and Related WorkWe have developed a systematic approach to control synthesis: a framework for constraint-basedcontrol and a framework for robotic architecture. In this chapter, we summarize this approachin terms of its power and limitations, and discuss some related work on constraint-based controland robotic architecture.17.1 SummaryIn this section, we summarize our framework for control synthesis and robotic architecture.17.1.1 PowerMost robotic systems are constraint-based dynamic systems. Systems with adaptivity andlearning exhibit this type of property as well. Constraint-based control synthesis provides asimple principle, on-line constraint satisfaction or energy minimization, that has been usedimplicitly in many existing control laws. With this framework, both discrete and continuouscontrol strategies can be derived and analyzed, and many existing constraint methods can beapplied to control. With this synthesis principle, verification can be simplified as well.17.1.2 LimitationsSimilar to the limitations of V-automata for representing dynamic behaviors, constraint-basedspecification cannot represent probabilistic or stochastic performance, or minimization of totalcost over time (for example, energy cost for control). Constraint-based control differs fromoptimal control: the former is an on-line optimization that uses on-line constraint satisfaction,and the latter is an off-line optimization that uses calculus of variations {Lue79, War72, NK93a].170CHAPTER 17. SUMMARY AND RELATED WORK 171Constraint-based control synthesis is a methodology, a framework or a concept for a systematic development of control systems, rather than a new technique for the automatic generationof control systems. We will work on automatic or semi-automatic control synthesis for specialclasses of system in the future.17.2 Related WorkMuch work has been done on control synthesis. In this section, we survey only the most relatedand influential work. We consider two classes of work: one is on control strategies and the otheris on control structures.17.2.1 Constraint-based controlEarly work on constraint-based control includes potential functions and the least constraintframework.Potential functions generalize the conceptions of potential fields and forces, so that intention and action are intrinsically bound together in the description of the robot’s task [Kod89].Potential functions are used in obstacle avoidance and target tracking in unstructured environments [Kha86]. Various control methods, from PD controllers to adaptive control and neuralnets, can be considered as applications of potential functions [KodS9].The least constraint framework was proposed [Pai89, Pai9l} to program robots with a highdegree of freedom in changing environments. In this framework, sensed and actuated variablesare related via a set of inequality or equality constraints, possibly changing over time. Constraints are satisfied at run time by a set of real-time constraint methods. This frameworkcan deal with redundancy and the partial specification of motion, at the same time supportingmodularity and parallelism.Some recent work on auction-based control [CR93] can be considered as constraint-basedcontrol with the objective as the minimization of standard deviation.To the best of our knowledge, there has been no research on formal requirements specificationfor control synthesis.CHAPTER 17. SUMMARY AND RELATED WORK 17217.2.2 Robotic architectureMuch work has been done on robot control structures. Our concept of a two-dimensionalinteraction hierarchy derives from the work done by Albus and Brooks.From the point of view of robotic systems design, Albus [Alb8l] studied the hierarchicalgoal-directed behavior and proposed the sensory-processing hierarchy. In this structure, high-level goals are decomposed through a succession of levels, each producing strings of more specificcommands to the next lower level. The bottom level generates the drive signals to the robot,such as joints and grippers. Each control level is a separate process with a limited scope ofresponsibility, independent of the details at other levels. Thus, such a structure provides afoundation for future modular, “plug compatible” hardware and software for robots and realtime sensory interactive control applications.Brooks [Bro86j proposed a robust layered control system for mobile robots, called the subsumption architecture, Unlike the traditional decomposition of a mobile robot control systeminto functional modules, Brooks decomposed a mobile robot control system into task-achievingbehaviors. Such a decomposition meets the requirements of multiple goals, multiple sensorsand robustness.Many real control systems use the concept of hierarchy. For example, Sahota and Mackworth[SM94] developed a hierarchical control structure for a soccer playing robot, with high levelbehavior bidding and path generation and low level path tracking. Zhao [Zha9l] developed asynthesis method for nonlinear control systems with high level path planning and navigationin phase spaces and low level path tracking using linear control.Nerode and Kohn [NK93b] proposed a multiple agent hybrid control architecture. The keycapabilities of the architecture are: reactive and adaptive mechanisms, distributed structureswith coordination, dynamic hierarchization, provable correctness and real-time response. Thecentral mechanism for providing these capabilities is an on-line restricted automated theoremprover associated with each agent. Extensibility and robustness are also considered in thisarchitecture. Some other work on hybrid control systems [GNRR93] has also been done recently.Part IVConclusions and Further Research173The greatest accomplishment seems unfinished,yet its applications are endless.The greatest fullness seems empty,yet its applications are never exhausted.— Tao Teh Ching, Lao TzuThe greatest conclusion seems stuttering,yet its implications are endless.The greatest future work seems crude,yet its fruits are never exhausted.— Zhang Ying174Chapter 18Conclusions and Further ResearchWe have taken an integrated approach to the design and analysis of robotic systems and behaviors by establishing a foundation for modeling, analyzing, specifying, verifying and synthesizingcomplex artifacts that interact with changing environments. We have developed a semantic model for hybrid dynamic systems, two languages for requirements specification, a formalmethod for behavior verification, and a systematic approach to control synthesis.In this chapter, we review what has been achieved in this research, and point out possibletopics for the future.18.1 ConclusionsWe have decomposed the problem of design and analysis into four phases: modeling, specification, synthesis and verification. We have developed formal methods for each individual phase,and the relationships among all the phases.First, we have developed a semantic model for hybrid dynamic systems, that we call Constraint Nets (CN). Based on abstract algebra and topology, we have represented both time anddomains in abstract forms, and uniformly formalized basic elements of dynamic systems in termsof traces and transductions. We have studied both primitive and event-driven transductions.CN is an abstraction and generalization of datafiow networks, while the behavior of a system(the semantics of a model) is formally obtained using the fixpoint theory of continuous algebra.In particular, CN models a dynamic system as a set of interconnected transductions, whilethe behavior of the system is the set of input/output traces of the system satisfying all therelationships imposed by the transductions. CN models a hybrid system using event-driventransductions, while the events are generated and synchronized within the system.175CHAPTER 18. CONCLUSIONS AND FURTHER RESEARCH 176The motivation for developing CN is for modeling hybrid dynamic systems. However, wehave shown that CN is as powerful as existing computational models so that both sequentialand analog computations can be modeled. In order to study system behaviors formally, wehave defined abstraction and equivalence of systems and behaviors using homomorphism andquotient algebra.Second, we have developed two languages, TLTL and timed V-automata, for requirementsspecification. TLTL is a linear temporal logic extended with real-time modal operators. TimedV-automata are nondeterministic finite state automata augmented with local and global timebounds. As with CN, both languages are defined on abstract time and domains.Third, we have developed a formal method, based on model checking and stability analysis,for behavior verification. This verification method is semi-automatic if the time structure isdiscrete, and is automatic, if, in addition, the domains are finite as well; the time complexityof the resulting verification algorithm is polynomial in both the size of the model and the sizeof the specification.Fourth, we have developed a systematic approach to control synthesis. In this approach,desired properties of behaviors are specified with various forms of constraints using timed Vautomata, such that the accepting automaton-states of the V-automata represent the neighborhoods of the solution set of the given constraints. Constraint-based control is then synthesizedas embedded constraint solvers that, together with the dynamics of the plant and the environment, solve the constraints on-line. For the purposes of both design and analysis, we advocatea two-dimensional hierarchical structure for control systems.As a whole, we have established a theoretical foundation for developing robotic systems andanalyzing robotic behaviors (Figure 18.1).PART IPART IIIMODELING REASONINGFigure 18.1: SummaryCHAPTER 18. CONCLUSIONS AND FURTHER RESEARCH 177The major contributions of this thesis are summarized as follows:• Constraint Nets for hybrid systems modeling and analysisCN possesses the essential properties of a desired model for robotic systems (modifiedfrom {LS9O]), namely:Real- Time: time is explicitly represented,Symmetrical: the dynamics of environments as well as the dynamics of plants andcontrol can be modeled,Hybrid: multiple time and domain structures are uniformly formalized,Hierarchical: multiple levels of abstraction are provided, andFormal: formal syntax and semantics are defined, and formal analysis is facilitated.• TLTL and timed V-automata for requirements specificationTLTL specifies discrete/continuous sequential/timed behaviors uniformly; timed V-automataprovide a simple alternative to TLTL, which is ifiuminating, and, in some cases, morepowerful.• a formal method for behavior verificationThis method applies to behaviors of hybrid systems in general, and is semi-automatic fordiscrete time systems and automatic for discrete time and finite domain systems.• constraint-based requirements specification and control synthesisThis approach proposes a general framework for control synthesis with a simple principle.Control synthesis and system verification are coupled via requirements specification.• an integrated approach to the design and analysis of robotic systems and behaviorsThis thesis decomposes the problems in the design and analysis of robotic systems andbehaviors, and focuses on the relationships among modeling, specification, synthesis andverification.CHAPTER 18. CONCLUSIONS AND FURTHER RESEARCH 17818.2 Further ResearchWe propose further research in both theory and practice.18.2.1 TheoryWe have proposed a foundation for the design and analysis of robotic systems and behaviors.There are more questions than answers; all we have done is to take the first step in a longjourney. Further work includes:• modeling and analyzing probabilistic and stochastic systems and behaviorsMany robotic systems cannot be modeled exactly, due to the lack of knowledge of, or tothe uncertainty in, the dynamics of the plant and the environment. It is important tomodel systems under uncertainty and to analyze their behaviors with probabilities.• more expressive specification languagesThere are behaviors that are not expressible using TLTL or timed V-automata, suchas maximizing global utilities and timed behaviors over intervals. Other specificationlanguages, with more expressive power and pertaining formal verification procedures, areyet to be explored. For example, we can extend time bounds on timed automaton-statesto both lower and upper bounds, while keeping the verification rules simple.• (semi-)automatic verification for special classes of hybrid systemThere are simple hybrid systems that have algorithmic verification [ACHH93]. More workalong this line can be done. For example, a finite automaton coupled to a linear continuoussystem is a special class of hybrid system that might have simpler verification procedures.• (semi-)automatic synthesis and analysis of controllers for special classes of systemFor finite domain systems, controllers can be synthesized automatically, though with ahigh complexity. For linear systems, stability can be analyzed semi-automatically. Morework along this line can be done. For example, it is possible to develop an algorithm thatcan (semi-)automatically synthesize and analyze a finite automaton that controls a linearcontinuous system.• more extensive study on behavior abstractionWe have provided the notion of behavior abstraction based on homomorphism. Othernotions of abstraction can be defined; for example, implication can be considered as aCHAPTER 18. CONCLUSIONS AND FURTHER RESEARCH 179type of abstraction where A —* B means B is an abstraction of A. (Under this definition,a requirements specification is an abstraction of the system model; a nondeterministicmodel is an abstraction of the deterministic system.) Given this notion of abstraction,the properties of behavior equivalence can be further studied.18.2.2 PracticeWe have already developed, based on our semantic model, a visual programming and simulationenvironment called ALERT: A Laboratory for Embedded Real-Time systems. Further workincludes:• a programming language with a real-time semanticsCN is an abstraction of datafiow models for hybrid systems, with abstract data types andabstract reference time. An instantiation of the data types and the reference time resultsin a programming language, which can be used for both modeling and programming(control). ALERT is such a language for modeling.• a specification and verification environment based on our methodsTimed V-automata have a graphical representation, which can be implemented on a graphical user interface. The formal verification method for discrete time systems can be implemented on an interactive theorem prover.• an integrated design and analysis environment for developing robotic systemsBoth CN and timed V-automata can be implemented on a graphical user interface, resulting in an integrated environment that facilitates both verification and simulation.• more extensive study on some real machines to uncover more design problemsThis thesis establishes a theoretical foundation for the problem of design and analysis,which, nevertheless, are abstracted from our experiences on real machines. Our researchalms, not to invent, but to understand, discover, formalize and solve new problems. Theguiding research principle is “from practice to theory, and from theory to practice.”Bibliography[AC87] P. E. Agre and D. Chapman. Pengi: An implementation of a theory of activity. InIJCA 1-87, pages 268—272, 1987.[AC88] P. E. Agre and D. Chapman. What are plans for? Technical Report A.I. Memo1050, MIT Al Lab, September 1988.[ACHH93] R. Alur, C. Courcoubetis, T. A. Henzinger, and P. Ho. Hybrid automata: Analgorithmic approach to the specification and verification of hybrid systems. In R. L.Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors, Hybrid Systems, number736 in Lecture Notes on Computer Science, pages 209 — 229. Springer-Verlag, 1993.[Ad81] H. Abelson and A. A. diSessa. Turtle Geometry: The Computer as a Medium forExploring Mathematics. MIT Press, 1981.[AD9O] R. Alur and D. Dill. Automata for modeling real-time systems. In M. S. Paterson,editor, ICALP9O: Automata, Languages and Programming, number 443 in LectureNotes on Computer Science, pages 322— 335. Springer-Verlag, 1990.[AD91I R. Alur and D. Dill. The theory of timed automata. In J.W. deBakker, C. Huizing,W.P. dePoever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number600 in Lecture Notes on Computer Science, pages 45 — 73. Springer-Verlag, 1991.[Agh85] G. A. Agha. Actor: A model of concurrent computation in distributed systems.Technical Report 844, MIT Al LAB, 1985.[Agm54] S. Agmon. The relaxation method for linear inequalities. Canadian Journal ofMathematics, 6:382—392, 1954.[AH89] R. Alur and T. A. Henzinger. A really temporal logic. In 30th Annual Symposiumon Foundations of Computer Science, pages 164— 169, 1989.180BIBLIOGRAPHY 181[A1b81] J. S. Albus. Brains, Behavior, and Robotics. BYTE Publications, 1981.[A1190] J. F. Allen. Towards a general theory of action and time. In James Allen, JamesHendler, and Austin Tate, editors, Readings in Planning, pages 464— 479. MorganKaufmann Publishers Inc., 1990.[Ash86] E. A. Ashcroft. Datafiow and eduction: Data-driven and demand-driven distributedcomputation. In J. W. deBakker, W.P. deRoever, and G. Rozenberg, editors, Current Trends in Concurrency, number 224 in Lecture Notes on Computer Science,pages 1— 50. Springer-Verlag, 1986.[At189] M. Atlevi. SDT a real-time CASE tool for the CCITT specification languageSDL. In FORTE, pages 9 — 13, 1989.[BC86] R. A. Brooks and J. H. Conuell. Asynchronous distributed control system for amobile robot. SPIE Mobile Robots, 727, 1986.[BCN88] R. A. Brooks, J. H. Connell, and Peter Ning. Herbert: A second generation mobilerobot. Technical report, MIT AT Lab, January 1988. A. I. Memo 1016.[BD89] M. Boddy and T. Dean. Solving time-dependent planning problems. In IJCA 1-89,pages 979— 984, 1989.[BD91J B. Berthomien and M. Diaz. Modeling and verification of time dependent systemsusing Time Petri Nets. IEEE Transactions on Software Engineering, 17(3):259—273, March 1991.[Bee9O] R. II. Beer. Intelligence as Adaptive Behavior: An Experiment in ComputationalNeuroethology. Academic Press, 1990.[BKP86] H. Barringer, R. Kuiper, and A. Pnueli. A really abstract concurrent model and itstemporal logic. In Thirteenth Annual ACM Symposium on Principles of Programming Languages, 1986.[BL9OJ A. Benveniste and P. LeGuernic. Hybrid dynamical systems theory and the SIGNALlanguage. IEEE Transactions on Automatic Control, 35(5):535— 546, May 1990.[Bod9l] M. Boddy. Anytime problem solving using dynamic programming. In AAAI-91,pages 738 — 743, 1991.BIBLIOGRAPHY 182[Bra84] V. Braitenberg. Vehicles: Experiments in Synthetic Psychology. MIT Press, 1984.[Bro86] R. A. Brooks. A robust layered control system for a mobile robot. IEEE Journalof Robotics and Automation, RA-2(1), March 1986.[Bro88] R. A. Brooks. A robot that walks; emergent behaviors from a carefully evolvednetwork, September 1988.[Bro9l] R. A. Brooks. Inteffigence without representation. Artificial Intelligence, 47(1— 3),January 1991.[BS87] J. A. Brzozowski and C. J. Seger. A characterization of ternary simulation of gatenetworks. IEEE Transactions on Computers, 36(11), November 1987.[CE82] Y. Censor and T. Elfving. New method for linear inequalities. Linear Algebra andIts Applications, 42:199—211, 1982.[CR93] S. H. Clearwater and B. A. Huberman. Thermal markets for controlling buildingenvironments. Technical report, Dynamics of Computation Group, Xerox Palo AltoResearch Center, September 1993.[Cha87] D. Chapman. Planning for conjunctive goals. Artificial Intelligence, 32:333—377,1987.[Cli81] W. D. Clinger. Foundations of actor semantics. Technical Report 633, MIT ATLAB, May 1981.[Con9O] J. Connell. A Colony Architecture for an Artificial Creature. Academic Press, 1990.[CPHP87] P. Caspi, D. Pilaud, N. Halbwachs, and J. A. Plaice. LUSTRE: A declarativelanguage for programming synchronous systems. In ACM Proceedings on Principlesof Programming Languages, pages 178— 188, 1987.[Cra86] J. J. Craig. Introduction to Robotics. Addison-Wesley Publishing Company, Inc.,1986.[CWG88] P. E. Caines, S. Wang, and R. Greiner. Dyllamical (default) logic observers forfinite automata. In Conference on Information Sciences and Systems, Princeton,March 1988.BIBLIOGRAPHY 183[dHdR9l] J.W. deBakker, C. Huizing, W.P. dePoever, and G. Rozenberg, editors. Real-Time:Theory in Practice. Number 600 in Lecture Notes on Computer Science. Springer-Verlag, 1991.[DW91] T. Dean and M. Weilman. Planning and Control. Morgan Kaufman, 1991.{E1m77j H. Elmqvist. SIMNON — an interactive simulation program for nonlinear systems.In Proc. of Simulation 77, 1977.[Eme9O] E. Emerson. Temporal and modal logic. In Jan Van Leeuwen, editor, Handbook ofTheoretical Computer Science, volume B: Formal Models and Semantics. Elsevier,MIT Press, 1990.[FF84j R. E. Filman and D. P. Friedman. Coordinated Computing: : Tools and Techniquesfor Distributed Software. McGraw-Hill Book Company, 1984.{FT89] I. Foster and S. Taylor. Strand: New Concepts in Parallel Programming. PrenticeHall, 1989.{Gem9O] M. C. Gemignani. Elementary Topology. Dover Publications, Inc., 1990.[GL87] M. P. Georgeff and A. L. Lansky. Reactive reasoning and planning. In AAAI-87,pages 677 — 682, 1987.[GN92] J. Guckenheimer and A. Nerode. Simulation for hybrid systems and nonlinearcontrol. In Proc. IEEE Conference on Decision and Control, pages 2980—2981,December 1992.[GNRR93] R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors. Hybrid Systems.Number 736 in Lecture Notes on Computer Science. Springer-Verlag, 1993.[Gor] M. Gordon. A formal method for hard real-time programming, manuscript.[Gor92j M. Gordon. Verifying real-time programs: A case study. In J. Bowen, editor,Towards Verified Systems. 1992. To appear.[GPR67] L. G. Gubin, B. T. Polyak, and E. V. Raik. The method of projections for finding the common point of convex sets. U.S.S.R. Computational Mathematics andMathematical Physics, pages 1—24, 1967.BIBLIOGRAPHY 184[Ha190j R. Hale. Using temporal logic for prototyping: The design of a lift controller. InH.S.M. Zedan, editor, Real-Time Systems, Theory and Applications. Elsvier SciencePublishers B.V. (North-Holland), 1990.[Hen88] M. Hennessy. Algebraic Theory of Processes. MIT Press, 1988.[Hew88] C. Hewitt. Offices are open systems. In B.A. Huberman, editor, The Ecology ofComputation. Elsevier Science Publisher B .V. (North-Holland), 1988.[Hew9l] C. Hewitt. Open information systems semantics for DAI. Artificial Intelligence,47(1 — 3), January 1991.[HMP91a] T. A. Henzinger, Z. Marina, and A. Pnueli. Temporal proof methodologies. InProceedings of the 18th Annual ACM Symposium on Principles of ProgrammingLanguages, 1991.[HMP91b] T. A. Henzinger, Z. Manna, and A. Pnueli. Timed transition systems. In J.W.deBakker, C. Huizing, W.P. dePoever, and G. Rozenberg, editors, Real-Time: Theory in Practice, number 600 in Lecture Notes on Computer Science, pages 226—251.Springer-Verlag, 1991.[Hoa85] C.A.R. Hoare. Communicating Sequential Processes. Pretice-Hall, 1985.[Ho182] W. M. L. Holcombe. Algebraic Automata Theory. Cambridge University Press,1982.[HP85] D. Harel and A. Pnueli. On the development of reactive system. In K.R. Apt, editor,Logics and Models of Concurrent Systems. Springer-Verlag Beliui Heidelberg, 1985.[Hub88] B. A. Huberman. The ecology of computation. In B. A. Huberman, editor, TheEcology of Computation. Elsevier Science Publishers B.V.(North-Holland), 1988.[Huh87] M. N. Huhns, editor. Distributed Artificial Intelligence. Research Notes in ArtificialInteffigence. Pitman, London, 1987.[HZ91] M. R. Hansen and C. Zhou. Semantics and completeness of duration calculus. InJ.W. deBakker, C. Huizing, W.P. dePoever, and G. Rozenberg, editors, Real-Time:Theory in Practice, number 600 in Lecture Notes on Computer Science, pages 209— 225. Springer-Verlag, 1991.BIBLIOGRAPHY 185[Inca] Integrated Systems Inc. AutoCode User’s Guide.[Incb] Integrated Systems Inc. SystemBuild User’s Guide.[mcd The MathWorks Inc. Similink User’s Guide.[JLHM91] M. S. Jaffe, N. G. Leveson, M. P. E. Heimdahl, and B. E. Meihart. Softwarerequirements analysis for real-time process-control systems. IEEE Transactions onSoftware Engineering, 17(3):241— 257, March 1991.[Kah74] G. Kahn. The semantics of a simple language for parallel processing. In Proceedingsof IFIP Congress 74, pages 471 — 475, 1974.[Kha86] 0. Khatib. Real-time obstacle avoidance for manipulators and mobile robots. TheInternational Journal of Robotics Research, 5(1):90— 99, 1986.[Khi6l] G. F. Khilmi. Qualitative Methods in the Many Body Problem. Science PublishersInc. New York, 1961.[KM88] K. M. Kahn and M. S. Miller. Language design and open systems. In B. A. Huberman, editor, The Ecology of Computation. Elsevier Science Publishers B.V.(NorthHolland), 1988.[Kod89] D. E. Koditschek. Robot planning and control via potential functions. In J. Craig0. Khatib and T. Lozano-Perez, editors, The Robotic Review 1. MIT Press, 1989.[LA89] D. M. Lyons and M. A. Arbib. A formal model of computation for sensory-basedrobotics. IEEE Transactions on Robotics and Automation, 5(3):280— 293, June1989.[Lam9l] L. Lamport. The temporal logic of actions. Technical Report 79, Digital SystemsResearch Center, Palo Alto, California, December 1991.[Lam93] L. Lamport. Hybrid systems in tla+. In R. L. Grossman, A. Nerode, A. P. Ravn,and H. Rischel, editors, Hybrid Systems, number 736 in Lecture Notes on ComputerScience, pages 77 — 102. Springer-Verlag, 1993.[Lat9l] J. C. Latombe. Robot Motion Planning. Kluwer Academic Publishers, 1991.BIBLIOGRAPHY 186[LD89] Y.K.H. Lau and R.W. Daniel. A csp model for distributed control software design. Technical Report OUEL 1789/89, Robotics Research Group, Department ofEngineering Science, University of Oxford, 1989.[LP85] 0. Lichtenstein and A. Pnueli. Checking that finit-state concurrent programs satisfytheir linear specification. In Proc. 12th Ann. ACM Sym. on Principles of Programming Languages, pages 97 — 107, 1985.[LS9O] J. Lavignon and Y. Shoham. Temporal automata. Technical Report STAN-CS-90-1325, Robotics Laboratory, Computer Science Department, Stanford University,Stanford, CA 94305, 1990.[Lue79] D. G. Luenberger. Introduction to Dynamic Systems: Theory, Models and Applications. John Wiley & Sons, 1979.{MA86] E. G. Manes and M. A. Arbib. Algebraic Approaches to Program Semantics.Springer-Verlag, 1986.[Mae89] P. Maes. The dynamics of action selection. In IJCA 1-89, Detroit, 1989.[McD9O] D. McDermott. A temporal logic for reasoning about processes and plans. In JamesAllen, James Hendler, and Austin Tate, editors, Readings in Planning, pages 436 —463. Morgan Kaufmann Publishers Inc., 1990.[McM92J Kenneth L. McMillan. Symbolic model checking. Technical Report CMU-CS-92-131,Department of Computer Science, Carnegie Mellon, 1992.[Mea55] G. H. Mealy. A method for synthesizing sequential circuits. Bell Sys. Tech. Journal,34:1045— 1079, 1955.{MH69] J. McCarthy and P.J. Hayes. Some philosophical problems from the standpoint ofartificial inteffigence. In B. Meltzer and D. Micliie, editors, Machine Intelligence 4,pages 463—502. Edinburgh University Press, 1969.{Mi183] R. Milner. Calculi for synchrony and asynchrony. Theoretical Computer Science,25:267— 310, 1983.[Min86] M. Minsky. The Society of the Mind. Simon and Schuster, New York, 1986.BIBLIOGRAPHY 187{MM79] G. Milne and R. Mimer. Concurrent processes and their syntax. JACM, (2):302—321, April 1979.[MMP91] 0. Maler, Z. Manna, and A. Pnueli. From timed to hybrid systems. In J.W. deBakker, C. Huizing, W.P. dePoever, and G. Rozenberg, editors, Real-Time: Theoryin Practice, number 600 in Lecture Notes on Computer Science, pages 448 — 484Springer-Verlag, 1991.{MMT91] M. Merritt, F. Modugno, and M.R. Tuttle. Time-constrained automata. In J.C.M.Baeten and J.F. Groote, editors, CONCUR-91, number 527 in Lecture Notes onComputer Science, pages 393— 407. Springer-Verlag, 1991.[Moo56j E. F. Moore. Gedanken-experiments on sequential machines. In C.E. Shannon andJ. McCarthy, editors, Automata Studies. Princeton University Press, 1956.{Mos85] B. Moszkowski. A temporal logic for multilevel reasoning about hardware. Computer, 18(2), February 1985.[MP71] R. McNaughton and S. Papert. Counter-Free Automata. MIT Press, 1971.[MP87] Z. Manna and A. Pnueli. Specification and verification of concurrent programsby V-automata. In Proc. 14th Ann. ACM Symp. on Principles of ProgrammingLanguages, pages 1—12, 1987.[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems.Springer-Verlag, 1992.[MT75) M. D. Mesarovic and Y. Takahara. General Systems Theory: Mathematical Foundations. Academic Press, 1975.[MT9O] F. Moller and C. Tofts. A temporal calculus of communicating systems. In J.C.M.Baeten and J.W. Kiop, editors, CONCUR-90, number 458 in Lecture Notes onComputer Science, pages 401— 415. Springer-Verlag, 1990.[MT91] F. Moller and C. Tofts. Relating processes with respect to speed. In J.C.M. Baetenand J.F. Groote, editors, CONCUR-91, number 527 in Lecture Notes on ComputerScience. Springer-Verlag, 1991.BIBLIOGRAPHY 188[Ni189] N. Nilsson. Action networks. In J. Tenenberg et. al, editor, Proceedings from theRochester Planning workshop: From Formal System to Practical Systems, Universityof Rochester, New York, 1989.[NK93a] A. Nerode and W. Kohn. Models for hybrid systems: Automata, topologies, controllability, observability. In R. L. Grossman, A. Nerode, A. P. Ravn, and H. Rischel,editors, Hybrid Systems, number 736 in Lecture Notes on Computer Science, pages317— 356. Springer-Verlag, 1993.[NK93b] A. Nerode and W. Kohn. Multiple agent hybrid control architecture. In R. L.Grossman, A. Nerode, A. P. Ravn, and H. Rischel, editors, Hybrid Systems, number736 in Lecture Notes on Computer Science. Springer-Verlag, 1993.[NS91] X. Nicoffin and J. Sifakis. From ATP to timed graphs and hybrid systems. InJ.W. deBakker, C. Huizing, W.P. dePoever, and G. Rozenberg, editors, Real-Time:Theory in Practice, number 600 in Lecture Notes on Computer Science, pages 549— 572. Springer-Verlag, 1991.[0st89] J. S. Ostroff. Temporal Logic For Real-Time Systems. John Wiley Sons Inc.,1989.[Pai89] D. K. Pai. Programming parallel distributed control for complex systems. In IEEEInternational Symposium on Intelligent Control, pages 426— 432, 1989.[Pai9l] D. K. Pai. Least constraint: A framework for the control of complex mechanicalsystems. In Proceedings of American Control Conference, pages 426 — 432, Boston,1991.{Pet8l] J. L. Peterson. Petri-Net Theory and the Modeling of Systems. Prentice-Hail, Inc.,Englewood Cliffs, 1981.[Pet86] C. A. Petri. “Forgotten topics” of net theory. In W. Brauer, W. Reisig, andC. Rozenberg, editors, Petri Nets: Applications and Relationships to Other Modelsof Concurrency, number 255 in Lecture Notes on Computer Science, pages 500 —514. Springer-Verlag, 1986.[P1a89] J. Platt. Constraint methods for neural networks and computer graphics. Technical Report Caltech-CS-TR-89-07, Department of Computer Science, CaliforniaInstitute of Technology, 1989.BIBLIOGRAPHY 189[QAF89] J. Quemada, A. Azcorra, and D. Frutos. A timed calulus for lotos. In FORTE89,pages 245 — 263, 1989.[Qi94] R. Qi. Decision graphs: Algorithms and applications to influence diagram evaluationand high-level path planning under uncertainty, 1994. Ph.D. thesis, forthcoming.[RK87] S. J. Rosenschein and L. P. Kaelbling. The synthesis of digital machines with provable epistemic properties. Technical Report Technical Note 412, SRI International,April 1987.[RK89} S. J. Rosenschein and L. P. Kaelbling. Integrating planning and reactive control,1989.[RM86] D. E. Rumelhart and J. L. McClelland, editors. Parallel Distributed Processing—Exploration in the Microstructure of Cognition. MIT Press, 1986.[Ros85] R. Rosen, editor. Theoretical Biology and Complexity. Academic Press, Inc., 1985.[Ros89] S. J. Rosenschein. Synthesizing information—tracking automata from environmentdescription. In First International Conference on Reasoning and Knowledge Representation, Toronoto, pages 386— 393, 1989.[Roy88] H. L. Royden. Real Analysis, 3rd edition. Macmillan Publishing Company, 1988.[San9O] J. T. Sandfur. Discrete Dynamical Systems: Theory and Applications. ClarendonPress, 1990.[Sar891 V. Saraswat. Concurrent constraint programming languages. Technical report,Computer Science Department, Carnegie—Mellon University, 1989. Ph. D. thesis.[Sch87] M. J. Schoppers. Universal plans for reactive robots in unpredictable environments.In IJCA 1-87, pages 1039—1046, 1987.[Sch9l] M. Schoppers, editor. Communications of ACM. ACM, August 1991. SpecialSection on Real-Time Knowledge-Based Control Systems.[SDLS9OI N. Sepehri, G.A.M. Dumont, P.D. Lawrence, and F. Sassani. Cascade control ofhydraulically actuated manipulators. Robotica, 8:207— 216, 1990.[Sha4l] C. E. Shannon. Mathematical theory of the differential analyzer. Journal of Mathematics and Physics, 20:337— 354, 1941.BIBLIOGRAPHY 190[Sha87] E. Shapiro, editor. Concurrent Prolog. MIT press, 1987.[Sho87] Y. Shoham. Temporal logics in ai: Semantical and ontological considerations. Artificial Intelligence, 33:89—104, 1987.[Sho88] Y. Shoham. Reasoning about Change. MIT Press, 1988.[Shu88] N. C. Shu. Visual Programming. Van Nostrand Reinhold Company Inc., 1988.[SJG94] V. Saraswat, R. Jagadeesan, and V. Gupta. Programming in timed concurrentconstraint languages. In B. Mayoh, E. Tyugu, and J. Penjam, editors, ConstraintProgramming, NATO Advanced Science Institute Series, Series F: Computer AndSystem Sciences. 1994.[SM94] M. Sahota and A. K. Mackworth. Can the situated robot play soccer. In 199Canadian Artificial Intelligence, Banff, Alberta, May 1994.[Ste8O] Jr. G. L. Steele. The definition and implementation of a computer programminglanguage based on constraints. Technical Report AI-TR-595, MIT Al Lab, August1980.{Sut89] I. E. Sutherland. Micropipeline. Communication of ACM, 32(6):720— 738, June1989.[Tay92] J. H. Taylor. Software requirements specification for modeling design, development,and evaluation of distributed, hybrid, inteffigent contol. Technical. report, OdysseyResearch Associates, Ithaca, NY, April 1992.[Tho9Ol W. Thomas. Automata on infinite objects. In Jan Van Leeuwen, editor, Handbookof Theoretical Computer Science. MIT Press, 1990.[Vic89) S. Vickers. Topology via Logic. Cambridge University Press, 1989.[War72] J. Warga. Optimal Control of Differential and Functional Equations. AcademicPress, 1972.[Wd90] D. S. Weld and J. deKleer, editors. Qualitative Reasoning About Physical Systems.Morgan Kaufmann Publishers, Inc., 1990.BIBLIOGRAPHY 191[Wil9lj B. C. Wiffiams. A theory of interactions: Unifying qualitative and quantitive algebraic reasoning: Extended report. Technical Report P91-00127, SSL-91-03, PaloAlto Research Center, 1991.[Wol83] P. Wolper. Temporal logic can be more expressive. Information and Control, 56:72— 99, 1983.[Yas7l] A. Yasuhara. Recursive Function Theory and Logic. Academic Press, 1971.[YM] K. Yang and K. G. Murty. New iterative methods for linear inequalities. Unpublished.[Zha89] Y. Zhang. Transputer-based behavioral module for multi-sensory robot control. InMike Reeve and Steven Ericsson Zenith, editors, Parallel Processing and ArtificialIntelligence, Communication Process Architecture. Wiley, 1989.[Zha9O] Y. Zhang. Object oriented modeling for sensor-guided real-time robot control. InAlan S. Wagner, editor, Transputer Research and Applications 3. lOS Press, 1990.[Zha9l] F. Zhao. Phase space navigator: Towards automating control synthesis in phasespaces for nonlinear control systems. In Proc. of the 3rd IFAC International workshop on Artificial Intelligence in Real Time Control. Pergamon Press, 1991.[ZM92] Y. Zhang and A. K. Mackworth. Modeling behavioral dynamics in discrete roboticsystems with logical concurrent objects. In S.G. Tzafestas and J.C. Gentina, editors,Robotics and Flexible Manufacturing Systems. Elsevier Science Publishers B.V.,1992.[ZM93a] Y. Zhang and A. K. Mackworth. Constraint programming in constraint nets. InFirst Workshop on Principles and Practice of Constraint Programming, pages 303—312, 1993. A revised version will appear in a book with the same title in MIT Press,1995.[ZM93b] Y. Zhang and A. K. Mackworth. Parallel and distributed constraint satisfaction:Complexity, algorithms and experiments. In Laveen N. Kanal, editor, Parallel Processing for Artificial Intelligence. Elsevier/North Holland, 1993.[ZM94] Y. Zhang and A. K. Mackworth. Will the robot do the right thing? In Proc.Artificial Intelligence 9, pages 255 — 262, Banif, Alberta, May 1994.Part VAppendixes192Appendix AProofs of TheoremsIn this appendix, we prove all the propositions and theorems in this thesis.A.1 Topological Structure of DynamicsProposition 3.1.1 For any topology on X, X and 0 are both open and closed.Proof: X (0) is closed since 0 (X) is open. JProposition 3.1.2 (1) A subset is closed if it includes all its limit points. (2) A topologyis trivial if every point x is a limit point of any subset with elements distinct from x. A topology is discrete if no point is a limit point of any subset.Proof: (1) If a subset S of X is closed, X— S is open and there is no point in X— S that is alimit point of S. If there is no point in X— S that is a limit point of 5, S is closed, since if Sis not closed, X— S is not open. If X— S is not open, there is at least one point in X— S thatis a limit point of 5, otherwise every point in X— S has a neighborhood in X— 5, thus X— Sis open.(2) If a topology is trivial, any point has only one neighborhood, the total set. If everypoint x is a limit point of any subset with elements distinct from x, the topology is trivial sinceotherwise there is an open set S C X and no point in S is a limit point of X— 5, contradiction.If a topology is discrete, any point is a neighborhood of itself, thus cannot be a limit point ofany subset. If no point is a limit point of any subset, the topology is discrete since otherwisethere is a point that is not open, which is a limit point of the total set, contradiction. 0Proposition 3.1.3 A topological space is connected if the only sets that are both open andclosed are the empty set and the total set.193APPENDIX A. PROOFS OF THEOREMS 194Proof: If there is 0 C X’ C X that is both open and closed, both X’ and X — X’ are non-emptyopen sets. Therefore, X is separated. 0Proposition 3.1.4 (1) Continuous functions are closed under functional composition. (2)A function f : X —* X’ is continuous, if x E X is a limit point of S C X implies that f(x) isa point or a limit point of f(S) = {f(x)Ix e S}.Proof: The first property is deduced directly from the definition of continuous functions. Thesecond property is deduced from an equivalent definition of continuous functions, i.e., a functionis continuous if the inverse image of any closed subset is closed, and from the property that aclosed subset includes all its limit points. 0Proposition 3.1.5 Let(X,r) be a topological space, X’ C X andr’ = {WW X’nU,U E r}.The collection r’ is a topology on X’.Proof: Deduced from the definition of topology. 0Proposition 3.1.6 Let {X}j be a family of topological spaces and J be an arbitrary index set. Then (xiX3)= x1X’.Proof: xj(xjX) and Xi(xjX3)are isomorphic. 0Proposition 3.1.7 A flat partial order is a cpo.Proof: LA is the least element and every directed subset is a chain with a greatest element. 0Proposition 3.1.8 The product of cpos is a cpo. Let A x1A. The least element of Ais ±A with (IA)1 =!A,Vi el. Let D be a directed subset of A. The least upper bound of D isVA D with (VA D), = VA D,Vi E I, where D is the projection of D onto its ith component,i.e., D = llD.Proof: According to the definition of least elements and least upper bounds. 0Proposition 3.1.9 The partial order topology of a non-trivial partial order is non-HausdorffProof: For any a <A a’, every neighborhood of a includes a’. 0Proposition 3.1.10 Any continuous function is monotonic, i.e., if f : A —* A’ is continuous, then a1 A a2 implies f(ai) A’ f(a2).APPENDIX A. PROOFS OF THEOREMS 195Proof: Suppose f(ai) A’ f(a2), there is an open set S ç A’ including f(ai) but not f(a2).Therefore, f(S) ç A is an open set including a1 but not a2. So a1 a2. 0Proposition 3.1.11 Let A and A’ be two cpos. Then f : A — A’ is continuous if for every directed subset D ç A,1. f(D) = {f(d)Id E D} is directed and. f(VA D) = VA’ f(D).Proof: The only if part: If f is continuous, f is monotonic (Proposition 3.1.10). Therefore, if dis an upper bound of d1 and d2, f(d) is an upper bound of f(d1) and f(d2). Therefore, if D isdirected, then f(D) is directed and f(\/A D) A’ VA’ f(D). We now prove that f(VA D) A’VA’ f(D). If f(V D) A’ VA’ f(D), there is an open set S ç A’ including f(VA D) butnot VA’ f(D). Therefore, f(S) C A is an open set including VA D but not any d E D,contradicting to the definition of open sets in partial order topologies.The if part: If conditions (1) and (2) are satisfied, f is moiiotonic. Therefore, for any upwardclosed set 5, f’(S) is also upward closed. Since f(VA B) = VA’ f(D), if S is inaccessible fromany directed subset f(D), then f—1(S) is inaccessible from any directed subset B. Therefore,f is continuous since for any open set S, f’(S) is open. 0Proposition 3.1.12 Metric topologies are Hausdorff.Proof: Given any two elements x, x’ with 1 = d(x, x’), N1/2(x) flN1/2(x’) = 0. 0Proposition 3.1.13 If X is of a Hausdorff topology and v : L — X is a linear set of values, then v —* v and v —* v imply v = v.Proof: If v v, There exist N(v’) and N(v) such that N(v) fl N(v) = 0. Since v —*and v —÷ v, there is l, for all 1 L 1, v(l) E N(v) fl N(v), contradiction. 0Proposition 3.1.14 If xiX is of the product topology and v : L —* x1X is a linear setof values, then v —* v” if v — v for all i E I.Proof: If v —* v, then v —* v for all i E I since for every neighborhood in the subbasis,Ni(v*)= {xiVjfor all j i,Vj = X3}, there is l, for all I L 10, v(l) e N(v*). If v —+ v forall i e I, then v —> v since every neighborhood N(v*) is the union of a set of neighborhood inthe basis and for every neighborhood in the basis NJ(v*)= {xjVIfor all i J,V, = X} withAPPENDIX A. PROOFS OF THEOREMS 196a finite subset J c I, there is to, for all 1 >L 10, v(l) é N(v*). UProposition 3.2.1 (1) For any time structure T, if T C T has an upper bound in T, Thas a least upper bound in T.(2) The following properties for a time structure are equivalent:(a) T is discrete.(b) Let (t1,2) = {tIti < t < t2}. For all t, if t is not the least element of T, then t’ < t,denoted pre(t), such that (t’, t) = 0, and for all t, if t is not the greatest element of T,then 3t’ > t, denoted s’uc(t), such that (t, t’) = 0.(c) T is well-founded, i.e., Vt E T, [0, t) is finite.(3) The following properties for a time structure are equivalent:(a) T is continuous.(b) T is dense, i.e., for all t1 < t2, there exists to such that t1 < to < t2.Proof: (1) For any T C Twith an upper bound t e T,let r = inf{m(t)It is an upper bound of T}.Since T is a time structure, {tlm(t) r} has a greatest element to. Since T C {tlm(t) < r}, tois the least upper bound of T.(2) (a) —* (b): For any t, t is not the least element ofT, let r = sup{m(t’)It’ < t}. Since T isa time structure, {t’Im(t’) < r} has a greatest element, denoted t0. Since T is discrete, to < t.However, (to, t) = 0. For any t, t is not the greatest element of T, let r inf{m(t’)It’ > t}.Since T is a time structure, {t’Im(t’) > T} has a least element, denoted to. Since ‘T is discrete,to > t. However, (t,to) = 0.(b) —* (a): Every point has a neighborhood including no other points but itself. So everypoint is an open (or closed) set. Therefore, ‘T is of discrete metric topology.(b) —* (c): If T is not well-founded, there is t e T, [0, t) is infinite. Therefore, T ={suc(O)In E .iV} C [O,t) C T. According to (1), to = VT e T. However there is no t < tosuch that (t, to) = 0, contradiction.(c) —* (b): For any t > 0, there exists t’ < t, (t’,t) = 0 since [0,t) is finite. For any t, t isnot the greatest element, there exists t’ > t, (t, t’) = 0 since otherwise for any t’ > t, [0, t’) isinfinite.APPENDIX A. PROOFS OF THEOREMS 197(3) (a) — (b) (Not Dense —* Not Continuous): If T is not dense, there exist t and t2 suchthat (ti, t2) = 0. Then T is separated (or not continuous) since T is the union of two disjoint,non-empty open sets {tlm(t) < m(t1)+d(t1,t2)/2)} and {tlm(t) > m(t2)— d(t1,t2)/2}.(b) —* (a) (Not Continuous—+ Not Dense): If T is not continuous, T is the union oftwo disjoint, non-empty open (or closed) sets T1 and T2. Let r1 = sup{m(t)It e T1} andT2 = inf{m(t)It E T2}. Since T is a time structure, {tlm(t) < Ti} has a greatest element t1and {tlm(t) > 2} has a least element t2. Since T1 and T2 are closed, t1 E T1 and t2 E T2.Therefore, (ti,t2) = 0. DProposition 3.2.2 If To is a reference time of T1 and Ti is a reference time of 7, thenT0 is a reference time of T2.Proof: According to the definition of a reference time structure. DProposition 3.3.1 {±A} is not r-open. The only neighborhood of LA is A.Proof: According to the definition of topology. DProposition 3.3.2 For any domain, its partial order topology is finer than its derived metrictopology, and both are non-Hausdorff.Proof: Trivial. UProposition 3.3.3 (1) Function f : A —* A’ is continuous in the partial order topology iff is strict or constant. (2) If f: A —* A’ is continuous in the derived metric topology, then f iscontinuous in the partial order topology. (3) Function f : A —÷ A7 is continuous in the derivedmetric topology if f is continuous in the partial order topology and the restriction of f on Aand A’ is continuous in the metric topology, namely, for any open subset S of A’, f (5) n Ais open.Proof: (1) If f is strict or a constant, f is continuous. If f is continuous and f is not strict, fis constant since ±A< a implies that f(±A) = f(a) for any a if f(±A) --A’(2) If f is continuous in the derived metric topology, f is strict or constant, since ‘A is alimit point of any {a} and f(±A) is a point or a limit point of {f(a)}.(3) If f is strict or constant, and the restriction off on A and A’ is continuous in the metrictopology, then f is continuous in the derived metric topology, since for any open set S of A7,f’(S) is open. If f is continuous in the derived metric topology, f is strict or constant, sinceAPPENDIX A. PROOFS OF THEOREMS 198in either case, the restriction of f on A and A’ must also be continuous. 0Proposition 3.3.4 Let I be a finite index set. (1) Function f : xjA: —* A is continuousin the partial order topology if f is continuous w.r.t. all i e I. (2) If f : xjA —+ A iscontinuous in the derived metric topology, then f is continuous in the partial order topology.(3) Function f : x iJ4 — is continuous in the derived metric topology if f is continuous inthe partial order topology and the restriction off on x1A and A is continuous in the productmetric topology, namely, for any open subset S of A, f(S) fl xA is open.Proof: (1) Let I = {1, 2}. If a function f : A1 x A2 —* A is continuous, it is right continuous since VA f(a, D) = f(a, VA2 D). Similarly, it is left continuous. On the other hand, if fis both left and right coiltinuous, f(VA, xA2 D) = .f(VA, D1,VA2 D2) VA f(T)1,VA2 D2)VA f(D1,D2) = V f(D) (Hen88]). I can be extended to any finite index set.(2) If f : x1A —* T is continuous in the derived metric topology, f is continuous in thederived metric space w.r.t. any argument i E I, f is continuous in the partial order w.r.t. anyargument i e I (Proposition 3.3.3 (2)), f is continuous in the partial order (Proposition 3.3.4(1)).(3) If f is strict or constant, and the restriction of f on x1A and A is continuous in themetric topology, f is continuous in the derived metric topology, since for any open set S of A,f’(S) is open.If f is continuous in the derived metric topology, f is strict or constant w.r.t. argument ifor all i E I. In either case, the restriction of f on x1A, and A must also be continuous, sincefor any open set S of A, either f(S) C xA or the projection onto the i-th argument is Ajfor any i. Therefore, f(S) fl xiA,, is open. 0Proposition 3.4.1 Let v : L —* A be a linear set of values. Then(1) v—*±A, and(2) v —* v and v —÷ v imply that either v = v or one of v and v is.LA.Proof: (1) The only neighborhood of A is A. Therefore, v(l) e N(±A) for all 1. (2) If vthen one of them must be ±A, since the metric topology is Hausdorif with unique limits (Proposition 3.1.12, Proposition 3.1.13). 0Proposition 3.4.2 Let v : L —* A for A = x1A. Then(1) v —* v iffv —+ v for alli el, andAPPENDIX A. PROOFS OF THEOREMS 199(2) the set of limits {v*Iv v} is a directed subset in (A, A) and has a greatest element.Proof: (1) follows from Proposition 3.1.14. (2) If v : L — A, then {v*Iv —÷ v*} has a greatestelement. If the set of limits of v : L —* A has a greatest element v,, then the set of limits ofv : L — x1A has a greatest element vK with (v*) v for all i E I. 0Proposition 3.4.3 Let v : L — A for A x1A. Then (limv) = limv1,Vi El.Proof: (VA D) = VA, D where D: = llD.Proposition 3.4.4 Ifv1,v2 : L —* A and v1(l) A v2(l) for alll E L, then limv1 A limv2.Proof: If A is fiat, v J-A implies that v J-A. If A is a product, lim v <_A lim v,. Therefore, limv A limv. 0Proposition 3.4.5 For any time structure T, T<j_T has a greatest element whenever m(t) > T.Proof: (1) T<_ = {t’It’ < t, d(t, t’) r} = {t’It’ < t, m(t’) m(t) — r} = {t’Im(t’) < m(t) — T}since r > 0. If m(t) T, then 0 m(t) — r < sup m(T). Since T is a time structure, T<_has a greatest element. 0Proposition 3.4.6 Let V : L —* AT for a linear order L and a trace space AT. Then(1) V —* V” iffV(t) V(t) for ailt E T, and(2) the set of limits {V*IV V’} is a directed subset in (AT, AT) and has a greatestelement.Proof: Similar to the proof of Proposition 3.4.2. 0Proposition 3.4.7 Let V : L — AT. Then (limV)(t) = limV(t),Vt E T.Proof: Similar to the proof of Proposition 3.4.3. 0Proposition 3.4.8 For any time structure T and any event trace e, (T,de,ie) is a discretesample time structure of T.Proof: For any te E T and 0 < T < supm(7), let Te = {tIm(t) < r,t E 2} andT = UtETJtIt t}. If T has no greatest element, T has no greatest element. Furthermore, e(T) is not defined, otherwise to E T,e is constant on {t > to,t E T} and to wouldbe an upper bound of Te in Te. However, if e(T) is not defined, there will be no te E 7 withm(te) > r, since e is noninterrnittent. Therefore, for any te E T, and 0 r < sup m(T),APPENDIX A. PROOFS OF THEOREMS 200Te {tIm(t) T,t E 7} has a greatest element.For any te E Te and 0 T < sup m(Te), let Te— {tIm(t) 7-,t’6 e 7} and T =UtleETe{tlt t’e}. Let T = inf{m(t)It T} and to be the least element of {tlm(t) r’}. IfTe has no least element, e(to) is not defined since e is right-continuous. However, since e isalso non-intermittent, e(t) is not defined Vt > to, contradiction. Therefore, for any te E 7 and0< T < sup m(Te), T = {tjm(t) r,t e 7} has a least element.Therefore, Te is a time structure.For any te E ‘Te, te > 0, let pre(te) = {tIt, < te,t E 7} and T = UtEpre(te){tIt < t’}. Ifpre(te) has no greatest element, T has no greatest element. Furthermore, e(T) is not defined,otherwise to E T, e is constant on {tlt> to, t E T} and to would be an upper bound of pre(te)in 7. However, if e(T) is not defined, e(te) will not be defined since e is nonintermittent.Therefore, pre(te) has a greatest element.For any te E e, t is not the greatest element of ‘J, let SuC(te) = {tIt > te,t e 7} andT = UtESUC(t){tIt t}. Let T = inf{m(t)It e T} and to be the least element of {tlm(t) r}.If suc(t) has no least element, e(to) is not defined since e is right-continuous. However, sincee is also non-intermittent, e(t) is not defined Vt > to, contradiction. Therefore, .sUC(te) has aleast element.Therefore 7 is discrete. 0Proposition 3.6.1 The partial order of a domain is a cpo.Proof: A flat partial order is a cpo. The product partial order of cpos is a cpo. 0Proposition 3.6.2 The partial order of a trace space is a cpo.Proof: The product partial order of cpos is a cpo. 0Proposition 3.6.3 The partial order of an event space is a cpo.Proof: We first prove that the subpartial order with the set of nonintermittent and right-continuous traces of a trace space is a cpo.Let v c T be the set of nonintermittent and right-continuous traces on a simple domain.The least element in V is ?t. ±A. The least upper bound of a directed subset D of V isVv D = At. VD(t), which is also in V for the following reasons: First, according to Proposition3.4.4, (Vv D)(T) VD(T), if (Vv D)(T) is -LA, d(T) is ..LA for all d E D. Second, for anyt é T, if (Vv D)(t) -LA, (Vv D) is right-continuous at t; if (Vv D)(t) = a E A, there is d E D,APPENDIX A. PROOFS OF THEOREMS 201d(t) = a. Since d is right-continuous at t, (Vv D) is right-continuous at t.Because of the composite properties of nonintermittent traces and limits, nonintermitteiitand right-continuous traces are closed under least upper bounds for traces on composite domainsas well.Therefore, the partial order of an event space is a cpo. CProposition 3.6.4 A transliteration fT : AT —* A!T on any time structure T is coritinuous if f: A —+ A’ is continuous.Proof: Let D AT be directed, and v’ be the least upper bound of D. We will prove thatfT(VAT D) = VAIT fT(D), i.e., for any t, fT(v*)(t) = (VA,T fT(D))(t).fr(v*)(t) = f(v*(t))= f(V{v(t)I e D})A= V{f(v(t))Iv D} since f is continuousA’= V{fT(v)(t)Iv E D} V fT(D)(t).A’ AfTCProposition 3.6.5 A unit delay on any discrete time structure is continuous.Proof: Let D c AT be directed and v be the least upper bound of D. Since T is discrete,pre(t) has a greatest element, which is denoted by pre(t).Af I vO if t = 0TVOAV Jt)=v*(pre(t))= VA{v(pre(t))Iv D} otherwise= V{4(vo)(v)(t)Iv E D}A= (V (vo)(D))(t).ATCProposition 3.6.6 A transport delay is continuous.Proof: Similar to the proof of Proposition 3.6.5. Since T is a time structure, for any r > 0,t — r has a greatest element when m(t)> T. CProposition 3.6.7 An event-driven transduction F° is continuous if its primitive transductionF on any discrete time structure is continuous.APPENDIX A. PROOFS OF THEOREMS 202Proof: First, we prove sampling and extending are continuous. Let T be a time structure and Trbe a reference time structure of T with a reference time mapping h. Sampling is a transductionST,Tr : ATT —* AT. We prove that it is continuous.Let D c ATr be directed and v be the least upper bound of D. Let i be ST,TT(V).(t) = v*(h(t)) = V{vhtIv e D} = V{(t)Iv e D} = (V{Iv e D})(t).A A ATTherefore, VATr D = VATP-..Similarly, extending is continuous since h’(tr) = {tlm(t) mr(tr)} has a greatest elementif t E ‘T,ILr([Or,tr)) t([O,t)) or ,i,.([O,t)) < U(T).The proof is divided into two steps. First, F° is continuous w.r.t. the second argument if Fis continuous on discrete time structures, since any event-based time is discrete, both samplingand extending are continuous, and continuity is closed under functional composition. Second,F° is continuous w.r.t the first argument. Therefore, according to Proposition 3.3.4 (1), F° iscontinuous.Now we prove that it is continuous w.r.t. the first argument. Let T be any time structureand v E AT be fixed. For any directed subset D of8T, D is a chain. According to the definition,F(D, v) is a chain too, i.e., a directed subset. Furthermore, for any t if (VeT D)(t) LB, thereis d E D such that for all t’ < t,d(t’) = (VCTD)(t’), i.e., VA,TF(D,v)> F(VeTD,v). Onthe other hand, F is monotonic w.r.t. the first argument, i.e., VAIT F(D, v) F-(VET D, v).Therefore, VAsT Fq-(D, v) = F(VCT D, v), it is continuous w.r.t. the first argument. 0Theorem 3.6.1 Let A be a 2-domain structure and T a time structure. The E-dynamicsstructure D(T, A) = (V, F) satisfies (1) V is a multi-sorted set of cpos and (2) transliterations,transport delays and event-driven transductions in F are continuous in the partial order topology. If, in addition, T is discrete, all transductions in F are continuous in the partial ordertopology.Proof: Follows from Propositions 3.6.1— 3.6.7. 0Proposition 3.6.8 A transliteration fT is well-defined if function f is well-defined; fT isstrict w.r.t. an argument if f is strict w.r.t. the argument.Proof: According to the definitions of well-definedness and strictness. 0Proposition 3.6.9 Any delay is not strict. A unit delay on any discrete time structure isAPPENDIX A. PROOFS OF THEOREMS 203well-defined. A transport delay is well-defined.Proof: According to the definitions of well-definedness and strictness. 0Proposition 3.6.10 An event-driven transduction F° is well-defined if F on any discretetime structure is well-defined; F° is strict w.r.t. its event input, and F° is strict w.r.t. one ofthe other input arguments if F is strict w. r. t. the argument.Proof: Event-based time is discrete, and sampling and extending are well-defined. 0Proposition 3.6.11 A transliteration fT is right-continuous if f is continuous in the derived metric topology; Jr with f : xi —* A is noninterrnittent if f is strict, well-defined andcontinuous in the derived metric topology.Proof: For any neighborhood N(f(v(t))), there is a neighborhood N(v(t)), such that x éN(v(t)) implies f(x) e N(f(v(t))). For any neighborhood N(v(t)), there is T = (t,t’), t” e Timplies v(t”) E N(v(t)). Therefore, for neighborhood N(f(v(t))), there is T = (t, t’), t” E Timplies f(v(t”)) E N(f(v(t))).If J is strict and well-defined, v(t) is well-defined implies that fT(v)(t) is well-defined, v(t) isnot well-defined implies that for all t’ t fT(v)(t’) is undefined. If, in addition, J is continuousin the derived metric topology, lim VT 1S well-defined implies that lim f(v)IT is well-defined,lim VT is not well-defined implies that lim f(V)1T is undefined. 0Proposition 3.6.12 A delay is nonintermittent. A transport delay is right-continuous.Proof: The output of a delay is nonintermittent if its input is nonintermittent.The output of a transport delay is right-continuous if its input is right-continuolls. 0Proposition 3.6.13 An event-driven transduction is right-continuous. An event-driven transduction F° is nonintermittent if F is nonintermittent.Proof: Any trace on a discrete time structure is right-continuous. Any extension of a discretetime trace is right-continuous.Both sampling and extending are nonintermittent and nonintermittent transductions areclosed under functional composition. 0APPENDIX A. PROOFS OF THEOREMS 204A.2 The Constraint Net ModelProposition 4.1.1CN1(1,Oi) CN2(1,02) = CN2(1,02)11 CN(1,Or).CN1(1,0)o (CN21,0)o CN3(1,0))= (CN11,0)o CN2(1,0))o CN3(1,0)if both sides are defined.CN1(1,Oi) + (CN21,0)+ CN3(1,0))= (CN11,0i) + CN2(1,0))+ CN3(1,0)if both sides are defined.Proof: According to the definition of basic and combined operations. 0Proposition 4.1.2 Following are some properties of subnets:(1) CN1 and CN2 are subnets of CN1 CN2.(2) CN1 and CN2 are subnets of GN1 + CN2.(3) CN1 is a subnet of CN2 a CN1, however, CN2 is not a subnet of CN2 a CN1.Proof: According to the definition of basic and combined operations. 0Theorem 4.2.2 Let A and A’ be two cpos. If f : A x A’ —÷ A’ is a continuous function,then there exists a unique continuous function .f: A —* A’, such that for all a E A, (JL.f)(a)is the least fixpoint of fa : A’ —* A’, where fa Ax.f(a, x), or equivalently, Va e A, (.f)(a) =f(a, (u.f)(a)).Proof: Let F°(a) = f(a, ±A’) and F’’(a) = f(a, Fv(a)). Since is continuous, it is continuous w.r.t. the second argument. A continuous function in any partial order is also monotonic.Therefore,F°(a) A’ F’(a) A’ F2(a)... A’ Fk(a) <.Let .f(a) = VA,{F’(a)Ik> 0}. Clearly .f(a) is the least fixpoint of fa : A’ A’.Next we prove that.f is continuous. Clearly for every k, Fk is continuous since f iscontinuous and continuity is closed under functional composition. Therefore, for any directedsubset D of A,t.f(V D) = V{F’(V D)lk 0}A A’ A= V{V{Fk(D)}Ik 0}A’ A’APPENDIX A. PROOFS OF THEOREMS 205= V{V{Fk(a)Ik 0}Ia E D}A’ A’= V.f(D).A’CProposition 4.2.1 Let I c J be an index set. If f : xjA — A is a continuous function,then the extension off, f’: XjA3 —* A satisfying f’(a) = f(a11), is a continuous function.Proof: According to the definitions of continuous functions and product topologies. CProposition 4.2.2 Let {fk : XjA3 —* Ak}keK be a family of continuous functions. ThenJ: XjA3— XKAk with j(a)k = fk(a) is a continuous function.Proof: According to the definitions of continuous functions and product topologies. CProposition 4.2.3 If f: xjA —* XKAk is a continuous function, K C J and I = J — K,then J has a least fixpoint i.J: x1A —* XKAk.Proof: According to Fixpoint Theorem II. CProposition 4.2.4 Let X be a set of variables and 0 C X a set of output variables. Let{ f° : x10A —* AO}OEO be a set of continuous functions. Then the set of equations {o =fo(x)}oeo with : I —* X has a least solution.Proof: Derived from Proposition 4.2.1, 4.2.2 and 4.2.3. CProposition 4.2.5 If a constraint net is composed of nonintermittent transductions, then itssemantics is nonintermittent. If a constraint net is composed of right-continuous transductions,then its semantics is right-continuous.Proof: Both nonintermittent and right-continuous transductions are closed under least upperbounds. CIf CN’ is a subnet of CN, CN1o(cNl)() =Proof: Trivial. CProposition 4.2.7 Following are some properties associated with module operations:APPENDIX A. PROOFS OF THEOREMS 206• Union: If CN(I,O) = CN1(Ii,0) CN2(1,0), thenCN(I,O) = CN1(I,Ox CN2(I,O).• Cascade connection: If GN(I,O) = CN2(1,0)o CN1(Ii,0) thenCN(I,O) = {F2 o F1IF e CNi(Ii,Oi)],F2E CN2(I,O)}.• Parallel connection: If CN(I,O) CN1(1,0)+ CN2(1,0), thenCN(I,O)] = {(Fi,F2)1F E CN1(I,O),F2E [CN2(1,0)fl.• Feedback connection: If CN’(I’,O’) = F(CN(I,O)), then= {.FIF e CN(I,O)]}where ,u.F is the the least fixpoint of F.Proof: According to the definition of the semantics of modules. 0Proposition 4.2.8 IfCN1(I,O) and CN2(1,02) are well-defined modules, then CN1(1,O)CN2(1,02), CN1(1O)oCN2(1,02) and CN1(Ii, Oi) +CN2(1,02) are well-defined modules.Proof: According to the definition of the well-definedness of modules. UProposition 4.2.9 Let A and A’ be two cpos. If f : A x A’ —* A’ is a strict continuousfunction w.r.t. its second argument, then the least fixpoint of f, or the least solution of theequation o = f(i, o), is undefined.Proof: u.f = Ax. J-A’. 0Proposition 4.2.10 A module GN(I, 0) is not well-defined if there is an output location1 0 such that CN has an algebraic loop on 1.Proof: If I —* 1, 1 results in an undefined trace. However, the inverse is not true. If there existsa not well-defined transduction, the net may not be well-defined either. UAPPENDIX A. PROOFS OF THEOREMS 207A.3 Modeling in Constraint NetsTheorem 5.3.1 Let Y2 = ({n}, {0, suc, cond}) be a signature. A partial recursive functioncan be computed by a sequential module in En-dynamics structure D(.A[, V) where denotesthe En-domain structure ({V}, {0, .suc, cond}).Proof: For any partial recursive function f, there is a sequential module CN defined on thegiven dynamics structure. If f(x) is defined, for any start event, there is an end event indicatingthe completion of the computation. ciProposition 5.3.1 [Sha4l] Equations 5.1 and 5.2 are equivalent, i.e., a function written inone form can be transformed into another.Proof: Refer to [Sha4l]. Differentiate Equations 5.1 n — 1 times we have a total of n2 equations,from which we my eliminate the n2 — 1 variables x2, th2,. . . , x; .. .; x,, ó,.. . , x.Equation 5.2 can be written as Equations 5.1 as follows. Differentiate both sides w.r.t. twe obtainop o op..____—0Ot Ox Ox Ox’and= _++ +•••+ 8x(71)1) = PiQ,x,a,...,x(’))—- 2(t,x,ã,..8x()Let x1 ,X2 = ,. . = x(’),xfl+2 = x(n+1). We have22thfl+i — Xfl+2Xn+2 = xoPi(t,xi,x,..th0 xgP(t,x1,x2..whereOP2 OP2 OP2 OP2P2(t,xi,x,. = —--— + ----—x + --——x3 ...+ Xn-f-2.ut vX1 uX2 ux0Proposition 5.3.2 [Sha4l] If x = )t.f(t) is non-hypertranscendental, then its derivative y =)it.f’(t), its integralz = At. j f(t)dt, and its inverse iii = At.f’(t) are non-hypertranscendental.Proof: Refer to [Sha4l]. 0APPENDIX A. PROOFS OF THEOREMS 208Proposition 5.3.3 [Sha4ll Non-hypertranscendentalfunctions are closed under functional corn-position.Proof: Refer to [Sha4l]. 0Proposition 5.3.4 Given a constraint net of differential equations thk = fk(x), k = 1, . . ,with Xk(tO) e R and fk : flfl —* 1?. as partial or total functions, and given that all fk are smoothat (to), the limiting semantics of the constraint net, based on the forward Euler method, iswell-defined overT = [t0,1] for some t1 > to. In particular, x = At.E0 jt0)(t —Proof: If all fk are smooth, x()(to) exists, the semantics results in a Taylor expansion. 0Theorem 5.3.2 Let ,. = ‘({r}, {+,.}) be a signature. A non-hypertranscendental functionthat is defined and smooth over a closed segment T = [to, t1] can be computed by a constraintnet of differential equations in 2-dynamics structure D(T, fl), where 1?. denotes the Y2r-dornainstructure ({}, {+, .})Proof: A non-hypertranscendental function that is defined and smooth over a closed segmentT = [to, ti] can be written as Equations 5.1 with x(to) well-defined. Therefore, the constraint net has a well-defined solution. On the other hand, for any polynomial function P,P(x) — P(y) = (x — y)P’(x,y) and P’(x,y) is a polynomial that is bounded in any closed interval. Therefore, Lipschitz condition is satisfied. 0A.4 Behavior AnalysisProposition 6.2.1 If n1 C n2, mum 72Im.Proof: Trivial. 0Proposition 6.4.1 (1) If (S’, _*‘) is an abstraction of (S, —*), the behavior correspondingto (S’, —*‘) is the abstraction of the behavior corresponding to (S,—+). (2) If (S’, —*‘) is anapproximate abstraction of (S,—f), the behavior corresponding to (S’, —*‘) is a superset of theabstraction of the behavior corresponding to (S, —*).Proof: Trivial. 0APPENDIX A. PROOFS OF THEOREMS 209A.5 Behavior VerificationProposition 11.2.1 Let {q}qQ be invariants for B and A. If r is a run of A over a tracev E B, then Vt E T,v(t) a,.().Proof: For any trace v, v(O) is an initial state, therefore, v(O) 0. In addition, r is a run,v(O) 1= e(r(O)). Therefore, v(O) e(r(O))A0. Since e(r(O))AO —* ar(o), we have v(O)Assume that v(pre(t)) ar(pre(t)). Therefore, v(t) c(r(pre(t)), r(t)) —* u,. sincen(v(pre(t)),v(t)). In addition, v(t) c(r(pre(t)),r(t)). Therefore, v(t)Use the induction principle for well-founded sets, v(t) cr(t) for all t. JProposition 11.2.2 Let {crq}qQ be a set of invariants for B and A and r be a run of Aover a trace v E B. If {pq}qQ is a set of Liapunov functions for B and A, then• Pr(t)(t’(t)) pr(pre(t))(v(pre(t))) when r(pre(t)) e 5,• Pr(t)(’’(t)) — pr(pre(t))(v(pre(t))) —e when r(pre(t)) e B, and• if BS is the set of segments of consecutive B and S-states in r, Vq* e BS, q* has a finitenumber of B-states.Proof: According to the conditions of Liapunov functions. DProposition 11.2.3 Let {aq}qQ be a set of invariants for B and A and r be a run of Aover a trace v E B. If there exist local and global timing functions for B and TA, then• if Sg(q) is the set of segments of consecutive q’s in r, Vq E T,q* E Sg(q), j(q*)and• if BS is the set of segments of consecutive B and S-states in r, Vq* e B5,,u(q*) <r(bad).Proof: Let s, i = 1 . . n be a sequence of q-states. Since7q(52) — 7q(Si) —t(s1)7q(83)— 7q(82) —,u(s2)7q(Sn)— 7q(5n_i) —(s_)APPENDIX A. PROOFS OF THEOREMS 210we have7q(Sn)— 7q(5i) —:‘(s).Since psn) 7q(sn) and 7q(si) < T(q), we have ip(sj) < r(q).Let s, i = 1 . . n be a sub-sequence of B-states in a BS segment. Since— 7(’) —p(si)— 72(82) —[‘(52)— ‘(s) (5n)and7’i(S’.) 7,(5+i)we have—(s’) < —Ei(s).Since 7(S) < T(bad) and 7,(s) > 0, we haveE1[’(s) < r(bad). 0Proposition 11.2.4 Given Lc as the set of locations and U c Lc, U is an abstraction ofLc if CN(U) is state-based and time-invariant.Proof: Trivial. 0Proposition 11.2.5 If U is an abstraction of Lc, any property restricted on relations on Ucan be verified by exploring the subspace transition system, (xuA31—÷LJ).Proof: s’1—u s’ —*u ... —+j s if s 2 Lc ... Lc S. 0Proposition 11.2.6 If CN8 is a subnet of CN, the set of locations of CN8 is an abstraction.Proof: CN3 can be considered as an independent subsystem, viz. h(si) = h(s2), i *Lc s andS2 Lc ‘2 imply that h(sç) = h(s). According to the definition, the set of locations of CN3 isan abstraction. 0Proposition 11.2.7 The set of output locations of unit delays is an abstraction.Proof: The set of output locations of unit delays induces a state transition system. 0APPENDIX A. PROOFS OF THEOREMS 211Proposition 11.2.8 The set of input locations of unit delays is an abstraction.Proof: The set of input locations of unit delays induces a state transition system. DProposition 11.2.9 If U is an abstraction and I c I(CN), U U I or U — I is still an abstraction.Proof: Add or delete an input location does not change the property of abstraction. 0Proposition 11.3.1 Let {aq}qEQ be invariants for 13 and A. If r is a run of A over v E B,Vt E T,v(t)Proof: In order to prove this proposition, we shall introduce a variation of the method of continuous induction [Khi6l]. A property I’ is inductive on a time structure T uT for all to E ‘T,F is satisfied at all t < to implies that F is satisfied at to. F is continuous if F is satisfied ata non-greatest element t e T implies that t’ > t, Vt < t” < t’, F is satisfied at t”. Note thatwhen T is discrete, any property is continuous. The theorem of continuous induction [Khi6l]says:Theorem A.5.1 If the property F is inductive and continuous on a time structure T and F issatisfied at 0, F is satisfied at all t e T.We prove that the property v(t) 1= ar(t) is satisfied at 0 and is both inductive and continuouson any time structure T.• Initiality: Since v(0) 0 and v(0) e(r(0)), we have v(0) 1= 0 A e(r(0)). According tothe Initiality condition of invariants, we have v(0) ar(O).• Inductivity: Suppose v(t)= r(t) is saisfied at 0 < t < to. Since r is a run over v,q e Q and tç < to,Vt,t < t < t0, r(t) = q and v(to) c(q,r(to)). According tothe Consecution condition of the invariants, t’ < to,Vt,t t < to, v(t) j= aq impliesv(to) 1= c(q,r(to)) r(to) Therefore, Vt,max(t,t) t < to, r(t) = q, v(t) Qq(assumption), v(to) 1= c(q,rQo)) —+ cx() and v(to) = c(q,r(to)). Thus, v(to) 1= aT(0).• Continuity: Suppose v(to) ar(to). Since r is a run over v, q E Q and t’1 > to,Vt,t0 <t < t, r(t) = q and v(t) 1= c(r(to), q). According to the Consecution condition ofthe invariants, t’2 > to, Vt, to < t < t, v(to) ar(to) implies v(t) c(r(to), q)q• Therefore, Vt,t0 < t < min(t,t), r(t) = q, v(to) 1= 0r(t) (assumption), v(t)c(r(to),q) — c and v(t) = c(r(to),q). Thus, Vt,t0 < t < min(tç,t), v(t) 1=APPENDIX A. PROOFS OF THEOREMS 212CTheorem A.5.1Proof: We call a time point t E T regular if F is satisfied at all t’, 0 t’ t. Let T denote theset of all regular time points. T is not empty since F is satisfied at 0. We prove the theoremby contradiction, i.e., assume that F is not satisfied at all t e T. Therefore, T C T is boundedabove; let to = V T E T be the least upper bound of T (to exists according to Proposition3.2.1). Since to is the least upper bound, it follows that F is satisfied at all t, 0 <t < to. SinceF is inductive, it is satisfied at time to. Therefore, to E T.Since T C T, to is not the greatest element in T. Let T’ = {tlt > to}. There are two cases:(1) if T’ has a least element t’, since F is inductive, t’ E T is a regular time point. (2) otherwise,for any t’ e T’, {tIto < t <t’} 0. Since F is also continuous, we can find a t’ e T’ such that 1’is satisfied at all T” {tlto < t < t’}. Therefore, t is a regular time point Vt e T”. Both casescontradict the fact that to is the least upper bound of the set T. CProposition 11.3.2 Let {crq}qQ be invariants for B and A and r be a run of A over atrace v E B. If {pq}qQ is a set of Liapunov functions for B and A, then• Pr(t2)(t’(t2)) < Prt1)(V(ti)) when Vt1 t t2, r(t) e B U 5,• Pr(t)(V(t2)_Pr;;i)(V(tI))< —e when t1 <t2 and Vt1 t < t2, r(t) E B, and• if BS is the set of segments of consecutive B and S-states in r, then Vq* e BS, [L(q*) isfinite.Proof: For any run r over v and for any segments q* of r with only bad and stable states, pon q* is nonincreasing, i.e., let I be the time interval of q*, for any t1 < t2 E I, Pr(ti)(V(tl))Pr(t2)(V(t), and the decreasing speed at the bad states is no less than e. Let m be the upperbound of {Pr(t)(t’(t))It E I}. Since Pq : 0, (q*) m/E < cc. CProposition 11.3.3 Let {aq}qQ be invariants for B and A and r be a run of A over atrace v e B. If there exist local and global timing functions for B and TA, then• if Sg(q) is the set of segments of consecutive q ‘s in r, then Vq E T, q* e Sg(q), p,(q*) <r(q), and• if BS is the set of segments of consecutive B and S-states in r, then Vq* e BS, p,(q*) <r(bad).APPENDIX A. PROOFS OF THEOREMS 213Proof: Similar to the proofs of Proposition 11.2.3 and Proposition 11.3.2. 0Theorem 11.3.1 The verification rules (I), (L) and (T) are sound if the following conditionsof B and TA are satisfied:• T is an infinite time structure.• All traces in B are specifiable by TA.The verification rules are complete if the following conditions of B and TA are satisfied:• {(v, r)Iv E B, r is a run over v} is time-invariant.• All transitions from R to non-R-states are left-closed, i.e., if r is a run, and there is atransition from a R-state to a B-state or a S state at t, then r(t) e B U S. (For discretetime structures, this condition is always satisfied.)Proof: Soundness is derived from Propositions 11.3.1, 11.3.2 and 11.3.3. For any trace v, thereis a run since v is specifiable by TA. For any run r over v, if any automaton-state in R appearsinfinitely many times in r, r is accepting. Otherwise there is a time point to, the sub-sequencer on I = {t E TIt t0}, denoted q* has only bad and stable automaton-states. If thereexist a set of invariants and a set of Liapunov functions, (q*) is finite. Since time is infinite,all the automaton-states appearing infinitely many times in r belong to 5; r is accepting too.Therefore, every trace is accepting for the automaton. If there exists a set of local and globaltiming functions, every trace satisfies the timing constraints.On the other hand, if TA is valid over B, there exist a set of invariants, a set of Liapunovfunctions, and a set of local and global timing functions that satisfy the requirements.The set of invariants can be constructed as follows: VsVq, s €q if the pair (q, s) isreachable, i.e., r, v, t, r(t) = q A v(t) = s. We shall prove that {oq}qq is a set of invariants.• Initiality: if 0(s) A e(q)(s), r, v, r(O) = q and v(O) = s. Therefore, s=crq.• Inductivity: Vv,t, if t’ < t,Vt’ t” < t, r,r(t”) = q (v(t”) 1= aq), then r, t’0 <t,Vt t” < t, r(t”) = q. If v(t) c(q,q’), then r(t) = q’, i.e., v(t) q’ Therefore,v(t) = c(q,q’) — Qql.• Continuity: Vv, t, if r, r(t) = q (v(t) 1= c), and t’ > tq’, Vt’ < t” < t, v(t”) c(q, q’),Vt’ < t” < t, r(t”) = q’. Therefore, t’ > t, Vt’ < t” < t, c(q, q’) —* r, r(t”) = q’.APPENDIX A. PROOFS OF THEOREMS 214Given the above constructed invariants, a set of Liapunov functions can be constructed asfollows:• VqERands=cq,letpq(s)=O.• Vq i’ R and s = cq, the Liapunov function is defined as follows. For any r, v, t withr(t) = q and v(t) s, let q* be a segment of r with only bad and stable states startingat q, and t(q*) be the measure of B-states in q*• Let pq(S) be the longest such measurefor all r, v, t with r(t) = q and v(t) = s, i.e., pq(S) =We shall prove that {pq}qQ is a set of Liapunov functions and global timing functions. Forq, q’ R, let (q, s) -< (q’, s’) if r, v, t < t’, Vt < t” < t’, r(t”) 0 R, r(t) q, v(t) = sand r(t’) = q and v(t’) = s’. Since {(v, r)} is time-invariant, - is transitive. Therefore,(q,s) - (q’,s’) implles pq(s) pqI(s’).• Definedness: Vq e Q, s = Qq, P is defined at s.• Non-increase: Vv E B, Vq E S, q’ E R,{aq Aq = w}v{c(q,q’) —* Pq’ w}is trivially satisfied. Vq E S, q’ E B U S,{q Apq = w}v{c(q,q’).‘ Pq’ w}is satisfied since (q, s) -.< (q’, s’).Vv E B, Vq E B U S,q’ ES,{aq A Pq = w}v+{c(q, q’) —* Pq’ w}is satisfied since (q, s) -.< (q’, s’). Vq e 1?, q’ e 5, c(q, q’) is false since all transitions fromR to non-R-states are left-closed.• Decrease: Vv E B, Vq e B,q’ E Q,{Uq A = w A t = t}v{c(q, q’) ‘- —1}.C))Vq E R,q’ E B,{aqApq = wAtt =t}v{c(q,q’) W <1}t([t, ))is trivially satisfied since c(q, q’) is false. Vq E B U 5, q’ E B,{q A P = w A t = t}v{c(q, q’) ;!Liit, c))APPENDIX A. PROOFS OF THEOREMS 215The local timing functions can be defined similarly. CProposition 11.4.4 All transitions from R to non-R-states are left-closed, if the followingconditions are satisfied:• TA is open and complete.• Vq E R, qi R and q E R, c(q, qi) A c(q, q) is not satisfiable.• All traces in B are right-continuous.Proof: Since TA is open, Vq e Q,q’ E R, c(q,q’) is open. Therefore, Vq E Q,VqRc(q,q’) isopen. Since Vq E R, qi R and q E R, c(q,qi) A c(q,q2) is not satisfiable, (VqIERc(q,q’)) A(Vq’EBUS c(q, q’)) is not satisfiable. Since TA is complete, Vq’ER c(q, q’) and Vq’EBUS c(q, q’) arecomplementary. Therefore, Vq’R c(q, q’) is closed. Since all traces in B are right-continuous,for all v, t, if t is a limit point to the right time points T, v(t) is a point or a limit point of v(T).If t’ > t, Vt < t” < 1’, v(t”) E Vq’R c(q, q’), v(t) E Vq’R c(q, q’). Therefore, all transitionsfrom R to non-R-states are left-closed. CA.6 Constraint-Based Dynamic SystemsProposition 14.1.1 If {X}EI are ((asymptotically) stable) equilibria, then U1 X is an ((asymptotically) stable) equilibrium.Proof: Trivial. CTheorem 14.1.1 X C X is a stable equilibrium of a process p if there exists a Liapunovfunction V for p and X*.Proof: If there exists a Liapunov function V, X C X is a stable equilibrium. First of all,X” is an equilibrium since V takes the unique minimum at X*. Suppose IZ is the domainof V. Given any e, let e’ e such that N’(X*) ç Q. Let y be the minimum over theboundary of Nd’(X*); y > V(X*) since X’ is the unique minimum. Because V is continuous, there exists a s-neighborhood NS(X*) such that Vx E NS(X*),V(x) < ‘y. Therefore,(Ns(X*)) C N’(X*) C NE(x*).If X* C Xis a stable equilibrium of a process p, let V(x) = supx,E(x){d(x,X*)}. We have(1) V(X*) = 0 since X is an equilibrium, (2) V(p(x)(t)) < V(x) since (p(x)(t)) c (x),APPENDIX A. PROOFS OF THEOREMS 216and (3) V is continuous since X is stable. 0Theorem 14.1.2 X’ C X is an asymptotically stable equilibrium of a process p if there existsa Liapunov function V :— 7?. for p and X*, such that Vx e Q,lim V(p(x)(t)) = V(X*).Furthermore, if f X, X is an asymptotically stable equilibrium in the large.Proof: Since X is the unique minimum in 2, p(x) approaches X, Vx E 1. Given V defined asthe same as that in the previous proof, if X* is an asymptotically stable equilibrium, V(p(x)(t))approaches V(X*). 0Proposition 14.2.1 If a constraint solver CSV solves a set of constraints C on variablesV globally, every equilibrium of CSV is a solution of C.Proof: Trivial. 0Proposition 14.2.2 If V : —* 7?. is a Liapunov function for (S,f) and S =f(s*)} C Z, then V(f(x)) < V(x),Vx e f2. In addition, if f is continuous and V(f(x)) <V(x), Vx S, S is an asymptotically stable equilibrium.Proof: If lim,0V(f”(s)) = e> V(S*), let X = {sIV(s) < e} D S’, ffl(s) approaches X. 1ffis continuous, however, fn(s) approaches f(X) C X and lim_+ V(f’(s)) < c, contradiction.0Proposition 14.2.3 A set S = {s*If(s*) = O} C is an asymptotically stable equilibrium ofa state integration system if f is continuous at 8* and $* is the unique minimum of— f f(s)dsin 1. If 2 = 8, S is an asymptotically stable equilibrium in the large.Proof: Let V(s) =— f f(s)ds be defined on a neighborhood of S*. V is a Liapunov functionfor . = f(s) and S* since v(s) = —f2(s) < 0. Furthermore, V(s) < 0,Vs S’ since f(s) 0. 0Proposition 14.3.1 Let R C 7?.’ be closed and convex. The projection PR(x) of x to Rexists and is unique for every x, and (x — PR(x))T(y— PR(x)) <0 for any y e R.Proof: Refer to [GPR67}. 0Theorem 14.3.1 PM solves {X}EJ globally if all the X: ‘S are convex.Proof: Let X* = fliX be the solution set of the problem. First of all, it is easy to see that ife X’ is a solution, then x = f(x*) i.e., x is an equilibrium. Moreover, we can prove thatAPPENDIX A. PROOFS OF THEOREMS 217I f(x) — x x — x*I for any x and x E X as follows.If(x) - x*12 = Ix + A(P(x) - x) - x*12= Ix — x*I2 +A2IP(x) — x12 + 2A(x — x*)T(P(x) — x)= Ix — x*12 + (2— 2A)IP(x)— x12 + 2(P(x) — x)T(p(x) —Ix — x*12 — A(2— A)IP(x)— xI2 according to Proposition 14.3.1Ix_x*12 sinceO<A<2.Therefore, let V(x) = d(x,X*), we have V(f(x)) < V(x). Thus, X* is stable.Furthermore, lf”(x) — x is nonincreasing and bounded below. Therefore, lf”(x) — x*I hasa limit and max d(f’(x), X) approaches 0. According to [GPR67], limk_+ d(f’(x), X*) 0,since fl” is finite dimensional. As a result, limk V(f’(x)) = 0 = V(Xj. Thus, X* is anasymptotically stable equilibrium of PM in the large, i.e., PM solves the problem globally. 0Theorem 14.3.2 Let X* E R. be the set of local minima of 6. NM solves the problem ifIJ(x*)l 0, Vx’ E X. i.e., 6 is strictly convex at each local minimal point. NM solves theproblem globally if, in addition, 8 is convex.Proof: First, we prove that Vx* E X”, x = f(x*) and IJ(x*)I $ 0 implies that x” is asymptotically stable. Let R be the Jacobian of f. It is easy to check that IR(x*)I = 0. There existsa neighborhood of x, NE(x*), for any x E N(x*), If(x) — f(x*)I Ax — x’ for 0 < A < 1.Therefore, limk Ifk(x)_x*I 0 and x is asymptotically stable. Therefore, X is an asymptotically stable equilibrium. If 6 is convex, x” is the unique minimal point, which is an attractorin the large. 0Theorem 14.3.3 Let X* be the set of local minima of 8. GM solves the problem if iscontinuous at X’. GM solves the problem globally if, in addition, 6 is convex.Proof: According to Proposition 14.2.3, a local minimum is an asymptotically stable equilibrium. A set of local minima is also an asymptotically stable equilibrium. If 6 is convex, X isthe unique minimal set, which is an attractor in the large. 0Theorem 14.3.4 Let A be a matrix where=+ >0Ak If A is positivedefinite, LM solves the constrained optimization problem mm f(x) subject to gk(x) = 0 globally.APPENDIX A. PROOFS OF THEOREMS 218Proof: LetV(x) = +It has been shown in [P1a89] that=Therefore, V is a Liapunov function. DProposition 14.5.1 A constraint solver CSV solves C if there exists an initial condition0 D sol(C) such that VE> 0, CS”(O) 1= A(Ce; ). CS solves C globally when 0 = xvD.Proof: According to the definition of constraint solvers, CSV solves C, if CSV]j is asymptotically stable at sol(C), i.e., 0 D sol(C), Vx e 0, CS9(x) approaches sol(C) asymptotically.In other word, for any e, 3t0, Vt to, CS9(x)(t) E C. Therefore, CS9(x) e A(C; 0) forallxEO.On the other hand, if {CS9(x) E A(C; 0) for any € > 0, I{CS9(x) approaches sol(C)asymptotically. Therefore, CSV solves C. 0A.7 Control SynthesisProposition 15.3.1 This control law satisfies the condition that v = 0 if(d = 0 V 18’— 01 = k) A0d = 0).Proof: According to the control law for a, v = 0 implies Od = 0. According to the control lawfor v, v = 0 implies dcos(8’ — 0) = 0. 0Appendix BALERTWe have developed a visual programming and simulation environment called ALERT (A Laboratory for Embedded Real-Time Systems) based on the Constraint Net model. In this appendix,we first describe the current version of ALERT, then give some simple examples to illustratethe process of analysis.B.1 Visual Programming with Constraint NetsVisual Programming means the use of meaningful graphic representations in the process ofprogramming [Shu88]. Visual programming has gained momentum in recent years primarilybecause the faffing cost of graphical-related hardware and software has made it feasible to usepictures as a means of communicating with computers. CN has inherent graphical tokens andthe characteristics of hierarchy, which make it an ideal model for visual programming.CN is a generalization of models for dynamic systems. As a first step, we have developedALERT on Simulink [Incc]. Simulink, based on Matlab, is a visual programming and simulationenvironment for both continuous and discrete dynamic systems.Each Simulink window consists of five pop-up menus: File ( open and save files), Edit (cut,copy and paste graphical tokens), Options (group, mask, flip or rotate modules), Simulation(start, pause, and parameters for simulations) and Style (color, font and position).Simulink provides various built-in modules such as linear and nonlinear transductions. Inaddition, it provides test signals, output viewing windows, and various signal analysis tools.Programming in Simulink is simply by choosing a set of modules from the given libraries,setting up parameters and making connections. A system can be developed hierarchicallyby group and mask operations. On the other hand, a module can be opened by an unmaskoperation and then be modified accordingly.219APPENDIX B. ALERT 220Even though Simulink supports the integration of discrete and continuous modeling, theinternal semantics is different from that of CN. Instead of holding values between samplingpoints (as does the semantics of Constraint Nets), Simulink assumes linear interpolation. Furthermore, Simulink does not support event-driven transductions, which are the most importantaspect of CN.However, Simulink is a flexible open environment so that new modules can be added easilyusing Matlab functions and programs. We have extended Simulink with various event-driventransductions and event logics, as weli as with various arbitrations. In particular, we have addedfour new libraries to Simulink (see Figure B.1); they are logics, events, arbiters and solvers.EJ ALERTj. File Edit 9ptions Simulation StyleLogics Events Arbiters SolversSources Sinks Discrete Linear Nonlinear Connections Extrapz:Figure B.l: ALERTThe basic functionalities of these new libraries are:• Logics: This library (Figure B.2) includes various event logics, such as event synchronization elements, “ifip-flop,” etc.• Events: This library (Figure B.3) includes an event generator and various event-driventransductions.APPENDIX B. ALERT 2211J LogicsEile Edit ptions Simulation Style Code1Dft4>+*-Jfr.. Negation TriggerLogic AND Logic OR Event OR Flip—Flop+4r*+RMuller—C Neyated Event Switch ECSEMuiier— Cg:zz:Figure B.2: Logic modules1J EventsFile Edit ptions Simulation Style Code1J1 JiJ SA )1OLDE*Transition State Automaton Event Holderevent PTranstF tPWE tESA. Transliteration Event—Drivensampler ni e ay State Automatonpzz::Figure B.3: Eveut modulesAPPENDIX B. ALERT 222• Arbiters: This library includes various arbiters so that arbitration hierarchies can beconstructed.• Solvers: This library includes constraint solvers with various constraint methods (whereconstraints can be given by functions defined in Matlab).B.2 Simulation and AnimationA robotic system is a complex dynamic system in general; it is nonlinear in the following sense:• the dynamics of the plant or the environment is nonlinear for any realistic modeling,• the control is nonlinear if we model event-driven transductions or arbitration hierarchies.For a nonlinear system, the behavior of the system is unpredictable in general, and parametersof the system (e.g., latencies and sampling rates) play an important role in the overall behaviors.ALERT is an integrated environment for modeling, programming and analyzing roboticsystems. Such an environment is important for building a system with a certain degree of“correctness.” Even though a real system’s behavior can not be guaranteed in advance, themore accurate the model is, the more information can be obtained in the simulation. On theother hand, the more robust the control is, the more relaxed the accuracy of the model can be.ALERT provides an environment for simulation that, in general, is the only approach toanalyzing nonlinear dynamic systems. Visualization can be added to the current version ofALERT, using Matlab plot functions. Animation can be done either on-line in Simulink, whichis slow, or by saving the traces and down-loading to an SGI machine.Now we present two simple examples to illustrate the use of ALERT.In the first example, we analyze the effect of latencies on stability (Figure B .4). The solutionof th = —kx is x(t) x0e’, which is asymptotically stable at state 0. If we assume latency6 for signal x, the solution of = —k(x— 6) is not trivial, and it may become unstable at 0.For this simple equation, we are able to analyze the solution by hand [Hub88]. Let e be asolution. We have _Ae_t = _ke_)(t_S), i.e., A = ke6. Since min{ } = 6ke, for any realnumber A, we have 6ke < 1, i.e., 6k 1/e. If 6k > 1/e, A must be a complex number, andtherefore the solution has oscillation. In general, for a stable system, if latency is introduced,it may become unstable (Figure B.5, B.6).In the second example, we show that the sampling of data can cause unstability too (FigureB.7). For the same system, let the sampling rate be 6. We have = —kiZ where u(6n) = x(6n)for any integer n. The solution is not stable if Ii — 6k > 1, i.e., 6k > 2 (Figure B.8, B.9).APPENDIX B. ALERT 223delayFile Edit 2ptions Simulation Style ja-------Figure B.4: Circuit with latencyAuto—scale storageGraph ScopeFigure B.5: Latency with 8k = 0.25APPENDIX B. ALERT 224Figure B.6: Latency with 6k = 2samplingFile Edit pptions Simulation StyleFigure B.7: Circuit with samplingAPPENDIX B. ALERT 225Figure B.8: Sampling with 6k = 0.25Figure B.9: Sampling with 6k = 2APPENDIX B. ALERT 226In general, parameters like k and 6 play important roles in control systems design: Ic is theparameter for the speed control, and 6 is introduced by unavoidable computation and devicelatency, or the digital sampling rate. For instance, if 6 is known, we may choose Ic to achievefast convergence yet maintaining stability.B.3 The Maze TravelerWe conclude this appendix with the maze traveler example.Figure B.lO depicts the overall structure of the system. Figure B.ll shows the animationwindow. The model and the controller of the car are given in Figures B.12 and B.13, respectively.The event generator is depicted in Figure B.14.v_ill mazetFile Et9pDons Suia&n le Code j.. ..Figure B.lO: The overall structure of the maze traveler systemAPPENDIX B. ALERT 227iaki Time: 41.6 iiib ijFigure B.11: Animation of the maze travelerAPPENDIX B. ALERT 228IJ TruckFile Edit Qptions Simulation Style::::Figure B.12: The car modelI• Control:File Edit 2ptions Simulation Style Code1—i1Constant VL:J:JZZJsensor D em uxcontrolFigure B.13: The control moduleAPPENDIX B. ALERT 229ill eventFile Edit Qptions Simulation Style CodetThmIjJjj insrScopeFigure B.14: The event moduleAppendix CExamples of Design and AnalysisWe present in this appendix two complete examples of the design and analysis of robotic systemsand behaviors. One is an hydraulically actuated robot arm and the other is an elevator system.C.1 Modeling and Control of an Hydraulically Actuated ArmFigure C.1 depicts a two-link robot arm. For simplicity, we assume that the mass distributionof the two-link arm is extremely simple: All mass exists as a point mass at the distal end ofeach link.Yxm1Figure C.1: A two-link arm230APPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 231The dynamics of the arm is modeled by the following equations [Cra86]:= [(m1 + m2)l? + m2l + 2m1lcos(02)]Ol + [m2l + m21cos(62)]0—2m21sin(62)0i02 — m21sin(62)0 + (m1 + m2)gli sin(01)+ m2glsin(0i + 62),= [m2l+ m21cos(62)]Ô + m2lÔ + m21sin(62)81+ m2g12sin(6i + 62).For simplicity, we further assume m1 = m2 = m and l = 12 = 1. Let d1 = 9 and d2 = 62, thearm model is a set of equations with state variables 01, 62, d1 and d2:x = [Ti + m12 sin(62)Ô + 2m1 sin(62)002— 2mlg sin(S1)— mlgsin(61+ 62)—(1 + cos(62))(T — ml2sin(6)Ô — mlgsin(61+ 62))]/(1 + sin2(6))di = x/m12d2 = [T2 — m12 sin(62)Ô— mlg sin(0i + 02) — (1 + cos(62))x]/m101 = d102 = d2where m and 1 are parameters.The joints of the arm are actuated by hydraulic actuators [SDLS9O]. Valves are devicesthat control the fluid power. The most widely used valve is the sliding valve with spooi typeconstruction. The inputs required to model such a valve are the spool displacement (—0.5 <X, < 0.5), the supply pressure (P8), the return presure (Pres) and the lines pressure (P andP0). The governing nonlinear equations are:Q — f KVXV/PSU, — P if X, > 0— 1 KvXv/Pjn—.Pres if Xv < 0,Q — f I(VXV./PSUJ — P0ut if X > 0Out—KvXv”Pout Pres if Xv < 0,where K,, is a parameter, andVmn — Dm0),POut = (DmÔ—where Dm is the volumetric displacement of the hydraulic motor and is the hydraulic compliance. The torque generated by the controller is:T = Dm(Pjn—APPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 232Assume that the low level controller for a hydraulically actuated joint is a simple PD controlthat produces a spool displacement X, given 0, 0 and Oj:X = B[(0 — 0) — A8]We select A and B by experiment, given the set of other parameters.After we get a stable PD controller for joint tracking, a high level controller for end-pointtracking is then developed as follows. Let (x, y) be the coordinate of the end-point of the arm.The constraints for the end-point tracking are x = Xd and y = Yd where (xd, yd> is the desiredposition. Let 6 = (xd — x)2 + (yd—y)2 be the energy function. We haveOx Oy---= (xd-x)--+(yd-y)06 Ox Oy——= (xd—x)-—+(yd—y)—002 002 802wherex = lcos(0i)+lcos(0i+02)y = lsin(0i)+lsiri(0i+0Ox—= —lsin(0i)—lsin(0j+02= lcos(0i)+lcos(0i+0)= —lsm(Oi+02)UU20y= lcos(0i+02)(J02Using the gradient method, we have:06= -k.Then we use 8d as the input to the low level PD controller. We can consider this end-pointtracking controller as a variation of the transpose Jacobian controller [Cra86].Similarly, a high level controller for avoiding obstacles is developed as follows. Let (x0, Yo)be the coordinate of the obstacle and 6(d) = max(— ln(d2/m),0) where m is the minimumdistance between the obstacle and the arm. Let the energy function for avoiding the obstaclebe:6 = 6(d31)+ 6(d11) + 6(d32) + 6(d12)APPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 233whered1 = (x0 — lcos(0i))2+ (Yo — lsin(01))2Idzil = ly0cos(8i)—x0sin(0i)ld2 = (x0— lcos(0i) — lcos(0i + 62)) + (Yo — lsin(6i) — lsin(0i + 02))1d2 = I( — lsin(61))cos(0 + 02)— (x0 — lcos(Oi))sin(Oi + 02)1The obstacle avoiding controller is then designed using the gradient method.We can combine these two high level controllers with some arbiters, such as the subsumefunction, to make the obstacle avoiding control have a higher priority.The models of the high level controllers and the PD controller as well as the models of thearm and the hydraulic actuator are all developed in ALERT; both simulation and animationare supported.C.2 Modeling and Verification of an Elevator SystemA simple elevator system for an n-floor building consists of one elevator. Inside the elevatorthere is a board with n floor buttons, each associated with one floor. Outside the elevatorthere are two direction buttons for service call on each floor, except the first floor and the topfloor where only one button is needed (see Figure C.2). Any button can be pushed at anyFloor Buttons Direction Buttons(inside elevator) (outside elevator)0 Floor 3( (iV’ Floor 2Floor 1Figure C.2: The interface of a simple 3-floor elevatortime. After being pushed, a floor button will be on until the elevator stops at the floor, anda direction button will be on until the elevator stops at the floor and is going to move at thesame direction. (Note that a more complex elevator has open and close door buttons, alarm oremergency buttons which, for simplicity, we will not model.) The atomic actions of an elevatorAPPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 234consist of move-up or move-down one floor, serve-a-floor (stop at the floor, open and close thedoor) and stay-idle. The complete elevator system consists of ELEVATOR BODY, ELEVATORCONTROL and USER INTERFACE as shown in Figure C.3.[ ELEVATOR_______BEtos [LCONTROL J INTRRFACEELEVATORL BODY JFigure C.3: The complete elevator systemC.2.1 Discrete modeling and verificationFirst we present a discrete model of the elevator system, in which each atomic action takessome finite time.The elevator body is modeled by a transliteration aild a unit delay:I min(f+1,n) ifcc=upnf . max(f— 1, 1) if cc = downI f otherwise.f’ = nfwhere cc is the current command from the controller with domain {up, down, serve, idie}, andf, nf are the current and next floor numbers, respectively, with domain {1, 2,. . ., n}.The command from the controller is modeled as a function of the current floor number, thecurrent request state and the last control state. Let the request state be a tuple (ub, db, fb)where ub, db, fb E {O, 1}’ with ub(n) = 0 and db(l) = 0; let the last control state be is withdomain {up, down, idie}. Let ur, dr E {0, 1} denote the up and down requests, respectively, i.e.,• ur indicates whether or not there is a request for the elevator to go up:ur = ub(f) V (ub(i) V db(i) V fb(i)).i>f• dr indicates whether or not there is a request for the elevator to go down:dr= db(f)V(ub(i)Vdb(i)Vfb(i)).i<fAPPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 235The current control state cs is determined as follows:I up ifurA(isdownV-idr)cs down if (-ur A f> 1) V (dr A Is = down)idle otherwiseis’ = Cs.In English, if there is a request for the elevator to go up and either the last state is up or thereis no request to go down, the elevator will be iii the up state; if there is no request to go upand the elevator is not at the first floor, or the last state is down and there is a request to godown, then the elevator will be in the down state; otherwise the elevator will be idle, that is,the elevator will be parked at the first floor if there are no more requests.Let cr indicate whether or not there is a request for the elevator to stop and serve thecurrent floor:cr — f db(f) V fb(f) if CS down— 1 ub(f) V fb(f) otherwise.In English, if there is an internal request to arrive at this floor or there is an external requestto go in the same direction as the elevator, there is a request at this floor.The current command can be defined as follows:I serve if CrCC =CS otherwise.In English, if there is a request at this floor, the elevator will stop to serve the floor (open thedoor, let passengers go in and out, then close the door), otherwise the elevator will pass thisfloor without stopping.Furthermore, the request state (ub, db, fb) is determined based on two factors: the user’sinput and the internal reset when a request has been served. Let s denotes u, d or f, we havesb = isb V (—irsb A lsb)lsb’ = sbwhere isb, rsb and lsb are the user’s input, the reset and the last request state, respectively.The reset state rsb indicates which requests have been served:rsb’ = csbcub(i)= (f = i) A (cc = serve) A (cs = up)cdb(i)= (f = i) A (CC = serve) A (Cs = down)b(i)= (f = i) A (CC = serve)APPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 236We have implemented the discrete model of the elevator system in Strand88 [FT89], aconcurrent logic programming language. It is easy to simulate discrete time constraint nets inStrand88, since both transliterations and unit delays can be represented:‘/.f(+in,-out) is a function. fT(+intrace, -out_trace) is a transliteration.fT([IIIs], OS) :— f(I, 0), OS : [OlOs], fT(Is, Os).Y.delay(+init, +intrace, -out_trace)delayClnit, In, Out) :- Out [Initlln].where a trace is represented as an infinite list.A well-designed elevator system should guarantee that any request will be served withinsome bounded time. We can specify such requirements in timed V-automata, and show thatthe constraint net model of the elevator system satisfies the timed V-automaton specification.There are three kinds of request: to go to a particular floor after entering the elevator, orto go up or down when waiting for the elevator. Following are some examples of the statepropositions.• 112 : (fb(2) = 1) A (cfb(2) = 0) denotes that “there is a request to go to the second floor.”• 112S: cfb(2) = 1 denotes that “the request to go to the second floor is served.”• RU2 : (nb(2) = 1) A (cub(2) = 0) denotes that “there is a request to go up at the secondfloor.”• RU2S: cub(2) = 1 denotes that “the request to go up at the second floor is served.”Bounded time responses “the request to go to the second floor will be served in finite time”and “the request to go up at the second floor will be served in finite time” are represented asFigure C.4 (a) and (b), respectively.Let 7 be associated with qo in Figure C.4 (a) and 11 be associated with in Figure C.4(b). The two timed V-automata specify the properties: “the request to go to the second floorwill be served within 7 time units” and “the request to go up to the second floor will be servedwithin 11 time units,” respectively.These specifications can be checked using the verification algorithm. If ii = 4, the statetransition graphs of the elevator system with respect to the specifications in Figure C.4 (a) and(b) are shown in Figure C.5 (a) and (b), respectively, where the dotted transitions are disabledin our control strategy and the number associated with the state indicates the length of theAPPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 2371 R2S 1 R2 RU2S RU2( R2S RU2S_Fqo R2 qO RU2 q\R2 9 R2 RU2 1RU2(a) (b)Figure C.4: Specifications of real-time response(4,down,serve) (4,down,serve)4state=(f,cs,cc)8(3,up,up) 5 - 3 (4,down,down) (3,up,up) 9- 7 (4,down,down)(3,up,serve) 6 2 (3,down,serve) (3,up,serve) 10 6 (3,down,serve)(2,up,up) 7 (3,down,down) (2,up,up) n 5 (3,down,down)(2uPserve) ‘- .downserve)-- 4 (2,down,serve)(1,up,up) 3 (2,down,down) (1,up,up) 0 3 (2,down,down)2(1,up,serve) (1 ,up,serve)(a)Figure C.5: State transition graphsAPPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 238longest path from the state to the desired states, if there are no self-loop transitions. If theuser is not allowed to issue a new request when the same request has just been served, thesespecifications will be satisfied. If, however, no such a restriction is imposed, an elevator maystop at a floor forever; therefore, these specifications will not be satisfied.A more realistic specification for the elevator system is that any request should be servedwithin bounded time of motion. Such a specification cannot be expressed by TLTL, however,it can be expressed by a timed V-automaton. For example, “the elevator will serve the secondfloor within 4 unit time of motion” can be depicted by the timed V-automaton in Figure C.6,with MV (cc serve), S2 : (f = 2) A (cc = serve), SN2 (f 2) V (cc = serve) andFigure C.6: A more realistic specificationT(bad) = 4. If n = 4, and fb(2) 1 initially, the specification can be satisfied. This examplehas been verified by the verification procedure written in Prolog.C.2.2 Continuous modeling and verificationIn the previous modeling of the elevator system, atomic actions are primitives. Now we shallmodel how these actions are carried out by the low level control system, which is realized as ananalog controller. Furthermore, the user’s request can come at any time on a continuous timeline. A continuous model of the elevator system should be developed for the design of the lowlevel control system and for the analysis of the overall behavior of the system.First of all, the plant of the elevator is modeled by a second order differential equationfollowing the Newton’s LawqO qiF-Kh=hAPPENDIX C. EXAMPLES OF DESIGN AND ANALYSIS 239where F is the motor force, K is the friction coefficient and h is the height of the elevator.We assume that the mass is 1 since it can be scaled by F and K. We ignore gravity since weassume that it can be added to F to compensate the effect.A low level PD controller is then designed to produce the force to the elevator, given theaction command (up, down or stop) and the height trace:IF0 ifupF= —F0 if down( K,d3 — Kh if stopwhere d3 is the distance between the current height and the desired height of the elevator. Letthe height of each floor be H and the current floor of the elevator be f. We have f = [h/H] + 1and d3= (f — 1)H — h where [x] indicates the closest integer of x.We use the control strategy developed for the discrete model as a high level control. However,this control strategy is activated by events generated from the user interface or within theelevator itself. There are three basic types of event: (1) a user pushes a button at the elevator’sidle state, (2) the elevator becomes close to a floor (d8 < 15cm, for instance) and (3) a user’srequest has been served (it takes 5s to serve a request, for instance). The “event or” of thesethree events triggers the high level controller to produce a new output. Furthermore, bothuser’s requests and the internal reset are processed at a fast sampling rate (O.ls, for instance).We have verified that the high level control strategy satisfies the desired properties. Now wehave to guarantee that the low level control system does the right thing, i.e., accomplishes everygoal that the high level strategy sets. Basically, we have to choose F0, I( and K. Supposethat the friction coefficient K is 1, the height of each floor is 2m, and the elevator is said tobe at a floor when d3 15cm. One basic request is that if a stop command is issued when theelevator is crossing a floor, the elevator will remain at the floor as long as the command doesnot change.We choose F0 to be 0.5 50 that both the maximum velocity and acceleration will be 0.5,and it takes at least 4s to move up or down a floor. We choose K = 0.5/0.15 = 3.3 so thatthe initial acceleration for stop will be no larger than 0.5. Finally, we choose K large enoughso that the elevator will not over-shoot. In this case K = 10. We have modeled and simulatedthis complete elevator system in ALERT, and found that the system works correctly.Appendix DModel Estimation for the CarWe present here a method of model estimation for the car-like robot. We have modeled theplant of the car-like robot using the following set of equations:tanax=vcos(8), y=vsm(6), 8=vLwhere (x, y, 0) is the configuration tuple of the car, v and a are the control inputs to the car.However, for a real car, the velocity v is controlled by the gas throttle g3 and the turning anglea has its inherent mechanical delay. This two effects can be modeled by the following twoequations:— Jo ifgs<gmandv=OV—kggs— kv otherwise,= ka(ada)so that g3 and aj are the real control inputs to the car and g, kg, k and ka are parametersto be estimated.The minimum static gas g is easy to estimate, by simply increasing the gas throttle of thestopped car until the car moves.Parameter estimation for a dynamic system with equation= k1(k2—x)can proceed as follows. Start with z = 0, the system will asymptotically approach x = k2.Suppose x can be sensed within error E. Then let k2 = x(t) as soon as Ix(t) — x(t + T)I e forall 7 > 0. Then k1 can be estimated as follows. Let y = x — k2. The solution of = —k1y isy = yoe_d1t. Since 110 = k2 and y = , we have k1 = ln()/t.240APPENDIX D. MODEL ESTIMATION FOR THE CAR 241The gain factor kg and the friction coefficient k can be estimated by the above procedure.By apply a constant throttle g8 > g to a initially stopped car, we have ‘b = kv(kgg8/kv— v).For example, if g3 = 0.2, v —* 50 and € = 2, we have k = 3/t and kg 750/t.The delay factor ka can be estimated similarly, except that o has to be sensed via 0. Sinceô = tancr) dO= CO)do. We first apply a constant g8 to a car until it moves in a constantvelocity; then, at time to, we apply a constant ad until IÔ(t) — Ô(t + r)I € for all T > 0. Wehave ka = ln(L)/(t — to) = ln(COS’)LC)/(t — to). For example, if v = 50, a = r/5, L = 12and € = 2, we have ka 1/(t — to).We can also apply different g3 and a to the car and average the results.IndexV-automata Constraint, 147Accepting run, 115 Constraint method, 149Complete, 111 Gradient method, 152Discrete Lagrange Multiplier method, 153Accepting run, 111 Newton’s method, 151Run, 111 Penalty method, 153Open, 112 Projection method, 150Semantics, 112 Constraint netSpecifiable, 115 Closed, 44Syntax, 110 Connection, 43Input location, 44Abstractable behavior, 84 Input port, 43Abstractable function, 78 Limiting semantics, 55Abstractable state transition system, 84 Location, 43Abstractable trace, 82 Open, 44Abstractable transduction, 84 Output location, 44Abstraction, 78 Output port, 43Behavior, 84 Semantics, 51Domain, 81 Subnet, 45Domain structure, 81 Syntax, 43State transition system, 84 Transduction, 43Time, 81 Constraint programming, 154Trace, 82 Constraint satisfaction problem, 147Transduction, 84 Constrained optimization, 149Algebraic loop, 53 Global consistency, 149Algebraic system, 77 Solution set, 148Unconstrained optimization, 149Behavior, 79Constraint solver, 148Deterministic, 79Nondeterministic, 79 Embedded, 160State-based, 79 State integration system, 148State transition system, 148Time-invariant, 79Control problem, 159Complexity of behaviors, 80 Tracking problem, 162Congruence Control synthesis, 158Function congruence, 78Domain, 31Structure congruence, 78242INDEX 243Composite, 32Simple, 31Domain equation, 123Domain structure, 32Domain structure mapping, 82Dynamic process, 146Attraction basin, 147Attractor, 147Equilibrium, 147Stable equilibrium, 147Liapunov function, 147Dynamic system, 3Constraint-based dynamic system, 157Hybrid dynamic system, 59Integrated hybrid system, 12Inteffigent real-time system, 14Dynamics, 3Dynamics structure, 40Event space, 37Trace space, 35Equivalent behavior, 84Equivalent system, 79Equivalent system with abstraction, 84Equivalent traces, 82Equivalent transduction, 84Formal system, 118FTLTLFrame, 107Model, 107Semantics, 107Syntax, 107Term, 106Valid/Satisfiable, 108Valid/Satisfiable over a frame, 108FunctionFixpoint, 49Least, 49HierarchyComposition hierarchy, 166Interaction hierarchy, 166Abstraction hierarchy, 168Arbitration hierarchy, 168Homomorphic domain mapping, 81Homomorphic domain structure mapping, 81Homomorphic time mapping, 80Homomorphism, 78Isomorphism, 78Interpretation, 103Measurable space, 28Measure, 28Borel, 28Measure space, 28Metric, 28Module, 45Closed, 45Hidden input, 45Hidden output, 45Interface, 45Open, 45Semantics, 52Sequential module, 69Module operationCascade connection, 45Coalescence, 45Feedback connection, 45Hiding, 45Parallel connection, 45Union, 45Parameter, 54Parameterized module, 54Parameterized net, 54Partial order, 25Complete, 27Directed subset, 26Chain, 27Flat, 26Greatest element, 26Greatest lower bound (glb), 26Least element, 26Least upper bound (lub), 26Linear, 25Lower bound, 26INDEX 244Product partial order, 26 Sort, 32Subpartial order, 25 State transition system, 79Upper bound, 26 Steady-state error, 157Planning problem, 159 Strict extension, 33PLTL Strict function, 33Frame, 103 Strict transduction, 41Model, 103 System, 3Semantics, 103Syntax, 102 Temporal integration, 55Valid/Satisfiable, 103 Bounded, 57Valid/Satisfiable over a frame, 103 Reset, 57Trace-based, 58Qualitative domain structure, 82 Time structure, 29Quantitative domain structure, 82 Continuous, 30Quotient algebra, 78 Discrete, 30Quotient function, 78 Infinite, 30Reference time, 31Refinement Reference time mapping, 30Domain, 81 Sample time, 31Domain structure, 81 Timed V-automatonTime, 81 Accepting run, 116Relation DiscreteCongruence, 78 Accepting run, 114Partition, 78 Run, 114Partial order relation, 25 Semantics, 114Requirements specification, 80 Syntax, 114Persistence, 5 TLTLReachability, 5 Real-time operator, 106Safety, 5 Temporal operator, 102RFTLTL Topological space, 23State formula, 108 Connected, 24Open, 109 Continuous function, 24State proposition, 108 Metric space, 28Syntax, 108 Product space, 25Robotic behavior, 2 Separated, 24Robotic system, 2 Subspace, 25Controller, 3 Topology, 23Environment, 3 Basis, 24Plant, 3 Closed set, 24Robustness of systems, 80 Derived metric, 31Greatest limit, 35, 36Signature, 32Limit, 34, 36Function symbol, 32Discrete, 24Mapping type, 32Finer, 24INDEX 245Hausdorif, 25 Global timing function, 120, 124, 132Limit, 29 Invariant, 119, 123, 131Limit point, 24 Liapunov function, 120, 124, 131Metric, 28 Local timing function, 120, 124, 132Spherical neighborhood, 28Neighborhood, 24 Well-defined constraint net, 53Strict, 146 Well-defined function, 34Open set, 24 Well-defined module, 53Partial order, 27 Well-defined trace, 34Product, 25 Well-defined transduction, 41Subbasis, 24 Well-defined value, 32Subspace, 25Trivial, 24Trace, 34Completion, 35Event trace, 36Extension trace, 39Nonintermittent, 36Right-continuous, 36Sample trace, 39Transduction, 37Basic, 38Transliteration, 38Transport delay, 39Unit delay, 39Event generator, 60Event synchronizer, 61Event-driven, 40Clock, 40Extending, 39Nonintermittent, 42Primitive, 38Right-continuous, 42Sampling, 39Undefined trace, 34Undefined value, 32Vector space, 55Topological, 55Verification, 117Model checking approach, 119Theorem proving approach, 118Verification rules, 121
- Library Home /
- Search Collections /
- Open Collections /
- Browse Collections /
- UBC Theses and Dissertations /
- A foundation for the design and analysis of robotic...
Open Collections
UBC Theses and Dissertations
Featured Collection
UBC Theses and Dissertations
A foundation for the design and analysis of robotic systems and behaviors Zhang, Zhenhai 1994
pdf
Page Metadata
Item Metadata
Title | A foundation for the design and analysis of robotic systems and behaviors |
Creator |
Zhang, Zhenhai |
Date Issued | 1994 |
Description | Robots are generally composed of electromechanical parts with multiple sensors and actuators. The overall behavior of a robot emerges from coordination among its various parts and interaction with its environment. Developing intelligent, reliable, robust and safe robots, or real-time embedded systems, has become a focus of interest in recent years. In this thesis, we establish a foundation for modeling, specifying and verifying discrete/continuous hybrid systems and take an integrated approach to the design and analysis of robotic systems and behaviors. A robotic system in general is a hybrid dynamic system, consisting of continuous, discrete and event-driven components. We develop a semantic model for dynamic systems, that we call Constraint Nets (CN). CN introduces an abstraction and a unitary framework to model discrete/continuous hybrid systems. CN provides aggregation operators to model a complex system hierarchically. CN supports multiple levels of abstraction, based on abstract algebra and topology, to model and analyze a system at different levels of detail. CN, because of its rigorous foundation, can be used to define programming semantics of real-time languages for control systems. While modeling focuses on the underlying structure of a system — the organization and coordination of its components — requirements specification imposes global constraints on a system’s behavior, and behavior verification ensures the correctness of the behavior with respect to its requirements specification. We develop a timed linear temporal logic and timed Ʋ-automata to specify timed as well as sequential behaviors. We develop a formal verification method for timed V-automata specification, by combining a generalized model checking technique for automata with a generalized stability analysis method for dynamic systems. A good design methodology can simplify the verification of a robotic system. We develop a systematic approach to control synthesis from requirements specification, by exploring a relation between constraint satisfaction and dynamic systems using constraint methods. With this approach, control synthesis and behavior verification are coupled through requirements specification. To model, synthesize, simulate, and understand various robotic systems we have studied in this research, we develop a visual programming and simulation environment that we call ALERT: A Laboratory for Embedded Real-Time systems. |
Extent | 5120973 bytes |
Genre |
Thesis/Dissertation |
Type |
Text |
FileFormat | application/pdf |
Language | eng |
Date Available | 2009-04-15 |
Provider | Vancouver : University of British Columbia Library |
Rights | For non-commercial purposes only, such as research, private study and education. Additional conditions apply, see Terms of Use https://open.library.ubc.ca/terms_of_use. |
DOI | 10.14288/1.0051644 |
URI | http://hdl.handle.net/2429/7195 |
Degree |
Doctor of Philosophy - PhD |
Program |
Computer Science |
Affiliation |
Science, Faculty of Computer Science, Department of |
Degree Grantor | University of British Columbia |
GraduationDate | 1994-11 |
Campus |
UBCV |
Scholarly Level | Graduate |
AggregatedSourceRepository | DSpace |
Download
- Media
- 831-ubc_1994-954191.pdf [ 4.88MB ]
- Metadata
- JSON: 831-1.0051644.json
- JSON-LD: 831-1.0051644-ld.json
- RDF/XML (Pretty): 831-1.0051644-rdf.xml
- RDF/JSON: 831-1.0051644-rdf.json
- Turtle: 831-1.0051644-turtle.txt
- N-Triples: 831-1.0051644-rdf-ntriples.txt
- Original Record: 831-1.0051644-source.json
- Full Text
- 831-1.0051644-fulltext.txt
- Citation
- 831-1.0051644.ris
Full Text
Cite
Citation Scheme:
Usage Statistics
Share
Embed
Customize your widget with the following options, then copy and paste the code below into the HTML
of your page to embed this item in your website.
<div id="ubcOpenCollectionsWidgetDisplay">
<script id="ubcOpenCollectionsWidget"
src="{[{embed.src}]}"
data-item="{[{embed.item}]}"
data-collection="{[{embed.collection}]}"
data-metadata="{[{embed.showMetadata}]}"
data-width="{[{embed.width}]}"
async >
</script>
</div>
Our image viewer uses the IIIF 2.0 standard.
To load this item in other compatible viewers, use this url:
https://iiif.library.ubc.ca/presentation/dsp.831.1-0051644/manifest