A Refinement Based Approach to Hybrid Systems: Hybrid Event-B
Richard Banach
School of Computer Science, University of Manchester, UK
Contents
1. Discrete Event-B Basics
2. Example
3. Proof Obligations
4. Refinement in Event-B
5. Example, ctd.
6. Proof Obligations, ctd.
7. Principles for Hybrid Event-B
8. Formal Semantics (Sketch)
9. Examples
10. More Proof Obligations
11. Conclusions

Banach A Refinement Based Approach to Hybrid Systems 2
1. Discrete Event-B Basics

Event-B is a simplification of the Classical B-Method, which was one of the earliest ‘full process’ top-down development methodologies.

A typical Event-B model has the following characteristics:
• static contexts
• commands – guards (no preconditions)
• commands – actions (deterministic, nondeterministic)
• invariants

Straightforward trace style semantics, policed by proof obligations.
• intended for industrial application
2. Example

MACHINE Nodes
  SEES NCtx
  VARIABLES nod
  INVARIANTS
    nod ∈ P(NSet)
  EVENTS
    INITIALISATION
      STATUS ordinary
      BEGIN nod := ∅ END
    AddNode
      STATUS ordinary
      ANY n
      WHERE n ∈ NSet − nod
      THEN nod := nod ∪ { n }
      END
END

CONTEXT NCtx
  SETS NSet
  CONSTANTS aa, bb, cc, dd
  AXIOMS
    NSet = { aa, bb, cc, dd }
END
3. Proof Obligations

Event-B machines are defined to be consistent when the POs are provable.
• initialisation feasibility:
    ∃ u′ • Init_A(u′)
• invariant establishment:
    Init_A(u′) ⇒ I(u′)
• event feasibility:
    I(u) ∧ grd_MoEvA(u, i) ⇒ (∃ u′ • BApred_MoEvA(u, i, u′))
• invariant preservation:
    I(u) ∧ grd_MoEvA(u, i) ∧ BApred_MoEvA(u, i, u′) ⇒ I(u′)
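For a finite machine such as Nodes these four POs can be discharged by brute force, which is a useful way to see exactly what each one quantifies over. The Python below is an added illustration, not code from the slides or from any Event-B tool: it encodes Nodes as predicates over the state u = nod, enumerates every value of nod, and reports each PO together with the first counterexample it finds. The stronger candidate invariant card(nod) ≤ 2 is my own addition, included to show what a failed invariant-preservation PO looks like.

```python
from itertools import combinations

NSET = frozenset({"aa", "bb", "cc", "dd"})     # carrier set from context NCtx

def subsets(s):
    """All subsets of a finite set, smallest first."""
    items = sorted(s)
    return [frozenset(c) for r in range(len(items) + 1) for c in combinations(items, r)]

STATES = subsets(NSET)                          # every candidate value of the state u = nod

def make_nodes(extra_inv=lambda nod: True):
    """Machine Nodes as predicates; extra_inv lets us try a stronger invariant (my addition)."""
    return {
        "init": lambda u2: u2 == frozenset(),                    # Init_A(u′): nod := ∅
        "inv": lambda u: u <= NSET and extra_inv(u),             # I(u): nod ∈ P(NSet)
        "params": NSET,                                          # the parameter i ranges over NSet
        "events": {
            "AddNode": (lambda u, n: n in NSET - u,              # grd(u, i): n ∈ NSet − nod
                        lambda u, n, u2: u2 == u | {n}),         # BApred(u, i, u′): nod′ = nod ∪ {n}
        },
    }

def check_machine(m, states):
    """Evaluate the four POs by enumeration; returns {po: (holds, counterexample)}."""
    res = {}
    inits = [u2 for u2 in states if m["init"](u2)]
    res["initialisation feasibility"] = (bool(inits), None)
    bad = [u2 for u2 in inits if not m["inv"](u2)]
    res["invariant establishment"] = (not bad, bad[0] if bad else None)
    feas, pres = (True, None), (True, None)
    for name, (grd, bapred) in m["events"].items():
        for u in states:
            if not m["inv"](u):
                continue                                         # POs assume I(u) ...
            for i in sorted(m["params"]):
                if not grd(u, i):
                    continue                                     # ... and grd(u, i)
                succ = [u2 for u2 in states if bapred(u, i, u2)]
                if not succ and feas[0]:
                    feas = (False, (name, u, i))                 # no u′ with BApred(u, i, u′)
                for u2 in succ:
                    if not m["inv"](u2) and pres[0]:
                        pres = (False, (name, u, i, u2))         # a u′ that breaks I
    res["event feasibility"] = feas
    res["invariant preservation"] = pres
    return res

def nodes_consistent():
    """All four POs hold for Nodes as written on the slide."""
    return all(ok for ok, _ in check_machine(make_nodes(), STATES).values())

def bounded_nodes_counterexample():
    """card(nod) ≤ 2 is a candidate invariant that AddNode does not preserve:
    from a 2-element nod the event produces a 3-element one."""
    return check_machine(make_nodes(lambda nod: len(nod) <= 2), STATES)["invariant preservation"]

if __name__ == "__main__":
    for po, (ok, ce) in check_machine(make_nodes(), STATES).items():
        print(f"{po:28s} {'holds' if ok else 'FAILS: ' + str(ce)}")
    print("card(nod) ≤ 2:", bounded_nodes_counterexample())
```

The enumeration follows the shape of the POs literally: states that violate I(u) or the guard are skipped because they sit in the hypothesis, and only after-states related by BApred are inspected. That is also why the candidate invariant fails only from a 2-element nod: smaller states never produce a 3-element successor.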
4. Refinement in Event-B

Top-down development in Event-B is achieved via refinement.
• add detail
• restrict nondeterminism
• new events, convergence
• nontrivial retrieve relations via joint invariants

Refinement notion policed by proof obligations.
5. Example, ctd.

MACHINE Nodes
  SEES NCtx
  VARIABLES nod
  INVARIANTS
    nod ∈ P(NSet)
  EVENTS
    INITIALISATION
      STATUS ordinary
      BEGIN nod := ∅ END
    AddNode
      STATUS ordinary
      ANY n
      WHERE n ∈ NSet − nod
      THEN nod := nod ∪ { n }
      END
END

MACHINE Edges
  REFINES Nodes
  SEES NCtx
  VARIABLES nod, edg
  INVARIANTS
    nod ∈ P(NSet)
    edg ∈ P(NSet × NSet)
    edg ⊆ nod × nod
  EVENTS
    INITIALISATION
      STATUS ordinary
      BEGIN nod := ∅ END
    AddNode
      STATUS ordinary
      REFINES AddNode
      ANY n
      WHERE n ∈ NSet − nod
      THEN nod := nod ∪ { n }
      END
    AddEdge
      STATUS convergent
      ANY n, m
      WHERE { n, m } ⊆ nod
            n ↦ m ∈ NSet × NSet − edg
      THEN edg := edg ∪ { n ↦ m }
      END
  VARIANT card(NSet × NSet − edg)
END
6. Proof Obligations, ctd.

Event-B refinements are defined to be consistent when the POs are provable.
• initialisation feasibility:
    ∃ w′ • Init_C(w′)
• initialisation relative consistency:
    Init_C(w′) ⇒ (∃ u′ • Init_A(u′) ∧ K(u′, w′))
• relative event feasibility:
    ∃ u • K(u, w) ∧ grd_MoEvC(w, k) ⇒ (∃ w′ • BApred_MoEvC(w, k, w′))
• guard strengthening:
    I(u) ∧ K(u, w) ∧ grd_MoEvC(w, k) ⇒ (∃ i • grd_MoEvA(u, i))
6. Proof Obligations, ctd. ...

• joint invariant preservation:
    I(u) ∧ K(u, w) ∧ grd_MoEvC(w, k) ∧ BApred_MoEvC(w, k, w′) ⇒ (∃ i, u′ • BApred_MoEvA(u, i, u′) ∧ K(u′, w′))
• new events, joint invariant preservation: ‘new events refine skip’
    I(u) ∧ K(u, w) ∧ grd_MoEvC(w, k) ∧ BApred_MoEvC(w, k, w′) ⇒ K(u, w′)
• new events, convergence:
    BApred_NewEvC(w, k, w′) ⇒ V(w′) < V(w)
• old and new events, relative deadlock freedom (using witness):
    I(u) ∧ K(u, w) ∧ (∃ u′, w′ • W(i, k, u, u′, w, w′)) ∧ [grd_MoEvA1(u, i) ∨ grd_MoEvA2(u, i) ∨ ... ∨ grd_MoEvAN(u, i)]
      ⇒ grd_MoEvC1(w, k) ∨ grd_MoEvC2(w, k) ∨ ... ∨ grd_MoEvCM(w, k)
7. Principles for Hybrid Event-B

Discrete Event-B has no time. Need to incorporate time.
• In Hybrid Event-B, time is ℝ⁺, say, read-only.

Discrete Event-B has no continuous behaviour. Need to incorporate this.
• In Hybrid Event-B, distinguish between mode events and pliant events.
• Demand that in Hybrid Event-B, pliant transitions interleave mode transitions of discrete Event-B. Preemption semantics.
• Demand usual differentiability, Lipschitz, measurability properties of pliant events.
• Demand usual Zeno, càdlàg properties of pliant transitions.
7. Principles for Hybrid Event-B ...

Mode event decorated with semantic interpretation (u⃖ denotes the left limit, u⃗ the right limit):

MoEv
  ANY i⃗
  WHERE grd(u⃖, i⃗)
  THEN u⃗ := E(u⃖, i⃗)
END

MoEv
  ANY i⃗
  WHERE grd(u⃖, i⃗)
  THEN u⃗ :| BApred(u⃖, i⃗, u⃗′)
END

Left limits for before-values, right limits for after-values.
7. Principles for Hybrid Event-B ... ...

Refinement.
• In Hybrid Event-B, time moves at the same rate in all models of a refinement chain. Gives tight abstract/concrete coupling.

[Figure: timeline of an abstract run PliEvA1, MoEvA1, PliEvA2, MoEvA2, MoEvA3 against the concrete run PliEvC1, MoEvC1, PliEvC2.1, MoEvC2.1, PliEvC2.2, MoEvC2.2, PliEvC2.3, MoEvC2, MoEvC3; the abstract pliant event PliEvA2 corresponds to the three concrete pliant events PliEvC2.1, PliEvC2.2, PliEvC2.3, separated by the new concrete mode events MoEvC2.1 and MoEvC2.2.]
8. Formal Semantics (Sketch)

[1] Initialise. (Mode event.) i := 0
[2a] Choose an enabled pliant event from each machine that has one. (Consistency.)
  or else
[2b] Choose a pliant continuation for each machine that has one. (Consistency.)
  or else
[2c] Choose a constant behaviour for each remaining variable.
[3] Find the maximal mutually consistent solution on [t_i ... t_new).
[4] Find the earliest mode event preemption point in (t_i ... t_new), if there is one. (If not, finite or infinite termination.)
[5] Implement the mode event preemption; i++; discard the solution in (t_i ... t_new).
[6] goto [2].

Semantics is a set of behaviours over [t_0 ... t_final), or void.
9. Examples – 1

MACHINE HyEvBMch
  TIME t
  CLOCK clk
  PLIANT x
  VARIABLES u
  INVARIANTS
    x ∈ ℝ
    u ∈ ...
  EVENTS
    INITIALISATION
      STATUS ordinary
      WHEN t = 0
      THEN clk := 1
           u := u0
           x := x0
      END
    ...
    PliEvDE
      STATUS pliant
      INIT iv(x)
      WHEN grd(u)
      ANY i
      WHERE BDApred(x, i, t)
      SOLVE D x = φ(x, i, t)
      END
    PliEvNA
      STATUS pliant
      INIT iv(x)
      WHEN grd(u)
      ANY i
      THEN x :| BDApred(x, i, t)
      END
    ...
END
9. Examples ... – 2

MACHINE ExUp
  TIME t
  CLOCK clk
  PLIANT x
  VARIABLES md
  INVARIANTS
    md ∈ { stat, dyn }
    t ∈ [0 ... ∞)
    x ∈ [0 ... 10]
  EVENTS
    INITIALISATION
      STATUS ordinary
      WHEN t = 0
      THEN md := dyn
           x := 0
           clk := 1
      END
    IncPLi
      STATUS pliant
      WHEN md = dyn
      SOLVE D x = 1
      END
    ...
    IncD
      WHEN t ∈ ℕ ∧ t ∈ { 1 ... 9 }
      THEN skip
      END
    Stop
      STATUS ordinary
      WHEN t = 10
      THEN md := stat
      END
    FINAL
      STATUS pliant final
      WHEN clk = 11
      THEN skip
      END
END
9. Examples ... – 2

MACHINE ExUpR
  REFINES ExUp
  TIME t
  CLOCK clk
  PLIANT w
  VARIABLES md
  INVARIANTS
    md ∈ { stat, dyn }
    t ∈ [0 ... ∞)
    w ∈ [0 ... 10]
    w = ⌊x⌋
  EVENTS
    INITIALISATION
      STATUS ordinary
      REFINES INITIALISATION
      WHEN t = 0
      THEN md := dyn
           w := 0
           clk := 1
      END
    IncPLi
      STATUS pliant
      REFINES IncPLi
      WHEN md = dyn
      THEN skip
      END
    ...
    IncD
      WHEN t ∈ ℕ ∧ t ∈ { 1 ... 9 }
      THEN w := w + 1
      END
    Stop
      STATUS ordinary
      REFINES Stop
      WHEN t = 10
      THEN md := stat
           w := w + 1
      END
    FINAL
      STATUS pliant final
      REFINES FINAL
      WHEN clk = 11
      THEN skip
      END
END
9. Examples ... ... – 3

MACHINE ExUpQuadR
  REFINES ExUpQuad
  TIME t
  PLIANT x
  VARIABLES md
  INVARIANTS
    md ∈ { stat, dyn }
    t ∈ [0 ... ∞)
    x ∈ [0 ... 9]
  EVENTS
    INITIALISATION
      STATUS ordinary
      REFINES INITIALISATION
      WHEN t = 0
      THEN md := dyn
           x := 0
      END
    IncPLi
      STATUS pliant
      REFINES IncPLi
      WHEN md = dyn
      SOLVE D x = 2 t
      END
    ...
    IncD
      STATUS ordinary
      WHEN t ∈ ℕ ∧ t ∈ { 1 ... 2 }
      THEN skip
      END
    Stop
      STATUS ordinary
      REFINES Stop
      WHEN t = 3
      THEN md := stat
      END
    FINAL
      STATUS pliant final
      WHEN t = 3
      THEN skip
      END
END
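The semantics sketch of section 8 and the ExUp, ExUpR and ExUpQuadR machines of section 9 can be executed together, because every mode-event guard in these examples is time-triggered and every SOLVE clause has a closed-form solution. The Python below is an added illustration, not code from the slides or from any Hybrid Event-B tool: run() implements steps [1] to [6] for one machine (pliant solution on [t_i, t_new), the left limit at t_new taken as the before-values of the preempting mode event, its after-values as the right limit), and lockstep() runs ExUp and ExUpR side by side to check that their mode events coincide in time and that the joint invariant w = ⌊x⌋ holds at every recorded point. My own choices, not on the slides: exact rationals (Fraction) for time and state, CLOCK clk modelled as a variable advancing at rate 1 from its initial value 1, each mode event supplying a next(t) function that computes its next enabling instant (a substitute for the search in step [4] that is valid only because these guards depend on time alone), and ExUpQuadR run on its own, since its abstract machine ExUpQuad is not shown.

```python
from fractions import Fraction as F
from math import floor

def run(machine):
    """Steps [1]-[6] of the semantics sketch for one machine (assumption: time-only mode
    guards, closed-form pliant solutions). Returns the trace and how the run ended."""
    t, st = F(0), machine["init"]()                         # [1] initialise, i := 0
    trace = [(t, "INITIALISATION", dict(st))]
    while True:                                             # [6] goto [2]
        enabled = [p for p in machine["pliant"] if p["guard"](t, st)]
        if not enabled:                                     # [2] no pliant continuation
            return trace, ("void", t)
        p = enabled[0]
        if p["final"]:                                      # a 'pliant final' event ends the run
            return trace, ("final", t)
        cands = [(m["next"](t), m) for m in machine["mode"] if m["next"](t) is not None]
        if not cands:                                       # [4] no preemption point: infinite run
            return trace, ("infinite", t)
        t_new = min(tt for tt, _ in cands)                  # earliest preemption point
        mid = (t + t_new) / 2                               # [3] solution on [t, t_new): sample it
        for tt in (t, mid):
            if not machine["inv"](tt, p["solve"](st, t, tt)):
                raise AssertionError(f"{machine['name']}: invariant violated at t = {tt}")
        trace.append((mid, p["name"], p["solve"](st, t, mid)))
        before = p["solve"](st, t, t_new)                   # left limit = before-values
        m = next(m for tt, m in cands if tt == t_new)       # [5] preempt; i++; rest discarded
        t, st = t_new, m["action"](before)                  # right limit = after-values
        trace.append((t, m["name"], dict(st)))

def at_integers(upto):          # guard t ∈ N ∧ t ∈ {1 ... upto}: next integer instant after t
    return lambda t: F(floor(t) + 1) if floor(t) + 1 <= upto else None
def at_time(t_stop):            # guard t = t_stop
    return lambda t: F(t_stop) if t < t_stop else None
def dyn(t, st): return st["md"] == "dyn"

def ExUp():
    return {"name": "ExUp",
        "init": lambda: {"md": "dyn", "x": F(0), "clk": F(1)},
        "pliant": [
            {"name": "IncPLi", "guard": dyn, "final": False,     # SOLVE D x = 1; clk runs at rate 1
             "solve": lambda st, t0, t: {**st, "x": st["x"] + (t - t0), "clk": st["clk"] + (t - t0)}},
            {"name": "FINAL", "guard": lambda t, st: st["clk"] == 11, "final": True}],
        "mode": [
            {"name": "IncD", "next": at_integers(9), "action": lambda st: st},       # skip
            {"name": "Stop", "next": at_time(10), "action": lambda st: {**st, "md": "stat"}}],
        "inv": lambda t, st: st["md"] in {"stat", "dyn"} and t >= 0 and 0 <= st["x"] <= 10}

def ExUpR():
    return {"name": "ExUpR",
        "init": lambda: {"md": "dyn", "w": 0, "clk": F(1)},
        "pliant": [
            {"name": "IncPLi", "guard": dyn, "final": False,     # THEN skip: w is piecewise constant
             "solve": lambda st, t0, t: {**st, "clk": st["clk"] + (t - t0)}},
            {"name": "FINAL", "guard": lambda t, st: st["clk"] == 11, "final": True}],
        "mode": [
            {"name": "IncD", "next": at_integers(9), "action": lambda st: {**st, "w": st["w"] + 1}},
            {"name": "Stop", "next": at_time(10),
             "action": lambda st: {**st, "md": "stat", "w": st["w"] + 1}}],
        "inv": lambda t, st: st["md"] in {"stat", "dyn"} and t >= 0 and 0 <= st["w"] <= 10}

def ExUpQuadR():
    return {"name": "ExUpQuadR",
        "init": lambda: {"md": "dyn", "x": F(0)},
        "pliant": [
            {"name": "IncPLi", "guard": dyn, "final": False,     # SOLVE D x = 2t: x(t) = x(t0) + t² − t0²
             "solve": lambda st, t0, t: {**st, "x": st["x"] + t * t - t0 * t0}},
            {"name": "FINAL", "guard": lambda t, st: t == 3, "final": True}],
        "mode": [
            {"name": "IncD", "next": at_integers(2), "action": lambda st: st},
            {"name": "Stop", "next": at_time(3), "action": lambda st: {**st, "md": "stat"}}],
        "inv": lambda t, st: st["md"] in {"stat", "dyn"} and t >= 0 and 0 <= st["x"] <= 9}

def lockstep(abstract, concrete, joint):
    """Time moves at the same rate in both machines: mode events must coincide in time and
    name, and the joint invariant must hold at every recorded point of both traces."""
    ta, ea = run(abstract)
    tc, ec = run(concrete)
    return ea == ec and len(ta) == len(tc) and all(
        t1 == t2 and n1 == n2 and joint(s1, s2) for (t1, n1, s1), (t2, n2, s2) in zip(ta, tc))

def exupr_refines_exup():
    return lockstep(ExUp(), ExUpR(), lambda a, c: c["w"] == floor(a["x"]))   # joint invariant w = ⌊x⌋
```

The samples deliberately stop short of the left limit at t_new: at t = k the left limit of ExUp has x = k while ExUpR still has w = k − 1, so w = ⌊x⌋ is an invariant of the half-open pliant intervals and of the after-values, exactly as the slide's "left limits for before-values, right limits for after-values" convention prescribes. A guard that depended on a pliant variable rather than on t would need step [4] to search for the preemption point along the solution instead of computing it with next(t).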