Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

09: Reactions & Delays Logical Foundations of Cyber-Physical Systems André Platzer Logical Foundations of Cyber-Physical Systems André Platzer André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 1 / 17

Outline Learning Objectives 1 Delays in Control 2 The Impact of Delays on Event Detection Cartesian Demon Model-Predictive Control Basics Design-by-Invariant Controlling the Control Points Sequencing and Prioritizing Reactions Time-Triggered Verification 3 Summary André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 2 / 17

Outline Learning Objectives 1 Delays in Control 2 The Impact of Delays on Event Detection Cartesian Demon Model-Predictive Control Basics Design-by-Invariant Controlling the Control Points Sequencing and Prioritizing Reactions Time-Triggered Verification 3 Summary André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 2 / 17

Learning Objectives Reactions & Delays using loop invariants design time-triggered control design-by-invariant CT M&C CPS modeling CPS semantics of time-triggered control designing controls operational effect time-triggered control finding control constraints reaction delays model-predictive control discrete sensing André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 3 / 17

Outline Learning Objectives 1 Delays in Control 2 The Impact of Delays on Event Detection Cartesian Demon Model-Predictive Control Basics Design-by-Invariant Controlling the Control Points Sequencing and Prioritizing Reactions Time-Triggered Verification 3 Summary André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 3 / 17

Quantum’s Ping-Pong Proof Invariants Proposition (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → ( { x ′ = v , v ′ = − g & x ≥ 0 ∧ x ≤ 5 }∪{ x ′ = v , v ′ = − g & x ≥ 5 } ); �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) @invariant ( 0 ≤ x ≤ 5 ∧ ( x = 5 → v ≤ 0 )) Proof André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 4 / 17

Quantum’s Ping-Pong Proof Invariants Proposition (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → ( { x ′ = v , v ′ = − g & x ≥ 0 ∧ x ≤ 5 }∪{ x ′ = v , v ′ = − g & x ≥ 5 } ); �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) @invariant ( 0 ≤ x ≤ 5 ∧ ( x = 5 → v ≤ 0 )) Proof Just can’t implement . . . André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 4 / 17

Physical vs. Controller Events Physical vs. Controller Events Justifiable: Physical events (on ground x = 0) 1 Justifiable: Physical evolution domains (above ground x ≥ 0) 2 Questionable: Controller evolution domain ( x ≤ 5) 3 Unlike physics, controllers won’t run all the time. Just fairly often. 4 Controllers cannot sense and compute all the time. 5 If you expect the world to change for your controller’s sake, you may be in for a surprise. André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 5 / 17

Back to the Drawing Desk: Quantum the Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → { x ′ = v , v ′ = − g & x ≥ 0 } ; �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) Ask René Descartes Proof? André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 6 / 17

Back to the Drawing Desk: Quantum the Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → { x ′ = v , v ′ = − g & x ≥ 0 } ; �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) Ask René Descartes who says no! Proof? Could miss if-then event André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 6 / 17

Back to the Drawing Desk: Quantum the Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → { x ′ = v , v ′ = − g & x ≥ 0 ∧ t ≤ 1 } ; �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) Proof? André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 6 / 17

Back to the Drawing Desk: Quantum the Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } ; �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) Proof? André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 6 / 17

Back to the Drawing Desk: Quantum the Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } ; �� � ∗ � if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ( 0 ≤ x ≤ 5 ) Ask René Descartes Proof? Wind up a clock André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 6 / 17

Quantum the Time-triggered Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → �� if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ; t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } � ∗ � ( 0 ≤ x ≤ 5 ) Ask René Descartes Proof? Control action before physics André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 7 / 17

Quantum the Time-triggered Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → �� if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ; t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } � ∗ � ( 0 ≤ x ≤ 5 ) Ask René Descartes Proof? Could act early or late André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 8 / 17

Quantum the Time-triggered Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → �� if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ; t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } � ∗ � ( 0 ≤ x ≤ 5 ) Ask René Descartes who says no! Proof? Could miss event off control cycle André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 8 / 17

Delays May Miss Events Delays vs. Events Periodically/frequently monitor for an event with a polling frequency / 1 reaction time. Delays may make the controller miss events. 2 Discrepancy between event-triggered idea vs. real time-triggered 3 implementation. Issues indicate poor event abstraction. 4 Slow controllers monitoring small regions of a fast moving system. 5 Controller needs to be aware of its own delay. 6 André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 9 / 17

Cartesian Doubt: Descartes’s Cartesian Demon 1641 Outwit the Cartesian Demon Skeptical about the truth of all beliefs until justification has been found. André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 10 / 17

Quantum the Time-triggered Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → �� if ( x = 0 ) v := − cv elseif ( 4 ≤ x ≤ 5 ∧ v ≥ 0 ) v := − fv ; t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } � ∗ � ( 0 ≤ x ≤ 5 ) Ask René Descartes who says no! Proof? Could miss event off control cycle André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 11 / 17

Quantum the Time-triggered Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g = 1 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → �� if ( x = 0 ) v := − cv elseif ( x > 5 1 2 − v ∧ v ≥ 0 ) v := − fv ; t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } � ∗ � ( 0 ≤ x ≤ 5 ) Ask René Descartes Proof? predict 1s: x + v − g 2 > 5 André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 11 / 17

Quantum the Time-triggered Ping-Pong Ball Conjecture (Quantum can play ping-pong safely) 0 ≤ x ∧ x ≤ 5 ∧ v ≤ 0 ∧ g = 1 ∧ 1 ≥ c ≥ 0 ∧ f ≥ 0 → �� if ( x = 0 ) v := − cv elseif ( x > 5 1 2 − v ∧ v ≥ 0 ) v := − fv ; t := 0 ; { x ′ = v , v ′ = − g , t ′ = 1 & x ≥ 0 ∧ t ≤ 1 } � ∗ � ( 0 ≤ x ≤ 5 ) Ask René Descartes who says no! Proof? Safe after 1 s but not until then All depends on sampling André Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 11 / 17