26 September 2003 U. Buy -- SEES 2003

Sidestepping verification complexity with supervisory

control

Ugo BuyDepartment of Computer Science

Houshang DarabiDepartment of Mechanical and Industrial Engineering

University of Illinois at Chicago

26 September 2003 U. Buy -- SEES 2003 2

Outline• Background• P-invariant-based mutex enforcement• Net unfolding• Assessment

26 September 2003 U. Buy -- SEES 2003 3

Acknowledgements

• Panos Antsaklis, Michael Lemmon, Univ. of Notre Dame

• Starthis Corporation, Rosemont, Illinois• NIST/ATP program• Graduate students Bharat Sundararaman and

Vikram Venepally

26 September 2003 U. Buy -- SEES 2003 4

Background• Supervisory control methods for discrete event

systems (DES)— Enforcing concurrency and real-time properties

of embedded systems— Model DES with Finite Automata (FA) or Petri

nets— Add controller that enforces desired properties

to system model• Supervisory control vs. verification

— Potential benefits of supervisory control— Likely obstacles to widespread applicability

26 September 2003 U. Buy -- SEES 2003 5

Definitions• Discrete Event System (DES) is characterized by:

1. Discrete state set2. Event-driven state transitions

• Supervisory controller of a DES:— Given controlled system (a DES) and

correctness property,— supervisor restricts DES behaviors in such a way

that combined system will satisfy the property• Observable and controllable events

26 September 2003 U. Buy -- SEES 2003 6

Why Supervisory Control?• Some SC methods for DES are much more tractable

than verification algorithms• Promising methods:

1. P-invariant-based supervisors (mutex properties)2. Unfolding of Petri nets (deadlock, RT deadlines)

• Caveat:—System must be sufficiently observable,

controllable to permit supervisor definition

26 September 2003 U. Buy -- SEES 2003 7

Why Petri nets?1. Support tractable supervisory control algorithms

• P-invariants and net unfoldings• Automata-based supervisors usually intractable

2. Widely used in some embedded applications• Sequential Function Charts (SFCs) widely used

in manufacturing applications— Part of IEC 61131 standard— Supported by Matlab, RSLogix 5000

26 September 2003 U. Buy -- SEES 2003 8

Petri nets• Ordinary Petri net: Bipartite, directed graph

N=(P,T,F,m0) With: node sets P and T,

arc set F, andinitial marking m0

• Supervisory control problem: Given controlled net N and property P, generate subnet S (supervisor) that restricts N behaviors to satisfy P

26 September 2003 U. Buy -- SEES 2003 9

Enforcing Mutex Constraints• Exploit property of Petri net P-invariants

— Place subset such that weighted sum of tokens in subset is constant in all reachable net markings

— Computed by finding integer solutions x to invariant equation involving incidence matrix D of Petri net:

x·D = 0

26 September 2003 U. Buy -- SEES 2003 10

Examples of P-invariants

t1 t2

t3

t4 t5

p2p1 p3

p4p5

p6

p7

P-invariants:

{ p1, p4 }{ p2, p5, p7}{ p1, p2, p4, p5, p7 }…(unit coefficients)

26 September 2003 U. Buy -- SEES 2003 11

P-invariant based supervisorsMethod (Yamalidou et al. 96)1. Specify mutex properties as linear inequalities on

reachable markings of controlled netl1,1·m1 + l1,2·m2 + l1,3·m3 + … <= b1

l2,1·m1 + l2,2·m2 + l2,3·m3 + … <= b2

…lk,1·m1 + lk,2·m2 + lk,3·m3 + … <= bk

2. Treat constraints matrix as invariant equation, find Petri net (controller) satisfying P-invariant

26 September 2003 U. Buy -- SEES 2003 12

Supervisor synthesis

• Supervisor net defined by simple matrix

multiplicationDC = – L ·D

— L is matrix of mutex constraints— D is incidence matrix of controlled net

• Supervisor net will have k places, zero transitions— k is number of mutex constraints

• Supervisor will be maximally permissive

26 September 2003 U. Buy -- SEES 2003 13

Example of supervisor generation• The readers and writers example without mutex:

• Mutex constraints:p6 + p9 + p10 <≤ 1

p7 + p9 + p10 <≤ 1

p8 + p9 + p10 <≤ 1

26 September 2003 U. Buy -- SEES 2003 14

Example (cont’d)

• The readers and writers example with supervisor:

26 September 2003 U. Buy -- SEES 2003 15

Advantages of Mutex Supervisors

• Complexity proportional to D (aka controlled system) and L (constraints)— Overall complexity polynomial for broad class of

mutex constraints• Supervisors generated are small (no transitions)• Maximally permissive supervisors

26 September 2003 U. Buy -- SEES 2003 16

Limitations of Mutex Supervisors

• Cannot guarantee net liveness (e.g., freedom from deadlock)

• Open issues:— Integration with other supervisors— Priorities on mutex enforcement policy— Empirical evaluation of constraint size

26 September 2003 U. Buy -- SEES 2003 17

Unfolding Petri nets• Transform net into acyclic net capturing repetitive

bevahiors of original net• Unfolding appeal:

— Capture causal relationship on transition firing— Identify choice points— Identify fundamental execution paths

• History of net unfolding— McMillan 92, Esparza et al. 02, He and Lemmon

02, Semenov and Yakovlev 96 (time Petri nets)

26 September 2003 U. Buy -- SEES 2003 18

Net unfolding: Definitions• Node x in net N precedes node y if there is path

from x to y in N— Write x<y

• Node x in conflict with y if N contains paths diverging immediately after a place p and leading to x and y— Write x#y

• Node x in self-conflict if N contains paths diverging immediately after a place p and leading to x— Write x#x

26 September 2003 U. Buy -- SEES 2003 19

Unfolding untimed netsGiven net N, unfolding of N is a net U subject such

that: 1. Nodes in U are mapped to nodes in N 2. Each place in U has at most one input transition3. Net U is acyclic4. No U node is in self conflict5. Completeness property: Every reachable marking

of N is in U

26 September 2003 U. Buy -- SEES 2003 20

Example of unfolding

The original net:t1 t2

t8t7

t3 t4

t5 t6

p2p1 p3

p4p5

p6

p7 p8

p9

26 September 2003 U. Buy -- SEES 2003 21

Example of unfolding

t1 t2

t7

t3 t4

t5 t6

p2p1 p3

p4p5 p6

p7

p9

p2’

p9’

p5’

p9” p9’”

t5’ t6’p8 p7’ p8’

t3’ t4’

p1’ p3’p2’’

t8

The unfolded net:

26 September 2003 U. Buy -- SEES 2003 22

Applications of unfolding

• Enforcing freedom from deadlock (He and Lemmon 02)— Deadlocks detected directly in unfolding— Eliminate deadlocks by dynamically disabling

transition that causes deadlock• Enforcing compliance with real-time deadlines

(Buy and Darabi 03)— Latency of transition t: upper bound on the

delay between the firing of t and the time when a target transition can be fired

26 September 2003 U. Buy -- SEES 2003 23

A New Programming Paradigm?1. Design/Code concurrent system without paying

attention to correctness properties2. Submit system description and property

specification to supervisor generator3. Generator adds supervisor to original system4. Allegedly, a very long shot…

26 September 2003 U. Buy -- SEES 2003 24

Future work1. Integration of supervisors for different properties2. Refine properties enforced3. System, property specifications