# Cyber-Physical Systems

#### Laura Nenzi

Università degli Studi di Trieste Il Semestre 2019

#### Lecture 3: Concurrent Modeling

[Many Slides due to J. Deshmukh, Toyota]

# **Functional Components**

- 1. *Classical* model of computation: Functional or Transformational Programs
  - Start from a given input,
  - Produce a certain output and then terminate
  - Desired functionality can be described by a mathematical function
  - Emphasis is on data computation

# Reactive Components

- 2. Reactive Programs:
  - It maintains and internal state
  - Continuously interact with the environment at a rate decided by the environment
  - Emphasis is on system-environment interaction; e.g. airline autopilot, mail-servers, etc.

# Synchronous Models

All components execute in a sequence of rounds in lock-step



Example:

- Components in a digital hardware circuit with a central global clock
- Fixed-step Simulation Models of Discrete Components in Simulink

# Synchronous languages

Benefit: system design is simpler if we use a simple round-based computation

Challenge: How do we ensure synchronous execution when components may execute on different hardware?

#### Simple Representation of a Synchronous Component



# Simplest synchronous component: delay

 $(Boolean = \{ 0, 1 \})$ 

- Input variable: in of type Boolean
- Output variable: out of type Boolean
- State variable: x of type Boolean, initialized to 0
- In each round, component updates output from the state and state from input



# Execution of "Delay"

- Initialize state to 0
- Repeatedly execute rounds
- In each round:
  - Choose value for input (provided from environment, e.g. by user)
  - Execute update code



$$0 \xrightarrow{1/0} 1 \xrightarrow{1/1} 1 \xrightarrow{0/1} 0 \xrightarrow{0/0} 0 \xrightarrow{1/0} 1 \xrightarrow{0} 1$$

# Synchrony hypothesis

- Time needed to execute update is negligible compared to arrival times between consecutive inputs
- Synchronous execution is a *logical abstraction* 
  - Execution time of update code is 0
  - Production of outputs, updates to state and arrival of inputs happen instantaneously
- With multiple components, assume all execute synchronously and simultaneously
- Burden on design-time to validate hypothesis

# Let's Formalize an SRC

#### SRC is defined as a tuple: (I, O, X, U), where:

| Symbol | Designation            | Examples                                                         |
|--------|------------------------|------------------------------------------------------------------|
| Ι      | Set of Inputs          | { in}                                                            |
| X      | Set of State Variables | { <i>x</i> }                                                     |
| 0      | Set of Outputs         | {out}                                                            |
| U      | Set of Updates         | $\begin{array}{l} out \coloneqq x \\ x \coloneqq in \end{array}$ |

# Semantics of updates & initialization

- Let the set of input, output, and state values be  $Q_I$ ,  $Q_O$ ,  $Q_X$
- Semantics of the initialization function:
  - > At time/round 0, maps the state variables to some specified value (or values) in  $Q_X$
- Semantics of the update function (some sequence of conditionals and assignments):
  - ► A set R of transitions where each transition is of the form: q → q', where q is the old value of the state variables, q' is the new value of the state variables, i is the value of the input in that round, and o is the value of the output
  - ► *R* is a subset of  $Q_X \times Q_I \times Q_O \times Q_X$

# What are the $Q_I$ , $Q_O$ , $Q_X$ for these SRCs?



 $Q_I = \{0,1\}, Q_X = int \times \{0,1\}, Q_O = int$ 

# Transitions for Delay



# Composition of Synchronous Components



Delay sequentially composed with Delay

### Composition of Synchronous Components



# What does this model achieve?



end

exceeds the number of '1' inputs it has seen by 2, at any point in its execution, then the warn output becomes 1

# Deterministic Component

- An SRC is deterministic if:
  - It has a single initial state
  - Updates ensure that for every state q and input i, there is a unique state q' and output o such that (q, i, o, q') is a transition
- Determinism means for same input sequence, you get same state/output sequence every single time
- Note:
  - Nondeterminism is useful for modeling uncertainty/unknown and compactness



It is not the same as probabilistic/random choice!

#### Extended State Machines

Commonly used to describe behavior of MBD models



#### Extended State Machines

Does this ESM remind you of something?



### Component Switch: What does this do?

| had proce  |                                                |  |
|------------|------------------------------------------------|--|
| bool press | int x := 0                                     |  |
|            | bool q := 0                                    |  |
|            | switch (q)                                     |  |
|            | case 0: if (press==1) q:= 1                    |  |
|            | case 1: if (press==0) & (x < 10)               |  |
|            | q:=1; x:= x+1                                  |  |
|            | elseif (press==1) or ( x >= 10)<br>q:=0; x:= 0 |  |
|            | end                                            |  |
|            | end                                            |  |
|            |                                                |  |

#### ESM corresponding to Switch SRC



### ESM notation



- Implicit variable called "mode" that is a *discrete* state variable over some finite enumeration. Here: {on, off}
- SRC transition may correspond to mode-switch
  - Each mode-switch has guard/update. Example:
    - ▶ Guard: (press==0) & (x<10) and
    - Update: x:= x+1

#### ESM execution

| $int x \coloneqq 0$         | Start in mode off; initial state =<br>(off,0) |                                                                                                               |                                                                                                             |
|-----------------------------|-----------------------------------------------|---------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
| (press==0)? off (press==1)? | Sample executions:                            | $(off, 0) \ \downarrow 0 \ (off, 0) \ \downarrow 1 \ (on, 0)$                                                 | $(off, 0) \ \downarrow 0 \ (off, 0) \ \downarrow 1 \ (on, 0)$                                               |
| (D(PSS = 1)) O((X - 10))    | ==0) & (x<10) ?<br>= x + 1                    | (on, 0)<br>$\downarrow 0$<br>(on, 1)<br>$\vdots$<br>$\downarrow 0$<br>(on, 10)<br>$\downarrow 0$<br>(of f, 0) | (on, 0)<br>$\downarrow 0$<br>(on, 1)<br>$\vdots$<br>$\downarrow 0$<br>(on, 5)<br>$\downarrow 1$<br>(off, 0) |

#### ESM transitions could be nondeterministic!



# Event-triggered Components

- What to do if we want some components to *not* participate in some rounds?
- Event is a special input/output variable, which can be absent or present
- Event variable has value only if it is present
- Syntax:

| e?  | True if e is present                 |  |
|-----|--------------------------------------|--|
| e!a | e gets the value of the assignment a |  |

# **Event-triggered** Copy



# Event-triggered Components

No need to execute in a round where triggering events are absent



#### Finite-state Components

Component is finite state if all variables are over finite types



# FSM Software Tools

- Statecharts (Harel, 1987), a notation for concurrent composition of hierarchical FSMs, has influenced many of these tools.
- One of the first tools supporting the Statecharts notation is STATEMATE (Harel et al., 1990), which subse- quently evolved into Rational Rhapsody, sold by IBM.
- Almost every software engineering tool that provides UML (unified modeling language) capabilities (Booch et al., 1998).
- SyncCharts (André, 1996) is a particularly nice variant in that it borrows the rigorous semantics of Esterel (Berry and Gonthier, 1992) for composition of concurrent FSMs.
- LabVIEW supports a variant of Statecharts that can operate within dataflow diagrams
- Simulink with its Stateflow extension supports a variant that can operate within continuous-time models.

# Cruise Controller Example



### Sensors

- Rotation Sensor: Wheel speed sensor or vehicle speed sensor
- Type of a tachometer
- Counts number of rotations per second and as the wheel radius is known, can compute the linear speed of the car



- The ABS wheel speed sensor generates a small electrical pulse whenever a tooth on the tone ring moves through the magnetic field of the pick up coil
- Continuous rotation of the tone ring produces an AC current whose frequency – measured in Hertz – is proportional to wheel speed

(From Porter and Chester Institute slides on Google Image Search)

#### Actuator



ThrottleController is an actuator that gets a force/torque required to adjust the throttle plate which leads to tracking the desired speed

#### Decomposing CruiseController further



## MeasureSpeed SRC



MeasureSpeed SRC

#### Asynchronous Components

# Asynchrony

- Synchrony: All components execute in a sequence of rounds in lock-step
- Asynchrony: No lock-step computation!
- Natural model for networked, distributed communicating components executing independently and at possibly different speeds
- As there is no central, global clock, explicit coordination is required between components
- Examples:
  - Processes in distributed computation, multiple threads in any modern OS
  - Interrupt-driven processing

#### Asynchronous Reactive Component Example



## Asynchronous Reactive Component



- Input channel in of type bool
- Output channel out of type bool
- State variable x of type bool+Ø. The value Ø indicates empty or null.
- x initialized to Ø
- Input task T<sub>in</sub> reads input value into x
- Output task T<sub>out</sub> produces output if x is not empty

#### Asynchronous Reactive Component Execution

- Execution Model: In each step only one task is executed
- Task can be executed only if it is enabled (i.e. if its guard condition is true)
- If multiple guard conditions are true, one task is nondeterministically executed

Sample execution:

$$\emptyset \xrightarrow[T_{in}]{in?0} 0 \xrightarrow[T_{out}]{out!0} \emptyset \xrightarrow[T_{in}]{in?1} 1 \xrightarrow[T_{in}]{in?0} 0 \xrightarrow[T_{out}]{out!0} \emptyset$$

bool  
in  

$$T_{in}: x := in$$

$$T_{out}:$$

$$x \neq \emptyset \rightarrow \{ \text{ out } := x;$$

$$x := \emptyset \}$$

**Buffer** 

## Example: Asynchrony + Nondeterminism

- ARC may have no inputs or outputs, just internal tasks
  - Update may have no guards
- In each step, execute  $T_x$  or  $T_y$
- Sample execution:

$$(0,0) \underset{T_{y}}{\rightarrow} (0,1) \underset{T_{y}}{\rightarrow} (0,2) \underset{T_{x}}{\rightarrow} (1,2) \underset{T_{y}}{\rightarrow} (1,3)$$

#### Interleaved model of concurrency



## Asynchronous Process/Reactive Component

bool  
in  

$$T_{in}: x := in$$
  
 $T_{out}:$   
 $x \neq \emptyset \rightarrow \{ \text{out} := x;$   
 $x := \emptyset \}$   
bool  
out

- Set of input channels: I
  - ESM representation: in?v, where v is the value to be received
- Set of output channels: O
  - ESM representation: out!v, where v is the value to be written
  - Set of state variables X
  - Initialization Init which maps state variables to initial values

#### Updates are different from SRCs!

**Input Task** defines updates of the form:  $\mathbf{G} \rightarrow \mathbf{x} := \mathbf{E}(\mathbf{X}, \mathbf{in})$ 

- Guard condition G: some expression over only state variables X; input task can be executed only if G is true
- For each in in I, we associate a read-set (X U {in}): variables that can appear in E for input task associated with in (rationale: can read value on in only if that task is enabled)
- Any state variable can appear in the LHS of the assignment
- Defines a set of input actions of the form:  $q \xrightarrow{in?v} q'$ 
  - where q is value of state variables before update, and q satisfies G
  - ▶ value of state variables after update is  $q' = E(X \mapsto q, in \mapsto v)$

#### Updates are different from SRCs!

**Output Task**: defines updates of the form:  $\mathbf{G} \rightarrow \mathbf{out} := \mathbf{E}(\mathbf{X})$ 

- Guard condition G: some expression over only variables in X; output task can be executed only if G is true
- For each out in O, we associate a write-set {out}: variables that appear on LHS of the assignment
- Any expression containing only state variables can appear in E

out!v

- Defines an output action of the form  $q \rightarrow q'$ 
  - where q is value of state variables before update, and q satisfies G
  - value of state variables after update is q'
  - value v is output on channel out

#### Updates are different from SRCs!

**Internal Task**: defines updates of the form:  $\mathbf{G} \rightarrow \mathbf{x} := \mathbf{E}(\mathbf{X})$ 

- Guard condition G: some expression over only variables in X; internal task can be executed only if G is true
- Any expression containing only state variables can appear in E, only state variables appear on LHS
- Defines an internal action of the form  $q \rightarrow q'$ 
  - where q is value of state variables before update, and q satisfies G
  - value of state variables after update is q'
  - No input is read or output is produced!

## Asynchronous Merge: Sequence of Actions



Asynchronous Processes can also be represented with extended state machines

#### Composing Asynchronous Processes



Parallel composition: Inputs, Outputs, States and Initialization similar to the synchronous case

Input consumption needs to be synchronized with output production for the 'temp' variable

# Composed DoubleBuffer



- Defining  $P_1 \mid P_2$
- In each step only 1 task executes
- If y is an output channel of  $P_1$ and input channel of  $P_2$ :
- A<sub>1</sub>: output task for P<sub>1</sub> with code: G<sub>1</sub> $\rightarrow$  U<sub>1</sub>
- A<sub>2</sub>: input task for P<sub>2</sub> with code:  $G_2 \rightarrow U_2$ 
  - Composition has output task for y with code:  $G_1 \wedge G_2 \rightarrow U_1; U_2$

# Blocking vs. Non-blocking Synchronization



- Task T<sub>out</sub> of P1 can *produce* a value on the output only if P2 has an input task that is enabled to *consume* the value with some input task
- In this example, once x becomes odd, P2 cannot consume (no enabled input task) and it **blocks** communication
- Process is **non-blocking** on channel in if at least one guarded update corresponding to input task for in is enabled
- Process is non-blocking if for every input channel, the disjunction of all guards corresponding to input tasks for that channel is valid or the Boolean formula 1 (true).

### Deadlocks

- Common error in asynchronous designs
- Caused by each process waiting for another process to execute a task, but no task is enabled

