# Cyber-Physical Systems 

Laura Nenzi<br>Università degli Studi di Trieste<br>II Semestre 2019

## Lecture 3: Concurrent Modeling

## Functional Components

1. Classical model of computation: Functional or Transformational Programs

- Start from a given input,
- Produce a certain output and then terminate
- Desired functionality can be described by a mathematical function
- Emphasis is on data computation


## Reactive Components

## 2. Reactive Programs:

- It maintains and internal state
- Continuously interact with the environment at a rate decided by the environment
- Emphasis is on system-environment interaction; e.g. airline autopilot, mail-servers, etc.


## Synchronous Models

All components execute in a sequence of rounds in lock-step

## Example:



- Components in a digital hardware circuit with a central global clock
- Fixed-step Simulation Models of Discrete Components in Simulink


## Synchronous languages

- Benefit: system design is simpler if we use a simple round-based computation
- Challenge: How do we ensure synchronous execution when components may execute on different hardware?


## Simple Representation of a Synchronous Component



## Simplest synchronous component: delay

(Boolean $=\{0,1\}$ )

- Input variable: in of type Boolean
- Output variable: out of type Boolean
- State variable: x of type Boolean, initialized to 0
- In each round, component updates output from the state and state from
 input


## Execution of "Delay"

- Initialize state to 0
- Repeatedly execute rounds
- In each round:
- Choose value for input (provided from environment, e.g. by user)
- Execute update code


$$
0 \xrightarrow{1 / 0} 1 \xrightarrow{1 / 1} 1 \xrightarrow{0 / 1} 0 \xrightarrow{0 / 0} 0 \xrightarrow{1 / 0} 1
$$

## Synchrony hypothesis

- Time needed to execute update is negligible compared to arrival times between consecutive inputs
- Synchronous execution is a logical abstraction
- Execution time of update code is 0
- Production of outputs, updates to state and arrival of inputs happen instantaneously
- With multiple components, assume all execute synchronously and simultaneously
- Burden on design-time to validate hypothesis


## Let's Formalize an SRC

- SRC is defined as a tuple: $(I, O, X, U)$, where:

| Symbol | Designation | Examples |
| :---: | :--- | :--- |
| $I$ | Set of Inputs | $\{$ in $\}$ |
| $X$ | Set of State Variables | $\{x\}$ |
| $O$ | Set of Outputs | $\{$ out $\}$ |
| $U$ | Set of Updates | out $:=x$ <br> $x:=$ in |

## Semantics of updates \& initialization

- Let the set of input, output, and state values be $Q_{I}, Q_{O}, Q_{X}$
- Semantics of the initialization function:
- At time/round 0, maps the state variables to some specified value (or values) in $Q_{X}$
- Semantics of the update function (some sequence of conditionals and assignments):
- A set $R$ of transitions where each transition is of the form: $q \xrightarrow{i / o} q^{\prime}$, where $q$ is the old value of the state variables, $q^{\prime}$ is the new value of the state variables, $i$ is the value of the input in that round, and $o$ is the value of the output
$-R$ is a subset of $Q_{X} \times Q_{I} \times Q_{O} \times Q_{X}$


## What are the $Q_{I}, Q_{O}, Q_{X}$ for these SRCs?



## Transitions for Delay



## Composition of Synchronous Components



## Composition of Synchronous Components


$\rightarrow$ Delay 1
$\rightarrow$ Delay 2
bool out ${ }_{2}$

Observe:

1) $\mathrm{in}_{2}$ is the same as out $_{1}$ in every round
2) Ignoring first 2 rounds, outputs of $d 2$ are the inputs to d1 delayed by 2 rounds

## What does this model achieve?

If number of ' 0 ' inputs seen by the first component exceeds the number of ' 1 ' inputs it has seen by 2 , at any point in its execution, then the warn output becomes 1
d := 0;
end

## Deterministic Component

- An SRC is deterministic if:
- It has a single initial state
- Updates ensure that for every state $q$ and input $i$, there is a unique state $q^{\prime}$ and output $o$ such that $\left(q, i, o, q^{\prime}\right)$ is a transition
- Determinism means for same input sequence, you get same state/output sequence every single time
- Note:
- Nondeterminism is useful for modeling uncertainty/unknown and compactness

- It is not the same as probabilistic/random choice!


## Extended State Machines

- Commonly used to describe behavior of MBD models



## Extended State Machines

D Does this ESM remind you of something?


## Component Switch: What does this do?



## ESM corresponding to Switch SRC

$$
\begin{aligned}
\mathrm{q} & =0: \text { off } \\
& =1: \text { on }
\end{aligned}
$$


(press $==0) \&(x<10)$ ?
$\rightarrow \mathrm{x}:=\mathrm{x}+1$

## ESM notation

(press==1) \& $(x \geq 10)$ ? on $\quad($ press $==0) \&(x<10)$ ?

$$
\rightarrow \mathrm{x}:=0
$$

- Implicit variable called "mode" that is a discrete state variable over some finite enumeration. Here: \{on, off $\}$
- SRC transition may correspond to mode-switch
- Each mode-switch has guard/update. Example:

$$
\rightarrow \mathrm{x}:=\mathrm{x}+1
$$

- Guard: (press==0) \& (x<10) and
- Update: $\mathrm{x}:=\mathrm{x}+1$


## ESM execution



- Start in mode off; initial state $=$ (off,0)
- Sample executions:

| $(o f f, 0)$ | $(o f f, 0)$ |
| :---: | :---: |
| $\downarrow 0$ | $\downarrow 0$ |
| $(o f f, 0)$ | $(o f f, 0)$ |
| $\downarrow 1$ | $\downarrow 1$ |
| $(o n, 0)$ | $(o n, 0)$ |
| $\downarrow 0$ | $\downarrow 0$ |
| $(o n, 1)$ | $(o n, 1)$ |
| $\vdots$ | $\vdots$ |
| $\downarrow 0$ | $\downarrow 0$ |
| $(o n, 10)$ | $(o n, 5)$ |
| $\downarrow 0$ | $\downarrow 1$ |
| $(o f f, 0)$ | $(o f f, 0)$ |

## ESM transitions could be nondeterministic!



## Event-triggered Components

- What to do if we want some components to not participate in some rounds?
- Event is a special input/output variable, which can be absent or present
- Event variable has value only if it is present
- Syntax:

| $\mathbf{e} \boldsymbol{?}$ | True if e is present |
| :--- | :--- |
| $\mathbf{e}!\mathbf{a}$ | e gets the value of the assignment a |

## Event-triggered Copy



## Event-triggered Components

- No need to execute in a round where triggering events are absent



## Finite-state Components

Component is finite state if all variables are over finite types


$\xrightarrow{\text { bool in }}$| out $:=y ;$ <br> if $(z==0)$ <br> bool $z:=0$ |
| :--- |
| int $y:=y+1$ |
| $z:=$ in $y:=y-1$ |$\quad$ int out

## FSM Software Tools

- Statecharts (Harel, 1987), a notation for concurrent composition of hierarchical FSMs, has influenced many of these tools.
- One of the first tools supporting the Statecharts notation is STATEMATE (Harel et al., 1990), which subse-quently evolved into Rational Rhapsody, sold by IBM.
- Almost every software engineering tool that provides UML (unified modeling language) capabilities (Booch et al., 1998).
- SyncCharts (Andre' , 1996) is a particularly nice variant in that it borrows the rigorous semantics of Esterel (Berry and Gonthier, 1992) for composition of concurrent FSMs.
- LabVIEW supports a variant of Statecharts that can operate within dataflow diagrams
- Simulink with its Stateflow extension supports a variant that can operate within continuous-time models.


## Cruise Controller Example



## Sensors

- Rotation Sensor: Wheel speed sensor or vehicle speed sensor
- Type of a tachometer
- Counts number of rotations per second and as the wheel radius is known, can compute the linear speed of the car

(From Porter and Chester Institute slides on Google Image Search)


## Actuator



- ThrottleController is an actuator that gets a force/torque required to adjust the throttle plate which leads to tracking the desired speed


## Decomposing CruiseController further



## MeasureSpeed SRC



Asynchronous Components

## Asynchrony

- Synchrony: All components execute in a sequence of rounds in lock-step
- Asynchrony: No lock-step computation!
- Natural model for networked, distributed communicating components executing independently and at possibly different speeds
- As there is no central, global clock, explicit coordination is required between components
- Examples:
- Processes in distributed computation, multiple threads in any modern OS
- Interrupt-driven processing


## Asynchronous Reactive Component Example



## Asynchronous Reactive Component



- Input channel in of type bool
- Output channel out of type bool
- State variable $\times$ of type bool $+\emptyset$. The value $\emptyset$ indicates empty or null.
- x initialized to $\emptyset$
- Input task $\mathrm{T}_{\text {in }}$ reads input value into x
- Output task $\mathrm{T}_{\text {out }}$ produces output if x is not empty


## Asynchronous Reactive Component Execution

- Execution Model: In each step only one task is executed
- Task can be executed only if it is enabled (i.e. if its guard condition is true)
- If multiple guard conditions are true, one task is nondeterministically executed
- Sample execution:

$$
\emptyset \underset{\mathrm{T}_{\text {in }}}{\text { in?0 }} 0 \underset{\mathrm{~T}_{\text {out }}}{\text { out!0 }} \emptyset \underset{\mathrm{T}_{\text {in }}}{\text { in?1 }} 1 \underset{\mathrm{~T}_{\text {in }}}{\text { in?0 }} 0 \underset{\mathrm{~T}_{\text {out }}}{\text { out!0 }} \emptyset
$$



Buffer

## Example: Asynchrony + Nondeterminism

 ARC may have no inputs or outputs, just internal tasks - Update may have no guards
$\Rightarrow$ In each step, execute $T_{x}$ or $T_{y}$ Sample execution:

$$
(0,0) \underset{\mathrm{T}_{\mathrm{y}}}{\overrightarrow{2}}(0,1) \underset{\mathrm{T}_{\mathrm{y}}}{\overrightarrow{\mathrm{t}}}(0,2) \underset{\mathrm{T}_{\mathrm{x}}}{(1,2) \underset{\mathrm{T}_{\mathrm{y}}}{\overrightarrow{2}}(1,3)}
$$



- Interleaved model of concurrency


## Asynchronous Process/Reactive Component

| $\operatorname{bool}_{\emptyset} \mathrm{x}:=\varnothing$ |
| :---: |
| $\begin{aligned} & \mathrm{T}_{\text {in }}: \mathrm{x}:=\text { in } \\ & \mathrm{T}_{\text {out }}: \\ & \mathrm{x} \neq \emptyset \rightarrow\{\text { out }:=\mathrm{x} ; \\ & \\ & \quad \mathrm{x}:=\emptyset\} \end{aligned}$ |
|  |  |
|  |  |
|  |  |

- Set of input channels: I
- ESM representation: in?v, where $v$ is the value to be received
- Set of output channels: O
- ESM representation: out!v, where $v$ is the value to be written
- Set of state variables X
- Initialization Init which maps state variables to initial values


## Updates are different from SRCs!

Input Task defines updates of the form: $\mathbf{G} \rightarrow \mathbf{x : =} \mathbf{E}(\mathbf{X}, \mathbf{i n})$

- Guard condition G: some expression over only state variables $X$; input task can be executed only if $G$ is true
- For each in in I, we associate a read-set ( $\mathrm{X} \cup\{$ in\}): variables that can appear in E for input task associated with in (rationale: can read value on in only if that task is enabled)
- Any state variable can appear in the LHS of the assignment

D Defines a set of input actions of the form: $q \xrightarrow{\text { in?v }} q^{\prime}$

- where $q$ is value of state variables before update, and $q$ satisfies $G$
- value of state variables after update is $\mathrm{q}^{\prime}=\mathrm{E}(\mathrm{X} \mapsto \mathrm{q}, \mathrm{in} \mapsto \mathrm{V})$


## Updates are different from SRCs!

Output Task: defines updates of the form: $\mathbf{G} \rightarrow$ out $:=\mathbf{E}(\mathbf{X})$

- Guard condition G: some expression over only variables in X; output task can be executed only if G is true
- For each out in O , we associate a write-set \{out\}: variables that appear on LHS of the assignment
- Any expression containing only state variables can appear in E

D Defines an output action of the form $\mathrm{q} \xrightarrow{\text { out!v }} \mathrm{q}^{\prime}$

- where $q$ is value of state variables before update, and $q$ satisfies $G$
- value of state variables after update is $\mathrm{q}^{\prime}$
- value v is output on channel out


## Updates are different from SRCs!

Internal Task: defines updates of the form: $\mathbf{G} \rightarrow \mathbf{x}:=\mathbf{E ( X )}$

- Guard condition G: some expression over only variables in X; internal task can be executed only if $G$ is true
- Any expression containing only state variables can appear in E, only state variables appear on LHS
- Defines an internal action of the form $\mathrm{q} \xrightarrow{\varepsilon} \mathrm{q}^{\prime}$
- where $q$ is value of state variables before update, and $q$ satisfies $G$
- value of state variables after update is $q^{\prime}$
- No input is read or output is produced!


## Asynchronous Merge: Sequence of Actions



Asynchronous Processes can also be represented with extended state machines

## Composing Asynchronous Processes



- Parallel composition: Inputs, Outputs, States and Initialization similar to the synchronous case
- Input consumption needs to be synchronized with output production for the 'temp' variable


## Composed DoubleBuffer

## Buffer

|  | bool $_{\varnothing} \mathrm{X}_{1}:=\varnothing$ | bool $_{\varnothing} \mathrm{x}_{2}:=\emptyset$ |
| :---: | :---: | :---: |
| in | $\begin{aligned} & \mathrm{T}_{\text {in } 1}: \mathrm{x}_{1}:=\text { in } \\ & \mathrm{T}_{\text {out } 1}: \\ & \mathrm{x}_{1} \neq \emptyset \rightarrow\left\{\text { temp }:=\mathrm{x}_{1} ;\right. \\ &;:=\emptyset\} \end{aligned}$ | $\begin{aligned} & \mathrm{T}_{\text {in } 2}: \mathrm{x}_{2}:=\text { temp } \\ & \mathrm{T}_{\text {out2 } 2}: \\ & \mathrm{x}_{2} \neq \emptyset \rightarrow\left\{\text { out }:=\mathrm{x}_{2} ;\right. \\ & \left.\mathrm{x}_{2}:=\emptyset\right\} \end{aligned}$ |



Defining $P_{1} \mid P_{2}$
In each step only 1 task executes

- If y is an output channel of $\mathrm{P}_{1}$ and input channel of $P_{2}$ :
- $A_{1}$ : output task for $P_{1}$ with code: $\mathrm{G}_{1} \rightarrow \mathrm{U}_{1}$
- $A_{2}$ : input task for $P_{2}$ with code: $\mathrm{G}_{2} \rightarrow \mathrm{U}_{2}$
- Composition has output task for y with code: $\mathrm{G}_{1} \wedge \mathrm{G}_{2} \rightarrow \mathrm{U}_{1} ; \mathrm{U}_{2}$


## Blocking vs. Non-blocking Synchronization

- Task $\mathrm{T}_{\text {out }}$ of P1 can produce a value on the output only if P 2 has an input task that is enabled to consume the value with some input task


P2

How do you make P2 non-blocking?

- In this example, once x becomes odd, P 2 cannot consume (no enabled input task) and it blocks communication
- Process is non-blocking on channel in if at least one guarded update corresponding to input task for in is enabled
- Process is non-blocking if for every input channel, the disjunction of all guards corresponding to input tasks for that channel is valid or the Boolean formula 1 (true).


## Deadlocks

- Common error in asynchronous designs
- Caused by each process waiting for another process to execute a task, but no task is enabled


