# Cyber-Physical Systems

Laura Nenzi

Università degli Studi di Trieste
Il Semestre 2020

Lecture 3: Concurrent Modeling

### Difference Equation



$$\mathbf{x}(k+1) = G(\mathbf{x}(k), \mathbf{u}(k))$$

# Difference Equation

real  $-\pi \le \theta \le \pi$ 

 $\mathbf{x}_1\left(0\right) = 0$  $x_2(0) = 0$ 

 $\theta$  (0) = 0

 $x_1^+ = x_1 + d \sin(\theta) u_1$   $x_2^+ = x_2 + d \cos(\theta) u_1$ 

 $\theta^+ = \theta + c u_2$ 

 $y = \theta$ 

 $u_1, u_2$ force, angular speed

$$\mathbf{x}(k+1) = G(\mathbf{x}(k), \mathbf{u}(k))$$

### Functional Components

- Classical model of computation: Functional or Transformational Programs
  - Start from a given input,
  - ▶ Produce a certain output and then **terminate**
  - Desired functionality can be described by a mathematical function
  - ► Emphasis is on data computation

### Reactive Components

#### 2. Reactive Programs:

- It maintains and internal state
- Continuously interact with the environment at a rate decided by the environment
- ► Emphasis is on system-environment interaction; e.g. airline autopilot, mail-servers, etc.

# Synchronous Models

All components execute in a sequence of rounds in lock-step



- Components in a digital hardware circuit with a central global clock
- Fixed-step Simulation Models of Discrete Components in Simulink



# Synchronous languages

Benefit: system design is simpler if we use a simple round-based computation

Challenge: How do we ensure synchronous execution when components may execute on different hardware?

#### Simple Representation of a Synchronous Component



### Simplest synchronous component: delay

(Boolean =  $\{0, 1\}$ )

- Input variable: in of type Boolean
- Output variable: out of type Boolean
- State variable: x of type Boolean, initialized to 0
- In each round, component updates output from the state and state from input



# Execution of "Delay"

- Initialize state to 0
- Repeatedly execute rounds
- In each round:
  - Choose value for input (provided from environment, e.g. by user)
  - Execute update code



$$0 \xrightarrow{1/0} 1 \xrightarrow{1/1} 1 \xrightarrow{0/1} 0 \xrightarrow{0/0} 0 \xrightarrow{1/0} 1 \qquad \longrightarrow$$

# Synchrony hypothesis

Time needed to execute update is negligible compared to arrival times between consecutive inputs

- Synchronous execution is a logical abstraction
  - Execution time of update code is 0
  - Production of outputs, updates to state and arrival of inputs happen instantaneously
- With multiple components, assume all execute synchronously and simultaneously

#### Let's Formalize an SRC

SRC is defined as a tuple:  $(Q_I, Q_x, Q_o, [[init]], [[react]])$ , where:

| Symbol    | Designation            | Examples                           |
|-----------|------------------------|------------------------------------|
| $Q_I$     | Set of Inputs          | $\{bool\ in\}$                     |
| $Q_X$     | Set of State Variables | $\{bool\ x\ \}$                    |
| $Q_o$     | Set of Outputs         | {bool out}                         |
| [[init]]  | Set of initial States  | $x \coloneqq 0$                    |
| [[react]] | Set of Updates         | $out \coloneqq x$ $x \coloneqq in$ |

### Semantics of updates & initialization

- Let the set of input, output, and state values be  $Q_I$ ,  $Q_O$ ,  $Q_X$
- Semantics of the initialization function:
  - ightharpoonup At time/round 0, maps the state variables to some specified value (or values) in  $Q_X$
- Semantics of the update function (some sequence of conditionals and assignments):
  - A set R of transitions where each transition is of the form:  $q \stackrel{i/o}{\to} q'$ , where q is the old value of the state variables, q' is the new value of the state variables, i is the value of the input in that round, and o is the value of the output
  - ightharpoonup R is a subset of  $Q_X \times Q_I \times Q_O \times Q_X$

# What are the $Q_I$ , $Q_O$ , $Q_X$ for these SRCs?



# Transitions for Delay



# Composition of Synchronous Components



Delay sequentially composed with Delay

# Composition of Synchronous Components



#### What does this model achieve?



### Deterministic Component

- An SRC is deterministic if:
  - ► It has a single initial state
  - ▶ Updates ensure that for every state q and input i, there is a unique state q' and output o such that (q, i, o, q') is a transition
- Determinism means for same input sequence, you get same state/output sequence every single time
- Note:
  - Nondeterminism is useful for modeling uncertainty/unknown and compactness



It is not the same as probabilistic/random choice!

#### Extended State Machines

Commonly used to describe behavior of MBD models



#### Extended State Machines

Does this ESM remind you of something?



### Component Switch: What does this do?



### ESM corresponding to Switch SRC



#### ESM notation



- Implicit variable called "mode" that is a *discrete* state variable over some finite enumeration. Here: {on, off}
- SRC transition may correspond to mode-switch
- Each mode-switch has guard/update. Example:
  - ► Guard: (press==0) & (x<10) and
  - ▶ Update: x:= x+1

#### ESM execution



ple executions: 
$$(off,0) (off,0) (off,0)$$

 $\downarrow 0$ 

(off,0)

↓ 1

(off,0)

#### ESM transitions could be nondeterministic!



# **Event-triggered Components**

- What to do if we want some components to not participate in some rounds?
- Event is a special input/output variable, which can be absent or present

- Event variable has value only if it is present
- Syntax:

| e?  | True if e is present                 |  |
|-----|--------------------------------------|--|
| e!a | e gets the value of the assignment a |  |

# **Event-triggered Copy**



### **Event-triggered Components**

No need to execute in a round where triggering events are absent



#### Finite-state Components

Component is finite state if all variables are over finite types



# Cruise Controller Example



#### Sensors

- Rotation Sensor: Wheel speed sensor or vehicle speed sensor
- Type of a tachometer
- Counts number of rotations per second and as the wheel radius is known, can compute the linear speed of the car



(From Porter and Chester Institute slides on Google Image Search)

#### Actuator



ThrottleController is an actuator that gets a force/torque required to adjust the throttle plate which leads to tracking the desired speed

# Decomposing CruiseController further



### MeasureSpeed SRC



**Asynchronous Components** 

# Asynchrony

- Synchrony: All components execute in a sequence of rounds in lock-step
- Asynchrony: No lock-step computation!
- Natural model for networked, distributed communicating components executing independently and at possibly different speeds
- As there is no central, global clock, explicit coordination is required between components
- Examples:
  - Processes in distributed computation, multiple threads in any modern OS
  - Interrupt-driven processing

# Asynchronous Reactive Component Example



### Asynchronous Reactive Component



- Input channel in of type bool
- Output channel out of type bool
- State variable x of type bool+Ø. The value Ø indicates empty or null.
- x initialized to Ø
- Input task T<sub>in</sub> reads input value into x
- Output task T<sub>out</sub> produces output if x is not empty

#### Asynchronous Reactive Component Execution

- Execution Model: In each step only one task is executed
- Task can be executed only if it is enabled (i.e. if its guard condition is true)
- If multiple guard conditions are true, one task is nondeterministically executed
- Sample execution:

$$\emptyset \xrightarrow[T_{in}]{\text{in?0}} 0 \xrightarrow[T_{out}]{\text{out!0}} \emptyset \xrightarrow[T_{in}]{\text{in?1}} 1 \xrightarrow[T_{in}]{\text{in?0}} 0 \xrightarrow[T_{out}]{\text{out!0}} \emptyset$$



# Example: Asynchrony + Nondeterminism

int 
$$x := 0$$
,  $y := 0$ 

$$T_{y}$$
: x := x+1

$$T_x$$
: x := x+1  
 $T_y$ : y:= y+1

- ARC may have no inputs or outputs, just internal tasks
  - Update may have no guards
- In each step, execute  $T_x$  or  $T_v$
- Sample execution:

$$(0,0) \underset{T_y}{\rightarrow} (0,1) \underset{T_y}{\rightarrow} (0,2) \underset{T_x}{\rightarrow} (1,2) \underset{T_y}{\rightarrow} (1,3)$$

Interleaved model of concurrency



# Asynchronous Process/Reactive Component



- Set of input channels: I
  - ► ESM representation: in?v, where v is the value to be received
- Set of output channels: O
  - ► ESM representation: out!v, where v is the value to be written
- Set of state variables X
- Initialization Init which maps state variables to initial values

#### Updates are different from SRCs!

**Input Task** defines updates of the form:  $G \rightarrow x := E(X,in)$ 

- Guard condition G: some expression over only state variables X; input task can be executed only if G is true
- For each in in I, we associate a read-set (X U {in}): variables that can appear in E for input task associated with in (rationale: can read value on in only if that task is enabled)
- ▶ Defines a set of input actions of the form:  $q \xrightarrow{\ln rv} q'$ 
  - where q is value of state variables before update, and q satisfies G
  - ▶ value of state variables after update is  $q' = E(X \mapsto q, in \mapsto v)$

#### Updates are different from SRCs!

Output Task: defines updates of the form:  $G \rightarrow out := E(X)$ 

- Guard condition G: some expression over only variables in X; output task can be executed only if G is true
- Any expression containing only state variables can appear in E
- ► Defines an output action of the form  $q \xrightarrow{out: v} q'$ 
  - where q is value of state variables before update, and q satisfies G
  - value of state variables after update is q'
  - value v is output on channel out

### Updates are different from SRCs!

**Internal Task**: defines updates of the form:  $G \rightarrow x := E(X)$ 

- Guard condition G: some expression over only variables in X; internal task can be executed only if G is true
- Any expression containing only state variables can appear in E, only state variables appear on LHS
- $\triangleright$  Defines an internal action of the form  $q \stackrel{\varepsilon}{\rightarrow} q'$ 
  - where q is value of state variables before update, and q satisfies G
  - value of state variables after update is q'
  - ▶ No input is read or output is produced!

### Asynchronous Example



Asynchronous Processes can also be represented with extended state machines

# Composing Asynchronous Processes



Parallel composition: Inputs, Outputs, States and Initialization similar to the synchronous case

Input consumption needs to be synchronized with output production for the 'temp' variable

#### Composed DoubleBuffer



- Defining P<sub>1</sub> | P<sub>2</sub>
- In each step only 1 task executes
- ► If y is an output channel of P<sub>1</sub> and input channel of P<sub>2</sub>:
- A<sub>1</sub>: output task for P<sub>1</sub> with code:  $G_1 \rightarrow U_1$
- A<sub>2</sub>: input task for P<sub>2</sub> with code:  $G_2 \rightarrow U_2$
- Composition has output task for y with code:  $G_1 \wedge G_2 \rightarrow U_1; U_2$

# Blocking vs. Non-blocking Synchronization



How do you make P2 non-blocking?

- Task T<sub>out</sub> of P1 can *produce* a value on the output only if P2 has an input task that is enabled to *consume* the value with some input task
- In this example, once x becomes odd, P2 cannot consume (no enabled input task) and it **blocks** communication
- Process is non-blocking on channel in if at least one guarded update corresponding to input task for in is enabled
- Process is **non-blocking** if for every input channel, the disjunction of all guards corresponding to input tasks for that channel is *valid* or the Boolean formula 1 (true).

#### Deadlocks

- Common error in asynchronous designs
- Caused by each process waiting for another process to execute a task, but no task is enabled

