# Artificial Intelligence for Cyber-Physical Systems

#### Laura Nenzi

Università degli Studi di Trieste I Semestre 2024

#### Lecture 2: Modeling (Introduction) Concurrent Modeling

[Many Slides due to J. Deshmukh, Toyota]

### Cyber-Physical System (CPS)

Combination of physical (environment / plant / process / system) with a cyber (computation / software / code) components potentially networked and tightly interconnected



# Model-based Design Approach



Validation : "Are you building the right thing?"

Verification : "Are you building it right?"

#### Model-based Design Approach

MBD languages are often visual and block-diagram based, e.g. Simulink





#### **Functional Components**

- 1. *Classical* model of computation: Functional or Transformational Programs
  - Start from a given input,
  - Produce a certain output and then terminate
  - Desired functionality can be described by a mathematical function
  - Emphasis is on data computation

#### **Reactive Components**

- 2. Reactive Programs:
  - It maintains and internal state
  - Continuously interact with the environment at a rate decided by the environment
  - Emphasis is on system-environment interaction; e.g. airline autopilot, mail-servers, etc.

#### Models of Computation: Timing

What's the notion of time in the model?

Real-time or Logical time-steps of execution?

What time do different components in the model use?

- Single global clock for full synchronization?
- Different clocks in each component?
- What level of granularity do we need in time?
  - Discrete time-steps or Continuous dense time?

#### Reactive Component

Most convenient model of computation for an (Autonomous) CPS is a reactive and concurrent model of computation.



An autonomous CPS can be viewed as a **network of components** that communicate either **synchronously** or **asynchronously**.

#### Models: abstractions of CPS

Examples of type of modeling for CPS components:

- > Modeling physical phenomena (dynamical systems) differential equation
- Feedback control systems time-domain modeling
- > Modeling modal behavior FSMs, hybrid automata, ...
- > Modeling sensors and actuators models that help with calibration, noise elimination,
- Modeling hardware and software capture concurrency, timing, …
- Modeling networks latencies, error rates, packet loss,

# Models of Computation

- Synchronous Model of Computation
- Asynchronous Model of Computation
- Timed Models
  - Like Asynchronous models, but with explicit time information
  - Can make use of global time for coordination
- Continuous-time models/Dynamical system models
  - Like Synchronous, but time evolves continuously
- Hybrid Dynamical Models

#### Synchronous Models

# Synchronous Models

All components execute in a sequence of rounds in lock-step



#### Example:

- Components in a digital hardware circuit with a central global clock
- Fixed-step Simulation Models of Discrete Components in Simulink

### Synchronous languages

Benefit: system design is simpler if we use a simple round-based computation

Challenge: How do we ensure synchronous execution when components may execute on different hardware?

#### Simple Representation of a Synchronous Component



Component

#### Simplest synchronous component: delay

 $(Boolean = \{ 0, 1 \})$ 

- Input variable: in of type Boolean
- Output variable: out of type Boolean
- State variable: x of type Boolean, initialized to 0
- In each round, component updates output from the state and state from input



# Execution of "Delay"

- Initialize state to 0
- Repeatedly execute rounds
- In each round:
  - Choose value for input (provided from environment, e.g. by user)
  - Execute update code



$$0 \xrightarrow{1/0} 1 \xrightarrow{1/1} 1 \xrightarrow{0/1} 0 \xrightarrow{0/0} 0 \xrightarrow{1/0} 1 \xrightarrow{0} 1$$

## Synchrony hypothesis

- Time needed to execute update is negligible compared to arrival times between consecutive inputs
- Synchronous execution is a *logical abstraction* 
  - Execution time of update code is 0
  - Production of outputs, updates to state and arrival of inputs happen instantaneously
- With multiple components, assume all execute synchronously and simultaneously

#### Let's Formalize an SRC (Synchronous Reactive Component)

SRC is defined as a tuple:  $(Q_I, Q_x, Q_o, [[init]], [[react]])$ , where:

| Symbol    | Designation            | Examples                                                         |
|-----------|------------------------|------------------------------------------------------------------|
| $Q_I$     | Set of Inputs          | {bool <i>in</i> }                                                |
| $Q_X$     | Set of State Variables | {bool x }                                                        |
| $Q_o$     | Set of Outputs         | {bool out}                                                       |
| [[init]]  | Set of initial States  | $x \coloneqq 0$                                                  |
| [[react]] | Set of Updates         | $\begin{array}{l} out \coloneqq x \\ x \coloneqq in \end{array}$ |

#### Semantics of updates & initialization

- Let the set of input, output, and state values be  $Q_I, Q_O, Q_X$
- Semantics of the initialization function [[init]]:
  - At time/round 0, maps the state variables to some specified value (or values) in  $Q_X$
- Semantics of the update function [[react]] (some sequence of conditionals and assignments):
  - ► A set R of transitions where each transition is of the form: q → q', where q is the old value of the state variables, q' is the new value of the state variables, i is the value of the input in that round, and o is the value of the output
  - ► *R* is a subset of  $Q_X \times Q_I \times Q_O \times Q_X$

#### Transitions for Delay



# What are the $Q_I$ , $Q_O$ , $Q_X$ for these SRCs?



 $Q_I = \{0,1\}, Q_X = int \times \{0,1\}, Q_O = int$ 

#### Composition of Synchronous Components



Delay sequentially composed with Delay

#### Composition of Synchronous Components



#### What does this model achieve?



If number of '0' inputs seen by the first component exceeds the number of '1' inputs it has seen by 2, at any point in its execution, then the 'warn' light becomes high If this happens again, the 'error' light becomes high

### Deterministic Component

- An SRC is deterministic if:
  - It has a single initial state
  - Updates ensure that for every state q and input i, there is a unique state q' and output o such that (q, i, o, q') is a transition
- Determinism means for same input sequence, you get same state/output sequence every single time
- Note:
  - Nondeterminism is useful for modeling uncertainty/unknown and compactness



It is not the same as probabilistic/random choice!

# Event-triggered Components

- What to do if we want some components to *not* participate in some rounds?
- Event is a special input/output variable, which can be absent or present
- Event variable has value only if it is present
- Syntax:

| e?  | True if e is present                 |
|-----|--------------------------------------|
| e!a | e gets the value of the assignment a |

# **Event-triggered** Copy



### Event-triggered ClockedCopy



#### Event-triggered Components

No need to execute in a round where triggering events are absent



#### Extended State Machines

Commonly used to describe behavior of MBD models



#### Extended State Machines

Does this ESM remind you of something?



#### Component Switch: What does this do?



#### ESM corresponding to Switch SRC



#### ESM notation



- Implicit variable called "mode" that is a *discrete* state variable over some finite enumeration. Here: {on, off}
- SRC transition may correspond to mode-switch
  - Each mode-switch has guard/update. Example:
    - ▶ Guard: (press==0) & (x<10) and
    - Update: x:= x+1

#### ESM execution

 $\operatorname{int} x \coloneqq 0$ 

Start in mode off; initial state = (off,0)
 Sample executions:

 (off,0)
 (off,0)
 (off,0)

| (press==0)? off (press==1)?                                                                                                                                                                                                                                                                                                                                                                                                                                           | ( <i>off</i> ,0) | ( <i>off</i> ,0) |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------|------------------|
| (press==0)? off (press==1)?                                                                                                                                                                                                                                                                                                                                                                                                                                           | $\downarrow 0$   | $\downarrow 0$   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | (off, 0)         | (off, 0)         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | ↓ 1              | ↓ 1              |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | ( <i>on</i> , 0) | (on, 0)          |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | $\downarrow 0$   | $\downarrow 0$   |
| (press==0) & (x<10)                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ( <i>on</i> , 1) | (on, 1)          |
| D      S   =   D     X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D    X   =   D     X   =   D     X   =   D    X | •                | •                |
| $ \begin{array}{c} (x = 1) \\ \rightarrow x \\ \end{array} \coloneqq 0 \end{array} \qquad \qquad$                                                                                                                                                                                                                                                     | $\downarrow 0$   | $\downarrow 0$   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | (on, 10)         | ( <i>on</i> , 5) |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | $\downarrow 0$   | $\downarrow 1$   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | (off, 0)         | (off, 0)         |

#### ESM transitions could be nondeterministic!



#### Finite-state Components

Component is finite state if all variables are over finite types



# Finite State Machine

- A FSM is a tuple  $\{S, Q_I, Q_O, update, s_0\}$  where:
- *S* is a finite set of states;
- $Q_I$  is a set of input valuations;
- $Q_0$  is a set of output valuations;
- $update: S \times Q_I \rightarrow S \times Q_O$  is an update function, mapping a state and an input valuation to a next state and an output valuation;
- $s_0$  is the initial state.

# Extended Finite State Machine

- A EFSM is a tuple { $S, Q_I, Q_O, V, update, s_0$ } where:
- *S* is a finite set of states;
- $Q_I$  is a set of input valuations;
- $Q_0$  is a set of output valuations;
- V is a set of variables;
- $update: S \times Q_I \times V \rightarrow S \times V \times Q_O$  is an update function, mapping a state and an input valuation to a next state and an output valuation;
- $s_0$  is the initial state.

# Non-deterministic Finite State Machine

A non-deterministic FSM is a tuple  $\{S, Q_I, Q_O, possibleUpdate, s_0\}$  where:

- *S* is a finite set of states;
- $Q_I$  is a set of input valuations;
- $Q_O$  is a set of output valuations;

• *possibleUpdate*:  $S \times Q_I \rightarrow 2^{\{S \times Q_O\}}$  is an is an update relation, mapping a state and an input valuation to a *set of possible* (next state, output valuation) pairs;

•  $s_0$  is the initial state.

# Mealy machines and Moore machine

The state machines we describe here are known as **Mealy machines**, named after George H. Mealy, a Bell Labs engineer who published a description of these machines in 1955 (Mealy, 1955). Mealy machines are characterized by producing outputs when a transition is taken.

An alternative, known as a **Moore machine**, produces outputs when the machine is in a state, rather than when a transition is taken. That is, the output is defined by the current state rather than by the current transition. Moore machines are named after Edward F. Moore, another Bell Labs engineer who described them in a 1956 paper (Moore, 1956).

#### Ex: Parking Finite State Machine

- Try to define the FSM of a car park, where a car can arrive or depart, and you have a maximum number of slots equal to M.
- Hint: the modes are the number of occupied slots

#### Parking Finite State Machine



#### Parking Finite State Machine



#### Parking Extended State Machine

Consider a system that counts the number of cars that enter and leave a parking garage in order to keep track of how many cars are in the garage at any time.



# Cruise Controller Example



#### Sensors

- Rotation Sensor: Wheel speed sensor or vehicle speed sensor
- Type of a tachometer
- Counts number of rotations per second and as the wheel radius is known, can compute the linear speed of the car



- The ABS wheel speed sensor generates a small electrical pulse whenever a tooth on the tone ring moves through the magnetic field of the pick up coil
- Continuous rotation of the tone ring produces an AC current whose frequency – measured in Hertz – is proportional to wheel speed

(From Porter and Chester Institute slides on Google Image Search)

#### Actuator



ThrottleController is an actuator that gets a force/torque required to adjust the throttle plate which leads to tracking the desired speed

#### Decomposing CruiseController further



#### MeasureSpeed SRC



MeasureSpeed SRC

#### Synchronous components: summary

- Synchronous dataflow languages used to model synchronous components
   Scade-suite from Esterel Technologies: used in many avionics' applications
- Benefit: system design is simpler
- Challenge: How do we ensure synchronous execution when components may execute on different hardware?



#### Thermostat FSM



It could be event triggered, like the garage counter, in which case it will react whenever a *temperature* input is provided. Alternatively, it could be time triggered, meaning that it reacts at regular time intervals

#### Asynchronous Components

# Asynchrony

- Synchrony: All components execute in a sequence of rounds in lock-step
- Asynchrony: No lock-step computation!
- Natural model for networked, distributed communicating components executing independently and at possibly different speeds
- As there is no central, global clock, explicit coordination is required between components
- Examples:
  - Processes in distributed computation, multiple threads in any modern OS
  - Interrupt-driven processing

# Asynchronous Reactive Component



- Input channel in of type bool
- Output channel out of type bool
- State variable x of type bool+Ø. The value Ø indicates empty or null.
- x initialized to Ø
- Input task T<sub>in</sub> reads input value into x
- Output task T<sub>out</sub> produces output if x is not empty

#### Asynchronous Reactive Component Example



#### Asynchronous Reactive Component Execution

- Execution Model: In each step only one task is executed
- Task can be executed only if it is enabled (i.e. if its guard condition is true)
- If multiple guard conditions are true, one task is nondeterministically executed

Sample execution:

$$\emptyset \xrightarrow[T_{in}]{in?0} 0 \xrightarrow[T_{out}]{out!0} \emptyset \xrightarrow[T_{in}]{in?1} 1 \xrightarrow[T_{in}]{in?0} 0 \xrightarrow[T_{out}]{out!0} \emptyset$$

bool  
in  

$$T_{in}: x := in$$

$$T_{out}:$$

$$x \neq \emptyset \rightarrow \{ \text{ out } := x;$$

$$x := \emptyset \}$$

**Buffer** 

# Example: Asynchrony + Nondeterminism

- ARC may have no inputs or outputs, just internal tasks
  - Update may have no guards
- In each step, execute  $T_x$  or  $T_y$
- Sample execution:

$$(0,0) \underset{T_{y}}{\rightarrow} (0,1) \underset{T_{y}}{\rightarrow} (0,2) \underset{T_{x}}{\rightarrow} (1,2) \underset{T_{y}}{\rightarrow} (1,3)$$

#### Interleaved model of concurrency



# Asynchronous Process/Reactive Component

bool  
in  

$$T_{in}: x := in$$
  
 $T_{out}:$   
 $x \neq \emptyset \rightarrow \{ \text{out} := x;$   
 $x := \emptyset \}$   
bool  
out

- Set of input channels: I
  - ESM representation: in?v, where v is the value to be received
- Set of output channels: O
  - ESM representation: out!v, where v is the value to be written
  - Set of state variables X
  - Initialization Init which maps state variables to initial values

#### Updates are different from SRCs!

**Input Task** defines updates of the form:  $\mathbf{G} \rightarrow \mathbf{x} := \mathbf{E}(\mathbf{X}, \mathbf{in})$ 

- Guard condition G: some expression over only state variables X; input task can be executed only if G is true
- For each in in I, we associate a read-set (X U {in}): variables that can appear in E for input task associated with in (rationale: can read value on in only if that task is enabled)
- Defines a set of input actions of the form: q → q'
   where q is value of state variables before update, and q satisfies G
   value of state variables after update is q' = E(X→q, in→v)

# Updates are different from SRCs!

**Output Task**: defines updates of the form:  $\mathbf{G} \rightarrow \mathbf{out} := \mathbf{E}(\mathbf{X})$ 

- Guard condition G: some expression over only variables in X; output task can be executed only if G is true
- Any expression containing only state variables can appear in E
- Defines an output action of the form  $q \xrightarrow{out!v} q'$ 
  - where q is value of state variables before update, and q satisfies G
  - value of state variables after update is q'
  - value v is output on channel out

#### Updates are different from SRCs!

**Internal Task**: defines updates of the form:  $\mathbf{G} \rightarrow \mathbf{x} := \mathbf{E}(\mathbf{X})$ 

- Guard condition G: some expression over only variables in X; internal task can be executed only if G is true
- Any expression containing only state variables can appear in E, only state variables appear on LHS
- Defines an internal action of the form  $q \rightarrow q'$ 
  - where q is value of state variables before update, and q satisfies G
  - value of state variables after update is q'
  - No input is read or output is produced!

#### Asynchronous Example



Asynchronous Processes can also be represented with extended state machines

# Asynchronous Merge: Sequence of Actions



Asynchronous Processes can also be represented with extended state machines

#### Composing Asynchronous Processes



Parallel composition: Inputs, Outputs, States and Initialization similar to the synchronous case

Input consumption needs to be synchronized with output production for the 'temp' variable

# Composed DoubleBuffer



Defining  $P_1 | P_2$ 

- In each step only 1 task executes
- If y is an output channel of P<sub>1</sub> and input channel of P<sub>2</sub>:
- Output task for  $P_1:G_1 \rightarrow U_1$
- Input task for  $P_2:G_2 \rightarrow U_2$
- Composition has output task for y with code:  $G_1 \land G_2 \rightarrow U_1; U_2$

# Output Hiding

Hiding ouput y: achieved by removing y from the set of output channels and turning each output task associated with the channel y into an internal task by declaring y to be a local variable



# Blocking vs. Non-blocking Synchronization



- Task T<sub>out</sub> of P1 can *produce* a value on the output only if P2 has an input task that is enabled to *consume* the value with some input task
- In this example, once x becomes odd, P2 cannot consume (no enabled input task) and it **blocks** communication
- Process is non-blocking on channel in for a state s if at least one guarded update corresponding to input task for in is enabled in the state s
- Process is non-blocking if it is non-blocking in every channel and for every states.

#### Blocking vs. Non-blocking Synchronization in Merge



#### Blocking vs. Non-blocking Synchronization in Merge



An input on the channel  $in_1$ cannot be processed if the queue  $x_1$  is full, and thus the producer of outputs on the channel  $in_1$  has to wait until this queue becomes non-full

# Deadlocks

- Common error in asynchronous designs
- Caused by each process waiting for another process to execute a task, but no task is enabled



# Deadlocks

- Common error in asynchronous designs
- Caused by each process waiting for another process to execute a task, but no task is enabled

