Chapter 1 -- Introduction - Real

CSE 522
Model-based Development (1)
Computer Science & Engineering Department
Arizona State University
Tempe, AZ 85287
Dr. Yann-Hang Lee
yhlee@asu.edu
(480) 727-7507
Some of the slides were based on lectures by
Lee & Seshia (UC Berkeley) and Fainekos (ASU)
Modeling, Design, Analysis
- Modeling is the process of gaining a deeper understanding of a system through imitation. Models specify what a system does.
- Design is the structured creation of artifacts. It specifies how a system does what it does. This includes optimization.
- Analysis is the process of gaining a deeper understanding of a system through dissection. It specifies why a system does what it does (or fails to do what a model says it should do).
What is Modeling?
- A mathematical model in the form of a set of definitions and mathematical formulas.
  - Use mathematical objects to describe the (dynamical or static) properties and behavior of the system
- Developing insight about a system, process, or artifact through imitation.
  - The artifact that imitates the system, process, or artifact of interest.
- Mathematical models can help us
  - understand the system behavior
  - predict the system behavior
  - analyze the system behavior
  - identify system parameters
What is Model-Based Design?
- Create a mathematical model of all the parts of the embedded system
  - Physical world
  - Control system
  - Software environment
  - Hardware platform
  - Network
  - Sensors and actuators
- Construct the implementation from the model
  - Construction may be automated, like a compiler
  - More commonly, portions are automatically constructed
When is a Design of a System “Correct”?
- A design is correct when it meets its specification (requirements) in its operating environment
  - “A design without specification cannot be right or wrong, it can only be surprising!”
- Simply running a few tests is not enough!
  - Many embedded systems are deployed in safety-critical applications (avionics, automotive, medical, …)
Specification, Verification, and Control
- Specification: a mathematical statement of the design objective (desired properties of the system)
- Verification: does the designed system achieve its objective in the operating environment?
- Synthesis: given an incomplete design, synthesize a strategy to complete the system so that it achieves its objective in the operating environment
Model-Based Design: Verification
Figure: the verification loop. A model and a specification are fed to a design tool that verifies whether the model satisfies the specification; if the answer is "No", the error trace information is used to revise the model or the specification.
Need a mathematical way to write models and specifications so that a verification algorithm can process them
Model-Based Design: Synthesis
Figure: the synthesis flow. A partial description of the model and a specification are fed to an automatic model synthesis tool, followed by automatic code synthesis for a specific platform.
Need a mathematical way to write models and specifications so that an algorithm can process them
System Models
- Representation (i.e. variables, time)
  - state space and control function
- Continuous System
  - continuous dynamics
  - differential equations
- Discrete System (FSM)
  - in a sequence of discrete steps
  - difference equations
- Hybrid System
  - digital controller (thermostat)
  - with both continuous and discrete dynamic behavior
Continuous Models
- Ordinary differential equations, Laplace transforms, feedback control systems, stability analysis, robustness analysis, …
Modeling a Simple Suspension (SS1)
Figure: quarter-car suspension. The car body (mass m1, position x1) rests on the shock absorbers (c1) and coil springs (k1); below them are the axles (mass m2, position x2, all combined) resting on the tires (k2); the road profile xroad is the input.
Outputs: x1, x2, dx1/dt, dx2/dt
Input: xroad
Equations of motion:
m_1 \ddot{x}_1 + c_1 (\dot{x}_1 - \dot{x}_2) + k_1 (x_1 - x_2) = 0
m_2 \ddot{x}_2 - c_1 (\dot{x}_1 - \dot{x}_2) - k_1 (x_1 - x_2) + k_2 (x_2 - x_{road}(t)) = 0
Modeling a Simple Suspension (SS1)
- Recall: let us set v_1 = \dot{x}_1 and v_2 = \dot{x}_2
- Then \dot{z} = A z + B x_{road}, where
z = \begin{pmatrix} x_1 \\ x_2 \\ \dot{x}_1 \\ \dot{x}_2 \end{pmatrix} = \begin{pmatrix} x_1 \\ x_2 \\ v_1 \\ v_2 \end{pmatrix}
A = \begin{pmatrix} 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \\ -\frac{k_1}{m_1} & \frac{k_1}{m_1} & -\frac{c_1}{m_1} & \frac{c_1}{m_1} \\ \frac{k_1}{m_2} & -\frac{k_1 + k_2}{m_2} & \frac{c_1}{m_2} & -\frac{c_1}{m_2} \end{pmatrix}
B = \begin{pmatrix} 0 \\ 0 \\ 0 \\ \frac{k_2}{m_2} \end{pmatrix}
Actor Model of a Continuous System
- Continuous-time signal: x
- Continuous-time actor: a block that maps an input signal x to an output signal y
- Example: integrator (integration), block 1/s: y(t) = x_0 + \int_0^t x(\tau)\,d\tau
- Example: differentiation, block d/dt: y = dx/dt
- Example: our simple suspension system (SS1) as an actor, with input xroad and output z
Discrete Systems
- Example: count the number of cars that enter and leave a parking garage:
- Pure signal:
- Discrete actor:
Discrete Time Signals
Consider a signal x : R+ → {absent} ∪ R, where R is some range, and let T be the points in time at which it is present:
T = {t ∈ R+ | x(t) ≠ absent}.
Then x is discrete if there exists a 1-1 function f : T → N which is order preserving.
Figure: a signal plotted against t that is present at isolated instants and absent otherwise. The system is event triggered.
up : N+ → {absent, present}
Garage Counter Finite State Machine
- A garage has a finite space, so the state space = {0, 1, 2, …, M}
Figure: the garage counter FSM, showing the declaration of inputs and outputs, the states, an arrow denoting the initial state, and transitions with guards such as "down is present, up is absent".
FSM Notation
Figure: a state, the initial state, a transition, and a self loop.
- Transitions are labeled “guard / action”
- A guard is a predicate (a boolean-valued expression) that evaluates to true when the transition should be taken
  - The transition is enabled
Formal Definition of FSM
- An FSM (finite state automaton) is a 5-tuple (States, Inputs, Outputs, update, initialState) where
  - States is a finite set of states
  - Inputs is a set of input valuations
  - Outputs is a set of output valuations
  - update : States × Inputs → States × Outputs is an update function, mapping a state and input valuation to a next state and an output valuation
  - initialState is the initial state
Garage Counter Mathematical Model
The picture above defines the update function.
update : States × Inputs → States × Outputs
update(s, i) =
  (s+1, s+1)   if s < M and i(up) = present and i(down) = absent
  (s-1, s-1)   if s > 0 and i(up) = absent and i(down) = present
  (s, absent)  otherwise
FSM Execution
- The dynamics of a discrete system can be described by a sequence of reactions
  - We ignore how much time has passed between each reaction
- For each reaction the FSM moves from the current state to the next state
  - s : N → S is the state of the FSM at each reaction
  - We can number the visited states (0 for the initial)
- Input & output valuations: x : N → Inputs and y : N → Outputs
- The FSM dynamics are (s(n+1), y(n)) = update(s(n), x(n))
FSM Behavior
- Each port p, for each reaction, will take a value from V_p ∪ {absent}, generating a sequence (or function) s_p : N → V_p ∪ {absent}
- Behavior: the assignment of signals to each input port such that an output sequence can be produced
  - Observable trace ((x_i, y_i))_{i ∈ N}
  - Execution trace ((x_i, s_i, y_i))_{i ∈ N}
- The set of all behaviors of an FSM M is called the language of M and is denoted by L(M)
Garage Counter: Behavior
Behavior:
s_up = (present, absent, present, absent, present, …)
s_down = (present, absent, absent, present, absent, …)
s_count = (absent, absent, 1, 0, 1, …)
Note: if s_count were something else, this might not have been a behavior of the system.
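An added example (not code from the course slides) that runs the garage counter's update function as the sequence of reactions (s(n+1), y(n)) = update(s(n), x(n)), checks the signal triple above against L(M), and computes the reachable state set as a small safety analysis; the capacity M and the five-reaction input prefix are assumptions taken from the slide.

```python
"""Garage counter FSM from the slides, run as (s(n+1), y(n)) = update(s(n), x(n)).
Ports `up`/`down` carry "present" or "absent"; output `count` carries a number or
"absent"; capacity M is a parameter. Sample traces are constructed from the slide."""
ABSENT, PRESENT = "absent", "present"

def update(s, i, M):
    """update : States x Inputs -> States x Outputs, the three cases on the slide."""
    if s < M and i["up"] == PRESENT and i["down"] == ABSENT:
        return s + 1, s + 1
    if s > 0 and i["up"] == ABSENT and i["down"] == PRESENT:
        return s - 1, s - 1
    return s, ABSENT  # default/stuttering transition: state kept, output absent

def execute(s0, inputs, M):
    """One reaction per input valuation; returns the execution trace ((x_n, s_n, y_n))."""
    trace, s = [], s0
    for x in inputs:
        s_next, y = update(s, x, M)
        trace.append((x, s, y))
        s = s_next
    return trace

def is_behavior(s_up, s_down, s_count, M, s0=0):
    """True iff the signal triple (s_up, s_down, s_count) is a behavior in L(M)."""
    inputs = [{"up": u, "down": d} for u, d in zip(s_up, s_down)]
    return [y for _, _, y in execute(s0, inputs, M)] == list(s_count)

def reachable_states(s0, M):
    """Safety analysis: every state reachable from s0 under all input valuations."""
    valuations = [{"up": u, "down": d}
                  for u in (ABSENT, PRESENT) for d in (ABSENT, PRESENT)]
    seen, frontier = {s0}, [s0]
    while frontier:
        s = frontier.pop()
        for x in valuations:
            s_next, _ = update(s, x, M)
            if s_next not in seen:
                seen.add(s_next)
                frontier.append(s_next)
    return seen

# Constructed 5-reaction prefix of the behavior shown on the slide.
S_UP = (PRESENT, ABSENT, PRESENT, ABSENT, PRESENT)
S_DOWN = (PRESENT, ABSENT, ABSENT, PRESENT, ABSENT)
S_COUNT = (ABSENT, ABSENT, 1, 0, 1)

if __name__ == "__main__":
    print(is_behavior(S_UP, S_DOWN, S_COUNT, M=10))  # True
    print(is_behavior(S_UP, S_DOWN, (ABSENT, ABSENT, 1, 1, 2), M=10))  # False
    print(sorted(reachable_states(0, M=3)))  # [0, 1, 2, 3]: M+1 is never reached
```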
Extended State Machines
- A default transition is enabled if no non-default transition is enabled and it either has no guard or the guard is true.
- Extended state machines augment the FSM model with variables that may be read or written.
Question: What is the size of the state space?
Definitions
- Stuttering transition: implicit default transition that is enabled when inputs are absent and that produces absent outputs.
- Receptiveness: for any input values, some transition is enabled. Our structure together with the implicit default transition ensures that our FSMs are receptive.
- Determinism: in every state, for all input values, exactly one (possibly implicit) transition is enabled, i.e. the next possible state is uniquely determined.
- Non-deterministic: if for any state of a state machine there are two distinct transitions with guards that can evaluate to true in the same reaction.
Example: Nondeterministic FSM
- Nondeterministic model of pedestrians arriving at a crosswalk:
- Formally, the update function is replaced by a function
Behaviors and Traces
- FSM behavior is a sequence of (non-stuttering) steps.
- A trace is the record of inputs, states, and outputs in a behavior.
- A computation tree is a graphical representation of all possible traces.
- FSMs are suitable for formal analysis. For example, safety analysis might show that some unsafe state is not reachable.
Uses of Nondeterminism
- Modeling unknown aspects of the environment or system
  - Such as: how the environment changes the iRobot’s orientation
- Hiding detail in a specification of the system
  - We will see an example of this later
- More compact than deterministic FSMs
- For a fixed input sequence:
  - A deterministic system exhibits a single behavior
  - A non-deterministic system exhibits a set of behaviors
What we will be able to do with FSMs
- FSMs provide:
  - A way to represent the system for:
    - Mathematical analysis
    - So that a computer program can manipulate it
  - A way to model the environment of a system.
  - A way to represent what the system must do and must not do – its specification.
  - A way to check whether the system satisfies its specification in its operating environment.
Example from Industry: Engine Control
Source: Delphi Automotive Systems (2001)
Traffic Light Controller
- When does a reaction occur?
  - time-triggered model: one reaction per second
  - event-triggered model: when any input is present