Synthesis equivalence of triples

This working paper describes a framework for compositional supervisor synthesis, which is applicable to all discrete event systems modelled as a set of deterministic automata. Compositional synthesis exploits the modular structure of the input model, and therefore works best for models consisting of a large number of small automata. State-space explosion is mitigated by the use of abstraction to simplify individual components, and the property of synthesis equivalence guarantees that the final synthesis result is the same as it would have been for the non-abstracted model. The working paper describes synthesis equivalent abstractions and shows their use in an algorithm to compute supervisors efficiently. The algorithm has been implemented in the DES software tool Supremica and successfully computes modular supervisors, even for systems with more than 1014 reachable states, in less than 30 seconds

An algorithm for weak synthesis observation equivalence for compositional supervisor synthesis

This paper proposes an algorithm to simplify automata in such a way that compositional synthesis results are preserved in every possible context. It relaxes some requirements of synthesis observation equivalence from previous work, so that better abstractions can be obtained. The paper describes the algorithm, adapted from known bisimulation equivalence algorithms, for the improved abstraction method. The algorithm has been implemented in the DES software tool Supremica and has been used to compute modular supervisors for several large benchmark examples. It successfully computes modular supervisors for systems with more than 1012 reachable states

SYNTHESIS EQUIVALENCE OF TRIPLES

This working paper describes a framework for compositional supervisor synthesis, which is applicable to all discrete event systems modelled as a set of deterministic automata. Compositional synthesis exploits the modular structure of the input model, and therefore works best for models consisting of a large number of small automata. The state-space explosion is mitigated by the use of abstraction to simplify individual components, and the property of synthesis equivalence guarantees that the final synthesis result is the same as it would have been for the non-abstracted model. The working paper describes synthesis equivalent abstractions and shows their use in an algorithm to efficiently compute supervisors. The algorithm has been implemented in the DES software tool Supremica and successfully computes nonblocking modular supervisors, even for systems with more than 1014 reachable states, in less than 30 seconds

Formal Verification of Intersection Safety for Automated Driving

We build on our recent work on formalization of responsibility-sensitive safety (RSS) and present the first formal framework that enables mathematical proofs of the safety of control strategies in intersection scenarios. Intersection scenarios are challenging due to the complex interaction between vehicles; to cope with it, we extend the program logic dFHL in the previous work and introduce a novel formalism of hybrid control flow graphs on which our algorithm can automatically discover an RSS condition that ensures safety. An RSS condition thus discovered is experimentally evaluated; we observe that it is safe (as our safety proof says) and is not overly conservative.Comment: To appear in ITSC 2023. With appendices. 9 pages, 5 figures, 1 tabl

On Compositional Approaches for Discrete Event Systems Verification and Synthesis

Over the past decades, human dependability on technical devices has rapidly increased.Many activities of such devices can be described by sequences of events,where the occurrence of an event causes the system to go from one state to another.This is elegantly modelled by state machines. Systems that are modelledin this way are referred to as discrete event systems. Usually, these systems arehighly complex, and appear in settings that are safety critical, where small failuresmay result in huge financial and/or human losses. Having a control functionis one way to guarantee system correctness.The work presented in this thesis concerns verification and synthesis of suchsystems using the supervisory control theory proposed by Ramadge and Wonham. Supervisory control theory provides a general framework to automaticallycalculate control functions for discrete event systems. Given a model of thesystem, the plant to be controlled, and a specification of the desired behaviour,it is possible to automatically compute, i.e. synthesise, a supervisor that ensuresthat the specification is satisfied.Usually, systems are modular and consist of several components interactingwith each other. Calculating a supervisor for such a system in the straightforwardway involves constructing the complete model of the considered system, whichmay lead to the inherent complexity problem known as the state-space explosionproblem. This problem occurs as the number of states grows exponentially withthe number of components, which makes it intractable to examine the globalstates of a system due to lack of memory and time.One way to alleviate the state-space explosion problem is to use a compositionalapproach. A compositional approach exploits the modular structure of asystem to reduce the size of the model. This thesis mainly focuses on developingabstraction methods for the compositional approach in a way that the finalverification and synthesis results are the same as it would have been for the nonabstractedsystem. The algorithms have been implemented in the discrete eventsystem software tool Supremica and have been applied to verify and computememory efficient supervisors for several large industrial models

Modular and Safe Event-Driven Programming

Asynchronous event-driven systems are ubiquitous across domains such as device drivers, distributed systems, and robotics. These systems are notoriously hard to get right as the programmer needs to reason about numerous control paths resulting from the complex interleaving of events (or messages) and failures. Unsurprisingly, it is easy to introduce subtle errors while attempting to fill in gaps between high-level system specifications and their concrete implementations.This dissertation proposes new methods for programming safe event-driven asynchronous systems.In the first part of the thesis, we present ModP, a modular programming framework for compositional programming and testing of event-driven asynchronous systems.The ModP module system supports a novel theory of compositional refinement for assume-guarantee reasoning of dynamic event-driven asynchronous systems. We build a complex distributed systems software stack using ModP.Our results demonstrate that compositional reasoning can help scale model-checking (both explicit and symbolic) to large distributed systems.ModP is transforming the way asynchronous software is built at Microsoft and Amazon Web Services (AWS). Microsoft uses ModP for implementing safe device drivers and other software in the Windows kernel.AWS uses ModP for compositional model checking of complex distributed systems. While ModP simplifies analysis of such systems, the state space of industrial-scale systems remains extremely large.In the second part of this thesis, we present scalable verification and systematic testing approaches to further mitigate this state-space explosion problem.First, we introduce the concept of a delaying explorer to perform prioritized exploration of the behaviors of an asynchronous reactive program. A delaying explorer stratifies the search space using a custom strategy (tailored towards finding bugs faster), and a delay operation that allows deviation from that strategy. We show that prioritized search with a delaying explorer performs significantly better than existing approaches for finding bugs in asynchronous programs.Next, we consider the challenge of verifying time-synchronized systems; these are almost-synchronous systems as they are neither completely asynchronous nor synchronous.We introduce approximate synchrony, a sound and tunable abstraction for verification of almost-synchronous systems. We show how approximate synchrony can be used for verification of both time-synchronization protocols and applications running on top of them.Moreover, we show how approximate synchrony also provides a useful strategy to guide state-space exploration during model-checking.Using approximate synchrony and implementing it as a delaying explorer, we were able to verify the correctness of the IEEE 1588 distributed time-synchronization protocol and, in the process, uncovered a bug in the protocol that was well appreciated by the standards committee.In the final part of this thesis, we consider the challenge of programming a special class of event-driven asynchronous systems -- safe autonomous robotics systems.Our approach towards achieving assured autonomy for robotics systems consists of two parts: (1) a high-level programming language for implementing and validating the reactive robotics software stack; and (2) an integrated runtime assurance system to ensure that the assumptions used during design-time validation of the high-level software hold at runtime.Combining high-level programming language and model-checking with runtime assurance helps us bridge the gap between design-time software validation that makes assumptions about the untrusted components (e.g., low-level controllers), and the physical world, and the actual execution of the software on a real robotic platform in the physical world. We implemented our approach as DRONA, a programming framework for building safe robotics systems.We used DRONA for building a distributed mobile robotics system and deployed it on real drone platforms. Our results demonstrate that DRONA (with the runtime-assurance capabilities) enables programmers to build an autonomous robotics software stack with formal safety guarantees.To summarize, this thesis contributes new theory and tools to the areas of programming languages, verification, systematic testing, and runtime assurance for programming safe asynchronous event-driven across the domains of fault-tolerant distributed systems and safe autonomous robotics systems

On Compositional Approaches for Discrete Event Systems Verification and Synthesis

Over the past decades, human dependability on technical devices has rapidly increased.Many activities of such devices can be described by sequences of events,where the occurrence of an event causes the system to go from one state to another.This is elegantly modelled by state machines. Systems that are modelledin this way are referred to as discrete event systems. Usually, these systems arehighly complex, and appear in settings that are safety critical, where small failuresmay result in huge financial and/or human losses. Having a control functionis one way to guarantee system correctness.The work presented in this thesis concerns verification and synthesis of suchsystems using the supervisory control theory proposed by Ramadge and Wonham. Supervisory control theory provides a general framework to automaticallycalculate control functions for discrete event systems. Given a model of thesystem, the plant to be controlled, and a specification of the desired behaviour,it is possible to automatically compute, i.e. synthesise, a supervisor that ensuresthat the specification is satisfied.Usually, systems are modular and consist of several components interactingwith each other. Calculating a supervisor for such a system in the straightforwardway involves constructing the complete model of the considered system, whichmay lead to the inherent complexity problem known as the state-space explosionproblem. This problem occurs as the number of states grows exponentially withthe number of components, which makes it intractable to examine the globalstates of a system due to lack of memory and time.One way to alleviate the state-space explosion problem is to use a compositionalapproach. A compositional approach exploits the modular structure of asystem to reduce the size of the model. This thesis mainly focuses on developingabstraction methods for the compositional approach in a way that the finalverification and synthesis results are the same as it would have been for the nonabstractedsystem. The algorithms have been implemented in the discrete eventsystem software tool Supremica and have been applied to verify and computememory efficient supervisors for several large industrial models

Modelling and analyzing adaptive self-assembling strategies with Maude

Building adaptive systems with predictable emergent behavior is a challenging task and it is becoming a critical need. The research community has accepted the challenge by introducing approaches of various nature: from software architectures, to programming paradigms, to analysis techniques. We recently proposed a conceptual framework for adaptation centered around the role of control data. In this paper we show that it can be naturally realized in a reflective logical language like Maude by using the Reflective Russian Dolls model. Moreover, we exploit this model to specify, validate and analyse a prominent example of adaptive system: robot swarms equipped with self-assembly strategies. The analysis exploits the statistical model checker PVeStA

Supervisory Control of Extended Finite Automata Using Transition Projection

A limitation of the Ramadge and Wonham (RW) framework for the supervisory control theory is the explicit state representation using finite automata, often resulting in complex and unintelligible models. Extended finite automata (EFAs), i.e., deterministic finite automata extended with variables, provide compact state representation and then make the control logic transparent through logic expressions of the variables. A challenge with this new control framework is to exploit the rich control structure established in RW's framework. This paper studies the decentralized control structure with EFAs. To reduce the computational complexity, the controller is synthesized based on model abstraction of subsystems, which means that the global model of the entire system is unnecessary. Sufficient conditions are presented to guarantee that the decentralized supervisors result in maximally permissive and nonblocking control to the entire system