### Systematic development of hybrid systems

*Thomas Stauner*

#### Abstract

To summarize the previous paragraphs, the availability of formal hybrid description techniques and supporting methods for them pushes the point at which systematic development can begin to the beginning of the analysis phase. (Systematic development here means development with mathematically precise documentation.) For those system components which can be implemented in a digital or analog manner, a partitioning into discrete-time and continuous-time submodels can be postponed to subsequent development phases. A separation of state-transition logic and (discrete-time) control laws can even be avoided completely. In any case, a development process with hybrid description techniques allows us to obtain greater confidence in the model before a partitioning. Namely, testing and model-checking techniques can be used to analyze requirements, and formal refinement techniques can be used to guarantee the traceability of these requirements. By postponing implementation-related questions, changing requirements can be taken into account more easily. Thus, errors made in the initial development phases can be found earlier, which in turn makes them cheaper to correct.

Footnote 3: Note that even if the state-transition logic builds upon the event mechanism of an underlying operating system, it can nevertheless only react depending on the clock rate given by the digital hardware.

#### 2.2 Supporting Techniques Developed in the Thesis

**Description techniques.** [Sta01] contributes to the development process outlined above in several ways. It proposes the formal hybrid description technique HyCharts, which supports modular specification of hybrid systems (cf. Section 3). HyCharts resemble the notation introduced in the software engineering method for real-time object-oriented systems (ROOM) [SGW94], but extend it to the description of hybrid and continuous behavior. ROOM is one basis for the ongoing standardization of the UML [Gro00] dialect for real-time systems, UML-RT.
As in ROOM and in agreement with the UML's concept of different system views, HyCharts consist of two subnotations: HyACharts for the specification of system architecture and HySCharts for the specification of component behavior. The main application area for HyCharts ranges from requirements specification to the design phase. For the discrete-time models which are derived from HyCharts and which occur in these later development phases, DiCharts are introduced. They exactly correspond to HyCharts but use an underlying discrete-time execution model. In particular, they allow us to closely couple state-transition logic and discrete-time control laws.

**Refinement.** As far as potential unexpected effects are concerned, a highly critical step in the transition from the analysis phase to design and implementation is to move from a mixed discrete-event/continuous-time model to a discrete-time model, which enables efficient implementation. The thesis therefore elaborates methods which guide this transition to discrete-time models while maintaining vital classes of properties of the initial model (cf. Section 4). An important characteristic of these methods is that they help to make assumptions about the environment explicit. Since they result in constraints on the sampling rate, they can also be used to verify the adequacy of sampling rates present in legacy components or in components developed by third parties w.r.t. a given environment model. Furthermore, the thesis also outlines how models can be partitioned into discrete-time and remaining continuous-time and hybrid subsystems, which is useful if a separate development process is intended to be pursued for subsystems that are supposed to be implemented in analog, digital or mixed-signal hardware. Refinement techniques for architecture and automata diagrams in the style of those in [Sch98] which do not affect the time model are also considered in the thesis.

**Properties.** Obviously, for meaningful refinement techniques it is necessary to examine which classes of properties they maintain. Hence, the thesis studies and classifies typical properties that hybrid systems have to obey (cf. Section 5). This provides a deeper insight into the characteristics of hybrid systems and is also used to make relationships to control theory and computer science explicit. In addition to the general definitions for properties of hybrid systems which are given in the thesis, the thesis outlines proof methods for some of them and explains why certain classes of properties have not received much attention in computer science so far.

#### 3 HyCharts - Specification of Hybrid Behavior

In this section we present the basic ideas of HyCharts, the visual, modular specification technique for hybrid systems proposed in [Sta01]. Based on a simple and powerful computation model for hybrid systems, and with a collection of operators on hierarchic graphs (which captures the syntax of the visual notations) as tool set, [Sta01] defines HyCharts by following the ideas in [GSB98]: they consist of two different relational interpretations of hierarchic graphs, an additive one and a multiplicative one. Under the additive interpretation the graphs are called HySCharts and under the multiplicative one they are called HyACharts. HySCharts are a visual representation of hybrid, hierarchic state transition diagrams. They model the control-flow within hybrid components. HyACharts are a visual representation of hybrid data-flow graphs (or architecture graphs). They model the data-flow between the components of a hybrid system and allow the designer to compose components in a modular way. The behavior of these components can be described by using HySCharts or by any technique from system theory that can be given a compatible semantics, including differential equations.
Simple syntactic transformations, corresponding to macro expansion, lead from the graphical notation used by the designer to a hierarchic graph whose semantics results from the respective interpretation of the graph. For HyACharts, the syntactic transformation is trivial, and applying the multiplicative interpretation to the resulting graph yields the semantics of a component. For HySCharts, the transformation is more complex. Here, two transformations are necessary: one to extract the discrete dynamics from the diagram and one to extract the analog dynamics. For the analog dynamics, a time-extended variant of the additive interpretation yields its semantics. For the discrete dynamics, the additive interpretation directly yields its semantics. The coupling of the analog and the discrete dynamics is formalized in the hybrid computation model.

The algebra-based semantics which maps graphs to relations has three main advantages. First, up to (rather simple) syntactic transformations, it corresponds almost one-to-one to the visual notation used by software engineers. Second, as shown in [GBSS98], it comes equipped with a set of graph equations (an algebra) which define how to (visually) transform components in a semantics-preserving way. As a result, the algebra may be used by engineers both for optimizations and to check the equivalence of different components. Third, similarly to [Bro97], it comes equipped with a very simple notion of refinement and its associated compositional refinement rules. This is an essential prerequisite for proving that a successively modified implementation meets its original specification.

For the description of discrete-time components the thesis moreover introduces DiCharts as the discrete-time counterpart to HyCharts. Here the same hierarchic graph framework can be used, since the framework can be defined with the time model as a free parameter.
#### 4 Refinement

In this section we explain the refinement notion used in the thesis and outline the thesis' results on understanding time-discretization as refinement.

**Notion of Refinement.** Before we introduce the refinement notion used in [Sta01], we have to define the mathematical model of components in HyCharts. In a hybrid system the data-flow between components may be continuous (think of analog devices), so we take the non-negative real numbers as the abstract time axis. The data exchanged over time along a channel of a given type defines a mapping from the time axis to that type. We call such a mapping a dense communication history (or dense stream). On the level of semantics the behavior of a component can be completely described by an input/output relation, i.e. by a relation between the histories of its input channels and the histories of its output channels. For a given input channel type and output channel type, the relation is accordingly typed as a relation between dense input histories and dense output histories (Footnote 4). Relations are used instead of functions because this allows us to express nondeterminism. The relations must be total in the input histories, i.e. for every input history an output history must exist which is related to the input history by the relation. Furthermore, we assume that the relations are causal, i.e. that they are defined such that the data occurring in the output histories up to a given point in time only depends on the input history received up to that same point in time.

We define refinement on the basis of set inclusion. For two relations, the first is a refinement of the second iff the first is a subset of the second. If both relations are components, i.e. if they are input/output relations over dense streams, refinement of one component by another means that the behavior of the refining component is contained in that of the refined component. Thus, the refinement may only be more precise than the original. Every behavior of the refinement also is a possible behavior of the original. Properties which constrain all possible behaviors of a system clearly are maintained by refinement.
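To pin down the definitions of this paragraph in notation, the following added formalization (not taken from the thesis; the symbols $\mathbb{T}$, $M$, $I$, $O$, $R$, $P$ and the restriction $x|_t$ are chosen here) states the dense-stream model, totality, causality and refinement, and records why universally quantified properties survive refinement:

$$
\begin{aligned}
&\text{Time axis:} && \mathbb{T} = \mathbb{R}_{\ge 0} \\[2pt]
&\text{Dense stream of type } M\text{:} && x : \mathbb{T} \to M, \qquad \text{written } x \in M^{\mathbb{T}} \\[2pt]
&\text{Component (input type } I\text{, output type } O\text{):} && R \subseteq I^{\mathbb{T}} \times O^{\mathbb{T}} \\[2pt]
&\text{Totality in the inputs:} && \forall x \in I^{\mathbb{T}}\ \exists y \in O^{\mathbb{T}} : (x, y) \in R \\[2pt]
&\text{Causality (} x|_t \text{ = restriction of } x \text{ to } [0,t]\text{):} && \forall t \in \mathbb{T}\ \forall x, x' \in I^{\mathbb{T}} :\ x|_t = x'|_t \Rightarrow \{\, y|_t : (x,y) \in R \,\} = \{\, y|_t : (x',y) \in R \,\} \\[2pt]
&\text{Refinement:} && R' \text{ refines } R \iff R' \subseteq R \\[2pt]
&\text{Preservation of universal properties:} && \big(R' \subseteq R \;\wedge\; \forall (x,y) \in R : P(x,y)\big) \Rightarrow \forall (x,y) \in R' : P(x,y)
\end{aligned}
$$

The last line is immediate from set inclusion: anything true of every pair in $R$ is true of every pair in the subset $R'$, which is exactly the sense in which properties constraining all behaviors are maintained.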
As the thesis shows, some further important classes of properties are also maintained by this refinement notion (cf. Section 5).

Footnote 4: Note that the input and the output may be tuples of inputs and outputs.

**Refinement and Time.** Moving from an abstract model based on a continuous time scale to implementation amounts to changing to a discrete-time execution scheme for those components in the model which are implemented on (or in) digital hardware. Such discrete-time execution usually is desired for large parts of a hybrid system. In order to ensure that vital properties of the abstract model are satisfied in the implementation-oriented discrete-time model, the change of the execution scheme must be performed in a controlled way. Therefore, the thesis identifies conditions under which the transition from continuous-time to discrete-time is a formal refinement.

The most interesting step in the transition from HyACharts with components operating in continuous-time to HyACharts containing subcomponents that operate in discrete-time is the time-discretization of primitive components specified with HySCharts. This time-discretization causes two kinds of effects. First, discrete transitions cannot be taken at the ideal point in time when they become enabled for the first time, but can only be taken with some delay at the next sampling instant at which they are still enabled. Second, the discrete-time component cannot permanently compute output histories from control laws and the input; it can only compute new output at sampling instants. Between the sampling instants, the output history must be extrapolated, usually to a step function. This leads to further deviations between the ideal continuous-time output and the output constructed from a discrete-time signal.

As the refinement notion used here only allows reducing the amount of non-determinism in a component, time-discretization can only be understood as refinement if the abstract component already contained tolerances within which all its produced behaviors lie. A discrete-time refinement of a component must then ensure that all its behaviors also satisfy the specified tolerances. As a main result, the thesis provides methods to systematically derive a discrete-time refinement of components specified with HySCharts. The methods require various kinds of knowledge about the dynamics of the input a component receives. The minimum time between events, Lipschitz constants and possible errors associated with continuous periods of evolution are typically needed. For the discretization of a HySChart's analog part the thesis explains how methods from numerical mathematics and control theory can be employed. For the time-discretization of the state-transition logic specified with a HySChart, the thesis shows how to systematically derive constraints on the sampling rate for the discrete-time refinement from the tolerances allowed in the abstract model and the dynamics of the input the component receives.

#### 5 Properties of Hybrid Systems

Developing hybrid systems, as well as designing formal methods such as validation and refinement techniques for them, requires a deeper understanding of their essential properties. Therefore, the thesis studies and classifies important properties of hybrid systems, and formalizes their relationship to properties usually considered in computer science. As a further result, proof methods for some of these properties (stability and attraction) are provided and related to abstraction in computer science.
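Returning to the time-discretization of Section 4, the following added example (written for this page, not code from the thesis) makes the two effects and the resulting sampling-rate constraint concrete for a single threshold-monitoring component. The threshold `THETA`, the tolerances `eps` and `tol`, the environment assumptions `min_dwell` and `lipschitz`, the input signal `ramp` and the simple bound `T <= min(eps, min_dwell, tol / L)` are all constructed here to illustrate the kind of constraint the thesis derives; they are not the thesis' own method or values.

```python
"""Time-discretization as refinement: a constructed example (not from [Sta01]).

Abstract component (continuous time): it watches an input x(t) with x(0) below
the threshold THETA, raises an alarm once x(t) >= THETA, and tracks x on an
output channel.  The abstract spec is tolerant on purpose: any alarm delay up
to eps and any tracking deviation up to tol is an admissible behavior.  A
discrete-time refinement with period T may only reduce non-determinism, so
every behavior it produces must stay inside those tolerances.
"""

THETA = 1.0  # alarm threshold of the abstract component (constructed value)


def derive_sampling_period(eps, min_dwell, tol, lipschitz):
    """Largest period T for which the sampled component is still a refinement.

    eps       -- alarm delay tolerated by the abstract model
    min_dwell -- minimum time the threshold condition stays enabled once it
                 holds (an explicit assumption about the environment)
    tol       -- tolerated deviation of the step-extrapolated tracking output
    lipschitz -- bound L on |x(t1) - x(t2)| / |t1 - t2| for the input
    T <= eps keeps the alarm inside the tolerated delay; T <= min_dwell makes a
    transition enabled at t still enabled at the next sample; T <= tol / L
    bounds the error of holding a sample constant until the next one.
    """
    return min(eps, min_dwell, tol / lipschitz)


def first_crossing_time(x, horizon, step=1e-3):
    """Ideal continuous-time event: first t with x(t) >= THETA, found by a
    coarse scan plus bisection (assumes x continuous and x(0) < THETA)."""
    n = int(horizon / step)
    for i in range(1, n + 1):
        lo, hi = (i - 1) * step, i * step
        if x(hi) >= THETA:
            for _ in range(60):  # narrow [lo, hi) down to ~1e-18
                mid = (lo + hi) / 2
                if x(mid) >= THETA:
                    hi = mid
                else:
                    lo = mid
            return hi
    return None


def sampled_run(x, period, horizon):
    """Discrete-time component: sample x at k*T, alarm at the first sample that
    is >= THETA, hold each sample until the next one (step extrapolation).
    Returns (alarm time or None, list of (sample time, sampled value))."""
    alarm_at, samples, k = None, [], 0
    while k * period <= horizon:
        t = k * period
        v = x(t)
        samples.append((t, v))
        if alarm_at is None and v >= THETA:
            alarm_at = t
        k += 1
    return alarm_at, samples


def extrapolation_error(x, samples, period, probe=1e-3):
    """Worst |x(t) - held sample| over every holding interval [t_k, t_k + T)."""
    worst = 0.0
    for t0, v in samples:
        t = t0
        while t < t0 + period:
            worst = max(worst, abs(x(t) - v))
            t += probe
    return worst


def is_refinement(x, period, eps, tol, horizon):
    """Refinement check for one input history: the (deterministic) sampled
    component has exactly one behavior, which must lie inside the abstract
    tolerances.  The 1e-9 slack absorbs floating-point noise in the ideal time."""
    ideal = first_crossing_time(x, horizon)
    alarm_at, samples = sampled_run(x, period, horizon)
    if ideal is None:
        delay_ok = alarm_at is None
    else:
        delay_ok = alarm_at is not None and -1e-9 <= alarm_at - ideal <= eps
    return delay_ok and extrapolation_error(x, samples, period) <= tol


def ramp(t):
    """Constructed input: slope 0.5 (Lipschitz constant 0.5), crosses THETA at
    t = 1.9 and stays above it, so the transition never becomes disabled."""
    return 0.5 * t + 0.05


if __name__ == "__main__":
    t_max = derive_sampling_period(eps=0.3, min_dwell=10.0, tol=0.2, lipschitz=0.5)
    print("largest admissible sampling period:", t_max)                          # 0.3
    print("T = 0.3 refines the spec:", is_refinement(ramp, 0.3, 0.3, 0.2, 10.0))  # True
    print("T = 1.0 refines the spec:", is_refinement(ramp, 1.0, 0.3, 0.2, 10.0))  # False
```

With the period derived from the tolerances and the environment assumptions, the sampled component's alarm fires 0.2 after the ideal event (within `eps`) and its held output never drifts more than 0.15 from the input (within `tol`), so its single behavior lies in the abstract relation. With `T = 1.0` the alarm is still timely, but step extrapolation lets the tracking output deviate by almost 0.5, so the sampled component is no longer a refinement; this is the second effect described above, and the `tol / L` term is the constraint that rules it out.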
