Teaching Cyber-Physical Systems: A Programming Approach

Kerstin Bauer and Klaus Schneider, Department of Computer Science, University of Kaiserslautern, Germany

ABSTRACT

One major problem in the design of cyber-physical systems is understanding the problems that can arise from the interaction of discrete and continuous behaviors, i.e., the behaviors of hybrid systems whose discrete states enable attached differential equations. Tools like Simulink, Labview, Scicos, and Dymola are powerful choices for the simulation of such systems. However, the modeling capabilities of these tools are limited to a composition of given blackbox modules, so that they lack the notion of an ordinary program. To make use of algorithmic models, we recently proposed an extension of the synchronous programming language Quartz to model, simulate, and verify cyber-physical systems. We developed an operational semantics of this language that formally specifies a simulator, and we also defined a translation to hybrid state transition systems for the formal verification of these systems.

In this paper, we describe how our Quartz language and the related Averest toolset can be used for teaching cyber-physical systems. We present the concept of an introductory course on modeling, simulation, and verification of these systems in a Master program in Computer Science. The goal of the lecture is to give a broad overview that introduces students to the main research areas of this field. Besides a theoretical foundation, we emphasize the combination of lectures with practical exercises using our Averest tools for simulation and verification. This way, we show our students several effects that may occur in the design of cyber-physical systems, like Zeno behaviors, urgent transitions, real-time requirements, etc.

Categories and Subject Descriptors: K.3.2 [Computers and Education]: Computer and Information Science Education

General Terms: Cyber-Physical Systems; Modeling and Verification

WESE ’12, Tampere, Finland. Copyright 2012 ACM 978-1-4503-1765-8...$15.00

1. INTRODUCTION

In general, a cyber-physical system is a system whose physical parts are tightly integrated with its embedded computer systems. Typically, the embedded computer systems have discrete behaviors, and the physical parts have analog behaviors that are determined by the laws of physics; hence, the entire behavior of a cyber-physical system is a combination of discrete and continuous behaviors. The discrete dynamics of a cyber-physical system can generally be represented by a finite state transition system, and its continuous dynamics by a set of differential equations attached to each discrete state. Such systems frequently occur in complex engineering fields like embedded system design, robotics, the automotive industry, and avionics. Since many cyber-physical systems are used in safety-critical applications, there is a crucial need for modeling, simulation, and verification.

Tools and Languages. Although the modeling and analysis of cyber-physical systems is of growing importance in industry, only a few languages and tools are available (see [8] for a still valid survey). Moreover, the languages of most of these tools either have no formal semantics, are restricted to very special subclasses of cyber-physical systems like rectangular automata, or approximate the continuous behavior by a discrete behavior. In particular, verification tools like PHAVer and HyTech focus on the continuous dynamics of the cyber-physical system and are quite weak in the description of discrete behaviors. Their lack of typical program statements and data types often requires an explicit enumeration of the discrete state space, resulting in a huge state space explosion. Simulation tools that became popular in industry, like MATLAB/Simulink or the analog mixed signal (AMS) extensions of hardware description languages like SystemC-AMS, suffer from the lack of a formal semantics [15, 6] and are therefore a questionable basis for formal verification.

Recently, a new language for modeling, simulation, and verification of cyber-physical systems has been developed in our research group [2]. This language is an extension of the synchronous language Quartz [13], which is derived from the Esterel language [7, 5, 4]. As it originates from a programming language for discrete systems, it has a rich set of data types and many statements for expressing discrete behaviors in a convenient way. In particular, generic statements and module hierarchies allow one to describe large generic systems concisely. Thus, the modeling capabilities of hybrid Quartz are in many cases better than those of comparable languages. Like Quartz, the extension to cyber-physical systems also has a precise formal semantics that defines unique behaviors for given input traces. For this reason, the language lends itself well to formal verification. In particular, hybrid Quartz programs can be translated to equivalent symbolic transition relations, which provides a sound basis for formal verification. The determinism of the language is also very important for simulation, since it allows one to reproduce previously observed behaviors.

Cyber-physical Systems in Education. The difficulty of teaching cyber-physical systems is mainly due to the interdisciplinary nature of the topic: cyber-physical systems combine control theory, calculus, real-time embedded systems, verification of infinite-state systems, and many other fields of computer science, mathematics, physics, and electrical/mechanical engineering. For this reason, even introductory courses on cyber-physical systems require relatively broad knowledge in these areas. In addition to the broad knowledge that the students must already have, another problem we identify for teaching cyber-physical systems is the choice of tools and languages to be used in practical exercises. Many tools focus only on a small aspect of the many topics concerning cyber-physical systems, while other tools fail when combining continuous dynamics with complex discrete dynamics such as those given by the interaction between a discrete finite-state controller and its physical environment. Thus, tools are either engineered to run simulations in an industrial setting or to be used for special academic research topics like formal verification. Neither kind of tool is a good choice in the context of education when one wants to address various topics like modeling, simulation, and formal verification in a single course.

In this paper, we therefore propose the use of our hybrid Quartz language, supported by our Averest¹ tools, for teaching cyber-physical systems. Our aim is to teach modeling, simulation, and formal verification with both theoretical and practical exercises. To that end, we present an introductory course on cyber-physical systems together with corresponding exercises built upon the Quartz language and the Averest tools.

2. THE HYBRID QUARTZ LANGUAGE

In the following, we give a brief overview of the synchronous language Quartz, its hybrid extension for modeling cyber-physical systems, and the Averest toolset.

2.1 The Synchronous Language Quartz

Quartz [13] is a synchronous language that is derived from the Esterel language [7, 4, 5]. The execution of a Quartz program is defined by so-called micro and macro steps, where a macro step consists of finitely many micro steps whose maximal number is known at compile time. Macro steps correspond to reactions of reactive systems, and micro steps correspond to atomic actions like assignments of the program that implements these reactions. Variables of a synchronous program are synchronously updated between macro steps, so that the execution of the micro steps within a macro step is done in the same variable environment of that macro step. This synchronous update is important for avoiding data races, and therefore for ensuring determinism. The language offers many data types like booleans, bitvectors, signed and unsigned integers that may be bounded or unbounded, real numbers (in contrast to floats!), as well as compound data types like arrays and tuples. Modules are declared with an interface that determines inputs and outputs, and a body statement that may use additional local variables. In the following, we list some of the statements needed to describe the examples given in this paper. A complete definition of the language is found in [13] for the discrete case, and in [2] for the hybrid extension. Provided that S, S1, and S2 are statements, ℓ is a location variable, x is a variable, σ is a boolean expression, and α is a type, then the following are statements:

• x = τ and next(x) = τ (assignments)
• assume(ϕ) and assert(ϕ) (assumptions and assertions)
• ℓ : pause (start/end of macro step)
• S1 ; S2 (sequence)
• S1 ∥ S2 (synchronous concurrency)
• if(σ) S1 else S2 (conditional)
• do S while(σ) (loops)
• {α S} (local variable)

¹ See http://www.averest.org

The pause statement defines a control flow location ℓ – a boolean variable that is true iff the control flow is currently at ℓ : pause. Since all other statements are executed in zero time, the control flow only rests at these positions in the program, and thus the possible (discrete) control flow states are the subsets of the set of locations. There are two variants of assignments that both evaluate the right-hand side τ in the current macro step: immediate assignments x = τ transfer the value of τ to the left-hand side x immediately, while delayed assignments next(x) = τ assign this value only in the next macro step. If the value of a variable is determined neither by assignments of the current nor of the previous macro step, a default value is used according to the declaration of the variable. To this end, declarations of variables consist of a storage class in addition to their type. There are two storage classes, namely mem and event, that select the previous value (mem variables) or a default value (event variables) in case no assignment determines the value of a variable. In addition to the statements known from other imperative languages (conditionals, sequences, and loops), Quartz offers synchronous concurrency S1 ∥ S2 and sophisticated preemption and suspension statements (not shown in the above list), as well as many further statements like generic statements that allow comfortable descriptions of parameterized systems. Clearly, there is also the possibility to store modules in packages so that they can be called from other modules, supporting re-use in the form known from software libraries.

2.2 The Hybrid Extension of Quartz

Figure 1: The Flow Statement. Program statement: ℓ1 : pause; x = 0.0; ℓ2, ℓ'2 : flow{drv(x) = 1.0}. Extended finite state machine: locations ℓ1, ℓ2, and ℓ'2, with transition labels x = 0, drv(x) = 1, cont(x) >= 1, and ¬(cont(x) >= 1).

(Verilog) and software synthesis (C), there is also a translation to the language Modelica, so it is also possible to use simulators for the Modelica language².

While time in synchronous languages is given in the abstract form of macro steps, cyber-physical systems require the consideration of physical time. In order to combine these inherently different concepts of time, the transition between discrete states (i.e., a macro step) is endowed with a continuous transition that takes place between the immediate and delayed assignments of the macro step. During the continuous transition, which consumes physical time, variables of the new storage class hybrid change their values according to the new flow assignments x ← τ or drv(x) ← τ (which equate variable x, or its derivative with respect to time drv(x), with the expression τ). The continuous transition of the macro step starts with the variable environment determined by the immediate assignments as initial values. In order to distinguish between the ‘discrete’/initial value and the value during the continuous transition, a new operator cont(x) is introduced: x always refers to the discrete value of a variable, whereas cont(x) refers to the (changing) value during the continuous evolution. For memorized and event variables, x and cont(x) always coincide, as these variables do not change during continuous evolutions. The continuous actions x
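As an added illustration of the macro-step semantics just described (this code is not from the paper or the Averest toolset), the following Python snippet runs the flow statement of Figure 1 through a tiny interpreter, so that the difference between x and cont(x) becomes visible in a trace. Beyond what the text states, it assumes that the flow is released at the first sampled instant at which the release condition over cont(·) holds, and that the cont values reached then become the discrete values of the next macro step; the mem variable y, the rate and bound arguments, and the sampling step dt are constructed for the example.

```python
from fractions import Fraction

# Constructed mini-simulator for one macro step of a hybrid Quartz program.
# Assumptions not stated in the paper: release happens at the first sampled
# instant where the release predicate over cont() holds, and the cont()
# values reached then are the discrete values of the next macro step.

def macro_step(env, classes, immediate, flows, released,
               dt=Fraction(1, 10), max_steps=10_000):
    """env: discrete values at the start of the step; classes: name -> 'mem' |
    'event' | 'hybrid'; immediate: immediate assignments; flows: hybrid name ->
    constant drv() rate; released: predicate on the cont() environment.
    Returns (disc, trace, nxt): the discrete environment during the step (what
    plain x denotes), the sampled cont() trace, and the next discrete environment."""
    for v in flows:                         # only hybrid variables may flow
        if classes[v] != "hybrid":
            raise ValueError(f"flow assignment to non-hybrid variable {v}")
    disc = {v: Fraction(val) for v, val in env.items()}
    disc.update({v: Fraction(val) for v, val in immediate.items()})
    cont = dict(disc)                       # cont(x) starts from the value of x
    t = Fraction(0)
    trace = [(t, dict(cont))]
    for _ in range(max_steps):
        if released(cont):                  # release tests cont(x), never x
            return disc, trace, dict(cont)
        for v, rate in flows.items():       # mem/event variables stay constant
            cont[v] += Fraction(rate) * dt  # Euler step; exact for a constant drv
        t += dt
        trace.append((t, dict(cont)))
    raise RuntimeError("flow never released within max_steps (non-terminating flow?)")

def figure1():
    """Figure 1's macro step, plus a constructed mem variable y that must not move:
    x = 0.0; flow{drv(x) = 1.0}, released when cont(x) >= 1."""
    return macro_step(env={"x": 7, "y": 5},
                      classes={"x": "hybrid", "y": "mem"},
                      immediate={"x": 0},
                      flows={"x": 1},
                      released=lambda c: c["x"] >= 1)

if __name__ == "__main__":
    disc, trace, nxt = figure1()
    print("x during the step:", disc["x"], " cont(x) at release:", nxt["x"],
          " physical time consumed:", trace[-1][0])
```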