Publication


Featured research published by Hervé Marchand.


Discrete Event Dynamic Systems | 2000

Synthesis of Discrete-Event Controllers Based on the Signal Environment

Hervé Marchand; P. Bournai; Michel Le Borgne; Paul Le Guernic

In this paper, we present the integration of controller synthesis techniques in the SIGNAL environment through the description of a tool dedicated to the incremental construction of reactive controllers. The plant is specified in SIGNAL and the control synthesis is performed on a logical abstraction of this program, named polynomial dynamical system (PDS) over ℤ/3ℤ ({−1, 0, +1}). The control of the plant is performed by restricting the controllable input values with respect to the control objectives. These restrictions are obtained by incorporating new algebraic equations into the initial system. This theory sets the basis for the verification and the controller synthesis tool, SIGNAL. Moreover, we present a tool developed around the SIGNAL environment allowing the visualization of the synthesized controller by an interactive simulation of the controlled system. In a first stage, the user specifies in SIGNAL both the physical model and the control objectives to be ensured. A second stage is performed by the SIGNAL compiler which translates the initial SIGNAL program into a PDS, and the control objectives in terms of polynomial relations/operations. The controller is then synthesized using SIGNAL. The result is a controller coded by a polynomial and then by a Ternary Decision Diagram (TDD). Finally, in a third stage, the obtained controller and some simulation processes are automatically included in the initial SIGNAL program. It is then sufficient for the user to compile the resulting SIGNAL program which generates executable code ready for simulation. Different academic examples are used to illustrate the application of the tool.


international workshop on discrete event systems | 2006

Supervision patterns in discrete event systems diagnosis

Thierry Jéron; Hervé Marchand; Sophie Pinchinat; Marie-Odile Cordier

In this paper, we are interested in the diagnosis of discrete event systems modeled by finite transition systems. We propose a model of supervision patterns general enough to capture past occurrences of particular trajectories of the system. Modeling the diagnosis objective by a supervision pattern allows us to generalize the properties to be diagnosed and to render them independent of the description of the system. We first formally define the diagnosis problem in this context. We then derive techniques for the construction of a diagnoser and for the verification of the diagnosability based on standard operations on transition systems. We show that these techniques are general enough to express and solve in a unified way a broad class of diagnosis problems found in the literature, e.g. diagnosing permanent faults, multiple faults, fault sequences and some problems of intermittent faults.


languages, compilers, and tools for embedded systems | 2010

Contracts for modular discrete controller synthesis

Gwenaël Delaval; Hervé Marchand; Eric Rutten

We describe the extension of a reactive programming language with a behavioral contract construct. It is dedicated to the programming of reactive control of applications in embedded systems, and involves principles of the supervisory control of discrete event systems. Our contribution is in a language approach where modular discrete controller synthesis (DCS) is integrated, and it is concretized in the encapsulation of DCS into a compilation process. From transition system specifications of possible behaviors, DCS automatically produces controllers that make the controlled system satisfy the property given as objective. Our language features and compiling technique provide correctness-by-construction in that sense, and enhance reliability and verifiability. Our application domain is adaptive and reconfigurable systems: closed-loop adaptation mechanisms enable flexible execution of functionalities w.r.t. changing resource and environment conditions. Our language can serve programming such adaption controllers. This paper particularly describes the compilation of the language. We present a method for the modular application of discrete controller synthesis on synchronous programs, and its integration in the BZR language. We consider structured programs, as a composition of nodes, and first apply DCS on particular nodes of the program, in order to reduce the complexity of the controller computation; then, we allow the abstraction of parts of the program for this computation; and finally, we show how to recompose the different controllers computed from different abstractions for their correct co-execution with the initial program. Our work is illustrated with examples, and we present quantitative results about its implementation.


embedded software | 2002

A Protocol for Loosely Time-Triggered Architectures

Albert Benveniste; Paul Caspi; Paul Le Guernic; Hervé Marchand; Jean Pierre Talpin; Stavros Tripakis

A distributed real-time control system has a time-triggered nature, just because the physical system for control is bound to physics. Loosely Time-Triggered Architectures (LTTA) are a weaker form of the strictly synchronous Time-Triggered Architecture proposed by Kopetz, in which the different periodic clocks are not synchronized, and thus may suffer from relative offset or jitter. We propose a protocol that ensures a coherent system of logical clocks on the top of LTTA, and we provide several proofs for it, both manual and automatic, based on synchronous languages and associated model checkers. We briefly discuss how this can be used for correct deployment of synchronous designs on an LTTA.


IEEE Transactions on Automatic Control | 2010

Supervisory Control for Opacity

Jérémy Dubreil; Philippe Darondeau; Hervé Marchand

In the field of computer security, a problem that received little attention so far is the enforcement of confidentiality properties by supervisory control. Given a critical system G that may leak confidential information, the problem consists in designing a controller C, possibly disabling occurrences of a fixed subset of events of G, so that the closed-loop system G/C does not leak confidential information. We consider this problem in the case where G is a finite transition system with set of events Σ and an inquisitive user, called the adversary, observes a subset Σ_a of Σ. The confidential information is the fact (when it is true) that the trace of the execution of G on Σ* belongs to a regular set S ⊆ Σ*, called the secret. The secret S is said to be opaque w.r.t. G (respectively, G/C) and Σ_a if the adversary cannot safely infer this fact from the trace of the execution of G (respectively, G/C) on Σ_a*. In the converse case, the secret can be disclosed. We present an effective algorithm for computing the most permissive controller C such that S is opaque w.r.t. G/C and Σ_a. This algorithm subsumes two earlier algorithms working under the strong assumption that the alphabet Σ_a of the adversary and the set of events that the controller can disable are comparable.


formal methods | 2012

Synthesis of opaque systems with static and dynamic masks

Franck Cassez; Jérémy Dubreil; Hervé Marchand

Opacity is a security property formalizing the absence of secret information leakage and we address in this paper the problem of synthesizing opaque systems. A secret predicate S over the runs of a system G is opaque to an external user having partial observability over G, if s/he can never infer from the observation of a run of G that the run belongs to S. We choose to control the observability of events by adding a device, called a mask, between the system G and the users. We first investigate the case of static partial observability where the set of events the user can observe is fixed a priori by a static mask. In this context, we show that checking whether a system is opaque is PSPACE-complete, which implies that computing an optimal static mask ensuring opacity is also a PSPACE-complete problem. Next, we introduce dynamic partial observability where the set of events the user can observe changes over time and is chosen by a dynamic mask. We show how to check that a system is opaque w.r.t. a dynamic mask and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic masks under which S is opaque. Our main result is that the set of such masks can be finitely represented and can be computed in EXPTIME and this is a lower bound. Finally we also address the problem of computing an optimal mask.


international workshop on discrete event systems | 2008

Opacity enforcing control synthesis

Jérémy Dubreil; Philippe Darondeau; Hervé Marchand

Given a finite transition system and a regular predicate, we address the problem of computing a controller enforcing the opacity of the predicate against an attacker (that partially observes the system), supposedly trying to push the system to reveal the predicate. Assuming that the controller can only control a subset of the events it observes (possibly different from the ones of the attacker), we show that an optimal control always exists and provide sufficient conditions under which it is regular and effectively computable. These conditions rely on the inclusion relationships between the observable alphabets of the attacker and the controller and the controllable alphabet.


IFAC Proceedings Volumes | 2008

Predictability of sequence patterns in discrete event systems

Thierry Jéron; Hervé Marchand; Sahika Genc; Stéphane Lafortune

The problem of predicting the occurrences of a pattern in a partially-observed discrete-event system is studied. The system is modeled by a labeled transition system. The pattern is a set of event sequences modeled by a finite-state automaton. The occurrences of the pattern are predictable if it is possible to infer about any occurrence of the pattern before the pattern is completely executed by the system. A novel off-line algorithm to verify the property of predictability is presented. The verification is polynomial in the number of states of the system. An on-line algorithm to track the execution of the pattern during the operation of the system is also presented. This algorithm is based on the use of a diagnoser automaton.


international workshop on discrete event systems | 2006

Modular and decentralized supervisory control of concurrent discrete event systems using reduced system models

Klaus Schmidt; Hervé Marchand; Benoit Gaudin

This paper investigates the supervisor synthesis for concurrent systems based on reduced system models with the intention of complexity reduction. It is assumed that the expected behavior (specification) is given on a subset of the system alphabet, and the system behavior is reduced to this alphabet. Supervisors are computed for each reduced subsystem employing the modular approach in Komenda et al. (2005) and the decentralized approach in Lee and Wong (2002). Depending on the chosen architecture, we provide sufficient conditions for the consistent implementation of the reduced supervisors for the original system.


International Workshop on Formal Approaches to Software Testing | 2003

Test Cases Generation for Nondeterministic Real-Time Systems

Ahmed Khoumsi; Thierry Jéron; Hervé Marchand

We study the generation of test cases for nondeterministic real-time systems. We define a class of Determinizable Timed Automata (DTA), in order to specify the system under test. The principle of our test method consists of two steps. In Step 1, we express the problem in a non-real-time form, by transforming a DTA into an equivalent finite state automaton. The latter uses two additional types of events, Set and Exp. In Step 2, we adapt a non-real-time test generation method.

Collaboration


Top Co-Authors

Gabriel Kalyon

Université libre de Bruxelles

Tristan Le Gall

Université libre de Bruxelles

Thierry Massart

Université libre de Bruxelles

Emil Dumitrescu

Institut national des sciences Appliquées de Lyon