
DISTRIBUTED STOCHASTIC HYBRID SYSTEMS

2000

Abstract: We consider a theoretical, but very general mathematical model of control systems, namely stochastic hybrid systems. Then we study how to define concurrency for these systems. Copyright © 2005 IFAC

Keywords: distributed, stochastic, hybrid systems; process algebra.

Manuela L. Bujorianu ∗, Marius C. Bujorianu ∗∗, Savi Maharaj ∗∗∗

∗ Department of Engineering, University of Cambridge, Cambridge, CB2 1PZ, UK. Email: lmb56@eng.cam.ac.uk
∗∗ Computing Laboratory, University of Kent, Canterbury CT2 7NF, UK. Email: M.C.Bujorianu@kent.ac.uk
∗∗∗ Department of Computing Science and Mathematics, University of Stirling, Stirling, FK9 7LA, UK. Email: savi@cs.stir.ac.uk

1. INTRODUCTION

Almost 90% of control systems consist of software. The complex communication inherent to control system development requires new languages and methodologies. Nowadays, distribution is becoming inherent in control systems. In particular, hybrid systems are no exception (Simsek, T. et al., 2003). In this setting, distribution may present additional aspects, in comparison with the case of discrete systems. Distribution may be present in control, execution (which may have stochastic features), communication or parallelism. Moreover, many concepts specific to distributed systems do not always admit a smooth translation into the continuous case. Often the definition of such a concept strongly depends on the continuous mathematics employed to describe the systems.

In distributed hybrid systems, interaction is very complex, especially because of the continuous/discrete aspects involved. Recent developments in computer science and hybrid systems have identified the need for proper treatment of interaction in continuous systems. For embedded systems, CSP-based approaches define interaction grounded on a solid tradition. Hybrid extensions of process algebra (Vereijken, J.J., 1995) play the same role for hybrid systems.
The limitation of all these approaches is the necessity to define the interactions using the intrinsic language of continuous processes. This necessity is generated by the fact that continuous aspects cannot be neglected in the context of concurrent hybrid systems. The distributed systems considered until now are discrete concurrent systems enriched with some continuous features.

In this work we make an attempt to define parallelism and communication for stochastic hybrid systems, in a very general setting. We use the model introduced in (Bujorianu, M.L., 2004; Bujorianu, M.L. and Lygeros, J., 2004a) (and further developed in (Bujorianu, M.L. and Lygeros, J., 2004b)), namely GSHS (general stochastic hybrid systems). It generalizes the models of stochastic hybrid systems most used in control engineering. The stochastic features of the model make this attempt difficult.

From a computer science perspective our approach uses a mixture of ACP (Algebra of Communicating Processes), developed by Bergstra and Klop (Baeten, J.C.M and Weijland, W.P., 1990), and Robin Milner's CCS techniques. Parallelism is introduced in an axiomatic manner as in the ACP tradition. Communication is based on dually labelled transitions (where duality means sent/received transitions or active/passive transitions). Communication takes place as a handshake between dually labelled transitions.

We introduce the concept of distributed stochastic hybrid systems (DSHS) as an automata formalism for compositional specifications of GSHS. A DSHS can be thought of as an automaton representation of a GSHS, with an extra possibility to interact with other processes via so-called passive transitions (which are discrete transitions). This concept is a generalization of the so-called communicating piecewise deterministic Markov processes developed in (Strubbe, S.N. et al., 2003), because the underlying model used is more general.
Section 2 starts by motivating this work (subsection 2.1), then the DSHS model is formally defined (subsection 2.2). After that, the parallel operator and the communication between DSHS models are defined in subsection 2.3. The partial conclusions of this experiment are sketched in the last section.

2. DISTRIBUTED STOCHASTIC HYBRID SYSTEMS

2.1 Motivation

Hybrid systems are used as a paradigm for modelling embedded systems, recorded in Air Traffic Management (ATM), with safety critical performance requirements. Embedded systems of this type have to operate in an uncertain and often adversarial environment. Stochastic analysis and control of hybrid systems is therefore essential to study and improve the performance of ATM systems in the presence of uncertainty.

The problem of safety analysis is addressed from the perspective of the current centralized ATM systems, where aircraft are prescribed to follow certain flight plans, and all flights are controlled by an Air Traffic Controller (ATC) from gate to gate. In the context of ATM, different safety relevant operation cases might occur as follows: vertical crossings; overtake manoeuvres in unmanaged airspace; ATC sector transitions; missed approaches (see (Pola, G. et al., 2003) for a detailed presentation), aircraft-to-aircraft conflict and aircraft-to-airspace conflict. For example, the ATCs are responsible for maintaining a sufficiently large distance between aircraft to avoid dangerous situations and ultimately collisions, by issuing trajectory specifications to the pilots. Separation assurance forms a major part of the current ATC workload. If the level of automation in the ATM process increases, some of the separation assurance tasks can be transferred to the automated system. One approach for doing this is to rely on conflict detection and resolution (CDR) strategies to assist ATC.
These strategies try to predict the trajectories of aircraft within managed airspace, analyse these trajectories in order to decide if there is a substantial possibility of loss of separation (conflict detection) and, if there is, issue advisories to the ATC and/or pilots on how to resolve the problem (conflict resolution).

The model for predicting the aircraft future position should incorporate the information on the aircraft flight plan, the aircraft dynamics and the flight management systems. Each aircraft has to follow a flight plan, which typically consists of airways (straight lines between given way-points travelled at constant speed). The aircraft actual motion might deviate from the planned motion because of different sources of uncertainty. We assume that wind is the main source of uncertainty on the aircraft actual dynamics. The hybrid nature of the model is due to the change in the dynamics when a way-point is reached. The stochastic component is due to the wind described by a random field, which is used to model the spatial correlation between the wind perturbations to the aircraft motion.

The use of GSHS to describe the aircraft dynamics has some advantages. Explicitly, because these models allow stochastic features both in the continuous dynamics and in the discrete transitions, they can be instantiated in different ways. GSHS, as a 'unifying' model, encompasses almost all the models already proposed to deal with different safety critical situations recorded in ATM (piecewise deterministic Markov processes, switching diffusions, etc.; see (Pola, G. et al., 2003) for an overview). Therefore, techniques and tools specific to GSHS might be employed in order to deal with all the cases of interest. The conclusion is that these safety critical situations can be treated in a unified way in the modelling framework of GSHS.

In real life, distribution is present in many different ways. Finding its adequate definition in a specific context is often a difficult task.
In ATM systems one can easily discover that centralised control coexists with many (semi-)autonomous behaviours. This situation is not very common for discrete systems. Moreover, what can be logically seen as centralised control is distributed from a physical point of view. In example analysis, where space aspects are important, one might need a distributed model.

Simultaneous executions in ATM are, obviously, everywhere. From a continuous mathematics viewpoint, parallelism (simultaneous executions) can be easily modelled, essentially because of the lack of interaction. Basically, the Cartesian product of two (continuous) processes can be interpreted as their simultaneous execution. On the other hand, interaction is an important feature of these systems. This feature means possible collaboration of multiple agents (both human and non-human). Pilots talk to controllers and sometimes to each other. Embedded controllers usually control components that interact and are aware of each other's existence.

Due to the distributed nature of air traffic management, even advanced engineering design approaches have proven to fall short. It is quite relevant to know that in the USA this has already led to the involvement of distributed control theorists and stochastic analysis in air traffic management studies.

Taking into account the above considerations about the features of ATM systems, a further development which we make in this paper is to enrich the GSHS model with two capabilities: compositionality and communication. The result is what we have called distributed stochastic hybrid systems (DSHS). In ATM, these models can illustrate architectures for handling conflicts between multiple aircraft, while maintaining the situational awareness of human operators. The DSHS modelling, designed on the skeleton of GSHS, constitutes the appropriate framework within which the CDR problems can be easily solved.
2.2 Model Description

In this section we introduce the DSHS formalism. First we formally define its structure, and then we give an algorithm which describes its executions.

Definition 1. A DSHS, denoted by $DH$, is a collection $((Q, d, m, X), (f, \sigma), L, A, P)$ where

(i) $(Q, d, m, X)$ describes the state space, which is a countable union of open sets from a Euclidean space (modes), each one corresponding to a discrete location. Note that the dimension of the embedding Euclidean space might be different for different locations.
(ii) $(f, \sigma)$ gives the continuous dynamics between jumps of the continuous state within the locations.
(iii) $L$ is the set of labels.
(iv) $A$ is the set of active transitions.

Formally, the elements of (i) are defined as follows:

• $Q$ is a countable set of locations.
• $d : Q \to \mathbb{N}$ is a map giving for each location the dimension of the continuous state space in that location.
• $m : Q \to \mathbb{N}$ is a map giving the dimension of the Wiener processes that govern the evolution of the continuous state.
• $X : Q \to \mathbb{R}^{d(\cdot)}$ maps each $q \in Q$ into an open subset $X(q) = X^q$ of $\mathbb{R}^{d(q)}$; this means that for each $q \in Q$, $X^q$ is the mode (the invariant set) associated to the location $q$. Let us denote by $X$ the whole space, $X = \cup\{(q, X^q) \mid q \in Q\}$. We also define the boundary set $\partial X^q := \overline{X^q} \setminus X^q$ of $X^q$ and the boundary of the whole space $\partial X = \cup\{(q, \partial X^q) \mid q \in Q\}$.

The continuous motion parameters from (ii) are given as follows:

• $f : X \to \mathbb{R}^{d(\cdot)}$ is a vector field and $\sigma : X \to \mathbb{R}^{d(\cdot) \times m(\cdot)}$ is an $X(\cdot)$-valued matrix. For all $q \in Q$, the functions $f^q : X^q \to \mathbb{R}^{d(q)}$ and $\sigma^q : X^q \to \mathbb{R}^{d(q) \times m(q)}$ are bounded and Lipschitz continuous, and the continuous motion is governed by the following stochastic differential equation (SDE):

$$dx(t) = f^q(x(t))\,dt + \sigma^q(x(t))\,dW_t$$

where $(W_t, t \geq 0)$ is an $m(q)$-dimensional standard Wiener process in a complete probability space.

The active transitions of (iii) are given as follows:
These are the union of the boundary-hit transitions $B$ and the spontaneous transitions $S$. The boundary-hit transitions $B$ depend on the transition-choice function $C$.

• $B$ is the set of boundary-hit transitions (forced transitions). Each element $b \in B$ is a quadruple $(q, l, q', R_b)$ where $q$ is the origin location, $l$ is the label of the jump, $q'$ is the target location, and $R_b$ is the reset map of the jump, i.e. for each $x \in \partial X^q$ with $C(b, q, x) > 0$ (see next item) and for all Borel sets $A$ of $X^{q'}$ the quantity $R_b(x, A)$ is the probability to jump into the set $A$ when the transition $b$ is taken from the boundary state $x$.
• The function $C : B \times Q \times \partial X \to [0, 1]$ is defined such that for all $q \in Q$, all $x \in \partial X^q$, and all $b \in B$ which are outgoing transitions of $q$, the quantity $C(b, q, x)$ is the probability of executing the boundary-hit transition $b$. Elsewhere, $C$ takes the value zero. Moreover, $\sum_{b \in B_{q \to}} C(b, q, x) = 1$, where $B_{q \to}$ is the set of all elements of $B$ that are outgoing transitions of $q$.
• $S$ is the set of spontaneous transitions. Each element $s \in S$ is a pentuple $(q, l, q', R_s, \lambda)$, where $q$ is the origin location, $l$ is the label of the jump, $q'$ is the target location, $R_s$ is the reset map of the jump, and $\lambda$ is the jump rate (it determines the rate at which the process jumps).

The passive transitions of (iv) are given as follows:

• $P$ is the set of passive transitions. Each element $p \in P$ is a quadruple $(q, l, q', R_p)$, where $q$ is the origin location, $l$ is the label of the jump, $q'$ is the target location, and $R_p$ is the reset map of the jump. The passive transitions play a role in communication with the outside world.

A general stochastic hybrid system (GSHS) can be defined in a similar way as a DSHS. The only difference is that the discrete transitions do not have labels and there is no choice function defined on the boundary.

A realization of a DSHS given by Definition 1 generates a stochastic process. The above remark and the structure of a DSHS ensure that this process is a GSHS.
We will refer to this process as the GSHS associated to the given DSHS. In this context, a DSHS execution can be defined as a sample path of this stochastic process. For the generation of the DSHS executions we assume that no communication takes place; therefore the passive transitions do not play any role in the generation of executions. To eliminate pathological solutions that take an infinite number of discrete transitions in a finite amount of time (known as Zeno solutions) we assume that for each location $q \in Q$ the number of outgoing transitions is finite.

Execution of a DSHS

We assume that an initial hybrid state $(q_0, x_0)$ is given. The continuous dynamics in the mode $X^{q_0}$ is determined by the stochastic differential equation (SDE) with $q$ replaced by $q_0$. Let $\omega^{q_0}$ be an arbitrary diffusion sample path starting in $x_0$. Suppose that $\omega^{q_0}$ reaches the boundary $\partial X^{q_0}$ at time $\tau_b$ and suppose that location $q_0$ has $n_0$ outgoing spontaneous transitions. During the continuous motion, for every outgoing spontaneous transition, a Poisson-type process is activated. This can generate a jump to another hybrid state. The probability density function of each of these processes is equal to

$$\lambda_i(x_t(\omega^{q_0})) \exp\left(-\int_0^t \lambda_i(x_t(\omega^{q_0}))\right),$$

where $\lambda_i$ is the jump rate of the $i$-th outgoing spontaneous transition $s_i$. Let us define

$$\tau_{q_0}(\omega^{q_0}) := \min_{i=1..n_0} \tau_i(\omega^{q_0})$$

where $\tau_i$ is the jump time corresponding to the $i$-th outgoing spontaneous transition $s_i$ (given by the Poisson probability distribution). There are two possibilities:

1. If $\tau_b < \tau_{q_0}$, the boundary is reached before any spontaneous transition is about to be executed, which means that a forced transition is executed at time $\tau_b$;
2. If $\tau_{q_0} < \tau_b$, the spontaneous transition corresponding to $\tau_{q_0}$ causes a jump at time $\tau_{q_0}$ before the boundary is reached.

Remark 1. The above discussion shows that the first jump time (corresponding to the diffusion path $\omega^{q_0}$) is a minimum of $n_0 + 1$ stopping times (the first boundary hitting time and the stopping times given by the Poisson probability distributions corresponding to the $n_0$ outgoing spontaneous transitions from $X^{q_0}$).

A boundary-hit transition at time $\tau_b$ from the boundary state $x_{\tau_b}(\omega^{q_0}) \in \partial X^{q_0}$ is executed as follows. It could be the case that multiple boundary-hit transitions are active in state $x_{\tau_b}(\omega^{q_0})$; therefore we use the choice function $C$ to choose one of the active transitions. A transition $b \in B_{q_0 \to}$ is taken according to the probability measure determined by $C(\cdot, q_0, x_{\tau_b})$. Then $b = (q_0, l_b, q_b', R_b)$ is the transition which takes place. The post-jump location is $q_b'$ and the continuous state after the jump is $x' \in X^{q_b'}$, which is drawn according to the reset measure $R_b(\cdot, x_{\tau_b})$. From the new hybrid state $(q_b', x')$ at time $\tau_b$, the above recipe can be repeated to continue the execution.

A spontaneous transition $s = (q_0, l_s, q_s', R_s)$ at time $\tau_{q_0}$ from the continuous state $x_{\tau_{q_0}}(\omega^{q_0}) \in X^{q_0}$ is taken as follows. The target location is $q_s'$, and the continuous state after the jump, $x'$, is drawn according to the probability measure $R_s(x_{\tau_{q_0}}(\omega^{q_0}), \cdot)$. Starting with the new hybrid state $(q_s', x')$ we can repeat the recipe given above to continue the execution.

The executions of the DSHS can be thought of as being generated by the following algorithm.

Algorithm. Generation of DSHS Executions.

    set $T = 0$
    select $X$-valued random variable $\hat{x}$
    repeat
        set $q = X^{-1}(\hat{x})$, $n_q$ the number of spontaneous transitions from $X^q$
        set $x_t$ as solution of (SDE) with initial condition equal to $\hat{x}$
        select $\omega^q$ a sample path for the process $(x_t)$ with the start point $\hat{x}$
        select $\mathbb{R}_+$-valued random variable $\hat{S}$ such that
            $\hat{S}(\omega^q) = \min(\tau_1(\omega^q), \ldots, \tau_{n_q}(\omega^q), \tau_b(\omega^q))$
            where $\tau_i$ is the jump time of the $i$-th outgoing spontaneous transition
            and $\tau_b$ is the first hitting time of the boundary $\partial X^q$
        select the transition $t$ from $q$ to $q'$ associated to $\hat{S}$
        select $X^{q'}$-valued r.v. $\hat{x}$ according to $R_t(\cdot, x_{\hat{S}})$
        set $T = T + \hat{S}$
    until true

2.3 Parallelism and Communication of DSHS

In this section we introduce a composition operator $||$ on the set of DSHS. In the DSHS framework, communication takes place by means of the passive transitions. The execution of an active transition is always independent of the environment. In a context with two composed DSHS, one of the DSHS can execute a passive transition with label $l$ if and only if at the same time the other DSHS executes an active event with label $l$.

Notations. We write $q \overset{l,R}{\mapsto} q'$, $q \overset{l,R}{\to} q'$, $q \overset{l,R,\lambda}{\rightsquigarrow} q'$ to denote the existence of, respectively, boundary-hit, passive and spontaneous transitions from $q$ to $q'$ with label $l$, reset map $R$ and, in the case of a spontaneous transition, jump rate $\lambda$.

Parallelism

The parallel composition of two DSHS is defined as follows:

Definition 2. Given two DSHS $DH_i = ((Q_i, d_i, m_i, X_i), (f_i, \sigma_i), L_i, A_i, P_i)$, $i = 1, 2$, the parallel composition $DH = DH_1 || DH_2$ is the collection $((Q, d, m, X, f, \sigma), L, B, C, S, P)$ whose components are defined as follows:

(1) $Q = Q_1 \times Q_2$;
(2) $d : Q \to \mathbb{N}$ such that $d(q_1, q_2) = d_1(q_1) + d_2(q_2)$;
(3) $m = m_1 + m_2$;
(4) $X : Q \to \mathbb{R}^{d(\cdot)}$ such that $X(q_1, q_2) = X_1(q_1) \times X_2(q_2)$;
(5) $f^{(q_1,q_2)} = \begin{pmatrix} f^{q_1} \\ f^{q_2} \end{pmatrix}$ and $\sigma^{(q_1,q_2)} = \begin{pmatrix} \sigma^{q_1} \\ \sigma^{q_2} \end{pmatrix}$;
(6) $b \in B$, $s \in S$ and $p \in P$ if $b$, $s$ and $p$ can be derived from the rules r1 to r6 defined below, and r1' to r6', which are the mirrored versions of r1 to r6 (here $q_2 \overset{l}{\nrightarrow}$ means that $q_2$ has no outgoing passive transition with label $l$):

$$
\begin{array}{ll}
\text{r1.}\ \dfrac{q_1 \overset{l,R_1}{\mapsto} q_1',\quad q_2 \overset{l}{\nrightarrow}}{(q_1, q_2) \overset{l,R}{\mapsto} (q_1', q_2)} &
\text{r2.}\ \dfrac{q_1 \overset{l,R_1}{\mapsto} q_1',\quad q_2 \overset{l,R_2}{\to} q_2'}{(q_1, q_2) \overset{l,R}{\mapsto} (q_1', q_2')} \\[3ex]
\text{r3.}\ \dfrac{q_1 \overset{l,R_1,\lambda_1}{\rightsquigarrow} q_1',\quad q_2 \overset{l}{\nrightarrow}}{(q_1, q_2) \overset{l,R,\lambda}{\rightsquigarrow} (q_1', q_2)} &
\text{r4.}\ \dfrac{q_1 \overset{l,R_1,\lambda_1}{\rightsquigarrow} q_1',\quad q_2 \overset{l,R_2}{\to} q_2'}{(q_1, q_2) \overset{l,R,\lambda}{\rightsquigarrow} (q_1', q_2')} \\[3ex]
\text{r5.}\ \dfrac{q_1 \overset{l,R_1}{\to} q_1',\quad q_2 \overset{l}{\nrightarrow}}{(q_1, q_2) \overset{l,R}{\to} (q_1', q_2)} &
\text{r6.}\ \dfrac{q_1 \overset{l,R_1}{\to} q_1',\quad q_2 \overset{l,R_2}{\to} q_2'}{(q_1, q_2) \overset{l,R}{\to} (q_1', q_2')}
\end{array}
$$

(7) $R$, the reset map, is given as the product measure, namely in cases r1, r3, r5

$$R((x_1, x_2), \cdot) = R_1(x_1, \cdot) \otimes 1_{x_2}$$

and in cases r2, r4, r6

$$R((x_1, x_2), \cdot) = R_1(x_1, \cdot) \otimes R_2(x_2, \cdot)$$

where $x_1 \in \partial X^{q_1}$ in cases r1, r2, and $x_1 \in X^{q_1}$ for the remaining cases, and $x_2 \in X^{q_2}$;
(8) the transition map $\lambda$ for cases r3 and r4 is given by

$$\lambda(x_1, x_2) = \lambda_1(x_1)$$

for all $x_1 \in X^{q_1}$ and $x_2 \in X^{q_2}$;
(9) the choice function $C$ should be specified for any $q = (q_1, q_2) \in Q$ and any $b : (q_1, q_2) \mapsto (q_1', q_2') \in B$. It is clear that $b$ has been derived from one of the following cases:

$$
\begin{array}{ll}
c_1 :\ q_1 \overset{b_{11}}{\mapsto} q_1',\ q_2 \nrightarrow,\ q_2 = q_2', &
c_2 :\ q_1 \overset{b_{12}}{\mapsto} q_1',\ q_2 \to q_2', \\
c_3 :\ q_2 \overset{b_{23}}{\mapsto} q_2',\ q_1 \nrightarrow,\ q_1 = q_1', &
c_4 :\ q_2 \overset{b_{24}}{\mapsto} q_2',\ q_1 \to q_1'.
\end{array}
$$

Then for all $(x_1, x_2) \in \partial X(q)$ the function is defined as

$$
C(b, q, (x_1, x_2)) =
\begin{cases}
C_1(b_{1i}, q_1, x_1) & \text{if } \alpha,\ (c_i)_{i=1,2} \\
C_2(b_{2i}, q_2, x_2) & \text{if } \beta,\ (c_i)_{i=3,4} \\
\text{undefined} & \text{if } \gamma
\end{cases}
$$

where $\alpha \Leftrightarrow (x_1, x_2) \in \partial X^{q_1} \times X^{q_2}$; $\beta \Leftrightarrow (x_1, x_2) \in X^{q_1} \times \partial X^{q_2}$; $\gamma \Leftrightarrow (x_1, x_2) \in \partial X^{q_1} \times \partial X^{q_2}$; and $C$ takes the value zero elsewhere.

Communication

The meaning of the parallel composition of two DSHS can be expressed as follows.

• If one agent is able to execute an active event and the other agent does not have a matching passive event, then the active agent executes the transition while the second agent stays in the same location (rules r1, r1', r3, r3').
• If, on the contrary, the first agent can execute an active transition and the second agent has a matching passive transition, then both agents execute respectively the active and passive transition at the same time (rules r2, r2', r4, r4').
• If the first agent has a passive transition with label $l$ and the second agent has no passive transition with label $l$, then the composed system has a passive transition with label $l$ outgoing from the joint location, which gives the possibility to interact with other systems in another composition context (rules r5, r5').
• If both agents have a passive transition with the same label, then the composed system also has a passive transition with this label. The implication of this fact is that both agents can execute the passive transitions at the same time in another composition context where a third agent executes an active transition with the same label (rules r6, r6').

A state $(x_1, x_2)$ is called a double boundary state if both $x_1$ and $x_2$ are boundary points.

The choice function $C$ is undefined for the double boundary states. In the composed system execution, these points play a role only when the two components reach their boundary at exactly the same time $\tau_b$. It is not clear what to do in such a situation. Two boundary-hit transitions should be executed at the same time. It is possible that the two transitions have different labels, and then a simultaneous execution of these transitions gives problems from the compositionality point of view: if a third agent has both labels available in passive transitions, which passive transition should be chosen? However, for many composed systems these problems would not be present because the probability that two separate agents reach their boundary at exactly the same time is zero. We leave the choice of what to do in double boundary states open and we say that the composed DSHS is undefined on the double boundary states. Because the reset maps are not defined for the double boundary states, the boundary-hit transitions are not defined for these states.

The choice function $C$ from Definition 2, being defined by using the choice functions $C_1$, $C_2$ of the components, meets the conditions imposed on the choice function by Definition 1 of DSHS.

From Definition 2 and the remarks 2.3, 2.3, it follows that the parallel composition $DH$ of the two DSHS $DH_1$ and $DH_2$ is a DSHS which is undefined on double boundary states. This underspecification cannot be seen as a shortcoming of the parallel composition. It follows naturally from the fact that a parallel execution of two DSHS brings forth cases where a choice has to be made. This choice can be made by the parallel operator (when the composition would result in a DSHS), but it might be better to leave this choice open, because which choice is more appropriate may depend on the situation or the kind of application.

3. CONCLUSIONS

In this paper, we present a distributed version of one of the most general unifying models of hybrid systems. Distribution in this paper means parallelism and communication. A parallel composition operator for DSHS is defined à la ACP. Communication is defined in CCS style and it takes place via some discrete transitions called passive transitions. The communication takes place via some discrete transitions.

From the communication point of view, the next step will be to introduce the communication for the continuous part of the DSHS. However, this further development is not straightforward. If two agents are allowed to communicate between their continuous and discrete parts, the resulting composed agent might not be a DSHS. This is why we have to find at least sufficient conditions to ensure that the parallel composition of two agents (when they have 'continuous and discrete communication') is well defined.

REFERENCES

Baeten, J.C.M and Weijland, W.P. (1990). Process Algebra. Cambridge University Press.
Bujorianu, M.L. (2004). Extended stochastic hybrid systems. In: Hybrid Systems: Computation and Control (R. Alur and G. Pappas, Eds.). pp. 234–249. Number 2993 In: LNCS. Springer Verlag.
Bujorianu, M.L. and Lygeros, J. (2004a). General stochastic hybrid systems. In: IEEE Mediterranean Conference on Control and Automation, MED'04.
Bujorianu, M.L. and Lygeros, J. (2004b). General stochastic hybrid systems: Modelling and optimal control. In: 43rd IEEE Conference on Decision and Control, CDC'04.
Pola, G., Bujorianu, M.L., Lygeros, J. and Di Benedetto, M. D. (2003). Stochastic hybrid models: An overview with applications to air traffic management. In: Conference on Analysis and Design of Hybrid System.
Simsek, T., Sousa, G. and Varaiya, P. (2003). Communication and control of distributed hybrid systems. In: American Control Conference.
Strubbe, S.N., Julius, A.A. and van der Schaft, A. J. (2003). Communicating piecewise deterministic Markov processes. In: Conference on Analysis and Design of Hybrid System.
Vereijken, J.J. (1995). A process algebra for hybrid systems. In: The Second European Workshop on Real-Time and Hybrid Systems.
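
Added example (not code from the paper): a Python sketch of the algorithm "Generation of DSHS Executions" from Section 2.2, with the SDE discretised by an Euler-Maruyama scheme that the paper does not prescribe. The two-location model, its labels, rates, reset maps and the function name `simulate` are assumptions constructed for illustration.

```python
import math
import random

# Constructed one-dimensional DSHS with two locations (all values are
# assumptions for this example). Per location q: open mode X^q = (lo, hi),
# drift f^q, diffusion sigma^q, spontaneous transitions
# (label, target, reset, rate) and boundary-hit transitions
# (label, target, reset, weight); the weights play the role of the choice
# function C(b, q, x) and sum to 1. Passive transitions are omitted because
# the paper assumes no communication when generating executions.
MODEL = {
    "cruise": {
        "mode": (0.0, 1.0),
        "f": lambda x: 0.5,
        "sigma": lambda x: 0.2,
        "spont": [("gust", "recover", lambda x, rng: 0.5, lambda x: 0.3)],
        "bhit": [("wp", "cruise", lambda x, rng: 0.1, 0.7),
                 ("wp_alt", "recover", lambda x, rng: rng.uniform(0.2, 0.8), 0.3)],
    },
    "recover": {
        "mode": (-1.0, 1.0),
        "f": lambda x: -x,
        "sigma": lambda x: 0.3,
        "spont": [("resume", "cruise", lambda x, rng: 0.5, lambda x: 1.0)],
        "bhit": [("alarm", "cruise", lambda x, rng: 0.5, 1.0)],
    },
}


def simulate(model, q0, x0, horizon, dt=1e-3, seed=0):
    """Return the jumps (T, kind, label, q, q', x_before, x_after) up to horizon."""
    rng = random.Random(seed)
    q, x, T, jumps = q0, x0, 0.0, []
    while True:
        loc = model[q]
        lo, hi = loc["mode"]
        # One Exp(1) threshold per spontaneous transition: transition i fires
        # when its integrated rate first exceeds the threshold, which yields
        # the density lambda_i * exp(-integral of lambda_i) used in the text.
        thresholds = [rng.expovariate(1.0) for _ in loc["spont"]]
        hazard = [0.0] * len(loc["spont"])
        S, fired = 0.0, None  # S approximates min(tau_1, ..., tau_nq, tau_b)
        while fired is None and T + S < horizon:
            # Euler-Maruyama step of dx = f^q dt + sigma^q dW
            x += loc["f"](x) * dt + loc["sigma"](x) * math.sqrt(dt) * rng.gauss(0.0, 1.0)
            S += dt
            if not lo < x < hi:
                x = min(max(x, lo), hi)  # project onto the boundary of X^q
                weights = [b[3] for b in loc["bhit"]]
                fired = ("boundary", rng.choices(loc["bhit"], weights=weights)[0])
            else:
                for i, s in enumerate(loc["spont"]):
                    hazard[i] += s[3](x) * dt
                    # ties inside one step are broken by list order
                    if fired is None and hazard[i] >= thresholds[i]:
                        fired = ("spontaneous", s)
        if fired is None:  # horizon reached without a further jump
            return jumps
        kind, (label, target, reset, _) = fired
        x_new = reset(x, rng)  # draw the post-jump state from the reset map
        T += S
        jumps.append((T, kind, label, q, target, x, x_new))
        q, x = target, x_new
```

Calling `simulate(MODEL, "cruise", 0.5, horizon=20.0)` returns one sample execution as a list of jumps; changing `seed` gives a different sample path.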
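
Added example (not code from the paper): the discrete part of Definition 2 in Python, deriving the transitions of $DH_1 || DH_2$ from rules r1 to r6 and their mirrored versions, together with $d(q_1, q_2) = d_1(q_1) + d_2(q_2)$. The two component systems, their labels and the function names are assumptions constructed for illustration; reset maps are carried only as a flag saying whether the product is $R_1 \otimes R_2$ (synchronised) or $R_1 \otimes 1_{x_2}$.

```python
from itertools import product

# A component is {"Q": locations, "d": dimension per location,
# "T": [(kind, source, label, target)]} with kind in
# {"bhit", "spont", "passive"}. Both components below are constructed.
AIRCRAFT = {
    "Q": {"fly", "hold"},
    "d": {"fly": 2, "hold": 2},
    "T": [("bhit", "fly", "wp", "hold"),         # way-point reached (active)
          ("passive", "hold", "clear", "fly")],  # waits for a clearance
}
CONTROLLER = {
    "Q": {"idle", "busy"},
    "d": {"idle": 1, "busy": 1},
    "T": [("passive", "idle", "wp", "busy"),     # listens for way-point events
          ("spont", "busy", "clear", "idle")],   # issues clearance (active)
}

# Rule name by (kind of the driving transition, partner has matching passive)
RULE = {("bhit", False): "r1", ("bhit", True): "r2",
        ("spont", False): "r3", ("spont", True): "r4",
        ("passive", False): "r5", ("passive", True): "r6"}


def _half(dh_a, dh_b, mirrored):
    """Transitions driven by dh_a, paired with every location of dh_b."""
    out = []
    for (kind, qa, label, qa2), qb in product(dh_a["T"], sorted(dh_b["Q"])):
        # Matching passive transitions of the partner from qb with this label
        partners = [t[3] for t in dh_b["T"]
                    if t[0] == "passive" and t[1] == qb and t[2] == label]
        synced = bool(partners)  # True: reset is R1 (x) R2, else R1 (x) 1_x2
        for qb2 in (partners or [qb]):  # no partner: the other agent stays put
            src, dst = (qa, qb), (qa2, qb2)
            if mirrored:  # keep composite locations ordered as (q1, q2)
                src, dst = src[::-1], dst[::-1]
            rule = RULE[(kind, synced)] + ("'" if mirrored else "")
            out.append((rule, kind, src, label, dst, synced))
    return out


def compose(dh1, dh2):
    """Discrete skeleton of DH1 || DH2: locations, dimensions, transitions."""
    seen, trans = set(), []
    for t in _half(dh1, dh2, False) + _half(dh2, dh1, True):
        key = t[1:5]
        if key not in seen:  # r6 and r6' derive the same passive transition
            seen.add(key)
            trans.append(t)
    locations = set(product(dh1["Q"], dh2["Q"]))
    dims = {(a, b): dh1["d"][a] + dh2["d"][b] for a, b in locations}
    return {"Q": locations, "d": dims, "T": trans}
```

For the constructed pair, `compose(AIRCRAFT, CONTROLLER)["T"]` contains eight transitions, among them the handshake `("r2", "bhit", ("fly", "idle"), "wp", ("hold", "busy"), True)`.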