Model-based Verification for Automatic Synthesis of Real-time Controllers Extended Abstract

We have developed a novel technique for automatically synthesizing hard real-time reactive controllers using model-checking verification. Our algorithm builds a controller incrementally, using a timed automaton model to check each partial controller for correctness. The verification model captures both the controller design and the semantics of its execution environment. If the controller is found to be incorrect, information from the verification system is used to direct the search for improvements. This paper describes how our controller synthesis process uses verification, and explains in detail how we model the execution of the real time subsystem of the CIRCA intelligent control architecture. We are developing autonomous, flexible control systems for mission-critical applications such as Unmanned Aerial Vehicles (UAVs) and deep space probes. These applications require hybrid real-time control systems, capable of effectively managing both discrete and continuous controllable parameters to maintain system safety and achieve system goals. Using the CIRCA architecture for adaptive real-time control systems (Musliner, Durfee, & Shin 1993; 1995; Musliner et al. 1999), these controllers are synthesized automatically and dynamically, on-line, while the platform is operating. Unlike many other intelligent control systems, CIRCA’s automatically-generated control plans have strong temporal semantics and provide safety guarantees, ensuring that the controlled system will avoid all forms of mission-critical failure. CIRCA uses model-checking techniques for timed automata (Alur 1998; Yovine 1998) as an integral part of its controller synthesis algorithm. CIRCA’s Controller Synthesis Module (CSM) incrementally builds a hard real time reactive controller from a description of the processes in its environment, the control actions available and a set of goal states. To do this, the Controller Synthesis Module must build a model of the controller it is constructing that is faithful to its execution semantics, and use this model to verify that the controller will function safely in its environment.