Alberto L. Sangiovanni-Vincentelli

  • PhD
  • Chair at University of California, Berkeley

About

1,019
Publications
210,066
Reads
43,311
Citations
Current institution
University of California, Berkeley
Current position
  • Chair
Additional affiliations
July 1976 - present
University of California, Berkeley
Position
  • The Edgar L. and Harold H. Buttner Chair of EECS
Education
September 1966 - July 1971
Politecnico di Milano
Field of study
  • Electrical Engineering and Computer Science

Publications

Publications (1,019)
Article
Contract-based design is a method to facilitate modular design of systems. While there has been substantial progress on the theory of contracts, there has been less progress on practical algorithms for the algebraic operations in the theory. In this paper, we present 1) principles to implement a contract-based design tool at scale and 2) Pacti, a t...
Preprint
We explore the challenges and opportunities of shifting industrial control software from dedicated hardware to bare-metal servers or cloud computing platforms using off the shelf technologies. In particular, we demonstrate that executing time-critical applications on cloud platforms is viable based on a series of dedicated latency tests targeting r...
Conference Paper
Identifying the change point of a system’s health status is important. Indeed, a change point usually signifies an incipient fault under development. The One-Class Support Vector Machine (OC-SVM) is a popular machine learning model for anomaly detection that could be used for identifying change points; however, it is sometimes difficult to obtain a...
Preprint
Deep neural networks have been shown to lack robustness to small input perturbations. The process of generating the perturbations that expose the lack of robustness of neural networks is known as adversarial input generation. This process depends on the goals and capabilities of the adversary. In this paper, we propose a unifying formalization of t...
Preprint
We present a machine learning approach to the solution of chance constrained optimizations in the context of voltage regulation problems in power system operation. The novelty of our approach resides in approximating the feasible region of uncertainty with an ellipsoid. We formulate this problem using a learning model similar to Support Vector Mach...
Preprint
We consider the problem of extracting safe environments and controllers for reach-avoid objectives for systems with known state and control spaces, but unknown dynamics. In a given environment, a common approach is to synthesize a controller from an abstraction or a model of the system (potentially learned from data). However, in many situations, t...
Preprint
It is important to identify the change point of a system's health status, which usually signifies an incipient fault under development. The One-Class Support Vector Machine (OC-SVM) is a popular machine learning model for anomaly detection and hence could be used for identifying change points; however, it is sometimes difficult to obtain a good OC-...
Preprint
Early detection of incipient faults is of vital importance to reducing maintenance costs, saving energy, and enhancing occupant comfort in buildings. Popular supervised learning models such as deep neural networks are considered promising due to their ability to directly learn from labeled fault data; however, it is known that the performance of su...
Preprint
Full-text available
This paper describes a component-based concurrent model of computation for reactive systems. The components in this model, featuring ports and hierarchy, are called reactors. The model leverages a semantic notion of time, an event scheduler, and a synchronous-reactive style of communication to achieve determinism. Reactors enable a programming mode...
Preprint
Full-text available
We propose a measure and a metric on the sets of infinite traces generated by a set of atomic propositions. To compute these quantities, we first map properties to subsets of the real numbers and then take the Lebesgue measure of the resulting sets. We analyze how this measure is computed for Linear Temporal Logic (LTL) formulas. An implementation...
Chapter
Cyber-physical systems of today are generating large volumes of time-series data. As manual inspection of such data is not tractable, the need for learning methods to help discover logical structure in the data has increased. We propose a logic-based framework that allows domain-specific knowledge to be embedded into formulas in a parametric logica...
Article
Synthesis from component libraries is the problem of building a network of components from a given library, such that the network realizes a given specification. This problem is undecidable in general. It becomes decidable if we impose a bound on the number of chosen components. However, the bounded problem remains computationally hard and brute-fo...
Conference Paper
We present a novel framework for augmenting data sets for machine learning based on counterexamples. Counterexamples are misclassified examples that have important properties for retraining and improving the model. Key components of our framework include a counterexample generator, which produces data items that are misclassified by the mo...
Conference Paper
We address the design space exploration of wireless networks to jointly select topology and component sizing. We formulate the exploration problem as an optimized mapping problem, where network elements are associated with components from pre-defined libraries to minimize a cost function under correctness guarantees. We express a rich set of system...
Preprint
We present a novel framework for augmenting data sets for machine learning based on counterexamples. Counterexamples are misclassified examples that have important properties for retraining and improving the model. Key components of our framework include a counterexample generator, which produces data items that are misclassified by the model and e...
Article
Full-text available
We propose a new paradigm for time-series learning where users implicitly specify families of signal shapes by choosing monotonic parameterized signal predicates. These families of predicates (also called specifications) can be seen as infinite Boolean feature vectors, that are able to leverage a user's domain expertise and have the property that a...
Preprint
Full-text available
With an increasing use of data-driven models to control robotic systems, it has become important to develop a methodology for validating such models before they can be deployed to design a controller for the actual system. Specifically, it must be ensured that the controller designed for an abstract or learned model would perform as expected on the...
Article
With an increasing use of data-driven models to control robotic systems, it has become important to develop a methodology for validating such models before they can be deployed to design a controller for the actual system. Specifically, it must be ensured that the controller designed for an abstract or learned model would perform as expected on the...
Article
Full-text available
This paper presents the MDE process in use at Elettronica SpA (ELT) for the development of complex embedded systems integrating software and firmware. The process is based on the adoption of SysML as the system-level modeling language and the use of Simulink for the refinement of selected subsystems. Implementations are generated automatically for...
Article
We introduce a scalable observer architecture, which can efficiently estimate the states of a discrete-time linear-time-invariant system whose sensors are manipulated by an attacker, and is robust to measurement noise. Given an upper bound on the number of attacked sensors, we build on previous results on necessary and sufficient conditions for sta...
Article
Motivated by the synthesis of controllers from high-level temporal specifications, we present two algorithms to compute dominant strategies for continuous two-player zero-sum games based on the Counter-Example Guided Inductive Synthesis (CEGIS) paradigm. In CEGIS, we iteratively propose candidate dominant strategies and find counterexamples. For sc...
Conference Paper
We develop an assume-guarantee contract framework for the design of cyber-physical systems, modeled as closed-loop control systems, under probabilistic requirements. We use a variant of signal temporal logic, namely, Stochastic Signal Temporal Logic (StSTL) to specify system behaviors as well as contract assumptions and guarantees, thus enabling au...
Article
We present a framework to systematically analyze convolutional neural networks (CNNs) used in classification of cars in autonomous vehicles. Our analysis procedure comprises an image generator that produces synthetic pictures by sampling in a lower dimension image modification subspace and a suite of visualization tools. The image generator produce...
Article
We address the problem of synthesizing reactive controllers for cyber-physical systems subject to Signal Temporal Logic (STL) specifications in the presence of adversarial inputs. Given a finite horizon, we define a reactive hierarchy of control problems that differ in the degree of information available to the system about the adversary's actions...
Conference Paper
We present ArchEx, a framework for cyber-physical system architecture exploration. We formulate the exploration problem as a mapping problem, where "virtual" components are mapped into "real" components from pre-defined libraries to minimize an objective function while guaranteeing that system requirements are satisfied. ArchEx leverages an extensi...
Conference Paper
As personal fabrication becomes increasingly accessible and popular, a larger number of makers, many without formal training, are dabbling in embedded and electronics design. However, existing general-purpose, board-level circuit design techniques do not share desirable properties of modern software development, like rich abstraction layers and aut...
Article
We develop an assume-guarantee contract framework for the design of cyber-physical systems, modeled as closed-loop control systems, under probabilistic requirements. We use a variant of signal temporal logic, namely, Stochastic Signal Temporal Logic (StSTL) to specify system behaviors as well as contract assumptions and guarantees, thus enabling au...
Conference Paper
Synthesis from component libraries is the problem of building a network of components from a given library, such that the network realizes a given specification. This problem is undecidable in general. It becomes decidable if we impose a bound on the number of chosen components. However, the bounded problem remains computationally hard and brute-fo...
Conference Paper
We address the problem of determining the satisfiability of a Boolean combination of convex constraints over the real numbers, which is common in the context of hybrid system verification and control. We first show that a special type of logic formulas, termed monotone Satisfiability Modulo Convex (SMC) formulas, is the most general class of formu...
Chapter
Leveraging on a comprehensive analysis of cyber-physical systems (CPSs) in Europe, this chapter presents overall findings focusing on (1) a characterization of CPS, (2) opportunities and challenges in representative CPS application domains, and (3) recommendations for action resulting from a cross-domain analysis. The characterization enables a hig...
Conference Paper
We address the problem of diagnosing and repairing specifications for hybrid systems, formalized in signal temporal logic (STL). Our focus is on automatic synthesis of controllers from specifications using model predictive control. We build on recent approaches that reduce the controller synthesis problem to solving one or more mixed integer linear...
Article
Full-text available
Buildings are the result of a complex integration of multi-physics subsystems. Besides the obvious civil engineering infrastructure, thermal, electrical, mechanical, control, communication and computing subsystems must co-exist and be operated so that the overall operation is smooth and efficient. This is particularly important for commercial build...
Article
As the complexities of automotive systems increase, designing a system is a difficult task that cannot be done manually. In this paper, we propose an algorithm for weight minimization of wires used for connecting electronic devices in a system. The wire routing problem is formulated as a Steiner tree problem with capacity constraints, and the locat...
Article
The special issue of Scanning the Issue provides an overview of and a perspective on the evolution of electronic design automation (EDA) and offers a perspective on some of the principal avenues of future development. Research in EDA has a rich history of attacking intractable problems with the goal of developing algorithms that are effective in pr...
Conference Paper
Education and training face several challenges as our society is evolving to become increasingly dependent on Cyber-Physical Systems (CPS). We present and discuss how education is impacted, leveraging mainly a cross-domain investigation of CPS challenges of the EU CyPhERS project. In particular, the investigation revealed challenges that go beyond...
Article
The realization of complex, cyber-physical “systems of systems” can substantially benefit from model-based hierarchical and compositional methodologies to make their design possible let alone optimal. In this paper, we introduce the methodology being developed within the industrial Cyber-Physical (iCyPhy) research consortium, which addresses the co...
Article
Full-text available
We introduce a platform-based design methodology that uses contracts to specify and abstract the components of a cyber-physical system (CPS), and provide formal support to the entire CPS design flow. The design is carried out as a sequence of refinement steps from a high-level specification to an implementation built out of a library of components...
Article
Full-text available
We address the problem of estimating the state of a differentially flat system from measurements that may be corrupted by an adversarial attack. In cyber-physical systems, malicious attacks can directly compromise the system's sensors or manipulate the communication between sensors and controllers. We consider attacks that only corrupt a subset of...
Article
We address the problem of detecting and mitigating the effect of malicious attacks on the sensors of a linear dynamical system. We develop a novel, efficient algorithm that uses a Satisfiability Modulo Theory approach to isolate the compromised sensors and estimate the system state despite the presence of the attack, thus harnessing the intrinsic c...
Technical Report
Full-text available
Recent innovations in technological fields like embedded computing, communication, sensors and actuators, and informatics and control have enabled the implementation of complex systems that are able to control and coordinate physical and organizational processes on a local and a global scale via the use of information and communication technology....
Article
We present an industrial case study in automotive control of significant complexity: The new common-rail fuel-injection system for Diesel engines developed by Magneti Marelli Powertrain. In this system, an inlet metering valve, inserted before the High Pressure (HP) pump, regulates the fuel flow that supplies the common rail according to the engine...
Article
Full-text available
A controller for a non-deterministic hybrid plant must ensure that the closed-loop system meets some requirement, regardless of what the plant does. When the plant is viewed as an adversary, controller synthesis becomes the task of solving a two-person game to find the system configurations from which the controller wins. For hybrid systems, the mo...
Conference Paper
Full-text available
We present a mathematical programming-based method for model predictive control of discrete-time cyber-physical systems subject to signal temporal logic (STL) specifications. We describe the use of STL to specify a wide range of properties of these systems, including safety, response and bounded liveness. For synthesis, we encode STL specification...
Article
Contract-based design is emerging as a unifying compositional paradigm for the specification, design and verification of large-scale complex systems. Different contract frameworks are currently available, but we lack a clear understanding of the relations between them. In this paper, we investigate the relation between interface theories (specifica...
Article
We address the problem of synthesizing control strategies for Ellipsoidal Markov Decision Processes (EMDP), i.e., MDPs whose transition probabilities are expressed using ellipsoidal uncertainty sets. The synthesized strategy aims to maximize the total expected reward of the EMDP, constrained to a specification expressed in Probabilistic Computation...
Article
As the design complexity of cyber-physical systems continues to grow, modeling the system at higher abstraction levels with formal models of computation is increasingly appealing since it enables early design verification and analysis. One of the most important aspects in system modeling and analysis is timing. However, it is very challenging to an...
Conference Paper
We present the tools, metamodels and code generation techniques in use at Elettronica SpA for the development of communication adapters for software and firmware systems from heterogeneous models. The process starts from a SysML system model, developed according to the platform-based design (PBD) paradigm, in which a functional model of the system i...
Conference Paper
Full-text available
Commercial buildings have inherent flexibility in how their HVAC systems consume electricity. We investigate how to take advantage of this flexibility. We first propose a means to define and quantify the flexibility of a commercial building. We then propose a contractual framework that could be used by the building operator and the utility to decla...
Conference Paper
Full-text available
We first demonstrate that the demand-side flexibility of the Heating Ventilation and Air Conditioning (HVAC) system of a typical commercial building can be exploited for providing frequency regulation service to the power grid using at-scale experiments. We then show how this flexibility in power consumption of building HVAC system can be leverage...
Conference Paper
Given a global specification contract and a system described by a composition of contracts, system verification reduces to checking that the composite contract refines the specification contract, i.e. that any implementation of the composite contract implements the specification contract and is able to operate in any environment admitted by it. Con...
Conference Paper
Full-text available
Aircraft Electric Power Systems (EPS) route power from generators to vital avionic loads by configuring a set of electronic control switches denoted as contactors. In this paper, we address the problem of designing a hierarchical optimal control strategy for the EPS contactors in the presence of system faults. We first formalize the system connecti...
Conference Paper
Full-text available
Model-based control of building energy offers an attractive way to minimize energy consumption in buildings. Model-based controllers require mathematical models that can accurately predict the behavior of the system. For buildings, specifically, these models are difficult to obtain due to highly time varying, and nonlinear nature of building dynam...
Conference Paper
Real-Time Calculus (RTC) is a modular performance analysis framework for real-time embedded systems. It can be used to compute the worst-case and best-case response times of tasks with general activation patterns and configurations, such as pipelines of tasks that are connected via finite buffers. In this paper, we extend the existing RTC framework...
Article
Full-text available
Cyber-physical systems combine a cyber side (computing and networking) with a physical side (mechanical, electrical, and chemical processes). In many cases, the cyber component controls the physical side using sensors and actuators that observe the physical system and actuate the controls. Such systems present the biggest challenges as well as the...
Article
Full-text available
The design of complex analog interfaces would largely benefit from model-based development and compositional methods to improve the quality of its final result. However, analog circuit behaviors are so tightly intertwined with their environment that: 1) abstractions needed for model-based design are often not accurate, thus making it difficult to a...
Conference Paper
Full-text available
This paper deals with the problem of robust model predictive control of an uncertain linearized model of a building envelope and HVAC system. Uncertainty of the model is due to the imperfect predictions of internal and external heat gains of the building. The Open-Loop prediction formulation of the Robust Model Predictive Control (OL-RMPC) is kn...
Conference Paper
We present an industrial model-driven engineering process for the design and development of complex distributed embedded systems. We outline the main steps in the process and the evaluation of its use in the context of a radar application. We show the methods and tools that have been developed to allow interoperability among requirements management...
Chapter
Finite automata and their languages are well-studied topics since the early development of computation theory. Traditional implementations of automata manipulations are based on explicit state representation, and are limited to automata with a few thousand states. The manipulation of automata became more practical with the advent of efficient symbo...
Chapter
Finding winning strategies of some combinatorial games, such as the NIM game, tic-tac-toe, etc., can be formulated as solving the unknown component problem. Therefore, BALM can be used to synthesize winning strategies of these combinatorial games. The strategy we take is to describe the dynamics and the state of the game in the fixed component. The...
Chapter
An important application coming from discrete control theory is the so-called model matching problem. It asks to design a controller \(M_B\) so that the composition of a plant \(M_A\) with the controller \(M_B\) matches a given model \(M_C\) (see the controller's topology in Fig. 1.1e). Versions of the problem where the closed-loop system is required to be simulat...
Chapter
A challenging problem is to take a larger FSM given as a netlist, e.g., in BLIF-MV or BLIF format, and then focus on a window, partitioning the netlist into two parts – all nodes inside the window and all nodes outside the window. The nodes inside the window can be viewed as a separate FSM and the nodes outside the window as its fixed environment....
Chapter
The problem of finding an unknown component in a network of components in order to satisfy a global system specification was addressed. Abstract language equations of the type \(A \bullet X \subseteq C\) and \(A \diamond X \subseteq C\) were investigated, where \(\bullet\) and \(\diamond\) are operators of language composition. The most general solution was computed and various types of constrained solution...
Chapter
In the following, we use the term transition to refer to a directed arc of an STG, which enables the movement of an automaton from the current state to the next state. The transition predicate indicates when the transition is enabled. A transition predicate is an arbitrary Boolean function in terms of the inputs. In some cases, this function is jus...
Chapter
In many cases, hard computational problems can be reformulated using decomposition and partitioning, which can lead to computational advantages. An example is image computation, which is a core computation in formal verification. In its simplest form, the image of a set of states is computed using the formula: $$\begin{array}{rcl} Img(ns) = {\exist...
Chapter
We have seen how language equations can be solved by manipulating automata or FSMs, and that a largest solution can be obtained in terms of a deterministic automaton. If the solution is required as a finite state machine, then the solution can be made prefix-closed and (input)-progressive. At this point, we have the largest (non-deterministic, in g...
Chapter
In this chapter, we illustrate some of the basic automata operations using small examples so that the results can be plotted with reasonable readability. All of the examples were computed using BALM commands and the BALM plot command, plot_aut, to display the automata graphically.
Conference Paper
The technology drivers causing the change in delivery of complex systems are the pervasive use of electronic control units, and consequently of communication networks, and the blurring of distinctions between software, firmware, hardware and multi-physics systems. These drivers are creating the possibility for placing vastly more functionality into...
Article
Hierarchical Timing Language (HTL) is a coordination language for distributed, hard real-time applications. HTL is a hierarchical extension of Giotto and, like its predecessor, based on the logical execution time (LET) paradigm of real-time programming. Giotto is compiled into code for a virtual machine, called the Embedded Machine (or E machine)....
Article
Full-text available
This paper focuses on the challenges of modeling cyber-physical systems (CPSs) that arise from the intrinsic heterogeneity, concurrency, and sensitivity to timing of such systems. It uses a portion of an aircraft vehicle management system (VMS), specifically the fuel management subsystem, to illustrate the challenges, and then discusses technologie...
Book
The Problem of the Unknown Component: Theory and Applications addresses the issue of designing a component that, combined with a known part of a system, conforms to an overall specification. The authors tackle this problem by solving abstract equations over a language. The most general solutions are studied when both synchronous and parallel compos...
Chapter
Supervisory control is an important area of discrete control theory that has received growing attention since the seminal work of Ramadge and Wonham (see, for example [119, 77, 78, 8, 25]). In this chapter we apply the techniques for language equation solving to supervisory control problems, taking into account that methods for language equation solv...
Chapter
An alphabet is a finite set of symbols. The set of all finite strings over a fixed alphabet X is denoted by \(X^\star\). \(X^\star\) includes the empty string ε. A subset \(L \subseteq X^\star\) is called a language over alphabet X.
Chapter
This book contains 18 chapters organized in four parts along with the synopsis and conclusion. Each chapter is ended by a section of problems, that vary from testing the reader’s grasp of the theory, to laboratory exercises with the software BALM, up to more open-ended problems at the level of a class project. This makes the book suitable also for...
Chapter
Sequential synthesis offers a collection of problems that can be modeled by FSM equations under synchronous composition. Some have been addressed in the past with various techniques in different logic synthesis applications. In place of designing a huge monolithic FSM and then optimizing it by state reduction and encoding, it is convenient to work...
Chapter
Suppose that we consider sequential synthesis problems where the objective is to find a strategy, implementable as a finite state machine (FSM), which guides a system to a given subset of states where at least one state is accepting and keeps it in that subset (e.g., the subset may include a winning state for a game, or a set of states with some de...
Chapter
An infinite word over an alphabet A, or ω-word, is an infinite sequence of symbols of A. \(A^\omega\) is the set of ω-words on A. An ω-language on A is a subset of \(A^\omega\). Moreover, \(A^\infty = A^\star \cup A^\omega\). An ω-word may be written as \(\alpha = \alpha(0)\alpha(1)\ldots\), where α(i) ∈ A for every i ≥ 0; if n ≤ m, \(\alpha(n,m) = \alpha(n)\ldots\alpha(m-1)\alp...
Chapter
There is a long history of resynthesizing an FSM, given its surrounding environment. Much of the work was modeled after results for combinational networks. Thus input sequential don’t cares and output sequential don’t cares were defined in analogy to satisfiability and observability don’t cares. For example, input sequential don’t cares were define...
Chapter
We address the problem of testing a component embedded within a modular system [131], a.k.a. the problem of testing in context or embedded testing. When solving this problem, the modular system may be represented by two communicating machines: the embedded component machine, and the context machine that models the remaining part of the system an...
Chapter
This chapter addresses the problem of resynthesizing the component FSMs of a network of FSMs; we will discuss both a global approach and a local (windowing) approach. It will turn out that sometimes it is more effective to solve a system of equations instead of a single equation; therefore we will introduce systems of equations over FSMs. The motiv...
Chapter
A finite state machine (FSM) is a 5-tuple \(M = \langle S, I, O, T, r \rangle\) where S represents the finite state space, I represents the finite input space, O represents the finite output space and \(T \subseteq I \times S \times S \times O\) is the transition relation. On input i, the FSM at present state p may transit to next state n and produce output o iff (i, p, n, o) ∈ T. State r ∈ S re...
Conference Paper
Full-text available
A systematic investigation is presented about the robustness of logic synthesis tools to equivalence-preserving transformations of the input Verilog file. We have developed a framework that: 1) parses Verilog behavioral models into an abstract syntax tree; 2) generates random equivalence-preserving transformations on the syntax tree, and; 3) wr...
Conference Paper
A significant challenge in today's electronic design is designing complex, high-performance, "reliable" systems out of available components that are often "unreliable", their behavior being affected by uncertainties or stochastic fluctuations. The problem is to guide the design process towards robustness, i.e., making the design insensitive to para...
Conference Paper
Full-text available
The specific root causes of the design problems that are haunting system companies such as automotive and avionics companies are complex and relate to a number of issues ranging from design processes and relationships with different departments of the same company and with suppliers to incomplete requirement specification and testing. The issue is...
Article
FlexRay is a new high-bandwidth communication protocol for the automotive domain, providing support for the transmission of time-critical periodic frames in a static segment and priority-based scheduling of event-triggered frames in a dynamic segment. The design of a system scheduling with communication over the FlexRay static segment is not an eas...
Article
Full-text available
An energy-efficient, reliable and timely data transmission is essential for wireless sensor networks (WSNs) employed in scenarios where plant information must be available for control applications. To reach a maximum efficiency, cross layer interaction is a major design paradigm to exploit the complex interaction among the layers of the protocol st...
Article
Full-text available
A hierarchical control architecture for balancing comfort and energy consumption in buildings is presented. The control design is based on a simplified, yet accurate model of the temperature within each room of the building. The model is validated against real measurements. The control architecture comprises a first level that regulates low level...
Article
Automotive electrical/electronic (E/E) architectures need to be evaluated and selected based on the estimated performance of the functions deployed on them before the details of these functions are known. End-to-end delays of controls must be estimated using incomplete and aggregate information on the computation and communication load for ECUs and...
Article
Full-text available
We consider a set of control tasks that must be executed on distributed platforms so that end-to-end latencies are within deadlines. We investigate how to allocate tasks to nodes, pack signals to messages, allocate messages to buses, and assign priorities to tasks and messages, so that the design is extensible and robust with respect to changes in...
Article
Model-based design methodologies are gaining attention in the industrial community because of the possibility of early and efficient functional validation and formal verification of properties at high levels of abstraction. The advantages of validating the design using high-level models can be lost entirely if errors and modifications that are not...