Formal Methods Module II: Model Checking Ch. 09: Timed and Hybrid Systems

(1)

Formal Methods Module II: Model Checking Ch. 09: Timed and Hybrid Systems

Roberto Sebastiani

DISI, Università di Trento, Italy – roberto.sebastiani@unitn.it URL: http://disi.unitn.it/rseba/DIDATTICA/fm2021/

Teaching assistant:Giuseppe Spallitta– giuseppe.spallitta@unitn.it

M.S. in Computer Science, Mathematics, & Artificial Intelligence Systems Academic year 2020-2021

last update: Thursday 27^thMay, 2021, 13:27

Copyright notice: some material (text, figures) displayed in these slides is courtesy of R. Alur, M. Benerecetti, A. Cimatti, M. Di Natale, P. Pandya, M. Pistore, M. Roveri, C. Tinelli, and S.Tonetta, who detain its copyright. Some exampes displayed in these slides are taken from [Clarke, Grunberg & Peled, “Model Checking”, MIT Press], and their copyright is

detained by the authors. All the other material is copyrighted by Roberto Sebastiani. Every commercial use of this material is strictly forbidden by the copyright laws without the authorization of the authors. No copy of these slides can be

displayed in public without containing this copyright notice.

(2)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

2 / 101

(3)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

(4)

Acknowledgments

Thanks for providing material to:

Rajeev Alur & colleagues (Penn University) Paritosh Pandya (IIT Bombay)

Andrea Mattioli, Yusi Ramadian (Univ. Trento) Marco Di Natale (Scuola Superiore S.Anna, Italy)

Disclaimer

very introductory very-partial coverage

mostly computer-science centric

4 / 101

(5)

Hybrid Modeling

Hybrid machines = State machines + Dynamic Systems

(6)

Hybrid Modeling: Examples

Automotive Applications Vehicle Coordination Protocols

Interacting Autonomous Robots

Bio-molecular Regulatory Networks

6 / 101

(7)

Hybrid Modeling: Examples

Automotive Applications Vehicle Coordination Protocols

Interacting Autonomous Robots

Bio-molecular Regulatory

Networks

(8)

Hybrid Modeling: Examples

Automotive Applications Vehicle Coordination Protocols

Interacting Autonomous Robots

Bio-molecular Regulatory Networks

6 / 101

(9)

Hybrid Modeling: Examples

Automotive Applications Vehicle Coordination Protocols

Interacting Autonomous Robots

Bio-molecular Regulatory

Networks

(10)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

7 / 101

(11)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

(12)

Timed Automata

9 / 101

(13)

Example: Simple light control

Requirement:

if Off and press is issued once, then the light switches on;

if Off and press is issued twice quickly, then the light gets brighter;

if Light/Bright and press is issued once, then the light switches off;

=⇒ Cannot be achieved with standard automata

(14)

Example: Simple light control

Solution: add real-valued clock x x reset at first press

if next press before x reaches 3 time units, then the light will get brighter;

otherwise the light is turned off

10 / 101

(15)

Modeling: timing constraints

Finite graph + finite set of (real-valued) clocks

Vertexes are locations Time can elapse there Constraints (invariants) Edges are switches

Subject to constraints Reset clocks

Meaning of clock value: time elapsed since the last time it was reset.

(16)

Timed Automata

Locations l

₁

, l

₂

, ... (like in standard automata) discrete part of the state

may be implemented by discrete variables

Switches (discrete transitions like in standard aut.) Labels, aka events, actions,... (like in standard aut.)

used for synchronization Clocks: x, y,... ∈ Q

⁺

value: time elapsed since the last time it was reset Guards: (x ./ C) s.t. ./ ∈ {≤, <, ≥, >}, C ∈ N

set of clock comparisons against integers bounds constrain the execution of the switch

Resets (x := 0)

set of clock assignments to 0

Invariants: (x ./ C) s.t. ./ ∈ {≤, <, ≥, >}, C ∈ N set of clock comparisons against integers bounds ensure progress

a l1

l2

12 / 101

(17)

Timed Automata

Locations l

₁

, l

₂

, ... (like in standard automata) discrete part of the state

may be implemented by discrete variables

Switches (discrete transitions like in standard aut.) Labels, aka events, actions,... (like in standard aut.)

used for synchronization Clocks : x, y,... ∈ Q

⁺

value: time elapsed since the last time it was reset Guards : (x ./ C) s.t. ./ ∈ {≤, <, ≥, >}, C ∈ N

set of clock comparisons against integers bounds constrain the execution of the switch

Resets (x := 0)

set of clock assignments to 0

Invariants: (x ./ C) s.t. ./ ∈ {≤, <, ≥, >}, C ∈ N set of clock comparisons against integers bounds ensure progress

(x ≥ 4) (y ≤ 2) a

y := 0 l1

l2

(18)

Timed Automata

Locations l

₁

, l

₂

, ... (like in standard automata) discrete part of the state

may be implemented by discrete variables

Switches (discrete transitions like in standard aut.) Labels, aka events, actions,... (like in standard aut.)

used for synchronization Clocks: x, y,... ∈ Q

⁺

value: time elapsed since the last time it was reset Guards: (x ./ C) s.t. ./ ∈ {≤, <, ≥, >}, C ∈ N

set of clock comparisons against integers bounds constrain the execution of the switch

Resets (x := 0)

set of clock assignments to 0

Invariants : (x ./ C) s.t. ./ ∈ {≤, <, ≥, >}, C ∈ N set of clock comparisons against integers bounds ensure progress

(x ≥ 4) (y ≤ 2) a

y := 0 l1

(x ≤ 5)

l2

(x > 4) (y ≤ 3)

12 / 101

(19)

Timed Automata: States and Transitions

State: hl

_i

, x , y i hl

₁

, 4, 7i: OK!

hl

₂

, 2, 4i: not OK! (violates invariant in l

₂

) Switch: hl

_i

, x , y i −→ hl

^a j

, x

⁰

, y

⁰

i

hl

₁

, 4.5, 2i −→ hl

^a ₂

, 4.5, 0i: OK!

hl

₁

, 6, 2i −→ hl

^a ₂

, 6, 0i: not OK! (violates invar. in l

₁

) hl

₁

, 3, 2i −→ hl

^a ₂

, 3, 0i: not OK! (violates guard &

invar. in l

₂

)

hl

₁

, 4.5, 2i −→ hl

^a ₂

, 4.5, 2i: not OK! (violates reset) hl

₁

, 4, 2i −→ hl

^a ₂

, 4, 0i: not OK! (violates invar. in l

₂

)

Wait (time elapse): hl

_i

, x , y i −→ hl

^δ _i

, x + δ, y + δi hl

₁

, 3, 0i −→ hl

² ₁

, 5, 2i: OK!

hl

₁

, 3, 0i −→ hl

³ ₁

, 6, 3i: not OK! (violates invar. in l

1

)

(x ≥ 4) (y ≤ 2) a

y := 0 l1

(x ≤ 5)

l2

(x > 4) (y ≤ 3)

(20)

Timed Automata: Formal Syntax

Timed Automaton hL, L

⁰

, Σ, X , Φ(X ), E i L: Set of locations

L

⁰

⊆ L: Set of initial locations Σ: Set of labels

X : Set of clocks Φ(X ): Set of invariants

E ⊆ L × Σ × Φ(X ) × 2

^X

× L: Set of switches A switch hl, a, ϕ, λ, l

⁰

i s.t.

l : source location a: label

ϕ: clock constraints λ ⊆ X : clocks to be reset l

⁰

: target location

(x ≥ 4) (y ≤ 2) a

y := 0 l1

(x ≤ 5)

l2

(x > 4) (y ≤ 3)

14 / 101

(21)

Clock constraints and clock interpretations

Grammar of clock constraints:

ϕ ::= x ≤ C | x < C | x ≥ C | x > C | ϕ ∧ ϕ s.t. C positive integer values.

=⇒ allow only comparison of a clock with a constant

clock interpretation: ν

X = hx , y , zi, ν = h1.0, 1.5, 0i clock interpretation ν after δ time: ν + δ

δ = 0.2, ν + δ = h1.2, 1.7, 0.2i clock interpretation ν after reset λ: ν[λ]

λ = {y }, ν[y := 0] = h1.0, 0, 0i

A state for a timed automaton is a pair hl, νi, where l is a location and ν is a clock interpretation

(x ≥ 4) (y ≤ 2) a

y := 0 l1

(x ≤ 5)

l2

(x > 4) (y ≤ 3)

(22)

Remark: why integer constants in clock constraints?

The constant in clock constraints are assumed to be integer w.l.o.g.:

if rationals, multiply them for their greatest common denominator, and change the time unit accordingly

in practice, multiply by 10

^k

(resp 2

^k

), k being the number of precision digits (resp. bits), and change the time unit accordingly Ex: 1.345, 0.78, 102.32 seconds

=⇒ 1, 345, 780, 102, 320 milliseconds

16 / 101

(23)

Example

clocks {x , y } can be set/reset independently x is reset to 0 from s

₀

to s

₁

on a

switches b and c happen within 1 time-unit from a because of constraints in s

₁

and s

₂

delay between b and the following d is > 2

no explicit bounds on time difference between event c − d

(24)

Timed Automata: Semantics

Semantics of A defined in terms of a (infinite) transition system S

_A ^def

= hQ, Q

⁰

, →, Σi

Q: {hl, νi} s.t. l location and ν clock evaluation Q

⁰

: {hl, νi} s.t. l ∈ L

⁰

location and ν(X ) = 0

→:

state change due to location switch state change due to time elapse Σ : set of labels of Σ ∪ Q

⁺

18 / 101

(25)

State change in transition system

Initial State

hq, 0i

Initial state

(26)

State change in transition system

Time elapse

hq, 0i −→ hq, 1.2i

^1.2

state change due to elapse of time

19 / 101

(27)

State change in transition system

Time Elapse, Switch and their Concatenation hq, 0i −→ hq, 1.2i

^1.2

−→ hq

^a ⁰

, 1.2i ”wait δ; switch;”

=⇒ hq, 0i

^1.2+a

−→ hq

⁰

, 1.2i ”wait δ and switch;”

(28)

State change in transition system

Time Elapse, Switch and their Concatenation hq, 0i −→ hq, 1.2i

^1.2

−→ hq

^a ⁰

, 1.2i ”wait δ; switch;”

=⇒ hq, 0i

^1.2+a

−→ hq

⁰

, 1.2i ”wait δ and switch;”

19 / 101

(29)

Example

push push

click

Switch may be turned on whenever at least 2 time units has elapsed since last “turn off”

Light automatically switches off after 9 time units.

Example execution

hoff , 0, 0i −→ hoff , 3.5, 3.5i

^3.5

−→ hon, 0, 0i

^push

−→ hon, 3.14, 3.14i

^3.14

push

−→ hon, 0, 3.14i −→ hon, 3, 6.14i

³

−→ hon, 5.86, 9i

^2.86

−→ hoff , 0, 9i

^click

(30)

Remark: Non-Zenoness

Beware of Zeno! (paradox)

When the invariant is violated some edge must be enabled

Automata should admit the possibility of time to diverge

21 / 101

(31)

Combination of Timed Automata

Complex system = product of interacting systems Let A

₁^def

= hL

₁

, L

⁰₁

, Σ

₁

, X

₁

, Φ

₁

(X

₁

), E

₁

i,

A

₂^def

= hL

₂

, L

⁰₂

, Σ

₂

, X

₂

, Φ

₂

(X

₂

), E

₂

i Product: A

₁

||A

₂^def

=

hL

₁

× L

₂

, L

⁰₁

× L

⁰₂

, Σ

₁

∪ Σ

₂

, X

₁

∪ X

₂

, Φ

₁

(X

₁

) ∪ Φ

₂

(X

₂

), E

₁

||E

₂

i Transition iff:

Label a belongs to both alphabets =⇒ synchronized

blocking synchronization: a-labeled switches cannot be shot alone Label a only in the alphabet of A

₁

=⇒ asynchronized

Label a only in the alphabet of A

₂

=⇒ asynchronized

(32)

Transition Product

Σ

1

def

= {a, b}

Σ

₂^def

= {a, c}

23 / 101

(33)

Transition Product: Example

(34)

Example: Train-gate controller [Alur CAV’99]

Desired property: G(s

₂

→ t

₂

)

25 / 101

(35)

Train-gate controller: Product

(36)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

27 / 101

(37)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

(38)

Reachability Analysis

Verification of safety requirement: reachability problem

Input: a timed automaton A and a set of target locations L

^F

⊆ L Problem: Determining whether L

^F

is reachable in a timed automaton A

A location l of A is reachable if some state q with location component l is a reachable state of the transition system S

_A

29 / 101

(39)

Timed/hybrid Systems: problem

Problem

The system S

_A

associated to A has infinitely-many states & symbols.

Is finite state analysis possible?

Is reachability problem decidable?

(40)

Idea: Finite Partitioning

Goal

Partition the state space into finitely-many equivalence classes, so that equivalent states exhibit (bi)similar behaviors

31 / 101

(41)

Reachability analysis

(42)

Timed Vs Time-Abstract Relations

Idea

Infinite transition system associated with a timed/hybrid automaton A:

S

_A

: Labels on continuous steps are delays in Q

⁺

U

_A

(time-abstract): actual delays are suppressed

=⇒ all continuous steps have same label

from ”wait δ and switch” to ”wait (sometime) and switch”

33 / 101

(43)

Time-abstract transition system U _A

U

_A

(time-abstract): actual delays are suppressed Only change due to location switch stated explicitly Cut system to finitely many labels

U

_A

(instead of S

_A

) allows for capturing untimed properties (e.g., reachability, safety)

Example

A: (“wait δ; switch;”)

hl

0

, 0, 0i −→ hl

^1.2 0

, 1.2, 1.2i −→ hl

^a 1

, 0, 1.2i −→ hl

^0.7 1

, 0.7, 1.9i −→

^b

hl

2

, 0.7, 0i

S

_A

: (“wait δ and switch;”)

hl

0

, 0, 0i

^1.2+a

−→ hl

1

, 0, 1.2i

^0.7+b

−→ hl

2

, 0.7, 0i

U

_A

: (“wait (sometime) and switch;”)

hl

₀

, 0, 0i −→ hl

^a ₁

, 0, 1.2i −→ hl

^b ₂

, 0.7, 0i

(44)

Stable quotients

Idea: Collapse states which are equivalent modulo “wait & switch”

Cut to finitely many states Stable equivalence relation

Quotient of U

_A

= transition system [U

_A

]

35 / 101

(45)

L ^F -sensitive equivalence relation

All equivalent states in a class belong to either L

^F

or not L

^F

E.g.: states with different labels cannot be equivalent

(46)

Stable Quotient: Intuitive example

Task: plan trip from DISI to VR train station

“take the next #5 bus to TN train station and then the 6pm train to VR”

Constraints:

It is 5.18pm

Train to VR leaves at TN train station at 6.00pm it takes 3 minutes to walk from DISI to BUS stop Bus #5 passes 5.20pm or at 5.40pm

Bus #5 takes 15 minutes to TN train station

it takes 2 minutes to walk from BUS stop to TN train station Time-Abstract plan (U

A

):

“walk to bus stop; take 5.40 #5 bus to TN train-station stop;

walk to train station; take the 6pm train to VR”

Actual (implicit) plan (A):

“wait δ

1

; walk to bus stop; wait δ

2

; take 5.40 #5 bus to TN train-station stop;

wait δ

3

at bus stop; walk to train station; wait δ

4

; take the 6pm train to VR”

where δ

1

+ δ

2

= 19min and δ

3

+ δ

4

= 3min

All executions with distinct values of δi are bisimilar

37 / 101

(47)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

(48)

Region Equivalence over clock interpretation

Preliminary definitions & terminology Given a clock x :

bxc is the integral part of x (ex: b3.7c = 3) fr(x) is the fractional part of x (ex: fr(3.7) = 0.7)

C

_x

is the maximum constant occurring in clock constraints x ./ C

x

Region Equivalence: ν ∼ = ν

⁰

Given a timed automaton A, two clock interpretations ν, ν

⁰

are region equivalent (ν ∼ = ν

⁰

) iff all the following conditions hold:

C1: For every clock x , either bν(x)c = bν

⁰

(x )c or bν(x)c, bν

⁰

(x )c ≥ C

x

C2: For every clock pair x , y s.t. ν(x ), ν

⁰

(x ) ≤ C

_x

and ν(y ), ν

⁰

(y ) ≤ C

y

,

fr(ν(x)) ≤ fr(ν(y)) iff fr(ν

⁰

(x)) ≤ fr(ν

⁰

(y)) C3: For every clock x s.t. ν(x ), ν

⁰

(x ) ≤ C

x

fr(ν(x)) = 0 iff fr(ν

⁰

(x)) = 0

39 / 101

(49)

Conditions: C1 + C2 + C3

C_x

x y

C_y

1 2 3 4

1 2 3

0

C1:

For every clock x , either

bν(x)c = bν⁰(x )c

or

bν(x)c, bν⁰(x )c ≥ Cx

C2:

For every clock pair x , y s.t. ν(x ), ν

⁰

(x ) ≤ C

x

and ν(y ), ν

⁰

(y ) ≤ C

y

,

fr(ν(x)) ≤ fr(ν(y)) iff fr(ν⁰(x)) ≤ fr(ν⁰(y))

C3:

For every clock x s.t. ν(x ), ν

⁰

(x ) ≤ C

x

,

fr(ν(x)) = 0 iff fr(ν⁰(x)) = 0

(50)

Conditions: C1 + C2 + C3

C_x

x y

C_y

1 2 3 4

1 2 3

0

C1:

For every clock x , either

or

C2:

For every clock pair x , y s.t. ν(x ), ν

⁰

(x ) ≤ C

x

and ν(y ), ν

⁰

(y ) ≤ C

y

,

C3:

For every clock x s.t. ν(x ), ν

⁰

(x ) ≤ C

x

,

fr(ν(x)) = 0 iff fr(ν⁰(x)) = 0

40 / 101

(51)

Conditions: C1 + C2 + C3

C_x

x y

C_y

1 2 3 4

1 2 3

0

C1:

For every clock x , either

or

C2:

For every clock pair x , y s.t. ν(x ), ν

⁰

(x ) ≤ C

x

and ν(y ), ν

⁰

(y ) ≤ C

y

,

C3:

For every clock x s.t. ν(x ), ν

⁰

(x ) ≤ C

x

,

fr(ν(x)) = 0 iff fr(ν⁰(x)) = 0

(52)

Conditions: C1 + C2 + C3

C_x

x y

C_y

1 2 3 4

1 2 3

0

C1:

For every clock x , either

or

C2:

For every clock pair x , y s.t. ν(x ), ν

⁰

(x ) ≤ C

x

and ν(y ), ν

⁰

(y ) ≤ C

y

,

C3:

For every clock x s.t. ν(x ), ν

⁰

(x ) ≤ C

x

,

fr(ν(x)) = 0 iff fr(ν⁰(x)) = 0

40 / 101

(53)

Regions, intuitive idea:

C_x

x y

C_y

1 2 3 4

1 2 3

0

Intuition: ν ∼ = ν

⁰

iff they satisfy the same set of constraints in the form

x

_i

< c, x

_i

> c, x

_i

= c, x

_i

− x

_j

< c, x

_i

− x

_j

> c, x

_i

− x

_j

= c

s.t. c ≤ C

_x_i

(54)

Region Operations

42 / 101

(55)

Properties of Regions

The region equivalence relation ∼ = is a time-abstract bisimulation:

Action transitions: if ν ∼ = µ and hl, νi −→ hl

^a ⁰

, ν

⁰

i for some l

⁰

, ν

⁰

, then there exists µ

⁰

s.t. ν

⁰

∼ = µ

⁰

and hl, µi −→ hl

^a ⁰

, µ

⁰

i

Wait transitions: if ν ∼ = µ,

then for every δ ∈ Q

⁺

there exists δ

⁰

∈ Q

⁺

s.t. ν + δ ∼ = µ + δ

⁰

=⇒ If ν ∼ = µ, then hl, νi and hl, µi satisfy the same temporal-logic

formulas

(56)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(57)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(58)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(59)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(60)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(61)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(62)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(63)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(64)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(65)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(66)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(67)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(68)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(69)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(70)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(71)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

(72)

Time-abstract Bisimulation in Regions

C

_x

x y

C

_y

1 2 3 4

1 2 3

0

44 / 101

(73)

Number of Clock Regions

Clock region: equivalence class of clock interpretations Number of clock regions upper-bounded by

k ! · 2

^k

· Π

_{x ∈X}

(2 · C

x

+ 2), s.t. k

^def

= ||X ||

finite!

exponential in the number of clocks grows with the values of C

_x

Example

2 clocks x,y, C

x

= 2, C

y

= 1 8 open regions

14 open line segments 6 corner points

=⇒ 28 regions

< 2 · 2

²

· (2 · 2 + 2) · (2 · 1 + 2) = 192

(74)

Region automaton

Equivalent states = identical location + ∼ =-equivalent evaluations Equivalent Classes (regions): finite, stable, L

^F

-sensitive

R(A): Region automaton of A

States: hl, r (A)i s.t. r (A) regions of A

=⇒ Finite state automaton!

Reachability problem hA, L

^F

i =⇒ Reachability problem hR(A), L

^F

i

=⇒ Reachability in timed automata reduced to that in finite automata!

46 / 101

(75)

Example: Region graph of a simple timed automata

May be further reduced (e.g., collapsing B, C, D into one state)

(76)

Complexity of Reasoning with Timed Automata

Reachability in Timed Automata Decidable!

Linear with number of locations Exponential in the number of clocks Grows with the values of C

_x

Overall, PSPACE-Complete

Language-containment with Timed Automata Undecidable!

48 / 101

(77)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6

Exercises

(78)

Zone Automata

Collapse regions by convex unions of clock regions

Clock Zone ϕ: set/conjunction of clock constraints in the form (x

_i

./ c), (x

_i

− x

_j

./ c) , ./ ∈ {>, <, =, ≥, ≤}, c ∈ Z

ϕ is a convex set in the k-dimensional euclidean space possibly unbounded

=⇒ Contains all possible relationship for all clock value in a set Symbolic state: hl, ϕi

l: location ϕ: clock zone

x y

50 / 101

(79)

Zone Automata

Definition: Zone Automaton

Given a Timed Automaton A

^def

= hL, L

⁰

, Σ, X , Φ(X ), E i,

the Zone Automaton Z(A) is a transition system hQ, Q

⁰

, Σ, →i s.t.

Q: set of all symbolic states of A (a symbolic state is hl, ϕi) Q

⁰^def

= {hl, [X := 0]i | l ∈ L

⁰

}

Σ: set of labels/events in A

→: set of “wait&switch” symbolic transitions, in the form:

hl, ϕi −→ hl

^a ⁰

, succ(ϕ, e)i

succ(ϕ, e): successor of ϕ after (waiting and) executing the switch e

^def

= hl, a, ψ, λ, l

⁰

i

succ(hl, ϕi, e)

^def

= hl

⁰

, succ(ϕ, e)i

(80)

Zone Automata: Symbolic Transitions

Definition: succ(ϕ, e)

Let e

^def

= hl, a, ψ, λ, l

⁰

i, and φ, φ

⁰

the invariants in l, l

⁰

Then

succ(ϕ, e)

^def

= (((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

∧: standard conjunction/intersection

⇑: projection to infinity: ψ⇑

^def

= {ν + δ | ν ∈ ψ, δ ∈ [0, +∞)}

[λ := 0]: reset projection: ψ[λ := 0]

^def

= {ν[λ := 0] | ν ∈ ψ}

note: ϕ is considered “immediately before entering l”

52 / 101

(81)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

(82)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

ϕ

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

53 / 101

(83)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed

to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

ϕ φ

succ(ϕ, e) =

^def

(((ϕ ∧ φ) ⇑ ∧φ) ∧ ψ)[λ := 0]

(84)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ) ⇑ ∧φ) ∧ ψ)[λ := 0]

53 / 101

(85)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

(86)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed

to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

φ

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

53 / 101

(87)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

(88)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to

enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

ψ

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

53 / 101

(89)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

(90)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

53 / 101

(91)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

(92)

Zone Automata: Symbolic Transitions (cont.)

Initial zone: values before entering the location

Intersection with invariant φ: values allowed to enter the location

Projection to infinity: values allowed to enter the location, after waiting unbounded time Intersection with invariant φ: values allowed to enter the location, after waiting a legal amount of time

Intersection with guard ψ: values allowed to enter the location, after waiting a legal amount of time, from which the switch can be shot

Reset projection λ: values ..., after reset

=⇒ Final!

succ(ϕ, e) =

^def

(((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

53 / 101

(93)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

(94)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

ϕ

54 / 101

(95)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

ϕ φ

(96)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

54 / 101

(97)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

(98)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

φ

54 / 101

(99)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

(100)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

ψ

54 / 101

(101)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

(102)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

54 / 101

(103)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

(104)

Example: Zone Automata, Symbolic Transitions

Initial zone: (x ≥ 0) ∧ (x ≤ 2) ∧

(y ≥ 0) ∧ (y ≤ 3) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with invariant φ : (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (x ≤ 2) ∧ (y ≥ 1) ∧ (y ≤ 3) ∧ (y − x ≤ 2)

Projection to infinity:

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2)

Intersection with invariant φ: (y ≥ 1) ∧ (y ≤ 5)

=⇒ (x ≥ 0) ∧ (y ≥ 1) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Intersection with guard ψ : (y ≥ 4)

=⇒ (y ≥ 4) ∧ (y ≤ 5) ∧ (y − x ≥ −1) ∧ (y − x ≤ 2) Reset projection λ

^def

= {y := 0}

=⇒ (x ≥ 2) ∧ (x ≤ 6) ∧ (y ≥ 0) ∧ (y ≤ 0)

=⇒ Final!

54 / 101

(105)

Remark on succ(ϕ, e)

In the above definition of succ(ϕ, e), ϕ is considered

“immediately before entering l”:

succ(ϕ, e)

^def

= (((ϕ ∧ φ)⇑ ∧φ) ∧ ψ)[λ := 0]

Alternative definition of succ(ϕ, e), ϕ is considered “immediately after entering l”:

succ(ϕ, e)

^def

= (((ϕ⇑ ∧φ) ∧ ψ)[λ := 0] ∧ φ

⁰

)

no initial intersection with the invariant φ of source location l

(here ϕ is assumed to be already the result of such intersection)

final intersection with the invariant φ

⁰

of target location l

⁰

(106)

Symbolic Reachability Analysis

1: function Reachable (A, L

^F

) // A

^def

= hL, L

⁰

, Σ, X , Φ(X ), E i

2: Reachable = ∅

3: Frontier = {hl

_i

, {X = 0}i | l

_i

∈ L

⁰

}

4: while (Frontier 6= ∅) do

5: extract hl, ϕi from Frontier

6: if (l ∈ L

^F

and ϕ 6= ⊥) then

7: return True

8: end if

9: if (6 ∃ hl, ϕ

⁰

i ∈ Reachable s.t. ϕ ⊆ ϕ

⁰

) then

10: add hl, ϕi to Reachable

11: for e ∈ outcoming(l) do

12: add succ(ϕ, e) to Frontier

13: end for

14: end if

15: end while

16: return False

56 / 101

(107)

Canonical Data-structures for Zones: DBMs

Difference-bound Matrices (DBMs) Matrix representation of constraints

bounds on a single clock differences between 2 clocks

Reduced form computed by all-pairs shortest path algorithm (e.g. Floyd-Warshall)

Reduced DBM is canonical:

equivalent sets of constraints produce the same reduced DBM Operations s.a reset, time-successor, inclusion, intersection are efficient

=⇒ Popular choice in timed-automata-based tools

(108)

Difference-bound matrices, DBMs

DBM: matrix (k + 1) × (k + 1), k being the number of clocks added an implicit fake variable x

₀^def

= 0 s.t. x

_i

./ c =⇒ x

_i

− x

₀

./ c each element is a pair (value,{0, 1}), s.t “{0, 1}” means “{<, ≤}”

Example:

(0 ≤ x

1

) ∧(0 < x

2

) ∧(x

1

< 2) ∧(x

2

< 1) ∧(x

1

− x

2

≥ 0)

(x0− x1≤ 0) ∧(x0− x2<0) ∧(x1− x0<2) ∧(x2− x0<1) ∧(x2− x1≤ 0)

58 / 101

(109)

Difference-bound matrices, DBMs

DBM: matrix (k + 1) × (k + 1), k being the number of clocks added an implicit fake variable x

₀^def

= 0 s.t. x

_i

./ c =⇒ x

_i

− x

₀

./ c each element is a pair (value,{0, 1}), s.t “{0, 1}” means “{<, ≤}”

Example:

(0 ≤ x

1

) ∧(0 < x

2

) ∧(x

1

< 2) ∧(x

2

< 1) ∧(x

1

− x

2

≥ 0)

(x0− x1≤ 0) ∧(x0− x2<0) ∧(x1− x0<2) ∧(x2− x0<1) ∧(x2− x1≤ 0)

(110)

Difference-bound matrices, DBMs

DBM: matrix (k + 1) × (k + 1), k being the number of clocks added an implicit fake variable x

₀^def

= 0 s.t. x

_i

./ c =⇒ x

_i

− x

₀

./ c each element is a pair (value,{0, 1}), s.t “{0, 1}” means “{<, ≤}”

Example:

(0 ≤ x

1

) ∧(0 < x

2

) ∧(x

1

< 2) ∧(x

2

< 1) ∧(x

1

− x

2

≥ 0) (x

0

− x

1

≤ 0) ∧(x

0

− x

2

< 0) ∧(x

1

− x

0

< 2) ∧(x

2

− x

0

< 1) ∧(x

2

− x

1

≤ 0)

58 / 101

(111)

Difference-bound matrices, DBMs

DBM: matrix (k + 1) × (k + 1), k being the number of clocks added an implicit fake variable x

₀^def

= 0 s.t. x

_i

./ c =⇒ x

_i

− x

₀

./ c each element is a pair (value,{0, 1}), s.t “{0, 1}” means “{<, ≤}”

Example:

(0 ≤ x

1

) ∧(0 < x

2

) ∧(x

1

< 2) ∧(x

2

< 1) ∧(x

1

− x

2

≥ 0)

(x0− x1≤ 0)

∧(x

0− x2<0)

∧(x

1

− x

0

< 2) ∧(x

2

− x

0

< 1) ∧(x

2− x1≤ 0)

(112)

Difference-bound matrices, DBMs (cont.)

Use all-pairs shortest paths, check DBM

idea: given x

_i

− x

_j

./ c, x

_i

− x

_k

./ c

₁

and x

_k

− x

_j

./ c

₂

s.t.

./∈ {≤, <},

then c is updated with c

₁

+ c

₂

if c

₁

+ c

₂

< c

Satisfiable (no negative loops) =⇒ a non-empty clock zone Canonical: matrices with tightest possible constraints Canonical DBMs represent clock zones:

equivalent sets of constraints ⇐⇒ same reduced DBM

59 / 101

(113)

Canonical Data-structures for Zones: DBMs

(114)

Complexity Issues

In theory:

Zone automaton might be exponentially bigger than the region automaton

In practice:

Fewer reachable vertices =⇒ performances much improved

61 / 101

(115)

Timed Automata: summary

Only continuous variables are timers

Invariants and Guards: x ./ const, ./∈ {<, >, ≤, ≥}

Actions: x:=0

Reachability is decidable

Clustering of regions into zones desirable in practice Tools: Uppaal, Kronos, RED ...

Symbolic representation: matrices

(116)

Decidable Problems with Timed Automata

Model checking branching-time properties of timed automata Reachability in rectangular automata

Timed bisimilarity: are two given timed automata bisimilar?

Optimization: Compute shortest paths (e.g. minimum time reachability) in timed automata with costs on locations and edges Controller synthesis: Computing winning strategies in timed automata with controllable and uncontrollable transitions

63 / 101

(117)

Outline

1

Motivations

2

Timed systems: Modeling and Semantics Timed automata

3

Symbolic Reachability for Timed Systems Making the state space finite

Region automata Zone automata

4

Hybrid Systems: Modeling and Semantics Hybrid automata

5

Symbolic Reachability for Hybrid Systems Multi-Rate and Rectangular Hybrid Automata Linear Hybrid Automata

6