Download presentation

Presentation is loading. Please wait.

Published byJessica Ellis Modified about 1 year ago

1
Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur, with further contributions from: Andrea Mattioli, Paritosh Pandya, Yusi Ramadian

2
Trends in Model-Based Design Emerging notations: UML,Stateflow Visual, Hierarchical, Object oriented Simulation, code generation Steady progress in model checking tools Control design employs tools (Matlab…) Opportunities to influence design tools Typically, semantics is not formal Typically, only simulation is supported ….

3
Model Checker Advantages Automated formal verification, Effective debugging tool Increasing industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Obstacles Scalability is still a problem (about 500 state vars) Effective use requires great expertise model temporal property yes error-trace A great success story for CS theory impacting practice (see 2007 Turing award), and a vibrant area of research

4
Hybrid Modeling State machines off on + Dynamical systems dx=kx x<70 dx=-k’x x>60 x>68 x<63 (notation: “dx” abbreviation of “dx/dt”)

5
Automotive Applications

6
Coordination Protocols

7
Interacting Autonomous Robots

8
Physics-based Animation

9
Biomolecular Regulatory Networks

10
Overview 1. Timed systems: Modeling and Semantics Timed automata 2. Symbolic Reachability Analysis for Timed Systems Making the state space finite Region automata Zone automata 3.Hybrid Systems: Modeling and Semantics Hybrid automata 4.Symbolic Reachability Analysis for Hybrid Systems Linear Hybrid Automata Approximations of reachable sets

11
Acknowledgements Thanks for providing slides & material to: Rajeev Alur & colleagues (Penn University) Paritosh Pandya (IIT Bombay) Andrea Mattioli, Yusi Ramadian (Univ. Trento) Disclaimer: Very introductive Only very-partial coverage Mostly computer-science centric

12
Part 1. Timed Systems: Modeling and Semantics

13
Outline: Part 1 Timed Automata

14
Timed Automata

15
OffLightBright Press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. Simple Light Control

16
OffLightBright Solution: Add real-valued clock x X:=0 X<=3 X>3 Press? Adding continuous variables and constraints to state machines

17
Modeling : timing constraints FFinite graph + finite set of (real-valued) clocks vvertices locations TTime can elapse CConstraint ( invariant ) eedges switches RReset a clock CConstraints MMeaning of a clock value: time elapsed since the last time it was reset.

18
Timed Automata n m a Clocks: x, y x 3 x := 0 Guard Boolean combination of comparisons with integer bounds Reset Action performed on clocks ( n, x=2.4, y= ) ( n, x=3.5, y= ) wait(1.1) 2 kinds of transitions: ( n, x=2.4, y= ) ( m, x=0, y= ) a State ( location, x=v, y=u ) where v,u are in R Action used for synchronization

19
n m a Clocks: x, y x 3 x := 0 Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) wait(1.1) ( n, x=2.4, y= ) wait(3.2) x<=5 y<=10 Location Invariants g1 g2 g3 g4 Invariants ensure progress!! Adding Invariants

20
Timed Automata: Formal Syntax timed automaton A = –L = locations; = initial locations –∑ = labels –X = clocks –I = Invariants – = set of switches (edges) a switch = s, s’ = locations a = label φ = clock constraints = clocks to be reset

21
Clock constraints and clock interpretations Set of clock constraints grammar : only allow comparison of a clock and a constant clock interpretation ν : X={x,y,z}, ν(X) = {1.0, 1.5, 0} = clock interpretation after δ time ν(X)+δ = {1.2, 1.7, 0.2} = assigns 0 to each x Y Y={y,z}; ={1.0, 0, 0}

22
Example Clocks { x, y }, can be re/set independently x is reset to 0 from s 0 to s 1 on a switch c happens within 1 time-unit from a because of constraints in s 1 and s 2 delay between b and the following d is >2 no explicit bounds on time difference between event a-b or c -d location switch invariant

23
Semantics Semantics of A defined in terms of a (infinite) transition system S A =, s.t.: –Q = {(s, ν)} –Q 0 = {(s, ν)} where s L 0 and ν(x)=0 – → : State change due to elapse of time State change due to a location switch –∑ = set of labels of A

24
State change in transition system (q,0) Initial state

25
State change in transition system (q,0) (q,1.2) = state change due to elapse of time

26
State change in transition system (q,0) (q,1.2) (q’,1.2) = state change due to a location switch q q and q q’ = q q’

27
Example: Light Switch Switch may be turned on whenever at least 2 time units has elapsed since last “turn off” Light automatically switches off after 9 time units. push click

28
Example: Light Switch (cont.) push click

29
Remark : non-zenoness 1.When the invariant is violated some edge must be enabled 2.Automaton should admit the possibility of time to diverge

30
Combination of systems Complex system = product of interacting transition systems S1= and S2= Product = S1||S2 = Transition iff : i.Label a belongs to both alphabets synchronized (synchronization is blocking: an a-labeled switch cannot be shot singularly) ii.Label a only in the alphabet of S1 asynchronized iii.Label a only in the alphabet of S2 asynchronized

31
Transition product ∑ 1 = {a, b} ∑ 2 = {a, c}

32
Train – gate controller Desired property: AG(s2 -> t2)

33
Product Construction x≤5 z≤1x:=0,z:=0 x>2 y:=0, z=1

34
Part 2. Symbolic Reachability Analysis for Timed Systems

35
Outline: Part 2 Reachability analysis Making the state space finite Region automata Zone automata

36
Reachability Analysis Verification of safety requirement: reachability problem Input: a time-automaton A and a set of target locations Determining whether L F is reachable in a timed automaton A Location s of A is reachable if some state q with location component s is a reachable state of the transition system S A

37
Timed/hybrid Systems: problem Is finite state analysis possible? Is reachability problem decidable? The transition system S A associated to A has infinitely-many states & symbols:

38
Idea: Finite Partitioning Goal: To partition state-space into finitely many equivalence classes so that equivalent states exhibit similar behaviors

39
Reachability analysis SASA Time-abstract automaton Region Automaton Time abstraction Finite set of actions Infinite set of states. Quotient Both states and actions are finite sets Timed Automaton Semantics Regions Infinite set of actions Infinite set of states.

40
Outline: Part 2 Reachability Analysis Making the state space finite Region automata Zone automata

41
Timed Vs Time-Abstract Relations Transition system associated with a timed/hybrid automaton A: S A : Labels on continuous steps are delays in R Actual delays are suppressed (all continuous steps have same label): Time-abstract U A

42
Time-abstract transition system U A Only change due to location switch stated explicitly Cut system to finitely many labels U A (instead of S A ) allows for capturing untimed properties (e.g., reachability, safety)

43
Stable quotients Cut to finitely many states Collapse equivalent states Stable equivalence relation Quotient of U A = transition system [U A ]~ Stable according to the transition

44
L F -sensitive equivalence relation Equivalence relation ~ = L F -sensitive All equivalent states in a class belong to either L F or not L F

45
Outline: Part 2 Reachability Analysis Making the state space finite Region Automata Zone automata

46
Region Equivalence over clock interpretation x = 3.7 –Integral part : = 3.0 –Fractional part = fr(ν(x)) = 0.7 iff 1.For all x, the integral part is the same or both exceed c x pict. pict. (c x : max constant x is compared to) 2.For all x, y with ν(x) ≤ c x and ν(y) ≤ c y, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) pict.pict. 3.For all x, ν(x) ≤ c x,fr(ν(x)) =0 iff fr(ν’(x)) =0 pict pict next

47
Constraint 1 = = 1 back For all x, the integral part is the same or both exceed cx

48
Constraint 2 (fr(v(x)),fr(v(y))) (fr(v’(x)),fr(v’(y))) back For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) (fr(v(x)) = fr(v(y)))

49
Constraint 3 fr(ν(x)) =0 fr(ν’(x)) =0 back For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0

50
Clock region: equivalence class of clock interpretation finite Max number of regions = –(k is the number of clocks) Number of clock regions exponential in the encoding of the clock constraints Clock regions 2 clocks x, y. cx = 2, cy = 1 8 open regions 14 open line segments 6 corner points

51
Regions, intuitive idea: Finite partitioning of state space x y Definition An equivalence class (i.e. a region) in fact there is only a finite number of regions!! w w’ iff they satisfy the same set of constraints of the form x i < c, x i = c, x i – x j < c, x i –x j =c for c <= largest const relevant to x i Alur, Dill, 90

52
Region Operations x y An equivalence class (i.e. a region) Successor regions, Succ(r) r Reset regions {y}r {x}r

53
Properties of Regions The region equivalence relation is a time-abstract bisimulation: –Action transitions: If w v and (l,w) -a-> (l’,w’) for some w’, then v’ w’ s.t. (l,v) -a-> (l’,v’) –Delay transitions: If w v then for all real numbers d, there exists d’ s.t. w+d v+d’ If w v then (l,w) and (l,v) satisfy the same temporal logic formulas

54
Region automaton Equivalent states = identical location + region-equivalent clock Classes = finite, stable, L F -sensitive Region automaton of A = R(A) –Q = equivalence classes of (s, ν) Reachability problem (A, L F ) search R(A)

55
Region graph of a simple timed automata

56
Complexity of reachability Linear with number of locations Exponential with number of clocks Exponential in the encoding of constants PSPACE-complete

57
Outline: Part 2 Reachability Analysis Making the state space finite Region Automata Zone Automata

58
Zone automata Collapse regions by convex unions of clock regions Clock zone φ = set of clock constraints x-y≤c, x-y c,x≥c φ = convex set in the k-dimensional euclidean space Contains all possible relationship for all clock value in a set

59
Zones: symbolic representation State (s, x=3.2, y=2.5 ) x y x y Symbolic state (set of states ) (s, ) Zone: conjunction of x-y≤c, x-y

60
Zone automaton Z(A) is a transition system s.t. –Q = zone of A; Zone = (s, φ) –Q 0 = (s,[X:=0]), for every initial location s of A –∑ = set of labels or events – → = ((s, φ), a, (s’,succ(φ, e))) succ (φ, e) = clock interpretation after executing e

61
Symbolic transition succ (φ, e) = 1.^ = intersection 2. = interpretation for 3. = interpretation closure under the three operations still a convex set Φ fulfill invariant of state s still fulfill invariant of state s after time elapsefulfill the time constraint of switch e

62
Symbolic Transitions n m x>3 y:=0 x y delays to x y x y conjuncts to x y projects to 1<=x<=4 1<=y<=3 1<=x, 1<=y -2<=x-y<=3 3

63
Canonical Data-structures for Zones: Difference-bound Matrices Matrix representation of constraints (bounds on a single clock or difference betn 2 clocks) Reduced form obtained by running all-pairs shortest path algorithm Reduced DBM is canonical Operations such as reset, time-successor, inclusion, intersection are efficient Popular choice in timed-automata-based tools

64
Difference-bound matrices (DBM) k clocks = (k +1) x (k +1) matrix D Example : D 0i = lower bound D i0 = upper bound D ij = upper bound of x i and x j difference i,j: (c,1) Xi-Xj ≤ c i,j:(c,0) Xi-Xj < c i,j: ∞ absence of bound

65
Difference-bound matrices (DBM) Upper bound of x i - x l = sum of the upper bounds of x i - x j and x j – x l Use all-pairs shortest paths, check DBM Satisfiable Canonical –Satisfiable = a nonempty clock zone –Canonical= Matrices with tightest possible constraints Canonical Dbms represent clock zones

66
x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 D1 D2 When are two sets of constraints equivalent? x x 0 y z Shortest Path Closure Shortest Path Closure 0 y z x y z x y z Graph Canonical Data-structures for Zones: Difference Bounded Matrices

67
Complexity Theoretically : –Zone automaton may be exponentially bigger than the region automaton Practically : –Fewer reachable vertices performances much improved

68
Implementation Verification problem : –Input = timed automaton A i –Process = searching R(|| i A i ) or Z(|| i A i ) BDD-based engine (preferably for region construction) On-the-fly enumerative search (preferably for zone construction)

69
Timed Automata: summary Only continuous variables are timers Invariants and Guards: x =const Actions: x:=0 Reachability is decidable Clustering of regions into zones desirable in practice Tools: Uppaal, Kronos, RED … Symbolic representation: matrices Techniques to construct timed abstractions of general hybrid systems

70
Decidable Problems Model checking branching-time properties of timed automata Reachability in rectangular automata Timed bisimilarity: are two given timed automata bisimilar? Optimization: Compute shortest paths (e.g. minimum time reachability) in timed automata with costs on locations and edges Controller synthesis: Computing winning strategies in timed automata with controllable and uncontrollable transitions

71
Part 3. Hybrid Systems: Modeling and Semantics

72
Outline: Part 3 Hybrid Automata

73
Hybrid Automata

74
l l’l’ jump transformation edge guard continuous dynamics initial condition invariant: hybrid automaton may remain in l as long as X Inv(l) X Inv(l’) dX Flow(l’) X Inv(l) dX Flow(l) X Init(l) e : g(X) 0 J(X, X’) locations or modes (discrete states)

75
mode select integrator m(t) xdot(t) flow constraints x(t) jump mapping initial condition e(t) threshold-driven discrete dynamics x(t) e(t) m(t) cont. state discrete state discrete event F1 F2 F3 1S1S X0X0 JeJe e(t) JeJe jump dynamics cont. state discrete state discrete event discrete dynamics Switched Dynamic Systems F1F1 F2F2 F3F3 1S1S continuous dynamics

76
Hybrid Automata Set L of locations, and set E of edges Set X of k continuous variables State space: L X R k, Region: subset of R k For each location l, Initial states: region Init(l) Invariant: region Inv(l) Continuous dynamics: dX in Flow(l)(X) For each edge e from location l to location l’ Guard: region Guard(e) Update relation “Jump” over R k X R k Synchronization labels (communication information)

77
(Finite) Executions of Hybrid Automata State: (l, x) such that x satisfies Inv(l) Initialization: (l,x) s.t. x satisfies Init(l) Two types of state updates Discrete switches: (l,x) –a-> (l’,x’) if there is an a- labeled edge e from l to l’ s.t. x satisfies Guard(e) and (x,x’) satisfies update relation Jump(e) Continuous flows: (l,x) –f-> (l,x’) where f is a continuous function from [0, ] s.t. f(0)=x, f( )=x’, and for all t<= , f(t) satisfies Inv(l) and df(t) satisfies Flow(l)(f(t))

78
Example of (linear) Hybrid Automaton Gate for a railroad controller Open h = 90 dh = 0 lowering h >= 0 -10

79
Part 4. Symbolic Reachability Analysis for Hybrid Systems

80
Outline: Part 4 Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe Approximations (CheckMate)

81
Standard Reachability Problem Model variables X ={x1, … xn} Each var is of finite type, say, boolean Initialization: I(X) condition over X Update: T(X,X’) How new vars X’ are related to old vars X as a result of executing one step of the program Target set: F(X) Computational problem: Can F be satisfied starting with I by repeatedly applying T ? Graph Search problem

82
General Symbolic Solution Data type: region to represent state-sets R:=I(X) Repeat If R intersects F report “yes” Else if R contains Image(R) report “no” Else R := R union Image(R) Image(R): Set of successors of states in R Termination may or may not be guaranteed

83
Symbolic Representations Necessary operations on Regions Union Intersection Negation Projection Renaming Equality/containment test Emptiness test Different choices for different classes BDDs for boolean variables in hardware verification Size of representation as opposed to number of states

84
Reachability for Hybrid Systems Same algorithm works in principle What’s a suitable representation of regions? Region: subset of R k Main problem: handling continuous dynamics Precise solutions available for restricted continuous dynamics Timed automata Linear hybrid automata Even for linear systems, over-approximations of reachable set needed

85
Reachability Analysis for Dynamical Systems Goal: Given an initial region, compute whether a bad state can be reached Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short) X Reach(X)

86
Outline: Part 4 Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe Approximations (CheckMate)

87
Multi-rate Automata Modest extension of timed automata Dynamics of the form dx = const (rate of a clock is same in all locations) Guards and invariants: x const Resets: x := const Simple translation to timed automata that gives time-abstract bisimilar system by scaling dx = 2 dy = 3 x>5 and y <1 du = 1 dv = 1 u>5/2 and v <1/3

88
Rectangular Automata Interesting extension of timed automata Dynamics of the form dx in const interval (rate-bounds of a clock same in all locations) Guards/invariants/resets as before Translation to multi-rate automata that gives time-abstract language-equiv system dx in [2,3] x>5 x<2 dx m = 2 dx M = 3 x M >5, x m :=5 x m <2, x M :=2 Puri, Henzinger, 95

89
Linear Hybrid Automata Invariants and guards: linear (Ax <= b) Actions: linear transforms (x’:= Ax) Dynamics: time-invarint, state-independent specified by a convex polytope constraining rates E.g. 2 < x <= 3, x = y Tools: HyTech Symbolic representation: Polyhedra Methodology: abstract dynamics by differential inclusions bounding rates

90
Example LHA Gate for a railroad controller Open h = 90 dh = 0 lowering h >= 0 -10

91
Reachability Computation Basic element: (location l, polyhedron p) Set of visited states: a list of (l,p) pairs Key steps: Compute “discrete” successors of (l,p) Compute “continuous” successor of (l,p) Check if p intersects with “bad” region Check if newly found p is covered by already visited polyhedra p1,…, pk (expensive!)

92
Computing Discrete Successors Discrete successor of (l,p) Intersect p with g (result r is a polyhedron) Apply linear transformation A to r (result r’ is a polyhedron) Intersect r’ with the invariant of l’ (result r” is a polyhedron) Successor is (l’,r”) ll’ g(x)-> x := a(x)

93
Computing Time Successor x y x y (3,2) (1,4) Rate Polytope (1,4) (3,2)p Reach(p) Thm: If initial set p, invariant I, and rate constraint r, are polyhedra, then set of reachable states is a polyhedron (and computable) Basically, apply extremal rates to vertices of p

94
Summary: Linear Hybrid Automata HyTech implements this strategy Core computation: manipulation of polyhedra Bottlenecks proliferation of polyhedra (unions) computing with higher dimensional polyhedra Many case studies (active structure control, Philips audio control protocol, steam boiler…)

95
Outline: Part 4 Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe Approximations (CheckMate)

96
Beyond LHA Exact computation with polyhedra is limiting. If dynamics is dX=AX, and P is a polyhedron, Reach(P) is not a polyehdron Solutions: Approximate Reach(P) with an enclosing convex polyhedron: Checkmate (Krogh) Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler) Level sets method (Greenstreet, Tomlin) Use ellipsoids for representation of sets (Kurzhanski)

97
Polyhedral Flow Pipe Approximations X0X0 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 t7t7 t8t8 t9t9 divide R [0,T] (X 0 ) into [t k,t k+1 ] segments enclose each segment with a convex polytope R M [0,T] (X 0 ) = union of polytopes

98
Wrapping Hyperplanes Around a Set S c4c4 c3c3 c2c2 c1c1 Step 1: Choose normal vectors, c 1,...,c m

99
S c4c4 c3c3 c2c2 c1c1 Step 2: Compute optimal d in Cx d, C T = [c 1... c m ]: d i = max c i T x x S Wrapping Hyperplanes Around a Set

100
Wrapping a Flow Pipe Segment Given normal vectors c i, we wrap R [tk,tk+1] (X 0 ) in a polytope by solving for each i Optimization problem is solved by embedding simulation into objective function computation d i = max c i T x(t,x 0 ) x o,t s.t. x 0 X 0 t [t k,t k+1 ]

101
Improvements for Linear Systems x = Ax x(t, x 0 ) = e At x 0 No longer need to embed simulation into optimization Flow pipe segment computation depends only on time step t A segment can be obtained by applying e At to another segment of the same t

102
Example: Van der Pol Equation Van der Pol Equation Uniform time step t k = 0.5 Initial Set

103
Summary: Flow Pipe Approximation Applies in arbitrary dimensions Approximation error doesn't grow with time Estimation error (Hausdorff distance) can be made arbitrarily small with t < and size of X 0 < Integrated into a complete verification tool (CheckMate)

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google