Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly.

Similar presentations


Presentation on theme: "Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly."— Presentation transcript:

1 Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur, with further contributions from: Andrea Mattioli, Paritosh Pandya, Yusi Ramadian

2 Trends in Model-Based Design  Emerging notations: UML,Stateflow Visual, Hierarchical, Object oriented Simulation, code generation  Steady progress in model checking tools  Control design employs tools (Matlab…)  Opportunities to influence design tools Typically, semantics is not formal Typically, only simulation is supported ….

3 Model Checker Advantages Automated formal verification, Effective debugging tool Increasing industrial success In-house groups: Intel, Microsoft, Lucent, Motorola… Commercial model checkers: FormalCheck by Cadence Obstacles Scalability is still a problem (about 500 state vars) Effective use requires great expertise model temporal property yes error-trace A great success story for CS theory impacting practice (see 2007 Turing award), and a vibrant area of research

4 Hybrid Modeling State machines off on + Dynamical systems dx=kx x<70 dx=-k’x x>60 x>68 x<63 (notation: “dx” abbreviation of “dx/dt”)

5 Automotive Applications

6 Coordination Protocols

7 Interacting Autonomous Robots

8 Physics-based Animation

9 Biomolecular Regulatory Networks

10 Overview 1. Timed systems: Modeling and Semantics Timed automata 2. Symbolic Reachability Analysis for Timed Systems Making the state space finite Region automata Zone automata 3.Hybrid Systems: Modeling and Semantics Hybrid automata 4.Symbolic Reachability Analysis for Hybrid Systems Linear Hybrid Automata Approximations of reachable sets

11 Acknowledgements  Thanks for providing slides & material to: Rajeev Alur & colleagues (Penn University) Paritosh Pandya (IIT Bombay) Andrea Mattioli, Yusi Ramadian (Univ. Trento)  Disclaimer: Very introductive Only very-partial coverage Mostly computer-science centric

12 Part 1. Timed Systems: Modeling and Semantics

13 Outline: Part 1  Timed Automata

14 Timed Automata

15 OffLightBright Press? WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off. Simple Light Control

16 OffLightBright Solution: Add real-valued clock x X:=0 X<=3 X>3 Press? Adding continuous variables and constraints to state machines

17 Modeling : timing constraints FFinite graph + finite set of (real-valued) clocks vvertices  locations TTime can elapse CConstraint ( invariant ) eedges  switches RReset a clock CConstraints MMeaning of a clock value: time elapsed since the last time it was reset.

18 Timed Automata n m a Clocks: x, y x 3 x := 0 Guard Boolean combination of comparisons with integer bounds Reset Action performed on clocks ( n, x=2.4, y= ) ( n, x=3.5, y= ) wait(1.1) 2 kinds of transitions: ( n, x=2.4, y= ) ( m, x=0, y= ) a State ( location, x=v, y=u ) where v,u are in R Action used for synchronization

19 n m a Clocks: x, y x 3 x := 0 Transitions ( n, x=2.4, y= ) ( n, x=3.5, y= ) wait(1.1) ( n, x=2.4, y= ) wait(3.2) x<=5 y<=10 Location Invariants g1 g2 g3 g4 Invariants ensure progress!! Adding Invariants

20 Timed Automata: Formal Syntax timed automaton A = –L = locations; = initial locations –∑ = labels –X = clocks –I = Invariants – = set of switches (edges) a switch = s, s’ = locations a = label φ = clock constraints = clocks to be reset

21 Clock constraints and clock interpretations Set of clock constraints grammar :  only allow comparison of a clock and a constant clock interpretation ν : X={x,y,z}, ν(X) = {1.0, 1.5, 0} = clock interpretation after δ time ν(X)+δ = {1.2, 1.7, 0.2} = assigns 0 to each x Y Y={y,z}; ={1.0, 0, 0}

22 Example  Clocks { x, y }, can be re/set independently  x is reset to 0 from s 0 to s 1 on a  switch c happens within 1 time-unit from a because of constraints in s 1 and s 2  delay between b and the following d is >2  no explicit bounds on time difference between event a-b or c -d location switch invariant

23 Semantics Semantics of A defined in terms of a (infinite) transition system S A =, s.t.: –Q = {(s, ν)} –Q 0 = {(s, ν)} where s L 0 and ν(x)=0 – → : State change due to elapse of time State change due to a location switch –∑ = set of labels of A

24 State change in transition system (q,0) Initial state

25 State change in transition system (q,0) (q,1.2) = state change due to elapse of time

26 State change in transition system (q,0) (q,1.2) (q’,1.2) = state change due to a location switch q q and q q’ = q q’

27 Example: Light Switch Switch may be turned on whenever at least 2 time units has elapsed since last “turn off” Light automatically switches off after 9 time units. push click

28 Example: Light Switch (cont.) push click

29 Remark : non-zenoness 1.When the invariant is violated some edge must be enabled 2.Automaton should admit the possibility of time to diverge

30 Combination of systems Complex system = product of interacting transition systems S1= and S2= Product = S1||S2 = Transition iff : i.Label a belongs to both alphabets  synchronized (synchronization is blocking: an a-labeled switch cannot be shot singularly) ii.Label a only in the alphabet of S1  asynchronized iii.Label a only in the alphabet of S2  asynchronized

31 Transition product ∑ 1 = {a, b} ∑ 2 = {a, c}

32 Train – gate controller Desired property: AG(s2 -> t2)

33 Product Construction x≤5 z≤1x:=0,z:=0 x>2 y:=0, z=1

34 Part 2. Symbolic Reachability Analysis for Timed Systems

35 Outline: Part 2  Reachability analysis  Making the state space finite  Region automata  Zone automata

36 Reachability Analysis Verification of safety requirement: reachability problem Input: a time-automaton A and a set of target locations Determining whether L F is reachable in a timed automaton A Location s of A is reachable if some state q with location component s is a reachable state of the transition system S A

37 Timed/hybrid Systems: problem Is finite state analysis possible? Is reachability problem decidable? The transition system S A associated to A has infinitely-many states & symbols:

38 Idea: Finite Partitioning Goal: To partition state-space into finitely many equivalence classes so that equivalent states exhibit similar behaviors

39 Reachability analysis SASA Time-abstract automaton Region Automaton Time abstraction Finite set of actions Infinite set of states. Quotient Both states and actions are finite sets Timed Automaton Semantics Regions Infinite set of actions Infinite set of states.

40 Outline: Part 2 Reachability Analysis  Making the state space finite  Region automata  Zone automata

41 Timed Vs Time-Abstract Relations Transition system associated with a timed/hybrid automaton A: S A : Labels on continuous steps are delays in R Actual delays are suppressed (all continuous steps have same label): Time-abstract U A

42 Time-abstract transition system U A Only change due to location switch stated explicitly Cut system to finitely many labels U A (instead of S A ) allows for capturing untimed properties (e.g., reachability, safety)

43 Stable quotients Cut to finitely many states Collapse equivalent states Stable equivalence relation  Quotient of U A = transition system [U A ]~ Stable according to the transition

44 L F -sensitive equivalence relation Equivalence relation ~ = L F -sensitive All equivalent states in a class belong to either L F or not L F

45 Outline: Part 2 Reachability Analysis Making the state space finite  Region Automata  Zone automata

46 Region Equivalence over clock interpretation x = 3.7 –Integral part : = 3.0 –Fractional part = fr(ν(x)) = 0.7 iff 1.For all x, the integral part is the same or both exceed c x pict. pict. (c x : max constant x is compared to) 2.For all x, y with ν(x) ≤ c x and ν(y) ≤ c y, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) pict.pict. 3.For all x, ν(x) ≤ c x,fr(ν(x)) =0 iff fr(ν’(x)) =0 pict pict next

47 Constraint 1 = = 1 back For all x, the integral part is the same or both exceed cx

48 Constraint 2 (fr(v(x)),fr(v(y))) (fr(v’(x)),fr(v’(y))) back For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) (fr(v(x)) = fr(v(y)))

49 Constraint 3 fr(ν(x)) =0 fr(ν’(x)) =0 back For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0

50 Clock region: equivalence class of clock interpretation  finite Max number of regions = –(k is the number of clocks) Number of clock regions exponential in the encoding of the clock constraints Clock regions 2 clocks x, y. cx = 2, cy = 1 8 open regions 14 open line segments 6 corner points

51 Regions, intuitive idea: Finite partitioning of state space x y Definition An equivalence class (i.e. a region) in fact there is only a finite number of regions!! w  w’ iff they satisfy the same set of constraints of the form x i < c, x i = c, x i – x j < c, x i –x j =c for c <= largest const relevant to x i Alur, Dill, 90

52 Region Operations x y An equivalence class (i.e. a region) Successor regions, Succ(r) r Reset regions {y}r {x}r

53 Properties of Regions  The region equivalence relation  is a time-abstract bisimulation: –Action transitions: If w  v and (l,w) -a-> (l’,w’) for some w’, then  v’  w’ s.t. (l,v) -a-> (l’,v’) –Delay transitions: If w  v then for all real numbers d, there exists d’ s.t. w+d  v+d’  If w  v then (l,w) and (l,v) satisfy the same temporal logic formulas

54 Region automaton Equivalent states = identical location + region-equivalent clock Classes = finite, stable, L F -sensitive Region automaton of A = R(A) –Q = equivalence classes of (s, ν) Reachability problem (A, L F )  search R(A)

55 Region graph of a simple timed automata

56 Complexity of reachability Linear with number of locations Exponential with number of clocks Exponential in the encoding of constants  PSPACE-complete

57 Outline: Part 2 Reachability Analysis Making the state space finite Region Automata  Zone Automata

58 Zone automata Collapse regions by convex unions of clock regions Clock zone φ = set of clock constraints x-y≤c, x-y c,x≥c φ = convex set in the k-dimensional euclidean space  Contains all possible relationship for all clock value in a set

59 Zones: symbolic representation State (s, x=3.2, y=2.5 ) x y x y Symbolic state (set of states ) (s, ) Zone: conjunction of x-y≤c, x-y

60 Zone automaton Z(A) is a transition system s.t. –Q = zone of A; Zone = (s, φ) –Q 0 = (s,[X:=0]), for every initial location s of A –∑ = set of labels or events – → = ((s, φ), a, (s’,succ(φ, e))) succ (φ, e) = clock interpretation after executing e

61 Symbolic transition succ (φ, e) = 1.^ = intersection 2. = interpretation for 3. = interpretation closure under the three operations  still a convex set Φ fulfill invariant of state s still fulfill invariant of state s after time elapsefulfill the time constraint of switch e

62 Symbolic Transitions n m x>3 y:=0 x y delays to x y x y conjuncts to x y projects to 1<=x<=4 1<=y<=3 1<=x, 1<=y -2<=x-y<=3 3

63 Canonical Data-structures for Zones: Difference-bound Matrices  Matrix representation of constraints (bounds on a single clock or difference betn 2 clocks)  Reduced form obtained by running all-pairs shortest path algorithm  Reduced DBM is canonical  Operations such as reset, time-successor, inclusion, intersection are efficient  Popular choice in timed-automata-based tools

64 Difference-bound matrices (DBM) k clocks = (k +1) x (k +1) matrix D Example : D 0i = lower bound D i0 = upper bound D ij = upper bound of x i and x j difference i,j: (c,1)  Xi-Xj ≤ c i,j:(c,0)  Xi-Xj < c i,j: ∞  absence of bound

65 Difference-bound matrices (DBM) Upper bound of x i - x l = sum of the upper bounds of x i - x j and x j – x l Use all-pairs shortest paths, check DBM Satisfiable  Canonical –Satisfiable = a nonempty clock zone –Canonical= Matrices with tightest possible constraints Canonical Dbms represent clock zones

66 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 z-y<=2 z<=9 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 x<=1 y-x<=2 y<=3 z-y<=2 z<=7 D1 D2 When are two sets of constraints equivalent? x x 0 y z Shortest Path Closure Shortest Path Closure 0 y z x y z x y z Graph Canonical Data-structures for Zones: Difference Bounded Matrices

67 Complexity Theoretically : –Zone automaton may be exponentially bigger than the region automaton Practically : –Fewer reachable vertices  performances much improved

68 Implementation Verification problem : –Input = timed automaton A i –Process = searching R(|| i A i ) or Z(|| i A i ) BDD-based engine (preferably for region construction) On-the-fly enumerative search (preferably for zone construction)

69 Timed Automata: summary  Only continuous variables are timers  Invariants and Guards: x =const  Actions: x:=0  Reachability is decidable  Clustering of regions into zones desirable in practice  Tools: Uppaal, Kronos, RED …  Symbolic representation: matrices  Techniques to construct timed abstractions of general hybrid systems

70 Decidable Problems  Model checking branching-time properties of timed automata  Reachability in rectangular automata  Timed bisimilarity: are two given timed automata bisimilar?  Optimization: Compute shortest paths (e.g. minimum time reachability) in timed automata with costs on locations and edges  Controller synthesis: Computing winning strategies in timed automata with controllable and uncontrollable transitions

71 Part 3. Hybrid Systems: Modeling and Semantics

72 Outline: Part 3  Hybrid Automata

73 Hybrid Automata

74 l l’l’ jump transformation edge guard continuous dynamics initial condition invariant: hybrid automaton may remain in l as long as X  Inv(l) X  Inv(l’) dX  Flow(l’) X  Inv(l) dX  Flow(l) X  Init(l) e : g(X)  0 J(X, X’) locations or modes (discrete states)

75 mode select integrator m(t) xdot(t) flow constraints x(t) jump mapping initial condition e(t) threshold-driven discrete dynamics x(t) e(t) m(t) cont. state discrete state discrete event F1 F2 F3 1S1S X0X0 JeJe e(t) JeJe jump dynamics cont. state discrete state discrete event discrete dynamics Switched Dynamic Systems F1F1 F2F2 F3F3 1S1S continuous dynamics

76 Hybrid Automata  Set L of locations, and set E of edges  Set X of k continuous variables  State space: L X R k, Region: subset of R k  For each location l, Initial states: region Init(l) Invariant: region Inv(l) Continuous dynamics: dX in Flow(l)(X)  For each edge e from location l to location l’ Guard: region Guard(e) Update relation “Jump” over R k X R k Synchronization labels (communication information)

77 (Finite) Executions of Hybrid Automata  State: (l, x) such that x satisfies Inv(l)  Initialization: (l,x) s.t. x satisfies Init(l)  Two types of state updates  Discrete switches: (l,x) –a-> (l’,x’) if there is an a- labeled edge e from l to l’ s.t. x satisfies Guard(e) and (x,x’) satisfies update relation Jump(e)  Continuous flows: (l,x) –f-> (l,x’) where f is a continuous function from [0,  ] s.t. f(0)=x, f(  )=x’, and for all t<= , f(t) satisfies Inv(l) and df(t) satisfies Flow(l)(f(t))

78 Example of (linear) Hybrid Automaton Gate for a railroad controller Open h = 90 dh = 0 lowering h >= 0 -10

79 Part 4. Symbolic Reachability Analysis for Hybrid Systems

80 Outline: Part 4  Symbolic Reachability Analysis  Linear Hybrid Automata (HyTech)  Polyhedral Flow-pipe Approximations (CheckMate)

81 Standard Reachability Problem Model variables X ={x1, … xn} Each var is of finite type, say, boolean Initialization: I(X) condition over X Update: T(X,X’) How new vars X’ are related to old vars X as a result of executing one step of the program Target set: F(X) Computational problem: Can F be satisfied starting with I by repeatedly applying T ? Graph Search problem

82 General Symbolic Solution Data type: region to represent state-sets R:=I(X) Repeat If R intersects F report “yes” Else if R contains Image(R) report “no” Else R := R union Image(R) Image(R): Set of successors of states in R Termination may or may not be guaranteed

83 Symbolic Representations  Necessary operations on Regions Union Intersection Negation Projection Renaming Equality/containment test Emptiness test  Different choices for different classes BDDs for boolean variables in hardware verification Size of representation as opposed to number of states

84 Reachability for Hybrid Systems  Same algorithm works in principle  What’s a suitable representation of regions? Region: subset of R k Main problem: handling continuous dynamics  Precise solutions available for restricted continuous dynamics Timed automata Linear hybrid automata  Even for linear systems, over-approximations of reachable set needed

85 Reachability Analysis for Dynamical Systems  Goal: Given an initial region, compute whether a bad state can be reached  Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short) X Reach(X)

86 Outline: Part 4 Symbolic Reachability Analysis  Linear Hybrid Automata (HyTech)  Polyhedral Flow-pipe Approximations (CheckMate)

87 Multi-rate Automata  Modest extension of timed automata Dynamics of the form dx = const (rate of a clock is same in all locations) Guards and invariants: x const Resets: x := const  Simple translation to timed automata that gives time-abstract bisimilar system by scaling dx = 2 dy = 3 x>5 and y <1 du = 1 dv = 1 u>5/2 and v <1/3

88 Rectangular Automata  Interesting extension of timed automata Dynamics of the form dx in const interval (rate-bounds of a clock same in all locations) Guards/invariants/resets as before  Translation to multi-rate automata that gives time-abstract language-equiv system dx in [2,3] x>5 x<2 dx m = 2 dx M = 3 x M >5, x m :=5 x m <2, x M :=2 Puri, Henzinger, 95

89 Linear Hybrid Automata  Invariants and guards: linear (Ax <= b)  Actions: linear transforms (x’:= Ax)  Dynamics: time-invarint, state-independent specified by a convex polytope constraining rates E.g. 2 < x <= 3, x = y  Tools: HyTech  Symbolic representation: Polyhedra  Methodology: abstract dynamics by differential inclusions bounding rates

90 Example LHA Gate for a railroad controller Open h = 90 dh = 0 lowering h >= 0 -10

91 Reachability Computation Basic element: (location l, polyhedron p) Set of visited states: a list of (l,p) pairs Key steps:  Compute “discrete” successors of (l,p)  Compute “continuous” successor of (l,p)  Check if p intersects with “bad” region  Check if newly found p is covered by already visited polyhedra p1,…, pk (expensive!)

92 Computing Discrete Successors Discrete successor of (l,p)  Intersect p with g (result r is a polyhedron)  Apply linear transformation A to r (result r’ is a polyhedron)  Intersect r’ with the invariant of l’ (result r” is a polyhedron)  Successor is (l’,r”) ll’ g(x)-> x := a(x)

93 Computing Time Successor x y x y (3,2) (1,4) Rate Polytope (1,4) (3,2)p Reach(p)  Thm: If initial set p, invariant I, and rate constraint r, are polyhedra, then set of reachable states is a polyhedron (and computable)  Basically, apply extremal rates to vertices of p

94 Summary: Linear Hybrid Automata  HyTech implements this strategy  Core computation: manipulation of polyhedra  Bottlenecks  proliferation of polyhedra (unions)  computing with higher dimensional polyhedra  Many case studies (active structure control, Philips audio control protocol, steam boiler…)

95 Outline: Part 4 Symbolic Reachability Analysis Linear Hybrid Automata (HyTech)  Polyhedral Flow-pipe Approximations (CheckMate)

96 Beyond LHA  Exact computation with polyhedra is limiting.  If dynamics is dX=AX, and P is a polyhedron, Reach(P) is not a polyehdron  Solutions:  Approximate Reach(P) with an enclosing convex polyhedron: Checkmate (Krogh)  Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler)  Level sets method (Greenstreet, Tomlin)  Use ellipsoids for representation of sets (Kurzhanski)

97 Polyhedral Flow Pipe Approximations X0X0 t1t1 t2t2 t3t3 t4t4 t5t5 t6t6 t7t7 t8t8 t9t9 divide R [0,T] (X 0 ) into [t k,t k+1 ] segments enclose each segment with a convex polytope R M [0,T] (X 0 ) = union of polytopes

98 Wrapping Hyperplanes Around a Set S c4c4 c3c3 c2c2 c1c1 Step 1: Choose normal vectors, c 1,...,c m

99 S c4c4 c3c3 c2c2 c1c1 Step 2: Compute optimal d in Cx  d, C T = [c 1... c m ]: d i = max c i T x x  S Wrapping Hyperplanes Around a Set

100 Wrapping a Flow Pipe Segment Given normal vectors c i, we wrap R [tk,tk+1] (X 0 ) in a polytope by solving for each i Optimization problem is solved by embedding simulation into objective function computation d i = max c i T x(t,x 0 ) x o,t s.t. x 0  X 0 t  [t k,t k+1 ]

101 Improvements for Linear Systems  x = Ax  x(t, x 0 ) = e At x 0  No longer need to embed simulation into optimization  Flow pipe segment computation depends only on time step  t  A segment can be obtained by applying e At to another segment of the same  t

102 Example: Van der Pol Equation Van der Pol Equation Uniform time step  t k = 0.5 Initial Set

103 Summary: Flow Pipe Approximation Applies in arbitrary dimensions Approximation error doesn't grow with time Estimation error (Hausdorff distance) can be made arbitrarily small with  t <  and size of X 0 <  Integrated into a complete verification tool (CheckMate)


Download ppt "Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly."

Similar presentations


Ads by Google