Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Symbolic Approach to Hybrid Systems Tom Henzinger University of California, Berkeley.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "The Symbolic Approach to Hybrid Systems Tom Henzinger University of California, Berkeley."— Presentation transcript:

1 The Symbolic Approach to Hybrid Systems Tom Henzinger University of California, Berkeley

2 Discrete (transition) system

3 Continuous (dynamical) system Q = R n

4 Discrete (transition) system Continuous (dynamical) system Hybrid system jumps flows Q = R n

5 Discrete (transition) system Continuous (dynamical) system Hybrid system jumps flows Q = R n -nondeterministic -time abstract

6 A Thermostat States x  R temperature h  { on, off }heat

7 A Thermostat States x  R temperature h  { on, off }heat Flows f 1 Y h = on  x' = K  (H-x) f 2 Y h = off  x' = -K  x invariants

8 A Thermostat States x  R temperature h  { on, off }heat Flows f 1 Y h = on  x' = K  (H-x) f 2 Y h = off  x' = -K  x Jumps j 1 Y h = on  h := off j 2 Y h = off  h := on guards

9 j1j1 j2j2 h = on h = off f1f1 f2f2 x

10 A Thermostat States x  R temperature h  { on, off }heat t  R timer Flows f 1 Y h = on  t  U  x' = K  (H-x); t' := 1 f 2 Y h = off  t  U  x' = -K  x; t' := 1 Jumps j 1 Y h = on  t  L  h := off; t' := 0 j 2 Y h = off  t  L  h := on; t' := 0

11 A Thermostat States x  R temperature h  { on, off }heat t  R timer Flows f 1 Y h = on  t  U  x' = K  (H-x); t' = 1 f 2 Y h = off  t  U  x' = -K  x; t' = 1 Jumps j 1 Y h = on  t  L  h := off; t := 0 j 2 Y h = off  t  L  h := on; t := 0

12 A Thermostat States x  R temperature h  { on, off }heat t  R timer Flows f 1 Y h = on  t  U  x' = K  (H-x); t' = 1 f 2 Y h = off  t  U  x' = -K  x; t' = 1 Jumps j 1 Y h = on  t  L  h := off; t := 0 j 2 Y h = off  t  L  h := on; t := 0

13 x t x t LU h = on h = off f1f1

14 x t x t LU h = on h = off j1j1 f1f1

15 x t x t LU h = on h = off j1j1 f1f1 f2f2

16 x t x t LU h = on h = off j1j1 j2j2 f1f1 f2f2

17 x t x t LU h = on h = off j1j1 j2j2 f1f1 f2f2

18 x t LU Step 1: Discretize f2f2

19 Transition System Qset of states  set of actions post: Q    2 Q successor function

20 Transition System Qset of states  set of actions post: Q    2 Q successor function Thermostat Q = R 2  { on, off }  = { f 1, f 2, j 1, j 2 } post ( x, t, on, j 1 ) = { (x, 0, off) }if t  L  if t < L {

21 Transition System Qset of states  set of actions post: Q    2 Q successor function Thermostat Q = R 2  { on, off }  = { f 1, f 2, j 1, j 2 } post ( x, t, on, j 1 ) = post ( x, t, on, f 1 ) = { (x, 0, off) }if t  L  if t < L { { infinite set if t U

22 x t x t LU h = on h = off R Step 2: Lift

23 x t x t LU h = on h = off R post(R,f 2 ) Step 2: Lift

24 x t x t LU h = on h = off R post(R,f 2 ) post( post(R,f 2 ), j 2 ) Step 2: Lift

25 Lifted Transition System Q  post: 2 Q    2 Q post(R,  ) =  q  Q post(q,  )

26 Lifted Transition System Q  post: 2 Q    2 Q post(R,  ) =  q  Q post(q,  ) pre: 2 Q    2 Q pre(R,  ) =  q  Q pre(q,  )

27 x t x t LU h = on h = off R

28 x t x t LU h = on h = off R pre(R,f 2 )

29 x t x t LU h = on h = off R pre(R,f 2 ) pre( pre(R,f 2 ), j 2 )

30 x t x t LU h = on h = off Step 3: Observe 0 < x < 1 3 < x < 4 2 < x < 3 1 < x < 2

31 Observed Transition System Q  pre, post: 2 Q    2 Q A = { a 1, a 2, a 3, … }set of observations Q a3a3 a2a2 a1a1

32 Observed Transition System Q  pre, post: 2 Q    2 Q A set of observations Thermostat A = { on, off } [ { x = c, c < x < c+1 | c  Z }

33 Symbolic Transition System Q  pre, post A  = { R 1, R 2, … } set of regions R i  Q 1. A   2. pre, post:      computable 3. Å :  2   \ :  2   computable  :  2  { t, f } Region algebra:

34 Symbolic Transition System 1. Local computation: Region Operations Compute pre, post, Å, \, and  on regions in . 2. Global computation: Symbolic Semi-Algorithms Starting from the observations in A, compute new regions in  by applying the operations pre, post, Å, \, and .

35 Region Algebra If -Q is the valuations for a set X:Vals of typed variables, -the effect of transitions can be expressed using Ops on Vals, -the first-order theory FO(Vals,Ops) admits quantifier elimination, then the quantifier-free fragment ZO(Vals,Ops) is a region algebra. This is because each pre and post operation is a quantifier elimination: pre(R(X)) = (  X) (Trans(X,X)  R(X))

36 Q = B m  R n Invariants and guards: boolean and linear constraints, e.g. a  (3x 1 + x 2  7) Flows: rectangular differential inclusions, e.g. x' 1  [1,2] Jumps: boolean and linear constraints, e.g. x 2 := 2x 1 + x 2 +1 Example: Polyhedral Hybrid Automata

37 Q = B m  R n Invariants and guards: boolean and linear constraints, e.g. a  (3x 1 + x 2  7) Flows: rectangular differential inclusions, e.g. x' 1  [1,2] Jumps: boolean and linear constraints, e.g. x 2 := 2x 1 + x 2 +1 A = set of boolean valuations and integral polyhedra in R n Example: Polyhedral Hybrid Automata

38 Q = B m  R n Invariants and guards: boolean and linear constraints, e.g. a  (3x 1 + x 2  7) Flows: rectangular differential inclusions, e.g. x' 1  [1,2] Jumps: boolean and linear constraints, e.g. x 2 := 2x 1 + x 2 +1 A = set of boolean valuations and integral polyhedra in R n  = set of boolean valuations and rational polyhedra in R n x = … ZO(Q, ,+) Example: Polyhedral Hybrid Automata

39 FO(Q, ,+) admits quantifier elimination, hence ZO(Q, ,+) is a region algebra. Jump j: Y x 1  x 2  x 2 := 2x 1 -1 pre( 1  x 1  x 2  2, j ) = (  x 1, x 2 ) ( x 1  x 2  x 1 = x 1  x 2 = 2x 1 -1  1  x 1  x 2  2) Example: Polyhedral Hybrid Automata

40 Jump j: Y x 1  x 2  x 2 := 2x 1 -1 pre( 1  x 1  x 2  2, j ) = (  x 1, x 2 ) ( x 1  x 2  x 1 = x 1  x 2 = 2x 1 -1  1  x 1  x 2  2) = x 1  x 2  1  x 1  2x 1 -1  2 = x 1  x 2  1  x 1  3/2 Example: Polyhedral Hybrid Automata FO(Q, ,+) admits quantifier elimination, hence ZO(Q, ,+) is a region algebra.

41 x1x1 x2x2 R

42 x1x1 x2x2 R pre(R,j)

43 Flow f: Y x 1  x 2  x' 1  [1,2]; x' 2 = 1 pre( 1  x 1  x 2  2, f ) = (  1  k 1  2) (    0) (1  x 1 + k 1   x 2 +   2  (  0     ) ( x 1 + k 1   x 2 +  )) Example: Polyhedral Hybrid Automata

44 Flow f: Y x 1  x 2  x' 1  [1,2]; x' 2 = 1 pre( 1  x 1  x 2  2, f ) = (  1  k 1  2) (    0) (1  x 1 + k 1   x 2 +   2  (  0     ) ( x 1 + k 1   x 2 +  )) = (    0) (   d 1  2  ) (1  x 1 +d 1  x 2 +   2  x 1  x 2  x 1 +d 1  x 2 +  ) convex guards Example: Polyhedral Hybrid Automata

45 Flow f: Y x 1  x 2  x' 1  [1,2]; x' 2 = 1 pre( 1  x 1  x 2  2, f ) = (  1  k 1  2) (    0) (1  x 1 + k 1   x 2 +   2  (  0     ) ( x 1 + k 1   x 2 +  )) = (    0) (   d 1  2  ) (1  x 1 +d 1  x 2 +   2  x 1  x 2  x 1 +d 1  x 2 +  ) = (    0) ( x 1  x 2  1  x 1 +2   1  x 2 +  2) = x 1  x 2  x 2  2  2 x 2  x 1 +3 convex guards Example: Polyhedral Hybrid Automata

46 x1x1 x2x2 R pre(R,f) f

47 x y

48 far x’  [-50,-40] x  1000 near x’  [-50,-30] x  0 past x’  [30,50] x  100 x = 1000 x = 0 x = 100  x :  [2000,  ) app! exit! app exit train x: initialized rectangular variable

49 up y’ = 9 open y’ = 0 raise lower gate y: uninitialized singular variable y  90 y = 90 down y’ = -9 closed y’ = 0 y  0 y = 0 raise?lower?raise? lower?

50 t’ = 1 t   t := 0 app? lower! t’ = 1 t   t := 0 exit? raise! appexit idle controller raiselower t: clock variable  : design parameter

51 Properties Safety:   ( x  10  loc[gate] = closed ) “on all trajectories, always” For which values of  is this true?

52 Safety:   ( x  10  loc[gate] = closed ) Liveness:     ( loc[gate] = open ) “on all trajectories, eventually” Properties

53 Safety:   ( x  10  loc[gate] = closed ) Liveness:     ( loc[gate] = open ) Real time:   z := 0. ( z’ = 1    ( loc[gate] = open  z  60 )) clock variable Properties

54 Safety:   ( x  10  loc[gate] = closed ) Liveness:     ( loc[gate] = open ) Real time:   z := 0. ( z’ = 1    ( loc[gate] = open  z  60 )) Nonzeno:   z := 0. ( z’ = 1    ( z = 1 )) “on some trajectory, eventually” Properties

55 A Zeno System y x left x’ = 1 y’ = -2 y  5 right x’ = -2 y’ = 1 x  5 y = 5 x = 5

56 y x left x’ = 1 y’ = -2 y  5 right x’ = -2 y’ = 1 x  5 y = 5 x = 5 x y t A Zeno System

57 Model Checker ModelProperty Condition under which the model satisfies the property, or error trajectory Collection of polyhedral hybrid automata Safety or liveness or real time or nonzeno HyTech

58 Model Checking for Safety Bm  RnBm  Rn initial states unsafe states ?

59 initial states unsafe states Bm  RnBm  Rn Model Checking for Safety

60 initial states unsafe states Bm  RnBm  Rn Model Checking for Safety

61 initial states unsafe states unsafe parameter values Bm  RnBm  Rn Model Checking for Safety

62 initial states unsafe states unsafe parameter values This is guaranteed to terminate if all variables are initialized (e.g. clocks). Bm  RnBm  Rn Model Checking for Safety

63 The Result

64 Applications of HyTech and Derivations: polyhedral overapproximation of dynamics -automotive engine control [Wong-Toi et al.] -chemical plant control [Preussig et al.] -flight control [Honeywell; Rockwell-Collins] -air traffic control [Tomlin et al.] -robot control [Corbett et al.] Successor Tools: 1. More expressive region algebras, e.g. FO( R, ,+,  ) still permits quantifier elimination [Pappas et al.] 2. More robust approximations, e.g. ellipsoid instead of polyhedral regions [Varaiya et al.] 3. Abstract region operations, e.g. interval numerical methods [HyperTech]; also [Krogh et al.][Maler et al.]

65 Symbolic Semi-Algorithms Starting from the observations in A, compute new regions in  by applying the operations pre, post, Å, \, and . Termination?

66 Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe

67 Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe V2:Repeated Reachability   b Linear temporal logic (LTL) Liveness   unfair

68 Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe V2:Repeated Reachability   b Linear temporal logic (LTL) Liveness   unfair V3:Nested Reachability   (b    b 1    b 2 ) Half branching temporal logic (  CTL,  CTL)

69 Four Verification Questions V1:Reachability   b Is an invariant always true?   unsafe V2:Repeated Reachability   b Linear temporal logic (LTL) Liveness   unfair V3:Nested Reachability   (b    b 1    b 2 ) Half branching temporal logic (  CTL,  CTL) V4:Negated Reachability   (b    c) Full branching temporal logic (CTL) Nonzenoness   (tick    tick)

70 V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b initial statesunsafe states

71 V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b pre(b) =   pre(b,  ) b [ pre(b)

72 V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b b [ pre(b) b [ pre(b) [ pre 2 (b)

73 V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? a b...  b b b [ pre(b) b [ pre(b) [ pre 2 (b)

74 a V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? b...  b b b [ pre(b) b [ pre(b) [ pre 2 (b)

75 a V1: Symbolic Reachability a    b Given a,b  A, is there a trajectory from a to b? b...  b b 1. pre, [,  2. Å a b [ pre(b) b [ pre(b) [ pre 2 (b)

76 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a

77 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 1 =   pre(b)... pre(b) pre(b) [ pre 2 (b)

78 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 1 =   pre(b)

79 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 2 =   pre(b  R 1 ) R 1 =   pre(b)

80 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a R 2 =   pre(b  R 1 ) R 1 =   pre(b) R 3 =   pre(b  R 2 )

81 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a...   b

82 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a...   b

83 V2: Symbolic Repeated Reachability a    b Given a,b  A, is there an infinite trajectory from a that visits b infinitely often? b a...   b 1. pre, [,  2. Å a, Å b

84 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2 b a

85 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1 b a

86 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a

87 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a

88 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a   (b    b 1    b 2 )

89 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a   (b    b 1    b 2 )

90 V3: Symbolic Nested Reachability a    (b    b 1    b 2 ) b1b1 b2b2   b 1   b 2 b a   (b    b 1    b 2 ) 1. pre, [,  2. Å

91 V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c

92 V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c

93 V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c b    c

94 V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c   (b    c)

95 V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c   (b    c) a    (b    c)

96 V4: Symbolic Negated Reachability a    (b    c) Given a,b,c  A, can every trajectory from a to b be extended to c? a b c   c   (b    c) 1. pre, [,  2. Å 3. \

97 Four Symbolic Semi-Algorithms A1: Close A under pre  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R 1 Å R 2 | R 1,R 2  i } [ { R 1 \ R 2 | R 1,R 2  i } until  i =  i-1

98 Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R Å a | R  i Æ a 2A } [ { R 1 \ R 2 | until  i =  i-1

99 Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a A3: Close A under pre, Å  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R 1 Å R 2 | R 1,R 2  i } [ { R 1 \ R 2 | R 1,R 2  i } until  i =  i-1

100 Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a A3: Close A under pre, Å A4:Close A under pre, Å, \  0 := A for i=1,2,3,… do  i :=  i-1 [ { pre(R) | R  i } [ { R 1 Å R 2 | R 1,R 2  i } [ { R 1 \ R 2 | R 1,R 2  i } until  i =  i-1

101 Four Symbolic Semi-Algorithms A1: Close A under pre A2:Close A under pre, Å a A3: Close A under pre, Å A4:Close A under pre, Å, \ A k terminates (1  k  4)  symbolic model checking of V k terminates.

102 Four State Equivalences E1:Reach Equivalence q 1  1 q 2 iffif a  A can be reached from q 1 in d steps, then a can be reached from q 2 in d steps, and vice versa.

103 Four State Equivalences E1:Reach Equivalence E2:Trace Equivalence q 1  2 q 2 iffif every finite trace from q 1 is a finite trace from q 2, and vice versa.

104 a a b b a a b b a a

105 a a b b a a b b a a 1 1

106 a a b b a a b b a a 1 1 2 2

107 a a b b a a b b a a 1 1 2 2 pre(a Å pre(a))

108 Four State Equivalences E1:Reach Equivalence E2:Trace Equivalence E3:Similarity q 1  3 q 2 iffif q 1 simulates q 2, and vice versa.

109 q 1 is simulated by q 2 iff there is a simulation relation S such that 1. S(q 1,q 2 ) 2. if S(p,q) then a. ( 8 a 2A ) (p 2 a iff q 2 a) b. ( 8 p') ( if p 2 pre(p') then ( 9 q') (q 2 pre(q') Æ S(p',q')))

110 a b a b a a a a b a a

111 a b a b a a a a b a 2 2 a

112 a b a b a a a a b a 2 2 3 3 a

113 a b a b a a a a b a 2 2 3 3 a pre(pre(a) Å pre(b))

114 Four State Equivalences E1:Reach Equivalence E2:Trace Equivalence E3:Similarity E4:Bisimilarity q 1  4 q 2 iffif q 1 simulates q 2 via a symmetric simulation relation (this is called a bisimulation relation).

115 a b a b a a ab a a

116 a b a b a a ab a 3 3 a

117 a b a b a a ab a 3 3 4 4 a

118 a b a b a a ab a 3 3 4 4 a : pre( : pre(a))

119 Specification Logics: V1Reachability (Safety) V2Linear Temporal Logic (Liveness) V3Existential/Universal Branching Temporal Logic V4Branching Temporal Logic (Nonzenoness) State Equivalences: E1Reach Equivalence E2Trace Equivalence E3Similarity E4Bisimilarity Symbolic Semi-Algorithms: A1Closure under pre A2Closure under pre, Å a A3Closure under pre, Å A4Closure under pre, Å, \

120 AkAk VkVk EkEk model checks induces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 Specification Logic computes

121 AkAk VkVk EkEk model checks induces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 q 1  k q 2 iff for all formulas  of V k, q 1 ²  iff q 2 ²  If E k has finite index, then V k can be model-checked on finite quotient. Specification Logic computes

122 AkAk VkVk EkEk model checks induces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 q 1  k q 2 iff for all formulas  of V k, q 1 ²  iff q 2 ²  If E k has finite index, then V k can be model-checked on finite quotient. All regions definable by formulas of V k are generated by A k. A k terminates iff symbolic model checking terminates for all formulas of V k. Specification Logic computes

123 AkAk VkVk EkEk model checks computesinduces Symbolic Semi-Algorithm State Equivalence k = 1,2,3,4 q 1  k q 2 iff for all regions R computed by A k, q 1  R iff q 2  R A k terminates iff E k has finite index. q 1  k q 2 iff for all formulas  of V k, q 1 ²  iff q 2 ²  If E k has finite index, then V k can be model-checked on finite quotient. All regions definable by formulas of V k are generated by A k. A k terminates iff symbolic model checking terminates for all formulas of V k. Specification Logic

124 Four Classes of Symbolic Transition Systems STS1:pre closure terminates  Finite reach equiv  Safety (   ) decidable Well-structured transition systems of Abdulla, Finkel et al. STS2:(pre, Å a) closure terminates  Finite trace equiv  Liveness (LTL) decidable Initialized rectangular hybrid automata STS3:(pre, Å ) closure terminates  Finite similarity  Existential/universal branching (  CTL,  CTL) decidable 2D initialized rectangular hybrid automata STS4:(pre, Å, \ ) closure terminates  Finite bisimilarity  Nonzenoness (CTL) decidable Initialized singular (e.g. timed) hybrid automata

125 Four Classes of Symbolic Transition Systems STS1:pre closure terminates  Finite reach equiv  Safety (   ) decidable Well-structured transition systems of Abdulla, Finkel et al. STS2:(pre, Å a) closure terminates  Finite trace equiv  Liveness (LTL) decidable Initialized rectangular hybrid automata STS3:(pre, Å ) closure terminates  Finite similarity  Existential/universal branching (  CTL,  CTL) decidable 2D initialized rectangular hybrid automata STS4:(pre, Å, \ ) closure terminates  Finite bisimilarity  Nonzenoness (CTL) decidable Initialized singular hybrid automata

126 Example: Singular Hybrid Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: constant slopes, e.g.x' 1 = 1; x' 2 = 2 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max }

127 (c max,c max ) (0,0) x1x1 x2x2

128 (c max,c max ) (0,0) x1x1 x2x2 3<x 1 <4  x 2 =4 x 1 =3  x 2 =3 1<x 1 <2  2<x 2 <3

129 Example: Singular Hybrid Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: constant slopes, e.g.x' 1 = 1; x' 2 = 2 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max } Initialized: assignment when slope changes.

130 Special Case: Timed Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: clocks, e.g.x' 1 = 1; x' 2 = 1 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max } Always initialized.

131 f: x 1 ' = 1; x 2 ' = 1 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1

132 f j2j2 j1j1

133 f j2j2 j1j1

134 f j2j2 j1j1 pre(R,f) R

135 f: x 1 ' = 1; x 2 ' = 1 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1

136 (c max,c max ) (0,0) x1x1 x2x2 f: x 1 ' = 1; x 2 ' = 1 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Finite bisimulation.

137 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1

138 f j2j2 j1j1 pre(R,f) R

139 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 pre(R',j 2 ) R'

140 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 R" pre(R",j)

141 (c max,c max ) (0,0) x1x1 x2x2 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 Finite bisimulation. f

142 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

143 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

144 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2 R pre(R,f)

145 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2 R' pre(R,j 2 )

146 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

147 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Observation, invariant, or guard: x 1 >x 2

148 f: x 1 ' = 1; x 2 ' = 2 j 1 : x 1 := 0 j 2 : x 2 := 0 f j2j2 j1j1 Infinite bisimulation. Observation, invariant, or guard: x 1 >x 2

149 Example: Rectangular Hybrid Automata Q = B m  R n Invariants and guards: integral bounds, e.g. x 1 < 7  1  x 2  2 Flows: bounded slopes, e.g.x' 1  [1,2]; x' 2 = 1 Jumps: integral assignments, e.g. x 1 := 0; x 2 := 5 A = { x i = c, c < x i < c+1 | 1  i  n, c  N, c < c max } Initialized: assignment when slope bounds change.

150 j2j2 j1j1 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

151 j2j2 j1j1 pre(R,f) R f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

152 f j2j2 j1j1 pre(R',f) R'

153 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 R"pre(R",j 1 ) f

154 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 f R3R3 pre(R 3,j 2 )

155 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 j2j2 j1j1 f

156 j2j2 j1j1 f Infinite bisimulation.

157 j2j2 j1j1 pre(R,f) R f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f  pre(R,f)

158 j2j2 j1j1 f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

159 j2j2 j1j1 f

160 j2j2 j1j1 f

161 j2j2 j1j1 f

162 j2j2 j1j1 f

163 j2j2 j1j1 f

164 j2j2 j1j1 f

165 j2j2 j1j1 f

166 j2j2 j1j1 f

167 j2j2 j1j1 f

168 j2j2 j1j1 f

169 (c max,c max ) (0,0) x1x1 x2x2 j2j2 j1j1 Finite simulation. f: x 1 '  [1,2]; x 2 '  [1,2] j 1 : x 1 := 0 j 2 : x 2 := 0 f

170 Summary 1. Separate local (region algebra) from global (symbolic semi-algorithms) concerns 2. Appeal to quantifier elimination for the computability of region operations (e.g. polyhedral hybrid systems) 3. Appeal to finite abstractions for the termination of symbolic semi-algorithms (e.g. rectangular hybrid systems)

Download ppt "The Symbolic Approach to Hybrid Systems Tom Henzinger University of California, Berkeley."

Similar presentations

Model Checking Base on Interoplation

Model Checking Base on Interoplation
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Timed Automata Rajeev Alur University of Pennsylvania www.cis.upenn.edu/~alur/ SFM-RT, Bertinoro, Sept 2004.

Timed Automata Rajeev Alur University of Pennsylvania SFM-RT, Bertinoro, Sept 2004.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
François Fages MPRI Bio-info 2005 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.

François Fages MPRI Bio-info 2005 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.
François Fages MPRI Bio-info 2007 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.

François Fages MPRI Bio-info 2007 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.

Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
Introduction to Uppaal ITV Multiprogramming & Real-Time Systems Anders P. Ravn Aalborg University May 2009.

Introduction to Uppaal ITV Multiprogramming & Real-Time Systems Anders P. Ravn Aalborg University May 2009.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Similar presentations

Ads by Google