Symbolic Model Checking for Rectangular Hybrid Automata

1
Symbolic Model Checking for Rectangular Hybrid
Automata

• Thomas A. Henzinger and Rupak Majumdar
• University of California, Berkeley

2
Introduction

• Hybrid automata mathematically model systems with
  mixed discrete-continuous dynamics.

3
Rectangular Hybrid Automata

• Rectangular hybrid automata constrain the
  continuous dynamics to the form
• a lt dx/dt lt b
• for each variable x, and for each location.
• Guards, invariants, and resets are also
  rectangular.
• Can locally approximate general dynamics.
• A maximal class for which decidability results
  are possible.
• Relaxation of restrictions cause undecidability
  for reachability.

4
Rectangular Automaton
5
LTL Model Checking

• Trace equivalence is finite HKPV95
• The proof is reductive for every rectangular
  automaton, there exists a timed automaton that
• forward simulates it, and
• is backward simulated by it.
• Not a direct symbolic computation method.
• The dimension doubles.
• Never implemented.

6
HyTech

• The tool HyTech HHWT97 implements symbolic
  operators on hybrid automata.
• However, there are no termination guarantees.

7
Overview

• Symbolic transition systems
• Symbolic algorithms
• A symbolic characterization of trace equivalence
• Symbolic model checking for LTL
• Symbolic algorithms for rectangular automata

8
Transition Systems

• Q set of states
• S set of actions
• post Q X S ? 2Q successor function
• P p1, p2, , pn set of observations,
  pi ? Q

post(q0,a0) q1, q2 post(q0,a1) q2
9
Transition Systems

• Q (possibly infinite) set of states
• S set of actions
• Pp1, p2, , pn set of observations,pi ? Q
• Lift the post operator to sets Post 2Q X S ? 2Q
• Also define the pre operator Pre 2Q X S ? 2Q
• We write Pre(R) U??? Pre(R, ?)

10
Transition Systems

• Reachability Given an observation pi and an
  observation pf, is there a trajectory from pi to
  pf?
• Repeated reachability Visit an observation
  infinitely often.

pf
pi
Post(pi)
11
Symbolic Regions

• Require some finite representation of sets of
  states Symbolic Regions
• Sets of states represented in some constraint
  system
• Observables are represented
• Operators Pre, Post, boolean operations
  computable
• Example
• BDDs
• Linear constraints 1 lt x lt 2 3lt y lt 7

12
Symbolic Transition Systems

• Q, S, Pre/Post, P
• R R1, R2, symbolic region algebra
• such that
• P ? R
• Pre/Post R X ? ? R computable
• Or, And, Diff R X R ? R computable
• Empty R ? bool computable
• Member Q X R ? bool computable
• A symbolic (semi)algorithm
• starts from regions in P and
• computes regions in R by applying Pre, Post, And,
  and Diff.

13
Example Polyhedral Hybrid Systems

• States Q Rn
• Guards
• Flows
• Jumps
• observations P Set of integral polyhedra in Rn
• symbolic regions R Set of rational polyhedra in
  Rn

2x4 lt6 1lt dx/dt lt2 dy/dt lt dx/dt x 4xy
defined by linear constraints
Posttime(H)
H
H
Postjump(H)
14
Symbolic SemiAlgorithms

• Algorithm A1 Close P under Pre, And, Diff
• Algorithm A2 Close P under Pre, And with
  observables.

S0 P for i 1,2, do Si Si-1 ?
Pre(R) R? Si-1 ? And(R1, R2)
R1,R2 ? Si-1? Diff(R1, R2) R1, R2 ?
Si-1 until Si Si-1
15
Symbolic Semi Algorithms

• Algorithm A1 Close P under Pre, And, Diff
• Algorithm A2 Close P under Pre, And with
  observables.

S0 P for i 1,2, do Si Si-1 ?
Pre(R) R? Si-1 ? And(R1, R2) R1?
Si-1 R2 ?P until Si Si-1
16
State Equivalences and Logics

• State Equivalences
• E1 Bisimilarity
• E2 Trace equivalence
• Logics
• L1 The mu calculus
• L2 The guarded fragment of the mu calculus
  EmersonJutlaSistla93

? p ?p X ??? ??? ?O? ?O? ?X.? ?X.?
? p ?p X p?? ??? ?O? ?X.? ?X.?
17
Symbolic semi algorithm
Logic
model checks
Li
Ai
computes
induces
Ei
State equivalence
States s and t are Ei equivalent iff for all
regions R generated by Ai, s?R iff t?R
Ai terminates on a STS iff Ei is of finite index
18
Symbolic semi algorithm
Logic
model checks
Li
Ai
computes
induces
Ei
State equivalence
States s and t are Ei equivalent iff for all
formulas ? of Li, s sat ? iff t sat ?
If Ei has finite index, then Li can be model
checked on the finite quotient
19
Symbolic semi algorithm
Logic
model checks
Li
Ai
computes
induces
Ei
State equivalence
All regions definable by formulas in Li are
generated by Ai
If Ai terminates, then Li can be model checked
20
A Termination Criterion for A2

• Theorem 1 The algorithm A2 terminates on a STS
  iff STS has a trace equivalence relation of
  finite index.
• Idea of Proof
• We show that A2 terminates iff the equivalence
  induced by L2 (the guarded fragment of the mu
  calculus) has finite index.
• L2 is equally expressive as ?-regular properties.
• Thus, the equivalence induced by L2 is trace
  equivalence. EmersonJutlaSistla93

21
Symbolic Model Checking of Hybrid Automata

• Timed automata have a finite bisimilarity
• relation AlurDill94.
• A1 terminates.
• Symbolic L1 model checking terminates.
• Rectangular hybrid automata have a trace
  equivalence relation of finite index.
• Symbolic semi algorithm A2 terminates on
  rectangular hybrid automata.
• Symbolic L2 model checking terminates for
  rectangular hybrid automata.

22
Symbolic LTL Model Checking

• Mu calculus based algorithm for LTL model
  checking
• Convert LTL formula ? to a Buchi automaton
  (tableau construction), and then to a formula in
  the guarded mu calculus
• Symbolically evaluate the formula using Pre, and
  And with observables.
• Corollary If the algorithm A2 terminates on a
  STS, then mu calculus based symbolic LTL model
  checking terminates on STS.

23
Symbolic LTL Model Checking

• Product automaton based algorithm for LTL model
  checkingClarkeGrumbergLong94 and others
• LTL formula ? --gt Buchi automaton (tableau
  construction).
• Take the product of the transition system with
  the automaton.
• Symbolically evaluate a formula expressing that
  the resulting product automaton is nonempty.
• Proposition If the algorithm A2 terminates on a
  STS, then product automaton based symbolic LTL
  model checking terminates on STS.

24
Symbolic LTL Model Checking

• Moreover, the algorithms are equivalent in a
  strong sense
• Every region computed in the mu calculus based
  approach is also computed by the product
  automaton based approach, and conversely.

25
Symbolic LTL Model Checkingof Rectangular Hybrid
Automata

• Corollary
• Symbolic L2 model checking,
• mu calculus based algorithm for symbolic LTL
  model checking, and
• product automaton based symbolic LTL model
  checking
• all terminate for rectangular hybrid automata.
• HyTech guaranteed to terminate for
• rectangular automata and LTL objectives.

26
Conclusions

• General symbolic method for LTL model checking
• Guaranteed to terminate if the system has a
  finite trace equivalence.
• Symbolic LTL verification terminates for
  rectangular hybrid automata.
• HyTech is guaranteed to terminate.
• Generalizations for LTL control of symbolic
  (game) transition systems deAlfaroHenzingerM00.

27
Thats all Folks
28
Transition Systems

• For the thermostat
• Q on, off, delay1, delay2X R2
• S high, low, turnon, turnoff, time
• P on, off, delay1, delay2
• post((on, x, z), high) (delay1, x, 0) if x3
• emptyset if xlt3
• etc.

29
Transition Systems

• Repeated reachability Visit an observation
  infinitely often.

. . .
R3
pi
R2
pf
R1