Introduction to Formal Methods for SW and HW Development, 2006 13 Timed and Hybrid Systems: Formal M - PowerPoint PPT Presentation

Slides: 105. Provided by: radu152.

Transcript and Presenter's Notes

1
Introduction to Formal Methods for SW and HW Development, 2006
13 - Timed and Hybrid Systems: Formal Modeling and Verification
Roberto Sebastiani
Based mostly on the work and slides by Rajeev Alur, with further contributions from Andrea Mattioli, Paritosh Pandya, Yusi Ramadian
2
Trends in Model-Based Design
  • Emerging notations: UML, Stateflow
  • Visual, hierarchical, object-oriented
  • Simulation, code generation
  • Steady progress in model checking tools
  • Control design employs tools (Matlab)
  • Opportunities to influence design tools
  • Typically, semantics is not formal
  • Typically, only simulation is supported

3
Model Checker
[Diagram: a model checker takes a model and a temporal property as input and answers "yes" or returns an error-trace.]
  • Advantages
  • Automated formal verification, effective debugging tool
  • Increasing industrial success
  • In-house groups: Intel, Microsoft, Lucent, Motorola
  • Commercial model checkers: FormalCheck by Cadence
  • Obstacles
  • Scalability is still a problem (about 500 state variables)
  • Effective use requires great expertise

A great success story for CS theory impacting practice, and a vibrant area of research
4
Hybrid Modeling
(notation: dx is an abbreviation of dx/dt)
5
Automotive Applications
6
Coordination Protocols
7
Interacting Autonomous Robots
8
Physics-based Animation
9
Biomolecular Regulatory Networks
10
Overview
  • Modeling and Semantics
  • Timed automata
  • Hybrid automata
  • Symbolic Reachability Analysis for Timed Systems
  • Making the state space finite
  • Region automata
  • Zone automata
  • Symbolic Reachability Analysis for Hybrid Systems
  • Linear Hybrid Automata
  • Approximations of reachable sets

11
Acknowledgements
  • Thanks for providing slide material to
  • Rajeev Alur and colleagues (Penn University)
  • Paritosh Pandya (IIT Bombay)
  • Andrea Mattioli, Yusi Ramadian (Univ. Trento)
  • Disclaimer
  • Very introductory
  • Only very partial coverage
  • Mostly computer-science centric

12
Part 1. Modeling and Semantics
13
Outline Part 1
  • Timed Automata
  • Hybrid Automata

14
Timed Automata
15
Simple Light Control
[Diagram: locations Off, Light and Bright; every edge is labelled Press?.]
WANT: if Press is issued twice quickly then the light will get brighter, otherwise the light is turned off.
16
Simple Light Control
[Diagram: the same locations Off, Light and Bright, now with a clock x: the edge into Light resets x := 0, and the two Press? edges leaving Light are guarded by x < 3 and x > 3.]
Solution: add a real-valued clock x, i.e. add continuous variables and constraints to state machines.
17
Modeling timing constraints
  • Finite graph + finite set of (real-valued) clocks
  • vertices = locations
  • Time can elapse
  • Constraint (invariant)
  • edges = switches
  • Reset a clock
  • Constraints (guards)
  • Reading a clock: time elapsed since the last time it was reset.

18
Timed Automata
[Diagram: locations n and m, clocks x, y; an edge from n to m with action a, guard x < 5 ∧ y > 3 and reset x := 0.]
Guard: Boolean combination of comparisons with integer bounds
Reset: action performed on clocks
Action: used for synchronization
State: (location, x = v, y = u) where v, u ∈ R
19
Adding Invariants
[Diagram: the same automaton with clocks x, y; location n carries the invariant x < 5 and location m the invariant y < 10; the edge a from n to m has guard x < 5 ∧ y > 3 and reset x := 0.]
Location invariants restrict the delay transitions allowed in a location:
(n, x = 2.4, y = 3.1415) --wait(1.1)--> (n, x = 3.5, y = 4.2415) is a valid transition, whereas wait(3.2) from the same state would take x to 5.6, violating the invariant x < 5, so it is not allowed.
Invariants ensure progress!!
20
Timed Automata: Formal Syntax
  • a timed automaton A consists of
  • L locations, L0 initial locations
  • Σ labels
  • X clocks
  • I invariants (a clock constraint per location)
  • a set of switches (edges)
  • a switch consists of
  • s, s′ source and target locations
  • a label
  • φ clock constraints (guard)
  • the clocks to be reset

21
Clock constraints and clock interpretations
  • Set of clock constraints: given by a grammar
  • → only allows comparison of a clock and a constant
  • clock interpretation ν: assigns a real value to each clock
  • X = {x, y, z}, ν(X) = (1.0, 1.5, 0)
  • clock interpretation after d time units: ν + d
  • for d = 0.2: (ν + d)(X) = (1.2, 1.7, 0.2)
  • ν[Y := 0] assigns 0 to each x ∈ Y
  • Y = {y, z}: (1.0, 0, 0)

22
Example
[Diagram: a timed automaton with edges labelled a, b, c, d; the picture points out a location, a switch and an invariant.]
  • Clocks x, y can be reset independently
  • x is reset to 0 from s0 to s1 on a
  • switch c happens within 1 time-unit from a because of the constraints in s1 and s2
  • delay between b and the following d is > 2
  • no explicit bounds on the time difference between events a-b or c-d

23
Semantics
  • Semantics of A defined by means of a transition system S_A = ⟨Q, Q0, Σ, →⟩
  • Q = {(s, ν)}: a location s together with a clock interpretation ν
  • Q0 = {(s, ν) | s ∈ L0(A) and ν(x) = 0 for every clock x}
  • →: two kinds of state change
  • State change due to elapse of time
  • State change due to a location switch
  • Σ: set of labels of A

24
State change in transition system
  • (q, 0)
  • Initial state: location q with clock value 0

25
State change in transition system
  • (q, 0) → (q, 1.2)
  • state change due to elapse of 1.2 time units

26
State change in transition system
  • (q, 0) → (q, 1.2) → (q′, 1.2)
  • state change due to a location switch from q to q′; the clock value 1.2 is unchanged

27
Example: Light Switch
[Diagram: a timed automaton with edges labelled push and click.]
  • Switch may be turned on whenever at least 2 time units have elapsed since last turn off
  • Light automatically switches off after 9 time units.
28
Example: Light Switch (cont.)
[Diagram: the same automaton, edges labelled push and click.]
29
Remark non-zenoness
  • When the invariant is about to be violated, some edge must be enabled
  • The automaton should admit the possibility of time diverging

30
Combination of systems
  • Complex system = product of interacting transition systems
  • S1 and S2
  • Product S1 × S2
  • Transition iff
  • both systems share the same label → synchronized
  • the label is unique to S1 → asynchronous (S1 moves alone)
  • the label is unique to S2 → asynchronous (S2 moves alone)

31
Transition product
  • Σ1 = {a, b}
  • Σ2 = {a, c}

32
Train gate controller
33
Product Construction
[Diagram: product of the train, gate and controller automata; the edge labels carry clock constraints on x, y, z (e.g. x > 2) and resets such as x := 0, z := 0.]
34
Outline Part 1
  • Timed Automata
  • Hybrid Automata

35
Hybrid Automata
36
Hybrid Automata
[Diagram: a location l with invariant X ∈ Inv(l) and flow dX ∈ Flow(l), an edge e with guard g(X) and jump relation J(X, X′) to a second location drawn the same way, and the initial condition X ∈ Init(l).]
37
Switched Dynamic Systems
38
Hybrid Automata
  • Set L of locations, and set E of edges
  • Set X of k continuous variables
  • State space L × R^k; Region = subset of R^k
  • For each location l,
  • Initial states: region Init(l)
  • Invariant: region Inv(l)
  • Continuous dynamics: dX ∈ Flow(l)(X)
  • For each edge e from location l to location l′
  • Guard: region Guard(e)
  • Update: relation Jump(e) over R^k × R^k
  • Synchronization labels (communication information)

39
(Finite) Executions of Hybrid Automata
  • State: (l, x) such that x satisfies Inv(l)
  • Initialization: (l, x) s.t. x satisfies Init(l)
  • Two types of state updates
  • Discrete switches: (l, x) −a→ (l′, x′) if there is an a-labeled edge e from l to l′ s.t. x satisfies Guard(e) and (x, x′) satisfies the update relation Jump(e)
  • Continuous flows: (l, x) −f→ (l, x′) where f is a continuous function on [0, d] s.t. f(0) = x, f(d) = x′, and for all t < d, f(t) satisfies Inv(l) and df(t) satisfies Flow(l)(f(t))

40
Example of (linear) Hybrid Automaton: Gate for a railroad controller
[Diagram: four locations with invariants and flows: Open (h = 90, dh = 0), lowering (h > 0, −10 < dh < −9), closed (h = 0, dh = 0), raising (h < 90, 8 < dh < 10). Initially h = 90. Two edges labelled ?lower and two labelled ?raise switch between the locations; lowering leaves to closed when h = 0, and raising leaves to Open when h = 90.]
41
Part 2. Symbolic Reachability Analysis for Timed
Systems
42
Outline Part 2
  • Reachability analysis
  • Making the state space finite
  • Region automata
  • Zone automata

43
Reachability Analysis
  • Verification of a safety requirement = reachability problem
  • Input: a timed automaton A and a set L_F of target locations
  • Determine whether L_F is reachable in the timed automaton A
  • Location s of A is reachable if some state q with location component s is a reachable state of the transition system S_A

44
Timed/hybrid Systems problem
The transition system S_A associated to A has infinitely many states.
Is finite-state analysis possible? Is the reachability problem decidable?
45
Idea Finite Partitioning
Goal: partition the state space into finitely many equivalence classes so that equivalent states exhibit similar behaviours
46
Reachability analysis
[Diagram: the semantics maps the timed automaton to S_A, with an infinite set of actions and an infinite set of states; time abstraction yields the time-abstract automaton U_A, with a finite set of actions but still an infinite set of states; the quotient by regions yields the region automaton, where both states and actions are finite sets.]
47
Outline Part 2
  • Reachability Analysis
  • Making the state space finite
  • Region automata
  • Zone automata

48
Timed Vs Time-Abstract Relations
  • Transition system associated with a timed/hybrid automaton A
  • S_A: labels on continuous steps are delays in R
  • Actual delays are suppressed (all continuous steps have the same label): time-abstract U_A

49
Time-abstract transition system UA
  • Only the change due to a location switch is stated explicitly
  • Cuts the system down to finitely many labels
  • U_A (instead of S_A) allows for capturing untimed properties (e.g., reachability, safety)

50
Stable quotients
Stable: the equivalence relation is respected by the transitions
  • Cut down to finitely many states
  • Collapse equivalent states
  • Stable equivalence relation ≅
  • Quotient of U_A: transition system U_A/≅

51
LF-sensitive equivalence relation
  • Equivalence relation L_F-sensitive:
  • All states in an equivalence class belong either all to L_F or all to its complement

52
Outline Part 2
  • Reachability Analysis
  • Making the state space finite
  • Region Automata
  • Zone automata

53
Region Equivalence over clock interpretation
  • Example: ν(x) = 3.7; integral part ⌊ν(x)⌋ = 3, fractional part fr(ν(x)) = 0.7
  • ν ≅ ν′ iff
  • For all x, the integral part is the same in ν and ν′, or both ν(x) and ν′(x) exceed c_x
  • (c_x = max constant x is compared to)
  • For all x, y with ν(x) ≤ c_x and ν(y) ≤ c_y, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν′(x)) ≤ fr(ν′(y))
  • For all x with ν(x) ≤ c_x, fr(ν(x)) = 0 iff fr(ν′(x)) = 0

54
Constraint 1
For all x, the integral part ⌊ν(x)⌋ is the same in ν and ν′, or both ν(x) and ν′(x) exceed c_x
[Figure: the integer-part condition illustrated on one clock axis.]
55
Constraint 2
For all x, y with ν(x) ≤ c_x and ν(y) ≤ c_y, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν′(x)) ≤ fr(ν′(y))
[Figure: the three cases fr(ν(x)) < fr(ν(y)), fr(ν(x)) = fr(ν(y)) and fr(ν(x)) > fr(ν(y)) drawn in the (x, y) plane.]
56
Constraint 3
For all x with ν(x) ≤ c_x, fr(ν(x)) = 0 iff fr(ν′(x)) = 0
[Figure: the cases fr(ν(x)) = 0 and fr(ν(x)) > 0.]
57
Clock regions
  • 2 clocks x, y with c_x = 2, c_y = 1:
  • 8 open regions
  • 14 open line segments
  • 6 corner points
  • Clock region = equivalence class of clock interpretations ν; there are finitely many
  • Max number of regions
  • Number of clock regions exponential in the encoding of the clock constraints
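As an added example (not from the slides), the following Python code turns the three conditions of region equivalence into a canonical key for a clock interpretation and uses that key to enumerate the regions of the two-clock example with c_x = 2, c_y = 1, classifying them as corner points, open line segments and open regions. The function names and the idea of sampling a grid of step 1/(k+1) to find every region are my own choices.

```python
"""Region equivalence of clock interpretations (Alur-Dill), decided through a
canonical key built from the three conditions on the slide."""
from fractions import Fraction
from itertools import product
from math import floor


def region_key(nu, cmax):
    """Canonical key of clock interpretation `nu` (dict clock -> value) under the
    maximal constants `cmax` (dict clock -> c_x). Two interpretations are
    region-equivalent iff their keys are equal:
      1. same integral part, or both exceed c_x;
      2. same ordering (<, =, >) of fractional parts of non-exceeding clocks;
      3. same set of non-exceeding clocks whose fractional part is 0."""
    parts = {}
    bounded = []                      # (fractional part, clock) for nu(x) <= c_x
    for x in sorted(nu):
        v = Fraction(nu[x])           # exact arithmetic avoids float surprises
        if v > cmax[x]:
            parts[x] = "over"                     # condition 1: "both exceed c_x"
        else:
            fr = v - floor(v)
            parts[x] = (floor(v), fr == 0)        # conditions 1 and 3
            bounded.append((fr, x))
    bounded.sort()
    # condition 2: clocks grouped by equal fractional part, groups in increasing order
    groups, last = [], None
    for fr, x in bounded:
        if groups and fr == last:
            groups[-1].append(x)
        else:
            groups.append([x])
            last = fr
    return (tuple((x, parts[x]) for x in sorted(parts)), tuple(tuple(g) for g in groups))


def region_equivalent(nu1, nu2, cmax):
    return region_key(nu1, cmax) == region_key(nu2, cmax)


def region_dimension(key):
    """0 = corner point, 1 = open line segment, 2 = open region (for two clocks):
    one dimension per clock beyond its constant, plus one per group of clocks
    sharing a non-zero fractional part."""
    parts, groups = key
    over = sum(1 for _, p in parts if p == "over")
    nonzero_groups = sum(1 for g in groups if not dict(parts)[g[0]][1])
    return over + nonzero_groups


def enumerate_regions(cmax):
    """All regions, found by sampling a grid of step 1/(k+1) up to c_x + 1 on each
    axis; that grid realises every ordering of fractional parts of k clocks."""
    clocks = sorted(cmax)
    step = len(clocks) + 1
    axes = [[Fraction(i, step) for i in range((cmax[x] + 1) * step + 1)] for x in clocks]
    return {region_key(dict(zip(clocks, point)), cmax) for point in product(*axes)}


def count_regions_by_dimension(cmax):
    counts = {}
    for key in enumerate_regions(cmax):
        d = region_dimension(key)
        counts[d] = counts.get(d, 0) + 1
    return counts


if __name__ == "__main__":
    C = {"x": 2, "y": 1}                    # the slide's example: c_x = 2, c_y = 1
    print(count_regions_by_dimension(C))    # {0: 6, 1: 14, 2: 8}, i.e. 28 regions
    print(region_equivalent({"x": 0.3, "y": 0.7}, {"x": 0.1, "y": 0.9}, C))  # True
    print(region_equivalent({"x": 0.3, "y": 0.7}, {"x": 0.7, "y": 0.3}, C))  # False
```

The counts reproduce the 6 corner points, 14 open line segments and 8 open regions of the slide; note that (x, y) = (0.3, 0.7) and (0.7, 0.3) fall into different regions because the order of their fractional parts differs, which is exactly the information a time-abstract bisimulation needs (which clock hits the next integer first).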

58
Regions, intuitive idea: Finite partitioning of state space
[Alur, Dill, 90]
Definition: w ≅ w′ iff they satisfy the same set of constraints of the form x_i < c, x_i = c, x_i − x_j < c, x_i − x_j = c, for c < largest constant relevant to x_i
[Figure: the (x, y) plane with x ∈ [0, 3] and y ∈ [0, 2] partitioned into regions; one equivalence class (i.e. a region) is highlighted.]
In fact there is only a finite number of regions!!
59
Region Operations
[Figure: the region partition of the (x, y) plane with a region r highlighted, its successor regions Succ(r) (the regions reached from r by letting time elapse), and the reset regions obtained from r by x := 0 and by y := 0.]
60
Properties of Regions
  • The region equivalence relation ≅ is a time-abstract bisimulation
  • Action transitions: if w ≅ v and (l, w) −a→ (l′, w′) for some w′, then there exists v′ ≅ w′ s.t. (l, v) −a→ (l′, v′)
  • Delay transitions: if w ≅ v then for all real numbers d there exists d′ s.t. w + d ≅ v + d′
  • If w ≅ v then (l, w) and (l, v) satisfy the same temporal logic formulas

61
Region automaton
  • Equivalent states: identical location and region-equivalent clock interpretations
  • Classes: finite, stable, L_F-sensitive
  • Region automaton of A: R(A)
  • Q = equivalence classes of (s, ν)
  • Reachability problem (A, L_F) → search R(A)

62
Region graph of a simple timed automaton
63
Regions: Finite partitioning of state space (repeat of slide 58)
64
Region Operations (repeat of slide 59)
65
Complexity of reachability
  • Linear in the number of locations
  • Exponential in the number of clocks
  • Exponential in the encoding of the constants
  • PSPACE-complete

66
Outline Part 2
  • Reachability Analysis
  • Making the state space finite
  • Region Automata
  • Zone Automata

67
Zone automata
  • Collapse regions by convex unions of clock regions
  • Clock zone φ: set of clock constraints of the forms x − y ≤ c, x − y < c, x < c, x ≤ c, x = c, x > c, x ≥ c
  • φ is a convex set in the k-dimensional Euclidean space
  • → contains all possible relationships among the clock values in a set

68
Zones symbolic representation
Symbolic state (set of states): (s, φ)
State: (s, x = 3.2, y = 2.5)
Zone: conjunction of constraints of the forms x − y ≤ c, x − y < c, x < c, x ≤ c, x = c, x > c, x ≥ c
69
Zone automaton
  • Z(A) is a transition system ⟨Q, Q0, Σ, →⟩ s.t.
  • Q = zones of A: symbolic states (s, φ)
  • Q0 = (s, X = 0), for every initial location s of A
  • Σ = set of labels or events
  • → = {((s, φ), a, (s′, succ(φ, e)))} for each switch e from s to s′ labelled a
  • succ(φ, e) = clock interpretations reached after executing e from φ

70
Symbolic transition
  • succ(φ, e) is computed from φ by
  • intersection with the invariant: the interpretations of φ that fulfil the invariant of state s
  • time elapse: the interpretations that still fulfil the invariant of state s after time elapse
  • intersection with the guard: the interpretations that fulfil the time constraint of switch e
  • reset of the clocks of e
  • closure under the three operations (intersection, time elapse, reset) → still a convex set
71
Symbolic Transitions
[Worked example: zone of location n: 1 < x < 4 ∧ 1 < y < 3]
delays to: 1 < x, 1 < y, −2 < x − y < 3
conjuncts with the guard x > 3 to: 3 < x, 1 < y, −2 < x − y < 3
projects (reset y := 0) to: 3 < x, y = 0, in location m
Thus (n, 1 < x < 4 ∧ 1 < y < 3) → (m, 3 < x ∧ y = 0)
72
Canonical Data-structures for Zones
Difference-bound Matrices
  • Matrix representation of constraints (bounds on a single clock or on the difference between 2 clocks)
  • Reduced form obtained by running an all-pairs shortest path algorithm
  • Reduced DBM is canonical
  • Operations such as reset, time-successor, inclusion, intersection are efficient
  • Popular choice in timed-automata-based tools

73
Difference-bound matrices (DBM)
  • k clocks: (k + 1) × (k + 1) matrix D (the extra row and column are for the reference clock x0 = 0)
  • Example

D_0i: lower bound on x_i
D_i0: upper bound on x_i
D_ij: upper bound on the difference x_i − x_j
  • (c, 1) means ≤ c
  • (c, 0) means < c
  • ∞ means absence of a bound

74
Difference-bound matrices (DBM)
  • Upper bound of x_i − x_l ≤ sum of the upper bounds of x_i − x_j and x_j − x_l
  • Use all-pairs shortest paths to tighten the bounds, then check the DBM:
  • Satisfiable? Canonical?
  • Satisfiable = a nonempty clock zone
  • Canonical = matrix with the tightest possible constraints
  • Canonical DBMs represent clock zones (uniquely)

75
Canonical Data-structures for Zones: Difference-Bound Matrices
When are two sets of constraints equivalent?
D1: x < 1, y − x < 2, z − y < 2, z < 9
D2: x < 1, y − x < 2, y < 3, z − y < 2, z < 7
(Both reduce to the same canonical DBM: shortest paths tighten the bounds to y < 3 and z < 5.)
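The DBM machinery of these slides, as an added Python example that is not from the slides or any tool they mention: bounds are pairs (c, strict) with ∞ as "no bound", canonicalization is Floyd-Warshall over the (k+1)×(k+1) matrix, and the three zone operations (time elapse, conjunction with a guard, reset) are applied to the symbolic-transition example of slide 71 and the D1/D2 comparison of slide 75. The class name `DBM`, the string form of constraints and the helper names are my own.

```python
"""Difference-bound matrices (DBMs): canonical form by all-pairs shortest paths,
emptiness check, and the zone operations (time elapse, guard, reset) behind succ(phi, e)."""
from itertools import product

INF = None                                     # absence of a bound


def bound_lt(a, b):
    """Strict order on bounds (c, strict): (c, True) is '< c', (c, False) is '<= c'."""
    if b is INF:
        return a is not INF
    if a is INF:
        return False
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


def bound_add(a, b):
    if a is INF or b is INF:
        return INF
    return (a[0] + b[0], a[1] or b[1])          # a sum is strict if either summand is


def bound_min(a, b):
    return a if bound_lt(a, b) else b


class DBM:
    """Row/column 0 is the reference clock x0 = 0; D[i][j] bounds x_i - x_j."""

    def __init__(self, clocks):
        self.clocks = list(clocks)
        self.idx = {x: i + 1 for i, x in enumerate(self.clocks)}
        n = len(self.clocks) + 1
        self.D = [[INF] * n for _ in range(n)]
        for i in range(n):
            self.D[i][i] = (0, False)
            self.D[0][i] = (0, False)           # clocks are non-negative: 0 - x_i <= 0

    def _i(self, name):
        return 0 if name == "0" else self.idx[name]

    def constrain(self, lhs, rhs, c, strict=False):
        """Conjoin lhs - rhs < c (strict) or <= c; use "0" for the reference clock."""
        i, j = self._i(lhs), self._i(rhs)
        self.D[i][j] = bound_min(self.D[i][j], (c, strict))
        return self

    def canonicalize(self):
        """Floyd-Warshall: tighten every D[i][j] with D[i][k] + D[k][j]."""
        n = len(self.D)
        for k, i, j in product(range(n), repeat=3):
            self.D[i][j] = bound_min(self.D[i][j], bound_add(self.D[i][k], self.D[k][j]))
        return self

    def is_empty(self):
        """Empty iff shortest paths expose a negative cycle, i.e. some D[i][i] < 0."""
        self.canonicalize()
        return any(bound_lt(self.D[i][i], (0, False)) for i in range(len(self.D)))

    def up(self):
        """Time elapse: drop the upper bounds of single clocks, keep all differences
        (start from the canonical form, otherwise implied differences are lost)."""
        self.canonicalize()
        for i in range(1, len(self.D)):
            self.D[i][0] = INF
        return self

    def reset(self, name):
        """x := 0: x - x0 = 0, and x - y inherits the bounds of x0 - y."""
        self.canonicalize()
        r = self._i(name)
        for j in range(len(self.D)):
            self.D[r][j] = self.D[0][j]
            self.D[j][r] = self.D[j][0]
        return self

    def constraints(self):
        """Canonical constraints as strings (the implicit x >= 0 bounds are omitted)."""
        self.canonicalize()
        names = ["0"] + self.clocks
        out = []
        for i, j in product(range(len(names)), repeat=2):
            b = self.D[i][j]
            if i == j or b is INF or (i == 0 and b == (0, False)):
                continue
            out.append(f"{names[i]}-{names[j]}{'<' if b[1] else '<='}{b[0]}")
        return sorted(out)


def symbolic_transition_example():
    """Slide 71: (n, 1<x<4, 1<y<3) --[guard x>3, reset y]--> (m, 3<x, y=0)."""
    z = DBM(["x", "y"])
    z.constrain("x", "0", 4, True).constrain("0", "x", -1, True)    # 1 < x < 4
    z.constrain("y", "0", 3, True).constrain("0", "y", -1, True)    # 1 < y < 3
    after_delay = z.up().constraints()                              # gains -2 < x-y < 3
    z.constrain("0", "x", -3, True)                                 # guard x > 3
    return after_delay, z.is_empty(), z.reset("y").constraints()


def equivalent_constraint_sets():
    """Slide 75: D1 and D2 denote the same zone iff their canonical DBMs agree."""
    d1 = DBM(["x", "y", "z"]).constrain("x", "0", 1, True).constrain("y", "x", 2, True) \
        .constrain("z", "y", 2, True).constrain("z", "0", 9, True)
    d2 = DBM(["x", "y", "z"]).constrain("x", "0", 1, True).constrain("y", "x", 2, True) \
        .constrain("y", "0", 3, True).constrain("z", "y", 2, True).constrain("z", "0", 7, True)
    return d1.canonicalize().D == d2.canonicalize().D, d1.constraints()


def inconsistent_zone_is_empty():
    """x <= 1 together with x > 2 has no solution: the diagonal goes negative."""
    return DBM(["x"]).constrain("x", "0", 1).constrain("0", "x", -2, True).is_empty()


if __name__ == "__main__":
    print(symbolic_transition_example())
    print(equivalent_constraint_sets())
    print(inconsistent_zone_is_empty())
```

Two details matter in practice: `up()` must be applied to a canonical matrix, since dropping the upper bounds of x and y before the implied −2 < x − y < 3 has been derived would lose that difference constraint; and emptiness is exactly a negative cycle in the shortest-path sense, which is why a single Floyd-Warshall pass both canonicalizes and decides satisfiability.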
76
Complexity
  • Theoretically
  • Zone automaton may be exponentially bigger than
    the region automaton
  • Practically
  • Fewer reachable vertices
  • → performance much improved

77
Implementation
  • Verification problem
  • Input: timed automata A_i
  • Process: searching R(∏_i A_i) or Z(∏_i A_i)
  • BDD-based engine (preferably for the region construction)
  • On-the-fly enumerative search (preferably for the zone construction)

78
Timed Automata summary
  • Only continuous variables are timers
  • Invariants and guards: x < const, x > const
  • Actions: x := 0
  • Reachability is decidable
  • Clustering of regions into zones is desirable in practice
  • Tools: Uppaal, Kronos, RED
  • Symbolic representation: matrices (DBMs)
  • Techniques to construct timed abstractions of general hybrid systems

79
Decidable Problems
  • Model checking branching-time properties of timed automata
  • Reachability in rectangular automata
  • Timed bisimilarity: are two given timed automata bisimilar?
  • Optimization: compute shortest paths (e.g. minimum-time reachability) in timed automata with costs on locations and edges
  • Controller synthesis: computing winning strategies in timed automata with controllable and uncontrollable transitions

80
Part 3. Symbolic Reachability Analysis for
Hybrid Systems
81
Outline Part 3
  • Symbolic Reachability Analysis
  • Linear Hybrid Automata (HyTech)
  • Polyhedral Flow-pipe Approximations (CheckMate)

82
Standard Reachability Problem
  • Model variables X = {x1, ..., xn}
  • Each var is of finite type, say boolean
  • Initialization I(X): condition over X
  • Update T(X, X′)
  • How the new vars X′ are related to the old vars X as a result of executing one step of the program
  • Target set F(X)
  • Computational problem
  • Can F be satisfied starting with I by repeatedly applying T?
  • Graph search problem

83
General Symbolic Solution
  • Data type region to represent state-sets
  • R := I(X)
  • Repeat
  • If R intersects F report yes
  • Else if R contains Image(R) report no
  • Else R := R ∪ Image(R)
  • Image(R) = set of successors of states in R
  • Termination may or may not be guaranteed
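As an added example that is not from the slides, here is the general symbolic solution above run on a finite-state model, with regions represented as plain Python sets of states. The model is Peterson's mutual exclusion protocol for two processes in my own encoding (state = (pc0, pc1, flag0, flag1, turn), one interleaved step per image computation), the target F is "both processes in the critical section", and a deliberately wrong variant (turn := own id) shows the loop reporting "yes" together with the reachable set that witnesses it.

```python
"""The general symbolic solution (R := I; repeat ...) on a finite-state model.
Regions are sets of states; the model is Peterson's two-process mutual exclusion
protocol and F is "both processes in their critical section"."""


def symbolic_reach(init, image, is_bad):
    """Returns (reachable?, R): R grows by Image(R) until it meets F or is closed."""
    R = frozenset(init)
    while True:
        if any(is_bad(s) for s in R):
            return True, R                     # R intersects F: report yes
        img = image(R)
        if img <= R:
            return False, R                    # R contains Image(R): report no
        R = R | img                            # R := R union Image(R)


# State = (pc0, pc1, flag0, flag1, turn); pc: 0 idle, 1 flag raised, 2 waiting, 3 critical
def peterson_successors(state, buggy=False):
    """One step of either process (interleaving); `buggy` sets turn to itself."""
    pc, flag, turn = list(state[:2]), list(state[2:4]), state[4]
    succ = set()
    for i in (0, 1):
        j = 1 - i
        npc, nflag, nturn = pc[:], flag[:], turn
        if pc[i] == 0:                         # raise own flag
            nflag[i], npc[i] = 1, 1
        elif pc[i] == 1:                       # yield priority to the other process
            nturn, npc[i] = (i if buggy else j), 2
        elif pc[i] == 2:                       # wait while flag[j] and turn == j
            if flag[j] and turn == j:
                continue                       # blocked: no successor from this process
            npc[i] = 3
        else:                                  # leave the critical section
            nflag[i], npc[i] = 0, 0
        succ.add((npc[0], npc[1], nflag[0], nflag[1], nturn))
    return succ


def check_mutual_exclusion(buggy=False):
    """Image(R) = all successors of states in R; I = the single initial state."""
    image = lambda R: frozenset(t for s in R for t in peterson_successors(s, buggy))
    both_critical = lambda s: s[0] == 3 and s[1] == 3
    return symbolic_reach({(0, 0, 0, 0, 0)}, image, both_critical)


if __name__ == "__main__":
    violated, reached = check_mutual_exclusion()
    print("violation reachable:", violated, "| reachable states:", len(reached))
    print("buggy variant, violation reachable:", check_mutual_exclusion(buggy=True)[0])
```

With explicit sets, "R contains Image(R)" is a subset test and "R intersects F" a membership scan; a BDD-based engine performs the same loop with the operations listed on the next slide, and the representation size rather than the number of states decides how far it scales.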

84
Symbolic Representations
  • Necessary operations on Regions
  • Union
  • Intersection
  • Negation
  • Projection
  • Renaming
  • Equality/containment test
  • Emptiness test
  • Different choices for different classes of systems
  • BDDs for boolean variables in hardware verification
  • What matters is the size of the representation, as opposed to the number of states

85
Reachability for Hybrid Systems
  • Same algorithm works in principle
  • What's a suitable representation of regions?
  • Region = subset of R^k
  • Main problem: handling continuous dynamics
  • Precise solutions available for restricted continuous dynamics
  • Timed automata
  • Linear hybrid automata
  • Even for linear systems, over-approximations of the reachable set are needed

86
Reachability Analysis for Dynamical Systems
  • Goal: given an initial region, compute whether a bad state can be reached
  • Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short)

87
Outline Part 3
  • Symbolic Reachability Analysis
  • Linear Hybrid Automata (HyTech)
  • Polyhedral Flow-pipe Approximations (CheckMate)

88
Multi-rate Automata
  • Modest extension of timed automata
  • Dynamics of the form dx = const (the rate of a clock is the same in all locations)
  • Guards and invariants: x < const, x > const
  • Resets: x := const
  • Simple translation to timed automata, by scaling, that gives a time-abstract bisimilar system

89
Rectangular Automata
[Puri, Henzinger, 95]
  • Interesting extension of timed automata
  • Dynamics of the form dx ∈ const interval (the rate bounds of a clock are the same in all locations)
  • Guards/invariants/resets as before
  • Translation to multi-rate automata that gives a time-abstract language-equivalent system

90
Linear Hybrid Automata
  • Invariants and guards: linear (Ax < b)
  • Actions: linear transforms (x′ = Ax)
  • Dynamics: time-invariant, state-independent
  • specified by a convex polytope constraining the rates
  • E.g. 2 < dx < 3, dx = dy
  • Tools: HyTech
  • Symbolic representation: polyhedra
  • Methodology: abstract the dynamics by differential inclusions bounding the rates

91
Example LHA: Gate for a railroad controller
[Diagram (as on slide 40): locations Open (h = 90, dh = 0), lowering (h > 0, −10 < dh < −9), closed (h = 0, dh = 0), raising (h < 90, 8 < dh < 10); initially h = 90; two edges labelled ?lower and two labelled ?raise switch between the locations, lowering leaves to closed when h = 0 and raising leaves to Open when h = 90.]
92
Reachability Computation
  • Basic element: (location l, polyhedron p)
  • Set of visited states: a list of (l, p) pairs
  • Key steps
  • Compute the discrete successors of (l, p)
  • Compute the continuous successor of (l, p)
  • Check if p intersects the bad region
  • Check if a newly found p is covered by the already visited polyhedra p1, …, pk (expensive!)

93
Computing Discrete Successors
[Diagram: an edge from location l to location l′ with guard g(x) and action x′ := a(x).]
  • Discrete successor of (l, p)
  • Intersect p with g (the result r is a polyhedron)
  • Apply the linear transformation a to r (the result r′ is a polyhedron)
  • Successor is (l′, r′)

94
Computing Time Successor
[Figure: in the (x, y) plane, a polyhedron p with vertices including (1, 4) and (3, 2), the rate polytope, and the time successor Reach(p) obtained by sweeping the vertices of p along the extremal rates.]
  • Thm: if the initial set p, the invariant I and the rate constraint r are polyhedra, then the set of reachable states is a polyhedron (and computable)
  • Basically, apply the extremal rates to the vertices of p

95
Summary Linear Hybrid Automata
  • HyTech implements this strategy
  • Core computation: manipulation of polyhedra
  • Bottlenecks
  • proliferation of polyhedra (unions)
  • computing with higher-dimensional polyhedra
  • Many case studies (active structure control, Philips audio control protocol, steam boiler)

96
Outline Part 3
  • Symbolic Reachability Analysis
  • Linear Hybrid Automata (HyTech)
  • Polyhedral Flow-pipe Approximations (CheckMate)

97
Beyond LHA
  • Exact computation with polyhedra is limiting.
  • If the dynamics is dX = AX and P is a polyhedron, Reach(P) is not a polyhedron
  • Solutions
  • Approximate Reach(P) with an enclosing convex polyhedron: CheckMate (Krogh)
  • Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler)
  • Level sets method (Greenstreet, Tomlin)
  • Use ellipsoids for the representation of sets (Kurzhanski)

98
Polyhedral Flow Pipe Approximations
[Figure: the flow pipe emanating from the initial set X0.]
  • R_[0,T](X0) ≈ union of polytopes, one per time segment

99
Wrapping Hyperplanes Around a Set
Step 1: choose normal vectors c1, ..., cm
[Figure: a set S and four normal vectors c1, c2, c3, c4.]
100
Wrapping Hyperplanes Around a Set
Step 2: compute the optimal d in Cx ≤ d, where C^T = [c1 ... cm]
d_i = max c_i^T x over x ∈ S
[Figure: S wrapped by the four hyperplanes with normals c1, ..., c4.]
101
Wrapping a Flow Pipe Segment
  • Given normal vectors c_i, we wrap R_[t_k, t_k+1](X0) in a polytope by solving, for each i,

d_i = max over x0, t of c_i^T x(t, x0)
s.t. x0 ∈ X0, t ∈ [t_k, t_k+1]
The optimization problem is solved by embedding simulation into the objective function computation
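The two steps above and the flow-pipe segment wrap, as an added Python example that is not from the slides or from CheckMate: `wrap_segment` evaluates the objective c_i^T x(t, x0) by simulating the ODE (a small RK4 integrator, my choice) over a sampled set of initial points and times, and returns one d_i per normal. The Van der Pol system in the demo is the standard first-order form with μ = 1; the slide does not state its parameters or initial set, so the box [0.9, 1.1] × [−0.1, 0.1] and the four axis normals are constructed here. The rotation system is added only because its exact flow is known, which makes the result checkable.

```python
"""Polyhedral wrap of a flow-pipe segment R_[tk,tk+1](X0): for each normal c_i,
d_i = max c_i^T x(t, x0) over x0 in X0 and t in [tk, tk+1], with the objective
evaluated by running a simulation (RK4) inside the maximisation."""
from math import pi


def rk4_step(f, x, h):
    k1 = f(x)
    k2 = f([xi + h / 2 * ki for xi, ki in zip(x, k1)])
    k3 = f([xi + h / 2 * ki for xi, ki in zip(x, k2)])
    k4 = f([xi + h * ki for xi, ki in zip(x, k3)])
    return [xi + h / 6 * (a + 2 * b + 2 * c + d) for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]


def trajectory(f, x0, t0, t1, steps):
    """Sampled x(t, x0) for t = t0, t0 + h, ..., t1 (both endpoints included)."""
    h = (t1 - t0) / steps
    x, pts = list(x0), [list(x0)]
    for _ in range(steps):
        x = rk4_step(f, x, h)
        pts.append(x)
    return pts


def wrap_segment(f, x0_points, t0, t1, normals, steps=100):
    """d_i = max over the sampled (x0, t) of c_i^T x(t, x0); the polytope
    {x : c_i^T x <= d_i for all i} encloses every sampled point.
    For linear dynamics c^T x(t, x0) is linear in x0, so the vertices of X0
    suffice; for nonlinear f vertex sampling is only a heuristic."""
    samples = [p for v in x0_points for p in trajectory(f, v, t0, t1, steps)]
    return [max(sum(ci * xi for ci, xi in zip(c, p)) for p in samples) for c in normals]


def van_der_pol(mu):
    """dx = y, dy = mu (1 - x^2) y - x: first-order form of the Van der Pol equation."""
    return lambda x: [x[1], mu * (1 - x[0] ** 2) * x[1] - x[0]]


def rotation(x):
    """dx = -y, dy = x: a linear system whose flow rotates the plane."""
    return [-x[1], x[0]]


AXIS_NORMALS = [(1, 0), (-1, 0), (0, 1), (0, -1)]      # bounding-box normals in R^2


def quarter_turn_box():
    """Wrap the quarter circle traced by (1, 0) under `rotation` for t in [0, pi/2];
    the exact answer is x <= 1, -x <= 0, y <= 1, -y <= 0, i.e. d = [1, 0, 1, 0]."""
    return wrap_segment(rotation, [(1.0, 0.0)], 0.0, pi / 2, AXIS_NORMALS)


if __name__ == "__main__":
    # Constructed demo: Van der Pol with mu = 1, initial box [0.9,1.1] x [-0.1,0.1]
    # given by its vertices, uniform time step 0.5 as on slide 103, four normals.
    box = [(0.9, -0.1), (1.1, -0.1), (1.1, 0.1), (0.9, 0.1)]
    for k in range(4):
        d = wrap_segment(van_der_pol(1.0), box, 0.5 * k, 0.5 * (k + 1), AXIS_NORMALS)
        print(f"segment [{0.5 * k:.1f}, {0.5 * (k + 1):.1f}]: "
              f"{-d[1]:.3f} <= x <= {d[0]:.3f}, {-d[3]:.3f} <= y <= {d[2]:.3f}")
    print(quarter_turn_box())
```

The maximisation over t is what makes each polytope cover the whole segment rather than a single time slice; with more normals (e.g. the diagonals) the wrap tightens, at the cost of one optimisation per normal per segment.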
102
Improvements for Linear Systems
  • dx = Ax → x(t, x0) = e^{At} x0
  • No longer need to embed simulation into the optimization
  • Flow pipe segment computation depends only on the time step Δt
  • A segment can be obtained by applying e^{At} to another segment of the same Δt

103
Example Van der Pol Equation
[Figure: the Van der Pol equation, its initial set and the flow pipe segments.]
Initial set
Uniform time step Δt_k = 0.5
104
Summary Flow Pipe Approximation
  • Applies in arbitrary dimensions
  • Approximation error doesn't grow with time
  • Estimation error (Hausdorff distance) can be made arbitrarily small with Δt < δ and size of X0 < δ
  • Integrated into a complete verification tool (CheckMate)