Post on 10-May-2020
Cyber-Physical Systems – Timed Automata
Matthias Althoff
TU München
05. June 2015
Matthias Althoff Timed Automata 05. June 2015 1 / 22
Overview
Timed Automata
Modeling
Runs of timed automata
Verification of timed automata
Timed automata are already hybrid systems since time is real-valued.
Modeling of Timed Automata
Why include time into finite state automata?
In finite state automata, only the sequence of events is important, not the time when it happens.
In most engineering applications, timing is crucial, e.g.
the time when a railway signal is changed,
coordination and timing of production processes,
scheduling of unmanned subway trains, etc.
In some cases, wrong timing can lead to catastrophic events, e.g.
the system might become unstable,
a different event sequence is generated,
a deadlock is created, etc.
Timed events
Time sequence
We introduce a time sequence
$$\tau = t_1, t_2, t_3, \ldots$$
where $t_i \le t_{i+1}$ and $\forall t \in \mathbb{R}\ \exists i \ge 1$ such that $t_i > t$ (time progresses).
Timed event
We refer to a pair $(e_i, t_i)$ as a timed event, where $e_i$ is the event occurring at time $t_i$.
Timed sequence
We refer to a sequence of timed events
$$\big((e_1, t_1), (e_2, t_2), (e_3, t_3), \ldots\big)$$
as a timed sequence.
Timed Automata
Timed automata describe the dynamics of systems that can be described by a finite set of states $z_i$ and clocks $c_i \in \mathbb{R}_0^+$. Starting from an initial state $z(t_0)$, initial clock values $c_i(t_0)$, and a timed input sequence
$$u = \big((u(t_0), t_0), (u(t_1), t_1), (u(t_2), t_2), \ldots\big)$$
a finite state automaton creates a timed output sequence
$$y = \big((y(t_0), t_0), (y(t_1), t_1), (y(t_2), t_2), \ldots\big),$$
where it is not required that the times $t_i$ of the input sequence and those of the output sequence are synchronized.
For simplification we use the notation $u(k)$, $y(k)$ instead of $u(t_k)$, $y(t_k)$.
Static timed automata $y(t_k) = g(u(t_k))$ have synchronized inputs and outputs and can as well be described by finite state automata.
[Block diagram: input u → finite state automaton → output y]
Syntax of Timed Automata
Definition
A timed automaton TA is a tuple (ordered set):
$$TA = (Z, C, U, Y, T, g, h, z_0),$$
where $z_0$ is the initial state,
$Z = \{z_1, \ldots, z_n\}$ set of states
$C = \{c_1, \ldots, c_n\}$, $c_i \in \mathbb{R}_0^+$ set of clocks
$U = \{u_1, \ldots, u_p\}$ set of input symbols (input alphabet)
$Y = \{y_1, \ldots, y_q\}$ set of output symbols (output alphabet)
$T \subseteq Z \times U \times Z \times Y$ set of transitions
$g : T \to \mathcal{P}(C)$ guard function
$h : T \times C \to C$ jump function
There exist many variations of definitions of timed automata in the literature.
Semantics of Timed Automata
Our definition of a timed automaton has the following semantics:
Initially ($t = t_0$) all clocks have the value 0 ($\forall i : c_i(t_0) = 0$) if not specified differently.
Clock values progress: $\forall i : \dot{c}_i = 1$.
As soon as the vector of clocks $c$ is within a guard set $g(z, u, z', y)$ of a transition $(z, u) \to (z', y)$, the corresponding transition is activated.
As soon as the input event $u$ of an activated transition occurs, the transition is taken and the output event $y$ is generated.
After a transition is taken, the jump function resets the clock values:
$$c' = h\big((z, u, z', y), c\big), \qquad h_i = \begin{cases} c_i, & \text{if } i \notin r\big((z, u, z', y)\big) \\ 0, & \text{if } i \in r\big((z, u, z', y)\big) \end{cases}$$
and $r : T \to \mathbb{N}$ is a clock reset function.
Timed Automaton of a Production Plant
[Figure: conveyor belt carrying workpieces W1 and W2 past a robot picking area, with machining stations M1 and M2]
A conveyor belt transports workpieces W1 and W2, where W1 can only be machined by M1 and W2 only by M2.
The workpieces are transported to the machining stations via a robot from where they are automatically forwarded.
If the robot is not available, the workpieces continue their journey on the conveyor belt.
The robot should only transport a workpiece to a machining station if it is idle.
The robot waits at M1 or M2.
Production Plant as Timed Automaton
[Figure: timed automaton with states z1 (no action), z2 (T1), z3 (T2), z4 (M1), z5 (M2), z6 (M1, T2), z7 (M2, T1), z8 (M1, M2); edges are labelled with an input event and a clock reset (u1, c3 := 0; u2, c3 := 0), with a guard and a reset (c3 = 10, c1 := 0; c3 = 10, c2 := 0), or with a guard only (c1 = 20; c2 = 30)]
Parameters/Events:
Transport time (machining station → picking area → machining station): 10 [s]
Machining time in M1: 20 [s]
Machining time in M2: 30 [s]
Input events:
u1: W1 in picking area
u2: W2 in picking area
Abbreviations for states:
Mi = Wi in Mi,
Ti = Wi is transported.
Timed Automaton of the Production Plant (I)
We first introduce the empty event $\epsilon$. The empty event occurs as soon as a guard region is entered.
Initial state: $z(0) = z_1$
Set of states: $Z = \{z_1, z_2, \ldots, z_8\}$
Set of clocks: $C = \{c_1, c_2, c_3\}$
Input symbols: $U = \{u_1, u_2, \epsilon\}$
Output symbols: $Y = \{\epsilon\}$
Set of transitions:
$$T = \{(z_1, u_1, z_2, \epsilon), (z_1, u_2, z_3, \epsilon), (z_2, \epsilon, z_4, \epsilon), (z_3, \epsilon, z_5, \epsilon), (z_4, u_2, z_6, \epsilon), (z_5, u_1, z_7, \epsilon), (z_6, \epsilon, z_8, \epsilon), (z_7, \epsilon, z_8, \epsilon), (z_8, \epsilon, z_4, \epsilon), (z_8, \epsilon, z_5, \epsilon), (z_4, \epsilon, z_1, \epsilon), (z_5, \epsilon, z_1, \epsilon), (z_7, \epsilon, z_2, \epsilon), (z_6, \epsilon, z_3, \epsilon)\}$$
Continued on the next slide...
Timed Automaton of the Production Plant (II)
Guard sets:
$$g\big((z_1, u_1, z_2, \epsilon)\big) = \{c \in (\mathbb{R}_0^+)^3\}$$
$$g\big((z_1, u_2, z_3, \epsilon)\big) = \{c \in (\mathbb{R}_0^+)^3\}$$
$$g\big((z_2, \epsilon, z_4, \epsilon)\big) = \{c \in (\mathbb{R}_0^+)^3 \mid c_3 = 10\}$$
$$g\big((z_3, \epsilon, z_5, \epsilon)\big) = \{c \in (\mathbb{R}_0^+)^3 \mid c_3 = 10\}$$
......
Jump functions specified by reset functions:
$$r\big((z_1, u_1, z_2, \epsilon)\big) = \{3\}$$
$$r\big((z_1, u_2, z_3, \epsilon)\big) = \{3\}$$
$$r\big((z_2, \epsilon, z_4, \epsilon)\big) = \{1\}$$
$$r\big((z_3, \epsilon, z_5, \epsilon)\big) = \{2\}$$
......
Runs of Timed Automata
Run of the Timed Automaton
The timed input sequence $(u_1, 1), (u_2, 12), (u_1, 33)$ results in the state sequence
$$(z_1, 0),\ c = [0, 0, 0] \;\to\; (z_2, 1),\ c = [1, 1, 0] \;\to\; (z_4, 11),\ c = [0, 11, 10] \;\to\; (z_6, 12),\ c = [1, 12, 0] \;\to\; (z_8, 22),\ c = [11, 0, 10] \;\to\; (z_5, 31),\ c = [20, 9, 19] \;\to\; (z_7, 33),\ c = [22, 11, 0]$$
For the timed input sequence $(u_1, 1), (u_1, 3)$ the timed automaton is not specified. One can assume that undefined input events cause a self transition, resulting in the state sequence
$$(z_1, 0),\ c = [0, 0, 0] \;\to\; (z_2, 1),\ c = [1, 1, 0] \;\to\; (z_2, 3),\ c = [3, 3, 2] \;\to\; (z_4, 11),\ c = [0, 11, 10]$$
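The semantics above (clocks of rate 1, ε transitions taken as soon as their guard is entered, input transitions taken when the input event occurs, undefined inputs as self transitions) can be executed directly. The following simulator is an added example, not code from the lecture; the slides only spell out four guards and four resets, so the remaining ones are assumed here from the figure labels and the run shown, and the two runs on this slide are reproduced by it.

```python
EPS = "eps"  # the empty event ε; a transition is the tuple (z, u, z', y)
# Production-plant automaton from the slides. Only four guards and four resets
# are spelled out there; the rest are ASSUMED from the figure labels and the
# run on the slide (transport 10 s, machining 20 s in M1 and 30 s in M2).
# Guard None = whole clock space; (i, xi) = the equality c_i == xi.
GUARD = {
    ("z1", "u1", "z2", EPS): None,      ("z1", "u2", "z3", EPS): None,
    ("z2", EPS, "z4", EPS): (2, 10),    ("z3", EPS, "z5", EPS): (2, 10),
    ("z4", "u2", "z6", EPS): None,      ("z5", "u1", "z7", EPS): None,
    ("z6", EPS, "z8", EPS): (2, 10),    ("z7", EPS, "z8", EPS): (2, 10),
    ("z8", EPS, "z4", EPS): (1, 30),    ("z8", EPS, "z5", EPS): (0, 20),
    ("z4", EPS, "z1", EPS): (0, 20),    ("z5", EPS, "z1", EPS): (1, 30),
    ("z7", EPS, "z2", EPS): (1, 30),    ("z6", EPS, "z3", EPS): (0, 20),
}
RESET = {  # clock indices the reset function r sets to 0; missing = no reset
    ("z1", "u1", "z2", EPS): {2}, ("z1", "u2", "z3", EPS): {2},
    ("z2", EPS, "z4", EPS): {0},  ("z3", EPS, "z5", EPS): {1},
    ("z4", "u2", "z6", EPS): {2}, ("z5", "u1", "z7", EPS): {2},
    ("z6", EPS, "z8", EPS): {1},  ("z7", EPS, "z8", EPS): {0},
}

def _earliest_eps(z, c, t):
    """Earliest (time, transition) at which an ε transition out of z is enabled."""
    due = [(t + g[1] - c[g[0]], tr) for tr, g in GUARD.items()  # clocks grow at rate 1
           if tr[0] == z and tr[1] == EPS and g and c[g[0]] <= g[1]]
    return min(due) if due else None

def _jump(tr, c):
    """Jump function h: reset the clocks in r(tr), keep all others."""
    return [0.0 if i in RESET.get(tr, ()) else ci for i, ci in enumerate(c)]

def run(inputs, t_end):
    """Run from z1 with all clocks 0 for timed inputs [(u, t), ...] up to t_end."""
    z, t, c = "z1", 0.0, [0.0, 0.0, 0.0]
    trace = [(z, t, list(c))]
    for u, tu in inputs + [(None, t_end)]:
        while True:  # take every ε transition that becomes enabled before tu
            nxt = _earliest_eps(z, c, t)
            if nxt is None or nxt[0] > tu:
                break
            c = [ci + (nxt[0] - t) for ci in c]
            z, t, c = nxt[1][2], nxt[0], _jump(nxt[1], c)
            trace.append((z, t, list(c)))
        c, t = [ci + (tu - t) for ci in c], tu
        if u is None:
            return trace
        tr = next((k for k in GUARD if k[0] == z and k[1] == u), None)
        if tr is not None:  # otherwise: self transition, as the slide assumes
            z, c = tr[2], _jump(tr, c)
        trace.append((z, t, list(c)))
```

Each trace entry is (location, time, clock vector), so `run([("u1", 1), ("u2", 12), ("u1", 33)], 33)` yields exactly the seven states listed on the slide.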
Verification of Timed Automata
Reachability Analysis of Timed Automata
An important analysis technique for timed automata is the computation of reachable states, which are a subset of $Z \times C$. Reachable sets are obtained by considering all possible clock values and all possible input events at all times.
The concept of reachability is best introduced by directly applying it to an example:
[Figure: timed automaton with locations z1, z2, z3 and edge labels u2, c2 := 0; u1, c1 < 1; u1, c2 > 2, c1 := 0]
The initial discrete state is $z(0) = z_1$ and the initial clock values are $\{c \mid c_1 = 0,\ c_2 \in \mathbb{R}_0^+\}$.
Reachability Analysis of the Example (Step 1 and 2)
[Figure, Step 1: location z1, showing the initial set and the reachable clock values in the (c1, c2) plane. Step 2: location z2, showing the initial set and the guard set at c1 = 1; reachable states outside the guard set stay in z2 forever]
In contrast to the reachable set of finite state automata, the reachable set is no longer countable due to the real-valued clocks.
Reachability Analysis of the Example (Step 3 and 4)
[Figure, Step 3: location z3, showing the initial set and the guard set at c2 = 2 in the (c1, c2) plane. Step 4: location z1, showing the initial set and the previously reached set]
In location z1 no new regions are reached so that the reachability analysis is complete and terminates.
Simulating Timed Automata by Finite State Automata
Under certain restrictions of the guard sets, a timed automaton can be simulated by a finite state automaton.
Those restrictions also make the question decidable whether a certain state can be visited infinitely often, see R. Alur and D. L. Dill: A Theory of Timed Automata, Theoretical Computer Science 126 (1994), pages 183-235.
Guard restrictions for decidable timed automata
Given a value $\xi \in \mathbb{Q}_0^+$ (nonnegative rational number) and a clock value $c_i$, clock constraints $\delta$ are constructed inductively using the Backus-Naur form as
$$\delta ::= c_i \le \xi \mid \xi \le c_i \mid \lnot\delta \mid \delta_1 \land \delta_2$$
Note that a timed automaton is undecidable when $\xi \in \mathbb{R}_0^+$.
Clock Regions
The restriction $\xi \in \mathbb{Q}_0^+$ makes it possible to use clock regions to represent reachable sets in a standardized way.
To standardize the clock regions, we multiply all clock bounds $\xi_i$ with the least common multiple of the denominators of all $\xi_i$, such that all clock constraints become integers. This is only possible since $\xi_i \in \mathbb{Q}_0^+$!
We introduce the largest clock constraint value
$$\xi_i = \max\big(\xi_i^{(1)}, \xi_i^{(2)}, \ldots, \xi_i^{(p_i)}\big)$$
of each clock $c_i$.
Since we only allow the symbols $\le$, $\lnot$ and $\land$ in clock constraints, we only require 3 types of clock regions:
vertices,
open faces (the vertices are excluded),
open regions (the faces and vertices are excluded) represented by simplices (n-dimensional triangles).
[Figure: a vertex and a face of a clock region]
Clock Regions of the Previous Example
[Figure: the (c1, c2) plane partitioned by c1 ∈ {0, 1} and c2 ∈ {0, 1, 2} into faces f1, ..., f14 and regions r1, ..., r8]
We have $\xi = [1, 2]^T$ and all values $\xi_i$ are already integers.
6 vertices
14 faces (in 2D: line segments): f1, ..., f14
8 regions (in 2D: triangles): r1, ..., r8
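The region construction of the previous two slides can be made mechanical. The following is an added example (not code from the lecture) that enumerates the clock regions of Alur and Dill's region equivalence for an integer bound vector ξ in any dimension, classifies each region by its dimension (vertex, face, open region), and maps a concrete clock valuation to its region; it reproduces the counts 6 / 14 / 8 for ξ = [1, 2]^T above and 9 faces / 5 regions for the ξ = [1, 1]^T example on the next slide. The region encoding (integer part, fractional-part flag, ranking of fractional parts) is this example's own.

```python
from itertools import product
from math import floor

ABOVE = "above"  # clock value exceeds its largest constraint constant xi_i

def _dense_ranks(values):
    """Rank numbers as 0, 1, 2, ... with equal values sharing one rank."""
    order = sorted(set(values))
    return tuple(order.index(v) for v in values)

def clock_regions(xi):
    """Enumerate the Alur-Dill clock regions for integer bound vector xi.
    Region = (spec, ranks, dim): spec[i] is (k, 0) for c_i == k, (k, 1) for
    k < c_i < k+1, (ABOVE, 0) for c_i > xi_i; ranks orders the fractional
    parts of clocks in open intervals; dim is the region's dimension."""
    per_clock = [[(ABOVE, 0)] + [(k, f) for k in range(x + 1) for f in (0, 1) if f == 0 or k < x]
                 for x in xi]
    regions = []
    for spec in product(*per_clock):
        m = sum(f for _, f in spec)               # clocks with a fractional part
        for ranks in product(range(m), repeat=m):
            if _dense_ranks(ranks) != ranks:       # keep each weak ordering once
                continue
            dim = sum(k == ABOVE for k, _ in spec) + len(set(ranks))
            regions.append((spec, ranks, dim))
    return regions

def count_by_dimension(xi):
    """Regions per dimension: in 2D {0: vertices, 1: faces, 2: open regions}."""
    counts = {}
    for _, _, dim in clock_regions(xi):
        counts[dim] = counts.get(dim, 0) + 1
    return counts

def region_of(c, xi):
    """Map a concrete clock valuation c to the region containing it."""
    spec, fracs = [], []
    for ci, x in zip(c, xi):
        if ci > x:
            spec.append((ABOVE, 0))
        else:
            k = floor(ci)
            spec.append((k, int(ci != k)))
            if ci != k:
                fracs.append(ci - k)
    ranks = _dense_ranks(fracs)
    return tuple(spec), ranks, sum(k == ABOVE for k, _ in spec) + len(set(ranks))
```

Two valuations with equal fractional-part ordering, e.g. [0.5, 0.5] and [0.2, 0.2], land on the same diagonal face, which is why the simulating finite state automaton can treat them as one state.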
Simulating Finite State Automaton (I)
Instead of providing an algorithm for constructing a simulating finite state automaton, we demonstrate the technique by an example from R. Alur and D. L. Dill: A Theory of Timed Automata, Theoretical Computer Science 126 (1994), pages 183-235:
[Figure: timed automaton with locations z0, z1, z2, z3 and edge labels a, c1 > 0, c2 := 0; b, c2 = 1; c, c1 < 1; c, c1 < 1; a, c2 < 1, c2 := 0; d, c1 > 1. Clock regions in the (c1, c2) plane for ξ = [1, 1]^T: faces f1, ..., f9 and regions r1, ..., r5]
Simulating Finite State Automaton (II)
[Figure: simulating finite state automaton whose states pair a location with a clock region: (z0: c1 = 0, c2 = 0), (z1: 0 < c1 < 1, c2 = 0), (z1: c1 = 1, c2 = 0), (z1: c1 > 1, c2 = 0), (z2: c1 > 1, c2 = 1), (z3: c1 < 1, 0 < c2 < c1), (z3: c1 > 1, 0 < c2 < 1), (z3: c1 > 1, c2 = 1), (z3: c1 > 1, c2 > 1); transitions labelled a, b, c, d]
Simulating Finite State Automaton (III)
The transition from z2 to z3 is impossible.
The finite state automaton has two absorbing sets of states, i.e. states from which one can never escape: $z_2,\ c \in (\mathbb{R}_0^+)^2$ and $z_2,\ c_1 > 1,\ c_2 > 1$.
The simulating finite state automaton makes it possible to use Model Checking algorithms as introduced earlier.
Further reading
R. Alur and D. L. Dill: A Theory of Timed Automata, Theoretical Computer Science 126 (1994), pages 183-235.
C. G. Cassandras and S. Lafortune: Introduction to Discrete Event Systems, Springer (2008), chap. 5.
Conclusions
Timed automata add the crucial aspect of timing constraints to finite state automata.
Timed automata produce a timed output sequence for a given timed input sequence.
Reachability analysis makes it possible to analyze all possible behaviors of timed automata.
When guard regions are restricted to expressions including $\le$, $\lnot$, $\land$ and rational numbers, the timed automata can be simulated by a finite state automaton.