CS5270 Lecture 4 1

Timed Automata I

CS 5270 Lecture 4

CS5270 Lecture 4 2

Where we were…

• RT systems– Modelling vs synthesis, hard vs soft, RT

architectures

• The real-time computing environment– Temporal accuracy, clocks– TTP – time triggered protocols

• Scheduling– Preemption, feasibility, schedulability– RMS, priority inversion, PCP

CS5270 Lecture 4 3

Where we are going…

• Formal basis for Uppaal:– Detailed study of a basis for efficient real-time

analysis/model checkingTransition systems, Automata, Model checkingTimed transition systems,Zones/regions (efficient timed systems)

• This will all take time… perhaps 4/5 weeks

CS5270 Lecture 4 4

The immediate road map

• State transition systems – some definitions – parallel composition

• Timed transition systems – formal definition– parallel composition– Reduction of a TTS (which has possibly infinite states and

actions) to a finite TS by quotienting… (takes time)

• Efficiency in TTS– Regions– zones

• Automata and safety properties

CS5270 Lecture 4 5

The long distance road map

• Local road map, and then…

– Verification of temporal propertiesLTL and CTL temporal/modal logicThe verification setting

– CTL model checkingDefinition of CTLKripke structuresDefinition of the modelling relationModel checking algorithm for CTL

– TCTL model checkingDefinition of TCTLModel checking for TCTL

CS5270 Lecture 4 6

Transition Systems Vs Automata

• Automata = Transition system +

accepting conditions.

• Transition systems ---- State spaces,

dynamics

• Automata ----- Languages,

Properties

CS5270 Lecture 4 7

Example

Resource ManagerReq

Release

Grant

CS5270 Lecture 4 8

Example

FR W

Bad

Req

Release

BU Grant

crash

Example

Bad

Req

Release

Grant

crash Any sequence over

{Req, Grant, Release} as allowed by the automaton.

Rq G Rl Rq G allowed.

Rq G Rl Cr not wanted!

CS5270 Lecture 4 10

Example

Bad

Req

Release

Grant

crashAny sequence over

{Req, Grant, Release} as allowed by the automaton ?

CS5270 Lecture 4 11

Example

Bad

Req

Release

Grant

crash Any sequence that ends with Release (except for the null string)

CS5270 Lecture 4 12

Transition Systems

• A Simple model of dynamic systems.

• Discrete time

• States

• Transitions

• Initial state(s).

• No accepting states.

CS5270 Lecture 4 13

Example

CH

On-heat On-ac

OKOK

Off-acOff-heat

CS5270 Lecture 4 14

Signal Flow

TemperatureAC-motor

Heater-motor

CS5270 Lecture 4 15

Example

CH

On-heat On-ac

OKOK

Off-heatOff-ac

CS5270 Lecture 4 16

Example

CH

On-heat On-ac

OKOK

Off-acOff-heat

State

Example

CH

On-heat On-ac

OKOK

Off-acOff-heat

State

OK Transition

Example

CH

On-heat On-ac

OKOK

Off-acOff-heat

State

a TransitionOff-ac Action

CH

On-heat On-ac

OKOK

Off-acOff-heat

State

OK TransitionOff-ac Action

Initial State

CS5270 Lecture 4 20

S4

S5

S6

S1

S2

S3

CH

On-heat On-ac

OKOK

Off-acOff-heat

S0

PATH – S4 on-heat S5 OK S6 off-heat S0 ? S1 ….

Non- Paths: S5 off-heat S6 off-heat S0

S1 on-ac S5 OK S6….

CS5270 Lecture 4 21

S4

S5

S6

S1

S2

S3

CH

On-heat On-ac

OKOK

Off-acOff-heat

S0

PATH – S4 S5 S6 S0 S1 ….

Run ---- Path starting from an initial state

----- S0 S1 S2 S3 S0 S1 ….

CS5270 Lecture 4 22

Transition Systems

• TS = (S, Act, !, Sin) --- Transition System– S --- States– Act --- A set of actions– ! µ S £ Act £ S ---- Transition Relation– Sin µ S ---- Initial states

• Often:– S and Act are finite sets.– Sin has only one element.– The transition relation is deterministic.

CS5270 Lecture 4 23

Deterministic Transition Systems

• TS = (S, Act, , Sin) --- Transition System

• (s, a, s’)

– s s’a

CS5270 Lecture 4 24

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

S = ?

CS5270 Lecture 4 25

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

S = { S0, S1, S2, …,S6}

CS5270 Lecture 4 26

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

Act = ?

CS5270 Lecture 4 27

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

Act = {C, On-heat, H, on-ac,..}

CS5270 Lecture 4 28

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

= ?

CS5270 Lecture 4 29

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

= { (S0, H, S1), (S0, C, S4),….}

CS5270 Lecture 4 30

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

Sin = ?

CS5270 Lecture 4 31

Transition Systems• TS = (S, Act, !, Sin) --- Transition System

S4

S5

S6

S1

S2

S3

C HOn-heat

On-ac

OKOKOff-acOff-heat

S0

Sin = {S0}

CS5270 Lecture 4 32

Deterministic Transition Systems

s

s1 s2

a a

s as1 s a

s2AND IMPLIES s1 = s2

Non-determinism is useful for getting succinct specifications.

Abstractions (hiding details) give rise to non-determinism.

CS5270 Lecture 4 33

Non-Determinism

Arrive at Junction

Toss Coin

H T

Turn-left Turn-right

CS5270 Lecture 4 34

Non-Determinism

Arrive at Junction

Toss Coin

H T

Turn-left Turn-right

CS5270 Lecture 4 35

Non-Determinism

Arrive at Junction

Toss Coin

H T

Turn-left Turn-right

Toss Coin

CS5270 Lecture 4 36

Non-Determinism

Arrive at Junction

Toss Coin

Turn-left Turn-right

Toss Coin

CS5270 Lecture 4 37

S4

S5

S6

S1

S2

S3

CH

On-heat On-ac

OKOK

Off-acOff-heat

S0

PATH – S4 S5 S6 S0 S1 ….

Run ---- Path starting from an initial state

----- S0 S1 S2 S3 S0 S1 ….

CS5270 Lecture 4 38

Computations

• TS = (S, Act, , Sin)

• Behaviors can also be defined as action sequences:– Computations, traces,…

• s0 s1 s2 ……. sn ---- run.

• s0 a1 s1 a2 s2 ….sn-1 an sn

• si si+1

• a1 a2 a3 ….an is a computation.

ai

CS5270 Lecture 4 39

S4

S5

S6

S1

S2

S3

CH

On-heat On-ac

OKOK

Off-acOff-heat

S0

Run ----- S0 S1 S2 S3

Computation ----- ?

CS5270 Lecture 4 40

S4

S5

S6

S1

S2

S3

CH

On-heat On-ac

OKOK

Off-acOff-heat

S0

Run ----- S0 S1 S2 S3 S0

Computation ----- H On-ac OK off-ac

CS5270 Lecture 4 41

Behaviors (Linear Time)

• The behavior of a transition system is:– Its set of runs.– Its set of computations.

• Does the behavior of TS have the desired property?– Does every computation (run) of the transition

system have the desired property?– In no computation, C is immediately followed

by On-Ac.

CS5270 Lecture 4 42

Behaviors

• Properties:– Is there a run leading to deadlock?

s0 ---------------> s s0 2 Sin

No action is enabled at s

– Is the state s reachable (via a run) ?– Is there a bad state which is reachable?

• Often TS is presented implicitly!– For example, as a network of smaller

transition systems.

CS5270 Lecture 4 43

The Verification Setting

TS

Behavior of TS Check for property !

SystemModel extraction

Semantics

The Verification Setting

TS

Behavior of TS

System

Property = Temporal logic formula

YES ! NO !

Model-Checker Models of

CS5270 Lecture 4 45

S4

S5

S6

S1

S2

S3

C HOn-heat On-ac

OKOKOff-acOff-

heat

S0

Temperature Controller

CS5270 Lecture 4 46

S4

S5

S6

S1

S2

S3

C HOn-heat On-ac

OKOKOff-acOff-

heat

S0

It is often convenient to consider both finite and infinite computations!

S4

S5

S6

S1

S2

S3

C HOn-heat On-ac

OKOKOff-acOff-

heat

S0

Property : every (finite) computation that ends with “on-heat” can be extended to a computation that ends with “off-heat”

CS5270 Lecture 4 48

Linear time Vs. Branching time

• Linear time – The (flat) set of computations.

• Branching time– The tree of computations– How computations branch off is kept track of.

CS5270 Lecture 4 49

Linear time Vs. Branching time

• LTL (Linear time temporal logic).

• CTL (Computation tree logic)

• These two logics are incomparable.

• LTL – SPIN (Bell Labs, G. Holtzmann)

• CTL – SMV (Clarke, McMillan, CMU- Cadence Lab)

CS5270 Lecture 4 50

Network of Transition Systems

• In general, the system will contain multiple components.

• The components will coordinate by communication.– Send/receive messages (asynchronous)– Perform common actions together

(synchronous, hand-shake). hand-shake is usually a convenient abstraction.

CS5270 Lecture 4 51

Finite State Automata

• Finite State Automata (FSAs) are a basic computational model.

• FSAs = Regular Languages

= Temporal Logics.• Starting point for many system design

methodologies.– SDL, UML, POLIS,…

• Verification tools (SPIN, SMV) available.

CS5270 Lecture 4 52

A Railway System

CS5270 Lecture 4 53

The Gate/Train TS – graph view

open

close

Fin-Close

approach

brakeproceed

proceed

Gate Train

left

CS5270 Lecture 4 54

The Gate Controller TS

approach

close

Fin-Close proceed

left

open

CS5270 Lecture 4 55

The Signal Space

Gate

GateController

open

close

Fin-close

Fin-Close

approach

left

open

close

proceed

CS5270 Lecture 4 56

Transition system

• To model the entire system, construct the parallel composition:

Gate ║ Train ║ Controller

(This is another TS)

CS5270 Lecture 4 57

Parallel composition…

Parallel Composition

open

close proceedleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

Parallel Composition

open

closeleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

proceed

Fin-Close

Parallel Composition

open

closeleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

proceed

Fin-Close

Parallel Composition

open

closeleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

proceed

Fin-Close

Parallel Composition

open

closeleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

proceed

Fin-Close

left

Parallel Composition

open

closeleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

proceed

Fin-Close

left

Parallel Composition

open

closeleft

approach

proceed

brake

approach

close

Fin-Close proceed

open

Enabled actions ?

proceed

Fin-Close

left

Parallel Composition

g0

open

closeleft

t0

t1

approach

proceed

Brake

GC0

GC1

approach

close

Fin-Close proceed

open

proceed

Fin-Close

left

CS5270 Lecture 4 66

Parallel Composition

TS = TrainTS || Gate-ControllerTS || GateTS

s = (t, GC, g) A state of TS

(g0, t0, GC0) (g0, t1, GC1)approach

t0 t1 (TRAIN)approach

GC1 (Gate-Controller)approachGC0

CS5270 Lecture 4 67

State Space Explosion

• TS = TS1 || TS2 … || TSn

• TS is presented implicitly!– Fix a communication convention

– Present TS1, TS2,…, TSn

• We wish to analyze TS and often implement TS.• But constructing TS first explicitly is often

hopeless.

• |TSi| = 10 n = 6 – |TS| = ? (worst case)

CS5270 Lecture 4 68

Timed Transition Systems

• Timed Transition Systems = Transition Systems + Clock Variables.• Clock variables.

– Used to record the passage of (real) time.– Act like Timers.– Can be read.– Transitions constrained (guarded) by current

values of clock variables.– Can be reset to 0 during a transition.

CS5270 Lecture 4 69

Using Clock Variables

Hot On-ac OK

Off-ac

Spec. : Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.

CS5270 Lecture 4 70

Using Clock Variables

Hot On-ac; x OK

Off-ac

Spec. : Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.

x 5 Off-ac

CS5270 Lecture 4 71

Using Clock Variables

Hot On-ac; x OK

Off-acx 5Off-ac

Clock variable x is set to 0.

On-ac ; x

is short form for:

On-ac ; x := 0

CS5270 Lecture 4 72

Using Clock Variables

Hot On-ac; x OK

Off-acx 5Off-ac

Clock variable x is used to form a guard:

x 5

CS5270 Lecture 4 73

Using Clock Variables

Hot On-ac OK

Off-ac

Spec. :

Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.

Turn on ac within 3 time units after receiving Hot signal.

CS5270 Lecture 4 74

Using Clock Variables

Hot; y On-ac; x OK

Off-acx 5Off-ac

Spec. :

Turn off ac if the temperature is OK or 5 units of time has elapsed since turning it on.

Turn on ac within 3 time units after receiving Hot signal.

y ≤ 3

CS5270 Lecture 4 75

Using Clock Variables

Hot; y On-ac; x OK

Off-acx 5Off-ac

y ≤ 3

Three components:

Action on-ac

Reset x

Guard y ≤ 3

CS5270 Lecture 4 76

Using Clock Variables

Hot; y On-ac; x OK

Off-acx 5Off-ac

y ≤ 3

Do we need two clocks?

CS5270 Lecture 4 77

Using Clock Variables

Hot; x On-ac; x OK

Off-acx 5Off-ac

x ≤ 3

Do we need two clocks? NO!

78

Timed Transitions

a ; X

g

a, an action

X, a set of clock variables; the clock variables set to 0.

g, a guard; a predicate based on the values of the clock variables.

g :: = x ≤ c | x c | x c | x c | g1 g2

x CL

CL ---- The set of clock variables used by the model.

c ----- A rational number (integer)

CS5270 Lecture 4 79

State Invariants

• A clock constraint is associated with each state: state invariant– The system can stay in the state only as long

as the state’s invariant is not violated.

• For time points which violate the invariant one expects an output transition to be enabled.– Otherwise a time deadlock.

The progress of time is blocked (in the model!).

CS5270 Lecture 4 80

State Invariants

x ≤ 2a ; x b

CS5270 Lecture 4 81

State Invariants

x ≤ 2a ; x b

a ; x bx > 2

SAME AS ?

CS5270 Lecture 4 82

State Invariants

x ≤ 2a ; x b

x > 3

At (s1, x = 2.4) the behavior is undefined!

s0s1 s2

CS5270 Lecture 4 83

State Invariants

g

g1 g2 g3

At all “times” g OR g1 OR g2 OR g3 is satisfied.

If more than one output transition is enabled, the choice is made non-deterministically.

CS5270 Lecture 4 84

Timed Transition systems and automata

• How do we model real time systems?

• How do we specify (real time) behavioral properties?

• How do verify behavioral properties?

• What is the behavior of a timed transition system?