
Cyber-Physical Systems – Timed Automata

Matthias Althoff, TU München

05 June 2015 (lecture slides, 22 pages)

Overview

Timed Automata

Modeling

Runs of timed automata

Verification of timed automata

Timed automata are already hybrid systems since time is real-valued.

Modeling of Timed Automata

Why include time into finite state automata?

In finite state automata, only the sequence of events is important, not the time at which each event happens.

In most engineering applications, timing is crucial, e.g.

- the time when a railway signal is changed,
- coordination and timing of production processes,
- scheduling of unmanned subway trains, etc.

In some cases, wrong timing can lead to catastrophic events, e.g.

- the system might become unstable,
- a different event sequence is generated,
- a deadlock is created, etc.

Timed events

Time sequence

We introduce a time sequence

$\tau = t_1, t_2, t_3, \dots$

where $t_i \le t_{i+1}$ and $\forall t \in \mathbb{R}\ \exists i \ge 1$ such that $t_i > t$ (time progresses).

Timed event

We refer to a pair $(e_i, t_i)$ as a timed event, where $e_i$ is the event occurring at time $t_i$.

Timed sequence

We refer to a sequence of timed events

$\big((e_1, t_1), (e_2, t_2), (e_3, t_3), \dots\big)$

as a timed sequence.

Timed Automata

Timed automata describe the dynamics of systems that can be described by a finite set of states $z_i$ and clocks $c_i \in \mathbb{R}^+_0$. Starting from an initial state $z(t_0)$, initial clock values $c_i(t_0)$, and a timed input sequence

$u = \big((u(t_0), t_0), (u(t_1), t_1), (u(t_2), t_2), \dots\big)$

the automaton creates a timed output sequence

$y = \big((y(t'_0), t'_0), (y(t'_1), t'_1), (y(t'_2), t'_2), \dots\big),$

where it is not required that the times $t_i$ and $t'_i$ are synchronized.

For simplification we use the notation $u(k)$, $y(k)$ instead of $u(t_k)$, $y(t_k)$.

Static timed automata $y(t_k) = g(u(t_k))$ have synchronized inputs and outputs and can as well be described by finite state automata.

[Figure: block diagram with the input u entering a finite state automaton and the output y leaving it]

Syntax of Timed Automata

Definition

A timed automaton TA is a tuple (ordered set)

$TA = (Z, C, U, Y, T, g, h, z_0),$

where

- $Z = \{z_1, \dots, z_n\}$: set of states,
- $C = \{c_1, \dots, c_n\}$, $c_i \in \mathbb{R}^+_0$: set of clocks,
- $U = \{u_1, \dots, u_p\}$: set of input symbols (input alphabet),
- $Y = \{y_1, \dots, y_q\}$: set of output symbols (output alphabet),
- $T \subseteq Z \times U \times Z \times Y$: set of transitions,
- $g : T \to \mathcal{P}(C)$: guard function,
- $h : T \times C \to C$: jump function,
- $z_0$: initial state.

There exist many variations of the definition of timed automata in the literature.

Semantics of Timed Automata

Our definition of a timed automaton has the following semantics:

- Initially ($t = t_0$) all clocks have the value 0 ($\forall i : c_i(t_0) = 0$) if not specified differently.
- Clock values progress with rate 1: $\forall i : \dot{c}_i = 1$.
- As soon as the vector of clocks $c$ is within the guard set $g(z, u, z', y)$ of a transition $(z, u) \to (z', y)$, the corresponding transition is activated.
- As soon as the input event $u$ of an activated transition occurs, the transition is taken and the output event $y$ is generated.
- After a transition is taken, the jump function resets the clock values:

$c' = h\big((z, u, z', y), c\big), \qquad h_i = \begin{cases} c_i, & \text{if } i \notin r\big((z, u, z', y)\big) \\ 0, & \text{if } i \in r\big((z, u, z', y)\big) \end{cases}$

where $r : T \to \mathcal{P}(\mathbb{N})$ is the clock reset function, which returns the indices of the clocks to be reset.

Timed Automaton of a Production Plant

[Figure: layout of the plant: a conveyor belt carries the workpieces W1 and W2 past a picking area; a robot moves workpieces from the picking area to machining station M1 or machining station M2]

A conveyor belt transports workpieces W1 and W2, where W1 can only be machined by M1 and W2 only by M2.

The workpieces are transported to the machining stations via a robot, from where they are automatically forwarded.

If the robot is not available, the workpieces continue their journey on the conveyor belt.

The robot should only transport a workpiece to a machining station if it is idle.

The robot waits at M1 or M2.

Production Plant as Timed Automaton

[Figure: timed automaton of the production plant with the states z1 (no action), z2 (T1), z3 (T2), z4 (M1), z5 (M2), z6 (M1, T2), z7 (M2, T1) and z8 (M1, M2). Edge labels: the input events u1 / c3 := 0 and u2 / c3 := 0 on the transitions that start a transport (leaving z1, z4 and z5); the guard c3 = 10 with the reset c1 := 0 or c2 := 0 on the transitions that end a transport (leaving z2, z3, z6 and z7); the guards c1 = 20 and c2 = 30 on the transitions that end machining in M1 and M2 (leaving z4, z5, z6, z7 and z8)]

Parameters/Events:

- Transport time (machining station → picking area → machining station): 10 [s]
- Machining time in M1: 20 [s]
- Machining time in M2: 30 [s]

Input events:

- u1: W1 in picking area
- u2: W2 in picking area

Abbreviations for states:

- Mi = Wi in Mi,
- Ti = Wi is transported.

Timed Automaton of the Production Plant (I)

We first introduce the empty event $\varepsilon$. The empty event occurs as soon as a guard region is entered.

Initial state: $z(0) = z_1$

Set of states: $Z = \{z_1, z_2, \dots, z_8\}$

Set of clocks: $C = \{c_1, c_2, c_3\}$

Input symbols: $U = \{u_1, u_2, \varepsilon\}$

Output symbols: $Y = \{\varepsilon\}$

Set of transitions:

$T = \{(z_1, u_1, z_2, \varepsilon),\ (z_1, u_2, z_3, \varepsilon),\ (z_2, \varepsilon, z_4, \varepsilon),\ (z_3, \varepsilon, z_5, \varepsilon),\ (z_4, u_2, z_6, \varepsilon),\ (z_5, u_1, z_7, \varepsilon),\ (z_6, \varepsilon, z_8, \varepsilon),\ (z_7, \varepsilon, z_8, \varepsilon),\ (z_8, \varepsilon, z_4, \varepsilon),\ (z_8, \varepsilon, z_5, \varepsilon),\ (z_4, \varepsilon, z_1, \varepsilon),\ (z_5, \varepsilon, z_1, \varepsilon),\ (z_7, \varepsilon, z_2, \varepsilon),\ (z_6, \varepsilon, z_3, \varepsilon)\}$

Timed Automaton of the Production Plant (II)

Guard sets:

$g\big((z_1, u_1, z_2, \varepsilon)\big) = \{c \in (\mathbb{R}^+_0)^3\}$

$g\big((z_1, u_2, z_3, \varepsilon)\big) = \{c \in (\mathbb{R}^+_0)^3\}$

$g\big((z_2, \varepsilon, z_4, \varepsilon)\big) = \{c \in (\mathbb{R}^+_0)^3 \mid c_3 = 10\}$

$g\big((z_3, \varepsilon, z_5, \varepsilon)\big) = \{c \in (\mathbb{R}^+_0)^3 \mid c_3 = 10\}$

...

Jump functions specified by reset functions:

$r\big((z_1, u_1, z_2, \varepsilon)\big) = \{3\}$

$r\big((z_1, u_2, z_3, \varepsilon)\big) = \{3\}$

$r\big((z_2, \varepsilon, z_4, \varepsilon)\big) = \{1\}$

$r\big((z_3, \varepsilon, z_5, \varepsilon)\big) = \{2\}$

...


Runs of Timed Automata

Run of the Timed Automaton

The timed input sequence $(u_1, 1), (u_2, 12), (u_1, 33)$ results in the state sequence (state, time, clock values after the transition)

$(z_1, 0),\ c = [0, 0, 0]$
$\to (z_2, 1),\ c = [1, 1, 0]$
$\to (z_4, 11),\ c = [0, 11, 10]$
$\to (z_6, 12),\ c = [1, 12, 0]$
$\to (z_8, 22),\ c = [11, 0, 10]$
$\to (z_5, 31),\ c = [20, 9, 19]$
$\to (z_7, 33),\ c = [22, 11, 0]$

For the timed input sequence $(u_1, 1), (u_1, 3)$ the timed automaton is not specified. One can assume that undefined input events cause a self transition, resulting in the state sequence

$(z_1, 0),\ c = [0, 0, 0]$
$\to (z_2, 1),\ c = [1, 1, 0]$
$\to (z_2, 3),\ c = [3, 3, 2]$
$\to (z_4, 11),\ c = [0, 11, 10]$
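The two runs above can be reproduced mechanically. The following Python program is an added example and not code from the lecture: it encodes the production-plant automaton of the preceding slides and executes it under the semantics given earlier (clocks progress with rate 1, an ε-transition fires as soon as its guard region is entered, input-event transitions are enabled on the whole clock space, and an undefined input event causes a self transition, as assumed for the second run). Two details are the example's own assumptions: the guards elided with "..." in the guard list are filled in from the edge labels of the automaton figure (c3 = 10 ends a transport, c1 = 20 and c2 = 30 end machining in M1 and M2), and when an input event and a guard entry coincide the ε-transition is taken first. The parameter t_end only cuts the trace off after the last event of interest; the automaton itself keeps running.

```python
"""Added example: executing the production-plant timed automaton.

Not code from the lecture.  Semantics: clocks progress with rate 1, an
empty-event (epsilon) transition fires as soon as its guard region is
entered, input-event transitions are enabled on the whole clock space, and
an undefined input event causes a self transition (assumption of the slides).
"""
from __future__ import annotations

from dataclasses import dataclass
from math import inf
from typing import Optional

EPS = "eps"  # the empty event


@dataclass(frozen=True)
class Transition:
    src: str
    event: str                        # input symbol, EPS for the empty event
    dst: str
    output: str = EPS
    guard: Optional[tuple] = None     # (i, xi): enabled when c_i == xi; None: whole clock space
    reset: frozenset = frozenset()    # r((z, u, z', y)): indices of the clocks set to 0


@dataclass
class TimedAutomaton:
    n_clocks: int
    transitions: tuple
    z0: str

    def run(self, timed_inputs, t_end):
        """Return the state sequence [(z, t, c), ...] of all transitions up to t_end."""
        events = sorted(timed_inputs, key=lambda e: e[1])
        z, t, c = self.z0, 0.0, [0.0] * self.n_clocks
        trace = [(z, t, list(c))]
        k = 0                                    # index of the next input event
        while True:
            # earliest time at which an empty-event transition from z enters its guard
            t_eps, tr_eps = inf, None
            for tr in self.transitions:
                if tr.src == z and tr.event == EPS and tr.guard is not None:
                    i, xi = tr.guard
                    t_hit = t + (xi - c[i - 1])  # clock i reaches xi at this time
                    if c[i - 1] <= xi and t_hit < t_eps:
                        t_eps, tr_eps = t_hit, tr
            t_in = events[k][1] if k < len(events) else inf
            t_next = min(t_eps, t_in)
            if t_next == inf or t_next > t_end:
                break
            c = [ci + (t_next - t) for ci in c]  # all clocks progress with rate 1
            t = t_next
            if t_eps <= t_in:                    # empty event: guard region entered
                taken = tr_eps
            else:                                # input event occurs
                u = events[k][0]
                k += 1
                taken = next((tr for tr in self.transitions
                              if tr.src == z and tr.event == u), None)
                if taken is None:                # undefined input: self transition
                    trace.append((z, t, list(c)))
                    continue
            z = taken.dst
            c = [0.0 if (i + 1) in taken.reset else ci for i, ci in enumerate(c)]
            trace.append((z, t, list(c)))
        return trace


# Production plant: c1 = time in M1, c2 = time in M2, c3 = transport time.
# Guards not spelled out on the slides are taken from the figure's edge labels.
R = frozenset
PLANT = TimedAutomaton(n_clocks=3, z0="z1", transitions=(
    Transition("z1", "u1", "z2", reset=R({3})),
    Transition("z1", "u2", "z3", reset=R({3})),
    Transition("z2", EPS, "z4", guard=(3, 10), reset=R({1})),  # W1 arrives at M1
    Transition("z3", EPS, "z5", guard=(3, 10), reset=R({2})),  # W2 arrives at M2
    Transition("z4", "u2", "z6", reset=R({3})),
    Transition("z5", "u1", "z7", reset=R({3})),
    Transition("z6", EPS, "z8", guard=(3, 10), reset=R({2})),
    Transition("z7", EPS, "z8", guard=(3, 10), reset=R({1})),
    Transition("z8", EPS, "z4", guard=(2, 30)),                # M2 finished
    Transition("z8", EPS, "z5", guard=(1, 20)),                # M1 finished
    Transition("z4", EPS, "z1", guard=(1, 20)),
    Transition("z5", EPS, "z1", guard=(2, 30)),
    Transition("z7", EPS, "z2", guard=(2, 30)),
    Transition("z6", EPS, "z3", guard=(1, 20)),
))


def run_slide_example():
    """First run of the slide: inputs (u1, 1), (u2, 12), (u1, 33)."""
    return PLANT.run([("u1", 1), ("u2", 12), ("u1", 33)], t_end=33)


def run_undefined_input_example():
    """Second run of the slide: inputs (u1, 1), (u1, 3); u1 in z2 is undefined."""
    return PLANT.run([("u1", 1), ("u1", 3)], t_end=11)


if __name__ == "__main__":
    for z, t, c in run_slide_example():
        print(f"({z}, {t:g})  c = {[round(ci) for ci in c]}")
```

The guard test `c[i - 1] <= xi` is what makes equality guards such as c3 = 10 work: a transition whose clock has already passed the bound can never fire again, which is exactly why the order of ε-transitions and input events at the same instant matters for a general automaton.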


Verification of Timed Automata

Reachability Analysis of Timed Automata

An important analysis technique for timed automata is the computation of reachable states, which are a subset of $Z \times C$. Reachable sets are obtained by considering all possible clock values and all possible input events at all times.

The concept of reachability is best introduced by applying it directly to an example:

[Figure: timed automaton with the states z1, z2, z3 and the transitions z1 → z2 on u2 with the reset c2 := 0; z2 → z3 on u1 with the guard c1 < 1; z3 → z1 on u1 with the guard c2 > 2 and the reset c1 := 0]

The initial discrete state is $z(0) = z_1$ and the initial clock values are $\{c \mid c_1 = 0,\ c_2 \in \mathbb{R}^+_0\}$.

Reachability Analysis of the Example (Step 1 and 2)

Step 1: location z1

[Figure: clock plane (c1, c2) showing the initial set c1 = 0, c2 ≥ 0 and the reachable clock values obtained by letting time elapse]

Step 2: location z2

[Figure: clock plane (c1, c2) showing the initial set of z2, the guard set with its bound marked at c1 = 1, and the reachable states outside the guard set, which stay in z2 forever]

In contrast to the reachable set of finite state automata, the reachable set is no longer countable due to the real-valued clocks.

Reachability Analysis of the Example (Step 3 and 4)

Step 3: location z3

[Figure: clock plane (c1, c2) with marks at c1 = 1 and c2 = 2, showing the initial set of z3 and the guard set]

Step 4: location z1

[Figure: clock plane (c1, c2) with a mark at c2 = 2, show­ing the initial set of this step inside the previously reached set]

In location z1 no new regions are reached, so the reachability analysis is complete and terminates.
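The four steps above can be carried out symbolically. The following Python program is an added example and not code from the lecture: it represents each reachable clock set as a zone stored in a difference bound matrix (the representation used by zone-based model checkers such as UPPAAL), applies the operations "intersect with the guard", "reset" and "let time elapse" along each transition, and stops as soon as a newly computed zone is contained in one already reached, which is the termination argument of Step 4. The automaton is the three-location example above; the class and function names are the example's own.

```python
"""Added example (not from the slides): zone-based reachability analysis.
A zone is a set of constraints x_i - x_j <= b (or < b) in a difference bound
matrix D; x_0 is a reference clock that is always 0, so D[i][0] bounds c_i
from above and D[0][i] from below.  A bound is a pair (value, strict)."""
from itertools import product
from math import inf

INF = (inf, True)    # no constraint
ZERO = (0, False)    # x_i - x_j <= 0


def tighter(a, b):
    """Is bound a strictly tighter than bound b?"""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


class Zone:
    def __init__(self, n_clocks):
        self.n = n_clocks + 1
        self.D = [[INF] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.D[i][i] = ZERO
            self.D[0][i] = ZERO              # 0 - c_i <= 0: clocks are nonnegative

    def copy(self):
        z = Zone(self.n - 1)
        z.D = [row[:] for row in self.D]
        return z

    def canonical(self):
        """Tighten every bound via every intermediate clock (Floyd-Warshall)."""
        for k, i, j in product(range(self.n), repeat=3):
            via = (self.D[i][k][0] + self.D[k][j][0], self.D[i][k][1] or self.D[k][j][1])
            if tighter(via, self.D[i][j]):
                self.D[i][j] = via
        return self

    def is_empty(self):
        return tighter(self.D[0][0], ZERO)   # negative cycle: 0 - 0 < 0

    def constrain(self, i, j, bound):
        """Intersect with the guard x_i - x_j <= bound."""
        if tighter(bound, self.D[i][j]):
            self.D[i][j] = bound
        return self.canonical()

    def reset(self, i):
        """Jump c_i := 0: c_i takes over the bounds of the reference clock."""
        for j in range(self.n):
            self.D[i][j] = self.D[0][j] if j != i else ZERO
            self.D[j][i] = self.D[j][0] if j != i else ZERO
        return self.canonical()

    def up(self):
        """Let time elapse: drop the upper bounds of all clocks."""
        for i in range(1, self.n):
            self.D[i][0] = INF
        return self.canonical()

    def subset_of(self, other):
        return all(not tighter(other.D[i][j], self.D[i][j])
                   for i, j in product(range(self.n), repeat=2))


def reachable(edges, z0, init):
    reached = {z0: [init.copy().up()]}       # zones per location, closed under time elapse
    work = [(z0, reached[z0][0])]
    while work:
        loc, zone = work.pop()
        for src, guard, resets, dst in edges:
            if src != loc:
                continue
            succ = zone.copy()
            for i, j, bound in guard:        # keep the states that satisfy the guard,
                succ.constrain(i, j, bound)
            if succ.is_empty():
                continue
            for i in resets:                 # apply the jump,
                succ.reset(i)
            succ.up()                        # and let time elapse in dst
            if any(succ.subset_of(old) for old in reached.get(dst, [])):
                continue                     # no new clock values: fixpoint here
            reached.setdefault(dst, []).append(succ)
            work.append((dst, succ))
    return reached


# The three-location example: clock 1 = c1, clock 2 = c2, 0 = reference clock;
# a guard (i, j, bound) means x_i - x_j <= bound.
EDGES = (
    ("z1", [], [2], "z2"),                    # u2, c2 := 0
    ("z2", [(1, 0, (1, True))], [], "z3"),    # u1, c1 < 1
    ("z3", [(0, 2, (-2, True))], [1], "z1"),  # u1, c2 > 2, c1 := 0
)


def analyse():
    """Reachable zones per location for the initial set c1 = 0, c2 >= 0."""
    init = Zone(2)
    init.D[1][0] = ZERO
    return reachable(EDGES, "z1", init.canonical())
```

Reading off the result: the zone for z2 is 0 ≤ c2 ≤ c1 with no upper bound on c1, and intersecting it with c1 ≥ 1 and the guard c1 < 1 yields an empty zone, which is the symbolic form of the statement that those states stay in z2 forever. The zone computed for z1 in the fourth step is contained in the first one, so the iteration ends with one zone per location.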

Simulating Timed Automata by Finite State Automata

Under certain restrictions of the guard sets, a timed automaton can be simulated by a finite state automaton.

Those restrictions also make the question decidable whether a certain state can be visited infinitely often, see R. Alur and D. L. Dill: A Theory of Timed Automata, Theoretical Computer Science 126 (1994), pages 183-235.

Guard restrictions for decidable timed automata

Given a value $\xi \in \mathbb{Q}^+_0$ (nonnegative rational number) and a clock value $c_i$, clock constraints $\delta$ are constructed inductively using the Backus-Naur form as

$\delta ::= c_i \le \xi \mid \xi \le c_i \mid \neg\delta \mid \delta_1 \wedge \delta_2$

Note that the verification problem becomes undecidable in general when the constants are allowed to be arbitrary reals, $\xi \in \mathbb{R}^+_0$.

Clock Regions

The restriction $\xi \in \mathbb{Q}^+_0$ makes it possible to use clock regions to represent reachable sets in a standardized way.

To standardize the clock regions, we multiply all clock bounds $\xi_i$ with the least common multiple of the denominators of all $\xi_i$, such that all clock constraints become integers. This is only possible since $\xi_i \in \mathbb{Q}^+_0$!

We introduce the largest clock constraint value

$\xi_i = \max\big(\xi_i^{(1)}, \xi_i^{(2)}, \dots, \xi_i^{(p_i)}\big)$

of each clock $c_i$.

Since we only allow the symbols $\le$, $\neg$ and $\wedge$ in clock constraints, we only require 3 types of clock regions:

- vertices,
- open faces (the vertices are excluded),
- open regions (the faces and vertices are excluded), represented by simplices (n-dimensional triangles).

[Figure: a vertex and an open face of the clock region partition]

Clock Regions of the Previous Example

[Figure: clock plane (c1, c2) partitioned into clock regions for ξ = [1, 2]^T: the faces f1, ..., f14 and the open regions r1, ..., r8, formed by the grid lines c1 ∈ {0, 1}, c2 ∈ {0, 1, 2}, the diagonals of the unit squares, and the unbounded pieces beyond c1 = 1 and c2 = 2]

We have $\xi = [1, 2]^T$ and all values $\xi_i$ are already integers.

- 6 vertices
- 14 faces (in 2D: line segments): $f_1, \dots, f_{14}$
- 8 regions (in 2D: triangles): $r_1, \dots, r_8$
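The counts above can be checked mechanically. The following Python program is an added example and not code from the lecture: it computes for a clock valuation the canonical key of the clock region containing it, in the form used by Alur and Dill (the integer part of every clock, or only the fact that it exceeds ξ_i; which clocks have fractional part 0; and the ordering of the remaining fractional parts), which yields exactly the partition into vertices, open faces and open simplices drawn above. It then enumerates the regions by sampling a grid of rational points whose step is fine enough to hit every region, and counts them by dimension (number of unbounded clocks plus number of distinct nonzero fractional-part classes). The grid-sampling approach and the function names are the example's own.

```python
"""Added example: clock regions in the sense of Alur and Dill.

Not code from the lecture.  Two clock valuations lie in the same region iff
for every clock the integer parts agree (or both exceed xi_i), the same
clocks have fractional part 0, and the fractional parts of the remaining
bounded clocks are ordered in the same way.
"""
from fractions import Fraction
from itertools import product
from math import floor


def region_key(c, xi):
    """Canonical key of the region containing valuation c (all bounds xi_i integers)."""
    per_clock = []
    fracs = {}                                   # clock index -> fractional part (bounded clocks only)
    for i, (ci, bound) in enumerate(zip(c, xi)):
        if ci > bound:
            per_clock.append("unbounded")        # beyond xi_i only c_i > xi_i matters
        else:
            k = floor(ci)
            f = ci - k
            per_clock.append((k, f == 0))
            if f != 0:
                fracs[i] = f
    # clocks grouped by equal fractional part, groups ordered by increasing fractional part
    order = tuple(tuple(sorted(i for i in fracs if fracs[i] == v))
                  for v in sorted(set(fracs.values())))
    return tuple(per_clock), order


def region_dim(key):
    """Dimension of a region: unbounded clocks + distinct nonzero fractional classes."""
    per_clock, order = key
    return sum(1 for p in per_clock if p == "unbounded") + len(order)


def enumerate_regions(xi):
    """All regions for integer bounds xi, found by sampling a sufficiently fine grid."""
    n = len(xi)
    step = Fraction(1, n + 1)                    # n distinct nonzero fractions suffice for n clocks
    axes = [[k * step for k in range(bound * (n + 1) + 1)] + [bound + step]
            for bound in xi]
    return {region_key(c, xi) for c in product(*axes)}


def count_regions_by_dim(xi):
    """Map dimension -> number of regions (0: vertices, 1: faces, n: open regions)."""
    counts = {}
    for key in enumerate_regions(xi):
        d = region_dim(key)
        counts[d] = counts.get(d, 0) + 1
    return counts


def same_region(c1, c2, xi):
    """Region equivalence of two clock valuations."""
    return region_key(c1, xi) == region_key(c2, xi)


if __name__ == "__main__":
    print(count_regions_by_dim((1, 2)))   # the example above: 6 vertices, 14 faces, 8 regions
    print(count_regions_by_dim((1, 1)))
```

Because the key depends only on the region, sampling can never produce more keys than there are regions; the step 1/(n+1) guarantees that every ordering of fractional parts among n clocks, including ties, occurs on the grid, so no region is missed.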

Simulating Finite State Automaton (I)

Instead of providing an algorithm for constructing a simulating finite state automaton, we demonstrate the technique by an example from R. Alur and D. L. Dill: A Theory of Timed Automata, Theoretical Computer Science 126 (1994), pages 183-235:

[Figure: timed automaton with the states z0, z1, z2, z3 and the transitions z0 → z1 on a with the guard c1 > 0 and the reset c2 := 0; z1 → z2 on b with the guard c2 = 1; z1 → z3 on c with the guard c1 < 1; z2 → z3 on c with the guard c1 < 1; z3 → z1 on a with the guard c2 < 1 and the reset c2 := 0; a self-loop at z3 on d with the guard c1 > 1. Next to it: the clock plane (c1, c2) partitioned into the clock regions for ξ = [1, 1]^T, with the faces f1, ..., f9 and the open regions r1, ..., r5]

$\xi = [1, 1]^T$

Simulating Finite State Automaton (II)

[Figure: the simulating finite state automaton. Its states are pairs of a discrete state and a clock region:

- (z0, c1 = 0, c2 = 0)
- (z1, 0 < c1 < 1, c2 = 0), (z1, c1 = 1, c2 = 0), (z1, c1 > 1, c2 = 0)
- (z2, c1 > 1, c2 = 1)
- (z3, c1 < 1, 0 < c2 < c1), (z3, c1 > 1, 0 < c2 < 1), (z3, c1 > 1, c2 = 1), (z3, c1 > 1, c2 > 1)

The transitions are labelled with the events a, b, c and d: a leads from the z0 state to the three z1 states and from the two z3 states with c2 < 1 back to z1 states; b leads from each z1 state to the z2 state; c leads from (z1, 0 < c1 < 1, c2 = 0) to (z3, c1 < 1, 0 < c2 < c1); d leads from every z3 state to the z3 states with c1 > 1, self-loops included]

Simulating Finite State Automaton (III)

The transition from z2 to z3 is impossible: in z2 the clocks always satisfy c1 > 1, but the guard requires c1 < 1.

The finite state automaton has two absorbing sets of states, i.e. states from which one can never escape: $z_2$ with $c \in (\mathbb{R}^+_0)^2$, and $z_3$ with $c_1 > 1$, $c_2 > 1$.

The simulating finite state automaton makes it possible to use model checking algorithms as introduced earlier.

Further reading

R. Alur and D. L. Dill: A Theory of Timed Automata, Theoretical Computer Science 126 (1994), pages 183-235.

C. G. Cassandras and S. Lafortune: Introduction to Discrete Event Systems, Springer (2008), chap. 5.

Conclusions

- Timed automata add the crucial aspect of timing constraints to finite state automata.
- Timed automata produce a timed output sequence for a given timed input sequence.
- Reachability analysis makes it possible to analyze all possible behaviors of timed automata.
- When guard regions are restricted to expressions built from $\le$, $\neg$, $\wedge$ and rational numbers, the timed automaton can be simulated by a finite state automaton.