![Page 1: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/1.jpg)
Introduction to Formal Methods for SW and HW Development
11 - Timed and Hybrid Systems:Formal Modeling and Verification
Roberto Sebastiani
Based mostly on the work and slides by Rajeev Alur,with further contributions from:
Andrea Mattioli, Paritosh Pandya, Yusi Ramadian
![Page 2: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/2.jpg)
Trends in Model-Based Design
Emerging notations: UML,Stateflow
Visual, Hierarchical, Object oriented Simulation, code generation
Steady progress in model checking tools
Control design employs tools (Matlab…)
Opportunities to influence design tools
Typically, semantics is not formal Typically, only simulation is supported ….
![Page 3: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/3.jpg)
Model Checker
AdvantagesAutomated formal verification, Effective debugging tool
Increasing industrial successIn-house groups: Intel, Microsoft, Lucent, Motorola…Commercial model checkers: FormalCheck by Cadence
ObstaclesScalability is still a problem (about 500 state vars)Effective use requires great expertise
model
temporalproperty
yes
error-trace
A great success story for CS theory impacting practice (see 2007 Turing award), and a vibrant area of research
![Page 4: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/4.jpg)
Hybrid Modeling
State machines
offon
+ Dynamical systems
dx=kxx<70
dx=-k’xx>60
x>68
x<63
(notation: “dx” abbreviation of “dx/dt”)
![Page 5: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/5.jpg)
Automotive Applications
![Page 6: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/6.jpg)
Coordination Protocols
![Page 7: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/7.jpg)
Interacting Autonomous Robots
![Page 8: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/8.jpg)
Physics-based Animation
![Page 9: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/9.jpg)
Biomolecular Regulatory Networks
![Page 10: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/10.jpg)
Overview
1. Timed systems: Modeling and Semantics Timed automata
2. Symbolic Reachability Analysis for Timed SystemsMaking the state space finite Region automataZone automata
3. Hybrid Systems: Modeling and Semantics Hybrid automata
4. Symbolic Reachability Analysis for Hybrid SystemsLinear Hybrid AutomataApproximations of reachable sets
![Page 11: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/11.jpg)
Acknowledgements
Thanks for providing slides & material to:
Rajeev Alur & colleagues (Penn University)
Paritosh Pandya (IIT Bombay)
Andrea Mattioli, Yusi Ramadian (Univ. Trento)
Disclaimer:Very introductive
Only very-partial coverage
Mostly computer-science centric
![Page 12: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/12.jpg)
Part 1. Timed Systems:
Modeling and Semantics
![Page 13: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/13.jpg)
Outline: Part 1
Timed Automata
![Page 14: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/14.jpg)
Timed Automata
![Page 15: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/15.jpg)
Off Light BrightPress? Press?
Press?
Press?
WANT: if press is issued twice quickly then the light will get brighter; otherwise the light is turned off.
Simple Light Control
![Page 16: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/16.jpg)
Simple Light Control
Off Light Bright
Solution: Add real-valued clock x
X:=0X<=3
X>3
Press? Press?
Press?
Press?
Adding continuous variables and constraints to state machines
![Page 17: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/17.jpg)
Modeling : timing constraints
Finite graph + finite set of (real-valued) clocks
vertices locations Time can elapse Constraint ( invariant )
edges switches Reset a clock Constraints
Meaning of a clock value: time elapsed since the last time it was reset.
![Page 18: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/18.jpg)
Timed Automata
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Guard Boolean combination of comparisons withinteger bounds
ResetAction performed on clocks
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
wait(1.1)
2 kinds of transitions:
( n , x=2.4 , y=3.1415 ) ( m , x=0 , y=3.1415 )
a
State ( location , x=v , y=u ) where v,u are in R
Actionused
for synchronization
![Page 19: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/19.jpg)
n
m
a
Clocks: x, y
x<=5 & y>3
x := 0
Transitions
( n , x=2.4 , y=3.1415 ) ( n , x=3.5 , y=4.2415 )
wait(1.1)
( n , x=2.4 , y=3.1415 )
wait(3.2)
x<=5
y<=10
LocationInvariants
g1g2 g3
g4
Invariants ensure progress!!
Adding Invariants
![Page 20: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/20.jpg)
Timed Automata: Formal Syntax
• timed automaton A =– L = locations; = initial locations– ∑ = labels– X = clocks– I = Invariants– = set of switches (edges)
a switch = • s, s’ = locations• a = label• φ = clock constraints• = clocks to be reset
EIXLL ,,,,, 0 LL 0
LXLE X 2',,,, sas
X
![Page 21: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/21.jpg)
Clock constraints and clock interpretations
• Set of clock constraints grammar :
only allow comparison of a clock and a constant
• clock interpretation ν :X={x,y,z} , ν(X) = {1.0, 1.5, 0}
• = clock interpretation after δ timeν(X)+δ = {1.2, 1.7, 0.2}
• = assigns 0 to each x YY={y,z}; ={1.0, 0, 0}
21||||: xccxxccx
]0:[ Y]0:[ Y
![Page 22: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/22.jpg)
Example
Clocks { x , y }, can be re/set independently
x is reset to 0 from s0 to s1 on a switch c happens within 1 time-unit
from a because of constraints in s1 and s2
delay between b and the following d is >2
no explicit bounds on time difference between event a-b or c -d
locationswitch
invariant
![Page 23: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/23.jpg)
Semantics
• Semantics of A defined in terms of a (infinite) transition system SA = < Q,Q0, →, ∑ >, s.t.:– Q = {(s, ν)}– Q0 = {(s, ν)} where s L0 and ν(x)=0– → :
• State change due to elapse of time• State change due to a location switch
– ∑ = set of labels of A
![Page 24: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/24.jpg)
State change in transition system
qx<2 q'
a
(q,0)
• (q,0)• Initial state
![Page 25: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/25.jpg)
State change in transition system
• (q,0) (q,1.2)= state change due to elapse of time
qx<2 q'
a
(q,1.2)
2.1
![Page 26: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/26.jpg)
State change in transition system
qx<2 q'
a
(q’,1.2)
• (q,0) (q,1.2) (q’,1.2)= state change due to a location switch• q q and q q’ = q
q’
a 2.1
a a2.1 2.1
![Page 27: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/27.jpg)
Example: Light Switch
• Switch may be turned on whenever at least 2 time units has elapsed since last “turn off”
• Light automatically switches off after 9 time units.
push
pushclick
9y
![Page 28: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/28.jpg)
Example: Light Switch (cont.)
...)9,0,()9),3(9,(
)3,3,(),0,(
),()0,(
)5.3,()0,(
)3(93
5.3
yxoffyxon
yxonyxon
yxonyxon
yxoffyxoff
click
push
push
push
pushclick
9y
![Page 29: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/29.jpg)
Remark : non-zenoness
1. When the invariant is violated some edge must be enabled
2. Automaton should admit the possibility of time to diverge
px<1
px<1
X=1
q
![Page 30: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/30.jpg)
Combination of systems• Complex system = product of
interacting transition systems• S1= and S2=• Product = S1||S2 = • Transition iff :
i. Label a belongs to both alphabets synchronized(synchronization is blocking: an a-labeled switch cannot be
shot singularly)
ii. Label a only in the alphabet of S1 asynchronized
iii. Label a only in the alphabet of S2 asynchronized
1111011 ,,,,, EIXLL 2222
022 ,,,,, EIXLL
EIIXXLLLL ,,,,, 21212102
0121
![Page 31: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/31.jpg)
Transition product
• ∑1 = {a, b}
• ∑2 = {a, c}
p1,q1p1',q1'
a
p1 p1'a
q1 q1'a
p2 p2'b
q2
q2 q2'c
p3
p2,q2p2',q2
b
p3,q2p3,q2'
c
![Page 32: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/32.jpg)
Train – gate controller
• Desired property: AG(s2 -> t2)
![Page 33: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/33.jpg)
Product Construction
s0,t0,u0
approach
s1,t0,u1
in
s2,t0,u1
out
s3,t0,u1
s1,t1,u0
in
s2,t1,u0
out
s3,t1,u0
exit
s0,t1,u2
lower lower lower
s1,t2,u0
in
s2,t2,u0
out
s3,t2,u0
exit
s0,t2,u0
down down down down
raise
s0,t3,u0
s3,t3,u1
s2,t3,u1
out
s1,t3,u1
in
approach
up
up
up
up
s0,t0,u0
approach
s1,t0,u1
in
s2,t0,u1
out
s3,t0,u1
s1,t1,u0
in
s2,t1,u0
out
s3,t1,u0
exit
s0,t1,u2
lower lower lower
s1,t2,u0
in
s2,t2,u0
out
s3,t2,u0
exit
s0,t2,u0
down down down down
raise
s0,t3,u0
s3,t3,u1
s2,t3,u1
out
s1,t3,u1
in
approach
up
up
up
upx≤5 z≤1x:=0,z:=0 x>2
y:=0, z=1
![Page 34: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/34.jpg)
Part 2. Symbolic Reachability
Analysis for Timed Systems
![Page 35: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/35.jpg)
Outline: Part 2
Reachability analysisMaking the state space finiteRegion automataZone automata
![Page 36: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/36.jpg)
Reachability Analysis
• Verification of safety requirement: reachability problem
• Input: a time-automaton A and a set of target locations
• Determining whether LF is reachable in a timed automaton A
• Location s of A is reachable if some state q with location component s is a reachable state of the transition system SA
LLF
![Page 37: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/37.jpg)
Timed/hybrid Systems: problem
Is finite state analysis possible?Is reachability problem decidable?
The transition system SA associated to A has infinitely-many states & symbols:
![Page 38: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/38.jpg)
Idea: Finite Partitioning
Goal: To partition state-space into finitely many equivalence classes so that equivalent states exhibit similar behaviors
![Page 39: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/39.jpg)
Reachability analysis
SA
Time-abstractautomaton
RegionAutomaton
Time abstraction
Finite set of actions
Infinite set of states.
Quotient
Both states and actions are finite sets
Timed AutomatonSemantics
Regions
Infinite set of actions
Infinite set of states.
![Page 40: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/40.jpg)
Outline: Part 2
Reachability Analysis Making the state space finite Region automata Zone automata
![Page 41: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/41.jpg)
Timed Vs Time-Abstract Relations
Transition system associated with a timed/hybrid automaton A:• SA: Labels on continuous steps are delays in
R• Actual delays are suppressed (all continuous
steps have same label): Time-abstract UA
![Page 42: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/42.jpg)
Time-abstract transition system UA
• Only change due to location switch stated explicitly
• Cut system to finitely many labels• UA(instead of SA) allows for capturing untimed
properties (e.g., reachability, safety)
)0,7.0,()9.1,7.0,()2.1,0,()2.1,2.1,()0,0,( 21
7.0
10
2.1
0 sssssba
)0,7.0,()2.1,0,()0,0,( 210 sssba
![Page 43: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/43.jpg)
Stable quotients
• Cut to finitely many states• Collapse equivalent states• Stable
equivalence relation
• Quotient of UA = transition system [UA]~
q q'
a
u u'
a
q ~ u q' ~ u’
Stable according to the transition
![Page 44: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/44.jpg)
LF-sensitive equivalence relation
• Equivalence relation ~ = LF-sensitive• All equivalent states in a class belong to
either LF or not LF
q q'
u u'
v v'
a
c
b
LF
not LFa'
c'
b'
![Page 45: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/45.jpg)
Outline: Part 2
Reachability Analysis Making the state space finite Region Automata Zone automata
![Page 46: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/46.jpg)
Region Equivalence over clock interpretation
• x = 3.7– Integral part : = 3.0– Fractional part = fr(ν(x)) = 0.7
• iff1. For all x, the integral part is the same or
both exceed cx pict. (cx : max constant x is compared to)
2. For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y)) pict.
3. For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0 pict
'
)(x
next
![Page 47: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/47.jpg)
Constraint 1
0 1 2
1
y
x0 1 2
1
y
x
)(' x= = 1 )(x
back
For all x, the integral part is the same or both exceed cx
![Page 48: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/48.jpg)
Constraint 20 1 2
0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x
fr(v(x)) =fr(v(x))
0 1 2
1
y
x
fr(v(x)) =fr(v(x))
(fr(v(x)) ,fr(v(y)))
(fr(v’(x)) ,fr(v’(y)))
back
For all x, y with ν(x) ≤ cx and ν(y) ≤ cy, fr(ν(x)) ≤ fr(ν(y)) iff fr(ν’(x)) ≤ fr(ν’(y))
(fr(v(x)) = fr(v(y)))
![Page 49: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/49.jpg)
Constraint 3
0 1 2
1
y
x
fr(ν(x)) =0
fr(ν’(x)) =0
back
For all x, ν(x) ≤ cx,fr(ν(x)) =0 iff fr(ν’(x)) =0
![Page 50: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/50.jpg)
• Clock region: equivalence class of clock interpretation finite
• Max number of regions =– (k is the number of clocks)
• Number of clock regions exponential in the encoding of the clock constraints
Clock regions
Xx xk ck )22(2!
0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x0 1 2
1
y
x
2 clocks x, y. cx = 2, cy = 1 • 8 open regions• 14 open line segments • 6 corner points
![Page 51: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/51.jpg)
Regions, intuitive idea:Finite partitioning of state space
x
y Definition
An equivalence class (i.e. a region)in fact there is only a finite number of regions!!
1 2 3
1
2
w @ w’ iff they satisfy the same set of constraints of the formxi < c, xi = c, xi – xj < c, xi –xj =cfor c <= largest const relevant to xi
Alur, Dill, 90
![Page 52: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/52.jpg)
Region Operations
x
y
An equivalence class (i.e. a region)
Successor regions, Succ(r)
r
1 2 3
1
2
Resetregions
{y}r
{x}r
![Page 53: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/53.jpg)
Properties of Regions
The region equivalence relation @ is a time-abstract bisimulation:– Action transitions: If w @ v and (l,w) -a->
(l’,w’) for some w’, then $ v’ @ w’ s.t. (l,v) -a-> (l’,v’)
– Delay transitions: If w @ v then for all real numbers d, there exists d’ s.t. w+d @ v+d’
If w @ v then (l,w) and (l,v) satisfy the same temporal logic formulas
![Page 54: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/54.jpg)
Region automaton
• Equivalent states = identical location + region-equivalent clock
• Classes = finite, stable, LF-sensitive• Region automaton of A = R(A)
– Q = equivalence classes of (s, ν)• Reachability problem (A, LF) search
R(A)
![Page 55: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/55.jpg)
Region graph of a simple timed automata
![Page 56: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/56.jpg)
Complexity of reachability
• Linear with number of locations• Exponential with number of clocks• Exponential in the encoding of
constantsPSPACE-complete
![Page 57: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/57.jpg)
Outline: Part 2
Reachability Analysis Making the state space finite Region Automata Zone Automata
![Page 58: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/58.jpg)
Zone automata
• Collapse regions by convex unions of clock regions
• Clock zone φ = set of clock constraints x-y≤c, x-y<c,x<c,x≤c,x=c,x>c,x≥c
• φ = convex set in the k-dimensional euclidean space Contains all possible relationship for all clock value in a set
![Page 59: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/59.jpg)
Zones: symbolic representation
State(s, x=3.2, y=2.5 )
x
y
x
y
Symbolic state (set of states)(s, )
Zone:conjunction ofx-y≤c, x-y<c,x<c,x≤c,x=c,x>c,x≥c
3y4,1x1 ££££
![Page 60: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/60.jpg)
Zone automaton
• Z(A) is a transition system < Q,Q0,∑, → > s.t. – Q = zone of A; Zone = (s, φ)– Q0 = (s,[X:=0]), for every initial location s of
A– ∑ = set of labels or events– → = ((s, φ), a, (s’,succ(φ, e)))
• succ (φ, e) = clock interpretation after executing e
![Page 61: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/61.jpg)
Symbolic transition
• succ (φ, e) =
1. ^ = intersection2. = interpretation for3. = interpretation • closure under the three operations still a
convex set
]0:[ ]0:[
]0:)[)()))(((( sIsI
Φ fulfill invariant of state s
still fulfill invariant of state s after time elapse fulfill the time constraint of switch e
![Page 62: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/62.jpg)
Symbolic Transitions
n
m
x>3
y:=0
x
ydelays to
x
y
x
y conjuncts to
x
y
projects to
1<=x<=41<=y<=3
1<=x, 1<=y-2<=x-y<=3
3<x, 1<=y-2<=x-y<=3
3<x, y=0
Thus (n,1<=x<=4,1<=y<=3) ==> (m,3<x, y=0)
![Page 63: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/63.jpg)
Canonical Data-structures for Zones: Difference-bound
Matrices Matrix representation of constraints
(bounds on a single clock or difference betn 2 clocks)
Reduced form obtained by running all-pairs shortest path algorithm
Reduced DBM is canonical Operations such as reset, time-successor,
inclusion, intersection are efficient Popular choice in timed-automata-based
tools
![Page 64: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/64.jpg)
Difference-bound matrices (DBM)
• k clocks = (k +1) x (k +1) matrix D• Example :
D0i = lower bound
Di0 = upper bound
)0()10()20( 2121 xxxx
Dij = upper bound of xi and xj difference
• i,j: (c,1) Xi-Xj ≤ c
• i,j:(c,0) Xi-Xj < c
• i,j: ∞ absence of bound
![Page 65: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/65.jpg)
Difference-bound matrices (DBM)
• Upper bound of xi - xl = sum of the upper bounds of xi - xj and xj – xl
• Use all-pairs shortest paths, check DBM Satisfiable Canonical – Satisfiable = a nonempty clock zone – Canonical= Matrices with tightest possible constraints
• Canonical Dbms represent clock zones
![Page 66: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/66.jpg)
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2z-y<=2z<=9
x<=1y-x<=2y<=3z-y<=2z<=7
x<=1y-x<=2y<=3z-y<=2z<=7
D1
D2
When are two sets of constraints equivalent?
x x
0 y
z
1 2
29
ShortestPath
Closure
ShortestPath
Closure
0 y
z
1 2
25
0
x
y
z
1 2
27
0
x
y
z
1 2
25
3
3 3
Graph
Graph
Canonical Data-structures for Zones:Difference Bounded Matrices
![Page 67: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/67.jpg)
Complexity
• Theoretically :– Zone automaton may be
exponentially bigger than the region automaton
• Practically : – Fewer reachable vertices performances much improved
![Page 68: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/68.jpg)
Implementation
• Verification problem :– Input = timed automaton Ai
– Process = searching R(||iAi) or Z(||iAi) • BDD-based engine (preferably for region
construction)• On-the-fly enumerative search
(preferably for zone construction)
![Page 69: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/69.jpg)
Timed Automata: summary
Only continuous variables are timers Invariants and Guards: x<const,
x>=const Actions: x:=0 Reachability is decidable Clustering of regions into zones desirable
in practice Tools: Uppaal, Kronos, RED … Symbolic representation: matrices Techniques to construct timed
abstractions of general hybrid systems
![Page 70: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/70.jpg)
Decidable Problems
Model checking branching-time properties of timed automata
Reachability in rectangular automata Timed bisimilarity: are two given timed
automata bisimilar? Optimization: Compute shortest paths
(e.g. minimum time reachability) in timed automata with costs on locations and edges
Controller synthesis: Computing winning strategies in timed automata with controllable and uncontrollable transitions
![Page 71: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/71.jpg)
Part 3. Hybrid Systems:
Modeling and Semantics
![Page 72: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/72.jpg)
Outline: Part 3
Hybrid Automata
![Page 73: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/73.jpg)
Hybrid Automata
![Page 74: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/74.jpg)
Hybrid Automata
l
l’
jump transformation
edge guard
continuous dynamicsinitial condition
invariant: hybrid automaton may remain in l as long as X Inv(l)
X Inv(l’)
dX Flow(l’)
X Inv(l)
dX Flow(l) X Init(l)
e : g(X)0
J(X, X’)
locations or modes (discrete states)
![Page 75: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/75.jpg)
modeselect
integrator
m(t)
xdot(t)
flow constraints
x(t)
x(t)
jump mapping
initial condition
e(t)
threshold-drivendiscrete dynamics
x(t)e(t)
m(t)
cont. state
discrete state
discrete event
F1
F2
F31S
X0
Je
e(t)
Je
jump dynamics
cont. state
discrete state
discrete event
discrete dynamics
Switched Dynamic Systems
F1
F2
F3
1S
continuous dynamics
![Page 76: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/76.jpg)
Hybrid Automata
Set L of locations, and set E of edges Set X of k continuous variables State space: L X Rk, Region: subset of Rk
For each location l, Initial states: region Init(l)
Invariant: region Inv(l)
Continuous dynamics: dX in Flow(l)(X) For each edge e from location l to location l’
Guard: region Guard(e)
Update relation “Jump” over Rk X Rk
Synchronization labels (communication information)
![Page 77: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/77.jpg)
(Finite) Executions of Hybrid Automata
State: (l, x) such that x satisfies Inv(l) Initialization: (l,x) s.t. x satisfies Init(l) Two types of state updates Discrete switches: (l,x) –a-> (l’,x’) if there is
an a-labeled edge e from l to l’ s.t. x satisfies Guard(e) and (x,x’) satisfies update relation Jump(e)
Continuous flows: (l,x) –f-> (l,x’) where f is a continuous function from [0,d] s.t. f(0)=x, f(d)=x’, and for all t<=d, f(t) satisfies Inv(l) and df(t) satisfies Flow(l)(f(t))
![Page 78: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/78.jpg)
Example of (linear) Hybrid Automaton
Gate for a railroad controller
Openh = 90dh = 0
loweringh >= 0
-10<dh <-9
raisingh <= 90
8< dh <10
closedh = 0
dh = 0
h = 90 ?lower
?lower
?raise
?raise
h = 90 h = 0
![Page 79: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/79.jpg)
Part 4. Symbolic Reachability
Analysis for Hybrid Systems
![Page 80: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/80.jpg)
Outline: Part 4
Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe
Approximations (CheckMate)
![Page 81: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/81.jpg)
Standard Reachability Problem
Model variables X ={x1, … xn} Each var is of finite type, say, boolean
Initialization: I(X) condition over XUpdate: T(X,X’)
How new vars X’ are related to old vars X as a result of executing one step of the program
Target set: F(X)Computational problem:
Can F be satisfied starting with I by repeatedly applying T ?
Graph Search problem
![Page 82: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/82.jpg)
General Symbolic SolutionData type: region to represent state-setsR:=I(X)Repeat
If R intersects F report “yes”Else if R contains Image(R) report “no”Else R := R union Image(R)
Image(R): Set of successors of states in RTermination may or may not be guaranteed
![Page 83: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/83.jpg)
Symbolic Representations
Necessary operations on RegionsUnion
Intersection
Negation
Projection
Renaming
Equality/containment test
Emptiness test
Different choices for different classesBDDs for boolean variables in hardware
verification
Size of representation as opposed to number of states
![Page 84: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/84.jpg)
Reachability for Hybrid Systems
Same algorithm works in principle What’s a suitable representation of
regions? Region: subset of Rk
Main problem: handling continuous dynamics
Precise solutions available for restricted continuous dynamics
Timed automata Linear hybrid automata
Even for linear systems, over-approximations of reachable set needed
![Page 85: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/85.jpg)
Reachability Analysis for Dynamical Systems
Goal: Given an initial region, compute whether a bad state can be reached
Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short)
X
Reach(X)
![Page 86: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/86.jpg)
Outline: Part 4
Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe
Approximations (CheckMate)
![Page 87: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/87.jpg)
Multi-rate Automata
Modest extension of timed automata• Dynamics of the form dx = const (rate of a
clock is same in all locations) • Guards and invariants: x < const, x > const• Resets: x := const
Simple translation to timed automata that gives time-abstract bisimilar system by scaling
dx = 2dy = 3
x>5 and y <1
du = 1dv = 1
u>5/2 and v <1/3
![Page 88: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/88.jpg)
Rectangular Automata
Interesting extension of timed automata• Dynamics of the form dx in const
interval (rate-bounds of a clock same in all locations)
• Guards/invariants/resets as before Translation to multi-rate automata that
gives time-abstract language-equiv systemdx in
[2,3]
x>5
x<2 dxm = 2dxM = 3
xM>5, xm:=5
xm<2, xM:=2
Puri, Henzinger, 95
![Page 89: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/89.jpg)
Linear Hybrid Automata
Invariants and guards: linear (Ax <= b) Actions: linear transforms (x’:= Ax) Dynamics: time-invarint, state-
independentspecified by a convex polytope constraining ratesE.g. 2 < x <= 3, x = y
Tools: HyTech Symbolic representation: Polyhedra Methodology: abstract dynamics by
differential inclusions bounding rates
![Page 90: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/90.jpg)
Example LHAGate for a railroad controller
Openh = 90dh = 0
loweringh >= 0
-10<dh <-9
raisingh <= 90
8< dh <10
closedh = 0
dh = 0
h = 90 ?lower
?lower
?raise
?raise
h = 90 h = 0
![Page 91: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/91.jpg)
Reachability ComputationBasic element: (location l, polyhedron p)Set of visited states: a list of (l,p) pairsKey steps: Compute “discrete” successors of (l,p) Compute “continuous” successor of (l,p) Check if p intersects with “bad” region Check if newly found p is covered by
already visited polyhedra p1,…, pk (expensive!)
![Page 92: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/92.jpg)
Computing Discrete Successors
Discrete successor of (l,p) Intersect p with g (result r is a polyhedron) Apply linear transformation A to r (result r’
is a polyhedron) Intersect r’ with the invariant of l’ (result r”
is a polyhedron) Successor is (l’,r”)
l l’g(x)-> x := a(x)
![Page 93: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/93.jpg)
Computing Time Successor
x
y
x
y
(3,2)
(1,4)
Rate Polytope
(1,4)
(3,2)p
Reach(p)
Thm: If initial set p, invariant I, and rate constraint r, are polyhedra, then set of reachable states is a polyhedron (and computable)
Basically, apply extremal rates to vertices of p
![Page 94: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/94.jpg)
Summary: Linear Hybrid Automata
HyTech implements this strategy Core computation: manipulation of
polyhedra Bottlenecks
proliferation of polyhedra (unions) computing with higher dimensional polyhedra
Many case studies (active structure control, Philips audio control protocol, steam boiler…)
![Page 95: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/95.jpg)
Outline: Part 4
Symbolic Reachability Analysis Linear Hybrid Automata (HyTech) Polyhedral Flow-pipe
Approximations (CheckMate)
![Page 96: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/96.jpg)
Beyond LHA
Exact computation with polyhedra is limiting. If dynamics is dX=AX, and P is a polyhedron,
Reach(P) is not a polyehdron Solutions:
Approximate Reach(P) with an enclosing convex polyhedron: Checkmate (Krogh)
Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler)
Level sets method (Greenstreet, Tomlin) Use ellipsoids for representation of sets
(Kurzhanski)
![Page 97: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/97.jpg)
Polyhedral Flow Pipe Approximations
X0
t1
t2
t3
t4
t5t6 t7
t8
t9
• divide R[0,T](X0) into [tk,tk+1] segments
• enclose each segment with a convex polytope
• RM[0,T](X0) = union of polytopes
![Page 98: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/98.jpg)
Wrapping Hyperplanes Around a Set
S
c4
c3
c2c1
Step 1:Choose normal vectors, c1,...,cm
![Page 99: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/99.jpg)
S
c4
c3
c2
c1
Step 2:Compute optimal d in Cx d, CT = [c1 ... cm]:
di = max ciTx
xS
Wrapping Hyperplanes Around a Set
![Page 100: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/100.jpg)
Wrapping a Flow Pipe Segment
Given normal vectors ci, we wrap R[tk,tk+1]
(X0) in a polytope by solving for each i
Optimization problem is solved by embedding simulation into objective function computation
di = max ciTx(t,x0)
xo,t
s.t. x0X0
t [tk,tk+1]
![Page 101: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/101.jpg)
Improvements for Linear Systems
x = Ax x(t, x0) = eAtx0
No longer need to embed simulation into optimization
Flow pipe segment computation depends only on time step t
A segment can be obtained by applying eAt to another segment of the same t
)(ˆ)(ˆ0],0[0],[ XReXR t
Atttt
![Page 102: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/102.jpg)
Example: Van der Pol Equation
X x x0 1 20 8 1 0 { . , }
. ( )
x x
x x x x1 2
2 12
2 10 2 1
Van der Pol Equation
Uniform time stepDtk = 0.5
Initial Set
![Page 103: Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly](https://reader036.vdocuments.us/reader036/viewer/2022062515/56649cc55503460f9498e37b/html5/thumbnails/103.jpg)
Summary: Flow Pipe Approximation
• Applies in arbitrary dimensions• Approximation error doesn't grow
with time• Estimation error (Hausdorff
distance) can be made arbitrarily small with Dt < d and size of X0 < d
• Integrated into a complete verification tool (CheckMate)