Krishna S., Umang Mathur, Ashutosh Trivedi – 1 of 28
Weak Singular Hybrid AutomataFormal Modeling and Verification for Cyber-Physical Systems
Krishna S. Umang Mathur Ashutosh Trivedi
Department of Computer Science and Engineering
IIT Bombay, Mumbai, India
January 18, 2014
Krishna S., Umang Mathur, Ashutosh Trivedi – 2 of 28
Cyber-Physical Systems (CPS)
Medical Devices Avionics
EnergyAutomobile
Krishna S., Umang Mathur, Ashutosh Trivedi – 3 of 28
Verification/Synthesis with Hybrid Automata
– Introduced by Alur et al. to model hybrid systems
– Dynamics of physical variables are gives as ordinary differential equations
– Quite expressive, but undecidable verification (reachability) problems
– Decidable subclasses exists, e.g.– Initialized Rectangular Hybrid automata (Henzinger et al.),– Hybrid Automata with Strong Resets (Bouyer et al.),– Piecewise constant derivative systems (Asarin, Maler, and Pnueli),– Multi-Mode Systems (Alur, Trivedi, Wojtczak)
– Tool support: HyTECH, PHAVer
x1 = 0x2 = 0m0
x1 = 2x2 = 2m1
1 < x2 < 3
x1 = −2x2 = −2m2
2 ≤ x1 < 6
x1 = −1x2 = −1m3
x1 < 0, a, {x2}
x2 > 0, b x1 < 22, c
d
e
Figure: A Hybrid Automata
Krishna S., Umang Mathur, Ashutosh Trivedi – 4 of 28
Introduction
Green Scheduling
Weak Singular Hybrid AutomataSyntax and SemanticsReachability and SchedulabilityTemporal Logic Model CheckingExtending WSHA
Summary
Krishna S., Umang Mathur, Ashutosh Trivedi – 5 of 28
Peak Demand Reduction in Energy Usage
1. Absence of bulk energy storage technology
2. Base-load vs peaking power plants
3. Energy peaks are expensive:– For environment (peaking power plants are typically
fossil-fueled )– For energy providers– For customers (peak power pricing)
4. Energy peaks are often avoidable:– Extreme weather and energy peaks– Heating, Ventilation, and Air-conditioning (HVAC)
Units
5. Load-balancing methods:– Load shedding– Load shifting– Green scheduling
Krishna S., Umang Mathur, Ashutosh Trivedi – 6 of 28
Green Scheduling
Zones \ HVAC Units Modes HIGH LOW OFFX (Temp. Change Rate/ Energy Usage) -2/3 -1/2 2/0.2Y (Temp. Change Rate/ Energy Usage) -2/3 -1/2 3/0.2
– Assume that comfortable temperature range is 65oF to 70oF .
– Energy is extremely expensive if peak demand dips above 4 units in a billingperiod
Problem
Find an “implementable” switching schedule that keeps the temperatures withincomfort zone and peak usage within 4 units?
Krishna S., Umang Mathur, Ashutosh Trivedi – 6 of 28
Green Scheduling
Zones \ HVAC Units Modes HIGH LOW OFFX (Temp. Change Rate/ Energy Usage) -2/3 -1/2 2/0.2Y (Temp. Change Rate/ Energy Usage) -2/3 -1/2 3/0.2
– Assume that comfortable temperature range is 65oF to 70oF .
– Energy is extremely expensive if peak demand dips above 4 units in a billingperiod
Problem
Find an “implementable” switching schedule that keeps the temperatures withincomfort zone and peak usage within 4 units?
Krishna S., Umang Mathur, Ashutosh Trivedi – 7 of 28
Green Scheduling: Contd
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe Schedulability Problem
Does there exist a switching schedule using these modes such that the temperaturesof all zones stays in comfortable region?
Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28
Multi-mode Systems: Safe Schedulability
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1) 6670
s2
(m3, 1) 6868
s3
(m4, 1) 6767
s4
(m2, 1) · · ·
Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28
Multi-mode Systems: Safe Schedulability
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1)
6670
s2
(m3, 1) 6868
s3
(m4, 1) 6767
s4
(m2, 1) · · ·
Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28
Multi-mode Systems: Safe Schedulability
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1) 6670
s2
(m3, 1)
6868
s3
(m4, 1) 6767
s4
(m2, 1) · · ·
Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28
Multi-mode Systems: Safe Schedulability
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1) 6670
s2
(m3, 1) 6868
s3
(m4, 1)
6767
s4
(m2, 1) · · ·
Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28
Multi-mode Systems: Safe Schedulability
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1) 6670
s2
(m3, 1) 6868
s3
(m4, 1) 6767
s4
(m2, 1) · · ·
Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28
Multi-mode Systems: Safe Schedulability
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1) 6670
s2
(m3, 1) 6868
s3
(m4, 1) 6767
s4
(m2, 1) · · ·
Krishna S., Umang Mathur, Ashutosh Trivedi – 9 of 28
Multi-mode Systems: Zeno schedule
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6868
s1
(m2, 0) 6868
s2
(m3, 0) 6868
s3
(m4, 0) 6868
s4
(m2, 0) · · ·
Zeno Schedule
Krishna S., Umang Mathur, Ashutosh Trivedi – 10 of 28
Multi-mode Systems: Zeno schedule
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
6868
xy
s0
6767
s1
(m2, 1) 66.568.5
s2
(m3,12) 67
68
s3
(m4,14) 66.875
67.875
s4
(m2,18) · · ·
Zeno Schedule
Krishna S., Umang Mathur, Ashutosh Trivedi – 11 of 28
Definition
Definition (Constant-Rate Multi-Mode Systems: MMS)
A MMS is a tuple H = (M,n,R) where
– M is a finite nonempty set of modes,
– n is the number of continuous variables,
– R : M → Rn gives for each mode the rate vector,
– S ⊆ Rn is a bounded convex set of safe states.
Safe Schedulability Problem
Given a multi-mode system and a starting state, decide whether there exists anon-Zeno safe schedule.
Safe Reachability Problem
Given a multi-mode system, a starting state and a target state, decide whether thereexists a safe schedule from starting state to target state.
Krishna S., Umang Mathur, Ashutosh Trivedi – 12 of 28
Key Results
Theorem (Alur et. al)
Safe schedulability can be solved in polynomial time.
Theorem (Alur et. al)
Safe reachability problem can be solved in polynomial time if both starting andtarget states are in the interior of safety set.
Both the problems essentially boil down to solving a linear program polynomial insize of the inputs.
Krishna S., Umang Mathur, Ashutosh Trivedi – 13 of 28
Safe Schedulability Problem: Geometry
x = −2y = 3
m1
x = −1y = −1
m2
x = −1y = 3
m3
x = 2y = −2
m4
x = 2y = −1
m5
x = 2y = 3
m6
Safe set: x ∈ [65, 70], y ∈ [65, 70]
m1
(−2, 3)
m4
(2,−2)
m6
(2, 3)
m2
(−1,−1)
m3
(−1, 3)
m5
(2,−1)
Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28
Safe Schedulability Problem: Geometry
s1
m6m3
m1
m2
m4
m5
Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28
Safe Schedulability Problem: Geometry
s1
m6m3
m1
m2
m4
m5
Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28
Safe Schedulability Problem: Geometry
s1
m6m3
m1
m2
m4
m5
Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28
Safe Schedulability Problem: Geometry
s1
m6m3
m1
m2
m4
m5
s2
Krishna S., Umang Mathur, Ashutosh Trivedi – 15 of 28
Safe Schedulability Problem: Interior Case
Theorem
Assume that the starting state lies in the interior of the safety set.A safe non-Zeno schedule exists if and only if
|M|Xi=1
R(i) · fi = 0
|M|Xi=1
fi = 1.
for some f1, f2, . . . , f|M| ≥ 0.Moreover, such a schedule is periodic.
Krishna S., Umang Mathur, Ashutosh Trivedi – 16 of 28
Reachability Problem: Geometry
s1
m6m3
m1
m2
m4
m5
s5
Krishna S., Umang Mathur, Ashutosh Trivedi – 16 of 28
Reachability Problem: Geometry
s2
m6m3
m1
m2
m4
m5
s3
s1
s5
Krishna S., Umang Mathur, Ashutosh Trivedi – 17 of 28
Safe Reachability Problem
Theorem
Assume that the starting state s0 and the target state st lie in the interior of thesafety set.A safe schedule exists from s0 to st exists if and only if
s0 +
|M|Xi=1
R(i) · ti = st
for some t1, t2, . . . , t|M| ≥ 0.
Krishna S., Umang Mathur, Ashutosh Trivedi – 18 of 28
Thumb Rules: Schedulability
The following is feasible:
|M|Xi=1
R(i) · fi = 0 and
|M|Xi=1
fi = 1
Or, the following in infeasible:
(v1, v2, . . . , vn)·R(i) > 0 for all modes i.
m1
(−2, 3)
m4
(2,−2)
m6
(2, 3)
m2
(−1,−1)
m3
(−1, 3)
m5
(2,−1)
Krishna S., Umang Mathur, Ashutosh Trivedi – 18 of 28
Thumb Rules: Schedulability
The following is feasible:
|M|Xi=1
R(i) · fi = 0 and
|M|Xi=1
fi = 1
Or, the following in infeasible:
(v1, v2, . . . , vn)·R(i) > 0 for all modes i.
m1
(−2, 3)
m4
(2,−2)
m6
(2, 3)
m3
(−1, 3)
m5
(2,−1)
Krishna S., Umang Mathur, Ashutosh Trivedi – 19 of 28
Thumb Rules: Reachability
The following is feasible:
s0 +
|M|Xi=1
R(i) · ti = sts0
st
R1
R2
Krishna S., Umang Mathur, Ashutosh Trivedi – 20 of 28
Introduction
Green Scheduling
Weak Singular Hybrid AutomataSyntax and SemanticsReachability and SchedulabilityTemporal Logic Model CheckingExtending WSHA
Summary
Krishna S., Umang Mathur, Ashutosh Trivedi – 21 of 28
Motivation
Weak Singular Hybrid Automata
– Singular hybrid automata with an ordering on the states
– States with same order form a multimode system
– Decidable reachability (NP-complete), schedulability (NP-Complete), and LTLmodel-checking (PSPACE-complete) problems
Krishna S., Umang Mathur, Ashutosh Trivedi – 22 of 28
Syntax of WSHA
A weak singular hybrid automaton is a tuple H = (M,M0,Σ, X,∆, I, F ) where
– M is a finite set of control modes and M0 ⊆M ,
– Σ is a finite set of actions,
– X is an (ordered) set of variables,
– ∆ ⊆M × poly(X)× Σ× 2X ×M is the transition relation,
– I : M → poly(X) is the mode-invariant function, and
– F : M → Q|X| is the mode-dependent flow function characterizing the rate ofeach variable in each mode.
Function % : M → N assigning ranks to the modes such that
– for every transition (m,G, a,R,m′) ∈ ∆, %(m) ≤ %(m′), and
– for every rank i the set of modes with rank i– has a common safety set Si which is a bounded and open polytope (problems
with boundaries)– is strongly connected with no resets or guards
Krishna S., Umang Mathur, Ashutosh Trivedi – 22 of 28
Syntax of WSHA
A weak singular hybrid automaton is a tuple H = (M,M0,Σ, X,∆, I, F ) where
– M is a finite set of control modes and M0 ⊆M ,
– Σ is a finite set of actions,
– X is an (ordered) set of variables,
– ∆ ⊆M × poly(X)× Σ× 2X ×M is the transition relation,
– I : M → poly(X) is the mode-invariant function, and
– F : M → Q|X| is the mode-dependent flow function characterizing the rate ofeach variable in each mode.
Function % : M → N assigning ranks to the modes such that
– for every transition (m,G, a,R,m′) ∈ ∆, %(m) ≤ %(m′), and
– for every rank i the set of modes with rank i– has a common safety set Si which is a bounded and open polytope (problems
with boundaries)– is strongly connected with no resets or guards
Krishna S., Umang Mathur, Ashutosh Trivedi – 23 of 28
Semantics of WSHA
– A configuration (m, ν) and a timed action (t, a)
– A transition ((m, ν)(t, a)(m′, ν′))– time elapse of t in mode m starting from ν, followed by discrete step a– guards, resets, invariants
– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · ·
– Type Γ(r) of a finite run r = 〈(m0, ν0), (t1, a1), (m1, ν1), . . . , (mk, νk)〉 is asequence 〈n0, b1, n1, . . . , bp, np〉 defined as:
Γ(r) =
(〈%(m0)〉 if r = 〈(m0, ν0)〉Γ(r′)⊕ (a, %(m)) if r = r′ :: 〈(t, a), (m, ν)〉,
– Any run (finite/infinite) will only have a finite run type: there are only finitelymany connected components, all sharing a partial order
Krishna S., Umang Mathur, Ashutosh Trivedi – 23 of 28
Semantics of WSHA
– A configuration (m, ν) and a timed action (t, a)
– A transition ((m, ν)(t, a)(m′, ν′))– time elapse of t in mode m starting from ν, followed by discrete step a– guards, resets, invariants
– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · ·
– Type Γ(r) of a finite run r = 〈(m0, ν0), (t1, a1), (m1, ν1), . . . , (mk, νk)〉 is asequence 〈n0, b1, n1, . . . , bp, np〉 defined as:
Γ(r) =
(〈%(m0)〉 if r = 〈(m0, ν0)〉Γ(r′)⊕ (a, %(m)) if r = r′ :: 〈(t, a), (m, ν)〉,
– Any run (finite/infinite) will only have a finite run type: there are only finitelymany connected components, all sharing a partial order
Krishna S., Umang Mathur, Ashutosh Trivedi – 23 of 28
Semantics of WSHA
– A configuration (m, ν) and a timed action (t, a)
– A transition ((m, ν)(t, a)(m′, ν′))– time elapse of t in mode m starting from ν, followed by discrete step a– guards, resets, invariants
– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · ·
– Type Γ(r) of a finite run r = 〈(m0, ν0), (t1, a1), (m1, ν1), . . . , (mk, νk)〉 is asequence 〈n0, b1, n1, . . . , bp, np〉 defined as:
Γ(r) =
(〈%(m0)〉 if r = 〈(m0, ν0)〉Γ(r′)⊕ (a, %(m)) if r = r′ :: 〈(t, a), (m, ν)〉,
– Any run (finite/infinite) will only have a finite run type: there are only finitelymany connected components, all sharing a partial order
Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28
Reachability and Schedulability
Theorem
The reachability and schedulability problems for weak singular hybrid automata areNP-complete.
– NP-Membership:– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable
amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and
tmi ∈ R≥0 are variables):
ν0 = νn0
ν′np∈ T
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)
and 0 < i ≤ pνni+1 (j) = ν′ni
(j) for allxj 6∈ R(bi+1)
and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi
for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
ν0 = νn0
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p
νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi for all 0 ≤ i ≤ p
tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
~0 =X
m∈Mnp
F (m) · tmp
1 =X
m∈Mnp
tmp
Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28
Reachability and Schedulability
Theorem
The reachability and schedulability problems for weak singular hybrid automata areNP-complete.
– NP-Membership:
– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable
amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and
tmi ∈ R≥0 are variables):
ν0 = νn0
ν′np∈ T
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)
and 0 < i ≤ pνni+1 (j) = ν′ni
(j) for allxj 6∈ R(bi+1)
and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi
for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
ν0 = νn0
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p
νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi for all 0 ≤ i ≤ p
tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
~0 =X
m∈Mnp
F (m) · tmp
1 =X
m∈Mnp
tmp
Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28
Reachability and Schedulability
Theorem
The reachability and schedulability problems for weak singular hybrid automata areNP-complete.
– NP-Membership:– All run-types are polynomial in size of the WSHA.
– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable
amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and
tmi ∈ R≥0 are variables):
ν0 = νn0
ν′np∈ T
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)
and 0 < i ≤ pνni+1 (j) = ν′ni
(j) for allxj 6∈ R(bi+1)
and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi
for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
ν0 = νn0
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p
νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi for all 0 ≤ i ≤ p
tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
~0 =X
m∈Mnp
F (m) · tmp
1 =X
m∈Mnp
tmp
Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28
Reachability and Schedulability
Theorem
The reachability and schedulability problems for weak singular hybrid automata areNP-complete.
– NP-Membership:– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable
amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and
tmi ∈ R≥0 are variables):
ν0 = νn0
ν′np∈ T
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)
and 0 < i ≤ pνni+1 (j) = ν′ni
(j) for allxj 6∈ R(bi+1)
and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi
for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
ν0 = νn0
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p
νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi for all 0 ≤ i ≤ p
tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
~0 =X
m∈Mnp
F (m) · tmp
1 =X
m∈Mnp
tmp
Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28
Reachability and Schedulability
Theorem
The reachability and schedulability problems for weak singular hybrid automata areNP-complete.
– NP-Membership:– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable
amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and
tmi ∈ R≥0 are variables):
ν0 = νn0
ν′np∈ T
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)
and 0 < i ≤ pνni+1 (j) = ν′ni
(j) for allxj 6∈ R(bi+1)
and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi
for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
ν0 = νn0
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p
νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi for all 0 ≤ i ≤ p
tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
~0 =X
m∈Mnp
F (m) · tmp
1 =X
m∈Mnp
tmp
Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28
Reachability and Schedulability
Theorem
The reachability and schedulability problems for weak singular hybrid automata areNP-complete.
– NP-Membership:– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable
amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and
tmi ∈ R≥0 are variables):
ν0 = νn0
ν′np∈ T
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)
and 0 < i ≤ pνni+1 (j) = ν′ni
(j) for allxj 6∈ R(bi+1)
and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi
for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
ν0 = νn0
νni , ν′ni
∈ SMnifor all 0 ≤ i ≤ p
νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p
νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p
ν′ni= νni +
Xm∈Mni
F (m) · tmi for all 0 ≤ i ≤ p
tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni
~0 =X
m∈Mnp
F (m) · tmp
1 =X
m∈Mnp
tmp
Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28
Reachability and Schedulability (contd.)
– NP Hardness:
Reduction from Subset-sum problem (Reachability) .
m0
(1, 1, 2,−3, 0, 0)
m1
(0,−1, 0, 0, 1, 1)
m3
(0, 0,−2, 0, 2, 1)
m5
(0, 0, 0, 3,−3, 1)
m2
(0,−1, 0, 0, 0, 0)
m4
(0, 0,−2, 0, 0, 0)
m6
(0, 0, 0, 3, 0, 0)
Figure: Constructed WSHA for set {1, 2,−3}
– Schedulability: Reachability to the last strongly connected component andmulti-mode scheduling there
Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28
Reachability and Schedulability (contd.)
– NP Hardness:Reduction from Subset-sum problem (Reachability) .
m0
(1, 1, 2,−3, 0, 0)
m1
(0,−1, 0, 0, 1, 1)
m3
(0, 0,−2, 0, 2, 1)
m5
(0, 0, 0, 3,−3, 1)
m2
(0,−1, 0, 0, 0, 0)
m4
(0, 0,−2, 0, 0, 0)
m6
(0, 0, 0, 3, 0, 0)
Figure: Constructed WSHA for set {1, 2,−3}
– Schedulability: Reachability to the last strongly connected component andmulti-mode scheduling there
Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28
Reachability and Schedulability (contd.)
– NP Hardness:Reduction from Subset-sum problem (Reachability) .
m0
(1, 1, 2,−3, 0, 0)
m1
(0,−1, 0, 0, 1, 1)
m3
(0, 0,−2, 0, 2, 1)
m5
(0, 0, 0, 3,−3, 1)
m2
(0,−1, 0, 0, 0, 0)
m4
(0, 0,−2, 0, 0, 0)
m6
(0, 0, 0, 3, 0, 0)
Figure: Constructed WSHA for set {1, 2,−3}
– Schedulability: Reachability to the last strongly connected component andmulti-mode scheduling there
Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28
Reachability and Schedulability (contd.)
– NP Hardness:Reduction from Subset-sum problem (Reachability) .
m0
(1, 1, 2,−3, 0, 0)
m1
(0,−1, 0, 0, 1, 1)
m3
(0, 0,−2, 0, 2, 1)
m5
(0, 0, 0, 3,−3, 1)
m2
(0,−1, 0, 0, 0, 0)
m4
(0, 0,−2, 0, 0, 0)
m6
(0, 0, 0, 3, 0, 0)
Figure: Constructed WSHA for set {1, 2,−3}
– Schedulability: Reachability to the last strongly connected component andmulti-mode scheduling there
Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28
Temporal Logic Model Checking
LTL Model Checking: Just the best !
Theorem
The LTL model-checking problem for WSHA is PSPACE-complete.
– LTL property φ → Buchi automata A¬φ– Product of a weak SHA H and A¬φ remains WSHA (since variables occur only
in the WSHA).
– Standard polynomial space algorithm can be used.
– PSPACE-hardness of the problem follows from PSPACE-completeness of LTLmodel checking over finite automata
CTL Model Checking: Not so easy !
Theorem
CTL model checking of weak SHAs with two clock variables is PSPACE-hard.
– Polynomial reduction from subset-sum games
– Decidability: still open
Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28
Temporal Logic Model Checking
LTL Model Checking: Just the best !
Theorem
The LTL model-checking problem for WSHA is PSPACE-complete.
– LTL property φ → Buchi automata A¬φ– Product of a weak SHA H and A¬φ remains WSHA (since variables occur only
in the WSHA).
– Standard polynomial space algorithm can be used.
– PSPACE-hardness of the problem follows from PSPACE-completeness of LTLmodel checking over finite automata
CTL Model Checking: Not so easy !
Theorem
CTL model checking of weak SHAs with two clock variables is PSPACE-hard.
– Polynomial reduction from subset-sum games
– Decidability: still open
Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28
Temporal Logic Model Checking
LTL Model Checking: Just the best !
Theorem
The LTL model-checking problem for WSHA is PSPACE-complete.
– LTL property φ → Buchi automata A¬φ– Product of a weak SHA H and A¬φ remains WSHA (since variables occur only
in the WSHA).
– Standard polynomial space algorithm can be used.
– PSPACE-hardness of the problem follows from PSPACE-completeness of LTLmodel checking over finite automata
CTL Model Checking: Not so easy !
Theorem
CTL model checking of weak SHAs with two clock variables is PSPACE-hard.
– Polynomial reduction from subset-sum games
– Decidability: still open
Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28
Temporal Logic Model Checking
LTL Model Checking: Just the best !
Theorem
The LTL model-checking problem for WSHA is PSPACE-complete.
– LTL property φ → Buchi automata A¬φ– Product of a weak SHA H and A¬φ remains WSHA (since variables occur only
in the WSHA).
– Standard polynomial space algorithm can be used.
– PSPACE-hardness of the problem follows from PSPACE-completeness of LTLmodel checking over finite automata
CTL Model Checking: Not so easy !
Theorem
CTL model checking of weak SHAs with two clock variables is PSPACE-hard.
– Polynomial reduction from subset-sum games
– Decidability: still open
Krishna S., Umang Mathur, Ashutosh Trivedi – 27 of 28
WSHAs are JUST Decidable
WSHA is on the forefronts of decidability. Tweaking the model in the hope toimprove expressiveness can lead to undecidability !
Theorem
The reachability problem is undecidable for three variable WSHAs with discreteupdates.
Theorem
The reachability problem is undecidable for CMS with three variables and oneunrestricted clock.
Krishna S., Umang Mathur, Ashutosh Trivedi – 27 of 28
WSHAs are JUST Decidable
WSHA is on the forefronts of decidability. Tweaking the model in the hope toimprove expressiveness can lead to undecidability !
Theorem
The reachability problem is undecidable for three variable WSHAs with discreteupdates.
Theorem
The reachability problem is undecidable for CMS with three variables and oneunrestricted clock.
Krishna S., Umang Mathur, Ashutosh Trivedi – 27 of 28
WSHAs are JUST Decidable
WSHA is on the forefronts of decidability. Tweaking the model in the hope toimprove expressiveness can lead to undecidability !
Theorem
The reachability problem is undecidable for three variable WSHAs with discreteupdates.
Theorem
The reachability problem is undecidable for CMS with three variables and oneunrestricted clock.
Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28
Summary and Future Work
– WSHAs as a subclass of Hybrid automata.
– Efficient model : Reachability, Schedulability and LTL Model Checking areDecidable
– Slight extensions can lead to undecidability in results
– Future work– Decidability of CTL Model Checking for this problem is still unsolved– Games on WSHA and restrictions on WSHA– CEGAR framework : Approximate modeling of arbitrary SHA using WSHA.
Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28
Summary and Future Work
– WSHAs as a subclass of Hybrid automata.
– Efficient model : Reachability, Schedulability and LTL Model Checking areDecidable
– Slight extensions can lead to undecidability in results
– Future work– Decidability of CTL Model Checking for this problem is still unsolved– Games on WSHA and restrictions on WSHA– CEGAR framework : Approximate modeling of arbitrary SHA using WSHA.
Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28
Summary and Future Work
– WSHAs as a subclass of Hybrid automata.
– Efficient model : Reachability, Schedulability and LTL Model Checking areDecidable
– Slight extensions can lead to undecidability in results
– Future work– Decidability of CTL Model Checking for this problem is still unsolved– Games on WSHA and restrictions on WSHA– CEGAR framework : Approximate modeling of arbitrary SHA using WSHA.
Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28
Summary and Future Work
– WSHAs as a subclass of Hybrid automata.
– Efficient model : Reachability, Schedulability and LTL Model Checking areDecidable
– Slight extensions can lead to undecidability in results
– Future work– Decidability of CTL Model Checking for this problem is still unsolved– Games on WSHA and restrictions on WSHA– CEGAR framework : Approximate modeling of arbitrary SHA using WSHA.