
Action and Predicate Safety of Hybrid Processes

Pieter Cuijpers, Michel Reniers

Overview

• HyPA
• Process representations
• Two levels of abstraction
• Specification of Safety
• Congruence
• Safety analysis of hybrid processes
• Conclusions

HyPA syntax

• termination
• deadlock
• action (discrete action)
• c: flow clause (V|Pred)
• d >> P, b >> P: re-initialization clause [V|Pred]
• P P: alternative composition
• P P: sequential composition
• P P, P P: disrupt
• P || P, P P, P P: parallel composition
• H(P), Pred(P): encapsulation

Hybrid automaton representation

Xi ci jJ(i) dj >> actionj Xj

HA iI d’i >> Xi

(Figure: a hybrid automaton location with flow ci and outgoing edges d1, d2.)

Constitutive hybrid process representation

Xi (jJ(i) dj >> cj) Xi

(jJ’(i) bj >> actionj) Xi

CHP ||iI Xi

State-space representation (linear hybrid process definition)

Xi jJ(i) dj >>

jJ’(i) dj >> actionj Xj

jJ’’(i) dj >> cj Xj

SSR Xinit

Two levels of abstraction

• On the lowest level of abstraction, HyPA is aimed at giving different representations of the same system.

• At a higher level of abstraction, HyPA can also be used to analyse, for example, safety properties.

Two levels of abstraction

Robust Bisimilarity

Initially stateless bisimilarity=

X Y implies X = Y

Robust bisimilarity

x x x y y x

x (y z) (x y) zx x x

x x (y z) (x y) z (x y) z (x z) (y z)

x y x y y x x

x (y z) (x y) z (x y) z (x z) (y z)d >> (x y) (d >> x) (d >> y)H(x y) H(x) H(y)

etc. etc. etc.

Initially stateless bisimilarity

d >> action x = d >> action d! >> x

d >> c x = d >> c (d D(c))! >> x

Specification of Safety

Safety for actions: X = H(X)

Safety for predicates: X = Pred(X)

Congruence

X [x|x+ = 0] >> a1 a2

Y [x|x+ = 0] >> a1 [x- = 0] >> a2

Z [x|x+ = 1] >> a3

X = Y

X || Z Y || Z

Predicate safety of a state-space repr.

When do we have SSR = Pred(SSR)?

Create a re-initialization for every recursion variable, signifying its reachable set:

[true] = Rinit

(Ri dj)! Rj for all i and all jJ’(i)

(Ri dj D(cj))! Rj for all i and all jJ’’(i)

When do we have Ri >> Xi = Pred(Ri >> Xi), and especially SSR [true] >> Xinit = Pred([true] >> Xinit) Pred(SSR)?

Step 1 (unfold the definition of Xi):

Ri >> Xi Ri >> (jJ(i) dj >>
jJ’(i) dj >> actionj Xj
jJ’’(i) dj >> cj Xj)

Step 2 (move the re-initialization Ri into every summand, where it combines with dj):

Ri >> Xi jJ(i) (Ri dj) >>
jJ’(i) (Ri dj) >> actionj Xj
jJ’’(i) (Ri dj) >> cj Xj

Step 3 (insert the reachable-set re-initialization Rj in front of every Xj):

Ri >> Xi = jJ(i) (Ri dj) >>
jJ’(i) (Ri dj) >> actionj (Rj >> Xj)
jJ’’(i) (Ri dj) >> cj (Rj >> Xj)

Step 4 (apply Pred to both sides; steps 1 to 3 go through unchanged under Pred):

Pred(Ri >> Xi) Pred (Ri >> (jJ(i) dj >>
jJ’(i) dj >> actionj Xj
jJ’’(i) dj >> cj Xj))

Pred(Ri >> Xi) Pred (jJ(i) (Ri dj) >>
jJ’(i) (Ri dj) >> actionj Xj
jJ’’(i) (Ri dj) >> cj Xj)

Pred(Ri >> Xi) = Pred (jJ(i) (Ri dj) >>
jJ’(i) (Ri dj) >> actionj (Rj >> Xj)
jJ’’(i) (Ri dj) >> cj (Rj >> Xj) )

Step 5 (distribute Pred over the summands and over the sequential compositions):

Pred(Ri >> Xi) = jJ(i) Pred ((Ri dj) >> )
jJ’(i) Pred ((Ri dj) >> actionj ) Pred (Rj >> Xj )
jJ’’(i) Pred ((Ri dj) >> cj ) Pred (Rj >> Xj )

Step 6 (assume safety of the following sub-processes):

Pred ((Ri dj) >> ) = (Ri dj) >>

Pred ((Ri dj) >> actionj ) = (Ri dj) >> actionj

Pred ((Ri dj) >> cj ) = (Ri dj) >> cj

which gives:

Pred(Ri >> Xi) = jJ(i) (Ri dj) >>
jJ’(i) (Ri dj) >> actionj Pred (Rj >> Xj )
jJ’’(i) (Ri dj) >> cj Pred (Rj >> Xj )

So Ri >> Xi and Pred(Ri >> Xi) are both solutions of the state space definition:

Yi = jJ(i) (Ri dj) >> jJ’(i) (Ri dj) >> actionj Pred (Yi) jJ’’(i) (Ri dj) >> cj Pred (Yi )

Thus Ri >> Xi = Pred(Ri >> Xi) and hence SSR = Pred(SSR).
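The reachable-set construction and the two safety notions above can be made concrete on a finite-state abstraction. The following is an added example, not code from the slides or from any HyPA tool: valuations are tuples of small integers over an explicit finite domain, a re-initialization clause d is a relation d(pre, post) so that (R ∧ d)! is the set of post-valuations, and a flow clause is abstracted to a sampled trajectory that may stop at any sample (so D(c)! is every sampled valuation). With these assumptions the constraints [true] = Rinit, (Ri ∧ dj)! ⊆ Rj and (Ri ∧ dj ∧ D(cj))! ⊆ Rj have a least fixpoint, and action safety (X = ∂H(X)) and predicate safety (X = Pred(X)) reduce to checks on the sub-processes (Ri ∧ dj) >> ..., exactly as the derivation assumes. The water tank, its levels and the action names are constructed for this example.

```python
"""Added example: finite-state abstraction of reachable-set re-initializations for a
state-space representation, plus action and predicate safety checks on its sub-processes.
All modelling assumptions (finite integer valuations, sampled flows, relational
re-initializations, the tank system itself) are constructed here, not taken from the slides."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

State = Tuple[int, ...]                       # one valuation of the model variables
Reinit = Callable[[State, State], bool]       # re-initialization clause d(pre, post)
Flow = Callable[[State], List[State]]         # sampled trajectory of a flow clause from a start valuation

@dataclass
class ActionEdge:          # summand j in J'(i):  d_j >> action_j, then X_j
    d: Reinit
    action: str
    target: str

@dataclass
class FlowEdge:            # summand j in J''(i): d_j >> c_j, then X_j
    d: Reinit
    flow: Flow
    target: str

@dataclass
class Variable:            # one recursion variable X_i of the state-space representation
    terminations: List[Reinit] = field(default_factory=list)   # summands j in J(i): d_j >> termination
    actions: List[ActionEdge] = field(default_factory=list)
    flows: List[FlowEdge] = field(default_factory=list)

SSR = Dict[str, Variable]

def post(R: FrozenSet[State], d: Reinit, domain: Iterable[State]) -> FrozenSet[State]:
    """(R ∧ d)!: post-valuations of d starting from some valuation in R."""
    return frozenset(q for p in R for q in domain if d(p, q))

def flow_states(starts: Iterable[State], flow: Flow) -> FrozenSet[State]:
    """(... ∧ D(c))!: every valuation the sampled flow passes through (it may stop anywhere)."""
    return frozenset(s for st in starts for s in flow(st))

def reachable_sets(ssr: SSR, init: str, domain: Iterable[State]) -> Dict[str, FrozenSet[State]]:
    """Least fixpoint of [true] = R_init, (R_i ∧ d_j)! ⊆ R_j, (R_i ∧ d_j ∧ D(c_j))! ⊆ R_j."""
    domain = frozenset(domain)
    R = {name: frozenset() for name in ssr}
    R[init] = domain                          # [true] = R_init: any valuation may start the process
    changed = True
    while changed:                            # terminates: the sets only grow inside a finite domain
        changed = False
        for name, X in ssr.items():
            for e in X.actions:
                new = post(R[name], e.d, domain) - R[e.target]
                if new:
                    R[e.target] |= new
                    changed = True
            for e in X.flows:
                new = flow_states(post(R[name], e.d, domain), e.flow) - R[e.target]
                if new:
                    R[e.target] |= new
                    changed = True
    return R

def action_safe(ssr: SSR, R, H, domain) -> bool:
    """X = ∂_H(X): no action in H is ever enabled from a reachable valuation."""
    return not any(e.action in H and post(R[name], e.d, domain)
                   for name, X in ssr.items() for e in X.actions)

def predicate_safe(ssr: SSR, R, pred, domain) -> bool:
    """X = Pred(X): every reachable sub-process (R_i ∧ d_j) >> ... stays inside pred."""
    for name, X in ssr.items():
        visited = set()
        for d in X.terminations:
            visited |= post(R[name], d, domain)
        for e in X.actions:
            visited |= post(R[name], e.d, domain)
        for e in X.flows:
            visited |= flow_states(post(R[name], e.d, domain), e.flow)
        if not all(pred(s) for s in visited):
            return False
    return True

# --- constructed system: a tank whose level x ranges over 0..10 ------------------------
DOMAIN = [(v,) for v in range(0, 11)]

def keep(p, q):  return q == p                        # [x | x+ = x-]
def set_to(v):   return lambda p, q: q == (v,)        # [x | x+ = v]
def guard(v):    return lambda p, q: p == (v,) == q   # [x- = v], value unchanged

def rise_to(cap: int) -> Flow:      # flow clause "x rises one unit per step while x <= cap"
    return lambda st: [(v,) for v in range(st[0], cap + 1)]

def fall_to(floor: int) -> Flow:    # flow clause "x falls one unit per step while x >= floor"
    return lambda st: [(v,) for v in range(st[0], floor - 1, -1)]

def tank(cap: int) -> SSR:
    return {
        "Init":     Variable(actions=[ActionEdge(set_to(0), "start", "Filling")]),
        "Filling":  Variable(flows=[FlowEdge(keep, rise_to(cap), "Full")]),
        "Full":     Variable(actions=[ActionEdge(guard(7), "close", "Draining"),
                                      ActionEdge(lambda p, q: p[0] >= 9 and q == p, "overflow", "Full")]),
        "Draining": Variable(flows=[FlowEdge(keep, fall_to(2), "Empty")]),
        "Empty":    Variable(actions=[ActionEdge(guard(2), "open", "Filling")]),
    }

SAFE_LEVEL = lambda s: s[0] <= 8    # Pred: the tank level never exceeds 8

def analyse(cap: int):
    """Reachable sets, action safety w.r.t. H = {overflow}, and Pred-safety for the tank."""
    ssr = tank(cap)
    R = reachable_sets(ssr, "Init", DOMAIN)
    return R, action_safe(ssr, R, {"overflow"}, DOMAIN), predicate_safe(ssr, R, SAFE_LEVEL, DOMAIN)

if __name__ == "__main__":
    for cap in (7, 9):
        R, a_safe, p_safe = analyse(cap)
        print(f"cap={cap}: R[Full]={sorted(R['Full'])} action-safe={a_safe} predicate-safe={p_safe}")
```

With the filling flow bounded at level 7 the fixpoint gives R[Full] = {0..7}, the overflow action is never enabled and no sub-process leaves Pred, so SSR = Pred(SSR) holds; raising the bound to 9 makes level 9 reachable in Full, which both enables overflow and violates Pred, so the same check fails. Both checks are exactly the "safety of sub-processes" condition the derivation relies on, and the fixpoint terminates only because the domain is finite, which is the termination and reachable-set problem the conclusions point out.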

Conclusions

• Different model representations.
• Analysis at the cost of congruence for ||
• Safety of state space representations depends on safety of sub-processes.
• Termination of analysis method is a problem
• Calculation of reachable sets is a problem

Future research

• For CHP we have congruence for ||
• Termination using predicate abstraction
• Calculation/approximation of reachable sets
• Algebraic specification of other properties