University of Illinois at Urbana-Champaign
Lecture 6: Reachability Analysis of Timed and Hybrid Automata
Sayan Mitra
Special Classes of Hybrid Automata
– Timed Automata
– Rectangular Initialized HA
– Rectangular HA
– Linear HA
– Nonlinear HA
Clocks and Clock Constraints [Alur and Dill 1991]
• A clock variable x is a continuous (analog) variable of type Real such that along any trajectory τ of x, for all t ∈ τ.dom, τ(t)⌈x = τ(0)⌈x + t.
• That is, d(x) = 1.
• For a set X of clock variables, the set Φ(X) of integral clock constraints is the set of expressions defined by the syntax g ::= x ≤ q | x ≥ q | ¬g | g1 ∧ g2, where x ∈ X and q ∈ ℤ.
• Examples: x = 10; x ∈ [2, 5); true are valid clock constraints (the first two are abbreviations built from ≤, ≥, ¬ and ∧).
• Semantics of clock constraints: [g] is the set of clock valuations (states restricted to X) that satisfy g.
Integral Timed Automata [Alur and Dill 1991]
Definition. An integral timed automaton (ITA) is a HIOA 𝓐 = ⟨V, Q, Θ, A, 𝒟, 𝒯⟩ where
– V = X ∪ {loc}, where X is a set of n clocks and loc is a discrete state variable of finite type L
– A is a finite set of actions
– 𝒟 is a set of transitions such that
  • the guards are described by integral clock constraints in Φ(X)
  • (x, l) −a→ (x′, l′) implies, for each clock, either x′ = x or x′ = 0 (a transition may reset a clock to 0, but not to any other value)
– 𝒯 is the set of clock trajectories for the clock variables in X
Example: Light switch

  automaton Switch
    variables internal x, y: Real := 0, loc: {on, off} := off
    transitions
      internal push
        pre x ≥ 2
        eff if loc = off then y := 0 fi; x := 0; loc := on
      internal pop
        pre y = 15 ∧ loc = on
        eff x := 0; loc := off
    trajectories
      invariant loc = on ∨ loc = off
      stop when y = 15 ∧ loc = on
      evolve d(x) = 1; d(y) = 1

Description: the switch can be turned on (push) whenever at least 2 time units have elapsed since the last push or pop (both reset x). It switches off (pop) automatically 15 time units after it was last turned on: y is reset only when push finds the switch off, and the stop-when condition forces pop as soon as y reaches 15 while the switch is on.
Control State (Location) Reachability Problem
• Given an ITA, check if a particular location is reachable from the initial states.
• This problem is decidable.
• Key idea:
  – Construct a finite state machine that is time-abstract bisimilar to the ITA
  – Check reachability in the FSM
A Simulation Relation with a Finite Quotient
When do two states x1 and x2 in Q behave identically? Let c_y be the maximum constant that clock y is compared with in any guard of 𝓐. Define x1 ≈ x2 iff
• x1.loc = x2.loc, and
• x1 and x2 satisfy the same set of clock constraints, i.e.
  – for each clock y, either int(x1.y) = int(x2.y), or both x1.y > c_y and x2.y > c_y;
  – for each clock y with x1.y ≤ c_y, frac(x1.y) = 0 iff frac(x2.y) = 0;
  – for any two clocks y and z with x1.y ≤ c_y and x1.z ≤ c_z, frac(x1.y) ≤ frac(x1.z) iff frac(x2.y) ≤ frac(x2.z).
Lemma. ≈ is an equivalence relation on Q.
The classes of the partition of Q induced by ≈ are called clock regions.
Region Automaton
• The ITA (through its clock constants) defines the clock regions.
• Now we add the "appropriate transitions" between the regions to create a finite automaton that is a time-abstract bisimulation of the ITA with respect to control state reachability:
  – Time successors: for two clock regions γ and γ′, γ′ is a time successor of γ if there exists a trajectory of the ITA starting in γ that ends in γ′.
  – Discrete transitions: same as in the ITA.
• Number of clock regions (per location): at most |X|! · 2^|X| · ∏_{x ∈ X} (2c_x + 2)
[Figure: the ITA and its corresponding finite (region) automaton]
• This bound increases drastically with the number of clocks.
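The region construction above, carried out in code as an added example (not from the slides): the region key of a state is computed from the three equivalence conditions, time and discrete successors are enumerated region by region, and control state reachability is answered for the light switch ITA. Function names such as region_key, time_successor and light_switch are this example's own; the automaton's locations, clocks and constants are the slide's.

```python
"""Control state reachability for an integral timed automaton via clock regions.

Added example, not code from the lecture.  A region is stored through one
representative valuation; this is sound because all states of a region are
time-abstract bisimilar, and guards/invariants only compare clocks with
integers up to c_x, so they are constant on each region.
"""
from collections import deque
from fractions import Fraction
from math import factorial, prod


class IntegralTimedAutomaton:
    def __init__(self, clocks, init_loc, max_const, invariant, transitions):
        self.clocks = list(clocks)
        self.init_loc = init_loc
        self.max_const = dict(max_const)      # c_x: largest constant clock x is compared with
        self.invariant = invariant            # (loc, valuation) -> bool; time passes only while true
        self.transitions = list(transitions)  # (src, guard(valuation) -> bool, clocks reset to 0, tgt)


def region_key(ita, loc, v):
    """Canonical name of the clock region of (loc, v): integer parts of clocks
    below their c_x, the zero-fraction pattern, and the ordering of fractions."""
    small = [x for x in ita.clocks if v[x] <= ita.max_const[x]]
    frac = {x: v[x] - int(v[x]) for x in small}
    ints = tuple(int(v[x]) if x in frac else None for x in ita.clocks)   # None: x > c_x
    zero = tuple(frac[x] == 0 if x in frac else None for x in ita.clocks)
    order = tuple(frac[y] <= frac[z] for y in small for z in small)
    return (loc, ints, zero, order)


def time_successor(ita, v):
    """Representative of the immediate time-successor region, or None when every
    clock already exceeds its maximum constant (that region is its own only time
    successor).  If some relevant clock sits on an integer, a delay shorter than
    the gap to the next integer moves it off; otherwise the clocks with the
    largest fraction advance to the next integer first."""
    fracs = [v[x] - int(v[x]) for x in ita.clocks if v[x] <= ita.max_const[x]]
    if not fracs:
        return None
    gap = 1 - max(fracs)
    delay = gap / 2 if min(fracs) == 0 else gap
    return {x: v[x] + delay for x in ita.clocks}


def reachable_regions(ita):
    """BFS over the region automaton; returns {region_key: representative state}."""
    init = (ita.init_loc, {x: Fraction(0) for x in ita.clocks})
    seen = {region_key(ita, *init): init}
    queue = deque([init])
    while queue:
        loc, v = queue.popleft()
        succs = []
        nxt = time_successor(ita, v)
        if nxt is not None and ita.invariant(loc, nxt):
            succs.append((loc, nxt))
        for src, guard, resets, tgt in ita.transitions:
            if src == loc and guard(v):
                succs.append((tgt, {x: Fraction(0) if x in resets else v[x] for x in ita.clocks}))
        for state in succs:
            key = region_key(ita, *state)
            if key not in seen:
                seen[key] = state
                queue.append(state)
    return seen


def reachable(ita, predicate):
    """True iff some reachable region satisfies predicate(loc, valuation); the
    predicate must itself be a clock constraint over the automaton's constants."""
    return any(predicate(loc, v) for loc, v in reachable_regions(ita).values())


def location_reachable(ita, target):
    return reachable(ita, lambda loc, _: loc == target)


def region_bound(ita):
    """The slide's bound on the number of clock regions: |X|! 2^|X| prod (2 c_x + 2)."""
    n = len(ita.clocks)
    return factorial(n) * 2 ** n * prod(2 * c + 2 for c in ita.max_const.values())


def light_switch():
    """The slide's Switch ITA: push turns the light on once >= 2 units have passed
    since the last push or pop; pop turns it off exactly 15 units after the last
    time it went on (stop when y = 15 /\\ loc = on)."""
    def invariant(loc, v):
        return loc != 'on' or v['y'] <= 15
    transitions = [
        ('off', lambda v: v['x'] >= 2, {'x', 'y'}, 'on'),   # push while off: start the 15-unit timer
        ('on', lambda v: v['x'] >= 2, {'x'}, 'on'),         # push while on: y keeps running
        ('on', lambda v: v['y'] == 15, {'x'}, 'off'),       # pop
    ]
    return IntegralTimedAutomaton(['x', 'y'], 'off', {'x': 2, 'y': 15}, invariant, transitions)


if __name__ == '__main__':
    sw = light_switch()
    print(len(reachable_regions(sw)), 'reachable regions; bound per location', region_bound(sw))
    print('on reachable:', location_reachable(sw, 'on'))
    print('still on past 15 units:', reachable(sw, lambda l, v: l == 'on' and v['y'] > 15))
```

For Switch the bound is 2! · 2² · (2·2 + 2)(2·15 + 2) = 1536 regions per location; the BFS only visits those consistent with the stop-when condition and the reset pattern. The safety query "the light is still on more than 15 units after it went on" comes back false because no time successor of the region y = 15 in location on satisfies the invariant.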
Clocks and Rational Clock Constraints
• A clock variable x is a continuous (analog) variable of type Real such that along any trajectory τ of x, for all t ∈ τ.dom, τ(t)⌈x = τ(0)⌈x + t.
• For a set X of clock variables, the set Φ(X) of rational clock constraints is the set of expressions defined by the syntax g ::= x ≤ q | x ≥ q | ¬g | g1 ∧ g2, where x ∈ X and q ∈ ℚ.
• Examples: x = 10.125; x ∈ [2.99, 5); true are valid rational clock constraints.
• Semantics of clock constraints: [g] is the set of clock valuations that satisfy g.
Step 1. Rational Timed Automata
• Definition. A rational timed automaton (RTA) is a HA 𝓐 = ⟨V, Q, Θ, A, 𝒟, 𝒯⟩ where
  – V = X ∪ {loc}, where X is a set of n clocks and loc is a discrete state variable of finite type L
  – A is a finite set of actions
  – 𝒟 is a set of transitions such that
    • the guards are described by rational clock constraints in Φ(X)
    • (x, l) −a→ (x′, l′) implies, for each clock, either x′ = x or x′ = 0
  – 𝒯 is the set of clock trajectories for the clock variables in X
Example: Rational light switch. The switch can be turned on whenever at least 2.25 time units have elapsed since the last turn off or on. It switches off automatically 15.5 time units after the last on.

  automaton Switch
    internal push; pop
    variables internal x, y: Real := 0, loc: {on, off} := off
    transitions
      push
        pre x ≥ 2.25
        eff if loc = off then y := 0 fi; x := 0; loc := on
      pop
        pre y = 15.5 ∧ loc = on
        eff x := 0; loc := off
    trajectories
      invariant loc = on ∨ loc = off
      stop when y = 15.5 ∧ loc = on
      evolve d(x) = 1; d(y) = 1
Control State (Location) Reachability Problem
• Given an RTA, check if a particular location is reachable from the initial states.
• Is the problem decidable? Yes.
• Key idea:
  – Construct an ITA that is time-abstract bisimilar to the given RTA
  – Check CSR for the ITA
Construction of ITA from RTA
• Multiply all rational constants by a factor q that makes them integral (for Switch, q = 4: 2.25 · 4 = 9 and 15.5 · 4 = 62).
• Make d(x) = q for all the clocks.
• RTA Switch is bisimilar to ITA ISwitch.
• The simulation relation R is given by (u, s) ∈ R iff u.loc = s.loc, u.x = 4 s.x and u.y = 4 s.y, where u is a state of ISwitch and s a state of Switch.
• Scaling the rates together with the constants keeps the two automata in lock step in real time. Scaling only the constants and keeping d(x) = 1 gives an automaton with unit-rate clocks that is time-abstract bisimilar to Switch, which is all that control state reachability needs.

  automaton ISwitch
    internal push; pop
    variables internal x, y: Real := 0, loc: {on, off} := off
    transitions
      push
        pre x ≥ 9
        eff if loc = off then y := 0 fi; x := 0; loc := on
      pop
        pre y = 62 ∧ loc = on
        eff x := 0; loc := off
    trajectories
      invariant loc = on ∨ loc = off
      stop when y = 62 ∧ loc = on
      evolve d(x) = 4; d(y) = 4
Step 2. Multi-Rate Automaton
• Definition. A multi-rate automaton (MRA) is 𝓐 = ⟨V, Q, Θ, A, 𝒟, 𝒯⟩ where
  – V = X ∪ {loc}, where X is a set of n continuous variables and loc is a discrete state variable of finite type L
  – A is a finite set of actions
  – 𝒟 is a set of transitions such that
    • the guards are described by rational clock constraints in Φ(X)
    • (x, l) −a→ (x′, l′) implies, for each variable, either x′ = c for a constant c or x′ = x
  – 𝒯 is a set of trajectories such that for each variable x ∈ X there exists a rate k_x such that for all τ ∈ 𝒯 and t ∈ τ.dom,
    τ(t).x = τ(0).x + k_x t
Control State (Location) Reachability Problem
• Given an MRA, check if a particular location is reachable from the initial states.
• Is the problem decidable? Yes.
• Key idea:
  – Construct an RTA that is bisimilar to the given MRA: rescale each variable by its rate, x ↦ x/k_x, so that every variable becomes a unit-rate clock; the constants in guards and resets are divided by k_x, and inequalities flip when k_x < 0
  – Check CSR for the RTA as in Step 1
[Figure: example converting a multi-rate automaton to a rational TA]
Step 3. Rectangular HA
Definition. A rectangular hybrid automaton (RHA) is a HA 𝓐 = ⟨V, A, 𝒯, 𝒟⟩ where
– V = X ∪ {loc}, where X is a set of n continuous variables and loc is a discrete state variable of finite type L
– A is a finite set of actions
– 𝒯 = ∪_ℓ 𝒯_ℓ is the set of trajectories for X
  • For each τ ∈ 𝒯_ℓ and x ∈ X, either (i) d(x) = k_ℓ or (ii) d(x) ∈ [k_ℓ1, k_ℓ2]
  • Equivalently, (i) τ(t)⌈x = τ(0)⌈x + k_ℓ t
    (ii) τ(0)⌈x + k_ℓ1 t ≤ τ(t)⌈x ≤ τ(0)⌈x + k_ℓ2 t
– 𝒟 is a set of transitions such that
  • guards are described by rational clock constraints
  • (x, l) −a→ (x′, l′) implies, for each variable, x′ = x or x′ ∈ [c1, c2]
CSR Decidable for RHA?
• Given an RHA, check if a particular location is reachable from the initial states.
• Is this problem decidable? No.
  – [HKPV95] Thomas Henzinger, Peter Kopke, Anuj Puri, and Pravin Varaiya. What's Decidable About Hybrid Automata? In Proceedings of the 27th ACM Symposium on Theory of Computing (STOC), pages 373–382. ACM Press, 1995. Journal version in Journal of Computer and System Sciences, 1998.
  – CSR for RHA is shown undecidable by a reduction from the halting problem for 2-counter machines
  – The halting problem for 2CM is known to be undecidable
  – Reduction in the next lecture
Step 4. Initialized Rectangular HA
Definition. An initialized rectangular hybrid automaton (IRHA) is an RHA 𝓐 where
– V = X ∪ {loc}, where X is a set of n continuous variables and loc is a discrete state variable of finite type L
– A is a finite set of actions
– 𝒯 = ∪_ℓ 𝒯_ℓ is the set of trajectories for X
  • For each τ ∈ 𝒯_ℓ and x ∈ X, either (i) d(x) = k_ℓ or (ii) d(x) ∈ [k_ℓ1, k_ℓ2]
  • Equivalently, (i) τ(t)⌈x = τ(0)⌈x + k_ℓ t
    (ii) τ(0)⌈x + k_ℓ1 t ≤ τ(t)⌈x ≤ τ(0)⌈x + k_ℓ2 t
– 𝒟 is a set of transitions such that
  • guards are described by rational clock constraints
  • (x, l) −a→ (x′, l′) implies: if the dynamics of x change from ℓ to ℓ′ then x′ ∈ [c1, c2] (x must be reset); otherwise x′ = x or x′ ∈ [c1, c2] as in an RHA
Example: Rectangular Initialized HA
[Figure: three locations. Location 1: d(x1) = k1, d(x2) = k2. Location 2: d(x1) = k1′, d(x2) = k2. Location 3: d(x1) ∈ [a, b], d(x2) = k3. Transition 1 → 2: Pre x1 ≥ G ∧ x2 ≤ G, Eff x1 := 0 (only the dynamics of x1 change, so only x1 must be reset). Transition 2 → 3: the dynamics of both x1 and x2 change, so both have to be reset: Eff x1, x2 ∈ [c, d].]
CSR Decidable for IRHA?
• Given an IRHA, check if a particular location is reachable from the initial states.
• Is this problem decidable? Yes.
• Key idea:
  – Construct a 2n-dimensional initialized singular (multi-rate) automaton that is bisimilar to the given IRHA
  – Construct an ITA that is bisimilar to the singular automaton (Steps 2 and 1)
Split every variable into two variables tracking the lower and upper bound of the values it may take:

  IRHA                          Initialized singular (multi-rate) automaton
  x                             x_l ; x_u
  Evolve: d(x) ∈ [a1, b1]       Evolve: d(x_l) = a1; d(x_u) = b1
  Eff: x′ ∈ [a1, b1]            Eff: x_l := a1; x_u := b1
  Eff: x′ = c                   Eff: x_l := c; x_u := c
  Guard: x ≥ 5                  Guard: x_l ≥ 5 (no reset), or
                                Guard: x_l < 5 ∧ x_u ≥ 5, Eff: x_l := 5
Example IRHA
[Figure: four locations with rectangular dynamics]
  v1: d(c) ∈ [1, 3],   d(d) ∈ [−3, −2]
  v2: d(c) ∈ [−4, −2], d(d) ∈ [−3, −2]
  v3: d(c) ∈ [−4, −2], d(d) ∈ [1, 2]
  v4: d(c) ∈ [1, 3],   d(d) ∈ [1, 2]
Initially in v1 with c := 0; d := 1.
Transitions (each one resets exactly the variable whose dynamics change, as initialization requires):
  v1 → v2: c ≤ 5 ∧ d ≤ −3;   c := 4
  v2 → v3: d ≤ −5;           d := −4
  v3 → v4: c ≥ −3 ∧ d ≤ −2;  c ∈ [−2, −1]
  v4 → v1: c ≥ 0 ∧ d ≤ 2;    d := 1
Initialized Singular HA
Locations (each variable split into its lower and upper bound):
  v1: d(c_l) = 1,  d(c_u) = 3,  d(d_l) = −3, d(d_u) = −2
  v2: d(c_l) = −4, d(c_u) = −2, d(d_l) = −3, d(d_u) = −2
  v3: d(c_l) = −4, d(c_u) = −2, d(d_l) = 1,  d(d_u) = 2
  v4: d(c_l) = 1,  d(c_u) = 3,  d(d_l) = 1,  d(d_u) = 2
Initially c_l, c_u := 0; d_l, d_u := 1.

Transitions
[Figure: the v1 → v2 guard c ≤ 5 ∧ d ≤ −3 drawn on number lines, with the pairs c_l, c_u and d_l, d_u against the constants 5 and −3]
The guard c ≤ 5 ∧ d ≤ −3 of v1 → v2 splits into two transitions. Since c is reset anyway, c ≤ 5 only has to be satisfiable by some value in [c_l, c_u], i.e. c_l ≤ 5. d is not reset, so either d_u ≤ −3 (no reset), or d_u > −3 ∧ d_l ≤ −3, in which case the values of d that pass the guard are [d_l, −3] and d_u := −3.
  v1 → v2: c_l ≤ 5 ∧ d_u ≤ −3;               c_l, c_u := 4
  v1 → v2: c_l ≤ 5 ∧ d_l ≤ −3 ∧ d_u > −3;     c_l, c_u := 4; d_u := −3
  v2 → v3: d_l ≤ −5;                          d_l, d_u := −4
  v3 → v4: c_u ≥ −3 ∧ d_u ≤ −2;               c_l := −2; c_u := −1
  v3 → v4: c_u ≥ −3 ∧ d_l ≤ −2 ∧ d_u > −2;    c_l := −2; c_u := −1; d_u := −2
  v4 → v1: c_l ≥ 0 ∧ d_l ≤ 2;                 d_l, d_u := 1
  v4 → v1: c_l < 0 ∧ c_u ≥ 0 ∧ d_l ≤ 2;       c_l := 0; d_l, d_u := 1
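The reductions of Steps 1, 2 and 4 (rational constants to integers, rates to unit clocks, rectangular variables to lower/upper bound pairs) as one added Python example; this is not code from the lecture. The model format (per-location derivative intervals, transitions as (source, guard, resets, target)) and the function names are this example's own; the light switch constants and the v1 → v2 transition of the IRHA example are the slide's. The split follows the slide's table, extended to ≤ and = guards; when the transition resets the variable anyway only satisfiability of the guard matters and no bound is snapped, which is the simplification the slide applies to c ≤ 5 in v1 → v2.

```python
"""Reduction chain IRHA -> initialized singular HA -> rational TA -> integral TA.

Added example, not code from the lecture.  A model is (rates, transitions):
rates[loc][x] = (lo, hi) is the derivative interval of x in loc (lo == hi for
singular dynamics); a transition is (src, guard, resets, tgt) with guard a list
of atoms (x, op, const) and resets a dict x -> (lo, hi).
"""
from fractions import Fraction as Fr
from itertools import product
from math import lcm

FLIP = {'<=': '>=', '>=': '<=', '<': '>', '>': '<', '=': '='}


def split_irha(rates, transitions):
    """Step 4: x becomes x_l, x_u (bounds of the set of values x may have)."""
    def options(x, op, c, reset_anyway):
        l, u = x + '_l', x + '_u'
        if op not in ('>=', '<=', '='):
            raise ValueError(f'unsupported guard operator {op}')
        if reset_anyway:   # some value in [x_l, x_u] must satisfy the guard; nothing to snap
            return [({'>=': [(u, '>=', c)], '<=': [(l, '<=', c)],
                      '=': [(l, '<=', c), (u, '>=', c)]}[op], {})]
        if op == '>=':     # x_l >= c, or c inside [x_l, x_u]: surviving values are [c, x_u]
            return [([(l, '>=', c)], {}), ([(l, '<', c), (u, '>=', c)], {l: (c, c)})]
        if op == '<=':
            return [([(u, '<=', c)], {}), ([(u, '>', c), (l, '<=', c)], {u: (c, c)})]
        return [([(l, '<=', c), (u, '>=', c)], {l: (c, c), u: (c, c)})]

    new_rates = {loc: {} for loc in rates}
    for loc, r in rates.items():
        for x, (a, b) in r.items():            # d(x) in [a, b]  ->  d(x_l) = a, d(x_u) = b
            new_rates[loc][x + '_l'], new_rates[loc][x + '_u'] = (a, a), (b, b)
    new_trans = []
    for src, guard, resets, tgt in transitions:
        for choice in product(*(options(x, op, c, x in resets) for x, op, c in guard)):
            g = [atom for atoms, _ in choice for atom in atoms]
            eff = {}
            for _, snap in choice:
                eff.update(snap)
            for x, (a, b) in resets.items():   # x' in [a, b]  ->  x_l := a, x_u := b
                eff[x + '_l'], eff[x + '_u'] = (a, a), (b, b)
            new_trans.append((src, g, eff, tgt))
    return new_rates, new_trans


def rates_to_clocks(rates, transitions):
    """Step 2: in location loc replace z by z / k_loc, so all rates become 1.
    A negative rate flips inequalities.  Initialization (a rate change across a
    transition comes with a reset) is what makes this rescaling sound."""
    def rate(loc, z):
        lo, hi = rates[loc][z]
        if lo != hi or lo == 0:
            raise ValueError(f'{z} in {loc} has no nonzero singular rate')
        return Fr(lo)
    new_trans = []
    for src, guard, resets, tgt in transitions:
        for z in rates[src]:
            if z not in resets and rate(src, z) != rate(tgt, z):
                raise ValueError(f'{z} changes rate on {src}->{tgt} without a reset')
        g = [(z, FLIP[op] if rate(src, z) < 0 else op, Fr(c) / rate(src, z)) for z, op, c in guard]
        eff = {z: (Fr(c) / rate(tgt, z),) * 2 for z, (c, _) in resets.items()}
        new_trans.append((src, g, eff, tgt))
    return {loc: {z: (Fr(1), Fr(1)) for z in r} for loc, r in rates.items()}, new_trans


def integralize(rates, transitions):
    """Step 1: multiply every constant by q = lcm of the denominators and run all
    clocks at rate q (the slide's construction; Switch gives q = 4)."""
    consts = [Fr(c) for _, g, _, _ in transitions for _, _, c in g]
    consts += [Fr(c) for _, _, r, _ in transitions for c, _ in r.values()]
    q = lcm(*(c.denominator for c in consts))
    new_trans = [(src, [(z, op, Fr(c) * q) for z, op, c in g],
                  {z: (Fr(c) * q,) * 2 for z, (c, _) in r.items()}, tgt)
                 for src, g, r, tgt in transitions]
    return {loc: {z: (Fr(q), Fr(q)) for z in r} for loc, r in rates.items()}, new_trans, q


def rational_switch():
    """The slide's rational light switch (push from off, push while on, pop)."""
    rates = {loc: {'x': (1, 1), 'y': (1, 1)} for loc in ('on', 'off')}
    transitions = [('off', [('x', '>=', Fr('2.25'))], {'x': (0, 0), 'y': (0, 0)}, 'on'),
                   ('on', [('x', '>=', Fr('2.25'))], {'x': (0, 0)}, 'on'),
                   ('on', [('y', '=', Fr('15.5'))], {'x': (0, 0)}, 'off')]
    return rates, transitions


def irha_v1_v2():
    """The v1 -> v2 transition of the slide's IRHA example: c <= 5 /\\ d <= -3, c := 4."""
    rates = {'v1': {'c': (1, 3), 'd': (-3, -2)}, 'v2': {'c': (-4, -2), 'd': (-3, -2)}}
    return rates, [('v1', [('c', '<=', 5), ('d', '<=', -3)], {'c': (4, 4)}, 'v2')]


def switch_as_ita():
    return integralize(*rates_to_clocks(*rational_switch()))


if __name__ == '__main__':
    print(switch_as_ita())                      # guards x >= 9, y = 62; all rates 4
    print(integralize(*rates_to_clocks(*split_irha(*irha_v1_v2()))))
```

Running the v1 → v2 transition through all three steps shows the negative rates at work: d ≤ −3 in v1, where d(d_u) = −2, becomes d_u ≥ 3/2 on the rescaled clock, and the reset c := 4 into v2 becomes c_l := −1, c_u := −2 because c_l and c_u run at rates −4 and −2 there. rates_to_clocks rejects a rate change that is not accompanied by a reset; dropping that check is exactly the step that leaves general RHA, where CSR is undecidable.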
Can this be further generalized?
• For initialized rectangular HA, control state reachability is decidable.
  – Can we drop the initialization restriction? No, the problem becomes undecidable.
  – Can we drop the rectangular restriction? No, the problem becomes undecidable.
  – Tune in in a week.
Data structures for representing sets
• Hyperrectangles: [g1; g2] = {x ∈ ℝ^n : g1,i ≤ x_i ≤ g2,i for all i} = ∏_i [g1,i, g2,i]
• Polyhedra
• Zonotopes
• Ellipsoids
• Support functions
Verification in tools
Reachability computation with polyhedra
• A set of states is represented by a disjunction of linear inequalities:
  (loc = l1 ∧ A1 x ≤ b1) ∨ (loc = l2 ∧ A2 x ≤ b2) ∨ ⋯
• The Post(·, ·) computation is performed symbolically using quantifier elimination. For example, with d(x) = k and k > 0, Post([a1, a2]) = {x : ∃t ≥ 0. a1 + kt ≤ x ≤ a2 + kt} = [a1, ∞): a state is reachable if there exists a time at which we reach it.
[Figure: portion of the Navigation benchmark]
Summary
• ITA: (very) restricted class of hybrid automata
  – Clocks, integer constraints
  – No clock comparison, linear dynamics
• Control state reachability with Alur-Dill's algorithm (region automaton construction)
  – Construct a finite bisimulation (region automaton)
  – The idea is to lump together states that behave similarly and reduce the size of the model
• Rational coefficients
• Multi-rate automata
• Initialized rectangular hybrid automata
• HyTech and PHAVer use polyhedral reachability computations
• The UPPAAL model checker is based on a similar model of timed automata