Soutenance d’habilitation
“From Qualitative to Quantitative Analysisof Timed Systems”
Patricia Bouyer
January 12, 2009
1/48
Introduction
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
2/48
Introduction
Context: verification of timed systems
What are timed systems?
What we want to avoid
; Verification by model-checking
system:
⇒
property:
G (request→F grant)model-checking
algorithm
yes/no
3/48
Introduction
Context: verification of timed systems
What are timed systems?
What we want to avoid; Verification by model-checking
system:
⇒
property:
G (request→F grant)model-checking
algorithm
yes/no
3/48
Introduction
Context: verification of timed systems
What are timed systems?
What we want to avoid
; Verification by model-checking
system:
⇒
property:
G (request→F grant)model-checking
algorithm
yes/no
3/48
Introduction
Context: verification of timed systems
What are timed systems?What we want to avoid
Ariane 5, 1996
Atlanta airport, 2008
Mars climate obs., 1998
Blackout, 2003
Radiotherapy in Toulouse, 2007
Bug Pentium, 1994
; Verification by model-checking
system:
⇒
property:
G (request→F grant)model-checking
algorithm
yes/no
3/48
Introduction
Context: verification of timed systems
What are timed systems?
What we want to avoid
; Verification by model-checking
system:
⇒
property:
G (request→F grant)model-checking
algorithm
yes/no
3/48
Introduction
A running example
4/48
Introduction
A running example: natural questions
Can I reach Pontivy from Oxford?
What is the minimal time to reach Pontivy fromOxford?
What is the minimal fuel consumption to reachPontivy from Oxford?
Can I use my computer all the way?
How likely will I visit Paris and for how long?
...
4/48
Introduction
A first model of the system
Oxford
Pontivy
Dover
Calais
Paris
London
Stansted
Nantes
Poole
St Malo
5/48
Introduction
Can I reach Pontivy from Oxford?
Oxford
Pontivy
Dover
Calais
Paris
London
Stansted
Nantes
Poole
St Malo
This is a reachability question in a finite graph: Yes, I can!
5/48
Introduction
A second model of the system
Oxford
Pontivy
Dover
Calais
Paris
London
Stansted
Nantes
Poole
St Malo
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
6/48
Introduction
How long will that take?
Oxford
Pontivy
Dover
Calais
Paris
London
Stansted
Nantes
Poole
St Malo
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
It is a reachability (and optimization) questionin a timed automaton: at least 350mn = 5h50mn!
6/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe
23−→ safeproblem−−−−−→ alarm
15.6−−→ alarmdelayed−−−−−→ failsafe
x 0
23 0 15.6 15.6 ···
y 0
23 23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40 40
0 2.3 0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe
23−→ safeproblem−−−−−→ alarm
15.6−−→ alarmdelayed−−−−−→ failsafe
x 0
23 0 15.6 15.6 ···
y 0
23 23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40 40
0 2.3 0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23
0 15.6 15.6 ···
y 0 23
23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40 40
0 2.3 0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm
15.6−−→ alarmdelayed−−−−−→ failsafe
x 0 23 0
15.6 15.6 ···
y 0 23 23
38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40 40
0 2.3 0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23 0 15.6
15.6 ···
y 0 23 23 38.6
0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40 40
0 2.3 0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23 0 15.6 15.6 ···
y 0 23 23 38.6 0
failsafe
2.3−−→ failsaferepair−−−−→ repairing
22.1−−→ repairingdone−−−→ safe
··· 15.6
17.9 17.9 40 40
0
2.3 0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23 0 15.6 15.6 ···
y 0 23 23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9
17.9 40 40
0 2.3
0 22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23 0 15.6 15.6 ···
y 0 23 23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing
22.1−−→ repairingdone−−−→ safe
··· 15.6 17.9 17.9
40 40
0 2.3 0
22.1 22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23 0 15.6 15.6 ···
y 0 23 23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40
40
0 2.3 0 22.1
22.1
7/48
Introduction
The timed automaton model: an example
safe alarm
repairing
failsafe
problem, x :=0
repair
, x615
y :=0
delayed, y :=0
156x616
repair
26y∧x656
y :=0
done, 226y625
safe23−→ safe
problem−−−−−→ alarm15.6−−→ alarm
delayed−−−−−→ failsafe
x 0 23 0 15.6 15.6 ···
y 0 23 23 38.6 0
failsafe2.3−−→ failsafe
repair−−−−→ repairing22.1−−→ repairing
done−−−→ safe
··· 15.6 17.9 17.9 40 40
0 2.3 0 22.1 22.1
7/48
Introduction
Basics of timed automata
[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).
Theorem [AD90,AD94]
The reachability problem is decidable (and PSPACE-complete) in timedautomata.
timed automaton
finite bisimulation
large (but finite) automaton(region automaton)
8/48
Introduction
Basics of timed automata
[AD90] Alur, Dill. Automata for modeling real-time systems (ICALP’90).[AD94] Alur, Dill. A theory of timed automata (Theoretical Computer Science).
Theorem [AD90,AD94]
The reachability problem is decidable (and PSPACE-complete) in timedautomata.
timed automaton
finite bisimulation
large (but finite) automaton(region automaton)
8/48
Introduction
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
9/48
Reachability analysis in timed automata
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
10/48
Reachability analysis in timed automata
What about the practice?
the region automaton is never computed
instead, symbolic computations are performed using zones
Example of a zone
Z = (x1 > 3) ∧ (x2 6 5) ∧ (x1 − x2 6 4)
x2
x13
5
x1−x2=4
x0 x1 x2
x0
x1
x2
∞ −3 ∞∞ ∞ 45 ∞ ∞
11/48
Reachability analysis in timed automata
What about the practice?
the region automaton is never computed
instead, symbolic computations are performed using zones
Example of a zone
Z = (x1 > 3) ∧ (x2 6 5) ∧ (x1 − x2 6 4)
x2
x13
5
x1−x2=4
94
2
x0 x1 x2
x0
x1
x2
0 −3 09 0 45 2 0
11/48
Reachability analysis in timed automata
Backward computation
Final
Init
, the backward computation always terminates!
12/48
Reachability analysis in timed automata
Backward computation
Final
Init
, the backward computation always terminates!
12/48
Reachability analysis in timed automata
Backward computation
Final
Init
, the backward computation always terminates!
12/48
Reachability analysis in timed automata
Backward computation
Final
Init
, the backward computation always terminates!
12/48
Reachability analysis in timed automata
Backward computation
Final
Init
, the backward computation always terminates!
12/48
Reachability analysis in timed automata
Backward computation
Final
Init
, the backward computation always terminates!
12/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...
; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...
; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...
; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...
; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...
; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...
; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
Forward computation
Init
Final
/ the forward computation may not terminate...; abstractions need to be used, that ensure termination...
13/48
Reachability analysis in timed automata
An abstraction: the extrapolation operator
3
x2
x1
5
2
Z
4 9
0 −3 09 0 45 2 0
0 −2 0∞ 0 ∞∞ 2 0
Extra2
14/48
Reachability analysis in timed automata
An abstraction: the extrapolation operator
Extra2(Z)
x2
x1
Z
2
2
0 −3 09 0 45 2 0
0 −2 0∞ 0 ∞∞ 2 0
Extra2
14/48
Reachability analysis in timed automata
Results
[Bou03] Bouyer. Untameable Timed Automata! (STACS’03).[Bou04] Bouyer. Forward Analysis of Updatable Timed Automata (Formal Methods in System Design).
Abug
x363
x1,x3:=0
x2=3
x2:=0
x1=2,x1:=0
x2=2,x2:=0
x1=2,x1:=0
x2=2
x2:=0
x1=3
x1:=0
x2>x1+2
x4<x3+2
Theorem [Bou03,Bou04]
In Abug, any extrapolation operator is incorrect!
The extrapolation operator is correct in diagonal-free timedautomata.
15/48
Reachability analysis in timed automata
Results
[Bou03] Bouyer. Untameable Timed Automata! (STACS’03).[Bou04] Bouyer. Forward Analysis of Updatable Timed Automata (Formal Methods in System Design).
Abug
x363
x1,x3:=0
x2=3
x2:=0
x1=2,x1:=0
x2=2,x2:=0
x1=2,x1:=0
x2=2
x2:=0
x1=3
x1:=0
x2>x1+2
x4<x3+2
Theorem [Bou03,Bou04]
In Abug, any extrapolation operator is incorrect!
The extrapolation operator is correct in diagonal-free timedautomata.
15/48
Reachability analysis in timed automata
Results
[Bou03] Bouyer. Untameable Timed Automata! (STACS’03).[Bou04] Bouyer. Forward Analysis of Updatable Timed Automata (Formal Methods in System Design).
Abug
x363
x1,x3:=0
x2=3
x2:=0
x1=2,x1:=0
x2=2,x2:=0
x1=2,x1:=0
x2=2
x2:=0
x1=3
x1:=0
x2>x1+2
x4<x3+2
Theorem [Bou03,Bou04]
In Abug, any extrapolation operator is incorrect!
The extrapolation operator is correct in diagonal-free timedautomata.
15/48
Reachability analysis in timed automata
Improving further
[BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata Verification (TACAS’03).[BBLP04] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone Based Abstractions of Timed Automata (TACAS’04).[BBLP06] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone-Based Abstractions of Timed Automata (International
Journal on Software Tools for Technology Transfer).
the extrapolation operator can be made coarser:
local extrapolation constants [BBFL03];distinguish between lower- and upper-bounded contraints
[BBLP03,BBLP06]
; has leaded to a practical improvement in of up to 20%!
Since then...
further improvement due to better data structure manipulations...
... but no further algorithmic improvement!
16/48
Reachability analysis in timed automata
Improving further
[BBFL03] Behrmann, Bouyer, Fleury, Larsen. Static Guard Analysis in Timed Automata Verification (TACAS’03).[BBLP04] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone Based Abstractions of Timed Automata (TACAS’04).[BBLP06] Behrmann, Bouyer, Larsen, Pelanek. Lower and Upper Bounds in Zone-Based Abstractions of Timed Automata (International
Journal on Software Tools for Technology Transfer).
the extrapolation operator can be made coarser:
local extrapolation constants [BBFL03];distinguish between lower- and upper-bounded contraints
[BBLP03,BBLP06]
; has leaded to a practical improvement in of up to 20%!
Since then...
further improvement due to better data structure manipulations...
... but no further algorithmic improvement!
16/48
Model-checking timed temporal logics
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
17/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]
what about liveness properties?
And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
Motivation
[ABBL98] Aceto, Bouyer, Burgueno, Larsen. The power of reachability testing for timed automata (FSTTCS’98).[ABBL03] Aceto, Bouyer, Burgueno, Larsen. The power of reachability testing for timed automata (Theoretical Computer Science).
Checking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]
what about liveness properties?
And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties?
And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties?
And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
MotivationChecking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
Motivation
[Pnu77] Pnueli. The temporal logic of programs (FoCS’77).
Checking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
Motivation
[Pnu77] Pnueli. The temporal logic of programs (FoCS’77).
Checking reachability properties may not be enough:
basically only safety properties can be verified [ABBL98,ABBL03]what about liveness properties? And other properties?
“the monkey will eventually write the complete works of Shakespeare”
“every request is eventually granted”
“the machine produces 56 items per day until it needs to be repaired”
Need for specification languages expressing timing constraints...
“the airbag inflates no more than 56ms after the car crashes”
; critical property
“the reponse time of the memory circuit is no more than 10−12s”
; performance, quality of service
... and for algorithms to verify those properties.
We will focus on timed extensions of LTL [Pnu77]
18/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).
[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).
[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
0 1 2 3 4|= ψ
61
61
61
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).
[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
0 1 2 3 4|= ψ
61
61
61
0 1 2 3 46|= ψ
[0,1]
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).
[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
TPTL (Timed Propositional Temporal Logic) [AH89]
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
TPTL (Timed Propositional Temporal Logic) [AH89]
ψ ≡ G (request→ x · F (grant ∧ (x 6 1)))
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
TPTL (Timed Propositional Temporal Logic) [AH89]
ψ ≡ G (request→ x · F (grant ∧ (x 6 1)))
ϕ = G (request→ x · F (ack ∧ F (grant ∧ x 6 2)))
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
TPTL (Timed Propositional Temporal Logic) [AH89]
ψ ≡ G (request→ x · F (grant ∧ (x 6 1)))
ϕ = G (request→ x · F (ack ∧ F (grant ∧ x 6 2)))
0 1 2 3 4|= ϕ
62 62
19/48
Model-checking timed temporal logics
Two classical timed extensions of LTL: MTL and TPTL
[Koy90] Koymans. Specifying real-time properties with Metric Temporal Logic (Real-Time Systems).[AH89] Alur, Henzinger. A really temporal logic (FoCS’89).
MTL (Metric Temporal Logic) [Koy90]
ψ = G (request→ F61 grant)
TPTL (Timed Propositional Temporal Logic) [AH89]
ψ ≡ G (request→ x · F (grant ∧ (x 6 1)))
ϕ = G (request→ x · F (ack ∧ F (grant ∧ x 6 2)))
0 1 2 3 4|= ϕ
62 62
0 1 2 3 46|= ϕ
62
19/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡
G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )
∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness of these logics
Conjecture (Alur & Henzinger, since 1990)
TPTL is strictly more expressive than MTL, and the TPTL formula
ϕ = G (• → x · F (• ∧ F (• ∧ x 6 2)))
cannot be expressed in MTL.
However...
0 1 2
F=1 •
61
ϕ ≡ G • →
F61 • ∧ F[1,2] •
∨
F61 ( • ∧ F61 • )∨
F61 ( F61 • ∧ F=1 • )
20/48
Model-checking timed temporal logics
Expressiveness results
[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).
Theorem [BCM05]
The conjecture is correct: TPTL is strictly more expressive than MTL.
Also, MTL+Past is strictly more expressive than MTL.
The formulas
x · F (• ∧ (x 6 1) ∧G ((x 6 1) → ¬•)) ∈ TPTLF=1 (¬•S •) ∈ MTL+Past
cannot be expressed in MTL.
0 1
21/48
Model-checking timed temporal logics
Expressiveness results
[Kam68] Kamp. Tense logic and the theory of linear order (PhD UCLA).[GPSS80] Gabbay, Pnueli, Shelah, Stavi. On the temporal analysis of fairness (POPL’80).[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).
Theorem [BCM05]
The conjecture is correct: TPTL is strictly more expressive than MTL.Also, MTL+Past is strictly more expressive than MTL.
Recall: LTL+Past and LTL are equally expressive [Kam68,GPSS80].
The formulas
x · F (• ∧ (x 6 1) ∧G ((x 6 1) → ¬•)) ∈ TPTLF=1 (¬•S •) ∈ MTL+Past
cannot be expressed in MTL.
0 1
21/48
Model-checking timed temporal logics
Expressiveness results
[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).
Theorem [BCM05]
The conjecture is correct: TPTL is strictly more expressive than MTL.Also, MTL+Past is strictly more expressive than MTL.
The formulas
x · F (• ∧ (x 6 1) ∧G ((x 6 1) → ¬•)) ∈ TPTLF=1 (¬•S •) ∈ MTL+Past
cannot be expressed in MTL.
0 1
21/48
Model-checking timed temporal logics
Expressiveness results
[BCM05] Bouyer, Chevalier, Markey. On the expressiveness of TPTL and MTL (FSTTCS’05).
Theorem [BCM05]
The conjecture is correct: TPTL is strictly more expressive than MTL.Also, MTL+Past is strictly more expressive than MTL.
The formulas
x · F (• ∧ (x 6 1) ∧G ((x 6 1) → ¬•)) ∈ TPTLF=1 (¬•S •) ∈ MTL+Past
cannot be expressed in MTL.
0 1
21/48
Model-checking timed temporal logics
Back to the model-checking problem
G (request→F grant)model-checking
algorithm
yes/no
timed
autom
aton MTLTPTL formula
Theorem [AH94,AFH96,OW06...]
The model-checking problem is (mostly) undecidable...
Can be rather easily explained using channel machines...
... and more tractable fragments need be defined!
22/48
Model-checking timed temporal logics
Back to the model-checking problem
G (request→F grant)model-checking
algorithm
yes/no
timed
autom
aton
MTLTPTL formula
Theorem [AH94,AFH96,OW06...]
The model-checking problem is (mostly) undecidable...
Can be rather easily explained using channel machines...
... and more tractable fragments need be defined!
22/48
Model-checking timed temporal logics
Back to the model-checking problem
G (request→F grant)model-checking
algorithm
yes/no
timed
autom
aton MTLTPTL formula
Theorem [AH94,AFH96,OW06...]
The model-checking problem is (mostly) undecidable...
Can be rather easily explained using channel machines...
... and more tractable fragments need be defined!
22/48
Model-checking timed temporal logics
Back to the model-checking problem
[AH94] Alur, Henzinger. A really temporal logic (Journal of the ACM).[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).[OW06] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (FoSSaCS’06).
G (request→F grant)model-checking
algorithm
yes/no
timed
autom
aton MTLTPTL formula
Theorem [AH94,AFH96,OW06...]
The model-checking problem is (mostly) undecidable...
Can be rather easily explained using channel machines...
... and more tractable fragments need be defined!
22/48
Model-checking timed temporal logics
Back to the model-checking problem
[AH94] Alur, Henzinger. A really temporal logic (Journal of the ACM).[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).[OW06] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (FoSSaCS’06).
G (request→F grant)model-checking
algorithm
yes/no
timed
autom
aton MTLTPTL formula
Theorem [AH94,AFH96,OW06...]
The model-checking problem is (mostly) undecidable...
Can be rather easily explained using channel machines...
... and more tractable fragments need be defined!
22/48
Model-checking timed temporal logics
Back to the model-checking problem
[AH94] Alur, Henzinger. A really temporal logic (Journal of the ACM).[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).[OW06] Ouaknine, Worrell. On Metric Temporal Logic and faulty Turing machines (FoSSaCS’06).
G (request→F grant)model-checking
algorithm
yes/no
timed
autom
aton MTLTPTL formula
Theorem [AH94,AFH96,OW06...]
The model-checking problem is (mostly) undecidable...
Can be rather easily explained using channel machines...
... and more tractable fragments need be defined!
22/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
MITL [AFH96]: ban punctuality
G (• → F62 •) is in MITLG (• → F=1 •) is not in MITL
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[AFH96] Alur, Feder, Henzinger. The benefits of relaxing unctuality (Journal of the ACM).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
MITL [AFH96]: ban punctuality
timed regularityverification in exponential space
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[OW05] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (LICS’05).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
Safety-MTL [OW05]: restrict to safety properties
G (• → F62 •) is in Safety-MTLG (• → F •) is not in Safety-MTL
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[OW05] Ouaknine, Worrell. On the decidability of Metric Temporal Logic (LICS’05).[OW08] Ouaknine, Worrell. Some recent results in Metric Temporal Logic (FORMATS’08).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
Safety-MTL [OW05]: restrict to safety properties
only finite counter-examples need be looked forverification using alternating timed automatadecidable, but non-primitive recursive [OW08]
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[BMOW07] Bouyer, Markey, Ouaknine, Worrell. The cost of punctuality (LICS’07).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
Bounded-MTL [BMOW07]: restrict to bounded future
G65 (• → F62 •) is in Bounded-MTLG (• → F62 •) is not in Bounded-MTL
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[BMOW07] Bouyer, Markey, Ouaknine, Worrell. The cost of punctuality (LICS’07).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
Bounded-MTL [BMOW07]: restrict to bounded future
expresses non-regular propertiesonly time-bounded prefixes need to be verifiedverification in exponential space
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[BMOW07] Bouyer, Markey, Ouaknine, Worrell. The cost of punctuality (LICS’07).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
coFlat-MTLLTL [BMOW07]: a flatness condition on the formula
G (• → F=1 •) is in coFlat-MTLLTL
FG61 • is not in coFlat-MTLLTL
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[BMOW07] Bouyer, Markey, Ouaknine, Worrell. The cost of punctuality (LICS’07).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
coFlat-MTLLTL [BMOW07]: a flatness condition on the formula
expresses non-regular propertiesonly counter-examples of the following form need to be looked for:
LTL LTL LTL LTL
hardhardhardhard
verification in exponential space
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[BMOW08] Bouyer, Markey, Ouaknine, Worrell. On expressiveness and complexity in real-time model checking (ICALP’08).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
coFlat-MTLMITL [BMOW08]: a flatness condition on the formula
FG61 • is in coFlat-MTLMITL
FG=1 • is not in coFlat-MTLMITL
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
[BMOW08] Bouyer, Markey, Ouaknine, Worrell. On expressiveness and complexity in real-time model checking (ICALP’08).
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
coFlat-MTLMITL [BMOW08]: a flatness condition on the formula
only counter-examples of the following form need to be looked for:
non-punctual non-punctual non-punctual non-punctual
punctualpunctualpunctualpunctual
the largest (known) fragment for which...... verification in exponential space!
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
non-tractable
tractable
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
PSPACE-c.
undec./NPR
EXPSPACE-c.
23/48
Model-checking timed temporal logics
The quest for tractable fragments of MTL
MTL
LTL
MITL
Safety-MTL
Bounded-MTL
coFlat-MTLLTL
coFlat-MTLMITL
PSPACE-c.
undec./NPR
EXPSPACE-c.
Algorithmics needs now to be worked out!
23/48
Modelling resources in timed systems
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
24/48
Modelling resources in timed systems
Motivation
System resources might be relevant and even crucial information
energy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
System resources might be relevant and even crucial information
energy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
System resources might be relevant and even crucial information
energy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
System resources might be relevant and even crucial information
energy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
System resources might be relevant and even crucial informationenergy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
The thermostat example
Off
T=−0.5T
(T>18)
On
T=2.25−0.5T
(T622)
T619
T>21
22
18
21
19
2 4 6 8 10 time
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
System resources might be relevant and even crucial informationenergy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
The thermostat example
Off
T=−0.5T
(T>18)
On
T=2.25−0.5T
(T622)
T619
T>21
22
18
21
19
2 4 6 8 10 time
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
[HKPV95] Henzinger, Kopke, Puri, Varaiya. What’s decidable wbout hybrid automata? (SToC’95).
System resources might be relevant and even crucial information
energy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Modelling resources in timed systems
Motivation
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
System resources might be relevant and even crucial information
energy consumption,memory usage,price to pay,bandwidth,...
; timed automata are not powerful enough!
A possible solution: use hybrid automata
Theorem [HKPV95]
The reachability problem is undecidable in hybrid automata.
An alternative: weighted/priced timed automata [ALP01,BFH+01]
; hybrid variables do not constrain the system
25/48
Optimizing resources
A third model of the system
Oxford
Pontivy
Dover
Calais
Paris+2
London +2
Stansted
Nantes
Poole
St Malo
+3
+3
+3
+3
+3
+3
+3
+3
+2
+2
+7
+1
+2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
26/48
Optimizing resources
How much fuel will I use?
Oxford
Pontivy
Dover
Calais
Paris+2
London +2
Stansted
Nantes
Poole
St Malo
+3
+3
+3
+3
+3
+3
+3
+3
+2
+2
+7
+1
+2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
It is a quantitative (optimization) questionin a weighted timed automaton: at least 68 anti-planet units!
26/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5 + 0 + 0 + 0.7 + 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost :
6.5 + 0 + 0 + 0.7 + 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5
+ 0 + 0 + 0.7 + 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5 + 0
+ 0 + 0.7 + 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5 + 0 + 0
+ 0.7 + 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5 + 0 + 0 + 0.7
+ 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5 + 0 + 0 + 0.7 + 7
= 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
`01.3−−→ `0
c−−→ `1u−−→ `3
0.7−−−→ `3c−−→ ,
x 0 1.3 1.3 1.3 2y 0 1.3 0 0 0.7
cost : 6.5 + 0 + 0 + 0.7 + 7 = 14.2
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost for reaching,?
inf06t62
min (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 9
; strategy: leave immediately `0, go to `3, and wait there 2 t.u.
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost for reaching,?
inf06t62
min (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 9
; strategy: leave immediately `0, go to `3, and wait there 2 t.u.
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost for reaching,?
inf06t62
min (
5t + 10(2− t) + 1 , 5t + (2− t) + 7
) = 9
; strategy: leave immediately `0, go to `3, and wait there 2 t.u.
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost for reaching,?
inf06t62
min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 )
= 9
; strategy: leave immediately `0, go to `3, and wait there 2 t.u.
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost for reaching,?
inf06t62
min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 9
; strategy: leave immediately `0, go to `3, and wait there 2 t.u.
27/48
Optimizing resources
Weighted/priced timed automata [ALP01,BFH+01]
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost for reaching,?
inf06t62
min ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 9
; strategy: leave immediately `0, go to `3, and wait there 2 t.u.
27/48
Optimizing resources
Optimization problems in weighted timed automata
[ALP01] Alur, La Torre, Pappas. Optimal paths in weighted timed automata (HSCC’01).[BFH+01] Behrmann, Fehnker, Hune, Larsen, Pettersson, Romijn, Vaandrager. Minimum-cost reachability in priced timed automata (HSCC’01).[BBBR07] Bouyer, Brihaye, Bruyere, Raskin. On the optimal reachability problem (Formal Methods in System Design).
Theorem [ALP01,BFH+01,BBBR07]
The optimal reachability problem is decidable (and PSPACE-complete) in(weighted) timed automata.
Theorem [BBL04,BBL08]
The optimal mean-cost problem is decidable (and PSPACE-complete) in(weighted) timed automata.
; In both cases, the corner-point abstraction can be used
(a refinement of the region automaton)
28/48
Optimizing resources
Optimization problems in weighted timed automata
[BBL04] Bouyer, Brinksma, Larsen. Staying alive as cheaply as possible (HSCC’04).[BBL08] Bouyer, Brinksma, Larsen. Optimal infinite scheduling for multi-priced timed automata (Formal Methods in System Design).
Theorem [ALP01,BFH+01,BBBR07]
The optimal reachability problem is decidable (and PSPACE-complete) in(weighted) timed automata.
Theorem [BBL04,BBL08]
The optimal mean-cost problem is decidable (and PSPACE-complete) in(weighted) timed automata.
; In both cases, the corner-point abstraction can be used
(a refinement of the region automaton)
28/48
Optimizing resources
Optimization problems in weighted timed automata
[BBL04] Bouyer, Brinksma, Larsen. Staying alive as cheaply as possible (HSCC’04).[BBL08] Bouyer, Brinksma, Larsen. Optimal infinite scheduling for multi-priced timed automata (Formal Methods in System Design).
Theorem [ALP01,BFH+01,BBBR07]
The optimal reachability problem is decidable (and PSPACE-complete) in(weighted) timed automata.
Theorem [BBL04,BBL08]
The optimal mean-cost problem is decidable (and PSPACE-complete) in(weighted) timed automata.
; In both cases, the corner-point abstraction can be used
(a refinement of the region automaton)
28/48
Optimizing resources
What if an unexpected event happens?
Oxford
Pontivy
Dover
Calais
Paris+2
London +2
Stansted
Nantes
Poole
St Malo
+3
+3
+3
+3
+3
+3
+3
+3
+2
+2
+7
+1
+2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
Flightcancelled!
On strike!!!
; modelled as timed games
29/48
Optimizing resources
What if an unexpected event happens?
Oxford
Pontivy
Dover
Calais
Paris+2
London +2
Stansted
Nantes
Poole
St Malo
+3
+3
+3
+3
+3
+3
+3
+3
+2
+2
+7
+1
+2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
Flightcancelled!
On strike!!!
; modelled as timed games
29/48
Optimizing resources
What if an unexpected event happens?
Oxford
Pontivy
Dover
Calais
Paris+2
London +2
Stansted
Nantes
Poole
St Malo
+3
+3
+3
+3
+3
+3
+3
+3
+2
+2
+7
+1
+2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
Flightcancelled!
On strike!!!
; modelled as timed games
29/48
Optimizing resources
Weighted timed games
`0 `1
(y=0)
`2
`3
,x62,c,y :=0
u
u
u
u
x=2,c
x=2,c
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0 `1
(y=0)
`2
`3
,x62,c,y :=0
u
u
u
u
x=2,c
x=2,c
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max (
5t + 10(2− t) + 1
, 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max (
5t + 10(2− t) + 1 , 5t + (2− t) + 7
) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 )
= 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Weighted timed games
`0
+5
`1
(y=0)
`2
+10
`3
+1
,x62,c,y :=0
u
u
u
u
x=2,c+1
x=2,c+7
Question: what is the optimal cost we can ensure while reaching,?
inf06t62
max ( 5t + 10(2− t) + 1 , 5t + (2− t) + 7 ) = 14 +1
3
; strategy: wait in `0, and when t = 43 , go to `1
30/48
Optimizing resources
Optimal reachability in weighted timed games
[LMM02] La Torre, Mukhopadhyay, Murano. Optimal-reachability and control for acyclic weighted timed automata (TCS@02).[ABM04] Alur, Bernardsky, Madhusudan. Optimal reachability in weighted timed games (ICALP’04).[BCFL04] Bouyer, Cassez, Fleury, Larsen. Optimal strategies in priced timed game automata (FSTTCS’04).
This topic has been fairly hot these last couple of years...e.g. [LMM02,ABM04,BCFL04]
Theorem [BBR05,BBM06]
Optimal timed games are undecidable, as soon as automata have threeclocks or more.
Theorem [BLMR06]
Turn-based optimal timed games are decidable in 3EXPTIME whenautomata have a single clock. They are PTIME-hard.
31/48
Optimizing resources
Optimal reachability in weighted timed games
[BBR05] Brihaye, Bruyere, Raskin. On optimal timed strategies (FORMATS’05).[BBM06] Bouyer, Brihaye, Markey. Improved undecidability results on weighted timed automata (Information Processing Letters).
This topic has been fairly hot these last couple of years...e.g. [LMM02,ABM04,BCFL04]
Theorem [BBR05,BBM06]
Optimal timed games are undecidable, as soon as automata have threeclocks or more.
Theorem [BLMR06]
Turn-based optimal timed games are decidable in 3EXPTIME whenautomata have a single clock. They are PTIME-hard.
31/48
Optimizing resources
Optimal reachability in weighted timed games
[BBR05] Brihaye, Bruyere, Raskin. On optimal timed strategies (FORMATS’05).[BBM06] Bouyer, Brihaye, Markey. Improved undecidability results on weighted timed automata (Information Processing Letters).[BLMR06] Bouyer, Larsen, Markey, Rasmussen. Almost-optimal strategies in one-clock priced timed automata (FSTTCS’06).
This topic has been fairly hot these last couple of years...e.g. [LMM02,ABM04,BCFL04]
Theorem [BBR05,BBM06]
Optimal timed games are undecidable, as soon as automata have threeclocks or more.
Theorem [BLMR06]
Turn-based optimal timed games are decidable in 3EXPTIME whenautomata have a single clock. They are PTIME-hard.
31/48
Managing resources
A fourth model of the system
Oxford+5
Pontivy+5
Dover−2
Calais−2
Paris0
London +5
Stansted +5
Nantes +5
Poole−2
St Malo−2
−2
−2
−2
−2
−2
−2
−2
−2
+5
+5
−2
−2
−2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
32/48
Managing resources
Can I work with my computer all the way?
Oxford+5
Pontivy+5
Dover−2
Calais−2
Paris0
London +5
Stansted +5
Nantes +5
Poole−2
St Malo−2
−2
−2
−2
−2
−2
−2
−2
−2
+5
+5
−2
−2
−2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
batterycharge
40
20
2 13 16.5 22.3 45 56 60.4
32/48
Managing resources
Can I work with my computer all the way?
Oxford+5
Pontivy+5
Dover−2
Calais−2
Paris0
London +5
Stansted +5
Nantes +5
Poole−2
St Malo−2
−2
−2
−2
−2
−2
−2
−2
−2
+5
+5
−2
−2
−2
x :=0
106x612
146x615x :=0
276x630
x :=0
96x612
x :=0
216x624
x=27x :=0
x=3
x :=0176
x621
x :=0
36x6
6
x :=0
276x6
32
36x6
6x :=0
x=24
x :=0
96x615
x :=0
x=13
x :=0
126x615
x=17
x :=0
x=6
x :=0
126x614
batterycharge
40
20
2 13 16.5 22.3 45 56 60.432/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problem: can we stay above 0?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1lost!
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1lost!
Lower-bound problemLower-upper-bound problem: can we stay within bounds?
Lower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower-bound problemLower-upper-bound problemLower-weak-upper-bound problem: can we “weakly” stay withinbounds?
33/48
Managing resources
An example of resource management
`0
−3
`1
+6
`2
−6
x=1x :=0
Globally (x61)
00
1
2
3
4
1
Lower–bound problem ; L
Lower-upper-bound problem ; L+U
Lower-weak-upper-bound problem ; L+W
33/48
Managing resources
Only partial results so far [BFLMS08]
[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).
0 clock!
L
L+W
L+U
exist. problem univ. problem games
∈ PTIME ∈ PTIME∈ UP ∩ co-UP
PTIME-hard
∈ PTIME ∈ PTIME∈ NP ∩ co-NP
PTIME-hard
∈ PSPACE
NP-hard∈ PTIME EXPTIME-c.
34/48
Managing resources
Only partial results so far [BFLMS08]
[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).
1 clock
L
L+W
L+U
exist. problem univ. problem games
∈ PTIME ∈ PTIME ?
∈ PTIME ∈ PTIME ?
? ? undecidable
34/48
Managing resources
Only partial results so far [BFLMS08]
[BFLMS08] Bouyer, Fahrenberg, Larsen, Markey, Srba. Infinite runs in weighted timed automata with energy constraints (FORMATS’08).
n clocks
L
L+W
L+U
exist. problem univ. problem games
? ? ?
? ? ?
? ? undecidable
34/48
Managing resources
Single-clock L+U-games
TheoremThe single-clock L+U-games are undecidable.
We encode the behaviour of a two-counter machine:
each instruction is encoded as a module;
the values c1 and c2 of the counters are encoded by the energy level
e = 5− 1
2c1 · 3c2
when entering the corresponding module.
There is an infinite execution in the two-counter machine iff there is astrategy in the single-clock timed game under which the energy levelremains between 0 and 5.
; We present a generic constructionfor incrementing/decrementing the counters.
35/48
Managing resources
Single-clock L+U-games
TheoremThe single-clock L+U-games are undecidable.
We encode the behaviour of a two-counter machine:
each instruction is encoded as a module;
the values c1 and c2 of the counters are encoded by the energy level
e = 5− 1
2c1 · 3c2
when entering the corresponding module.
There is an infinite execution in the two-counter machine iff there is astrategy in the single-clock timed game under which the energy levelremains between 0 and 5.
; We present a generic constructionfor incrementing/decrementing the counters.
35/48
Managing resources
Single-clock L+U-games
TheoremThe single-clock L+U-games are undecidable.
We encode the behaviour of a two-counter machine:
each instruction is encoded as a module;
the values c1 and c2 of the counters are encoded by the energy level
e = 5− 1
2c1 · 3c2
when entering the corresponding module.
There is an infinite execution in the two-counter machine iff there is astrategy in the single-clock timed game under which the energy levelremains between 0 and 5.
; We present a generic constructionfor incrementing/decrementing the counters.
35/48
Managing resources
Single-clock L+U-games
TheoremThe single-clock L+U-games are undecidable.
We encode the behaviour of a two-counter machine:
each instruction is encoded as a module;
the values c1 and c2 of the counters are encoded by the energy level
e = 5− 1
2c1 · 3c2
when entering the corresponding module.
There is an infinite execution in the two-counter machine iff there is astrategy in the single-clock timed game under which the energy levelremains between 0 and 5.
; We present a generic constructionfor incrementing/decrementing the counters.
35/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Generic module for incrementing/decrementing
m
−6
m1
−6
+5
module ok
m2
+30
m3
+30
−5
module ok
n
−αx :=0
x :=0
x=1
x=1
x :=0
x=1
energy
x0 1
5−e
5−e6
5−αe6
α=3: increment c1
α=2: increment c2
α=12: decrement c1
α=18: decrement c2
36/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithms
development of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Managing resources
Partial conclusion and perspectives
Weighted timed automata, an interesting model for representingresources in timed systems
, some optimization problems are (fully) decidable(with a reasonable complexity)
; algorithmics needs to be further developed
/ many problems are undecidable in general(we did not mention the model-checking problem, but it is mostly undecidable)
restriction of the underlying timed automaton to one clock anddevelopment of specific algorithmsdevelopment of approximation schemes
Many open problems to be solved, e.g. in resource management
Compute equilibria in weighted timed games; towards a theory of timed games
37/48
Probabilistic analysis of timed automata
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
38/48
Probabilistic analysis of timed automata
Motivation
The goal
Define a (meaningful) measure on runs of timed automata that will tellus how likely properties are satisfied.
In the running example: “how likely will I visit Paris?”
“how long should I expect be waiting in Paris?”
A relaxed semantics for timed automata
removes behaviours that are unlikely to happen and could unfairlyviolate/validate a propertyrelaxes (some of the) assumptions made in timed automata, like theinfinite precision of the clocksrelated works include implementability issues, robust semantics, etc.
A new timed and probabilistic model
models a purely probabilistic environmentrelated models include continuous-time Markov chains, andprobabilistic timed automata
39/48
Probabilistic analysis of timed automata
Motivation
The goal
Define a (meaningful) measure on runs of timed automata that will tellus how likely properties are satisfied.
In the running example: “how likely will I visit Paris?”
“how long should I expect be waiting in Paris?”
A relaxed semantics for timed automata
removes behaviours that are unlikely to happen and could unfairlyviolate/validate a propertyrelaxes (some of the) assumptions made in timed automata, like theinfinite precision of the clocksrelated works include implementability issues, robust semantics, etc.
A new timed and probabilistic model
models a purely probabilistic environmentrelated models include continuous-time Markov chains, andprobabilistic timed automata
39/48
Probabilistic analysis of timed automata
Motivation
The goal
Define a (meaningful) measure on runs of timed automata that will tellus how likely properties are satisfied.
In the running example: “how likely will I visit Paris?”
“how long should I expect be waiting in Paris?”
A relaxed semantics for timed automata
removes behaviours that are unlikely to happen and could unfairlyviolate/validate a propertyrelaxes (some of the) assumptions made in timed automata, like theinfinite precision of the clocksrelated works include implementability issues, robust semantics, etc.
A new timed and probabilistic model
models a purely probabilistic environmentrelated models include continuous-time Markov chains, andprobabilistic timed automata
39/48
Probabilistic analysis of timed automata
Motivation
The goal
Define a (meaningful) measure on runs of timed automata that will tellus how likely properties are satisfied.
In the running example: “how likely will I visit Paris?”
“how long should I expect be waiting in Paris?”
A relaxed semantics for timed automata
removes behaviours that are unlikely to happen and could unfairlyviolate/validate a propertyrelaxes (some of the) assumptions made in timed automata, like theinfinite precision of the clocksrelated works include implementability issues, robust semantics, etc.
A new timed and probabilistic model
models a purely probabilistic environmentrelated models include continuous-time Markov chains, andprobabilistic timed automata
39/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
Methodology
Rough idea
Build a stochastic process based on a timed automaton by randomizingall possible evolutions of the system.
We put (continuous) distributions over delays...
... and discrete distributions over transitions.
; this naturally defines a probability measure P over sets of runs.
P(A |= ϕ
)measures “how likely A satisfies ϕ”
Two natural questions:
; decide whether P(A |= ϕ
)= 1 (qualitative question)
; compute (an approximation of) P(A |= ϕ
)(quantitative question)
40/48
Probabilistic analysis of timed automata
An example
`0
(x61)
`1 `2
(x61)
`3
(x61)
e2, x61
e3, x=1
e4, x>3, x :=0
e5, x61
e6, x=0
e1, x61 e7, x61
A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)
)= 1
Indeed, almost surely, paths are of the form e∗1 e2
(e4e5
)ω
41/48
Probabilistic analysis of timed automata
An example
`0
(x61)
`1 `2
(x61)
`3
(x61)
e2, x61
e3, x=1
e4, x>3, x :=0
e5, x61
e6, x=0
e1, x61 e7, x61
A 6|= G (• ⇒ F •)
but P(A |= G (• ⇒ F •)
)= 1
Indeed, almost surely, paths are of the form e∗1 e2
(e4e5
)ω
41/48
Probabilistic analysis of timed automata
An example
`0
(x61)
`1 `2
(x61)
`3
(x61)
e2, x61
e3, x=1
e4, x>3, x :=0
e5, x61
e6, x=0
e1, x61 e7, x61
A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)
)= 1
Indeed, almost surely, paths are of the form e∗1 e2
(e4e5
)ω
41/48
Probabilistic analysis of timed automata
An example
`0
(x61)
`1 `2
(x61)
`3
(x61)
e2, x61
e3, x=1
e4, x>3, x :=0
e5, x61
e6, x=0
e1, x61 e7, x61
A 6|= G (• ⇒ F •) but P(A |= G (• ⇒ F •)
)= 1
Indeed, almost surely, paths are of the form e∗1 e2
(e4e5
)ω
41/48
Probabilistic analysis of timed automata
The classical region automaton
`0,0
`0,(0,1)
`0,1
`1,0
`1,(0,1)
`1,1
`2,0 `3,0
`3,(0,1)
`3,1
e1
e1
e1
e1
e1
e1
e2
e2
e2e2
e2
e2
e3
e4
e 4
e 4
e5
e5
e 5
e6
e7
e7
e7
e7
e7
e1
... viewed as a finite Markov chain MC (A)
Proposition
For single-clock timed automata,
P(A |= ϕ
)= 1 iff P
(MC (A) |= ϕ
)= 1
(this is independent of the choice of the distributions...)
42/48
Probabilistic analysis of timed automata
The pruned region automaton
`0,0
`0,(0,1)
`0,1
`1,0
`1,(0,1)
`1,1
`2,0 `3,0
`3,(0,1)
`3,1
e1
e1
e1
e1
e1
e1
e2
e2
e2
e2
e2
e2
e3
e4
e 4
e 4
e5
e5
e 5
e6
e7
e7
e7
e7
e7
e1
... viewed as a finite Markov chain MC (A)
Proposition
For single-clock timed automata,
P(A |= ϕ
)= 1 iff P
(MC (A) |= ϕ
)= 1
(this is independent of the choice of the distributions...)
42/48
Probabilistic analysis of timed automata
The pruned region automaton
`0,0
`0,(0,1)
`0,1
`1,0
`1,(0,1)
`1,1
`2,0
`3,0
`3,(0,1)
`3,1
e1
e1
e1
e1
e1
e1
e2
e2
e2
e2
e2
e2
e3
e4
e 4
e 4
e5
e5
e 5
e6
e7
e7
e7
e7
e7
e1
... viewed as a finite Markov chain MC (A)
Proposition
For single-clock timed automata,
P(A |= ϕ
)= 1 iff P
(MC (A) |= ϕ
)= 1
(this is independent of the choice of the distributions...)
42/48
Probabilistic analysis of timed automata
The pruned region automaton
`0,0
`0,(0,1)
`0,1
`1,0
`1,(0,1)
`1,1
`2,0
`3,0
`3,(0,1)
`3,1
e1
e1
e1
e1
e1
e1
e2
e2
e2
e2
e2
e2
e3
e4
e 4
e 4
e5
e5
e 5
e6
e7
e7
e7
e7
e7
e1
... viewed as a finite Markov chain MC (A)
Proposition
For single-clock timed automata,
P(A |= ϕ
)= 1 iff P
(MC (A) |= ϕ
)= 1
(this is independent of the choice of the distributions...)
42/48
Probabilistic analysis of timed automata
The pruned region automaton
`0,0
`0,(0,1)
`0,1
`1,0
`1,(0,1)
`1,1
`2,0
`3,0
`3,(0,1)
`3,1
e1
e1
e1
e1
e1
e1
e2
e2
e2
e2
e2
e2
e3
e4
e 4
e 4
e5
e5
e 5
e6
e7
e7
e7
e7
e7
e1
... viewed as a finite Markov chain MC (A)
Proposition
For single-clock timed automata,
P(A |= ϕ
)= 1 iff P
(MC (A) |= ϕ
)= 1
(this is independent of the choice of the distributions...)
42/48
Probabilistic analysis of timed automata
Probabilistic model-checking
[BBBBG08] Baier, Bertrand, Bouyer, Brihaye, Großer. Almost-sure model checking of infinite paths in one-clock timed automata (LICS’08).[BBBM08] Bertrand, Bouyer, Brihaye, Markey. Quantitative model-checking of one-clock timed automata under probabilistic semantics (QEST’08).
Theorem [BBBBG08]
For single-clock timed automata, the almost-sure model-checking
of LTL is PSPACE-complete;
of ω-regular properties is NLOGSPACE-complete;
of the non-zenoness property is in NLOGSPACE.
Theorem [BBBM08]
In single-clock timed automata, we can compute (an approximation of)the probability of satisfying an LTL/ω-regular property (for exponentialdistributions).
; none of these results extend to two-clock timed automata...
43/48
Probabilistic analysis of timed automata
Probabilistic model-checking
[BBBBG08] Baier, Bertrand, Bouyer, Brihaye, Großer. Almost-sure model checking of infinite paths in one-clock timed automata (LICS’08).[BBBM08] Bertrand, Bouyer, Brihaye, Markey. Quantitative model-checking of one-clock timed automata under probabilistic semantics (QEST’08).
Theorem [BBBBG08]
For single-clock timed automata, the almost-sure model-checking
of LTL is PSPACE-complete;
of ω-regular properties is NLOGSPACE-complete;
of the non-zenoness property is in NLOGSPACE.
Theorem [BBBM08]
In single-clock timed automata, we can compute (an approximation of)the probability of satisfying an LTL/ω-regular property (for exponentialdistributions).
; none of these results extend to two-clock timed automata...
43/48
Probabilistic analysis of timed automata
Probabilistic model-checking
[BBBBG08] Baier, Bertrand, Bouyer, Brihaye, Großer. Almost-sure model checking of infinite paths in one-clock timed automata (LICS’08).[BBBM08] Bertrand, Bouyer, Brihaye, Markey. Quantitative model-checking of one-clock timed automata under probabilistic semantics (QEST’08).
Theorem [BBBBG08]
For single-clock timed automata, the almost-sure model-checking
of LTL is PSPACE-complete;
of ω-regular properties is NLOGSPACE-complete;
of the non-zenoness property is in NLOGSPACE.
Theorem [BBBM08]
In single-clock timed automata, we can compute (an approximation of)the probability of satisfying an LTL/ω-regular property (for exponentialdistributions).
; none of these results extend to two-clock timed automata...
43/48
Probabilistic analysis of timed automata
Perspectives
Further study this timed and probabilistic model
timed automata with an arbitrary number of clocks(hint: restrict the distributions)model-checking timed properties like those in MTL
measurability of MTL propertiescan we get a better complexity than NPR?
performance analysis (expected time, mean waiting time, etc.)(this model, a 1
2-player model, generalizes continuous-time Markov chains)
Study the 1 12 - and 2 1
2 -player models(to model non-determinism and interaction)
preliminary result: quantitative model-checking of the 2 12-player
model is undecidable
Design an irrefutable example
44/48
Probabilistic analysis of timed automata
Perspectives
Further study this timed and probabilistic model
timed automata with an arbitrary number of clocks(hint: restrict the distributions)model-checking timed properties like those in MTL
measurability of MTL propertiescan we get a better complexity than NPR?
performance analysis (expected time, mean waiting time, etc.)(this model, a 1
2-player model, generalizes continuous-time Markov chains)
Study the 1 12 - and 2 1
2 -player models(to model non-determinism and interaction)
preliminary result: quantitative model-checking of the 2 12-player
model is undecidable
Design an irrefutable example
44/48
Probabilistic analysis of timed automata
Perspectives
Further study this timed and probabilistic model
timed automata with an arbitrary number of clocks(hint: restrict the distributions)model-checking timed properties like those in MTL
measurability of MTL propertiescan we get a better complexity than NPR?
performance analysis (expected time, mean waiting time, etc.)(this model, a 1
2-player model, generalizes continuous-time Markov chains)
Study the 1 12 - and 2 1
2 -player models(to model non-determinism and interaction)
preliminary result: quantitative model-checking of the 2 12-player
model is undecidable
Design an irrefutable example
44/48
Summary and perspectives
Outline
1. Introduction
2. Reachability analysis in timed automata
3. Model-checking timed temporal logics
4. Modelling resources in timed systemsOptimizing resourcesManaging resources
5. Probabilistic analysis of timed automata
6. Summary and perspectives
45/48
Summary and perspectives
Summary
A progressive lift from qualitative to quantitative considerations:
quantitativeverification
qualitativeverification
untimedproperties
timedproperties
resource-basedproperties
Reachability(2.)
Timed prop.(3.)
Resources(4.)
Proba. analysisof LTL (5.)
46/48
Summary and perspectives
Summary
A progressive lift from qualitative to quantitative considerations:
quantitativeverification
qualitativeverification
untimedproperties
timedproperties
resource-basedproperties
Reachability(2.)
Timed prop.(3.)
Resources(4.)
Proba. analysisof LTL (5.)
46/48
Summary and perspectives
Perspectives
Modelling resources in timed systems
study further the resource management problem
develop approximation schemes(undecidability relies on the infinite precision of the system)
compute equilibria
Probabilities and timed automata
investigate further the 12 -player model
model with several clocks(hint: restrict the allowed distributions)
quantitative properties (time and resources)performance analysis: expected time, etc.
add non-determinism and interaction (1 12 - and 2 1
2 -player models)(preliminary results: undecidability rather far away...)
design an irrefutable example
47/48
Summary and perspectives
Perspectives
Modelling resources in timed systems
study further the resource management problem
develop approximation schemes(undecidability relies on the infinite precision of the system)
compute equilibria
Probabilities and timed automata
investigate further the 12 -player model
model with several clocks(hint: restrict the allowed distributions)
quantitative properties (time and resources)performance analysis: expected time, etc.
add non-determinism and interaction (1 12 - and 2 1
2 -player models)(preliminary results: undecidability rather far away...)
design an irrefutable example
47/48
Summary and perspectives
Perspectives
[BMR08] Bouyer, Markey, Reynier. Robust analysis of timed automata via channel machines (FoSSaCS’08).
Adequation of timed models to timed systems
Two main approaches: relaxed satisfactionrobust satisfaction
Relaxed satisfaction: cf probabilities and timed automata
Robust satisfaction:
develop further the purely channel-machine approach of [BMR08]synthesize systems that are robustly correct by constructionfurther think of other notions of robustness
48/48
Summary and perspectives
Perspectives
[BMR08] Bouyer, Markey, Reynier. Robust analysis of timed automata via channel machines (FoSSaCS’08).
Adequation of timed models to timed systems
Two main approaches: relaxed satisfactionrobust satisfaction
Relaxed satisfaction: cf probabilities and timed automata
Robust satisfaction:
develop further the purely channel-machine approach of [BMR08]synthesize systems that are robustly correct by constructionfurther think of other notions of robustness
48/48
Summary and perspectives
Perspectives
[BMR08] Bouyer, Markey, Reynier. Robust analysis of timed automata via channel machines (FoSSaCS’08).
Adequation of timed models to timed systems
Two main approaches: relaxed satisfactionrobust satisfaction
Relaxed satisfaction: cf probabilities and timed automata
Robust satisfaction:
develop further the purely channel-machine approach of [BMR08]synthesize systems that are robustly correct by constructionfurther think of other notions of robustness
48/48