hybrid sys slides
TRANSCRIPT
-
8/12/2019 Hybrid Sys Slides
1/61
Prof. Pallab Dasgupta
Dept. of Computer Science & Engineering
Indian Institute of Technology, Kharagpur
Formal Analysis of Hybrid Systems
-
8/12/2019 Hybrid Sys Slides
2/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A Model for Hybrid System
A hybrid system H= (Loc, Var, Lab, Edg, Act, Inv) Consists of six components:
1. A f in ite set Locof vertices called locations.
2. A f in ite set Varof real valued variables. We write Vfor the set of valuations. A valuation is a funct ion that assigns a real-value
(x) R to each variable x Var. A state is a pair(, ) consisting of a location Loc and a valuation V.
3. A f in ite set Labof synchronizationlabels.
Lab necessarily contains the stutter label , i.e.Lab.
-
8/12/2019 Hybrid Sys Slides
3/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
4. A f in ite set Edgof edges called transitions.
Each transiti on e = (, a,, ) consists of : A source locat ion Loc, A target location Loc, A synchronization label a Lab A transi tion relation V2
For each location Locthere is a set ConVarof controlled variables and astutter transition of the form (, , IDcon, ), where (, ) Idconi f f for allvariables x Var, either x Conor (x) = (x).
The transition e is enabled in a state (, )if for some valuation V, ( , ) . The state (, )is then said to be a transition successorof (, ).
A Model for Hybrid System
-
8/12/2019 Hybrid Sys Slides
4/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 4
5. A labeling function Actthat assigns to each location Loc a set of activities. Each activity is a function from the nonnegative reals R0 to V. The activities of each location are time-invariant.
6. A
labeling function Invthat assigns to each location Loc an invariantInv() V.
The system may stay at a location only if the location invariant is true; that is,some discrete transiti on must be taken before the invariant becomes false.
The hybrid system His time-deterministicif for every location Loc and everyvaluation V, there is at most one activity fAct() with f(0) =. The activi ty f,then, is denoted by [].
A Model for Hybrid System
-
8/12/2019 Hybrid Sys Slides
5/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 5
The runs of a hybrid system
The state of a hybrid system can change in two ways:
By a discreteand instantaneoustransition that changes both the control location and the
values of the variables according the transition relation;
By a timedelaythat changes only the values of the variables according to the activities of
the current location.
-
8/12/2019 Hybrid Sys Slides
6/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A run of the hybr id system H, then, is a fini te or infini te sequence
of s tatesi= (i, i) nonnegative reals tiR0and activities fAct(i), such that for alli0:
1. fi(0) = i2. For all 0 t ti, fi(t) Inv(i)3. The state i+1 is a transition successor o f the state
The state i is called a time successor of the state I ; The statei+1 is called a successorof i. We write [H] for the set of runs of the hybrid system H.
6
....: 22
1
1
t
f2
t
f10
t
0f0
The runs of a hybrid system
))(,(' iiii tf=
-
8/12/2019 Hybrid Sys Slides
7/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Hybrid systems as transit ion systems
With the hybrid system H, we associate the labeled transiti on system H= (, Lab" R0
, ), when the step relation is the union of the following two: The transition-step relationsa, fora Lab,
The time-step relations t, fo r t R0
7
''
'''
,,
,,,,,
a
InvEdga
tf Invtftt00fActf a ,, . ''
-
8/12/2019 Hybrid Sys Slides
8/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The stutter transitions ensure that the transiti on system His reflexive. For all states , ,, , Where = (, v) and for all tR0 ,
It follows that for every hybrid systems, the set of runs is closed under prefixes,
suffixes, stuttering, and fusion [HNSY94].
For time-deterministic hybrid systems, Time can progress by the amount tR0 fromthe state (, v) if this is permitted by the invariant of location ; that is :
We can rewrite the time-step rule for time-deterministic systems as :
8
'' ,, a''t''tf lab.aiffActf
[ ]( ) [ ]( ) ( ) Invtvttvtcp '' .t0iff
[ ] [ ] tvv tvtcpt ,,
Hybrid systems as transit ion systems
-
8/12/2019 Hybrid Sys Slides
9/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta 9
Example: Thermostat
When the heater is off , the temperature:
When the heater is on:
The resulting time-deterministic hybrid system is shown below:
Ktetx =
KtKt e1hetx
-
8/12/2019 Hybrid Sys Slides
10/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The Parallel composition of hybrid systems
Let H1=(Loc1Var, Lab1, Edg1, Act1, Inv1) and H2=(Loc2Var, Lab2, Edg2, Act2, Inv2) be two
hybrid systems over a common set Varof variables.
Let it be so that whenever H1performs a discrete transition with the synchronization
label a Lab1 Lab2, then so does H2.
The product H1xH2 is the hybrid system (Loc1xLoc1 , Var, Lab1ULab2, Edg, Act, Inv)
such that:
((1 ,2), a, , (1,2 ) Edgif f1) (1, a1, 1, 1) Edg1 and (2, a2, 2, 2) Edg22) Either a1= a2= a; ora1 Lab2and a2= ; ora1= and a2 Lab1,3) = 1 2;
Act(1 ,2) = Act1(1) Act2(2)
Inv(1 ,2) = Inv1(1) Inv2(2)
10
-
8/12/2019 Hybrid Sys Slides
11/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
It follows that all runs of the product system are runs of both component systems:
The product of two time-deterministic hybrid systems is also time-deterministic.
11
[ ] [ ] [ ] [ ]22Loc2111Loc21 HHHandHHH
The Parallel composition of hybrid systems
-
8/12/2019 Hybrid Sys Slides
12/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Linear Hybrid Systems
A linear termover the set Varof variables is li near combination of the variables in Var
with integer coefficients.
A linearformula over Varis a boolean combination of inequalities between linear terms
over Var.
The time-determinist ic hybrid system H = (Loc Var, Lab, Edg, Act, Inv) is linear if its
activities, invariants, and transiti on relations can be defined by linear expressions over
the set Varof variables:
1. For al l locat ions Loc , the activitiesAct() are defined by a set of differential equations ofthe form , one for each variable x Var, where kx is an integer constant: for allvaluation v V, variables x Var, and nonnegative reals tR0 .
12
xkx=.
[ ]( ) ( ) tvx += xkxvt
-
8/12/2019 Hybrid Sys Slides
13/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
2. For al l locat ion Loc the invariant Inv() is defined by a linear formula over Var.
3. For al l transi tions e Edgthe transition relation is defined by a guarded set ofnondeterministic assignments.
Here, the guard is a linear formula, and both interval boundaries xand xare linear termsfor each variable x Var:
13
viffInvv
[ ]{ }.Varx|,: = xxx
xx vxv'Var.vxviffvv ',
Linear Hybrid Systems
-
8/12/2019 Hybrid Sys Slides
14/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Special cases of linear hybrid systems
If Act(.x) = 0 for each location Locthen xis a discrete variable. A discrete systemis a linear hybrid system all of whose variables are discrete.
A discrete variable x is a proposit ion if (e, x) {0, 1} for each transition e Edg.Afinite-state systemis a linear hybr id system all of whose variables are proposit ion.
If Act(.x) = 1for each location and (e, x) {0, x} for each transition e, then xis aclock. Thus:
1) The value of a clock increases uniformly wi th time, and
2) A discrete transi ti on either resets a clock to 0, or leaves it unchanged.
A timed automationis a linear hybrid system all of whose variables are propositions
or clocks, and the linear expressions are boolean combinations of inequalities of a
particular form.
14
-
8/12/2019 Hybrid Sys Slides
15/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
If there is a nonzero integer constant k such that Act(, x) = kfor each location and (e, x) {0, x} for each transition e, then xis a skewed clock. A multirate timedsystemis a linear hybrid system all of whose variables are propositions and skewed
clocks. An n-ratetimed system is a multirate timed system whose skewed clocks
proceed at n different rates.
If Act(, x) {0, 1} for each location and (e, x) {0, x} for each transition e, then xisan integrator. It is basically a clock that is typically used to measure accumulated
durations. An integrator systemis linear hybr id system all of whose variables are
propositions and integrators.
15
Special cases of linear hybrid systems
-
8/12/2019 Hybrid Sys Slides
16/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Examples of Linear Hybrid Systems
16
A Water-level monitor :
-
8/12/2019 Hybrid Sys Slides
17/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A leaking gas burner:
17
Examples of Linear Hybrid Systems
-
8/12/2019 Hybrid Sys Slides
18/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A temperature control system:
18
Examples of Linear Hybrid Systems
-
8/12/2019 Hybrid Sys Slides
19/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A game of b il li ards:
19
Examples of Linear Hybrid Systems
-
8/12/2019 Hybrid Sys Slides
20/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 20
Game of bil liards, movement of the grey ball:
Examples of Linear Hybrid Systems
-
8/12/2019 Hybrid Sys Slides
21/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 21
Example
Sample program:
int i=0
do {
assert( i 10]
[i10]i=i+2;
[i
-
8/12/2019 Hybrid Sys Slides
22/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 22
Concrete Interpretation Sample program:int i=0
do {
assert( i 10]
[i10]i=i+2;
[i10]
[i10]
i=i+2;
[i10]
[i10]i=i+2;
[i
-
8/12/2019 Hybrid Sys Slides
23/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 23
Abstract Interpretation Sample program:int i=0
do {
assert( i 10]
[i10]i=i+2;
[i10]
[i10]
i=i+2;
[i10]
[i10]i=i+2;
[i
-
8/12/2019 Hybrid Sys Slides
24/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The Reachability Problem for Linear Hybrid Systems
Let and are two states of a hybrid system H.
The state is reachable from the state , written * if there is a run of Hthatstarts in and ends in .
The reachability question asks, then, if * f or two given states and of ahybrid system H.
The verification of invariance properties is equivalent to the reachability question: a set
R of states is an invariant of the hybrid system Hiff no state in - R is reachablefrom an initial state of H.
24
-
8/12/2019 Hybrid Sys Slides
25/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A decidability result
A l inear hybrid system is simpleif all linear atoms in location invariabts and transition
guards are of the form x k or kx, for a variable xVarand an integer constant k. For multirate timed systems the simplicity condition prohibits the comparison of
skewed clocks with di fferent rates.
Theorem 3.1: The reachability problem is decidable for simple multirate timed
systems.
25
-
8/12/2019 Hybrid Sys Slides
26/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Two Undecidability results
Theorem 3.2: The reachability problem is undecidable for 2-rate timed systems.
Theorem 3.3: The reachability problem is undecidable for simple integrator systems.
26
-
8/12/2019 Hybrid Sys Slides
27/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The verif ication of Linear Hybrid Systems
Forward Analysis : Preliminary Definitions
Given a location Locand a set of valuations P V, the forward time closure ofPat is theset of valuations that are reachable from some valuation vP.
Thus for all valuation v , There exist a valuation vPand a nonnegative realtR0 such that (, v) (, v )
Given transition e= (, a, , ) and a set of valuation P V, the post condition poste[P] of Pwithrespect to eis the set of valuations that are reachable from some valuation vPby executing thetransition e;
Thus for all valuations v poste[P], there exists a valuation vP such that (, v)a(, v)
27
P
[ ]( ) [ ]( )ttvPv vv'tcpPv.RtV,viff' 0 =
P
[ ] ' v'v,PV.vviffPpostv e
-
8/12/2019 Hybrid Sys Slides
28/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
A set of states is called a region.
Given a set P V of valuations, by (, P) we denote the region{(, v) | v P}.
We write (, v) (, P) iffv P. For a region ,
28
( ) R,LocR =
R,Loc
R
=
[ ]( )
[ ]( )
RREdgee
e',
post,'post=
=
The verif. of Lin. Hyb. Sys.: Forward Analysis
-
8/12/2019 Hybrid Sys Slides
29/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 29
A symbolic run of the linear hybrid system His a finite or infinite sequence
: (0, P0) (1, P1) (i, Pi) of regions such that for all i 0, there exists of transitions eifrom i to i +1 and
The symbolic run a represents the set of all runs of the form
such that (i, vi) (i, Pi) for all i 0.
iiei PpostP =+1
( ) ( ) ...,, 10 1100tt
vv
The verif. of Lin. Hyb. Sys.: Forward Analysis
-
8/12/2019 Hybrid Sys Slides
30/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Given a region I the reachable region of Iis theset of all states that are reachable from states in I:
Proposition 4.1:Let be a region of the linear
hybrid system H. The reachable region
is the least fixpoint of the equation.
or equivalently, for all locations Loc, the set Rof valuationsis the least fixpoint of the set of equations:
.
30
The verif. of Lin. Hyb. Sys.: Forward Analysis
( ) *I
( ) *'.'* IiffI ( )
II Loc ,=
( ) ( )
RI Loc ,* =
[ ]XpostIX =
( )[ ]
','
XpostIX eEdge =
=
-
8/12/2019 Hybrid Sys Slides
31/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Lemma 4.1: For all linear hybrid systems H, if P V is a linearset of valuations, then for all locations Locand transitionse Edg, both and poste[P]are linear sets of valuations.
By Lemma 4.1, if Ris a linear region, then so are both and
poste[R]
31
P
R
The verif. of Lin. Hyb. Sys.: Forward Analysis
Example Forward Analysis: The leaking gas
-
8/12/2019 Hybrid Sys Slides
32/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta 32
Example, Forward Analysis: The leaking gas
burner
. . . Contd.
Recap:
Example Forward Analysis: The leaking gas
-
8/12/2019 Hybrid Sys Slides
33/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Let Ibe the set of in itial states defined by the linear formula
The set of reachable states is characterized by the least fixpoint of the two
equations
which can be iteratively computed as
33
( )01 ===== zyxpcI
( )*I
[ ]12)1,2(1
0 postzyx ====
( )[ ] 212,12 postfalse=
[ ]
1,2)1,2(1,1,1 = iii post
[ ]21,1)1,2(1,2,2
= iii post
Example, Forward Analysis: The leaking gas
burner
-
8/12/2019 Hybrid Sys Slides
34/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Backward Analysis
Given a location Locand a set of valuation P V the backward t ime closure PofP at is the set of valuations from which i t is possible to reach some valuation v Pby letting time progress:
Thus for all valuations v P, there exist a valuation v P and a nonnegative realt R0 such that (,v)t (,v) .
Given a transition e =(, a, , ) and a set of valuation P V, the precondition pree[P] ofP with respect to e is the set of valuation f rom which it is possib le to reach a valuation
v P by executing the transition e:
34
[ ] [ ] tvtcpPvtvvRviffPv 0 ''.'
[ ] ' v,v'PV.vviffPprev e
-
8/12/2019 Hybrid Sys Slides
35/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Thus, for all valuation vPree[P], there exists a valuation v P such that(,v)a (,v)
The backward time closure and the precondit ion can be naturally extended to regions:
for R =Loc (, R),
Given a region R , the initial region (* R) of R is the set of all states fromwhich a state in R is reachable:
Notice that R (* R).
35
RRLoc
,
= [ ] [ ] RpreRpre eEdge ,,' =
'*R.'iffR *
-
8/12/2019 Hybrid Sys Slides
36/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Proposition 4.2 Let R =Loc (, R) be a region of the linear hybrid systemH. The ini tial region I = Loc (, I) is the list fixpoint of the equation.
Or equivalently, for all locations Loc , the set I of valuations is theleast fixpoint of the set.
Lemma 4.2 For all linear hybrid systems H, if P V is a linear set ofvaluations, then for all locations Loc and transitions eEdg, both Pand pree[P] are linear sets of valuations.
36
[ ]XpreRX
[ ]
XpreRX eEdge
'',
E l B k d l i
-
8/12/2019 Hybrid Sys Slides
37/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Example: Backward analysis
The region R defined by the linear formula
Should be not reachable from the set I of ini tial states defined by the linear formula
The set (* R) of states from which it is possible to reach a state in R is characterizedby the least fixpoint of the two equations.
Which can be iteratively computed as:
37
yz2060yR > 0zyx1pcI =
[ ]12211
preyz2060y , [ ]
21122preyz2060y ,
[ ]11i221i1
pre ,,, [ ]
21i112i2pre ,,,
f f S
-
8/12/2019 Hybrid Sys Slides
38/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The verif. of Lin. Hyb. Sys.: Approximate Analysis
We compute upper approximations of the sets
of states which are reachable from the initial states I(forward analysis)
of states from which the region Ris reachable (backward analysis)
For forward analysis, the set Xof reachable states at location is given by proposition4.1 as:
Two problems arise in the practical resolution of such a system: Handling disjunctions of systems of linear inequalities; for ins tance there is no easy way
for deciding if a union of polyhedra is included into another.
The fixpoint computation may involve infinite iteration.
38
( )*I
( )R*
( )[ ]
'
,'
XpostIXe
Edge =
=
Th if f Li H b S A i t A l i
-
8/12/2019 Hybrid Sys Slides
39/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
An approximate solut ion to these problems is provided by abst ract in terpretat ion
techniques.
Union of polyhedra is approximated by their convex hull. Let denote the convex hull
operator:
The system of equations becomes:
To enforce the convergence of iterations, we apply Cousot's widening technique .
39
( ) [ ]{ }1,0,'',|'1' += PxPxxxPP
( )
[ ]
'',
XpostIX eEdge
=
=
The verif. of Lin. Hyb. Sys.: Approximate Analysis
-
8/12/2019 Hybrid Sys Slides
40/61
-
8/12/2019 Hybrid Sys Slides
41/61
Th if f Li H b S A i t A l i
-
8/12/2019 Hybrid Sys Slides
42/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Approximat ion Operators:
42
The verif. of Lin. Hyb. Sys.: Approximate Analysis
Example, Approximate Analysis: The leaking gas
-
8/12/2019 Hybrid Sys Slides
43/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
p , pp y g g
burner
With Idefined by I= (pc= 1 x= y= z= 0), we have withand (choosing location 1 as the only widening location):
43
( ) 21* XXI =
21iXX nii ,,lim =
[ ]1
1n
212
1n
1
n
1 Xpost0zyxXX ,
[ ]2
n
121
n
2 XpostX ,
Analysis of Leaking Gas Burner
-
8/12/2019 Hybrid Sys Slides
44/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Analysis of Leaking Gas Burner
44
Source: [Gonnord, Halbwachs, LNCS 4134] Combining widening and acceleration in linear relation analysis.
Step-1: Leaking location reached with {t=l=0}, and as time elapses we get the
polyhedron {0t = l 10} (Region (1) in Fig. 2.a)
Analysis of Leaking Gas Burner
-
8/12/2019 Hybrid Sys Slides
45/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Analysis of Leaking Gas Burner
45
Source: [Gonnord, Halbwachs, LNCS 4134] Combining widening and acceleration in linear relation analysis.
Step-2: Non-leaking location is reached wi th {0t = l 10}. As time elapses, weget {0 l 10, t l }. (Region (2) in Fig. 2.b)
Analysis of Leaking Gas Burner
-
8/12/2019 Hybrid Sys Slides
46/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Analysis of Leaking Gas Burner
46
Source: [Gonnord, Halbwachs, LNCS 4134] Combining widening and acceleration in linear relation analysis.
Step-3: We go back to leaking location with {0 l 10, t l+50 }, (Region (3) in Fig. 2.c)Convex hull wi th {t = l =0 } gives {0 l 10, t 6l }, (Region (4) in Fig. 2.c)
Analysis of Leaking Gas Burner
-
8/12/2019 Hybrid Sys Slides
47/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Analysis of Leaking Gas Burner
47
Source: [Gonnord, Halbwachs, LNCS 4134] Combining widening and acceleration in linear relation analysis.
Step-3 (contd): Time passage yields {0 l20, t l, t 6l 50 }. Now standardwidening yields {0 lt, t 6l 50 }. (Region (5) in Fig. 2.c)
-
8/12/2019 Hybrid Sys Slides
48/61
Minimization
-
8/12/2019 Hybrid Sys Slides
49/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The partition respects the region RFif for every region R , R RFor R RF=
Our objective is to construct the coarsest b isimulation that respects a given region RF,
provided there is a finite bisimulation that respects RF.
The function split[](R) splits the region R into subsets that are more stable withrespect to :
49
[ ]( ) { }{ } [ ] ,'"'."if','
otherwise: RRRRpreRRRRR
RRsplit =
=
Minimization
-
8/12/2019 Hybrid Sys Slides
50/61
Model Checking
-
8/12/2019 Hybrid Sys Slides
51/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Model Checking
Timed computation tree logic :
Let Cbe a set of clocksnot in Var; that is C Var= .
A state predicate is a linear formula over the set VarCof variables.
The formulas of TCTL, then, are defined by the following grammar, where is a statepredicate and z C.
The formal is closed if all occurrences of a clock z Care within the scope of a resetquantifier z.
51
::= | | 1 2 | z. | 1 2 | 1 2
-
8/12/2019 Hybrid Sys Slides
52/61
-
8/12/2019 Hybrid Sys Slides
53/61
Timed Computation Tree Logic
-
8/12/2019 Hybrid Sys Slides
54/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Timed Computation Tree Logic
Let be a run of the linear hybrid system H, with i =(i,i) for alli0: A pos it ion of is a pair (i, t) consisting of a nonnegative integer iand a
nonnegative real t ti. The posi tion of are ordered lexicographically; that is , (i, t) (j, t) iff i
-
8/12/2019 Hybrid Sys Slides
55/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Timed Computation Tree Logic
The extended state(, ) satisfies the TCTL-formula ,denoted (, ) if :
55
Let be a closed formula of TCTL. We write if (, ) for all clockvaluations .
The Linear hybrid system Hsatisfies , denoted H , if all states of Hsatisfy .
The model-checking algorithm
-
8/12/2019 Hybrid Sys Slides
56/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The model-checking algorithm
The Characteristic set of is the set of states that satisfy . Given a closed TCTL-formula , a model-checking algori thm computes
the characteristic set Defini tion of binary next or single step until operator :
Given two regions R, R , the region R R is the set of states that havea successor R such that all states between and are contained in R R :
I.e., ( ,) (R R) iff:
I.e., the operator is a single-step until operator.
For a linear formula , we extend the tcp operator such that
56
'',.'',',,,'',' RRtvtt0vvRtRv t0
[ ][ ]( ) [ ]( ) ( )( )'.'0ifftcp Invtvtttv
-
8/12/2019 Hybrid Sys Slides
57/61
The model-checking algorithm
-
8/12/2019 Hybrid Sys Slides
58/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
The model checking algorithm
Let Rand R be the characteristic sets of the two TCTL-formulas and ,respectively. The characteristi c set of the formula can be iteratively computedas i Ri with
R0 = R, and For all i0, Ri+1 = Ri(R Ri)
To check if the TCTL-formula is an invariant of H, we check i f the set of in itial states
is contained in the characteristic set of the formula . This characteristi c set can
be iteratively computed as i Ri with R0 = , and for all i0, Ri+1 = Ri (true Ri)
The real-time response property asserting that a given event occurs within a certain
time bound is expressed in TCTL by a formula of the form c , whosecharacteristic set can be iteratively computed as i Ri[z : = 0] with
R0 = z > c, and For all i0, Ri+1 = Ri((R) Ri),
where R = and z C58
Example: the temperature control system
-
8/12/2019 Hybrid Sys Slides
59/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
Example: the temperature control system
System requirement: Maintain the temperature of the coolant between m and M.
If temperature rises to M and cannot decrease because no rod is available, a complete
shutdown is required.
Will the system ever reach the shutdown state?
59
Example: the temperature control system
-
8/12/2019 Hybrid Sys Slides
60/61
Indian Insti tute of Technology Kharagpur Pallab Dasgupta
TCTL formula stating that state 3 (shutdown) is always unreachable:
(pc = 0 M x1 T x2 T ) (pc= 3)
60
Example: the temperature control system
-
8/12/2019 Hybrid Sys Slides
61/61
Thank you very much!!