robustness and implementability of timed automata

Robustness and Robustness and Implementability of Timed Implementability of Timed

AutomataAutomata

Martin De WulfMartin De Wulf

Laurent DoyenLaurent Doyen

Nicolas MarkeyNicolas Markey

Jean-François RaskinJean-François Raskin

Centre Fédéré en Vérification

FORMATS-FTRTFT 2004 – Sep 24FORMATS-FTRTFT 2004 – Sep 24thth - Grenoble - Grenoble

MotivationMotivation

• Embedded Controllers… are difficult to develop (concurrency, real-time, continuous environment, ...).

… are safety critical.

Use formal models + Verification:

Timed Automata andReachability Analysis

Timed Automata

closed guard

reset

Location

Transition

2a

0:a

2b

0:b

1:a0:b

A

Clocks: {a,b}

ObjectivesObjectives

• From a verified model, generate (automatically) a correct implementation

• Using classical formalism (e.g. timed automata)

• …but interpreting the model in a way that guarantees the transfer of the properties from model to implementation3x

Robustness and ImplentationRobustness and Implentation

Model

•Perfect continuous clocks

•Instantaneous synchronisations

•Reaction time = 0

•Digital clocks

•Delayed synchronisations

•Reaction time > 0

Implementation

vs.

Correct model

Correct implementatio

n

??

Timed Automata: SemanticsTimed Automata: Semantics

Classical

Perfect clocks

Rate:

Guard:

1/ dtdx

][ iff | gvgv

Imprecise clocks

Rate:

Guard:

]1,1[/ dtdx

][ iff | gvgv

],[][ babxa ],[][ babxa

00][A Enlarge

dvs.

][A

Shortcut:

0][:][ AA 0][:][ AA

From Model to ImplementationFrom Model to Implementation

>0 Reach([A´]) Bad =

Timed automaton A is implementable [DDR04] if

Reach([A]) Bad =

Timed automaton A is correct if

which is equivalent to

>0 Reach([A´]) Bad =

RobustnessRobustness

No ! (see example)

•Is it always the case that ?

>0 Reach([A]) = Reach([A])

•How to compute ?

>0 Reach([A])

• [Pur98] gives an algorithm for

>0 Reach([A])

• We show that >0 Reach([A]) = >0 Reach([A])

An example showing thatAn example showing that

Reach([A]) >0 Reach([A])

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

ExampleExample

2a

0:a

2b

0:b

a

b

10

1

2

2

1:a0:b

Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

AReach

Classical Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

2

Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

3

Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

4

Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

)12( k

Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2

k2

Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

Reach([A])

2a

0:a

2b

0:b

1:a0:b

a

b

10

1

2

2 Enlarged Semantics

ExampleExample

>0 Reach([A])

When 0

Enlarged Semantics

a

b

10

1

2

2

Classical Semantics

vs.

ExampleExample

a10

1

2

2

b

>0 Reach([A])Reach([A])

00

a

b

10

1

2

2

•Black cycles are reachable

•Blue cycles are not !

Classical semantics [A]

Enlarged semantics

•One blue cycle is reachable

•By repeating this cycle with Δ>0, the entire regions are reachable !

ExampleExample

[A]

Cycles in Timed AutomataCycles in Timed Automata

Algortihm [Pur98] is based on this observation:

•It just adds the cycles to reachable states

•Until no more cycle is accessible

Hence, the implementability problem

is decidable ! (and PSPACE-complete)

Given a timed automaton A, determine whether there exists Δ>0 such that Reach([A]) Bad =

Open questionsOpen questions

• Maximize Δ such that

• Decide whether there exists Δ such that

• Find a practical algorithm for

• And many others…

Reach([A]) Bad =

>0 Reach([A])

UntimedLang([A]) = UntimedLang([A])

ReferencesReferences

• [DDR04] M. De Wulf, L. Doyen, J.-F. Raskin. Almost ASAP Semantics: From Timed Model to Timed Implementation. LNCS 2993, HSCC 2004.

• [Pur98] A. Puri. Dynamical Properties of Timed Automata. FTRTFT 1998.

Model-based developmentModel-based development

• Make a model of the environment:Env

• Make clear the control objective: Bad

• Make a model of the control strategy:ControllerModel

• Verify:Does Env || ControllerModel avoid

Bad ?• Good, but after ?