Hybrid Sys Slides

8/12/2019 Hybrid Sys Slides

1/61

Prof. Pallab Dasgupta

Dept. of Computer Science & Engineering

Indian Institute of Technology, Kharagpur

Formal Analysis of Hybrid Systems


2/61

Indian Insti tute of Technology Kharagpur Pallab Dasgupta

A Model for Hybrid System

A hybrid system H= (Loc, Var, Lab, Edg, Act, Inv) Consists of six components:

1. A f in ite set Locof vertices called locations.

2. A f in ite set Varof real valued variables. We write Vfor the set of valuations. A valuation is a funct ion that assigns a real-value

(x) R to each variable x Var. A state is a pair(, ) consisting of a location Loc and a valuation V.

3. A f in ite set Labof synchronizationlabels.

Lab necessarily contains the stutter label , i.e.Lab.


3/61


4. A f in ite set Edgof edges called transitions.

Each transiti on e = (, a,, ) consists of : A source locat ion Loc, A target location Loc, A synchronization label a Lab A transi tion relation V2

For each location Locthere is a set ConVarof controlled variables and astutter transition of the form (, , IDcon, ), where (, ) Idconi f f for allvariables x Var, either x Conor (x) = (x).

The transition e is enabled in a state (, )if for some valuation V, ( , ) . The state (, )is then said to be a transition successorof (, ).



4/61

Indian Insti tute of Technology Kharagpur Pallab Dasgupta 4

5. A labeling function Actthat assigns to each location Loc a set of activities. Each activity is a function from the nonnegative reals R0 to V. The activities of each location are time-invariant.

6. A

labeling function Invthat assigns to each location Loc an invariantInv() V.

The system may stay at a location only if the location invariant is true; that is,some discrete transiti on must be taken before the invariant becomes false.

The hybrid system His time-deterministicif for every location Loc and everyvaluation V, there is at most one activity fAct() with f(0) =. The activi ty f,then, is denoted by [].



5/61


The runs of a hybrid system

The state of a hybrid system can change in two ways:

By a discreteand instantaneoustransition that changes both the control location and the

values of the variables according the transition relation;

By a timedelaythat changes only the values of the variables according to the activities of

the current location.


6/61


A run of the hybr id system H, then, is a fini te or infini te sequence

of s tatesi= (i, i) nonnegative reals tiR0and activities fAct(i), such that for alli0:

1. fi(0) = i2. For all 0 t ti, fi(t) Inv(i)3. The state i+1 is a transition successor o f the state

The state i is called a time successor of the state I ; The statei+1 is called a successorof i. We write [H] for the set of runs of the hybrid system H.

6

....: 22

1

1

t

f2

t

f10

t

0f0

The runs of a hybrid system

))(,(' iiii tf=


7/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta

Hybrid systems as transit ion systems

With the hybrid system H, we associate the labeled transiti on system H= (, Lab" R0

, ), when the step relation is the union of the following two: The transition-step relationsa, fora Lab,

The time-step relations t, fo r t R0

7

''

'''

,,

,,,,,

a

InvEdga

tf Invtftt00fActf a ,, . ''



The stutter transitions ensure that the transiti on system His reflexive. For all states , ,, , Where = (, v) and for all tR0 ,

It follows that for every hybrid systems, the set of runs is closed under prefixes,

suffixes, stuttering, and fusion [HNSY94].

For time-deterministic hybrid systems, Time can progress by the amount tR0 fromthe state (, v) if this is permitted by the invariant of location ; that is :

We can rewrite the time-step rule for time-deterministic systems as :

8

'' ,, a''t''tf lab.aiffActf

[ ]( ) [ ]( ) ( ) Invtvttvtcp '' .t0iff

[ ] [ ] tvv tvtcpt ,,

Hybrid systems as transit ion systems


9/61Indian Insti tute of Technology Kharagpur Pallab Dasgupta 9

Example: Thermostat

When the heater is off , the temperature:

When the heater is on:

The resulting time-deterministic hybrid system is shown below:

Ktetx =

KtKt e1hetx



The Parallel composition of hybrid systems

Let H1=(Loc1Var, Lab1, Edg1, Act1, Inv1) and H2=(Loc2Var, Lab2, Edg2, Act2, Inv2) be two

hybrid systems over a common set Varof variables.

Let it be so that whenever H1performs a discrete transition with the synchronization

label a Lab1 Lab2, then so does H2.

The product H1xH2 is the hybrid system (Loc1xLoc1 , Var, Lab1ULab2, Edg, Act, Inv)

such that:

((1 ,2), a, , (1,2 ) Edgif f1) (1, a1, 1, 1) Edg1 and (2, a2, 2, 2) Edg22) Either a1= a2= a; ora1 Lab2and a2= ; ora1= and a2 Lab1,3) = 1 2;

Act(1 ,2) = Act1(1) Act2(2)

Inv(1 ,2) = Inv1(1) Inv2(2)

10



It follows that all runs of the product system are runs of both component systems:

The product of two time-deterministic hybrid systems is also time-deterministic.

11

[ ] [ ] [ ] [ ]22Loc2111Loc21 HHHandHHH

The Parallel composition of hybrid systems



Linear Hybrid Systems

A linear termover the set Varof variables is li near combination of the variables in Var

with integer coefficients.

A linearformula over Varis a boolean combination of inequalities between linear terms

over Var.

The time-determinist ic hybrid system H = (Loc Var, Lab, Edg, Act, Inv) is linear if its

activities, invariants, and transiti on relations can be defined by linear expressions over

the set Varof variables:

1. For al l locat ions Loc , the activitiesAct() are defined by a set of differential equations ofthe form , one for each variable x Var, where kx is an integer constant: for allvaluation v V, variables x Var, and nonnegative reals tR0 .

12

xkx=.

[ ]( ) ( ) tvx += xkxvt



2. For al l locat ion Loc the invariant Inv() is defined by a linear formula over Var.

3. For al l transi tions e Edgthe transition relation is defined by a guarded set ofnondeterministic assignments.

Here, the guard is a linear formula, and both interval boundaries xand xare linear termsfor each variable x Var:

13

viffInvv

[ ]{ }.Varx|,: = xxx

xx vxv'Var.vxviffvv ',

Linear Hybrid Systems



Special cases of linear hybrid systems

If Act(.x) = 0 for each location Locthen xis a discrete variable. A discrete systemis a linear hybrid system all of whose variables are discrete.

A discrete variable x is a proposit ion if (e, x) {0, 1} for each transition e Edg.Afinite-state systemis a linear hybr id system all of whose variables are proposit ion.

If Act(.x) = 1for each location and (e, x) {0, x} for each transition e, then xis aclock. Thus:

1) The value of a clock increases uniformly wi th time, and

2) A discrete transi ti on either resets a clock to 0, or leaves it unchanged.

A timed automationis a linear hybrid system all of whose variables are propositions

or clocks, and the linear expressions are boolean combinations of inequalities of a

particular form.

14



If there is a nonzero integer constant k such that Act(, x) = kfor each location and (e, x) {0, x} for each transition e, then xis a skewed clock. A multirate timedsystemis a linear hybrid system all of whose variables are propositions and skewed

clocks. An n-ratetimed system is a multirate timed system whose skewed clocks

proceed at n different rates.

If Act(, x) {0, 1} for each location and (e, x) {0, x} for each transition e, then xisan integrator. It is basically a clock that is typically used to measure accumulated

durations. An integrator systemis linear hybr id system all of whose variables are

propositions and integrators.

15

Special cases of linear hybrid systems



Examples of Linear Hybrid Systems

16

A Water-level monitor :



A leaking gas burner:

17




A temperature control system:

18



19/61


A game of b il li ards:

19



20/61


Game of bil liards, movement of the grey ball:



21/61


Example

Sample program:

int i=0

do {

assert( i 10]

[i10]i=i+2;

[i


22/61


Concrete Interpretation Sample program:int i=0

do {

assert( i 10]

[i10]i=i+2;

[i10]

[i10]

i=i+2;

[i10]

[i10]i=i+2;

[i


23/61


Abstract Interpretation Sample program:int i=0

do {

assert( i 10]

[i10]i=i+2;

[i10]

[i10]

i=i+2;

[i10]

[i10]i=i+2;

[i


24/61


The Reachability Problem for Linear Hybrid Systems

Let and are two states of a hybrid system H.

The state is reachable from the state , written * if there is a run of Hthatstarts in and ends in .

The reachability question asks, then, if * f or two given states and of ahybrid system H.

The verification of invariance properties is equivalent to the reachability question: a set

R of states is an invariant of the hybrid system Hiff no state in - R is reachablefrom an initial state of H.

24


25/61


A decidability result

A l inear hybrid system is simpleif all linear atoms in location invariabts and transition

guards are of the form x k or kx, for a variable xVarand an integer constant k. For multirate timed systems the simplicity condition prohibits the comparison of

skewed clocks with di fferent rates.

Theorem 3.1: The reachability problem is decidable for simple multirate timed

systems.

25


26/61


Two Undecidability results

Theorem 3.2: The reachability problem is undecidable for 2-rate timed systems.

Theorem 3.3: The reachability problem is undecidable for simple integrator systems.

26


27/61


The verif ication of Linear Hybrid Systems

Forward Analysis : Preliminary Definitions

Given a location Locand a set of valuations P V, the forward time closure ofPat is theset of valuations that are reachable from some valuation vP.

Thus for all valuation v , There exist a valuation vPand a nonnegative realtR0 such that (, v) (, v )

Given transition e= (, a, , ) and a set of valuation P V, the post condition poste[P] of Pwithrespect to eis the set of valuations that are reachable from some valuation vPby executing thetransition e;

Thus for all valuations v poste[P], there exists a valuation vP such that (, v)a(, v)

27

P

[ ]( ) [ ]( )ttvPv vv'tcpPv.RtV,viff' 0 =

P

[ ] ' v'v,PV.vviffPpostv e


28/61


A set of states is called a region.

Given a set P V of valuations, by (, P) we denote the region{(, v) | v P}.

We write (, v) (, P) iffv P. For a region ,

28

( ) R,LocR =

R,Loc

R

=

[ ]( )

[ ]( )

RREdgee

e',

post,'post=

=

The verif. of Lin. Hyb. Sys.: Forward Analysis


29/61


A symbolic run of the linear hybrid system His a finite or infinite sequence

: (0, P0) (1, P1) (i, Pi) of regions such that for all i 0, there exists of transitions eifrom i to i +1 and

The symbolic run a represents the set of all runs of the form

such that (i, vi) (i, Pi) for all i 0.

iiei PpostP =+1

( ) ( ) ...,, 10 1100tt

vv



30/61


Given a region I the reachable region of Iis theset of all states that are reachable from states in I:

Proposition 4.1:Let be a region of the linear

hybrid system H. The reachable region

is the least fixpoint of the equation.

or equivalently, for all locations Loc, the set Rof valuationsis the least fixpoint of the set of equations:

.

30


( ) *I

( ) *'.'* IiffI ( )

II Loc ,=

( ) ( )

RI Loc ,* =

[ ]XpostIX =

( )[ ]

','

XpostIX eEdge =

=


31/61


Lemma 4.1: For all linear hybrid systems H, if P V is a linearset of valuations, then for all locations Locand transitionse Edg, both and poste[P]are linear sets of valuations.

By Lemma 4.1, if Ris a linear region, then so are both and

poste[R]

31

P

R


Example Forward Analysis: The leaking gas


32/61


Example, Forward Analysis: The leaking gas

burner

. . . Contd.

Recap:

Example Forward Analysis: The leaking gas


33/61


Let Ibe the set of in itial states defined by the linear formula

The set of reachable states is characterized by the least fixpoint of the two

equations

which can be iteratively computed as

33

( )01 ===== zyxpcI

( )*I

[ ]12)1,2(1

0 postzyx ====

( )[ ] 212,12 postfalse=

[ ]

1,2)1,2(1,1,1 = iii post

[ ]21,1)1,2(1,2,2

= iii post

Example, Forward Analysis: The leaking gas

burner


34/61


Backward Analysis

Given a location Locand a set of valuation P V the backward t ime closure PofP at is the set of valuations from which i t is possible to reach some valuation v Pby letting time progress:

Thus for all valuations v P, there exist a valuation v P and a nonnegative realt R0 such that (,v)t (,v) .

Given a transition e =(, a, , ) and a set of valuation P V, the precondition pree[P] ofP with respect to e is the set of valuation f rom which it is possib le to reach a valuation

v P by executing the transition e:

34

[ ] [ ] tvtcpPvtvvRviffPv 0 ''.'

[ ] ' v,v'PV.vviffPprev e


35/61


Thus, for all valuation vPree[P], there exists a valuation v P such that(,v)a (,v)

The backward time closure and the precondit ion can be naturally extended to regions:

for R =Loc (, R),

Given a region R , the initial region (* R) of R is the set of all states fromwhich a state in R is reachable:

Notice that R (* R).

35

RRLoc

,

= [ ] [ ] RpreRpre eEdge ,,' =

'*R.'iffR *


36/61


Proposition 4.2 Let R =Loc (, R) be a region of the linear hybrid systemH. The ini tial region I = Loc (, I) is the list fixpoint of the equation.

Or equivalently, for all locations Loc , the set I of valuations is theleast fixpoint of the set.

Lemma 4.2 For all linear hybrid systems H, if P V is a linear set ofvaluations, then for all locations Loc and transitions eEdg, both Pand pree[P] are linear sets of valuations.

36

[ ]XpreRX

[ ]

XpreRX eEdge

'',

E l B k d l i


37/61


Example: Backward analysis

The region R defined by the linear formula

Should be not reachable from the set I of ini tial states defined by the linear formula

The set (* R) of states from which it is possible to reach a state in R is characterizedby the least fixpoint of the two equations.

Which can be iteratively computed as:

37

yz2060yR > 0zyx1pcI =

[ ]12211

preyz2060y , [ ]

21122preyz2060y ,

[ ]11i221i1

pre ,,, [ ]

21i112i2pre ,,,

f f S


38/61


The verif. of Lin. Hyb. Sys.: Approximate Analysis

We compute upper approximations of the sets

of states which are reachable from the initial states I(forward analysis)

of states from which the region Ris reachable (backward analysis)

For forward analysis, the set Xof reachable states at location is given by proposition4.1 as:

Two problems arise in the practical resolution of such a system: Handling disjunctions of systems of linear inequalities; for ins tance there is no easy way

for deciding if a union of polyhedra is included into another.

The fixpoint computation may involve infinite iteration.

38

( )*I

( )R*

( )[ ]

'

,'

XpostIXe

Edge =

=

Th if f Li H b S A i t A l i


39/61


An approximate solut ion to these problems is provided by abst ract in terpretat ion

techniques.

Union of polyhedra is approximated by their convex hull. Let denote the convex hull

operator:

The system of equations becomes:

To enforce the convergence of iterations, we apply Cousot's widening technique .

39

( ) [ ]{ }1,0,'',|'1' += PxPxxxPP

( )

[ ]

'',

XpostIX eEdge

=

=



40/61


41/61

Th if f Li H b S A i t A l i


42/61


Approximat ion Operators:

42


Example, Approximate Analysis: The leaking gas


43/61


p , pp y g g

burner

With Idefined by I= (pc= 1 x= y= z= 0), we have withand (choosing location 1 as the only widening location):

43

( ) 21* XXI =

21iXX nii ,,lim =

[ ]1

1n

212

1n

1

n

1 Xpost0zyxXX ,

[ ]2

n

121

n

2 XpostX ,

Analysis of Leaking Gas Burner


44/61



44

Source: [Gonnord, Halbwachs, LNCS 4134] Combining widening and acceleration in linear relation analysis.

Step-1: Leaking location reached with {t=l=0}, and as time elapses we get the

polyhedron {0t = l 10} (Region (1) in Fig. 2.a)



45/61



45


Step-2: Non-leaking location is reached wi th {0t = l 10}. As time elapses, weget {0 l 10, t l }. (Region (2) in Fig. 2.b)



46/61



46


Step-3: We go back to leaking location with {0 l 10, t l+50 }, (Region (3) in Fig. 2.c)Convex hull wi th {t = l =0 } gives {0 l 10, t 6l }, (Region (4) in Fig. 2.c)



47/61



47


Step-3 (contd): Time passage yields {0 l20, t l, t 6l 50 }. Now standardwidening yields {0 lt, t 6l 50 }. (Region (5) in Fig. 2.c)


48/61

Minimization


49/61


The partition respects the region RFif for every region R , R RFor R RF=

Our objective is to construct the coarsest b isimulation that respects a given region RF,

provided there is a finite bisimulation that respects RF.

The function split[](R) splits the region R into subsets that are more stable withrespect to :

49

[ ]( ) { }{ } [ ] ,'"'."if','

otherwise: RRRRpreRRRRR

RRsplit =

=

Minimization


50/61

Model Checking


51/61


Model Checking

Timed computation tree logic :

Let Cbe a set of clocksnot in Var; that is C Var= .

A state predicate is a linear formula over the set VarCof variables.

The formulas of TCTL, then, are defined by the following grammar, where is a statepredicate and z C.

The formal is closed if all occurrences of a clock z Care within the scope of a resetquantifier z.

51

::= | | 1 2 | z. | 1 2 | 1 2


52/61


53/61

Timed Computation Tree Logic


54/61



Let be a run of the linear hybrid system H, with i =(i,i) for alli0: A pos it ion of is a pair (i, t) consisting of a nonnegative integer iand a

nonnegative real t ti. The posi tion of are ordered lexicographically; that is , (i, t) (j, t) iff i


55/61



The extended state(, ) satisfies the TCTL-formula ,denoted (, ) if :

55

Let be a closed formula of TCTL. We write if (, ) for all clockvaluations .

The Linear hybrid system Hsatisfies , denoted H , if all states of Hsatisfy .

The model-checking algorithm


56/61



The Characteristic set of is the set of states that satisfy . Given a closed TCTL-formula , a model-checking algori thm computes

the characteristic set Defini tion of binary next or single step until operator :

Given two regions R, R , the region R R is the set of states that havea successor R such that all states between and are contained in R R :

I.e., ( ,) (R R) iff:

I.e., the operator is a single-step until operator.

For a linear formula , we extend the tcp operator such that

56

'',.'',',,,'',' RRtvtt0vvRtRv t0

[ ][ ]( ) [ ]( ) ( )( )'.'0ifftcp Invtvtttv


57/61



58/61


The model checking algorithm

Let Rand R be the characteristic sets of the two TCTL-formulas and ,respectively. The characteristi c set of the formula can be iteratively computedas i Ri with

R0 = R, and For all i0, Ri+1 = Ri(R Ri)

To check if the TCTL-formula is an invariant of H, we check i f the set of in itial states

is contained in the characteristic set of the formula . This characteristi c set can

be iteratively computed as i Ri with R0 = , and for all i0, Ri+1 = Ri (true Ri)

The real-time response property asserting that a given event occurs within a certain

time bound is expressed in TCTL by a formula of the form c , whosecharacteristic set can be iteratively computed as i Ri[z : = 0] with

R0 = z > c, and For all i0, Ri+1 = Ri((R) Ri),

where R = and z C58

Example: the temperature control system


59/61



System requirement: Maintain the temperature of the coolant between m and M.

If temperature rises to M and cannot decrease because no rod is available, a complete

shutdown is required.

Will the system ever reach the shutdown state?

59



60/61


TCTL formula stating that state 3 (shutdown) is always unreachable:

(pc = 0 M x1 T x2 T ) (pc= 3)

60



61/61

Thank you very much!!

Documents

Hybrid Sys Slides