Tom Henzinger University of California, Berkeley

The Symbolic Approach to

Hybrid Systems

Tom Henzinger

University of California, Berkeley

Discrete (transition) system


Continuous (dynamical) system

Q = Rn



Hybrid system

jumps flows

Q = Rn



Hybrid system

jumps flows

Q = Rn

-nondeterministic -time abstract

A Thermostat

States

x R temperatureh { on, off } heat

A Thermostat

States


Flows

f1 Y h = on x' = K(H-x) f2 Y h = off x' = -Kx

invariants

A Thermostat

States


Flows

f1 Y h = on x' = K(H-x) f2 Y h = off x' = -Kx

Jumps

j1 Y h = on h := off j2 Y h = off h := on

guards

j1 j2

h = on

h = off

f1

f2

x

A Thermostat

States

x R temperatureh { on, off } heatt R timer

Flows

f1 Y h = on t U x' = K(H-x); t' := 1 f2 Y h = off t U x' = -Kx; t' := 1

Jumps

j1 Y h = on t L h := off; t' := 0 j2 Y h = off t L h := on; t' := 0

A Thermostat

States


Flows

f1 Y h = on t U x' = K(H-x); t' = 1 f2 Y h = off t U x' = -Kx; t' = 1

Jumps

j1 Y h = on t L h := off; t := 0 j2 Y h = off t L h := on; t := 0

A Thermostat

States


Flows

f1 Y h = on t U x' = K(H-x); t' = 1 f2 Y h = off t U x' = -Kx; t' = 1

Jumps

j1 Y h = on t L h := off; t := 0 j2 Y h = off t L h := on; t := 0

x

t

x

tL U

h = on

h = off

f1

x

t

x

tL U

h = on

h = off

j1

f1

x

t

x

tL U

h = on

h = off

j1

f1

f2

x

t

x

tL U

h = on

h = off

j1

j2

f1

f2

x

t

x

tL U

h = on

h = off

j1

j2

f1

f2

x

tL U

h = off

Step 1: Discretize

f2

Transition System

Q set of states set of actions post: Q 2Q successor function

Transition System


Thermostat

Q = R2 { on, off } = { f1, f2, j1, j2 }

post ( x, t, on, j1) ={ (x, 0, off) } if t L

if t < L

{

Transition System


Thermostat

Q = R2 { on, off } = { f1, f2, j1, j2 }

post ( x, t, on, j1) =

post ( x, t, on, f1) =

{ (x, 0, off) } if t L if t

< L

{

{infinite set if t < U { (x, 0, on) }

if t = U if t > U

x

t

x

tL U

h = on

h = off

R

Step 2: Lift

x

t

x

tL U

h = on

h = off

R

post(R,f2)

Step 2: Lift

x

t

x

tL U

h = on

h = off

R

post(R,f2)

post( post(R,f2), j2)

Step 2: Lift

Lifted Transition System

Q post: 2Q 2Q post(R,) = qQ post(q,)

Lifted Transition System

Q post: 2Q 2Q post(R,) = qQ post(q,) pre: 2Q 2Q pre(R,) = qQ pre(q,)

x

t

x

tL U

h = on

h = offR

x

t

x

tL U

h = on

h = offR

pre(R,f2)

x

t

x

tL U

h = on

h = offR

pre(R,f2)

pre( pre(R,f2), j2)

x

t

x

tL U

h = on

h = off

Step 3: Observe

0 < x < 1

3 < x < 4

2 < x < 3

1 < x < 2

Observed Transition System

Q pre, post: 2Q 2Q A = { a1, a2, a3, … } set of observations

Q

a3a2

a1

Observed Transition System

Q pre, post: 2Q 2Q A set of observations

Thermostat

A = { on, off } [ { x = c, c < x < c+1 | c Z }

Symbolic Transition System

Q pre, post A = { R1, R2, … }

set of regions Ri Q

1. A

2. pre, post: computable

3. Å : 2 \ : 2 computable

: 2 { t, f }

Region algebra:

Symbolic Transition System

1. Local computation: Region Operations

Compute pre, post, Å , \ , and on regions in .

2. Global computation: Symbolic Semi-Algorithms

Starting from the observations in A, compute new regions in by applying the operations pre, post, Å , \ , and .

Region Algebra

If -Q is the valuations for a set X:Vals of typed variables, -the effect of transitions can be expressed using Ops on Vals, -the first-order theory FO(Vals,Ops) admits quantifier elimination,

then the quantifier-free fragment ZO(Vals,Ops) is a region algebra.

This is because each pre and post operation is a quantifier elimination:

pre(R(X)) = (X) (Trans(X,X) R(X))

Q = Bm Rn

Invariants and guards: boolean and linear constraints, e.g. a

(3x1 + x2 7)

Flows: rectangular differential inclusions, e.g. x'1 [1,2] Jumps: boolean and linear constraints, e.g. x2 := 2x1 + x2 +1

Example: Polyhedral Hybrid Automata

Q = Bm Rn


(3x1 + x2 7)


A = set of boolean valuations and integral polyhedra in Rn


Q = Bm Rn


(3x1 + x2 7)


A = set of boolean valuations and integral polyhedra in Rn

= set of boolean valuations and rational polyhedra in Rn x = … ZO(Q,,+)


FO(Q,,+) admits quantifier elimination, hence ZO(Q,,+) is a region algebra.

Jump j: Y x1 x2 x2 := 2x1-1

pre( 1 x1 x2 2, j ) = ( x1, x2) (x1 x2 x1 = x1 x2 = 2x1-1 1 x1 x2 2)


Jump j: Y x1 x2 x2 := 2x1-1

pre( 1 x1 x2 2, j ) = ( x1, x2) (x1 x2 x1 = x1 x2 = 2x1-1 1 x1 x2 2) = x1 x2 1 x1 2x1-1 2

= x1 x2 1 x1 3/2


FO(Q,,+) admits quantifier elimination, hence ZO(Q,,+) is a region algebra.

x1

x2

R

x1

x2

R

pre(R,j)

Flow f: Y x1 x2 x'1 [1,2]; x'2 = 1

pre( 1 x1 x2 2, f ) = ( 1 k1 2) ( 0)

(1 x1+k1 x2+ 2 ( 0 ) (x1+k1 x2+))


Flow f: Y x1 x2 x'1 [1,2]; x'2 = 1

pre( 1 x1 x2 2, f ) = ( 1 k1 2) ( 0)

(1 x1+k1 x2+ 2 ( 0 ) (x1+k1 x2+)) = ( 0) ( d1 2) (1 x1+d1 x2+ 2 x1 x2 x1+d1 x2+)

convex guards


Flow f: Y x1 x2 x'1 [1,2]; x'2 = 1

pre( 1 x1 x2 2, f ) = ( 1 k1 2) ( 0)

(1 x1+k1 x2+ 2 ( 0 ) (x1+k1 x2+)) = ( 0) ( d1 2) (1 x1+d1 x2+ 2 x1 x2 x1+d1 x2+) = ( 0) (x1 x2 1 x1+2 1 x2+ 2) = x1 x2 x2 2 2x2 x1+3 convex guards


x1

x2

R

pre(R,f)

f

x

y

far

x’[-50,-40]x 1000

near

x’[-50,-30]x 0

pastx’[30,50]

x 100

x = 1000

x = 0x = 100 x : [2000,)

app!

exit!

app

exit

train

x: initialized rectangular variable

upy’ = 9

open

y’ = 0raise

lower

gate

y: uninitialized singular variable

y 90

y = 90

downy’ = -9

closedy’ = 0

y 0

y = 0

raise? lower? raise?

lower?

t’ = 1t

t := 0

app?

lower!

t’ = 1t

t := 0

exit?

raise!

app exit

idle

controller

raiselower

t: clock variable : design parameter

Properties

Safety: ( x 10 loc[gate] = closed )

“on all trajectories, always”

For which values of is this true?


Liveness: ( loc[gate] = open )

“on all trajectories, eventually”

Properties



Real time: z := 0. ( z’ = 1 ( loc[gate] = open z

60 ))

clock variable

Properties



Real time: z := 0. ( z’ = 1 ( loc[gate] = open

z 60 ))

Nonzeno: z := 0. ( z’ = 1 ( z = 1 ))

“on some trajectory, eventually”

Properties

A Zeno System

yx

leftx’ = 1y’ = -2y 5

rightx’ = -2y’ = 1x 5

y = 5

x = 5

yx

leftx’ = 1y’ = -2y 5

rightx’ = -2y’ = 1x 5

y = 5

x = 5

x

y

t

A Zeno System

Model Checker

Model Property

Condition under which the model satisfies the property, or error trajectory

Collection of polyhedral

hybrid automata

Safety or liveness or real time or

nonzeno

HyTech

Model Checking for Safety

Bm Rn

initial states

unsafe states

?

initial states

unsafe states

Bm Rn


initial states

unsafe states

Bm Rn


initial states

unsafe states

unsafe parameter values

Bm Rn


initial states

unsafe states

unsafe parameter values

This is guaranteed to terminate if all variables are initialized (e.g. clocks).

Bm Rn


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =Hy T ech : sy mb o lic mo d el ch eck er fo r emb ed d ed sy stemsVersio n 1 .0 4 1 0 /1 5 /9 6F o r mo re in fo : email: h y tech @eecs.b erk eley.ed u h ttp ://www.eecs.b erk eley.ed u /~ tah /Hy T ech= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = S ettin g o u tp u t lev el to 1C h eck in g au to mato n g ate WAR NING: lo cn erro r o f au to mato n g ate h as n o o u tg o in g tran sitio n sC h eck in g au to mato n co n tro llerC h eck in g au to mato n trainC o mp o sin g au to mata * *Iteratio n : 0Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : far.id le.o p en y = 9 0 & x > = 1 0 0 0Iteratio n : 1Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo wer.o p en y = 9 0 & t < = alp h a & x + 3 0 t < = 1 0 0 0 & x + 5 0 t > = 1 0 0 0 & x > = 0Iteratio n : 2Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo wer.o p en y = 9 0 & t < = alp h a & x > = 0 & 5 0 t > = x + 1 0 0 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0L o catio n : n ear.ab o u t_ to _ lo wer.erro r y = 9 0 & t < = alp h a & x < = 1 0 & x + 5 0 t > = 1 0 0 0 & x > = 0 & x + 3 0 t < = 1 0 0 0L o catio n : n ear.id le.d o wn t < = alp h a & x > = 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & y < = 9 0 & 3 x + 9 0 t < = 1 0 y + 2 1 0 0 & y > = 0 & t> = 0Iteratio n : 3Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo wer.erro r y = 9 0 & t < = alp h a & x > = 0 & 5 0 t > = x + 1 0 0 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0L o catio n : p ast.id le.d o wn t < = alp h a & x < = 1 0 0 & 4 5 0 t > = 9 x + 5 0 y + 4 5 0 0 & y < = 9 0 & t > = 2 0 & 3 x + 1 0 y > = 9 0 0 & 9 0 t< = 3 x + 1 0 y + 2 1 0 0| t < = alp h a & y > = 0 & x > = 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & 9 x + 5 0 y < = 4 5 0 0 & 3 t < = 1 0 0 & 4 5 0 t> = 9 x + 5 0 y + 4 5 0 0 & x < = 1 0 0L o catio n : n ear.id le.erro r t < = alp h a & y < = 9 0 & x > = 0 & 3 x + 9 0 t < = 1 0 y + 2 1 0 0 & 4 5 t > = 5 y + 4 4 1 & x < = 1 0 & y > = 0L o catio n : n ear.id le.clo sed y = 0 & t < = alp h a & t > = 0 & x > = 0 & x + 3 0 t < = 7 0 0L o catio n : far.ab o u t_ to _ raise.o p en y = 9 0 & x > = 1 0 0 0 & alp h a > = 2 2 & x + 5 0 t > = 2 0 0 0 & t > = 0 & t < = alp h aIteratio n : 4Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.id le.erro r t < = alp h a & y > = 8 7 & 9 t < = y + 2 1 3 & 3 x + 1 0 y > = 9 0 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & x < = 1 0 0 &3 t > = 6 0 & y < = 9 0| t < = alp h a & 9 t > = y + 9 0 & x > = 0 & y < = 9 0 & y > = 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & x < = 1 0 0 & 9 t< = y + 2 1 3 & 3 t < = 1 0 0| t < = alp h a & 9 t < = y + 2 1 0 & y < = 9 0 & x > = 0 & 4 5 t > = 5 y + 4 4 1 & y > = 0 & x < = 1 0 0L o catio n : p ast.id le.clo sed y = 0 & t < = alp h a & 3 0 t < = x + 7 0 0 & x < = 1 0 0 & x > = 0 & 3 t > = 3 0| y = 0 & t < = alp h a & t > = 0 & x > = 0 & 3 t < = 7 0 & x < = 1 0 0L o catio n : far.ab o u t_ to _ raise.erro r y = 9 0 & x > = 1 0 0 0 & alp h a > = 2 2 & x + 5 0 t > = 2 0 0 0 & t > = 0 & t < = alp h aL o catio n : far.ab o u t_ to _ raise.d o wn x + 5 0 t > = 2 0 0 0 & 9 alp h a > = y + 9 t + 1 0 8 & t > = 0 & y + 9 t < = 9 0 & alp h a > = 2 0 & y > = 0 & y + 9 t> = 6 0| x + 5 0 t > = 2 0 0 0 & 9 alp h a > = y + 9 t + 1 0 8 & y > = 0 & t > = 0 & y + 9 t < = 7 2Iteratio n : 5Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo wer.erro r y = 9 0 & alp h a > = 2 2 & x > = 0 & x + 5 0 t > = 1 0 0 0 & x + 3 0 t < = 1 0 0 0 & t < = alp h aL o catio n : far.ab o u t_ to _ raise.erro r x + 5 0 t > = 2 0 0 0 & y < = 9 0 & t > = 0 & 4 5 alp h a > = 5 y + 4 4 1 & 5 t < = 5 alp h a & y > = 0 & x > = 1 0 0 0L o catio n : far.ab o u t_ to _ raise.clo sed y = 0 & t < = alp h a & x + 5 0 t > = 2 0 0 0 & t > = 0 & x > = 1 0 0 0| y = 0 & alp h a > = 1 2 & t > = 0 & x + 5 0 t > = 2 0 0 0 & t < = alp h a & x > = 1 0 0 0L o catio n : far.id le.u p y < = 9 0 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & t < = 1 0 & alp h a > = t + 1 2 & 9 x + 5 0 y + 9 0 0 t > = 2 1 0 0 0 & y +9 t > = 6 0 & y > = 0 & alp h a > = 2 0 & t > = 0| alp h a > = t + 1 2 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & y > = 0 & t > = 0 & t < = 8 & y < = 9 0Iteratio n : 6Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo wer.erro r t < = alp h a & y > = 0 & x > = 0 & alp h a > = 2 0 & x + 5 0 t > = 1 0 0 0 & x + 3 0 t < = 1 0 0 0 & y < = 9 0L o catio n : n ear.ab o u t_ to _ lo wer.clo sed y = 0 & alp h a > = 2 0 & x + 5 0 t > = 1 0 0 0 & x > = 0 & t < = alp h a & x + 3 0 t < = 1 0 0 0L o catio n : n ear.ab o u t_ to _ lo wer.u p x = 1 0 0 0 & y = 9 0 & t = 0 & alp h a > = 2 2L o catio n : far.id le.u p t < = alp h a & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & y > = 0 & t > = 0 & y < = 9 0 & x > = 1 0 0 0| alp h a > = 1 2 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & t > = 0 & y > = 0 & t < = alp h a & y < = 9 0 & x > = 1 0 0 0Iteratio n : 7Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo wer.erro r t < = alp h a & y > = 0 & 5 0 t > = x + 1 0 0 0 & x > = 0 & 3 0 t < = x + 1 0 0 0 & y < = 9 0 & x < = 1 0 0L o catio n : p ast.ab o u t_ to _ lo wer.clo sed y = 0 & t < = alp h a & x > = 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0 & 1 5 0 t > = 3 x + 3 0 0 0L o catio n : n ear.ab o u t_ to _ lo wer.u p y + 9 alp h a > = 9 t + 1 8 0 & y < = 9 0 & x + 3 0 t < = 1 0 0 0 & x + 5 0 t > = 1 0 0 0 & 9 t < = y| y < = 9 0 & x + 3 0 t < = 1 0 0 0 & alp h a > = 1 2 & x + 5 0 t > = 1 0 0 0 & y + 9 alp h a > = 9 t + 1 8 0 & 9 t < = yL o catio n : n ear.id le.clo sed y = 0 & x > = 0 & x + 3 0 t < = 1 0 0 0 & t < = alp h a & 3 alp h a > = 6 0 & 3 t > = 0Iteratio n : 8Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.id le.clo sed y = 0 & t < = alp h a & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0 & x > = 0 & 3 t > = 6 0| y = 0 & t < = alp h a & alp h a > = 2 0 & x > = 0 & x < = 1 0 0 & t > = 0 & 3 t < = 1 0 0L o catio n : n ear.id le.d o wn y > = 0 & t > = 0 & 3 x + 1 8 0 t < = 1 0 y + 3 0 0 0 & x + 3 0 t < = 1 0 0 0 & 3 x + 1 8 0 t < = 1 0 y + 9 0 alp h a + 1 2 0 0 & t < = 1 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & alp h a > = t + 1 0 & y < = 9 0| y > = 0 & 3 x + 1 8 0 t < = 1 0 y + 9 0 alp h a + 1 2 0 0 & t > = 0 & x + 3 0 t < = 1 0 0 0 & 3 x + 1 8 0 t < = 1 0 y + 3 0 0 0 & t < = 1 0 & y < = 9 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & alp h a > = t + 1 0 & alp h a > = 1 2Iteratio n : 9Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.id le.clo sed y = 0 & t > = 0 & alp h a > = t + 1 0 & x + 6 0 t < = 3 0 alp h a + 4 0 0 & t < = 1 0 & x + 6 0 t < = 1 0 0 0 & x > = 0| y = 0 & x + 6 0 t < = 3 0 alp h a + 4 0 0 & t > = 0 & alp h a > = 1 2 & x + 6 0 t < = 1 0 0 0 & alp h a > = t + 1 0 & x> = 0 & t < = 1 0Nu mb er o f iteratio n s req u ired fo r reach ab ility : 1 0 C o n d itio n s u n d er wh ich sy stem v io lates safety req u iremen t 5 alp h a > = 4 9 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =Max memo ry u sed = 1 0 7 2 k ilo b y tes = 1 .0 5 MB T ime sp en t = 0 .2 6 u + 0 .0 4 s = 0 .3 0 sec to tal= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =H y T ech : sy m b o lic m o d el ch eck er fo r em b ed d ed sy stem sV ersio n 1 .0 4 1 0 /1 5 /9 6F o r m o re in fo : em ail: h y tech @eecs.b erk eley.ed u h ttp ://w w w .eecs.b erk eley.ed u /~ tah /H y T ech= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = S ettin g o u tp u t lev el to 1C h eck in g au to m ato n g ate WA R N IN G : lo cn erro r o f au to m ato n g ate h as n o o u tg o in g tran sitio n sC h eck in g au to m ato n co n tro llerC h eck in g au to m ato n trainC o m p o sin g au to m ata * *Iteratio n : 0U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : far.id le.o p en y = 9 0 & x > = 1 0 0 0Iteratio n : 1U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo w er.o p en y = 9 0 & t < = alp h a & x + 3 0 t < = 1 0 0 0 & x + 5 0 t > = 1 0 0 0 & x > = 0Iteratio n : 2U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo w er.o p en y = 9 0 & t < = alp h a & x > = 0 & 5 0 t > = x + 1 0 0 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0L o catio n : n ear.ab o u t_ to _ lo w er.erro r y = 9 0 & t < = alp h a & x < = 1 0 & x + 5 0 t > = 1 0 0 0 & x > = 0 & x + 3 0 t < = 1 0 0 0L o catio n : n ear.id le.d o w n t < = alp h a & x > = 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & y < = 9 0 & 3 x + 9 0 t < = 1 0 y + 2 1 0 0 & y > = 0 & t > = 0Iteratio n : 3U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo w er.erro r y = 9 0 & t < = alp h a & x > = 0 & 5 0 t > = x + 1 0 0 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0L o catio n : p ast.id le.d o w n t < = alp h a & x < = 1 0 0 & 4 5 0 t > = 9 x + 5 0 y + 4 5 0 0 & y < = 9 0 & t > = 2 0 & 3 x + 1 0 y > = 9 0 0 & 9 0 t < = 3 x +1 0 y + 2 1 0 0| t < = alp h a & y > = 0 & x > = 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & 9 x + 5 0 y < = 4 5 0 0 & 3 t < = 1 0 0 & 4 5 0 t > = 9 x +5 0 y + 4 5 0 0 & x < = 1 0 0L o catio n : n ear.id le.erro r t < = alp h a & y < = 9 0 & x > = 0 & 3 x + 9 0 t < = 1 0 y + 2 1 0 0 & 4 5 t > = 5 y + 4 4 1 & x < = 1 0 & y > = 0L o catio n : n ear.id le.clo sed y = 0 & t < = alp h a & t > = 0 & x > = 0 & x + 3 0 t < = 7 0 0L o catio n : far.ab o u t_ to _ raise.o p en y = 9 0 & x > = 1 0 0 0 & alp h a > = 2 2 & x + 5 0 t > = 2 0 0 0 & t > = 0 & t < = alp h aIteratio n : 4U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.id le.erro r t < = alp h a & y > = 8 7 & 9 t < = y + 2 1 3 & 3 x + 1 0 y > = 9 0 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & x < = 1 0 0 & 3 t > =6 0 & y < = 9 0| t < = alp h a & 9 t > = y + 9 0 & x > = 0 & y < = 9 0 & y > = 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & x < = 1 0 0 & 9 t < = y +2 1 3 & 3 t < = 1 0 0| t < = alp h a & 9 t < = y + 2 1 0 & y < = 9 0 & x > = 0 & 4 5 t > = 5 y + 4 4 1 & y > = 0 & x < = 1 0 0L o catio n : p ast.id le.clo sed y = 0 & t < = alp h a & 3 0 t < = x + 7 0 0 & x < = 1 0 0 & x > = 0 & 3 t > = 3 0| y = 0 & t < = alp h a & t > = 0 & x > = 0 & 3 t < = 7 0 & x < = 1 0 0L o catio n : far.ab o u t_ to _ raise.erro r y = 9 0 & x > = 1 0 0 0 & alp h a > = 2 2 & x + 5 0 t > = 2 0 0 0 & t > = 0 & t < = alp h aL o catio n : far.ab o u t_ to _ raise.d o w n x + 5 0 t > = 2 0 0 0 & 9 alp h a > = y + 9 t + 1 0 8 & t > = 0 & y + 9 t < = 9 0 & alp h a > = 2 0 & y > = 0 & y + 9 t > = 6 0| x + 5 0 t > = 2 0 0 0 & 9 alp h a > = y + 9 t + 1 0 8 & y > = 0 & t > = 0 & y + 9 t < = 7 2Iteratio n : 5U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo w er.erro r y = 9 0 & alp h a > = 2 2 & x > = 0 & x + 5 0 t > = 1 0 0 0 & x + 3 0 t < = 1 0 0 0 & t < = alp h aL o catio n : far.ab o u t_ to _ raise.erro r x + 5 0 t > = 2 0 0 0 & y < = 9 0 & t > = 0 & 4 5 alp h a > = 5 y + 4 4 1 & 5 t < = 5 alp h a & y > = 0 & x > = 1 0 0 0L o catio n : far.ab o u t_ to _ raise.clo sed y = 0 & t < = alp h a & x + 5 0 t > = 2 0 0 0 & t > = 0 & x > = 1 0 0 0| y = 0 & alp h a > = 1 2 & t > = 0 & x + 5 0 t > = 2 0 0 0 & t < = alp h a & x > = 1 0 0 0L o catio n : far.id le.u p y < = 9 0 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & t < = 1 0 & alp h a > = t + 1 2 & 9 x + 5 0 y + 9 0 0 t > = 2 1 0 0 0 & y + 9 t > =6 0 & y > = 0 & alp h a > = 2 0 & t > = 0| alp h a > = t + 1 2 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & y > = 0 & t > = 0 & t < = 8 & y < = 9 0Iteratio n : 6U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo w er.erro r t < = alp h a & y > = 0 & x > = 0 & alp h a > = 2 0 & x + 5 0 t > = 1 0 0 0 & x + 3 0 t < = 1 0 0 0 & y < = 9 0L o catio n : n ear.ab o u t_ to _ lo w er.clo sed y = 0 & alp h a > = 2 0 & x + 5 0 t > = 1 0 0 0 & x > = 0 & t < = alp h a & x + 3 0 t < = 1 0 0 0L o catio n : n ear.ab o u t_ to _ lo w er.u p x = 1 0 0 0 & y = 9 0 & t = 0 & alp h a > = 2 2L o catio n : far.id le.u p t < = alp h a & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & y > = 0 & t > = 0 & y < = 9 0 & x > = 1 0 0 0| alp h a > = 1 2 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & t > = 0 & y > = 0 & t < = alp h a & y < = 9 0 & x > = 1 0 0 0Iteratio n : 7U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo w er.erro r t < = alp h a & y > = 0 & 5 0 t > = x + 1 0 0 0 & x > = 0 & 3 0 t < = x + 1 0 0 0 & y < = 9 0 & x < = 1 0 0L o catio n : p ast.ab o u t_ to _ lo w er.clo sed y = 0 & t < = alp h a & x > = 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0 & 1 5 0 t > = 3 x + 3 0 0 0L o catio n : n ear.ab o u t_ to _ lo w er.u p y + 9 alp h a > = 9 t + 1 8 0 & y < = 9 0 & x + 3 0 t < = 1 0 0 0 & x + 5 0 t > = 1 0 0 0 & 9 t < = y| y < = 9 0 & x + 3 0 t < = 1 0 0 0 & alp h a > = 1 2 & x + 5 0 t > = 1 0 0 0 & y + 9 alp h a > = 9 t + 1 8 0 & 9 t < = yL o catio n : n ear.id le.clo sed y = 0 & x > = 0 & x + 3 0 t < = 1 0 0 0 & t < = alp h a & 3 alp h a > = 6 0 & 3 t > = 0Iteratio n : 8U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.id le.clo sed y = 0 & t < = alp h a & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0 & x > = 0 & 3 t > = 6 0| y = 0 & t < = alp h a & alp h a > = 2 0 & x > = 0 & x < = 1 0 0 & t > = 0 & 3 t < = 1 0 0L o catio n : n ear.id le.d o w n y > = 0 & t > = 0 & 3 x + 1 8 0 t < = 1 0 y + 3 0 0 0 & x + 3 0 t < = 1 0 0 0 & 3 x + 1 8 0 t < = 1 0 y + 9 0 alp h a + 1 2 0 0 & t < =1 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & alp h a > = t + 1 0 & y < = 9 0| y > = 0 & 3 x + 1 8 0 t < = 1 0 y + 9 0 alp h a + 1 2 0 0 & t > = 0 & x + 3 0 t < = 1 0 0 0 & 3 x + 1 8 0 t < = 1 0 y + 3 0 0 0 & t < =1 0 & y < = 9 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & alp h a > = t + 1 0 & alp h a > = 1 2Iteratio n : 9U sin g th is n ew ly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.id le.clo sed y = 0 & t > = 0 & alp h a > = t + 1 0 & x + 6 0 t < = 3 0 alp h a + 4 0 0 & t < = 1 0 & x + 6 0 t < = 1 0 0 0 & x > = 0| y = 0 & x + 6 0 t < = 3 0 alp h a + 4 0 0 & t > = 0 & alp h a > = 1 2 & x + 6 0 t < = 1 0 0 0 & alp h a > = t + 1 0 & x > = 0 &t < = 1 0N u m b er o f iteratio n s req u ired fo r reach ab ility : 1 0 C o n d itio n s u n d er w h ich sy stem v io lates safety req u irem en t 5 alp h a > = 4 9 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =Max m em o ry u sed = 1 0 7 2 k ilo b y tes = 1 .0 5 MB T im e sp en t = 0 .2 6 u + 0 .0 4 s = 0 .3 0 sec to tal= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

The Result

hytech-out.cgi

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =Hy T ech : sy mb o lic mo d el ch eck er fo r emb ed d ed sy stemsVersio n 1 .0 4 1 0 /1 5 /9 6F o r mo re in fo : email: h y tech @eecs.b erk eley.ed u h ttp ://www.eecs.b erk eley.ed u /~ tah /Hy T ech= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = S ettin g o u tp u t lev el to 1C h eck in g au to mato n g ate WAR NING: lo cn erro r o f au to mato n g ate h as n o o u tg o in g tran sitio n sC h eck in g au to mato n co n tro llerC h eck in g au to mato n trainC o mp o sin g au to mata * *Iteratio n : 0Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : far.id le.o p en y = 9 0 & x > = 1 0 0 0Iteratio n : 1Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo wer.o p en y = 9 0 & t < = alp h a & x + 3 0 t < = 1 0 0 0 & x + 5 0 t > = 1 0 0 0 & x > = 0Iteratio n : 2Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo wer.o p en y = 9 0 & t < = alp h a & x > = 0 & 5 0 t > = x + 1 0 0 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0L o catio n : n ear.ab o u t_ to _ lo wer.erro r y = 9 0 & t < = alp h a & x < = 1 0 & x + 5 0 t > = 1 0 0 0 & x > = 0 & x + 3 0 t < = 1 0 0 0L o catio n : n ear.id le.d o wn t < = alp h a & x > = 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & y < = 9 0 & 3 x + 9 0 t < = 1 0 y + 2 1 0 0 & y > = 0 & t> = 0Iteratio n : 3Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo wer.erro r y = 9 0 & t < = alp h a & x > = 0 & 5 0 t > = x + 1 0 0 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0L o catio n : p ast.id le.d o wn t < = alp h a & x < = 1 0 0 & 4 5 0 t > = 9 x + 5 0 y + 4 5 0 0 & y < = 9 0 & t > = 2 0 & 3 x + 1 0 y > = 9 0 0 & 9 0 t< = 3 x + 1 0 y + 2 1 0 0| t < = alp h a & y > = 0 & x > = 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & 9 x + 5 0 y < = 4 5 0 0 & 3 t < = 1 0 0 & 4 5 0 t> = 9 x + 5 0 y + 4 5 0 0 & x < = 1 0 0L o catio n : n ear.id le.erro r t < = alp h a & y < = 9 0 & x > = 0 & 3 x + 9 0 t < = 1 0 y + 2 1 0 0 & 4 5 t > = 5 y + 4 4 1 & x < = 1 0 & y > = 0L o catio n : n ear.id le.clo sed y = 0 & t < = alp h a & t > = 0 & x > = 0 & x + 3 0 t < = 7 0 0L o catio n : far.ab o u t_ to _ raise.o p en y = 9 0 & x > = 1 0 0 0 & alp h a > = 2 2 & x + 5 0 t > = 2 0 0 0 & t > = 0 & t < = alp h aIteratio n : 4Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.id le.erro r t < = alp h a & y > = 8 7 & 9 t < = y + 2 1 3 & 3 x + 1 0 y > = 9 0 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & x < = 1 0 0 &3 t > = 6 0 & y < = 9 0| t < = alp h a & 9 t > = y + 9 0 & x > = 0 & y < = 9 0 & y > = 0 & 9 0 t < = 3 x + 1 0 y + 2 1 0 0 & x < = 1 0 0 & 9 t< = y + 2 1 3 & 3 t < = 1 0 0| t < = alp h a & 9 t < = y + 2 1 0 & y < = 9 0 & x > = 0 & 4 5 t > = 5 y + 4 4 1 & y > = 0 & x < = 1 0 0L o catio n : p ast.id le.clo sed y = 0 & t < = alp h a & 3 0 t < = x + 7 0 0 & x < = 1 0 0 & x > = 0 & 3 t > = 3 0| y = 0 & t < = alp h a & t > = 0 & x > = 0 & 3 t < = 7 0 & x < = 1 0 0L o catio n : far.ab o u t_ to _ raise.erro r y = 9 0 & x > = 1 0 0 0 & alp h a > = 2 2 & x + 5 0 t > = 2 0 0 0 & t > = 0 & t < = alp h aL o catio n : far.ab o u t_ to _ raise.d o wn x + 5 0 t > = 2 0 0 0 & 9 alp h a > = y + 9 t + 1 0 8 & t > = 0 & y + 9 t < = 9 0 & alp h a > = 2 0 & y > = 0 & y + 9 t> = 6 0| x + 5 0 t > = 2 0 0 0 & 9 alp h a > = y + 9 t + 1 0 8 & y > = 0 & t > = 0 & y + 9 t < = 7 2Iteratio n : 5Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo wer.erro r y = 9 0 & alp h a > = 2 2 & x > = 0 & x + 5 0 t > = 1 0 0 0 & x + 3 0 t < = 1 0 0 0 & t < = alp h aL o catio n : far.ab o u t_ to _ raise.erro r x + 5 0 t > = 2 0 0 0 & y < = 9 0 & t > = 0 & 4 5 alp h a > = 5 y + 4 4 1 & 5 t < = 5 alp h a & y > = 0 & x > = 1 0 0 0L o catio n : far.ab o u t_ to _ raise.clo sed y = 0 & t < = alp h a & x + 5 0 t > = 2 0 0 0 & t > = 0 & x > = 1 0 0 0| y = 0 & alp h a > = 1 2 & t > = 0 & x + 5 0 t > = 2 0 0 0 & t < = alp h a & x > = 1 0 0 0L o catio n : far.id le.u p y < = 9 0 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & t < = 1 0 & alp h a > = t + 1 2 & 9 x + 5 0 y + 9 0 0 t > = 2 1 0 0 0 & y +9 t > = 6 0 & y > = 0 & alp h a > = 2 0 & t > = 0| alp h a > = t + 1 2 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & y > = 0 & t > = 0 & t < = 8 & y < = 9 0Iteratio n : 6Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.ab o u t_ to _ lo wer.erro r t < = alp h a & y > = 0 & x > = 0 & alp h a > = 2 0 & x + 5 0 t > = 1 0 0 0 & x + 3 0 t < = 1 0 0 0 & y < = 9 0L o catio n : n ear.ab o u t_ to _ lo wer.clo sed y = 0 & alp h a > = 2 0 & x + 5 0 t > = 1 0 0 0 & x > = 0 & t < = alp h a & x + 3 0 t < = 1 0 0 0L o catio n : n ear.ab o u t_ to _ lo wer.u p x = 1 0 0 0 & y = 9 0 & t = 0 & alp h a > = 2 2L o catio n : far.id le.u p t < = alp h a & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & y > = 0 & t > = 0 & y < = 9 0 & x > = 1 0 0 0| alp h a > = 1 2 & 9 x + 5 0 y + 4 5 0 t > = 1 8 0 0 0 & t > = 0 & y > = 0 & t < = alp h a & y < = 9 0 & x > = 1 0 0 0Iteratio n : 7Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.ab o u t_ to _ lo wer.erro r t < = alp h a & y > = 0 & 5 0 t > = x + 1 0 0 0 & x > = 0 & 3 0 t < = x + 1 0 0 0 & y < = 9 0 & x < = 1 0 0L o catio n : p ast.ab o u t_ to _ lo wer.clo sed y = 0 & t < = alp h a & x > = 0 & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0 & 1 5 0 t > = 3 x + 3 0 0 0L o catio n : n ear.ab o u t_ to _ lo wer.u p y + 9 alp h a > = 9 t + 1 8 0 & y < = 9 0 & x + 3 0 t < = 1 0 0 0 & x + 5 0 t > = 1 0 0 0 & 9 t < = y| y < = 9 0 & x + 3 0 t < = 1 0 0 0 & alp h a > = 1 2 & x + 5 0 t > = 1 0 0 0 & y + 9 alp h a > = 9 t + 1 8 0 & 9 t < = yL o catio n : n ear.id le.clo sed y = 0 & x > = 0 & x + 3 0 t < = 1 0 0 0 & t < = alp h a & 3 alp h a > = 6 0 & 3 t > = 0Iteratio n : 8Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : p ast.id le.clo sed y = 0 & t < = alp h a & 3 0 t < = x + 1 0 0 0 & x < = 1 0 0 & x > = 0 & 3 t > = 6 0| y = 0 & t < = alp h a & alp h a > = 2 0 & x > = 0 & x < = 1 0 0 & t > = 0 & 3 t < = 1 0 0L o catio n : n ear.id le.d o wn y > = 0 & t > = 0 & 3 x + 1 8 0 t < = 1 0 y + 3 0 0 0 & x + 3 0 t < = 1 0 0 0 & 3 x + 1 8 0 t < = 1 0 y + 9 0 alp h a + 1 2 0 0 & t < = 1 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & alp h a > = t + 1 0 & y < = 9 0| y > = 0 & 3 x + 1 8 0 t < = 1 0 y + 9 0 alp h a + 1 2 0 0 & t > = 0 & x + 3 0 t < = 1 0 0 0 & 3 x + 1 8 0 t < = 1 0 y + 3 0 0 0 & t < = 1 0 & y < = 9 0 & 9 x + 4 5 0 t > = 5 0 y + 4 5 0 0 & alp h a > = t + 1 0 & alp h a > = 1 2Iteratio n : 9Usin g th is n ewly reach ed list = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =L o catio n : n ear.id le.clo sed y = 0 & t > = 0 & alp h a > = t + 1 0 & x + 6 0 t < = 3 0 alp h a + 4 0 0 & t < = 1 0 & x + 6 0 t < = 1 0 0 0 & x > = 0| y = 0 & x + 6 0 t < = 3 0 alp h a + 4 0 0 & t > = 0 & alp h a > = 1 2 & x + 6 0 t < = 1 0 0 0 & alp h a > = t + 1 0 & x> = 0 & t < = 1 0Nu mb er o f iteratio n s req u ired fo r reach ab ility : 1 0 C o n d itio n s u n d er wh ich sy stem v io lates safety req u iremen t 5 alp h a > = 4 9 = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =Max memo ry u sed = 1 0 7 2 k ilo b y tes = 1 .0 5 MB T ime sp en t = 0 .2 6 u + 0 .0 4 s = 0 .3 0 sec to tal= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Applications of HyTech and Derivations: polyhedral overapproximation of dynamics

-automotive engine control [Wong-Toi et al.] -chemical plant control [Preussig et al.] -flight control [Honeywell; Rockwell-Collins]

-air traffic control [Tomlin et al.] -robot control [Corbett et al.]

Successor Tools:

1. More expressive region algebras, e.g. FO(R,,+,) still permits quantifier elimination [Pappas et al.]

2. More robust approximations, e.g. ellipsoid instead of polyhedral regions [Varaiya et al.]

3. Abstract region operations, e.g. interval numerical methods [HyperTech]; also [Krogh et al.][Maler et al.]

Symbolic Semi-Algorithms

Starting from the observations in A, compute new regions in by applying the operations pre, post, Å , \ , and .

Termination?

Four Verification Questions

V1: Reachability bIs an invariant always true? unsafe



V2: Repeated Reachability b Linear temporal logic (LTL)

Liveness unfair




Liveness unfair

V3: Nested Reachability (b b1 b2)Half branching temporal logic (CTL, CTL)




Liveness unfair

V3: Nested Reachability (b b1 b2)Half branching temporal logic (CTL, CTL)

V4: Negated Reachability (b c)Full branching temporal logic (CTL)

Nonzenoness (tick tick)

V1: Symbolic Reachability

a b

Given a,bA, is there a trajectory from a to b?

ab

initial states unsafe states


a b


ab

pre(b) = pre(b,)

b [ pre(b)


a b


abb

[ pre(b)

b [ pre(b) [ pre2(b)


a b


ab

. . .

bb

[ pre(b)


a


a b


b

. . .

bb

[ pre(b)


a


a b


b

. . .

b

1. pre, [ , 2. Å a

b [ pre(b)


V2: Symbolic Repeated Reachability

a b

Given a,bA, is there an infinite trajectory from a that visits b infinitely often?

b

a


a b


b

a

R1 = pre(b)

. . .pre(b)

pre(b) [ pre2(b)


a b


b

a

R1 = pre(b)


a b


b

a R2 = pre(bR1)

R1 = pre(b)


a b


b

a R2 = pre(bR1)

R1 = pre(b)

R3 = pre(bR2)


a b


b

a

... b


a b


b

a

... b


a b


b

a

... b

1. pre, [ , 2. Å a, Å b

V3: Symbolic Nested Reachability

a (b b1 b2)

b1

b2

b

a


a (b b1 b2)

b1

b2

b1

b

a


a (b b1 b2)

b1

b2

b1

b2

b

a


a (b b1 b2)

b1

b2

b1

b2

b

a


a (b b1 b2)

b1

b2

b1

b2

b

a

(b b1 b2)


a (b b1 b2)

b1

b2

b1

b2

b

a

(b b1 b2)


a (b b1 b2)

b1

b2

b1

b2

b

a

(b b1 b2)

1. pre, [ , 2. Å

V4: Symbolic Negated Reachability

a (b c)

Given a,b,cA, can every trajectory from a to b be extended to c?

ab

c


a (b c)


ab

c

c


a (b c)


ab

c

c

b c


a (b c)


ab

c

c

(b c)


a (b c)


ab

c

c

(b c)

a (b c)


a (b c)


ab

c

c

(b c)

1. pre, [ , 2. Å 3. \

Four Symbolic Semi-Algorithms

A1: Close A under pre

0 := A for i=1,2,3,… do i := i-1 [ { pre(R) | Ri }

[ { R1 Å R2 | R1,R2i } [ { R1\ R2 | R1,R2i }

until i = i-1



A2: Close A under pre, Å a


[ { R Å a | Ri Æ a2A} [ { R1\ R2 | until i = i-1




A3: Close A under pre, Å


[ { R1 Å R2 | R1,R2i } [ { R1\ R2 | R1,R2i }

until i = i-1





A4: Close A under pre, Å , \


[ { R1 Å R2 | R1,R2i } [ { R1\ R2 | R1,R2i }

until i = i-1





A4: Close A under pre, Å , \

Ak terminates (1 k 4) symbolic model checking of Vk

terminates.

Four State Equivalences

E1: Reach Equivalence

q1 1 q2 iff if aA can be reached from q1 in d steps, then a can be reached from q2 in d steps, and vice versa.



E2: Trace Equivalence

q1 2 q2 iff if every finite trace from q1 is a

finite trace from q2, and vice versa.

a

a

b

b

a

a

b

b

a

a

a

a

b

b

a

a

b

b

a

a 1

a

a

b

b

a

a

b

b

a

a 1

2

a

a

b

b

a

a

b

b

a

a 1

2

pre(a Å pre(a))




E3: Similarity q1 3 q2 iff if q1 simulates q2,

and vice versa.

q1 is simulated by q2

iff

there is a simulation relation S such that

1. S(q1,q2)

2. if S(p,q) then

a. (8 a2A) (p2 a iff q2 a)

b. (8 p') ( if p2 pre(p') then (9 q') (q2 pre(q') Æ S(p',q')))

a

b

a

b

a

a

a

a

b

a

a

a

b

a

b

a

a

a

a

b

a 2

a

a

b

a

b

a

a

a

a

b

a 2

3

a

a

b

a

b

a

a

a

a

b

a 2

3

a

pre(pre(a) Å pre(b))




E3: Similarity

E4: Bisimilarity

q1 4 q2 iff if q1 simulates q2 via a symmetric simulation relation (this is called a bisimulation relation).

a

b

a

b

a

a

a b

a

a

a

b

a

b

a

a

a b

a 3

a

a

b

a

b

a

a

a b

a 3

4

a

a

b

a

b

a

a

a b

a 3

4

a

: pre(: pre(a))

Specification Logics:

V1 Reachability (Safety)V2 Linear Temporal Logic (Liveness) V3 Existential/Universal Branching Temporal

Logic V4 Branching Temporal Logic (Nonzenoness)

State Equivalences:

E1 Reach EquivalenceE2 Trace EquivalenceE3 SimilarityE4 Bisimilarity

Symbolic Semi-Algorithms:

A1 Closure under preA2 Closure under pre, Å a

A3 Closure under pre, ÅA4 Closure under pre, Å , \

Ak Vk

Ek

model checks

induces

Symbolic Semi-

Algorithm

State Equivalence

k = 1,2,3,4

Specification Logic

computes

Ak Vk

Ek

model checks

induces

Symbolic Semi-

Algorithm

State Equivalence

k = 1,2,3,4

q1 k q2 iff for all formulas of Vk, q1 ² iff q2 ² If Ek has finite index, then Vk can be model-checked on finite quotient.

Specification Logic

computes

Ak Vk

Ek

model checks

induces

Symbolic Semi-

Algorithm

State Equivalence

k = 1,2,3,4


All regions definable by formulas of Vk are generated by Ak.

Ak terminates iff symbolic model checking terminates for all formulas of Vk.

Specification Logic

computes

Ak Vk

Ek

model checks

computes induces

Symbolic Semi-

Algorithm

State Equivalence

k = 1,2,3,4

q1 k q2 iff for all regions R computed by Ak, q1R iff q2RAk terminates iff Ek has finite index.


All regions definable by formulas of Vk are generated by Ak.

Ak terminates iff symbolic model checking terminates for all formulas of Vk.

Specification Logic

Four Classes of Symbolic Transition Systems

STS1: pre closure terminates Finite reach equiv Safety () decidable

Well-structured transition systems of Abdulla, Finkel et al.

STS2: (pre, Å a) closure terminates Finite trace equiv Liveness (LTL) decidable

Initialized rectangular hybrid automata

STS3: (pre, Å ) closure terminates Finite similarity Existential/universal branching (CTL, CTL) decidable

2D initialized rectangular hybrid automata

STS4: (pre, Å , \ ) closure terminates Finite bisimilarity Nonzenoness (CTL) decidable

Initialized singular (e.g. timed) hybrid automata

Four Classes of Symbolic Transition Systems

STS1: pre closure terminates Finite reach equiv Safety () decidable

Well-structured transition systems of Abdulla, Finkel et al.

STS2: (pre, Å a) closure terminates Finite trace equiv Liveness (LTL) decidable

Initialized rectangular hybrid automata

STS3: (pre, Å ) closure terminates Finite similarity Existential/universal branching (CTL, CTL) decidable

2D initialized rectangular hybrid automata

STS4: (pre, Å , \ ) closure terminates Finite bisimilarity Nonzenoness (CTL) decidable

Initialized singular hybrid automata

Example: Singular Hybrid Automata

Q = Bm Rn

Invariants and guards: integral bounds, e.g. x1 < 7 1

x2 2

Flows: constant slopes, e.g. x'1 = 1; x'2 = 2 Jumps: integral assignments, e.g. x1 := 0; x2 := 5A = { xi = c, c < xi < c+1 | 1 i n, c N, c < cmax }

(cmax,cmax)

(0,0) x1

x2

(cmax,cmax)

(0,0) x1

x2

3<x1<4 x2=4

x1=3 x2=3

1<x1<2 2<x2<3

Example: Singular Hybrid Automata

Q = Bm Rn


x2 2

Flows: constant slopes, e.g. x'1 = 1; x'2 = 2 Jumps: integral assignments, e.g. x1 := 0; x2 := 5A = { xi = c, c < xi < c+1 | 1 i n, c N, c < cmax }

Initialized: assignment when slope changes.

Special Case: Timed Automata

Q = Bm Rn


x2 2

Flows: clocks, e.g. x'1 = 1; x'2 = 1 Jumps: integral assignments, e.g. x1 := 0; x2 := 5A = { xi = c, c < xi < c+1 | 1 i n, c N, c < cmax }

Always initialized.

f: x1' = 1; x2' = 1 j1: x1 := 0 j2: x2 := 0f

j2j1

f: x1' = 1; x2' = 1 j1: x1 := 0 j2: x2 := 0f

j2j1

f: x1' = 1; x2' = 1 j1: x1 := 0 j2: x2 := 0f

j2j1

f: x1' = 1; x2' = 1 j1: x1 := 0 j2: x2 := 0f

j2j1

pre(R,f)

R

f: x1' = 1; x2' = 1 j1: x1 := 0 j2: x2 := 0f

j2j1

(cmax,cmax)

(0,0) x1

x2

f: x1' = 1; x2' = 1 j1: x1 := 0 j2: x2 := 0f

j2j1

Finite bisimulation.

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1

pre(R,f)

R

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1

pre(R',j2)

R'

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1 R"

pre(R",j)

(cmax,cmax)

(0,0) x1

x2

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0

j2j1

Finite bisimulation.

f

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1

Observation, invariant, or guard:

x1>x2

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1


x1>x2

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1


x1>x2

R

pre(R,f)

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1


x1>x2

R'

pre(R,j2)

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1


x1>x2

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1


x1>x2

f: x1' = 1; x2' = 2 j1: x1 := 0 j2: x2 := 0f

j2j1

Infinite bisimulation.


x1>x2

Example: Rectangular Hybrid Automata

Q = Bm Rn


x2 2

Flows: bounded slopes, e.g. x'1 [1,2]; x'2 = 1 Jumps: integral assignments, e.g. x1 := 0; x2 := 5A = { xi = c, c < xi < c+1 | 1 i n, c N, c < cmax }

Initialized: assignment when slope bounds change.

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

pre(R,f)

R

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

pre(R',f)R'

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

j2j1

R" pre(R",j1)

f

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

j2j1

f

R3

pre(R3,j2)

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

j2j1

f

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

j2j1

f

Infinite bisimulation.

j2j1

pre(R,f)

R

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

pre(R,f)

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

j2j1

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

j2j1

f

(cmax,cmax)

(0,0) x1

x2

j2j1

Finite simulation.

f: x1'[1,2]; x2'[1,2] j1: x1 := 0 j2: x2 := 0

f

Summary

1. Separate local (region algebra) from global (symbolic semi-algorithms) concerns

2. Appeal to quantifier elimination for the computability of region operations

(e.g. polyhedral hybrid systems)

3. Appeal to finite abstractions for the termination of symbolic semi-algorithms (e.g. rectangular hybrid systems)

Documents

Tom Henzinger University of California, Berkeley