Weak Singular Hybrid Automata - Umang Mathurumathur3.web.engr.illinois.edu/documents/slides/WSHA-presentation.pdfWeak Singular Hybrid Automata Formal Modeling and Veri cation for Cyber-Physical

Krishna S., Umang Mathur, Ashutosh Trivedi – 1 of 28

Weak Singular Hybrid AutomataFormal Modeling and Verification for Cyber-Physical Systems

Krishna S. Umang Mathur Ashutosh Trivedi

Department of Computer Science and Engineering

IIT Bombay, Mumbai, India

January 18, 2014


Cyber-Physical Systems (CPS)

Medical Devices Avionics

EnergyAutomobile


Verification/Synthesis with Hybrid Automata

– Introduced by Alur et al. to model hybrid systems

– Dynamics of physical variables are gives as ordinary differential equations

– Quite expressive, but undecidable verification (reachability) problems

– Decidable subclasses exists, e.g.– Initialized Rectangular Hybrid automata (Henzinger et al.),– Hybrid Automata with Strong Resets (Bouyer et al.),– Piecewise constant derivative systems (Asarin, Maler, and Pnueli),– Multi-Mode Systems (Alur, Trivedi, Wojtczak)

– Tool support: HyTECH, PHAVer

x1 = 0x2 = 0m0

x1 = 2x2 = 2m1

1 < x2 < 3

x1 = −2x2 = −2m2

2 ≤ x1 < 6

x1 = −1x2 = −1m3

x1 < 0, a, {x2}

x2 > 0, b x1 < 22, c

d

e

Figure: A Hybrid Automata


Introduction

Green Scheduling

Weak Singular Hybrid AutomataSyntax and SemanticsReachability and SchedulabilityTemporal Logic Model CheckingExtending WSHA

Summary


Peak Demand Reduction in Energy Usage

1. Absence of bulk energy storage technology

2. Base-load vs peaking power plants

3. Energy peaks are expensive:– For environment (peaking power plants are typically

fossil-fueled )– For energy providers– For customers (peak power pricing)

4. Energy peaks are often avoidable:– Extreme weather and energy peaks– Heating, Ventilation, and Air-conditioning (HVAC)

Units

5. Load-balancing methods:– Load shedding– Load shifting– Green scheduling


Green Scheduling

Zones \ HVAC Units Modes HIGH LOW OFFX (Temp. Change Rate/ Energy Usage) -2/3 -1/2 2/0.2Y (Temp. Change Rate/ Energy Usage) -2/3 -1/2 3/0.2

– Assume that comfortable temperature range is 65oF to 70oF .

– Energy is extremely expensive if peak demand dips above 4 units in a billingperiod

Problem

Find an “implementable” switching schedule that keeps the temperatures withincomfort zone and peak usage within 4 units?


Green Scheduling

Zones \ HVAC Units Modes HIGH LOW OFFX (Temp. Change Rate/ Energy Usage) -2/3 -1/2 2/0.2Y (Temp. Change Rate/ Energy Usage) -2/3 -1/2 3/0.2

– Assume that comfortable temperature range is 65oF to 70oF .

– Energy is extremely expensive if peak demand dips above 4 units in a billingperiod

Problem

Find an “implementable” switching schedule that keeps the temperatures withincomfort zone and peak usage within 4 units?


Green Scheduling: Contd

x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe Schedulability Problem

Does there exist a switching schedule using these modes such that the temperaturesof all zones stays in comfortable region?


Multi-mode Systems: Safe Schedulability

x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1) 6670

s2

(m3, 1) 6868

s3

(m4, 1) 6767

s4

(m2, 1) · · ·



x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1)

6670

s2

(m3, 1) 6868

s3

(m4, 1) 6767

s4

(m2, 1) · · ·



x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1) 6670

s2

(m3, 1)

6868

s3

(m4, 1) 6767

s4

(m2, 1) · · ·



x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1) 6670

s2

(m3, 1) 6868

s3

(m4, 1)

6767

s4

(m2, 1) · · ·



x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1) 6670

s2

(m3, 1) 6868

s3

(m4, 1) 6767

s4

(m2, 1) · · ·



x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1) 6670

s2

(m3, 1) 6868

s3

(m4, 1) 6767

s4

(m2, 1) · · ·


Multi-mode Systems: Zeno schedule

x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6868

s1

(m2, 0) 6868

s2

(m3, 0) 6868

s3

(m4, 0) 6868

s4

(m2, 0) · · ·

Zeno Schedule


Multi-mode Systems: Zeno schedule

x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

6868

xy

s0

6767

s1

(m2, 1) 66.568.5

s2

(m3,12) 67

68

s3

(m4,14) 66.875

67.875

s4

(m2,18) · · ·

Zeno Schedule


Definition

Definition (Constant-Rate Multi-Mode Systems: MMS)

A MMS is a tuple H = (M,n,R) where

– M is a finite nonempty set of modes,

– n is the number of continuous variables,

– R : M → Rn gives for each mode the rate vector,

– S ⊆ Rn is a bounded convex set of safe states.

Safe Schedulability Problem

Given a multi-mode system and a starting state, decide whether there exists anon-Zeno safe schedule.

Safe Reachability Problem

Given a multi-mode system, a starting state and a target state, decide whether thereexists a safe schedule from starting state to target state.


Key Results

Theorem (Alur et. al)

Safe schedulability can be solved in polynomial time.

Theorem (Alur et. al)

Safe reachability problem can be solved in polynomial time if both starting andtarget states are in the interior of safety set.

Both the problems essentially boil down to solving a linear program polynomial insize of the inputs.


Safe Schedulability Problem: Geometry

x = −2y = 3

m1

x = −1y = −1

m2

x = −1y = 3

m3

x = 2y = −2

m4

x = 2y = −1

m5

x = 2y = 3

m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

m1

(−2, 3)

m4

(2,−2)

m6

(2, 3)

m2

(−1,−1)

m3

(−1, 3)

m5

(2,−1)



s1

m6m3

m1

m2

m4

m5



s1

m6m3

m1

m2

m4

m5



s1

m6m3

m1

m2

m4

m5



s1

m6m3

m1

m2

m4

m5

s2


Safe Schedulability Problem: Interior Case

Theorem

Assume that the starting state lies in the interior of the safety set.A safe non-Zeno schedule exists if and only if

|M|Xi=1

R(i) · fi = 0

|M|Xi=1

fi = 1.

for some f1, f2, . . . , f|M| ≥ 0.Moreover, such a schedule is periodic.


Reachability Problem: Geometry

s1

m6m3

m1

m2

m4

m5

s5


Reachability Problem: Geometry

s2

m6m3

m1

m2

m4

m5

s3

s1

s5


Safe Reachability Problem

Theorem

Assume that the starting state s0 and the target state st lie in the interior of thesafety set.A safe schedule exists from s0 to st exists if and only if

s0 +

|M|Xi=1

R(i) · ti = st

for some t1, t2, . . . , t|M| ≥ 0.


Thumb Rules: Schedulability

The following is feasible:

|M|Xi=1

R(i) · fi = 0 and

|M|Xi=1

fi = 1

Or, the following in infeasible:

(v1, v2, . . . , vn)·R(i) > 0 for all modes i.

m1

(−2, 3)

m4

(2,−2)

m6

(2, 3)

m2

(−1,−1)

m3

(−1, 3)

m5

(2,−1)


Thumb Rules: Schedulability


|M|Xi=1

R(i) · fi = 0 and

|M|Xi=1

fi = 1

Or, the following in infeasible:

(v1, v2, . . . , vn)·R(i) > 0 for all modes i.

m1

(−2, 3)

m4

(2,−2)

m6

(2, 3)

m3

(−1, 3)

m5

(2,−1)


Thumb Rules: Reachability


s0 +

|M|Xi=1

R(i) · ti = sts0

st

R1

R2


Introduction

Green Scheduling

Weak Singular Hybrid AutomataSyntax and SemanticsReachability and SchedulabilityTemporal Logic Model CheckingExtending WSHA

Summary


Motivation

Weak Singular Hybrid Automata

– Singular hybrid automata with an ordering on the states

– States with same order form a multimode system

– Decidable reachability (NP-complete), schedulability (NP-Complete), and LTLmodel-checking (PSPACE-complete) problems


Syntax of WSHA

A weak singular hybrid automaton is a tuple H = (M,M0,Σ, X,∆, I, F ) where

– M is a finite set of control modes and M0 ⊆M ,

– Σ is a finite set of actions,

– X is an (ordered) set of variables,

– ∆ ⊆M × poly(X)× Σ× 2X ×M is the transition relation,

– I : M → poly(X) is the mode-invariant function, and

– F : M → Q|X| is the mode-dependent flow function characterizing the rate ofeach variable in each mode.

Function % : M → N assigning ranks to the modes such that

– for every transition (m,G, a,R,m′) ∈ ∆, %(m) ≤ %(m′), and

– for every rank i the set of modes with rank i– has a common safety set Si which is a bounded and open polytope (problems

with boundaries)– is strongly connected with no resets or guards


Syntax of WSHA

A weak singular hybrid automaton is a tuple H = (M,M0,Σ, X,∆, I, F ) where

– M is a finite set of control modes and M0 ⊆M ,

– Σ is a finite set of actions,

– X is an (ordered) set of variables,

– ∆ ⊆M × poly(X)× Σ× 2X ×M is the transition relation,

– I : M → poly(X) is the mode-invariant function, and

– F : M → Q|X| is the mode-dependent flow function characterizing the rate ofeach variable in each mode.

Function % : M → N assigning ranks to the modes such that

– for every transition (m,G, a,R,m′) ∈ ∆, %(m) ≤ %(m′), and

– for every rank i the set of modes with rank i– has a common safety set Si which is a bounded and open polytope (problems

with boundaries)– is strongly connected with no resets or guards


Semantics of WSHA

– A configuration (m, ν) and a timed action (t, a)

– A transition ((m, ν)(t, a)(m′, ν′))– time elapse of t in mode m starting from ν, followed by discrete step a– guards, resets, invariants

– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · ·

– Type Γ(r) of a finite run r = 〈(m0, ν0), (t1, a1), (m1, ν1), . . . , (mk, νk)〉 is asequence 〈n0, b1, n1, . . . , bp, np〉 defined as:

Γ(r) =

(〈%(m0)〉 if r = 〈(m0, ν0)〉Γ(r′)⊕ (a, %(m)) if r = r′ :: 〈(t, a), (m, ν)〉,

– Any run (finite/infinite) will only have a finite run type: there are only finitelymany connected components, all sharing a partial order


Semantics of WSHA





Γ(r) =




Semantics of WSHA





Γ(r) =




Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata areNP-complete.

– NP-Membership:– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable

amounts to checking the feasibility of a linear program (νni , ν′ni∈ R|X| and

tmi ∈ R≥0 are variables):

ν0 = νn0

ν′np∈ T

νni , ν′ni

∈ SMnifor all 0 ≤ i ≤ p

νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1)

and 0 < i ≤ pνni+1 (j) = ν′ni

(j) for allxj 6∈ R(bi+1)

and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi

for all 0 ≤ i ≤ ptmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni

ν0 = νn0

νni , ν′ni


νni ∈ G(bi) for all 0 < i ≤ pνni+1 (j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p

νni+1 (j) = ν′ni(j) for all xj 6∈ R(bi+1) and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi for all 0 ≤ i ≤ p

tmi ≥ 0 for all 0 ≤ i ≤ p and m ∈Mni

~0 =X

m∈Mnp

F (m) · tmp

1 =X

m∈Mnp

tmp



Theorem


– NP-Membership:

– All run-types are polynomial in size of the WSHA.– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable



ν0 = νn0

ν′np∈ T

νni , ν′ni





and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi


ν0 = νn0

νni , ν′ni




ν′ni= νni +

Xm∈Mni



~0 =X

m∈Mnp

F (m) · tmp

1 =X

m∈Mnp

tmp



Theorem


– NP-Membership:– All run-types are polynomial in size of the WSHA.

– Checking whether a run type σ = 〈n0, b1, n1, . . . , bp, np〉 is reachable/schedulable



ν0 = νn0

ν′np∈ T

νni , ν′ni





and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi


ν0 = νn0

νni , ν′ni




ν′ni= νni +

Xm∈Mni



~0 =X

m∈Mnp

F (m) · tmp

1 =X

m∈Mnp

tmp



Theorem





ν0 = νn0

ν′np∈ T

νni , ν′ni





and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi


ν0 = νn0

νni , ν′ni




ν′ni= νni +

Xm∈Mni



~0 =X

m∈Mnp

F (m) · tmp

1 =X

m∈Mnp

tmp



Theorem





ν0 = νn0

ν′np∈ T

νni , ν′ni





and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi


ν0 = νn0

νni , ν′ni




ν′ni= νni +

Xm∈Mni



~0 =X

m∈Mnp

F (m) · tmp

1 =X

m∈Mnp

tmp



Theorem





ν0 = νn0

ν′np∈ T

νni , ν′ni





and 0 < i ≤ p

ν′ni= νni +

Xm∈Mni

F (m) · tmi


ν0 = νn0

νni , ν′ni




ν′ni= νni +

Xm∈Mni



~0 =X

m∈Mnp

F (m) · tmp

1 =X

m∈Mnp

tmp


Reachability and Schedulability (contd.)

– NP Hardness:

Reduction from Subset-sum problem (Reachability) .

m0

(1, 1, 2,−3, 0, 0)

m1

(0,−1, 0, 0, 1, 1)

m3

(0, 0,−2, 0, 2, 1)

m5

(0, 0, 0, 3,−3, 1)

m2

(0,−1, 0, 0, 0, 0)

m4

(0, 0,−2, 0, 0, 0)

m6

(0, 0, 0, 3, 0, 0)

Figure: Constructed WSHA for set {1, 2,−3}

– Schedulability: Reachability to the last strongly connected component andmulti-mode scheduling there



– NP Hardness:Reduction from Subset-sum problem (Reachability) .

m0

(1, 1, 2,−3, 0, 0)

m1

(0,−1, 0, 0, 1, 1)

m3

(0, 0,−2, 0, 2, 1)

m5

(0, 0, 0, 3,−3, 1)

m2

(0,−1, 0, 0, 0, 0)

m4

(0, 0,−2, 0, 0, 0)

m6

(0, 0, 0, 3, 0, 0)






m0

(1, 1, 2,−3, 0, 0)

m1

(0,−1, 0, 0, 1, 1)

m3

(0, 0,−2, 0, 2, 1)

m5

(0, 0, 0, 3,−3, 1)

m2

(0,−1, 0, 0, 0, 0)

m4

(0, 0,−2, 0, 0, 0)

m6

(0, 0, 0, 3, 0, 0)






m0

(1, 1, 2,−3, 0, 0)

m1

(0,−1, 0, 0, 1, 1)

m3

(0, 0,−2, 0, 2, 1)

m5

(0, 0, 0, 3,−3, 1)

m2

(0,−1, 0, 0, 0, 0)

m4

(0, 0,−2, 0, 0, 0)

m6

(0, 0, 0, 3, 0, 0)




Temporal Logic Model Checking

LTL Model Checking: Just the best !

Theorem

The LTL model-checking problem for WSHA is PSPACE-complete.

– LTL property φ → Buchi automata A¬φ– Product of a weak SHA H and A¬φ remains WSHA (since variables occur only

in the WSHA).

– Standard polynomial space algorithm can be used.

– PSPACE-hardness of the problem follows from PSPACE-completeness of LTLmodel checking over finite automata

CTL Model Checking: Not so easy !

Theorem

CTL model checking of weak SHAs with two clock variables is PSPACE-hard.

– Polynomial reduction from subset-sum games

– Decidability: still open




Theorem



in the WSHA).




Theorem







Theorem



in the WSHA).




Theorem







Theorem



in the WSHA).




Theorem





WSHAs are JUST Decidable

WSHA is on the forefronts of decidability. Tweaking the model in the hope toimprove expressiveness can lead to undecidability !

Theorem

The reachability problem is undecidable for three variable WSHAs with discreteupdates.

Theorem

The reachability problem is undecidable for CMS with three variables and oneunrestricted clock.




Theorem


Theorem





Theorem


Theorem



Summary and Future Work

– WSHAs as a subclass of Hybrid automata.

– Efficient model : Reachability, Schedulability and LTL Model Checking areDecidable

– Slight extensions can lead to undecidability in results

– Future work– Decidability of CTL Model Checking for this problem is still unsolved– Games on WSHA and restrictions on WSHA– CEGAR framework : Approximate modeling of arbitrary SHA using WSHA.



















Documents

Weak Singular Hybrid Automata - Umang Mathurumathur3.web.engr.illinois.edu/documents/slides/WSHA-presentation.pdfWeak Singular Hybrid Automata Formal Modeling and Veri cation for Cyber-Physical