robustness and implementability of timed automata
DESCRIPTION
Robustness and Implementability of Timed Automata. FORMATS-FTRTFT 2004 – Sep 24 th - Grenoble. Martin De Wulf Laurent Doyen Nicolas Markey Jean-François Raskin. Centre Fédéré en Vérification. Use formal models + Verification:. Timed Automata and Reachability Analysis. Motivation. - PowerPoint PPT PresentationTRANSCRIPT
Robustness and Robustness and Implementability of Timed Implementability of Timed
AutomataAutomata
Martin De WulfMartin De Wulf
Laurent DoyenLaurent Doyen
Nicolas MarkeyNicolas Markey
Jean-François RaskinJean-François Raskin
Centre Fédéré en Vérification
FORMATS-FTRTFT 2004 – Sep 24FORMATS-FTRTFT 2004 – Sep 24thth - Grenoble - Grenoble
MotivationMotivation
• Embedded Controllers… are difficult to develop (concurrency, real-time, continuous environment, ...).
… are safety critical.
Use formal models + Verification:
Timed Automata andReachability Analysis
Timed Automata
closed guard
reset
Location
Transition
2a
0:a
2b
0:b
1:a0:b
A
Clocks: {a,b}
ObjectivesObjectives
• From a verified model, generate (automatically) a correct implementation
• Using classical formalism (e.g. timed automata)
• …but interpreting the model in a way that guarantees the transfer of the properties from model to implementation3x
Robustness and ImplentationRobustness and Implentation
Model
•Perfect continuous clocks
•Instantaneous synchronisations
•Reaction time = 0
•Digital clocks
•Delayed synchronisations
•Reaction time > 0
Implementation
vs.
Correct model
Correct implementatio
n
??
Timed Automata: SemanticsTimed Automata: Semantics
Classical
Perfect clocks
Rate:
Guard:
1/ dtdx
][ iff | gvgv
Imprecise clocks
Rate:
Guard:
]1,1[/ dtdx
][ iff | gvgv
],[][ babxa ],[][ babxa
00][A Enlarge
dvs.
][A
Shortcut:
0][:][ AA 0][:][ AA
From Model to ImplementationFrom Model to Implementation
>0 Reach([A´]) Bad =
Timed automaton A is implementable [DDR04] if
Reach([A]) Bad =
Timed automaton A is correct if
which is equivalent to
>0 Reach([A´]) Bad =
RobustnessRobustness
No ! (see example)
•Is it always the case that ?
>0 Reach([A]) = Reach([A])
•How to compute ?
>0 Reach([A])
• [Pur98] gives an algorithm for
>0 Reach([A])
• We show that >0 Reach([A]) = >0 Reach([A])
An example showing thatAn example showing that
Reach([A]) >0 Reach([A])
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
ExampleExample
2a
0:a
2b
0:b
a
b
10
1
2
2
1:a0:b
Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
AReach
Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
2
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
3
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
4
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
)12( k
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
k2
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
Reach([A])
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
>0 Reach([A])
When 0
Enlarged Semantics
a
b
10
1
2
2
Classical Semantics
vs.
ExampleExample
a10
1
2
2
b
>0 Reach([A])Reach([A])
00
a
b
10
1
2
2
•Black cycles are reachable
•Blue cycles are not !
Classical semantics [A]
Enlarged semantics
•One blue cycle is reachable
•By repeating this cycle with Δ>0, the entire regions are reachable !
ExampleExample
[A]
Cycles in Timed AutomataCycles in Timed Automata
Algortihm [Pur98] is based on this observation:
•It just adds the cycles to reachable states
•Until no more cycle is accessible
Hence, the implementability problem
is decidable ! (and PSPACE-complete)
Given a timed automaton A, determine whether there exists Δ>0 such that Reach([A]) Bad =
Open questionsOpen questions
• Maximize Δ such that
• Decide whether there exists Δ such that
• Find a practical algorithm for
• And many others…
Reach([A]) Bad =
>0 Reach([A])
UntimedLang([A]) = UntimedLang([A])
ReferencesReferences
• [DDR04] M. De Wulf, L. Doyen, J.-F. Raskin. Almost ASAP Semantics: From Timed Model to Timed Implementation. LNCS 2993, HSCC 2004.
• [Pur98] A. Puri. Dynamical Properties of Timed Automata. FTRTFT 1998.
Model-based developmentModel-based development
• Make a model of the environment:Env
• Make clear the control objective: Bad
• Make a model of the control strategy:ControllerModel
• Verify:Does Env || ControllerModel avoid
Bad ?• Good, but after ?