1212 /k Action and Predicate Safety of Hybrid Processes Pieter Cuijpers Michel Reniers

1212 /k Overview HyPA Process representations Two levels of abstraction Specification of Safety Congruence Safety analysis of hybrid processes Conclusions

1212 /k HyPA  termination  deadlock actiondiscrete action cflow clause (V|Pred) d >> P, b >> Pre-initialization clause [V|Pred] P  Palternative composition P  Psequential composition P  P, P  Pdisrupt P || P, P  P, P  Pparallel composition  H (P),  Pred (P)encapsulation

1212 /k Hybrid automaton representation X i  c i   j  J(i) d j >> action j  X j HA   i  I d’ i >> X i cici d1d1 d2d2

1212 /k Constitutive hybrid process repr. X i  (  j  J(i) d j >> c j )  X i  (  j  J’(i) b j >> action j )  X i CHP  || i  I X i

1212 /k State-space representation (Linear hybrid process definition) X i   j  J(i) d j >>    j  J’(i) d j >> action j  X j   j  J’’(i) d j >> c j  X j SSR  X init

1212 /k Two levels of abstraction On the lowest level of abstraction, HyPA is aimed at giving different representations of the same system. At a higher level of abstraction, HyPA can also be used to analyse, for example, safety properties.

1212 /k Two levels of abstraction Robust Bisimilarity  Initially stateless bisimilarity= X  Y implies X = Y

1212 /k Robust bisimilarity x    x x  y  y  x x  (y  z)  (x  y)  z x      x  x   x   x  (y  z)  (x  y)  z (x  y)  z  (x  z)  (y  z) x  y  x  y  y   x     x   x  (y  z)  (x  y)  z (x  y)  z  (x  z)  (y  z) d >> (x  y)  (d >> x)  (d >> y)  H (x  y)   H (x)   H (y) etc. etc. etc.

1212 /k Initially stateless bisimilarity d >> action  x=d >> action  d ! >> x d >> c  x=d >> c  (d  D(c)) ! >> x

1212 /k Specification of Safety Safety for actionsX=  H (X) Safety for predicatesX=  Pred (X)

1212 /k Congruence X  [x|x + = 0] >> a1  a2 Y  [x|x + = 0] >> a1  [x - = 0] >> a2 Z  [x|x + = 1] >> a3 X=Y X || Z  Y || Z

1212 /k Predicate safety of a state-space repr. When do we have SSR =  Pred (SSR) ?

1212 /k Predicate safety of a state-space repr. Create a re-initialization for every recursion variable, signifying its reachable set. [true]=R init (R i  d j ) !  R j for all i and all j  J’(i) (R i  d j  D(c j )) !  R j for all i and all j  J’’(i)

1212 /k Predicate safety of a state-space repr. When do we have R i >> X i =  Pred (R i >> X i ), and especially SSR  [true] >> X init =  Pred ([true] >> X init )   Pred (SSR) ?

1212 /k Predicate safety of a state-space repr. R i >> X i  R i >> (  j  J(i) d j >>    j  J’(i) d j >> action j  X j   j  J’’(i) d j >> c j  X j )

1212 /k Predicate safety of a state-space repr. R i >> X i   j  J(i) (R i  d j ) >>    j  J’(i) (R i  d j ) >> action j  X j   j  J’’(i) (R i  d j ) >> c j  X j

1212 /k Predicate safety of a state-space repr. R i >> X i =  j  J(i) (R i  d j ) >>    j  J’(i) (R i  d j ) >> action j  (R j >> X j )   j  J’’(i) (R i  d j ) >> c j  (R j >> X j )

1212 /k Predicate safety of a state-space repr.  Pred (R i >> X i )  Pred ( R i >> (  j  J(i) d j >>    j  J’(i) d j >> action j  X j   j  J’’(i) d j >> c j  X j ))

1212 /k Predicate safety of a state-space repr.  Pred (R i >> X i )  Pred (  j  J(i) (R i  d j ) >>    j  J’(i) (R i  d j ) >> action j  X j   j  J’’(i) (R i  d j ) >> c j  X j )

1212 /k Predicate safety of a state-space repr.  Pred (R i >> X i )=  Pred (  j  J(i) (R i  d j ) >>    j  J’(i) (R i  d j ) >> action j  (R j >> X j )   j  J’’(i) (R i  d j ) >> c j  (R j >> X j ) )

1212 /k Predicate safety of a state-space repr.  Pred (R i >> X i )=  j  J(i)  Pred ( (R i  d j ) >>  )   j  J’(i)  Pred ( (R i  d j ) >> action j )   Pred ( R j >> X j )   j  J’’(i)  Pred ( (R i  d j ) >> c j )   Pred ( R j >> X j )

1212 /k Predicate safety of a state-space repr. Assuming safety of the following processes:  Pred ( (R i  d j ) >>  ) =(R i  d j ) >>   Pred ( (R i  d j ) >> action j ) =(R i  d j ) >> action j  Pred ( (R i  d j ) >> c j )= (R i  d j ) >> c j

1212 /k Predicate safety of a state-space repr. Assuming safety of the following processes:  Pred ( (R i  d j ) >> action j ) =(R i  d j ) >> action j  Pred ( (R i  d j ) >> c j )= (R i  d j ) >> c j

1212 /k Predicate safety of a state-space repr.  Pred (R i >> X i )=  j  J(i) (R i  d j ) >>    j  J’(i) (R i  d j ) >> action j   Pred ( R j >> X j )   j  J’’(i) (R i  d j ) >> c j   Pred ( R j >> X j )

1212 /k Predicate safety of a state-space repr. So R i >> X i and  Pred (R i >> X i ) are both solutions of the state space definition: Y i =  j  J(i) (R i  d j ) >>    j  J’(i) (R i  d j ) >> action j   Pred (Y i )   j  J’’(i) (R i  d j ) >> c j   Pred (Y i )

1212 /k Predicate safety of a state-space repr. Thus R i >> X i =  Pred (R i >> X i ) and hence SSR =  Pred (SSR).

1212 /k Conclusions Different model representations. Analysis at the cost of congruence || Safety of state space representations depends on safety of sub-processes. Termination of analysis method is a problem Calculation of reachable sets is a problem

1212 /k Future research For CHP we have congruence || Termination using predicate abstraction Calculation/approximation of reachable sets Algebraic specification of other properties