Download presentation
Presentation is loading. Please wait.
1
Robustness and Implementability of Timed Automata
FORMATS-FTRTFT 2004 – Sep 24th - Grenoble Martin De Wulf Laurent Doyen Nicolas Markey Jean-François Raskin Centre Fédéré en Vérification
2
Motivation Embedded Controllers
… are difficult to develop (concurrency, real-time, continuous environment, ...). … are safety critical. Use formal models + Verification: Timed Automata and Reachability Analysis
3
Timed Automata Location closed guard Transition reset Clocks: {a,b}
4
Objectives From a verified model, generate (automatically) a correct implementation Using classical formalism (e.g. timed automata) …but interpreting the model in a way that guarantees the transfer of the properties from model to implementation
5
Robustness and Implentation
Model vs. Implementation Perfect continuous clocks Instantaneous synchronisations Reaction time = 0 Digital clocks Delayed synchronisations Reaction time > 0 Correct model Correct implementation ?
6
Timed Automata: Semantics
Enlarged vs. Classical Perfect clocks Rate: Guard: Imprecise clocks Rate: Guard: Shortcut:
7
From Model to Implementation
Reach([A]) Bad = Timed automaton A is correct if >0 Reach([A´]) Bad = Timed automaton A is implementable [DDR04] if which is equivalent to >0 Reach([A´]) Bad =
8
Robustness >0 Reach([A]) = Reach([A]) >0 Reach([A])
Is it always the case that ? >0 Reach([A]) = Reach([A]) No ! (see example) How to compute ? >0 Reach([A]) [Pur98] gives an algorithm for >0 Reach([A]) We show that >0 Reach([A]) = >0 Reach([A])
![Robustness >0 Reach([A]) = Reach([A]) >0 Reach([A])](http://slideplayer.com./slide/16063800/88/images/8/Robustness+%EF%83%87%EF%81%84%3E0+Reach%28%5BA%5D%EF%81%84%29+%3D+Reach%28%5BA%5D%29+%EF%83%87%EF%81%84%3E0+Reach%28%5BA%5D%EF%81%84%29.jpg "Is it always the case that >0 Reach([A]) = Reach([A]) No ! (see example) How to compute >0 Reach([A]) [Pur98] gives an algorithm for. >0 Reach([A]) We show that. >0 Reach([A]) = >0 Reach([A])")
9
An example showing that
Reach([A]) >0 Reach([A])
10
Example
11
Example Classical Semantics
12
Example Classical Semantics
13
Example Classical Semantics
14
Example Classical Semantics
15
Example Classical Semantics
16
Example Classical Semantics
17
Example Classical Semantics
18
Example Enlarged Semantics
19
Example Enlarged Semantics
20
Example Enlarged Semantics
21
Example Enlarged Semantics
22
Example Enlarged Semantics
23
Example Enlarged Semantics
24
Example Enlarged Semantics
25
Example Enlarged Semantics
26
Example Enlarged Semantics
27
Example Enlarged Semantics
28
Example Enlarged Semantics
29
Example Enlarged Semantics
30
Example Enlarged Semantics
31
Example Enlarged Semantics
32
Example Enlarged Semantics
33
Example Enlarged Semantics
34
Example Enlarged Semantics
35
Example Enlarged Semantics
36
Example Enlarged Semantics
37
Example Enlarged Semantics
38
Example Enlarged Semantics Reach([A])
![Example Enlarged Semantics Reach([A])](http://slideplayer.com./slide/16063800/88/images/38/Example+Enlarged+Semantics+Reach%28%5BA%5D%EF%81%84%29.jpg "Example Enlarged Semantics Reach([A])")
39
Example Enlarged Semantics When >0 Reach([A])
![Example Enlarged Semantics When >0 Reach([A])](http://slideplayer.com./slide/16063800/88/images/39/Example+Enlarged+Semantics+When+%EF%83%87%EF%81%84%3E0+Reach%28%5BA%5D%EF%81%84%29.jpg "Example Enlarged Semantics When >0 Reach([A])")
40
Example >0 Reach([A]) Classical Semantics vs. Enlarged Semantics
![Example >0 Reach([A]) Classical Semantics vs. Enlarged Semantics](http://slideplayer.com./slide/16063800/88/images/40/Example+%EF%83%87%EF%81%84%3E0+Reach%28%5BA%5D%EF%81%84%29+Classical+Semantics+vs.+Enlarged+Semantics.jpg "Example >0 Reach([A]) Classical Semantics vs. Enlarged Semantics")
41
Example Classical semantics [A] Black cycles are reachable
Blue cycles are not ! Enlarged semantics [A] One blue cycle is reachable By repeating this cycle with Δ>0, the entire regions are reachable !
![Example Classical semantics [A] Black cycles are reachable](http://slideplayer.com./slide/16063800/88/images/41/Example+Classical+semantics+%5BA%5D+Black+cycles+are+reachable.jpg "Blue cycles are not ! Enlarged semantics. [A] One blue cycle is reachable. By repeating this cycle with Δ>0, the entire regions are reachable !")
42
Cycles in Timed Automata
Algortihm [Pur98] is based on this observation: It just adds the cycles to reachable states Until no more cycle is accessible Hence, the implementability problem Given a timed automaton A, determine whether there exists Δ>0 such that Reach([A]) Bad = is decidable ! (and PSPACE-complete)
43
Open questions >0 Reach([A]) Maximize Δ such that
Decide whether there exists Δ such that Find a practical algorithm for And many others… Reach([A]) Bad = UntimedLang([A]) = UntimedLang([A]) >0 Reach([A])
![Open questions >0 Reach([A]) Maximize Δ such that](http://slideplayer.com./slide/16063800/88/images/43/Open+questions+%EF%83%87%EF%81%84%3E0+Reach%28%5BA%5D%EF%81%84%29+Maximize+%CE%94+such+that.jpg "Decide whether there exists Δ such that. Find a practical algorithm for. And many others… Reach([A]) Bad = UntimedLang([A]) = UntimedLang([A]) >0 Reach([A])")
44
References [DDR04] M. De Wulf, L. Doyen, J.-F. Raskin. Almost ASAP Semantics: From Timed Model to Timed Implementation. LNCS 2993, HSCC 2004. [Pur98] A. Puri. Dynamical Properties of Timed Automata. FTRTFT 1998.
![References [DDR04] M. De Wulf, L. Doyen, J.-F. Raskin. Almost ASAP Semantics: From Timed Model to Timed Implementation. LNCS 2993, HSCC](http://slideplayer.com./slide/16063800/88/images/44/References+%5BDDR04%5D+M.+De+Wulf%2C+L.+Doyen%2C+J.-F.+Raskin.+Almost+ASAP+Semantics%3A+From+Timed+Model+to+Timed+Implementation.+LNCS+2993%2C+HSCC.jpg "[Pur98] A. Puri. Dynamical Properties of Timed Automata. FTRTFT")
45
Model-based development
Make a model of the environment: Env Make clear the control objective: Bad Make a model of the control strategy: ControllerModel Verify: Does Env || ControllerModel avoid Bad ? Good, but after ?
Similar presentations
