Robust Controller Synthesis in Timed Automata

Size: px

Start display at page:

Download "Robust Controller Synthesis in Timed Automata"

Rafe Scott
5 years ago
Views:

1 Robust Controller Synthesis in Timed Automata Ocan Sankur LSV, ENS Cachan & CNRS Joint with Patricia Bouyer, Nicolas Markey, Pierre-Alain Reynier. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

2 Timed Automata and Non-determinism A timed automaton x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := 0 Runs y x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

3 Timed Automata and Non-determinism A timed automaton x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := 0 Runs y x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

4 Timed Automata and Non-determinism A timed automaton x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := 0 Runs y x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

5 Timed Automata and Non-determinism A timed automaton x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := 0 Runs y x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

6 Timed Automata and Non-determinism A timed automaton x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := 0 Runs y x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

7 Timed Automata and Non-determinism A timed automaton x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := 0 Runs y x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

8 Controller Synthesis Given a non-deterministic system, and a specification, compute a strategy to control the system. The system under the strategy is deterministic. an implementation. y 2 1 Example: at any state (l 1, x, y), delay 2 x 2 i.e. half way through the guard x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

9 Controller Synthesis Given a non-deterministic system, and a specification, compute a strategy to control the system. The system under the strategy is deterministic. an implementation. y 2 1 Example: at any state (l 1, x, y), delay 2 x 2 i.e. half way through the guard x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

10 Controller Synthesis Given a non-deterministic system, and a specification, compute a strategy to control the system. The system under the strategy is deterministic. an implementation. y 2 1 Example: at any state (l 1, x, y), delay 2 x 2 i.e. half way through the guard x Theorem [Alur & Dill 1994] Computing strategies for Büchi objectives in timed automata is PSPACE-complete. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

11 Robustness in Strategies 1. However exact timings cannot be ensured in real-time systems. So the strategy ( x delay 2 x ) 2 cannot be implemented exactly. Is any strategy valid under an error interval? Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

12 Robustness in Strategies 1. However exact timings cannot be ensured in real-time systems. So the strategy ( x delay 2 x ) 2 cannot be implemented exactly. y In our example, one can show that x is increasing during consecutive visits to l 2, and the guard is x x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

13 Robustness in Strategies 1. However exact timings cannot be ensured in real-time systems. So the strategy ( x delay 2 x ) 2 cannot be implemented exactly. y In our example, one can show that x is increasing during consecutive visits to l 2, and the guard is x x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

14 Robustness in Strategies 1. However exact timings cannot be ensured in real-time systems. So the strategy ( x delay 2 x ) 2 cannot be implemented exactly. y In our example, one can show that x is increasing during consecutive visits to l 2, and the guard is x x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

15 Robustness in Strategies 1. However exact timings cannot be ensured in real-time systems. So the strategy ( x delay 2 x ) 2 cannot be implemented exactly. y In our example, one can show that x is increasing during consecutive visits to l 2, and the guard is x x Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

16 Robustness in Strategies 1. However exact timings cannot be ensured in real-time systems. So the strategy ( x delay 2 x ) 2 cannot be implemented exactly. y In our example, one can show that x is increasing during consecutive visits to l 2, and the guard is x x 2. Strategies may require arbitrary precision. Required delays converge here. When x is closed to 2, no additional delay is supported. Run is theoretically infinite, but it is actually blocking. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

17 Robustness in Strategies (2) Some strategies in timed automata are not realistic, and may require high precision, and can cause convergence. Goal: Develop a theory of robust strategies that tolerate error and avoid convergence. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

18 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

19 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. 2 Environment chooses ɛ [ δ, +δ], Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

20 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. 2 Environment chooses ɛ [ δ, +δ], 3 New state is (l, (ν + d + ɛ)[r 0]). Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

21 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. 2 Environment chooses ɛ [ δ, +δ], 3 New state is (l, (ν + d + ɛ)[r 0]). 1<x<2 y:=0 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

22 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. 2 Environment chooses ɛ [ δ, +δ], 3 New state is (l, (ν + d + ɛ)[r 0]). 1<x<2 y:=0 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

23 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. 2 Environment chooses ɛ [ δ, +δ], 3 New state is (l, (ν + d + ɛ)[r 0]). 1<x<2 y:=0 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

24 Robustness in Strategies (2) (Conservative) Perturbation Game: Controller vs Environment. Given A and δ > 0, define G(A) as a game as follows. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d + ɛ = g for all ɛ [ δ, δ]. 2 Environment chooses ɛ [ δ, +δ], 3 New state is (l, (ν + d + ɛ)[r 0]). 1<x<2 y:=0 Previous work: Chatterjee, Henzinger, Prabhu 2008: for fixed δ > 0. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

25 Main Result: Parameterized Robust Control Parameterized robust control Given a timed automaton A, and a Büchi condition φ, decide whether for small enough δ > 0, G(A) satisfies φ. A strategy for δ is valid for all 0 < δ < δ. The problem consists in finding cycles that do not become blocked (converge). Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

26 Main Result: Parameterized Robust Control Parameterized robust control Given a timed automaton A, and a Büchi condition φ, decide whether for small enough δ > 0, G(A) satisfies φ. A strategy for δ is valid for all 0 < δ < δ. The problem consists in finding cycles that do not become blocked (converge). Convergence: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

27 Main Result: Parameterized Robust Control Parameterized robust control Given a timed automaton A, and a Büchi condition φ, decide whether for small enough δ > 0, G(A) satisfies φ. A strategy for δ is valid for all 0 < δ < δ. The problem consists in finding cycles that do not become blocked (converge). Convergence: Environment can force the play inside a half-space. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

28 Main Result: Parameterized Robust Control Parameterized robust control Given a timed automaton A, and a Büchi condition φ, decide whether for small enough δ > 0, G(A) satisfies φ. A strategy for δ is valid for all 0 < δ < δ. The problem consists in finding cycles that do not become blocked (converge). No Convergence: No such constraining half-spaces. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

29 Main Result: Parameterized Robust Control Parameterized robust control Given a timed automaton A, and a Büchi condition φ, decide whether for small enough δ > 0, G(A) satisfies φ. A strategy for δ is valid for all 0 < δ < δ. The problem consists in finding cycles that do not become blocked (converge). Theorem Parameterized robust control is PSPACE-complete. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

30 Main Result: Parameterized Robust Control Parameterized robust control Given a timed automaton A, and a Büchi condition φ, decide whether for small enough δ > 0, G(A) satisfies φ. A strategy for δ is valid for all 0 < δ < δ. The problem consists in finding cycles that do not become blocked (converge). Theorem Parameterized robust control is PSPACE-complete. Robustly controllable there exists a reachable forgetful cycle. If all states are accepting, then Thick timed automata are exactly those that are robustly controllable. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

31 Reachability in Timed Automata Runs of timed automata can be characterized by runs visiting only the vertices of regions. given the topological closure of the guards. 2 y x Orbit Graph The orbit graph of a cycle on regions is a graph where: - nodes are the vertices of the region. - there is an edge a b, if b is reachable from a along the path. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

32 A cycle is called forgetful if it is strongly connected (Asarin & Basset 2011) Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22 Orbit Graph Example x 2, a, x := 0 x = 1, y := 0 l 0 l 1 l 2 y 2, b, y := y l 1 a 2 1 y l y l 2 b y 2 1 l y l x x x x x

33 Reachability with Orbit Graphs λ 2 λ 1 ν λ 3 For any valuation ν, write ν = λ v, a convex combination of the vertices. Theorem [Puri 2000], [Asarin & Basset 2011] Given a path, and valuation λ v, λ v λ v λ is computed by distributing each λ v to its successors following a probability distribution. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

34 Reachability with Orbit Graphs (1 p q)λ 1 λ 2 ν pλ 1 qλ 1 λ 3 For any valuation ν, write ν = λ v, a convex combination of the vertices. Theorem [Puri 2000], [Asarin & Basset 2011] Given a path, and valuation λ v, λ v λ v λ is computed by distributing each λ v to its successors following a probability distribution. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

35 Reachability with Orbit Graphs λ 2 λ 1 ν λ 3 For any valuation ν, write ν = λ v, a convex combination of the vertices. Theorem [Puri 2000], [Asarin & Basset 2011] Given a path, and valuation λ v, λ v λ v λ is computed by distributing each λ v to its successors following a probability distribution. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

36 Reachability with Orbit Graphs 2λ 2 /3 λ 1 /2 + λ 2 /3 ν λ 3 + λ 1 /2 For any valuation ν, write ν = λ v, a convex combination of the vertices. Theorem [Puri 2000], [Asarin & Basset 2011] Given a path, and valuation λ v, λ v λ v λ is computed by distributing each λ v to its successors following a probability distribution. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

37 Proof 1: When There is an Accepting Forgetful Cycle Show that Controller can win. Claim: If π is a forgetful cycle, then the folded orbit graph of π n is a complete graph for some n 1. In the rest, the graph of π is complete. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

38 Proof 1: When There is an Accepting Forgetful Cycle Show that Controller can win. Claim: If π is a forgetful cycle, then the folded orbit graph of π n is a complete graph for some n 1. In the rest, the graph of π is complete. Claim: If π is has a complete f.o.g., then (ν, ν ) r s, ν ν. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

39 Proof 1: When There is an Accepting Forgetful Cycle Show that Controller can win. Claim: If π is a forgetful cycle, then the folded orbit graph of π n is a complete graph for some n 1. In the rest, the graph of π is complete. Claim: If π is has a complete f.o.g., then (ν, ν ) r s, ν ν. ν ν Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

40 Proof 1: There is an Accepting Forgetful Cycle Controller s strategy: try to come back at the middle of the region. Without perturbations, this is possible by hypothesis: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

41 Proof 1: There is an Accepting Forgetful Cycle Controller s strategy: try to come back at the middle of the region. Without perturbations, this is possible by hypothesis: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

42 Proof 1: There is an Accepting Forgetful Cycle Controller s strategy: try to come back at the middle of the region. Without perturbations, this is possible by hypothesis: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

43 Proof 1: There is an Accepting Forgetful Cycle Controller s strategy: try to come back at the middle of the region. Without perturbations, this is possible by hypothesis: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

44 Proof 1: There is an Accepting Forgetful Cycle Controller s strategy: try to come back at the middle of the region. Without perturbations, this is possible by hypothesis: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

45 Proof 1: There is an Accepting Forgetful Cycle Controller s strategy: try to come back at the middle of the region. Without perturbations, this is possible by hypothesis: Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

46 Proof 1: There is an Accepting Forgetful Cycle Under perturbations, we need the controllable predecessors of a subset. δ Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

47 Proof 1: There is an Accepting Forgetful Cycle Under perturbations, we need the controllable predecessors of a subset. δ 2δ Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

48 Proof 1: There is an Accepting Forgetful Cycle Under perturbations, we need the controllable predecessors of a subset. 3δ δ 2δ Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

49 Proof 1: There is an Accepting Forgetful Cycle Under perturbations, we need the controllable predecessors of a subset. 3δ δ 2δ 2δ Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

50 Proof 1: There is an Accepting Forgetful Cycle Under perturbations, we need the controllable predecessors of a subset. 3δ δ 2δ 2δ Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

51 Proof 1: There is an Accepting Forgetful Cycle Under perturbations, we need the controllable predecessors of a subset. lδ 3δ δ kδ 2δ 2δ Each red-blue set is a shrinking of a gray zone. The shrunk DBM data structure can be used to compute / represent these sets, where computations hold for all small enough δ > 0. S., Bouyer, Markey. Shrinking Timed Automata. FSTTCS 11. Bouyer, Markey, S. Robust Reachability in Timed Automata: A Game-Based Approach. ICALP 12. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

52 Case: There is an Accepting Forgetful Cycle A δ B δ Computations with shrunk DBMs hold for all δ [0, δ 0 ], for some δ 0 > 0. Here, for any δ > 0, from A δ, Controller can ensure reaching B δ. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

53 Case: There is an Accepting Forgetful Cycle A δ B δ Computations with shrunk DBMs hold for all δ [0, δ 0 ], for some δ 0 > 0. Here, for any δ > 0, from A δ, Controller can ensure reaching B δ. Claim 1: For (computable) small enough δ > 0, A δ, B δ. Claim 2: For (computable) small enough δ > 0, B δ A δ. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

54 Case: There is an Accepting Forgetful Cycle A δ B δ Computations with shrunk DBMs hold for all δ [0, δ 0 ], for some δ 0 > 0. Here, for any δ > 0, from A δ, Controller can ensure reaching B δ. Claim 1: For (computable) small enough δ > 0, A δ, B δ. Claim 2: For (computable) small enough δ > 0, B δ A δ. Controller ends in A δ at each iteration, so it can repeat its strategy. Controller wins! Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

55 Proof 2: Only Non-Forgetful Cycles Show that if all cycles are non-forgetful, Controller looses. If accepting for Büchi, then for some strategy, some cycle is repeated infinitely often. Assume there are only non-forgetful cycles. We will show a contradiction (proof idea). Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

56 Proof 2: Only Non-Forgetful Cycles A non-forgetful cycle always has an initial component I. Lemma [Asarin & Basset 2011] If λ v λ v, then v I λ v v I λ v. This quantitiy is nonincreasing along an infinite repetition of the cycle. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

57 Proof 2: Only Non-Forgetful Cycles A non-forgetful cycle always has an initial component I. λ 2 v I λv = c λ 1 λ 3 Lemma [Asarin & Basset 2011] If λ v λ v, then v I λ v v I λ v. This quantitiy is nonincreasing along an infinite repetition of the cycle. Proof: Each λ v is the sum of the predecessors of v multiplied by a probability. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

58 Proof 2: Only Non-Forgetful Cycles A non-forgetful cycle always has an initial component I. λ 2 /2 v I λv = c λ 1 /2 + λ 2 /2 λ 3 + λ 1 /2 Lemma [Asarin & Basset 2011] If λ v λ v, then v I λ v v I λ v. This quantitiy is nonincreasing along an infinite repetition of the cycle. Proof: Each λ v is the sum of the predecessors of v multiplied by a probability. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

59 Case: Only Non-Forgetful Cycles Lemma Environment has a strategy to ensure, for any λ v λ v, v I λ v v I λ v ɛ. ɛ Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

60 Case: Only Non-Forgetful Cycles Lemma Environment has a strategy to ensure, for any λ v λ v, v I λ v v I λ v ɛ. λ 2 ɛ λ 1 ɛ λ 3 ɛ Claim 1: Environment can enforce λ v ɛ for all v. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

61 Case: Only Non-Forgetful Cycles Lemma Environment has a strategy to ensure, for any λ v λ v, v I λ v v I λ v ɛ. λ 2 ɛ λ 1 ɛ λ 3 ɛ Claim 1: Environment can enforce λ v ɛ for all v. Claim 2: There exists some edge leaving I. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

62 Case: Only Non-Forgetful Cycles Lemma Environment has a strategy to ensure, for any λ v λ v, v I λ v v I λ v ɛ. λ 2 ɛ λ 1 ɛ ɛ λ 3 ɛ Claim 1: Environment can enforce λ v ɛ for all v. Claim 2: There exists some edge leaving I. Claim 3: Environment can enforce edge probabilities ɛ. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

63 Case: Only Non-Forgetful Cycles Lemma Environment has a strategy to ensure, for any λ v λ v, v I λ v v I λ v ɛ. λ 2 ɛ λ 1 ɛ ɛ λ 3 ɛ It follows: The sum v I is decreased by at least ɛ at each iteration. But 0 v I 1, contradiction (no infinite run along this region). Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

64 Algorithm Robust Controller Synthesis Algorithm Given a timed automaton A, - Guess a cycle of length at most exponential in the region automaton, - Compute the folded orbit graph (on-the-fly) and check whether it is forgetful. - Accept if it is, reject otherwise. (If there is a forgetful cycle, there is one of at most exponential length.) Once a forgetful lasso is found, one can compute the maximal δ and a winning strategy in time polynomial in the length of the lasso, using results from the shrinking papers. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

65 Algorithm Robust Controller Synthesis Algorithm Given a timed automaton A, - Guess a cycle of length at most exponential in the region automaton, - Compute the folded orbit graph (on-the-fly) and check whether it is forgetful. - Accept if it is, reject otherwise. (If there is a forgetful cycle, there is one of at most exponential length.) Once a forgetful lasso is found, one can compute the maximal δ and a winning strategy in time polynomial in the length of the lasso, using results from the shrinking papers. The problem is PSPACE-complete. Same complexity as non-emptiness in the standard semantics. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

66 Conclusion A Game semantics for modelling perturbations disables punctual moves, and too precise strategies. Thin timed automata do become blocking under some perturbation strategies. Robust control thickness (along accepting lassos). Winning strategies can be computed by δ-parameterized data structures. One can compute symbolically, and adjust δ later. Timed games Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

67 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

68 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d = g, Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

69 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d = g, 2 Environment chooses d [d δ, d + δ], (we can have d = g) Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

70 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d = g, 2 Environment chooses d [d δ, d + δ], (we can have d = g) 3 New state is (l, (ν + d )[R 0]). Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

71 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d = g, 2 Environment chooses d [d δ, d + δ], (we can have d = g) 3 New state is (l, (ν + d )[R 0]). For δ > 0, x=y=1 y:=0 ν 0 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

72 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d = g, 2 Environment chooses d [d δ, d + δ], (we can have d = g) 3 New state is (l, (ν + d )[R 0]). For δ > 0, x=y=1 y:=0 ν 0 ν 0 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

73 Excess-Perturbation Game Let A be a timed automaton and δ > 0. Excess Perturbation Game: Controller vs Environment. At any state (l, ν), 1 Controller chooses a delay d δ, and an edge l g,r l, such that ν + d = g, 2 Environment chooses d [d δ, d + δ], (we can have d = g) 3 New state is (l, (ν + d )[R 0]). For δ > 0, x=y=1 y:=0 ν 0 ν 0 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

74 Excess-Perturbation Game - 2 Excess Perturbation Semantics The model is often simpler: one can use equalities, not think about error intervals. A synthesized strategy takes into account additional behaviors. vs Conservative Perturbation Semantics The model already contains intervals for timing constraints. No additional behavior is expected. The problem is convergence: the synthesized strategy must ensure liveness. Pick one... Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

75 Reachability in Excess-Perturbation Game (Parameterized) Robust Reachability Given a timed automaton A and target location l, Does there exist δ 0 > 0, such that Controller has a strategy reaching l in the excess semantics for all δ [0, δ 0 )? Main result Robust reachability in excess semantics is EXPTIME-complete. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

76 EXPTIME-hardness Usual semantics in TA can encode reachability in linearly bounded Turing machines (PSPACE-complete). Robust semantics in TA can encode reachability in alternating linearly bounded Turing machines (EXPTIME-complete). The encoding is similar as in the PSPACE-hardness proofs for TA. Alternation: simulated by the perturbating player x, y := 0 x = 1, y := 0 x = 2, y 1 x = 2, y < 1 Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

77 Conclusion The excess-perturbation game semantics is harder: reachability is EXPTIME-complete. NB: Convergence is not a problem for reachability (finite runs). General timed games in both semantics. Zone-based algorithms, efficient implementations. Ocan Sankur (ENS Cachan) Robust Control in Timed Automata February 18, / 22

Robust Reachability in Timed Automata: A Game-based Approach

Robust Reachability in Timed Automata: A Game-based Approach Patricia Bouyer, Nicolas Markey, and Ocan Sankur LSV, CNRS & ENS Cachan, France. {bouyer,markey,sankur}@lsv.ens-cachan.fr Abstract. Reachability