Recent results on Timed Systems

Size: px

Start display at page:

Download "Recent results on Timed Systems"

Piers Baker
5 years ago
Views:

1 Recent results on Timed Systems Time Petri Nets and Timed Automata Béatrice Bérard LAMSADE Université Paris-Dauphine & CNRS Based on joint work with F. Cassez, S. Haddad, D. Lime, O.H. Roux VECoS 08, July 2nd /28

2 System General context Communication protocol Automated System... Formal specification, Algorithm, source code... Properties Reachability Response time... 2/28

3 System General context Communication protocol Automated System... Modelling expressiveness, concision Models Formal specification, Algorithm, source code... Properties Reachability Response time... Formulas or models 2/28

4 System General context Communication protocol Automated System... Modelling expressiveness, concision Models Formal specification, Algorithm, source code... Properties Reachability Response time... Formulas or models Verification Control Equivalence 2/28

5 System Communication protocol Automated System... General context Timed Models Modelling expressiveness, concision Models Formal specification, Algorithm, source code... Properties Reachability Response time... Timed Logics Formulas or models Verification Control Equivalence 2/28

6 Why add time? The gas burner example [ACHH93] The gas burner may leak and : each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s stop Leaking Not leaking start Is it possible that the gas burner leaks during a time greater than 1 20 of the global time after the first 60s? Timed features are needed in the model and in the properties: Instead of observing a sequence of events a 1 a 2... observe a sequence of alternating events and delays: a 1 d 1 a 2 d /28

7 Why add time? The gas burner example [ACHH93] The gas burner may leak and : each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s stop Leaking Not leaking start Is it possible that the gas burner leaks during a time greater than 1 20 of the global time after the first 60s? Timed features are needed in the model and in the properties: Instead of observing a sequence of events a 1 a 2... observe a sequence of alternating events and delays: a 1 d 1 a 2 d /28

8 Outline Timed Models Comparing timed automata and time Petri nets Conclusion 4/28

9 Outline Timed Models Comparing timed automata and time Petri nets Conclusion 5/28

10 Timed models and their semantics A Timed Model is obtained from a classical one by introducing delay transitions, with a dense or discrete time: either by adding clocks or (a particular case) by associating firing intervals with transitions. Semantics: a Timed Transition System Act alphabet of actions, T = (S, s 0, E) transition system S set of configurations, s0 initial configuration, E S Act S contains action transitions: s a s, instantaneous execution of a delay transitions: s d s, time elapsing for d time units. 6/28

11 Timed models and their semantics A Timed Model is obtained from a classical one by introducing delay transitions, with a dense or discrete time: either by adding clocks or (a particular case) by associating firing intervals with transitions. Semantics: a Timed Transition System Act alphabet of actions, T time domain contained in R 0, T = (S, s 0, E) timed transition system S set of configurations, s0 initial configuration, E S (Act T) S contains action transitions: s a s, instantaneous execution of a delay transitions: s d s, time elapsing for d time units. 6/28

12 Adding clocks: timed automata a variation of [Alur Dill 1990] The gas burner as a timed automaton each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s Leaking x 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking x is a real valued clock, invariant x 1 is associated with state Leaking, x 30 and x 1 are guards and x := 0 is a reset. Configuration: (q, v) where q {L, NL} and v a value of clock x. An execution: (L, [0]) 0.3 (L, [0.3]) stop (NL, [0]) 35 (NL, [35]) start (L, [0]) Not expressive enough for the property: Is it possible that the gas burner leaks during a time greater than 1 of the global time after the first 60s? 20 7/28

13 Adding clocks: timed automata a variation of [Alur Dill 1990] The gas burner as a timed automaton each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s Leaking x 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking x is a real valued clock, invariant x 1 is associated with state Leaking, x 30 and x 1 are guards and x := 0 is a reset. Configuration: (q, v) where q {L, NL} and v a value of clock x. An execution: (L, [0]) 0.3 (L, [0.3]) stop (NL, [0]) 35 (NL, [35]) start (L, [0]) Not expressive enough for the property: Is it possible that the gas burner leaks during a time greater than 1 of the global time after the first 60s? 20 7/28

14 Adding clocks: timed automata a variation of [Alur Dill 1990] The gas burner as a timed automaton each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s Leaking x 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking x is a real valued clock, invariant x 1 is associated with state Leaking, x 30 and x 1 are guards and x := 0 is a reset. Configuration: (q, v) where q {L, NL} and v a value of clock x. An execution: (L, [0]) 0.3 (L, [0.3]) stop (NL, [0]) 35 (NL, [35]) start (L, [0]) Not expressive enough for the property: Is it possible that the gas burner leaks during a time greater than 1 of the global time after the first 60s? 20 7/28

15 Adding clocks: timed automata a variation of [Alur Dill 1990] The gas burner as a timed automaton each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s Leaking x 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking x is a real valued clock, invariant x 1 is associated with state Leaking, x 30 and x 1 are guards and x := 0 is a reset. Configuration: (q, v) where q {L, NL} and v a value of clock x. An execution: (L, [0]) 0.3 (L, [0.3]) stop (NL, [0]) 35 (NL, [35]) start (L, [0]) Not expressive enough for the property: Is it possible that the gas burner leaks during a time greater than 1 of the global time after the first 60s? 20 7/28

16 Adding clocks: timed automata a variation of [Alur Dill 1990] The gas burner as a timed automaton each time leaking is detected, it is repaired or stopped in less than 1s two leaking periods are separated by at least 30s Leaking x 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking x is a real valued clock, invariant x 1 is associated with state Leaking, x 30 and x 1 are guards and x := 0 is a reset. Configuration: (q, v) where q {L, NL} and v a value of clock x. An execution: (L, [0]) 0.3 (L, [0.3]) stop (NL, [0]) 35 (NL, [35]) start (L, [0]) Not expressive enough for the property: Is it possible that the gas burner leaks during a time greater than 1 of the global time after the first 60s? 20 7/28

17 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 8/28

18 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x 8/28

19 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x 8/28

20 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x [ 0 0 ] [ ] [ y:=0 1 0 ] 8/28

21 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x [ 0 0 ] [ ] [ y:=0 1 0 ] 0.5 [ ] 8/28

22 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x [ 0 0 ] [ ] [ y:=0 1 0 ] 0.5 [ ] [ x:= ] 8/28

23 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x [ 0 0 ] [ ] [ y:=0 1 0 ] 0.5 [ ] [ x:= ] 8/28

24 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x [ 0 0 ] [ ] [ y:=0 1 0 ] 0.5 [ ] [ x:= ] 8/28

25 Semantics of timed automata A geometric view with two clocks x et y x 2, x := 0 y = 1, y := 0 x = 0, y = 2 y 2 x 1 x := 0 y 2, y := 0 y x [ 0 0 ] [ ] [ y:=0 1 0 ] 0.5 [ ] [ x:= ] 8/28

26 Adding time intervals on transitions Example : Time Petri Nets [Merlin 1974] Server t 2, b, [2, 2] (maintenance)... Clients t 1, a, [1, + [ (service) Configuration: (M, v) for a marking M and a transition valuation v Markings : M 0 = (2, 1), M 1 = (1, 1), M 2 = (1, 0) Valuation of transition t: time elapsed since t was last enabled, if t is not enabled. Classical semantics: when a firing occurs, an enabled transition is newly enabled if it was disabled after the token consumption or if it is the transition fired. An execution: (M 0,[0,0]) 1.3 (M 0,[1.3,1.3]) a (M 1,[0,0]) 2 (M 1,[2,2]) b (M 2,[, ]) 9/28

27 Adding time intervals on transitions Example : Time Petri Nets [Merlin 1974] Server t 2, b, [2, 2] (maintenance)... Clients t 1, a, [1, + [ (service) Configuration: (M, v) for a marking M and a transition valuation v Markings : M 0 = (2, 1), M 1 = (1, 1), M 2 = (1, 0) Valuation of transition t: time elapsed since t was last enabled, if t is not enabled. Classical semantics: when a firing occurs, an enabled transition is newly enabled if it was disabled after the token consumption or if it is the transition fired. An execution: (M 0,[0,0]) 1.3 (M 0,[1.3,1.3]) a (M 1,[0,0]) 2 (M 1,[2,2]) b (M 2,[, ]) 9/28

28 Adding time intervals on transitions Example : Time Petri Nets [Merlin 1974] Server t 2, b, [2, 2] (maintenance)... Clients t 1, a, [1, + [ (service) Configuration: (M, v) for a marking M and a transition valuation v Markings : M 0 = (2, 1), M 1 = (1, 1), M 2 = (1, 0) Valuation of transition t: time elapsed since t was last enabled, if t is not enabled. Classical semantics: when a firing occurs, an enabled transition is newly enabled if it was disabled after the token consumption or if it is the transition fired. An execution: (M 0,[0,0]) 1.3 (M 0,[1.3,1.3]) a (M 1,[0,0]) 2 (M 1,[2,2]) b (M 2,[, ]) 9/28

29 Adding time intervals on transitions Example : Time Petri Nets [Merlin 1974] Server t 2, b, [2, 2] (maintenance)... Clients t 1, a, [1, + [ (service) Configuration: (M, v) for a marking M and a transition valuation v Markings : M 0 = (2, 1), M 1 = (1, 1), M 2 = (1, 0) Valuation of transition t: time elapsed since t was last enabled, if t is not enabled. Classical semantics: when a firing occurs, an enabled transition is newly enabled if it was disabled after the token consumption or if it is the transition fired. An execution: (M 0,[0,0]) 1.3 (M 0,[1.3,1.3]) a (M 1,[0,0]) 2 (M 1,[2,2]) b (M 2,[, ]) 9/28

30 Other timed models and timed logics The gas burner as a linear hybrid automaton Leaking x 1 ẏ = 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking ẏ = 0 Add a stopwatch y and a clock z which are never reset and use these variables in a CTL-like formula: AG(z 60 20y z) the gas burner always leaks during a time less than or equal to 1 20 of the global time after the first 60s. Timed temporal logics have been defined to extend Linear Temporal Logic LTL and Computational Tree Logic CTL. 10/28

31 Other timed models and timed logics The gas burner as a linear hybrid automaton Leaking x 1 ẏ = 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking ẏ = 0 Add a stopwatch y and a clock z which are never reset and use these variables in a CTL-like formula: AG(z 60 20y z) the gas burner always leaks during a time less than or equal to 1 20 of the global time after the first 60s. Timed temporal logics have been defined to extend Linear Temporal Logic LTL and Computational Tree Logic CTL. 10/28

32 Other timed models and timed logics The gas burner as a linear hybrid automaton Leaking x 1 ẏ = 1 x 1, stop, x := 0 x 30, start, x := 0 Not leaking ẏ = 0 Add a stopwatch y and a clock z which are never reset and use these variables in a CTL-like formula: AG(z 60 20y z) the gas burner always leaks during a time less than or equal to 1 20 of the global time after the first 60s. Timed temporal logics have been defined to extend Linear Temporal Logic LTL and Computational Tree Logic CTL. 10/28

33 Verification is often not possible Reachability of a control state is undecidable for linear hybrid automata [Alur et al. 1995]. but can sometimes be done Reachability of a control state for timed automata is PSPACE-complete [Alur, Dill 1990]. Several tools have been developed and applied to case studies, in spite of the high complexity:... Kronos and UppAal for timed automata HCMC and HyTech for linear hybrid automata (semi-algorithms) TSMV for automata with duration (discrete time) Romeo and TINA, for time Petri nets 11/28

34 Verification is often not possible Reachability of a control state is undecidable for linear hybrid automata [Alur et al. 1995]. but can sometimes be done Reachability of a control state for timed automata is PSPACE-complete [Alur, Dill 1990]. Several tools have been developed and applied to case studies, in spite of the high complexity:... Kronos and UppAal for timed automata HCMC and HyTech for linear hybrid automata (semi-algorithms) TSMV for automata with duration (discrete time) Romeo and TINA, for time Petri nets 11/28

35 Verification is often not possible Reachability of a control state is undecidable for linear hybrid automata [Alur et al. 1995]. but can sometimes be done Reachability of a control state for timed automata is PSPACE-complete [Alur, Dill 1990]. Several tools have been developed and applied to case studies, in spite of the high complexity:... Kronos and UppAal for timed automata HCMC and HyTech for linear hybrid automata (semi-algorithms) TSMV for automata with duration (discrete time) Romeo and TINA, for time Petri nets 11/28

36 Outline Timed Models Comparing timed automata and time Petri nets Conclusion 12/28

37 Which equivalence relation? between two timed transition systems T 1 = (S 1, s 0 1, E 1 ) and T 2 = (S 2, s 0 2, E 2 ) Language equivalence T 1 and T 2 are language-equivalent if they accept the same sets of timed observation sequences (with respect to accepting conditions). Weak timed bisimulation With an alphabet Act containing an internal action ε, the systems T 1 and T 2 are weaky timed bisimilar if there is an equivalence relation on S 1 S 2 such that s 0 1 and s 0 2 are equivalent and: 13/28

38 Which equivalence relation? between two timed transition systems T 1 = (S 1, s 0 1, E 1 ) and T 2 = (S 2, s 0 2, E 2 ) Language equivalence T 1 and T 2 are language-equivalent if they accept the same sets of timed observation sequences (with respect to accepting conditions). Weak timed bisimulation With an alphabet Act containing an internal action ε, the systems T 1 and T 2 are weaky timed bisimilar if there is an equivalence relation on S 1 S 2 such that s 0 1 and s 0 2 are equivalent and: if s a 1 s 1 s 2 13/28

39 Which equivalence relation? between two timed transition systems T 1 = (S 1, s 0 1, E 1 ) and T 2 = (S 2, s 0 2, E 2 ) Language equivalence T 1 and T 2 are language-equivalent if they accept the same sets of timed observation sequences (with respect to accepting conditions). Weak timed bisimulation With an alphabet Act containing an internal action ε, the systems T 1 and T 2 are weaky timed bisimilar if there is an equivalence relation on S 1 S 2 such that s 0 1 and s 0 2 are equivalent and: if s 1 a s 1 then s 2 ε s 2 ε ε ε... a... 13/28

40 Which equivalence relation? between two timed transition systems T 1 = (S 1, s 0 1, E 1 ) and T 2 = (S 2, s 0 2, E 2 ) Language equivalence T 1 and T 2 are language-equivalent if they accept the same sets of timed observation sequences (with respect to accepting conditions). Weak timed bisimulation With an alphabet Act containing an internal action ε, the systems T 1 and T 2 are weaky timed bisimilar if there is an equivalence relation on S 1 S 2 such that s 0 1 and s 0 2 are equivalent and: if s 1 a s 1 if s 1 d s 1 then s 2 ε s 2 ε s 2 ε ε... a... 13/28

41 Which equivalence relation? between two timed transition systems T 1 = (S 1, s 0 1, E 1 ) and T 2 = (S 2, s 0 2, E 2 ) Language equivalence T 1 and T 2 are language-equivalent if they accept the same sets of timed observation sequences (with respect to accepting conditions). Weak timed bisimulation With an alphabet Act containing an internal action ε, the systems T 1 and T 2 are weaky timed bisimilar if there is an equivalence relation on S 1 S 2 such that s 0 1 and s 0 2 are equivalent and: if s 1 a s 1 if s 1 d s 1 then s 2 ε s 2 ε then s 2 d 1 s d 2 k ε ε... a... ε ε... d 2... with Σd i = d 13/28

42 Which equivalence relation? between two timed transition systems T 1 = (S 1, s 0 1, E 1 ) and T 2 = (S 2, s 0 2, E 2 ) Language equivalence T 1 and T 2 are language-equivalent if they accept the same sets of timed observation sequences (with respect to accepting conditions). Weak timed bisimulation With an alphabet Act containing an internal action ε, the systems T 1 and T 2 are weaky timed bisimilar if there is an equivalence relation on S 1 S 2 such that s 0 1 and s 0 2 are equivalent and: if s 1 a s 1 if s 1 d s 1 then s 2 ε s 2 ε then s 2 d 1 s d 2 k ε ε... a... and vice versa. ε ε... d 2... with Σd i = d 13/28

43 A global view of timed transition systems Discrete part Control states/transitions Timed part Valuations Discrete part: TPNs are more expressive than TA Unbounded TPNs can represent an infinite number of discrete states. Timed part: TA are more expressive than TPNs In TPNs, transitions are controlled by a single clock, clock reset is associated with newly enabled transitions, lazy behaviour in not possible. For weak timed bisimilarity Bounded-TPN W TA [Cassez, Roux 2004] (and Bounded-TPN TPN). 14/28

44 A global view of timed transition systems Discrete part Control states/transitions Timed part Valuations Discrete part: TPNs are more expressive than TA Unbounded TPNs can represent an infinite number of discrete states. Timed part: TA are more expressive than TPNs In TPNs, transitions are controlled by a single clock, clock reset is associated with newly enabled transitions, lazy behaviour in not possible. For weak timed bisimilarity Bounded-TPN W TA [Cassez, Roux 2004] (and Bounded-TPN TPN). 14/28

45 A global view of timed transition systems Discrete part Control states/transitions Timed part Valuations Discrete part: TPNs are more expressive than TA Unbounded TPNs can represent an infinite number of discrete states. Timed part: TA are more expressive than TPNs In TPNs, transitions are controlled by a single clock, clock reset is associated with newly enabled transitions, lazy behaviour in not possible. For weak timed bisimilarity Bounded-TPN W TA [Cassez, Roux 2004] (and Bounded-TPN TPN). 14/28

46 Back to semantics A timing property of TPNs Time elapsing does not disable transition firing. For the following TA, there is no (weakly timed) bisimilar TPN [BCHLR 2005]. x 1, a Three questions: Investigate the power of reset (memory policy) in TPNs : when should a transition be newly enabled? What about comparing the models with language equivalence? What is the maximal subclass of TA for which there exists a bisimilar TPN? 15/28

47 Back to semantics A timing property of TPNs Time elapsing does not disable transition firing. For the following TA, there is no (weakly timed) bisimilar TPN [BCHLR 2005]. x 1, a Three questions: Investigate the power of reset (memory policy) in TPNs : when should a transition be newly enabled? What about comparing the models with language equivalence? What is the maximal subclass of TA for which there exists a bisimilar TPN? 15/28

48 Reset in TPNs (1) We consider three semantics For a transition enabled after a firing: Intermediate (classical) semantics (I): the transition is newly enabled if it was disabled after the consuming step or if it is the fired transition. Atomic semantics (A): the transition is newly enabled if it was disabled before the firing or if it is the fired transition. Persistent atomic semantics (PA): the transition is newly enabled if it was disabled before the firing. 16/28

49 Reset in TPNs (1) We consider three semantics For a transition enabled after a firing: Intermediate (classical) semantics (I): the transition is newly enabled if it was disabled after the consuming step or if it is the fired transition. Atomic semantics (A): the transition is newly enabled if it was disabled before the firing or if it is the fired transition. Persistent atomic semantics (PA): the transition is newly enabled if it was disabled before the firing. p 2 t 2, b, [2, 2] p 1 t 1, a, [1, + [ 16/28

50 Reset in TPNs (1) We consider three semantics For a transition enabled after a firing: Intermediate (classical) semantics (I): the transition is newly enabled if it was disabled after the consuming step or if it is the fired transition. Atomic semantics (A): the transition is newly enabled if it was disabled before the firing or if it is the fired transition. Persistent atomic semantics (PA): the transition is newly enabled if it was disabled before the firing. p 2 t 2, b, [2, 2] (2p 1 + p 2,[0,0]) 1.3 (2p 1 + p 2,[1.3,1.3]) a p 1 t 1, a, [1, + [ 16/28

51 Reset in TPNs (1) We consider three semantics For a transition enabled after a firing: Intermediate (classical) semantics (I): the transition is newly enabled if it was disabled after the consuming step or if it is the fired transition. Atomic semantics (A): the transition is newly enabled if it was disabled before the firing or if it is the fired transition. Persistent atomic semantics (PA): the transition is newly enabled if it was disabled before the firing. p 2 t 2, b, [2, 2] (2p 1 + p 2,[0,0]) 1.3 (2p 1 + p 2,[1.3,1.3]) a p 1 t 1, a, [1, + [ (I): (p 1 + p 2,[0,0]) 2 (p 1 + p 2,[2,2]) (A): (p 1 + p 2,[0,1.3]) 0.7 (p 1 + p 2,[0.7,2]) b (p 1,[, ]) (PA):(p 1 + p 2,[1.3,1.3]) a (p 2,[,1.3]) 16/28

52 Reset in TPNs (2) Why alternative semantics? (PA) is closer to the semantics of TA (A) or (PA) are sometimes more convenient than (I): p Component t, c, I Observer t 1, a, I 1 t 2, b, I 2 For e.g. instantaneous multicast, (PA) is more convenient than (A) or (I): diffusion source clients t, d, [1, 1] 17/28

53 Reset in TPNs: results (PA) semantics is the most expressive [BCHLR ATVA 2005] TPN(I) W TPN (A) W TPN (PA) (PA) is strictly more expressive than (A): TPN(A) < W TPN (PA). For the following TPN with (PA) semantics, there is no bisimlar TPN with (A) semantics. t, ε, [0, 1[ For Bounded-TPNs with upper-closed intervals, the three semantics are equivalent: for any such net in TPN (PA), there exists a net in TPN (I) which is bisimilar. 18/28

54 Comparing with language equivalence TPNs and TA are equally expressive [BCHLR FORMATS 2005] Proof Bounded-TPN = L TA It consists in the construction of a TPN accepting the same language as a given timed automaton A, and involves constructions of subnets encoding atomic constraints and clock reset. A transition e : q 1 g,a,r q 2, with g = g 1 g 2, is simulated by a subnet of the form: 19/28

55 Comparing with language equivalence TPNs and TA are equally expressive [BCHLR FORMATS 2005] Proof Bounded-TPN = L TA It consists in the construction of a TPN accepting the same language as a given timed automaton A, and involves constructions of subnets encoding atomic constraints and clock reset. A transition e : q 1 g,a,r q 2, with g = g 1 g 2, is simulated by a subnet of the form: 19/28

56 Comparing with language equivalence TPNs and TA are equally expressive [BCHLR FORMATS 2005] Proof Bounded-TPN = L TA It consists in the construction of a TPN accepting the same language as a given timed automaton A, and involves constructions of subnets encoding atomic constraints and clock reset. A transition e : q 1 g,a,r q 2, with g = g 1 g 2, is simulated by a subnet of the form: P q1 t e, a, [0, [ r 1 r n endr, ε, [0, 0] P q2 N g1 N reset N g2 19/28

57 Characterisation of TA bisimilar to TPNs Find TA wb the maximal subclass of TA for which there is a bisimilar TPN The characterisation is expressed with topological properties of the region automaton, used for analysis of a timed automaton. 20/28

58 Characterisation of TA bisimilar to TPNs Find TA wb the maximal subclass of TA for which there is a bisimilar TPN The characterisation is expressed with topological properties of the region automaton, used for analysis of a timed automaton. 20/28

59 Characterisation of TA bisimilar to TPNs Find TA wb the maximal subclass of TA for which there is a bisimilar TPN The characterisation is expressed with topological properties of the region automaton, used for analysis of a timed automaton. Timed automaton Discrete part Control states/transitions Timed part Valuations 20/28

60 Characterisation of TA bisimilar to TPNs Find TA wb the maximal subclass of TA for which there is a bisimilar TPN The characterisation is expressed with topological properties of the region automaton, used for analysis of a timed automaton. Timed automaton Discrete part Control states/transitions Timed part Valuations Quotient Abstract time 20/28

61 Characterisation of TA bisimilar to TPNs Find TA wb the maximal subclass of TA for which there is a bisimilar TPN The characterisation is expressed with topological properties of the region automaton, used for analysis of a timed automaton. Timed automaton Discrete part Control states/transitions Timed part Valuations Quotient Region automaton Discrete part Control states/transitions Abstract time 20/28

62 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y x 21/28

63 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y x Equivalent valuations satisfy the same constraints x k 21/28

64 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

65 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

66 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

67 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

68 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

69 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

70 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

71 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

72 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

73 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

74 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

75 Quotient: a geometric view with two clocks x and y and maximal constant m = 2 y 2 region R defined by I x =]0; 1[, I y =]1; 2[ frac(x) > frac(y) 1 R Time successor of R I x = [1; 1], I y =]1; 2[ x Action successor of R with y := 0 I x =]0; 1[, I y = [0; 0] Equivalent valuations satisfy the same constraints x k Equivalent valuations respect time elapsing 21/28

76 Region automaton: example q 0 x 1 x 1, a, y := 0 q 1 x 1 x 1, y = 0, b q 2 22/28

77 Region automaton: example q 0 x 1 x 1, a, y := 0 q 1 x 1 x 1, y = 0, b q 2 y x 22/28

78 Region automaton: example q 0 x 1 x 1, a, y := 0 q 1 x 1 x 1, y = 0, b q 2 y 1 q x q 0 q 0 22/28

79 Region automaton: example q 0 x 1 x 1, a, y := 0 q 1 x 1 x 1, y = 0, b q 2 y q 0 a q x q 0 a q 1 q 0 a q 1 22/28

80 Region automaton: example q 0 x 1 x 1, a, y := 0 q 1 x 1 x 1, y = 0, b q 2 y q 0 a q 1 q 1 q x q 0 a q 1 q 1 q 1 q 0 a q 1 b q 2 22/28

81 The maximal subclass TA wb contains all timed automata where transitions have a unique label and: (a) if R is reachable then 23/28

82 The maximal subclass TA wb contains all timed automata where transitions have a unique label and: (a) if R is reachable then for all R s.t. R closure(r) R is reachable 23/28

83 The maximal subclass TA wb contains all timed automata where transitions have a unique label and: (a) (b) e if R is reachable then for all R s.t. R closure(r) R is reachable if R is reachable and R e 23/28

84 The maximal subclass TA wb contains all timed automata where transitions have a unique label and: (a) if R is reachable then for all R s.t. R closure(r) R is reachable (b) e if R is reachable and R e then min(r) e e 23/28

85 The maximal subclass TA wb contains all timed automata where transitions have a unique label and: (a) if R is reachable then for all R s.t. R closure(r) R is reachable (b) e if R is reachable and R e then min(r) e e (c) if R is reachable and min(r) e then e 23/28

86 The maximal subclass TA wb contains all timed automata where transitions have a unique label and: (a) if R is reachable then for all R s.t. R closure(r) R is reachable (b) e if R is reachable and R e then min(r) e e (c) e if R is reachable and min(r) e then for all R s.t. R closure(r) R e e 23/28

87 The maximal subclass TA wb (cont.) Sketch of the proof For a timed automaton A in TAwb, conditions (a), (b) and (c) hold in (a variant of) the region automaton. For a TPN N with rational constants i/g, weakly timed bisimilar to A, we consider a region automaton R(g, ), based on an infinite grid with granularity g. We prove an extended property called uniform bisimulation, which implies conditions (a), (b), (c) for R(g, ). The conditions are then lifted from R(g, ) to R(1, ) and then to some R(1,K). Conversely, if conditions (a), (b) and (c) hold for a timed automaton A then we can build: a TPN N with integer constants and size exponential w.r.t. the size of A, a TPN N with rational constants and size linear w.r.t. the size of A. 24/28

88 The maximal subclass TA wb (cont.) Sketch of the proof For a timed automaton A in TAwb, conditions (a), (b) and (c) hold in (a variant of) the region automaton. For a TPN N with rational constants i/g, weakly timed bisimilar to A, we consider a region automaton R(g, ), based on an infinite grid with granularity g. We prove an extended property called uniform bisimulation, which implies conditions (a), (b), (c) for R(g, ). The conditions are then lifted from R(g, ) to R(1, ) and then to some R(1,K). Conversely, if conditions (a), (b) and (c) hold for a timed automaton A then we can build: a TPN N with integer constants and size exponential w.r.t. the size of A, a TPN N with rational constants and size linear w.r.t. the size of A. 24/28

89 Illustration of second construction 25/28

90 Outline Timed Models Comparing timed automata and time Petri nets Conclusion 26/28

91 Conclusion Comparing Time Petri nets and Timed Automata can be useful for practical purposes: the tools developed for both models are available via translation, provides a better view of the behaviour of timed models, creates a fruitful relation between the two communities. Perspectives compare unfolding techniques for nets of timed automata and time Petri nets (work in progress in the DOTS project), study control problems and game theory for timed models, specify non-interference and covert channel detection for timed systems, consider other quantitative extensions with costs or probabilities. 27/28

92 Conclusion Comparing Time Petri nets and Timed Automata can be useful for practical purposes: the tools developed for both models are available via translation, provides a better view of the behaviour of timed models, creates a fruitful relation between the two communities. Perspectives compare unfolding techniques for nets of timed automata and time Petri nets (work in progress in the DOTS project), study control problems and game theory for timed models, specify non-interference and covert channel detection for timed systems, consider other quantitative extensions with costs or probabilities. 27/28

93 Thank you 28/28

Comparison of Different Semantics for Time Petri Nets

Comparison of Different Semantics for Time Petri Nets B. Bérard 1, F. Cassez 2, S. Haddad 1, Didier Lime 3, O.H. Roux 2 1 LAMSADE, Paris, France E-mail: {beatrice.berard serge.haddad}@lamsade.dauphine.fr