Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Size: px

Start display at page:

Download "Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints"

Pearl Berry
5 years ago
Views:

1 Chapter 10 Timed Automata In the previous chapter, we have discussed a temporal logic where time was a discrete entities. A time unit was one application of the transition relation of an LTS. We could express statements like the elevator never moves with opened doors or that the elevator eventually serves floor 5. In LTL, we cannot express the property that the elevator shall server floor 5 within 5 minutes. For many systems, their correctness not only depend on the results but also on when these results are produced. We call such systems Real-Time Systems. The Theory of Timed Automata has been developed to reason about such real-time systems. Note that this chapter introduces definitions. Examples can be found in the slides presented during the lectures Clocks and clock constraints Clock variables and clock constraints The main feature of the theory of Timed Automata is to introduce the notion of a clock. A clock is a real-valued variable. This means that in the context of Timed Automata, time is represented by a dense set. Time is a continuous entity. The intuition behind clocks is that all clocks in a system increase at the same rate. The only operations possible on a clock are (1) read the value of the clock and (2) reset the clock to 0. Intuitively, a clock represents the amount of time elapsed since the last reset of the clock (see Figure 10.1) Formally, a clock c simply is a non-negative real number, that is, c 2 R +. To express conditions over clocks, clock constraints are used. A clock constraint can be used in a location. In that case, it is called a location invariant. The intuition is that time is allowed to progress in the location as long as the invariant holds. When the invariant does not hold, the location must be left. When a clock constraint is used on a transition, it is called a guard. The intuition is that a transition is available as long as the guard holds. When the guard evaluates to false, the transition cannot be taken. We first define the set of valid clock constraints. Later we will come back to the semantics 67

2 68 CHAPTER 10. TIMED AUTOMATA Figure 10.1: A clock that is regularly reset. of invariants and guards. Definition (Clock constraints) A clock constraint over set C of clocks is formed according to the grammar: g ::= x<c x apple c x>c x c g ^ g where c 2 N. Let B(C) denote the set of clock constraints over C. Notes: 1. Clock constraints are often written in abbreviated form. For instance, consider a clock x, the constraint x apple 5 ^ x 3 will be written 3 apple x apple 5. The same holds for equality. Instead of writing x apple 5 ^ x 5, we shall write x == It is possible to also specify the difference between clocks at the price of a slightly more complex theory. In this chapter we will only treat the simpler theory. Clock constraints with clock differences have the form x y op c where op 2{<, apple,>, } and c 2 N. 3. The restriction to natural numbers is to ensure decidability of the reachability problem, that is, deciding whether a state is reachable. This decidability is not affected if we allow the rationals. It is possible to convert each rational in a clock constraint to a natural number by suitable scaling. In general, we can multiply each constant by the least common multiple of denominators of all constants appearing in all clock constraints Semantics for clock constraints In the previous sub-section, we define the syntax for clock constraints. In this subsection, we define their semantics, that is, when is a clock constraint true. Two concepts are needed for this:

3 10.2. TIMED AUTOMATA a clock valuation that will give the value of each clock; and 2. a satisfaction relation that will define for which valuation a given clock constraint is true. We first define a clock valuation: Definition (Clock valuation) A clock valution for a set of clock variables C is a function : C!IR + that assigns to each clock x 2Cits current value (x). We shall define the set of all possible valuations over a set of clocks C by Eval(C). We can now define the satisfaction relation for clock constraints. Definition (Satisfaction relation for clock constraints) Given a set of clocks C, a clock x 2C, a clock valuation 2 Eval(C), a natural number c 2 IN and clocks guards, 0 2B(C), the satisfaction relation for clock constraints = Eval(C) B(C) is defined as follows: = x<c iff (x) <c = x apple c iff (x) apple c = iff 6 = = ^ 0 iff = and = 0 To represent the update of clocks, we shall write + d that represents the clock valuation where all clocks have increased by some non-negative real number d. That is, ( + d)(x) = (x)+d for all clocks x 2C. When all clocks are equal to a constant value C, we shall write C to denote the clock valuation (x) =C for all clocks in C. Example For clock valuation =[x = 2,y = 22], valuation =[x = ,y = ] Timed Automata Definition Definition (Timed Automaton) A timed automaton is a tuple: TA =(Loc, Loc 0, Act, C,!, Inv, AP, L) where: 1. Loc is a finite set of locations; 2. Loc 0 is a finite set of initial locations; 3. Act is a finite set of actions; 4. C is a finite set of clocks; 5.! Loc Act B(C) 2 C Loc is a transition relation;

4 70 CHAPTER 10. TIMED AUTOMATA 6. inv : Loc!B(C) is an invariant assignment function; 7. AP is a finite set of atomic propositions; 8. L : Loc! 2 AP is a labelling function for the locations. B(TA) denote the set of clock constraints occurring in guards and invariants of TA.,, Regarding transitions, we shall write l! l 0 for (l,,,, l 0 ) 2!, where is an action in Act, is a clock guard in B(C), and Cis a set of clocks to be reset to Timed LTS semantics The semantics of a Timed Automaton is given by a Timed Transition System, which is a Labelled Transition Systems where actions are extended with delays. Definition (Transition systems semantics for a timed automaton) Given a timed automaton TA =(Loc, Loc 0, Act, C,!, Inv, AP, L), the transition system TS(TA)= (S, Act 0,! 0,I,AP 0,L 0 ) is defined as follows: S=Loc Eval(C) Act 0 = Act [ IR + I = {(l 0, ) l 0 2 Loc 0 ^8x 2C. (x) =0} AP 0 = AP [B(C) L 0 ((l, )) = L(l) [{ 2B(C) = } transition relation! 0 is defined by the following two rules: 1. discrete transition (l, )! 0 (l 0, 0 ) if the following four conditions hold: (a) there exists a transition l,,! l 0 in TA (b) = (c) 0 = [! 0] (d) 0 = Inv(l 0 ) 2. delay transition (l, ) d! 0 (l, + d) if the following condition holds: (a) + d = Inv(l) This means that a TA can take a discrete transition if the clock guard is true and after resetting all clocks specified on the transition the location invariant of the target invariant holds. A TA can take a delay transition if the amount of delay is such that the location invariant is maintained. Otherwise, delaying is not allowed. Note that any Timed Transition System has the following properties:

5 10.3. TIME DIVERGENCE, TIMELOCK, AND ZENO 71 Null delay It is always possible to delay for 0 time units. That is, the following transition is always present: (l, ) 0! (l, ) Time additivity There are uncountably many ways to let time pass: s d1+d2! s 0 if and only if s d1! s 00 d 2! s 0 Time determinism There is exactly one state reached after a given delay: {s 0 s d! s 0 } =1 Remark It is important to notice that executing an action occurs in zero time. Time is only increased on delay transition Time divergence, timelock, and Zeno The semantics of a Timed Automaton is given by a transition system with uncountably many states and transitions. The paths of this transition system represent possible behaviours of the timed automaton. Because of the infinite and dense structure of the state space, not all behaviours are realistic. We will see that some unrealistic behaviours are flaws in models and can be avoided. Some other behaviours are intrinsic characteristics of a dense set. These unrealistic behaviours cannot be avoided Time divergence The notion of time divergence applies to a path. A path is time divergent if the sum of the delays over this path is infinite. In contrast, time convergence identifies a path for which the sum of the delays are bounded by some natural numbers. Consider the following sequence: 1 2, 3 4, 7 8, This sequence corresponds to the following infinite sum: 1X i=0 i which is known to converge to 1. Now consider a clock x and a location l with the following invariant Inv(l) =x apple 1. There is nothing in the theory of timed automata that precludes the execution where time increase according to the sequence below. That is, the following is a execution fragment in location l: (l, 0)(l, 1 2 )(l, 7 15 )(l, 8 16 )...

6 72 CHAPTER 10. TIMED AUTOMATA Such a path is called time convergent as time over this path will never increase about a constant, in that case, the natural number 1. Such paths are unrealistic behaviours but cannot be avoided in the theory. When analysing Timed Automata we will always ignore time convergent paths and only consider time divergent ones, that is, paths for which time can always make progress. To formalise the notion of time divergence we first define a function computing the time elapsed on a path. Definition (Elapsed time on a path) Given a timed automaton TA with actions in Act, we define function ExecTime : Act [ IR +! IR + as follows: ( 0 if 2 Act ExecTime( ) = d if = d 2 IR + For an infinite execution = s 0 0! s 1 1! s 2... with i 2 Act [ IR +, we define the elapsed time over this fragment is defined as follows: ExecTime( ) = 1X ExecTime( i ) i=0 For the path induced by execution we define: ExecTime( ) =ExecTime( ) We can now formulate a precise definition of time divergence: Definition (Time divergence) An infinite path fragment is time divergent if and only if ExecTime( ) =1. Otherwise, the path fragment is time convergent. We now define the set of time divergent paths for a given state of the transition system obtained from a timed automaton. Definition (Time divergent set of paths) Given a state s of the transition system TS(TA), we define the set of time divergent paths as follows: Paths div (s) ={ 2 Paths(s) ExecTime( ) =1} Note that time convergent paths cannot be avoided. In practice, such path are simply ignored, that is, an invariant holds in a state if and only if it holds for all time divergent paths starting in that state Timelock A state contains a timelock is there exist no time divergent paths starting from that state. Definition (Timelock) Given a state s of TS(TA), s has a timelock if and only if Paths div (s) =;. ATA is timelock-free if and only if no state in Reach(TS(TA)) has a timelock.

7 10.4. PARALLEL COMPOSITION 73 In contrast to time convergent paths that cannot be avoided, timelocks are flaws in models and must be avoided Zeno In the theory of Timed Automata, actions occur in zero time. This means, that nothing precludes executions of infinitely many actions in finite time. That is, a timed automaton may have time convergent paths with an infinite number of actions. Definition (Zeno path) An infinite path of a transition system TS(TA) is zeno if and only it is time convergent and the number of actions executed along is infinite. Definition (Nonzeno timed automaton) A timed automaton TA is nonzeno if and only if all initial states of TS(TA) have no zeno paths Parallel composition To model complex systems, a good approach is to first build simple blocks. Second, these basic blocks are composed to form a more complex system. We consider the composition of timed automata using handshaking communications. The idea is to define a set of handshaking actions, called H. Two timed automata communicate via H by performing actions in H together. That is, the two timed automata need to synchronise on all actions in H. For actions outside H, each automaton evolves independently of the other automaton. Formally, this composition is defined as follows: Definition (Handshaking for timed automata) Given two timed automata TA 1 = (Loc 1, Loc 0,1, Act 1, C 1,! 1, Inv 1, AP 1, L 1 ) and TA 2 =(Loc 2, Loc 0,2, Act 2, C 2,! 2, Inv 2, AP 2, L 2 ), such that AP 1 \ AP 2 = ; and C 1 \C 2 = ;. We define the set of handshaking actions: H Act 1 \ Act 2 and the parallel composition of TA 1 and TA 2 via H as TA 1 H TA 2 = (Loc 1 Loc 2, Loc 0,1 Loc 0,2, Act 1 [ Act 2, C 1 [C 2,!, Inv, AP 1 [ AP 2,L) where L((l 1,l 1 )) = L 1 (l 1 ) [ L 2 (l 2 ) Inv((l 1,l 2 )) = Inv(l 1 ) ^ Inv(l 2 ) and the transition relation! is defined by the following rules: for 2 H l 1, 1, 1! 1 l 1 ^ l 2, 2, 2! 2 l 2 (l 1,l 2 ), 1^ 2, 1[ 2! (l 1,l 2 )

8 74 CHAPTER 10. TIMED AUTOMATA for 62 H l 1,,! 1 l 1 (l 1,l 2 ),,! (l 1,l 2 ) and l 2,,! 2 l 2 (l 1,l 2 ),,! (l 1,l 2 ) Composition can only take place between two compatible timed automata. Two timed automata are compatible is they have disjoints sets of atomic propositions (AP 1 \ AP 2 = ;) and clock variables (C 1 \C 2 = ;). The invariants of the resulting timed automaton is the pairwise conjunction of each location invariant. The same holds for the atomic propositions. For any action in the set of handshaking actions, the transition for this action is guarded by the conjunction of the clock guards and the set of the clocks to be reset is the union of each reset set Conclusion This chapter introduced the main definitions of the theory of Timed Automata. Clock variables and clock constraints are introduced to specify constraints on the time at which actions may occur. Introducing time brings about the issue of time convergence, that is, paths may only allow time to increase up to a given bound. Such time convergent paths cannot be avoided and have to be ignored in the analysis. In contrast, timelocks occur in state without any time divergent path. Timelocks are flaws and must be avoided. The same holds for zeno paths. A path is zeno when it is time convergent and has infinitely many actions. Finally, we defined composition rules to combine two timed automata using a set of handshaking actions Exercises See instructions 4 and 5 on the course website jschmalt/ teaching/2ix20/2ix20.html.

Linear Temporal Logic (LTL)

Chapter 9 Linear Temporal Logic (LTL) This chapter introduces the Linear Temporal Logic (LTL) to reason about state properties of Labelled Transition Systems defined in the previous chapter. We will first