Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints


Chapter 10 Timed Automata

In the previous chapter, we discussed a temporal logic in which time was a discrete entity: a time unit was one application of the transition relation of an LTS. We could express statements such as "the elevator never moves with open doors" or "the elevator eventually serves floor 5". In LTL, we cannot express the property that the elevator shall serve floor 5 within 5 minutes. For many systems, correctness depends not only on the results but also on when these results are produced. We call such systems real-time systems. The theory of Timed Automata has been developed to reason about such real-time systems.

Note that this chapter introduces definitions. Examples can be found in the slides presented during the lectures.

10.1 Clocks and clock constraints

10.1.1 Clock variables and clock constraints

The main feature of the theory of Timed Automata is the notion of a clock. A clock is a real-valued variable. This means that in the context of Timed Automata, time is represented by a dense set: time is a continuous entity. The intuition behind clocks is that all clocks in a system increase at the same rate. The only operations possible on a clock are (1) reading the value of the clock and (2) resetting the clock to 0. Intuitively, a clock represents the amount of time elapsed since the last reset of the clock (see Figure 10.1). Formally, a clock $c$ is simply a non-negative real number, that is, $c \in \mathbb{R}^+$.

To express conditions over clocks, clock constraints are used. A clock constraint can be used in a location; in that case, it is called a location invariant. The intuition is that time is allowed to progress in the location as long as the invariant holds. When the invariant does not hold, the location must be left. When a clock constraint is used on a transition, it is called a guard. The intuition is that a transition is available as long as the guard holds. When the guard evaluates to false, the transition cannot be taken.

We first define the set of valid clock constraints. Later we will come back to the semantics of invariants and guards.

Figure 10.1: A clock that is regularly reset.

Definition 10.1.1. (Clock constraints) A clock constraint over a set $C$ of clocks is formed according to the grammar:

$$g ::= x < c \;\mid\; x \le c \;\mid\; x > c \;\mid\; x \ge c \;\mid\; g \wedge g$$

where $x \in C$ and $c \in \mathbb{N}$. Let $B(C)$ denote the set of clock constraints over $C$.

Notes:

1. Clock constraints are often written in abbreviated form. For instance, for a clock $x$, the constraint $x \le 5 \wedge x \ge 3$ will be written $3 \le x \le 5$. The same holds for equality: instead of writing $x \le 5 \wedge x \ge 5$, we shall write $x == 5$.

2. It is also possible to specify the difference between clocks, at the price of a slightly more complex theory. In this chapter we only treat the simpler theory. Clock constraints with clock differences have the form $x - y \;\mathit{op}\; c$ where $\mathit{op} \in \{<, \le, >, \ge\}$ and $c \in \mathbb{N}$.

3. The restriction to natural numbers is to ensure decidability of the reachability problem, that is, deciding whether a state is reachable. This decidability is not affected if we allow rationals: each rational in a clock constraint can be converted to a natural number by suitable scaling. In general, we multiply each constant by the least common multiple of the denominators of all constants appearing in all clock constraints.

10.1.2 Semantics for clock constraints

In the previous subsection, we defined the syntax of clock constraints. In this subsection, we define their semantics, that is, when a clock constraint is true. Two concepts are needed for this:

1. a clock valuation, which gives the value of each clock; and
2. a satisfaction relation, which defines for which valuations a given clock constraint is true.

We first define a clock valuation.

Definition 10.1.2. (Clock valuation) A clock valuation for a set of clock variables $C$ is a function $\eta : C \to \mathbb{R}^+$ that assigns to each clock $x \in C$ its current value $\eta(x)$. We denote the set of all possible valuations over a set of clocks $C$ by $\mathit{Eval}(C)$.

We can now define the satisfaction relation for clock constraints.

Definition 10.1.3. (Satisfaction relation for clock constraints) Given a set of clocks $C$, a clock $x \in C$, a clock valuation $\eta \in \mathit{Eval}(C)$, a natural number $c \in \mathbb{N}$ and clock guards $g, g' \in B(C)$, the satisfaction relation for clock constraints $\models \subseteq \mathit{Eval}(C) \times B(C)$ is defined as follows:

$$\begin{array}{lcl}
\eta \models x < c & \text{iff} & \eta(x) < c \\
\eta \models x \le c & \text{iff} & \eta(x) \le c \\
\eta \models \neg g & \text{iff} & \eta \not\models g \\
\eta \models g \wedge g' & \text{iff} & \eta \models g \text{ and } \eta \models g'
\end{array}$$

To represent the update of clocks, we write $\eta + d$ for the clock valuation in which all clocks have increased by some non-negative real number $d$. That is, $(\eta + d)(x) = \eta(x) + d$ for all clocks $x \in C$. When all clocks are equal to the same constant value, we write that constant for the valuation; for instance, $0$ denotes the clock valuation with $\eta(x) = 0$ for all clocks $x \in C$.

Example 10.1.4. For the clock valuation $\eta = [x = 2, y = 22]$, the valuation $\eta + \frac{1}{6} = [x = 2 + \frac{1}{6},\ y = 22 + \frac{1}{6}]$.

10.2 Timed Automata

10.2.1 Definition

Definition 10.2.1. (Timed Automaton) A timed automaton is a tuple

$$\mathit{TA} = (\mathit{Loc}, \mathit{Loc}_0, \mathit{Act}, C, \to, \mathit{Inv}, \mathit{AP}, L)$$

where:
1. $\mathit{Loc}$ is a finite set of locations;
2. $\mathit{Loc}_0$ is a finite set of initial locations;
3. $\mathit{Act}$ is a finite set of actions;
4. $C$ is a finite set of clocks;
5. $\to \subseteq \mathit{Loc} \times \mathit{Act} \times B(C) \times 2^C \times \mathit{Loc}$ is a transition relation;

6. $\mathit{Inv} : \mathit{Loc} \to B(C)$ is an invariant assignment function;
7. $\mathit{AP}$ is a finite set of atomic propositions;
8. $L : \mathit{Loc} \to 2^{\mathit{AP}}$ is a labelling function for the locations.

$B(\mathit{TA})$ denotes the set of clock constraints occurring in guards and invariants of $\mathit{TA}$. Regarding transitions, we write $l \xrightarrow{\alpha, g, D} l'$ for $(l, \alpha, g, D, l') \in \to$, where $\alpha$ is an action in $\mathit{Act}$, $g$ is a clock guard in $B(C)$, and $D \subseteq C$ is the set of clocks to be reset to 0.

10.2.2 Timed LTS semantics

The semantics of a Timed Automaton is given by a Timed Transition System, which is a Labelled Transition System whose actions are extended with delays.

Definition 10.2.2. (Transition system semantics for a timed automaton) Given a timed automaton $\mathit{TA} = (\mathit{Loc}, \mathit{Loc}_0, \mathit{Act}, C, \to, \mathit{Inv}, \mathit{AP}, L)$, the transition system $\mathit{TS}(\mathit{TA}) = (S, \mathit{Act}', \to', I, \mathit{AP}', L')$ is defined as follows:

$$\begin{array}{lcl}
S & = & \mathit{Loc} \times \mathit{Eval}(C) \\
\mathit{Act}' & = & \mathit{Act} \cup \mathbb{R}^+ \\
I & = & \{ (l_0, \eta) \mid l_0 \in \mathit{Loc}_0 \wedge \forall x \in C.\ \eta(x) = 0 \} \\
\mathit{AP}' & = & \mathit{AP} \cup B(C) \\
L'((l, \eta)) & = & L(l) \cup \{ g \in B(C) \mid \eta \models g \}
\end{array}$$

The transition relation $\to'$ is defined by the following two rules:

1. Discrete transition: $(l, \eta) \xrightarrow{\alpha}' (l', \eta')$ if the following four conditions hold:
   (a) there exists a transition $l \xrightarrow{\alpha, g, D} l'$ in $\mathit{TA}$;
   (b) $\eta \models g$;
   (c) $\eta' = \eta[D \to 0]$;
   (d) $\eta' \models \mathit{Inv}(l')$.

2. Delay transition: $(l, \eta) \xrightarrow{d}' (l, \eta + d)$ if the following condition holds:
   (a) $\eta + d \models \mathit{Inv}(l)$.

This means that a TA can take a discrete transition if the clock guard is true and, after resetting all clocks specified on the transition, the location invariant of the target location holds. A TA can take a delay transition if the amount of delay is such that the location invariant is maintained; otherwise, delaying is not allowed.

Note that any Timed Transition System has the following properties:
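As an added, executable reading of Definitions 10.1.1 to 10.2.2 (example code written for this chapter, not part of the lecture notes or their slides), the following Python encodes clock constraints, clock valuations, the satisfaction relation, the operations $\eta + d$ and $\eta[D \to 0]$, and the discrete and delay rules of $\mathit{TS}(\mathit{TA})$. The automaton ELEVATOR, its location and action names, and the convention that None stands for the trivially true constraint are constructed for this example. Clock values are exact rationals, so a guard is decided correctly at its boundary, which is where a floating-point encoding of dense time goes wrong.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional, Sequence, Set, Tuple, Union

# Added example (not from the lecture notes): an executable reading of Definitions
# 10.1.1-10.2.2. Clock values are Fractions, so dense-time arithmetic is exact.

Valuation = Dict[str, Fraction]   # eta : C -> R+       (Definition 10.1.2)
State = Tuple[str, Valuation]     # S = Loc x Eval(C)  (Definition 10.2.2)

# Clock constraints (Definition 10.1.1):  g ::= x<c | x<=c | x>c | x>=c | g ^ g
@dataclass(frozen=True)
class Atom:
    clock: str
    op: str      # "<", "<=", ">" or ">="
    bound: int   # c in N; integer bounds keep reachability decidable

@dataclass(frozen=True)
class And:
    left: "Constraint"
    right: "Constraint"

# Assumption of this example: None is the trivially true constraint (no guard, no invariant).
Constraint = Union[Atom, And]

def satisfies(eta: Valuation, g: Optional[Constraint]) -> bool:
    """Satisfaction relation eta |= g (Definition 10.1.3)."""
    if g is None:
        return True
    if isinstance(g, And):
        return satisfies(eta, g.left) and satisfies(eta, g.right)
    v = eta[g.clock]
    return {"<": v < g.bound, "<=": v <= g.bound, ">": v > g.bound, ">=": v >= g.bound}[g.op]

def shift(eta: Valuation, d: Fraction) -> Valuation:
    return {x: v + d for x, v in eta.items()}                  # eta + d: all clocks advance by d

def reset(eta: Valuation, clocks: FrozenSet[str]) -> Valuation:
    return {x: (Fraction(0) if x in clocks else v) for x, v in eta.items()}   # eta[D -> 0]

@dataclass(frozen=True)
class Edge:               # an element of ->  (subset of Loc x Act x B(C) x 2^C x Loc)
    src: str
    action: str
    guard: Optional[Constraint]
    resets: FrozenSet[str]
    dst: str

@dataclass
class TimedAutomaton:     # TA = (Loc, Loc0, Act, C, ->, Inv, AP, L), Definition 10.2.1
    locations: Set[str]
    initial: Set[str]
    actions: Set[str]
    clocks: Set[str]
    edges: List[Edge]
    inv: Dict[str, Optional[Constraint]]
    ap: Set[str]
    label: Dict[str, Set[str]]

def initial_states(ta: TimedAutomaton) -> List[State]:
    """I = {(l0, eta) | l0 in Loc0 and eta(x) = 0 for every clock x}."""
    return [(l0, {x: Fraction(0) for x in ta.clocks}) for l0 in sorted(ta.initial)]

def discrete_successors(ta: TimedAutomaton, state: State, action: str) -> List[State]:
    """Rule 1 of Definition 10.2.2: every (l', eta') with (l, eta) -alpha-> (l', eta')."""
    loc, eta = state
    result: List[State] = []
    for e in ta.edges:
        if e.src == loc and e.action == action and satisfies(eta, e.guard):  # (a), (b)
            eta2 = reset(eta, e.resets)                                      # (c)
            if satisfies(eta2, ta.inv.get(e.dst)):                           # (d)
                result.append((e.dst, eta2))
    return result

def delay_successor(ta: TimedAutomaton, state: State, d) -> Optional[State]:
    """Rule 2 of Definition 10.2.2: (l, eta) -d-> (l, eta + d) iff eta + d |= Inv(l).
    Time determinism: at most one successor, so None means the delay is refused."""
    d = Fraction(d)
    if d < 0:
        raise ValueError("delays are non-negative reals")
    loc, eta = state
    eta2 = shift(eta, d)
    return (loc, eta2) if satisfies(eta2, ta.inv.get(loc)) else None

def run(ta: TimedAutomaton, steps: Sequence[Union[str, int, Fraction]]) -> Optional[State]:
    """Execute a word over Act' = Act u R+ (strings are actions, numbers are delays) from
    the first initial state; None as soon as a step is not enabled. For a nondeterministic
    action the first enabled edge is taken (this example does not explore all branches)."""
    state = initial_states(ta)[0]
    for step in steps:
        if isinstance(step, str):
            nxt = (discrete_successors(ta, state, step) or [None])[0]
        else:
            nxt = delay_successor(ta, state, step)
        if nxt is None:
            return None
        state = nxt
    return state

# Constructed example: a request must be served at least 2 and at most 5 time units
# after it was issued; the deadline is the invariant of location "waiting".
ELEVATOR = TimedAutomaton(
    locations={"idle", "waiting"}, initial={"idle"},
    actions={"request", "serve"}, clocks={"x"},
    edges=[Edge("idle", "request", None, frozenset({"x"}), "waiting"),
           Edge("waiting", "serve", Atom("x", ">=", 2), frozenset(), "idle")],
    inv={"idle": None, "waiting": Atom("x", "<=", 5)},
    ap={"idle", "waiting"}, label={"idle": {"idle"}, "waiting": {"waiting"}},
)
```

`run(ELEVATOR, [3, "request", 2, "serve"])` reaches `idle` with $x = 2$, whereas `run(ELEVATOR, ["request", 6])` returns None: the invariant $x \le 5$ of `waiting` forbids the delay, which is exactly the sense in which an invariant forces a location to be left. Condition (d) is checked on the valuation after the resets, so an edge whose target invariant is violated by the reset valuation is not enabled even when its guard holds.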

Null delay: It is always possible to delay for 0 time units. That is, the following transition is always present: $(l, \eta) \xrightarrow{0} (l, \eta)$.

Time additivity: There are uncountably many ways to let time pass: $s \xrightarrow{d_1 + d_2} s'$ if and only if $s \xrightarrow{d_1} s'' \xrightarrow{d_2} s'$ for some state $s''$.

Time determinism: There is exactly one state reached after a given delay: $|\{ s' \mid s \xrightarrow{d} s' \}| = 1$.

Remark: It is important to notice that executing an action takes zero time. Time only increases on delay transitions.

10.3 Time divergence, timelock, and Zeno

The semantics of a Timed Automaton is given by a transition system with uncountably many states and transitions. The paths of this transition system represent the possible behaviours of the timed automaton. Because of the infinite and dense structure of the state space, not all behaviours are realistic. We will see that some unrealistic behaviours are flaws in models and can be avoided. Other behaviours are intrinsic characteristics of a dense set; these unrealistic behaviours cannot be avoided.

10.3.1 Time divergence

The notion of time divergence applies to a path. A path is time divergent if the sum of the delays along the path is infinite. In contrast, time convergence identifies a path for which the sum of the delays is bounded by some natural number. Consider the following sequence:

$$\tfrac{1}{2},\ \tfrac{3}{4},\ \tfrac{7}{8},\ \tfrac{15}{16},\ \ldots$$

This sequence corresponds to the partial sums of the infinite sum

$$\sum_{i=0}^{\infty} \left(\tfrac{1}{2}\right)^{i+1}$$

which is known to converge to 1. Now consider a clock $x$ and a location $l$ with invariant $\mathit{Inv}(l) = x \le 1$. Nothing in the theory of timed automata precludes an execution in which time increases according to the sequence above. That is, the following is an execution fragment in location $l$:

$$(l, 0)\,(l, \tfrac{1}{2})\,(l, \tfrac{3}{4})\,(l, \tfrac{7}{8})\,(l, \tfrac{15}{16})\,\ldots$$

Such a path is called time convergent, since time along this path never increases beyond a constant, in this case the natural number 1. Such paths are unrealistic behaviours but cannot be avoided in the theory. When analysing Timed Automata we will always ignore time convergent paths and only consider time divergent ones, that is, paths along which time can always make progress.

To formalise the notion of time divergence, we first define a function computing the time elapsed on a path.

Definition 10.3.1. (Elapsed time on a path) Given a timed automaton $\mathit{TA}$ with actions in $\mathit{Act}$, we define the function $\mathit{ExecTime} : \mathit{Act} \cup \mathbb{R}^+ \to \mathbb{R}^+$ as follows:

$$\mathit{ExecTime}(\tau) = \begin{cases} 0 & \text{if } \tau \in \mathit{Act} \\ d & \text{if } \tau = d \in \mathbb{R}^+ \end{cases}$$

For an infinite execution $\rho = s_0 \xrightarrow{\tau_0} s_1 \xrightarrow{\tau_1} s_2 \ldots$ with $\tau_i \in \mathit{Act} \cup \mathbb{R}^+$, the elapsed time over this fragment is defined as

$$\mathit{ExecTime}(\rho) = \sum_{i=0}^{\infty} \mathit{ExecTime}(\tau_i)$$

For the path $\pi$ induced by the execution $\rho$ we define $\mathit{ExecTime}(\pi) = \mathit{ExecTime}(\rho)$.

We can now formulate a precise definition of time divergence.

Definition 10.3.2. (Time divergence) An infinite path fragment $\pi$ is time divergent if and only if $\mathit{ExecTime}(\pi) = \infty$. Otherwise, the path fragment is time convergent.

We now define the set of time divergent paths for a given state of the transition system obtained from a timed automaton.

Definition 10.3.3. (Time divergent set of paths) Given a state $s$ of the transition system $\mathit{TS}(\mathit{TA})$, we define the set of time divergent paths as

$$\mathit{Paths}_{\mathit{div}}(s) = \{ \pi \in \mathit{Paths}(s) \mid \mathit{ExecTime}(\pi) = \infty \}$$

Note that time convergent paths cannot be avoided. In practice, such paths are simply ignored, that is, an invariant holds in a state if and only if it holds for all time divergent paths starting in that state.

10.3.2 Timelock

A state contains a timelock if there exists no time divergent path starting from that state.

Definition 10.3.4. (Timelock) Given a state $s$ of $\mathit{TS}(\mathit{TA})$, $s$ has a timelock if and only if $\mathit{Paths}_{\mathit{div}}(s) = \emptyset$. A TA is timelock-free if and only if no state in $\mathit{Reach}(\mathit{TS}(\mathit{TA}))$ has a timelock.

In contrast to time convergent paths, which cannot be avoided, timelocks are flaws in models and must be avoided.

10.3.3 Zeno

In the theory of Timed Automata, actions occur in zero time. This means that nothing precludes the execution of infinitely many actions in finite time. That is, a timed automaton may have time convergent paths with an infinite number of actions.

Definition 10.3.5. (Zeno path) An infinite path $\pi$ of a transition system $\mathit{TS}(\mathit{TA})$ is zeno if and only if it is time convergent and the number of actions executed along $\pi$ is infinite.

Definition 10.3.6. (Nonzeno timed automaton) A timed automaton $\mathit{TA}$ is nonzeno if and only if no initial state of $\mathit{TS}(\mathit{TA})$ has a zeno path.

10.4 Parallel composition

To model complex systems, a good approach is to first build simple blocks and then compose these basic blocks into a more complex system. We consider the composition of timed automata using handshaking communication. The idea is to define a set of handshaking actions, called $H$. Two timed automata communicate via $H$ by performing actions in $H$ together; that is, the two timed automata need to synchronise on all actions in $H$. For actions outside $H$, each automaton evolves independently of the other. Formally, this composition is defined as follows.

Definition 10.4.1. (Handshaking for timed automata) Given two timed automata $\mathit{TA}_1 = (\mathit{Loc}_1, \mathit{Loc}_{0,1}, \mathit{Act}_1, C_1, \to_1, \mathit{Inv}_1, \mathit{AP}_1, L_1)$ and $\mathit{TA}_2 = (\mathit{Loc}_2, \mathit{Loc}_{0,2}, \mathit{Act}_2, C_2, \to_2, \mathit{Inv}_2, \mathit{AP}_2, L_2)$ such that $\mathit{AP}_1 \cap \mathit{AP}_2 = \emptyset$ and $C_1 \cap C_2 = \emptyset$, we define the set of handshaking actions $H \subseteq \mathit{Act}_1 \cap \mathit{Act}_2$ and the parallel composition of $\mathit{TA}_1$ and $\mathit{TA}_2$ via $H$ as

$$\mathit{TA}_1 \parallel_H \mathit{TA}_2 = (\mathit{Loc}_1 \times \mathit{Loc}_2,\ \mathit{Loc}_{0,1} \times \mathit{Loc}_{0,2},\ \mathit{Act}_1 \cup \mathit{Act}_2,\ C_1 \cup C_2,\ \to,\ \mathit{Inv},\ \mathit{AP}_1 \cup \mathit{AP}_2,\ L)$$

where

$$L((l_1, l_2)) = L_1(l_1) \cup L_2(l_2), \qquad \mathit{Inv}((l_1, l_2)) = \mathit{Inv}_1(l_1) \wedge \mathit{Inv}_2(l_2)$$

and the transition relation $\to$ is defined by the following rules. For $\alpha \in H$:

$$\frac{l_1 \xrightarrow{\alpha, g_1, D_1}_1 l_1' \quad\wedge\quad l_2 \xrightarrow{\alpha, g_2, D_2}_2 l_2'}{(l_1, l_2) \xrightarrow{\alpha,\ g_1 \wedge g_2,\ D_1 \cup D_2} (l_1', l_2')}$$

For $\alpha \notin H$:

$$\frac{l_1 \xrightarrow{\alpha, g, D}_1 l_1'}{(l_1, l_2) \xrightarrow{\alpha, g, D} (l_1', l_2)} \qquad \text{and} \qquad \frac{l_2 \xrightarrow{\alpha, g, D}_2 l_2'}{(l_1, l_2) \xrightarrow{\alpha, g, D} (l_1, l_2')}$$

Composition can only take place between two compatible timed automata. Two timed automata are compatible if they have disjoint sets of atomic propositions ($\mathit{AP}_1 \cap \mathit{AP}_2 = \emptyset$) and of clock variables ($C_1 \cap C_2 = \emptyset$). The invariant of a location of the resulting timed automaton is the conjunction of the two component location invariants; likewise, the labelling of a composite location is the union of the labellings of its components. For any action in the set of handshaking actions, the transition for this action is guarded by the conjunction of the clock guards, and the set of clocks to be reset is the union of the two reset sets.

10.5 Conclusion

This chapter introduced the main definitions of the theory of Timed Automata. Clock variables and clock constraints were introduced to specify constraints on the time at which actions may occur. Introducing time brings about the issue of time convergence, that is, paths may only allow time to increase up to a given bound. Such time convergent paths cannot be avoided and have to be ignored in the analysis. In contrast, timelocks occur in states without any time divergent path. Timelocks are flaws and must be avoided. The same holds for zeno paths: a path is zeno when it is time convergent and has infinitely many actions. Finally, we defined composition rules to combine two timed automata using a set of handshaking actions.

10.6 Exercises

See instructions 4 and 5 on the course website http://www.win.tue.nl/~jschmalt/teaching/2ix20/2ix20.html.
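The handshaking composition of Definition 10.4.1, carried out on the syntax of two automata, as an added example that is not part of the lecture notes: it checks compatibility (disjoint atomic propositions and clocks), builds the product locations, conjoins invariants, unites labellings, and generates the product transitions by the two rules above (joint moves for actions in $H$, interleaved moves for the others). Guards and invariants are kept as opaque strings here, with "(g1) & (g2)" standing for $g_1 \wedge g_2$ and None for the constraint true; the PRODUCER and CONSUMER automata and their location, clock and action names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional, Set

# Added example (not from the lecture notes): the handshaking composition
# TA1 ||_H TA2 of Definition 10.4.1, computed on the syntax of the two automata.
# Assumption of this example: guards and invariants are opaque strings, where
# "(g1) & (g2)" stands for g1 ^ g2 and None for the trivially true constraint.

Loc = Any            # a component location, or a pair of them in the product
Guard = Optional[str]

@dataclass(frozen=True)
class Edge:          # l -alpha, g, D-> l'
    src: Loc
    action: str
    guard: Guard
    resets: FrozenSet[str]
    dst: Loc

@dataclass
class TA:            # (Loc, Loc0, Act, C, ->, Inv, AP, L)
    locations: Set[Loc]
    initial: Set[Loc]
    actions: Set[str]
    clocks: Set[str]
    edges: List[Edge]
    inv: Dict[Loc, Guard]        # locations absent from the dict have invariant true
    ap: Set[str]
    label: Dict[Loc, Set[str]]

def conj(g1: Guard, g2: Guard) -> Guard:
    """Syntactic conjunction g1 ^ g2; None (true) is the neutral element."""
    if g1 is None:
        return g2
    if g2 is None:
        return g1
    return f"({g1}) & ({g2})"

def compatible(ta1: TA, ta2: TA) -> bool:
    """Disjoint atomic propositions and disjoint clocks: AP1 n AP2 = {} and C1 n C2 = {}."""
    return not (ta1.ap & ta2.ap) and not (ta1.clocks & ta2.clocks)

def compose(ta1: TA, ta2: TA, handshake: Set[str]) -> TA:
    """TA1 ||_H TA2 (Definition 10.4.1)."""
    if not compatible(ta1, ta2):
        raise ValueError("incompatible automata: AP and clock sets must be disjoint")
    if not handshake <= (ta1.actions & ta2.actions):
        raise ValueError("H must be a subset of Act1 n Act2")
    locs = {(l1, l2) for l1 in ta1.locations for l2 in ta2.locations}
    edges: List[Edge] = []
    # alpha in H: both components move together; guards are conjoined, reset sets united.
    # If the other component has no alpha-edge from its location, there is no product edge.
    for e1 in ta1.edges:
        if e1.action in handshake:
            for e2 in ta2.edges:
                if e2.action == e1.action:
                    edges.append(Edge((e1.src, e2.src), e1.action, conj(e1.guard, e2.guard),
                                      e1.resets | e2.resets, (e1.dst, e2.dst)))
    # alpha not in H: one component moves, the other keeps its location (interleaving).
    for e1 in ta1.edges:
        if e1.action not in handshake:
            for l2 in ta2.locations:
                edges.append(Edge((e1.src, l2), e1.action, e1.guard, e1.resets, (e1.dst, l2)))
    for e2 in ta2.edges:
        if e2.action not in handshake:
            for l1 in ta1.locations:
                edges.append(Edge((l1, e2.src), e2.action, e2.guard, e2.resets, (l1, e2.dst)))
    return TA(
        locations=locs,
        initial={(l1, l2) for l1 in ta1.initial for l2 in ta2.initial},
        actions=ta1.actions | ta2.actions,
        clocks=ta1.clocks | ta2.clocks,
        edges=edges,
        inv={(l1, l2): conj(ta1.inv.get(l1), ta2.inv.get(l2)) for (l1, l2) in locs},
        ap=ta1.ap | ta2.ap,
        label={(l1, l2): ta1.label.get(l1, set()) | ta2.label.get(l2, set()) for (l1, l2) in locs},
    )

def edges_from(ta: TA, loc: Loc, action: str) -> List[Edge]:
    """All alpha-labelled edges leaving a location."""
    return [e for e in ta.edges if e.src == loc and e.action == action]

# Constructed example: a producer hands an item to a consumer on the shared
# action "deliver"; "work" and "consume" are local actions of one component.
PRODUCER = TA(
    locations={"p0", "p1"}, initial={"p0"}, actions={"work", "deliver"}, clocks={"x"},
    edges=[Edge("p0", "work", "x >= 1", frozenset({"x"}), "p1"),
           Edge("p1", "deliver", "x <= 3", frozenset({"x"}), "p0")],
    inv={"p1": "x <= 3"}, ap={"busy"}, label={"p1": {"busy"}})
CONSUMER = TA(
    locations={"q0", "q1"}, initial={"q0"}, actions={"consume", "deliver"}, clocks={"y"},
    edges=[Edge("q0", "deliver", None, frozenset({"y"}), "q1"),
           Edge("q1", "consume", "y >= 2", frozenset(), "q0")],
    inv={"q1": "y <= 4"}, ap={"holding"}, label={"q1": {"holding"}})
SYSTEM = compose(PRODUCER, CONSUMER, {"deliver"})
```

The product has four locations and five edges: one joint `deliver` edge from $(p_1, q_0)$ with guard `x <= 3`, reset set $\{x, y\}$ and target $(p_0, q_1)$, plus two interleaved copies each of `work` and `consume`. From $(p_1, q_1)$ no `deliver` edge exists, because the consumer has no `deliver` edge from $q_1$: a handshaking action blocks until both partners can take it, which is the intended synchronisation and also the usual source of timelocks when the partner's invariant forces it to move first.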