Evelyn Neame. Syllable timed Fence imageStr Stress timed 2 (Grant, 2000)
Robustness and Implementability of Timed Automata
-
Upload
avye-summers -
Category
Documents
-
view
38 -
download
3
description
Transcript of Robustness and Implementability of Timed Automata
Robustness and Robustness and Implementability of Timed Implementability of Timed
AutomataAutomata
Martin De WulfMartin De Wulf
Laurent DoyenLaurent Doyen
Nicolas MarkeyNicolas Markey
Jean-François RaskinJean-François Raskin
Centre Fédéré en Vérification
FORMATS-FTRTFT 2004 – Sep 24FORMATS-FTRTFT 2004 – Sep 24thth - Grenoble - Grenoble
MotivationMotivation
• Embedded Controllers… are difficult to develop (concurrency, real-time, continuous environment, ...).
… are safety critical.
Use formal models + Verification:
Timed Automata andReachability Analysis
Timed Automata
closed guard
reset
Location
Transition
2a
0:a
2b
0:b
1:a0:b
A
Clocks: {a,b}
ObjectivesObjectives
• From a verified model, generate (automatically) a correct implementation
• Using classical formalism (e.g. timed automata)
• …but interpreting the model in a way that guarantees the transfer of the properties from model to implementation3x
Robustness and ImplentationRobustness and Implentation
Model
•Perfect continuous clocks
•Instantaneous synchronisations
•Reaction time = 0
•Digital clocks
•Delayed synchronisations
•Reaction time > 0
Implementation
vs.
Correct model
Correct implementatio
n
??
Timed Automata: SemanticsTimed Automata: Semantics
Classical
Perfect clocks
Rate:
Guard:
1/ dtdx
][ iff | gvgv
Imprecise clocks
Rate:
Guard:
]1,1[/ dtdx
][ iff | gvgv
],[][ babxa ],[][ babxa
00][A Enlarge
dvs.
][A
Shortcut:
0][:][ AA 0][:][ AA
From Model to ImplementationFrom Model to Implementation
>0 Reach([A´]) Bad =
Timed automaton A is implementable [DDR04] if
Reach([A]) Bad =
Timed automaton A is correct if
which is equivalent to
>0 Reach([A´]) Bad =
RobustnessRobustness
No ! (see example)
•Is it always the case that ?
>0 Reach([A]) = Reach([A])
•How to compute ?
>0 Reach([A])
• [Pur98] gives an algorithm for
>0 Reach([A])
• We show that >0 Reach([A]) = >0 Reach([A])
An example showing thatAn example showing that
Reach([A]) >0 Reach([A])
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
ExampleExample
2a
0:a
2b
0:b
a
b
10
1
2
2
1:a0:b
Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
AReach
Classical Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
2
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
3
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
4
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
)12( k
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2
k2
Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
Reach([A])
2a
0:a
2b
0:b
1:a0:b
a
b
10
1
2
2 Enlarged Semantics
ExampleExample
>0 Reach([A])
When 0
Enlarged Semantics
a
b
10
1
2
2
Classical Semantics
vs.
ExampleExample
a10
1
2
2
b
>0 Reach([A])Reach([A])
00
a
b
10
1
2
2
•Black cycles are reachable
•Blue cycles are not !
Classical semantics [A]
Enlarged semantics
•One blue cycle is reachable
•By repeating this cycle with Δ>0, the entire regions are reachable !
ExampleExample
[A]
Cycles in Timed AutomataCycles in Timed Automata
Algortihm [Pur98] is based on this observation:
•It just adds the cycles to reachable states
•Until no more cycle is accessible
Hence, the implementability problem
is decidable ! (and PSPACE-complete)
Given a timed automaton A, determine whether there exists Δ>0 such that Reach([A]) Bad =
Open questionsOpen questions
• Maximize Δ such that
• Decide whether there exists Δ such that
• Find a practical algorithm for
• And many others…
Reach([A]) Bad =
>0 Reach([A])
UntimedLang([A]) = UntimedLang([A])
ReferencesReferences
• [DDR04] M. De Wulf, L. Doyen, J.-F. Raskin. Almost ASAP Semantics: From Timed Model to Timed Implementation. LNCS 2993, HSCC 2004.
• [Pur98] A. Puri. Dynamical Properties of Timed Automata. FTRTFT 1998.
Model-based developmentModel-based development
• Make a model of the environment:Env
• Make clear the control objective: Bad
• Make a model of the control strategy:ControllerModel
• Verify:Does Env || ControllerModel avoid
Bad ?• Good, but after ?