1 / 45

Robustness and Implementability of Timed Automata

Robustness and Implementability of Timed Automata. FORMATS-FTRTFT 2004 – Sep 24 th - Grenoble. Martin De Wulf Laurent Doyen Nicolas Markey Jean-François Raskin. Centre Fédéré en Vérification. Use formal models + Verification:. Timed Automata and Reachability Analysis. Motivation.

avye-summers
Download Presentation

Robustness and Implementability of Timed Automata

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Robustness and Implementability of Timed Automata FORMATS-FTRTFT 2004 – Sep 24th - Grenoble Martin De Wulf Laurent Doyen Nicolas Markey Jean-François Raskin Centre Fédéré en Vérification

  2. Use formal models + Verification: Timed Automata andReachability Analysis Motivation • Embedded Controllers … are difficult to develop (concurrency, real-time, continuous environment, ...). … are safety critical.

  3. Location closed guard reset Transition Timed Automata Clocks: {a,b}

  4. Objectives • From a verified model, generate (automatically) a correct implementation • Using classical formalism (e.g. timed automata) • …but interpreting the model in a way that guarantees the transfer of the properties from model to implementation

  5. ? Correct model Correct implementation Robustness and Implentation Model vs. Implementation • Perfect continuous clocks • Instantaneous synchronisations • Reaction time = 0 • Digital clocks • Delayed synchronisations • Reaction time > 0

  6. vs. Enlarged Shortcut: Timed Automata: Semantics Classical • Perfect clocks • Rate: • Guard: • Imprecise clocks • Rate: • Guard:

  7. Timed automaton A is correct if Reach([A])  Bad =  Timed automaton A is implementable [DDR04] if >0 Reach([A´])  Bad =  which is equivalent to >0 Reach([A´])  Bad =  From Model to Implementation

  8. >0 Reach([A]) = Reach([A]) • Is it always the case that ? >0 Reach([A]) • How to compute ? >0 Reach([A]) • [Pur98] gives an algorithm for >0 Reach([A]) = >0 Reach([A]) • We show that Robustness No ! (see example)

  9. An example showing that Reach([A])  >0 Reach([A])

  10. Example

  11. Example Classical Semantics

  12. Example Classical Semantics

  13. Example Classical Semantics

  14. Example Classical Semantics

  15. Example Classical Semantics

  16. Example Classical Semantics

  17. Example Classical Semantics

  18. Example Enlarged Semantics

  19. Example Enlarged Semantics

  20. Example Enlarged Semantics

  21. Example Enlarged Semantics

  22. Example Enlarged Semantics

  23. Example Enlarged Semantics

  24. Example Enlarged Semantics

  25. Example Enlarged Semantics

  26. Example Enlarged Semantics

  27. Example Enlarged Semantics

  28. Example Enlarged Semantics

  29. Example Enlarged Semantics

  30. Example Enlarged Semantics

  31. Example Enlarged Semantics

  32. Example Enlarged Semantics

  33. Example Enlarged Semantics

  34. Example Enlarged Semantics

  35. Example Enlarged Semantics

  36. Example Enlarged Semantics

  37. Example Enlarged Semantics

  38. Example Enlarged Semantics Reach([A])

  39. Example Enlarged Semantics When >0 Reach([A])

  40. Example vs. Classical Semantics Enlarged Semantics >0 Reach([A]) Reach([A])

  41. Example Classical semantics [A] • Black cycles are reachable • Blue cycles are not ! [A] Enlarged semantics • One blue cycle is reachable • By repeating this cycle with Δ>0, the entire regions are reachable !

  42. Given a timed automaton A, determine whether there exists Δ>0 such that Reach([A])  Bad =  Cycles in Timed Automata • Algortihm [Pur98] is based on this observation: • It just adds the cycles to reachable states • Until no more cycle is accessible Hence, the implementability problem is decidable ! (and PSPACE-complete)

  43. Open questions • Maximize Δ such that • Decide whether there exists Δ such that • Find a practical algorithm for • And many others… Reach([A])  Bad =  UntimedLang([A]) = UntimedLang([A]) >0 Reach([A])

  44. References • [DDR04] M. De Wulf, L. Doyen, J.-F. Raskin. Almost ASAP Semantics: From Timed Model to Timed Implementation. LNCS 2993, HSCC 2004. • [Pur98] A. Puri. Dynamical Properties of Timed Automata. FTRTFT 1998.

  45. Model-based development • Make a model of the environment:Env • Make clear the control objective: Bad • Make a model of the control strategy:ControllerModel • Verify: Does Env ||ControllerModel avoid Bad ? • Good, but after ?

More Related