Hybrid Automata: Specification Formalism for Real-Time Systems
Hybrid = { Discrete + Continuous } Behaviors
Ref. Thomas A. Henzinger, The Theory of Hybrid Automata, Proc. of 11th Annual IEEE Symp. on Logic in Computer Science (LICS’96), pp. 278-292, 1996
Hybrid automata
• $H = \langle X, \Sigma, G=(V,E), VL=(init, inv, flow), EL=(ET, EC) \rangle$
• $X = \{x_1, \dots, x_n\}$ - finite set of real-valued variables.
• $\dot{x}$ - the derivatives of $x$ during continuous change.
• $x'$ - the values of $x$ at the conclusion of a discrete change.
• $\Sigma$ - finite set of events (atomic entities).
• $G$ - directed multi-graph (control graph): $V$ - control modes, $E$ - control switches.
• $VL$ - mode labeling functions:
  • $init: V \to \{\text{predicates over } X\}$ -- defines the initial condition
  • $inv: V \to \{\text{predicates over } X\}$ -- defines the invariant condition
  • $flow: V \to \{\text{predicates over } X, \dot{X}\}$ -- defines the continuous evolution
• $EL$ - switch labeling functions:
  • $ET: E \to \Sigma$ -- assigns a transition event to each edge
  • $EC: E \to \{\text{predicates over } X, X'\}$ -- defines the discrete transition condition
Hybrid automata: Heated Room
• $X = \{T\}$, $T$ - temperature.
• $\Sigma = \{\text{heat-on}, \text{heat-off}\}$
• $G = (\{OFF, ON\}, \{ e_1 = (OFF, ON),\ e_2 = (ON, OFF) \})$
• $L_{OFF} = \{ init(OFF) = (T = 20),\ inv(OFF) = (T > 17),\ flow(OFF) = (\dot{T} = -0.1T) \}$
• $L_{ON} = \{ init(ON) = false,\ inv(ON) = (T \le 22),\ flow(ON) = (\dot{T} = 5 - 0.1T) \}$
• $ET(e_1) = \text{heat-on}$, $EC(e_1) = (T < 19 \wedge T' = T)$
• $ET(e_2) = \text{heat-off}$, $EC(e_2) = (T > 21 \wedge T' = T)$
Diagram callouts: the incoming arrow indicates the ‘init’ predicate; an ‘init’ that is not specified means ‘false’; when $T'$ is not explicitly specified, $T' = T$ is implicitly assumed.
Semantics of Hybrid automata
Hybrid Automata → Transition Systems → Traces (behaviors)
• Hybrid automata: finite-state, where executions are interleavings of continuous and discrete changes.
• Transition systems: infinite-state, where executions consist solely of discrete changes.
Transition System
• A labeled transition system is $S = \langle Q, Q_0, A, \to \rangle$ where:
  • $Q$ - set of states (possibly infinite)
  • $Q_0 \subseteq Q$ - subset of initial states
  • $A$ - set of labels (possibly infinite)
  • $\to\ \subseteq (Q \times A \times Q)$ - transition relation
Timed Transition System of a Hybrid Automaton
• $H = \langle X, \Sigma, G=(V,E), VL=(init, inv, flow), ET, EC \rangle$ is interpreted by
• $S_T^H = \langle Q, Q_0, A, \to \rangle$ where:
  • $Q \subseteq (V \times \mathbb{R}^n)$ s.t. $Q = \{ (v, \bar{u}) \mid [X := \bar{u}] \models inv(v) \}$ - recall $X = \{x_1, \dots, x_n\}$, so valuations range over $\mathbb{R}^n$
  • $Q_0 = \{ (v, \bar{u}) \mid [X := \bar{u}] \models inv(v) \wedge init(v) \}$
  • $A = \Sigma \cup \mathbb{R}_{\ge 0}$
  • $\to\ = \to_\Sigma \cup \to_R$
  • $\to_\Sigma = \{ ((v, \bar{u}), \sigma, (v', \bar{u}')) \mid e = (v, v') \in E,\ ET(e) = \sigma,\ [X := \bar{u}, X' := \bar{u}'] \models EC(e) \}$
  • $\to_R = \{ ((v, \bar{u}), \delta, (v', \bar{u}')) \mid v = v'\ \&\ \exists f \in D^1.\ f : [0, \delta] \to \mathbb{R}^n$ and $f' : (0, \delta) \to \mathbb{R}^n$, $f(0) = \bar{u}$ and $f(\delta) = \bar{u}'$, $\forall t.\ 0 < t < \delta : [X := f(t)] \models inv(v),\ [X := f(t), \dot{X} := f'(t)] \models flow(v) \}$
  • where $\bar{u} \in \mathbb{R}^n$, $\sigma \in \Sigma$, $\delta \in \mathbb{R}_{\ge 0}$, and $D^1$ is the set of differentiable functions.
Timed Transition System of a Hybrid Automaton (example)
• $S_T^H = \langle Q, Q_0, A, \to \rangle$
• $Q = \{ (OFF, T) \mid T > 17 \} \cup \{ (ON, T) \mid T \le 22 \}$
• $Q_0 = \{ (OFF, 20) \}$
• $A = \{\text{heat-on}, \text{heat-off}\} \cup \mathbb{R}_{\ge 0}$
• $\to_\Sigma = \{ ((OFF, T), \text{heat-on}, (ON, T)) \mid 17 < T < 19 \} \cup \{ ((ON, T), \text{heat-off}, (OFF, T)) \mid 21 < T \le 22 \}$
• $\to_R = \{ ((OFF, T), \delta, (OFF, T')) \mid 17 < T' \le T \le 22,\ \delta = |((T - T')/0.05)^{1/2}| \} \cup \{ ((ON, T), \delta, (ON, T')) \mid 17 < T \le T' \le 22,\ \delta = g(T, T') \}$
• with $f(t) = -0.05t^2 + c$, $17 < c \le 22$ (mode OFF) and $f(t) = 0.05t^2 + 5t + c$, $17 < c \le 22$ (mode ON)
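To make the timed transition system $S_T^H$ concrete, the following Python program (an added example, not code from the slides or from Henzinger's paper) encodes the heated-room automaton through its labeling functions and executes one trajectory: a discrete step fires only when $EC(e)$ holds and the target state lies in $Q$, and a time step of duration $\delta$ follows the flow while checking $inv(v)$ at every intermediate point, returning no successor when the invariant is violated. The function names `discrete_successors`, `time_step` and `run` are assumptions, and the flow is integrated by forward Euler, a constructed numerical approximation used here in place of the exact solution.

```python
from typing import Callable, Dict, List, Optional, Tuple, Union

State = Tuple[str, float]            # (control mode v, valuation of T)
Step = Union[str, float]             # an event label or a time-step duration

# Constructed encoding of the heated-room automaton from the slides:
# mode labels init / inv / flow and switch labels ET / EC as Python predicates.
INIT: Dict[str, Callable[[float], bool]] = {"OFF": lambda T: T == 20.0, "ON": lambda T: False}
INV: Dict[str, Callable[[float], bool]] = {"OFF": lambda T: T > 17.0, "ON": lambda T: T <= 22.0}
FLOW: Dict[str, Callable[[float], float]] = {"OFF": lambda T: -0.1 * T, "ON": lambda T: 5.0 - 0.1 * T}
# control switches e = (v, v') -> (ET(e), EC(e)); EC is a predicate over (T, T')
SWITCHES: Dict[Tuple[str, str], Tuple[str, Callable[[float, float], bool]]] = {
    ("OFF", "ON"): ("heat-on", lambda T, T_next: T < 19.0 and T_next == T),
    ("ON", "OFF"): ("heat-off", lambda T, T_next: T > 21.0 and T_next == T),
}


def discrete_successors(state: State) -> List[Tuple[str, State]]:
    """Transitions of ->_Sigma leaving `state` (duration 0). A switch fires only
    if EC(e) holds with T' = T and the target satisfies inv(v'), i.e. lies in Q."""
    v, T = state
    out = []
    for (src, dst), (event, cond) in SWITCHES.items():
        if src == v and cond(T, T) and INV[dst](T):
            out.append((event, (dst, T)))
    return out


def time_step(state: State, delta: float, h: float = 0.001) -> Optional[State]:
    """Transition of ->_R with duration `delta`: follow flow(v) for delta time
    units (forward Euler with step h, a constructed approximation of the exact
    solution) while requiring inv(v) at every intermediate point.
    Returns the successor state, or None if the invariant is violated."""
    v, T = state
    steps = max(1, int(round(delta / h)))
    h = delta / steps
    for _ in range(steps):
        T += h * FLOW[v](T)
        if not INV[v](T):
            return None          # the trajectory would leave Q: no such transition
    return (v, T)


def run(schedule: List[Step], start: State = ("OFF", 20.0)) -> Tuple[List[State], float]:
    """Execute a schedule of time steps (floats) and events (strings) from a
    state of Q0. Returns the visited states and the summed durations of the
    transitions (events contribute 0, a time step contributes its delta)."""
    v0, T0 = start
    if not (INIT[v0](T0) and INV[v0](T0)):
        raise ValueError("start state is not in Q0")
    state, visited, elapsed = start, [start], 0.0
    for step in schedule:
        if isinstance(step, str):
            targets = [s for ev, s in discrete_successors(state) if ev == step]
            if not targets:
                raise ValueError(f"event {step!r} is not enabled in {state}")
            state = targets[0]
        else:
            nxt = time_step(state, step)
            if nxt is None:
                raise ValueError(f"invariant of {state[0]} violated within {step} time units")
            state, elapsed = nxt, elapsed + step
        visited.append(state)
    return visited, elapsed


if __name__ == "__main__":
    # cool down in OFF until the guard T < 19 holds, switch on, heat to T > 21, switch off
    trajectory, total = run([0.6, "heat-on", 0.8, "heat-off"])
    for s in trajectory:
        print(s)
    print("total duration:", total)
```

Requesting a 30-unit time step in mode ON returns no successor, because the flow would push $T$ past the invariant $T \le 22$; this is exactly the case where $\to_R$ contains no transition, and a schedule that asks for it is rejected rather than silently continued.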
Time-Abstract Transition System of a Hybrid Automaton
• The time-abstract transition system of $H = \langle X, \Sigma, G=(V,E), VL=(init, inv, flow), ET, EC \rangle$ is
• $S_A^H = \langle Q, Q_0, B, \to \rangle$ where:
  • $Q \subseteq (V \times \mathbb{R}^n)$ s.t. $Q = \{ (v, \bar{u}) \mid [X := \bar{u}] \models inv(v) \}$ (as in $S_T^H$)
  • $Q_0 = \{ (v, \bar{u}) \mid [X := \bar{u}] \models inv(v) \wedge init(v) \}$ (as in $S_T^H$)
  • $B = \Sigma \cup \{\tau\}$ s.t.
  • $\to\ = \{ ((v, \bar{u}), \sigma, (v', \bar{u}')) \mid e = (v, v') \in E,\ ET(e) = \sigma,\ [X := \bar{u}, X' := \bar{u}'] \models EC(e) \} \cup \{ ((v, \bar{u}), \tau, (v', \bar{u}')) \mid \exists \delta.\ ((v, \bar{u}), \delta, (v', \bar{u}')) \in \to_R \}$
  • where $\sigma \in \Sigma$, $\delta \in \mathbb{R}_{\ge 0}$; the first set is $\to_\Sigma$ as in $S_T^H$, and the second follows the definition of $\to_R$ in $S_T^H$.
Behavior of Transition Systems
• For a transition system $S = \langle Q, Q_0, A, \to \rangle$:
• A trajectory of $S$ is a (finite or infinite) sequence of pairs $\langle a_i, q_i \rangle_{i \ge 1}$ such that $q_0 \in Q_0$ and $(q_{i-1}, a_i, q_i) \in \to$ for $i \ge 1$.
• A live transition system $(S, L)$ is a pair consisting of a labeled transition system $S$ and a set $L$ of infinite trajectories of $S$.
• The set $L$ is machine-closed for $S$ if every finite trajectory of $S$ is a prefix of some trajectory in $L$.
• For a live transition system $(S, L)$ and a trajectory $\langle a_i, q_i \rangle_{i \ge 1} \in L$, the corresponding sequence $(a_i)_{i \ge 1}$ is called a trace of $(S, L)$. Similarly for finite trajectories of $S$.
Timed Semantics of Hybrid Automata
• $H = \langle X, \Sigma, G=(V,E), VL=(init, inv, flow), ET, EC \rangle$, $S_T^H = \langle Q, Q_0, A, \to \rangle$
• Associate with each transition of $S_T^H$ a duration in $\mathbb{R}_{\ge 0}$:
  - for $((v, \bar{u}), \sigma, (v', \bar{u}')) \in \to_\Sigma$ the duration is $0$.
  - for $((v, \bar{u}), \delta, (v, \bar{u}')) \in \to_R$ the duration is $\delta$.
• An infinite trajectory $\langle a_i, q_i \rangle_{i \ge 1}$ of $S_T^H$ diverges if $\sum_{i=1}^{\infty} d_i$ diverges, where $d_i$ is the duration of the transition $(q_{i-1}, a_i, q_i)$.
• Let $L_T^H$ be the set of divergent trajectories of $S_T^H$. $H$ is non-zeno if $L_T^H$ is machine-closed for $S_T^H$.
• Each trace of the live transition system $(S_T^H, L_T^H)$ is called a timed trace of $H$.
• The timed semantics of $H$ is the set of timed traces of $H$.
Abstract Semantics of Hybrid Automata
• $H = \langle X, \Sigma, G=(V,E), VL=(init, inv, flow), ET, EC \rangle$
• $S_T^H = \langle Q, Q_0, A, \to \rangle$
• $S_A^H = \langle Q, Q_0, B, \to \rangle$
• An infinite trajectory $\langle b_i, q_i \rangle_{i \ge 1}$ of $S_A^H$ diverges if there is a diverging trajectory $\langle a_i, q_i \rangle_{i \ge 1}$ of $S_T^H$ such that $b_i = \tau$ whenever $a_i \in \mathbb{R}_{\ge 0}$, and $a_i = b_i$ for every $a_i \in \Sigma$.
• Let $L_A^H$ be the set of divergent trajectories of $S_A^H$. $H$ is non-zeno if $L_A^H$ is machine-closed for $S_A^H$.
• Each trace of the live transition system $(S_A^H, L_A^H)$ is called a trace of $H$.
• The abstract semantics of $H$ is the set of traces of $H$.
Composition of Hybrid Automata: Heated System Example
(figure: three components, controller, heater and heated space)
Composition of Hybrid Automata
• $H_1 \mapsto S_T^{H_1} = \langle Q_1, Q_{01}, A_1, \to_1 \rangle$, $H_2 \mapsto S_T^{H_2} = \langle Q_2, Q_{02}, A_2, \to_2 \rangle$
• $H_1 \| H_2 \mapsto S_T^{H_1 \| H_2}$, where $S_T^{H_1 \| H_2} = S_T^{H_1} \otimes S_T^{H_2}$,
• where $S_T^{H_1} \otimes S_T^{H_2} = \langle Q_1 \times Q_2,\ Q_{01} \times Q_{02},\ A,\ \to \rangle$, where:
  • $((q_1, q_2), a, (q'_1, q'_2)) \in \to$ for $a \in \Sigma_1 \cup \Sigma_2$ iff:
    - $a \in \Sigma_1 \cap \Sigma_2$ and $(q_1, a, q'_1) \in \to_1$, $(q_2, a, q'_2) \in \to_2$,
    - or $a \in \Sigma_1 - \Sigma_2$ and $(q_1, a, q'_1) \in \to_1$, $(q_2, 0, q'_2) \in \to_2$,
    - or $a \in \Sigma_2 - \Sigma_1$ and $(q_1, 0, q'_1) \in \to_1$, $(q_2, a, q'_2) \in \to_2$.
  • $((q_1, q_2), \delta, (q'_1, q'_2)) \in \to$ for $\delta > 0$ iff $(q_1, \delta, q'_1) \in \to_1$, $(q_2, \delta, q'_2) \in \to_2$.
  • $A = \{ a \mid ((q_1, q_2), a, (q'_1, q'_2)) \in \to \} \cup \{ \delta \mid ((q_1, q_2), \delta, (q'_1, q'_2)) \in \to \}$
• $S_A^{H_1 \| H_2}$ is derived from $S_T^{H_1 \| H_2}$ (in general $S_A^{H_1 \| H_2} \ne S_A^{H_1} \otimes S_A^{H_2}$).
• The composition of two non-zeno hybrid automata is not necessarily non-zeno.
Train-Gate Example
(figure: Train, Controller and Gate; $x$ - distance from the gate, $K$ - reaction delay, $y$ - gate position in degrees)
• A train on a circular track, (2-5)Km long, with a gate.
• $x$ - distance of the train from the gate (initially $x$ is bounded by 5Km, and $\dot{x}$ (the train speed) is between 40m/s and 50m/s).
• 1000 meters from the gate, the train issues an approach event and may slow down to 30m/s.
• 100 meters past the gate, the train issues an exit event.
• The variable $clk$ is a clock for measuring elapsed time.
• When an approach event is received at the gate controller, it issues a close_cmd event within $K$ seconds ($K$ is a symbolic constant that represents the reaction delay of the controller), and when an exit event is received, the controller issues an open_cmd event, also within $K$ seconds.
• $y$ - position of the gate in degrees. Initially, the gate is open ($y = 90$). When a close_cmd event is received, the gate starts closing at the rate of 9 degrees per second, and when an open_cmd event is received, the gate starts opening at the same rate.
(figure: the Train, Controller and Gate automata)
Verification Procedures for Hybrid Automata
• Reachability - given a control mode $v$ of $H$, is there a trajectory of $S_T^H$ ($S_A^H$) that visits a state of the form $(v, x)$ for some valuation $x$?
• Emptiness - is there a divergent trajectory of $S_T^H$ ($S_A^H$)?
• Timed trace inclusion - given $H_1$ and $H_2$, is every timed trace of $H_1$ also a timed trace of $H_2$?
• Time-abstract trace inclusion - given $H_1$ and $H_2$, is every time-abstract trace of $H_1$ also a time-abstract trace of $H_2$?
• Remarks:
  • Reachability can be reduced to finitary time-abstract trace inclusion.
  • Emptiness can be reduced to time-abstract trace inclusion.
  • Finitary trace inclusion can be reduced to trace inclusion.
Composition of Hybrid Automata: principles
• Given hybrid automata $H_1$, $H_2$, we define the parallel composition $H_1 \| H_2$.
• In principle, $H_1$, $H_2$ interact via joint events:
  • if $a \in \Sigma_1 \cap \Sigma_2$ then $H_1$, $H_2$ must synchronize on $a$-transitions,
  • if $a \in \Sigma_1 - \Sigma_2$ then each $a$-transition of $H_1$ synchronizes with a 0-duration time transition of $H_2$, and vice versa.
  • For each real $\delta > 0$, a $\delta$-duration time transition of $H_1$ must synchronize with a $\delta$-duration time transition of $H_2$.
• In general: $A = A_1 \otimes A_2$, where $\otimes$ is an associative partial function on labels; for each $a \in A$, $((q_1, q_2), a, (q'_1, q'_2)) \in \to$ iff $(q_1, a_1, q'_1) \in \to_1$ and $(q_2, a_2, q'_2) \in \to_2$ such that $a_1 \otimes a_2 = a$.
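The composition rules above (and the product construction $S_T^{H_1} \otimes S_T^{H_2}$ two slides earlier) can be run on finite transition systems. The Python program below is an added example, not code from the slides or from Henzinger's paper: `compose` builds the product, synchronizing shared events, pairing a private event with a 0-duration step of the other side (every state has an implicit 0-duration self-step, as in $S_T^H$), and synchronizing positive durations. The train and gate controller are a constructed finite abstraction of the train-gate example in which `1.0` stands for one second of elapsed time and the reaction delay $K$ is abstracted away by forbidding any time step until the controller has issued its command; the class and function names are assumptions.

```python
from itertools import product
from typing import Any, Set, Tuple, Union

Label = Union[str, float]            # an event name, or a time-step duration (float)


class LTS:
    """Finite labelled transition system <Q, Q0, A, ->> with an explicit event
    alphabet; a 0-duration time step q --0--> q is implicit in every state."""

    def __init__(self, states, init, events, trans):
        self.states: Set[Any] = set(states)
        self.init: Set[Any] = set(init)
        self.events: Set[str] = set(events)
        self.trans: Set[Tuple[Any, Label, Any]] = set(trans)

    def steps(self, q, a: Label) -> Set[Any]:
        """Successors of state q under label a."""
        if isinstance(a, float) and a == 0.0:
            return {q}
        return {q2 for (p, b, q2) in self.trans if p == q and b == a}


def compose(s1: LTS, s2: LTS) -> LTS:
    """Product S1 (x) S2 under the composition rules of the slides:
    a shared event is taken by both sides; an event private to one side is
    paired with a 0-duration step of the other; a duration delta > 0 is taken
    by both sides. Labels that neither side can match produce no transition."""
    durations = {a for (_, a, _) in s1.trans | s2.trans if isinstance(a, float)}
    trans = set()
    for q1, q2 in product(s1.states, s2.states):
        for a in s1.events | s2.events | durations:
            if isinstance(a, str):
                a1 = a if a in s1.events else 0.0
                a2 = a if a in s2.events else 0.0
            else:
                a1 = a2 = a
            for p1 in s1.steps(q1, a1):
                for p2 in s2.steps(q2, a2):
                    trans.add(((q1, q2), a, (p1, p2)))
    return LTS(product(s1.states, s2.states), product(s1.init, s2.init),
               s1.events | s2.events, trans)


# Constructed finite abstraction of the train and the gate controller:
# approach/exit are shared events, close_cmd/open_cmd are private to the controller.
TRAIN = LTS(
    states=["far", "near", "past"], init=["far"], events=["approach", "exit"],
    trans=[("far", 1.0, "far"), ("far", "approach", "near"), ("near", 1.0, "near"),
           ("near", "exit", "past"), ("past", 1.0, "far")])
CONTROLLER = LTS(
    states=["idle", "closing", "opening"], init=["idle"],
    events=["approach", "exit", "close_cmd", "open_cmd"],
    trans=[("idle", 1.0, "idle"), ("idle", "approach", "closing"),
           ("closing", "close_cmd", "idle"), ("idle", "exit", "opening"),
           ("opening", "open_cmd", "idle")])
# No time step leaves `closing` or `opening`: the controller must issue its
# command before time advances (the reaction delay K collapsed to zero here).

SYSTEM = compose(TRAIN, CONTROLLER)

if __name__ == "__main__":
    for t in sorted(SYSTEM.trans, key=str):
        print(t)
```

In the product, `("near", "closing")` has no `1.0` successor even though the train alone could let a second pass: the controller's refusal to let time elapse blocks the synchronized time step, which is how the composition rule for durations enforces a deadline across components.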
PRE/POST Transition System
• A labeled transition system is $S = \langle Q, Q_0, A, \to \rangle$ where:
  • $Q$ - set of states (possibly infinite)
  • $Q_0 \subseteq Q$ - subset of initial states
  • $A$ - set of labels (possibly infinite)
  • $\to\ \subseteq (Q \times A \times Q)$ - transition relation
• A subset $R \subseteq Q$ is called a region. Given a region $R$ and a label $a \in A$:
  - $post_a(R) = \{ q' \mid \exists q \in R \text{ s.t. } (q, a, q') \in \to \}$ - the $a$-successors of $R$
  - $pre_a(R) = \{ q' \mid \exists q \in R \text{ s.t. } (q', a, q) \in \to \}$ - the $a$-predecessors of $R$
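The $post_a$ and $pre_a$ operators are what a reachability check (the first verification procedure listed above) iterates to a fixpoint. The Python program below is an added example, not code from the slides or from Henzinger's paper: it builds a constructed finite abstraction of the heated-room automaton (integer temperatures 18..22, a `tick` label for one unit of elapsed time, invariants enforced by omitting transitions that would leave $Q$), implements `post` and `pre` over the transition relation, and answers the reachability question both forward (iterating `post` from $Q_0$) and backward (iterating `pre` from the target region). All names are assumptions.

```python
from typing import Set, Tuple

State = Tuple[str, int]                    # (control mode, integer temperature)
Transition = Tuple[State, str, State]

# Constructed finite abstraction of the heated-room automaton: T takes the
# values 18..22, "tick" lowers T by 1 in OFF and raises it by 1 in ON, and a
# tick that would violate inv(OFF): T > 17 or inv(ON): T <= 22 is simply absent.
TRANS: Set[Transition] = set()
for T in range(18, 23):
    if T - 1 >= 18:
        TRANS.add((("OFF", T), "tick", ("OFF", T - 1)))
    if T + 1 <= 22:
        TRANS.add((("ON", T), "tick", ("ON", T + 1)))
    if T < 19:                             # EC(e1): T < 19, ET(e1) = heat-on
        TRANS.add((("OFF", T), "heat-on", ("ON", T)))
    if T > 21:                             # EC(e2): T > 21, ET(e2) = heat-off
        TRANS.add((("ON", T), "heat-off", ("OFF", T)))
LABELS = {"tick", "heat-on", "heat-off"}


def post(region: Set[State], a: str) -> Set[State]:
    """post_a(R): states reached from R by one a-transition."""
    return {q2 for (q, b, q2) in TRANS if b == a and q in region}


def pre(region: Set[State], a: str) -> Set[State]:
    """pre_a(R): states from which R is reached by one a-transition."""
    return {q for (q, b, q2) in TRANS if b == a and q2 in region}


def reachable(init: Set[State]) -> Set[State]:
    """Forward reachability: least fixpoint of R := R | U_a post_a(R)."""
    region = set(init)
    while True:
        grown = region | {q for a in LABELS for q in post(region, a)}
        if grown == region:
            return region
        region = grown


def coreachable(target: Set[State]) -> Set[State]:
    """Backward reachability: least fixpoint of R := R | U_a pre_a(R)."""
    region = set(target)
    while True:
        grown = region | {q for a in LABELS for q in pre(region, a)}
        if grown == region:
            return region
        region = grown


def can_reach(init: Set[State], target: Set[State]) -> bool:
    """Reachability question: does some trajectory from `init` visit `target`?
    Computed forward and backward; on a finite system both must agree."""
    forward = bool(reachable(init) & target)
    backward = bool(init & coreachable(target))
    assert forward == backward, "forward and backward fixpoints disagree"
    return forward


if __name__ == "__main__":
    print(sorted(reachable({("OFF", 20)})))
    print("gate to (OFF, 22):", can_reach({("OFF", 20)}, {("OFF", 22)}))
```

Note that `post({("OFF", 18)}, "tick")` is empty: the invariant $T > 17$ leaves no successor, which is the finite counterpart of a time transition being absent from $\to_R$ when the flow would exit $inv(v)$.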
Hybrid automata: “idle” events
• An idle event designates a change of variable values; it is not explicitly specified if it is not used outside the system (by the environment).
• $X = \{T\}$, $T$ - temperature.
• $\Sigma = \{\text{idle}\}$ - the idle event
• $G = (\{OFF, ON\}, \{ e_1 = (OFF, ON),\ e_2 = (ON, OFF) \})$
• $init(OFF) = (T = 20)$
• $inv(OFF) = (T > 17)$, $inv(ON) = (T \le 22)$
• $flow(OFF) = (\dot{T} = -0.1T)$, $flow(ON) = (\dot{T} = 5 - 0.1T)$
• $ET(e_1) = \text{idle}$, $ET(e_2) = \text{idle}$
• $EC(e_1) = (T < 19)$, $EC(e_2) = (T > 21)$
• Vertices with no init label are considered to be labeled by false.
• If $T'$ is not explicitly specified then $T' = T$ is implicitly assumed.