Robustness and Implementability of Timed Automata

1
Robustness and Implementability of Timed Automata
FORMATS-FTRTFT 2004 Sep 24th - Grenoble

• Martin De Wulf
• Laurent Doyen
• Nicolas Markey
• Jean-François Raskin

Centre Fédéré en Vérification
2
Motivation

• Embedded Controllers
• are difficult to develop (concurrency,
  real-time, continuous environment, ...).
• are safety critical.

3
Timed Automata
Clocks a,b
4
Objectives

• From a verified model, generate (automatically) a
  correct implementation
• Using classical formalism (e.g. timed automata)
• but interpreting the model in a way that
  guarantees the transfer of the properties from
  model to implementation

5
Robustness and Implentation
Model
vs.
Implementation

• Perfect continuous clocks
• Instantaneous synchronisations
• Reaction time 0

• Digital clocks
• Delayed synchronisations
• Reaction time gt 0

6
Timed Automata Semantics
Classical
Perfect clocks Rate Guard
Imprecise clocks Rate Guard
7
From Model to Implementation
8
Robustness
No ! (see example)
9
An example showing that
Reach(A) ? ??gt0 Reach(A?)
10
Example
11
Example
Classical Semantics
12
Example
Classical Semantics
13
Example
Classical Semantics
14
Example
Classical Semantics
15
Example
Classical Semantics
16
Example
Classical Semantics
17
Example
Classical Semantics
18
Example
Enlarged Semantics
19
Example
Enlarged Semantics
20
Example
Enlarged Semantics
21
Example
Enlarged Semantics
22
Example
Enlarged Semantics
23
Example
Enlarged Semantics
24
Example
Enlarged Semantics
25
Example
Enlarged Semantics
26
Example
Enlarged Semantics
27
Example
Enlarged Semantics
28
Example
Enlarged Semantics
29
Example
Enlarged Semantics
30
Example
Enlarged Semantics
31
Example
Enlarged Semantics
32
Example
Enlarged Semantics
33
Example
Enlarged Semantics
34
Example
Enlarged Semantics
35
Example
Enlarged Semantics
36
Example
Enlarged Semantics
37
Example
Enlarged Semantics
38
Example
Enlarged Semantics
Reach(A?)
39
Example
Enlarged Semantics
When
??gt0 Reach(A?)
40
Example
vs.
Enlarged Semantics
Classical Semantics
??gt0 Reach(A?)
Reach(A)
41
Example
Classical semantics A

• Black cycles are reachable
• Blue cycles are not !

A?
Enlarged semantics

• One blue cycle is reachable
• By repeating this cycle with ?gt0, the entire
  regions are reachable !

42
Cycles in Timed Automata

• Algortihm Pur98 is based on this observation
• It just adds the cycles to reachable states
• Until no more cycle is accessible

Hence, the implementability problem
is decidable ! (and PSPACE-complete)
43
Open questions

• Maximize ? such that
• Decide whether there exists ? such that
• Find a practical algorithm for
• And many others

Reach(A?) ? Bad ?
UntimedLang(A?) UntimedLang(A)
??gt0 Reach(A?)
44
References

• DDR04 M. De Wulf, L. Doyen, J.-F. Raskin.
  Almost ASAP Semantics From Timed Model to Timed
  Implementation. LNCS 2993, HSCC 2004.
• Pur98 A. Puri. Dynamical Properties of Timed
  Automata. FTRTFT 1998.

45
Model-based development

• Make a model of the environment Env
• Make clear the control objective Bad
• Make a model of the control strategy Contro
  llerModel
• Verify Does Env ControllerModel avoid Bad ?
• Good, but after ?