A Uniform Approach to Three-Valued Semantics for -Calculus on Abstractions of Hybrid...

A Uniform Approach to Three-ValuedSemantics for µ-Calculus on Abstractions of

Hybrid Automata(Haifa Verification Conference 2008)

K. Bauer, R. Gentilini, and K. Schneider

University of Kaiserslautern

October 28, 2008

Motivation

General Framework

SpecializationsMay/Must AbstractionsDBB-Abstractions

Conclusions

Overview

1. Preliminaries and Motivation

2. Generic Semantics for Lµ on Abstractions of HybridAutomata

I Generic Preservation Result

3. SpecializationsI May-/Must AbstractionsI DBB AbstractionsI Monotonicity Issues

4. Conclusions and Future Work

, A Uniform Approach to Three-Valued Semantics for µ-Calculus on Abstractions of Hybrid Automata


Motivation

General Framework


Conclusions

Hybrid Automata (HA)

A hybrid automaton consists of

I Graph with finitely many locations

I Finitely many continuous variables changing valuewithin a location according to differential rules

I Initial Conditions, Location invariants,guards and resets for discrete transitions

Example: (Heating controller)

off on

I Heating is off: temperature x falls with x = −0.1I Heating is on: temperature x rises with x = 5



Motivation

General Framework


Conclusions







x = −0.1off

x = 5on




Motivation

General Framework


Conclusions







x > 18x = −0.1

offx = 20

x < 24x = 5

on

x > 22, x′ = x

x < 20, x′ = x




Motivation

General Framework


Conclusions

Decidability Results

Problem: (Decidability vs Expressiveness)

I In general, hybrid automata are undecidable w.r.t.reachability

I Decidability results only exist, when discrete and/orcontinuous dynamics are highly restricted

Example:

ITimed automata are de-cidable

xi = 1 xi = 1

x′i = xi

x′i ∈ [ai, bi]

I

Adding skewed clocksmakes timed automataundecidable

xi = ci,l xi = ci,l

x′i = xi

x′i ∈ [ai, bi]

⇒ Approximative techniques are needed



Motivation

General Framework


Conclusions

Goal and Perspective

Goal:Developing a framework for the automated reasoning onhybrid automata outside the decidability realm, featuring:

I combined overapprox./underapprox. analysis⇒ safety certication + counterexamples

I ability to both prove and disprove reactive systemproperties expressed in Lµ.

Method:

I Three-valued generic semantics for Lµ ‘adaptable’ toproper abstraction frameworks

I Specialization of the generic semantics to differenttypes of abstractions providing over-/underapprox.

I DBB abstractionsI Modal abstractions



Motivation

General Framework


Conclusions

3-Valued Lµ on HA-Abstractions

I A = 〈R,R0,δ→, e→〉 abstraction of H encoding over-

and underapproximation of the runs in H

I AP finite set of atomic propositions

I R a partition w.r.t. lAP : Q→ 2AP

Definition: (Lµ for generic HA-Abstractions)

I φ ∈ AP : JφK(r) ={

1 φ ∈ lAP (r)0 φ /∈ lAP (r)

I J¬φK := ¬3 JφKJφ ∨ ψK := JφK ∨3 JψK, Jφ ∧ ψK := JφK ∧3 JψK

I Parametrized modal operatorsF ∈ {〈δ〉φ, 〈e〉φ, [δ]φ, [e]φ,E(φUψ), A(φUψ)}:

I JFK(r) = 1⇒ ∀ x ∈ r : JFKH(x) = 1I JFK(r) = 0⇒ ∀ x ∈ r : JFKH(x) = 0



Motivation

General Framework


Conclusions

3-Valued Lµ on HA-Abstractions

I A = 〈R,R0,δ→, e→〉 abstraction of H encoding over-

and underapproximation of the runs in H

I AP finite set of atomic propositions

I R a partition w.r.t. lAP : Q→ 2AP

Definition: (Lµ for generic HA Abstractions)

I Fixpoints: Let σ ∈ {µ, ν}JσZ.φK := JapxkσZ.φK satisfying

I k is the smallest index withJapxk(σZ.φ)K = Japxk+1(σZ.φ)K

A � φ :⇔ ∀r ∈ R0 : JφK(r) = 1A 2 φ :⇔ ∃r ∈ R0 : JφK(r) = 0



Motivation

General Framework


Conclusions

Preservation Results

Theorem: (Preservation)Let H be a hybrid automaton and A be an abstraction ofH. Then for all φ ∈ Lµ:

I JφK(r) = 1⇒ ∀ x ∈ r : JφKH(x) = 1I JφK(r) = 0⇒ ∀ x ∈ r : JφKH(x) = 0

Proof: (Sketch)By structural induction:

I boolean operators: obvious

I modal operators: by assumption

I fixpoint operators:JσZ.φK = Japxk(σZ.φ)K for some k ∈ N⇒ structural induction + monotonicity of fixpointsyield the claim



Motivation

General Framework


Conclusions

May/Must Abstractions

General Idea:Adapt ideas for may/must transitions from discrete systems

may must

Definition:Let A = 〈R,R0,

δ→, e→〉 be an abstraction. Then,

I All transitions in A are may-transitions

I rδ→must r

′ if all x ∈ r have a direct succ. x x′ ∈ r′I r

e→must r′ if all x ∈ r have a succ. x

e→ x′ ∈ r′

Lemma:Amust ≤S TH ≤S A∗

(A∗ uses the transitive closureδ∗→ of

δ→)



Motivation

General Framework


Conclusions

Semantics Completion on May/Must Abs.

Semantics Completion of 3-valued Lµ on May/MustAbstractions:

Definition:Let A be a may/must abstraction. Then:

I J〈δ〉φK(r) =

1 ∃r δ→must r

′ : r′ satisfies φ

0 @r δ∗→ r′ : r′ satisfies φ⊥ else

I J〈e〉φK(r) =

1 ∃r e→must r

′ : r′ satisfies φ

0 @r e→ r′ : r′ satisfies φ⊥ else

I a ∈ {e, δ}: J[a]φK = J¬(〈a〉¬φ)K



Motivation

General Framework


Conclusions

Semantics Completion on May/Must Abs.

Semantics Completion of 3-valued Lµ on May/MustAbstractions:

Definition:Let A be a may/must abstraction. Then:

I JE(φUψ)K(r) =

1 ∃r must r

′ satisfying φUψ0 ∀ may-paths φUψ can be

disproven⊥ else

I JA(φUψ)K(r) =

1 all may-paths satisfy φUψ0 ∃r must r

′ not satisfyingφUψ

⊥ else



Motivation

General Framework


Conclusions

Preservation for May/Must Abs.

Corollary: (Preservation)Let H be a hybrid automaton and A be a may/mustabstraction of H. Then for all φ ∈ Lµ:

I A � φ⇒ H � φ

I A 2 φ⇒ H 2 φ

Remark:May/must abstractions do not provide monotonicity results



Motivation

General Framework


Conclusions

Example: Heating Controller

x > 18x = −0.1

offx = 20

x < 24x = 5

on

x > 22, x′ = x

x < 20, x′ = x

µ-calculus formula: φ := µZ.(on× [22, 24]) ∨ ♦Z

Abstraction:(20,24)

off

δmust

20off

δmust(19.5,20)off

δmust

δ

(18,19.5]off

δmust

δmust

[22,24)on

emust

[19,22)on δmust

emuste

δmust

(18,19)on δmust

e

δmust



Motivation

General Framework


Conclusions


x > 18x = −0.1

offx = 20

x < 24x = 5

on

x > 22, x′ = x

x < 20, x′ = x


Abstraction:A �3 φ = 1⇒ H � φ = 1

(20,24)off

δmust

20off

δmust(19.5,20)off

δmust

δ

(18,19.5]off

δmust

δmust

[22,24)on

emust

[19,22)on δmust

emuste

δmust

(18,19)on δmust

e

δmust



Motivation

General Framework


Conclusions


x > 18x = −0.1

offx = 20

x < 24x = 5

on

x > 22, x′ = x

x < 20, x′ = x


Refinement:(20,24)

off

δmust

20off

δmust(19.5,20)off

δmust

δ

(18,19.5]off

δmust

δmust

[22,24)on

emust

[19.7,22)on δmust

e

δmust

[19,19.7)on δmust

ee

δmust

(18,19)on δmust

e

δmust



Motivation

General Framework


Conclusions


x > 18x = −0.1

offx = 20

x < 24x = 5

on

x > 22, x′ = x

x < 20, x′ = x


Refinement:A �3 φ =⊥ (20,24)

off

δmust

20off

δmust(19.5,20)off

δmust

δ

(18,19.5]off

δmust

δmust

[22,24)on

emust

[19.7,22)on δmust

e

δmust

[19,19.7)on δmust

ee

δmust

(18,19)on δmust

e

δmust



Motivation

General Framework


Conclusions

DBB-Abstractions

Definition: (Discrete Bounded Bisimulation)Let H be a hybrid automaton with state space Q. Let Pbe a partition of Q.

≡0∈ Q×Q is the max. relation on Q s.t. for all p ≡0 q:

I [p]P = [q]P and p ∈ Q0 iff q ∈ Q0

I ∀p δ→ p′∃q′ : p′ ≡0 q′ ∧ q

δ→ q′

∀q δ→ p′∃p′ : p′ ≡0 q′ ∧ p

δ→ p′[p]0 [p′]0

δmust



Motivation

General Framework


Conclusions

DBB-Abstractions

Definition: (Discrete Bounded Bisimulation)Let H be a hybrid automaton with state space Q. Let Pbe a partition of Q.

≡n∈ Q×Q is the max. relation on Q s.t. for all p ≡n q:

I p ≡n−1 q

I ∀p δ→ p′∃q′ : p′ ≡n q′ ∧ qδ→ q′

∀q δ→ p′∃p′ : p′ ≡n q′ ∧ pδ→ p′

[p]n [p′]nδmust

I ∀p e→ p′∃q′ : p′ ≡n−1 q′ ∧ q e→ q′

∀q e→ q′∃p′ : p′ ≡n−1 q′ ∧ p e→ p′

[p]n [p′]n[p′]n−1

emay

emust

The relation ≡n is called n-DBB equivalence.



Motivation

General Framework


Conclusions

Semantics Completion on DBB-Abs.

Semantics Completion of three-valued Lµ:

Definition:Let H≡n be an n-DBB abstraction. Then:

I J〈δ〉φK≡n([x]≡n) = 1 iff

I ∃[x]≡nδ→ [x′]≡n : [x′]≡n satisfies φ

J〈δ〉φK≡n([x]≡n) = 0 iff

I @[x]≡nδ∗→ [x′]≡n : [x′]≡n satisfies φ

J〈δ〉φK≡n([x]≡n) =⊥ else

I J[δ]φK≡n = J¬(〈δ〉¬φ)K≡n



Motivation

General Framework


Conclusions




I J〈e〉φK≡n([x]≡n) = 1 iff

I ∃[x]≡ne→ [x′]≡n : [x′]≡n−1 satisfies φ

J〈e〉φK≡n([x]≡n) = 0 iff

I @[x]≡ne→ [x′]≡n : [x′]≡n−1 satisfies φ

J〈e〉φK≡n([x]≡n) =⊥ else

I J[e]φK≡n = J¬(〈e〉¬φ)K≡n



Motivation

General Framework


Conclusions




I For JE(φUψ)K≡n:JE(φUψ)K≡n([x]≡n) = 1 iff

I ∃[x]≡nδ∗

[x′]≡n satisfying φUψ in H≡nor

I ∃[x]≡nδ∗

[x′]≡ne→ [x′′]≡n satisfying φ on the first

part and [x′′]≡n−1 satisfying E(φUψ)JE(φUψ)K≡n([x]≡n) = 0 iff

I ∀ paths in H≡n φUψ can be disproven

JE(φUψ)K≡n([x]≡n) =⊥ otherwise



Motivation

General Framework


Conclusions




I For JA(φUψ)K≡n:JA(φUψ)K≡n([x]≡n) = 1 iff

I all paths in H≡n starting in [x]≡n satisfy φUψ

JA(φUψ)K≡n([x]≡n) = 0 iff

I ∃[x]≡nδ∗

[x′]≡n not satisfying φUψ in H≡n or

I ∃[x]≡nδ∗

[x′]≡ne→ [x′′]≡n satisfying φ on the first

part and [x′′]≡n−1 not satisfying AφUψ

JA(φUψ)K≡n([x]≡n) =⊥ otherwise



Motivation

General Framework


Conclusions

Preservation Results for DBB-Abs.

Corollary: (Preservation)Let H be a hybrid automaton and H≡n be an n-DBBabstraction of H. Then for all φ ∈ Lµ:

I H≡n � φ⇒ H � φ

I H≡n 2 φ⇒ H 2 φ

Theorem: (Monotonicity)Let H≡n and H≡k, n > k, be DBB abstractions. Then forall φ ∈ Lµ and all x in the state space of H:

I JφK≡k([x]≡k) = 1⇒ JφK≡n([x]≡n) = 1I JφK≡k([x]≡k) = 0⇒ JφK≡n([x]≡n) = 0



Motivation

General Framework


Conclusions

Example: Waterlevel Controller

y ≤ 10x = 1y = 1shut

x1 ≥ 0x = −1y = −2

open

x = 0

y = 10

µ-calculus formula:φ = µZ.r ∨ ♦Zr = shut× [0, 6]× {10}

1-DBB Abstraction:

10 xr2

6

y

r1

r4

r3

shut

10 x6s1 s2

s5

y open

r2 r3δ s5δ s2e

e

r4

ee



Motivation

General Framework


Conclusions


y ≤ 10x = 1y = 1shut

x1 ≥ 0x = −1y = −2

open

x = 0

y = 10


1-DBB Abstraction: A �3 φ =⊥10 x

r26

y

r1

r4

r3

shut

10 x6s1 s2

s5

y open

r2 r3δ s5e s2δ

e

r4

ee



Motivation

General Framework


Conclusions


y ≤ 10x = 1y = 1shut

x1 ≥ 0x = −1y = −2

open

x = 0

y = 10


2-DBB Abstraction:

x

y

r1

r4

r3

r2

r6

r5

r7

shut

x

x

t1t2 t3 t4

t5

t6t7

t8

open

r7 r4δ r6δ t8e t5δ t4δ

e

t3

δ

t2t6 δt7 δr5 er3 δr2 δ

e

e



Motivation

General Framework


Conclusions


y ≤ 10x = 1y = 1shut

x1 ≥ 0x = −1y = −2

open

x = 0

y = 10


2-DBB Abstraction: A �3 φ = 0⇒ H � φ = 0

x

y

r1

r4

r3

r2

r6

r5

r7

shut

x

x

t1t2 t3 t4

t5

t6t7

t8

open

r7 r4δ r6δ t8e t5δ t4δ

e

t3

δ

t2t6 δt7 δr5 er3 δr2 δ

e

e



Motivation

General Framework


Conclusions

Conclusions and Future Work

Conclusions:

I A parametrized three-valued interpretation of Lµ hasbeen developed

I Preservation results have been proved⇒ Safety certification + counterexamples

I Different applications for the general framework havebeen provided:

I May/must abstractionsI DBB abstractions

Future Work

I Development of a three-valued model-checking toolfor hybrid automata

I Property driven abstraction refinementsI ...



Motivation

General Framework


Conclusions



Motivation

General Framework


Conclusions

The U-Operator on Hybrid Automata

Discrete time frameworks: U-Operator redundant

I E(φUψ) = µZ.ψ ∨ φ ∧ ♦ZI A(φUψ) = µZ.ψ ∨ φ ∧�Z

Continuous time frameworks: U-operator not redundant

Example:

x = 1x = 0

φ := E(x < 2)U(x = 3)

ψ := µZ.(x = 3) ∨ (x < 2) ∧ ♦Z

Lemma:In the setting of hybrid automata the language Lµ with thetemporal operators E(φUψ) and A(φUψ) is strictly moreexpressive than Lµ without these operators.



Motivation

General Framework


Conclusions





Example:

x = 1x = 0

φ := E(x < 2)U(x = 3)ψ := µZ.(x = 3) ∨ (x < 2) ∧ ♦Z

x

0 1 2 3




Motivation

General Framework


Conclusions





Example:

x = 1x = 0

φ := E(x < 2)U(x = 3)

ψ := µZ.(x = 3) ∨ (x < 2) ∧ ♦Z

x

0 1 2 3




Motivation

General Framework


Conclusions





Example:

x = 1x = 0

φ := E(x < 2)U(x = 3)ψ := µZ.(x = 3) ∨ (x < 2) ∧ ♦Z

x

0 1 2 3




Motivation

General Framework


Conclusions

Redundancy of U on Abstractions

Let the modal operator 〈δ〉 satisfy:

I J〈δ〉φK(r) = 1⇔ a direct successor of r satisfies φ (*)

Theorem: (Redundancy)Let H be a hybrid automaton and A be an abstraction ofH satisfying (*). Then for all φ, ψ ∈ Lµ:

1. A � µZ.ψ ∨ φ ∧ ♦Z ⇒ H � E(φUψ)A 2 µZ.ψ ∨ φ ∧ ♦Z ⇒ H 2 E(φUψ)

2. A � µZ.ψ ∨ φ ∧�Z ⇒ H � A(φUψ)A 2 µZ.ψ ∨ φ ∧�Z ⇒ H 2 A(φUψ)

Corollary:

I For may/must abstractions the U-operator isredundant

I For DBB-abstractions the U-operator is redundant



A Uniform Approach to Three-Valued Semantics for -Calculus on Abstractions of Hybrid...

Documents

Transcript of A Uniform Approach to Three-Valued Semantics for -Calculus on Abstractions of Hybrid...