ACI Scurit Informatique CORTOS CORTOS = Control and Observation of - - PowerPoint PPT Presentation

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

ACI «Sécurité Informatique» CORTOS

◮ CORTOS = Control and Observation of Real-Time Open Systems ◮ Participants: LSV + VERIMAG + IRCCyN ◮ Web: http://www.lsv.ens-cachan.fr/aci-cortos/

Thèmes du projet

◮ Algorithmes de synthèse de contrôleur ◮ Observation et détection de fautes ◮ Logiques pour exprimer le contrôle ◮ Contrôle optimal

Session Invitée

1 Introduction au contrôle des systèmes temps-réel 2 Observation partielle des systèmes temporisés 3 Implémentabilité des automates temporisés MSR’05 (Autrans, France) Control of Timed Systems 1 / 32

Control of Timed Systems

• K. Altisen1, P. Bouyer2, T. Cachat3, F. Cassez4, G. Gardey4

1VERIMAG

Grenoble

2LSV

Cachan

3LIAFA

Paris

4IRCCyN

Nantes MSR’05 October 2005, Autrans, France

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline of the talk

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 3 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline of the talk

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 3 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline of the talk

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 3 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline of the talk

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 3 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline of the talk

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 3 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 4 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Does the system meet the specification ?

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Does the system meet the specification ?

S

Modelling

(not bad)

φ | =

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Does the system meet the specification ?

S

Modelling

(not bad)

φ | =

Model Checking Problem

Does the closed system S satisfy φ ?

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Can we enforce the system to meet the specification ?

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Can we enforce the system to meet the specification ?

S

Modelling

c (not bad)

φ

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Can we enforce the system to meet the specification ?

S

Modelling

c (not bad)

φ

Control Problem

Can the open system S be restricted to satisfy φ ? Is there a Controller C s.t. (S C) | = φ ?

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Verification and Control

Can we enforce the system to meet the specification ?

S

Modelling

c (not bad)

φ | = C

• c

Control Problem

Can the open system S be restricted to satisfy φ ? Is there a Controller C s.t. (S C) | = φ ?

MSR’05 (Autrans, France) Control of Timed Systems 5 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control of Discrete Event Systems

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u

◮ Introduced by Ramadge & Wonham [Ramadge, 87] ◮ Discrete Event System = Finite Automaton with

Controllable (Actc) and Uncontrollable (Actu) actions

◮ Example of Control Objective: “avoid state Bad” ◮ Means: disable some controllable transitions at the right time

Ramadge & Wonham Theory is based on Language Theory [Ramadge, 89, Thistle, 94]

MSR’05 (Autrans, France) Control of Timed Systems 6 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Control and Game

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e u Open System = 2-player game, Controller (C) vs Environment (E)

◮ Controller does Actc moves, Environment does Actu moves ◮ Control Objective = Winning condition on the game

“Avoid bad states” (safety) or “Enforce good states” (reachability)

◮ Control Problem: find a strategy for the controller to win the game ◮ Various types of game models for C and E

◮ Finite or pushdown or counter automata . . . ◮ Timed or hybrid automata MSR’05 (Autrans, France) Control of Timed Systems 7 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems of Interest

Verification Problem (or Model Checking Problem)

Input: a model of the closed system S and a property ϕ Problem: Does S satisfy ϕ ?

Control Problem (CP)

Input: a model of the open system (game) G and a property ϕ Problem: Is there a controller (strategy) C s.t. (C G) satisfy ϕ ?

Control Synthesis Problem (CSP)

Input: a model of the open system (game) G and a property ϕ Problem: If the answer to the CP(G, ϕ) is “yes”, can we effectively compute a witness controller ?

MSR’05 (Autrans, France) Control of Timed Systems 8 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems of Interest

Verification Problem (or Model Checking Problem)

Input: a model of the closed system S and a property ϕ Problem: Does S satisfy ϕ ?

Control Problem (CP)

Input: a model of the open system (game) G and a property ϕ Problem: Is there a controller (strategy) C s.t. (C G) satisfy ϕ ?

Control Synthesis Problem (CSP)

Input: a model of the open system (game) G and a property ϕ Problem: If the answer to the CP(G, ϕ) is “yes”, can we effectively compute a witness controller ?

MSR’05 (Autrans, France) Control of Timed Systems 8 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems of Interest

Verification Problem (or Model Checking Problem)

Input: a model of the closed system S and a property ϕ Problem: Does S satisfy ϕ ?

Control Problem (CP)

Input: a model of the open system (game) G and a property ϕ Problem: Is there a controller (strategy) C s.t. (C G) satisfy ϕ ?

Control Synthesis Problem (CSP)

Input: a model of the open system (game) G and a property ϕ Problem: If the answer to the CP(G, ϕ) is “yes”, can we effectively compute a witness controller ?

MSR’05 (Autrans, France) Control of Timed Systems 8 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems of Interest

Verification Problem (or Model Checking Problem)

Input: a model of the closed system S and a property ϕ Problem: Does S satisfy ϕ ?

Control Problem (CP)

Input: a model of the open system (game) G and a property ϕ Problem: Is there a controller (strategy) C s.t. (C G) satisfy ϕ ?

Control Synthesis Problem (CSP)

Input: a model of the open system (game) G and a property ϕ Problem: If the answer to the CP(G, ϕ) is “yes”, can we effectively compute a witness controller ?

MSR’05 (Autrans, France) Control of Timed Systems 8 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 9 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

Example of Strategies:

f (ℓ0) = a f (ℓ0

a

− → ℓ1) = c f (ℓ0

a

− → ℓ1

u

− → ℓ2) = b f (ℓ0

a

− → ℓ1

u

− → ℓ2

b

− → ℓ0

a

− → ℓ1) = e f ′(· · · ℓ0) = a f ′(· · · ℓ1) = c f ′(· · · ℓ2) = b f ′(· · · ℓ3) = d

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

Example of Strategies:

f (ℓ0) = a f (ℓ0

a

− → ℓ1) = c f (ℓ0

a

− → ℓ1

u

− → ℓ2) = b f (ℓ0

a

− → ℓ1

u

− → ℓ2

b

− → ℓ0

a

− → ℓ1) = e f ′(· · · ℓ0) = a f ′(· · · ℓ1) = c f ′(· · · ℓ2) = b f ′(· · · ℓ3) = d

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

◮ A strategy restricts the set of runs of the system.

from a state s it generates of subset of the runs of the initial game

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

◮ A strategy restricts the set of runs of the system.

from a state s it generates of subset of the runs of the initial game

◮ A strategy is winning if it generates only good runs.

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Game Automata, Strategies & Winning States

Game Automaton ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d e d u

Strategy

◮ A strategy f gives for each finite run the controllable action to take.

We assume full observability of the system

◮ A strategy restricts the set of runs of the system.

from a state s it generates of subset of the runs of the initial game

◮ A strategy is winning if it generates only good runs.

Winning States

A state s is winning if there exists a winning strategy from s.

MSR’05 (Autrans, France) Control of Timed Systems 10 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u

MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action π(X) = PredActc(X) \ PredActu(X)

MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action π(X) = PredActc(X) \ PredActu(X) π(X) X X

• ∃c ∈ Actc

not (∃u ∈ Actu)

MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action π(X) = PredActc(X) \ PredActu(X)

Some Values of the π Operator

◮ π({ℓ3}) = ∅ ◮ π({ℓ1}) = {ℓ0} ◮ π({ℓ0, ℓ1}) = {ℓ0, ℓ2} ◮ π({ℓ0, ℓ1, ℓ2}) = {ℓ0, ℓ1, ℓ2}

MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action A Fixpoint Characterization of Winning States:

1 let ϕ be a set of safe (good) states and G a game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ π(X) 3 W ∗ is the set of winning states for (G, ϕ) MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action A Fixpoint Characterization of Winning States:

1 let ϕ be a set of safe (good) states and G a game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ π(X) 3 W ∗ is the set of winning states for (G, ϕ) MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action A Fixpoint Characterization of Winning States:

1 let ϕ be a set of safe (good) states and G a game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ π(X) 3 W ∗ is the set of winning states for (G, ϕ) MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action A Fixpoint Characterization of Winning States:

1 let ϕ be a set of safe (good) states and G a game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ π(X) 3 W ∗ is the set of winning states for (G, ϕ) MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action A Fixpoint Characterization of Winning States:

1 let ϕ be a set of safe (good) states and G a game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ π(X) 3 W ∗ is the set of winning states for (G, ϕ)

◮ CP: check that ℓ0 ∈ W ∗

MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Controllable Predecessors

ℓ0 ℓ1 ℓ2 ℓ3 Bad a u c b d d e u π(X) = states from which one can enforce X with a controllable action A Fixpoint Characterization of Winning States:

1 let ϕ be a set of safe (good) states and G a game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ π(X) 3 W ∗ is the set of winning states for (G, ϕ)

◮ CP: check that ℓ0 ∈ W ∗ ◮ CSP: Given W ∗ and G, we can build a winning strategy

MSR’05 (Autrans, France) Control of Timed Systems 11 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Results for Finite Games

Given G a finite game, ϕ a control objective

Theorem (Positional Strategies are Sufficient)

Positional (or memoryless) strategies suffice to win ω-regular games. The number of states of C is ≤ number of states of G.

MSR’05 (Autrans, France) Control of Timed Systems 12 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Results for Finite Games

Given G a finite game, ϕ a control objective The fixpoint computation of W ∗ terminates

Theorem (Positional Strategies are Sufficient)

Positional (or memoryless) strategies suffice to win ω-regular games. The number of states of C is ≤ number of states of G.

MSR’05 (Autrans, France) Control of Timed Systems 12 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Results for Finite Games

Given G a finite game, ϕ a control objective

Theorem (CP is Decidable)

CP is decidable for ω-regular objectives.

Theorem (Positional Strategies are Sufficient)

Positional (or memoryless) strategies suffice to win ω-regular games. The number of states of C is ≤ number of states of G.

MSR’05 (Autrans, France) Control of Timed Systems 12 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Results for Finite Games

Given G a finite game, ϕ a control objective

Theorem (CP is Decidable)

CP is decidable for ω-regular objectives.

Theorem (Effectiveness of CSP)

Strategy synthesis is effective. We can build a finite automaton (controller) C that specifies a winning strategy.

Theorem (Positional Strategies are Sufficient)

Positional (or memoryless) strategies suffice to win ω-regular games. The number of states of C is ≤ number of states of G.

MSR’05 (Autrans, France) Control of Timed Systems 12 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Results for Finite Games

Given G a finite game, ϕ a control objective

Theorem (CP is Decidable)

CP is decidable for ω-regular objectives.

Theorem (Effectiveness of CSP)

Strategy synthesis is effective. We can build a finite automaton (controller) C that specifies a winning strategy.

Theorem (Positional Strategies are Sufficient)

Positional (or memoryless) strategies suffice to win ω-regular games. The number of states of C is ≤ number of states of G. Add Dense Time ... CP and CSP ?

MSR’05 (Autrans, France) Control of Timed Systems 12 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 13 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Automata [Alur & Dill’94]

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2;u x > 3;u Runs = sequence of discrete and time steps ρ1 : (ℓ0, 0)

1.55

− − − → (ℓ0, 1.55)

c1

− − → (ℓ1, 1.55)

1.67

− − − → (ℓ1, 3.22)

u

− → (Bad, 3.22) ρ2 : (ℓ0, 0)

1.1

− − → (ℓ0, 1.1)

c1

− − → (ℓ1, 1.1)

2.1

− − → (ℓ1, 3.2)

c2

− − → (ℓ2, 3.2)

0.1

− − → (ℓ2, 3.3)

u

− → (ℓ0, 0) · · · · · · · · ·

MSR’05 (Autrans, France) Control of Timed Systems 14 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Timed Game Automata

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

◮ Introduced by Maler, Pnueli, Sifakis [Maler, 95] ◮ The controller continuously observes the system

time elapsing and discrete moves are observable

◮ It has the choice between two types of moves:

◮ “do nothing” ◮ “do a controllable action” (among the ones that are possible)

◮ It can stop time from elapsing by taking a controllable move

MSR’05 (Autrans, France) Control of Timed Systems 15 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

How to Deal with Dense-Time ?

◮ Infinite state systems

Symbolic representation of states

◮ A strategy (or controller) can choose to wait

Add a special wait action

◮ Dense time · · · the controller can be unfair

◮ block time ◮ do infinitely many actions in a bounded time ◮ do arbitrarily closed (in time) discrete actions

Implementation Issues

MSR’05 (Autrans, France) Control of Timed Systems 16 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

The strategy f : “Always wait as long as the system permits”

ρ1 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

0.5

− − → (ℓ1, 4.5)

u

− → (Bad, 4.5) ρ2 : (ℓ0, 0)

4

− → (ℓ0, 4)

c1

− − → (ℓ1, 4)

1.0

− − → (ℓ1, 5)

c2

− − → (ℓ2, 5)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

1.5

− − → (ℓ2, 4)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

1.5

− − → (ℓ2, 4)

c3

− − → (ℓ0, 0)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

1.5

− − → (ℓ2, 4)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · · ρ′ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · · ρ′ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · · ρ′ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · · ρ′ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

1.5

− − → (ℓ2, 4)

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · · ρ′ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

1.5

− − → (ℓ2, 4)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

A winning strategy f ′

in ℓ0 at x = 2 do c1; in ℓ1 at x = 2.5 do c2; in ℓ2 at x = 4 do c3 ρ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

u at δ≤0.5

− − − − − − → (ℓ2, 2 + δ)

c3 at 2−δ

− − − − − − → (ℓ0, 0) · · · ρ′ : (ℓ0, 0)

2

− → (ℓ0, 2)

c1

− − → (ℓ1, 2)

0.5

− − → (ℓ1, 2.5)

c2

− − → (ℓ2, 2.5)

1.5

− − → (ℓ2, 4)

c3

− − → (ℓ0, 0) · · ·

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Strategies and Winning States

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u u

The Strategy f ′ as a Timed Automaton

z := 0 K0 [z ≤ 2] K1 z = 2; c1 [z ≤ 2.5] K2 z = 2.5 c2 [z ≤ 4] z = 4;c3 u u u

MSR’05 (Autrans, France) Control of Timed Systems 17 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 18 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic States

◮ Q = L × RClock ≥0

a the set of states of the TGA q = (ℓ, v) ∈ Q

◮ Discrete predecessors of X ⊆ Q by an action a:

Preda(X) = {q ∈ Q | q

a

− − → q′ and q′ ∈ X}

◮ Time predecessors of X ⊆ Q:

Predδ(X) = {q ∈ Q | ∃t ≥ 0 | q

t

− − → q′ and q′ ∈ X}

◮ Zone = conjunction of triangular constraints

x − y < 3, x ≥ 2 ∧ 1 < y − x < 2

◮ State predicate (SP) P = ∪i∈[1..n](ℓji , Zi), ℓi ∈ L, Zi is a zone

(ℓ1, 2 ≤ x < 4) or (ℓ0, x < 1 ∧ y − x ≥ 2) or (ℓ0, x ≤ 2) ∪ (ℓ2, x > 0)

Effectiveness of Preda and Predδ

If P is a SP then Preda(P), Predδ(P) are SP and can be computed

• effectively. (There is a symbolic version of Preda and Predδ.)

MSR’05 (Autrans, France) Control of Timed Systems 19 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic States

◮ Q = L × RClock ≥0

a the set of states of the TGA q = (ℓ, v) ∈ Q

◮ Discrete predecessors of X ⊆ Q by an action a:

Preda(X) = {q ∈ Q | q

a

− − → q′ and q′ ∈ X}

◮ Time predecessors of X ⊆ Q:

Predδ(X) = {q ∈ Q | ∃t ≥ 0 | q

t

− − → q′ and q′ ∈ X}

◮ Zone = conjunction of triangular constraints

x − y < 3, x ≥ 2 ∧ 1 < y − x < 2

◮ State predicate (SP) P = ∪i∈[1..n](ℓji , Zi), ℓi ∈ L, Zi is a zone

(ℓ1, 2 ≤ x < 4) or (ℓ0, x < 1 ∧ y − x ≥ 2) or (ℓ0, x ≤ 2) ∪ (ℓ2, x > 0)

Effectiveness of Preda and Predδ

If P is a SP then Preda(P), Predδ(P) are SP and can be computed

• effectively. (There is a symbolic version of Preda and Predδ.)

MSR’05 (Autrans, France) Control of Timed Systems 19 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic States

◮ Q = L × RClock ≥0

a the set of states of the TGA q = (ℓ, v) ∈ Q

◮ Discrete predecessors of X ⊆ Q by an action a:

Preda(X) = {q ∈ Q | q

a

− − → q′ and q′ ∈ X}

◮ Time predecessors of X ⊆ Q:

Predδ(X) = {q ∈ Q | ∃t ≥ 0 | q

t

− − → q′ and q′ ∈ X}

◮ Zone = conjunction of triangular constraints

x − y < 3, x ≥ 2 ∧ 1 < y − x < 2

◮ State predicate (SP) P = ∪i∈[1..n](ℓji , Zi), ℓi ∈ L, Zi is a zone

(ℓ1, 2 ≤ x < 4) or (ℓ0, x < 1 ∧ y − x ≥ 2) or (ℓ0, x ≤ 2) ∪ (ℓ2, x > 0)

Effectiveness of Preda and Predδ

If P is a SP then Preda(P), Predδ(P) are SP and can be computed

• effectively. (There is a symbolic version of Preda and Predδ.)

MSR’05 (Autrans, France) Control of Timed Systems 19 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic States

◮ Q = L × RClock ≥0

a the set of states of the TGA q = (ℓ, v) ∈ Q

◮ Discrete predecessors of X ⊆ Q by an action a:

Preda(X) = {q ∈ Q | q

a

− − → q′ and q′ ∈ X}

◮ Time predecessors of X ⊆ Q:

Predδ(X) = {q ∈ Q | ∃t ≥ 0 | q

t

− − → q′ and q′ ∈ X}

◮ Zone = conjunction of triangular constraints

x − y < 3, x ≥ 2 ∧ 1 < y − x < 2

◮ State predicate (SP) P = ∪i∈[1..n](ℓji , Zi), ℓi ∈ L, Zi is a zone

(ℓ1, 2 ≤ x < 4) or (ℓ0, x < 1 ∧ y − x ≥ 2) or (ℓ0, x ≤ 2) ∪ (ℓ2, x > 0)

Effectiveness of Preda and Predδ

If P is a SP then Preda(P), Predδ(P) are SP and can be computed

• effectively. (There is a symbolic version of Preda and Predδ.)

MSR’05 (Autrans, France) Control of Timed Systems 19 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic States

◮ Q = L × RClock ≥0

a the set of states of the TGA q = (ℓ, v) ∈ Q

◮ Discrete predecessors of X ⊆ Q by an action a:

Preda(X) = {q ∈ Q | q

a

− − → q′ and q′ ∈ X}

◮ Time predecessors of X ⊆ Q:

Predδ(X) = {q ∈ Q | ∃t ≥ 0 | q

t

− − → q′ and q′ ∈ X}

◮ Zone = conjunction of triangular constraints

x − y < 3, x ≥ 2 ∧ 1 < y − x < 2

◮ State predicate (SP) P = ∪i∈[1..n](ℓji , Zi), ℓi ∈ L, Zi is a zone

(ℓ1, 2 ≤ x < 4) or (ℓ0, x < 1 ∧ y − x ≥ 2) or (ℓ0, x ≤ 2) ∪ (ℓ2, x > 0)

Effectiveness of Preda and Predδ

If P is a SP then Preda(P), Predδ(P) are SP and can be computed

• effectively. (There is a symbolic version of Preda and Predδ.)

MSR’05 (Autrans, France) Control of Timed Systems 19 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic States

◮ Q = L × RClock ≥0

a the set of states of the TGA q = (ℓ, v) ∈ Q

◮ Discrete predecessors of X ⊆ Q by an action a:

Preda(X) = {q ∈ Q | q

a

− − → q′ and q′ ∈ X}

◮ Time predecessors of X ⊆ Q:

Predδ(X) = {q ∈ Q | ∃t ≥ 0 | q

t

− − → q′ and q′ ∈ X}

◮ Zone = conjunction of triangular constraints

x − y < 3, x ≥ 2 ∧ 1 < y − x < 2

◮ State predicate (SP) P = ∪i∈[1..n](ℓji , Zi), ℓi ∈ L, Zi is a zone

(ℓ1, 2 ≤ x < 4) or (ℓ0, x < 1 ∧ y − x ≥ 2) or (ℓ0, x ≤ 2) ∪ (ℓ2, x > 0)

Effectiveness of Preda and Predδ

If P is a SP then Preda(P), Predδ(P) are SP and can be computed

• effectively. (There is a symbolic version of Preda and Predδ.)

MSR’05 (Autrans, France) Control of Timed Systems 19 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X t Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Y u X t′ t − t′ Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Y u X t′ t − t′ Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Y u X t′ t − t′ Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Symbolic Computation For Timed Games

X is a state predicate

◮ cPred(X) = c∈Actc Predc(X)

uPred(X) =

u∈Actu Predu(X)

cPred and uPred are effectively computable

◮ Predδ(X, Y ): Time controllable predecessors of X avoiding Y :

q q′ ∈ X Y u X t′ t − t′ Predδ(X, Y ) is effectively computable for state predicates X, Y

◮ Controllable Predecessors Operator:

πδ(X) = Predδ

• cPred(X), uPred(X)
• πδ(X) is effectively computable for state predicate X.

MSR’05 (Autrans, France) Control of Timed Systems 20 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Solving CP and CSP for Safety Timed Games

Symbolic Algorithm for Safety Timed Games

1 let ϕ be a State Predicate, G a timed game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ πδ(X) 3 W ∗ is the set of winning states for (G, ϕ) MSR’05 (Autrans, France) Control of Timed Systems 21 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Solving CP and CSP for Safety Timed Games

Symbolic Algorithm for Safety Timed Games

1 let ϕ be a State Predicate, G a timed game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ πδ(X) 3 W ∗ is the set of winning states for (G, ϕ)

◮ CP: check that (ℓ0, 0) ∈ W ∗ ◮ CSP: by def. of πδ there is a strategy

MSR’05 (Autrans, France) Control of Timed Systems 21 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Solving CP and CSP for Safety Timed Games

Symbolic Algorithm for Safety Timed Games

1 let ϕ be a State Predicate, G a timed game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ πδ(X) 3 W ∗ is the set of winning states for (G, ϕ)

Theorem (Termination [Maler, 95, De Alfaro, 01])

The iterative computation of W ∗ terminates for (G, ϕ) with G a timed game automaton ϕ a ω-regular control objective.

MSR’05 (Autrans, France) Control of Timed Systems 21 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Solving CP and CSP for Safety Timed Games

Symbolic Algorithm for Safety Timed Games

1 let ϕ be a State Predicate, G a timed game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ πδ(X) 3 W ∗ is the set of winning states for (G, ϕ)

Theorem (Termination [Maler, 95, De Alfaro, 01])

The iterative computation of W ∗ terminates for (G, ϕ) with G a timed game automaton ϕ a ω-regular control objective.

Theorem (Decidability of CP [Maler, 95, De Alfaro, 01])

The (Safety) Control Problem is decidable for Timed Game Automata.

MSR’05 (Autrans, France) Control of Timed Systems 21 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Solving CP and CSP for Safety Timed Games

Symbolic Algorithm for Safety Timed Games

1 let ϕ be a State Predicate, G a timed game 2 let W ∗ be the greatest fixpoint of h(X) = ϕ ∩ πδ(X) 3 W ∗ is the set of winning states for (G, ϕ)

Theorem (Termination [Maler, 95, De Alfaro, 01])

The iterative computation of W ∗ terminates for (G, ϕ) with G a timed game automaton ϕ a ω-regular control objective.

Theorem (Decidability of CP [Maler, 95, De Alfaro, 01])

The (Safety) Control Problem is decidable for Timed Game Automata.

Theorem (Effectiveness of CSP)

If (ℓ0, 0) ∈ W ∗ we can compute a positional winning strategy.

MSR’05 (Autrans, France) Control of Timed Systems 21 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

Skip MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u

• —•—•—•—•

1 2 3 4

• —•—•—•—•—•

1 2 3 4 5

• —•—•—•—•—•

1 2 3 4 5

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3]

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3] K1 [z ≤ 3]

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3] K1 [z ≤ 3] K2 [2 ≤ z ≤ 5]

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3] K1 [z ≤ 3] K2 [2 ≤ z ≤ 5] z ≤ 3; c1

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3] K1 [z ≤ 3] K2 [2 ≤ z ≤ 5] z ≤ 3; c1 c2 z ≥ 2

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3] K1 [z ≤ 3] K2 [2 ≤ z ≤ 5] z ≤ 3; c1 c2 z ≥ 2 c3; z := 0

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u (ℓ0, 0 ≤ x ≤ 3) (ℓ1, 0 ≤ x ≤ 3) (ℓ2, 2 ≤ x ≤ 5) z := 0 K0 [z ≤ 3] K1 [z ≤ 3] K2 [2 ≤ z ≤ 5] z ≤ 3; c1 c2 z ≥ 2 c3; z := 0 u u u

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Example of Computation

x := 0 ℓ0 [x ≤ 4] ℓ1 [x ≤ 5] ℓ2 [x ≤ 5] Bad x ≤ 4; c1 c2 c3; x := 0 x < 2; u x > 3;u z := 0 K0 [z ≤ 3] K1 [z ≤ 3] K2 [2 ≤ z ≤ 5] z ≤ 3; c1 c2 z ≥ 2 c3; z := 0 u u u The Most Liberal Controller

MSR’05 (Autrans, France) Control of Timed Systems 22 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (I)

x := 0 y := 0 ℓ0 Bad y > 0 c; y := 0 x ≥ 1;u The System The Controller is Zeno !!!

MSR’05 (Autrans, France) Control of Timed Systems 23 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (I)

x := 0 y := 0 ℓ0 Bad y > 0 c; y := 0 x ≥ 1;u The System x′ = 0 y′ := 0 K0 y′ > 0 ∧ x′ < 1 c ; y′ := 0 The Controller The Controller is Zeno !!!

MSR’05 (Autrans, France) Control of Timed Systems 23 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (I)

x := 0 y := 0 ℓ0 Bad y > 0 c; y := 0 x ≥ 1;u The System x′ = 0 y′ := 0 K0 y′ > 0 ∧ x′ < 1 c ; y′ := 0 The Controller The Controller is Zeno !!!

MSR’05 (Autrans, France) Control of Timed Systems 23 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (II)

x :=]0, 1[ y := 0 [x ≤ 2] ℓ0 ℓ1 ℓ2 Bad x = 1 x := 0 a y = 1 z := 0 b z > 0 y := 0 c d; x ≥ 1 d x ≥ 1

◮ Let δi : time spent in ℓ2 on loop i ◮ The controller must ensure: i=+∞ i=0

δi < x0 − y0 The Controller is Non-Zeno but not Implementable !!!

MSR’05 (Autrans, France) Control of Timed Systems 24 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (II)

x :=]0, 1[ y := 0 [x ≤ 2∧x ≤ 1] ℓ0 ℓ1 [y ≤ 1] ℓ2 [x < 1] Bad x = 1 x := 0 a y = 1∧x < 1 z := 0 b z > 0 y := 0 c d; x ≥ 1 d x ≥ 1

◮ Let δi : time spent in ℓ2 on loop i ◮ The controller must ensure: i=+∞ i=0

δi < x0 − y0 The Controller is Non-Zeno but not Implementable !!!

MSR’05 (Autrans, France) Control of Timed Systems 24 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (II)

x :=]0, 1[ y := 0 [x ≤ 2∧x ≤ 1] ℓ0 ℓ1 [y ≤ 1] ℓ2 [x < 1] Bad x = 1 x := 0 a y = 1∧x < 1 z := 0 b z > 0 y := 0 c d; x ≥ 1 d x ≥ 1

◮ Let δi : time spent in ℓ2 on loop i ◮ The controller must ensure: i=+∞ i=0

δi < x0 − y0 The Controller is Non-Zeno but not Implementable !!!

MSR’05 (Autrans, France) Control of Timed Systems 24 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (II)

x :=]0, 1[ y := 0 [x ≤ 2∧x ≤ 1] ℓ0 ℓ1 [y ≤ 1] ℓ2 [x < 1] Bad x = 1 x := 0 a y = 1∧x < 1 z := 0 b z > 0 y := 0 c d; x ≥ 1 d x ≥ 1

◮ Let δi : time spent in ℓ2 on loop i ◮ The controller must ensure: i=+∞ i=0

δi < x0 − y0 The Controller is Non-Zeno but not Implementable !!!

MSR’05 (Autrans, France) Control of Timed Systems 24 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Problems with Dense-Time Control (II)

x :=]0, 1[ y := 0 [x ≤ 2∧x ≤ 1] ℓ0 ℓ1 [y ≤ 1] ℓ2 [x < 1] Bad x = 1 x := 0 a y = 1∧x < 1 z := 0 b z > 0 y := 0 c d; x ≥ 1 d x ≥ 1

◮ Let δi : time spent in ℓ2 on loop i ◮ The controller must ensure: i=+∞ i=0

δi < x0 − y0 The Controller is Non-Zeno but not Implementable !!!

MSR’05 (Autrans, France) Control of Timed Systems 24 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Outline

◮

Verification & Control

◮

Control of Finite Automata

◮

Timed Game Automata

◮

Symbolic Algorithms for Timed Game Automata

◮

Conclusion

MSR’05 (Autrans, France) Control of Timed Systems 25 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

Partial Conclusion

Assumptions:

◮ Timed systems with full observation ◮ Ideal controller that operates in dense-time

Results:

◮ Control Problem is decidable for ω-regular objectives ◮ Control Synthesis Problem is effective ◮ Positional (or Memoryless) strategies are sufficient

Advanced Topics:

◮ Partial Observability

Patricia

◮ Implementation

Karine

MSR’05 (Autrans, France) Control of Timed Systems 26 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

References

• R. Alur and D. Dill.

A theory of timed automata. Theoretical Computer Science B, 126:183–235, 1994. Luca De Alfaro, Thomas A. Henzinger, and Rupak Majumdar. Symbolic algorithms for infinite-state games. In Proc. 12th International Conference on Concurrency Theory (CONCUR’01), volume 2154 of LNCS, pages 536–550. Springer, 2001. Eugene Asarin, Oded Maler, Amir Pnueli, and Joseph Sifakis. Controller synthesis for timed automata. In Proc. IFAC Symposium on System Structure and Control, pages 469–474. Elsevier Science, 1998. Andrà c Arnold, Aymeric Vincent, and Igor Walukiewicz. Games for synthesis of controllers with partial observation. Theoretical Computer Science, 303(1):7–34,2003.

MSR’05 (Autrans, France) Control of Timed Systems 27 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

References (cont.)

J.R. Büchi and L.H. Landweber. Solving sequential conditions by finite-state operators.

• Trans. of the AMS; 138:295–311.

Franck Cassez, Thomas A. Henzinger, and Jean-François Raskin. A comparison of control problems for timed and hybrid systems. In Proc. 5th Int. Workshop on Hybrid Systems: Computation and Control (HSCC’02), volume 2289 of LNCS, pages 134–148. Springer, 2002. Oded Maler, Amir Pnueli, and Joseph Sifakis. On the synthesis of discrete controllers for timed systems. In Proc. 12th Annual Symposium on Theoretical Aspects of Computer Science (STACS’95), volume 900, pages 229–242. Springer, 1995.

MSR’05 (Autrans, France) Control of Timed Systems 28 / 32

Verification & Control Discrete Games Timed Games Symbolic Algorithms Conclusion

References (cont.)

P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete event processes. SIAM J. of Control and Optimization, 25:206–230, 1987 P.J. Ramadge and W.M. Wonham. The control of discrete event processes.

• Proc. of IEEE, 77:81–98, 1989

J.G. Thistle and W.M. Wonham. Control of infinite behavior of finite automata. SIAM J. of Control and Optimization, 32:1075–1097, 1994

MSR’05 (Autrans, France) Control of Timed Systems 29 / 32

Timed Automata [Alur & Dill’94]

A Timed Automaton A is a tuple (L, ℓ0, Act, X, inv, − →) where:

◮ L is a finite set of locations ◮ ℓ0 is the initial location ◮ X is a finite set of clocks ◮ Act is a finite set of actions ◮ −

→ is a set of transitions of the form ℓ

g , a , R

− − − − → ℓ′ with:

◮ ℓ, ℓ′ ∈ L, ◮ a ∈ Act ◮ a guard g which is a clock constraint over X ◮ a reset set R which is the set of clocks to be reset to 0

Clock constraints are boolean combinations of x ∼ k with x ∈ C and k ∈ Z and ∼∈ {≤, <}.

Back MSR’05 (Autrans, France) Control of Timed Systems 30 / 32

Semantics of Timed Automata

Let A = (L, ℓ0, Act, X, inv, − →) be a Timed Automaton. A state (ℓ, v) of A is in L × RX

≥0

The semantics of A is a Timed Transition System SA = (Q, q0, Act ∪ R≥0, − →) with:

◮ Q = L × RX ≥0 ◮ q0 = (ℓ0, 0) ◮ −

→ consists in: discrete transition: (ℓ, v)

a

→ (ℓ′, v′) ⇐ ⇒        ∃ ℓ

g , a , r

− − − − → ℓ′ ∈ A v | = g v′ = v[r ← 0] v′ | = inv(ℓ′) delay transition: (ℓ, v) d → (ℓ, v + d) ⇐ ⇒ d ∈ R≥0 ∧ v + d | = inv(ℓ)

Back MSR’05 (Autrans, France) Control of Timed Systems 31 / 32

Definition (Outcome in Timed Games)

Let G = (L, ℓ0, Act, X, E, inv) be a TGA and f a strategy over G. The

• utcome Outcome((ℓ, v), f ) of f from configuration (ℓ, v) in G is the

subset of Runs((ℓ, v), G) defined inductively by:

◮ (ℓ, v) ∈ Outcome((ℓ, v), f ), ◮ if ρ ∈ Outcome((ℓ, v), f ) then ρ′ = ρ e

− − → (ℓ′, v′) ∈ Outcome((ℓ, v), f ) if ρ′ ∈ Runs((ℓ, v), G) and one of the following three conditions hold:

1

e ∈ Actu,

2

e ∈ Actc and e = f (ρ),

3

e ∈ R≥0 and ∀0 ≤ e′ < e, ∃(ℓ′′, v ′′) ∈ (L × RX

≥0) s.t. last(ρ) e′

− − → (ℓ′′, v ′′) ∧ f (ρ

e′

− − → (ℓ′′, v ′′)) = λ.

◮ an infinite run ρ is in ∈ Outcome((ℓ, v), f ) if all the finite prefixes of ρ

are in Outcome((ℓ, v), f ).

MSR’05 (Autrans, France) Control of Timed Systems 32 / 32