Modelling and Verification: Timed Automata, A Formalism for Real-time Systems (lecture slides)



SLIDE 1

Modelling and Verification
Timed Automata: A Formalism for Real-time Systems

Sections: Timed Transition Systems; Timed Automata; Networks of Timed Automata; Equivalence Checking Problems; Regions and Region Graph.

Outline:
• Labelled transition systems with time
• Timed automata
• Timed and untimed bisimilarity
• Timed and untimed language equivalence
• Region graph and the reachability problem
• Networks of timed automata
• Model checking of timed automata

SLIDE 2

Need for Introducing Time Features

Timeouts in protocols:
• In CCS timeouts were modelled using nondeterminism.
• Enough to prove that the protocol is safe.
• Maybe too abstract for certain questions (What is the average time to deliver the message?).

Many real-life systems depend on timing:
• Real-time controllers (production lines, computers in cars, railway crossings).
• Embedded systems (mobile phones, remote controllers, digital watches).
• ...

SLIDE 3

Labelled Transition Systems with Time

Timed (labelled) transition system (TLTS)
A TLTS is a triple (Proc, Act, {--a--> | a ∈ Act}) where
• Proc is a set of states (or processes),
• Act = N ∪ R≥0 is a set of actions (consisting of labels and time-elapsing steps), and
• for every a ∈ Act, --a--> ⊆ Proc × Proc is a binary relation on states called the transition relation.

We write s --a--> s′ if a ∈ N and (s, s′) ∈ --a-->, and s --d--> s′ if d ∈ R≥0 and (s, s′) ∈ --d-->.

SLIDE 4

How Can One Describe Timed Transition Systems?

Syntax (unknown entity)  -->  Semantics (known entity)
CCS                      -->  Labelled Transition Systems
???                      -->  Timed Transition Systems

The missing syntax: Timed Automata [Alur, Dill'90], finite-state automata equipped with clocks.


SLIDE 8

Example: Light switch

Locations Off, Light and Bright, one clock x. Edges (as recoverable from the figure):
• Off --press, x:=0--> Light
• Light --press, x≤1.4--> Bright
• Light --press, x>1.4--> Off
• Bright --press--> Off

A second press within 1.4 time units of switching on makes the light bright; a later press switches it off.

SLIDE 9

Definition of TA: Clock Constraints

Let C = {x, y, . . .} be a finite set of clocks.

Set B(C) of clock constraints over C
B(C) is defined by the following abstract syntax
  g, g1, g2 ::= x ∼ n | x − y ∼ n | g1 ∧ g2
where x, y ∈ C are clocks, n ∈ N and ∼ ∈ {≤, <, =, >, ≥}.

Example: x ≤ 3 ∧ y > 0 ∧ y − x = 2

SLIDE 10

Clock Valuation

A clock valuation v is a function v : C → R≥0.

Let v be a clock valuation. Then
• v + d is a clock valuation for any d ∈ R≥0, defined by (v + d)(x) = v(x) + d for all x ∈ C;
• v[r] is a clock valuation for any r ⊆ C, defined by v[r](x) = 0 if x ∈ r, and v[r](x) = v(x) otherwise.


SLIDE 12

Evaluation of Clock Constraints

Evaluation of clock constraints (v |= g):
• v |= x < n iff v(x) < n
• v |= x ≤ n iff v(x) ≤ n
• v |= x = n iff v(x) = n
• . . .
• v |= x − y < n iff v(x) − v(y) < n
• v |= x − y ≤ n iff v(x) − v(y) ≤ n
• . . .
• v |= g1 ∧ g2 iff v |= g1 and v |= g2
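As an added example (not code from the slides), the following Python implements the definitions of slides 9, 10 and 12: a parser for B(C) constraints written in the slide notation, the valuation operations v + d and v[r], and the satisfaction relation v |= g. The names parse_constraint, satisfies, delay and reset are my own; clock values are stored as Fraction so that comparisons against the integer constants n are exact (with floats, 0.6 + 0.4 is not reliably equal to 1).

```python
from fractions import Fraction
import re

# Added example: evaluator for the clock constraints B(C),
#   g ::= x ~ n | x - y ~ n | g1 ∧ g2,
# plus the valuation operations v + d (delay) and v[r] (reset).
# A valuation is a dict clock -> Fraction.

COMPARE = {
    "<=": lambda a, b: a <= b,
    "<":  lambda a, b: a < b,
    "=":  lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    ">":  lambda a, b: a > b,
}

# accept the slide's own symbols as well as their ASCII spellings
NORMALISE = str.maketrans({"≤": "<=", "≥": ">=", "−": "-", "∧": "&"})

# one atom: a clock, optionally "- other clock", a comparison, a natural number
ATOM = re.compile(
    r"^\s*([A-Za-z]\w*)\s*(?:-\s*([A-Za-z]\w*)\s*)?(<=|>=|<|>|=)\s*(\d+)\s*$")


def parse_constraint(text):
    """Parse e.g. 'x ≤ 3 ∧ y > 0 ∧ y − x = 2' into atoms (x, y, op, n);
    y is None for an atom of the form x ~ n."""
    atoms = []
    for part in text.translate(NORMALISE).split("&"):
        m = ATOM.match(part)
        if m is None:
            raise ValueError(f"not a clock constraint atom: {part!r}")
        x, y, op, n = m.groups()
        atoms.append((x, y, op, int(n)))  # n ∈ N, as B(C) requires
    return atoms


def satisfies(v, atoms):
    """v |= g: x ~ n compares v(x) with n, x - y ~ n compares v(x) - v(y) with n,
    and a conjunction holds iff every atom holds."""
    for x, y, op, n in atoms:
        lhs = v[x] if y is None else v[x] - v[y]
        if not COMPARE[op](lhs, n):
            return False
    return True


def delay(v, d):
    """(v + d)(x) = v(x) + d for every clock: all clocks advance at the same rate."""
    d = Fraction(d)
    if d < 0:
        raise ValueError("time only moves forward")
    return {x: t + d for x, t in v.items()}


def reset(v, r):
    """v[r](x) = 0 if x ∈ r, v(x) otherwise."""
    return {x: (Fraction(0) if x in r else t) for x, t in v.items()}


def demo():
    """Take the slide's example constraint through a delay and a reset."""
    g = parse_constraint("x ≤ 3 ∧ y > 0 ∧ y − x = 2")
    v0 = {"x": Fraction(0), "y": Fraction(2)}
    v1 = delay(v0, Fraction(3, 2))   # x = 1.5, y = 3.5: a delay preserves y - x = 2
    v2 = reset(v1, {"x"})            # x = 0,   y = 3.5: the reset breaks y - x = 2
    v3 = delay(v1, 2)                # x = 3.5: x ≤ 3 now fails
    return [satisfies(v, g) for v in (v0, v1, v2, v3)]
```

demo() returns [True, True, False, False]: the difference constraint y − x = 2 survives any delay, because both clocks advance together, and is broken by a reset of one of them.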

SLIDE 13

Syntax of Timed Automata

Definition
A timed automaton over a set of clocks C and a set of labels N is a tuple (L, ℓ0, E, I) where
• L is a finite set of locations,
• ℓ0 ∈ L is the initial location,
• E ⊆ L × B(C) × N × 2^C × L is the set of edges, and
• I : L → B(C) assigns invariants to locations.

We usually write ℓ --g,a,r--> ℓ′ whenever (ℓ, g, a, r, ℓ′) ∈ E.

SLIDE 14

Example: Hammer

Locations free and busy, clocks x and y. Edges (as recoverable from the figure):
• free --start, x:=0, y:=0--> busy
• busy --hit, x≥1, x:=0--> busy
• busy --done, y≥5--> free

Consecutive hits are at least one time unit apart (x is reset at every hit), and the hammer becomes free again only once at least 5 time units have passed since it was started.

SLIDE 15

Semantics of Timed Automata

Let A = (L, ℓ0, E, I) be a timed automaton.

Timed transition system generated by A
T(A) = (Proc, Act, {--a--> | a ∈ Act}) where
• Proc is the collection of states of the form (ℓ, v) where ℓ is a location and v a valuation such that v |= I(ℓ),
• Act = N ∪ R≥0, and
• --> is defined as follows:
  – (ℓ, v) --a--> (ℓ′, v′) if there is (ℓ --g,a,r--> ℓ′) ∈ E such that v |= g and v′ = v[r] (since (ℓ′, v′) must itself be a state, also v′ |= I(ℓ′));
  – (ℓ, v) --d--> (ℓ, v + d) for all d ∈ R≥0 such that v |= I(ℓ) and v + d |= I(ℓ).

SLIDE 16

A timed automaton and a fragment of its associated TLTS

The automaton: a single location ℓ0 with invariant x ≤ 2 and one edge ℓ0 --a, x≤1, x:=0--> ℓ0.

Fragment of T(A) (states written (ℓ0, [x = value])):
• (ℓ0, [x = 0]) --0.6--> (ℓ0, [x = 0.6]) --0.4--> (ℓ0, [x = 1]) --0.3--> (ℓ0, [x = 1.3]) --0.7--> (ℓ0, [x = 2])
• (ℓ0, [x = 0]), (ℓ0, [x = 0.6]) and (ℓ0, [x = 1]) each have an a-transition to (ℓ0, [x = 0]): the guard x ≤ 1 holds and x is reset.
• (ℓ0, [x = 1.3]) and (ℓ0, [x = 2]) have no a-transition (the guard x ≤ 1 fails), and from (ℓ0, [x = 2]) no positive delay is possible because of the invariant x ≤ 2.
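The two rules of slide 15, as an added Python example (not code from the slides), applied to the automaton of the figure above. The names TimedAutomaton, run, figure_automaton and trace_fragment are assumptions of this example; guards and invariants are represented as Python predicates over a valuation (a dict clock -> Fraction) rather than as B(C) terms, and Fractions keep 0.6 + 0.4 exactly equal to 1.

```python
from fractions import Fraction

# Added example: the timed transition system T(A) of a timed automaton,
# generated on demand by the two rules of slide 15, for the automaton
# l0 (invariant x <= 2) with the single edge l0 --a, x<=1, x:=0--> l0.


class TimedAutomaton:
    """(L, l0, E, I): the locations are those mentioned in edges and invariants."""

    def __init__(self, clocks, l0, edges, invariants):
        self.clocks = clocks
        self.l0 = l0
        self.edges = edges            # tuples (src, guard, label, resets, dst)
        self.invariants = invariants  # dict location -> predicate on valuations

    def initial(self):
        """The initial state (l0, v0) with every clock at 0."""
        return (self.l0, {x: Fraction(0) for x in self.clocks})

    def action_successors(self, state):
        """All (a, (l', v')) with (l, v) --a--> (l', v'): an edge whose guard holds,
        its reset applied, and the target a state of T(A), i.e. v' |= I(l')."""
        loc, v = state
        out = []
        for src, guard, label, resets, dst in self.edges:
            if src == loc and guard(v):
                v2 = {x: (Fraction(0) if x in resets else t) for x, t in v.items()}
                if self.invariants[dst](v2):
                    out.append((label, (dst, v2)))
        return out

    def delay_successor(self, state, d):
        """(l, v) --d--> (l, v + d) if I(l) holds before and after the delay;
        None when the delay is not allowed."""
        loc, v = state
        v2 = {x: t + Fraction(d) for x, t in v.items()}
        if self.invariants[loc](v) and self.invariants[loc](v2):
            return (loc, v2)
        return None


def run(ta, steps):
    """Follow a sequence of steps (a number = delay, a string = action label)
    from the initial state; return the reached state, or None if some step is
    not enabled (guard false, or invariant violated by the delay)."""
    state = ta.initial()
    for step in steps:
        if isinstance(step, str):
            matches = [s for label, s in ta.action_successors(state) if label == step]
            if not matches:
                return None
            state = matches[0]   # deterministic here; in general one branch is chosen
        else:
            state = ta.delay_successor(state, step)
            if state is None:
                return None
    return state


def figure_automaton():
    """The automaton of the figure: l0, I(l0) = x <= 2, l0 --a, x<=1, x:=0--> l0."""
    return TimedAutomaton(
        clocks=["x"],
        l0="l0",
        edges=[("l0", lambda v: v["x"] <= 1, "a", {"x"}, "l0")],
        invariants={"l0": lambda v: v["x"] <= 2},
    )


def trace_fragment():
    """Reproduce the figure's delay chain 0.6, 0.4, 0.3, 0.7 and report, for each
    state on it, the value of x and whether an a-transition is enabled there."""
    ta = figure_automaton()
    state = ta.initial()
    report = [(state[1]["x"], bool(ta.action_successors(state)))]
    for d in (Fraction(6, 10), Fraction(4, 10), Fraction(3, 10), Fraction(7, 10)):
        state = ta.delay_successor(state, d)
        report.append((state[1]["x"], bool(ta.action_successors(state))))
    return report
```

trace_fragment() reports a enabled at x = 0, 0.6 and 1 and disabled at x = 1.3 and 2, exactly the figure; run(figure_automaton(), [2, Fraction(1, 10)]) returns None because the invariant x ≤ 2 forbids the last delay.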

SLIDE 17

Example: A small jobshop

Can you give a fragment of its associated TLTS?

SLIDE 18

Networks of Timed Automata

Timed Automata in Parallel

Intuition in CCS: (a.Nil | ā.Nil) \ {a}, where the two complementary actions synchronise. In timed automata the two sides of such a handshake are written a! (output) and a? (input).

Let C be a set of clocks and Chan a set of channels. We let Act = N ∪ R≥0 where
  N = {c! | c ∈ Chan} ∪ {c? | c ∈ Chan} ∪ {τ}.
Let Ai = (Li, ℓ0^i, Ei, Ii) be timed automata for 1 ≤ i ≤ n.

Networks of Timed Automata
We call A = A1 | A2 | · · · | An a network of timed automata.


SLIDE 20

Example: Hammer, Worker, Nail

Edges as recoverable from the figure.

H (hammer; clocks x, y):
• free --start?, x:=0, y:=0--> busy
• busy --hit!, x≥1, x:=0--> busy
• busy --done?, y≥5--> free

W (worker; clock z; invariant z ≤ 60 on location work):
• rest --start!, z:=0--> work
• work --done!, z≥10--> rest

N (nail):
• up --hit?--> half
• half --hit?--> down
• down --τ--> up (the τ edge leaves down; its target is not legible in the extracted figure and is read here as a return to up, i.e. a fresh nail)


SLIDE 23

Timed Transition System Generated by A = A1 | · · · | An

T(A) = (Proc, Act, {--a--> | a ∈ Act}) where
• Proc is the subset of (L1 × L2 × · · · × Ln) × (C → R≥0) consisting of states of the form ((ℓ1, ℓ2, . . . , ℓn), v) where ℓi is a location in Ai and v a clock valuation such that v |= ∧_k Ik(ℓk),
• Act = {τ} ∪ R≥0, and
• --> is defined as follows.

Internal step (a τ edge of one component Ai):
  ((ℓ1, . . . , ℓi, . . . , ℓn), v) --τ--> ((ℓ1, . . . , ℓ′i, . . . , ℓn), v′)
  if there is (ℓi --g,τ,r--> ℓ′i) ∈ Ei such that v |= g, v′ = v[r] and v′ |= Ii(ℓ′i) ∧ ∧_{k≠i} Ik(ℓk).

Delay (the shared clocks advance for all components at once):
  ((ℓ1, . . . , ℓn), v) --d--> ((ℓ1, . . . , ℓn), v + d)
  for all d ∈ R≥0 such that v |= ∧_k Ik(ℓk) and v + d |= ∧_k Ik(ℓk).

SLIDE 24

Continuation

Synchronisation (handshake on a channel a between two different components Ai and Aj):
  ((ℓ1, . . . , ℓi, . . . , ℓj, . . . , ℓn), v) --τ--> ((ℓ1, . . . , ℓ′i, . . . , ℓ′j, . . . , ℓn), v′)
  if i ≠ j and there are (ℓi --gi,a!,ri--> ℓ′i) ∈ Ei and (ℓj --gj,a?,rj--> ℓ′j) ∈ Ej such that
  v |= gi ∧ gj, v′ = v[ri ∪ rj] and v′ |= Ii(ℓ′i) ∧ Ij(ℓ′j) ∧ ∧_{k≠i,j} Ik(ℓk).

Note that the handshake is observed as τ: T(A) has only τ and delay transitions, so a! and a? never appear as labels of the network's transition system.

SLIDE 25

The light switch and a fast user

Switch (clock x; initial location Off):
• Off --press?, x:=0--> Light
• Light --press?, x≤14--> Bright
• Light --press?, x>14--> Off
• Bright --press?--> Off

User (clock y):
• U, invariant y ≤ 0: U --press!, y:=0--> U′
• U′, invariant y ≤ 3: U′ --press!, y=3, y:=0--> U′

The constants are integers here (14 instead of the 1.4 of slide 8), as B(C) only allows n ∈ N. The invariant y ≤ 0 forces the user to press immediately; afterwards the invariant y ≤ 3 together with the guard y = 3 makes the user press exactly every 3 time units.

SLIDE 26

A fragment of the TLTS for the previous network

(Clock values are omitted, as in the figure; every τ is a press!/press? handshake.)

(Off, U) --τ--> (Light, U′) --3--> (Light, U′) --τ--> (Bright, U′) --3--> (Bright, U′) --τ--> (Off, U′) --3--> (Off, U′) --τ--> (Light, U′) --3--> · · ·

At each press the switch moves Off → Light → Bright → Off: the press in Light happens with x = 3 ≤ 14, so it leads to Bright rather than back to Off.
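An added Python example (not the slides' code) of the network semantics of slides 23 and 24, run on the light switch and fast user of slide 25: internal τ steps, handshakes between a c! edge and a c? edge of two different components, and delays that every component's invariant must tolerate. The names Component, Network, switch_and_user and run are assumptions of this example; a! and a? are written as the strings "press!" and "press?", τ as "tau", and guards and invariants are Python predicates over the shared valuation.

```python
from fractions import Fraction

# Added example: the product construction for a network A1 | ... | An.
# Each component has its own locations and edges; the clock valuation
# (dict clock -> Fraction) is shared by all of them.


class Component:
    def __init__(self, name, l0, edges, invariants=None):
        self.name = name
        self.l0 = l0
        self.edges = edges                  # (src, guard, label, resets, dst)
        self.invariants = invariants or {}  # location -> predicate; absent = true

    def invariant(self, loc, v):
        return self.invariants.get(loc, lambda _: True)(v)


class Network:
    def __init__(self, clocks, components):
        self.clocks = clocks
        self.components = components

    def initial(self):
        return (tuple(c.l0 for c in self.components),
                {x: Fraction(0) for x in self.clocks})

    def all_invariants(self, locs, v):
        """v |= ∧_k I_k(l_k)."""
        return all(c.invariant(l, v) for c, l in zip(self.components, locs))

    def tau_successors(self, state):
        """Internal steps of one component and handshakes c!/c? of two different
        components; the network observes both as tau."""
        locs, v = state
        out = []
        for i, ci in enumerate(self.components):
            for si, gi, li, ri, di in ci.edges:
                if si != locs[i] or not gi(v):
                    continue
                if li == "tau":                         # internal step of A_i
                    self._move(out, locs, v, {i: di}, ri)
                elif li.endswith("!"):                  # c! in A_i needs c? in A_j, j != i
                    want = li[:-1] + "?"
                    for j, cj in enumerate(self.components):
                        if j == i:
                            continue
                        for sj, gj, lj, rj, dj in cj.edges:
                            if sj == locs[j] and lj == want and gj(v):
                                self._move(out, locs, v, {i: di, j: dj}, ri | rj)
        return out

    def _move(self, out, locs, v, targets, resets):
        """Apply the location changes and resets; keep the result only if every
        component's invariant holds in the new state (it must be in Proc)."""
        locs2 = tuple(targets.get(k, l) for k, l in enumerate(locs))
        v2 = {x: (Fraction(0) if x in resets else t) for x, t in v.items()}
        if self.all_invariants(locs2, v2):
            out.append((locs2, v2))

    def delay_successor(self, state, d):
        """All invariants must hold before and after the delay, otherwise None."""
        locs, v = state
        v2 = {x: t + Fraction(d) for x, t in v.items()}
        if self.all_invariants(locs, v) and self.all_invariants(locs, v2):
            return (locs, v2)
        return None


def switch_and_user():
    """The network of slide 25."""
    switch = Component("Switch", "Off", [
        ("Off",    lambda v: True,         "press?", {"x"},  "Light"),
        ("Light",  lambda v: v["x"] <= 14, "press?", set(),  "Bright"),
        ("Light",  lambda v: v["x"] > 14,  "press?", set(),  "Off"),
        ("Bright", lambda v: True,         "press?", set(),  "Off"),
    ])
    user = Component("User", "U", [
        ("U",  lambda v: True,        "press!", {"y"}, "U'"),
        ("U'", lambda v: v["y"] == 3, "press!", {"y"}, "U'"),
    ], invariants={"U": lambda v: v["y"] <= 0, "U'": lambda v: v["y"] <= 3})
    return Network(["x", "y"], [switch, user])


def run(net, steps):
    """Follow tau steps ("tau") and delays (numbers) from the initial state and
    return the list of location vectors visited; None if a step is not enabled."""
    state = net.initial()
    visited = [state[0]]
    for step in steps:
        if step == "tau":
            succ = net.tau_successors(state)
            if not succ:
                return None
            state = succ[0]            # this network is deterministic
        else:
            state = net.delay_successor(state, step)
            if state is None:
                return None
        visited.append(state[0])
    return visited
```

run(switch_and_user(), ["tau", 3, "tau", 3, "tau", 3, "tau"]) visits exactly the location vectors of the fragment on slide 26, and run(switch_and_user(), [1]) returns None because the invariant y ≤ 0 of U forbids any delay before the first press.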

SLIDE 27

The lazy Worker and his demanding Employer

SLIDE 28

Timed Bisimilarity

Let A1 and A2 be timed automata.

Timed Bisimilarity
We say that A1 and A2 are timed bisimilar iff the transition systems T(A1) and T(A2) generated by A1 and A2 are strongly bisimilar.

Remark: both --a--> for a ∈ N and --d--> for d ∈ R≥0 are considered as normal (visible) transitions.

SLIDE 29

Example of Timed Bisimilar Automata

Edges as recoverable from the figure (one clock x in each automaton):
• Left:  A --a, x=1--> B --a, x≤2, x:=0--> C
• Right: A′ --a, x=1, x:=0--> B′ --a, x≤1--> C′

In both automata the first a happens exactly at time 1 and the second a at most one time unit later: on the left x keeps running and the second guard is x ≤ 2, on the right x is reset at the first a and the second guard is x ≤ 1. The generated transition systems match step by step, delays included.

SLIDE 30

Example of Timed Non-Bisimilar Automata

Edges as recoverable from the figure (one clock x in each automaton):
• Left:  A --a, x≤1, x:=0--> B --a, x≤3--> C
• Right: A′ --a, x≤2, x:=0--> B′ --a, x≤3--> C′

A′ can delay 2 time units and still perform a, whereas after a delay of 2 the guard x ≤ 1 of A is false; the delay-2-then-a behaviour of A′ has no match in A, so the automata are not timed bisimilar.

SLIDE 31

Untimed Bisimilarity

Let A1 and A2 be timed automata. Let ε be a new (fresh) action.

Untimed Bisimilarity
We say that A1 and A2 are untimed bisimilar iff the transition systems T(A1) and T(A2) generated by A1 and A2, where every transition of the form --d--> for d ∈ R≥0 is replaced with --ε-->, are strongly bisimilar.

Remark: --a--> for a ∈ N is treated as a visible transition, while all --d--> for d ∈ R≥0 are labelled by the single visible action --ε-->.

Corollary
Any two timed bisimilar automata are also untimed bisimilar.


SLIDE 33

Timed Non-Bisimilar but Untimed Bisimilar Automata

The two automata of slide 30 again:
• Left:  A --a, x≤1, x:=0--> B --a, x≤3--> C
• Right: A′ --a, x≤2, x:=0--> B′ --a, x≤3--> C′

Renaming every delay to ε forgets how long was waited. In both automata a state can wait (ε), perform a while its guard still holds, wait again and perform the second a, with matching choices available at every step, so they are untimed bisimilar although, by slide 30, they are not timed bisimilar.

SLIDE 34

Decidability of Timed and Untimed Bisimilarity

Theorem [Cerans’92]
Timed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).

Theorem [Larsen, Wang’93]
Untimed bisimilarity for timed automata is decidable in EXPTIME (deterministic exponential time).


SLIDE 36

Timed Traces

Let A = (L, ℓ0, E, I) be a timed automaton over a set of clocks C and a set of labels N.

Timed Traces
A sequence (t1, a1)(t2, a2)(t3, a3) . . . where ti ∈ R≥0 and ai ∈ N is called a timed trace of A iff there is a transition sequence
  (ℓ0, v0) --d1--> · --a1--> · --d2--> · --a2--> · --d3--> · --a3--> · · ·
in A such that v0(x) = 0 for all x ∈ C and ti = ti−1 + di where t0 = 0.

Intuition: ti is the absolute time (time-stamp) at which ai happened, measured from the start of the automaton A.

SLIDE 37

Timed and Untimed Language Equivalence

The set of all timed traces of an automaton A is denoted by L(A) and called the timed language of A.

Theorem [Alur, Courcoubetis, Dill, Henzinger’94]
Timed language equivalence (the problem whether L(A1) = L(A2) for given timed automata A1 and A2) is undecidable.

We say that a1a2a3 . . . is an untimed trace of A iff there exist t1, t2, t3, . . . ∈ R≥0 such that (t1, a1)(t2, a2)(t3, a3) . . . is a timed trace of A.

Theorem [Alur, Dill’94]
Untimed language equivalence for timed automata is decidable.


SLIDE 39

Logic for Timed Automata in UPPAAL

Let φ and ψ be local properties (checkable locally in a given state).
Example: (H.busy ∧ W.rest ∧ 20 ≤ z ≤ 30)

UPPAAL can check the following formulae (a subset of TCTL):
• A[] φ: invariantly φ
• E<> φ: possibly φ
• A<> φ: always eventually φ
• E[] φ: potentially always φ
• φ --> ψ: φ always leads to ψ (the same as A[](φ ⇒ A<> ψ))

Legend: A and E are so-called path quantifiers, and [] and <> quantify over the states of a selected path.

SLIDE 40

Automatic Verification of Timed Automata

Fact
Even very simple timed automata generate timed transition systems with infinitely (even uncountably) many reachable states.

Question
Is any automatic verification approach (like bisimilarity checking, model checking or reachability analysis) possible at all?

Answer
Yes, using region graph techniques. Key idea: infinitely many clock valuations can be partitioned into finitely many equivalence classes.


SLIDE 43

Preliminaries

Let d ∈ R≥0. Then let ⌊d⌋ be the integer part of d, and let frac(d) be the fractional part of d. Any d ∈ R≥0 can now be written as d = ⌊d⌋ + frac(d).
Example: ⌊2.345⌋ = 2 and frac(2.345) = 0.345.

Let A be a timed automaton and x ∈ C be a clock. We define cx ∈ N as the largest constant with which the clock x is ever compared, either in the guards or in the invariants present in A.


SLIDE 45

Intuition

Let v, v′ : C → R≥0 be clock valuations. Let ∼ denote untimed bisimilarity of timed transition systems.

Our Aim
Define an equivalence relation ≡ over clock valuations such that
1. v ≡ v′ implies (ℓ, v) ∼ (ℓ, v′) for any location ℓ, and
2. ≡ has only finitely many equivalence classes.


SLIDE 49

Clock (Region) Equivalence

Equivalence Relation on Clock Valuations
Clock valuations v and v′ are equivalent (v ≡ v′) iff
1. for all x ∈ C such that v(x) ≤ cx or v′(x) ≤ cx we have ⌊v(x)⌋ = ⌊v′(x)⌋,
2. for all x ∈ C such that v(x) ≤ cx we have frac(v(x)) = 0 iff frac(v′(x)) = 0, and
3. for all x, y ∈ C such that v(x) ≤ cx and v(y) ≤ cy we have frac(v(x)) ≤ frac(v(y)) iff frac(v′(x)) ≤ frac(v′(y)).

SLIDE 50

Regions

Let v be a clock valuation. The ≡-equivalence class represented by v is denoted by [v] and defined by [v] = {v′ | v′ ≡ v}.

Definition of a Region
An ≡-equivalence class [v] represented by some clock valuation v is called a region.

Theorem
For every location ℓ and any two valuations v and v′ from the same region (v ≡ v′) it holds that (ℓ, v) ∼ (ℓ, v′), where ∼ stands for untimed bisimilarity.


slide-52
SLIDE 52

Timed Transition Systems Timed Automata Networks of Timed Automata Equivalence Checking Problems Regions and Region Graph Motivation Intuition Clock Equivalence Region Graph Zones and Zone Graphs

Symbolic States and Region Graph

state (ℓ, v)  ⟼  symbolic state (ℓ, [v])

Note: v ≡ v′ implies that (ℓ, [v]) = (ℓ, [v′]).

Region Graph
The region graph of a timed automaton A is an unlabelled (and untimed) transition system whose states are symbolic states. The relation ⟹ on symbolic states is defined as follows:

  (ℓ, [v]) ⟹ (ℓ′, [v′])  iff  (ℓ, v) −a→ (ℓ′, v′) for some label a
  (ℓ, [v]) ⟹ (ℓ, [v′])   iff  (ℓ, v) −d→ (ℓ, v′) for some d ∈ R≥0

Fact
A region graph of any timed automaton is finite.
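An added example (not code from the slides) that makes the region definition concrete: a canonical key for [v] under the standard Alur-Dill clock equivalence, which is assumed here to be the relation ≡ of the earlier slides, so that v ≡ v′ exactly when the keys agree, plus a brute-force count that illustrates the finiteness fact above for small maximal constants (one clock with maximal constant c = 2 gives 2c + 2 = 6 regions). The clock names, maximal constants and sample valuations are constructed for the example.

```python
from fractions import Fraction
from itertools import product

# Added example, not from the slides. It implements the standard Alur-Dill clock
# equivalence, assumed here to be the relation ≡ of the preceding slides: v ≡ v′
# iff for every clock x with maximal constant c_x both valuations agree on whether
# v(x) > c_x, on the integer part of v(x) and on whether its fractional part is 0,
# and both order the fractional parts of the bounded clocks in the same way.

def region_key(v, max_const):
    """Canonical description of [v]: equal keys <=> the valuations share a region."""
    per_clock, fracs = [], {}
    for x in sorted(max_const):
        val = Fraction(v[x])
        if val > max_const[x]:
            per_clock.append((x, "above max constant"))   # exact value is irrelevant
        else:
            ip, frac = divmod(val, 1)
            per_clock.append((x, int(ip), frac == 0))
            if frac != 0:
                fracs.setdefault(frac, set()).add(x)
    # bounded clocks grouped by equal fractional part, groups in increasing order
    ordering = tuple(frozenset(fracs[f]) for f in sorted(fracs))
    return (tuple(per_clock), ordering)

def same_region(v1, v2, max_const):
    return region_key(v1, max_const) == region_key(v2, max_const)

def count_regions(max_const):
    """Count the regions by sampling a grid fine enough to hit every one of them."""
    clocks = sorted(max_const)
    steps = len(clocks) + 1       # n distinct non-zero fractions k/(n+1) per clock
    grid = [[Fraction(k, steps) for k in range((max_const[x] + 1) * steps + 1)]
            for x in clocks]
    return len({region_key(dict(zip(clocks, vals)), max_const) for vals in product(*grid)})
```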



SLIDE 54


Partitioning of the valuations for a simple timed automaton


SLIDE 55


Symbolic exploration of the simple timed automaton


SLIDE 56


Application of Region Graphs to Reachability

We write (ℓ, v) → (ℓ′, v′) whenever (ℓ, v) −a→ (ℓ′, v′) for some label a, or (ℓ, v) −d→ (ℓ′, v′) for some d ∈ R≥0.

Reachability Problem for Timed Automata
Instance (input): Automaton A = (L, ℓ0, E, I) and a state (ℓ, v).
Question: Is it true that (ℓ0, v0) →∗ (ℓ, v) (where v0(x) = 0 for all x ∈ C)?

Reduction of Timed Automata Reachability to Region Graphs
Reachability for timed automata is decidable because (ℓ0, v0) →∗ (ℓ, v) in a timed automaton if and only if (ℓ0, [v0]) ⟹∗ (ℓ, [v]) in its (finite) region graph.



SLIDE 58


Applicability of Region Graphs

Pros
Region graphs provide a natural abstraction that makes it possible to prove decidability of, e.g.:
  • reachability
  • timed and untimed bisimilarity
  • untimed language equivalence and language emptiness.

Cons
Region graphs have too large state spaces. The state explosion is exponential in
  • the number of clocks
  • the maximal constants appearing in the guards.



SLIDE 60


Zones and Zone Graphs

Zones provide a more efficient representation of symbolic state spaces: a number of regions can be described by one zone.

Zone
A zone is described by a clock constraint g ∈ B(C):

  [g] = {v | v ⊨ g}

Region Graphs: symbolic state (ℓ, [v]), where v is a clock valuation.
Zone Graphs: symbolic state (ℓ, [g]), where g is a clock constraint.

A zone is usually represented (and stored in memory) as a DBM (Difference Bound Matrix).
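An added example (not code from the slides) serving both the reachability problem above and the zone representation: a minimal DBM with the closure, delay (up), reset and conjunction operations, used for a forward exploration of the zone graph of a small hypothetical timed automaton in which the location l2 (guarded by x ≥ 4) is never reached. No extrapolation of bounds is performed, so termination relies on the example's clocks being bounded by its invariants; a real checker normalises zones with respect to the maximal constants, as in the region construction.

```python
from collections import deque
# Added example (not from the slides): a minimal DBM (Difference Bound Matrix) and a
# forward zone-graph exploration of a small hypothetical timed automaton. Clock 0 is the
# reference clock; bound (m, 1) means "<= m", (m, 0) means "< m" (tuple order = tightness).
INF = (float("inf"), 0)
def LE(m): return (m, 1)
def canonical(D):  # Floyd-Warshall closure: the unique tightest DBM for a zone
    n, D = len(D), [row[:] for row in D]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                D[i][j] = min(D[i][j], (D[i][k][0] + D[k][j][0], D[i][k][1] & D[k][j][1]))
    return D
def empty(D): return any(D[i][i] < LE(0) for i in range(len(D)))  # canonical DBM only
def up(D):    # delay: drop the upper bounds x_i - x_0 <= m (a canonical DBM stays canonical)
    return [[INF if (j == 0 and i > 0) else D[i][j] for j in range(len(D))] for i in range(len(D))]

def reset(D, x):   # x := 0 on a canonical DBM: copy the reference clock's row and column
    D = [row[:] for row in D]
    for j in range(len(D)):
        if j != x: D[x][j], D[j][x] = D[0][j], D[j][0]
    return D

def conj(D, cons): # intersect with constraints (i, j, b), each meaning "x_i - x_j b"
    D = [row[:] for row in D]
    for i, j, b in cons:
        D[i][j] = min(D[i][j], b)
    return canonical(D)

X, Y = 1, 2        # clock indices; a lower bound x >= 1 is encoded as x_0 - x <= -1
# Hypothetical automaton: l0 -(x>=1, y:=0)-> l1 -(y>=1, x:=0)-> l0, and l1 -(x>=4)-> l2
EDGES = [("l0", [(0, X, LE(-1))], [Y], "l1"), ("l1", [(0, Y, LE(-1))], [X], "l0"),
         ("l1", [(0, X, LE(-4))], [], "l2")]
INV = {"l0": [(X, 0, LE(2))], "l1": [(Y, 0, LE(1))], "l2": []}

def reachable(edges=EDGES, inv=INV, init="l0", nclocks=2):   # set of reachable locations
    key = lambda loc, D: (loc, tuple(map(tuple, D)))
    Z = conj(up([[LE(0)] * (nclocks + 1) for _ in range(nclocks + 1)]), inv[init])  # {v0}, delay
    seen, todo = {key(init, Z)}, deque([(init, Z)])
    while todo:
        loc, D = todo.popleft()
        for _, guard, resets, dst in (e for e in edges if e[0] == loc):
            Dn = conj(D, guard)
            if empty(Dn): continue                           # guard unsatisfiable in D
            for x in resets: Dn = reset(Dn, x)
            Dn = conj(up(conj(Dn, inv[dst])), inv[dst])       # enter, delay, keep invariant
            if not empty(Dn) and key(dst, Dn) not in seen:
                seen.add(key(dst, Dn)); todo.append((dst, Dn))
    return {loc for loc, _ in seen}
```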

