Weak Singular Hybrid Automata Formal Modeling and Verification for - - PowerPoint PPT Presentation

Krishna S., Umang Mathur, Ashutosh Trivedi – 1 of 28

Weak Singular Hybrid Automata

Formal Modeling and Verification for Cyber-Physical Systems Krishna S. Umang Mathur Ashutosh Trivedi

Department of Computer Science and Engineering IIT Bombay, Mumbai, India

January 18, 2014

Krishna S., Umang Mathur, Ashutosh Trivedi – 2 of 28

Cyber-Physical Systems (CPS)

Medical Devices Avionics Energy Automobile

Krishna S., Umang Mathur, Ashutosh Trivedi – 3 of 28

Verification/Synthesis with Hybrid Automata

– Introduced by Alur et al. to model hybrid systems – Dynamics of physical variables are gives as ordinary differential equations – Quite expressive, but undecidable verification (reachability) problems – Decidable subclasses exists, e.g.

– Initialized Rectangular Hybrid automata (Henzinger et al.), – Hybrid Automata with Strong Resets (Bouyer et al.), – Piecewise constant derivative systems (Asarin, Maler, and Pnueli), – Multi-Mode Systems (Alur, Trivedi, Wojtczak)

– Tool support: HyTECH, PHAVer

˙ x1 = 0 ˙ x2 = 0 m0 ˙ x1 = 2 ˙ x2 = 2 m1 1 < x2 < 3 ˙ x1 = −2 ˙ x2 = −2 m2 2 ≤ x1 < 6 ˙ x1 = −1 ˙ x2 = −1 m3 x1 < 0, a, {x2} x2 > 0, b x1 < 22, c d e

Figure: A Hybrid Automata

Krishna S., Umang Mathur, Ashutosh Trivedi – 4 of 28

Introduction Green Scheduling Weak Singular Hybrid Automata Syntax and Semantics Reachability and Schedulability Temporal Logic Model Checking Extending WSHA Summary

Krishna S., Umang Mathur, Ashutosh Trivedi – 5 of 28

Peak Demand Reduction in Energy Usage

• 1. Absence of bulk energy storage technology
• 2. Base-load vs peaking power plants
• 3. Energy peaks are expensive:

– For environment (peaking power plants are typically fossil-fueled ) – For energy providers – For customers (peak power pricing)

• 4. Energy peaks are often avoidable:

– Extreme weather and energy peaks – Heating, Ventilation, and Air-conditioning (HVAC) Units

• 5. Load-balancing methods:

– Load shedding – Load shifting – Green scheduling

Krishna S., Umang Mathur, Ashutosh Trivedi – 6 of 28

Green Scheduling

Zones \ HVAC Units Modes HIGH LOW OFF X (Temp. Change Rate/ Energy Usage)

• 2/3
• 1/2

2/0.2 Y (Temp. Change Rate/ Energy Usage)

• 2/3
• 1/2

3/0.2 – Assume that comfortable temperature range is 65oF to 70oF. – Energy is extremely expensive if peak demand dips above 4 units in a billing period

Krishna S., Umang Mathur, Ashutosh Trivedi – 6 of 28

Green Scheduling

Zones \ HVAC Units Modes HIGH LOW OFF X (Temp. Change Rate/ Energy Usage)

• 2/3
• 1/2

2/0.2 Y (Temp. Change Rate/ Energy Usage)

• 2/3
• 1/2

3/0.2 – Assume that comfortable temperature range is 65oF to 70oF. – Energy is extremely expensive if peak demand dips above 4 units in a billing period

Problem

Find an “implementable” switching schedule that keeps the temperatures within comfort zone and peak usage within 4 units?

Krishna S., Umang Mathur, Ashutosh Trivedi – 7 of 28

Green Scheduling: Contd

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe Schedulability Problem

Does there exist a switching schedule using these modes such that the temperatures

• f all zones stays in comfortable region?

Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28

Multi-mode Systems: Safe Schedulability

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0

Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28

Multi-mode Systems: Safe Schedulability

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 67 67 s1 (m2, 1)

Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28

Multi-mode Systems: Safe Schedulability

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 67 67 s1 (m2, 1) 66 70 s2 (m3, 1)

Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28

Multi-mode Systems: Safe Schedulability

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 67 67 s1 (m2, 1) 66 70 s2 (m3, 1) 68 68 s3 (m4, 1)

Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28

Multi-mode Systems: Safe Schedulability

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 67 67 s1 (m2, 1) 66 70 s2 (m3, 1) 68 68 s3 (m4, 1) 67 67 s4 (m2, 1) · · ·

Krishna S., Umang Mathur, Ashutosh Trivedi – 8 of 28

Multi-mode Systems: Safe Schedulability

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 67 67 s1 (m2, 1) 66 70 s2 (m3, 1) 68 68 s3 (m4, 1) 67 67 s4 (m2, 1) · · ·

Krishna S., Umang Mathur, Ashutosh Trivedi – 9 of 28

Multi-mode Systems: Zeno schedule

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 68 68 s1 (m2, 0) 68 68 s2 (m3, 0) 68 68 s3 (m4, 0) 68 68 s4 (m2, 0) · · · Zeno Schedule

Krishna S., Umang Mathur, Ashutosh Trivedi – 10 of 28

Multi-mode Systems: Zeno schedule

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70] 68 68 x y s0 67 67 s1 (m2, 1) 66.5 68.5 s2 (m3, 1

2)

67 68 s3 (m4, 1

4)

66.875 67.875 s4 (m2, 1

8)

· · · Zeno Schedule

Krishna S., Umang Mathur, Ashutosh Trivedi – 11 of 28

Definition

Definition (Constant-Rate Multi-Mode Systems: MMS)

A MMS is a tuple H = (M, n, R) where – M is a finite nonempty set of modes, – n is the number of continuous variables, – R : M → Rn gives for each mode the rate vector, – S ⊆ Rn is a bounded convex set of safe states.

Safe Schedulability Problem

Given a multi-mode system and a starting state, decide whether there exists a non-Zeno safe schedule.

Safe Reachability Problem

Given a multi-mode system, a starting state and a target state, decide whether there exists a safe schedule from starting state to target state.

Krishna S., Umang Mathur, Ashutosh Trivedi – 12 of 28

Key Results

Theorem (Alur et. al)

Safe schedulability can be solved in polynomial time.

Theorem (Alur et. al)

Safe reachability problem can be solved in polynomial time if both starting and target states are in the interior of safety set. Both the problems essentially boil down to solving a linear program polynomial in size of the inputs.

Krishna S., Umang Mathur, Ashutosh Trivedi – 13 of 28

Safe Schedulability Problem: Geometry

˙ x = −2 ˙ y = 3 m1 ˙ x = −1 ˙ y = −1 m2 ˙ x = −1 ˙ y = 3 m3 ˙ x = 2 ˙ y = −2 m4 ˙ x = 2 ˙ y = −1 m5 ˙ x = 2 ˙ y = 3 m6

Safe set: x ∈ [65, 70], y ∈ [65, 70]

m1 (−2, 3) m4 (2, −2) m6 (2, 3) m2 (−1, −1) m3 (−1, 3) m5 (2, −1)

Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28

Safe Schedulability Problem: Geometry

s1

m6 m3 m1 m2 m4 m5

Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28

Safe Schedulability Problem: Geometry

s1

m6 m3 m1 m2 m4 m5

Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28

Safe Schedulability Problem: Geometry

s1

m6 m3 m1 m2 m4 m5

Krishna S., Umang Mathur, Ashutosh Trivedi – 14 of 28

Safe Schedulability Problem: Geometry

s1

m6 m3 m1 m2 m4 m5

s2

Krishna S., Umang Mathur, Ashutosh Trivedi – 15 of 28

Safe Schedulability Problem: Interior Case

Theorem

Assume that the starting state lies in the interior of the safety set. A safe non-Zeno schedule exists if and only if

|M|

X

i=1

R(i) · fi =

|M|

X

i=1

fi = 1. for some f1, f2, . . . , f|M| ≥ 0. Moreover, such a schedule is periodic.

Krishna S., Umang Mathur, Ashutosh Trivedi – 16 of 28

Reachability Problem: Geometry

s1

m6 m3 m1 m2 m4 m5

s5

Krishna S., Umang Mathur, Ashutosh Trivedi – 16 of 28

Reachability Problem: Geometry

s2

m6 m3 m1 m2 m4 m5

s3 s1 s5

Krishna S., Umang Mathur, Ashutosh Trivedi – 17 of 28

Safe Reachability Problem

Theorem

Assume that the starting state s0 and the target state st lie in the interior of the safety set. A safe schedule exists from s0 to st exists if and only if s0 +

|M|

X

i=1

R(i) · ti = st for some t1, t2, . . . , t|M| ≥ 0.

Krishna S., Umang Mathur, Ashutosh Trivedi – 18 of 28

Thumb Rules: Schedulability

The following is feasible:

|M|

X

i=1

R(i) · fi = 0 and

|M|

X

i=1

fi = 1 Or, the following in infeasible: (v1, v2, . . . , vn)·R(i) > 0 for all modes i.

m1 (−2, 3) m4 (2, −2) m6 (2, 3) m2 (−1, −1) m3 (−1, 3) m5 (2, −1)

Krishna S., Umang Mathur, Ashutosh Trivedi – 18 of 28

Thumb Rules: Schedulability

The following is feasible:

|M|

X

i=1

R(i) · fi = 0 and

|M|

X

i=1

fi = 1 Or, the following in infeasible: (v1, v2, . . . , vn)·R(i) > 0 for all modes i.

m1 (−2, 3) m4 (2, −2) m6 (2, 3) m3 (−1, 3) m5 (2, −1)

Krishna S., Umang Mathur, Ashutosh Trivedi – 19 of 28

Thumb Rules: Reachability

The following is feasible: s0 +

|M|

X

i=1

R(i) · ti = st

s0 st R1 R2

Krishna S., Umang Mathur, Ashutosh Trivedi – 20 of 28

Introduction Green Scheduling Weak Singular Hybrid Automata Syntax and Semantics Reachability and Schedulability Temporal Logic Model Checking Extending WSHA Summary

Krishna S., Umang Mathur, Ashutosh Trivedi – 21 of 28

Motivation

Weak Singular Hybrid Automata

– Singular hybrid automata with an ordering on the states – States with same order form a multimode system – Decidable reachability (NP-complete), schedulability (NP-Complete), and LTL model-checking (PSPACE-complete) problems

Krishna S., Umang Mathur, Ashutosh Trivedi – 22 of 28

Syntax of WSHA

A weak singular hybrid automaton is a tuple H = (M, M0, Σ, X, ∆, I, F) where – M is a finite set of control modes and M0 ⊆ M, – Σ is a finite set of actions, – X is an (ordered) set of variables, – ∆ ⊆ M × poly(X) × Σ × 2X × M is the transition relation, – I : M → poly(X) is the mode-invariant function, and – F : M → Q|X| is the mode-dependent flow function characterizing the rate of each variable in each mode.

Krishna S., Umang Mathur, Ashutosh Trivedi – 22 of 28

Syntax of WSHA

A weak singular hybrid automaton is a tuple H = (M, M0, Σ, X, ∆, I, F) where – M is a finite set of control modes and M0 ⊆ M, – Σ is a finite set of actions, – X is an (ordered) set of variables, – ∆ ⊆ M × poly(X) × Σ × 2X × M is the transition relation, – I : M → poly(X) is the mode-invariant function, and – F : M → Q|X| is the mode-dependent flow function characterizing the rate of each variable in each mode. Function ̺ : M → N assigning ranks to the modes such that – for every transition (m, G, a, R, m′) ∈ ∆, ̺(m) ≤ ̺(m′), and – for every rank i the set of modes with rank i

– has a common safety set Si which is a bounded and open polytope (problems with boundaries) – is strongly connected with no resets or guards

Krishna S., Umang Mathur, Ashutosh Trivedi – 23 of 28

Semantics of WSHA

– A configuration (m, ν) and a timed action (t, a) – A transition ((m, ν)(t, a)(m′, ν′))

– time elapse of t in mode m starting from ν, followed by discrete step a – guards, resets, invariants

– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · ·

Krishna S., Umang Mathur, Ashutosh Trivedi – 23 of 28

Semantics of WSHA

– A configuration (m, ν) and a timed action (t, a) – A transition ((m, ν)(t, a)(m′, ν′))

– time elapse of t in mode m starting from ν, followed by discrete step a – guards, resets, invariants

– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · · – Type Γ(r) of a finite run r = (m0, ν0), (t1, a1), (m1, ν1), . . . , (mk, νk) is a sequence n0, b1, n1, . . . , bp, np defined as: Γ(r) = ( ̺(m0) if r = (m0, ν0) Γ(r′) ⊕ (a, ̺(m)) if r = r′ :: (t, a), (m, ν),

Krishna S., Umang Mathur, Ashutosh Trivedi – 23 of 28

Semantics of WSHA

– A configuration (m, ν) and a timed action (t, a) – A transition ((m, ν)(t, a)(m′, ν′))

– time elapse of t in mode m starting from ν, followed by discrete step a – guards, resets, invariants

– A run is a sequence of transitions (m0, ν0)(t1, a1)(m1, ν1)(t2, a2) · · · – Type Γ(r) of a finite run r = (m0, ν0), (t1, a1), (m1, ν1), . . . , (mk, νk) is a sequence n0, b1, n1, . . . , bp, np defined as: Γ(r) = ( ̺(m0) if r = (m0, ν0) Γ(r′) ⊕ (a, ̺(m)) if r = r′ :: (t, a), (m, ν), – Any run (finite/infinite) will only have a finite run type: there are only finitely many connected components, all sharing a partial order

Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28

Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata are NP-complete.

Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28

Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata are NP-complete. – NP-Membership:

Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28

Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata are NP-complete. – NP-Membership:

– All run-types are polynomial in size of the WSHA.

Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28

Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata are NP-complete. – NP-Membership:

– All run-types are polynomial in size of the WSHA. – Checking whether a run type σ = n0, b1, n1, . . . , bp, np is reachable/schedulable amounts to checking the feasibility of a linear program (νni, ν′

ni ∈ R|X| and

tm

i

∈ R≥0 are variables):

Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28

Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata are NP-complete. – NP-Membership:

– All run-types are polynomial in size of the WSHA. – Checking whether a run type σ = n0, b1, n1, . . . , bp, np is reachable/schedulable amounts to checking the feasibility of a linear program (νni, ν′

ni ∈ R|X| and

tm

i

∈ R≥0 are variables):

ν0 = νn0 ν′

np

∈ T νni, ν′

ni

∈ SMni for all 0 ≤ i ≤ p νni ∈ G(bi) for all 0 < i ≤ p νni+1(j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p νni+1(j) = ν′

ni(j) for allxj ∈ R(bi+1)

and 0 < i ≤ p ν′

ni

= νni + X

m∈Mni

F(m) · tm

i

for all 0 ≤ i ≤ p tm

i

≥ 0 for all 0 ≤ i ≤ p and m ∈ Mni

Krishna S., Umang Mathur, Ashutosh Trivedi – 24 of 28

Reachability and Schedulability

Theorem

The reachability and schedulability problems for weak singular hybrid automata are NP-complete. – NP-Membership:

– All run-types are polynomial in size of the WSHA. – Checking whether a run type σ = n0, b1, n1, . . . , bp, np is reachable/schedulable amounts to checking the feasibility of a linear program (νni, ν′

ni ∈ R|X| and

tm

i

∈ R≥0 are variables):

ν0 = νn0 ν′

np

∈ T νni, ν′

ni

∈ SMni for all 0 ≤ i ≤ p νni ∈ G(bi) for all 0 < i ≤ p νni+1(j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p νni+1(j) = ν′

ni(j) for allxj ∈ R(bi+1)

and 0 < i ≤ p ν′

ni

= νni + X

m∈Mni

F(m) · tm

i

for all 0 ≤ i ≤ p tm

i

≥ 0 for all 0 ≤ i ≤ p and m ∈ Mni ν0 = νn0 νni, ν′

ni

∈ SMni for all 0 ≤ i ≤ p νni ∈ G(bi) for all 0 < i ≤ p νni+1(j) = 0 for all xj ∈ R(bi+1) and 0 < i ≤ p νni+1(j) = ν′

ni(j) for all xj ∈ R(bi+1) and 0 < i ≤ p

ν′

ni

= νni + X

m∈Mni

F(m) · tm

i

for all 0 ≤ i ≤ p tm

i

≥ 0 for all 0 ≤ i ≤ p and m ∈ Mni

• =

X

m∈Mnp

F(m) · tm

p

1 = X

m∈Mnp

tm

p

Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28

Reachability and Schedulability (contd.)

– NP Hardness:

Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28

Reachability and Schedulability (contd.)

– NP Hardness:Reduction from Subset-sum problem (Reachability) .

Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28

Reachability and Schedulability (contd.)

– NP Hardness:Reduction from Subset-sum problem (Reachability) .

m0 (1, 1, 2, −3, 0, 0) m1 (0, −1, 0, 0, 1, 1) m3 (0, 0, −2, 0, 2, 1) m5 (0, 0, 0, 3, −3, 1) m2 (0, −1, 0, 0, 0, 0) m4 (0, 0, −2, 0, 0, 0) m6 (0, 0, 0, 3, 0, 0)

Figure: Constructed WSHA for set {1, 2, −3}

Krishna S., Umang Mathur, Ashutosh Trivedi – 25 of 28

Reachability and Schedulability (contd.)

– NP Hardness:Reduction from Subset-sum problem (Reachability) .

m0 (1, 1, 2, −3, 0, 0) m1 (0, −1, 0, 0, 1, 1) m3 (0, 0, −2, 0, 2, 1) m5 (0, 0, 0, 3, −3, 1) m2 (0, −1, 0, 0, 0, 0) m4 (0, 0, −2, 0, 0, 0) m6 (0, 0, 0, 3, 0, 0)

Figure: Constructed WSHA for set {1, 2, −3}

– Schedulability: Reachability to the last strongly connected component and multi-mode scheduling there

Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28

Temporal Logic Model Checking

LTL Model Checking: Just the best !

Theorem

The LTL model-checking problem for WSHA is PSPACE-complete.

Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28

Temporal Logic Model Checking

LTL Model Checking: Just the best !

Theorem

The LTL model-checking problem for WSHA is PSPACE-complete. – LTL property φ → B¨ uchi automata A¬φ – Product of a weak SHA H and A¬φ remains WSHA (since variables occur only in the WSHA). – Standard polynomial space algorithm can be used. – PSPACE-hardness of the problem follows from PSPACE-completeness of LTL model checking over finite automata

Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28

Temporal Logic Model Checking

LTL Model Checking: Just the best !

Theorem

The LTL model-checking problem for WSHA is PSPACE-complete. – LTL property φ → B¨ uchi automata A¬φ – Product of a weak SHA H and A¬φ remains WSHA (since variables occur only in the WSHA). – Standard polynomial space algorithm can be used. – PSPACE-hardness of the problem follows from PSPACE-completeness of LTL model checking over finite automata CTL Model Checking: Not so easy !

Theorem

CTL model checking of weak SHAs with two clock variables is PSPACE-hard.

Krishna S., Umang Mathur, Ashutosh Trivedi – 26 of 28

Temporal Logic Model Checking

LTL Model Checking: Just the best !

Theorem

The LTL model-checking problem for WSHA is PSPACE-complete. – LTL property φ → B¨ uchi automata A¬φ – Product of a weak SHA H and A¬φ remains WSHA (since variables occur only in the WSHA). – Standard polynomial space algorithm can be used. – PSPACE-hardness of the problem follows from PSPACE-completeness of LTL model checking over finite automata CTL Model Checking: Not so easy !

Theorem

CTL model checking of weak SHAs with two clock variables is PSPACE-hard. – Polynomial reduction from subset-sum games – Decidability: still open

Krishna S., Umang Mathur, Ashutosh Trivedi – 27 of 28

WSHAs are JUST Decidable

WSHA is on the forefronts of decidability. Tweaking the model in the hope to improve expressiveness can lead to undecidability !

Krishna S., Umang Mathur, Ashutosh Trivedi – 27 of 28

WSHAs are JUST Decidable

WSHA is on the forefronts of decidability. Tweaking the model in the hope to improve expressiveness can lead to undecidability !

Theorem

The reachability problem is undecidable for three variable WSHAs with discrete updates.

Krishna S., Umang Mathur, Ashutosh Trivedi – 27 of 28

WSHAs are JUST Decidable

WSHA is on the forefronts of decidability. Tweaking the model in the hope to improve expressiveness can lead to undecidability !

Theorem

The reachability problem is undecidable for three variable WSHAs with discrete updates.

Theorem

The reachability problem is undecidable for CMS with three variables and one unrestricted clock.

Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28

Summary and Future Work

– WSHAs as a subclass of Hybrid automata.

Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28

Summary and Future Work

– WSHAs as a subclass of Hybrid automata. – Efficient model : Reachability, Schedulability and LTL Model Checking are Decidable

Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28

Summary and Future Work

– WSHAs as a subclass of Hybrid automata. – Efficient model : Reachability, Schedulability and LTL Model Checking are Decidable – Slight extensions can lead to undecidability in results

Krishna S., Umang Mathur, Ashutosh Trivedi – 28 of 28

Summary and Future Work

– WSHAs as a subclass of Hybrid automata. – Efficient model : Reachability, Schedulability and LTL Model Checking are Decidable – Slight extensions can lead to undecidability in results – Future work

– Decidability of CTL Model Checking for this problem is still unsolved – Games on WSHA and restrictions on WSHA – CEGAR framework : Approximate modeling of arbitrary SHA using WSHA.