Reachability analysis
Sayan MitraVerifying cyberphysical systems
Next few lecturesFocus on specific classes of hybrid automata for which safety properties (invariants) can be verified completely automaticallyβ Finite state machinesβ Alur-Dillβs Timed Automata[1] (Today)β Rectangular initializaed hybrid automataβ Linear hybrid automataβ β¦
We will introduce abstractions: Simplifying or approximating one automaton A with another automaton B
[1] Rajeev Alur et al. The Algorithmic Analysis ofHybrid Systems. Theoretical Computer Science, volume 138, pages 3-34, 1995.
Today
β’ Finite state machinesβ’ Algorithmic analysis of (Alur-Dillβs) Timed Automata[1]
β A restricted class of what we call hybrid automata in this course with only clock variables
[1] Rajeev Alur and David L. Dill. A theory of timed automata. Theoretical Computer Science, 126:183-235, 1994.
Reachability of Finite Automata
An finite automaton is a tuple π = β¨π, Q!, πβ© whereβ’ π is a finite set of statesβ’ π! β π is the set of initial or start statesβ’ π β πΓπ is the set of transitionsAn execution of π is an alternating sequence of states and actions πΌ = π!π"π# β¦π$such that:
1. π! β Q! 2. β π in the sequence, π", π"#$ β πA state π is reachable if there exists an execution πΌsuch that πΌ. ππ π‘ππ‘π = π$ = π
Reachability in finite state machines
π πππβπ Ξ : set of states reachable from Ξ by automaton π
An invariant is a set of states I such that π πππβπ β πΌ
How to check whether π is reachable ?
Q: All states e.g. πΌ&
Invariant e.g. πΌ!
π πππβπ(π")
πΈπ
Reachability as graph searchQ1. Given π, is a state π β π reachable? Define a graph πΊπ = β¨π, πΈβ© where
π = ππΈ = π, π! π β π!}
Q2. Does there exist a path in πΊπ from any state in Ξ to π’ ?
Perform Depth First or Breadth First Search on πΊπ from π!
Time complexity of BFS π(| π | + π·|Space complexity is π(| π |)
Nondeterministic reachabilityInput: G = (V, E), π", π β ππ βΆ= |π|vcurrent := choose π"If vcurrent β π return ββyesβElse For i = 1 to π:
vnext := choose VIf (vcurrent, vnext) βE breakIf vnext β T return ββyesβvcurrent := vnext
Return ββnoβ
Requires only O(log |Q|) bits of memoryUsing Savitchβs construction we get a deterministic algorithm that uses O(log2|Q|) bits
Adding Clocks and Clock Constraints
β’ A clock variable x is a continuous (analog) variable of type real such that along any trajectory π of x, for all t β π. πππ, π β π₯ π‘ = π‘.
β’ For a set X of clock variables, the set Ξ¦(X) of integral clock constraints are expressions defined by the syntax:
g ::= x β€ π π₯ β₯ π Β¬ π | π# β§ π$where π₯ β π πππ π β β€
β’ Examples: x = 10; x β [2, 5); true are valid clock constraintsβ’ What do clock constraints look like?
β’ Semantics of clock constraints [π]
Integral Timed Automata
Definition. A integral timed automaton is a HIOA π =β¨π, Ξ, π΄, π, π―β© where β V = X βͺ π , π is a set of n clocks and π is a discrete state
variable of finite type πΏ; stata space π£ππ π ΓπΏβ A is a finite set β π is a set of transitions such that
β’ The guards are described by clock constraings Ξ¦(π)β’ π₯, π β π β π₯", π" implies either π₯" = π₯ or π₯ = 0
β π― set of clock trajectories for the clock variables in X
Example: Light switchMath Formulationautomaton Switch
variablesinternal x, y:Real := 0, loc: {on,off} := off
transitionsinternal push
pre x β₯ 2eff if loc = on then x := 0
else x,y := 0; loc := offinternal pop
pre y = 15 /\ loc = offeff x := 0
trajectoriesinvariant loc = off => y β€ 15 evolve d(x) = 1; d(y) = 1
DescriptionSwitch can be turned on whenever at least 2 time units have elapsed since the last turn on. Switches off automatically 15 time units after the last on.
Timed Automaton application in Web Services (WS)
Modelling and Verification of Web Services Business Activity Protocol Anders P. Ravn, Jiri Srba, and Saleem Vighio, RV 2010
WS-Coordination describes a framework for coordinating transactional web services
Network protocol described in state tables
600+ lines of C-like code in the protocol model
Modeled and Verified using the UPPAAL tool
Analysis considers different channel models
The main safety property: protocol does not enter invalid state
Property violated in all but the FIFO channel model
Control State (mode) Reachability Problem
β’ Given an ITA π, check if a particular (mode) control state πβ β πΏ is reachable from the initial states
β’ Why is mode reachability good enough even if we are interested in checking reachability of πβ β π£ππ π ?
Model Reachability of Integral Timed Automata is Decidable [Alur Dill 94]
That is, there is an algorithm that takes in π, πβ and terminates with the correct answer.
Key idea: β Construct a finite automaton π΅ that is a time-abstract
bisimilar to the given ITA πβ That is, FA π΅ behaves identically to ITA π w.r.t. control state
reachability, but does not preserve timing information
β Check reachability of FA π΅
An equivalence relation with a finite quotient
Under what conditions do two states x1 and x2 of the automaton π behave identically with respect to control state reachability (CSR)?
When do they satisfy the same set of clock constraints? When would they continue to satisfy the same set of clock constraints?
An equivalence relation with a finite quotient
Under what conditions do two states x1 and x2 of the automaton πbehave identically with respect to mode reachability ?
When do they satisfy the same set of clock constraints? When would they continue to satisfy the same set of clock constraints?
x1. πππ = x2.πππ and x1 and x2 satisfy the same set of clock constraints
For each clock π¦ int(x1.π¦) = int(x2.π¦) or int(x1.π¦) β₯ ππ$ and int(x2.π¦) β₯ππ$. (ππ$ is the maxium clock guard of π¦)For each clock π¦ with x1.π¦ β€ ππ$, frac(x1.π¦) = 0 iff frac(x2.π¦) = 0For any two clocks π¦ and π§ with x1.π¦ β€ ππ$ and x1.π§ β€ ππ%, frac(x1.π¦) β€frac(x1.π§) iff frac(x2.π¦) β€ frac(x2.π§)
Lemma. This is an equivalence relation on val(V) the states of π
The partition of val(V) induced by this relation is are called clock regions
Region automaton R(π)Given an ITA π = β¨π, Ξ, π, π―β©, we construct the corresponding Region Automaton R π = π&, Ξ&, π·& .(i) R(π) visits the same set of modes (but does not have timing
information) and (ii) R(π) is finite state machine. β’ ITA (clock constants) defines a set of clock regions, say Cπ. The set of
states π& = πΆπΓπΏβ’ π' β πis the set of states contain initial set Ξ of πβ’ π·:We add the transitions between π (regions)
β Time successors: Consider two clock regions πΎ and πΎ!, we say that πΎ! is a time successor of πΎ if there exits a trajectory of ITA starting from πΎ that ends in πΎβ
β Discrete transitions: Same as the ITA
Theorem. A mode of ITA π is reachable iff it is also reachable in R π .(we say that R π is time abstract bisimilar to π)
Special Classes of Hybrid Automata
β Finite Automataβ Integral Timed Automata Γβ Rational time automataβ Multirate automataβ Rectangular Initialized HA
β Rectangular HA
β Linear HA
β Nonlinear HALecture Slides by Sayan Mitra
ACM NEWS: In Space, No One Can Fix Your Sign Errors--- Paul Cheng & Peter Carian
15,000 satellite launches planned for the decade5.3% satellites are lost in the first year, 42% of those in first 2 monthsMost common cause sign errors: SW/HW parameter used the wrong wayβ’ fitting acceleration sensors the wrong wayβ’ wrong usage of negative instead of positive
parameters β’ switching current in wrong direction in a circuit β’ inverting the orientation of the electromagnets
used for positioning
Genesis (2001) forcapturing particles fromthe solar wind, poundedinto the Utah desertunbraked because apencil-eraser-sizeddeceleration sensor wasmounted upside-down.
Clocks and Rational Clock Constraints
β’ A clock variable x is a continuous (analog) variable of type real such that along any trajectory π of x, for all t β π. πππ, π β π₯ π‘ = π‘.
β’ For a set X of clock variables, the set Ξ¦(X) of rational clock constraints are expressions defined by the syntax:
g ::= x β€ π π₯ β₯ π Β¬ π | π# β§ π$where π₯ β π πππ π β β
β’ Examples: x = 10.125; x β [2.99, 5); true are valid rational clock constraints
β’ Semantics of clock constraints [π]
Lecture Slides by Sayan [email protected]
Step 1. Rational Timed Automata
Definition. A rational timed automaton is a HA π = β¨π, Ξ, π΄, π, π―β© where β V = X βͺ πππ , where π is a set of n clocks and π is a
discrete state variable of finite type Εβ A is a finite set β π is a set of transitions such that
β’ The guards are described by rational clock constraings Ξ¦(π)β’ π₯, π β π β π₯!, π! implies either π₯! = π₯ or π₯ = 0
β π― set of clock trajectories for the clock variables in X
Lecture Slides by Sayan [email protected]
Example: Rational Light switchSwitch can be turned on whenever at least 2.25 time units have elapsed since the last turn off or on. Switches off automatically 15.5 time units after the last on.
automaton Switchinternal push; pop
variablesinternal x, y:Real := 0, loc:{on,off} := off
transitionspush
pre x >=2.25eff if loc = on then y := 0 fi; x := 0; loc := off
poppre y = 15.5 β§ loc = offeff x := 0
trajectoriesinvariant loc = on β¨ loc = offstop when y = 15.5 β§ loc = offevolve d(x) = 1; d(y) = 1
Lecture Slides by Sayan [email protected]
Control State (Location) Reachability Problem
β’ Given an RTA, check if a particular mode is reachable from the initial states
β’ Is problem decidable? β’ Yesβ’ Key idea: β Construct a ITA that has exactly same mode
reachability behavior as the given RTA (timing behavior may be different)
β Check mode reachability for ITA
Lecture Slides by Sayan [email protected]
Construction of ITA from RTAβ’ Multiply all rational constants by a factor
q that make them integralβ’ Make d(x) = q for all the clocks
β’ RTA Switch reaches the same control locations as the ITA Iswitch
β’ Simulation relation R is given by β’ (u,s) β π iff u.x = 4 s.x and u.y = 4 s.y
automaton ISwitchinternal push; popvariables
internal x, y:Real := 0, loc:{on,off} := offtransitions
pushpre x >= 9eff if loc = on then y := 0 fi; x := 0; loc := off
poppre y = 62 β§ loc = offeff x := 0
trajectoriesinvariant loc = on β¨ loc = offstop when y = 62 β§ loc = offevolve d(x) = 4; d(y) = 4
Lecture Slides by Sayan [email protected]
Step 2. Multi-Rate Automaton
β’ Definition. A multirate automaton is π = β¨π, π, Ξ, π΄, π, π―β©where β V = X βͺ πππ , where π is a set of n continuous variables and πππ
is a discrete state variable of finite type Εβ A is a finite set of actionsβ π is a set of transitions such that
β’ The guards are described by rational clock constraings Ξ¦(π)β’ π₯, π β π β π₯", π" implies either π₯" = π ππ π₯" = π₯
β π― set of trajectories such that for each variable π₯ β π βπ π π’πβ π‘βππ‘ π β π―, π‘ β π. πππ
π π‘ . π₯ = π 0 . π₯ + π π‘
Lecture Slides by Sayan [email protected]
Control State (Location) Reachability Problem
β’ Given an MRA, check if a particular location is reachable from the initial states
β’ Is problem is decidable? Yesβ’ Key idea: β Construct a RTA that is bisimilar to the given MRA
Lecture Slides by Sayan [email protected]
Step 3. Rectangular HADefinition. A rectangular hybrid automaton (RHA) is a HA π = β¨π, π΄, π―, πβ©where
β V = X βͺ πππ , where X is a set of n continuous variables and πππ is a discrete state variable of finite type Ε
β A is a finite set β π― =βͺβ π―β set of trajectories for X
β’ For each π β π―β, π₯ β π either (i) π π₯ = πβ or (ii) π π₯ β πβ! , πβ)β’ Equivalently, (i) π π‘ βπ₯ = π(0)βπ₯ + πβπ‘
(ii) π(0)βπ₯ + πβ!π‘ β€ π π‘ βπ₯ β€ π(0)βπ₯ + πβ)π‘β π is a set of transitions such that
β’ Guards are described by rational clock constraings β’ π₯, π β* π₯", π" implies π₯" = π₯ πππ₯" β [π!, π)]
Lecture Slides by Sayan [email protected]
CSR Decidable for RHA?
β’ Given an RHA, check if a particular location is reachable from the initial states?
β’ Is this problem decidable? No β [Henz95] Thomas Henzinger, Peter Kopke, Anuj Puri, and Pravin Varaiya.
What's Decidable About Hybrid Automata?. Journal of Computer and System Sciences, pages 373β382. ACM Press, 1995.
β CSR for RHA reduction to Halting problem for 2 counter machinesβ Halting problem for 2CM known to be undecidableβ Reduction in next lecture
Lecture Slides by Sayan [email protected]
Step 4. Initialized Rectangular HADefinition. An initialized rectangular hybrid automaton (IRHA) is a RHA π where
β V = X βͺ πππ , where X is a set of n continuous variables and πππ is a discrete state variable of finite type Ε
β A is a finite setβ π― =βͺβ π―β set of trajectories for X
β’ For each π β π―β, π₯ β π either (i) π π₯ = πβ or (ii) π π₯ β πβ! , πβ)β’ Equivalently, (i) π π‘ βπ₯ = π(0)βπ₯ + πβπ‘
(ii) π(0)βπ₯ + πβ!π‘ β€ π π‘ βπ₯ β€ π(0)βπ₯ + πβ)π‘β π is a set of transitions such that
β’ Guards are described by rational clock constraings β’ π₯, π β* π₯", π" implies if dynamics changes from β to ββ² then π₯" β[π!, π)], otherwise π₯" = π₯
Lecture Slides by Sayan [email protected]
Example: Rectangular Initialized HA
1
π π₯" = k"π π₯# = k#
2
π π₯" = kβ²"π π₯# = k#
3
π π₯" β [π, π]π π₯# = k$
Pre π₯" β₯ πΊ β§ π₯# β€ πΊ Eff π₯" β0
Both Pre π₯", π₯# have to be reset
Eff π₯", π₯# β [π, π]
Lecture Slides by Sayan [email protected]
CSR Decidable for IRHA?
β’ Given an IRHA, check if a particular location is reachable from the initial states
β’ Is this problem decidable? Yesβ’ Key idea: β Construct a 2n-dimensional initialized multi-rate
automaton that is bisimilar to the given IRHAβ Construct a ITA that is bisimilar to the Singular TA
Lecture Slides by Sayan [email protected]
From IRHA to Singular HA conversion
For every variable create two variables---tracking the upper and lower bounds
IRHA MRA
π₯ π₯β ; π₯#
Evolve: π(π₯) β [π$, π$] Evolve: π π₯β = π$; π π₯# = π$
Eff: π₯% β [π$, π$] Eff: π₯β= π$; π₯# = π$
π₯% = π π₯β= π₯# = π
Guard: π₯ β₯ 5 π₯& β₯ 5
π₯& < 5 β§ π₯# β₯ 5 Eff π₯& = 5
Lecture Slides by Sayan [email protected]
Example IRHA
v1οΏ½οΏ½ β 1,3
οΏ½οΏ½ β [β3,β2]
v2οΏ½οΏ½ β β4,β2οΏ½οΏ½ β [β3,β2]
π β 0; π β 1
π β€ 5 β§ π β€ β3π β 4
v3οΏ½οΏ½ β β4,β2οΏ½οΏ½ β [1,2]
π β€ β5π β β4
v4οΏ½οΏ½ β 1,3οΏ½οΏ½ β [1,2]
π β₯ β3 β§ π β€ β2π β [β1,β2]
π β₯ 0 β§ π β€2π β 1
Lecture Slides by Sayan [email protected]
Initialized Singular HA
v1π% = 1π& = 3π% = β3π& = β2
v2π% = β4
π& = β2π% = β3π& = β2
π) , π* β 0; π) , π* β 1
v3π) = β4
π* = β2π) = 1π* = 2
v4π) = 1
π* = 3π) = 1π* = 2
Lecture Slides by Sayan [email protected]
Transitions
5
v1π% = 1π& = 3π% = β3π& = β2
π) β€ 5π) , π* β 4
-3
π)
π*
π*π)
π* β€ β3 noresetπ* > β3 β§ π) β€ β3 π* β-3
Lecture Slides by Sayan [email protected]
Initialized Singular HAv1π% = 1π& = 3π% = β3π& = β2
v2π% = β4
π& = β2π% = β3π& = β2
π) , π* β 0; π) , π* β 1
π& β€ 5 β§ π# β€ β3π& , π# β 4
π& β€ 5 β§ π& β€ β3 β§ π# > β3π& , π# β 4 π# β β3
v3π) = β4
π* = β2π) = 1π* = 2
π) β€ β5π)π* β β4
v4π) = 1
π* = 3π) = 1π* = 2
π# β₯ β3 β§ π# β€ β2π& β β2π# β β1
π# β₯ β3 β§ π& β€ β2 β§ π# > β2π& β β2π# β β1 π# β 2
π) β₯ 0 β§ π) β€2π) , π* β 1
π& < 0 β§ π# β₯ 0 β§ π& β€2π& β 0π& , π# β 1
Lecture Slides by Sayan [email protected]
Can this be further generalized ?
β’ For initialized Rectangular HA, control state reachability is decidableβ Can we drop the initialization restriction?β’ No, problem becomes undecidable (next time)
β Can we drop the rectangular restriction?β’ No, problem becomes undecidable
Lecture Slides by Sayan [email protected]
Data structures critical for reachability
β’ Hyperrectanglesβ g!; g) = π₯ β π + x β g!
'β€ g) β g!
'} = Ξ ,[π!,, π),]
β’ Polyhedraβ’ Zonotopes [Girard 2005]β’ Ellipsoids [Kurzhanskiy 2001]β’ Support functions [Guernic et al. 2009]β’ Generalized star set [Duggirala and Viswanathan 2018]
Lecture Slides by Sayan [email protected]
C2E2 generated safety certificate for a given user model
Unsafe region
Reach set
Verify no collision with uncertainties: speeds in [70, 85] mph and acceleration range of NPC
For a different user model C2E2 finds a corner case
counter-example visualized
Verify no collision with uncertainties like speeds in [70, 85] mph and bigger acceleration range of NPC
SAYAN MITRA @Mitrasayn
Data structures: rectangles and ellipsoids
g12
g11
g21
g22
[[g11, g12]] [[g11, g12]]οΏ½ [[g21, g22]]
= [[g11 + g12, g21 + g22]]
[[g11, g12]]οΏ½ [[t.g1, t.g2]]
[[c1, Q]] [[Ac1, AQAT ]][[c1, Q1]]οΏ½ [[c2, Q2]] 6= [[c3, Q3]]
Zonotopes and polytopes
[[A, b]]
[[g1, . . . , gk]] [[β (g1, t), . . . , β (gk, t)]]
g1
g2
gk
c1 g1
g2
[[c1, hg1, g2i]]οΏ½ [[c2, hg01, g02i]]= [[c1 + c2, hg1, g01, g2, g02i]]
[[c1, hg1, g2i]] [[Ac1, hAg1, Ag2i]]
Takeaway messages
β’ For restricted classes of HA, e.g., ITA, IRHA, Control state reachability is decidable (Alur-Dill)
β’ The problem becomes undecidable for RHA (Henzinger et al.)β Important message to re-focus on relaxed problemβ Bounded time, approximate reachability
β’ Many tools and successful applications using iterative Post computations
β’ Choice of data-structure critical for practicalperformance
Lecture Slides by Sayan [email protected]