DISCRETE ABSTRACTIONS OF HYBRID SYSTEMS

RAJEEV ALUR, TOM HENZINGER, GERARDO LAFFERRIERE, AND GEORGE J. PAPPAS

Abstract. A hybrid system is a dynamical system with both discrete and continuous state changes. For analysis purposes, it is often useful to abstract a system in a way that preserves the properties being analyzed while hiding the details that are of no interest. We show that interesting classes of hybrid systems can be abstracted to purely discrete systems while preserving all properties that are definable in temporal logic. The classes that permit discrete abstractions fall into two categories. Either the continuous dynamics must be severely restricted, as is the case for timed and rectangular hybrid systems, or the discrete dynamics must be severely restricted, as is the case for o-minimal hybrid systems. In this paper, we survey and unify the main results in both areas.

1. Introduction

Hybrid systems combine both digital and analog components, in a way that is useful for the analysis and design of distributed, embedded control systems. Hybrid systems have been used as mathematical models for many important applications, such as automated highway systems, air traffic management systems, manufacturing systems, robotics, real time communication networks, and real time circuits. Their wide applicability has inspired a great deal of research from both control theory and theoretical computer science [1, 2, 7, 9, 10, 14, 16, 25, 34]. Many of the above motivating applications are safety critical, and require guarantees of safe operation. Given a hybrid model of the system, and a desired specification, like avoiding a region of the state space, formal analysis attempts to prove that the system satisfies the specification. The formal analysis of large scale systems is typically a very difficult process due to the complexity and scale of the system. This makes the use of computational or algorithmic approaches to the analysis of hybrid systems very desirable, whenever possible. One of the main issues in algorithmic analysis of hybrid systems is decidability, since it guarantees that the analysis will terminate in a finite number of steps. A useful and successful way to show that a class of analysis problems is decidable is the process of abstraction. Given a hybrid system and some desired property, one extracts a finite, discrete system while preserving the property of interest, and hiding irrelevant details. This is achieved by constructing suitable, finite and computable partitions of the state space of the hybrid system. By obtaining discrete abstractions which are finite, and preserve all properties of interest, analysis can be equivalently performed on the finite system, which is guaranteed to terminate.

In this paper, we focus on discrete abstractions of hybrid systems along with the properties they preserve. We show that there are many interesting classes of hybrid systems which can be abstracted by finite systems for analysis purposes. The properties that are preserved in this abstraction process are definable in temporal logic, and in particular Linear Temporal Logic (LTL) and Computational Tree Logic (CTL). Preserving LTL properties leads to special partitions of the state space given by language equivalence relations, whereas CTL properties are abstracted by bisimulations. Similar concepts and constructions, but from a hierarchical control perspective, may be found in [12, 28, 29].

There are, however, immediate obstacles due to undecidability. For example, in [18], it was shown that checking reachability for a very simple class of two-slope hybrid automata is undecidable. These types of results immediately imply that more general classes of hybrid systems cannot have finite bisimulations or language equivalence quotients. Therefore, our search for discrete abstractions of hybrid systems is limited by this result. Given this limit, we show that the classes of hybrid systems that can be abstracted fall in two classes. In the first class, the continuous behavior of the hybrid system must be restricted, as in the case of timed automata [6], fixed slope automata [4], multirate automata [5, 26], and rectangular automata [18, 32]. In the second class, the discrete behavior of the hybrid system must be restricted, as in the case of order-minimal hybrid systems [19, 21, 22]. In this paper, we present in a unified way all these results, which collectively define a very tight boundary between decidable and undecidable hybrid systems.
We do not focus on complexity issues or the implementation of these algorithms by verification tools like Kronos [13], Cospan [8], Uppaal [24], and HyTech [17]. More specifically, in Section 2, we review the notion of language equivalence and bisimulations of transition systems, along with the temporal logics whose properties they preserve, namely Linear Temporal Logic and Computational Tree Logic. In Section 3, after a general definition of hybrid systems, we define various classes of hybrid systems, like timed and rectangular automata. We then immediately present some negative undecidability results, which force us to apply the framework of Section 2 to hybrid systems with either simple continuous dynamics (Section 4) or simple discrete dynamics (Section 5). Finally, Section 6 contains a brief summary, whereas Appendix A contains a brief introduction to mathematical logic.

2. Transition Systems

Transition systems should be thought of as abstract graph models, possibly with an infinite number of states or transitions. In fact, transition systems are abstract enough to include both finite state machines and differential equations.


Definition 2.1 (Transition Systems). A transition system $T = (Q, \Sigma, \to, Q_0)$ consists of:
  - A set $Q$ of states,
  - An alphabet $\Sigma$ of events,
  - A transition relation $\to \subseteq Q \times \Sigma \times Q$, and
  - A set $Q_0 \subseteq Q$ of initial states.
It is customary to denote a transition $(q_1, \sigma, q_2)$ as $q_1 \xrightarrow{\sigma} q_2$. The transition system is finite if the cardinality of $Q$ is finite, and it is infinite otherwise. The transition system $T$ is deadlock free if for every state $q \in Q$ there exist a state $q' \in Q$ and an event $\sigma \in \Sigma$ such that $q \xrightarrow{\sigma} q'$.

Example 2.2. To see the generality of transition systems, consider the simple differential equation $\dot{x} = f(x)$ where $x \in \mathbb{R}^n$. The differential equation defines a transition system whose state space is $\mathbb{R}^n$, has event alphabet $\Sigma = \mathbb{R}$, and the transition relation $x_1 \xrightarrow{t} x_2$, for $t \in \mathbb{R}$, means that there exists a solution of the differential equation with $x(0) = x_1$ and $x(t) = x_2$.

A region is a subset $P \subseteq Q$. Given $\sigma \in \Sigma$, we define $\mathrm{Pre}_\sigma(P)$ and $\mathrm{Post}_\sigma(P)$ of a region $P$ as

(2.1)  $\mathrm{Pre}_\sigma(P) = \{ q \in Q \mid \exists p \in P \text{ and } q \xrightarrow{\sigma} p \}$
(2.2)  $\mathrm{Post}_\sigma(P) = \{ q \in Q \mid \exists p \in P \text{ and } p \xrightarrow{\sigma} q \}$

Thus $\mathrm{Pre}_\sigma(P)$ is the set of states that can reach $P$ with event $\sigma$, and $\mathrm{Post}_\sigma(P)$ is the set of states that can be reached from states in $P$ with event $\sigma$. The set of states that can reach $P$, or can be reached from $P$, in one step by any event is

(2.3)  $\mathrm{Pre}(P) = \{ q \in Q \mid \exists \sigma \in \Sigma\ \exists p \in P \text{ and } q \xrightarrow{\sigma} p \}$
(2.4)  $\mathrm{Post}(P) = \{ q \in Q \mid \exists \sigma \in \Sigma\ \exists p \in P \text{ and } p \xrightarrow{\sigma} q \}$

The set of states that are reachable from $P$ in two steps is simply $\mathrm{Post}(\mathrm{Post}(P))$ and is denoted $\mathrm{Post}^2(P)$. In general, $\mathrm{Post}^i(P)$ consists of states that are reachable from $P$ in $i$ steps. $\mathrm{Pre}^i(P)$ is defined similarly. Then

(2.5)  $\mathrm{Pre}^*(P) = \bigcup_{i \in \mathbb{N}} \mathrm{Pre}^i(P)$
(2.6)  $\mathrm{Post}^*(P) = \bigcup_{i \in \mathbb{N}} \mathrm{Post}^i(P)$

are simply the sets of states that are backward and forward reachable from $P$. In particular, $\mathrm{Post}^*(Q_0)$ is the set of reachable states of the transition system $T$, and is denoted by $\mathrm{Reach}(T)$. A problem that is of great interest for transition systems is the reachability problem.

Problem 2.3 (Reachability Problem). Given a transition system $T = (Q, \Sigma, \to, Q_0)$ and a region $Q_F \subseteq Q$, is $\mathrm{Reach}(T) \cap Q_F \neq \emptyset$?


If the set $Q_F$ encodes an undesirable or unsafe region of the state space, then reachability corresponds to verifying that the system is safe. In this paper, we are interested in computational approaches to the solution of the reachability problem. The following algorithm computes the reachable space until either $Q_F$ is reached, or no more reachable states are added.

Algorithm 1 (Forward Reachability Algorithm)
  initialization: $R := Q_0$
  while true do
    if $R \cap Q_F \neq \emptyset$ return unsafe; STOP
    if $\mathrm{Post}(R) \subseteq R$ return safe; STOP
    else $R := R \cup \mathrm{Post}(R)$
  end while

A backward reachability algorithm which starts with $Q_F$ and checks whether $\mathrm{Pre}^*(Q_F) \cap Q_0 \neq \emptyset$ can be similarly constructed. Whereas the reachability problem checks whether we can reach a region of the state space, the invariant verification problem checks whether all system trajectories remain inside a set.
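Algorithm 1, its backward counterpart, and the invariant check, as an added Python example (not code from the paper) run on a constructed five-state transition system:

```python
# Added example (not from the paper): Algorithm 1 (forward reachability), the
# backward variant based on Pre*, and invariant verification, on a finite
# transition system T = (Q, Sigma, ->, Q0). All data below is constructed.
from typing import Set, Tuple

Transition = Tuple[str, str, str]   # (q1, sigma, q2) meaning q1 --sigma--> q2


def post(trans: Set[Transition], region: Set[str]) -> Set[str]:
    """Post(P): states reachable from P in one step by any event (2.4)."""
    return {q2 for (q1, _, q2) in trans if q1 in region}


def pre(trans: Set[Transition], region: Set[str]) -> Set[str]:
    """Pre(P): states that reach P in one step by any event (2.3)."""
    return {q1 for (q1, _, q2) in trans if q2 in region}


def forward_reach(trans: Set[Transition], q0: Set[str],
                  qf: Set[str]) -> Tuple[str, Set[str]]:
    """Algorithm 1: grow R from Q0 until Q_F is hit or Post(R) ⊆ R."""
    r = set(q0)
    while True:
        if r & qf:                       # R ∩ Q_F ≠ ∅
            return "unsafe", r
        nxt = post(trans, r)
        if nxt <= r:                     # Post(R) ⊆ R: fixpoint, R = Reach(T)
            return "safe", r
        r |= nxt                         # R := R ∪ Post(R)


def backward_reach(trans: Set[Transition], q0: Set[str], qf: Set[str]) -> str:
    """Dual algorithm: compute Pre*(Q_F) and test whether it meets Q0."""
    b = set(qf)
    while True:
        if b & q0:
            return "unsafe"
        prv = pre(trans, b)
        if prv <= b:
            return "safe"
        b |= prv


def check_invariant(trans: Set[Transition], q0: Set[str], inv: Set[str],
                    all_states: Set[str]) -> bool:
    """Problem 2.4: Reach(T) ⊆ Q_F holds iff Reach(T) misses the complement
    of Q_F, so forward reachability with Q_F := complement decides it."""
    verdict, _ = forward_reach(trans, q0, all_states - inv)
    return verdict == "safe"


# Constructed system: a controller that can enter a fault mode and recover;
# "crash" has no incoming edge and is therefore never reachable from "idle".
Q = {"idle", "run", "fault", "recover", "crash"}
TRANS: Set[Transition] = {
    ("idle", "start", "run"), ("run", "stop", "idle"),
    ("run", "err", "fault"), ("fault", "reset", "recover"),
    ("recover", "ok", "run"), ("crash", "noop", "crash"),
}
Q0 = {"idle"}

if __name__ == "__main__":
    print(forward_reach(TRANS, Q0, {"crash"}))          # ('safe', {...})
    print(backward_reach(TRANS, Q0, {"fault"}))         # 'unsafe'
    print(check_invariant(TRANS, Q0, Q - {"crash"}, Q)) # True
```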

Problem 2.4 (Invariant Verification Problem). Given a transition system $T = (Q, \Sigma, \to, Q_0)$ and a region $Q_F \subseteq Q$, is $\mathrm{Reach}(T) \subseteq Q_F$?

Checking whether all trajectories of $T$ remain inside a set $Q_F$ is equivalent to checking whether $\mathrm{Reach}(T)$ intersects nontrivially the complement of $Q_F$. Therefore, the invariant verification problem can be checked using the forward reachability algorithm. Such algorithmic approaches to checking system properties are guaranteed to terminate if the state space of the transition system is finite, since in the worst case they can only add a finite number of states. If the state space is infinite, then there is, in general, no guarantee that such computations will terminate after a finite number of steps. The reachability algorithm, for example, could continue adding states forever without ever reaching $Q_F$. In this paper, our goal is to find classes of infinite state transition systems whose analysis can be performed on equivalent but finite transition systems. This is accomplished by constructing suitable quotients or discrete abstractions of the original system, in the sense that they preserve the properties of interest while omitting detail.

In addition to reachability and invariants, the desired system specification may require more detailed system properties. For example, one may wish to encode the requirement that a system failure is eventually followed by a return to the normal mode of operation. More abstractly, if the transition system visits a region $Q_1$, encoding a failure, then eventually it will reach a region $Q_2$, encoding normal operation. Such properties can be encoded as formulas in temporal logic [30]. In the sequel,


after defining the notion of quotient transition systems, two equivalence relations, language equivalence and bisimulations, are considered along with two popular temporal logics, Linear Temporal Logic (LTL) and Computational Tree Logic (CTL), whose properties they preserve.

Given an equivalence relation $\sim \subseteq Q \times Q$ on the state space, the definition of the quotient transition system $T/\!\sim$ is natural. Let $Q/\!\sim$ denote the quotient space, that is, the set of equivalence classes. For a region $P$, we denote by $P/\!\sim$ the collection of all equivalence classes which intersect $P$. Given an equivalence relation $\sim$ on $Q$, we call a set a $\sim$-block if it is a union of equivalence classes. The transition relation $\to_\sim$ on the quotient space is defined as follows: for $Q_1, Q_2 \in Q/\!\sim$, $Q_1 \xrightarrow{\sigma}_\sim Q_2$ iff there exist $q_1 \in Q_1$ and $q_2 \in Q_2$ such that $q_1 \xrightarrow{\sigma} q_2$. The quotient transition system is then $T/\!\sim\ = (Q/\!\sim,\ \Sigma,\ \to_\sim,\ Q_0/\!\sim)$.

2.1. Language equivalence preserves linear temporal properties. Let $q \in Q$ be a state of the transition system $T = (Q, \Sigma, \to, Q_0)$. Let $\Pi$ be a finite set of atomic propositions or formulas¹, and let $\models\ \subseteq Q \times \Pi$ be the satisfaction relation. Therefore, $(q, \pi) \in\ \models$ means that state $q$ satisfies atomic formula $\pi$, which will be denoted from now on by $q \models \pi$. Given an atomic formula $\pi$, let $[\![\pi]\!] = \{ q \in Q \mid q \models \pi \}$ be the set of states that satisfy $\pi$. Given state $q \in Q$, let $\Pi_q = \{ \pi \in \Pi \mid q \models \pi \}$ be the set of all atomic formulas that are satisfied by $q$. A trajectory generated from a state $q$ is an infinite sequence $q_0 \sigma_0 q_1 \sigma_1 q_2 \ldots$ with $q_0 = q$ and, for all $i \in \mathbb{N}$, $q_i \xrightarrow{\sigma_i} q_{i+1}$. Every such trajectory defines the word $\Pi_{q_0} \sigma_0 \Pi_{q_1} \sigma_1 \Pi_{q_2} \ldots$ The set of all words that are generated from $q$ is denoted by $L(q)$, and called the language generated by $q$. The set of all words generated by all initial states $q_0 \in Q_0$ is called the language of the transition system $T$ and is denoted by $L(T)$. A relation $\sim_L$ on the state space is called a language equivalence if whenever $p \sim_L q$ then $L(p) = L(q)$. The resulting equivalence relation partitions the state space and gives rise to the language equivalence quotient transition system $T/\!\sim_L\ = (Q/\!\sim_L,\ \Sigma,\ \to_L,\ Q_0/\!\sim_L)$. It is of great interest to find out what properties are preserved by language equivalence quotients. Linear temporal logic is the first temporal logic we consider, since it is closely related to language equivalence.

Definition 2.5 (Linear Temporal Logic Syntax). The formulas of Linear Temporal Logic (LTL) are defined inductively as follows:
  - Atomic Propositions: Every atomic formula $\pi$ is a formula.
  - Formulas: If $\varphi_1$ and $\varphi_2$ are formulas, then the following are also formulas:
      $\varphi_1 \vee \varphi_2$,   $\neg\varphi_1$,   $\bigcirc\varphi_1$,   $\varphi_1\,\mathcal{U}\,\varphi_2$.

¹ A basic review of mathematical logic can be found in Appendix A.


The semantics of LTL formulas are interpreted over trajectories generated by the transition system $T$. Consider a trajectory $s = q_0 \sigma_0 q_1 \sigma_1 q_2 \ldots$ generated by $q_0$. The satisfaction of an atomic proposition $\pi$ by a trajectory $s$ at position $i \in \mathbb{N}$, denoted by $(s, i) \models_s \pi$ (which should not be confused with $\models$, which tells us whether a state satisfies an atomic proposition), can be checked by evaluating whether $q_i \models \pi$. We can then recursively define semantics for any LTL formula as follows:

  - $(s, i) \models_s \varphi_1 \vee \varphi_2$ if either $(s, i) \models_s \varphi_1$ or $(s, i) \models_s \varphi_2$
  - $(s, i) \models_s \neg\varphi_1$ if $(s, i) \not\models_s \varphi_1$
  - $(s, i) \models_s \bigcirc\varphi_1$ if $(s, i+1) \models_s \varphi_1$
  - $(s, i) \models_s \varphi_1\,\mathcal{U}\,\varphi_2$ if there is a $j \geq i$ such that $(s, j) \models_s \varphi_2$ and for all $i \leq k < j$ we have $(s, k) \models_s \varphi_1$

A trajectory $s$ satisfies an LTL formula $\varphi$ if $(s, 0) \models_s \varphi$. From $\neg$ and $\vee$, which stand for negation and disjunction respectively, we can also define conjunction $\wedge$, implication $\to$, and equivalence $\leftrightarrow$. The temporal operators $\bigcirc$ and $\mathcal{U}$ are called the next and until operators. The formula $\bigcirc\varphi_1$ is true at $q_0 \sigma_0 q_1 \sigma_1 q_2 \ldots$ iff the formula $\varphi_1$ holds for $q_1 \sigma_1 q_2 \ldots$. Using the next and until operators, we can also define the following temporal operators in LTL:

  - Eventually: $\Diamond\varphi = \mathrm{True}\,\mathcal{U}\,\varphi$
  - Always: $\Box\varphi = \neg\Diamond\neg\varphi$
  - Wait-for: $\varphi_1\,\mathcal{W}\,\varphi_2 = \varphi_1\,\mathcal{U}\,\varphi_2 \vee \Box\varphi_1$

Therefore, $\Diamond\varphi$ encodes properties that are eventually true, whereas $\Box\varphi$ encodes properties that are always true. For example, if $\pi$ is an atomic proposition encoding an unsafe region, then reachability can be simply expressed as $\Box\neg\pi$. The more elaborate requirement that visiting region $[\![\pi_1]\!]$ is eventually followed by visiting region $[\![\pi_2]\!]$ is expressed by the formula $\Box(\pi_1 \to \Diamond\pi_2)$. The LTL formula $\Box\Diamond\pi$ is true for trajectories that satisfy $\pi$ infinitely often, whereas a trajectory satisfies $\Diamond\Box\pi$ if $\pi$ is eventually true for all states. Having defined when a formula is satisfied by a trajectory generated by an arbitrary state $q \in Q$, we can define when a transition system satisfies an LTL formula $\varphi$.
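The trajectory semantics above, including the derived operators, as an added Python example that is not part of the paper: a single ultimately periodic trajectory is given as a finite prefix of labellings $\Pi_{q_i}$ followed by a loop that repeats forever, and formulas are evaluated recursively over it (the trajectory and its propositions are constructed).

```python
# Added example (not from the paper): evaluating LTL formulas of Definition 2.5
# on an ultimately periodic trajectory. A formula is a string (atomic
# proposition, or "True") or a tuple ("not", f), ("or", f, g), ("next", f),
# ("until", f, g). The word is a prefix plus a loop repeated forever.
from typing import FrozenSet, List, Tuple, Union

Formula = Union[str, Tuple]


class Lasso:
    """Word Pi_{q0} Pi_{q1} ... given as prefix labels plus a repeating loop."""
    def __init__(self, prefix: List[FrozenSet[str]], loop: List[FrozenSet[str]]):
        assert loop, "loop must be non-empty so that the trajectory is infinite"
        self.prefix, self.loop = prefix, loop

    def labels(self, i: int) -> FrozenSet[str]:
        n = len(self.prefix)
        return self.prefix[i] if i < n else self.loop[(i - n) % len(self.loop)]

    def horizon(self, i: int) -> int:
        # For j >= |prefix| the suffixes at j and j + |loop| are identical, so a
        # witness position for "until" starting at i, if any, lies below this.
        return max(i, len(self.prefix)) + len(self.loop)


def sat(s: Lasso, i: int, f: Formula) -> bool:
    """(s, i) |=_s f, following the recursive semantics of the text."""
    if f == "True":
        return True
    if isinstance(f, str):                      # atomic proposition: q_i |= pi
        return f in s.labels(i)
    op = f[0]
    if op == "not":
        return not sat(s, i, f[1])
    if op == "or":
        return sat(s, i, f[1]) or sat(s, i, f[2])
    if op == "next":
        return sat(s, i + 1, f[1])
    if op == "until":                           # exists j >= i: f2 at j, f1 on [i, j)
        for j in range(i, s.horizon(i)):
            if sat(s, j, f[2]):
                return all(sat(s, k, f[1]) for k in range(i, j))
        return False
    raise ValueError(f"unknown operator {op!r}")


# Derived operators exactly as the text defines them.
def implies(f: Formula, g: Formula) -> Formula: return ("or", ("not", f), g)
def eventually(f: Formula) -> Formula: return ("until", "True", f)
def always(f: Formula) -> Formula: return ("not", eventually(("not", f)))
def wait_for(f: Formula, g: Formula) -> Formula: return ("or", ("until", f, g), always(f))


def holds(s: Lasso, f: Formula) -> bool:
    """A trajectory satisfies f iff (s, 0) |=_s f."""
    return sat(s, 0, f)


# Constructed trajectory: normal, normal, failure, then (recovering, normal)
# forever. "normal" thus recurs infinitely often but never holds for good.
N, FAIL, REC = "normal", "failure", "recovering"
TRACE = Lasso([frozenset({N}), frozenset({N}), frozenset({FAIL})],
              [frozenset({REC}), frozenset({N})])

if __name__ == "__main__":
    print(holds(TRACE, always(implies(FAIL, eventually(N)))))  # True
    print(holds(TRACE, always(eventually(N))))                 # True
    print(holds(TRACE, eventually(always(N))))                 # False
```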

Problem 2.6 (LTL Model Checking). Given a transition system $T$ and an LTL formula $\varphi$, determine whether every trajectory in $L(T)$ satisfies $\varphi$.

Since reachability is expressed by an LTL formula, it is immediate that Problems 2.3 and 2.4 are contained in Problem 2.6. Notice that Problem 2.6 does not allow us to check possibility, for example that some, but not all, trajectories generated by an initial state satisfy an LTL formula $\varphi$. Given the definition of language equivalence, the following theorem should come as no surprise.


Theorem 2.7 (Language equivalence preserves LTL properties). Let $T$ be a transition system with a language equivalence quotient $T/\!\sim_L$. Then $T$ satisfies the LTL formula $\varphi$ if and only if $T/\!\sim_L$ satisfies $\varphi$.

Therefore, given a transition system $T$ and an LTL formula $\varphi$, we can equivalently perform the model checking problem on $T/\!\sim_L$. In general, language equivalence quotients are not finite. In addition, there is no algorithm to compute the language equivalence quotient. If, however, we are given such a finite quotient, then using the above theorem, LTL model checking for transition system $T$ can be equivalently performed on the finite transition system $T/\!\sim_L$.

2.2. Bisimilarity preserves branching temporal properties. We now define a different partition of the state space along with the class of properties it preserves.

Definition 2.8 (Bisimulation). Let $T = (Q, \Sigma, \to, Q_0)$ be a transition system. The equivalence relation $\sim_B$ is a bisimulation of $T$ iff for all states $p$ and $q$, if $p \sim_B q$ then
  - for every atomic proposition $\pi \in \Pi$, $q$ satisfies $\pi$ iff $p$ satisfies $\pi$, and
  - for every $\sigma \in \Sigma$, if $p \xrightarrow{\sigma} p'$ then there exists $q'$ such that $q \xrightarrow{\sigma} q'$ and $p' \sim_B q'$.
If $\sim_B$ is a bisimulation, then the transition systems $T$ and $T/\!\sim_B$ are called bisimilar. A bisimulation is called finite if the quotient space is finite.

Equivalently, the crucial property of bisimulations is that for any $\sigma \in \Sigma$ and any equivalence class $P_1 \in Q/\!\sim_B$, $\mathrm{Pre}_\sigma(P_1)$ is a union of equivalence classes. Therefore, if $P_1, P_2 \in Q/\!\sim_B$, then $\mathrm{Pre}_\sigma(P_1) \cap P_2$ is either the empty set or all of $P_2$. Computational Tree Logic (CTL), whose syntax is defined next, is a temporal logic that is closely associated with bisimulations. Notice that, contrary to LTL, CTL formulas contain existential quantifiers in their syntax. This will allow us to nest quantifiers and express possibility requirements.

Definition 2.9 (Computational Tree Logic Syntax). The formulas of Computational Tree Logic (CTL) are defined inductively as follows:
  - Atomic Propositions: Every atomic proposition $\pi$ is a formula.
  - Formulas: If $\varphi_1$ and $\varphi_2$ are formulas, then the following are also formulas:
      $\varphi_1 \vee \varphi_2$,   $\neg\varphi_1$,   $\exists\bigcirc\varphi_1$,   $\exists\Box\varphi_1$,   $\varphi_1\,\exists\mathcal{U}\,\varphi_2$.

The difference between the semantics of LTL and CTL is that in LTL one interprets formulas over trajectories, whereas in CTL, due to the existential quantifier, one interprets formulas in the possible tree of trajectories. More precisely, the state $q_0$ satisfies the atomic formula $\pi$ if $q_0 \models \pi$, and the semantics of CTL formulas are then defined as


  - $q_0 \models \varphi_1 \vee \varphi_2$ if either $q_0 \models \varphi_1$ or $q_0 \models \varphi_2$
  - $q_0 \models \neg\varphi_1$ if $q_0 \not\models \varphi_1$
  - $q_0 \models \exists\bigcirc\varphi_1$ if there exist $q_1 \in Q$ and $\sigma \in \Sigma$ with $q_0 \xrightarrow{\sigma} q_1$ and $q_1 \models \varphi_1$
  - $q_0 \models \exists\Box\varphi_1$ if there exists a trajectory $q_0 \sigma_0 q_1 \ldots$ generated by $q_0$ such that for all $i \geq 0$ we have $q_i \models \varphi_1$
  - $q_0 \models \varphi_1\,\exists\mathcal{U}\,\varphi_2$ if there exists a trajectory $q_0 \sigma_0 q_1 \ldots q_i$ such that $q_i \models \varphi_2$ and for all $0 \leq j < i$ we have $q_j \models \varphi_1$

As in LTL, we can define $\wedge$, $\to$, and $\leftrightarrow$ from $\neg$ and $\vee$. Furthermore, we can define the following additional temporal operators.
  - Inevitably Next: $\forall\bigcirc\pi = \neg\exists\bigcirc\neg\pi$
  - Possibly Eventually: $\exists\Diamond\pi = \mathrm{True}\,\exists\mathcal{U}\,\pi$
  - Inevitably Always: $\forall\Box\pi = \neg\exists\Diamond\neg\pi$
  - Inevitably Waiting For: $\pi_1\,\forall\mathcal{W}\,\pi_2 = \neg\big((\neg\pi_1)\,\exists\mathcal{U}\,\neg(\pi_1 \vee \pi_2)\big)$
  - Inevitably: $\forall\Diamond\pi = \neg\exists\Box\neg\pi$
  - Inevitably Until: $\pi_1\,\forall\mathcal{U}\,\pi_2 = \pi_1\,\forall\mathcal{W}\,\pi_2 \wedge \forall\Diamond\pi_2$
  - Possibly Waiting For: $\pi_1\,\exists\mathcal{W}\,\pi_2 = \pi_1\,\exists\mathcal{U}\,\pi_2 \vee \exists\Box\pi_1$

As in LTL, reachability can also be captured in CTL by the formula $\forall\Box\pi$. The CTL formula $\forall\Box\exists\Diamond\pi$ encodes the requirement that from every reachable state there must exist a trajectory leading to a state where $\pi$ is satisfied.

Problem 2.10 (CTL Model Checking). Given a transition system $T$ and a CTL formula $\varphi$, determine whether all initial states $q_0 \in Q_0$ satisfy $\varphi$.

As in LTL model checking, Problems 2.3 and 2.4 are contained in Problem 2.10. The following theorem shows that bisimulations preserve CTL properties.

Theorem 2.11 (Bisimulation preserves CTL properties). Let $T$ be a transition system with a bisimilarity quotient $T/\!\sim_B$, and let $\varphi$ be a CTL formula. Then $T$ satisfies $\varphi$ if and only if $T/\!\sim_B$ satisfies $\varphi$.

Therefore, CTL model checking for $T$ can be performed equivalently on $T/\!\sim_B$. In general, it is easier to compute bisimulations than language equivalence quotients. In particular, for finite $T$, computing $T/\!\sim_B$ can be performed in polynomial time, while computing $T/\!\sim_L$ is PSPACE-complete. Bisimulations can be computed using the following algorithm. If the algorithm terminates after a finite number of steps, then the resulting quotient transition system is the coarsest finite bisimulation. Assume without loss of generality that $\Pi$ is a finite set of propositions that partitions the state space $Q$.
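Before the algorithm is stated formally, here is an added Python rendering of the partition refinement it performs, together with a check of the $\mathrm{Pre}_\sigma$ characterisation given after Definition 2.8 (example code, not the paper's; the six-state system and its labelling, which partitions $Q$ as assumed, are constructed).

```python
# Added example (not from the paper): the bisimulation algorithm on a finite
# transition system. Blocks are frozensets of states; the initial partition is
# {[[pi]] | pi in Pi}, with each state carrying exactly one label.
from typing import Dict, FrozenSet, Optional, Set, Tuple

State = str
Block = FrozenSet[State]
Transition = Tuple[State, str, State]   # (q1, sigma, q2)


def pre_sigma(trans: Set[Transition], sigma: str, region: Block) -> Block:
    """Pre_sigma(P) = {q | exists p in P with q --sigma--> p}   (2.1)."""
    return frozenset(q1 for (q1, e, q2) in trans if e == sigma and q2 in region)


def find_splitter(blocks: Set[Block], trans: Set[Transition],
                  events: Set[str]) -> Optional[Tuple[Block, Block]]:
    """Loop condition of the algorithm: some P, P', sigma with
    ∅ ≠ P ∩ Pre_sigma(P') ≠ P. Returns (P, P ∩ Pre_sigma(P')) or None."""
    for p in blocks:
        for p_prime in blocks:
            for sigma in events:
                cut = p & pre_sigma(trans, sigma, p_prime)
                if cut and cut != p:
                    return p, cut
    return None


def bisimulation_quotient(states: Set[State], trans: Set[Transition],
                          labels: Dict[State, str]) -> Set[Block]:
    """Refine the label-induced partition until no block can be split.
    On a finite system this terminates with the coarsest bisimulation."""
    events = {e for (_, e, _) in trans}
    blocks: Set[Block] = {frozenset(q for q in states if labels[q] == pi)
                          for pi in set(labels.values())}
    while (split := find_splitter(blocks, trans, events)) is not None:
        p, p1 = split
        blocks = (blocks - {p}) | {p1, p - p1}   # P1 = P ∩ Pre, P2 = P \ Pre
    return blocks


def is_stable(blocks: Set[Block], trans: Set[Transition]) -> bool:
    """For every class P1 and event, Pre_sigma(P1) ∩ P2 is ∅ or all of P2,
    i.e. Pre_sigma(P1) is a union of classes (the bisimulation property)."""
    events = {e for (_, e, _) in trans}
    for p1 in blocks:
        for sigma in events:
            pre = pre_sigma(trans, sigma, p1)
            if any((pre & p2) and not p2 <= pre for p2 in blocks):
                return False
    return True


def quotient_transitions(blocks: Set[Block],
                         trans: Set[Transition]) -> Set[Tuple[Block, str, Block]]:
    """Q1 --sigma-->_~ Q2 iff some q1 in Q1 steps to some q2 in Q2 under sigma."""
    block_of = {q: b for b in blocks for q in b}
    return {(block_of[q1], e, block_of[q2]) for (q1, e, q2) in trans}


# Constructed system. a, b, c, f are labelled "ok"; d, e are labelled "bad".
# a and b step into "bad", c loops, and f reaches "bad" only via a, so f is
# separated from c in a second refinement round (two-step distinguishability).
STATES = {"a", "b", "c", "d", "e", "f"}
LABELS = {"a": "ok", "b": "ok", "c": "ok", "f": "ok", "d": "bad", "e": "bad"}
TRANS: Set[Transition] = {("a", "x", "d"), ("b", "x", "e"), ("c", "x", "c"),
                          ("f", "x", "a"), ("d", "y", "d"), ("e", "y", "e")}

if __name__ == "__main__":
    blocks = bisimulation_quotient(STATES, TRANS, LABELS)
    print(sorted(sorted(b) for b in blocks))   # [['a', 'b'], ['c'], ['d', 'e'], ['f']]
    print(len(quotient_transitions(blocks, TRANS)))   # 4
```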


Algorithm 2 (Bisimulation Algorithm)
  initialization: $Q/\!\sim_B\ := \{ [\![\pi]\!] \mid \pi \in \Pi \}$
  while $\exists\, P, P' \in Q/\!\sim_B$ and $\sigma \in \Sigma$ such that $\emptyset \neq P \cap \mathrm{Pre}_\sigma(P') \neq P$ do
    set $P_1 = P \cap \mathrm{Pre}_\sigma(P')$, $P_2 = P \setminus \mathrm{Pre}_\sigma(P')$
    refine $Q/\!\sim_B\ := (Q/\!\sim_B \setminus \{P\}) \cup \{P_1, P_2\}$
  end while

In order to show that CTL model checking is decidable, it suffices to show that the bisimulation algorithm terminates, and that each step of the algorithm is computable or effective. This means that we must be able to represent sets symbolically, perform boolean operations, check emptiness of a set, and compute $\mathrm{Pre}_\sigma(P)$ for any $\sigma \in \Sigma$.

In general, the properties expressed in LTL and CTL are incomparable. For example, the LTL formula $\Diamond\Box\pi$ cannot be expressed in CTL, whereas the CTL formula $\forall\Box\exists\Diamond\pi$ has no counterpart in LTL. Therefore, LTL is useful in expressing (temporal) properties along a given trajectory, whereas CTL is useful in expressing possibility. Even though LTL and CTL are incomparable, they are both sublogics of CTL$^*$, a much more expressive temporal logic that can express both possibility as well as linear temporal properties. Furthermore, bisimulations preserve all properties expressed in CTL$^*$. Therefore bisimulations preserve not only CTL properties according to Theorem 2.11, but also all LTL properties, as opposed to language equivalence quotients which preserve only LTL properties. Therefore, bisimulations are finer partitions than language equivalence, and thus much harder to find.

3. Hybrid Systems

In this section, we apply the framework presented in Section 2 to transition systems generated by hybrid systems. We then immediately present various barriers for obtaining finite discrete abstractions for general hybrid systems, by showing classes of hybrid systems whose reachability problem is undecidable. We start with a definition of hybrid systems.

Definition 3.1 (Hybrid Systems). A hybrid system is a tuple $H = (X, X_0, F, \mathrm{Inv}, R)$ where
  - $X = X_D \times \mathbb{R}^n$ is the state space with $X_D = \{q_1, \ldots, q_n\}$,
  - $X_0 \subseteq X$ is the set of initial states,
  - $F : X_D \times \mathbb{R}^n \to 2^{\mathbb{R}^n}$ assigns to each discrete location $q \in X_D$ a differential inclusion $\dot{x} \in F(q, x)$,
  - $\mathrm{Inv} : X_D \to 2^{\mathbb{R}^n}$ assigns to each discrete location an invariant set $\mathrm{Inv}(q) \subseteq \mathbb{R}^n$, and
  - $R \subseteq X \times X$ is a relation capturing the discrete jumps.


The elements of $X_D$ are the discrete states whereas $x \in \mathbb{R}^n$ is the continuous state. States of the hybrid system $H$ are thus of the form $(q, x)$ with $q \in X_D$ and $x \in \mathbb{R}^n$. The set of initial states associated with discrete state $q$ is denoted by

$\mathrm{Init}(q) = \{ x \in \mathbb{R}^n \mid (q, x) \in X_0 \}$

Hybrid systems are typically represented as graphs with vertices $X_D$, and edges $E$ defined by

$E = \{ (q, q') \in X_D \times X_D \mid (q, x, q', x') \in R \text{ for some } x, x' \in \mathbb{R}^n \}$

With each edge $e = (q, q') \in E$ we associate a guard set defined as

$\mathrm{Guard}(e) = \{ x \in \mathrm{Inv}(q) \mid (q, x, q', x') \in R \text{ for some } x' \in \mathbb{R}^n \}$

and the set valued reset map

$\mathrm{Reset}(e, x) = \{ x' \in \mathrm{Inv}(q') \mid (q, x, q', x') \in R \}$

Trajectories of the hybrid system $H$ originate at any $(q, x) \in X_0$ and consist of concatenations of either continuous evolutions or discrete jumps. Continuous evolutions keep the discrete component of the state constant, and the continuous part evolves according to the differential inclusion $\dot{x} \in F(q, x)$ as long as $x(t)$ remains inside the invariant set $\mathrm{Inv}(q)$. If $x(t)$ exits $\mathrm{Inv}(q)$, then a discrete transition is forced. If, during the continuous evolution, it happens that $x(t) \in \mathrm{Guard}(e)$ for some $e = (q, q') \in E$, then edge $e$ is enabled. The state of the hybrid system may then instantaneously jump from $(q, x)$ to any $(q', x')$ with $x' \in \mathrm{Reset}(e, x)$, and the continuous component of the trajectory then evolves according to the inclusion $\dot{x} \in F(q', x)$. In this paper, we assume that our hybrid system is non-blocking, that is, from every state either a continuous evolution or a discrete jump is possible. Furthermore, even though Definition 3.1 places no well-posedness conditions on the class of hybrid systems we consider, the results presented in this paper will assume strong restrictions regarding the class of sets and flows allowed.

Example 3.2. Figure 1 is a graphical illustration of a special class of hybrid systems, called timed automata, which are finite state machines coupled with continuous clock variables. It consists of two discrete modes $q_1$ and $q_2$, and two continuous states $x$ and $y$ which always evolve in $\mathbb{R}$ under the differential equations $\dot{x} = 1$ and $\dot{y} = 1$. Therefore $x$ and $y$ simply measure time. The initial state of the system is $(q_1, x = 0, y = 0)$ and the invariant sets associated with discrete states $q_1$ and $q_2$ are $x < 5$ and $y < 10$ respectively. There are two edges, $e_1 = (q_1, q_2)$ and $e_2 = (q_2, q_1)$. The guard of $e_1$ is the set $x > 4$ and the reset map is $R(e_1, x, y) = (10, 3)$, whereas the guard and reset of $e_2$ are $y > 9$ and $R(e_2, x, y) = (x, 0)$ respectively. Notice that the identity map on the $x$ variable on the $e_2$ edge is suppressed from Figure 1. A simple reachability specification may require that the timed automaton never enters the region $\{ (q, x, y) \in X_D \times \mathbb{R}^2 \mid q = q_2 \wedge x > 7 \wedge y < 6 \}$.


[Figure 1: the timed automaton of Example 3.2. Mode $q_1$ with initial condition $x = 0$, $y = 0$ and flows $\dot{x} = 1$, $\dot{y} = 1$; edge $e_1$ with guard $x > 4$ and reset $x = 10$, $y = 3$; edge $e_2$ with guard $y > 9$ and reset $y = 0$.]