From models to implementations

The continuous-time semantics is a mathematical idealization:
- it assumes zero-delay transitions;
- it assumes infinite precision of the clocks;
- it assumes immediate communication between systems.

Example (Strict timing constraints)
[Figure: two copies P_id (id = 1, 2) of a timed automaton sharing the variable r; the edges are labelled r := 0, r == 0, r = id, r := id, x_id := 0, x_id > 2 and x_id ≤ 2]
When P_1 and P_2 run in parallel (sharing variable r), the state where both of them are in [the marked location of the figure] is not reachable. This property is lost when x_id > 2 is replaced with x_id ≥ 2.

Parametrized semantics
- parametrized discrete-time semantics: does there exist a time step δ (sampling rate) under which the system behaves correctly?
  reachability is undecidable [CHR02]; untimed-language inclusion is decidable [AKY10]
- parametrized continuous-time semantics: does the system behave correctly under continuous-time semantics with imprecisions up to some δ?
Outline of the talk
1. Discrete time vs. dense time
2. From models to implementations
3. Checking robust safety: enlarging clock constraints; shrinking clock constraints
4. Checking robust controllability: parametrized perturbations; permissive strategies
5. Conclusions and future works
Enlarged semantics for timed automata

A transition can be taken at any time in [t − δ; t + δ].

Example
[Figure: a timed automaton over clocks x and y with edges x ≤ 2, x := 0; x = 1; x = 0 ∧ y ≥ 2, y := 0; y ≥ 2, y := 0, next to the set of reachable clock values in the (x, y) plane, 0 ≤ x, y ≤ 3]
Under the enlarged semantics the edges become x ≤ 2 + δ, x := 0; x ∈ [1 − δ, 1 + δ]; x ≤ δ ∧ y ≥ 2 − δ, y := 0; y ≥ 2 − δ, y := 0.
[Figure: a sequence of plots of the reachable clock values of the enlarged automaton in the (x, y) plane, 0 ≤ x, y ≤ 3]

Theorem ([Pur98, DDMR04]) Parametrized robust safety is decidable.
Extended region automaton

For any location ℓ and any two regions r and r′, if r ∩ r′ ≠ ∅ and (ℓ, r′) belongs to an SCC of R(A), then we add a transition (ℓ, r) −γ→ (ℓ, r′).
[Figure: regions of the (x, y) plane, 0 ≤ x, y ≤ 3, with an added γ-transition between two neighbouring regions]
Shrinking timing constraints

Counteracting guard enlargement: shrinking turns constraints [a, b] into [a + δ, b − δ]. In particular, punctual constraints become empty.

Definition. A timed automaton is shrinkable if, for some δ > 0, its shrunk automaton (time-abstract) simulates the original automaton.

Theorem ([SBM11]) Shrinkability is decidable in EXPTIME.
Main tools: parametrized shrunk DBMs; max-plus fixpoint equations.
Prototype tool: http://www.lsv.ens-cachan.fr/Software/shrinktech/
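As an added worked example (not code from the slides), the following Python program performs forward zone exploration for a one-clock timed automaton and applies the two guard transformations described above: enlarging [a, b] to [a − δ, b + δ] and shrinking it to [a + δ, b − δ]. The automaton, its location names l0, l1 and bad, and the value δ = 1/10 are constructed for the example. In the exact semantics the location bad is unreachable; any enlargement δ > 0 makes it reachable, which is the kind of property loss the slides warn about; and shrinking empties the punctual guard x = 1, so l1 is no longer reachable at all.

```python
from fractions import Fraction as F
from collections import deque

# A one-clock zone or guard is (lo, lo_open, hi, hi_open); hi=None means +infinity.
def iv(lo, hi, lo_open=False, hi_open=False):
    return (F(lo), lo_open, None if hi is None else F(hi), hi_open)

def is_empty(z):
    lo, lo_open, hi, hi_open = z
    if hi is None or lo < hi:
        return False
    return lo > hi or lo_open or hi_open      # lo == hi is non-empty only if both closed

def intersect(a, b):
    alo, alo_o, ahi, ahi_o = a
    blo, blo_o, bhi, bhi_o = b
    if alo != blo:
        lo, lo_o = (alo, alo_o) if alo > blo else (blo, blo_o)
    else:
        lo, lo_o = alo, alo_o or blo_o
    if ahi is None or (bhi is not None and bhi < ahi):
        hi, hi_o = bhi, bhi_o
    elif bhi is None or ahi < bhi:
        hi, hi_o = ahi, ahi_o
    else:
        hi, hi_o = ahi, ahi_o or bhi_o
    return (lo, lo_o, hi, hi_o)

def elapse(z):
    """Let time pass: the upper bound disappears."""
    return (z[0], z[1], None, True)

ZERO = iv(0, 0)   # clock value right after a reset

def enlarge(g, d):
    """Enlarged semantics: guard [a, b] becomes [a - d, b + d]."""
    lo, lo_o, hi, hi_o = g
    return (lo - d, lo_o, None if hi is None else hi + d, hi_o)

def shrink(g, d):
    """Shrunk semantics: guard [a, b] becomes [a + d, b - d] (empty once a + d > b - d)."""
    lo, lo_o, hi, hi_o = g
    return (lo + d, lo_o, None if hi is None else hi - d, hi_o)

def reachable(edges, init, target, transform=lambda g: g):
    """Forward zone exploration from (init, x = 0). Edges are (src, guard, reset, dst);
    `transform` is applied to every guard (identity, enlarge or shrink)."""
    start = (init, ZERO)
    seen, work = {start}, deque([start])
    while work:
        loc, z = work.popleft()
        if loc == target:
            return True
        for src, guard, reset, dst in edges:
            if src != loc:
                continue
            z2 = intersect(elapse(z), transform(guard))
            if is_empty(z2):
                continue
            nxt = (dst, ZERO if reset else z2)
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return False

# Constructed example automaton (not the one on the slides): `bad` is entered only
# with x < 1, right after an edge that fires exactly at x = 1 and keeps the clock.
EDGES = [
    ("l0", iv(0, 2), True, "l0"),                   # x <= 2, x := 0
    ("l0", iv(1, 1), False, "l1"),                  # x = 1   (punctual guard)
    ("l1", iv(0, 1, hi_open=True), False, "bad"),   # x < 1
]

def robust_safety_report(delta=F(1, 10)):
    """Reachability of `bad` (and of `l1`) under the three semantics for the given delta."""
    return {
        "exact_bad": reachable(EDGES, "l0", "bad"),
        "enlarged_bad": reachable(EDGES, "l0", "bad", lambda g: enlarge(g, delta)),
        "shrunk_l1": reachable(EDGES, "l0", "l1", lambda g: shrink(g, delta)),
    }

if __name__ == "__main__":
    print(robust_safety_report())   # exact_bad False, enlarged_bad True, shrunk_l1 False
```

The exploration terminates here because every zone is bounded by guard constants or reset to x = 0; the same code works for any one-clock automaton, but a multi-clock version would need DBMs rather than intervals, which is where the parametrized shrunk DBMs of [SBM11] come in.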
Shrinking timing constraints: Example

[Figure: an automaton whose shrunk guards read 2 − k1δ ≤ x ≤ 4 − k2δ; x ≤ 2 − k5δ; 2 − k3δ ≤ y ≤ 4 − k4δ, y := 0]
[Figure: the shrunk zones are compared step by step (Pre_time, Unreset_y, inclusion ⊆), with the offsets k1δ, k2δ, k3δ, k4δ, k5δ marked; the inclusion reduces to comparing the offsets k5δ and (k2 + k3)δ]

The resulting max-plus fixpoint equation is k5 = max(k5, k2 + k3).
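Added example, not part of the slides or of the Shrinktech tool: a least-fixpoint solver for max-plus equations of the form k_t = max(k_t, k_s1 + k_s2 + …), the form in which the equation k5 = max(k5, k2 + k3) above is written. Every parameter starts at 1 (each bound is shrunk by at least δ); iteration stops at a fixpoint, or reports divergence when a value exceeds a bound, in which case no finite parameters exist. The closed guard shapes [a + k_lo δ, b − k_hi δ] used to compute the largest admissible δ, and the second, diverging system, are constructed for the example; only the constants 2 and 4 and the fixpoint equation come from the slide.

```python
from fractions import Fraction as F

def solve_maxplus(names, constraints, bound=1000):
    """Least solution of the max-plus system k_t = max(k_t, sum(k_s for s in sources)).
    `constraints` is a list of (target, sources). Starts from k = 1 for every parameter
    and iterates until nothing changes. Returns None when some value exceeds `bound`,
    i.e. the equations have no finite solution (assumed divergence criterion)."""
    k = {n: 1 for n in names}
    changed = True
    while changed:
        changed = False
        for target, sources in constraints:
            v = sum(k[s] for s in sources)
            if v > k[target]:
                if v > bound:
                    return None
                k[target] = v
                changed = True
    return k

def max_delta(guards, k):
    """guards: list of (a, b, k_lo, k_hi) meaning the guard [a, b] is shrunk to
    [a + k_lo*delta, b - k_hi*delta]; k_lo / k_hi may be None (that bound is not shrunk).
    Returns the largest delta for which every shrunk guard is still non-empty."""
    best = None
    for a, b, klo, khi in guards:
        coef = (k[klo] if klo else 0) + (k[khi] if khi else 0)
        if coef == 0:
            continue                      # this guard does not constrain delta
        d = F(b - a) / coef
        best = d if best is None or d < best else best
    return best

# Parameters and the single equation from the slide: k5 = max(k5, k2 + k3).
NAMES = ["k1", "k2", "k3", "k4", "k5"]
CONSTRAINTS = [("k5", ["k2", "k3"])]

# Constructed guard shapes (closed intervals using the slide's constants 2 and 4).
GUARDS = [
    (2, 4, "k1", "k2"),   # x in [2 + k1*delta, 4 - k2*delta]
    (2, 4, "k3", "k4"),   # y in [2 + k3*delta, 4 - k4*delta]
    (0, 2, None, "k5"),   # x in [0, 2 - k5*delta]
]

def shrink_example():
    """Solve the slide's equation and derive the largest admissible delta."""
    k = solve_maxplus(NAMES, CONSTRAINTS)
    return k, max_delta(GUARDS, k)

# Constructed diverging system: k1 >= k1 + k2 can never stabilise once k2 >= 1,
# so no finite shrinking parameters exist for it.
DIVERGING = [("k1", ["k1", "k2"])]

if __name__ == "__main__":
    k, d = shrink_example()
    print(k, "delta_max =", d)
    print("diverging system:", solve_maxplus(["k1", "k2"], DIVERGING))
```

With the fixpoint k5 = 2 and all other parameters at 1, the third guard shrinks to [0, 2 − 2δ], so δ = 1 is the largest value keeping every shrunk guard non-empty; a system like the constructed DIVERGING one corresponds to an automaton that is not shrinkable for any δ > 0.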
Game-based approach to robustness

Solving robust reachability: Player 1 proposes a delay d and a transition t; transition t is taken after some delay in [d − δ, d + δ] chosen by Player 2.

Consider a transition with guard x ≤ 3 ∧ y ≥ 1:
[Figure: loose semantics vs. strict semantics; in each, Player 1's delay d is perturbed by δ and the guard boundaries y = 1 and x = 3 are drawn]

Theorem ([BMS12, SBMR13]) Robust reachability is EXPTIME-complete in the loose semantics. Robust reachability and repeated reachability are PSPACE-complete in the strict semantics.
Shrunk DBMs for the loose semantics

Extend the region automaton into a 2-player turn-based game.
[Figure: a transition x = y = 1, y := 0 and the corresponding game unfolding over regions r0, r1, r2, r3, r′0, with states (r1, s1), (r2, s2), (r3, s3)]
Orbit graphs for the strict semantics

[Figure: an automaton with locations ℓ0, ℓ1, ℓ2 and edges x ≤ 2, x := 0; 1 < x < 2; y := 0; y ≥ 2, y := 0, followed by six plots in the (x, y) plane, 0 ≤ x, y ≤ 2, showing the clock values at ℓ1, ℓ1, ℓ2, ℓ2, ℓ1, ℓ1 along the cycle, with the edges e1, e2 and the delays ∆ between them]

Definition. A cycle π is forgetful if its orbit graph is strongly connected. A cycle π is aperiodic if π^k is forgetful, for all k.

Theorem. The automaton is robustly controllable if, and only if, it has a reachable aperiodic cycle.
Synthesizing permissive strategies

Permissive strategies can propose several moves rather than a single one.

In the untimed setting... [BDMR09, BMOU11]
[Figure: an untimed game graph with moves a, b, c, d and numeric labels 0, 1, 2, 5, 6, 8; a permissive strategy proposes sets of moves such as {b, c, d} or {a, c}]
In the timed setting... Permissive strategies propose intervals of delays. Our setting: the penalty assigned to interval [a, b] is 1/(b − a).

[Figure: a one-clock timed game with locations ℓ0, ℓ1, ℓ2 and edges labelled a, x ≥ 2; a, x < 2; b, x ≤ 1; b, x := 0; a, x ≤ 2; two of the edges lead to losing states]

Possible (memoryless) strategy:
- in ℓ0, play (a, [0, 2));
- in ℓ1: if x ≤ 1, play (b, [0, 1 − x]); otherwise, play (a, [0, 2 − x]);
- in ℓ2, play (b, [0, +∞)).
penalty = +∞

Possible (memoryless) strategy:
- in ℓ0, play (a, [0, 1]);
- in ℓ1: if x = 0, play (b, [0, 1]); otherwise, play (a, [0, 2 − x]);
- in ℓ2, play (b, [0, +∞)).
penalty = 1

Theorem. For one-clock timed games: memoryless optimal-penalty strategies exist, and they can be computed in polynomial time.
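Added example (not from the slides): a checker for the penalty of a memoryless permissive strategy in a one-clock game, using the slide's penalty 1/(b − a) for a proposed interval [a, b]. The game graph, written loosely after the one on the slide with locations l0, l1, l2 and actions a, b, is constructed; the strategy's overall penalty is taken here to be the largest penalty of any interval it proposes along any play (an assumption), and Player 2's choice of delay is explored on a grid of multiples of 1/4, which suffices for these two strategies because their worst intervals are proposed at grid points. The two strategies are the ones from the slide: the first has penalty +∞ (at x = 1 it proposes [0, 1 − x], an interval of length 0), the second has penalty 1.

```python
from fractions import Fraction as F

INF = float("inf")

def penalty(lo, hi):
    """Penalty 1/(b - a) of a proposed delay interval [a, b]; hi=None means [a, +inf)."""
    if hi is None:
        return F(0)
    return INF if hi == lo else 1 / (hi - lo)

# Constructed game (loosely after the slide's automaton). An edge is keyed by
# (location, action) and carries (guard on x, reset?, target location).
EDGES = {
    ("l0", "a"): (lambda x: x < 2, False, "l1"),
    ("l1", "b"): (lambda x: x <= 1, False, "l2"),
    ("l1", "a"): (lambda x: x <= 2, True, "l2"),
    ("l2", "b"): (lambda x: True, True, "l2"),
}
GOAL = "l2"

# Player 2 may pick any delay on this grid (assumption: exact for the strategies below).
STEP = F(1, 4)
GRID = [i * STEP for i in range(0, 13)]   # 0, 1/4, ..., 3

def strategy_penalty(edges, strategy, init="l0", goal=GOAL):
    """Worst-case penalty of a memoryless strategy. `strategy(loc, x)` returns
    (action, (lo, hi, hi_open)); Player 2 then chooses any grid delay in the interval.
    Raises ValueError if some admissible delay violates the edge guard."""
    worst = F(0)
    seen, stack = set(), [(init, F(0))]
    while stack:
        loc, x = stack.pop()
        if (loc, x) in seen or loc == goal:
            continue
        seen.add((loc, x))
        action, (lo, hi, hi_open) = strategy(loc, x)
        guard, reset, dst = edges[(loc, action)]
        worst = max(worst, penalty(lo, hi))
        for d in GRID:
            if d < lo or (hi is not None and (d > hi or (hi_open and d == hi))):
                continue
            if not guard(x + d):
                raise ValueError(f"strategy invalid at {loc}, x={x}: delay {d} breaks the guard")
            stack.append((dst, F(0) if reset else x + d))
    return worst

def strategy_1(loc, x):
    """First strategy from the slide."""
    if loc == "l0":
        return "a", (F(0), F(2), True)               # (a, [0, 2))
    if loc == "l1":
        if x <= 1:
            return "b", (F(0), 1 - x, False)         # (b, [0, 1 - x])
        return "a", (F(0), 2 - x, False)             # (a, [0, 2 - x])
    return "b", (F(0), None, False)                  # (b, [0, +inf))

def strategy_2(loc, x):
    """Second strategy from the slide."""
    if loc == "l0":
        return "a", (F(0), F(1), False)              # (a, [0, 1])
    if loc == "l1":
        if x == 0:
            return "b", (F(0), F(1), False)          # (b, [0, 1])
        return "a", (F(0), 2 - x, False)             # (a, [0, 2 - x])
    return "b", (F(0), None, False)

if __name__ == "__main__":
    print("strategy 1 penalty:", strategy_penalty(EDGES, strategy_1))
    print("strategy 2 penalty:", strategy_penalty(EDGES, strategy_2))
```

The guard check is what makes permissiveness meaningful: a strategy may only widen an interval as far as every delay in it still satisfies the guard, so in l0 the first strategy must stop short of 2, and the second strategy pays penalty 1 in exchange for never proposing an interval shorter than 1.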