From Timed Automata to Stochastic Hybrid Games
Kim G. Larsen
Aalborg University, DENMARK
Model Checking, Performance Analysis, Optimization, Synthesis, and Machine Learning
CISS – Center For Embedded Software Systems
Regional ICT Center (2002- )
3 research groups: Computer Science, Control Theory, Hardware / Wireless Communication
20 employed, 25 associated, 20 PhD students, 70 industrial projects, 10 elite students
Projects: ARTIST Design, ARTEMIS / ECSEL, ...
(Slides: Kim G. Larsen, TU Graz, May 2017)
From ES (Embedded Systems) to CPS (Cyber-Physical Systems)
New Foundation
Discrete Models (Boolean correctness) → Quantitative Models: time, resources, probabilistic, stochastic, continuous, ... (Quantitative correctness)
Axes of the new foundation: Discrete, Real Time, Resources, Hybrid, Stochasticity
Model Checking
TOOL takes a System Description and a Requirement.
Yes → Prototypes, Executable Code, Test sequences
No! → Debugging Information
Requirements annotated with Time, Cost and Probability:
A[] (req imply A<> grant)
A[] (req imply A<>(t<30s) grant)
A[] (req imply A<>(t<30s, p>0.90) grant)
A[] (req imply A<>(t<30s, c<5$) grant)
Synthesis
TOOL takes a System Description and a Requirement.
Yes → Control Strategy
No! → Debugging Information
A[] (req imply A<> grant)
A[] (req imply A<>(t<30s) grant)
A[] (req imply A<>(t<30s, c<5$) grant)
Time, Cost, Probability? A[] (req imply A<>(t<30s, p>0.90) grant)
Origin of UPPAAL
1989 – TAV: CCS & Modal Transition Systems, Refinements, Modal Mu-Calculus, Explicit State Representation, Prolog
1993 – EPSILON: TCCS, Timed Refinements, Timed Mu-Calculus, Regions, Prolog
1995 – UPPAAL: Timed Automata, TCTL, Zones, C++ & Java
2007 – UP4ALL
2013 – CAV Award
2016 – Grundfos Prize
UPPAAL Model Checker
Editor, Simulator, Verifier, Performance Analyses
Modeling aspects: Discrete Control, Concurrency, Continuous Aspects, Stochasticity, Timing Constraints, Resources
UPPAAL (1995- )
UPPAAL Tool Suite
• CLASSIC – Verification (1995)
• CORA – Optimization (2001)
• TRON – Testing (2004)
• TIGA – Synthesis (2005)
• ECDAR – Component (2010)
• SMC – Performance Analysis (2011)
• STRATEGO – Optimal Synthesis (2014)
Topics
• Timed Automata: Decidability (regions), Symbolic Verification (zones)
• Priced Timed Automata: Decidability (priced regions), Symbolic Verification (priced zones)
• Stochastic Timed Automata: Stochastic Semantics, Statistical Model Checking, Stochastic Hybrid Automata
• Timed Games & Interfaces: Strategies, Symbolic Synthesis, Refinement
• Stochastic Priced Timed Games: Strategies, Symbolic Synthesis (zones), Stochastic Strategies, Reinforcement Learning
people.cs.aau.dk/~kgl/GRAZ17/
Timed Automata
Real Time Systems
Figure: Plant (continuous) and Controller Program (discrete), connected through sensors and actuators.
E.g.: real-time protocols, pump control, air bags, robots, cruise control, ABS, CD players, production lines.
Real Time System: a system where correctness not only depends on the logical order of events but also on their timing!!
A Dumb Light Controller
Timed Automata [Alur & Dill'89]
Add a clock x (x: a real-valued clock).
Synchronizing action (e.g. press?).
Clock guard: conjunctions of x ~ n.
Reset: x := 0.
A Timed Automaton (Semantics)
States: (location, x=v) where v ∈ R
Transitions:
(Off, x=0) --delay 4.32--> (Off, x=4.32) --press?--> (Light, x=0) --delay 2.51--> (Light, x=2.51) --press?--> (Bright, x=2.51)
Intelligent Light Controller
Invariant (Henzinger)
Transitions:
(Off, x=0) --delay 4.32--> (Off, x=4.32) --press?--> (Light, x=0) --delay 4.51--> (Light, x=4.51) --press?--> (Light, x=0) --delay 100--> (Light, x=100) --> (Off, x=0)
Note: (Light, x=0) --delay 103--> is not possible; the invariant of Light forbids it.
Invariants ensure progress.
Intelligent Light Controller
UPPAAL Demo
Clock Valuations
Clock Valuations – Operations
Clock Valuations – Evaluation
Timed Automata – Syntax
Timed Automata – Semantics
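To make the slide traces above concrete, here is an interpreter for the dense-time semantics just described (an added example written for this page; it is not code from the slides or from UPPAAL). A state is a pair (location, x=v); a delay move is allowed only while the location invariant holds; an action move takes an edge whose guard holds on the current valuation, applies its reset and must land inside the target invariant. The light-controller model is reconstructed from the traces on the slides: the threshold of 3 time units for a "quick" second press and the Bright → Off edge on press are assumptions consistent with those traces.

```python
"""Concrete (dense-time) semantics of the Intelligent Light Controller.

Added example for this page; not UPPAAL's code or a model file from the slides.
Off --press?--> Light (x:=0); in Light a second press within 3 time units gives
Bright, a later press restarts Light (x:=0); Light has invariant x<=100 and times
out to Off at x==100; Bright returns to Off on press. The threshold 3 and the
Bright--press?-->Off edge are assumptions consistent with the slide traces.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

State = Tuple[str, float]        # (location, clock valuation x = v), v a non-negative real
Move = Union[float, str]         # a delay d, or an action label


@dataclass(frozen=True)
class Edge:
    src: str
    action: str                      # "press?" (synchronising) or "timeout" (internal)
    guard: Callable[[float], bool]   # conjunction of x ~ n, evaluated on the valuation
    reset: bool                      # x := 0 when the edge is taken?
    dst: str


@dataclass(frozen=True)
class TimedAutomaton:
    init: str
    invariant: Dict[str, Callable[[float], bool]]   # location -> invariant on x
    edges: List[Edge]

    def inv(self, loc: str, x: float) -> bool:
        return self.invariant.get(loc, lambda _: True)(x)

    def delay(self, state: State, d: float) -> Optional[State]:
        """Delay transition: allowed only while the location invariant holds.
        Invariants here are upper bounds (x <= n), so checking the end point suffices."""
        loc, x = state
        if d < 0 or not self.inv(loc, x + d):
            return None
        return (loc, x + d)

    def action(self, state: State, label: str) -> Optional[State]:
        """Discrete transition: first enabled edge with this label, reset, target invariant."""
        loc, x = state
        for e in self.edges:
            if e.src == loc and e.action == label and e.guard(x):
                nx = 0.0 if e.reset else x
                if self.inv(e.dst, nx):
                    return (e.dst, nx)
        return None

    def run(self, moves: List[Move]) -> Tuple[List[State], Optional[Move]]:
        """Execute delays/actions from (init, x=0); return the trace and the first blocked move."""
        state: State = (self.init, 0.0)
        trace = [state]
        for m in moves:
            nxt = self.delay(state, float(m)) if isinstance(m, (int, float)) else self.action(state, m)
            if nxt is None:
                return trace, m
            state = nxt
            trace.append(state)
        return trace, None


LIGHT = TimedAutomaton(
    init="Off",
    invariant={"Light": lambda x: x <= 100},
    edges=[
        Edge("Off",    "press?",  lambda x: True,     True,  "Light"),
        Edge("Light",  "press?",  lambda x: x < 3,    False, "Bright"),  # quick second press (assumed threshold)
        Edge("Light",  "press?",  lambda x: x >= 3,   True,  "Light"),   # slow press restarts the light
        Edge("Light",  "timeout", lambda x: x >= 100, True,  "Off"),     # the invariant forces this edge
        Edge("Bright", "press?",  lambda x: True,     True,  "Off"),     # assumed
    ],
)

if __name__ == "__main__":
    print(LIGHT.run([4.32, "press?", 2.51, "press?"]))                     # ends in (Bright, 2.51)
    print(LIGHT.run([4.32, "press?", 4.51, "press?", 100, "timeout"]))     # ends in (Off, 0.0)
    print(LIGHT.run(["press?", 103]))                                      # delay 103 is blocked
```

The third run stops at the delay of 103: the invariant x<=100 of Light refuses it, which is exactly how invariants force progress (the timeout edge must be taken by x==100).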
Example
Figure (several slides): a timed automaton with clocks x and y and actions a, b, c. Is L1 reachable? The slides step through the transitions (a, a, a, b, ...) and plot the reachable clock valuations in the (x, y) plane after each step.
UPPAAL First Introduction
Light Control Interface
Components: User, Interface, Control Program, Light. The User presses and releases the button (press?, release?); the Interface translates these into touch!, starthold! and endhold! for the Control Program.
Figure (interface timing, as read from the slide): press? followed by release? after a delay d with 0.5 ≤ d ≤ 1 gives touch!; a press? held for 1 time unit gives starthold!, and the release? after d > 1 then gives endhold!. Sample user traces: press? 0.2 release? ... (no output); press? 0.7 release? ... (touch!); press? 1.0 2.4 release? ... (starthold! endhold!).
Light Control Network: User – Interface – Control Program – Light, communicating over the same channels (press?, release?, touch!, starthold!, endhold!).
Full Light Controller (figure; includes the Dim locations).
LEGO Mindstorms/RCX
Sensors: temperature, light, rotation, pressure.
Actuators: motors, lamps.
Virtual machine: 10 tasks, 4 timers, 16 integers.
Several programming languages: NotQuiteC, Mindstorm, Robotics, legOS, etc.
3 input ports, 3 output ports, 1 infra-red port.
A Real Real-Time System
Controller Program: LEGO MINDSTORM. The Plant: Conveyor Belt & Bricks.
First UPPAAL model: Sorting of Lego Boxes (exercise due to Ken Tindell).
Exercise: design the controller so that black boxes are being pushed out.
Figure labels: Conveyor Belt, Boxes, Piston, Black, Red, 9 18 81 90 99, Blck/Yel, remove, eject, Controller (tasks MAIN and PUSH).
NQC programs

// Global variables: NQC requires them to be declared before the tasks that use them
int active;        // 1 while a black brick has been seen and is waiting to be ejected
int DELAY;         // timer ticks from detection until the piston fires (RCX timers tick every 100 ms)
int LIGHT_LEVEL;   // light sensor threshold: readings at or below it mean "black"

// PUSH: waits DELAY ticks after a detection, then drives the piston out and back
task PUSH {
  while (true) {
    wait(Timer(1) > DELAY && active == 1);
    active = 0;
    Rev(OUT_C, 1);   // piston out
    Sleep(8);
    Fwd(OUT_C, 1);   // piston back
    Sleep(12);
    Off(OUT_C);
  }
}

// main (MAIN on the slides; NQC's entry task must be called main): runs the belt,
// samples the light sensor and arms PUSH whenever a black brick passes the sensor
task main {
  DELAY = 75;
  LIGHT_LEVEL = 35;
  active = 0;
  Sensor(IN_1, IN_LIGHT);      // input 1 is a light sensor
  Fwd(OUT_A, 1);               // conveyor belt motor on
  Display(1);
  start PUSH;
  while (true) {
    wait(IN_1 <= LIGHT_LEVEL); // dark reading: black brick in front of the sensor
    ClearTimer(1);             // measure time since detection
    active = 1;
    PlaySound(1);
    wait(IN_1 > LIGHT_LEVEL);  // wait for the brick to pass
  }
}
A Black Brick
Control Tasks & Piston
GLOBAL DECLARATIONS:
const int ctime = 75;            // the DELAY of the NQC program, in timer ticks
int[0,1] active;                 // mirrors the NQC variable active
clock x, time;                   // x models the RCX timer, time is global time
chan eject, ok;
urgent chan blck, red, remove, go;
From RCX to UPPAAL – and back
Model includes Round-Robin Scheduler.
Compilation of RCX tasks into TA models.
Presented at ECRTS 2000 in Stockholm.
From UPPAAL to RCX: Martijn Hendriks.
Figure: the timed-automaton model of Task MAIN.
The Production Cell in LEGO
Course at DTU, Copenhagen. Production Cell by Rasmus Crüger Lund and Simon Tune Riemanni.
UPPAAL Modeling & Specification
Train Crossing
Figure: a river, a bridge and the tracks crossing it. Each train moves Safe → Approaching → Crossing → Safe. Approaching takes at most 20 time units; "Stop the train while it is still stoppable!", i.e. within the first 10 time units of approaching. Crossing takes 3 – 5 time units. A stopped train, once restarted, reaches Crossing after 7 – 15 time units (Stopped → Restarted → Crossing → Safe).
Train Crossing: locations Safe, Approaching, Crossing, Stopped, Restarted; add timing + synchronization.
Timed Automata [Train] = Finite State Control + Real Valued Clocks
invariants, guards, synchronizations, resets
Timed Automata [Gate] = Finite State Control + Real Valued Clocks + Discrete Variables
Demo 1
UPPAAL Help
Logical Specifications
Validation Properties
  Possibly: E<> P
Safety Properties
  Invariant: A[] P
  Pos. Inv.: E[] P
Liveness Properties
  Eventually: A<> P
  Leadsto: P --> Q
Bounded Liveness
  Leads to within t: P -->≤t Q
The expressions P and Q must be type safe, side effect free, and evaluate to a boolean.
Only references to integer variables, constants, clocks, and locations are allowed (and arrays of these).
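The "Is L1 reachable?" question of the Example slides and the E<> / A[] forms listed here are decided by UPPAAL symbolically, over zones represented as difference bound matrices (DBMs) rather than over single clock valuations. The block below is an added example of that algorithm, written for this page and not UPPAAL's implementation: DBM canonicalisation, the delay operation (up), clock reset, guard intersection, and forward reachability with inclusion checking. The automaton is constructed to match the shape of the slides' example (clocks x, y; actions a, b, c; locations L0, L1, L2) and its guards are my choice. reachable() answers E<> (loc and constraint); A[] P is its dual, not E<> not P.

```python
"""Symbolic reachability with zones (DBMs) for a small timed automaton.
Added example written for this page, not UPPAAL's implementation. The automaton is
constructed in the shape of the slides' example (clocks x, y; actions a, b, c;
"Is L1 reachable?"); its guards are my choice:
  L0 --a, x:=0--> L0    L0 --b, y>=5 && x<=2--> L1    L0 --c, x>=5 && y<=2--> L2
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Bound = Tuple[float, bool]       # (c, strict): x_i - x_j < c if strict else x_i - x_j <= c
INF: Bound = (math.inf, True)    # no bound
ZERO: Bound = (0, False)
CLOCKS: Dict[str, int] = {"0": 0, "x": 1, "y": 2}   # "0" is the reference clock, always 0
# A DBM is a square list D with D[i][j] bounding x_i - x_j; a constraint is
# (ci, cj, c, strict) meaning ci - cj (<|<=) c, e.g. ("0", "y", -5, False) is y >= 5.

def tighter(a: Bound, b: Bound) -> bool:
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])

def add(a: Bound, b: Bound) -> Bound:
    return (a[0] + b[0], a[1] or b[1])

def close(D):   # canonical form (Floyd-Warshall): every entry is the tightest derivable bound
    n = len(D)
    for k in range(n):
        for i in range(n):
            for j in range(n):
                s = add(D[i][k], D[k][j])
                if tighter(s, D[i][j]):
                    D[i][j] = s
    return D

def is_empty(D) -> bool:   # a closed DBM is empty iff some x_i - x_i < 0 (negative cycle)
    return any(tighter(D[i][i], ZERO) for i in range(len(D)))

def up(D):   # delay: drop the upper bounds x_i <= c; clock differences stay unchanged
    D = [row[:] for row in D]
    for i in range(1, len(D)):
        D[i][0] = INF
    return D

def reset(D, clock: str):   # x := 0: the clock inherits the constraints of the reference clock
    D, c = [row[:] for row in D], CLOCKS[clock]
    for j in range(len(D)):
        D[c][j], D[j][c] = D[0][j], D[j][0]
    D[c][c] = ZERO
    return D

def intersect(D, constraints):   # conjoin guard/invariant constraints, then re-canonicalise
    D = [row[:] for row in D]
    for ci, cj, c, strict in constraints:
        i, j = CLOCKS[ci], CLOCKS[cj]
        if tighter((c, strict), D[i][j]):
            D[i][j] = (c, strict)
    return close(D)

def subset(D1, D2) -> bool:   # zone inclusion on canonical DBMs: entrywise comparison
    n = len(D1)
    return all(not tighter(D2[i][j], D1[i][j]) for i in range(n) for j in range(n))

@dataclass(frozen=True)
class Edge:
    src: str
    action: str
    guard: tuple      # constraints
    resets: tuple     # clock names
    dst: str

EDGES = [
    Edge("L0", "a", (), ("x",), "L0"),
    Edge("L0", "b", (("0", "y", -5, False), ("x", "0", 2, False)), (), "L1"),   # y >= 5 && x <= 2
    Edge("L0", "c", (("0", "x", -5, False), ("y", "0", 2, False)), (), "L2"),   # x >= 5 && y <= 2
]
INVARIANTS: Dict[str, tuple] = {}   # none in this constructed example

def reachable(edges, invariants, init, target, target_constraint=()) -> bool:
    """E<> (target and target_constraint) by forward zone exploration with inclusion checking."""
    n = len(CLOCKS)
    Z = [[ZERO for _ in range(n)] for _ in range(n)]          # initially all clocks are 0
    waiting = [(init, intersect(up(Z), invariants.get(init, ())))]
    passed: List[Tuple[str, list]] = []
    while waiting:
        loc, Z = waiting.pop()
        if any(l == loc and subset(Z, P) for l, P in passed):
            continue                                            # covered by an explored zone
        passed.append((loc, Z))
        if loc == target and not is_empty(intersect(Z, target_constraint)):
            return True
        for e in edges:
            if e.src != loc:
                continue
            S = intersect(Z, e.guard)                           # take the guard
            if is_empty(S):
                continue
            for clk in e.resets:                                # apply the resets
                S = reset(S, clk)
            S = intersect(S, invariants.get(e.dst, ()))        # target invariant on entry
            if is_empty(S):
                continue
            waiting.append((e.dst, intersect(up(S), invariants.get(e.dst, ()))))   # then let time pass
    return False
```

reachable(EDGES, INVARIANTS, "L0", "L1") is True: after one a (x := 0) the zone is x ≤ y, so waiting lets y reach 5 while x stays ≤ 2. reachable(EDGES, INVARIANTS, "L0", "L2") is False because every reachable zone carries the difference constraint x − y ≤ 0, which makes x ≥ 5 ∧ y ≤ 2 empty; the Floyd-Warshall closure is what exposes that negative cycle. Likewise E<> (L1 and y − x < 3) is False: entering L1 fixes y − x ≥ 3 and delays never change differences.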
Demo 2
Editor
GUI
• Unlimited undo and redo
• Syntax and bracket highlighting
• Rectangular selection
• Customization of colors
• Tooltip
• Hiding of information
• Improved help menu with search component
Language
• User defined functions (C-like)
• New types (records, type declarations, meta variables, scalars)
• Partial instantiation of templates
• Select clauses on edges
• Forall and exist quantifiers
Concrete Simulator / Symbolic Simulator
Graphical Simulator
• visualization and recording
• inexpensive fault detection
• inspection of error traces
• Message Sequence Charts
• Gantt Charts
Verifier
• Exhaustive & automatic
checking of requirements
• .. including validating, safety, liveness,
bounded liveness and
response properties
•.. performance properties,
e.g probabilistic and expectation.
• .. generation of debugging information
for visualisation in simulator.
• .. plot composer
Applications (some)
Bang & Olufsen IR-Link
Bug known to exist for 10 years.
Ill-described: 2,800 lines of assembler code + 3 flowcharts + 1 B&O engineer.
3 months for modeling.
UPPAAL detects the error with a shortest trace of 1,998 transition steps.
Error trace was confirmed in the B&O laboratory.
Error corrected and verified in UPPAAL.
Arne Skou, Klaus Havelund; 1st RTSS'97 talk, Klaus Havelund.
(Slide from "Reliable systems & Uppaal", Arne Skou, March 25, 1999)
Figure (B&O IR-link timing): bus states Message, Collision, Radio Silence, Jam; slot length 1562 ms, back-off 2*i*1562 ms, 50,000 ms intervals; sampling each 781 ms. Message grammar: M ::= T5 {T1, T2, T3}^{>=15} T4, with the messages M1 and M2 of two senders and the resulting M.
Philips Bounded Retransmission Protocol
Pedro D’Argenio
Joost-Pieter Katoen
Theo Ruys
Jan Tretmans
FlexRay
Fault-tolerance
Timed hardware model
Parameterized error models (glitches, jitter)
Voting & bit-clock alignment
BMW, Bosch, Daimler, Freescale, General Motors, NXP Semiconductors, and Volkswagen
Figure: transmission of a message byte.
[Gerke, Ehlers, Finkbeiner, Peters, 2010]
Gear Controller with MECEL AB
Flowgraph, Timed Automata Models, Requirements (three slides)
Magnus Lindahl, Paul Pettersson, Wang Yi, 2001
UPPAAL Model Checking – Demo
TERMA A/S (2004): Memory Management for Radars
Radar Video Processing Subsystem, Advanced Noise Reduction Techniques
Figure: Airport Surveillance and Coastal Surveillance radar echoes at 9.170 GHz and 9.438 GHz, Frequency Diversity combiner (Combiner VP3); the memory-access pattern is shown as a grid of entries e0,2 ... e3,5.
TERMA A/S (2011): Herschel-Planck Scientific Mission at ESA
Attitude and Orbit Control Software, TERMA A/S: Steen Ulrik Palm, Jan Storbank Pedersen, Poul Hougaard
METAMOC
Modular Execution Time Analysis using MOdel Checking
with Andreas Dalsgaard, Mads Christian Olesen, Martin Toft, René Rydhof Hansen
Controllers in UPPAAL
• Gearbox Controller [TACAS'98]
• Bang & Olufsen Power Controller [RTPS'99, FTRTFT'2k]
• SIDMAR Steel Production Plant [RTCSA'99, DSVV'2k]
• Real-Time RCX Control-Programs [ECRTS'2k]
• Terma, Verification of Memory Management for Radar (2001)
• Scheduling Lacquer Production (2005)
• Memory Arbiter Synthesis and Verification for a Radar Memory Interface Card [NJC'05]
• Adapting the UPPAAL Model of a Distributed Lift System, 2007
• Analyzing a χ model of a turntable system using Spin, CADP and Uppaal, 2006
• Designing, Modelling and Verifying a Container Terminal System Using UPPAAL, 2008
• Model-based system analysis using Chi and Uppaal: An industrial case study, 2008
• Climate Controller for Pig Stables, 2008
• Optimal and Robust Controller for Hydraulic Pump, 2009
(Wireless) Protocols in UPPAAL
• Bang & Olufsen IR Link
• Philips Audio Protocol
• Collision-Avoidance Protocol
• Bounded Retransmission Protocol
• TDMA Protocol
• Multimedia Streams
• ATM ABR Protocol
• Lamport's Leader Election Protocol
• ABB Fieldbus Protocol
• IEEE 1394 Firewire Root Contention
• Bluetooth Protocol
• Distributed Agreement Protocol
• FlexRay
• CHESS MAC Protocol
• Proprietary WSN, Other Big Danish Company
• MESH Protocol (MAC & Routing), NEOCORTEC
UPPAAL as a Back-End
• Vooduu: verification of object-oriented designs using Uppaal, 2004
• Moby/RT: A Tool for Specification and Verification of Real-Time Systems, 2000
• Formalising the ARTS MPSOC Model in UPPAAL, 2007
• Timed automata translator for Uppaal to PVS
• Component-Based Design and Analysis of Embedded Systems with UPPAAL PORT, 2008
• Verification of COMDES-II Systems Using UPPAAL with Model Transformation, 2008
• METAMOC: Modular WCET Analysis Using UPPAAL, 2010.
www.uppaal.org
Exercises
http://people.cs.aau.dk/~kgl/GRAZ17/
Exercise 1 (Brick Sorter), Exercise 19 (Train Crossing), Exercise 2 (Coffee Machine), Exercise 28 (Jobshop Scheduling)