Introduction to Hybrid Automata
Arijit Mondal, Kapil Modi, Arnab Sinha
Formal-V Group, IIT KGP
Jan 09, 2016

Introduction
• A hybrid automaton is a formal model for a mixed discrete continuous system.
• Systems with 'discrete jumps' & 'continuous flow' can be modeled into Hybrid Automata.
• Bouncing Ball Example:
Here, the following properties hold:
$\dot{h} = v$, $\dot{v} = -g$, $h \ge 0$

Bouncing Ball: Properties
• States: In air (Assumption: Rebound time is negligible)
• Continuous Variable: height (h), velocity (v)
• Guard Condition: height=0, velocity=negative.
• Effect (Reset Map): velocity changes due to restitution coefficient (e)
We are ready for the Model !!!

Bouncing Ball Model:
State: Fly
Continuous variables: $\dot{h} = v$, $\dot{v} = -g$
Domain (Fly): $h \ge 0$
Guard Condition: $(h = 0) \wedge (v < 0)$
Reset condition: $v := -ev$

An Illustration: Water Tank Problem

Water Tank: Properties
• The supplier can supply water at a rate of w to only one reservoir at a time. [Discrete Behavior]
• The current levels are x1 and x2 respectively. [Continuous Variables]
• The minimum thresholds to be maintained are r1 and r2 respectively. [Guard Conditions]
• It is assumed that during a transition between reservoirs neither level changes. [Reset Property]
Hence we can model it with Hybrid Automata!!!
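
Water Tank Problem
State q1, continuous variables: $\dot{x}_1 = w - v_1$, $\dot{x}_2 = -v_2$; Domain(q1): $x_2 \ge r_2$
State q2, continuous variables: $\dot{x}_1 = -v_1$, $\dot{x}_2 = w - v_2$; Domain(q2): $x_1 \ge r_1$
Guard Condition (q1 to q2): $x_2 \le r_2$; Reset Property: $x := x$
Guard Condition (q2 to q1): $x_1 \le r_1$; Reset Property: $x := x$
Entry condition on both states: $x_1 \ge r_1 \wedge x_2 \ge r_2$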

The Automaton
$H = (Q, X, f, Init, D, E, G, R)$
• Where,
• Q = set of discrete states.
• X = set of continuous variables,
$f : Q \times X \to \mathbb{R}^n$
$Init \subseteq Q \times X$
$Dom : Q \to P(X)$
$E \subseteq Q \times Q$
$G : E \to P(X)$
$R : E \times X \to P(X)$
Where E is the set of edges, G is the guard condition, and R is the Reset Map.

An Illustration: Water Tank Problem
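
Water Tank Problem: Formal Model
$Q = \{q_1, q_2\}$
$X = \mathbb{R}^2$
$f(q_1, x) = \begin{pmatrix} w - v_1 \\ -v_2 \end{pmatrix}$, $f(q_2, x) = \begin{pmatrix} -v_1 \\ w - v_2 \end{pmatrix}$
$Init = \{q_1, q_2\} \times \{x \in \mathbb{R}^2 \mid x_1 \ge r_1 \wedge x_2 \ge r_2\}$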

Water Tank Problem: Formal Model (Contd.)
$Dom(q_1) = \{x \in \mathbb{R}^2 \mid x_2 \ge r_2\}$
$Dom(q_2) = \{x \in \mathbb{R}^2 \mid x_1 \ge r_1\}$
$E = \{(q_1, q_2), (q_2, q_1)\}$
$R(q_1, q_2, x) = R(q_2, q_1, x) = \{x\}$

Water Tank Problem
[Figure: hybrid automaton of the water tank with states q1 and q2]

Hybrid time set
$\{I_0, I_1, \ldots, I_N\} = \{I_i\}_{i=0}^{N}$
It is a sequence of finite or infinite intervals such that
i
andIIN
NiI
iii
NNNNNN
iii
1'
''
'
);,[],[)(
],,[

Bouncing Ball: Hybrid time-set
0'0
'1
1The bouncing ball: The first half is upward movement and the next half is downwards. The first run is interval and the next run is in and so on.'
0 0[ , ] '
1 1[ , ]

Hybrid Trajectory q, x)
• A hybrid trajectory is a triple q, x) consisting of a hybrid time set, and two sequences of functions q and x such that
$\{I_i\}_{i=0}^{N}$
$q = \{q_i(\cdot)\}_{i=0}^{N}, \quad q_i(\cdot) : I_i \to Q$
$x = \{x_i(\cdot)\}_{i=0}^{N}, \quad x_i(\cdot) : I_i \to \mathbb{R}^n$

Hybrid Execution
An execution of a hybrid automaton H is a hybrid trajectory,
q, x), which satisfies the following conditions.
• Initial condition: $(q_0(0), x_0(0)) \in Init$
• Discrete evolution:
)).(),(),(()(
)),(),(()(,))(),((,'
11'
11
11''
11'
iiiiiiii
iiiiiiiiii
xqqRx
andqqGxEqqi

Hybrid Execution (contd.)
• Continuous evolution:
QIq ii :(.).1 ;),()( iiii Itqtq such that
XIx ii :(.).2 is the solution to the diff. equation
))(),(( txtqfdt
dxii
i
over starting at iI ,);( andx ii
))(()(),,[ ' tqDomtxt iiii

Water Tank Problem: Hybrid Execution
[Figure: hybrid automaton of the water tank with states q1 and q2]
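
Water Tank Problem: Hybrid Execution (Contd.)
$Q = \{q_1, q_2\}$, $X = \mathbb{R}^2$
$f(q_1, x) = \begin{pmatrix} w - v_1 \\ -v_2 \end{pmatrix}$, $f(q_2, x) = \begin{pmatrix} -v_1 \\ w - v_2 \end{pmatrix}$
$Init = \{q_1, q_2\} \times \{x \in \mathbb{R}^2 \mid x_1 \ge r_1 \wedge x_2 \ge r_2\}$
$Dom(q_1) = \{x \in \mathbb{R}^2 \mid x_2 \ge r_2\}$, $Dom(q_2) = \{x \in \mathbb{R}^2 \mid x_1 \ge r_1\}$
$E = \{(q_1, q_2), (q_2, q_1)\}$
$R(q_1, q_2, x) = R(q_2, q_1, x) = \{x\}$
$I_1 = [t_0, t_0']$, $q_1$
$I_2 = [t_1, t_1']$, $q_2$
Initial Condition: $(q_0(0), x_0(0)) \in \{(q_1, x) \mid x_1 \ge r_1 \wedge x_2 \ge r_2\} \subseteq Init$
Discrete Evolution: $q_1(t_0') = q_1$; $q_2(t_1) = q_2$; $(q_1, q_2) \in E \Rightarrow (q_1(t_0'), q_2(t_1)) \in E$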

Water Tank Problem: Hybrid Execution (Contd.)
Continuous Evolution
$t \in I_1$, $q(t) = q_1$; $\dot{x} = f(q_1, x)$
$t \in I_2$, $q(t) = q_2$; $\dot{x} = f(q_2, x)$

Classification of Executions
• Finite, if is a finite sequence and the last interval in is closed.
• Infinite, if is an infinite sequence, or if,
• Zeno, if it is infinite but the sum of intervals is finite. Real life designs are mostly non-zeno i.e. time-diverging e.g. bouncing ball system.
• Maximal, if it is not a strict prefix of any other execution of H.
N
iii
0
' )(
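
The water tank formal model and the Zeno classification above, worked as an added example (this is not code from the slides). The names `Tank`, `execute` and `zeno_time` and the numeric values are constructed for illustration; it assumes positive outflow rates and w < v1 + v2, in which case the interval lengths shrink geometrically and their sum stays finite.

```python
from dataclasses import dataclass

@dataclass
class Tank:
    w: float   # supply rate, delivered to one tank at a time
    v: tuple   # outflow rates (v1, v2), assumed positive
    r: tuple   # minimum levels (r1, r2)

    def flow(self, q):
        # q = 0 is state q1 (tank 1 supplied), q = 1 is state q2.
        # f(q1, x) = (w - v1, -v2); f(q2, x) = (-v1, w - v2)
        return tuple((self.w if i == q else 0.0) - self.v[i] for i in (0, 1))

def execute(tank, q, x, jumps):
    """Return [(state, t_start, t_end, x_end), ...] for `jumps` intervals."""
    if not all(xi >= ri for xi, ri in zip(x, tank.r)):
        raise ValueError("(q, x) is not in Init")
    t, run = 0.0, []
    for _ in range(jumps):
        drain = 1 - q                      # index of the tank not being supplied
        rate = tank.flow(q)
        # Dom(q) needs x[drain] >= r[drain]; the guard fires when it reaches r.
        dwell = (x[drain] - tank.r[drain]) / -rate[drain]
        x = tuple(xi + ri * dwell for xi, ri in zip(x, rate))
        run.append((q, t, t + dwell, x))
        t, q = t + dwell, drain            # discrete jump, reset map R = {x}
    return run

def zeno_time(tank, x):
    # The total volume above the thresholds falls at rate v1 + v2 - w,
    # so the switching times accumulate at this instant.
    return (sum(x) - sum(tank.r)) / (sum(tank.v) - tank.w)

# Constructed sample parameters and initial state (q1, x = (0, 1)).
TANK = Tank(w=0.75, v=(0.5, 0.5), r=(0.0, 0.0))
RUN = execute(TANK, 0, (0.0, 1.0), 30)

if __name__ == "__main__":
    for state, start, end, level in RUN[:5]:
        print(f"q{state + 1}: [{start}, {end}] ends at x = {level}")
    print("accumulation point:", zeno_time(TANK, (0.0, 1.0)))
```
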

0-Transition
• We know,
• Hence we define an event which triggers transition iff there exists an edge e= (q, q’) such that for some ,
• Hence we can say for all states q, of a hybrid automaton i.e. we can always construct an edge such that
)}(,,)(|{~~
XPXEeXeggG
Gg
).(,)(~
XPXXeg qq 0
),( qqe ).()( qDomeg
q0
).()( qDomeg

Composition of Automata
• For two hybrid automata, $H_1$ and $H_2$, we can define the semantics of parallel composition as $H_1 \| H_2$.
• But for composition, the transitions have to be consistent.
• The transitions, and are consistent if any of the following three conditions are true,
•
• and .
• and .
111 qq a 22
2 qq a
21 aa
211 \ a 02 a
122 \ a 01 a

Composition: Water Tank Model
• We develop two independent models of the 2 reservoirs.
[Figure: one automaton per reservoir, with states q11, q12 over x1, r1 and states q21, q22 over x2, r2; transitions are labelled "supply: true" and "supply: false"]
holds when water is supplied to tank 1.

Composition: Water Tank Model
• The complete model.
[Figure: composed automaton with states {q11, q22} and {q12, q21}]

Example: Buck Converter
Buck converter driving variable load
• Switch S1 remains on for 6 secs and off for 4 secs
• Switch S2 alternates between R1 and R2 every 4 secs

Discrete states and State variables
• Four discrete states
– S1 on and S2—R1 (A)
– S1 on and S2—R2 (B)
– S1 off and S2—R2 (C)
– S1 off and S2—R1 (D)
• For circuit dynamics:
– Current through inductor (i)
– Voltage across capacitor (v)
• Clock variables:
– S1: denotes the duration of on/off state of switch S1
– S2: denotes the duration of connection of switch S2 with R1 or R2

Dynamic activities
For states (A) and (B): $\dot{i} = -\frac{v}{L} + \frac{E}{L}$, $\dot{v} = \frac{i}{C} - \frac{v}{RC}$
For states (C) and (D): $\dot{i} = -\frac{v}{L}$, $\dot{v} = \frac{i}{C} - \frac{v}{RC}$
For clock variable S1 and S2 for all locations: $\dot{s}_1 = 1$, $\dot{s}_2 = 1$

Hybrid model of Buck converter

Example (Buck converter) [Santosh]

Descriptions
• Zero pulse – Generates –ve square pulse when input crosses zero volt from any +ve voltage
• Monoshot – Generates +ve square pulse with Ton and it is triggered by a –ve edge at the input.
• Startup pulse – Generates –ve pulse to trigger the monoshot.
• Zero crossing detector – It toggles output when the input crosses zero volt. Initial output logic zero.
• Drivers – To drive power MOS switches.

Hysteresis comparator
• Outputs logic high if input is below threshold
• Outputs logic low if input is above threshold
[Figure: Vout versus Vin]

Determination of discrete states
• This system can be modeled as a hybrid system, and the dynamic behavior of each state depends on the following
– State of PMOS
– State of NMOS
– Control signal to PMOS
– Control signal to NMOS
• Dynamic behavior of each state will depend on the following:
– Vcx : PMOS drain voltage
– Vout : Output voltage

Hybrid automata
Q State Activity Reset
1 Pn, Nf, CPn, CNf
2 Pn, Nf, CPf, CNn
3 Pf, Nn, CPf, CNn
4 Pf, Nn, CPn, CNf
lvv cxout 1 Evcx
lvv cxout 1 Evcx
lvv cxout 1 kcx vv
Q Q G
1 2 T≥Ton
2 3 CPf & CNn
3 4
lvv cxout 1 kcx vv
lthoutcx vvv 0

Linear hybrid systems (LHS)
• For all locations activity (vector field) can be defined as follows: $\dot{x} = k_x$, $k_x \in \mathbb{Z}$
• For all locations invariant (domain) is defined by a linear formula over continuous states (X).
• For all transitions, guarded set of nondeterministic assignments: $\{x := [\alpha_x, \beta_x] \mid x \in X\}$
)()()()(),( xx vxvvXxxviffEvv

Example
(x+y>4)→{x:=[3x+y,2y], y:=[7,5x]}
v: (x=3, y=12)
v(αx)=21, v(βx)=24
v(αy)=7, v(βy)=15
x=3, y=12
x=23, y=9

Special cases
Discrete variable: $\dot{x} = 0, \ \forall q \in Q$
Discrete system – All variables are discrete variables
Proposition – x is a discrete variable and $R(e, x) \in \{0, 1\}, \ \forall e \in E$
Clock: $(\dot{x} = 1, \ \forall q \in Q) \wedge (R(e, x) \in \{0, x\}, \ \forall e \in E)$

Special cases (contd.)
• Timed automaton – Linear hybrid system all of whose variables are propositions or clocks and whose linear expressions are Boolean combinations of inequalities (x#c or x-y#c).
• Skewed clock: $(\dot{x} = k, \ \forall q \in Q, \ k \in \mathbb{Z}) \wedge (R(e, x) \in \{0, x\}, \ \forall e \in E)$
• Multirate timed system – LHS whose variables are propositions and skewed clocks
• n-rate timed system – Multirate timed system whose skewed clocks proceed at n different rates

Special cases (contd.)
• Integrator: $(\dot{x} \in \{0, 1\}, \ \forall q \in Q) \wedge (R(e, x) \in \{0, x\}, \ \forall e \in E)$
• Parameter - x discrete variable, $R(e, x) = x, \ \forall e \in E$
• Simple LHS – Domains (invariants) and Guards are of the form x≤k or x≥k

Reachability results
• The reachability problem is decidable for simple multirate timed system.
• The reachability problem is undecidable for 2-rate timed system.
• The reachability problem is undecidable for simple integrator systems

Verification of Hybrid Automata
• A hybrid automata specification can be encoded as a set of desirable hybrid trajectories, H.
• The given model is said to meet the given specification if the set of executions of the model is a subset of H.
• Safety Property: $G((q, x) \in F)$
• where F is the set of safe states in which we wish to remain always.
• Liveness Property: $F((q, x) \in T)$
• where T is the set of states which we visit eventually.

Example
• Say we model a traffic system with a hybrid automaton; then the set of safe states, F, are those in which no two cars collide.
• The set of live states, T, are those in which the cars eventually reach their destination.

Transition System from a hybrid automaton
• H = (Q, X, Init, f, Dom, E, G, R) be a hybrid automaton with a distinguished set of final states, $F \subseteq Q \times X$
•
• S: set of states (finite or infinite)
• A transition relation
• A set of initial states
• A set of final states
0( , , , )FT S S S
: ( )S P S 0S SFS S
$S = Q \times X$
$S_0 = Init$
$S_F = F$
Hybrid Automata transformed into a transition system.

Transition System from a hybrid automaton (contd.)
{ '} ( , ), ( ) ( ( ))( , )
,e
q R e x if q q and x G eq x
otherwise
( , ')e q q E
( , ) {( ', ') |
[ ' ] [ 0, ( ( ) ') ( [0, ], ( ) ( ))]}
c q x q x Q X
q q T x T x t T x t Dom q
The transition relation can be divided into a discrete transition relation and a continuous transition relation. For each edge,
For the continuous transition relation,
Where x(.) is the solution of the differential equation $\dot{x} = f(q, x)$ with $x(0) = x$.
Hence, ( ) ( ) ( )c ee E
s s s

Backward Reachability
( ) { | ( )}Pre S s S s S s s
Algorithm:
Initialization: $W_0 = S_F$, $i = 0$
repeat
    if $W_i \cap S_0 \neq \emptyset$
        return "$S_F$ reachable"
    endif
    $W_{i+1} = Pre(W_i) \cup W_i$, $i = i + 1$
until $W_i = W_{i-1}$
return "$S_F$ not reachable"
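
The backward reachability loop above, as an added example that is not part of the original slides. The edge set `DELTA` is an assumed reading of the q0..q6 example figure as a binary tree, the initial and final sets passed in are also assumptions, and `pre` and `backward_reachable` are illustrative names.

```python
# Assumed transition structure for the q0..q6 example (the figure's edges
# did not survive extraction): q0 -> q1, q2; q1 -> q3, q4; q2 -> q5, q6.
DELTA = {
    "q0": {"q1", "q2"},
    "q1": {"q3", "q4"},
    "q2": {"q5", "q6"},
    "q3": set(), "q4": set(), "q5": set(), "q6": set(),
}

def pre(delta, targets):
    """States that have at least one successor inside `targets`."""
    return {s for s, succ in delta.items() if succ & targets}

def backward_reachable(delta, initial, final):
    """Return (answer, [W_0, W_1, ...]) following the repeat/until loop."""
    w = set(final)                      # W_0 = S_F
    history = [set(w)]
    while True:
        if w & initial:                 # W_i meets S_0: S_F is reachable
            return True, history
        nxt = pre(delta, w) | w         # W_{i+1} = Pre(W_i) U W_i
        if nxt == w:                    # fixed point, nothing new to add
            return False, history
        w = nxt
        history.append(set(w))

if __name__ == "__main__":
    ok, trace = backward_reachable(DELTA, {"q0"}, {"q3", "q6"})
    print(ok, [sorted(step) for step in trace])
```
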

Backward Reachability: Example
[Figure: transition system with states q0; q1, q2; q3, q4, q5, q6]

Bisimulation: Example
• We can check, $\{\{q_0\}, \{q_1, q_2\}, \{q_3, q_6\}, \{q_4, q_5\}\}$ is a bisimulation of the given system, but $\{\{q_0\}, \{q_1, q_3, q_4\}, \{q_2, q_5, q_6\}\}$ is not.
[Figure: transition system with states q0; q1, q2; q3, q4, q5, q6]

Bisimulation: Example
$\{\{q_0\}, \{q_1, q_2\}, \{q_3, q_6\}, \{q_4, q_5\}\}$

Bisimulation: Example
$\{\{q_0\}, \{q_1, q_3, q_4\}, \{q_2, q_5, q_6\}\}$
Not a Bisimulation

Bisimulation: Definition
• A bisimulation of a transition system is a partition $\{S_i\}_{i \in I}$ of the state space S of T such that,
0( , , , )FT S S S
• $S_0$ is a union of elements of the partition,
• $S_F$ is a union of elements of the partition,
• If one state (say s) in some set of the partition (say $S_i$) can transition to another set in the partition (say $S_j$), then all other states, in $S_i$ must be able to transition to some state in $S_j$. More formally,
s
, , , , ( ) , , ( )i j ji j I s s S if s S then s S

Bisimulation: Algorithm
• Let, $\{S_i\}_{i \in I}$ be a bisimulation of the transition system, T and let be the quotient-transition system. is reachable by T, iff is reachable by . In fact, bisimulation preserves any property that can be expressed in CTL.[1]
T
TFS
FS
Algorithm:
Initialization: $P = \{S_0, S_F, S \setminus (S_0 \cup S_F)\}$
while $\exists S_i, S_j \in P$ such that $S_i \cap Pre(S_j) \neq \emptyset$ and $S_i \cap Pre(S_j) \neq S_i$
do
    $S_i' = S_i \cap Pre(S_j)$
    $S_i'' = S_i \setminus Pre(S_j)$
    $P = (P \setminus S_i) \cup \{S_i', S_i''\}$
end while
return
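
The partition refinement loop above, as an added example that is not part of the original slides; it also checks the two candidate partitions from the earlier bisimulation example. The edge set `DELTA`, the initial set {q0} and the final set {q3, q6} are assumptions about the lost figure, and `is_bisimulation` and `refine` are illustrative names.

```python
# Assumed transition structure for the q0..q6 example (binary tree).
DELTA = {
    "q0": {"q1", "q2"},
    "q1": {"q3", "q4"},
    "q2": {"q5", "q6"},
    "q3": set(), "q4": set(), "q5": set(), "q6": set(),
}

def pre(delta, block):
    """States that have at least one successor inside `block`."""
    return {s for s, succ in delta.items() if succ & block}

def is_bisimulation(delta, partition, initial, final):
    for block in partition:
        for marked in (initial, final):
            # S_0 and S_F must each be a union of blocks.
            if block & marked and not block <= marked:
                return False
    # Each block lies entirely inside or entirely outside every Pre(S_j).
    return all(not (si & pre(delta, sj)) or si <= pre(delta, sj)
               for si in partition for sj in partition)

def refine(delta, states, initial, final):
    """Start from {S_0, S_F, S \\ (S_0 U S_F)} and split until stable."""
    rest = states - initial - final
    partition = {frozenset(b) for b in (initial, final, rest) if b}
    changed = True
    while changed:
        changed = False
        for si in list(partition):
            for sj in list(partition):
                inside = si & pre(delta, sj)
                if inside and inside != si:
                    partition.remove(si)              # P = (P \ S_i) U {S_i', S_i''}
                    partition |= {inside, si - inside}
                    changed = True
                    break
            if changed:
                break
    return partition

if __name__ == "__main__":
    for block in sorted(map(sorted, refine(DELTA, set(DELTA), {"q0"}, {"q3", "q6"}))):
        print(block)
```
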

Bisimulation Algorithm: Example
[Figure: transition system with states q0; q1, q2; q3, q4, q5, q6]

Problems at Hand:-
1. Due to possible variations in the system parameters which are determined only after the low level synthesis is complete, our hybrid system model may change. We wish to automate the effects of change. It will also give us the range of system parameters for which the circuit behavior does not violate the system specifications.
2. In the design hierarchy, we may have a block-level design, which can be resolved into circuit-level design. To check whether the two designs are compliant, we will check the equivalence of two hybrid automata.

Intuitive Idea
• Any two equivalent hybrid systems should follow the same differential equation at any given cycle, assuming the designs are correct.
• Hence at any given cycle, a particular state in H1 should have a mirror state in H2.
• So, we aim to compose the two hybrid systems.

Intuitive Idea: Contd.
• Consider the following 2 models
H1
H2

Intuitive Idea: Contd.
• Composed Model
H1 || H2

Informal Algorithm
Algorithm:
Init(c) = compose(Init1, Init2);
Q(c) = Init(c);
while all the nodes of H1 and H2 are not in Q(c)
    for each node (s(i), s’(i)) in Q(c)
        for each transition of s(i) to p(j) (say e(ij))
            for each transition of s’(i) to p’(j) (say e’(ij))
                if (!check_consistency(e(ij), e’(ij)))
                    return FAILURE
                else
                    compose(p(j), p’(j));
                    Q(c) = union(Q(c), (p(j), p’(j)));
            endfor
        endfor
    endfor
endwhile

Existing Hybrid Model Checking Tools
• Checkmate for verifying hybrid systems. [MATLAB Based]
  • Chutinan, Krogh, Stursberg et al., CMU
• Requiem for verifying hybrid systems.
  • University of Pennsylvania
• d/dt for verifying and synthesis hybrid systems.
  • Thao Dang and Oded Maler
• HyTech for verifying linear hybrid systems.
  • Thomas A Henzinger, Pei-Hsin Ho, and Howard Wong-Toi
• Ptolemy II for simulating concurrent, embedded and hybrid systems.
  • Center for Hybrid and Embedded Software Systems (CHESS), University of California, Berkeley.
  • Edward A. Lee

Reference
• [1] John Lygeros. "Lecture Notes on Hybrid Systems". University of Patras.
• [2] T.A. Henzinger. Hybrid automata with finite bisimulations. ICALP 95: Automata, Languages, and Programming, Lecture Notes in Computer Science 944, Pages 225-238. Springer-Verlag, 1995.
• [3] T.A. Henzinger. Theory of Hybrid automata.
• [4] Rajeev Alur, T.A. Henzinger et al. The Algorithmic Analysis of Hybrid Systems, Theoretical Computer Science, 1995.