Action and Predicate Safety of Hybrid Processes

Pieter Cuijpers

Michel Reniers

- HyPA
- Process representations
- Two levels of abstraction
- Specification of Safety
- Congruence
- Safety analysis of hybrid processes
- Conclusions

HyPA syntax:

- termination
- deadlock
- action (discrete action)
- flow clause: c, (V|Pred)
- re-initialization clause: d >> P, b >> P, [V|Pred]
- alternative composition: P P
- sequential composition: P P
- disrupt: P P, P P
- parallel composition: P || P, P P, P P
- encapsulation: H(P), Pred(P)

Xici jJ(i)dj >> actionj Xj

HAiI d’i >> Xi

[Figure: hybrid automaton location ci with re-initializations d1 and d2]

Xi(jJ(i)dj >> cj) Xi

(jJ’(i)bj >> actionj) Xi

CHP||iI Xi

XijJ(i)dj >>

jJ’(i)dj >> actionj Xj

jJ’’(i)dj >> cj Xj

SSR Xinit

- On the lowest level of abstraction, HyPA is aimed at giving different representations of the same system.
- At a higher level of abstraction, HyPA can also be used to analyse, for example, safety properties.

Robust Bisimilarity

Initially stateless bisimilarity=

X Y implies X = Y

x x

x y y x

x (y z) (x y) z

x x x

x

x (y z) (x y) z

(x y) z (x z) (y z)

x y x y y

x

x

x (y z) (xy) z

(x y) z (xz) (yz)

d >> (x y)(d >> x) (d >> y)

H(x y)H(x) H(y)

etc. etc. etc.

d >> action x=d >> action d! >> x

d >> c x=d >> c (d D(c))! >> x

Safety for actions: X = H(X)

Safety for predicates: X = Pred(X)

X[x|x+ = 0] >> a1 a2

Y[x|x+ = 0] >> a1 [x- = 0] >> a2

Z[x|x+ = 1] >> a3

X=Y

X || ZY || Z

When do we have SSR = Pred(SSR)?

Create a re-initialization for every recursion variable, signifying its reachable set.

[true]=Rinit

(Ri dj)!Rj for all i and all jJ’(i)

(Ri dj D(cj))!Rj for all i and all jJ’’(i)
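As an added example (not the slides' own notation or code), the construction above can be run on a finite abstraction. The Python below computes a re-initialization R_i for every recursion variable as the least sets satisfying the closure conditions (R_init contains the initial states, and the post-image of R_i under every clause d_j leading to X_j lies inside R_j), checks those inclusions, and then checks a safety predicate on every reachable state, which is the finite counterpart of asking whether Pred(R_i >> X_i) = R_i >> X_i for all i. The tank model, the step functions, the integer-level abstraction and the `max_states` guard are constructed assumptions, not part of the presentation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed abstraction (not the slides' notation): a state is a tuple of integer
# valuations of the model variables, and a re-initialization R_i is the set of
# states in which recursion variable X_i can be entered.
State = Tuple[int, ...]
Reinit = FrozenSet[State]
Post = Callable[[State], Reinit]   # post-image of one clause d_j (action or flow step)


@dataclass
class StateSpaceRep:
    """State space representation X_i = sum_j d_j >> step_j . X_j in finite form.

    edges[i] lists (post-image of clause j, target variable j).  Flow clauses are
    assumed to be discretised into single steps so that their post-image is finite.
    """
    init: str
    edges: Dict[str, List[Tuple[Post, str]]]


def reachable_reinits(ssr: StateSpaceRep, init_states: Reinit,
                      max_states: int = 10_000) -> Dict[str, Reinit]:
    """Least fixpoint of the closure conditions: R_init holds the initial states,
    and the post-image of R_i under every clause d_j leading to X_j is contained
    in R_j.  The worklist terminates only when the abstraction is finite;
    max_states turns a diverging run into an error instead of a hang."""
    R: Dict[str, Reinit] = {name: frozenset() for name in ssr.edges}
    R[ssr.init] = frozenset(init_states)
    work: List[str] = [ssr.init]
    while work:
        i = work.pop()
        for post, j in ssr.edges[i]:
            image = frozenset(s for src in R[i] for s in post(src))
            if not image <= R[j]:
                R[j] = R[j] | image
                if len(R[j]) > max_states:
                    raise RuntimeError(f"reachable set of {j} exceeds {max_states} states")
                if j not in work:
                    work.append(j)
    return R


def closure_holds(ssr: StateSpaceRep, R: Dict[str, Reinit]) -> bool:
    """Check the inclusion (R_i d_j)! <= R_j for every edge of the representation."""
    return all(
        frozenset(s for src in R[i] for s in post(src)) <= R[j]
        for i, outs in ssr.edges.items() for post, j in outs
    )


def predicate_safe(R: Dict[str, Reinit], pred: Callable[[State], bool]) -> bool:
    """Pred(R_i >> X_i) = R_i >> X_i for all i iff no reachable state violates pred."""
    return all(pred(s) for states in R.values() for s in states)


# Constructed example: a tank whose level rises in X_fill and falls in X_drain.
def fill_step(s: State) -> Reinit:      # flow clause: level rises while below 4
    return frozenset({(s[0] + 1,)}) if s[0] < 4 else frozenset()

def close_valve(s: State) -> Reinit:    # action enabled once level >= 3
    return frozenset({s}) if s[0] >= 3 else frozenset()

def drain_step(s: State) -> Reinit:     # flow clause: level falls while above 1
    return frozenset({(s[0] - 1,)}) if s[0] > 1 else frozenset()

def open_valve(s: State) -> Reinit:     # action enabled once level <= 1
    return frozenset({s}) if s[0] <= 1 else frozenset()

TANK = StateSpaceRep(
    init="fill",
    edges={
        "fill": [(fill_step, "fill"), (close_valve, "drain")],
        "drain": [(drain_step, "drain"), (open_valve, "fill")],
    },
)

def analyse_tank() -> Dict[str, Reinit]:
    """Reachable re-initializations of TANK starting from level 0."""
    return reachable_reinits(TANK, frozenset({(0,)}))


if __name__ == "__main__":
    R = analyse_tank()
    for name, states in R.items():
        print(name, sorted(s[0] for s in states))
    print("closure holds:", closure_holds(TANK, R))
    print("level stays in [0,5]:", predicate_safe(R, lambda s: 0 <= s[0] <= 5))
    print("level stays <= 3:", predicate_safe(R, lambda s: s[0] <= 3))
```

The worklist only terminates because the integer abstraction is finite; on an unbounded abstraction the same loop would grow R_i forever, which is the termination problem the conclusions list, and `max_states` merely reports that instead of hanging. A predicate that fails here points at a concrete reachable state, which is what one would feed back into refining the abstraction.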

When do we have

Ri >> Xi =Pred(Ri >> Xi),

and especially

SSR [true] >> Xinit =

Pred([true] >> Xinit) Pred(SSR) ?

Ri >> Xi Ri >> (jJ(i)dj >>

jJ’(i)dj >> actionj Xj

jJ’’(i)dj >> cj Xj)

Ri >> Xi jJ(i)(Ridj) >>

jJ’(i)(Ridj) >> actionj Xj

jJ’’(i)(Ridj) >> cj Xj

Ri >> Xi =jJ(i)(Ridj) >>

jJ’(i)(Ridj) >> actionj (Rj >> Xj)

jJ’’(i)(Ridj) >> cj (Rj >> Xj)

Pred(Ri >> Xi)Pred (Ri >> (jJ(i)dj >>

jJ’(i)dj >> actionj Xj

jJ’’(i)dj >> cj Xj))

Pred(Ri >> Xi)Pred (jJ(i)(Ridj) >>

jJ’(i)(Ridj) >> actionj Xj

jJ’’(i)(Ridj) >> cj Xj)

Pred(Ri >> Xi)=Pred (jJ(i)(Ridj) >>

jJ’(i)(Ridj) >> actionj (Rj >> Xj)

jJ’’(i)(Ridj) >> cj (Rj >> Xj))

Pred(Ri >> Xi)=jJ(i)Pred ((Ridj) >> )

jJ’(i)Pred ((Ridj) >> actionj )

Pred (Rj >> Xj )

jJ’’(i)Pred ((Ridj) >> cj ) Pred (Rj >> Xj )

Assuming safety of the following processes:

Pred ((Ridj) >> )=(Ridj) >>

Pred ((Ridj) >> actionj )=(Ridj) >> actionj

Pred ((Ridj) >> cj )=(Ridj) >> cj

Pred(Ri >> Xi)=jJ(i)(Ridj) >>

jJ’(i)(Ridj) >> actionj Pred (Rj >> Xj )

jJ’’(i)(Ridj) >> cj Pred (Rj >> Xj )

So Ri >> Xi and Pred(Ri >> Xi) are both solutions of the state space definition:

Yi = jJ(i)(Ridj) >>

jJ’(i)(Ridj) >> actionj Pred (Yi)

jJ’’(i)(Ridj) >> cj Pred (Yi )

Thus Ri >> Xi = Pred(Ri >> Xi), and hence SSR = Pred(SSR).

- Different model representations.
- Analysis at the cost of congruence ||
- Safety of state space representations depends on safety of sub-processes.
- Termination of analysis method is a problem
- Calculation of reachable sets is a problem

- For CHP we have congruence ||
- Termination using predicate abstraction
- Calculation/approximation of reachable sets
- Algebraic specification of other properties