
# Real-Time Systems

Lecture 06: DC Properties I

2012-05-24

Dr. Bernd Westphal

Albert-Ludwigs-Universität Freiburg, Germany

#### Contents & Goals

#### Last Lecture:

- DC Syntax and Semantics: Abbreviations ("almost everywhere")
- Satisfiable/Realisable/Valid (from 0)
- Semantical Correctness Proof

#### This Lecture:

- Educational Objectives: Capabilities for following tasks/questions.
  - What are obstacles on proving a design correct in the real-world, and how to overcome them?
  - Facts: decidability properties.
  - What's the idea of the considered (un)decidability proofs?

#### Content:

- (Un-)Decidable problems of DC variants in discrete and continuous time

#### Methodology: The World is Not Ideal...

- (i) Choose a collection of **observables** 'Obs'.
- (ii) Provide specification 'Spec' (conjunction of DC formulae (over 'Obs')).
- (iii) Provide a description 'Ctrl' of the controller (DC formula (over 'Obs')).
- (iv) Prove 'Ctrl' is correct (wrt. 'Spec').

That looks too simple to be practical. Typical obstacles:

- (i) It may be impossible to realise 'Spec' if it doesn't consider properties of the plant.
- (ii) There are typically intermediate design levels between 'Spec' and 'Ctrl'.
- (iii) 'Spec' and 'Ctrl' may use different observables.
- (iv) Proving validity of the implication is not trivial.

- Often the controller will (or can) operate correctly only under some assumptions.
- For instance, with a level crossing
  - we may assume an upper bound on the speed of approaching trains, (otherwise we'd need to close the gates arbitrarily fast)
  - we may assume that trains are not arbitrarily slow in the crossing, (otherwise we can't make promises to the road traffic)
- We shall specify such assumptions as a DC formula 'Asm' on the **input observables** and verify correctness of 'Ctrl' wrt. 'Spec' by proving validity (from 0) of $\mathsf{Ctrl} \wedge \mathsf{Asm} \implies \mathsf{Spec}$.
- Shall we care whether 'Asm' is satisfiable?




#### Obstacle (ii): Intermediate Design Levels

- A top-down development approach may involve
  - Spec specification/requirements
  - Des design
  - Ctrl implementation
- Then correctness is established by proving validity of

$$\mathsf{Ctrl} \implies \mathsf{Des} \tag{1}$$

and

$$\mathsf{Des} \implies \mathsf{Spec} \tag{2}$$

(then concluding Ctrl  $\implies$  Spec by transitivity)

Any preference on the order?

#### Obstacle (iii): Different Observables

- Assume, 'Spec' uses more abstract observables  $\mathsf{Obs}_A$  and 'Ctrl' more concrete ones  $\mathsf{Obs}_C$ .
- Example:
  - in  $\mathsf{Obs}_A$ : only consider gas valve open or closed

$$\mathcal{D}(G) = \{0, 1\}$$

  - in  $\mathsf{Obs}_C$ : may control two valves and care for intermediate positions, for instance, to react to different heating requests

$$\mathcal{D}(G_1) = \{0, 1, 2, 3\}, \quad \mathcal{D}(G_2) = \{0, 1, 2, 3\}$$

- To prove correctness, we need information on how the observables are related, i.e. an **invariant** which **links** the data values of  $\mathsf{Obs}_A$  and  $\mathsf{Obs}_C$ .
- Formally: If linking invariant is given as a DC formula, say 'Link $_{C,A}$ ', then proving correctness of 'Ctrl' wrt. 'Spec' amounts to proving

$$\models_0 \mathsf{Ctrl} \wedge \mathsf{Link}_{C,A} \Longrightarrow \mathsf{Spec}.$$

- Example for a linking invariant: a formula $\mathsf{Link}_{C,A}$ relating the abstract valve state $G$ of $\mathsf{Obs}_A$ to the concrete valve positions $G_1, G_2$ of $\mathsf{Obs}_C$.

#### Obstacle (iv): How to Prove Correctness?

- by hand on the basis of DC semantics,
- maybe supported by proof rules,
- sometimes a general theorem may fit (e.g. cycle times of PLC automata),
- algorithms as in Uppaal.


#### DC Properties


#### Decidability Results: Motivation

Recall:

Given **assumptions** as a DC formula 'Asm' on the input observables, verifying **correctness** of 'Ctrl' wrt. 'Spec' amounts to proving

$$\models_0 \mathsf{Ctrl} \wedge \mathsf{Asm} \implies \mathsf{Spec} \tag{1}$$

- If 'Asm' is **not satisfiable** then (1) is trivially valid, and thus each 'Ctrl' correct wrt. 'Spec'.
- So: strong interest in assessing the satisfiability of DC formulae.
- Question: is there an automatic procedure to help us out?
   (a.k.a.: is it decidable whether a given DC formula is satisfiable?)
- More interesting for 'Spec': is it realisable (from 0)?
- Question: is it decidable whether a given DC formula is realisable?

| Fragment                                   | Discrete Time                      | Continuous Time                        |
|--------------------------------------------|------------------------------------|----------------------------------------|
| RDC                                        | decidable                          | decidable                              |
| $\mathrm{RDC} + \ell = r$                  | decidable for $r \in \mathbb{N}$   | undecidable for $r \in \mathbb{R}^+$   |
| $\mathrm{RDC} + \int P_1 = \int P_2$       | undecidable                        | undecidable                            |
| $\mathrm{RDC} + \ell = x, \ \forall x$     | undecidable                        | undecidable                            |
| DC                                         | undecidable                        | undecidable                            |

#### RDC in Discrete Time

Restricted DC (RDC)

$$F ::= \lceil P \rceil \mid \neg F_1 \mid F_1 \vee F_2 \mid F_1 ; F_2$$

where P is a state assertion, but with **boolean** observables **only**.

Note:

- No global variables, thus we don't need  $\mathcal{V}$ .
- Chop is there.
- No  $\int$ , no  $\ell$  (in general).
- No function and predicate symbols.

#### Discrete Time Interpretations

- An interpretation  $\mathcal{I}$  is called **discrete time interpretation** if and only if, for each state variable $X$,

$$X_{\mathcal{I}} : \mathsf{Time} \to \mathcal{D}(X)$$

with

  - Time  $= \mathbb{R}_0^+$ ,
  - all discontinuities are in  $\mathbb{N}_0$ .

- An interval  $[b,e] \in \mathsf{Intv}$  is called **discrete** if and only if  $b, e \in \mathbb{N}_0$ .
- We say (for a discrete time interpretation  $\mathcal{I}$  and a discrete interval $[b,e]$)

$$\mathcal{I}, [b,e] \models F_1 ; F_2$$

if and only if there exists  $m \in [b,e] \cap \mathbb{N}_0$  such that

$$\mathcal{I}, [b, m] \models F_1 \quad \text{and} \quad \mathcal{I}, [m, e] \models F_2 .$$

#### Differences between Continuous and Discrete Time

- Let $P$ be a state assertion, e.g. $X = 1$.

|                                                                                      | Continuous Time | Discrete Time |
|--------------------------------------------------------------------------------------|-----------------|---------------|
| $\models^{?} (\lceil P \rceil ; \lceil P \rceil) \implies \lceil P \rceil$           | ✓               | ✓             |
| $\models^{?} \lceil P \rceil \implies (\lceil P \rceil ; \lceil P \rceil)$           | ✓               | ✗             |

- In particular:  $\ell = 1 \iff (\lceil 1 \rceil \wedge \neg (\lceil 1 \rceil ; \lceil 1 \rceil))$  (in discrete time).

#### Expressiveness of RDC

- $\ell = 1 \iff \lceil 1 \rceil \wedge \neg (\lceil 1 \rceil ; \lceil 1 \rceil)$
- $\ell = 0 \iff \neg \lceil 1 \rceil$
- $\int P = 0 \iff \lceil \neg P \rceil \vee \ell = 0$
- $\int P = k + 1 \iff (\int P = k) ; (\int P = 1)$
- $\int P \geq k \iff (\int P = k) ; \mathit{true}$
- $\int P > k \iff \int P \geq k + 1$
- $\int P \leq k \iff \neg (\int P > k)$
- $\int P < k \iff \int P \leq k - 1$

where  $k \in \mathbb{N}$ .

#### Theorem 3.6.

The satisfiability problem for RDC with discrete time is decidable.

#### Theorem 3.9.

The realisability problem for RDC with discrete time is decidable.


#### Sketch: Proof of Theorem 3.6

- Give a procedure to construct, given a formula $F$, a **regular** language  $\mathcal{L}(F)$  such that

$$\mathcal{I}, [0, n] \models F \ \text{ if and only if } \ w \in \mathcal{L}(F) \tag{1}$$

where the word $w$ describes  $\mathcal{I}$  on $[0, n]$ (procedure: in a minute; the procedure has property (1) by Lemma 3.4).

- Then $F$ is **satisfiable** in discrete time if and only if  $\mathcal{L}(F)$  is **not empty** (Lemma 3.5).
- Theorem 3.6 follows because
  - $\mathcal{L}(F)$  can **effectively** be constructed (by that procedure),
  - the emptiness problem is decidable for regular languages.

#### Construction of $\mathcal{L}(F)$

- Idea:
  - alphabet  $\Sigma(F)$  consists of basic conjuncts of the state variables in F,
  - a letter corresponds to an interpretation of Obs on an interval of length 1,
  - a word of length n describes an interpretation of Obs on interval [0, n].
- Example: Assume F contains exactly state variables X, Y, Z, then

$$\Sigma(F) = \{ X \wedge Y \wedge Z, \ X \wedge Y \wedge \neg Z, \ X \wedge \neg Y \wedge Z, \ X \wedge \neg Y \wedge \neg Z, \\ \neg X \wedge Y \wedge Z, \ \neg X \wedge Y \wedge \neg Z, \ \neg X \wedge \neg Y \wedge Z, \ \neg X \wedge \neg Y \wedge \neg Z \},$$

so  $|\Sigma(F)| = 2^3 = 8$ .



#### Construction of $\mathcal{L}(F)$ more Formally

**Definition 3.2.** A word  $w = a_1 \dots a_n \in \Sigma(F)^*$  with  $n \geq 0$  **describes** a **discrete** interpretation  $\mathcal{I}$  on $[0, n]$ if and only if

$$\forall j \in \{1, \ldots, n\} \ \forall t \in [j-1, j[ \ : \ \mathcal{I}\llbracket a_j \rrbracket(t) = 1 .$$

For $n = 0$ we put  $w = \varepsilon$ .

- Each state assertion P can be transformed into an equivalent disjunctive **normal form**  $\bigvee_{i=1}^{m} a_i$  with  $a_i \in \Sigma(F)$ .
- Set  $DNF(P) := \{a_1, \ldots, a_m\} \subseteq \Sigma(F)$ .

- Define  $\mathcal{L}(F)$  inductively:

$$\mathcal{L}(\lceil P \rceil) = \mathrm{DNF}(P)^{+}, \qquad \text{(regular; words of length at least 1)}$$

$$\mathcal{L}(\neg F_1) = \Sigma(F)^{*} \setminus \mathcal{L}(F_1), \qquad \text{(again regular)}$$

$$\mathcal{L}(F_1 \vee F_2) = \mathcal{L}(F_1) \cup \mathcal{L}(F_2),$$

$$\mathcal{L}(F_1 ; F_2) = \mathcal{L}(F_1) \cdot \mathcal{L}(F_2).$$

**Lemma 3.4.** For all RDC formulae F, discrete interpretations  $\mathcal{I}$ ,  $n\geq 0$ , and all words  $w\in \Sigma(F)^*$  which **describe**  $\mathcal{I}$  on [0,n],  $\mathcal{I},[0,n]\models F \text{ if and only if } w\in \mathcal{L}(F).$ 

Proof: structural induction over $F$.

Case $F = \lceil P \rceil$: assume  $w = a_1 \dots a_n$  describes  $\mathcal{I}$  on $[0, n]$. Then  $\mathcal{I}, [0, n] \models \lceil P \rceil$  if and only if $n > 0$ and $P$ holds almost everywhere on $[0, n]$, if and only if $n > 0$ and  $a_j \in \mathrm{DNF}(P)$  for all $j \in \{1, \ldots, n\}$ (by Definition 3.2, $a_j$ is the basic conjunct that holds on $[j-1, j[$), if and only if  $w \in \mathrm{DNF}(P)^+ = \mathcal{L}(\lceil P \rceil)$ .

The remaining cases follow from the induction hypothesis and the definitions of  $\mathcal{L}(\neg F_1)$ ,  $\mathcal{L}(F_1 \vee F_2)$  and  $\mathcal{L}(F_1 ; F_2)$ ; the chop case uses the discrete chop points  $m \in [0, n] \cap \mathbb{N}_0$ .
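The following is an added example, not code from the lecture: it implements the word-based reading of Lemma 3.4 (a word over $\Sigma(F)$ is in $\mathcal{L}(F)$ exactly when the interpretation it describes satisfies $F$ on $[0,n]$), builds $\ell = 1$, $\ell = 0$ and $\int P = k$ from the expressiveness slide, and uses a bounded word search to reproduce the discrete-time difference table. The encoding of $\int P = 1$ and the names `holds`, `integral_eq`, `alphabet` and `bounded_counterexample` are this example's own assumptions.

```python
# Added example, not from the lecture: a word-based membership test for RDC in
# discrete time. A letter of Sigma(F) is a dict {state variable: 0/1} (one basic
# conjunct); a word a_1..a_n describes an interpretation on [0, n] (Definition 3.2).
# Formulas: ('P', pred) for lceil P rceil with pred: letter -> bool,
#           ('not', F1), ('or', F1, F2), ('chop', F1, F2).
from itertools import product

def holds(F, w):
    """w in L(F), i.e. I,[0,len(w)] |= F for the interpretation I that w describes."""
    kind = F[0]
    if kind == 'P':      # L(|P|) = DNF(P)^+: length >= 1 and every letter satisfies P
        return len(w) >= 1 and all(F[1](a) for a in w)
    if kind == 'not':    # Sigma(F)^* \ L(F1)
        return not holds(F[1], w)
    if kind == 'or':     # L(F1) u L(F2)
        return holds(F[1], w) or holds(F[2], w)
    if kind == 'chop':   # L(F1) . L(F2): some chop point m in [0, n] with m in N_0
        return any(holds(F[1], w[:m]) and holds(F[2], w[m:]) for m in range(len(w) + 1))
    raise ValueError(kind)

# Derived operators, following the lecture's expressiveness slide.
TRUE_P = ('P', lambda a: True)                           # |1|
def AND(F1, F2): return ('not', ('or', ('not', F1), ('not', F2)))
def IMPLIES(F1, F2): return ('or', ('not', F1), F2)
ELL_1 = AND(TRUE_P, ('not', ('chop', TRUE_P, TRUE_P)))   # l = 1 <=> |1| and not(|1|;|1|)
ELL_0 = ('not', TRUE_P)                                   # l = 0 <=> not |1|

def integral_eq(P, k):
    """int P = k via int P = k+1 <=> (int P = k);(int P = 1); the encoding of
    int P = 1 as (int P = 0);(|P| and l = 1);(int P = 0) is an assumption of this example."""
    zero = ('or', ('P', lambda a: not P(a)), ELL_0)      # int P = 0 <=> |not P| or l = 0
    one = ('chop', zero, ('chop', AND(('P', P), ELL_1), zero))
    F = zero
    for _ in range(k):
        F = ('chop', F, one)
    return F

def alphabet(variables):
    """Sigma(F): every basic conjunct over the given state variables (2^|variables| letters)."""
    return [dict(zip(variables, bits)) for bits in product((0, 1), repeat=len(variables))]

def bounded_counterexample(F, variables, max_len):
    """Search all words up to max_len for one not in L(F); None means F held on all of them.
    This is a bounded check, not the full decision procedure (which needs the automaton)."""
    for n in range(max_len + 1):
        for w in product(alphabet(variables), repeat=n):
            if not holds(F, list(w)):
                return list(w)
    return None
```

`bounded_counterexample(IMPLIES(('P', P), ('chop', ('P', P), ('P', P))), ['X'], 3)` returns the length-1 word in which $P$ holds, the discrete-time witness for the ✗ entry of the table, whereas the converse implication yields no counterexample.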

#### Sketch: Proof of Theorem 3.9

**Theorem 3.9.** The realisability problem for RDC with discrete time is decidable.

- $\mathrm{kern}(L)$  contains all words of $L$ whose prefixes are again in $L$.
- If $L$ is regular, then  $\mathrm{kern}(L)$  is also regular.
- $\mathrm{kern}(\mathcal{L}(F))$  can effectively be constructed.
- We have

**Lemma 3.8.** For all RDC formulae $F$, $F$ is realisable from 0 in discrete time if and only if  $\mathrm{kern}(\mathcal{L}(F))$  is infinite.

- Infinity of regular languages is decidable.
