#### CIS 4930/6930: Principles of Cyber-Physical Systems Chapter 4: Hybrid Systems

#### Hao Zheng

Department of Computer Science and Engineering University of South Florida

- Differential equations are used to model continuous dynamics.
- State machines are used to model discrete dynamics.
- Cyber-physical systems are *hybrid systems* that include both continuous and discrete dynamics.
- *Hybrid system models* must represent continuous and discrete dynamics.

#### **FSM Model**



#### Hybrid System, or Modal Model



H. Zheng (CSE USF)

## A Thermostat Model with a Continuous-Time Input Signal



### A Thermostat Model with a Continuous-Time Output Signal



#### **Timed Automata: Modeling and Analysis**

- In time-critical systems, reactions must happen not only correctly but also timely.
- Applications:
  - ABS in cars
  - Traffic control
  - Flight control
- How is time modeled? Discrete or continuous?

#### **Discrete Modeling of Time**



- Time is represented as multiples of basic units.
- Leads to large state space.

H. Zheng (CSE USF)

- Time automata = FSMs extended with clock variables.
- Clocks are dynamic variables that progress linearly in time.

 $\forall t \in T_m, \quad \dot{s}(t) = 1$ 

- $s: \mathbb{R} \to \mathbb{R}$  is a continuous-time signal,
- s(t) is the value of the clock at time t,
- All clocks progress synchronously.

A timed automata is defined with (ignoring discrete variables)

- L: a finite set of locations.
- $I_0 \in L$ : the initial location.
- C: a finite set of clock variables.
- A: a finite set of actions.
- E: a finite set of edges connecting locations.
- 1: location invariants.

For each  $e \in E$ ,  $e = (l_1, \alpha, cc, reset, l_2)$  where

- $\alpha \in A$  is an action,
- $cc \in B(C)$  is a clock constraint,
- *reset*  $\subset$  *C* is a subset of clocks to reset to 0.

### Timed Automata: Clock Constraints: Syntax

- In timed automata, only two operations can be applied to clocks
  - It is reset to 0, or
  - its value can read and tested for some condition.
- Atomic clock constraints on clock variables  $x, y \in C$ ,

$$x \bowtie \mathbf{C}$$
 or  $x - y \bowtie \mathbf{C}$ 

where **c** is a rational constant, and  $\bowtie \in \{<, \leq, >, \geq\}$ .

- Clock constraints *B*(*C*) is a set of conjunctions over the atomic clock constraints.
- Examples:

$$x = \mathbf{c} \equiv (x \le \mathbf{c}) \land (x \ge \mathbf{c})$$

#### **Timed Automata: Clock Constraints: Semantics**

Given a clock  $x \in C$ , let  $u : C \to \mathbb{R}_{\geq 0}$  be an assignment of non-negative real numbers to clocks in C, and u(x) return the value of  $x \in C$ .

$$\begin{array}{ll} u \models x \bowtie \mathbf{c} & \text{iff} & u(x) \bowtie \mathbf{c} \\ u \models x - y \bowtie \mathbf{c} & \text{iff} & u(x) - u(y) \bowtie \mathbf{c} \\ u \models cc_1 \land cc_2 & \text{iff} & u \models cc_1 \land u \models cc_2 \end{array}$$

Example:

$$x = 0.5, y = 1.39 \models (x < 1) \land (y \le 5)$$

while

$$x = 1.01, y = 1.39 \not\models (x < 1) \land (y \le 5)$$

#### Timed Automata: An Example

A lamp has a button. When the button is pushed once, the lamp lights on at the **low** level. When the button is pushed twice in a row, the lamp lights on at the **bright** level. In either level, the lamp lights off when the button is pushed again.



#### Timed Automata: An Example



#### **Timed Automata: Understand Time**



#### **Timed Automata: Understand Time**



#### **Timed Automata: Understand Time**



#### **Timed Automata: Semantics**

#### Transitions

- A state of a timed automata is (*I*, *u*).
- The initial state is  $(I_0, u_0)$ .

#### Discrete transition: $(l_1, u_1) \xrightarrow{e} (l_2, u_2)$

- An edge (l<sub>1</sub>, α, cc, reset, l<sub>2</sub>) ∈ E is enabled/executable in a state (l, u) if
  - $I = I_1$ ,  $u \models cc$ , and
  - there is a matching synchronization action to *a*.
- A new state (l', u') after executing e such that

 $l' = l_2$ , u' is the same as u except all clocks in *reset* reset to 0.

**Delay transition:** 
$$(I, u_1) \xrightarrow{\delta} (I, u_2), \ \delta \in \mathbb{R}^+$$

 $u_2 = u_1 + \delta$  where  $u_1 + \delta$  means  $u(x) + \delta$  for every  $x \in C$ .

- Execution step:  $\rightarrow = \stackrel{e}{\rightarrow} \cup \stackrel{\delta}{\rightarrow}$
- Execution trace:

$$(I_0, u_0) \rightarrow (I_1, u_1) \rightarrow (I_2, u_2) \dots$$

• Reachability: (*i*, *u*) is reachable if there exists a trace

$$(I_0, u_0) \rightarrow (I_1, u_1) \ldots \rightarrow (I_n, u_n)$$

such that  $I = I_n$  and  $u = u_n$ .

# A Timed Automaton that Generates a Pure Output



#### **Timed Automaton Model of a Thermostat**



### Possible Execution of the Timed Thermostat Model



#### FSM for the Traffic Light Controller



It reacts in every second.

#### **Timed Automaton for the Traffic Light Controller**



#### **Timed Automaton: Exercise**



### A **zeno** trace of a timed automata has infinite number of discrete transitions within finite amount of time.



Make sure that time can progress on every cycle in timed automata.



#### **Composing Timed Automata**

Two TAs 
$$T_1 = (L_1, I_{10}, C_1, A_1, E_1, Inv_1)$$
 and  
 $T_2 = (L_2, I_{20}, C_2, A_2, E_2, Inv_2)$  such that  $C_1 \cap C_2 = \emptyset$ , their parallel  
composition,  $T_1 || T_2$  is a TA  $(L, I_0, C, A, E, Inv)$  where

• 
$$L = L_1 \times L_2$$
,

- $I_0 = (I_{10}, I_{20});$
- $C = C_1 \cup C_2$ ,
- $A=A_1\cup A_2$ ,
- $\mathit{Inv} = \mathit{I}_1(\mathit{I}_1) \land \mathit{I}_2(\mathit{I}_2)$  for all  $(\mathit{I}_1, \mathit{I}_2) \in \mathit{L}$ ,
- $E = \{...\},\$

#### Parallel Composition of Timed Automata

*E* includes edges defined as follows.

 $(l_1, \alpha, \mathit{cc}_1, \mathit{reset}_1, l_1') \in E_1 \quad (l_2, \alpha, \mathit{cc}_2, \mathit{reset}_2, l_2') \in E_2$ 

 $((l_1, l_2), \alpha, \textit{cc}_1 \land \textit{cc}_2, \textit{reset}_1 \cup \textit{reset}_2, (l_1', l_2')) \in E$ 

$$(l_1, \alpha, cc_1, reset_1, l_1') \in E_1 \quad \alpha \notin A_2$$

$$((l_1, l_2), \alpha, cc_1, reset_1, (l_1', l_2)) \in E$$

$$(l_2, \alpha, cc_2, reset_2, l_2') \in E_2 \quad \alpha \notin A_1$$

$$((l_1, l_2), \alpha, cc_2, reset_2, (l_1, l_2')) \in E$$
Async

Sync

#### A Lamp



#### A Classic Example

A road crosses a railway. In the cross, gates are controlled to block traffic on the road for safety.

- Trains communicates with the controller about its position relative to the cross. Trains signal the controller with *approach* and *exit*.
- The controller reacts to *approach* by signaling the gate with *lower*, and reacts to *exit* by signaling the gate with *raise*.
- The gate reacts to *lower* by closing the gate, and reacts to *raise* by opening the gate.

Trains communicates with the controller about its position relative to the cross. Trains signal the controller with *approach* and *exit*.



## A Train-Gate-Control Example

The controller reacts to *approach* by signaling the gate with *lower*, and reacts to *exit* by signaling the gate with *raise*.



## A Train-Gate-Control Example

The gate reacts to *lower* by closing the gate, and reacts to *raise* by opening the gate.



## Train-Gate-Control: the Whole Picture



2 or 3 minutes after the train signals the controller *approach*, it reaches the gate. At most 5 minutes after the train signals *approach*, it leaves the gate.



# A Train-Gate-Control: Timing

After receiving *approach*, it takes the controller 1 minute to produce signal *lower* to the gate. After receiving *exit*, it takes no more than 1 minute for the controller to produce *raise*.



## A Train-Gate-Control: Timing

The gate needs at most 1 minute to be closed, and between 1 and 2 minutes to be open.



# Timed Train-Gate-Control: the Whole Picture



H. Zheng (CSE USF)

# Specification in UPPAAL

#### **Computation Tree**



# **Timed Computation Tree Logic**

• State formulas  $\varphi$ : expressions whose truth can be decided on individual states.

$$i = 7, x \leq 7 \wedge y > 9$$

UPPAAL has a keyword deadlock, which, when true, indicates a deadlock.

- Path formulas  $\phi$  are
  - $\Box \varphi$ :  $\varphi$  holds in every state of a trace,
  - $\Diamond \varphi$ :  $\varphi$  holds in some state of a trace.
- Path quantifiers:
  - $\mathbf{A}\phi$ :  $\phi$  holds on *every* path from the initial state.
  - $\mathbf{E}\phi$ :  $\phi$  holds on *some* path from the initial state.

## **Timed Computation Tree Logic**

• Reachability Properties: decide if certain states are reachable.



## **Computation Tree Logic: Example**



TCTL Properties:

- A[] Obs.taken imply x>=2
- E[] Obs.idle and x>3

# **Computation Tree Logic: Example**



TCTL Properties:

- A[] Obs.taken imply x>=2
- E[] Obs.idle and x>3
- A[] Obs.taken imply (x >=2 and x <=3)

# **Computation Tree Logic: Example**



TCTL Properties:

- A[] Obs.taken imply (x >=2 and x <=3)
- E<> deadlock